Skip to content

R
rules
Commit 0e3ac178 by Jose Vila
Options

Removed duplicates

parent ec77c4b5
Showing with 9 additions and 491 deletions
malware/Miscelanea.yar
...@@ -161,32 +161,6 @@ rule TrojanDownloader { ...@@ -161,32 +161,6 @@ rule TrojanDownloader {
$x1 and $x2 and ( all of ($s*) ) and filesize < 35000 $x1 and $x2 and ( all of ($s*) ) and filesize < 35000
} }
rule Embedded_EXE_Cloaking {
meta:
description = "Detects an embedded executable in a non-executable file"
author = "Florian Roth"
date = "2015/02/27"
score = 80
strings:
$noex_png = { 89 50 4E 47 }
$noex_pdf = { 25 50 44 46 }
$noex_rtf = { 7B 5C 72 74 66 31 }
$noex_jpg = { FF D8 FF E0 }
$noex_gif = { 47 49 46 38 }
$mz = { 4D 5A }
$a1 = "This program cannot be run in DOS mode"
$a2 = "This program must be run under Win32"
condition:
(
( $noex_png at 0 ) or
( $noex_pdf at 0 ) or
( $noex_rtf at 0 ) or
( $noex_jpg at 0 ) or
( $noex_gif at 0 )
)
and
for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
}
rule Cloaked_as_JPG { rule Cloaked_as_JPG {
meta: meta:
...@@ -200,350 +174,6 @@ rule Cloaked_as_JPG { ...@@ -200,350 +174,6 @@ rule Cloaked_as_JPG {
$ext and uint16be(0x00) != 0xFFD8 $ext and uint16be(0x00) != 0xFFD8
} }
rule WindowsCredentialEditor
{
meta:
description = "Windows Credential Editor" threat_level = 10 score = 90
strings:
$a = "extract the TGT session key"
$b = "Windows Credentials Editor"
condition:
$a or $b
}
rule Amplia_Security_Tool
{
meta:
description = "Amplia Security Tool"
score = 60
nodeepdive = 1
strings:
$a = "Amplia Security"
$b = "Hernan Ochoa"
$c = "getlsasrvaddr.exe"
$d = "Cannot get PID of LSASS.EXE"
$e = "extract the TGT session key"
$f = "PPWDUMP_DATA"
condition: 1 of them
}
rule perlbot_pl {
meta:
description = "Semi-Auto-generated - file perlbot.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "7e4deb9884ffffa5d82c22f8dc533a45"
strings:
$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
$s1 = "#Acesso a Shel - 1 ON 0 OFF"
condition:
1 of them
}
rule php_backdoor_php {
meta:
description = "Semi-Auto-generated - file php-backdoor.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
strings:
$s0 = "http://michaeldaw.org 2006"
$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
$s3 = "coded by z0mbie"
condition:
1 of them
}
rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
meta:
description = "Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
strings:
$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
condition:
1 of them
}
rule Nshell__1__php_php {
meta:
description = "Semi-Auto-generated - file Nshell (1).php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "973fc89694097a41e684b43a21b1b099"
strings:
$s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
$s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
condition:
1 of them
}
rule shankar_php_php {
meta:
description = "Semi-Auto-generated - file shankar.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "6eb9db6a3974e511b7951b8f7e7136bb"
strings:
$sAuthor = "ShAnKaR"
$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
condition:
1 of ($s*) and $sAuthor
}
rule Casus15_php_php {
meta:
description = "Semi-Auto-generated - file Casus15.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
strings:
$s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
$s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
$s3 = "value='Calistirmak istediginiz "
condition:
1 of them
}
rule small_php_php {
meta:
description = "Semi-Auto-generated - file small.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "fcee6226d09d150bfa5f103bee61fbde"
strings:
$s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
$s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
$s4 = "@ini_set('error_log',NULL);" fullword
condition:
2 of them
}
rule shellbot_pl {
meta:
description = "Semi-Auto-generated - file shellbot.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
strings:
$s0 = "ShellBOT"
$s1 = "PacktsGr0up"
$s2 = "CoRpOrAtIoN"
$s3 = "# Servidor de irc que vai ser usado "
$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
condition:
2 of them
}
rule fuckphpshell_php {
meta:
description = "Semi-Auto-generated - file fuckphpshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "554e50c1265bb0934fcc8247ec3b9052"
strings:
$s0 = "$succ = \"Warning! "
$s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!"
