Added KeyBoy rules

Added KeyBoy rules

Added KeyBoy rules
6ebf596c · Yara Rules · 3d9451bc · 6ebf596c
Commit 6ebf596c authored May 06, 2015 by Yara Rules
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 0 deletions

KeyBoy.yar malware/KeyBoy.yar +46 -0

No files found.
--- a/malware/KeyBoy.yar
+++ b/malware/KeyBoy.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule KeyBoy_Dropper  
+{  
+    meta:
+        Author      = "Rapid7 Labs"
+        Date        = "2013/06/07"
+        Description = "Strings inside"
+        Reference   = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
+
+    strings:
+        $1 = "I am Admin"  
+        $2 = "I am User"  
+        $3 = "Run install success!"  
+        $4 = "Service install success!"  
+        $5 = "Something Error!"  
+        $6 = "Not Configed, Exiting"  
+
+    condition:  
+        all of them  
+}
+
+rule KeyBoy_Backdoor  
+{
+    meta:
+        Author      = "Rapid7 Labs"
+        Date        = "2013/06/07"
+        Description = "Strings inside"
+        Reference   = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
+
+    strings:  
+        $1 = "$login$"  
+        $2 = "$sysinfo$"  
+        $3 = "$shell$"  
+        $4 = "$fileManager$"  
+        $5 = "$fileDownload$"  
+        $6 = "$fileUpload$"  
+
+    condition:  
+        all of them  
+}