bozhihouc/d-eyes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
d-eyes/yaraRules/Ransom.DarkSide.yar

266 lines
26 KiB
Plaintext
Raw Permalink Normal View History

feat(d-eyes): init
2023-11-06 16:31:16 +08:00
import "hash"
rule RANSOM_darkside
{
meta:
description ="Detect the risk of Ransomeware Darkside Rule 1"
detail = "Rule to detect packed and unpacked samples of DarkSide"
strings:
$pattern_0 = { CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC558BEC5053515256570FEFC0660FEFC033DB8B7D088B450C33D2B910000000F7F185C0740B0F110783C7104885C075F585D27502EB5892B908000000F7F185C0740B0F7F0783C7084885C075F585D27502EB3B92B904000000F7F185C0740A891F83C7044885C075F685D27502EB1F92B902000000F7F185C0740B66891F83C7024885C075F585D27502EB02881F5F5E5A595B585DC20800558BEC5053515256578B750C8B7D088B451033D2B910000000F7F185C074110F10060F110783C61083C7104885C075EF85D27502EB6892B908000000F7F185C074110F6F060F7F0783C60883C7084885C075EF85D27502EB4592B904000000F7F185C0740F8B1E891F83C60483C7044885C075F185D27502EB2492B902000000F7F185C0740E66891F83C60283C7024885C075F285D27502EB048A1E881F5F5E5A595B585DC20C00558BEC53515256578B4D0C8B75088B7D1033C033DBAC8AD8C0E80480E30F3C0072063C09770204303C0A72063C0F7702045780FB00720880FB09770380C33080FB0A720880FB0F770380C35766AB8AC366AB4985C975BE6633C066AB5F5E5A595B5DC20C00558BEC53515256578B75088B7D0C55FCB2808A0683C601880783C701BB0200000002D275058A164612D273E602D275058A164612D2734F33C002D275058A164612D20F83DB00000002D275058A164612D213C002D275058A164612D213C002D275058A164612D213C002D275058A164612D213C074068BDF2BD88A03880747BB02000000EB9BB80100000002D275058A164612D213C002D275058A164612D272EA2BC3BB010000007528B90100000002D275058A164612D213C902D275058A164612D272EA568BF72BF5F3A45EE94FFFFFFF48C1E0088A06468BE8B90100000002D275058A164612D213C902D275058A164612D272EA3D007D000083D9FF3D0005000083D9FF3D8000000083D1003D8000000083D100568BF72BF0F3A45EE9FEFEFFFF8A064633C9C0E801741783D1028BE8568BF72BF0F3A45EBB01000000E9DDFEFFFF5D2B7D0C8BC75F5E5A595B5DC20800558BEC53515256578B7D088B450CB9FF00000033D2F7F185C074188BD868FF00000057E8AD00000081C7FF0000004B85DB75EA85D274075257E8970000005F5E5A595B5DC20800558BEC5351525657B9F0000000BEB2B640008B45088B108B58048B78088B400C89540E0C89440E08895C0E04893C0E81EA101010102D1010101081EB1010101081EF1010101083E91079D533D233C98B750C33DB8B7D108A81B2B6400002141E02D08AA2B2B64000438882B2B6400088A1B2B640003BDF7306FEC175DAEB0633DBFEC175D25F5E5A595B5DC20C00558BEC535152565733C0A3C2B84000A3C6B84000B9400000008D35B2B640008D3DB2B74000F3A58B7D088B15C2B840008B4D0C8B1DC6B840004F33C0029AB3B740