APPENDIX: YARA RULES
rule Destover : Backdoor
{
    // Flags Destover backdoor samples by the executable names, command template
    // and constants the report attributes to them.
    meta:
        author = "Blue Coat Systems, Inc."
        info = "Used for attacks on Sony Pictures Entertainment and targets in South Korea"

    strings:
        // $a1-$a10: executable file names carried by the sample. Several resemble
        // legitimate system binary names, so a hit on one of these alone should be
        // corroborated (file path, signer, sample hash) before acting on it.
        $a1  = "recdiscm32.exe"
        $a2  = "taskhosts64.exe"
        $a3  = "taskchg16.exe"
        $a4  = "rdpshellex32.exe"
        $a5  = "mobsynclm64.exe"
        $a6  = "comon32.exe"
        $a7  = "diskpartmg16.exe"
        $a8  = "dpnsvr16.exe"
        $a9  = "expandmn32.exe"
        $a10 = "hwrcompsvc64.exe"
        // $a12: wmic.exe remote process-creation template whose %s placeholders are
        // filled at runtime. The \" sequences are YARA escapes for literal quotes.
        // (There is no $a11 in the published rule; the gap is not an omission here.)
        $a12 = "cmd.exe /c wmic.exe /node:\"%s\" /user:\"%s\" /password:\"%s\" PROCESS CALL CREATE \"%s\" > %s"
        // $a13-$a19: long hex-digit constants found in the sample. The report does not
        // say what they encode; treat them as strong but unexplained markers.
        $a13 = "#99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C66"
        $a14 = "b8ac0905cda0360fc115f614119da76d84e2277762bd7558b2650a79013fb50138f732d5a03730d7d5b17"
        $a15 = "b076e0580463a202bad74cb9c1b85af3fb4d1be513ccca3ae8b57d193be77b4ab63802b3216d3a80b0082"
        $a16 = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40bd51483321ebe44595f7"
        $a17 = "b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d73469b8beabc1"
        $a18 = "b59d165982e3d5721c4d40195f85aedf2a12d6616be11a2c19fa11821604edc4675bdca4f9b9cbfb27244"
        $a19 = "e4004c1f94182000103d883a448b3f802ce4b44a83301270002c20d0321cfd0011ccef784c26a400f43df"
        // $b1/$b2: end-of-transfer marker strings; $b2 is matched as UTF-16LE ("wide").
        $b1 = "---------------End--------------!"
        $b2 = "WaitRecv End" wide

    condition:
        // A single $a marker is enough to fire; the two weaker $b markers must both be present.
        1 of ($a*) or all of ($b*)
}
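rule Destover2 : Backdoor
{
    // Companion Destover rule keyed on fragmented format strings, a status string
    // and one code pattern.
    // Fix: the published listing closed the rule with "}" before its condition
    // section, which YARA rejects as a syntax error; the brace now follows the
    // condition. The strings and condition are otherwise unchanged.
    meta:
        author = "Blue Coat Systems, Inc."
        info = "Used for attacks on Sony Pictures Entertainment and targets in South Korea"

    strings:
        // $a1-$a3, $b1, $c1: format-string fragments whose %s placeholders suggest an
        // executable name is assembled at runtime from pieces (inferred from the
        // pattern, not stated in the report). "fullword" requires non-alphanumeric
        // boundaries on both sides; "ascii wide" matches 8-bit and UTF-16LE forms.
        $a1 = "%sd.e%sc" fullword ascii wide
        // $a2/$a3 are two-character atoms and would be extremely noisy on their own;
        // the condition only ever uses them alongside a longer fragment.
        $a2 = "xe" fullword ascii wide
        $a3 = "cm" fullword ascii wide
        $b1 = "%smd.e%sc" fullword ascii wide
        $c1 = "%sm%se%sc" fullword ascii wide
        // Literal status string the rule keys on.
        $d = "ChfTime Success" ascii wide
        // x86 code fragment: indirect calls (FF15 ...) around a "push 0x3E" (6A3E) and
        // stack-argument pushes; the ?? bytes wildcard addresses and displacements.
        // Reading is from the opcodes, not from the report — confirm against a sample.
        $e = {FF15????????6A3EFF75??FF15????????5985C0598D85????????50FF75??68????????68????????75}
        // Command-line template redirecting stdout and stderr to a file. It is generic
        // enough that a hit on $f alone deserves corroboration.
        $f = "%s \"%s > %s 2>&1\"" ascii wide

    condition:
        // $d, $e and $f each fire on their own; the short fragments need a partner.
        all of ($a*) or ($b1 and $a2) or ($c1 and $a2) or $d or $e or $f
}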
rule DarkSeoul_Obf_ChopString : Backdoor
{
    // Matches the DarkSeoul string-"chopping" routine by its machine code rather
    // than by any plaintext, so it is unaffected by which strings are obfuscated.
    meta:
        author = "Blue Coat Systems, Inc."
        info = "Obfuscation method used by the DarkSeoul group"

    strings:
        // Read as 32-bit x86 this appears to be: zero a 0x14-dword buffer
        // (mov ecx,0x14 / rep stosd), then copy a NUL-terminated string into it
        // byte by byte while skipping '.' (cmp al,0x2E) and ' ' (cmp al,0x20).
        // The ?? wildcard covers the buffer address (mov esi,imm32). This
        // disassembly is a reviewer reading of the bytes, not from the report.
        $a1 = {8B54240456BE????????57B91400000033C08BFEF3AB803A0074158A023C2E74073C2074038806468A42014284C075EB}

    condition:
        // Single pattern, so "any of them" reduces to the pattern itself.
        $a1
}
rule DarkSeoul_Obf_BCSUB : Backdoor
{
    // Keys on one obfuscated constant. The rule name suggests a byte-subtraction
    // scheme, but the report gives neither the key nor the plaintext, so do not
    // assume what the string decodes to.
    meta:
        author = "Blue Coat Systems, Inc."
        info = "Obfuscation method used by the DarkSeoul group"

    strings:
        // Encoded constant, matched in its obfuscated form (plain ASCII, no modifiers).
        $a1 = "pM[XpSZJ[JC{"

    condition:
        // Single pattern, so "any of them" reduces to the pattern itself.
        $a1
}
rule DarkSeoul_Obf_XORA7 : Backdoor
{
    // Keys on an XOR-0xA7 encoded constant (key taken from the rule name).
    meta:
        author = "Blue Coat Systems, Inc."
        info = "Obfuscation method used by the DarkSeoul group"

    strings:
        // XOR-ing each byte with 0xA7 yields the ASCII string "GetProcAddress",
        // i.e. the sample hides the import name it resolves at runtime. Matching the
        // encoded form is what keeps this rule quiet: the plaintext is common in
        // benign binaries, the 0xA7-encoded form is not.
        $a1 = {E0C2D3F7D5C8C4E6C3C3D5C2D4D4}

    condition:
        // Single pattern, so "any of them" reduces to the pattern itself.
        $a1
}