$s2 = "\\*=-- MEMBERS AREA --=*/"
$s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
condition:
2 of them
}
rule ngh_php_php {
meta:
description = "Semi-Auto-generated - file ngh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c372b725419cdfd3f8a6371cfeebc2fd"
strings:
$s0 = "Cr4sh_aka_RKL"
$s1 = "NGH edition"
$s2 = "/* connectback-backdoor on perl"
$s3 = "<form action=<?=$script?>?act=bindshell method=POST>"
$s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r"
condition:
1 of them
}
rule jsp_reverse_jsp {
meta:
description = "Semi-Auto-generated - file jsp-reverse.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8b0e6779f25a17f0ffb3df14122ba594"
strings:
$s0 = "// backdoor.jsp"
$s1 = "JSP Backdoor Reverse Shell"
$s2 = "http://michaeldaw.org"
condition:
1 of them
}
rule Tool_asp {
meta:
description = "Semi-Auto-generated - file Tool.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
strings:
$s0 = "mailto:rhfactor@antisocial.com"
$s2 = "?raiz=root"
$s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE"
$s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
condition:
2 of them
}
rule NT_Addy_asp {
meta:
description = "Semi-Auto-generated - file NT Addy.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2e0d1bae844c9a8e6e351297d77a1fec"
strings:
$s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
$s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
$s4 = "RAW D.O.S. COMMAND INTERFACE"
condition:
1 of them
}
rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
meta:
description = "Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "089ff24d978aeff2b4b2869f0c7d38a3"
strings:
$s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
$s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
$s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
condition:
1 of them
}
rule RemExp_asp {
meta:
description = "Semi-Auto-generated - file RemExp.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "aa1d8491f4e2894dbdb91eec1abc2244"
strings:
$s0 = "<title>Remote Explorer</title>"
$s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
$s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
condition:
2 of them
}
rule phvayvv_php_php {
meta:
description = "Semi-Auto-generated - file phvayvv.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "35fb37f3c806718545d97c6559abd262"
strings:
$s0 = "{mkdir(\"$dizin/$duzenx2\",777)"
$s1 = "$baglan=fopen($duzkaydet,'w');"
$s2 = "PHVayv 1.0"
condition:
1 of them
}
rule klasvayv_asp {
meta:
description = "Semi-Auto-generated - file klasvayv.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2b3e64bf8462fc3d008a3d1012da64ef"
strings:
$s1 = "set aktifklas=request.querystring(\"aktifklas\")"
$s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
$s3 = "<font color=\"#858585\">www.aventgrup.net"
$s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
condition:
1 of them
}
rule r57shell_php_php {
meta:
description = "Semi-Auto-generated - file r57shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d28445de424594a5f14d0fe2a7c4e94f"
strings:
$s0 = "r57shell" fullword
$s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
$s2 = "RusH security team"
$s3 = "'ru_text12' => 'back-connect"
condition:
1 of them
}
rule rst_sql_php_php {
meta:
description = "Semi-Auto-generated - file rst_sql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0961641a4ab2b8cb4d2beca593a92010"
strings:
$s0 = "C:\\tmp\\dump_"
$s1 = "RST MySQL"
$s2 = "http://rst.void.ru"
$s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';"
condition:
2 of them
}
rule wh_bindshell_py {
meta:
description = "Semi-Auto-generated - file wh_bindshell.py.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "fab20902862736e24aaae275af5e049c"
strings:
$s0 = "#Use: python wh_bindshell.py [port] [password]"
$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
condition:
1 of them
}
rule lurm_safemod_on_cgi {
meta:
description = "Semi-Auto-generated - file lurm_safemod_on.cgi.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5ea4f901ce1abdf20870c214b3231db3"
strings:
$s0 = "Network security team :: CGI Shell" fullword
$s1 = "#########################<<KONEC>>#####################################" fullword
$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
condition:
1 of them
}
rule c99madshell_v2_0_php_php {
meta:
description = "Semi-Auto-generated - file c99madshell_v2.0.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d27292895da9afa5b60b9d3014f39294"
strings:
$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
condition:
all of them
