├── regin-scanner.exe
├── screens
│   ├── ishot-141127-181510.png
│   ├── ishot-141127-191923.png
│   ├── ishot-141129-190200.png
│   ├── ishot-141129-190453.png
│   └── ishot-141129-190515.png
├── README.md
├── regin-scanner.py
└── regin_rules.yar

/regin-scanner.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Neo23x0/ReginScanner/master/regin-scanner.exe
--------------------------------------------------------------------------------

/screens/ishot-141127-181510.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Neo23x0/ReginScanner/master/screens/ishot-141127-181510.png
--------------------------------------------------------------------------------

/screens/ishot-141127-191923.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Neo23x0/ReginScanner/master/screens/ishot-141127-191923.png
--------------------------------------------------------------------------------

/screens/ishot-141129-190200.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Neo23x0/ReginScanner/master/screens/ishot-141129-190200.png
--------------------------------------------------------------------------------

/screens/ishot-141129-190453.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Neo23x0/ReginScanner/master/screens/ishot-141129-190453.png
--------------------------------------------------------------------------------

/screens/ishot-141129-190515.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Neo23x0/ReginScanner/master/screens/ishot-141129-190515.png
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Obsolete

The two specialized scanners [Regin Scanner](https://github.com/Neo23x0/ReginScanner) and [Skeleton Key Scanner](https://github.com/Neo23x0/SkeletonKeyScanner) have been merged into a new generic IOC scanner called [LOKI](https://github.com/Neo23x0/Loki).

LOKI features completely free IOC signature definition via different configuration files. It includes signatures for Regin, Skeleton Key and the recently published [FiveEyes QWERTY malware](http://www.spiegel.de/media/media-35668.pdf) mentioned in the [Spiegel report](http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html) released on 17.01.2015.

LOKI is free for private and commercial use and published under the GPL. It is the little brother of [THOR](http://www.bsk-consulting.de/apt-scanner-thor/), our full-featured corporate APT scanner.

# ReginScanner

Scanner for the Regin backdoor.

Detection is based on four detection methods:

1. File Name IOC
   Based on the reports published by Symantec and Kaspersky

2. Yara Ruleset
   Based on my rules published on pastebin:
   http://pastebin.com/0ZEWvjsC

3. SHA256 hash check
   Compares known malicious SHA256 hashes with scanned files

4. File System Scanner for Regin Virtual Filesystems
   Based on the .evt virtual filesystem detection by Paul Rascagneres, G DATA
   Reference: https://blog.gdatasoftware.com/blog/article/regin-an-old-but-sophisticated-cyber-espionage-toolkit-platform.html

The Windows binary is compiled with PyInstaller 2.1 and should run as an x86 application on both x86 and x64 based systems.

# Requirements

No requirements if you use the compiled EXE.

If you want to build it yourself:

- yara: it is recommended to use the most recent version of the compiled packages for Windows (x86). Download it from here: http://goo.gl/PQjmsf
- scandir: faster alternative to os.walk()
- colorama: to color it up

# Rule Base

The Yara rules published by Kaspersky are not bundled with this scanner. Extract them from the report and add them to the "regin_rules.yar" rule set to get better results.
(Hint: check the double quote signs " after copy & paste if errors occur.)
https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

# Usage

```
usage: regin-scanner.py [-h] [-p path] [--printAll] [--dots] [--debug]

Regin Scanner

optional arguments:
  -h, --help  show this help message and exit
  -p path     Path to scan
  --printAll  Print all files that are scanned
  --dots      Print a dot for every scanned file to see the progress
  --debug     Debug output
```

# Screenshots

ReginScanner reports system as clean

![ReginScannerScreen](/screens/ishot-141129-190200.png?raw=true "ReginScanner reporting a clean system")

ReginScanner with detections

![ReginScannerScreen](/screens/ishot-141129-190453.png?raw=true "ReginScanner detecting Yara IOC")

# Contact

Profile on Company Homepage
http://www.bsk-consulting.de/author/froth/

Twitter
@MalwrSignatures

If you are interested in a corporate solution for APT scanning, check:
http://www.bsk-consulting.de/apt-scanner-thor/
--------------------------------------------------------------------------------

/regin-scanner.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Regin Scanner
#
# Detection is based on four detection methods:
#
# 1. File Name IOC
#    Based on the reports published by Symantec and Kaspersky
#
# 2. Yara Ruleset
#    Based on my rules published on pastebin:
#    http://pastebin.com/0ZEWvjsC
#
# 3. Hash Check
#    Compares known malicious SHA256 hashes with scanned files
#
# 4. File System Scanner for Regin Virtual Filesystems
#    Based on .evt virtual filesystem detection by Paul Rascagneres, G DATA
#    Reference: https://blog.gdatasoftware.com/uploads/media/regin-detect.py
#
# If you like ReginScanner you'll love THOR, our full-featured APT Scanner
#
# Florian Roth
# BSK Consulting GmbH
# December 2014
# v0.7.1b
#
# DISCLAIMER - USE AT YOUR OWN RISK.
#
# Written for Python 2 (print statements, raw_input); scandir, yara-python and
# colorama are third-party modules.

import sys
import os
import argparse
import scandir
import traceback
import binascii
import yara
import hashlib
from colorama import Fore, Back, Style
from colorama import init

# File name IOCs, matched as substrings of the full path. Entries starting with
# 'ystem32' deliberately drop the first letter so that both 'System32' and
# 'system32' match.
EVIL_FILES = [
    '\\usbclass.sys',
    '\\adpu160.sys',
    '\\msrdc64.dat',
    '\\msdcsvc.dat',
    '\\config\\SystemAudit.Evt',
    '\\config\\SecurityAudit.Evt',
    '\\config\\SystemLog.evt',
    '\\config\\ApplicationLog.evt',
    '\\ime\\imesc5\\dicts\\pintlgbs.imd',
    '\\ime\\imesc5\\dicts\\pintlgbp.imd',
    'ystem32\\winhttpc.dll',
    'ystem32\\wshnetc.dll',
    '\\SysWow64\\wshnetc.dll',
    'ystem32\\svcstat.exe',
    'ystem32\\svcsstat.exe',
    'IME\\IMESC5\\DICTS\\PINTLGBP.IMD',
    'ystem32\\wsharp.dll',
    'pchealth\\helpctr\\Database\\cdata.dat',
    'pchealth\\helpctr\\Database\\cdata.edb',
    'Windows\\Panther\\setup.etl.000',
    'ystem32\\wbem\\repository\\INDEX2.DATA',
    'ystem32\\wbem\\repository\\OBJECTS2.DATA',
    'ystem32\\dnscache.dat',
    'ystem32\\mregnx.dat',
    'ystem32\\displn32.dat',
    'ystem32\\dmdskwk.dat',
    'ystem32\\nvwrsnu.dat',
    'ystem32\\tapiscfg.dat',
    'ystem32\\pciclass.sys',
]

# SHA256 hashes of known Regin samples
EVIL_HASHES = [
    '20831e820af5f41353b5afab659f2ad42ec6df5d9692448872f3ed8bbb40ab92',
    '225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430',
    '392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e',
    '40c46bcab9acc0d6d235491c01a66d4c6f35d884c19c6f410901af6d1e33513b',
    '4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be',
    '4e39bc95e35323ab586d740725a1c8cbcde01fe453f7c4cac7cced9a26e42cc9',
    '5001793790939009355ba841610412e0f8d60ef5461f2ea272ccf4fd4c83b823',
    '5c81cf8262f9a8b0e100d2a220f7119e54edfc10c4fb906ab7848a015cd12d90',
    '7553d4a5914af58b23a9e0ce6a262cd230ed8bb2c30da3d42d26b295f9144ab7',
    '7d38eb24cf5644e090e45d5efa923aff0e69a600fb0ab627e8929bb485243926',
    '8098938987e2f29e3ee416b71b932651f6430d15d885f2e1056d41163ae57c13',
    '8389b0d3fb28a5f525742ca2bf80a81cf264c806f99ef684052439d6856bc7e7',
    '8d7be9ed64811ea7986d788a75cbc4ca166702c6ff68c33873270d7c6597f5db',
    '9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f',
    '9ddbe7e77cb5616025b92814d68adfc9c3e076dddbe29de6eb73701a172c3379',
    'a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355',
    'a0e3c52a2c99c39b70155a9115a6c74ea79f8a68111190faa45a8fd1e50f8880',
    'a6603f27c42648a857b8a1cbf301ed4f0877be75627f6bbe99c0bfd9dc4adb35',
    'a7493fac96345a989b1a03772444075754a2ef11daa22a7600466adc1f69a669',
    'a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe',
    'b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047',
    'b755ed82c908d92043d4ec3723611c6c5a7c162e78ac8065eb77993447368fce',
    'c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513',
    'cca1850725f278587845cd19cbdf3dceb6f65790d11df950f17c5ff6beb18601',
    'df77132b5c192bd8d2d26b1ebb19853cf03b01d38afd5d382ce77e0d7219c18c',
    'e1ba03a10a40aab909b2ba58dcdfd378b4d264f1f4a554b669797bbb8c8ac902',
    'e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935',
    'ecd7de3387b64b7dab9a7fb52e8aa65cb7ec9193f8eac6a7d79407a6a932ef69',
    'f1d903251db466d35533c28e3c032b7212aa43c8d64ddf8c5521b43031e69e1e',
    'f89549fc84a8d0f8617841c6aa4bb1678ea2b6081c1f7f74ab1aebd4db4176e4',
    'fd92fd7d0f925ccc0b4cbb6b402e8b99b64fa6a4636d985d78e5507bd4cfecef',
    'fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129',
]

# SHA256 hashes of benign files that would otherwise trigger the checks above
FALSE_POSITIVES = [
    '6e5ebbc8b70c1d593634daf0c190deadfda18c3cbc8f552a76f156f3869ef05b',
    '7565e7de9532c75b3a16e3ed0103bc092dbca63c6bdc19053dfef01250029e59',
    'a26db2eb9f3e2509b4eba949db97595cc32332d9321df68283bfc102e66d766f',
    '18cd54d163c9c5f16e824d13c411e21fd7616d34e9f1cf2adcbf869ed6aeeed4',
    '0099940a366b401f30faaf820f4815083778383a2b1e9fab58e16d10b8965e3f',
    'b04a85ef2edbc5ac7b312e9d57b533d9d355d0c7cbbd24a8085c6873baf9411f',
    '581730d7cce49af90efad5f904ce205ee7123e6c0d206867fb8ad22559fa0556',
    '9009ca5c5f6e2c7a776896e406805bc4c627028ce90d8fe566a6b2190c7e0106',
]


def scan(path):

    # Startup
    print "Scanning %s ... " % path,
    # Compromised marker
    compromised = False
    c = 0

    # Compiling yara rules
    rules = None
    if os.path.exists('regin_rules.yar'):
        rules = yara.compile('regin_rules.yar')
    else:
        print "Place the yara rule file 'regin_rules.yar' in the program folder to enable Yara scanning."

    for root, directories, files in scandir.walk(path, onerror=walkError, followlinks=False):

        # Skip symbolic links (powerful method for NTFS)
        #for dir in directories:
        #    try:
        #        f_info = win32file.GetFileAttributesEx(os.path.join(root, dir))
        #        fileatt = int(f_info[0])
        #        if fileatt == 9238:
        #            directories.remove(dir)
        #    except Exception:
        #        directories.remove(dir)

        # Loop through files
        for filename in files:
            try:

                # Get the file and path
                filePath = os.path.join(root, filename)

                # Print files
                if args.printAll:
                    print "[SCANNING] %s" % filePath

                # Counter
                c += 1

                printProgress(c)

                if args.dots:
                    sys.stdout.write(".")

                file_size = os.stat(filePath).st_size

                # Files above 500 KB are neither hashed nor yara-scanned. Known
                # false positives are skipped before any check can flag them, so
                # a benign file never sets the result and never clears detections
                # from files scanned earlier.
                sha256hash = None
                if file_size <= 500000:
                    sha256hash = sha256(filePath)
                    if sha256hash in FALSE_POSITIVES:
                        continue

                # File Name Checks -------------------------------------------------
                for evil_file in EVIL_FILES:
                    if evil_file in filePath:
                        print Fore.RED, "\bREGIN File Name MATCH: %s" % filePath, Fore.WHITE
                        compromised = True

                # CRC Check --------------------------------------------------------
                try:
                    # The virtual filesystem header is 11 bytes long
                    if file_size <= 11:
                        continue

                    # Code from Paul Rascagneres. The file is opened in binary
                    # mode so that newline translation cannot alter the header.
                    with open(filePath, 'rb') as fp:
                        header = fp.read(11)
                    SectorSize = header[0:2][::-1]
                    MaxSectorCount = header[2:4][::-1]
                    MaxFileCount = header[4:6][::-1]
                    FileTagLength = header[6:7][::-1]
                    CRC32custom = header[7:11][::-1]

                    #if args.debug:
                    #    print "SectorSize: ", SectorSize.encode('hex')
                    #    print "MaxSectorCount: ", MaxSectorCount.encode('hex')
                    #    print "MaxFileCount: ", MaxFileCount.encode('hex')
                    #    print "FileTagLength: ", FileTagLength.encode('hex')
                    #    print "CRC32custom: ", CRC32custom.encode('hex')

                    # Custom CRC32: standard CRC32 seeded with 0x45 over the
                    # seven header bytes that precede the stored checksum
                    crc = binascii.crc32(header[0:7], 0x45)
                    crc2 = '%08x' % (crc & 0xffffffff)
                    #if args.debug:
                    #    print "CRC2: ", crc2

                    if CRC32custom.encode('hex') == crc2:
                        print Fore.RED, "\bREGIN Virtual Filesystem MATCH: %s" % filePath, Fore.WHITE
                        compromised = True

                except Exception:
                    if args.debug:
                        traceback.print_exc()

                # Hash Check -------------------------------------------------------
                if sha256hash is None:
                    continue

                if sha256hash in EVIL_HASHES:
                    print Fore.RED, "\bREGIN SHA256 Hash MATCH: %s FILE: %s" % (sha256hash, filePath), Fore.WHITE
                    compromised = True

                # Yara Check -------------------------------------------------------
                if rules is not None:
                    try:
                        matches = rules.match(filePath)
                        if matches:
                            for match in matches:
                                print Fore.RED, "\bREGIN Yara Rule MATCH: %s FILE: %s" % (match, filePath), Fore.WHITE
                                compromised = True
                    except Exception:
                        if args.debug:
                            traceback.print_exc()

            except Exception:
                if args.debug:
                    traceback.print_exc()

    # Return result
    return compromised


def sha256(filePath):
    try:
        with open(filePath, 'rb') as f:
            file_data = f.read()
        return hashlib.sha256(file_data).hexdigest()
    except Exception:
        if args.debug:
            traceback.print_exc()
        return 0


def walkError(err):
    if args.debug:
        traceback.print_exc()


def printProgress(i):
    if (i % 4) == 0:
        sys.stdout.write('\b/')
    elif (i % 4) == 1:
        sys.stdout.write('\b-')
    elif (i % 4) == 2:
        sys.stdout.write('\b\\')
    elif (i % 4) == 3:
        sys.stdout.write('\b|')
    sys.stdout.flush()


def printWelcome():
    print Back.CYAN, "                                                                ", Back.BLACK
    print Fore.CYAN
    print "  REGIN SCANNER"
    print "  "
    print "  by Florian Roth - BSK Consulting GmbH"
    print "  Jan 2015"
    print "  Version 0.7.2b"
    print "  "
    print "  DISCLAIMER - USE AT YOUR OWN RISK"
    print "  "
    print Back.CYAN, "                                                                ", Back.BLACK
    print Fore.WHITE + '' + Back.BLACK


# MAIN ################################################################
if __name__ == '__main__':

    # Parse Arguments
    parser = argparse.ArgumentParser(description='Regin Scanner')
    parser.add_argument('-p', help='Path to scan', metavar='path', default='C:\\')
    parser.add_argument('--printAll', action='store_true', help='Print all files that are scanned', default=False)
    parser.add_argument('--dots', action='store_true', help='Print a dot for every scanned file to see the progress', default=False)
    parser.add_argument('--debug', action='store_true', default=False, help='Debug output')

    args = parser.parse_args()

    # Colorization
    init()

    # Print Welcome
    printWelcome()

    # Scan Path
    result = scan(args.p)

    if result:
        print Fore.RED + '' + Back.BLACK
        print "\bRESULT: REGIN INDICATORS DETECTED!"
        print Fore.WHITE + '' + Back.BLACK
    else:
        print Fore.GREEN + '' + Back.BLACK
        print "\bRESULT: SYSTEM SEEMS TO BE CLEAN. :)"
        print Fore.WHITE + '' + Back.BLACK

    raw_input("Press Enter to exit ...")
--------------------------------------------------------------------------------

/regin_rules.yar:
--------------------------------------------------------------------------------
rule Regin_APT_KernelDriver_Generic_A {
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "187044596bc1328efa0ed636d8aa4a5c"
        hash2 = "06665b96e293b23acc80451abb413e50"
        hash3 = "d240f06e98c8d3e647cbf4d442d79475"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }

        $s0 = "atapi.sys" fullword wide
        $s1 = "disk.sys" fullword wide
        $s3 = "h.data" fullword ascii
        $s4 = "\\system32" fullword ascii
        $s5 = "\\SystemRoot" fullword ascii
        $s6 = "system" fullword ascii
        $s7 = "temp" fullword ascii
        $s8 = "windows" fullword ascii

        $x1 = "LRich6" fullword ascii
        $x2 = "KeServiceDescriptorTable" fullword ascii
    condition:
        $m0 at 0 and $m1 and
        all of ($s*) and 1 of ($x*)
}

rule Regin_APT_KernelDriver_Generic_B {
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
        hash2 = "bfbe8c3ee78750c3a520480700e440f8"
        hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
        hash4 = "06665b96e293b23acc80451abb413e50"
        hash5 = "2c8b9d2885543d7ade3cae98225e263b"
        hash6 = "4b6b86c7fec1c574706cecedf44abded"
        hash7 = "187044596bc1328efa0ed636d8aa4a5c"
        hash8 = "d240f06e98c8d3e647cbf4d442d79475"
        hash9 = "6662c390b2bbbd291ec7987388fc75d7"
        hash10 = "1c024e599ac055312a4ab75b3950040a"
        hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
        hash12 = "b505d65721bb2453d5039a389113b566"
        hash13 = "b269894f434657db2b15949641a67532"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
        $s2 = "H.data" fullword ascii nocase
        $s3 = "INIT" fullword ascii
        $s4 = "ntoskrnl.exe" fullword ascii

        $v1 = "\\system32" fullword ascii
        $v2 = "\\SystemRoot" fullword ascii
        $v3 = "KeServiceDescriptorTable" fullword ascii

        $w1 = "\\system32" fullword ascii
        $w2 = "\\SystemRoot" fullword ascii
        $w3 = "LRich6" fullword ascii

        $x1 = "_snprintf" fullword ascii
        $x2 = "_except_handler3" fullword ascii

        $y1 = "mbstowcs" fullword ascii
        $y2 = "wcstombs" fullword ascii
        $y3 = "KeGetCurrentIrql" fullword ascii

        $z1 = "wcscpy" fullword ascii
        $z2 = "ZwCreateFile" fullword ascii
        $z3 = "ZwQueryInformationFile" fullword ascii
        $z4 = "wcslen" fullword ascii
        $z5 = "atoi" fullword ascii
    condition:
        $m0 at 0 and all of ($s*) and
        ( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) )
        and filesize < 20KB
}

rule Regin_APT_KernelDriver_Generic_C {
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "e0895336617e0b45b312383814ec6783556d7635"
        hash2 = "732298fa025ed48179a3a2555b45be96f7079712"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }

        $s0 = "KeGetCurrentIrql" fullword ascii
        $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
        $s2 = "usbclass" fullword wide

        $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
        $x2 = "Universal Serial Bus Class Driver" fullword wide
        $x3 = "5.2.3790.0" fullword wide

        $y1 = "LSA Shell" fullword wide
        $y2 = "0Richw" fullword ascii
    condition:
        $m0 at 0 and all of ($s*) and
        ( all of ($x*) or all of ($y*) )
        and filesize < 20KB
}

/* Update 27.11.14 */

rule Regin_sig_svcsstat {
    meta:
        description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
    strings:
        $s0 = "Service Control Manager" fullword ascii
        $s1 = "_vsnwprintf" fullword ascii
        $s2 = "Root Agency" fullword ascii
        $s3 = "Root Agency0" fullword ascii
        $s4 = "StartServiceCtrlDispatcherA" fullword ascii
        $s5 = "\\\\?\\UNC" fullword wide
        $s6 = "%ls%ls" fullword wide
    condition:
        all of them and filesize < 15KB and filesize > 10KB
}

rule Regin_Sample_1 {
    meta:
        description = "Auto-generated rule - file-3665415_sys"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
    strings:
        $s0 = "Getting PortName/Identifier failed - %x" fullword ascii
        $s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
        $s2 = "External Naming Failed - Status %x" fullword ascii
        $s3 = "------- Same multiport - different interrupts" fullword ascii
        $s4 = "%x occurred prior to the wait - starting the" fullword ascii
        $s5 = "'user registry info - userPortIndex: %d" fullword ascii
        $s6 = "Could not report legacy device - %x" fullword ascii
        $s7 = "entering SerialGetPortInfo" fullword ascii
        $s8 = "'user registry info - userPort: %x" fullword ascii
        $s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
        $s10 = "Kernel debugger is using port at address %X" fullword ascii
        $s12 = "Release - freeing multi context" fullword ascii
        $s13 = "Serial driver will not load port" fullword ascii
        $s14 = "'user registry info - userAddressSpace: %d" fullword ascii
        $s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
        $s20 = "'user registry info - userIndexed: %d" fullword ascii
    condition:
        all of them and filesize < 110KB and filesize > 80KB
}

rule Regin_Sample_2 {
    meta:
        description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
    strings:
        $s0 = "\\SYSTEMROOT\\system32\\lsass.exe" fullword wide
        $s1 = "atapi.sys" fullword wide
        $s2 = "disk.sys" fullword wide
        $s3 = "IoGetRelatedDeviceObject" fullword ascii
        $s4 = "HAL.dll" fullword ascii
        $s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" fullword ascii
        $s6 = "PsGetCurrentProcessId" fullword ascii
        $s7 = "KeGetCurrentIrql" fullword ascii
        $s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
        $s9 = "KeSetImportanceDpc" fullword ascii
        $s10 = "KeQueryPerformanceCounter" fullword ascii
        $s14 = "KeInitializeEvent" fullword ascii
        $s15 = "KeDelayExecutionThread" fullword ascii
        $s16 = "KeInitializeTimerEx" fullword ascii
        $s18 = "PsLookupProcessByProcessId" fullword ascii
        $s19 = "ExReleaseFastMutexUnsafe" fullword ascii
        $s20 = "ExAcquireFastMutexUnsafe" fullword ascii
    condition:
        all of them and filesize < 40KB and filesize > 30KB
}

rule Regin_Sample_3 {
    meta:
        description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
        author = "@Malwrsignatures"
        date = "27.11.14"
        hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
    strings:
        $hd = { fe ba dc fe }

        $s0 = "Service Pack x" fullword wide
        $s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
        $s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
        $s3 = "mntoskrnl.exe" fullword wide
        $s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" fullword wide
        $s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
        $s6 = "Service Pack" fullword wide
        $s7 = ".sys" fullword wide
        $s8 = ".dll" fullword wide

        $s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" fullword wide
        $s11 = "IoGetRelatedDeviceObject" fullword ascii
        $s12 = "RtlGetVersion" fullword wide
        // string identifiers must be unique within a rule; a second $s11 here
        // would make the whole rule set fail to compile
        $s13 = "VMEM.sys" fullword ascii
        $s14 = "ntkrnlpa.exe" fullword ascii
    condition:
        ( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
}

rule Regin_Sample_Set_1 {
    meta:
        description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "8487a961c8244004c9276979bb4b0c14392fc3b8"
        hash = "bcf3461d67b39a427c83f9e39b9833cfec977c61"
    strings:
        $s0 = "HAL.dll" fullword ascii
        $s1 = "IoGetDeviceObjectPointer" fullword ascii
        $s2 = "MaximumPortsServiced" fullword wide
        $s3 = "KeGetCurrentIrql" fullword ascii
        $s4 = "ntkrnlpa.exe" fullword ascii
        $s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
        $s6 = "ConnectMultiplePorts" fullword wide
        $s7 = "\\SYSTEMROOT" fullword wide
        $s8 = "IoWriteErrorLogEntry" fullword ascii
        $s9 = "KeQueryPerformanceCounter" fullword ascii
        $s10 = "KeServiceDescriptorTable" fullword ascii
        $s11 = "KeRemoveEntryDeviceQueue" fullword ascii
        $s12 = "SeSinglePrivilegeCheck" fullword ascii
        $s13 = "KeInitializeEvent" fullword ascii
        $s14 = "IoBuildDeviceIoControlRequest" fullword ascii
        $s15 = "KeRemoveDeviceQueue" fullword ascii
        $s16 = "IofCompleteRequest" fullword ascii
        $s17 = "KeInitializeSpinLock" fullword ascii
        $s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
        $s19 = "IoCreateDevice" fullword ascii
        $s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
    condition:
        all of them and filesize < 40KB and filesize > 30KB
}

rule Regin_Sample_Set_2 {
    meta:
        description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
        author = "@MalwrSignatures"
        date = "27.11.14"
        hash = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
        hash = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
    strings:
        $hd = { fe ba dc fe }

        $s0 = "d%ls%ls" fullword wide
        $s1 = "\\\\?\\UNC" fullword wide
        $s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
        $s3 = "\\\\?\\UNC\\" fullword wide
        $s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
        $s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
        $s6 = "\\\\.\\Global\\%s" fullword wide
        $s7 = "temp" fullword wide
        $s8 = "\\\\.\\%s" fullword wide
        $s9 = "Memory location: 0x%p, size 0x%08x" fullword wide

        $s10 = "sscanf" fullword ascii
        $s11 = "disp.dll" fullword ascii
        $s12 = "%d.%d.%d.%d%c" fullword ascii
        $s13 = "imagehlp.dll" fullword ascii
        $s14 = "%hd %d" fullword ascii
        // string identifiers must be unique within a rule; a second $s11 here
        // would make the whole rule set fail to compile
        $s15 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
    condition:
        ( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
}
--------------------------------------------------------------------------------
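The Regin virtual filesystem check from regin-scanner.py above (detection method 4) as an added stand-alone Python 3 example; it is not part of the project's code. It parses the 11-byte header into the fields the scanner names, recomputes the custom CRC32 (standard CRC32 seeded with 0x45 over the first seven bytes) and compares it with the stored value, keeping the scanner's size guard. The header test vectors are constructed here for the demonstration; no real sample data is used.

```python
import binascii
import struct

# Header layout the scanner reads: three 16-bit fields, one 8-bit field and a
# 32-bit CRC, all little-endian (the script reverses each field only to display it).
VFS_HEADER_LEN = 11
CRC_SEED = 0x45           # initial CRC32 value used by the check
CRC_COVERED_BYTES = 7     # the CRC covers the header bytes before the CRC field
MIN_FILE_SIZE = 12        # the scanner skips files of 11 bytes or less


def parse_vfs_header(data):
    """Split the first 11 bytes of a file into the header fields.

    Returns None when the data is too short to hold a full header.
    """
    if len(data) < VFS_HEADER_LEN:
        return None
    sector_size, max_sectors, max_files, tag_len, stored_crc = struct.unpack(
        '<HHHBI', data[:VFS_HEADER_LEN])
    return {
        'SectorSize': sector_size,
        'MaxSectorCount': max_sectors,
        'MaxFileCount': max_files,
        'FileTagLength': tag_len,
        'CRC32custom': stored_crc,
    }


def expected_crc(data):
    """Custom CRC32: standard CRC32 seeded with 0x45 over the first seven bytes."""
    return binascii.crc32(data[:CRC_COVERED_BYTES], CRC_SEED) & 0xFFFFFFFF


def vfs_header_matches(data):
    """True when the stored CRC agrees with the recomputed one.

    Mirrors the scanner's size guard: anything shorter than 12 bytes is ignored.
    """
    if len(data) < MIN_FILE_SIZE:
        return False
    header = parse_vfs_header(data)
    return header is not None and header['CRC32custom'] == expected_crc(data)


def build_test_header(sector_size, max_sectors, max_files, tag_len, payload=b''):
    """Constructed test vector (hypothetical values): a header whose CRC field is
    consistent with the other fields. Exists only to exercise the check."""
    prefix = struct.pack('<HHHB', sector_size, max_sectors, max_files, tag_len)
    return prefix + struct.pack('<I', expected_crc(prefix)) + payload


def scan_blob(name, data):
    """Report a hit the way the scanner does and return the verdict."""
    hit = vfs_header_matches(data)
    if hit:
        fields = parse_vfs_header(data)
        print("REGIN Virtual Filesystem MATCH: %s (SectorSize=%#x, MaxSectorCount=%d, "
              "MaxFileCount=%d, FileTagLength=%d)" % (
                  name, fields['SectorSize'], fields['MaxSectorCount'],
                  fields['MaxFileCount'], fields['FileTagLength']))
    return hit


if __name__ == '__main__':
    # Constructed inputs: a consistent header, the same header with one CRC byte
    # flipped, and a tiny file below the scanner's size threshold.
    good = build_test_header(0x200, 0x100, 0x20, 0x10, payload=b'\x00' * 16)
    tampered = good[:10] + bytes([good[10] ^ 0xFF]) + good[11:]
    tiny = good[:11]
    for label, blob in (('good.evt', good), ('tampered.evt', tampered), ('tiny.evt', tiny)):
        print('%-13s -> %s' % (label, 'match' if scan_blob(label, blob) else 'no match'))
```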