Yara rule for the analyzed Risk files. https://r00tten.com/in-depth-analysis-attack-vector-triggered-by-risk/
rule Risk {
    meta:
        author      = "Mert Degirmenci"
        date        = "12.11.2019"
        description = "YARA rule for the files whose hash is one of the below"
        hash1 = "c40d59f85e1b4bacf10643b535da804af2e99caba91ab860b221121e24a2a9bb"
        hash2 = "11455bc66548fd161362d300d24c6539c36c7b236aafd4f457d8ee2d8b6c9262"
        hash3 = "29659dd2cd05d0e3c97c2fd3687644a78622ad487178901cb67f14be314c168b"
        hash4 = "3c3b311505b8a3b280024d05017ff9edcb19e193c1760cac099d09fb165e93d7"
        hash5 = "6822a44b8ae526747479d59ea775b7dc5758880469f802caa9ad4ceade2218df"
        hash6 = "b0a8c2cb1e0afb0cdef74f983c4f16be2bcd87a93b3d3aa8cad21ec85d29153e"
        hash7 = "f7c2cd67d1a009454facf8ab9b0cbee0c9a53644cae7bbd4bc952917ec19522b"

    strings:
        // Type name the loader resolves with Assembly::GetType (see the CIL listing below).
        $s_guitar = "Hide_GuitarX" ascii

        // Each $sv_* pattern is the UTF-8 encoding of the leading characters of one long
        // embedded string; the full string is quoted in the comment above each pattern.
        // There appears to be one such string per listed hash — confirm against the samples.
        //گ7ێو4ئوپڤچێ7ۆچ3ڤ31ث4ئ0ڕڕثئ53ئ58ژگ30235ەئێو4ۆ343ۆئە1ێ8ئ6427ڕ0و05204چو8ث36گ6چ44ۆڤڕگ305ێ4ڵێ6485چ150ڵۆڵ7ڕژۆثچ34ث0ثپچگپڕ08پڵ5ەوڵێث7ە3ث8ە11چپ80ڤەڵ8گ044گژچژڕ1ڵ111687پ0ژثپ14و748ە8ژ3پ5631گ1
        $sv_PA = { da af 37 db 8e d9 88 34 d8 a6 d9 88 d9 be da a4 }
        //3ڤ05ێئ5ڤڤ4ڵ3ڵ5ەە6ژڕ7ەژ83ڵ8ڵ8ئ58ئ2ڕو0ێڵ2ڵ36گ077ەئڤێڤ1ژ5ڤوڤ5وڕ16و24وپێڵ2ۆگ33ئژثگ5چ1وژ8وە263پۆگئڵ55ڤ14چ6ۆ15ثۆ711ثەئ84چوڵگگڤ0ئژڵچ2ڕە7ە7گچڕ1ڤ2چ6ێگپڕ238گگ6ڤگۆەە831ێەگ613وۆ6چ2ۆث07ڤێۆچ7330
        $sv_PA_GLV = { 33 da a4 30 35 db 8e d8 a6 35 da a4 da a4 34 da }
        //47ڵژڕو3606ژڵ45ژو5گچڵوڵ55ثڵ14پگ3پەڵ1ڵ1ڕ520ڤو6ڵ30ڕ0چچۆژگئەث1گ4175ڕۆگئوئ71چچ554ئ7وە5ژێڵ4107ەگژپ5پپ22ث4ث0ەث268چچڤگئئەث8ڕ2گژڵ4ێپ4ڤ13ڤ5ۆۆثئە2ڤوڤچ4ثپگ7ڕڕ33ث38ە1ەڕگەڕئڕڕپ3ژەثپپگژ6ێ50گ45ثچڕ
        $sv_F7 = { 34 37 da b5 da 98 da 95 d9 88 33 36 30 36 da 98 }
        //ثۆڤڵ2ێ76ڕپچ44ەپ4ە2147ڤ5ڤە20ووپئڤڤ6ڤژ3731پگڵڵڵێوگ27378ث8ڤەپئ80چڤڕ5پە630ثو7پ3ڤثوپۆگڕ1گەڕچژ7پئ243ثژ5ڕ0ژ7ڵ0ۆ6گ87ەژژ78ث0و6ۆ80ڵ583ژوچئ8ە2530ئ61چڤ6ڕ0ئڵچڕ33ئ2ڤ3ە88ۆڤ51ڤ548830ئگ622وچثگ51ڵئێ
        $sv_B0 = { d8 ab db 86 da a4 da b5 32 db 8e 37 36 da 95 d9 }
        //05ڕ1ث2ێ6چڵ2ثگژڤە1ڕ62ژڕڤ632ث6437ژ36ێپێ4و4ۆ6125ێژژگە31ڵچڤگەگ7گ0وۆ4چڕوڤێڵۆ56ثچچ05ثڤە1ڵڤ8ڕ8ئو52568ێ445ۆچ66ێ7ێ74گپ73ڵوگۆ76چ4وەئێو3ڕ7764433ڵ0گژچوثڵچئگثڕڤڤ6ڕ7ێپ3ە325ئ785ڤڕئپ2532ڵەێ26284ەڤ
        $sv_68 = { 30 35 da 95 31 d8 ab 32 db 8e 36 da 86 da b5 32 }
        //8ڕ812گو64گژ4ە1ڤگ4گڤۆژچچگچوپێ7ڵ775ڵ8ژڤ7ۆۆپ1ڕ7ۆ8385ئئ5ئئ3گ1چثگوۆ8ەڵڵ742ث56ەژث3ە1ڕ00ثگ4ەث423038533727ڵ1پ7ە3ەەڤ2ث8ثپەڵ4ە3ئپگ2ڕثۆە5پچ1ئپوێ0چ130ڵ8ڤث03ڤ32و8ڵێچ7ث745ێڵژە8ث783517ۆڤۆ1پ500و0چ
        $sv_3C = { 38 da 95 38 31 32 da af d9 88 36 34 da af da 98 }
        //082پ11ژپوەچئپەێگەڵێ1ژڤە3664گپ453158و15چەڕ37ڵئگ6ە6ڵچ5ۆ0ڕث17ئ36پپچژ4ڵێو63ژ77گ104چڵپڤڤڤڕپ0ث062214ژڕ3گثو627پ3ۆ6ێێچڵ6و23وڵڵوژێژچژێپ4ۆڤئ7ڕ3ڕچوچڤ4ۆۆگ6ثژ4و7ثث3ڕپ0ۆڵۆڵ52ە42ث0ێئۆۆگ482ێو4ڤڤپگ
        $sv_29 = { 30 38 32 d9 be 31 31 da 98 d9 be d9 88 db 95 da }