008A82B3B740008AABB2B740008883B2B7400088AAB3B7400002C5478A80B2B74000FEC23007FEC975D18915C2B84000891DC6B840005F5E5A595B5DC2080053515256578D35047040008D3DCAB84000FF76FC56E891FEFFFF56E8864500008BD8FF76FC56E888FBFFFF8B46FC8D3406B915000000E85C010000AD5056E868FEFFFF56E85D4500008BD8FF76FC56E85FFBFFFF8B46FC8D3406B93D000000E833010000AD5056E83FFEFFFF5256E8334500008BD85AFF76FC56E834FBFFFF8B46FC8D3406B915000000E808010000AD5056E814FEFFFF5256E8084500008BD85AFF76FC56E809FBFFFF8B46FC8D3406B904000000E8DD000000AD5056E8E9FDFFFF5256E8DD4400008BD85AFF76FC56E8DEFAFFFF8B46FC8D3406B906000000E8B2000000AD5056E8BEFDFFFF5256E8B24400008BD85AFF76FC56E8B3FAFFFF8B46FC8D3406B901000000E887000000AD5056E893FDFFFF5256E8874400008BD85AFF76FC56E888FAFFFF8B46FC8D3406B903000000E85C000000AD5056E868FDFFFF5256E85C4400008BD85AFF76FC56E85DFAFFFF8B46FC8D3406B901000000E831000000AD5056E83DFDFFFF5256E8314400008BD85AFF76FC56E832FAFFFF8B46FC8D3406B902000000E8060000005F5E5A595BC3ADFF76FC56E80AFDFFFF515653E8F743000059ABFF76FC56E8FFF9FFFF8B46FC8D34064985C975D8C3558BEC81EC1401000053515256578D85ECFEFFFF50FF1516B940008BB5F0FEFFFF8BBDF4FEFFFF83FE05750583FF01720583FE057313B8000000005F5E5A595B8BE55DC3E9DA00000083FE05751883FF017513B8330000005F5E5A595B8BE55DC3E9BD00000083FE05751883FF027513B8340000005F5E5A595B8BE55DC3E9A000000083FE06751785FF7513B83C0000005F5E5A595B8BE55DC3E98400000083FE06751583FF017510B83D0000005F5E5A595B8BE55DC3EB6A83FE06751583FF027510B83E0000005F5E5A595B8BE55DC3EB5083FE06751583FF037510B83F0000005F5E5A595B8BE55DC3EB3683FE0A751485FF7510B8640000005F5E5A595B8BE55DC3EB1D83FE0A750583FF00770583FE0A760EB8FFFFFF7F5F5E5A595B8BE55DC3B8FFFFFFFF5F5E5A595B8BE55DC3558BEC83C4F853515256576A0068800000006A026A006A006800000040FF7508FF1526B940008945FC837DFCFF74226A008D45F850FF7510FF750CFF75FCFF1536B9400085C07409FF75FCFF153EB940005F5E5A595B8BE55DC20C008BFF558BEC5351525657837D0C0074728D3DAABA4000837D100075086A1057E842F8FFFFFF750CFF750868EFBEADDEFF15F6B84000FF750CFF750850FF15F6B840003107FF750CFF7508
$pattern_1 = { 70211F3B6E97C50000473D000000A000004602003EBBFF1F92CC558BEC5053515256570FEFC0660333DBFBFFEDFF8B7D088B450C33D2B9100000F7F185C0740B0F110783C710480A692EFB7F75F585D27502EB5892B9081C7F08B60F592E3B040A891F38049B641979F61F02661CD6FEBFEC023802881F5F5E5A595B585DC25D977E20634F8B750C9110110F1006252383FD94C61097EF6819AC59BA226F7F089DEFD8EE0119450F8B1E82C604A23E033232F1240EC602B9EC91C1A5F2048A1EA70CA12CCBD9A64D757D42E9FEFFBFAC8AD8C0E80480E30F3C0072063C09770204303C0A090FB66F6DBB5780FB140804150380C3300C0ADADFFE790F5766AB8AC3034985C975BE6646FF252CD6096564610C55FCB2806