From bfb40aa206c5542c7ca210b6b904fc8553252a27 Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Fri, 2 Oct 2020 10:28:30 +0200
Subject: [PATCH 1/2] Added YARA rules for Quick Batch installer
---
 .../tools/pe/x86/installers.yara | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index bb3987e04..e27706190 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -127,6 +127,72 @@ rule install_creator {
 $s01 at pe.overlay.offset
 }
 
+rule quick_batch_compiler_2x {
+ meta:
+ tool = "I"
+ name = "Quick Batch File Compiler"
+ version = "2.x"
+ strings:
+ $delphi_01 = "Runtime error at 00000000" // Common Delphi/Embarcadero
+ $delphi_02 = "Access violation at address %p in module '%s'. %s of address %p" wide // Found in almost all Quick Batch samples
+ $s01 = "File is corrupt."
+ $s02 = "Compressed file is corrupt"
+ $s03 = "Quick Batch File Compiler"
+ $s04 = "cmd.exe /c"
+ $s05 = "a%.5u.bat"
+ condition:
+ pe.number_of_sections >= 8 and
+ pe.sections[0].name == "CODE" and
+ pe.sections[1].name == "DATA" and
+ all of ($delphi_*) and
+ 4 of ($s*)
+}
+
+rule quick_batch_compiler_4x {
+ meta:
+ tool = "I"
+ name = "Quick Batch File Compiler"
+ version = "4.x"
+ strings:
+ $delphi_01 = "Runtime error at 00000000" // Common Delphi/Embarcadero
+ $delphi_02 = "Access violation at address %p in module '%s'. %s of address %p" wide // Found in almost all Quick Batch samples
+ $s01 = "Quick Batch File Compiler Runtime Module Version 4." wide
+ $s02 = "In order to correctly identify malware while avoiding false positives, antivirus manufacturers shalldetect the presence of Quick Batch File Compiler label" wide
+ $s03 = { 1A 00 00 00 53 00 63 00 72 00 69 00 70 00 74 00 43 00 72 00 79 00 70 00 74 00 6F 00 72 00 00 00 } // Delphi "ScriptCryptor"
+ condition:
+ pe.number_of_sections >= 8 and
+ all of ($delphi_*) and
+ 2 of ($s*)
+}
+
+rule quick_batch_compiler {
+ meta:
+ tool = "I"
+ name = "Quick Batch File Compiler"
+ version = "2.x - 4.x"
+ strings:
+ $qbatch_01 = "Runtime error at 00000000" // Common Delphi/Embarcadero
+ $qbatch_02 = "Access violation at address %p in module '%s'. %s of address %p" wide // Found in almost all Quick Batch samples
+ $qbatch_03 = "http://www.abyssmedia.com" // Found in some samples
+ $code_01 = { c7 05 ?? ?? ?? 00 63 51 e1 b7 bb 2b 00 00 00 b8 ?? ?? ?? 00 8b 10 81 c2 b9 79 37 9e 89 }
+ $code_02 = { 6a 00 6a 00 6a 20 6a 00 6a 00 6a 00 8b 45 ?? e8 ?? ?? ?? ?? 50 6a 00 e8 }
+ $code_03 = { 6a 00 6a 00 6a 20 6a 00 6a 00 6a 00 a1 ?? ?? ?? 00 e8 ?? ?? ?? ?? 50 6a 00 e8 }
+ $code_04 = { 6a 00 6a 00 6a 20 6a ff 68 ?? ?? ?? 00 68 ?? ?? ?? 00 a1 ?? ?? ?? ?? e8 ?? ?? ?? ?? 50 6a 00 e8 }
+ $s10 = "Quick Batch File Compiler" ascii wide
+ $s20 = "RC_SCRIPT" wide
+ $s21 = "MYFILES" wide
+ $s22 = "SCRIPT" wide
+ $s23 = "FORM" wide
+ $s24 = "RTFM" wide
+ condition:
+ pe.number_of_sections >= 8 and
+ (pe.sections[0].name == "CODE" or pe.sections[0].name == ".text") and
+ (pe.sections[1].name == "DATA" or pe.sections[2].name == ".data") and
+ 2 of ($qbatch_*) and
+ ((2 of ($code_*)) or (1 of ($s*))) and
+ any of ($s*)
+}
+
 rule kgb_sfx {
 meta:
 tool = "I"
From 37660d4ce5b499598867d5a40a2e3ee4c12b3a05 Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Fri, 2 Oct 2020 13:03:35 +0200
Subject: [PATCH 2/2] Fixed indentation
---
 .../tools/pe/x86/installers.yara | 62 +++++++++----------
 1 file changed, 31 insertions(+), 31 deletions(-)
diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index e27706190..9bc6f5941 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
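Review bot: The condition of `quick_batch_compiler` (last rule in the hunk) collapses to `any of ($s*)`, because `1 of ($s*)` and `any of ($s*)` are the same predicate: the `((2 of ($code_*)) or (1 of ($s*)))` disjunction is true whenever the final conjunct is, so the four `$code_*` byte patterns never affect the verdict. Since `$qbatch_01`/`$qbatch_02` are generic Delphi runtime strings (as the comments themselves note), a Delphi PE with eight or more sections then only needs one short wide string such as `"FORM"` or `"SCRIPT"` to be tagged as Quick Batch, which looks looser than the `_2x`/`_4x` rules intend; if the code patterns were meant to back up the short resource names, something like `(2 of ($code_*) or $s10) and any of ($s*)` gives them a role again. The section test `(pe.sections[1].name == "DATA" or pe.sections[2].name == ".data")` is also not paired with the `[0]` test, so a `CODE`/`.data` or `.text`/`DATA` layout passes; if only the two known layouts are expected, writing `((pe.sections[0].name == "CODE" and pe.sections[1].name == "DATA") or (pe.sections[0].name == ".text" and pe.sections[2].name == ".data"))` is tighter. Separately, `$s02` in `quick_batch_compiler_4x` contains `shalldetect` with no space; if that literal was retyped rather than copied from a sample it will silently never match, so it is worth confirming against the binary bytes.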
@@ -128,67 +128,67 @@ rule install_creator { } rule quick_batch_compiler_2x { - meta: + meta: tool = "I" name = "Quick Batch File Compiler" - version = "2.x" + version = "2.x" strings: - $delphi_01 = "Runtime error at 00000000" // Common Delphi/Embarcadero - $delphi_02 = "Access violation at address %p in module '%s'. %s of address %p" wide // Found in almost all Quick Batch samples - $s01 = "File is corrupt." - $s02 = "Compressed file is corrupt" - $s03 = "Quick Batch File Compiler" - $s04 = "cmd.exe /c" - $s05 = "a%.5u.bat" + $delphi_01 = "Runtime error at 00000000" // Common Delphi/Embarcadero + $delphi_02 = "Access violation at address %p in module '%s'. %s of address %p" wide // Found in almost all Quick Batch samples + $s01 = "File is corrupt." + $s02 = "Compressed file is corrupt" + $s03 = "Quick Batch File Compiler" + $s04 = "cmd.exe /c" + $s05 = "a%.5u.bat" condition: pe.number_of_sections >= 8 and - pe.sections[0].name == "CODE" and - pe.sections[1].name == "DATA" and - all of ($delphi_*) and - 4 of ($s*) + pe.sections[0].name == "CODE" and + pe.sections[1].name == "DATA" and + all of ($delphi_*) and + 4 of ($s*) } rule quick_batch_compiler_4x { meta: tool = "I" name = "Quick Batch File Compiler" - version = "4.x" + version = "4.x" strings: - $delphi_01 = "Runtime error at 00000000" // Common Delphi/Embarcadero - $delphi_02 = "Access violation at address %p in module '%s'. %s of address %p" wide // Found in almost all Quick Batch samples - $s01 = "Quick Batch File Compiler Runtime Module Version 4." wide - $s02 = "In order to correctly identify malware while avoiding false positives, antivirus manufacturers shalldetect the presence of Quick Batch File Compiler label" wide + $delphi_01 = "Runtime error at 00000000" // Common Delphi/Embarcadero + $delphi_02 = "Access violation at address %p in module '%s'. %s of address %p" wide // Found in almost all Quick Batch samples + $s01 = "Quick Batch File Compiler Runtime Module Version 4." 
wide + $s02 = "In order to correctly identify malware while avoiding false positives, antivirus manufacturers shalldetect the presence of Quick Batch File Compiler label" wide $s03 = { 1A 00 00 00 53 00 63 00 72 00 69 00 70 00 74 00 43 00 72 00 79 00 70 00 74 00 6F 00 72 00 00 00 } // Delphi "ScriptCryptor" condition: pe.number_of_sections >= 8 and - all of ($delphi_*) and - 2 of ($s*) + all of ($delphi_*) and + 2 of ($s*) } rule quick_batch_compiler { meta: tool = "I" name = "Quick Batch File Compiler" - version = "2.x - 4.x" + version = "2.x - 4.x" strings: - $qbatch_01 = "Runtime error at 00000000" // Common Delphi/Embarcadero + $qbatch_01 = "Runtime error at 00000000" // Common Delphi/Embarcadero $qbatch_02 = "Access violation at address %p in module '%s'. %s of address %p" wide // Found in almost all Quick Batch samples $qbatch_03 = "http://www.abyssmedia.com" // Found in some samples $code_01 = { c7 05 ?? ?? ?? 00 63 51 e1 b7 bb 2b 00 00 00 b8 ?? ?? ?? 00 8b 10 81 c2 b9 79 37 9e 89 } $code_02 = { 6a 00 6a 00 6a 20 6a 00 6a 00 6a 00 8b 45 ?? e8 ?? ?? ?? ?? 50 6a 00 e8 } $code_03 = { 6a 00 6a 00 6a 20 6a 00 6a 00 6a 00 a1 ?? ?? ?? 00 e8 ?? ?? ?? ?? 50 6a 00 e8 } $code_04 = { 6a 00 6a 00 6a 20 6a ff 68 ?? ?? ?? 00 68 ?? ?? ?? 00 a1 ?? ?? ?? ?? e8 ?? ?? ?? ?? 
50 6a 00 e8 } - $s10 = "Quick Batch File Compiler" ascii wide - $s20 = "RC_SCRIPT" wide - $s21 = "MYFILES" wide - $s22 = "SCRIPT" wide - $s23 = "FORM" wide - $s24 = "RTFM" wide + $s10 = "Quick Batch File Compiler" ascii wide + $s20 = "RC_SCRIPT" wide + $s21 = "MYFILES" wide + $s22 = "SCRIPT" wide + $s23 = "FORM" wide + $s24 = "RTFM" wide condition: pe.number_of_sections >= 8 and - (pe.sections[0].name == "CODE" or pe.sections[0].name == ".text") and - (pe.sections[1].name == "DATA" or pe.sections[2].name == ".data") and - 2 of ($qbatch_*) and + (pe.sections[0].name == "CODE" or pe.sections[0].name == ".text") and + (pe.sections[1].name == "DATA" or pe.sections[2].name == ".data") and + 2 of ($qbatch_*) and ((2 of ($code_*)) or (1 of ($s*))) and any of ($s*) }