        // CIL of the in-memory loader (from the original listing): fetch a byte array from
        // Properties, Assembly.Load it, resolve "GuitarLibX.Hide_GuitarX", then construct
        // an object.
        //   484 05E8 call uint8[] Risk.Properties.pivXzWdzeJWjeaqOGHdveAHWAfZOfnJDIK::wjllPrhevNrbhVfoxikTPfvSRFDqBJfKVfax()
        //   485 05ED call class [mscorlib]System.Reflection.Assembly [mscorlib]System.Reflection.Assembly::Load(uint8[])
        //   486 05F2 stloc.0
        //   487 05F3 ldloc.0
        //   488 05F4 ldstr "GuitarLibX.Hide_GuitarX"
        //   489 05F9 callvirt instance class [mscorlib]System.Type [mscorlib]System.Reflection.Assembly::GetType(string)
        //   490 05FE stloc.1
        //   491 05FF newobj instance void Risk.rqshchHfcppuYqLlgwoXsYYTEvaNyXyVr::.ctor()
        //   492 0604 stloc.2
        // Opcode bytes: 28 = call, 0A/0B/0C = stloc.0/1/2, 06 = ldloc.0, 72 = ldstr,
        // 6F = callvirt, 73 = newobj. The four-byte operands are metadata tokens
        // (little-endian RID, table id last: 06 MethodDef, 0A MemberRef, 70 UserString),
        // so this pattern is tied to the exact build it was taken from; a recompiled
        // variant would keep the opcode skeleton but shift the token values.
        $s_loadSeq = { 28 A4 00 00 06 28 A9 00 00 0A 0A 06 72 BF 23 00 70 6F AA 00 00 0A 0B 73 01 00 00 06 0C }

    condition:
        // MZ header, the loader's type name, the exact CIL call sequence,
        // and at least one of the per-sample embedded strings.
        uint16(0) == 0x5A4D and $s_guitar and $s_loadSeq and 1 of ($sv_*)
}
rule nanoCore {
    meta:
        author      = "Mert Degirmenci"
        date        = "25.12.2019"
        description = "Nano Core Client RAT variant"
        hash1       = "8d68e9e02e2289e0cc49f7b1dfe678a8b49ed4f02f31103907ec57ad3ecf59a1"

    strings:
        // CIL of the single-instance check: the client retries creating a named global
        // mutex and bails out once it owns it. Deobfuscated form (from the analysis):
        //   private static void smethod_21()
        //   {
        //       int num = 0;
        //       int num2 = Class24.smethod_22();
        //       for (int i = num; i <= num2; i += 250)
        //       {
        //           bool flag;
        //           Class8.mutex_0 = new Mutex(true, string.Format("Global\\{{{0}}}", Class24.smethod_2()), ref flag);
        //           if (flag)
        //           {
        //               return;
        //           }
        //           Thread.Sleep(250);
        //       }
        //       Class8.smethod_42();
        //   }
        // As with any raw CIL pattern, the embedded metadata tokens are specific to this
        // build of the sample.
        $s_mutex = { 16 28 46 01 00 06 18 2D 07 26 1B 2D 06 26 2B 4A 0C 2B F7 0B 2B F8 17 20 67 22 D0 1E 28 FF 00 00 06 28 32 01 00 06 8C 48 00 00 01 28 5C 00 00 0A 12 00 73 DD 00 00 0A 1A 2D 06 26 06 2C 0A 2B 07 80 35 00 00 04 2B F4 2A 20 FA 00 00 00 28 DE 00 00 0A 07 20 FA 00 00 00 58 0B 07 08 31 B8 28 88 00 00 06 }

        // 32-byte blob from the sample; judging by the name presumably a resource — its
        // meaning is not decoded here, verify against the analysis.
        $s_res = { 10 00 00 00 E8 99 3F 18 32 75 76 2F 58 EE CA 83 35 F6 61 35 18 5D 01 00 78 1E 89 C0 2B 22 B3 76 }

    condition:
        // MZ header plus both byte patterns.
        uint16(0) == 0x5A4D and all of them
}