/* Yara Rule Set Author: Florian Roth Date: 2017-07-23 Identifier: Operation Wilted Tulip Reference: http://www.clearskysec.com/tulip */ import "pe" /* Rule Set ----------------------------------------------------------------- */ rule WiltedTulip_tdtess { meta: description = "Detects malicious service used in Operation Wilted Tulip" author = "Florian Roth" reference = "http://www.clearskysec.com/tulip" date = "2017-07-23" hash1 = "3fd28b9d1f26bd0cee16a167184c9f4a22fd829454fd89349f2962548f70dc34" strings: $x1 = "d2lubG9naW4k" fullword wide /* base64 encoded string 'winlogin$' */ $x2 = "C:\\Users\\admin\\Documents\\visual studio 2015\\Projects\\Export\\TDTESS_ShortOne\\WinService Template\\" ascii $s1 = "\\WinService Template\\obj\\x64\\x64\\winlogin" ascii $s2 = "winlogin.exe" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) or 2 of them ) ) } rule WiltedTulip_matryoshka_Injector { meta: description = "Detects hack tool used in Operation Wilted Tulip" author = "Florian Roth" reference = "http://www.clearskysec.com/tulip" date = "2017-07-23" hash1 = "c41e97b3b22a3f0264f10af2e71e3db44e53c6633d0d690ac4d2f8f5005708ed" hash2 = "b93b5d6716a4f8eee450d9f374d0294d1800784bc99c6934246570e4baffe509" strings: $s1 = "Injector.dll" fullword ascii $s2 = "ReflectiveLoader" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) or ( pe.exports("__dec") and pe.exports("_check") and pe.exports("_dec") and pe.exports("start") and pe.exports("test") ) } rule WiltedTulip_Zpp { meta: description = "Detects hack tool used in Operation Wilted Tulip" author = "Florian Roth" reference = "http://www.clearskysec.com/tulip" date = "2017-07-23" hash1 = "10ec585dc1304436821a11e35473c0710e844ba18727b302c6bd7f8ebac574bb" hash2 = "7d046a3ed15035ea197235980a72d133863c372cc27545af652e1b2389c23918" hash3 = "6d6816e0b9c24e904bc7c5fea5951d53465c478cc159ab900d975baf8a0921cf" strings: $x1 = "[ERROR] Error Main -i -s -d -gt -lt -mb" fullword wide $x2 = "[ERROR] Error Main -i(with.) -s -d -gt -lt -mb -o -e" fullword wide $s1 = "LT Time invalid" fullword wide $s2 = "doCompressInNetWorkDirectory" fullword ascii $s3 = "files remaining ,total file save = " fullword wide $s4 = "$ec996350-79a4-477b-87ae-2d5b9dbe20fd" fullword ascii $s5 = "Destinition Directory Not Found" fullword wide $s6 = "\\obj\\Release\\ZPP.pdb" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 30KB and ( 1 of ($x*) or 3 of them ) } rule WiltedTulip_Netsrv_netsrvs { meta: description = "Detects sample from Operation Wilted Tulip" author = "Florian Roth" reference = "http://www.clearskysec.com/tulip" date = "2017-07-23" hash1 = "a062cb4364125427b54375d51e9e9afb0baeb09b05a600937f70c9d6d365f4e5" hash2 = "afa563221aac89f96c383f9f9f4ef81d82c69419f124a80b7f4a8c437d83ce77" hash3 = "acf24620e544f79e55fd8ae6022e040257b60b33cf474c37f2877c39fbf2308a" hash4 = "bff115d5fb4fd8a395d158fb18175d1d183c8869d54624c706ee48a1180b2361" hash5 = "07ab795eeb16421a50c36257e6e703188a0fef9ed87647e588d0cd2fcf56fe43" strings: $s1 = "Process %d Created" fullword ascii $s2 = "%s\\system32\\rundll32.exe" fullword wide $s3 = "%s\\SysWOW64\\rundll32.exe" fullword wide $c1 = "slbhttps" fullword ascii $c2 = "/slbhttps" fullword wide $c3 = "/slbdnsk1" fullword wide $c4 = "netsrv" fullword wide $c5 = "/slbhttps" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) and 1 of ($c*) ) ) } rule WiltedTulip_ReflectiveLoader { meta: description = "Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip" author = "Florian Roth" reference = "http://www.clearskysec.com/tulip" date = "2017-07-23" hash1 = "1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904" hash2 = "1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a" hash3 = "a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f" hash4 = "cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0" hash5 = "eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89" strings: $x1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii $x2 = "%d is an x86 process (can't inject x64 content)" fullword ascii $x3 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii $x4 = "Failed to impersonate token from %d (%u)" fullword ascii $x5 = "Failed to impersonate logged on user %d (%u)" fullword ascii $x6 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them ) or ( 2 of them ) or pe.exports("_ReflectiveLoader@4") } rule WiltedTulip_Matryoshka_RAT { meta: description = "Detects Matryoshka RAT used in Operation Wilted Tulip" author = "Florian Roth" reference = "http://www.clearskysec.com/tulip" date = "2017-07-23" hash1 = "6f208473df0d31987a4999eeea04d24b069fdb6a8245150aa91dfdc063cd64ab" hash2 = "6cc1f4ecd28b833c978c8e21a20a002459b4a6c21a4fbaad637111aa9d5b1a32" strings: $s1 = "%S:\\Users\\public" fullword wide $s2 = "ntuser.dat.swp" fullword wide $s3 = "Job Save / Load Config" fullword wide $s4 = ".?AVPSCL_CLASS_JOB_SAVE_CONFIG@@" fullword ascii $s5 = "winupdate64.com" fullword ascii $s6 = "Job Save KeyLogger" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them ) }