Skip to content

R
rules
Commit 836d7f74 by j0sm1
Options

New classification 

New malware rules classification
parent 0e5f4909
Showing with 4828 additions and 0 deletions
malware/APT3102.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT3102Code : APT3102 Family
{
meta:
description = "3102 code features"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
condition:
any of them
}
rule APT3102Strings : APT3102 Family
{
meta:
description = "3102 Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$ = "rundll32_exec.dll\x00Update"
// this is in the encrypted code - shares with 9002 variant
//$ = "POST http://%ls:%d/%x HTTP/1.1"
condition:
any of them
}
malware/APT9002.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT9002Code : APT9002 Family
{
meta:
description = "9002 code features"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
// start code block
$ = { B9 7A 21 00 00 BE ?? ?? ?? ?? 8B F8 ?? ?? ?? F3 A5 }
// decryption from other variant with multiple start threads
$ = { 8A 14 3E 8A 1C 01 32 DA 88 1C 01 8B 54 3E 04 40 3B C2 72 EC }
condition:
any of them
}
rule APT9002Strings : APT9002 Family
{
meta:
description = "9002 Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$ = "POST http://%ls:%d/%x HTTP/1.1"
$ = "%%TEMP%%\\%s_p.ax" wide ascii
$ = "%TEMP%\\uid.ax" wide ascii
$ = "%%TEMP%%\\%s.ax" wide ascii
// also triggers on surtr $ = "mydll.dll\x00DoWork"
$ = "sysinfo\x00sysbin01"
$ = "\\FlashUpdate.exe"
condition:
any of them
}
rule APT9002 : Family
{
meta:
description = "9002"
author = "Seth Hardy"
last_modified = "2014-06-25"
condition:
APT9002Code or APT9002Strings
}
malware/APT_Careto.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Careto_SGH {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto SGH component signature"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
strings:
$m1 = "PGPsdkDriver" ascii wide fullword
$m2 = "jpeg1x32" ascii wide fullword
$m3 = "SkypeIE6Plugin" ascii wide fullword
$m4 = "CDllUninstall" ascii wide fullword
condition:
2 of them
}
rule Careto_OSX_SBD {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto OSX component signature"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
strings:
/* XORed "/dev/null strdup() setuid(geteuid())" */
$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
condition:
all of them
}
rule Careto_CnC {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto CnC communication signature"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
strings:
$1 = "cgi-bin/commcgi.cgi" ascii wide
$2 = "Group" ascii wide
$3 = "Install" ascii wide
$4 = "Bn" ascii wide
condition:
all of them
}
rule Careto_CnC_domains {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto known command and control domains"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
strings:
$1 = "linkconf.net" ascii wide nocase
$2 = "redirserver.net" ascii wide nocase
$3 = "swupdt.com" ascii wide nocase
condition:
any of them
}
malware/APT_DeputyDog_Fexel.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT_DeputyDog_Fexel
{
meta:
author = "ThreatConnect Intelligence Research Team"
strings:
$180 = "180.150.228.102" wide ascii
$0808cmd = {25 30 38 78 30 38 78 00 5C 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 [2-6] 43 00 61 00 6E 00 27 00 74 00 20 00 6F 00 70 00 65 00 6E 00 20 00 73 00 68 00 65 00 6C 00 6C 00 21}
$cUp = "Upload failed! [Remote error code:" nocase wide ascii
$DGGYDSYRL = {00 44 47 47 59 44 53 59 52 4C 00}
$GDGSYDLYR = "GDGSYDLYR_%" wide ascii
condition:
any of them
}
malware/APT_Hellsing.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule apt_hellsing_implantstrings : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing implants"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$a1="the file uploaded failed !"
$a2="ping 127.0.0.1"
$b1="the file downloaded failed !"
$b2="common.asp"
$c="xweber_server.exe"
$d="action="
$debugpath1="d:\\Hellsing\\release\\msger\\" nocase
$debugpath2="d:\\hellsing\\sys\\xrat\\" nocase
$debugpath3="D:\\Hellsing\\release\\exe\\" nocase
$debugpath4="d:\\hellsing\\sys\\xkat\\" nocase
$debugpath5="e:\\Hellsing\\release\\clare" nocase
$debugpath6="e:\\Hellsing\\release\\irene\\" nocase
$debugpath7="d:\\hellsing\\sys\\irene\\" nocase
$e="msger_server.dll"
$f="ServiceMain"
condition:
($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
}
rule apt_hellsing_installer : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing xweber/msger installers"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
$a1="xweber_install_uac.exe"
$a2="system32\\cmd.exe" wide
$a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
$a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
$a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
$a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
$a10="%SystemRoot%\\system32\\cmd.exe" wide
$a11="msger_install.dll"
$a12={00 65 78 2E 64 6C 6C 00}
condition:
($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
}
rule apt_hellsing_proxytool : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing proxy testing tool"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$a1="PROXY_INFO: automatic proxy url => %s "
$a2="PROXY_INFO: connection type => %d "
$a3="PROXY_INFO: proxy server => %s "
$a4="PROXY_INFO: bypass list => %s "
$a5="InternetQueryOption failed with GetLastError() %d"
$a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
condition:
($mz at 0) and (2 of ($a*)) and filesize < 300000
}
rule apt_hellsing_xkat : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing xKat tool"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$a1="\\Dbgv.sys"
$a2="XKAT_BIN"
$a3="release sys file error."
$a4="driver_load error. "
$a5="driver_create error."
$a6="delete file:%s error."
$a7="delete file:%s ok."
$a8="kill pid:%d error."
$a9="kill pid:%d ok."
$a10="-pid-delete"
$a11="kill and delete pid:%d error."
$a12="kill and delete pid:%d ok."
condition:
($mz at 0) and (6 of ($a*)) and filesize < 300000
}
rule apt_hellsing_msgertype2 : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing msger type 2 implants"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$a1="%s\\system\\%d.txt"
$a2="_msger"
$a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
$a4="http://%s/data/%s.1000001000"
$a5="/lib/common.asp?action=user_upload&file="
$a6="%02X-%02X-%02X-%02X-%02X-%02X"
condition:
($mz at 0) and (4 of ($a*)) and filesize < 500000
}
rule apt_hellsing_irene : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing msger irene installer"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$a1="\\Drivers\\usbmgr.tmp" wide
$a2="\\Drivers\\usbmgr.sys" wide
$a3="common_loadDriver CreateFile error! "
$a4="common_loadDriver StartService error && GetLastError():%d! "
$a5="irene" wide
$a6="aPLib v0.43 - the smaller the better"
condition:
($mz at 0) and (4 of ($a*)) and filesize < 500000
}
malware/APT_Hikit.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT_Hikit_msrv
{
meta:
author = "ThreatConnect Intelligence Research Team"
strings:
$m = {6D 73 72 76 2E 64 6C 6C 00 44 6C 6C}
condition:
any of them
}
malware/APT_Kaba.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule rtf_Kaba_jDoe
{
meta:
author = "@patrickrolsen"
maltype = "APT.Kaba"
filetype = "RTF"
version = "0.1"
description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
date = "2013-12-10"
strings:
$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
$author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
$author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
$string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
condition:
($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
}
malware/APT_Mongall.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Backdoor_APT_Mongal
{
meta:
author = "@patrickrolsen"
maltype = "Backdoor.APT.Mongall"
version = "0.1"
reference = "fd69a799e21ccb308531ce6056944842"
date = "01/04/2014"
strings:
$author = "author user"
$title = "title Vjkygdjdtyuj" nocase
$comp = "company ooo"
$cretime = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10"
$passwd = "password 00000000"
condition:
all of them
}
rule MongalCode : Mongal Family
{
meta:
description = "Mongal code features"
author = "Seth Hardy"
last_modified = "2014-07-15"
strings:
// gettickcount value checking
$ = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }
condition:
any of them
}
rule MongalStrings : Mongal Family
{
meta:
description = "Mongal Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-15"
strings:
$ = "NSCortr.dll"
$ = "NSCortr1.dll"
$ = "Sina.exe"
condition:
any of them
}
rule Mongal : Family
{
meta:
description = "Mongal"
author = "Seth Hardy"
last_modified = "2014-07-15"
condition:
MongalCode or MongalStrings
}
malware/APT_NGO_wuaclt.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT_NGO_wuaclt
{
meta:
author = "AlienVault Labs"
strings:
$a = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat"
$b = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
$c = "/news/show.asp?id%d=%d"
$d = "%%APPDATA%%\\Microsoft\\wuauclt\\"
$e = "0l23kj@nboxu"
$f = "%%s.asp?id=%%d&Sid=%%d"
$g = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)"
$h = "Cookies: UseID=KGIOODAOOK%%s"
condition:
($a and $b and $c) or ($d and $e) or ($f and $g and $h)
}
rule APT_NGO_wuaclt_PDF
{
meta:
author = "AlienVault Labs"
strings:
$pdf = "%PDF" nocase
$comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A}
condition:
$pdf at 0 and $comment in (0..200)
}
malware/APT_OPCleaver.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule ZhoupinExploitCrew
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "zhoupin exploit crew" nocase
$s2 = "zhopin exploit crew" nocase
condition:
1 of them
}
rule BackDoorLogger
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "BackDoorLogger"
$s2 = "zhuAddress"
condition:
all of them
}
rule Jasus
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "pcap_dump_open"
$s2 = "Resolving IPs to poison..."
$s3 = "WARNNING: Gateway IP can not be found"
condition:
all of them
}
rule LoggerModule
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "%s-%02d%02d%02d%02d%02d.r"
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
condition:
all of them
}
rule NetC
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "NetC.exe" wide
$s2 = "Net Service"
condition:
all of them
}
rule ShellCreator2
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "ShellCreator2.Properties"
$s2 = "set_IV"
condition:
all of them
}
rule SmartCopy2
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "SmartCopy2.Properties"
$s2 = "ZhuFrameWork"
condition:
all of them
}
rule SynFlooder
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
$s2 = "your target's IP is : %s"
$s3 = "Raw TCP Socket Created successfully."
