Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
rules
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
rules
Commits
050520f6
Commit
050520f6
authored
Jun 08, 2017
by
mmorenog
Committed by
GitHub
Jun 08, 2017
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Create MALW_Gafgyt.yar
parent
cedbb466
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
122 additions
and
0 deletions
+122
-0
MALW_Gafgyt.yar
malware/MALW_Gafgyt.yar
+122
-0
No files found.
malware/MALW_Gafgyt.yar
0 → 100644
View file @
050520f6
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Gafgyt_Botnet_generic : MALW
{
meta:
description = "Gafgyt Trojan"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "e3fac853203c3f1692af0101eaad87f1"
SHA1 = "710781e62d49419a3a73624f4a914b2ad1684c6a"
strings:
$etcTZ = "/bin/busybox;echo -e 'gayfgt'"
$s2 = "/proc/net/route"
$s3 = "admin"
$s4 = "root"
condition:
$etcTZ and $s2 and $s3 and $s4
}
rule Gafgyt_Botnet_oh : MALW
{
meta:
description = "Gafgyt Trojan"
author = "Joan Soriano / @joanbtl"
date = "2017-05-025"
version = "1.0"
MD5 = "97f5edac312de349495cb4afd119d2a5"
SHA1 = "916a51f2139f11e8be6247418dca6c41591f4557"
strings:
$s1 = "busyboxterrorist"
$s2 = "BOGOMIPS"
$s3 = "124.105.97.%d"
$s4 = "fucknet"
condition:
$s1 and $s2 and $s3 and $s4
}
rule Gafgyt_Botnet_bash : MALW
{
meta:
description = "Gafgyt Trojan"
author = "Joan Soriano / @joanbtl"
date = "2017-05-25"
version = "1.0"
MD5 = "c8d58acfe524a09d4df7ffbe4a43c429"
SHA1 = "b41fefa8470f3b3657594af18d2ea4f6ac4d567f"
strings:
$s1 = "PONG!"
$s2 = "GETLOCALIP"
$s3 = "HTTPFLOOD"
$s4 = "LUCKYLILDUDE"
condition:
$s1 and $s2 and $s3 and $s4
}
rule Gafgyt_Botnet_hoho : MALW
{
meta:
description = "Gafgyt Trojan"
author = "Joan Soriano / @joanbtl"
date = "2017-05-25"
version = "1.0"
MD5 = "369c7c66224b343f624803d595aa1e09"
SHA1 = "54519d2c124cb536ed0ddad5683440293d90934f"
strings:
$s1 = "PING"
$s2 = "PRIVMSG"
$s3 = "Remote IRC Bot"
$s4 = "23.95.43.182"
condition:
$s1 and $s2 and $s3 and $s4
}
rule Gafgyt_Botnet_jackmy : MALW
{
meta:
description = "Gafgyt Trojan"
author = "Joan Soriano / @joanbtl"
date = "2017-05-25"
version = "1.0"
MD5 = "419b8a10a3ac200e7e8a0c141b8abfba"
SHA1 = "5433a5768c5d22dabc4d133c8a1d192d525939d5"
strings:
$s1 = "PING"
$s2 = "PONG"
$s3 = "jackmy"
$s4 = "203.134.%d.%d"
condition:
$s1 and $s2 and $s3 and $s4
}
rule Gafgyt_Botnet_HIHI: MALW
{
meta:
description = "Gafgyt Trojan"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "cc99e8dd2067fd5702a4716164865c8a"
SHA1 = "b9b316c1cc9f7a1bf8c70400861de08d95716e49"
strings:
$s1 = "PING"
$s2 = "PONG"
$s3 = "TELNET LOGIN CRACKED - %s:%s:%s"
$s4 = "ADVANCEDBOT"
$s5 = "46.166.185.92"
$s6 = "LOLNOGTFO"
condition:
$s1 and $s2 and $s3 and $s4 and $s5 and $s6
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
