Mirrors/cert-orangecyberdefense-cti
1
0
Fork 0
mirror of https://github.com/cert-orangecyberdefense/cti synced 2026-06-08 22:47:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
57a136fe1079f7e55159a4233c2e47e323a4ee96
cert-orangecyberdefense-cti/mintsloader/yara
T
Mar-Pic 2b8e6840fc Create yara
2025-02-18 16:01:08 +01:00

65 lines
5.4 KiB
Plaintext
Raw Blame History

#We share here 3 Yara rules related to Mintsloader prepared by our Reverse Engineering Team.
#Dynamic analysis in our Malicious File Detection solution (https://www.orangecyberdefense.com/global/datasheets/malicious-file-detection) embed by default such rules.
rule Window_Trojan_MintsLoader_0 : malware {
meta:
description = "MintsLoader JS malware"
researcher = "Alexis BONNEFOI"
source = "OCD"
creation_date = "15/10/2024"
os = "Windows"
category = "Trojan"
product = "p2a, mfd"
threat_name = "Windows.Trojan.MintsLoader"
strings:
$a1 = /var arrayLength = array.length;\s*if\([0-9]{2,5} < 0 \|\| [0-9]{2,5} >= arrayLength\) \{\s*var [a-z]{1,} = 0;\s*\}/
$a2 = /function [a-z_]{1,}0[a-z_]{1,}\(/
$a3 = /var [A-Z][a-z]{1,} = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\+\/=';\s*var [A-Z][a-z]{1,} = '';\s*var [A-Z][a-z]{1,} = '';/
$a4 = /for \(var [A-Z][a-z]{1,} = [a-f0-9x+*\/ -]{1,50}, [a-z][A-Z][a-z]{1,}, [a-z][A-Z][a-z]{1,}, [a-z][A-Z][a-z]{1,} = [a-f0-9x+*\/ -]{1,50}; [a-z][A-Z][a-z]{1,} = [A-Z][a-z]{1,}\['charAt'\]\([a-z][A-Z][a-z]{1,}\+\+\);.{50,2000}\s*[a-z][A-Z][a-z]{1,} = [A-Z][a-z]{1,}\['indexOf'\]\([a-z][A-Z][a-z]{1,}\)/
$a5 = /var \S{1,} = \S{1,}\('[A-F0-9]{50,}'\);/
$a6 = /\/\/ ?([A-Za-z]{1,30} ?){5,30}/
condition:
#a5 > 1 and #a6 > 50 and all of them
}
rule Window_Trojan_MintsLoader_1 : malware {
meta:
description = "MintsLoader stage 2 payload, Powershell, payload until April 2024"
researcher = "Alexis BONNEFOI"
source = "OCD"
creation_date = "15/10/2024"
os = "Windows"
category = "Trojan"
product = "p2a, mfd"
threat_name = "Windows.Trojan.MintsLoader"
strings:
$a1 = /\[Ref\]\.Assembly.GetType\((\$[a-z0-9]{1,20}\.){2}\$[a-z0-9]{1,20}\(\$\((\[char\]\([0-9]{1,4}[+*\/-][0-9]{1,4}\)\+){2,100}\[char\]\([0-9]{1,4}[+*\/-][0-9]{1,4}\)\)\)\)\.GetField\((\$[a-z0-9]{1,20}\.){2}\$[a-z0-9]{1,20}\(\$\((\[char\]\([0-9]{1,4}[+*\/-][0-9]{1,4}\)\+){2,100}\[char\]\([0-9]{1,4}[+*\/-][0-9]{1,4}\)\)\),(\$[a-z0-9]{1,20}\.){2}\$[a-z0-9]{1,20}\(\$\((\[char\]\([0-9]{1,4}[+*\/-][0-9]{1,4}\)\+){2,100}\[char\]\([0-9]{1,4}[+*\/-][0-9]{1,4}\)\)\)\)\.SetValue\(\$[a-z0-9]{1,20},\$true\);/
$a2 = /^set-alias [A-z0-9]{1,30} \$\((\[char\]\([0-9]{1,4}-[0-9]{1,4}\)\+?){9}\)\s*\$[A-z0-9]{1,20} = \$executioncontext/
