Added payload sig for T5000.

ctxis · Jun 8, 2017 · d2a4769 · d2a4769
1 parent 75c6808
commit d2a4769
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -45,12 +45,14 @@ CAPE also has Yara signatures to detect payloads that are extracted by a behavio
     - Dridex
     - NetTraveler
     - ZeroT
+    - Jaff
+    - T5000
 
 There are a number of other behavioural and malware family packages and parsers currently in the works, so watch this space.
 
 Packages can be written based on API hooks, the CAPE debugger, or a combination of both.
 
-The CAPE debugger allows four breakpoints to be set on each malware thread to detect on read, write or execute of a memory region, as well as single-step mode. This allows fine control over malware execution until it is possible to dump the memory regions of interest, containing code or configuration data. Breakpoints can be set dynamically by package code or via Yara signatures.
+The CAPE debugger allows four breakpoints to be set on each malware thread to detect on read, write or execute of a memory region, as well as single-step mode. This allows fine control over malware execution until it is possible to dump the memory regions of interest, containing code or configuration data. Breakpoints can be set dynamically by package code, API hooks or Yara signatures.
 
 Processes, modules and memory regions can variously be dumped by CAPE through use of a simple API. These dumps can then be scanned and parsed for configuration information.
 

diff --git a/data/yara/CAPE/T5000.yar b/data/yara/CAPE/T5000.yar
@@ -0,0 +1,30 @@
+rule T5000
+{
+    meta:
+        author = "Seth Hardy"
+        description = "T5000 Payload"
+        cape_type = "T5000 Payload"
+
+    strings:
+        $ = "_tmpR.vbs"
+        $ = "_tmpg.vbs"
+        $ = "Dtl.dat" wide ascii
+        $ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
+        $ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
+        $ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
+        $ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
+        $ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
+        $ = "A59CF429-D0DD-4207-88A1-04090680F714"
+        $ = "utd_CE31" wide ascii
+        $ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
+        $ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
+        $ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
+        $ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
+        
+    condition:
+       any of them
+}
+/*
+    last_modified = "2014-06-26"
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/