FDF86DB8A069701887801BBAD0299058A164FD62EFB4612D273E60A4F430C0F83DB7F2A7B602613C00A74068BDF2BD821EC63DB8A03644762EB9BB80142900BFBFB72EA2BC3BB1C7528B923C96F7FFB1F568BF72BF5F3A45EE94D01D248C1E008C3468BE8DE1EC26E0C0449303D007D4B83D9FF0DD93CD907058000D100BDB01BF250F04C33C974017417B1D8B0B61902561B96204B06E1C25D2B398BC75208111AEE18EDB9FF2660F4F8EFDDF7188BD8680E579B03D981C70B4B85DB75EAEE94CD5EFE7407521546B9F0256F7F6BB7BE02A6B24D50108B58048B7807400C895FF7FFDB540E03440E08895C0E04893C0E81EA10002D048168ED9FB1EB05EF83E91079D57EC0DFFFFDE4EC80108A814A02141E02D08AA20A436BFFBFDF88820688A1053BDF7306FEC175DAEB062C076E0B29A3D227F8A327A8C27DFBEDFE04C6B940998D35378D3D05A7B2F3A57DBC8FF7F31520B41D242A9A1BFB8DDD1CB38A8205AB28888305AA11D88DFFFE02C5478A800EFEC23007FEA0D189402F9684D8893D0D7C6BF07BF8CF6004A8CAFF76FC5630040549FF33FFDBAC59109C0C8B46FC8D3406B9150F477291BD05F0AD50283D52C252D961295A532A02B902BB04550608B902B90103E10843260299C3AD8615B2BF2751565333F959AB329FE0EEF874D8C33F81EC1468C885ECFE7777DFF0FFFF50FF4FA9168BB5F00C8BBDF40583FE055877F74BA483FF017205097313B86D00695BF36DFA8BE55DC36C073C2118751C3300D21C210234DF04D2FD06751785FF1B3C1555109AC11EC8B83DEB6A19023EA419644250033FC866DE2636690A75141864FECDEE4C1DDE00770A760EB8FFFFFF7F1B927C490DFF3083C4AEFD7A84F82D6A0068976A02080AFE8FB07509405A083B268945FC837DFCFF7422916D73DF188D45F85072020C1DFC34ECB0AE3672090C3E59746B43DACC8BFFCE3C0D7472E1AD44FB51AAAA0B04576A1057BC67BF3F16470868EFBEADDE3FA8F6105090BDB0670C31070E47040F92F50EC9080CB8624E071B5913D85CD6A8DE6D1FDF6AF9E4D88D045D6D50DAFF58F78F7D63AEC6BE8BF085F6743429562ADDDCE1CBCE088D430119FDBDFF56B027ECEF0A1AAA065639C68BC37077FB9C630484FAF4BAF10B6807A31DB0B14CF20A8BD12DE09A3871989ABBFD24E84013CB376608A783FB048DD2D90317B87FDEFC87DEF8C4E55D49C628308D17EE000DC32FF145B083C027E0F089850CE3FD202387B960051108102B99FE37040B7D14000F8475C41E0FA6DBC5F60F571C119846100320ED17EF8930B1BD4EB0104E17D32CDBCB1056105E3026074F57CDE6E26E5F304840732AE457008B6FF017BF954D8BFAFB4D148A3FFF88447B6DFBD30FFFA3F389550C02106E5359FDF0A964085556BD0A14078B5F6FFFDFBE354F208B5792F003F2C1C60733DE8BF303F0080933CEED2FFFF28BF103F30D33D68BF203F11233C68907892ECBB26D96898947143A243404CBD612202F3B24342CCBB22C0428380818CBB25C802838081820CBB22C3C0C1C2CDFB22C173C0C1C2CED0463476063760CED04750C53606363ED187510ED18D80863637510ED2C6424ED3036C2142C6524ED30234C818D6538ED3065386DA30DFC4D85ED0F851B975E5DF30702CBE5726BC80357105F1867206FB6022F972877307F380F0C024EE572B9DC1EFE56FE5EFE66FE6EA6D996CBFE76FE7E7F3D7F7F94A6699A7F7F7F7F7F9AE5C8708D6B5757575D8C966B57BED8FE2011BFE4B834118B9DA7274320