Winnti Yara Signatures

The following Operation SMN Yara signatures will aid the detection of the Winnti dropper, engine, service, and worker modules.

 

---

 

rule Winnti_Dropper
{
 meta:
  copyright = "Novetta Solutions"
  author = "Novetta Advanced Research Group"

 strings:
  $runner = "%s\\rundll32.exe \"%s\", DlgProc %s"
  $inflate = "Copyright 1995-2005 Mark Adler"
  
 condition:
  $runner and $inflate

}

rule Winnti_service
{
 meta:
  copyright = "Novetta Solutions"
  author = "Novetta Advanced Research Group"

 strings:
  $newmem = "new memory failed!"
  $value = "can not find value %d\n"
  $onevalue = "find one value %d\n"
  $nofile = "Can not open the file (error %d)"
  
 condition:
  3 of ($newmem, $value, $onevalue, $nofile)

}

rule Winnti_engine
{
 meta:
  copyright = "Novetta Solutions"
  author = "Novetta Advanced Research Group"

 strings:
  $api1 = "SHCreateItemFromParsingName"
  $datfile = "otfkty.dat"
  $workstart = "work_start"
  $workend = "work_end"
  
 condition:
  ($api1 or $datfile) and ($workstart and $workend)
  

}

rule Winnti_worker
{
 meta:
  copyright = "Novetta Solutions"
  author = "Novetta Advanced Research Group"

 strings:
  $pango = "pango-basic-win32.dll"
  $tango = "tango.dll"
  $dat = "%s\\%d%d.dat"
  $cryptobase = "%s\\sysprep\\cryptbase.dll"
  
 condition:
  $pango and $tango and $dat and $cryptobase

}