condition:
all of them
}
rule TinyZBot
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "NetScp" wide
$s2 = "TinyZBot.Properties.Resources.resources"
$s3 = "Aoao WaterMark"
$s4 = "Run_a_exe"
$s5 = "netscp.exe"
$s6 = "get_MainModule_WebReference_DefaultWS"
$s7 = "remove_CheckFileMD5Completed"
$s8 = "http://tempuri.org/"
$s9 = "Zhoupin_Cleaver"
condition:
($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
}
rule antivirusdetector
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "getShadyProcess"
$s2 = "getSystemAntiviruses"
$s3 = "AntiVirusDetector"
condition:
all of them
}
rule csext
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "COM+ System Extentions"
$s2 = "csext.exe"
$s3 = "COM_Extentions_bin"
condition:
all of them
}
rule kagent
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "kill command is in last machine, going back"
$s2 = "message data length in B64: %d Bytes"
condition:
all of them
}
rule mimikatzWrapper
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "mimikatzWrapper"
$s2 = "get_mimikatz"
condition:
all of them
}
rule pvz_in
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
condition:
all of them
}
rule pvz_out
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "Network Connectivity Module" wide
$s2 = "OSPPSVC" wide
condition:
all of them
}
rule wndTest
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "[Alt]" wide
$s2 = "<< %s >>:" wide
$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
condition:
all of them
}
rule zhCat
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "zhCat -l -h -tp 1234"
$s2 = "ABC ( A Big Company )" wide
condition:
all of them
}
rule zhLookUp
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "zhLookUp.Properties"
condition:
all of them
}
rule zhmimikatz
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "MimikatzRunner"
$s2 = "zhmimikatz"
condition:
all of them
}
rule Zh0uSh311
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "Zh0uSh311"
condition:
all of them
}
malware/APT_c16.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule apt_c16_win_memory_pcclient
{
meta:
author = "@dragonthreatlab "
md5 = "ec532bbe9d0882d403473102e9724557"
description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
strings:
$str1 = "Kill You" ascii
$str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
$str3 = "%4.2f KB" ascii
$encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}
condition:
all of them
}
rule apt_c16_win_disk_pcclient
{
meta:
author = "@dragonthreatlab "
md5 = "55f84d88d84c221437cd23cdbc541d2e"
description = "Encoded version of pcclient found on disk"
strings:
$header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06}
condition:
$header at 0
}
rule apt_c16_win32_dropper
{
meta:
author = "@dragonthreatlab"
md5 = "ad17eff26994df824be36db246c8fb6a"
description = "APT malware used to drop PcClient RAT"
strings:
$mz = {4D 5A}
$str1 = "clbcaiq.dll" ascii
$str2 = "profapi_104" ascii
$str3 = "/ShowWU" ascii
$str4 = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii
$str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E}
condition:
$mz at 0 and all of ($str*)
}
rule apt_c16_win_swisyn
{
meta:
author = "@dragonthreatlab"
md5 = "a6a18c846e5179259eba9de238f67e41"
description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
strings:
$mz = {4D 5A}
$str1 = "/ShowWU" ascii
$str2 = "IsWow64Process"
$str3 = "regsvr32 "
$str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}
condition:
$mz at 0 and all of ($str*)
}
rule apt_c16_win_wateringhole
{
meta:
author = "@dragonthreatlab "
description = "Detects code from APT wateringhole"
strings:
$str1 = "function runmumaa()"
$str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
$str3 = "function MoSaklgEs7(k)"
condition:
any of ($str*)
}
malware/APT_pcclient.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule backdoor_apt_pcclient
{
meta:
author = "@patrickrolsen"
maltype = "APT.PCCLient"
filetype = "DLL"
version = "0.1"
description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
date = "2012-10"
strings:
$magic = { 4d 5a } // MZ
$string1 = "www.micro1.zyns.com"
$string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
$string3 = "msacm32.drv" wide
$string4 = "C:\\Windows\\Explorer.exe" wide
$string5 = "Elevation:Administrator!" wide
$string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
condition:
$magic at 0 and 4 of ($string*)
}
malware/Android_Malware.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Android_Malware : iBanking
{
meta:
author = "Xylitol xylitol@malwareint.com"
date = "2014-02-14"
description = "Match first two bytes, files and string present in iBanking"
reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"
strings:
// Generic android
$pk = {50 4B}
$file1 = "AndroidManifest.xml"
// iBanking related
$file2 = "res/drawable-xxhdpi/ok_btn.jpg"
$string1 = "bot_id"
$string2 = "type_password2"
condition:
($pk at 0 and 2 of ($file*) and ($string1 or $string2))
}
malware/Anthem_DeepPanda.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
/* Anthem Deep Panda APT */
rule Anthem_DeepPanda_sl_txt_packed {
meta:
description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
author = "Florian Roth"
date = "2015/02/08"
hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
strings:
$s0 = "Command line port scanner" fullword wide
$s1 = "sl.exe" fullword wide
$s2 = "CPports.txt" fullword ascii
$s3 = ",GET / HTTP/.}" fullword ascii
$s4 = "Foundstone Inc." fullword wide
$s9 = " 2002 Foundstone Inc." fullword wide
$s15 = ", Inc. 2002" fullword ascii
$s20 = "ICMP Time" fullword ascii
condition:
all of them
}
rule Anthem_DeepPanda_lot1 {
meta:
description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
author = "Florian Roth"
date = "2015/02/08"
hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
strings:
$s0 = "Unable to open target process: %d, pid %d" fullword ascii
$s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
$s2 = "Target: Failed to load SAM functions." fullword ascii
$s5 = "Error writing the test file %s, skipping this share" fullword ascii
$s6 = "Failed to create service (%s/%s), error %d" fullword ascii
$s8 = "Service start failed: %d (%s/%s)" fullword ascii
$s12 = "PwDump.exe" fullword ascii
$s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
$s14 = ":\\\\.\\pipe\\%s" fullword ascii
$s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
$s16 = "dump logon session" fullword ascii
$s17 = "Timed out waiting to get our pipe back" fullword ascii
$s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
$s20 = "%s\\%s.exe" fullword ascii
condition:
10 of them
}
rule Anthem_DeepPanda_htran_exe {
meta:
description = "Anthem Hack Deep Panda - htran-exe"
author = "Florian Roth"
date = "2015/02/08"
hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
strings:
$s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
$s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" fullword ascii
$s3 = "[SERVER]connection to %s:%d error" fullword ascii
$s4 = "-tran <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s5 = "[-] ERROR: Must supply logfile name." fullword ascii
$s6 = "[-] There is a error...Create a new connection." fullword ascii
$s7 = "[+] Accept a Client on port %d from %s" fullword ascii
$s8 = "======================== htran V%s =======================" fullword ascii
$s9 = "[-] Socket Listen error." fullword ascii
$s10 = "[-] ERROR: open logfile" fullword ascii
$s11 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s12 = "[+] Make a Connection to %s:%d ......" fullword ascii
$s14 = "Recv %5d bytes from %s:%d" fullword ascii
$s15 = "[+] OK! I Closed The Two Socket." fullword ascii
$s16 = "[+] Waiting another Client on port:%d...." fullword ascii
$s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii
$s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
condition:
10 of them
}
rule Anthem_DeepPanda_Trojan_Kakfum {
meta:
description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
author = "Florian Roth"
date = "2015/02/08"
hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
strings:
$s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
$s1 = "%s\\sqlsrv32.dll" fullword ascii
$s2 = "%s\\sqlsrv64.dll" fullword ascii
$s3 = "%s\\%d.tmp" fullword ascii
$s4 = "ServiceMaix" fullword ascii
$s15 = "sqlserver" fullword ascii
condition:
all of them
}
malware/Babar.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule SNOWGLOBE_Babar_Malware {
meta:
description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
author = "Florian Roth"
reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
date = "2015/02/18"
hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
score = 80
strings:
$mz = { 4d 5a }
$z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
$z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
$z2 = "ExecQueryFailled!" fullword ascii
$z3 = "NBOT_COMMAND_LINE" fullword
$z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
$s1 = "/s /n %s \"%s\"" fullword ascii
$s2 = "%%WINDIR%%\\%s\\%s" fullword ascii
$s3 = "/c start /wait " fullword ascii
$s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii
$x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
$x2 = "%COMMON_APPDATA%" fullword ascii
$x4 = "CONOUT$" fullword ascii
$x5 = "cmd.exe" fullword ascii
$x6 = "DLLPATH" fullword ascii
condition:
( $mz at 0 ) and filesize < 1MB and
(
( 1 of ($z*) and 1 of ($x*) ) or
( 3 of ($s*) and 4 of ($x*) )
)
}
malware/Bangat.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule BangatCode : Bangat Family
{
meta:
description = "Bangat code features"
author = "Seth Hardy"
last_modified = "2014-07-10"
strings:
// dec [ebp + procname], push eax, push edx, call get procaddress
$ = { FE 4D ?? 8D 4? ?? 50 5? FF }
condition:
any of them
}
rule BangatStrings : Bangat Family
{
meta:
description = "Bangat Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-10"
strings:
$lib1 = "DreatePipe"
$lib2 = "HetSystemDirectoryA"
$lib3 = "SeleaseMutex"
$lib4 = "DloseWindowStation"
$lib5 = "DontrolService"
$file = "~hhC2F~.tmp"
$mc = "~_MC_3~"
condition:
all of ($lib*) or $file or $mc
}
rule Bangat : Family
{
meta:
description = "Bangat"
author = "Seth Hardy"
last_modified = "2014-07-10"
condition:
BangatCode or BangatStrings
}
malware/BlackEnergy.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule BlackEnergy_BE_2 {
meta:
description = "Detects BlackEnergy 2 Malware"
author = "Florian Roth"
reference = "http://goo.gl/DThzLz"
date = "2015/02/19"
hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
strings:
$mz = { 4d 5a }
$s0 = "<description> Windows system utility service </description>" fullword ascii
$s1 = "WindowsSysUtility - Unicode" fullword wide
$s2 = "msiexec.exe" fullword wide
$s3 = "WinHelpW" fullword ascii
$s4 = "ReadProcessMemory" fullword ascii
condition:
( $mz at 0 ) and filesize < 250KB and all of ($s*)
}
malware/BlackShades.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule BlackShades_3 : Trojan
{
meta:
description = "BlackShades RAT"
author = "botherder https://github.com/botherder"
strings:
$mod1 = /(m)odAPI/
$mod2 = /(m)odAudio/
$mod3 = /(m)odBtKiller/
$mod4 = /(m)odCrypt/
$mod5 = /(m)odFuctions/
$mod6 = /(m)odHijack/
$mod7 = /(m)odICallBack/
$mod8 = /(m)odIInet/
$mod9 = /(m)odInfect/
$mod10 = /(m)odInjPE/
$mod11 = /(m)odLaunchWeb/
$mod12 = /(m)odOS/
$mod13 = /(m)odPWs/
$mod14 = /(m)odRegistry/
$mod15 = /(m)odScreencap/
$mod16 = /(m)odSniff/
$mod17 = /(m)odSocketMaster/
$mod18 = /(m)odSpread/
$mod19 = /(m)odSqueezer/
$mod20 = /(m)odSS/
$mod21 = /(m)odTorrentSeed/
$tmr1 = /(t)mrAlarms/
$tmr2 = /(t)mrAlive/
$tmr3 = /(t)mrAnslut/
$tmr4 = /(t)mrAudio/
