地区

亚洲

中东

StrongPity

初始载荷

Exfiltrate模块(全版本)

  1. import "pe"
  3. rule APT_StrongPity_Exfiltrate
  4. {
  5.     meta:
  6.         author = "建瓯最坏"
  7.         description = "写于2020-12-25,StrongPity,Exfiltrate模块,联网插件"
  8.         V16 = "90B4DF284BD28909047D179F7A0A3391"
  9.         V20 = "C5CBD6A7DE703AB24C7AAE8D3B0BF38F"
  10.         V21 = "ACD4A1BFD4F08DD799B09496CDA32AF3"
  11.         V22 = "81390CE601D34F384BFF9198EEF793A9"
  13.     strings:
  14.         //版本号标识,格式如"v33_kt33p3"
  15.         $HexVerNumV = { 6A 76 }
  16.         $HexVerNumUnderscore = { 6A 5F }
  17.         $HexVerNumK = { 6A 6B }
  18.         $HexVerNumP = { 6A 70 }
  19.         $StringsName = "name=%ls" nocase
  20.         $StringsDel = "delete=" nocase
  21.         //有些版本SFT字符串被加密处理了,无法通用
  22.         //$StringsSFT = "*.sft" nocase wide
  24.     condition:
  25.         all of them
  26.         and ( @HexVerNumUnderscore[1] - @HexVerNumV[1] <= 0x33 )
  27.         and pe.imports("Kernel32.dll","ReadFile")
  28.         and pe.imports("Kernel32.dll","CreateProcessW")
  29.         and pe.imports("WinHTTP.dll","WinHttpSendRequest")
  30.         //早期版本(V16)导入表没有,通过GetProcAddress获得
  31.         //and pe.imports("Kernel32.dll","GetVolumeInformationW")
  32. }

未知