From 81e92ffabc8cf25ff4dc2deed3f8ff7c28edac07 Mon Sep 17 00:00:00 2001
From: mthaxton
Date: Fri, 2 Feb 2024 15:58:01 -0600
Subject: [PATCH] requested tweaks to description

---
 packs/win_malware.conf | 4 ++--
 win_malware/zardoor_modules.yaml | 10 +++++-----
 win_malware/zardoor_mutex.yaml | 10 +++++-----
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/packs/win_malware.conf b/packs/win_malware.conf
index 537def2..e4f2f5b 100644
--- a/packs/win_malware.conf
+++ b/packs/win_malware.conf
@@ -788,7 +788,7 @@
 "query": "SELECT object_name, object_type from winbaseobj WHERE object_type='Mutant' AND (object_name='ThreadMutex12453' OR object_name='3e603a07-7b2d-4a15-afef-7e9a0841e4d5' OR object_name like 'rrx_%' OR object_name='6c2711b5-e736-4397-a883-0d181a3f85ae');",
 "interval": 86400,
 "snapshot": true,
- "description": "The Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool notably used by Threat Actors to maintain remote access on the system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
+ "description": "Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool (RAT) notably used by threat actors to maintain unauthorized access on the infected system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
 "platform": [
 "windows"
 ]
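Review bot: The reworded description on the `+` line still says the components "were written to disk and executed", but this entry's query only looks for a `Mutant` object in `winbaseobj`, which evidences a process currently holding one of the listed mutex names, not files on disk; the file check is the separate entry below. I would describe what this query actually observes, e.g. `"description": "A mutex name associated with the Zardoor backdoor is present on the host, indicating a Zardoor component is running. Zardoor is a custom remote access tool (RAT) ..."`. Separately, the unchanged context predicate `object_name like 'rrx_%'` treats `_` as a single-character wildcard in SQLite, so it also matches any mutant beginning with `rrx` plus at least one more character; if the underscore is meant literally, escape it: `object_name LIKE 'rrx\\_%' ESCAPE '\\'` (backslashes doubled for the JSON string). Because this snapshot runs once a day (`"interval": 86400`) and a mutex only exists while its owner is alive, I would also expect this to miss short-lived runs, which is worth stating in the description or revisiting the interval.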
@@ -797,7 +797,7 @@
 "query": "SELECT f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime,'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path = h.path WHERE (f.filename = 'oci.dll' OR f.filename = 'zor32.dll' OR f.filename = 'zar32.dll') AND f.directory = 'C:\\Windows\\System32';",
 "interval": 86400,
 "snapshot": true,
- "description": "The Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool notably used by Threat Actors to maintain remote access on the system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
+ "description": "Zardoor backdoor components were written to disk and executed. Zardoor is a custom remote access tool (RAT) notably used by threat actors to maintain unauthorized access on the infected system. Once successfully executed, Zardoor can be used to execute arbitrary commands, interact with the file system, and connect to other systems on the local network.",
 "platform": [
 "windows"
 ]
diff --git a/win_malware/zardoor_modules.yaml b/win_malware/zardoor_modules.yaml
index 0a7d8ab..b1b7410 100644
--- a/win_malware/zardoor_modules.yaml
+++ b/win_malware/zardoor_modules.yaml
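Review bot: "were written to disk and executed" on the `+` line overstates what this query can establish: it only reports that a file named `oci.dll`, `zor32.dll` or `zar32.dll` exists in `C:\Windows\System32` and joins its SHA-256 from `hash`, so presence is shown but execution is not. `oci.dll` is also the name of a legitimate Oracle client library, so a filename-only match may fire on a benign copy if one ends up in System32 (I cannot tell from here how common that is). Since `h.sha256` is already returned, I would either tighten the match on known-bad digests where the team has them, or soften the text to `"Files matching known Zardoor backdoor module names were found in System32; compare the returned sha256 against known Zardoor samples before treating this as confirmed execution."`. The description is duplicated verbatim with the YAML rule, so whichever wording is chosen needs to land in both places.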
@@ -5,11 +5,11 @@ Zardoor Modules:
 WHERE (f.filename = "oci.dll" OR f.filename = "zor32.dll" OR f.filename = "zar32.dll") AND f.directory = "C:\Windows\System32";
 interval: 86400
 snapshot: true
- description: The Zardoor backdoor components were written to disk and executed.
- Zardoor is a custom remote access tool notably used by Threat Actors to maintain remote
- access on the system. Once successfully executed, Zardoor can be used to execute
- arbitrary commands, interact with the file system, and connect to other systems
- on the local network.
+ description: Zardoor backdoor components were written to disk and executed. Zardoor
+ is a custom remote access tool (RAT) notably used by threat actors to maintain
+ unauthorized access on the infected system. Once successfully executed, Zardoor
+ can be used to execute arbitrary commands, interact with the file system, and
+ connect to other systems on the local network.
 references:
 - c6419df4bbda5b75ea4a0b8e8acd2100b149443584390c91a218e7735561ef74
 - f71f7c68209ea8218463df397e5c39ef5f916f138dc001feb3a60ef585bd2ac2
diff --git a/win_malware/zardoor_mutex.yaml b/win_malware/zardoor_mutex.yaml
index 480bb81..2b49375 100644
--- a/win_malware/zardoor_mutex.yaml
+++ b/win_malware/zardoor_mutex.yaml
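Review bot: The `WHERE` context line quotes its string literals with double quotes (`"oci.dll"`, `"C:\Windows\System32"`), whereas the same query in `packs/win_malware.conf` uses single quotes; SQLite treats a double-quoted token as an identifier first and only falls back to a string literal when no such column exists, a legacy behaviour that builds can disable, so the YAML should match the pack: `WHERE (f.filename = 'oci.dll' OR f.filename = 'zor32.dll' OR f.filename = 'zar32.dll') AND f.directory = 'C:\Windows\System32';`. The two SHA-256 values under `references` are not used by the query, which filters on filename and directory only, so a reader cannot tell whether they are sample hashes or digests of the named DLLs; a one-line comment above `references:` such as `# SHA-256 digests of the Zardoor samples this rule was derived from — confirm` would settle that. The query's `SELECT`/`FROM` portion starts above this hunk, so I have only reviewed the predicate shown.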
@@ -4,11 +4,11 @@ Zardoor Mutex:
 WHERE object_type = "Mutant" AND (object_name = "ThreadMutex12453" OR object_name = "3e603a07-7b2d-4a15-afef-7e9a0841e4d5" OR object_name like "rrx_%" OR object_name = "6c2711b5-e736-4397-a883-0d181a3f85ae");
 interval: 86400
 snapshot: true
- description: The Zardoor backdoor components were written to disk and executed.
- Zardoor is a custom remote access tool notably used by Threat Actors to maintain remote
- access on the system. Once successfully executed, Zardoor can be used to execute
- arbitrary commands, interact with the file system, and connect to other systems
- on the local network.
+ description: Zardoor backdoor components were written to disk and executed. Zardoor
+ is a custom remote access tool (RAT) notably used by threat actors to maintain
+ unauthorized access on the infected system. Once successfully executed, Zardoor
+ can be used to execute arbitrary commands, interact with the file system, and
+ connect to other systems on the local network.
 references:
 - c6419df4bbda5b75ea4a0b8e8acd2100b149443584390c91a218e7735561ef74
 - f71f7c68209ea8218463df397e5c39ef5f916f138dc001feb3a60ef585bd2ac2
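Review bot: `object_name like "rrx_%"` on the `WHERE` context line uses `_`, which is a single-character wildcard in SQLite `LIKE`, so this matches any mutant whose name starts with `rrx` followed by at least one character rather than the literal prefix `rrx_`; if the underscore is intended literally, write `object_name LIKE 'rrx\_%' ESCAPE '\'` (and mirror the change in the pack, where the same predicate appears). The new description text says the components "were written to disk and executed", but a `Mutant` hit only shows a process currently holding one of these names, so I would reword this rule's `description:` around a running Zardoor component and leave the on-disk claim to the modules rule. The double-quoted literals here have the same identifier-first ambiguity as the modules rule and would be safer as single quotes. The `SELECT`/`FROM` portion of the query lies above this hunk.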