EK_Fragus.yar

rule fragus_htm : EK
{
meta:
   author = "Josh Berry"
   date = "2016-06-26"
   description = "Fragus Exploit Kit Detection"
   hash0 = "f76deec07a61b4276acc22beef41ea47"
   sample_filetype = "js-html"
   yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
   $string0 = ">Hello, "
   $string1 = "http://www.clantemplates.com"
   $string2 = "this template was created by Bl1nk and is downloadable at <B>ClanTemplates.com<BR></B>Replace "
   $string3 = "></TD></TR></TABLE> "
   $string4 = "Image21"
   $string5 = "scrollbar etc.<BR><BR>Enjoy, Bl1nk</FONT></TD></TR></TABLE><BR></CENTER></TD></TR> "
   $string6 = "to this WarCraft Template"
   $string7 = " document.getElementById) x"
   $string8 = "    if (a[i].indexOf("
   $string9 = "x.oSrc;"
   $string10 = "x.src; x.src"
   $string11 = "<HTML>"
   $string12 = "FFFFFF"
   $string13 = " CELLSPACING"
   $string14 = "images/layoutnormal_03.gif"
   $string15 = "<TR> <TD "
   $string16 = " CELLPADDING"
condition:
   16 of them
}
rule fragus_js : EK
{
meta:
   author = "Josh Berry"
   date = "2016-06-26"
   description = "Fragus Exploit Kit Detection"
   hash0 = "f234c11b5da9a782cb1e554f520a66cf"
   sample_filetype = "js-html"
   yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
   $string0 = "));ELI6Q3PZ"
   $string1 = "VGhNU2pWQmMyUXhPSFI2TTNCVGVEUXpSR3huYm1aeE5UaFhXRFI0ZFhCQVMxWkRNVGh0V0hZNFZVYzBXWFJpTVRoVFpFUklaVGxG"
   $string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
   $string3 = "TkhXa0ZrT1haNGRFSXhRM3BrTkRoVGMxZEJSMmcyT0dwNlkzSTJYM1pCYkZnMVVqQmpWMEZIYURZNGFucGpjalpmZGtGc1dERXpT"
   $string4 = "byKZKkpZU<<18"
   $string5 = ");CUer0x"
   $string6 = "bzWRebpU3yE>>16"
   $string7 = "RUJEWlVvMGNsVTVNMEpNWDNaNGJVSkpPRUJrUlVwRVQwQlNaR2cyY0ZWSE5GbDBRVFZ5UjFnMk9HVldOWGhMYUdFelRIZG5NMWQz"
   $string8 = "WnZSVGxuT1ZSRkwwaFZSelZGUm5GRlJFVTBLVHQ0UWxKQ1drdzBiWEJ5WkhSdVBtdG9XVWd6TVVGSGFFeDVTMlk3ZUVKU1FscE1O"
   $string9 = "QmZjMGN4YjBCd1oyOXBURUJJZEhvMFdYcGtOamhFV1ZwU01GVlZZbXBpUUZKV1lqTXpWMDAwY0dSNlF6aE1SekZ5ZEc4ME9FeEtN"
   $string10 = "SCpMaWXOuME("
   $string11 = "VjJKcVkxZGlYMTlhUVdRNVNUTkhaRFk0YWpsYWJsWkRNVGh0V0hZNFZVYzBXWFJ2Tm5CVmFEUlpWVmhDT0ZWV05YaDBRa1ZTUkUw"
   $string12 = "2;}else{Yuii37DWU"
   $string13 = "ELI6Q3PZ"
   $string14 = "ZUhNNVZYQlZlRFY0UUZnMk9HMVlORkpFYkRsNGMxbEpPRUJSTVY5SGNETllPRXB0YjBsaloySnhPVVZ3UkZWQVgzTllORGgwV0RS"
   $string15 = "S05GbE1lalk0Vm1ORmVEWnpXbEpXZDBWaU5ubzJjRlkzVjFsbFgwVmlURlpuYnpCUE5HNTBhRFpaVEZrMVFYTjZObkIwWTBVNE4x"
   $string16 = "Vm5CWFFVZG9OamhxZW1OeU5sOTJRV3hZTVROSlpEWTRVM294V1VSUFFFdFdZalE0WlVjeGNsSmtObmhBYURVNFZVZEFjRlZDZGtO"
   $string17 = "Yuii37DWU<<12"
   $string18 = ";while(hdnR9eo3pZ6E3<ZZeD3LjJQ.length){eMImGB"
condition:
   18 of them
}
rule fragus_js2 : EK
{
meta:
   author = "Josh Berry"
   date = "2016-06-26"
   description = "Fragus Exploit Kit Detection"
   hash0 = "f234c11b5da9a782cb1e554f520a66cf"
   sample_filetype = "js-html"
   yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
   $string0 = "(ELI6Q3PZ"
   $string1 = "SnJTbVJqV2tOa09VbGZSMHcwY0ZWZmRrRjBjRFY0Y3psVmNGVjROWGhBV0RZNGJWZzBVa1J4TjNCVlgwVmlhRjkyZURaS1NWOUhj"
   $string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
   $string3 = "VUpKUVdWS05ISlZjMXBTTUdWRlNFQmpaMjlrVDBCTFYzY3pZbGRpZG5oeldFUndkSE16YjB4M2JXSnFZMWRpZVY4ellreDNaMko1"
   $string4 = "((Yuii37DWU"
   $string5 = "YURVNFZXUlhjRlZDZGxsQVJ6UlNaRTlBUzFkM00ySlhiekU0ZEhnMWNrUjZZM0kyWDNaQmJGZ3hNMGxrTmpoVGVqRlpkSEUyV1dW"
   $string6 = "String.fromCharCode(ZZeD3LjJQ);}else if(QIyZsvvbEmVOpp"
   $string7 = "1);ELI6Q3PZ"
   $string8 = "));Yuii37DWU"
   $string9 = ");CUer0x"
   $string10 = "T1ZaQ05IUkRTVGhqT1VWd1ZWOUpRMlZLZG5oNlQwQkxWM2N6WWxkQmRrRkFPVmR3VlRsYWJsWnNOWGhKT1ZkeFZWazFRbEU1UlZK"
   $string11 = "TlpkM2wxS3lzcExUUTRYU2s4UEhocFVqRk9jazA3SUdsbUtIaHBVakZPY2swcGV5QkdWek5NVnlzOVVrSklWVE0wVDJ0NlpTZzJP"
   $string12 = "String.fromCharCode(((eMImGB"
   $string13 = "RGRDUkV0WFV6VkJkRkV4WHpCalYwRkhhRFk0YW5wamNqWmZka0ZzV0RaSWExZzBXWEZDUlZsQVpEWkJOMEoyZUhwd1duSlRXVE5J"
   $string14 = "SCpMaWXOuME(mi1mm8bu87rL0W);eval(Pcii3iVk1AG);</script></body></html>"
   $string15 = "Yuii37DWU"
   $string16 = "Yuii37DWU<<12"
   $string17 = "eTVzWlc1bmRHZ3NJRWhWUnpWRlJuRkZSRVUwUFRFd01qUXNJR2hQVlZsRVJFVmxVaXdnZUVKU1FscE1ORzF3Y21SMGJpd2dSbGN6"
condition:
   17 of them
}
rule fragus_js_flash : EK
{
meta:
   author = "Josh Berry"
   date = "2016-06-26"
   description = "Fragus Exploit Kit Detection"
   hash0 = "377431417b34de8592afecaea9aab95d"
   sample_filetype = "js-html"
   yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
   $string0 = "document.appendChild(bdy);try{for (i"
   $string1 = "0; i<10; i"
   $string2 = "default"
   $string3 = "var m "
   $string4 = "/g, document.getElementById('divid').innerHTML));"
   $string5 = " n.substring(0,r/2);"
   $string6 = "document.getElementById('f').innerHTML"
   $string7 = "'atk' onclick"
   $string8 = "function MAKEHEAP()"
   $string9 = "document.createElement('div');"
   $string10 = "<button id"
   $string11 = "/g, document.getElementById('divid').innerHTML);"
   $string12 = "document.body.appendChild(gg);"
   $string13 = "var bdy "
   $string14 = "var gg"
   $string15 = " unescape(gg);while(n.length<r/2) { n"
condition:
   15 of them
}
rule fragus_js_java : EK
{
meta:
   author = "Josh Berry"
   date = "2016-06-26"
   description = "Fragus Exploit Kit Detection"
   hash0 = "7398e435e68a2fa31607518befef30fb"
