Silv0123 (@silv0123) 's Twitter Profile
Silv0123

@silv0123

Malware Analyst
#ThreatIntel #BlueTeam #DFIR #CTI

ID: 815265366326804481

Joined: 31-12-2016 18:36:25

116 Tweets

1.1K Followers

840 Following

Silv0123 (@silv0123):

#dailyyara
$ = "Fake_RtlBitMapAddr" ascii wide
key string for PE files leveraging CVE-2021-40449
b08b660ed646c390d5a254070123c74c
434d2f921bfb0e72ff759d43f63bd374
ef034bb27daf97cca141fe9b774bfb2a
9b01c9549397c3d66493ee4150228a9b

Steve YARA Synapse Miller (@stvemillertime):

New Kind of Network (NKN) C2 schema for malware comms. This could get interesting. Check it out: NKN: nkn.org/technology/our… RAT: github.com/Maka8ka/NGLite Files: virustotal.com/gui/domain/see… SDK: github.com/nknorg/nkn-sdk… Blog: maka8ka.cc/post/%E4%B8%80… h/t @NinjaOperator & Robert Falc

Silv0123 (@silv0123):

#dailypcap app.any.run/tasks/2a256f8a… NGLite use is creative; a good starting point is to detect the returned text websocket of NKN after the GET request:
flow:from_server; content:"|81|"; offset:0; depth:1; content:"updateSigChainBlockHash";

Silv0123 (@silv0123):

#dailyyara PE files capable of ICMP
$ = "IcmpCreateFile" ascii wide
$ = "Icmp6CreateFile" ascii wide
$ = "IcmpSendEcho" ascii wide
$ = "IcmpCloseHandle" ascii wide
$ = "GetIcmpStatistics" ascii wide
$ = "IcmpParseReplies" ascii wide
$ = "Icmp6ParseReplies" ascii wide
1 of them

Silv0123 (@silv0123):

#100DaysOfYARA I'm late to the party here; I haven't seen well-performing rules for ISO file detection, so I created the following to be the first match in the condition:
condition: filesize > 60000 and uint32(0x8001) == 0x30304443 and uint8(0x8005) == 0x31
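
As an added example (not from the tweet or its author), a Python rendering of the condition above. It assumes a constructed zero-filled buffer with only the sector-16 descriptor bytes set stands in for an ISO image:

```python
import struct

MIN_FILESIZE = 60000   # the tweeted condition: filesize > 60000
PVD_OFFSET = 0x8000    # sector 16 * 2048 bytes: where ISO 9660 volume descriptors start


def is_iso9660_candidate(data: bytes) -> bool:
    """Python rendering of the tweeted YARA condition:
        filesize > 60000 and uint32(0x8001) == 0x30304443 and uint8(0x8005) == 0x31
    YARA's uint32() reads little-endian, so 0x30304443 is the byte sequence
    b"CD00"; with the 0x31 ('1') at 0x8005 that is the standard identifier
    "CD001", which follows the one-byte descriptor type at 0x8000."""
    if len(data) <= MIN_FILESIZE:
        return False
    # len > 60000 already guarantees offsets 0x8001..0x8005 (max 32773) exist
    u32 = struct.unpack_from("<I", data, 0x8001)[0]
    return u32 == 0x30304443 and data[0x8005] == 0x31


def build_sample(size: int, identifier: bytes = b"CD001") -> bytes:
    """Constructed stand-in for an ISO image: a zero-filled buffer carrying only
    a descriptor type byte and a 5-byte identifier at sector 16. Not a real image."""
    buf = bytearray(size)
    if size >= PVD_OFFSET + 6:
        buf[PVD_OFFSET] = 0x01                             # primary volume descriptor type
        buf[PVD_OFFSET + 1:PVD_OFFSET + 6] = identifier
    return bytes(buf)


if __name__ == "__main__":
    cases = [("real-sized image", build_sample(70000)),
             ("too small (60000 bytes, not > 60000)", build_sample(60000)),
             ("wrong identifier", build_sample(70000, b"XX001"))]
    for label, sample in cases:
        print(f"{label}: {is_iso9660_candidate(sample)}")
```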

Silv0123 (@silv0123):

#100DaysOfYARA #dailyyara Taking obfuscation detection to the next level with YARA. Ex: Ap0pD0at0a
{ 41 70 3? 70 44 3? 61 74 3? 61 }
Always use 3? for the 0-9 range for numbers in ASCII form.
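
As an added example (not from the tweet or its author), a small translator from a YARA hex string body with nibble wildcards to a Python bytes regex, run against a constructed sample. The last sample string is there to show the caveat a rule writer should keep in mind: `3?` covers 0x30-0x3F, so it accepts ':' ';' '<' '=' '>' '?' as well as the digits 0-9:

```python
import re


def yara_hex_to_regex(hex_body: str) -> bytes:
    """Translate the body of a YARA hex string (the part between the braces)
    into a bytes regex. Supports fixed bytes, '??' and one-sided nibble
    wildcards such as '3?' (high nibble fixed) or '?3' (low nibble fixed).
    Jumps and alternatives are deliberately not handled."""
    parts = []
    for tok in hex_body.split():
        if len(tok) != 2:
            raise ValueError(f"unsupported token {tok!r}")
        hi, lo = tok
        if tok == "??":
            parts.append(b".")
        elif lo == "?":
            base = int(hi, 16) << 4              # '3?' -> 0x30..0x3F
            parts.append(b"[\\x%02x-\\x%02x]" % (base, base | 0x0F))
        elif hi == "?":
            low = int(lo, 16)                    # '?3' -> 0x03, 0x13, ..., 0xF3
            alts = b"".join(b"\\x%02x" % ((h << 4) | low) for h in range(16))
            parts.append(b"[" + alts + b"]")
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    return b"".join(parts)


def find_offsets(hex_body: str, data: bytes) -> list:
    """Offsets at which the hex pattern matches in data (DOTALL so '??' hits any byte)."""
    pattern = re.compile(yara_hex_to_regex(hex_body), re.DOTALL)
    return [m.start() for m in pattern.finditer(data)]


# the tweeted pattern: "ApXpDXatXa" with one wildcard nibble per digit position
PATTERN = "41 70 3? 70 44 3? 61 74 3? 61"

# constructed sample (not real malware content): two digit-obfuscated variants,
# one letter-obfuscated variant that must not match, and one using ':' ';' '<'
# (0x3A-0x3C), which '3?' also accepts
SAMPLE = b"Ap0pD0at0a;Ap7pD3at9a;ApApDXatYa;Ap:pD;at<a"

if __name__ == "__main__":
    print(yara_hex_to_regex(PATTERN))
    print(find_offsets(PATTERN, SAMPLE))      # the 'ApApDXatYa' variant at 22 is skipped
```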

Silv0123 (@silv0123):

Thanks Florian Roth ⚡️ I would suggest editing APT_HKTL_Wiper_WhisperGate_Stage3_Jan22: keep $xc1 but remove $s1, and change the filesize limit to at least 5MB to detect b6563e61cdc02b6379efc51eb8792a43

Silv0123 (@silv0123):

#100DaysofYARA #dailyyara Ransom path
$ = /[A-Za-z]:[\x2F\x5C][\x00-\x7F]{0,300}[Rr][Aa][Nn][Ss][Oo][Mm][\x00-\x7F]{0,300}\.(pdb|go)/ ascii
6bc2a7555122ccaddd5ae0497f3a3419
Steve YARA Synapse Miller it would be awesome if you'd create a new Go paths ruleset just like the pdb ones!

Silv0123 (@silv0123):

#APT34 #OilRig #ThreatIntel #Trashtics
relatively recent compiled post exploitation tool
2022-03-08T03:58:55Z
c4bdc6759a8e979966b86ddfdeb358d6

Steve YARA Synapse Miller (@stvemillertime):

RonnieColemanYARAParser is a bulk analysis script that helps you use YARA/modules to build on-demand, customized views of file features from dozens or hundreds of files at once.

Updates to show match path, output to CSV etc

github.com/stvemillertime…

#dailyyara #100DaysOfYARA2

Silv0123 (@silv0123):

#dailyyara Getting back to Yara greatness, found nice CryptoJS obfuscation with reverse base64
45445df447cb076ab99ef94dbf9f8942
$ = "ycq1yb0BXeyN2LzJWas9CehpWYv02bj5SZyFGbmRWdvx2YuMnauR2Yv8iOzBHd0hmI9MmczBCdwlmcjNHP" // CF
$ = "strrev" fullword
$ = "reverse().join" fullword

Silv0123 (@silv0123):

#dailyyara #100DaysofYARA
Back to Yara greatness, totally appreciate all the contributions

the following shows number of occurrences per matching string from a rule file

yara -ws rule.yar sample.exe | tail -n +2 | cut -d : -f 3- | sort | uniq -c | sort -rn

Silv0123 (@silv0123):

#100DaysOfYARA #dailyyara
Always wanted to keep writing regex for perfect detections but would sacrifice performance

3 recommended things to enhance performance

- file header
- file size
- regex position

github.com/silv0123/yara-…

I hope Florian Roth ⚡️ won't come after me for this.

Greg Lesnewich (@greglesnewich):

#100DaysofYARA day 2 - one cluster in my portfolio, TA427 really likes to use password-protected ZIP files with an MSC file as the only embedded file (used to use .VBS files)

lets look for ZIPs that match those features!

github.com/100DaysofYARA/…

Silv0123 (@silv0123):

#ThreatIntel dce41d9d1da0084e7e44847b1b2b9fe0
Tied to Elastic reporting elastic.co/security-labs/…
Mimicking CrowdStrike Installer
Repo peakyblinders-team
This could be attributed to a cluster related to #APT34