$tmr5 = /(t)mrBlink/
$tmr6 = /(t)mrCheck/
$tmr7 = /(t)mrCountdown/
$tmr8 = /(t)mrCrazy/
$tmr9 = /(t)mrDOS/
$tmr10 = /(t)mrDoWork/
$tmr11 = /(t)mrFocus/
$tmr12 = /(t)mrGrabber/
$tmr13 = /(t)mrInaktivitet/
$tmr14 = /(t)mrInfoTO/
$tmr15 = /(t)mrIntervalUpdate/
$tmr16 = /(t)mrLiveLogger/
$tmr17 = /(t)mrPersistant/
$tmr18 = /(t)mrScreenshot/
$tmr19 = /(t)mrSpara/
$tmr20 = /(t)mrSprid/
$tmr21 = /(t)mrTCP/
$tmr22 = /(t)mrUDP/
$tmr23 = /(t)mrWebHide/
condition:
10 of ($mod*) or 10 of ($tmr*)
}
rule BlackShades2 : Trojan
{
meta:
author="Kevin Falcoz"
date="26/06/2013"
description="BlackShades Server"
strings:
$signature1={62 73 73 5F 73 65 72 76 65 72}
$signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}
$signature3={6D 6F 64 49 6E 6A 50 45}
condition:
$signature1 and $signature2 and $signature3
}
rule BlackShades_4 : rat
{
meta:
description = "BlackShades"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-01-12"
filetype = "memory"
version = "1.0"
strings:
$a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
$b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
$c = { 62 73 73 5F 73 65 72 76 65 72 }
$d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
$e = { 6D 6F 64 49 6E 6A 50 45 }
$apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"
condition:
any of ($a, $b, $c, $d, $e) or $apikey
}
rule BlackShades : Trojan
{
meta:
author="Kevin Falcoz"
date="26/06/2013"
description="BlackShades Server"
strings:
$signature1={62 73 73 5F 73 65 72 76 65 72}
$signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}
$signature3={6D 6F 64 49 6E 6A 50 45}
condition:
$signature1 and $signature2 and $signature3
}
malware/Bolonyokte.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Bolonyokte : rat
{
meta:
description = "UnknownDotNet RAT - Bolonyokte"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-02-01"
filetype = "memory"
version = "1.0"
strings:
$campaign1 = "Bolonyokte" ascii wide
$campaign2 = "donadoni" ascii wide
$decoy1 = "nyse.com" ascii wide
$decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
$decoy3 = "bf13-5d45cb40" ascii wide
$artifact1 = "Backup.zip" ascii wide
$artifact2 = "updates.txt" ascii wide
$artifact3 = "vdirs.dat" ascii wide
$artifact4 = "default.dat"
$artifact5 = "index.html"
$artifact6 = "mime.dat"
$func1 = "FtpUrl"
$func2 = "ScreenCapture"
$func3 = "CaptureMouse"
$func4 = "UploadFile"
$ebanking1 = "Internet Banking" wide
$ebanking2 = "(Online Banking)|(Online banking)"
$ebanking3 = "(e-banking)|(e-Banking)" nocase
$ebanking4 = "login"
$ebanking5 = "en ligne" wide
$ebanking6 = "bancaires" wide
$ebanking7 = "(eBanking)|(Ebanking)" wide
$ebanking8 = "Anmeldung" wide
$ebanking9 = "internet banking" nocase wide
$ebanking10 = "Banking Online" nocase wide
$ebanking11 = "Web Banking" wide
$ebanking12 = "Power"
condition:
any of ($campaign*) or 2 of ($decoy*) or 2 of ($artifact*) or all of ($func*) or 3 of ($ebanking*)
}
malware/Boouset.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule BoousetCode : Boouset Family
{
meta:
description = "Boouset code tricks"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
condition:
any of them
}
malware/Bublik_downloader.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Bublik : Downloader
{
meta:
author="Kevin Falcoz"
date="29/09/2013"
description="Bublik Trojan Downloader"
strings:
$signature1={63 6F 6E 73 6F 6C 61 73}
$signature2={63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69}
condition:
$signature1 and $signature2
}
malware/Casper.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Casper_Backdoor_x86 {
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
author = "Florian Roth"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/05"
hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
score = 80
strings:
$s1 = "\"svchost.exe\"" fullword wide
$s2 = "firefox.exe" fullword ascii
$s3 = "\"Host Process for Windows Services\"" fullword wide
$x1 = "\\Users\\*" fullword ascii
$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$x4 = "\\Documents and Settings\\*" fullword ascii
$y1 = "%s; %S=%S" fullword wide
$y2 = "%s; %s=%s" fullword ascii
$y3 = "Cookie: %s=%s" fullword ascii
$y4 = "http://%S:%d" fullword wide
$z1 = "http://google.com/" fullword ascii
$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
$z3 = "Operating System\"" fullword wide
condition:
( all of ($s*) ) or
( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
}
rule Casper_EXE_Dropper {
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
author = "Florian Roth"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/05"
hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
score = 80
strings:
$s0 = "<Command>" fullword ascii
$s1 = "</Command>" fullword ascii
$s2 = "\" /d \"" fullword ascii
$s4 = "'%s' %s" fullword ascii
$s5 = "nKERNEL32.DLL" fullword wide
$s6 = "@ReturnValue" fullword wide
$s7 = "ID: 0x%x" fullword ascii
$s8 = "Name: %S" fullword ascii
condition:
7 of them
}
rule Casper_Included_Strings {
meta:
description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
author = "Florian Roth"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 50
strings:
$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
$a1 = "& SYSTEMINFO) ELSE EXIT"
$mz = { 4d 5a }
$c1 = "domcommon.exe" wide fullword // File Name
$c2 = "jpic.gov.sy" fullword // C2 Server
$c3 = "aiomgr.exe" wide fullword // File Name
$c4 = "perfaudio.dat" fullword // Temp File Name
$c5 = "Casper_DLL.dll" fullword // Name
$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
$c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
condition:
all of ($a*) or
( $mz at 0 ) and ( 1 of ($c*) )
}
rule Casper_SystemInformation_Output {
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
author = "Florian Roth"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
strings:
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
$a3 = "Firewall: "
$a4 = "***** EXECUTION CONTEXT ******"
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}
malware/Cerberus.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Cerberus : rat
{
meta:
description = "Cerberus"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-01-12"
filetype = "memory"
version = "1.0"
strings:
$checkin = "Ypmw1Syv023QZD"
$clientpong = "wZ2pla"
$serverping = "wBmpf3Pb7RJe"
$generic = "cerberus" nocase
condition:
any of them
}
malware/Cookies.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule CookiesStrings : Cookies Family
{
meta:
description = "Cookies Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-20"
strings:
$zip1 = "ntdll.exePK"
$zip2 = "AcroRd32.exePK"
$zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
$zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
$exe1 = "Leave GetCommand!"
$exe2 = "perform exe success!"
$exe3 = "perform exe failure!"
$exe4 = "Entry SendCommandReq!"
$exe5 = "Reqfile not exist!"
$exe6 = "LeaveDealUpfile!"
$exe7 = "Entry PostData!"
$exe8 = "Leave PostFile!"
$exe9 = "Entry PostFile!"
$exe10 = "\\unknow.zip" wide ascii
$exe11 = "the url no respon!"
condition:
(2 of ($zip*)) or (2 of ($exe*))
}
rule Cookies : Family
{
meta:
description = "Cookies"
author = "Seth Hardy"
last_modified = "2014-06-20"
condition:
CookiesStrings
}
malware/DarkComet.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule DarkComet_2
{
meta:
description = "DarkComet RAT"
author = "botherder https://github.com/botherder"
strings:
$bot1 = /(#)BOT#OpenUrl/ wide ascii
$bot2 = /(#)BOT#Ping/ wide ascii
$bot3 = /(#)BOT#RunPrompt/ wide ascii
$bot4 = /(#)BOT#SvrUninstall/ wide ascii
$bot5 = /(#)BOT#URLDownload/ wide ascii
$bot6 = /(#)BOT#URLUpdate/ wide ascii
$bot7 = /(#)BOT#VisitUrl/ wide ascii
$bot8 = /(#)BOT#CloseServer/ wide ascii
$ddos1 = /(D)DOSHTTPFLOOD/ wide ascii
$ddos2 = /(D)DOSSYNFLOOD/ wide ascii
$ddos3 = /(D)DOSUDPFLOOD/ wide ascii
$keylogger1 = /(A)ctiveOnlineKeylogger/ wide ascii
$keylogger2 = /(U)nActiveOnlineKeylogger/ wide ascii
$keylogger3 = /(A)ctiveOfflineKeylogger/ wide ascii
$keylogger4 = /(U)nActiveOfflineKeylogger/ wide ascii
$shell1 = /(A)CTIVEREMOTESHELL/ wide ascii
$shell2 = /(S)UBMREMOTESHELL/ wide ascii
$shell3 = /(K)ILLREMOTESHELL/ wide ascii
condition:
4 of ($bot*) or all of ($ddos*) or all of ($keylogger*) or all of ($shell*)
}
rule DarkComet : rat
{
meta:
description = "DarkComet"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-01-12"
filetype = "memory"
version = "1.0"
strings:
$a = "#BEGIN DARKCOMET DATA --"
$b = "#EOF DARKCOMET DATA --"
$c = "DC_MUTEX-"
$k1 = "#KCMDDC5#-890"
$k2 = "#KCMDDC51#-890"
condition:
any of them
}
malware/Derusbi.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Trojan_Derusbi {
meta:
Author = "RSA_IR"
Date = "4Sept13"
File = "derusbi_variants v 1.3"
MD5 = " c0d4c5b669cc5b51862db37e972d31ec "
strings:
$b1 = {8b 15 ?? ?? ?? ?? 8b ce d3 ea 83 c6 ?? 30 90 ?? ?? ?? ?? 40 3b 05 ?? ?? ?? ?? 72 ??}
$b2 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E}
$b3 = {4E E6 40 BB}
$b4 = {B1 19 BF 44}
$b5 = {6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D}
$b6 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E}
$b7 = {D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3}
$b8 = {C3 76 33 9F ?? ?? 00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F}
condition:
2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
}
rule APT_Derusbi_DeepPanda
{
meta:
author = "ThreatConnect Intelligence Research Team"
reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf"
strings:
$D = "Dom4!nUserP4ss" wide ascii
condition:
$D
}
rule APT_Derusbi_Gen
{
meta:
author = "ThreatConnect Intelligence Research Team"
strings:
$2 = "273ce6-b29f-90d618c0" wide ascii
$A = "Ace123dx" fullword wide ascii
$A1 = "Ace123dxl!" fullword wide ascii
$A2 = "Ace123dx!@#x" fullword wide ascii
$C = "/Catelog/login1.asp" wide ascii
$DF = "~DFTMP$$$$$.1" wide ascii
$G = "GET /Query.asp?loginid=" wide ascii
$L = "LoadConfigFromReg failded" wide ascii
$L1 = "LoadConfigFromBuildin success" wide ascii
$ph = "/photoe/photo.asp HTTP" wide ascii
$PO = "POST /photos/photo.asp" wide ascii
$PC = "PCC_IDENT" wide ascii
condition:
any of them
}
malware/Dexter.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Dexter_Malware {
meta:
description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
author = "Florian Roth"
reference = "http://goo.gl/oBvy8b"
date = "2015/02/10"
score = 70
strings:
$s0 = "Java Security Plugin" fullword wide
$s1 = "%s\\%s\\%s.exe" fullword wide
$s2 = "Sun Java Security Plugin" fullword wide
$s3 = "\\Internet Explorer\\iexplore.exe" fullword wide
condition:
all of them
}
malware/Dridex.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Dridex_Trojan_XML {
meta:
description = "Dridex Malware in XML Document"
author = "Florian Roth @4nc4p"
reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
date = "2015/03/08"
hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
strings:
// can be ascii or wide formatted - therefore no restriction
$c_xml = "<?xml version="
$c_word = "<?mso-application progid=\"Word.Document\"?>"
$c_macro = "w:macrosPresent=\"yes\""
$c_binary = "<w:binData w:name="
$c_0_chars = "<o:Characters>0</o:Characters>"
$c_1_line = "<o:Lines>1</o:Lines>"
condition:
all of ($c*)
}
malware/Enfal.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule EnfalCode : Enfal Family
{
meta:
description = "Enfal code tricks"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
// mov al, 20h; sub al, bl; add [ebx+esi], al; push esi; inc ebx; call edi; cmp ebx, eax
$decrypt = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 }
condition:
any of them
}
rule EnfalStrings : Enfal Family
{
meta:
