
DarkSide FE rules
Neo23x0 committed May 13, 2021
1 parent 8ca9e30 commit 9b3b381
Showing 1 changed file with 51 additions and 0 deletions.
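--- a/yara/crime_ransom_darkside.yar
+++ b/yara/crime_ransom_darkside.yar
@@ -20,3 +20,54 @@ rule MAL_RANSOM_Darkside_May21_1 {
 filesize < 200KB and
 3 of them or all of ($op*) or all of ($s*)
 }
+
+rule MAL_Ransomware_Win_DARKSIDE_v1_1 {
+meta:
+author = "FireEye"
+date = "2021-03-22"
+description = "Detection for early versions of DARKSIDE ransomware samples based on the encryption mode configuration values."
+hash = "1a700f845849e573ab3148daef1a3b0b"
+reference = "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
+strings:
+$consts = { 80 3D [4] 01 [1-10] 03 00 00 00 [1-10] 03 00 00 00 [1-10] 00 00 04 00 [1-10] 00 00 00 00 [1-30] 80 3D [4] 02 [1-10] 03 00 00 00 [1-10] 03 00 00 00 [1-10] FF FF FF FF [1-10] FF FF FF FF [1-30] 03 00 00 00 [1-10] 03 00 00 00 }
+condition:
+(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $consts
+}
+
+rule MAL_Dropper_Win_Darkside_1 {
+meta:
+author = "FireEye"
+date_created = "2021-05-11"
+description = "Detection for on the binary that was used as the dropper leading to DARKSIDE."
+reference = "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
+strings:
+$CommonDLLs1 = "KERNEL32.dll" fullword
+$CommonDLLs2 = "USER32.dll" fullword
+$CommonDLLs3 = "ADVAPI32.dll" fullword
+$CommonDLLs4 = "ole32.dll" fullword
+$KeyString1 = { 74 79 70 65 3D 22 77 69 6E 33 32 22 20 6E 61 6D 65 3D 22 4D 69 63 72 6F 73 6F 66 74 2E 57 69 6E 64 6F 77 73 2E 43 6F 6D 6D 6F 6E 2D 43 6F 6E 74 72 6F 6C 73 22 20 76 65 72 73 69 6F 6E 3D 22 36 2E 30 2E 30 2E 30 22 20 70 72 6F 63 65 73 73 6F 72 41 72 63 68 69 74 65 63 74 75 72 65 3D 22 78 38 36 22 20 70 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D 22 36 35 39 35 62 36 34 31 34 34 63 63 66 31 64 66 22 }
+$KeyString2 = { 74 79 70 65 3D 22 77 69 6E 33 32 22 20 6E 61 6D 65 3D 22 4D 69 63 72 6F 73 6F 66 74 2E 56 43 39 30 2E 4D 46 43 22 20 76 65 72 73 69 6F 6E 3D 22 39 2E 30 2E 32 31 30 32 32 2E 38 22 20 70 72 6F 63 65 73 73 6F 72 41 72 63 68 69 74 65 63 74 75 72 65 3D 22 78 38 36 22 20 70 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D 22 31 66 63 38 62 33 62 39 61 31 65 31 38 65 33 62 22 }
+$Slashes = { 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C 7C }
+condition:
+filesize < 2MB and filesize > 500KB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (all of ($CommonDLLs*)) and (all of ($KeyString*)) and $Slashes
+}
+
+rule MAL_Backdoor_Win_C3_1 {
+meta:
+author = "FireEye"
+date_created = "2021-05-11"
+description = "Detection to identify the Custom Command and Control (C3) binaries."
+md5 = "7cdac4b82a7573ae825e5edb48f80be5"
+reference = "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
+strings:
+$dropboxAPI = "Dropbox-API-Arg"
+$knownDLLs1 = "WINHTTP.dll" fullword
+$knownDLLs2 = "SHLWAPI.dll" fullword
+$knownDLLs3 = "NETAPI32.dll" fullword
+$knownDLLs4 = "ODBC32.dll" fullword
+$tokenString1 = { 5B 78 5D 20 65 72 72 6F 72 20 73 65 74 74 69 6E 67 20 74 6F 6B 65 6E }
+$tokenString2 = { 5B 78 5D 20 65 72 72 6F 72 20 63 72 65 61 74 69 6E 67 20 54 6F 6B 65 6E }
+$tokenString3 = { 5B 78 5D 20 65 72 72 6F 72 20 64 75 70 6C 69 63 61 74 69 6E 67 20 74 6F 6B 65 6E }
+condition:
+filesize < 5MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (((all of ($knownDLLs*)) and ($dropboxAPI or (1 of ($tokenString*)))) or (all of ($tokenString*)))
+}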
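Review bot: In MAL_Dropper_Win_Darkside_1 the strings that look specific are not: $KeyString1 and $KeyString2 decode to `type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" ... publicKeyToken="6595b64144ccf1df"` and `type="win32" name="Microsoft.VC90.MFC" version="9.0.21022.8" ... publicKeyToken="1fc8b3b9a1e18e3b"`, which appear to be the stock manifest dependencies of essentially any x86 MFC binary built with VC9, and the four $CommonDLLs imports are present in most PE files, so the rule's selectivity rests almost entirely on the 20-byte `|` run plus the 500KB–2MB size window. I would add a meta note such as `score = 60` (or the repo's hunting-tier marker) and a comment stating that the manifest strings are generic, so downstream consumers do not treat a hit as high-confidence on its own. The string is named $Slashes but 0x7C is the pipe character; `$Pipes = "||||||||||||||||||||"` with the condition updated to `and $Pipes` would be both accurate and readable, and the same text form would suit $KeyString*/$tokenString*, which encode plain ASCII as hex. The description `"Detection for on the binary ..."` has a stray word. These rules also use `date_created` and `md5` where the existing rule in this file uses `date` and `hash`, which may matter for tooling that parses the meta section.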
