Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
rules
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
rules
Commits
1d481118
Commit
1d481118
authored
Jul 20, 2016
by
mmorenog
Committed by
GitHub
Jul 20, 2016
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Update APT_HackingTeam.yar
parent
b8ad9ac8
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
67 additions
and
0 deletions
+67
-0
APT_HackingTeam.yar
malware/APT_HackingTeam.yar
+67
-0
No files found.
malware/APT_HackingTeam.yar
View file @
1d481118
...
@@ -70,3 +70,70 @@ rule HackingTeam_Elevator_EXE : HackingTeam {
...
@@ -70,3 +70,70 @@ rule HackingTeam_Elevator_EXE : HackingTeam {
condition:
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of ($x*) and 3 of ($s*)
uint16(0) == 0x5a4d and filesize < 3000KB and all of ($x*) and 3 of ($s*)
}
}
import "pe"
rule RCS_Backdoor
{
meta:
description = "Hacking Team RCS Backdoor"
author = "botherder https://github.com/botherder"
strings:
$filter1 = "$debug3"
$filter2 = "$log2"
$filter3 = "error2"
$debug1 = /\- (C)hecking components/ wide ascii
$debug2 = /\- (A)ctivating hiding system/ wide ascii
$debug3 = /(f)ully operational/ wide ascii
$log1 = /\- Browser activity \(FF\)/ wide ascii
$log2 = /\- Browser activity \(IE\)/ wide ascii
// Cause false positives.
//$log3 = /\- About to call init routine at %p/ wide ascii
//$log4 = /\- Calling init routine at %p/ wide ascii
$error1 = /\[Unable to deploy\]/ wide ascii
$error2 = /\[The system is already monitored\]/ wide ascii
condition:
(2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
}
rule RCS_Scout
{
meta:
description = "Hacking Team RCS Scout"
author = "botherder https://github.com/botherder"
strings:
$filter1 = "$engine5"
$filter2 = "$start4"
$filter3 = "$upd2"
$filter4 = "$lookma6"
$engine1 = /(E)ngine started/ wide ascii
$engine2 = /(R)unning in background/ wide ascii
$engine3 = /(L)ocking doors/ wide ascii
$engine4 = /(R)otors engaged/ wide ascii
$engine5 = /(I)\'m going to start it/ wide ascii
$start1 = /Starting upgrade\!/ wide ascii
$start2 = /(I)\'m going to start the program/ wide ascii
$start3 = /(i)s it ok\?/ wide ascii
$start4 = /(C)lick to start the program/ wide ascii
$upd1 = /(U)pdJob/ wide ascii
$upd2 = /(U)pdTimer/ wide ascii
$lookma1 = /(O)wning PCI bus/ wide
$lookma2 = /(F)ormatting bios/ wide
$lookma3 = /(P)lease insert a disk in drive A:/ wide
$lookma4 = /(U)pdating CPU microcode/ wide
$lookma5 = /(N)ot sure what's happening/ wide
$lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide
condition:
(all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