description = "Enfal Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
$ = "e:\\programs\\LuridDownLoader"
$ = "LuridDownloader for Falcon"
$ = "DllServiceTrojan"
$ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
$ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
$ = "Madonna\x00Jesus"
$ = "/iupw82/netstate"
$ = "fuckNodAgain"
$ = "iloudermao"
$ = "Crpq2.cgi"
$ = "Clnpp5.cgi"
$ = "Dqpq3ll.cgi"
$ = "dieosn83.cgi"
$ = "Rwpq1.cgi"
$ = "/Ccmwhite"
$ = "/Cmwhite"
$ = "/Crpwhite"
$ = "/Dfwhite"
$ = "/Query.txt"
$ = "/Ufwhite"
$ = "/cgl-bin/Clnpp5.cgi"
$ = "/cgl-bin/Crpq2.cgi"
$ = "/cgl-bin/Dwpq3ll.cgi"
$ = "/cgl-bin/Owpq4.cgi"
$ = "/cgl-bin/Rwpq1.cgi"
$ = "/trandocs/mm/"
$ = "/trandocs/netstat"
$ = "NFal.exe"
$ = "LINLINVMAN"
$ = "7NFP4R9W"
condition:
any of them
}
rule Enfal : Family
{
meta:
description = "Enfal"
author = "Seth Hardy"
last_modified = "2014-06-19"
condition:
EnfalCode or EnfalStrings
}
rule Enfal_Malware {
meta:
description = "Detects a certain type of Enfal Malware"
author = "Florian Roth"
reference = "not set"
date = "2015/02/10"
hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16"
score = 60
strings:
$s0 = "POWERPNT.exe" fullword ascii
$s1 = "%APPDATA%\\Microsoft\\Windows\\" fullword ascii
$s2 = "%HOMEPATH%" fullword ascii
$s3 = "Server2008" fullword ascii
$s4 = "Server2003" fullword ascii
$s5 = "Server2003R2" fullword ascii
$s6 = "Server2008R2" fullword ascii
$s9 = "%HOMEDRIVE%" fullword ascii
$s13 = "%ComSpec%" fullword ascii
condition:
all of them
}
rule Enfal_Malware_Backdoor {
meta:
description = "Generic Rule to detect the Enfal Malware"
author = "Florian Roth"
date = "2015/02/10"
super_rule = 1
hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
score = 60
strings:
$mz = { 4d 5a }
$x1 = "Micorsoft Corportation" fullword wide
$x2 = "IM Monnitor Service" fullword wide
$s1 = "imemonsvc.dll" fullword wide
$s2 = "iphlpsvc.tmp" fullword
$z1 = "urlmon" fullword
$z2 = "Registered trademarks and service marks are the property of their respec" wide
$z3 = "XpsUnregisterServer" fullword
$z4 = "XpsRegisterServer" fullword
$z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
condition:
( $mz at 0 ) and
(
1 of ($x*) or
( all of ($s*) and all of ($z*) )
)
}
malware/Ezcob.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule EzcobStrings : Ezcob Family
{
meta:
description = "Ezcob Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-23"
strings:
$ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"
$ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12"
$ = "Ezcob" wide ascii
$ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126"
$ = "20110113144935"
condition:
any of them
}
rule Ezcob : Family
{
meta:
description = "Ezcob"
author = "Seth Hardy"
last_modified = "2014-06-23"
condition:
EzcobStrings
}
malware/F0xy.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule ws_f0xy_downloader {
meta:
description = "f0xy malware downloader"
author = "Nick Griffin (Websense)"
strings:
$mz="MZ"
$string1="bitsadmin /transfer"
$string2="del rm.bat"
$string3="av_list="
condition:
($mz at 0) and (all of ($string*))
}
malware/FakeM.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule HTMLVariant : FakeM Family HTML Variant
{
meta:
description = "Identifier for html variant of FAKEM"
author = "Katie Kleemola"
last_updated = "2014-05-20"
strings:
// decryption loop
$s1 = { 8B 55 08 B9 00 50 00 00 8D 3D ?? ?? ?? 00 8B F7 AD 33 C2 AB 83 E9 04 85 C9 75 F5 }
//mov byte ptr [ebp - x] y, x: 0x10-0x1 y: 0-9,A-F
$s2 = { C6 45 F? (3?|4?) }
condition:
$s1 and #s2 == 16
}
malware/FinSpy.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule FinSpy_2
{
meta:
description = "FinFisher FinSpy"
author = "botherder https://github.com/botherder"
strings:
$password1 = /\/scomma kbd101\.sys/ wide ascii
$password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
$password3 = /\/scomma excel2010\.part/ wide ascii
$password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
$password5 = /\/stab MSVCR32\.manifest/ wide ascii
$password6 = /\/scomma MSN2010\.dll/ wide ascii
$password7 = /\/scomma Firefox\.base/ wide ascii
$password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
$password9 = /\/scomma IE7setup\.sys/ wide ascii
$password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
$password11 = /\/scomma office2007\.cab/ wide ascii
$password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
$password13 = /\/scomma outlook2007\.dll/ wide ascii
$password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
$screenrec1 = /(s)111o00000000\.dat/ wide ascii
$screenrec2 = /(t)111o00000000\.dat/ wide ascii
$screenrec3 = /(f)113o00000000\.dat/ wide ascii
$screenrec4 = /(w)114o00000000\.dat/ wide ascii
$screenrec5 = /(u)112Q00000000\.dat/ wide ascii
$screenrec6 = /(v)112Q00000000\.dat/ wide ascii
$screenrec7 = /(v)112O00000000\.dat/ wide ascii
//$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
//$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
$micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
$skyperec1 = /\[%19s\] %25s\: %s/ wide ascii
$skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
$driver = /\\\\\\\\\.\\\\driverw/ wide ascii
$janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
$janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
$versions1 = /(f)inspyv2/ nocase
$versions2 = /(f)inspyv4/ nocase
$bootkit1 = /(b)ootkit_x32driver/
$bootkit2 = /(b)ootkit_x64driver/
$typo1 = /(S)creenShort Recording/ wide
$mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
condition:
8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
}
rule FinSpy
{
meta:
description = "FinFisher FinSpy"
author = "AlienVault Labs"
strings:
$filter1 = "$password14"
$filter2 = "$screenrec7"
$filter3 = "$micrec"
$filter4 = "$skyperec3"
$filter5 = "$mouserec2"
$filter6 = "$driver"
$filter7 = "$janedow2"
$filter8 = "$bootkit2"
$password1 = /\/scomma kbd101\.sys/ wide ascii
$password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
$password3 = /\/scomma excel2010\.part/ wide ascii
$password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
$password5 = /\/stab MSVCR32\.manifest/ wide ascii
$password6 = /\/scomma MSN2010\.dll/ wide ascii
$password7 = /\/scomma Firefox\.base/ wide ascii
$password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
$password9 = /\/scomma IE7setup\.sys/ wide ascii
$password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
$password11 = /\/scomma office2007\.cab/ wide ascii
$password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
$password13 = /\/scomma outlook2007\.dll/ wide ascii
$password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
$screenrec1 = /(s)111o00000000\.dat/ wide ascii
$screenrec2 = /(t)111o00000000\.dat/ wide ascii
$screenrec3 = /(f)113o00000000\.dat/ wide ascii
$screenrec4 = /(w)114o00000000\.dat/ wide ascii
$screenrec5 = /(u)112Q00000000\.dat/ wide ascii
$screenrec6 = /(v)112Q00000000\.dat/ wide ascii
$screenrec7 = /(v)112O00000000\.dat/ wide ascii
//$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
//$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
$micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
$skyperec1 = /\[%19s\] %25s\: %s/ wide ascii
$skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
//$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
//$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
//$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
$driver = /\\\\\\\\\.\\\\driverw/ wide ascii
$janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
$janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
//$versions1 = /(f)inspyv2/ nocase
//$versions2 = /(f)inspyv4/ nocase
$bootkit1 = /(b)ootkit_x32driver/
$bootkit2 = /(b)ootkit_x64driver/
$typo1 = /(S)creenShort Recording/ wide
$mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
condition:
(8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*)
}
malware/Gh0st.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT_WIN_Gh0st_ver
{
meta:
author = "@BryanNolen"
date = "2012-12"
type = "APT"
version = "1.1"
ref = "Detection of Gh0st RAT server DLL component"
ref1 = "http://www.mcafee.com/au/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf"
strings:
$library = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
$capability = "GetClipboardData"
$capability1 = "capCreateCaptureWindowA"
$capability2 = "CreateRemoteThread"
$capability3 = "WriteProcessMemory"
$capability4 = "LsaRetrievePrivateData"
$capability5 = "AdjustTokenPrivileges"
$function = "ResetSSDT"
$window = "WinSta0\\Default"
$magic = {47 6C 6F 62 61 6C 5C [5-9] 20 25 64} /* $magic = "Gh0st" */
condition:
all of them
}
rule Gh0st
{
meta:
description = "Gh0st"
author = "botherder https://github.com/botherder"
strings:
$ = /(G)host/
$ = /(i)nflate 1\.1\.4 Copyright 1995-2002 Mark Adler/
$ = /(d)eflate 1\.1\.4 Copyright 1995-2002 Jean-loup Gailly/
$ = /(%)s\\shell\\open\\command/
$ = /(G)etClipboardData/
$ = /(W)riteProcessMemory/
$ = /(A)djustTokenPrivileges/
$ = /(W)inSta0\\Default/
$ = /(#)32770/
$ = /(#)32771/
$ = /(#)32772/
$ = /(#)32774/
condition:
all of them
}
rule gh0st
{
meta:
author = "https://github.com/jackcr/"
strings:
$a = { 47 68 30 73 74 ?? ?? ?? ?? ?? ?? ?? ?? 78 9C }
$b = "Gh0st Update"
condition:
any of them
}
malware/Gholee.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule gholeeV1
{
meta:
Author = "@GelosSnake"
Date = "2014/08"
Description = "Gholee first discovered variant "
Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
strings:
$a = "sandbox_avg10_vc9_SP1_2011"
$b = "gholee"
condition:
all of them
}
rule gholeeV2
{
meta:
Author = "@GelosSnake"
Date = "2015-02-12"
Description = "Gholee first discovered variant "
Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
strings:
$string0 = "RichHa"
$string1 = " ((((( H" wide
$string2 = "1$1,141<1D1L1T1\\1d1l1t1"
$string3 = "<8;$O' "
$string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
$string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
$string6 = "urn:schemas-microsoft-com:asm.v1"
$string7 = "8.848H8O8i8s8y8"
$string8 = "wrapper3" wide
$string9 = "pwwwwwwww"
$string10 = "Sunday"
$string11 = "YYuTVWh"
$string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
$string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
$string15 = "wrapper3 Version 1.0" wide
$string16 = "77A779"
$string17 = "<C<G<M<R<X<"
$string18 = "9 9-9N9X9s9"
condition:
18 of them
}
malware/Glasses.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule GlassesCode : Glasses Family
{
meta:
description = "Glasses code features"
author = "Seth Hardy"
last_modified = "2014-07-22"
strings:
$ = { B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8 }
$ = { B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA }
condition:
any of them
}
rule GlassesStrings : Glasses Family
{
meta:
description = "Strings used by Glasses"
author = "Seth Hardy"
last_modified = "2014-07-22"
strings:
$ = "thequickbrownfxjmpsvalzydg"
$ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
$ = "\" target=\"NewRef\"></a>"
condition:
all of them
}
rule Glasses : Family
{
meta:
description = "Glasses family"
author = "Seth Hardy"
last_modified = "2014-07-22"
condition:
GlassesCode or GlassesStrings
}
malware/Grozlex.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Grozlex : Stealer
{
meta:
author="Kevin Falcoz"
date="20/08/2013"
description="Grozlex Stealer - Possible HCStealer"
strings:
$signature={4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E}
condition:
$signature
}
malware/HackTools.yar 0 → 100644
This source diff could not be displayed because it is too large. You can view the blob instead.
