This repository was archived by the owner on Jan 10, 2025. It is now read-only.

Commit 34c4427

Merge pull request #382 from elastic/issue-380
Issue 380
2 parents 17d9d0b + 9a598fc commit 34c4427

File tree

2 files changed

+40
-0
lines changed

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
# Climbing the Pyramid with Celestial-themed Malware
2+
3+
## Abstract
4+
The Deimos trojan (AKA Jupyter Infostealer, SolarMarker) is a malware tool first reported in 2020, but has been in active development and employs advanced defensive countermeasures used to frustrate analysis. This post details the campaign TTPs through the malware indicators.
5+
6+
## URL
7+
8+
## Artifacts
9+
Artifacts and code snippets from the blog post.
10+
11+
| Artifact | Description | Note |
12+
| - | - | - |
13+
| f268491d2f7e9ab562a239ec56c4b38d669a7bd88181efb0bd89e450c68dd421 | Lure file | - |
14+
| af1e952b5b02ca06497e2050bd1ce8d17b9793fdb791473bdae5d994056cb21f | Malware installer | - |
15+
| d6e1c6a30356009c62bc2aa24f49674a7f492e5a34403344bfdd248656e20a54 | .NET DLL file | - |
16+
| 216[.]230[.]232[.]134 | Command and control | - |
17+
| [Deimos YARA Rule](windows_trojan_deimos.yar) | YARA rule to identify the Deimos DLL file. | - |
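Review bot: the "## URL" section (line 6 of this file) is left empty, so the README gives no link back to the blog post that the "Artifacts" section says these snippets come from; please add the post URL there before merging. Two smaller points in the artifact table: the ".NET DLL file" row lists SHA-256 d6e1c6a30356009c62bc2aa24f49674a7f492e5a34403344bfdd248656e20a54, while the accompanying YARA rule's reference_sample is 2c1941847f660a99bbc6de16b00e563f70d900f9dbc40c6734871993961d3d3e, so either the table should note that the rule was validated against a different DLL sample or the two values should be reconciled; and the "Note" column is "-" in every row, so consider either dropping the column or using it to state what each hash is (SHA-256) and that the C2 address is defanged with "[.]".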
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
rule Windows_Trojan_Deimos_DLL {
2+
meta:
3+
author = "Elastic Security"
4+
creation_date = "2021-09-18"
5+
last_modified = "2021-09-18"
6+
os = "Windows"
7+
arch = "x86"
8+
category_type = "Trojan"
9+
family = "Deimos"
10+
threat_name = "Windows.Trojan.Deimos"
11+
description = "Detects the presence of the Deimos trojan DLL file."
12+
reference = ""
13+
reference_sample = "2c1941847f660a99bbc6de16b00e563f70d900f9dbc40c6734871993961d3d3e"
14+
15+
strings:
16+
$a1 = "\\APPDATA\\ROAMING" wide fullword
17+
$a2 = "{\"action\":\"ping\",\"" wide fullword
18+
$a3 = "Deimos" ascii fullword
19+
$b1 = { 00 57 00 58 00 59 00 5A 00 5F 00 00 17 75 00 73 00 65 00 72 00 }
20+
$b2 = { 0C 08 16 1F 68 9D 08 17 1F 77 9D 08 18 1F 69 9D 08 19 1F 64 9D }
21+
condition:
22+
all of ($a*) or 1 of ($b*)
23+
}
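Review bot: `reference = ""` (line 12 of the rule) is empty, so the rule metadata does not point at the blog post or the README that explains the indicators; please fill it with the post URL so analysts triaging a hit can find the context. The rest looks consistent: the `$a` strings are all required together, which keeps the generic `"Deimos"` and `"\\APPDATA\\ROAMING"` strings from matching on their own, and the two `$b` byte patterns are the alternative path via `1 of ($b*)`; it would help reviewers if a short comment noted what the `$b1` and `$b2` sequences correspond to in the sample, since the hex alone gives no hint of why a single match is considered sufficient.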