}
rule backupsql_php_often_with_c99shell {
meta:
description = "Semi-Auto-generated - file backupsql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
strings:
$s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
$s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
condition:
all of them
}
rule uploader_php_php {
meta:
description = "Semi-Auto-generated - file uploader.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0b53b67bb3b004a8681e1458dd1895d0"
strings:
$s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
$s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
$s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
condition:
2 of them
}
rule telnet_pl {
meta:
description = "Semi-Auto-generated - file telnet.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "dd9dba14383064e219e29396e242c1ec"
strings:
$s0 = "W A R N I N G: Private Server"
$s2 = "$Message = q$<pre><font color=\"#669999\"> _____ _____ _____ _____ "
condition:
all of them
}
rule w3d_php_php {
meta:
description = "Semi-Auto-generated - file w3d.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "987f66b29bfb209a0b4f097f84f57c3b"
strings:
$s0 = "W3D Shell"
$s1 = "By: Warpboy"
$s2 = "No Query Executed"
condition:
2 of them
}
rule rtf_yahoo_ken rule rtf_yahoo_ken
...@@ -718,25 +348,6 @@ rule PythoRAT ...@@ -718,25 +348,6 @@ rule PythoRAT
all of them all of them
} }
rule CN_Toolset_sig_1433_135_sqlr {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
strings:
$s0 = "Connect to %s MSSQL server success. Type Command at Prompt." fullword ascii
$s11 = ";DATABASE=master" fullword ascii
$s12 = "xp_cmdshell '" fullword ascii
$s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
condition:
all of them
}
rule VirusRat rule VirusRat
{ {
meta: meta:
...@@ -1002,74 +613,6 @@ rule DownExecute_A ...@@ -1002,74 +613,6 @@ rule DownExecute_A
all of ($winver*) or any of ($pdb*) or any of ($magic*) or 2 of ($str*) all of ($winver*) or any of ($pdb*) or any of ($magic*) or 2 of ($str*)
} }
rule CN_Toolset__XScanLib_XScanLib_XScanLib {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
super_rule = 1
hash0 = "af419603ac28257134e39683419966ab3d600ed2"
hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
strings:
$s1 = "Plug-in thread causes an exception, failed to alert user." fullword
$s2 = "PlugGetUdpPort" fullword
$s3 = "XScanLib.dll" fullword
$s4 = "PlugGetTcpPort" fullword
$s11 = "PlugGetVulnNum" fullword
condition:
all of them
}
rule CN_Toolset_NTscan_PipeCmd {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
strings:
$s2 = "Please Use NTCmd.exe Run This Program." fullword ascii
$s3 = "PipeCmd.exe" fullword wide
$s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii
$s5 = "%s\\pipe\\%s%s%d" fullword ascii
$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
$s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii
$s9 = "PipeCmdSrv.exe" fullword ascii
$s10 = "This is a service executable! Couldn't start directly." fullword ascii
$s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii
$s14 = "PIPECMDSRV" fullword wide
$s15 = "PipeCmd Service" fullword ascii
condition:
4 of them
}
rule CN_Toolset_LScanPortss_2 {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "4631ec57756466072d83d49fbc14105e230631a0"
strings:
$s1 = "LScanPort.EXE" fullword wide
$s3 = "www.honker8.com" fullword wide
$s4 = "DefaultPort.lst" fullword ascii
$s5 = "Scan over.Used %dms!" fullword ascii
$s6 = "www.hf110.com" fullword wide
$s15 = "LScanPort Microsoft " fullword wide
$s18 = "L-ScanPort2.0 CooFly" fullword wide
condition:
4 of them
}
rule CVE_2015_1674_CNGSYS { rule CVE_2015_1674_CNGSYS {
meta: meta:
description = "Detects exploits for CVE-2015-1674" description = "Detects exploits for CVE-2015-1674"
...@@ -1088,6 +631,7 @@ rule CVE_2015_1674_CNGSYS { ...@@ -1088,6 +631,7 @@ rule CVE_2015_1674_CNGSYS {
condition: condition:
uint16(0) == 0x5a4d and filesize < 60KB and all of them uint16(0) == 0x5a4d and filesize < 60KB and all of them
} }
rule Ap0calypse rule Ap0calypse
{ {
meta: meta:
...@@ -1360,20 +904,3 @@ $my_hex_string2 = {89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E ...@@ -1360,20 +904,3 @@ $my_hex_string2 = {89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E
condition: condition:
$my_hex_string and $my_hex_string2 $my_hex_string and $my_hex_string2
} }
rule Mimikatz_Logfile
{
meta:
description = "Detects a log file generated by malicious hack tool mimikatz"
author = "Florian Roth"
score = 80
date = "2015/03/31"
reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