837B2086F1B195000824E977EF1866C335DB32C500E4B2BD154E8B55BA338942200524B5655BFA24EB16831940030C6D370297C0237485CAFC86C21297EE1A818880308D7D80F3B920B16FE21DF2F3ABB900DF518D7580F810CD33E7FED1168D7604E2F92175128B06194DA6ECED078D7F17F473181911C9600933C441290CD5BB0A5B5B59F033E476B05505E00CEDAA9BBDB266E03AA5D908A6BFB960DDDFFCDD4FE0C64580018BA98F7EF05D0C81C379B981A849B1BE07D84150F8510851FC8DAB8360115F547B8D626FADBB1D508D3B50E874D3815240D3E0BF6563F02203740F9908199BBB4B1961646306AE9B780C830627307DC7E63041B73BDB06F8410ECB8A369391B8D51A68A41F000B8278E2C406CE1F0926023676729008AA12F80C1A24446B4B22170E54206317F226F8C37EF45B18B8C3F8EF238B71C65E4E62F475F8F46A0514066C737F01CE04EB43EB3F3D310A1B1CB5D84CD837C2EBC60D2C5A839117A1C12C4468F7BBA5196AD2C86AD6616CDBD8288E2E33ED3CAD1D14C3999178FF733C02CA74D72E71A1A14402EBFC1C332275D4565858CA5D4F846D35570F06E6AC62895FE9BF454B183B480875278D1F30AABEC220586C3BEA0F2C3A0E186BD5E850C63826070017E40793C5F30C0262CC0D776B110D6F68081017F4FDDD58B2C77568
condition:
$pattern_0 or $pattern_1 and filesize < 5831344
}
rule MAL_RANSOM_Darkside_May21_1 {
meta:
description ="Detect the risk of Ransomeware Darkside Rule 2"
hash1 = "ec368752c2cf3b23efbfa5705f9e582fc9d6766435a7b8eea8ef045082c6fbce"
strings:
$op1 = { 85 c9 75 ed ff 75 10 ff b5 d8 fe ff ff ff b5 dc fe ff ff e8 7d fc ff ff ff 8d cc fe ff ff 8b 8d cc fe ff ff }
$op2 = { 66 0f 6f 06 66 0f 7f 07 83 c6 10 83 c7 10 49 85 c9 75 ed 5f }
$op3 = { 6a 00 ff 15 72 0d 41 00 ab 46 81 fe 80 00 00 00 75 2e 6a ff 6a 01 }
$op4 = { 0f b7 0c 5d 88 0f 41 00 03 4c 24 04 89 4c 24 04 83 e1 3f 0f b7 14 4d 88 0f 41 00 03 54 24 08 89 54 24 08 83 e2 3f }
$s1 = "http://darksid" ascii
$s2 = "[ Welcome to DarkSide ]" ascii
$s3 = ".onion/" ascii
condition:
uint16(0) == 0x5a4d and
filesize < 200KB and
3 of them or all of ($op*) or all of ($s*)
}
rule MAL_Ransomware_Win_DARKSIDE_v1_1 {
meta:
description ="Detect the risk of Ransomeware Darkside Rule 3"
detail= "Detection for early versions of DARKSIDE ransomware samples based on the encryption mode configuration values."
strings:
$consts = { 80 3D [4] 01 [1-10] 03 00 00 00 [1-10] 03 00 00 00 [1-10] 00 00 04 00 [1-10] 00 00 00 00 [1-30] 80 3D [4] 02 [1-10] 03 00 00 00 [1-10] 03 00 00 00 [1-10] FF FF FF FF [1-10] FF FF FF FF [1-30] 03 00 00 00 [1-10] 03 00 00 00 }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $consts
}
rule MAL_Dropper_Win_Darkside_1 {
meta:
description ="Detect the risk of Ransomeware Darkside Rule 4"
description = "Detection for on the binary that was used as the dropper leading to DARKSIDE."
strings:
$CommonDLLs1 = "KERNEL32.dll" fullword
$CommonDLLs2 = "USER32.dll" fullword
$CommonDLLs3 = "ADVAPI32.dll" fullword
$CommonDLLs4 = "ole32.dll" fullword
$KeyString1 = { 74 79 70 65 3D 22 77 69 6E 33 32 22 20 6E 61 6D 65 3D 22 4D 69 63 72 6F 73 6F 66 74 2E 57 69 6E 64 6F 77 73 2E 43 6F 6D 6D 6F 6E 2D 43 6F 6E 74 72 6F 6C 73 22 20 76 65 72 73 69 6F 6E 3D 22 36 2E 30 2E 30 2E 30 22 20 70 72 6F 63 65 73 73 6F 72 41 72 63 68 69 74 65 63 74 75 72 65 3D 22 78 38 36 22 20 70 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D 22 36 35 39 35 62 36 34 31 34 34 63 63 66 31 64 66 22 }
$KeyString2 = { 74 79 70 65 3D 22 77 69 6E 33 32 22 20 6E 61 6D 65 3D 22 4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D 46 43 22 20 76 65 72 73 69 6F 6E 3D 22 39 2E 30 2E 32 31 30 32 32 2E 38 22 20 70 72 6F 63 65 73 73 6F 72 41 72 63 68 69 74 65 63 74 75 72 65 3D 22 78 38 36 22 20 70 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D 22 31 66 63 38 62 33 62 39 61 31 65 31 38 65 33 62 22 }
$Slashes = { 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C }
condition:
filesize < 2MB and filesize > 500KB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (all of ($CommonDLLs*)) and (all of ($KeyString*)) and $Slashes
}
rule MAL_Backdoor_Win_C3_1 {
meta:
description ="Detect the risk of Ransomeware Darkside Rule 5"
detail = "Detection to identify the Custom Command and Control (C3) binaries."
md5 = "7cdac4b82a7573ae825e5edb48f80be5"
strings:
$dropboxAPI = "Dropbox-API-Arg"
$knownDLLs1 = "WINHTTP.dll" fullword
$knownDLLs2 = "SHLWAPI.dll" fullword
$knownDLLs3 = "NETAPI32.dll" fullword
$knownDLLs4 = "ODBC32.dll" fullword
$tokenString1 = { 5B 78 5D 20 65 72 72 6F 72 20 73 65 74 74 69 6E 67 20 74 6F 6B 65 6E }
$tokenString2 = { 5B 78 5D 20 65 72 72 6F 72 20 63 72 65 61 74 69 6E 67 20 54 6F 6B 65 6E }
$tokenString3 = { 5B 78 5D 20 65 72 72 6F 72 20 64 75 70 6C 69 63 61 74 69 6E 67 20 74 6F 6B 65 6E }
condition:
filesize < 5MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (((all of ($knownDLLs*)) and ($dropboxAPI or (1 of ($tokenString*)))) or (all of ($tokenString*)))
}
rule Win32_Ransomware_DarkSide : tc_detection malicious
{
meta:
description ="Detect the risk of Ransomeware Darkside Rule 6"
strings:
$find_files_v1 = {
55 8B EC 81 EC ?? ?? ?? ?? 53 51 52 56 57 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ??
83 7D ?? ?? 0F 84 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 04 45 ?? ?? ??
?? 50 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ??
?? FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 83 C4 ?? FF 75 ?? E8 ?? ?? ?? ?? C7 45 ?? ??
?? ?? ?? 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 8D 85 ??
?? ?? ?? 50 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 8D 9D ?? ??
?? ?? 83 3B ?? 74 ?? 81 3B ?? ?? ?? ?? 74 ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8D 85 ?? ??
?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 83 7D ??