   sample_filetype = "js-html"
   yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
   $string0 = "I></XML><SPAN DATASRC"
   $string1 = "setTimeout('vparivatel()',8000);function vparivatel(){document.write('<iframe src"
   $string2 = "I DATAFLD"
   $string3 = " unescape("
   $string4 = ", 1);swf.setAttribute("
   $string5 = "function XMLNEW(){var spray "
   $string6 = "vparivatel.php"
   $string7 = "6) ){if ( (lv"
   $string8 = "'WIN 9,0,16,0')"
   $string9 = "d:/Program Files/Outlook Express/WAB.EXE"
   $string10 = "<XML ID"
   $string11 = "new ActiveXObject("
   $string12 = "'7.1.0') ){SHOWPDF('iepdf.php"
   $string13 = "function SWF(){try{sv"
   $string14 = "'WIN 9,0,28,0')"
   $string15 = "C DATAFORMATAS"
   $string16 = " shellcode;xmlcode "
   $string17 = "function SNAPSHOT(){var a"
condition:
   17 of them
}
rule fragus_js_quicktime : EK
{
meta:
   author = "Josh Berry"
   date = "2016-06-26"
   description = "Fragus Exploit Kit Detection"
   hash0 = "6bfc7bb877e1a79be24bd9563c768ffd"
   sample_filetype = "js-html"
   yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
   $string0 = "                setTimeout("
   $string1 = "wnd.location"
   $string2 = "window;"
   $string3 = "        var pls "
   $string4 = "        mem_flag "
   $string5 = ", 1500);} else{ PRyyt4O3wvgz(1);}"
   $string6 = "         } catch(e) { }"
   $string7 = " mem_flag) JP7RXLyEu();"
   $string8 = " 0x400000;"
   $string9 = "----------------------------------------------------------------------------------------------------"
   $string10 = "        heapBlocks "
   $string11 = "        return mm;"
   $string12 = "0x38);"
   $string13 = "        h();"
   $string14 = " getb(b,bSize);"
   $string15 = "getfile.php"
condition:
   15 of them
}
rule fragus_js_vml : EK
{
meta:
   author = "Josh Berry"
   date = "2016-06-26"
   description = "Fragus Exploit Kit Detection"
   hash0 = "8ab72337c815e0505fcfbc97686c3562"
   sample_filetype = "js-html"
   yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
   $string0 = " 0x100000;"
   $string1 = "            var gg "
   $string2 = "/g, document.getElementById('divid').innerHTML));"
   $string3 = "                                var sss "
   $string4 = "                }"
   $string5 = "                        document.body.appendChild(obj);"
   $string6 = "                                var hbs "
   $string7 = " shcode; }"
   $string8 = " '<div id"
   $string9 = " hbs - (shcode.length"
   $string10 = "){ m[i] "
   $string11 = " unescape(gg);"
   $string12 = "                                var z "
   $string13 = "                                var hb "
   $string14 = " Math.ceil('0'"
condition:
   14 of them
}