Silas Cutler silascutler

## gist:1df43b57356e35780c24da1e2e5d9e83
rule netd_CreatedFiles {
meta:
	author = "NCSC"
		description = "Unique file paths created by netd"
		date = "2023-08-31"
	strings:
		$ = "/data/local/tmp/.aid.cache"
		$ = "/data/local/tmp/.syscache.csv"
		$ = "/data/local/tmp/.syspackages.csv"
		$ = "/data/local/tmp/.sysinfo.csv"

## hash list
5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19
830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456
99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f
1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392
f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
23eff00dde0ee27dabad28c1f4ffb8b09e876f1e1a77c1e6fb735ab517d79b76
586f30907c3849c363145bfdcdabe3e2e4688cbd5688ff968e984b201b474730

## MSTIC_H0lyGh0st_yara_fixed
rule SiennaBlue
{
  meta:
		author = "Microsoft Threat Intelligence Center (MSTIC)"
		description = "Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples"
		hash1 = "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86"
		hash2 = "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219"
	strings:
		$holylocker_s1 = "C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go"
		$holylocker_s2 = "HolyLocker/Main.EncryptionExtension"

## NCSC Cyclops Blink yara Rules


// https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter
rule CyclopsBlink_module_initialisation
{
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to initialise the modules built into Cyclops Blink"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"

## MalShare Attackers Q1 2022
# Nuclei Scanner
103.109.111.138
103.192.77.167
103.230.104.27
103.230.105.42
103.230.106.53
103.230.107.5
103.96.104.92
103.96.104.94
103.96.104.95

## strfmt.csv

          
            StringFmt
            Assessed Name
             Description

            
              CFE
               Create File Error
               Sent if an error in calling CreateFileA() in sub_401C20()

            
              GFSE
               Get File Size Error
               Sent if an error in calling GetFileSize() in sub_401C20()

            
              LAE
               Local Alloc Error
               Sent if an error in calling LocalAlloc() in sub_401C20()

            
              RFE
               Read File Error
               Sent if an error in calling ReadFile() in sub_401C20()

            
              CPE
               Creat Process Error
               Sent if an error in calling CreateProcess() in WinMain()

            
              DFE
               Delete File Error
               Sent if an error after calling function that calls DeleteFile() in WinMain()

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                silascutler
                / keybase.md
            
            
              Created
              November 28, 2018 00:16
            
          
    Keybase proof

I hereby claim:

I am silascutler on github.
I am silascutler (https://keybase.io/silascutler) on keybase.
I have a public key ASDDh8SdafblsJStYjOI-H-ItS33KeKle1vBidzY2cpeLgo

To claim this, I am signing this object:

  
## IDA describe flags

from idautils import *
from idaapi import *
from idc import *

def descFlags(inflags):
        if inflags & FUNC_NORET:
                print "Flag: FUNC_NORET"
        if inflags & FUNC_FAR:
                print "Flag: FUNC_FAR"

## lsandbox
#!/bin/bash
# (C) Silas `p1nk` Cutler 2017
# Simple Sandbox Runner


VM_NAME="sandbox"
VM_USER="administrator"
VM_PASS="password"

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                silascutler
                / keybase.md
            
            
              Created
              October 8, 2014 11:59
            
          
    Keybase proof

I hereby claim:

I am silascutler on github.
I am silascutler (https://keybase.io/silascutler) on keybase.
I have a public key whose fingerprint is C55A FC29 84F9 375A 0C12  CF4F 3E18 4A6C 6554 A731

To claim this, I am signing this object:
	rule netd_CreatedFiles {
	meta:
	author = "NCSC"
	description = "Unique file paths created by netd"
	date = "2023-08-31"
	strings:
	$ = "/data/local/tmp/.aid.cache"
	$ = "/data/local/tmp/.syscache.csv"
	$ = "/data/local/tmp/.syspackages.csv"
	$ = "/data/local/tmp/.sysinfo.csv"
	5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
	45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
	56925a1f7d853d814f80e98a1c4890b0a6a84c83a8eded34c585c98b2df6ab19
	830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
	458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456
	99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f
	1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392
	f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
	23eff00dde0ee27dabad28c1f4ffb8b09e876f1e1a77c1e6fb735ab517d79b76
	586f30907c3849c363145bfdcdabe3e2e4688cbd5688ff968e984b201b474730
	rule SiennaBlue
	{
	meta:
	author = "Microsoft Threat Intelligence Center (MSTIC)"
	description = "Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples"
	hash1 = "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86"
	hash2 = "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219"
	strings:
	$holylocker_s1 = "C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go"
	$holylocker_s2 = "HolyLocker/Main.EncryptionExtension"


	// https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter
	rule CyclopsBlink_module_initialisation
	{
	meta:
	author = "NCSC"
	description = "Detects the code bytes used to initialise the modules built into Cyclops Blink"
	hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
	hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
	# Nuclei Scanner
	103.109.111.138
	103.192.77.167
	103.230.104.27
	103.230.105.42
	103.230.106.53
	103.230.107.5
	103.96.104.92
	103.96.104.94
	103.96.104.95
StringFmt	Assessed Name	Description
CFE	Create File Error	Sent if an error in calling CreateFileA() in sub_401C20()
GFSE	Get File Size Error	Sent if an error in calling GetFileSize() in sub_401C20()
LAE	Local Alloc Error	Sent if an error in calling LocalAlloc() in sub_401C20()
RFE	Read File Error	Sent if an error in calling ReadFile() in sub_401C20()
CPE	Creat Process Error	Sent if an error in calling CreateProcess() in WinMain()
DFE	Delete File Error	Sent if an error after calling function that calls DeleteFile() in WinMain()

	from idautils import *
	from idaapi import *
	from idc import *

	def descFlags(inflags):
	if inflags & FUNC_NORET:
	print "Flag: FUNC_NORET"
	if inflags & FUNC_FAR:
	print "Flag: FUNC_FAR"
	#!/bin/bash
	# (C) Silas `p1nk` Cutler 2017
	# Simple Sandbox Runner



	VM_NAME="sandbox"
	VM_USER="administrator"
	VM_PASS="password"