?? 74 ?? FF 75 ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 45 ?? 5F 5E 5A 59 5B
8B E5 5D C2
}
$enumerate_drives = {
55 8B EC 81 EC ?? ?? ?? ?? 53 51 52 56 57 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15
?? ?? ?? ?? 8B D8 85 DB 74 ?? C1 EB ?? 8D B5 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 83 F8
?? 74 ?? 83 F8 ?? 75 ?? 56 E8 ?? ?? ?? ?? 8D 76 ?? 4B 85 DB 75 ?? 5F 5E 5A 59 5B 8B
E5 5D C3 55 8B EC 81 EC ?? ?? ?? ?? 53 51 52 56 57 8D 85 ?? ?? ?? ?? 50 FF 75 ?? E8
?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 45 ?? C7
00 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4
?? 6A ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ??
?? 89 45 ?? 83 7D ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? 66 A9 ?? ?? 74 ?? 6A ?? 8D 85 ?? ??
?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 8D 40 ?? 50 FF 15 ?? ?? ??
?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15
?? ?? ?? ?? 85 C0 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 5F 5E 5A 59 5B 8B E5 5D C2
}
$escalate_privileges = {
55 8B EC 83 C4 ?? 53 51 52 56 57 8D 45 ?? 50 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 0F
85 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75
?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 8D 45 ?? 50
FF 75 ?? FF 75 ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 75 ?? AD 8B F8 83
7E ?? ?? 74 ?? C7 46 ?? ?? ?? ?? ?? 83 C6 ?? 4F 85 FF 75 ?? 6A ?? 6A ?? 6A ?? FF 75
?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ??
?? FF 75 ?? FF 15 ?? ?? ?? ?? 5F 5E 5A 59 5B 8B E5 5D C3
}
$enumerate_netshare = {
55 8B EC 81 EC ?? ?? ?? ?? 53 51 52 56 57 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15
?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 7D ?? 8D 45 ?? 50 8D 45 ?? 50 8D 45 ?? 50 6A ??
8D 45 ?? 50 6A ?? 57 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 75 ?? 83 7E ?? ?? 75 ?? 68 ??
?? ?? ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 C7 03 ?? ?? ?? ?? C7 43 ??
?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? 8D 47 ?? 50 53 FF 15 ?? ?? ??
?? 83 C4 ?? 53 FF 15 ?? ?? ?? ?? FF 36 53 FF 15 ?? ?? ?? ?? 83 C4 ?? 53 E8 ?? ?? ??
?? 53 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 C6 ?? FF 4D ?? 83 7D ?? ?? 75 ??
FF 15 ?? ?? ?? ?? 5F 5E 5A 59 5B 8B E5 5D C2
}
$find_files_v2 = {
55 8B EC 81 EC ?? ?? ?? ?? 53 51 52 56 57 8D 85 ?? ?? ?? ?? 50 FF 75 ?? E8 ?? ?? ??
?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D BD
?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 83 C4 ?? 57 FF 15 ?? ?? ?? ??
83 C4 ?? 66 83 7C 47 ?? ?? 74 ?? 66 C7 04 47 ?? ?? 83 C7 ?? C7 04 47 ?? ?? ?? ?? C7
44 47 ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 8D 85 ?? ?? ?? ??
50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? 66 A9 ?? ?? 74 ??
8D 9D ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 83 C4
?? 6A ?? 56 FF 15 ?? ?? ?? ?? 83 C4 ?? 83 C0 ?? 53 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 56
E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 75 ??
