// detect common properties of the BE2 and BE3 loader
// https://ics-cert.us-cert.gov/sites/default/files/file_attach/ICS-ALERT-14-281-01E.yara

rule Sanesecurity_BlackEnergy
{
    strings: 
        $hc1 = {68 97 04 81 1D 6A 01}
        $hc2 = {68 A8 06 B0 3B 6A 02}
        $hc3 = {68 14 06 F5 33 6A 01}
        $hc4 = {68 AF 02 91 AB 6A 01}
        $hc5 = {68 8A 86 39 56 6A 02}
        $hc6 = {68 19 2B 90 95 6A 01}
        $hc7 = {(68 | B?) 11 05 90 23}
        $hc8 = {(68 | B?) EB 05 4A 2F}
        $hc9 = {(68 | B?) B7 05 57 2A}
    condition:
        2 of ($hc*)
}

// detect BE3 variants that are not caught by the general BlackEnergy rule
rule Sanesecurity_BlackEnergy3
{
    strings: 
        $a1 = "MCSF_Config" ascii
        $a2 = "NTUSER.LOG" ascii
        $a3 = "ldplg" ascii
        $a4 = "unlplg" ascii
        $a5 = "getp" ascii
        $a6 = "getpd" ascii
        $a7 = "CSTR" ascii
        $a5 = "FONTCACHE.DAT" ascii
    condition:
        4 of them
}

// detect both packed and unpacked variants of the BE2 driver
rule Sanesecurity_BlackEnergy2_Driver
{
    strings:
        $a1 = {7E 4B 54 1A}
        $a2 = {E0 3C 96 A2}
        $a3 = "IofCompleteRequest" ascii
        $b1 = {31 A1 44 BC}
        $b2 = "IoAttachDeviceToDeviceStack" ascii
        $b3 = "KeInsertQueueDpc" ascii
        $c1 = {A3 41 FD 66}
        $c2 = {61 1E 4E F8}
        $c3 = "PsCreateSystemThread" ascii
    condition:
        all of ($a*) and 3 of ($b*, $c*)
}

// detect BE2 variants, typically plugins or loaders containing plugins
rule Sanesecurity_BlackEnergy2
{
    strings:
        $ex1 = "DispatchCommand" ascii
        $ex2 = "DispatchEvent" ascii
        $a1 = {68 A1 B0 5C 72}
        $a2 = {68 6B 43 59 4E}
        $a3 = {68 E6 4B 59 4E}
    condition:
        all of ($ex*) and 3 of ($a*)
}