@stvemillertime
Last active May 28, 2020 16:44
rule Methodology_RareEquities_Library_WolfSSL
{
    meta:
        author = "@stvemillertime"
        description = "This looks for PEs with strings from WolfSSL libraries (formerly CyaSSL). Matches on this rule may have built-in SSL capability. This hilariously catches 15+ distinct malware families from 8+ distinct APT and UNC clusters...and...TRICKBOT (shame, shame)."
        ref_md5 = "ad41c3e660cb6cfad9b4d63af5d96469"
    strings:
        // Library-specific anchors (required): the TLS "finished" labels as they appear,
        // run together with the sender constants, in wolfSSL/CyaSSL builds.
        $base = "CLNTSRVRclient finished" ascii wide
        $base2 = "CLNTserver finished" ascii wide
        // Generic TLS 1.0-1.2 PRF labels. Other TLS stacks carry these too, so they
        // only corroborate a $base* hit and are never sufficient on their own.
        $a1 = "server finished" ascii wide
        $a2 = "master secret" ascii wide
        $a3 = "key expansion" ascii wide
        // CyaSSL/wolfSSL-specific error and compatibility-layer strings.
        // No modifiers, so these match ASCII only (YARA default), unlike the groups above.
        $z1 = "SSLeay wolfSSL compatibility"
        $z2 = "CyaSSL_write lenSend error!"
        $z3 = "CyaSSL_write sendData error!"
        $z4 = "CyaSSL_read lenRecv error!"
        $z5 = "CyaSSL_read data error!"
    condition:
        // "MZ" at offset 0 and "PE\0\0" at e_lfanew (little-endian reads), then at least
        // one library-specific anchor plus at least one corroborating string.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        (any of ($base*)) and ((any of ($a*)) or (any of ($z*)))
}
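The rule's condition re-implemented in plain Python, as an added example that is not part of the gist and not the author's or wolfSSL's code. It exists so the matching logic can be exercised offline without yara installed: it mirrors the MZ/PE header reads (little-endian, out-of-range e_lfanew treated as no match, as YARA does with an undefined read) and the `ascii wide` semantics, including the fact that the $z strings are ASCII-only. The `fake_pe` helper and every byte string it is fed are constructed for illustration and are not real samples. For actual scanning, load the rule with the yara CLI or yara-python.

```python
"""Pure-Python mirror of Methodology_RareEquities_Library_WolfSSL's condition.

Added example for understanding/testing the rule; constructed inputs only.
"""
import struct

# Strings copied from the rule as (text, matches_ascii, matches_wide).
# A YARA string with no modifier is ASCII-only, hence wide=False for $z*.
BASE = [
    ("CLNTSRVRclient finished", True, True),
    ("CLNTserver finished", True, True),
]
A = [
    ("server finished", True, True),
    ("master secret", True, True),
    ("key expansion", True, True),
]
Z = [
    ("SSLeay wolfSSL compatibility", True, False),
    ("CyaSSL_write lenSend error!", True, False),
    ("CyaSSL_write sendData error!", True, False),
    ("CyaSSL_read lenRecv error!", True, False),
    ("CyaSSL_read data error!", True, False),
]


def _encodings(text, ascii_, wide):
    """Byte forms YARA would search for: ASCII and/or UTF-16LE ("wide")."""
    forms = []
    if ascii_:
        forms.append(text.encode("ascii"))
    if wide:
        forms.append(text.encode("utf-16-le"))
    return forms


def any_of(data, group):
    """Equivalent of `any of ($prefix*)` for one string group."""
    return any(
        enc in data for text, asc, wide in group for enc in _encodings(text, asc, wide)
    )


def is_pe(data):
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):  # YARA: undefined read -> condition is false
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def matches(data):
    """The full rule condition over a byte string."""
    return is_pe(data) and any_of(data, BASE) and (any_of(data, A) or any_of(data, Z))


def fake_pe(*payload):
    """Constructed input: 0x40-byte DOS stub whose e_lfanew points at 'PE\\0\\0',
    followed by whatever byte strings the caller wants the scanner to see."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"".join(payload)


def demo():
    """Run the condition over a few constructed cases; returns {label: bool}."""
    wide = lambda s: s.encode("utf-16-le")
    cases = {
        "ascii base + ascii prf label": fake_pe(b"CLNTSRVRclient finished", b"master secret"),
        "wide base + wide prf label": fake_pe(wide("CLNTSRVRclient finished"), wide("key expansion")),
        "ascii base + ascii CyaSSL error": fake_pe(b"CLNTSRVRclient finished", b"CyaSSL_read data error!"),
        "ascii base + WIDE CyaSSL error (z is ascii-only)": fake_pe(
            b"CLNTSRVRclient finished", wide("CyaSSL_read data error!")),
        "prf labels but no base anchor": fake_pe(b"master secret", b"key expansion"),
        "strings present but not a PE": b"MZ" + b"\x00" * 200 + b"CLNTSRVRclient finished master secret",
        "base2 alone (contains 'server finished')": fake_pe(b"CLNTserver finished"),
    }
    return {label: matches(blob) for label, blob in cases.items()}


if __name__ == "__main__":
    for label, hit in demo().items():
        print(f"{'MATCH ' if hit else 'no    '} {label}")
```

Two things the mirror makes visible. First, the $z strings carry no modifiers, so a UTF-16 build of CyaSSL's error text would not satisfy that group; that is how the rule is written, not a bug, but worth knowing when a sample is Unicode-heavy. Second, "CLNTserver finished" contains "server finished", so any PE that hits $base2 also hits $a1 and matches on that alone; the corroboration requirement only really bites for the $base string.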