FF 15 ?? ?? ?? ?? 5F 5E 5A 59 5B 8B E5 5D C2
}
condition:
uint16(0) == 0x5A4D and
(
(
$find_files_v1 and
$enumerate_drives and
$escalate_privileges
) or
(
$find_files_v2 and
$enumerate_netshare
)
)
}
rule win_darkside_auto {
meta:
description ="Detect the risk of Ransomeware Darkside Rule 7"
strings:
$sequence_0 = { 12d2 13c0 7406 8bdf }
// n = 4, score = 900
// 12d2 | adc dl, dl
// 13c0 | adc eax, eax
// 7406 | je 8
// 8bdf | mov ebx, edi
$sequence_1 = { 12d2 73e6 02d2 7505 8a16 46 }
// n = 6, score = 900
// 12d2 | adc dl, dl
// 73e6 | jae 0xffffffe8
// 02d2 | add dl, dl
// 7505 | jne 7
// 8a16 | mov dl, byte ptr [esi]
// 46 | inc esi
$sequence_2 = { 83c701 bb02000000 02d2 7505 8a16 46 12d2 }
// n = 7, score = 900
// 83c701 | add edi, 1
// bb02000000 | mov ebx, 2
// 02d2 | add dl, dl
// 7505 | jne 7
// 8a16 | mov dl, byte ptr [esi]
// 46 | inc esi
// 12d2 | adc dl, dl
$sequence_3 = { b9f0000000 be???????? 8b4508 8b10 }
// n = 4, score = 900
// b9f0000000 | mov ecx, 0xf0
// be???????? |
// 8b4508 | mov eax, dword ptr [ebp + 8]
// 8b10 | mov edx, dword ptr [eax]
$sequence_4 = { 8b7808 8b400c 89540e0c 89440e08 895c0e04 893c0e }
// n = 6, score = 900
// 8b7808 | mov edi, dword ptr [eax + 8]
// 8b400c | mov eax, dword ptr [eax + 0xc]
// 89540e0c | mov dword ptr [esi + ecx + 0xc], edx
// 89440e08 | mov dword ptr [esi + ecx + 8], eax
// 895c0e04 | mov dword ptr [esi + ecx + 4], ebx
// 893c0e | mov dword ptr [esi + ecx], edi
$sequence_5 = { 81c7ff000000 4b 85db 75ea }
// n = 4, score = 900
// 81c7ff000000 | add edi, 0xff
// 4b | dec ebx
// 85db | test ebx, ebx
// 75ea | jne 0xffffffec
$sequence_6 = { 33db fec1 75d2 5f 5e 5a }
// n = 6, score = 900
// 33db | xor ebx, ebx
// fec1 | inc cl
// 75d2 | jne 0xffffffd4
// 5f | pop edi
// 5e | pop esi
// 5a | pop edx
$sequence_7 = { 8b5804 8b7808 8b400c 89540e0c 89440e08 895c0e04 893c0e }
// n = 7, score = 900
// 8b5804 | mov ebx, dword ptr [eax + 4]
// 8b7808 | mov edi, dword ptr [eax + 8]
// 8b400c | mov eax, dword ptr [eax + 0xc]
// 89540e0c | mov dword ptr [esi + ecx + 0xc], edx
// 89440e08 | mov dword ptr [esi + ecx + 8], eax
// 895c0e04 | mov dword ptr [esi + ecx + 4], ebx
// 893c0e | mov dword ptr [esi + ecx], edi
$sequence_8 = { 85c0 7418 8bd8 68ff000000 57 e8???????? 81c7ff000000 }
// n = 7, score = 900
// 85c0 | test eax, eax
// 7418 | je 0x1a
// 8bd8 | mov ebx, eax
// 68ff000000 | push 0xff
// 57 | push edi
// e8???????? |
// 81c7ff000000 | add edi, 0xff
$sequence_9 = { 5b 5d c20c00 55 8bec 53 51 }
// n = 7, score = 900
// 5b | pop ebx
// 5d | pop ebp
// c20c00 | ret 0xc
// 55 | push ebp
// 8bec | mov ebp, esp
// 53 | push ebx
// 51 | push ecx
condition:
7 of them and filesize < 286720
}
rule darkside_hash
{
meta:
description ="Detect the risk of Ransomeware Darkside Rule 8"
condition:
hash.sha256(0,filesize) =="0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9"
}
Reference in New Issue Copy Permalink