strings:
$s1 = "SID :" ascii fullword
$s2 = "* NTLM :" ascii fullword
$s3 = "Authentication Id :" ascii fullword
$s4 = "wdigest :" ascii fullword
condition:
all of them
}
malware/THOR_HackTools.yar
...@@ -1524,7 +1524,7 @@ rule aspfile1 { ...@@ -1524,7 +1524,7 @@ rule aspfile1 {
3 of them 3 of them
} }
rule EditServer { rule EditServer_HackTool {
meta: meta:
description = "Disclosed hacktool set (old stuff) - file EditServer.exe" description = "Disclosed hacktool set (old stuff) - file EditServer.exe"
author = "Florian Roth" author = "Florian Roth"
...@@ -2782,6 +2782,7 @@ rule CN_Toolset__XScanLib_XScanLib_XScanLib { ...@@ -2782,6 +2782,7 @@ rule CN_Toolset__XScanLib_XScanLib_XScanLib {
description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll" description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
author = "Florian Roth" author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/" reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30" date = "2015/03/30"
score = 70 score = 70
super_rule = 1 super_rule = 1
...@@ -2803,6 +2804,7 @@ rule CN_Toolset_NTscan_PipeCmd { ...@@ -2803,6 +2804,7 @@ rule CN_Toolset_NTscan_PipeCmd {
description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe" description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
author = "Florian Roth" author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/" reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30" date = "2015/03/30"
score = 70 score = 70
hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e" hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
...@@ -2827,6 +2829,7 @@ rule CN_Toolset_LScanPortss_2 { ...@@ -2827,6 +2829,7 @@ rule CN_Toolset_LScanPortss_2 {
description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe" description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
author = "Florian Roth" author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/" reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30" date = "2015/03/30"
score = 70 score = 70
hash = "4631ec57756466072d83d49fbc14105e230631a0" hash = "4631ec57756466072d83d49fbc14105e230631a0"
...@@ -2847,6 +2850,7 @@ rule CN_Toolset_sig_1433_135_sqlr { ...@@ -2847,6 +2850,7 @@ rule CN_Toolset_sig_1433_135_sqlr {
description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe" description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
author = "Florian Roth" author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/" reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30" date = "2015/03/30"
score = 70 score = 70
hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57" hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
...@@ -2859,20 +2863,6 @@ rule CN_Toolset_sig_1433_135_sqlr { ...@@ -2859,20 +2863,6 @@ rule CN_Toolset_sig_1433_135_sqlr {
all of them all of them
} }
rule DarkComet_Keylogger_File
{
meta:
author = "Florian Roth"
description = "Looks like a keylogger file created by DarkComet Malware"
date = "25.07.14"
score = 50
strings:
$magic = "::"
$entry = /\n:: [A-Z]/
$timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
condition:
($magic at 0) and #entry > 10 and #timestamp > 10
}
/* Mimikatz */ /* Mimikatz */
...@@ -3013,6 +3003,7 @@ rule Mimikatz_Logfile ...@@ -3013,6 +3003,7 @@ rule Mimikatz_Logfile
author = "Florian Roth" author = "Florian Roth"
score = 80 score = 80
date = "2015/03/31" date = "2015/03/31"
reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar"
strings: strings:
$s1 = "SID :" ascii fullword $s1 = "SID :" ascii fullword
$s2 = "* NTLM :" ascii fullword $s2 = "* NTLM :" ascii fullword
......
malware/THOR_Webshells.yar
...@@ -6643,7 +6643,7 @@ rule DarkSpy105 { ...@@ -6643,7 +6643,7 @@ rule DarkSpy105 {
condition: condition:
all of them all of them
} }
rule EditServer { rule EditServer_Webshell {
meta: meta:
description = "Webshells Auto-generated - file EditServer.exe" description = "Webshells Auto-generated - file EditServer.exe"
author = "Yara Bulk Rule Generator by Florian Roth" author = "Yara Bulk Rule Generator by Florian Roth"
...@@ -7623,7 +7623,7 @@ rule xssshell_default { ...@@ -7623,7 +7623,7 @@ rule xssshell_default {
condition: condition:
all of them all of them
} }
rule EditServer_2 { rule EditServer_Webshell_2 {
meta: meta:
description = "Webshells Auto-generated - file EditServer.exe" description = "Webshells Auto-generated - file EditServer.exe"
author = "Yara Bulk Rule Generator by Florian Roth" author = "Yara Bulk Rule Generator by Florian Roth"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment