Merge pull request #761 from avast/improvement-bat2exe-detection

The detection of BAT to PE-EXE script-compilers.
avast · May 5, 2020 · fab8f3e · fab8f3e
2 parents 96b5cf8 + 711171b
commit fab8f3e
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/support/yara_patterns/tools/pe/x64/compilers.yara b/support/yara_patterns/tools/pe/x64/compilers.yara
@@ -157,6 +157,17 @@ rule autohotkey_uv_01 {
 		)
 }
 
+rule f2ko_bat2exe_uv_01 {
+	meta:
+		tool = "C"
+		name = "F2KO Bat2Exe"
+		pattern = "4883EC??49C7C0????????4831D248B9????????????????E8????????4831C9E8????????4889??????????4D31C048C7C2001000004831C9E8????????4889"
+	strings:
+		$1 = { 48 83 EC ?? 49 C7 C0 ?? ?? ?? ?? 48 31 D2 48 B9 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 31 C9 E8 ?? ?? ?? ?? 48 89 ?? ?? ?? ?? ?? 4D 31 C0 48 C7 C2 00 10 00 00 48 31 C9 E8 ?? ?? ?? ?? 48 89 }
+	condition:
+		$1 at pe.entry_point
+}
+
 rule msvc_general
 {
 	meta:

diff --git a/support/yara_patterns/tools/pe/x86/compilers.yara b/support/yara_patterns/tools/pe/x86/compilers.yara
@@ -3383,6 +3383,43 @@ rule ocbat2exe {
 		for any of them : ( $ at pe.entry_point )
 }
 
+rule f2ko_bat2exe_uv_01 {
+	meta:
+		tool = "C"
+		name = "F2KO Bat2Exe"
+		pattern = "68????0000680000000068????????E8????????83C40C6800000000E8????????A3????????680000000068001000006800000000E8????????A3"
+	strings:
+		$1 = { 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? ?? A3 }
+	condition:
+		$1 at pe.entry_point
+}
+
+rule adv_bat_to_exe_uv_01 {
+	meta:
+		tool = "C"
+		name = "Advanced BAT to EXE Converter"
+		pattern = "B94FC3000033C08DBD????????F3AB66ABAAA0????????8885????????B96918000033C08DBD????????F3AB66ABAA8A0D????????888D????????B94000000033C08DBD????????F3AB66ABAA8A15????????8895????????B95900000033C08D"
+	strings:
+		$1 = { B9 4F C3 00 00 33 C0 8D BD ?? ?? ?? ?? F3 AB 66 AB AA A0 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? B9 69 18 00 00 33 C0 8D BD ?? ?? ?? ?? F3 AB 66 AB AA 8A 0D ?? ?? ?? ?? 88 8D ?? ?? ?? ?? B9 40 00 00 00 33 C0 8D BD ?? ?? ?? ?? F3 AB 66 AB AA 8A 15 ?? ?? ?? ?? 88 95 ?? ?? ?? ?? B9 59 00 00 00 33 C0 8D }
+	condition:
+		$1
+}
+
+rule exescript_uv_01 {
+	meta:
+		tool = "C"
+		name = "ExeScript"
+		pattern = "558BEC81EC????????566A00FF15????????8985????????C785????????00000000C745????????00FF15????????A3"
+	strings:
+		$1 = { 55 8B EC 81 EC ?? ?? ?? ?? 56 6A 00 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 C7 45 ?? ?? ?? ?? 00 FF 15 ?? ?? ?? ?? A3 }
+		$2 = "<!-- ----- ExeScript Options Begin -----"
+	condition:
+		$1 at pe.entry_point and
+		@2 > pe.sections[pe.section_index(".rdata")].raw_data_offset and
+		@2 < pe.sections[pe.section_index(".rdata")].raw_data_offset +
+			pe.sections[pe.section_index(".rdata")].raw_data_size
+}
+
 rule plugintoexe_100 {
 	meta:
 		tool = "P"