search

mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0
529 stars 159 forks source link

[Rule Idea] - SWIFT information harvesting #233

Open re-fox opened 3 years ago

re-fox commented 3 years ago

Prerequisites

Summary

Similar to other collection rules , look for SWIFT information targeting.

Examples

DYEPACK sample 4659dadbf5b07c8c3c36ae941f71b631737631bc3fded2fe2af250ceba98959a

Features

The malware in will craft sql statements looking for SWIFT related information.

Some examples:

SELECT MESG_S_UMID FROM SAAOWNER.MESG_%s WHERE MESG_SENDER_SWIFT_ADDRESS LIKE '%%%s%%' AND MESG_TRN_REF LIKE '%%%s%%';
DELETE FROM SAAOWNER.MESG_%s WHERE MESG_S_UMID = '%s';
DELETE FROM SAAOWNER.TEXT_%s WHERE TEXT_S_UMID = '%s'; 
SELECT * FROM (SELECT JRNL_DISPLAY_TEXT, JRNL_DATE_TIME FROM SAAOWNER.JRNL_%s WHERE JRNL_DISPLAY_TEXT LIKE '%%LT BBHOBDDHA: Log%%' ORDER BY JRNL_DATE_TIME DESC) A WHERE ROWNUM = 1;
SELECT MESG_FIN_CCY_AMOUNT FROM SAAOWNER.MESG_%s WHERE MESG_S_UMID = '%s';
SELECT MESG_S_UMID FROM SAAOWNER.MESG_%s WHERE MESG_SENDER_SWIFT_ADDRESS LIKE '%%%s%%' AND MESG_FIN_CCY_AMOUNT LIKE '%%%s%%';
UPDATE SAAOWNER.MESG_%s SET MESG_FIN_CCY_AMOUNT = '%s' WHERE MESG_S_UMID = '%s';
UPDATE SAAOWNER.TEXT_%s SET TEXT_DATA_BLOCK = UTL_RAW.CAST_TO_VARCHAR2('%s') WHERE TEXT_S_UMID = '%s';

Additional context

Rule details

Namespace

/collection/swift

References

Other rule meta information

williballenthin commented 3 years ago

this sample is near and dear to me.

great idea for the rule!

johnk3r commented 2 years ago

Hello, I'll support it!