@r00tten
Last active April 19, 2019 06:13
YARA rule for an APT28 SedUploader variant. Analysis write-up: https://r00tten.com/late-night-show-apt28-phishing-document/
rule SedUploader {
    meta:
        author = "Mert Degirmenci"
        description = "APT28 SedUploader variant"
        date = "15.04.2019"
        hash1 = "b20aab629ea7fa73b98be9f3df1568c0a3b37480"
    strings:
        // google.com
        $s_domain1 = { 4a 5f 1e 7c 6b 6a 6d 4e 39 47 2d 30 71 1b 07 0f 43 2d 56 2a 2d 30 71 1b 07 0f 43 2d 56 2a 2d 30 71 1b 07 0f 43 2d 56 2a 2d 30 71 1b }
        // beatguitar.com
        $s_domain2 = { 4f 55 10 6f 60 7a 2a 59 37 58 03 53 1e 76 07 0f 43 2d 56 2a 2d 30 71 1b 07 0f 43 2d 56 2a 2d 30 71 1b 07 0f 43 2d 56 2a 2d 30 71 1b }
        // qO4fU4DfMPBtLuikUd4cM4zVWu
        $s_mutex = { 5c 7f 45 7d 52 3b 07 4b 1b 7a 6f 44 3d 6e 6e 64 16 49 62 49 60 04 0b 4d 50 7a }
        // 0x10002f63 8d0c30        lea ecx, [eax + esi]
        // 0x10002f66 c745fc0a0000. mov dword [local_4h], 0xa
        // 0x10002f6d 33d2          xor edx, edx
        // 0x10002f6f f775fc        div dword [local_4h]
        // 0x10002f72 8a82a8710010  mov al, byte [edx + str.0q_e]
        // 0x10002f78 32040f        xor al, byte [edi + ecx]
        // 0x10002f7b 8801          mov byte [ecx], al
        // 0x10002f7d 8b450c        mov eax, dword [arg_ch]
        // 0x10002f80 40            inc eax
        // 0x10002f81 89450c        mov dword [arg_ch], eax
        // 0x10002f84 3bc3          cmp eax, ebx
        // 0x10002f86 7cdb          jl 0x10002f63
        $s_xorRoutine = { 8d 0c 30 c7 45 fc 0a 00 00 00 33 d2 f7 75 fc 8a 82 a8 71 00 10 32 04 0f 88 01 8b 45 0c 40 89 45 0c 3b c3 7c db }
    condition:
        uint16(0) == 0x5a4d and all of them
}