malware/IMuler.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule IMulerCode : IMuler Family
{
meta:
description = "IMuler code tricks"
author = "Seth Hardy"
last_modified = "2014-06-16"
strings:
// Load these function strings 4 characters at a time. These check the first two blocks:
$L4_tmpSpotlight = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 53 70 6F }
$L4_TMPAAABBB = { C7 ?? ?? ?? ?? ?? 54 4D 50 41 C7 ?? ?? ?? ?? ?? 41 41 42 42 }
$L4_FILEAGENTVer = { C7 ?? 46 49 4C 45 C7 ?? 04 41 47 45 4E }
$L4_TMP0M34JDF8 = { C7 ?? ?? ?? ?? ?? 54 4D 50 30 C7 ?? ?? ?? ?? ?? 4D 33 34 4A }
$L4_tmpmdworker = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 2E 6D 64 }
condition:
any of ($L4*)
}
rule IMulerStrings : IMuler Family
{
meta:
description = "IMuler Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-16"
strings:
$ = "/cgi-mac/"
$ = "xnocz1"
$ = "checkvir.plist"
$ = "/Users/apple/Documents/mac back"
$ = "iMuler2"
$ = "/Users/imac/Desktop/macback/"
$ = "xntaskz.gz"
$ = "2wmsetstatus.cgi"
$ = "launch-0rp.dat"
$ = "2wmupload.cgi"
$ = "xntmpz"
$ = "2wmrecvdata.cgi"
$ = "xnorz6"
$ = "2wmdelfile.cgi"
$ = "/LanchAgents/checkvir"
$ = "0PERA:%s"
$ = "/tmp/Spotlight"
$ = "/tmp/launch-ICS000"
condition:
any of them
}
rule IMuler : Family
{
meta:
description = "IMuler"
author = "Seth Hardy"
last_modified = "2014-06-16"
condition:
IMulerCode or IMulerStrings
}
malware/Install11.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Insta11Code : Insta11 Family
{
meta:
description = "Insta11 code features"
author = "Seth Hardy"
last_modified = "2014-06-23"
strings:
// jmp $+5; push 423h
$jumpandpush = { E9 00 00 00 00 68 23 04 00 00 }
condition:
any of them
}
rule Insta11Strings : Insta11 Family
{
meta:
description = "Insta11 Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-23"
strings:
$ = "XTALKER7"
$ = "Insta11 Microsoft" wide ascii
$ = "wudMessage"
$ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"
$ = "B12AE898-D056-4378-A844-6D393FE37956"
condition:
any of them
}
rule Insta11 : Family
{
meta:
description = "Insta11"
author = "Seth Hardy"
last_modified = "2014-06-23"
condition:
Insta11Code or Insta11Strings
}
malware/Intel_Virtualization.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Intel_Virtualization_Wizard_exe {
meta:
author = "cabrel@zerklabs.com"
description = "Dynamic DLL abuse executable"
file_1_seen = "2013-05-21"
file_1_sha256 = "7787757ae851f4a162f46f794be1532ab78e1928185212bdab83b3106f28c708"
strings:
$a = {4C 6F 61 64 53 54 52 49 4E 47}
$b = {49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B}
$c = {46 69 6E 64 52 65 73 6F 75 72 63 65 73}
$d = {4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55}
$e = {68 63 63 75 74 69 6C 73 2E 44 4C 4C}
condition:
all of them
}
rule Intel_Virtualization_Wizard_dll {
meta:
author = "cabrel@zerklabs.com"
description = "Dynamic DLL (Malicious)"
file_1_seen = "2013-05-21"
file_1_sha256 = "485ae043b6a5758789f1d33766a26d8b45b9fde09cde0512aa32d4bd1ee04f28"
strings:
$a = {48 3A 5C 46 61 73 74 5C 50 6C 75 67 28 68 6B 63 6D 64 29 5C}
$b = {64 6C 6C 5C 52 65 6C 65 61 73 65 5C 48 69 6A 61 63 6B 44 6C 6C 2E 70 64 62}
condition:
($a and $b) and Intel_Virtualization_Wizard_exe
}
malware/KINS.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule KINS_dropper {
meta:
author = "AlienVault Labs aortega@alienvault.com"
description = "Match protocol, process injects and windows exploit present in KINS dropper"
reference = "http://goo.gl/arPhm3"
strings:
// Network protocol
$n1 = "tid=%d&ta=%s-%x" fullword
$n2 = "fid=%d" fullword
$n3 = "%[^.].%[^(](%[^)])" fullword
// Injects
$i0 = "%s [%s %d] 77 %s"
$i01 = "Global\\%s%x"
$i1 = "Inject::InjectProcessByName()"
$i2 = "Inject::CopyImageToProcess()"
$i3 = "Inject::InjectProcess()"
$i4 = "Inject::InjectImageToProcess()"
$i5 = "Drop::InjectStartThread()"
// UAC bypass
$uac1 = "ExploitMS10_092"
$uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
$uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
condition:
2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
}
rule KINS_DLL_zeus {
meta:
author = "AlienVault Labs aortega@alienvault.com"
description = "Match default bot in KINS leaked dropper, Zeus"
reference = "http://goo.gl/arPhm3"
strings:
// Network protocol
$n1 = "%BOTID%" fullword
$n2 = "%opensocks%" fullword
$n3 = "%openvnc%" fullword
$n4 = /Global\\(s|v)_ev/ fullword
// Crypted strings
$s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
$s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
$s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
$s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
$s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
condition:
all of ($n*) and 1 of ($s*)
}
malware/Kelihos.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule KelihosHlux
{
meta:
author = "@malpush"
maltype = "KelihosHlux"
description = "http://malwared.ru"
date = "22/02/2014"
strings:
$KelihosHlux_HexString = { 73 20 7D 8B FE 95 E4 12 4F 3F 99 3F 6E C8 28 26 C2 41 D9 8F C1 6A 72 A6 CE 36 0F 73 DD 2A 72 B0 CC D1 07 8B 2B 98 73 0E 7E 8C 07 DC 6C 71 63 F4 23 27 DD 17 56 AE AB 1E 30 52 E7 54 51 F7 20 ED C7 2D 4B 72 E0 77 8E B4 D2 A8 0D 8D 6A 64 F9 B7 7B 08 70 8D EF F3 9A 77 F6 0D 88 3A 8F BB C8 89 F5 F8 39 36 BA 0E CB 38 40 BF 39 73 F4 01 DC C1 17 BF C1 76 F6 84 8F BD 87 76 BC 7F 85 41 81 BD C6 3F BC 39 BD C0 89 47 3E 92 BD 80 60 9D 89 15 6A C6 B9 89 37 C4 FF 00 3D 45 38 09 CD 29 00 90 BB B6 38 FD 28 9C 01 39 0E F9 30 A9 66 6B 19 C9 F8 4C 3E B1 C7 CB 1B C9 3A 87 3E 8E 74 E7 71 D1 }
condition:
$KelihosHlux_HexString
}
malware/LURK0.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule LURK0Header : Family LURK0 {
meta:
description = "5 char code for LURK0"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
condition:
any of them
}
rule CCTV0Header : Family CCTV0 {
meta:
description = "5 char code for LURK0"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
//if its just one char a time
$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
// bit hacky but for when samples dont just simply mov 1 char at a time
$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
condition:
any of them
}
rule SharedStrings : Family {
meta:
description = "Internal names found in LURK0/CCTV0 samples"
author = "Katie Kleemola"
last_updated = "07-22-2014"
strings:
// internal names
$i1 = "Butterfly.dll"
$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
$i3 = "ETClientDLL"
// dbx
$d1 = "\\DbxUpdateET\\" wide
$d2 = "\\DbxUpdateBT\\" wide
$d3 = "\\DbxUpdate\\" wide
// other folders
$mc1 = "\\Micet\\"
// embedded file names
$n1 = "IconCacheEt.dat" wide
$n2 = "IconConfigEt.dat" wide
$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
$m2 = "\x00\x00111\x00\x00" wide
$m3 = "\x00\x00ETUN\x00\x00" wide
$m4 = "\x00\x00ER\x00\x00" wide
condition:
any of them //todo: finetune this
}
rule LURK0 : Family LURK0 {
meta:
description = "rule for lurk0"
author = "Katie Kleemola"
last_updated = "07-22-2014"
condition:
LURK0Header and SharedStrings
}
rule CCTV0 : Family CCTV0 {
meta:
description = "rule for cctv0"
author = "Katie Kleemola"
last_updated = "07-22-2014"
condition:
CCTV0Header and SharedStrings
}
malware/Lenovo_superfish.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
/* LENOVO Superfish -------------------------------------------------------- */
rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
meta:
description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
author = "Florian Roth / improved by kbandla"
reference = "https://twitter.com/4nc4p/status/568325493558272000"
date = "2015/02/19"
hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
strings:
$mz = { 4d 5a }
//$s1 = "VisualDiscovery.exe" fullword wide
$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
$s3 = "GetPCProxyHandler" fullword ascii
$s4 = "StartPCProxy" fullword ascii
$s5 = "SetPCProxyHandler" fullword ascii
condition:
( $mz at 0 ) and filesize < 2MB and all of ($s*)
}
malware/Leverage.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule leverage_a
{
meta:
author = "earada@alienvault.com"
version = "1.0"
description = "OSX/Leverage.A"
date = "2013/09"
strings:
$a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
$a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
$a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
$script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
$script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
$script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
$properties = "serverVisible \x00"
condition:
all of them
}
malware/LogPOS.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule LogPOS
{
meta:
author = "Morphick Security"
description = "Detects Versions of LogPOS"
md5 = "af13e7583ed1b27c4ae219e344a37e2b"
strings:
$mailslot = "\\\\.\\mailslot\\LogCC"
$get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
//64A130000000 mov eax, dword ptr fs:[0x30]
//8B400C mov eax, dword ptr [eax + 0xc]
//8B401C mov eax, dword ptr [eax + 0x1c]
//8B4008 mov eax, dword ptr [eax + 8]
$sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
condition:
$sc and 1 of ($mailslot,$get)
}
malware/LostDoor.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule lost_door : Trojan
{
meta:
author="Kevin Falcoz"
date="23/02/2013"
description="Lost Door"
strings:
$signature1={45 44 49 54 5F 53 45 52 56 45 52} /*EDIT_SERVER*/
condition:
$signature1
}
malware/LuckyCat.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule LuckyCatCode : LuckyCat Family
{
meta:
description = "LuckyCat code tricks"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B }
$dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C }
$commonletters = { B? 63 B? 61 B? 73 B? 65 }
condition:
$xordecrypt or ($dll and $commonletters)
}
malware/MacControl.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule MacControlCode : MacControl Family
{
meta:
description = "MacControl code tricks"
author = "Seth Hardy"
last_modified = "2014-06-17"
strings:
// Load these function strings 4 characters at a time. These check the first two blocks:
$L4_Accept = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20 }
$L4_AcceptLang = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C }
$L4_Pragma = { C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20 }
$L4_Connection = { C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69 }
$GEThgif = { C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67 }
condition:
all of ($L4*) or $GEThgif
}
rule MacControlStrings : MacControl Family
{
meta:
description = "MacControl Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-17"
strings:
$ = "HTTPHeadGet"
$ = "/Library/launched"
$ = "My connect error with no ip!"
