1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Androguard module used in this rule file is under development by people at https://koodous.com/.
You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
*/
import "androguard"
import "cuckoo"
rule libyan_scorpions
{
meta:
source = "https://cyberkov.com/wp-content/uploads/2016/09/Hunting-Libyan-Scorpions-EN.pdf"
sample = "9d8e5ccd4cf543b4b41e4c6a1caae1409076a26ee74c61c148dffd3ce87d7787"
strings:
$ip_1 = "41.208.110.46" ascii wide
$domain_1 = "winmeif.myq-see.com" ascii wide nocase
$domain_2 = "wininit.myq-see.com" ascii wide nocase
$domain_3 = "samsung.ddns.me" ascii wide nocase
$domain_4 = "collge.myq-see.com" ascii wide nocase
$domain_5 = "sara2011.no-ip.biz" ascii wide nocase
condition:
androguard.url(/41\.208\.110\.46/) or cuckoo.network.http_request(/41\.208\.110\.46/) or
androguard.url(/winmeif.myq-see.com/i) or cuckoo.network.dns_lookup(/winmeif.myq-see.com/i) or
androguard.url(/wininit.myq-see.com/i) or cuckoo.network.dns_lookup(/wininit.myq-see.com/i) or
androguard.url(/samsung.ddns.me/i) or cuckoo.network.dns_lookup(/samsung.ddns.me/i) or
androguard.url(/collge.myq-see.com/i) or cuckoo.network.dns_lookup(/collge.myq-see.com/i) or
androguard.url(/sara2011.no-ip.biz/i) or cuckoo.network.dns_lookup(/sara2011.no-ip.biz/i) or
any of ($domain_*) or any of ($ip_*) or
androguard.certificate.sha1("DFFDD3C42FA06BCEA9D65B8A2E980851383BD1E3")
}