# Host Indicators of Compromise (comma-separated)
---
Name,MD5 Hash,SHA-1 Hash,SHA-256 Hash,Size (bytes),Type,Compilation Date | |
dustman.exe,8AFA8A59EEBF43EF223BE52E08FCDC67,E3AE32EBE8465C7DF1225A51234F13E8A44969CC,F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7,264704,64-bit EXE,Sun Dec 29 08:57:19 2019 (GMT+3) | |
elrawdsk.sys,993E9CB95301126DEBDEA7DD66B9E121,A7133C316C534D1331C801BBCD3F4C62141013A1,36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C,24576,64-bit EXE,Sun Oct 14 10:43:19 2012 (GMT+3)
assistant.sys,EAEA9CCB40C82AF8F3867CD0F4DD5E9D,7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,68288,64-bit EXE,Sat May 31 05:18:53 2008 (GMT+3) | |
agent.exe,F5F8160FE8468A77B6A495155C3DACEA,20D61C337653392EA472352931820DC60C37B2BC,44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2,116224,64-bit EXE,Sun Dec 29 08:56:27 2019 (GMT+3) | |
---
# YARA Rules
## Dustman.exe
import "pe" | |
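rule dustman {
  meta:
    description = "dustman.exe sample from the DUSTMAN report: yarGen-style strings gated by PE import hash"
    reference = "https://www.scribd.com/document/442047923/Saudi-Technical-Report-JM"
    hash1 = "f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7"
  strings:
    // $x*: the build PDB path is the strong artefact; $x1 is a generic
    // system path and only carries weight because the imphash must match too.
    $x1 = "C:\\windows\\system32\\cmd.exe" fullword ascii
    $x2 = "C:\\Users\\Admin\\Desktop\\Dustman\\x64\\Release\\Dustman.pdb" fullword ascii
    // $s*: supporting strings. $s4, $s14 and $s17 name the companion files
    // (elrawdsk.sys, agent.exe, assistant.sys) from the IOC table; the long
    // runs of 'p'/'q' bytes look auto-extracted and are fragile across rebuilds.
    $s3 = "AppPolicyGetProcessTerminationMethod" fullword ascii
    $s4 = "elrawdsk.sys" fullword wide
    $s5 = "qpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppqphppphpp" fullword ascii
    $s6 = "Wpppppppppppppppqpppfppprppprpppsppprppptppphpppuppp}pppvpppypppwppp|pppxppp|pppyppp|pppzpppwppp{pppxppp|pppfppp}pppfppp" fullword ascii
    $s7 = "ipppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppOp0qppp" fullword ascii
    $s8 = "!q0qpppyPppppppp\"q0qpppzPpppppp`\"q0qpppKPppppppP\"q0qpppqTpppppp@\"q0qpppyTpppppp0\"q0qpppzTpppppp \"q0qpppKTpppppp" fullword ascii
    $s9 = "qppppp{0x.pppp~ppppppppppppppppqpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp0" fullword ascii
    $s10 = "ppLSpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp8" fullword ascii
    $s11 = "\"q0qpppqDppppppp#q0qpppyDpppppp`#q0qpppzDppppppP#q0qpppqHpppppp@#q0qpppzHpppppp0#q0qpppqLpppppp #q0qpppzLpppppp" fullword ascii
    $s12 = "zpppppp" fullword ascii /* reversed goodware string 'ppppppz' */
    $s13 = "ppprppp`ppp}pppapppbpppbppprpppQppp}pppEppprppp1ppp}ppp3ppprppppppappp\"ppp}ppp#ppp}ppp'pppfppp)ppp{ppp" fullword ascii
    $s14 = "/c agent.exe A" fullword ascii
    $s15 = "<q0qpppOtppppppp=q0qppp0tpppppp`=q0qppp1tppppppP=q0qppp3tpppppp@=q0qppp4tpppppp8=q0qppp5tpppppp(=q0qppp6tpppppp" fullword ascii
    // Fixed: the original read "fullwordascii" (no space), which is a YARA
    // syntax error and prevented the whole rule file from compiling.
    $s16 = "<pp[=ppq?pppeeeqeeereeeseeeteeeueeeveeeweeexeeeyeeezeee{eee|eee}eee~eee" fullword ascii
    $s17 = "\\assistant.sys" fullword wide
    $s18 = ":q0qpppitppppppx;q0qpppjtpppppph;q0qpppktppppppX;q0qpppltppppppH;q0qpppmtpppppp8;q0qpppntpppppp(;q0qpppotpppppp" fullword ascii
    $s19 = ">q0qpppjxppppppx?q0qpppmxppppppP?q0qppp\\xpppppp@?q0qpppKxpppppp8?q0qpppNxpppppp(?q0qppp3xpppppp" fullword ascii
    $s20 = ";q0qpppZtppppppx<q0qppp[tpppppph<q0qppp\\tppppppX<q0qppp]tpppppp0<q0qppp_tpppppp<q0qpppBtpppppp" fullword ascii
  condition:
    // MZ header, size cap and import hash gate the string checks; the
    // "all of them" branch is the fallback for a rebuild with a different imphash.
    ( uint16(0) == 0x5a4d and
      filesize < 800KB and
      pe.imphash() == "47cb8a71a145ac31ea5df1b531c7fa09" and
      ( 1 of ($x*) or 4 of ($s*) )
    ) or ( all of them )
}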
## elrawdsk.sys
import "pe" | |
rule elrawdsk {
  meta:
    hash1 = "36a4e35abf2217887e97041e3e0b17483aa4d2c1aee6feadd48ef448bf1b9e6c"
  strings:
    // Every string below ($x1 PDB path, $s3 product banner, $s5/$s9 copyright)
    // belongs to the EldoS RawDisk driver itself, so this rule matches the
    // driver wherever it is deployed, not only the copy dropped by dustman.exe.
    // Treat a hit as context: correlate with the dustman/agent rules or with
    // the hash1 above before calling it an incident.
    $x1 = "c:\\projects\\rawdisk\\bin\\wnet\\fre\\amd64\\elrawdsk.pdb" fullword ascii
    $s2 = "elrawdsk.sys" fullword wide
    $s3 = "RawDisk Driver. Allows write access to files and raw disk sectors for user mode applications in Windows 2000 and later." fullword wide
    // $s4 and $s11 are the device names the driver registers; $s4 is the
    // symbolic link that user-mode code (see the agent rule, $s12) opens.
    $s4 = "\\DosDevices\\ElRawDisk" fullword wide
    $s5 = "Copyright (C) 2007-2012, EldoS Corporation " fullword wide
    $s6 = "IoGetDiskDeviceObject" fullword wide
    $s7 = "\\#{9A6DB7D2-FECF-41ff-9A92-6EDA696613DF}#" fullword wide
    $s8 = "\\#{8A6DB7D2-FECF-41ff-9A92-6EDA696613DE}#" fullword wide
    $s9 = "EldoS Corporation" fullword wide
    $s10 = "{25EC4453-AB06-4b3f-BCF0-B260A68B64C9}" fullword ascii
    $s11 = "\\Device\\ElRawDisk" fullword wide
    $s12 = "###ElRawDiskAMD64###" fullword ascii
  condition:
    // MZ header, size cap and import hash gate the string checks; the
    // "all of them" branch is the fallback for a build with a different imphash.
    ( uint16(0) == 0x5a4d and
      filesize < 70KB and
      pe.imphash() == "6863bacaac5428e1e55a107a613c0717" and
      ( 1 of ($x*) or 4 of ($s*) )
    ) or ( all of them )
}
## assistant.sys
import "pe" | |
rule assistant {
  meta:
    hash1 = "cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986"
  strings:
    // Every string here ($x1/$s2 build paths, $s3 file name, the SUP_IOCTL_*
    // messages) and every export in the condition come from VirtualBox's
    // VBoxDrv.sys (branch w64-1.6), which the sample ships renamed as
    // assistant.sys. The rule therefore also matches that VirtualBox driver
    // build on hosts that have it legitimately; rely on hash1 or on the
    // renamed file name for attribution, and use the rule for hunting.
    $x1 = "C:\\vbox\\branch\\w64-1.6\\out\\win.amd64\\release\\obj\\src\\VBox\\HostDrivers\\VBoxDrv\\VBoxDrv.pdb" fullword ascii
    $s2 = "C:\\vbox\\branch\\w64-1.6\\src\\VBox\\Runtime\\r0drv\\memobj-r0drv.cpp" fullword ascii
    $s3 = "VBoxDrv.sys" fullword ascii
    $s4 = "vboxdrv: Bad ioctl request header; cbIn=%#lx cbOut=%#lx fFlags=%#lx" fullword ascii
    $s5 = "SUP_IOCTL_COOKIE: Version mismatch. Requested: %#x Min: %#x Current: %#x" fullword ascii
    $s6 = "SUP_IOCTL_QUERY_FUNCS: Invalid input/output sizes. cbIn=%ld expected %ld. cbOut=%ld expected %ld." fullword ascii
    $s7 = "SUP_IOCTL_PAGE_ALLOC: Invalid input/output sizes. cbIn=%ld expected %ld. cbOut=%ld expected %ld." fullword ascii
    $s8 = "SUP_IOCTL_LOW_ALLOC: Invalid input/output sizes. cbIn=%ld expected %ld. cbOut=%ld expected %ld." fullword ascii
    $s9 = "SUP_IOCTL_LDR_LOAD: Invalid input/output sizes. cbIn=%ld expected %ld. cbOut=%ld expected %ld." fullword ascii
    $s10 = "SUP_IOCTL_PAGE_LOCK: Invalid input/output sizes. cbIn=%ld expected %ld." fullword ascii
    $s11 = "SUP_IOCTL_CALL_VMMR0: Invalid input/output sizes. cbIn=%ld expected %ld. cbOut=%ld expected %ld." fullword ascii
    $s12 = "VBoxDrvLinuxIOCtl: too much output! %#x > %#x; uCmd=%#x!" fullword ascii
    $s13 = "supdrvLdrFree: Image '%s' has %d dangling objects!" fullword ascii
    $s14 = "SUP_IOCTL_PAGE_LOCK: Invalid input/output sizes. cbOut=%ld expected %ld." fullword ascii
    $s15 = "!supdrvCheckInvalidChar(pReq->u.In.szName, \";:()[]{}/\\\\|&*%#@!~`\\\"'\")" fullword ascii
    $s16 = "\\DosDevices\\VBoxDrv" fullword wide
    $s17 = "SUP_IOCTL_LDR_GET_SYMBOL: %s" fullword ascii
    $s18 = "pReq->Hdr.cbIn <= SUP_IOCTL_PAGE_ALLOC_SIZE_IN" fullword ascii
    $s19 = "pReq->Hdr.cbIn <= SUP_IOCTL_LOW_ALLOC_SIZE_IN" fullword ascii
    $s20 = "SUP_IOCTL_LDR_LOAD: sym #%ld: unterminated name! (%#lx / %#lx)" fullword ascii
  condition:
    // MZ header, size cap, import hash and a fixed set of VBoxDrv exports gate
    // the string checks; "all of them" is the fallback for a different build.
    ( uint16(0) == 0x5a4d and
      filesize < 200KB and
      pe.imphash() == "b262e8d078ede007ebd0aa71b9152863" and
      pe.exports("AssertMsg1") and
      pe.exports("RTAssertDoBreakpoint") and
      pe.exports("RTMpDoesCpuExist") and
      pe.exports("SUPR0ContAlloc") and
      pe.exports("SUPR0ContFree") and
      pe.exports("SUPR0GipMap") and
      ( 1 of ($x*) or 4 of ($s*) )
    ) or ( all of them )
}
## agent.exe
import "pe" | |
rule agent {
  meta:
    hash1 = "44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2"
  strings:
    // $x1: build PDB path under the same Dustman project tree as dustman.exe,
    // the strongest link between the two samples.
    $x1 = "C:\\Users\\Admin\\Desktop\\Dustman\\Furutaka\\drv\\agent.plain.pdb" fullword ascii
    // $s2 contains non-ASCII curly quotes; "ascii" here means the raw UTF-8
    // bytes of this source, so it only hits if the binary stores it that way.
    $s2 = "************** “The Political Statement” ************** " fullword ascii
    $s3 = "api-ms-win-core-synch-l1-2-0.dll" fullword wide
    $s4 = "AppPolicyGetProcessTerminationMethod" fullword ascii
    // $s5: 70 hex characters stored as a wide string; purpose not evident from
    // the sample strings alone (possibly a key or token passed to the driver).
    $s5 = "b4b615c28ccd059cf8ed1abf1c71fe03c0354522990af63adf3c911e2287a4b906d47d" fullword wide
    // $s6-$s11, $s13, $s14: MSVC runtime/RTTI artefacts; weak on their own,
    // which is why the condition also demands the import hash.
    $s6 = "operator co_await" fullword ascii
    $s7 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
    $s8 = "bad array new length" fullword ascii
    $s9 = ".CRT$XIAC" fullword ascii
    $s10 = ".?AVERDError@@" fullword ascii
    $s11 = ".?AVbad_array_new_length@std@@" fullword ascii
    // $s12: Win32 path to the ElRawDisk device, i.e. the \DosDevices\ElRawDisk
    // link registered by elrawdsk.sys; this is the user-mode side of that driver.
    $s12 = "\\\\?\\ElRawDisk" fullword wide
    $s13 = "api-ms-win-core-file-l1-2-2" fullword wide
    $s14 = ".CRT$XCL" fullword ascii
  condition:
    // MZ header, size cap and import hash gate the string checks; the
    // "all of them" branch is the fallback for a rebuild with a different imphash.
    ( uint16(0) == 0x5a4d and
      filesize < 300KB and
      pe.imphash() == "75f159bf634600808810849f244592eb" and
      ( 1 of ($x*) or 4 of ($s*) )
    ) or ( all of them )
}
# References
- [Technical Report by the Saudi CNA regarding DUSTMAN activities](https://www.scribd.com/document/442047923/Saudi-Technical-Report-JM)
PS: I hate IOCs buried inside PDFs so much — CSV FTW!