$ = "Send File is Failed"
$ = "****************************You Have got it!****************************"
condition:
any of them
}
rule MacControl : Family
{
meta:
description = "MacControl"
author = "Seth Hardy"
last_modified = "2014-06-16"
condition:
MacControlCode or MacControlStrings
}
malware/Mirage.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule MirageStrings : Mirage Family
{
meta:
description = "Mirage Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$ = "Neo,welcome to the desert of real." wide ascii
$ = "/result?hl=en&id=%s"
condition:
any of them
}
rule Mirage : Family
{
meta:
description = "Mirage"
author = "Seth Hardy"
last_modified = "2014-06-25"
condition:
MirageStrings
}
malware/Miscelanea_Linux.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule LinuxAESDDoS
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
strings:
$a = "3AES"
$b = "Hacker"
$c = "VERSONEX"
condition:
2 of ($a,$b,$c)
}
rule LinuxBillGates
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429"
strings:
$a= "12CUpdateGates"
$b= "11CUpdateBill"
condition:
$a and $b
}
rule LinuxElknot
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
strings:
$a = "ZN8CUtility7DeCryptEPciPKci"
$b = "ZN13CThreadAttack5StartEP11CCmdMessage"
condition:
$a and $b
}
rule LinuxMrBlack
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
strings:
$a = "Mr.Black"
$b = "VERS0NEX:%s|%d|%d|%s"
condition:
$a and $b
}
rule LinuxTsunami
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
strings:
$a = "PRIVMSG %s :[STD]Hitting %s"
$b = "NOTICE %s :TSUNAMI <target> <secs>"
$c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
condition:
$a or $b or $c
}
malware/Miscelanea_RTF.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule rtf_multiple
{
meta:
author = "@patrickrolsen"
maltype = "Multiple"
version = "0.1"
reference = "fd69a799e21ccb308531ce6056944842"
date = "01/04/2014"
strings:
$rtf = { 7b 5c 72 74 ?? ?? } // {\rt01 {\rtf1 {\rtxa
$string1 = "author user"
$string2 = "title Vjkygdjdtyuj" nocase
$string3 = "company ooo"
$string4 = "password 00000000"
condition:
($rtf at 0) and (all of ($string*))
}
malware/NSFree.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule NSFreeCode : NSFree Family
{
meta:
description = "NSFree code features"
author = "Seth Hardy"
last_modified = "2014-06-24"
strings:
// push vars then look for MZ
$ = { 53 56 57 66 81 38 4D 5A }
// nops then look for PE\0\0
$ = { 90 90 90 90 81 3F 50 45 00 00 }
condition:
all of them
}
rule NSFreeStrings : NSFree Family
{
meta:
description = "NSFree Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-24"
strings:
$ = "\\MicNS\\" nocase
$ = "NSFreeDll" wide ascii
// xor 0x58 dos stub
$ = { 0c 30 31 2b 78 28 2a 37 3f 2a 39 35 78 3b 39 36 36 37 }
condition:
any of them
}
rule NSFree : Family
{
meta:
description = "NSFree"
author = "Seth Hardy"
last_modified = "2014-06-24"
condition:
NSFreeCode or NSFreeStrings
}
malware/Naikon.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule NaikonCode : Naikon Family
{
meta:
description = "Naikon code features"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
// decryption
$ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eah, 1fh
$ = { 35 5A 01 00 00} // xor eax, 15ah
$ = { 81 C2 7F 14 06 00 } // add edx, 6147fh
condition:
all of them
}
rule NaikonStrings : Naikon Family
{
meta:
description = "Naikon Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$ = "NOKIAN95/WEB"
$ = "/tag=info&id=15"
$ = "skg(3)=&3.2d_u1"
$ = "\\Temp\\iExplorer.exe"
$ = "\\Temp\\\"TSG\""
condition:
any of them
}
rule Naikon : Family
{
meta:
description = "Naikon"
author = "Seth Hardy"
last_modified = "2014-06-25"
condition:
NaikonCode or NaikonStrings
}
malware/NetPass.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule NetpassStrings : NetPass Variant {
meta:
description = "Identifiers for netpass variant"
author = "Katie Kleemola"
last_updated = "2014-05-29"
strings:
$exif1 = "Device Protect ApplicatioN" wide
$exif2 = "beep.sys" wide //embedded exe name
$exif3 = "BEEP Driver" wide //embedded exe description
$string1 = "\x00NetPass Update\x00"
$string2 = "\x00%s:DOWNLOAD\x00"
$string3 = "\x00%s:UPDATE\x00"
$string4 = "\x00%s:uNINSTALL\x00"
condition:
all of ($exif*) or any of ($string*)
}
rule NetPass : Variant {
meta:
description = "netpass variant"
author = "Katie Kleemola"
last_updated = "2014-07-08"
condition:
NetpassStrings
}
malware/NetTraveler.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule NetTravStrings : NetTraveler Family {
meta:
description = "Identifiers for NetTraveler DLL"
author = "Katie Kleemola"
last_updated = "2014-05-20"
strings:
//network strings
$ = "?action=updated&hostid="
$ = "travlerbackinfo"
$ = "?action=getcmd&hostid="
$ = "%s?action=gotcmd&hostid="
$ = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext="
//debugging strings
$ = "\x00Method1 Fail!!!!!\x00"
$ = "\x00Method3 Fail!!!!!\x00"
$ = "\x00method currect:\x00"
$ = /\x00\x00[\w\-]+ is Running!\x00\x00/
$ = "\x00OtherTwo\x00"
condition:
any of them
}
rule NetTravExports : NetTraveler Family {
meta:
description = "Export names for dll component"
author = "Katie Kleemola"
last_updated = "2014-05-20"
strings:
//dll component exports
$ = "?InjectDll@@YAHPAUHWND__@@K@Z"
$ = "?UnmapDll@@YAHXZ"
$ = "?g_bSubclassed@@3HA"
condition:
any of them
}
rule NetTraveler : Family {
meta:
description = "Nettravelr"
author = "Katie Kleemola"
last_updated = "2014-07-08"
condition:
NetTravExports or NetTravStrings or NetpassStrings
}
malware/Njrat.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Njrat
{
meta:
description = "Njrat"
author = "botherder https://github.com/botherder"
strings:
$string1 = /(F)romBase64String/
$string2 = /(B)ase64String/
$string3 = /(C)onnected/ wide ascii
$string4 = /(R)eceive/
$string5 = /(S)end/ wide ascii
$string6 = /(D)ownloadData/ wide ascii
$string7 = /(D)eleteSubKey/ wide ascii
$string8 = /(g)et_MachineName/
$string9 = /(g)et_UserName/
$string10 = /(g)et_LastWriteTime/
$string11 = /(G)etVolumeInformation/
$string12 = /(O)SFullName/ wide ascii
$string13 = /(n)etsh firewall/ wide
$string14 = /(c)md\.exe \/k ping 0 & del/ wide
$string15 = /(c)md\.exe \/c ping 127\.0\.0\.1 & del/ wide
$string16 = /(c)md\.exe \/c ping 0 -n 2 & del/ wide
$string17 = {7C 00 27 00 7C 00 27 00 7C}
condition:
10 of them
}
malware/Notepad.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule TROJAN_Notepad {
meta:
Author = "RSA_IR"
Date = "4Jun13"
File = "notepad.exe v 1.1"
MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927"
strings:
$s1 = "75BAA77C842BE168B0F66C42C7885997"
$s2 = "B523F63566F407F3834BCC54AAA32524"
condition:
$s1 or $s2
}
malware/Olyx.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule OlyxCode : Olyx Family
{
meta:
description = "Olyx code tricks"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 }
$slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C }
condition:
any of them
}
rule OlyxStrings : Olyx Family
{
meta:
description = "Olyx Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$ = "/Applications/Automator.app/Contents/MacOS/DockLight"
condition:
any of them
}
rule Olyx : Family
{
meta:
description = "Olyx"
author = "Seth Hardy"
last_modified = "2014-06-19"
condition:
OlyxCode or OlyxStrings
}
malware/Opcleaver.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule OPCLEAVER_BackDoorLogger
{
meta:
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "BackDoorLogger"
$s2 = "zhuAddress"
condition:
all of them
}
rule OPCLEAVER_Jasus
{
meta:
description = "ARP cache poisoner used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "pcap_dump_open"
$s2 = "Resolving IPs to poison..."
$s3 = "WARNNING: Gateway IP can not be found"
condition:
all of them
}
rule OPCLEAVER_LoggerModule
{
meta:
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "%s-%02d%02d%02d%02d%02d.r"
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
condition:
all of them
}
rule OPCLEAVER_NetC
{
meta:
description = "Net Crawler used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "NetC.exe" wide
$s2 = "Net Service"
condition:
all of them
}
rule OPCLEAVER_ShellCreator2
{
meta:
description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "ShellCreator2.Properties"
$s2 = "set_IV"
condition:
all of them
}
rule OPCLEAVER_SmartCopy2
{
meta:
description = "Malware or hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "SmartCopy2.Properties"
$s2 = "ZhuFrameWork"
condition:
all of them
}
rule OPCLEAVER_SynFlooder
{
meta:
description = "Malware or hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
$s2 = "your target’s IP is : %s"
$s3 = "Raw TCP Socket Created successfully."
condition:
all of them
}
rule OPCLEAVER_TinyZBot
{
meta:
description = "Tiny Bot used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "NetScp" wide
$s2 = "TinyZBot.Properties.Resources.resources"
$s3 = "Aoao WaterMark"
$s4 = "Run_a_exe"
$s5 = "netscp.exe"
$s6 = "get_MainModule_WebReference_DefaultWS"
$s7 = "remove_CheckFileMD5Completed"
$s8 = "http://tempuri.org/"
$s9 = "Zhoupin_Cleaver"
condition:
(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
}
rule OPCLEAVER_ZhoupinExploitCrew
{
meta:
description = "Keywords used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "zhoupin exploit crew" nocase
$s2 = "zhopin exploit crew" nocase
condition:
1 of them
}
rule OPCLEAVER_antivirusdetector
{
meta:
description = "Hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "getShadyProcess"
$s2 = "getSystemAntiviruses"
$s3 = "AntiVirusDetector"
condition:
all of them
}
rule OPCLEAVER_csext
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "COM+ System Extentions"
$s2 = "csext.exe"
$s3 = "COM_Extentions_bin"
condition:
all of them
}
rule OPCLEAVER_kagent
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "kill command is in last machine, going back"
$s2 = "message data length in B64: %d Bytes"
condition:
all of them
}
rule OPCLEAVER_mimikatzWrapper
{
meta:
description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "mimikatzWrapper"
$s2 = "get_mimikatz"
condition:
all of them
}
rule OPCLEAVER_pvz_in
{
meta:
description = "Parviz tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
condition:
all of them
}
rule OPCLEAVER_pvz_out
{
meta:
description = "Parviz tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Network Connectivity Module" wide
$s2 = "OSPPSVC" wide
condition:
all of them
}
rule OPCLEAVER_wndTest
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "[Alt]" wide
$s2 = "<< %s >>:" wide
$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
condition:
all of them
}
rule OPCLEAVER_zhCat
{
meta:
description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
$s2 = "ABC ( A Big Company )" wide fullword
condition:
all of them
}
rule OPCLEAVER_zhLookUp
{
meta:
description = "Hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "zhLookUp.Properties"
condition:
all of them
}
rule OPCLEAVER_zhmimikatz
{
meta:
description = "Mimikatz wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "MimikatzRunner"
$s2 = "zhmimikatz"
condition:
all of them
}
rule OPCLEAVER_Parviz_Developer
{
meta:
description = "Parviz developer known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Florian Roth"
score = "70"
strings:
$s1 = "Users\\parviz\\documents\\" nocase
condition:
$s1
}
rule OPCLEAVER_CCProxy_Config
{
meta:
description = "CCProxy config known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Florian Roth"
score = "70"
strings:
$s1 = "UserName=User-001" fullword ascii
$s2 = "Web=1" fullword ascii
$s3 = "Mail=1" fullword ascii
$s4 = "FTP=0" fullword ascii
$x1 = "IPAddressLow=78.109.194.114" fullword ascii
condition:
all of ($s*) or $x1
}
malware/PlugX.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule PlugXStrings : PlugX Family
{
meta:
description = "PlugX Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-12"
strings:
$BootLDR = "boot.ldr" wide ascii
$Dwork = "d:\\work" nocase
$Plug25 = "plug2.5"
$Plug30 = "Plug3.0"
$Shell6 = "Shell6"
condition:
$BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))
}
rule plugX : rat
{
meta:
author = "Jean-Philippe Teissier / @Jipe_"
description = "PlugX RAT"
date = "2014-05-13"
filetype = "memory"
version = "1.0"
ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"
strings:
$v1a = { 47 55 4C 50 00 00 00 00 }
$v1b = "/update?id=%8.8x"
$v1algoa = { BB 33 33 33 33 2B }
$v1algob = { BB 44 44 44 44 2B }
$v2a = "Proxy-Auth:"
$v2b = { 68 A0 02 00 00 }
$v2k = { C1 8F 3A 71 }
condition:
$v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))
}
malware/PoisonIvy.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule poisonivy : rat
{
meta:
description = "Poison Ivy"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-02-01"
filetype = "memory"
version = "1.0"
ref1 = "https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py"
strings:
$a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C }
condition:
$a
}
malware/PubSab.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule PubSabCode : PubSab Family
{
meta:
description = "PubSab code tricks"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 }
condition:
any of them
}
rule PubSabStrings : PubSab Family
{
meta:
description = "PubSab Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$ = "_deamon_init"
$ = "com.apple.PubSabAgent"
$ = "/tmp/screen.jpeg"
condition:
any of them
}
rule PubSab : Family
{
meta:
description = "PubSab"
author = "Seth Hardy"
last_modified = "2014-06-19"
condition:
PubSabCode or PubSabStrings
}
malware/Quarian.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule QuarianStrings : Quarian Family
{
meta:
description = "Quarian Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-09"
strings:
$ = "s061779s061750"
$ = "[OnUpLoadFile]"
$ = "[OnDownLoadFile]"
$ = "[FileTransfer]"
$ = "---- Not connect the Manager, so start UnInstall ----"
$ = "------- Enter CompressDownLoadDir ---------"
$ = "------- Enter DownLoadDirectory ---------"
$ = "[HandleAdditionalData]"
$ = "[mswsocket.dll]"
$ = "msupdate.dll........Enter ThreadCmd!"