$a3 = /\$[a-z0-9]{1,48} = \[System\.Text\.Encoding\]::ascii\s*function [a-z0-9]{1,48}\s*\{param\(\$[a-z0-9]{1,48}\s?\)\s*\$[a-z0-9]{1,48}\s?= \[System\.Convert\]::FromBase64String\(\$[a-z0-9]{1,48}\)\s+\$[a-z0-9]{1,48}\s?=\s?\$[a-z0-9]{1,48}\.GetBytes\("[a-z0-9]{1,48}"\)\s*\$[a-z0-9]{1,48}\s?=\s?\$[a-z0-9]{1,48}\s*\$[a-z0-9]{1,48}\s?=\s?\$\(for\s?\(\$[a-z0-9]{1,48}\s?=\s?0;\s?\$[a-z0-9]{1,48}\s-lt \$[a-z0-9]{1,48}\.length;\s?\)\s*\{\s*for\s?\(\$[a-z0-9]{1,48}\s?=\s?0;\s?\$[a-z0-9]{1,48}\s-lt \$[a-z0-9]{1,48}\.length;\s?\$[a-z0-9]{1,48}\+\+\s?\)\s?\{\s*\$[a-z0-9]{1,48}\[\$[a-z0-9]{1,48}] -bxor \$[a-z0-9]{1,48}\[\$[a-z0-9]{1,48}\]\s*\$[a-z0-9]{1,48}\+\+\s*if\s?\(\$[a-z0-9]{1,48} -ge \$[a-z0-9]{1,48}\.Length\)\s?\{\s*\$[a-z0-9]{1,48}\s?=\s?\$[a-z0-9]{1,48}\.length\s*\}\s*\}\s*}\)\s*\$[a-z0-9]{1,48}\s?=\s?New-Object System\.IO\.MemoryStream\(\s?,\s?\$[a-z0-9]{1,48}\s?\)\s*\$[a-z0-9]{1,48}\s?=\s?New-Object System\.IO\.MemoryStream\s*\$[a-z0-9]{1,48}\s?=\s?New-Object System\.IO\.Compression\.GzipStream \$[a-z0-9]{1,48}\s?,\s?\(\[IO\.Compression\.CompressionMode\]::Decompress\)\s*\$[a-z0-9]{1,48}\.CopyTo\(\s?\$[a-z0-9]{1,48}\s?\)\s*(\$[a-z0-9]{1,48}\.Close\(\)\s*){2}\[byte\[\]\]\s?\$[a-z0-9]{1,48}\s?=\s?\$[a-z0-9]{1,48}\s?\.ToArray\(\)\s*\$[a-z0-9]{1,48}\s?=\s?\$[a-z0-9]{1,48}\s*return\s?\$[a-z0-9]{1,48}\s*\}/ nocase
condition:
all of them
}
rule Window_Trojan_MintsLoader_2 : malware {
meta:
description = "MintsLoader stage 2 payload, Powershell, in memory payload since August 2024"
researcher = "Alexis BONNEFOI"
source = "OCD"
creation_date = "15/10/2024"
os = "Windows"
category = "Trojan"
product = "p2a, mfd"
threat_name = "Windows.Trojan.MintsLoader"
strings:
$a1 = /\$[a-z]{1,48}='ur'\s?;new-alias press c\$\(\$[a-z]{1,48}\)l;\$[a-z]{1,48}=\(((0x)?[A-Fa-f0-9]{2,5},?){20,40}\);\$[a-z]{1,48}=\('bronx','get-cmdlet'\);\$[a-z]{1,48}=\$[a-z]{1,48};foreach\(\$[a-z]{1,48} in \$[a-z]{1,48}\)\{\$[a-z]{1,48}=\$[a-z]{1,48};\$[a-z]{1,48}=\$[a-z]{1,48}\+\[char\]\(\$[a-z]{1,48}-[0-9]{1,8}\);\$[a-z]{1,48}=\$[a-z]{1,48};\s*\$[a-z]{1,48}=\$[a-z]{1,48}\};\$[a-z]{1,48}\[(2|(0x)?[A-Fa-f0-9]{1,4}|[0-9]{1,8}\s?[+*\/%-]\s?[0-9]{1,8}\s?)\]\s?=\$[a-z]{1,48};\$[a-z]{1,48}='rl'\;\$[a-z]{1,48}=1\;\.\$\(\[char\]\((107|(0x)?[A-Fa-f0-9]{1,4}|(0x)?[A-Fa-f0-9]{1,8}\s?[+*\/%-]\s?(0x)?[A-Fa-f0-9]{1,8}\s?)\)\+'e'\+'x'\)\(press\s*-useb\s*\$[a-z]{1,48}\)\s*/
$a2 = /\$[a-z]{1,48}='ur'\s?;new-alias press c\$\(\$[a-z]{1,48}\)l;\$[a-z]{1,48}=\(([0-9]{2,5},?){20,40}\);\$[a-z]{1,48}=\('bronx','get-cmdlet'\);\$[a-z]{1,48}=\$[a-z]{1,48};foreach\(\$[a-z]{1,48} in \$[a-z]{1,48}\)\{\$[a-z]{1,48}=\$[a-z]{1,48};\$[a-z]{1,48}=\$[a-z]{1,48}\+\[char\]\(\$[a-z]{1,48}-[0-9]{1,8}\);\$[a-z]{1,48}=\$[a-z]{1,48};\s*\$[a-z]{1,48}=\$[a-z]{1,48}\};\$[a-z]{1,48}\[2\]=\$[a-z]{1,48};\$[a-z]{1,48}='rl'\;\$[a-z]{1,48}=1\;\.\$\(\[char\]\(9992-9887\)\+'e'\+'x'\)\(press\s*-useb\s*\$[a-z]{1,48}\)\s*/
condition:
any of them
}
Reference in New Issue View Git Blame Copy Permalink