Added rules CN_Toolset_* from Loki thor-hacktools.yar

7913f78f · David André · 39305620 · 7913f78f
Commit 7913f78f authored May 20, 2015 by David André
Show whitespace changes
Inline Side-by-side

Showing with 69 additions and 0 deletions

Miscelanea.yar malware/Miscelanea.yar +69 -0

No files found.
--- a/malware/Miscelanea.yar
+++ b/malware/Miscelanea.yar
@@ -825,6 +825,7 @@ rule CN_Toolset_sig_1433_135_sqlr {
 		description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
 		author = "Florian Roth"
 		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
 		date = "2015/03/30"
 		score = 70
 		hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
@@ -836,3 +837,71 @@ rule CN_Toolset_sig_1433_135_sqlr {
 	condition:
 		all of them
 }
+rule CN_Toolset__XScanLib_XScanLib_XScanLib {
+	meta:
+		description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
+		author = "Florian Roth"
+		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
+		date = "2015/03/30"
+		score = 70
+		super_rule = 1
+		hash0 = "af419603ac28257134e39683419966ab3d600ed2"
+		hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
+		hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
+	strings:
+		$s1 = "Plug-in thread causes an exception, failed to alert user." fullword
+		$s2 = "PlugGetUdpPort" fullword
+		$s3 = "XScanLib.dll" fullword
+		$s4 = "PlugGetTcpPort" fullword
+		$s11 = "PlugGetVulnNum" fullword
+	condition:
+		all of them
+}
+rule CN_Toolset_NTscan_PipeCmd {
+	meta:
+		description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
+		author = "Florian Roth"
+		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
+		date = "2015/03/30"
+		score = 70
+		hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
+	strings:
+		$s2 = "Please Use NTCmd.exe Run This Program." fullword ascii
+		$s3 = "PipeCmd.exe" fullword wide
+		$s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii
+		$s5 = "%s\\pipe\\%s%s%d" fullword ascii
+		$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
+		$s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii
+		$s9 = "PipeCmdSrv.exe" fullword ascii
+		$s10 = "This is a service executable! Couldn't start directly." fullword ascii
+		$s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii
+		$s14 = "PIPECMDSRV" fullword wide
+		$s15 = "PipeCmd Service" fullword ascii
+	condition:
+		4 of them
+}
+rule CN_Toolset_LScanPortss_2 {
+	meta:
+		description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
+		author = "Florian Roth"
+		reference = "http://qiannao.com/ls/905300366/33834c0c/"
+		reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
+		date = "2015/03/30"
+		score = 70
+		hash = "4631ec57756466072d83d49fbc14105e230631a0"
+	strings:
+		$s1 = "LScanPort.EXE" fullword wide
+		$s3 = "www.honker8.com" fullword wide
+		$s4 = "DefaultPort.lst" fullword ascii
+		$s5 = "Scan over.Used %dms!" fullword ascii
+		$s6 = "www.hf110.com" fullword wide
+		$s15 = "LScanPort Microsoft " fullword wide
+		$s18 = "L-ScanPort2.0 CooFly" fullword wide
+	condition:
+		4 of them
+}