Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
rules
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
rules
Commits
6a9160cc
Commit
6a9160cc
authored
Jul 22, 2015
by
mmorenog
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Create Exploit_CVE_2015_2426.yar
parent
3d202f1c
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
48 additions
and
0 deletions
+48
-0
Exploit_CVE_2015_2426.yar
malware/Exploit_CVE_2015_2426.yar
+48
-0
No files found.
malware/Exploit_CVE_2015_2426.yar
0 → 100644
View file @
6a9160cc
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Exploit_MS15_077_078 {
meta:
description = "MS15-078 / MS15-077 exploit - generic signature"
author = "Florian Roth"
reference = "https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200"
date = "2015-07-21"
hash1 = "18e3e840a5e5b75747d6b961fca66a670e3faef252aaa416a88488967b47ac1c"
hash2 = "0b5dc030e73074b18b1959d1cf7177ff510dbc2a0ec2b8bb927936f59eb3d14d"
hash3 = "fc609adef44b5c64de029b2b2cff22a6f36b6bdf9463c1bd320a522ed39de5d9"
hash4 = "ad6bb982a1ecfe080baf0a2b27950f989c107949b1cf02b6e0907f1a568ece15"
strings:
$s1 = "GDI32.DLL" fullword ascii
$s2 = "atmfd.dll" fullword wide
$s3 = "AddFontMemResourceEx" fullword ascii
$s4 = "NamedEscape" fullword ascii
$s5 = "CreateBitmap" fullword ascii
$s6 = "DeleteObject" fullword ascii
$op0 = { 83 45 e8 01 eb 07 c7 45 e8 } /* Opcode */
$op1 = { 8d 85 24 42 fb ff 89 04 24 e8 80 22 00 00 c7 45 } /* Opcode */
$op2 = { eb 54 8b 15 6c 00 4c 00 8d 85 24 42 fb ff 89 44 } /* Opcode */
$op3 = { 64 00 88 ff 84 03 70 03 }
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*) or all of ($op*)
}
rule Exploit_MS15_077_078_HackingTeam {
meta:
description = "MS15-078 / MS15-077 exploit - Hacking Team code"
author = "Florian Roth"
date = "2015-07-21"
super_rule = 1
hash1 = "ad6bb982a1ecfe080baf0a2b27950f989c107949b1cf02b6e0907f1a568ece15"
hash2 = "fc609adef44b5c64de029b2b2cff22a6f36b6bdf9463c1bd320a522ed39de5d9"
strings:
$s1 = "\\SystemRoot\\system32\\CI.dll" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "\\sysnative\\CI.dll" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "CRTDLL.DLL" fullword ascii
$s5 = "\\sysnative" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "InternetOpenA coolio, trying open %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2500KB and all of them
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
