diff --git a/third_party/yara/JPCERT/RELEASE b/third_party/yara/JPCERT/RELEASE
index 01032e6c5..e0e626cfc 100644
--- a/third_party/yara/JPCERT/RELEASE
+++ b/third_party/yara/JPCERT/RELEASE
@@ -1 +1 @@
-1b8b09eff1eaccd062993a31469158fdb5c34a06
+9315b430b0dbbb0db4da9196373ec8e26a538608
diff --git a/third_party/yara/JPCERT/contagiousinterview.yara b/third_party/yara/JPCERT/contagiousinterview.yara
new file mode 100644
index 000000000..6a19df5a7
--- /dev/null
+++ b/third_party/yara/JPCERT/contagiousinterview.yara
@@ -0,0 +1,34 @@
+rule Lazarus_OtterCookie_downloader {
+ meta:
+ description = "OtterCookie downloader"
+ author = "JPCERT/CC Incident Response Group"
+ created_date = "2025-04-02"
+ updated_date = "2025-04-02"
+ hash = "62f796ddbbd7670d7a58ecfde9a5440e4e07ca7c7fa23e6a164746ef7c55fce2"
+ hash = "4ca9ff33010f1f48b3a59c603fc7491071414fb4c6101215aab8b4b88a6b5cbf"
+
+ strings:
+ $str1 = { 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 20 3d 20 20 7b 20 64 6f 6d 61 69 6e 2c 20 73 75 62 64 6f 6d 61 69 6e 2c 20 69 64 20 7d }
+ $str2 = "const domain =" ascii
+ $str3 = "const subdomain =" ascii
+
+ condition:
+ all of them
+}
+
+rule Lazarus_OtterCookie_js {
+ meta:
+ description = "OtterCookie downloader js"
+ author = "JPCERT/CC Incident Response Group"
+ created_date = "2025-04-02"
+ updated_date = "2025-04-02"
+ hash = "71d2fd0c71b44331e08f11a254e7acc2cec3067dbd8f4848d5ef11e5a59ea253"
+
+ strings:
+ $str1 = "const GET_RPCNODE_URL = `${domain}/${subdomain}/${id}`;" ascii
+ $str2 = "axios.get(GET_RPCNODE_URL)" ascii
+ $str3 = "catch(err=>eval(err.response.data));" ascii
+
+ condition:
+ all of them
+}
\ No newline at end of file
diff --git a/third_party/yara/JPCERT/getrdoor.yara b/third_party/yara/JPCERT/getrdoor.yara
new file mode 100644
index 000000000..f07091480
--- /dev/null
+++ b/third_party/yara/JPCERT/getrdoor.yara
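Review bot: `$str1` in Lazarus_OtterCookie_downloader is an undocumented hex string, while the other new JPCERT rules in this commit annotate their hex bytes (e.g. `// 47455452` in getrdoor.yara); decoded, it is the ASCII text `module.exports =  { domain, subdomain, id }` with two spaces after `=`, so a trailing comment such as `// "module.exports =  { domain, subdomain, id }" (whitespace-exact, two spaces after '=')` would let a maintainer see that the match depends on that exact spacing. Because the condition is `all of them`, any reformatting of that line in a sample (single space, different brace spacing) drops the match; if whitespace tolerance is intended, `$str1 = /module\.exports\s*=\s*\{\s*domain,\s*subdomain,\s*id\s*\}/` keeps the same intent. The two `hash` meta keys are valid YARA, but tooling that exposes meta as a dictionary (yara-python does) keeps only the last one, so `hash1`/`hash2` would preserve both reference samples.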
@@ -0,0 +1,19 @@
+rule malware_GETRdoor {
+ meta:
+ description = "ELF backdoor targeting FortiGate"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "9da731d152c57e90cc95bc58aa55c0873005a747fda0d45529e964bdbc9dc18c"
+ created_date = "2025-11-14"
+ updated_date = "2025-11-14"
+
+ strings:
+ $s1 = "do_upload: file open failed" ascii
+ $s2 = "/bin/snifferd" ascii
+ $s3 = "tcp[(tcp[12]>>2):%d] = 0x%s" ascii
+ $s4 = {00 34 37 34 35 35 34 35 32 00} // 47455452
+ $s5 = "diagnose debug crashlog clear" ascii
+ $s6 = {00 0A 30 78 30 30 30 30 00} // \n0x0000
+
+ condition:
+ 3 of them
+}
\ No newline at end of file
diff --git a/third_party/yara/JPCERT/pangolin8rat.yara b/third_party/yara/JPCERT/pangolin8rat.yara
index 0380eb91e..eae101fec 100644
--- a/third_party/yara/JPCERT/pangolin8rat.yara
+++ b/third_party/yara/JPCERT/pangolin8rat.yara
@@ -1,7 +1,7 @@
 rule malware_Pangolin8RAT {
 meta:
- description = "Hunt GobLoaderScript"
+ description = "Hunt Pangolin8RAT"
 author = "JPCERT/CC Incident Response Group"
 hash = "F95441B1CD6399887E99DBE6AA0CEB0CA907E8175192E71F8F1A4CCA49E8FC82"
diff --git a/third_party/yara/JPCERT/stonemite.yara b/third_party/yara/JPCERT/stonemite.yara
new file mode 100644
index 000000000..41c554310
--- /dev/null
+++ b/third_party/yara/JPCERT/stonemite.yara
@@ -0,0 +1,16 @@
+rule malware_STONEMITE {
+ meta:
+ description = "STONEMITE RAT"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "da1b52f8f3d2f99abf17790a2eb932f7db3c70bb71af89a5eff2e59540c9f78c"
+ created_date = "2025-11-14"
+ updated_date = "2025-11-14"
+
+ strings:
+ $s1 = {3D 27 07 00 00 75 ?? 6A 00 6A 00 68 28 07 00 00 FF 75 ?? E8}
+ $s2 = "POST /%s HTTP/1.1" ascii
+ $s3 = "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" ascii
+
+ condition:
+ all of them
+}
\ No newline at end of file
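Review bot: The condition `3 of them` in malware_GETRdoor is satisfied by `$s2`, `$s5` and `$s6` alone, and `/bin/snifferd` and `diagnose debug crashlog clear` read like legitimate FortiOS paths and CLI text while `\n0x0000` is generic, so a firmware image, a support bundle or a document quoting FortiOS commands may hit the rule; `($s1 or $s4) and 3 of them` would keep the 3-of-6 tolerance while anchoring on the strings that look specific to the implant. Since the description says ELF, `uint32(0) == 0x464C457F and 3 of them` is the other option, at the cost of no longer matching memory dumps or extracted string sets, which may be the intent. The `// 47455452` comment on `$s4` repeats the ASCII content of the bytes rather than explaining it; `// ASCII "47455452", the hex spelling of "GETR"` would say what the marker presumably is.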
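Review bot: `$s1` in malware_STONEMITE is an uncommented opcode pattern, unlike the hex strings in getrdoor.yara in the same commit; it decodes as 32-bit x86 `cmp eax, 0x727 / jne / push 0 / push 0 / push 0x728 / push [ebp+X] / call`, so a trailing comment like `// cmp eax,0x727; jne; push 0; push 0; push 0x728; push dword [ebp+X]; call` would let a maintainer re-derive the 0x727/0x728 constants when a variant changes them. `$s3` is a complete Chrome 75 User-Agent that legitimate HTTP clients also carry, but under `all of them` it only narrows the match, so no change is needed there.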
diff --git a/third_party/yara/JPCERT/veletrix.yara b/third_party/yara/JPCERT/veletrix.yara
new file mode 100644
index 000000000..d9af645e4
--- /dev/null
+++ b/third_party/yara/JPCERT/veletrix.yara
@@ -0,0 +1,43 @@
+rule malware_VeletrixLoader {
+ meta:
+ description = "Veletrix Loader"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "253ff072d71caeb02ed596fd6aa266e625f51a09d49d82726a11b66218bdd6c3"
+ created_date = "2025-10-16"
+ updated_date = "2025-10-16"
+
+ strings:
+ $logfile = {
+ C7 45 ?? 6C 6F 67 5F
+ 48 8D 4D ??
+ C7 45 ?? 64 65 2E 00
+ C7 85 ?? ?? ?? ?? 6C 6F 67 00
+ }
+
+ $xor_decode = {
+ 41 8D 0C 30
+ 45 03 C6
+ 80 34 39 99
+ 44 3B C0
+ }
+
+ condition:
+ all of them
+}
+
+rule malware_VeletrixLoader_python {
+ meta:
+ description = "Veletrix Loader"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "96fe34f367423a1ca75e0e0b293ef4918ca30f5efcb36c9b67dec746493f3b37"
+ created_date = "2025-10-16"
+ updated_date = "2025-10-16"
+
+ strings:
+ $msg = "执行Shellcode(生产环境需极度谨慎!)" ascii
+ $func = "def run_shellcode(shellcode)" ascii
+ $shell = "\\x64\\x65\\x2e\\x00\\xc7" ascii
+
+ condition:
+ 2 of them
+}
\ No newline at end of file
diff --git a/third_party/yara/bartblaze/RELEASE b/third_party/yara/bartblaze/RELEASE
index e30760524..f94ddd2c5 100644
--- a/third_party/yara/bartblaze/RELEASE
+++ b/third_party/yara/bartblaze/RELEASE
@@ -1 +1 @@
-5f691e0d7d423a58d2217d5c08fa2f1c00b75a93
+a88bd98592ea6dd57da61bbcb8de76eb8cbf33b6
diff --git a/third_party/yara/bartblaze/generic/LNK_Ruleset.yar b/third_party/yara/bartblaze/generic/LNK_Ruleset.yar
index 453245f62..ce78e920a 100644
--- a/third_party/yara/bartblaze/generic/LNK_Ruleset.yar
+++ b/third_party/yara/bartblaze/generic/LNK_Ruleset.yar
@@ -8,7 +8,7 @@ private rule isLNK
 version = "1.0"
 creation_date = "2020-01-01"
 first_imported = "2021-12-30"
- last_modified = "2021-12-30"
+ last_modified = "2025-11-14"
 status = "RELEASED"
 sharing = "TLP:WHITE"
 source = "BARTBLAZE"
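Review bot: `$xor_decode` in malware_VeletrixLoader hardcodes the single-byte XOR key in `80 34 39 99` (`xor byte [rcx+rdi], 0x99`), so a rebuild with a different key evades the rule even though the surrounding loop (`lea ecx,[r8+rsi] / add r8d,r14d / cmp r8d,eax`) is what identifies the decoder; `80 34 39 ??` keeps the loop shape and wildcards the key, with a comment such as `// xor byte [rcx+rdi], key (observed value 0x99)` recording what was seen. `$logfile` likewise deserves a one-line comment: its immediates are the stack-string pieces `log_`, `de.\0` and `log\0` written via `mov dword [rbp+X], imm32`, which is not obvious from the raw bytes. Both rules carry `description = "Veletrix Loader"`; the second matches the Python runner script (`def run_shellcode`), so `description = "Veletrix Loader python shellcode runner script"` would distinguish them in match output.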
@@ -54,7 +54,7 @@ rule PS_in_LNK
 $ = "bypass" ascii wide nocase
 condition:
- isLNK and any of them
+ isLNK and 2 of them
 }
 rule Script_in_LNK
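Review bot: The tightening to `isLNK and 2 of them` in PS_in_LNK carries no comment stating why two indicators are now required, and the rule's string list begins outside the hunk, so a reader of the new condition cannot tell which single token (the visible `"bypass" ascii wide nocase` is the obvious candidate) was producing false positives; a comment above the condition, `// single generic tokens such as "bypass" also appear in legitimate shortcuts; require two`, would capture the rationale. The hunk at line 8 bumps `last_modified` only for the private rule isLNK; if PS_in_LNK carries the same meta block (not visible here), its `last_modified` and `version` should be bumped too, since its matching behaviour is what actually changed.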