rule masepie_campaign_htmlstarter { meta: description = "Detect Malicious Web page HTML file from CERT-UA#8399" references = "TRR240101;https://cert.gov.ua/article/6276894" hash = "628bc9f4aa71a015ec415d5d7d8cb168359886a231e17ecac2e5664760ee8eba" date = "2024-01-24" author = "HarfangLab" context = "file" strings: $s1 = "" ascii wide fullword $s2 = "src=\".\\Capture" ascii wide condition: filesize > 600 and filesize < 5KB and (all of them) } rule masepie_campaign_webdavlnk { meta: description = "Detect Malicious LNK from CERT-UA#8399" references = "TRR240101;https://cert.gov.ua/article/6276894" hash = "19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc" date = "2024-01-24" author = "HarfangLab" context = "file" strings: $a1 = "[system.Diagnostics.Process]::Start('msedge','http" wide nocase fullword $a2 = "\\Microsoft\\Edge\\Application\\msedge.exe" wide nocase fullword $a3 = "powershell.exe" ascii wide fullword $s1 = "win-j5ggokh35ap" ascii fullword $s2 = "desktop-q0f4sik" ascii fullword condition: filesize > 1200 and filesize < 5KB and (uint16be(0) == 0x4c00) and ( (all of ($a*)) or (any of ($s*)) ) } rule masepie_campaign_masepie { meta: description = "Detect MASEPIE from CERT-UA#8399" references = "TRR240101;https://cert.gov.ua/article/6276894" hash = "18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6" date = "2024-01-24" author = "HarfangLab" context = "file" strings: $t1 = "Try it againg" ascii wide fullword $t2 = "{user}{SEPARATOR}{k}" ascii wide fullword $t3 = "Error transporting file" ascii wide fullword $t4 = "check-ok" ascii wide fullword $a1 = ".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))" ascii wide fullword $a2 = "dec_file_mes(mes, key)" ascii wide fullword $a3 = "os.popen('whoami').read()" ascii wide fullword condition: filesize > 2KB and filesize < 15MB and (4 of them) } rule masepie_campaign_oceanmap { meta: description = "Detect OCEANMAP from CERT-UA#8399" references = "TRR240101;https://cert.gov.ua/article/6276894" hash = "24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04" date = "2024-01-24" modified = "2024-01-31" author = "HarfangLab" context = "file" strings: $dotNet = ".NETFramework,Version" ascii fullword $a1 = "$ SELECT INBOX.Drafts" wide fullword $a2 = "$ SELECT Drafts" wide fullword $a3 = "$ UID SEARCH subject \"" wide fullword $a4 = "$ APPEND INBOX {" wide fullword $a5 = "+FLAGS (\\Deleted)" wide fullword $a6 = "$ EXPUNGE" wide fullword $a7 = "BODY.PEEK[text]" wide fullword $t1 = "change_time" ascii fullword $t2 = "ReplaceBytes" ascii fullword $t3 = "fcreds" ascii fullword $t4 = "screds" ascii fullword $t5 = "r_creds" ascii fullword $t6 = "comp_id" ascii fullword $t7 = "changesecond" wide fullword $t8 = "taskkill /F /PID" wide fullword $t9 = "cmd.exe" wide fullword condition: filesize > 8KB and filesize < 100KB and (uint16be(0) == 0x4D5A) and $dotNet and (3 of ($a*)) and (2 of ($t*)) }