$ = "ok1-1"
$ = "msupdate_tmp.dll"
$ = "replace Rpcss.dll successfully!"
$ = "f:\\loadhiddendriver-mdl\\objfre_win7_x86\\i386\\intelnat.pdb"
$ = "\\drivercashe\\" wide ascii
$ = "\\microsoft\\windwos\\" wide ascii
$ = "\\DosDevices\\LOADHIDDENDRIVER" wide ascii
$ = "\\Device\\LOADHIDDENDRIVER" wide ascii
$ = "Global\\state_maping" wide ascii
$ = "E:\\Code\\2.0\\2.0_multi-port\\2.0\\ServerInstall_New-2010-0913_sp3\\msupdataDll\\Release\\msupdate_tmp.pdb"
$ = "Global\\unInstall_event_1554_Ower" wide ascii
condition:
any of them
}
rule QuarianCode : Quarian Family
{
meta:
description = "Quarian code features"
author = "Seth Hardy"
last_modified = "2014-07-09"
strings:
// decrypt in intelnat.sys
$ = { C1 E? 04 8B ?? F? C1 E? 05 33 C? }
// decrypt in mswsocket.dll
$ = { C1 EF 05 C1 E3 04 33 FB }
$ = { 33 D8 81 EE 47 86 C8 61 }
// loop in msupdate.dll
$ = { FF 45 E8 81 45 EC CC 00 00 00 E9 95 FE FF FF }
condition:
any of them
}
rule Quarian : Family
{
meta:
description = "Quarian"
author = "Seth Hardy"
last_modified = "2014-07-09"
condition:
QuarianCode or QuarianStrings
}
malware/RAT_Terminator.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule TerminatorRat : rat
{
meta:
description = "Terminator RAT"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-10-24"
filetype = "memory"
version = "1.0"
ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html"
strings:
$a = "Accelorator"
$b = "<html><title>12356</title><body>"
condition:
all of them
}
rule TROJAN_Notepad_shell_crew {
meta:
author = "RSA_IR"
Date = "4Jun13"
File = "notepad.exe v 1.1"
MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927"
strings:
$s1 = "75BAA77C842BE168B0F66C42C7885997"
$s2 = "B523F63566F407F3834BCC54AAA32524"
condition:
$s1 or $s2
}
malware/RCS.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule RCS_Backdoor
{
meta:
description = "Hacking Team RCS Backdoor"
author = "botherder https://github.com/botherder"
strings:
$filter1 = "$debug3"
$filter2 = "$log2"
$filter3 = "error2"
$debug1 = /\- (C)hecking components/ wide ascii
$debug2 = /\- (A)ctivating hiding system/ wide ascii
$debug3 = /(f)ully operational/ wide ascii
$log1 = /\- Browser activity \(FF\)/ wide ascii
$log2 = /\- Browser activity \(IE\)/ wide ascii
// Cause false positives.
//$log3 = /\- About to call init routine at %p/ wide ascii
//$log4 = /\- Calling init routine at %p/ wide ascii
$error1 = /\[Unable to deploy\]/ wide ascii
$error2 = /\[The system is already monitored\]/ wide ascii
condition:
(2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
}
rule RCS_Scout
{
meta:
description = "Hacking Team RCS Scout"
author = "botherder https://github.com/botherder"
strings:
$filter1 = "$engine5"
$filter2 = "$start4"
$filter3 = "$upd2"
$filter4 = "$lookma6"
$engine1 = /(E)ngine started/ wide ascii
$engine2 = /(R)unning in background/ wide ascii
$engine3 = /(L)ocking doors/ wide ascii
$engine4 = /(R)otors engaged/ wide ascii
$engine5 = /(I)\'m going to start it/ wide ascii
$start1 = /Starting upgrade\!/ wide ascii
$start2 = /(I)\'m going to start the program/ wide ascii
$start3 = /(i)s it ok\?/ wide ascii
$start4 = /(C)lick to start the program/ wide ascii
$upd1 = /(U)pdJob/ wide ascii
$upd2 = /(U)pdTimer/ wide ascii
$lookma1 = /(O)wning PCI bus/ wide
$lookma2 = /(F)ormatting bios/ wide
$lookma3 = /(P)lease insert a disk in drive A:/ wide
$lookma4 = /(U)pdating CPU microcode/ wide
$lookma5 = /(N)ot sure what's happening/ wide
$lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide
condition:
(all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
}
malware/Ramsonware.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule CryptoLocker_set1
{
meta:
author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
date = "2014-04-13"
description = "Detection of Cryptolocker Samples"
strings:
$string0 = "static"
$string1 = " kscdS"
$string2 = "Romantic"
$string3 = "CompanyName" wide
$string4 = "ProductVersion" wide
$string5 = "9%9R9f9q9"
$string6 = "IDR_VERSION1" wide
$string7 = " </trustInfo>"
$string8 = "LookFor" wide
$string9 = ":n;t;y;"
$string10 = " <requestedExecutionLevel level"
$string11 = "VS_VERSION_INFO" wide
$string12 = "2.0.1.0" wide
$string13 = "<assembly xmlns"
$string14 = " <trustInfo xmlns"
$string15 = "srtWd@@"
$string16 = "515]5z5"
$string17 = "C:\\lZbvnoVe.exe" wide
condition:
8 of ($string*)
}
rule CryptoLocker_rule2
{
meta:
author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
date = "2014-04-14"
description = "Detection of CryptoLocker Variants"
strings:
$string0 = "2.0.1.7" wide
$string1 = " <security>"
$string2 = "Romantic"
$string3 = "ProductVersion" wide
$string4 = "9%9R9f9q9"
$string5 = "IDR_VERSION1" wide
$string6 = "button"
$string7 = " </security>"
$string8 = "VFileInfo" wide
$string9 = "LookFor" wide
$string10 = " </requestedPrivileges>"
$string11 = " uiAccess"
$string12 = " <trustInfo xmlns"
$string13 = "last.inf"
$string14 = " manifestVersion"
$string15 = "FFFF04E3" wide
$string16 = "3,31363H3P3m3u3z3"
condition:
8 of ($string*)
}
malware/Regsubdat.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule RegSubDatCode : RegSubDat Family
{
meta:
description = "RegSubDat code features"
author = "Seth Hardy"
last_modified = "2014-07-14"
strings:
// decryption loop
$ = { 80 34 3? 99 40 (3D FB 65 00 00 | 3B C6) 7? F? }
// push then pop values
$ = { 68 FF FF 7F 00 5? }
$ = { 68 FF 7F 00 00 5? }
condition:
all of them
}
rule RegSubDatStrings : RegSubDat Family
{
meta:
description = "RegSubDat Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-14"
strings:
$avg1 = "Button"
$avg2 = "Allow"
$avg3 = "Identity Protection"
$avg4 = "Allow for all"
$avg5 = "AVG Firewall Asks For Confirmation"
$mutex = "0x1A7B4C9F"
condition:
all of ($avg*) or $mutex
}
rule RegSubDat : Family
{
meta:
description = "RegSubDat"
author = "Seth Hardy"
last_modified = "2014-07-14"
condition:
RegSubDatCode or RegSubDatStrings
}
malware/Rooter.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule RooterCode : Rooter Family
{
meta:
description = "Rooter code features"
author = "Seth Hardy"
last_modified = "2014-07-10"
strings:
// xor 0x30 decryption
$ = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 }
condition:
any of them
}
rule RooterStrings : Rooter Family
{
meta:
description = "Rooter Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-10"
strings:
$group1 = "seed\x00"
$group2 = "prot\x00"
$group3 = "ownin\x00"
$group4 = "feed0\x00"
$group5 = "nown\x00"
condition:
3 of ($group*)
}
rule Rooter : Family
{
meta:
description = "Rooter"
author = "Seth Hardy"
last_modified = "2014-07-10"
condition:
RooterCode or RooterStrings
}
rule RookieCode : Rookie Family
{
meta:
description = "Rookie code features"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
// hidden AutoConfigURL
$ = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 66 }
// hidden ProxyEnable
$ = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 }
// xor on rand value?
$ = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 }
condition:
any of them
}
rule Rookie : Family
{
meta:
description = "Rookie"
author = "Seth Hardy"
last_modified = "2014-06-25"
condition:
RookieCode or RookieStrings
}
malware/Safenet.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule SafeNetCode : SafeNet Family
{
meta:
description = "SafeNet code features"
author = "Seth Hardy"
last_modified = "2014-07-16"
strings:
// add edi, 14h; cmp edi, 50D0F8h
$ = { 83 C7 14 81 FF F8 D0 40 00 }
condition:
any of them
}
rule SafeNetStrings : SafeNet Family
{
meta:
description = "Strings used by SafeNet"
author = "Seth Hardy"
last_modified = "2014-07-16"
strings:
$ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr"
$ = "/safe/record.php"
$ = "_Rm.bat" wide ascii
$ = "try\x0d\x0a\x09\x09\x09\x09 del %s" wide ascii
$ = "Ext.org" wide ascii
condition:
any of them
}
rule SafeNet : Family
{
meta:
description = "SafeNet family"
condition:
SafeNetCode or SafeNetStrings
}
malware/Scarhikn.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule ScarhiknStrings : Scarhikn Family
{
meta:
description = "Scarhikn Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$ = "9887___skej3sd"
$ = "haha123"
condition:
any of them
}
rule ScarhiknCode : Scarhikn Family
{
meta:
description = "Scarhikn code features"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
// decryption
$ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 }
$ = { 8B 02 8A 8D ?? ?? ?? ?? 30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 }
condition:
any of them
}
rule Scarhikn : Family
{
meta:
description = "Scarhikn"
author = "Seth Hardy"
last_modified = "2014-06-25"
condition:
ScarhiknCode or ScarhiknStrings
}
malware/Scieron.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Scieron
{
meta:
author = "Symantec Security Response"
ref = "http://www.symantec.com/connect/tr/blogs/scarab-attackers-took-aim-select-russian-targets-2012"
date = "22.01.15"
strings:
// .text:10002069 66 83 F8 2C cmp ax, ','
// .text:1000206D 74 0C jz short loc_1000207B
// .text:1000206F 66 83 F8 3B cmp ax, ';'
// .text:10002073 74 06 jz short loc_1000207B
// .text:10002075 66 83 F8 7C cmp ax, '|'
// .text:10002079 75 05 jnz short loc_10002080
$code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}
// .text:10001D83 83 F8 09 cmp eax, 9 ; switch 10 cases
// .text:10001D86 0F 87 DB 00 00 00 ja loc_10001E67 ; jumptable 10001D8C default case
// .text:10001D8C FF 24 85 55 1F 00+ jmp ds:off_10001F55[eax*4] ; switch jump
$code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}
$str1 = "IP_PADDING_DATA" wide ascii
$str2 = "PORT_NUM" wide ascii
condition:
all of them
}
malware/ShadowTech.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule ShadowTech
{
meta:
description = "ShadowTech RAT"
author = "botherder https://github.com/botherder"
strings:
$string1 = /\#(S)trings/
$string2 = /\#(G)UID/
$string3 = /\#(B)lob/
$string4 = /(S)hadowTech Rat\.exe/
$string5 = /(S)hadowTech_Rat/
condition:
all of them
}
malware/Shamoon.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule CrowdStrike_Shamoon_DroppedFile {
meta:
description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
strings:
$testn123 = "test123" wide
$testn456 = "test456" wide
$testn789 = "test789" wide
$testdomain = "testdomain.com" wide $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
condition:
(any of ($testn*) or $pingcmd) and $testdomain
}
malware/Skeleton.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule skeleton_key_patcher
{
meta:
description = "Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN"
author = "Dell SecureWorks Counter Threat Unit"
reference = "http://goo.gl/aAk3lN"
date = "2015/01/13"
score = 70
strings:
$target_process = "lsass.exe" wide
$dll1 = "cryptdll.dll"
$dll2 = "samsrv.dll"
$name = "HookDC.dll"
$patched1 = "CDLocateCSystem"
$patched2 = "SamIRetrievePrimaryCredentials"
$patched3 = "SamIRetrieveMultiplePrimaryCredentials"
condition:
all of them
}
rule skeleton_key_injected_code
{
meta:
description = "Skeleton Key injected Code http://goo.gl/aAk3lN"
author = "Dell SecureWorks Counter Threat Unit"
reference = "http://goo.gl/aAk3lN"
date = "2015/01/13"
score = 70
strings:
$injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00 00 48 81 C4 58 01 00 00 C3 }
$patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
$patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
$patch_SamIRetrieveMultiplePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
condition:
any of them
}
malware/Stealer.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule universal_1337_stealer_serveur : Stealer
{
meta:
author="Kevin Falcoz"
date="24/02/2013"
description="Universal 1337 Stealer Serveur"
strings:
$signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/
$signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A} /*[H-E-R-E]*/
$signature3={46 54 50 7E} /*FTP~*/
$signature4={7E 31 7E 31 7E 30 7E 30} /*~1~1~0~0*/
condition:
$signature1 and $signature2 or $signature3 and $signature4
}
malware/Surtr.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule RSharedStrings : Surtr Family {
meta:
description = "identifiers for remote and gmremote"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
$ = "nView_DiskLoydb" wide
$ = "nView_KeyLoydb" wide
$ = "nView_skins" wide
$ = "UsbLoydb" wide
$ = "%sBurn%s" wide
$ = "soul" wide
condition:
any of them
}
rule RemoteStrings : Remote Variant Surtr Family {
meta:
description = "indicators for remote.dll - surtr stage 2"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
$ = "\x00Remote.dll\x00"
$ = "\x00CGm_PlugBase::"
$ = "\x00ServiceMain\x00_K_H_K_UH\x00"
$ = "\x00_Remote_\x00" wide
condition:
any of them
}
rule GmRemoteStrings : GmRemote Variant Family Surtr {
meta:
description = "identifiers for gmremote: surtr stage 2"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
$ = "\x00x86_GmRemote.dll\x00"
$ = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
$ = "\x00GmShutPoint\x00"
$ = "\x00GmRecvPoint\x00"
$ = "\x00GmInitPoint\x00"
$ = "\x00GmVerPoint\x00"
$ = "\x00GmNumPoint\x00"
$ = "_Gt_Remote_" wide
$ = "%sBurn\\workdll.tmp" wide
condition:
any of them
}
rule GmRemote : Family Surtr Variant GmRemote {
meta:
description = "identifier for gmremote"
author = "Katie Kleemola"
last_updated = "07-25-2014"
condition:
RSharedStrings and GmRemoteStrings
}
rule Remote : Family Surtr Variant Remote {
meta:
description = "identifier for remote"
author = "Katie Kleemola"
last_updated = "07-25-2014"
condition:
RSharedStrings and RemoteStrings
}
rule SurtrStrings : Surtr Family {
meta:
author = "Katie Kleemola"
description = "Strings for Surtr"
last_updated = "2014-07-16"
strings:
$ = "\x00soul\x00"
$ = "\x00InstallDll.dll\x00"
$ = "\x00_One.dll\x00"
$ = "_Fra.dll"
$ = "CrtRunTime.log"
$ = "Prod.t"
$ = "Proe.t"
$ = "Burn\\"
$ = "LiveUpdata_Mem\\"
condition:
any of them
}
rule SurtrCode : Surtr Family {
meta:
author = "Katie Kleemola"
description = "Code features for Surtr Stage1"
last_updated = "2014-07-16"
strings:
//decrypt config
$ = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
//if Burn folder name is not in strings
$ = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
//mov char in _Fire
$ = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }
condition:
any of them
}
rule Surtr : Family {
meta:
author = "Katie Kleemola"
description = "Rule for Surtr Stage One"
last_updated = "2014-07-16"
condition:
SurtrStrings or SurtrCode
}
malware/T5000.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule T5000Strings : T5000 Family
{
meta:
description = "T5000 Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-26"
strings:
$ = "_tmpR.vbs"
$ = "_tmpg.vbs"
$ = "Dtl.dat" wide ascii
$ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
$ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
$ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
$ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
$ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
$ = "A59CF429-D0DD-4207-88A1-04090680F714"
$ = "utd_CE31" wide ascii
$ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
$ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
$ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
$ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
condition:
any of them
}
rule T5000 : Family
{
meta:
description = "T5000"
author = "Seth Hardy"
last_modified = "2014-06-26"
condition:
T5000Strings
}
malware/Turla.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WaterBug_turla_dll
{
meta:
description = "Symantec Waterbug Attack - Trojan Turla DLL"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
condition:
pe.exports("ee") and $a
}
malware/Urausy.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule urausy_skype_dat {
meta:
author = "AlienVault Labs"
description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
strings:
$a = "skype.dat" ascii wide
$b = "skype.ini" ascii wide
$win1 = "CreateWindow"
$win2 = "YIWEFHIWQ" ascii wide
$desk1 = "CreateDesktop"
$desk2 = "MyDesktop" ascii wide
condition:
$a and $b and (all of ($win*) or all of ($desk*))
}
malware/Vidgrab.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule VidgrabCode : Vidgrab Family
{
meta:
description = "Vidgrab code tricks"
author = "Seth Hardy"
last_modified = "2014-06-20"
strings:
$divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
// add eax, ecx; xor byte ptr [eax], ??h; inc ecx
$xorloop = { 03 C1 80 30 (66 | 58) 41 }
$junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
condition:
all of them
}
rule VidgrabStrings : Vidgrab Family
{
meta:
description = "Vidgrab Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-20"
strings:
$ = "IDI_ICON5" wide ascii
$ = "starter.exe"
$ = "wmifw.exe"
$ = "Software\\rar"
$ = "tmp092.tmp"
$ = "temp1.exe"
condition:
3 of them
}
rule Vidgrab : Family
{
meta:
description = "Vidgrab"
author = "Seth Hardy"
last_modified = "2014-06-20"
condition:
VidgrabCode or VidgrabStrings
}
malware/Warp.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WarpCode : Warp Family
{
meta:
description = "Warp code features"
author = "Seth Hardy"
last_modified = "2014-07-10"
strings:
// character replacement
$ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F }
condition:
any of them
}
rule WarpStrings : Warp Family
{
meta:
description = "Warp Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-10"
strings:
$ = "/2011/n325423.shtml?"
$ = "wyle"
$ = "\\~ISUN32.EXE"
condition:
any of them
}
rule Warp : Family
{
meta:
description = "Warp"
author = "Seth Hardy"
last_modified = "2014-07-10"
condition:
WarpCode or WarpStrings
}
malware/Waterbug.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WaterBug_wipbot_2013_core_PDF {
meta:
description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$PDF = "%PDF-"
$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
condition:
($PDF at 0) and #a > 150 and #b > 200
}
rule WaterBug_wipbot_2013_dll {
meta:
description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$string1 = "/%s?rank=%s"
$string2 = "ModuleStart\x00ModuleStop\x00start"
$string3 = "1156fd22-3443-4344-c4ffff"
//read file... error..
$string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
condition:
2 of them
}
rule WaterBug_wipbot_2013_core {
meta:
description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$mz = "MZ"
$code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
$code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
$code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04} $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
condition:
$mz at 0 and (($code1 or $code2) or ($code3 and $code4))
}
rule WaterBug_turla_dropper {
meta:
description = "Symantec Waterbug Attack - Trojan Turla Dropper"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
$b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
condition:
all of them
}
rule WaterBug_fa_malware {
meta:
description = "Symantec Waterbug Attack - FA malware variant"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$mz = "MZ"
$string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
$string2 = "d:\\proj\\cn\\fa64\\"
$string3 = "sengoku_Win32.sys\x00"
$string4 = "rk_ntsystem.c"
$string5 = "\\uroboros\\"
$string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
condition:
($mz at 0) and (any of ($string*))
}
rule WaterBug_sav {
meta:
description = "Symantec Waterbug Attack - SAV Malware"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$mz = "MZ"
$code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
$code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC 3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
$code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
$code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
condition:
($mz at 0) and (($code1a or $code1b or $code1c) and $code2)
}
malware/Webshell-shell.yar 0 → 100644
This source diff could not be displayed because it is too large. You can view the blob instead.
malware/Wimmie.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WimmieShellcode : Wimmie Family
{
meta:
description = "Wimmie code features"
author = "Seth Hardy"
last_modified = "2014-07-17"
strings:
// decryption loop
$ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 }
$xordecrypt = {B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 }
condition:
any of them
}
rule WimmieStrings : Wimmie Family
{
meta:
description = "Strings used by Wimmie"
author = "Seth Hardy"
last_modified = "2014-07-17"
strings:
$ = "\x00ScriptMan"
$ = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" wide ascii
$ = "ProbeScriptFint" wide ascii
$ = "ProbeScriptKids"
condition:
any of them
}
rule Wimmie : Family
{
meta:
description = "Wimmie family"
author = "Seth Hardy"
last_modified = "2014-07-17"
condition:
WimmieShellcode or WimmieStrings
}
malware/WoolenGoldfish.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WoolenGoldfish_Sample_1 {
meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth"
reference = "http://goo.gl/NpJpVZ"
date = "2015/03/25"
score = 60
hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
strings:
$s1 = "Cannot execute (%d)" fullword ascii
$s16 = "SvcName" fullword ascii
condition:
all of them
}
rule WoolenGoldfish_Generic_1 {
meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth"
reference = "http://goo.gl/NpJpVZ"
date = "2015/03/25"
score = 90
super_rule = 1
hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
strings:
$x0 = "Users\\Wool3n.H4t\\"
$x1 = "C-CPP\\CWoolger"
$x2 = "NTSuser.exe" fullword wide
$s1 = "107.6.181.116" fullword wide
$s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
$s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
$s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
$s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
$s6 = "wlg.dat" fullword
$s7 = "woolger" fullword wide
$s8 = "[Enter]" fullword
$s9 = "[Control]" fullword
condition:
( 1 of ($x*) and 2 of ($s*) ) or
( 6 of ($s*) )
}
rule WoolenGoldfish_Generic_2 {
meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth"
reference = "http://goo.gl/NpJpVZ"
date = "2015/03/25"
score = 90
hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
strings:
$s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
condition:
all of them
}
rule WoolenGoldfish_Generic_3 {
meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth"
reference = "http://goo.gl/NpJpVZ"
date = "2015/03/25"
score = 90
hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
strings:
$x1 = "... get header FATAL ERROR !!! %d bytes read > header_size" fullword ascii
$x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
$x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
$s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
$s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
$s2 = "Attempting to unlock uninitialized lock!" fullword ascii
$s4 = "unable to load kernel32.dll" fullword ascii
$s5 = "index.php?c=%S&r=%x" fullword wide
$s6 = "%s len:%d " fullword ascii
$s7 = "Encountered error sending syscall response to client" fullword ascii
$s9 = "/info.dat" fullword ascii
$s10 = "Error entering thread lock" fullword ascii
$s11 = "Error exiting thread lock" fullword ascii
$s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
condition:
( 1 of ($x*) ) or
( 8 of ($s*) )
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment