Havoc is a modern and malleable post-exploitation command and control framework, created by @C5pider.
rule win_havoc_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.havoc." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 85c0 7856 488b842488000000 488bb42488000000 4531c9 } // n = 5, score = 800 // 85c0 | dec eax // 7856 | mov dword ptr [esp + 0x28], eax // 488b842488000000 | mov eax, 0x10 // 488bb42488000000 | dec eax // 4531c9 | mov dword ptr [esp + 0x20], edi $sequence_1 = { 48898424ae000000 4c8d442458 ba2a040000 8b842498000000 4889442448 } // n = 5, score = 800 // 48898424ae000000 | call dword ptr [eax + 0x15c] // 4c8d442458 | mov ecx, 0x40 // ba2a040000 | dec eax // 8b842498000000 | mov dword ptr [esp + 0x70], eax // 4889442448 | dec ecx $sequence_2 = { 4488440101 448a440202 4488440102 448a440203 4488440103 4883c004 4883f820 } // n = 7, score = 800 // 4488440101 | mov dword ptr [esp + 0x38], ebx // 448a440202 | xor eax, eax // 4488440102 | mov dword ptr [esp + 0x40], esi // 448a440203 | xor edi, edi // 4488440103 | mov ecx, 0xadd31df0 // 4883c004 | dec eax // 4883f820 | mov dword ptr [esp + 0x38], ebx $sequence_3 = { 4885c0 7504 31f6 eb08 488b4030 ffc3 } // n = 6, score = 800 // 4885c0 | dec eax // 7504 | mov edx, dword ptr [ebx] // 31f6 | dec eax // eb08 | mov dword ptr [edx + 0x55c], eax // 488b4030 | dec eax // ffc3 | mov ecx, dword ptr [edx + 0x644] $sequence_4 = { 55 4c89c5 57 56 4889d6 53 } // n = 6, score = 800 // 55 | dec eax // 4c89c5 | mov edx, dword ptr [ebx] // 57 | dec eax // 56 | mov dword ptr [edx + 0x30c], eax // 4889d6 | dec eax // 53 | mov eax, dword ptr [ebx] $sequence_5 = { 4883ec28 488b410c 488b4904 488d5008 488b05???????? } // n = 5, score = 800 // 4883ec28 | je 0x164a // 488b410c | dec eax // 488b4904 | mov eax, dword ptr [esi] // 488d5008 | dec eax // 488b05???????? | $sequence_6 = { 488d4b10 4c8d4c2460 4889442460 8b442478 ba00000002 4c8d842490000000 } // n = 6, score = 800 // 488d4b10 | mov eax, dword ptr [ebx] // 4c8d4c2460 | call dword ptr [eax + 0x45c] // 4889442460 | dec eax // 8b442478 | mov ecx, esi // ba00000002 | mov dword ptr [esp + 0x2c], eax // 4c8d842490000000 | dec eax $sequence_7 = { f3a5 488bbc2480000000 488b742460 b934010000 f3a5 } // n = 5, score = 800 // f3a5 | dec esp // 488bbc2480000000 | mov ecx, ebp // 488b742460 | dec eax // b934010000 | lea ecx, [esp + 0x98] // f3a5 | dec eax $sequence_8 = { baff010f00 c744244001000000 4889442444 31c0 85f6 } // n = 5, score = 800 // baff010f00 | inc ecx // c744244001000000 | mov eax, 0x2ce5a244 // 4889442444 | dec eax // 31c0 | mov dword ptr [edx + 0x5cc], eax // 85f6 | dec eax $sequence_9 = { 4155 4154 4531e4 55 57 56 53 } // n = 7, score = 800 // 4155 | mov dword ptr [edx + 0x484], eax // 4154 | dec eax // 4531e4 | test ecx, ecx // 55 | je 0x1746 // 57 | mov edx, 0xbb6970d6 // 56 | dec eax // 53 | mov edx, dword ptr [ebx] condition: 7 of them and filesize < 164864 }
rule win_havoc_w0 { //Detects ntdll API hashes used in Havoc C2 Demon payloads meta: author = "embee_research @ HuntressLabs" vendor = "Huntress Research" date = "2022/10/11" source = "https://raw.githubusercontent.com/embee-research/Yara/main/HavocDemons.yara" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc" malpedia_rule_date = "20221012" malpedia_hash = "" malpedia_version = "20221012" malpedia_sharing = "TLP:WHITE" strings: // Syscall Hashes $nt_hash1 = {53 17 e6 70} //0x70e61753 == ntdll.dll $nt_hash2 = {43 6a 45 9e} //0x9e456a43 == LdrLoadDll $nt_hash3 = {ec b8 83 f7} //0xf783b8ec == NtAllocateVirtualMemory $nt_hash4 = {88 28 e9 50} //0x50e92888 == NtProtectVirtualMemory $nt_hash5 = {f6 99 5a 2e} //0x2e5a99f6 == LdrGetProcedureAddress $nt_hash6 = {da 81 b3 c0} //0xc0b381da == NtAllocateHeap $nt_hash7 = {d7 71 ba 70} //0x70ba71d7 == RtlFreeHeap $nt_hash8 = {88 2b 49 8e} //0x8e492b88 == RtlExitUserThread $nt_hash9 = {ef f0 a1 3a} //0x3aa1f0ef == RtlExitUserProcess $nt_hash10 = {f5 39 34 7c} //0x7c3439f5 == RtlRandomEx $nt_hash11 = {70 f2 ab 35} //0x35abf270 == RtlNtStatusToDosError $nt_hash12 = {1d aa a3 3c} //0x3ca3aa1d == RtlGetVersion $nt_hash13 = {11 b2 8f f7} //0xf78fb211 == RtlCreateTimerQueue $nt_hash14 = {4c 7c de a5} //0xa5de7c4c == RtlCreateTimer $nt_hash15 = {90 fe 61 95} //0x9561fe90 == RtlDeleteTimerQueue $nt_hash16 = {d0 ee 33 77} //0x7733eed0 == RtlCaptureContext $nt_hash17 = {a9 af 4b 55} //0x554bafa9 == RtlAddVectoredExceptionHandler $nt_hash18 = {0e 21 0c 88} //0x880c210e == RtlRemoveVectoredExceptionHandler $nt_hash19 = {3d 13 8e 8b} //0x8b8e133d == NtClose $nt_hash20 = {7d 74 58 ca} //0xca58747d == ZwCreateEvent condition: //PE or Shellcode or Shellcode //Leave as "3 of them" for more robust (but compute expensive) searching (3 of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856) }
rule win_havoc_w1 { //Detects the hashing routine used in Havoc C2 meta: author = "embee_research @ HuntressLabs" vendor = "Huntress Research" date = "2022/10/11" source = "https://raw.githubusercontent.com/embee-research/Yara/main/HavocDemonDJB2.yara" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc" malpedia_rule_date = "20221012" malpedia_hash = "" malpedia_version = "20221012" malpedia_sharing = "TLP:WHITE" strings: // Hashing Routine of DLL $dll = {b8 05 15 00 00 0f be 11 48 ff c1 84 d2 74 07 6b c0 21 01 d0 eb ef} //Hashing Routine of Shellcode $shellcode = {41 80 f8 60 76 04 41 83 e8 20 6b c0 21 45 0f b6 c0 49 ff c1 44 01 c0 eb c4} condition: //PE or Shellcode or Shellcode //Leave as "any of them" for more robust (but compute expensive) searching (any of them) and (uint16(0) == 0x5a4d or uint16(0) == 0x00e8 or uint16(0) == 0x4856) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY