YARA rule for an APT28 SedUploader variant. https://r00tten.com/late-night-show-apt28-phishing-document/
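rule SedUploader
{
    // Detects a SedUploader (APT28) sample by its obfuscated C2 domains, its
    // obfuscated mutex name and the string-decoding loop that unpacks them.
    meta:
        author      = "Mert Degirmenci"
        description = "APT28 SedUploader variant"
        date        = "15.04.2019"
        reference   = "https://r00tten.com/late-night-show-apt28-phishing-document/"
        hash1       = "b20aab629ea7fa73b98be9f3df1568c0a3b37480"

    strings:
        // The comment above each pattern is the cleartext; the pattern is the
        // form stored in the sample. The bytes are consistent with a repeating
        // 10-byte XOR key (2d 30 71 1b 07 0f 43 2d 56 2a): the run that follows
        // the cleartext length is that key XORed with zero padding, which is why
        // the same 10-byte cycle trails both domain patterns.
        // google.com
        $s_domain1 = { 4a 5f 1e 7c 6b 6a 6d 4e 39 47 2d 30 71 1b 07 0f 43 2d 56 2a 2d 30 71 1b 07 0f 43 2d 56 2a 2d 30 71 1b 07 0f 43 2d 56 2a 2d 30 71 1b }
        // beatguitar.com
        $s_domain2 = { 4f 55 10 6f 60 7a 2a 59 37 58 03 53 1e 76 07 0f 43 2d 56 2a 2d 30 71 1b 07 0f 43 2d 56 2a 2d 30 71 1b 07 0f 43 2d 56 2a 2d 30 71 1b }
        // Mutex name, same obfuscation as the domains.
        // qO4fU4DfMPBtLuikUd4cM4zVWu
        $s_mutex = { 5c 7f 45 7d 52 3b 07 4b 1b 7a 6f 44 3d 6e 6e 64 16 49 62 49 60 04 0b 4d 50 7a }
        // String-decoding loop: index mod 10 (the 0xa divisor) selects a key byte
        // from the table at str.0q_e, which is XORed into the buffer byte.
        // The 4-byte displacement of str.0q_e (0x100071a8 here) is an absolute
        // image address, so it is wildcarded: a relinked or rebased build would
        // otherwise be missed while the loop itself is unchanged. The jl target
        // (7c db) is a relative offset and stays literal.
        // 0x10002f63 8d0c30 lea ecx, [eax + esi]
        // 0x10002f66 c745fc0a0000. mov dword [local_4h], 0xa
        // 0x10002f6d 33d2 xor edx, edx
        // 0x10002f6f f775fc div dword [local_4h]
        // 0x10002f72 8a82a8710010 mov al, byte [edx + str.0q_e]
        // 0x10002f78 32040f xor al, byte [edi + ecx]
        // 0x10002f7b 8801 mov byte [ecx], al
        // 0x10002f7d 8b450c mov eax, dword [arg_ch]
        // 0x10002f80 40 inc eax
        // 0x10002f81 89450c mov dword [arg_ch], eax
        // 0x10002f84 3bc3 cmp eax, ebx
        // 0x10002f86 7cdb jl 0x10002f63
        $s_xorRoutine = { 8d 0c 30 c7 45 fc 0a 00 00 00 33 d2 f7 75 fc 8a 82 ?? ?? ?? ?? 32 04 0f 88 01 8b 45 0c 40 89 45 0c 3b c3 7c db }

    condition:
        // MZ header, and every string above must be present.
        uint16(0) == 0x5a4d and all of them
}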