Commit 836d7f74 by j0sm1

New classification

New malware rules classification
parent 0e5f4909
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule LIGHTDART_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "ret.log" wide ascii
$s2 = "Microsoft Internet Explorer 6.0" wide ascii
$s3 = "szURL Fail" wide ascii
$s4 = "szURL Successfully" wide ascii
$s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
condition:
all of them
}
rule AURIGA_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "superhard corp." wide ascii
$s2 = "microsoft corp." wide ascii
$s3 = "[Insert]" wide ascii
$s4 = "[Delete]" wide ascii
$s5 = "[End]" wide ascii
$s6 = "!(*@)(!@KEY" wide ascii
$s7 = "!(*@)(!@SID=" wide ascii
condition:
all of them
}
rule AURIGA_driver_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Services\\riodrv32" wide ascii
$s2 = "riodrv32.sys" wide ascii
$s3 = "svchost.exe" wide ascii
$s4 = "wuauserv.dll" wide ascii
$s5 = "arp.exe" wide ascii
$pdb = "projects\\auriga" wide ascii
condition:
all of ($s*) or $pdb
}
rule BANGAT_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "superhard corp." wide ascii
$s2 = "microsoft corp." wide ascii
$s3 = "[Insert]" wide ascii
$s4 = "[Delete]" wide ascii
$s5 = "[End]" wide ascii
$s6 = "!(*@)(!@KEY" wide ascii
$s7 = "!(*@)(!@SID=" wide ascii
$s8 = "end binary output" wide ascii
$s9 = "XriteProcessMemory" wide ascii
$s10 = "IE:Password-Protected sites" wide ascii
$s11 = "pstorec.dll" wide ascii
condition:
all of them
}
rule BISCUIT_GREENCAT_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "zxdosml" wide ascii
$s2 = "get user name error!" wide ascii
$s3 = "get computer name error!" wide ascii
$s4 = "----client system info----" wide ascii
$s5 = "stfile" wide ascii
$s6 = "cmd success!" wide ascii
condition:
all of them
}
rule BOUNCER_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
$s2 = "IDR_DATA%d" wide ascii
$s3 = "asdfqwe123cxz" wide ascii
$s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
condition:
($s1 and $s2) or ($s3 and $s4)
}
rule BOUNCER_DLL_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "new_connection_to_bounce():" wide ascii
$s2 = "usage:%s IP port [proxip] [port] [key]" wide ascii
condition:
all of them
}
rule CALENDAR_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "content" wide ascii
$s2 = "title" wide ascii
$s3 = "entry" wide ascii
$s4 = "feed" wide ascii
$s5 = "DownRun success" wide ascii
$s6 = "%s@gmail.com" wide ascii
$s7 = "<!--%s-->" wide ascii
$b8 = "W4qKihsb+So=" wide ascii
$b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
$b10 = "8oqKiqb5880/uJLzAsY=" wide ascii
condition:
all of ($s*) or all of ($b*)
}
rule COMBOS_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
$s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
$s3 = "Delay" wide ascii
$s4 = "Getfile" wide ascii
$s5 = "Putfile" wide ascii
$s6 = "---[ Virtual Shell]---" wide ascii
$s7 = "Not Comming From Our Server %s." wide ascii
condition:
all of them
}
rule DAIRY_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii
$s2 = "KilFail" wide ascii
$s3 = "KilSucc" wide ascii
$s4 = "pkkill" wide ascii
$s5 = "pklist" wide ascii
condition:
all of them
}
rule GLOOXMAIL_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Kill process success!" wide ascii
$s2 = "Kill process failed!" wide ascii
$s3 = "Sleep success!" wide ascii
$s4 = "based on gloox" wide ascii
$pdb = "glooxtest.pdb" wide ascii
condition:
all of ($s*) or $pdb
}
rule GOGGLES_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Kill process success!" wide ascii
$s2 = "Kill process failed!" wide ascii
$s3 = "Sleep success!" wide ascii
$s4 = "based on gloox" wide ascii
$pdb = "glooxtest.pdb" wide ascii
condition:
all of ($s*) or $pdb
}
rule HACKSFASE1_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = {cb 39 82 49 42 be 1f 3a}
condition:
all of them
}
rule HACKSFASE2_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Send to Server failed." wide ascii
$s2 = "HandShake with the server failed. Error:" wide ascii
$s3 = "Decryption Failed. Context Expired." wide ascii
condition:
all of them
}
rule KURTON_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" wide ascii
$s2 = "!(*@)(!@PORT!(*@)(!@URL" wide ascii
$s3 = "MyTmpFile.Dat" wide ascii
$s4 = "SvcHost.DLL.log" wide ascii
condition:
all of them
}
rule LONGRUN_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" wide ascii
$s2 = "%s\\%c%c%c%c%c%c%c" wide ascii
$s3 = "wait:" wide ascii
$s4 = "Dcryption Error! Invalid Character" wide ascii
condition:
all of them
}
rule MACROMAIL_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "svcMsn.dll" wide ascii
$s2 = "RundllInstall" wide ascii
$s3 = "Config service %s ok." wide ascii
$s4 = "svchost.exe" wide ascii
condition:
all of them
}
rule MANITSME_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Install an Service hosted by SVCHOST." wide ascii
$s2 = "The Dll file that to be released." wide ascii
$s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
$s4 = "svchost.exe" wide ascii
$e1 = "Man,it's me" wide ascii
$e2 = "Oh,shit" wide ascii
$e3 = "Hallelujah" wide ascii
$e4 = "nRet == SOCKET_ERROR" wide ascii
$pdb1 = "rouji\\release\\Install.pdb" wide ascii
$pdb2 = "rouji\\SvcMain.pdb" wide ascii
condition:
(all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
}
rule MINIASP_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "miniasp" wide ascii
$s2 = "wakeup=" wide ascii
$s3 = "download ok!" wide ascii
$s4 = "command is null!" wide ascii
$s5 = "device_input.asp?device_t=" wide ascii
condition:
all of them
}
rule NEWSREELS_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" wide ascii
$s2 = "name=%s&userid=%04d&other=%c%s" wide ascii
$s3 = "download ok!" wide ascii
$s4 = "command is null!" wide ascii
$s5 = "noclient" wide ascii
$s6 = "wait" wide ascii
$s7 = "active" wide ascii
$s8 = "hello" wide ascii
condition:
all of them
}
rule SEASALT_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" wide ascii
$s2 = "upfileok" wide ascii
$s3 = "download ok!" wide ascii
$s4 = "upfileer" wide ascii
$s5 = "fxftest" wide ascii
condition:
all of them
}
rule STARSYPOUND_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "*(SY)# cmd" wide ascii
$s2 = "send = %d" wide ascii
$s3 = "cmd.exe" wide ascii
$s4 = "*(SY)#" wide ascii
condition:
all of them
}
rule SWORD_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" wide ascii
$s2 = "sleep:" wide ascii
$s3 = "down:" wide ascii
$s4 = "*========== Bye Bye ! ==========*" wide ascii
condition:
all of them
}
rule thequickbrow_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "thequickbrownfxjmpsvalzydg" wide ascii
condition:
all of them
}
rule TABMSGSQL_APT1 {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "letusgohtppmmv2.0.0.1" wide ascii
$s2 = "Mozilla/4.0 (compatible; )" wide ascii
$s3 = "filestoc" wide ascii
$s4 = "filectos" wide ascii
$s5 = "reshell" wide ascii
condition:
all of them
}
rule CCREWBACK1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "postvalue" wide ascii
$b = "postdata" wide ascii
$c = "postfile" wide ascii
$d = "hostname" wide ascii
$e = "clientkey" wide ascii
$f = "start Cmd Failure!" wide ascii
$g = "sleep:" wide ascii
$h = "downloadcopy:" wide ascii
$i = "download:" wide ascii
$j = "geturl:" wide ascii
$k = "1.234.1.68" wide ascii
condition:
4 of ($a,$b,$c,$d,$e) or $f or 3 of ($g,$h,$i,$j) or $k
}
rule TrojanCookies_CCREW
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "sleep:" wide ascii
$b = "content=" wide ascii
$c = "reqpath=" wide ascii
$d = "savepath=" wide ascii
$e = "command=" wide ascii
condition:
4 of ($a,$b,$c,$d,$e)
}
rule GEN_CCREW1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "W!r@o#n$g" wide ascii
$b = "KerNel32.dll" wide ascii
condition:
any of them
}
rule Elise
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "SetElise.pdb" wide ascii
condition:
$a
}
rule EclipseSunCloudRAT
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "Eclipse_A" wide ascii
$b = "\\PJTS\\" wide ascii
$c = "Eclipse_Client_B.pdb" wide ascii
$d = "XiaoME" wide ascii
$e = "SunCloud-Code" wide ascii
$f = "/uc_server/data/forum.asp" wide ascii
condition:
any of them
}
rule MoonProject
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "Serverfile is smaller than Clientfile" wide ascii
$b = "\\M tools\\" wide ascii
$c = "MoonDLL" wide ascii
$d = "\\M tools\\" wide ascii
condition:
any of them
}
rule ccrewDownloader1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = {DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42}
condition:
any of them
}
rule ccrewDownloader2
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "3gZFQOBtY3sifNOl" wide ascii
$b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" wide ascii
$c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" wide ascii
condition:
any of them
}
rule ccrewMiniasp
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "MiniAsp.pdb" wide ascii
$b = "device_t=" wide ascii
condition:
any of them
}
rule ccrewSSLBack2
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = {39 82 49 42 BE 1F 3A}
condition:
any of them
}
rule ccrewSSLBack3
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "SLYHKAAY" wide ascii
condition:
any of them
}
rule ccrewSSLBack1
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "!@#%$^#@!" wide ascii
$b = "64.91.80.6" wide ascii
condition:
any of them
}
rule ccrewDownloader3
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "ejlcmbv" wide ascii
$b = "bhxjuisv" wide ascii
$c = "yqzgrh" wide ascii
$d = "uqusofrp" wide ascii
$e = "Ljpltmivvdcbb" wide ascii
$f = "frfogjviirr" wide ascii
$g = "ximhttoskop" wide ascii
condition:
4 of them
}
rule ccrewQAZ
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "!QAZ@WSX" wide ascii
condition:
$a
}
rule metaxcd
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "<meta xcd=" wide ascii
condition:
$a
}
rule MiniASP
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
$PDB = "MiniAsp.pdb" nocase wide ascii
condition:
any of them
}
rule DownloaderPossibleCCrew
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$a = "%s?%.6u" wide ascii
$b = "szFileUrl=%s" wide ascii
$c = "status=%u" wide ascii
$d = "down file success" wide ascii
$e = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" wide ascii
condition:
all of them
}
rule APT1_MAPIGET
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "%s\\Attachment.dat" wide ascii
$s2 = "MyOutlook" wide ascii
$s3 = "mail.txt" wide ascii
$s4 = "Recv Time:" wide ascii
$s5 = "Subject:" wide ascii
condition:
all of them
}
rule APT1_LIGHTBOLT
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$str1 = "bits.exe" wide ascii
$str2 = "PDFBROW" wide ascii
$str3 = "Browser.exe" wide ascii
$str4 = "Protect!" wide ascii
condition:
2 of them
}
rule APT1_GETMAIL
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$stra1 = "pls give the FULL path" wide ascii
$stra2 = "mapi32.dll" wide ascii
$stra3 = "doCompress" wide ascii
$strb1 = "getmail.dll" wide ascii
$strb2 = "doCompress" wide ascii
$strb3 = "love" wide ascii
condition:
all of ($stra*) or all of ($strb*)
}
rule APT1_GDOCUPLOAD
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$str1 = "name=\"GALX\"" wide ascii
$str2 = "User-Agent: Shockwave Flash" wide ascii
$str3 = "add cookie failed..." wide ascii
$str4 = ",speed=%f" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_Y21K
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$1 = "Y29ubmVjdA" wide ascii // connect
$2 = "c2xlZXA" wide ascii // sleep
$3 = "cXVpdA" wide ascii // quit
$4 = "Y21k" wide ascii // cmd
$5 = "dW5zdXBwb3J0" wide ascii // unsupport
condition:
4 of them
}
rule APT1_WEBC2_YAHOO
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$http1 = "HTTP/1.0" wide ascii
$http2 = "Content-Type:" wide ascii
$uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii
condition:
all of them
}
rule APT1_WEBC2_UGX
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
$exe = "DefWatch.exe" wide ascii
$html = "index1.html" wide ascii
$cmd1 = "!@#tiuq#@!" wide ascii
$cmd2 = "!@#dmc#@!" wide ascii
$cmd3 = "!@#troppusnu#@!" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_TOCK
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$1 = "InprocServer32" wide ascii
$2 = "HKEY_PERFORMANCE_DATA" wide ascii
$3 = "<!---[<if IE 5>]id=" wide ascii
condition:
all of them
}
rule APT1_WEBC2_TABLE
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$msg1 = "Fail To Execute The Command" wide ascii
$msg2 = "Execute The Command Successfully" wide ascii
/*
$gif1 = /\w+\.gif/
*/
$gif2 = "GIF89" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_RAVE
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$1 = "iniet.exe" wide ascii
$2 = "cmd.exe" wide ascii
$3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
$4 = "Device File System" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_QBP
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$1 = "2010QBP" wide ascii
$2 = "adobe_sl.exe" wide ascii
$3 = "URLDownloadToCacheFile" wide ascii
$4 = "dnsapi.dll" wide ascii
$5 = "urlmon.dll" wide ascii
condition:
4 of them
}
rule APT1_WEBC2_HEAD
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$1 = "Ready!" wide ascii
$2 = "connect ok" wide ascii
$3 = "WinHTTP 1.0" wide ascii
$4 = "<head>" wide ascii
condition:
all of them
}
rule APT1_WEBC2_GREENCAT
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$1 = "reader_sl.exe" wide ascii
$2 = "MS80547.bat" wide ascii
$3 = "ADR32" wide ascii
$4 = "ControlService failed!" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_DIV
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$1 = "3DC76854-C328-43D7-9E07-24BF894F8EF5" wide ascii
$2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii
$3 = "Hello from MFC!" wide ascii
$4 = "Microsoft Internet Explorer" wide ascii
condition:
3 of them
}
rule APT1_WEBC2_CSON
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$httpa1 = "/Default.aspx?INDEX=" wide ascii
$httpa2 = "/Default.aspx?ID=" wide ascii
$httpb1 = "Win32" wide ascii
$httpb2 = "Accept: text*/*" wide ascii
$exe1 = "xcmd.exe" wide ascii
$exe2 = "Google.exe" wide ascii
condition:
1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
}
rule APT1_WEBC2_CLOVER
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$msg1 = "BUILD ERROR!" wide ascii
$msg2 = "SUCCESS!" wide ascii
$msg3 = "wild scan" wide ascii
$msg4 = "Code too clever" wide ascii
$msg5 = "insufficient lookahead" wide ascii
$ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
$ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii
condition:
2 of ($msg*) and 1 of ($ua*)
}
rule APT1_WEBC2_BOLID
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$vm = "VMProtect" wide ascii
$http = "http://[c2_location]/[page].html" wide ascii
condition:
all of them
}
rule APT1_WEBC2_ADSPACE
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$1 = "<!---HEADER ADSPACE style=" wide ascii
$2 = "ERSVC.DLL" wide ascii
condition:
all of them
}
rule APT1_WEBC2_AUSOV
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$1 = "ntshrui.dll" wide ascii
$2 = "%SystemRoot%\\System32\\" wide ascii
$3 = "<!--DOCHTML" wide ascii
$4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
$5 = "Ausov" wide ascii
condition:
4 of them
}
rule APT1_WARP
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$err1 = "exception..." wide ascii
$err2 = "failed..." wide ascii
$err3 = "opened..." wide ascii
$exe1 = "cmd.exe" wide ascii
$exe2 = "ISUN32.EXE" wide ascii
condition:
2 of ($err*) and all of ($exe*)
}
rule APT1_TARSIP_ECLIPSE
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$1 = "\\pipe\\ssnp" wide ascii
$2 = "toobu.ini" wide ascii
$3 = "Serverfile is not bigger than Clientfile" wide ascii
$4 = "URL download success" wide ascii
condition:
3 of them
}
rule APT1_TARSIP_MOON
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "\\XiaoME\\SunCloud-Code\\moon" wide ascii
$s2 = "URL download success!" wide ascii
$s3 = "Kugoosoft" wide ascii
$msg1 = "Modify file failed!! So strange!" wide ascii
$msg2 = "Create cmd process failed!" wide ascii
$msg3 = "The command has not been implemented!" wide ascii
$msg4 = "Runas success!" wide ascii
$onec1 = "onec.php" wide ascii
$onec2 = "/bin/onec" wide ascii
condition:
1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
}
rule APT1_payloads
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$pay1 = "rusinfo.exe" wide ascii
$pay2 = "cmd.exe" wide ascii
$pay3 = "AdobeUpdater.exe" wide ascii
$pay4 = "buildout.exe" wide ascii
$pay5 = "DefWatch.exe" wide ascii
$pay6 = "d.exe" wide ascii
$pay7 = "em.exe" wide ascii
$pay8 = "IMSCMig.exe" wide ascii
$pay9 = "localfile.exe" wide ascii
$pay10 = "md.exe" wide ascii
$pay11 = "mdm.exe" wide ascii
$pay12 = "mimikatz.exe" wide ascii
$pay13 = "msdev.exe" wide ascii
$pay14 = "ntoskrnl.exe" wide ascii
$pay15 = "p.exe" wide ascii
$pay16 = "otepad.exe" wide ascii
$pay17 = "reg.exe" wide ascii
$pay18 = "regsvr.exe" wide ascii
$pay19 = "runinfo.exe" wide ascii
$pay20 = "AdobeUpdate.exe" wide ascii
$pay21 = "inetinfo.exe" wide ascii
$pay22 = "svehost.exe" wide ascii
$pay23 = "update.exe" wide ascii
$pay24 = "NTLMHash.exe" wide ascii
$pay25 = "wpnpinst.exe" wide ascii
$pay26 = "WSDbg.exe" wide ascii
$pay27 = "xcmd.exe" wide ascii
$pay28 = "adobeup.exe" wide ascii
$pay29 = "0830.bin" wide ascii
$pay30 = "1001.bin" wide ascii
$pay31 = "a.bin" wide ascii
$pay32 = "ISUN32.EXE" wide ascii
$pay33 = "AcroRD32.EXE" wide ascii
$pay34 = "INETINFO.EXE" wide ascii
condition:
1 of them
}
rule APT1_RARSilent_EXE_PDF
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$winrar1 = "WINRAR.SFX" wide ascii
/*
$winrar2 = ";The comment below contains SFX script commands" wide ascii
$winrar3 = "Silent=1" wide ascii
*/
/*$str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
*/
$str2 = "Steup=\"" wide ascii
condition:
all of ($winrar*) and 1 of ($str*)
}
rule APT1_aspnetreport
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$url = "aspnet_client/report.asp" wide ascii
$param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
condition:
$url and $param and APT1_payloads
}
rule APT1_Revird_svc
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$dll1 = "nwwwks.dll" wide ascii
$dll2 = "rdisk.dll" wide ascii
$dll3 = "skeys.dll" wide ascii
$dll4 = "SvcHost.DLL.log" wide ascii
$svc1 = "InstallService" wide ascii
$svc2 = "RundllInstallA" wide ascii
$svc3 = "RundllUninstallA" wide ascii
$svc4 = "ServiceMain" wide ascii
$svc5 = "UninstallService" wide ascii
condition:
1 of ($dll*) and 2 of ($svc*)
}
rule APT1_dbg_mess
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$dbg1 = "Down file ok!" wide ascii
$dbg2 = "Send file ok!" wide ascii
$dbg3 = "Command Error!" wide ascii
$dbg4 = "Pls choose target first!" wide ascii
$dbg5 = "Alert!" wide ascii
$dbg6 = "Pls press enter to make sure!" wide ascii
$dbg7 = "Are you sure to " wide ascii
condition:
4 of them and APT1_payloads
}
rule APT1_known_malicious_RARSilent
{
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$str1 = "Analysis And Outlook.doc\"" wide ascii
$str2 = "North Korean launch.pdf\"" wide ascii
$str3 = "Dollar General.doc\"" wide ascii
$str4 = "Dow Corning Corp.pdf\"" wide ascii
condition:
1 of them and APT1_RARSilent_EXE_PDF
}
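Review bot: `GOGGLES_APT1` is a byte-for-byte copy of `GLOOXMAIL_APT1` (same five strings, same `all of ($s*) or $pdb` condition), so every GLOOXMAIL hit is reported twice under two family names; either drop one rule or, if the GOGGLES name has to stay, make its condition `GLOOXMAIL_APT1` so the overlap is explicit. In `MoonProject`, `$d` repeats `$b` (`"\\M tools\\"`) and adds nothing under `any of them`; remove it. No rule in this file references the `pe` module, so the `import "pe"` at the top is unused. Several conditions (`CCREWBACK1`'s lone `$k`, `ccrewQAZ`, `metaxcd`, `Elise`) fire on a single short string with no `filesize` or MZ check; if that is intended, a `// low-confidence: single-string IOC` comment on those rules would tell the next maintainer not to tighten them by accident.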
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT3102Code : APT3102 Family
{
meta:
description = "3102 code features"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
condition:
any of them
}
rule APT3102Strings : APT3102 Family
{
meta:
description = "3102 Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$ = "rundll32_exec.dll\x00Update"
// this is in the encrypted code - shares with 9002 variant
//$ = "POST http://%ls:%d/%x HTTP/1.1"
condition:
any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT9002Code : APT9002 Family
{
meta:
description = "9002 code features"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
// start code block
$ = { B9 7A 21 00 00 BE ?? ?? ?? ?? 8B F8 ?? ?? ?? F3 A5 }
// decryption from other variant with multiple start threads
$ = { 8A 14 3E 8A 1C 01 32 DA 88 1C 01 8B 54 3E 04 40 3B C2 72 EC }
condition:
any of them
}
rule APT9002Strings : APT9002 Family
{
meta:
description = "9002 Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$ = "POST http://%ls:%d/%x HTTP/1.1"
$ = "%%TEMP%%\\%s_p.ax" wide ascii
$ = "%TEMP%\\uid.ax" wide ascii
$ = "%%TEMP%%\\%s.ax" wide ascii
// also triggers on surtr $ = "mydll.dll\x00DoWork"
$ = "sysinfo\x00sysbin01"
$ = "\\FlashUpdate.exe"
condition:
any of them
}
rule APT9002 : Family
{
meta:
description = "9002"
author = "Seth Hardy"
last_modified = "2014-06-25"
condition:
APT9002Code or APT9002Strings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Careto_SGH {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto SGH component signature"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
strings:
$m1 = "PGPsdkDriver" ascii wide fullword
$m2 = "jpeg1x32" ascii wide fullword
$m3 = "SkypeIE6Plugin" ascii wide fullword
$m4 = "CDllUninstall" ascii wide fullword
condition:
2 of them
}
rule Careto_OSX_SBD {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto OSX component signature"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
strings:
/* XORed "/dev/null strdup() setuid(geteuid())" */
$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
condition:
all of them
}
rule Careto_CnC {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto CnC communication signature"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
strings:
$1 = "cgi-bin/commcgi.cgi" ascii wide
$2 = "Group" ascii wide
$3 = "Install" ascii wide
$4 = "Bn" ascii wide
condition:
all of them
}
rule Careto_CnC_domains {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto known command and control domains"
reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
strings:
$1 = "linkconf.net" ascii wide nocase
$2 = "redirserver.net" ascii wide nocase
$3 = "swupdt.com" ascii wide nocase
condition:
any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT_DeputyDog_Fexel
{
meta:
author = "ThreatConnect Intelligence Research Team"
strings:
$180 = "180.150.228.102" wide ascii
$0808cmd = {25 30 38 78 30 38 78 00 5C 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 [2-6] 43 00 61 00 6E 00 27 00 74 00 20 00 6F 00 70 00 65 00 6E 00 20 00 73 00 68 00 65 00 6C 00 6C 00 21}
$cUp = "Upload failed! [Remote error code:" nocase wide ascii
$DGGYDSYRL = {00 44 47 47 59 44 53 59 52 4C 00}
$GDGSYDLYR = "GDGSYDLYR_%" wide ascii
condition:
any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule apt_hellsing_implantstrings : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing implants"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$a1="the file uploaded failed !"
$a2="ping 127.0.0.1"
$b1="the file downloaded failed !"
$b2="common.asp"
$c="xweber_server.exe"
$d="action="
$debugpath1="d:\\Hellsing\\release\\msger\\" nocase
$debugpath2="d:\\hellsing\\sys\\xrat\\" nocase
$debugpath3="D:\\Hellsing\\release\\exe\\" nocase
$debugpath4="d:\\hellsing\\sys\\xkat\\" nocase
$debugpath5="e:\\Hellsing\\release\\clare" nocase
$debugpath6="e:\\Hellsing\\release\\irene\\" nocase
$debugpath7="d:\\hellsing\\sys\\irene\\" nocase
$e="msger_server.dll"
$f="ServiceMain"
condition:
($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
}
rule apt_hellsing_installer : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing xweber/msger installers"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
$a1="xweber_install_uac.exe"
$a2="system32\\cmd.exe" wide
$a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
$a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
$a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
$a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
$a10="%SystemRoot%\\system32\\cmd.exe" wide
$a11="msger_install.dll"
$a12={00 65 78 2E 64 6C 6C 00}
condition:
($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
}
rule apt_hellsing_proxytool : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing proxy testing tool"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$a1="PROXY_INFO: automatic proxy url => %s "
$a2="PROXY_INFO: connection type => %d "
$a3="PROXY_INFO: proxy server => %s "
$a4="PROXY_INFO: bypass list => %s "
$a5="InternetQueryOption failed with GetLastError() %d"
$a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
condition:
($mz at 0) and (2 of ($a*)) and filesize < 300000
}
rule apt_hellsing_xkat : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing xKat tool"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$a1="\\Dbgv.sys"
$a2="XKAT_BIN"
$a3="release sys file error."
$a4="driver_load error. "
$a5="driver_create error."
$a6="delete file:%s error."
$a7="delete file:%s ok."
$a8="kill pid:%d error."
$a9="kill pid:%d ok."
$a10="-pid-delete"
$a11="kill and delete pid:%d error."
$a12="kill and delete pid:%d ok."
condition:
($mz at 0) and (6 of ($a*)) and filesize < 300000
}
rule apt_hellsing_msgertype2 : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing msger type 2 implants"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$a1="%s\\system\\%d.txt"
$a2="_msger"
$a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
$a4="http://%s/data/%s.1000001000"
$a5="/lib/common.asp?action=user_upload&file="
$a6="%02X-%02X-%02X-%02X-%02X-%02X"
condition:
($mz at 0) and (4 of ($a*)) and filesize < 500000
}
rule apt_hellsing_irene : PE
{
meta:
Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07"
Description = "detection for Hellsing msger irene installer"
Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
strings:
$mz="MZ"
$a1="\\Drivers\\usbmgr.tmp" wide
$a2="\\Drivers\\usbmgr.sys" wide
$a3="common_loadDriver CreateFile error! "
$a4="common_loadDriver StartService error && GetLastError():%d! "
$a5="irene" wide
$a6="aPLib v0.43 - the smaller the better"
condition:
($mz at 0) and (4 of ($a*)) and filesize < 500000
}
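Review bot: The condition of `apt_hellsing_implantstrings` does not do what its shape suggests: YARA binds `and` tighter than `or`, so `$mz at 0` only guards the `($a*)` alternative and `filesize < 500000` only bounds the `($e and $f)` one, while `all of ($b*)` (`"the file downloaded failed !"` plus `"common.asp"`) matches a file of any type and size. Parenthesise the alternatives: `($mz at 0) and filesize < 500000 and ((all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f))`. In `apt_hellsing_installer` the `$a5`/`$a6` and `$a8`/`$a9` declarations share a line, and `$a8` contains a space inside what otherwise looks like a single base64 token (`...5OSI Njl2tyI`), which looks like a line-wrap artifact from the source document; please confirm against the original, since a stray byte in the literal means that string can never match. The meta keys `Author`/`Date`/`Description`/`Reference` are capitalised here but lower-case in every other rule of the set; consistent keys make the metadata easier to query across the collection.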
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT_Hikit_msrv
{
meta:
author = "ThreatConnect Intelligence Research Team"
strings:
$m = {6D 73 72 76 2E 64 6C 6C 00 44 6C 6C}
condition:
any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule rtf_Kaba_jDoe
{
meta:
author = "@patrickrolsen"
maltype = "APT.Kaba"
filetype = "RTF"
version = "0.1"
description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
date = "2013-12-10"
strings:
$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
$author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
$author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
$string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
condition:
($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
}
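Review bot: In `rtf_Kaba_jDoe` the `at 0` anchor applies only to `$magic3`: `($magic1 or $magic2 or $magic3 at 0)` parses as `$magic1 or $magic2 or ($magic3 at 0)`, so `{\rt01` and `{\rtf1` are accepted anywhere in the file rather than as the RTF header. If all three are meant as magic, write `($magic1 at 0 or $magic2 at 0 or $magic3 at 0) and all of ($author*) and $string1`. The `description` field holds four sample hashes and says nothing about what the rule detects; moving them to `hash` meta entries and describing the decoy-author pattern in `description` would make the rule self-explanatory.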
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Backdoor_APT_Mongal
{
    // Mongall lure document: all five RTF \info-group fragments (author, title,
    // company, creation time and password) must be present.
    meta:
        author = "@patrickrolsen"
        maltype = "Backdoor.APT.Mongall"
        version = "0.1"
        reference = "fd69a799e21ccb308531ce6056944842"
        date = "01/04/2014"
    strings:
        $info_author = "author user"
        $info_title = "title Vjkygdjdtyuj" nocase
        $info_company = "company ooo"
        $info_created = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10"
        $info_password = "password 00000000"
    condition:
        $info_author and $info_title and $info_company and $info_created and $info_password
}
rule MongalCode : Mongal Family
{
    // Mongal: a single opcode sequence that the author describes as a
    // GetTickCount value check (0x10624DD3 is the usual magic multiplier for an
    // unsigned divide by 1000, so this presumably converts ticks to seconds).
    meta:
        description = "Mongal code features"
        author = "Seth Hardy"
        last_modified = "2014-07-15"
    strings:
        $tick_check = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }
    condition:
        $tick_check
}
rule MongalStrings : Mongal Family
{
    // Mongal: any one of three file names is enough. A lone hit on "Sina.exe"
    // is weak evidence; treat single-string matches with care.
    meta:
        description = "Mongal Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-15"
    strings:
        $dll_a = "NSCortr.dll"
        $dll_b = "NSCortr1.dll"
        $exe = "Sina.exe"
    condition:
        $dll_a or $dll_b or $exe
}
rule Mongal : Family
{
    // Umbrella rule: true when either the code rule or the string rule fires.
    // Both referenced rules must be defined earlier in the same ruleset.
    meta:
        description = "Mongal"
        author = "Seth Hardy"
        last_modified = "2014-07-15"
    condition:
        MongalStrings or MongalCode
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT_NGO_wuaclt
{
    // Three independent artefact groups; any complete group fires the rule:
    //   g1: wuauclt.dat drop path + IE6 user-agent + /news/show.asp URI
    //   g2: wuauclt drop directory + the "0l23kj@nboxu" token
    //   g3: .asp?id= format string + "SP Q" user-agent + KGIOODAOOK cookie
    // NOTE(review): the doubled "%%" in several strings is kept verbatim from
    // the original rule; confirm against a sample whether the binary actually
    // carries "%%" (a twice-formatted template) or a single "%".
    meta:
        author = "AlienVault Labs"
    strings:
        $g1_dat = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat"
        $g1_ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
        $g1_uri = "/news/show.asp?id%d=%d"
        $g2_dir = "%%APPDATA%%\\Microsoft\\wuauclt\\"
        $g2_token = "0l23kj@nboxu"
        $g3_fmt = "%%s.asp?id=%%d&Sid=%%d"
        $g3_ua = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)"
        $g3_cookie = "Cookies: UseID=KGIOODAOOK%%s"
    condition:
        all of ($g1_*) or all of ($g2_*) or all of ($g3_*)
}
rule APT_NGO_wuaclt_PDF
{
    // Lure PDF: "%PDF" at offset 0 and a fixed "<!--\r\n ... \r\n" comment blob
    // (kept as the original hex bytes) that must begin within the first 200 bytes.
    meta:
        author = "AlienVault Labs"
    strings:
        $magic = "%PDF" nocase
        $blob = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A}
    condition:
        ($magic at 0) and ($blob in (0..200))
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule ZhoupinExploitCrew
{
    // Operation Cleaver: the group's self-chosen name in either spelling,
    // matched case-insensitively.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $name_a = "zhoupin exploit crew" nocase
        $name_b = "zhopin exploit crew" nocase
    condition:
        $name_a or $name_b
}
rule BackDoorLogger
{
    // Operation Cleaver BackDoorLogger: both the component name and the
    // "zhuAddress" identifier must appear.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $name = "BackDoorLogger"
        $ident = "zhuAddress"
    condition:
        $name and $ident
}
rule Jasus
{
    // Operation Cleaver "Jasus" ARP poisoner: the pcap_dump_open import plus
    // two of its status messages (note the misspelt "WARNNING").
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $api = "pcap_dump_open"
        $msg_poison = "Resolving IPs to poison..."
        $msg_gateway = "WARNNING: Gateway IP can not be found"
    condition:
        $api and $msg_poison and $msg_gateway
}
rule LoggerModule
{
    // Operation Cleaver LoggerModule: the timestamped ".r" log-file name format
    // and the per-user Cookies drop directory must both be present.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $logname_fmt = "%s-%02d%02d%02d%02d%02d.r"
        $drop_dir = "C:\\Users\\%s\\AppData\\Cookies\\"
    condition:
        $logname_fmt and $drop_dir
}
rule NetC
{
    // Operation Cleaver NetC: the wide executable name and the ASCII service
    // display name must both appear.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $exe_name = "NetC.exe" wide
        $svc_name = "Net Service"
    condition:
        $exe_name and $svc_name
}
rule ShellCreator2
{
    // Operation Cleaver ShellCreator2 (.NET): the Properties namespace and the
    // "set_IV" property setter name must both be present.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $ns = "ShellCreator2.Properties"
        $setter = "set_IV"
    condition:
        $ns and $setter
}
rule SmartCopy2
{
    // Operation Cleaver SmartCopy2 (.NET): the Properties namespace and the
    // "ZhuFrameWork" identifier must both be present.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $ns = "SmartCopy2.Properties"
        $framework = "ZhuFrameWork"
    condition:
        $ns and $framework
}
rule SynFlooder
{
    // Operation Cleaver SYN flooder: all three of its console messages.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $msg_resolve = "Unable to resolve [ %s ]. ErrorCode %d"
        $msg_target = "your target's IP is : %s"
        $msg_socket = "Raw TCP Socket Created successfully."
    condition:
        $msg_resolve and $msg_target and $msg_socket
}
rule TinyZBot
{
    // Operation Cleaver TinyZBot: four alternative evidence groups, any one of
    // which is sufficient:
    //   a: NetScp name (wide) + the .NET resources name
    //   b: "Aoao WaterMark" + Run_a_exe + netscp.exe
    //   c: three generated web-service/MD5-check member names
    //   d: the "Zhoupin_Cleaver" marker on its own
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $a1 = "NetScp" wide
        $a2 = "TinyZBot.Properties.Resources.resources"
        $b1 = "Aoao WaterMark"
        $b2 = "Run_a_exe"
        $b3 = "netscp.exe"
        $c1 = "get_MainModule_WebReference_DefaultWS"
        $c2 = "remove_CheckFileMD5Completed"
        $c3 = "http://tempuri.org/"
        $d = "Zhoupin_Cleaver"
    condition:
        all of ($a*) or all of ($b*) or all of ($c*) or $d
}
rule antivirusdetector
{
    // Operation Cleaver AV-enumeration tool: both method names and the class
    // name must all appear.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $fn_shady = "getShadyProcess"
        $fn_av = "getSystemAntiviruses"
        $cls = "AntiVirusDetector"
    condition:
        $fn_shady and $fn_av and $cls
}
rule csext
{
    // Operation Cleaver csext: the fake "COM+ System Extentions" service
    // description (misspelling intact), its executable name and the
    // COM_Extentions_bin identifier must all appear.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $svc_desc = "COM+ System Extentions"
        $exe_name = "csext.exe"
        $bin_ident = "COM_Extentions_bin"
    condition:
        $svc_desc and $exe_name and $bin_ident
}
rule kagent
{
    // Operation Cleaver kagent: both debug messages (kill-command relay and
    // base64 message length) must be present.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $msg_kill = "kill command is in last machine, going back"
        $msg_len = "message data length in B64: %d Bytes"
    condition:
        $msg_kill and $msg_len
}
rule mimikatzWrapper
{
    // Operation Cleaver mimikatz wrapper: the wrapper class name and its
    // "get_mimikatz" accessor must both appear.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $cls = "mimikatzWrapper"
        $getter = "get_mimikatz"
    condition:
        $cls and $getter
}
rule pvz_in
{
    // Operation Cleaver pvz_in: the LAST_TIME placeholder and the batch-style
    // ERRORLEVEL check must both be present. The doubled "%%" is kept verbatim
    // from the original rule.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $last_time = "LAST_TIME=00/00/0000:00:00PM$"
        $errlevel = "if %%ERRORLEVEL%% == 1 GOTO line"
    condition:
        $last_time and $errlevel
}
rule pvz_out
{
    // Operation Cleaver pvz_out: both wide strings (a benign-looking module
    // description and the "OSPPSVC" name) must appear.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $desc = "Network Connectivity Module" wide
        $svc = "OSPPSVC" wide
    condition:
        $desc and $svc
}
rule wndTest
{
    // Operation Cleaver wndTest: two wide keylog-style markers plus an ASCII
    // Content-Disposition format string, all required.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $key_alt = "[Alt]" wide
        $wnd_title = "<< %s >>:" wide
        $http_hdr = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
    condition:
        $key_alt and $wnd_title and $http_hdr
}
rule zhCat
{
    // Operation Cleaver zhCat (netcat-like tool): its usage example and the
    // wide "ABC ( A Big Company )" placeholder must both appear.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $usage = "zhCat -l -h -tp 1234"
        $company = "ABC ( A Big Company )" wide
    condition:
        $usage and $company
}
rule zhLookUp
{
    // Operation Cleaver zhLookUp (.NET): a single Properties namespace string.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $ns = "zhLookUp.Properties"
    condition:
        $ns
}
rule zhmimikatz
{
    // Operation Cleaver zhmimikatz: the runner class name and the tool name
    // must both appear.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $runner = "MimikatzRunner"
        $tool = "zhmimikatz"
    condition:
        $runner and $tool
}
rule Zh0uSh311
{
    // Operation Cleaver web shell: a single leet-spelled name string.
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $name = "Zh0uSh311"
    condition:
        $name
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Regin_APT_KernelDriver_Generic_A {
    // Regin kernel driver (generic A): a fixed MZ/e_lfanew prefix at offset 0,
    // the standard DOS-stub text, every one of the eight driver strings, and
    // at least one of the two "tag" strings.
    // NOTE(review): "system", "temp" and "windows" are ubiquitous on their own;
    // the rule's precision rests entirely on the full conjunction.
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "187044596bc1328efa0ed636d8aa4a5c"
        hash2 = "06665b96e293b23acc80451abb413e50"
        hash3 = "d240f06e98c8d3e647cbf4d442d79475"
    strings:
        $dos_hdr = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $dos_stub = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
        $str0 = "atapi.sys" fullword wide
        $str1 = "disk.sys" fullword wide
        $str3 = "h.data" fullword ascii
        $str4 = "\\system32" fullword ascii
        $str5 = "\\SystemRoot" fullword ascii
        $str6 = "system" fullword ascii
        $str7 = "temp" fullword ascii
        $str8 = "windows" fullword ascii
        $tag1 = "LRich6" fullword ascii
        $tag2 = "KeServiceDescriptorTable" fullword ascii
    condition:
        $dos_hdr at 0 and $dos_stub and all of ($str*) and 1 of ($tag*)
}
rule Regin_APT_KernelDriver_Generic_B {
// Regin kernel driver (generic B): fixed MZ prefix at offset 0, all four
// "core" strings ($s*), and at least one complete alternative group
// ($v*, $w*, $x*, $y* or $z*), in a file under 20 KB.
// NOTE(review): the $x*/$y*/$z* groups are ordinary CRT/kernel import names;
// on their own they describe many small drivers, so the $s* set and the
// size bound carry most of the specificity.
meta:
description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
author = "@Malwrsignatures - included in APT Scanner THOR"
date = "23.11.14"
hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
hash2 = "bfbe8c3ee78750c3a520480700e440f8"
hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
hash4 = "06665b96e293b23acc80451abb413e50"
hash5 = "2c8b9d2885543d7ade3cae98225e263b"
hash6 = "4b6b86c7fec1c574706cecedf44abded"
hash7 = "187044596bc1328efa0ed636d8aa4a5c"
hash8 = "d240f06e98c8d3e647cbf4d442d79475"
hash9 = "6662c390b2bbbd291ec7987388fc75d7"
hash10 = "1c024e599ac055312a4ab75b3950040a"
hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
hash12 = "b505d65721bb2453d5039a389113b566"
hash13 = "b269894f434657db2b15949641a67532"
strings:
// MZ header prefix (must sit at offset 0).
$m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
// Core set: DOS stub text, section name, INIT section, ntoskrnl import.
$s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
$s2 = "H.data" fullword ascii nocase
$s3 = "INIT" fullword ascii
$s4 = "ntoskrnl.exe" fullword ascii
// Alternative group v: system paths + SSDT reference.
$v1 = "\\system32" fullword ascii
$v2 = "\\SystemRoot" fullword ascii
$v3 = "KeServiceDescriptorTable" fullword ascii
// Alternative group w: system paths + "LRich6" tag.
$w1 = "\\system32" fullword ascii
$w2 = "\\SystemRoot" fullword ascii
$w3 = "LRich6" fullword ascii
// Alternative group x: CRT formatting + SEH handler.
$x1 = "_snprintf" fullword ascii
$x2 = "_except_handler3" fullword ascii
// Alternative group y: multibyte conversion + IRQL query.
$y1 = "mbstowcs" fullword ascii
$y2 = "wcstombs" fullword ascii
$y3 = "KeGetCurrentIrql" fullword ascii
// Alternative group z: wide-string helpers + file-query natives.
$z1 = "wcscpy" fullword ascii
$z2 = "ZwCreateFile" fullword ascii
$z3 = "ZwQueryInformationFile" fullword ascii
$z4 = "wcslen" fullword ascii
$z5 = "atoi" fullword ascii
condition:
$m0 at 0 and all of ($s*) and
( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) )
and filesize < 20KB
}
rule Regin_APT_KernelDriver_Generic_C {
    // Regin kernel driver (generic C): fixed MZ prefix at offset 0, all three
    // core strings (IRQL import, the Server 2003 RTM version string, "usbclass"),
    // and either the USB-class-driver disguise group or the "LSA Shell" group,
    // in a file under 20 KB.
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "e0895336617e0b45b312383814ec6783556d7635"
        hash2 = "732298fa025ed48179a3a2555b45be96f7079712"
    strings:
        $dos_hdr = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $core0 = "KeGetCurrentIrql" fullword ascii
        $core1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
        $core2 = "usbclass" fullword wide
        $usb1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
        $usb2 = "Universal Serial Bus Class Driver" fullword wide
        $usb3 = "5.2.3790.0" fullword wide
        $lsa1 = "LSA Shell" fullword wide
        $lsa2 = "0Richw" fullword ascii
    condition:
        $dos_hdr at 0 and all of ($core*) and
        ( all of ($usb*) or all of ($lsa*) )
        and filesize < 20KB
}
/* Update 27.11.14 */
rule Regin_sig_svcsstat {
    // Regin svcsstat.exe: all seven strings (service-control text, the
    // "Root Agency" test-certificate issuer, the UNC prefix and a wide "%ls%ls"
    // format) in a file between 10 KB and 15 KB.
    meta:
        description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
    strings:
        $str0 = "Service Control Manager" fullword ascii
        $str1 = "_vsnwprintf" fullword ascii
        $str2 = "Root Agency" fullword ascii
        $str3 = "Root Agency0" fullword ascii
        $str4 = "StartServiceCtrlDispatcherA" fullword ascii
        $str5 = "\\\\?\\UNC" fullword wide
        $str6 = "%ls%ls" fullword wide
    condition:
        all of ($str*) and filesize > 10KB and filesize < 15KB
}
rule Regin_Sample_1 {
// Auto-generated from one Regin-related .sys sample: every string below plus
// a size window of 80-110 KB.
// NOTE(review): all of these strings read as stock serial-port driver debug
// messages (SerialAddDevice, SerialGetPortInfo, port/registry errors) rather
// than anything Regin-specific, so the rule's specificity rests on the exact
// string set and the size window. Expect hits on unrelated serial drivers of
// similar size and confirm matches against the listed hash before alerting.
meta:
description = "Auto-generated rule - file-3665415_sys"
author = "@MalwrSignatures"
date = "26.11.14"
hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
strings:
$s0 = "Getting PortName/Identifier failed - %x" fullword ascii
$s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
$s2 = "External Naming Failed - Status %x" fullword ascii
$s3 = "------- Same multiport - different interrupts" fullword ascii
$s4 = "%x occurred prior to the wait - starting the" fullword ascii
$s5 = "'user registry info - userPortIndex: %d" fullword ascii
$s6 = "Could not report legacy device - %x" fullword ascii
$s7 = "entering SerialGetPortInfo" fullword ascii
$s8 = "'user registry info - userPort: %x" fullword ascii
$s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
$s10 = "Kernel debugger is using port at address %X" fullword ascii
$s12 = "Release - freeing multi context" fullword ascii
$s13 = "Serial driver will not load port" fullword ascii
$s14 = "'user registry info - userAddressSpace: %d" fullword ascii
$s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
$s20 = "'user registry info - userIndexed: %d" fullword ascii
condition:
all of them and filesize < 110KB and filesize > 80KB
}
rule Regin_Sample_2 {
// Auto-generated from a Regin hidden-module memory dump: every string below
// plus a size window of 30-40 KB.
// NOTE(review): apart from the lsass.exe path and the two Session Manager /
// Services registry paths, these are plain kernel import names common to many
// drivers; the conjunction and the size bound provide the specificity.
meta:
description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
author = "@MalwrSignatures"
date = "26.11.14"
hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
strings:
// Targets and paths referenced by the module.
$s0 = "\\SYSTEMROOT\\system32\\lsass.exe" fullword wide
$s1 = "atapi.sys" fullword wide
$s2 = "disk.sys" fullword wide
$s3 = "IoGetRelatedDeviceObject" fullword ascii
$s4 = "HAL.dll" fullword ascii
$s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" fullword ascii
$s6 = "PsGetCurrentProcessId" fullword ascii
$s7 = "KeGetCurrentIrql" fullword ascii
$s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
// Kernel imports (timers, events, DPC, fast mutex, process lookup).
$s9 = "KeSetImportanceDpc" fullword ascii
$s10 = "KeQueryPerformanceCounter" fullword ascii
$s14 = "KeInitializeEvent" fullword ascii
$s15 = "KeDelayExecutionThread" fullword ascii
$s16 = "KeInitializeTimerEx" fullword ascii
$s18 = "PsLookupProcessByProcessId" fullword ascii
$s19 = "ExReleaseFastMutexUnsafe" fullword ascii
$s20 = "ExAcquireFastMutexUnsafe" fullword ascii
condition:
all of them and filesize < 40KB and filesize > 30KB
}
rule Regin_Sample_3 {
// Regin backdoor sample: the 4-byte header FE BA DC FE at offset 0, every
// $s* string, and a size window of 160-200 KB.
// NOTE(review): "mntoskrnl.exe" (with the leading "m") is kept verbatim from
// the original rule; confirm against the sample that this is the intended
// string and not a transcription slip.
meta:
description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
author = "@Malwrsignatures"
date = "27.11.14"
hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
strings:
// Header bytes that must sit at offset 0.
$hd = { fe ba dc fe }
// Version / hotfix registry paths and OS-version strings.
$s0 = "Service Pack x" fullword wide
$s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
$s3 = "mntoskrnl.exe" fullword wide
$s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" fullword wide
$s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
$s6 = "Service Pack" fullword wide
$s7 = ".sys" fullword wide
$s8 = ".dll" fullword wide
$s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" fullword wide
// Kernel-side imports and module names.
$s11 = "IoGetRelatedDeviceObject" fullword ascii
$s12 = "VMEM.sys" fullword ascii
$s13 = "RtlGetVersion" fullword wide
$s14 = "ntkrnlpa.exe" fullword ascii
condition:
( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
}
rule Regin_Sample_Set_1 {
// Auto-generated from two Regin driver samples (SHF-000052, ndisips.sys):
// every string below plus a size window of 30-40 KB.
// NOTE(review): most of these are generic kernel import names; the two wide
// "MaximumPortsServiced" / "ConnectMultiplePorts" registry values and the
// Session Manager path are the least generic parts of the set.
meta:
description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
author = "@MalwrSignatures"
date = "26.11.14"
hash1 = "8487a961c8244004c9276979bb4b0c14392fc3b8"
hash2 = "bcf3461d67b39a427c83f9e39b9833cfec977c61"
strings:
$s0 = "HAL.dll" fullword ascii
$s1 = "IoGetDeviceObjectPointer" fullword ascii
$s2 = "MaximumPortsServiced" fullword wide
$s3 = "KeGetCurrentIrql" fullword ascii
$s4 = "ntkrnlpa.exe" fullword ascii
$s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
$s6 = "ConnectMultiplePorts" fullword wide
$s7 = "\\SYSTEMROOT" fullword wide
$s8 = "IoWriteErrorLogEntry" fullword ascii
$s9 = "KeQueryPerformanceCounter" fullword ascii
$s10 = "KeServiceDescriptorTable" fullword ascii
$s11 = "KeRemoveEntryDeviceQueue" fullword ascii
$s12 = "SeSinglePrivilegeCheck" fullword ascii
$s13 = "KeInitializeEvent" fullword ascii
$s14 = "IoBuildDeviceIoControlRequest" fullword ascii
$s15 = "KeRemoveDeviceQueue" fullword ascii
$s16 = "IofCompleteRequest" fullword ascii
$s17 = "KeInitializeSpinLock" fullword ascii
$s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
$s19 = "IoCreateDevice" fullword ascii
$s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
condition:
all of them and filesize < 40KB and filesize > 30KB
}
rule Regin_Sample_Set_2 {
// Two Regin backdoor samples: the 4-byte header FE BA DC FE at offset 0,
// every $s* string, and a size window of 360-450 KB.
meta:
description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
author = "@MalwrSignatures"
date = "27.11.14"
hash1 = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
hash2 = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
strings:
// Header bytes that must sit at offset 0.
$hd = { fe ba dc fe }
// Wide strings: UNC prefixes, network-adapter class GUID, Tcpip linkage key,
// device-namespace formats and the memory-dump message.
$s0 = "d%ls%ls" fullword wide
$s1 = "\\\\?\\UNC" fullword wide
$s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
$s3 = "\\\\?\\UNC\\" fullword wide
$s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
$s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
$s6 = "\\\\.\\Global\\%s" fullword wide
$s7 = "temp" fullword wide
$s8 = "\\\\.\\%s" fullword wide
$s9 = "Memory location: 0x%p, size 0x%08x" fullword wide
// ASCII strings: parsing formats, the disp.dll dispatcher name, imagehlp.
$s10 = "sscanf" fullword ascii
$s11 = "disp.dll" fullword ascii
$s12 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
$s13 = "%d.%d.%d.%d%c" fullword ascii
$s14 = "imagehlp.dll" fullword ascii
$s15 = "%hd %d" fullword ascii
condition:
( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
}
rule apt_regin_legspin {
    // Regin "Legspin" backdoor module: MZ at offset 0 and every one of the
    // eight command/output strings.
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin's Legspin module"
        version = "1.0"
        last_modified = "2015-01-22"
        reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
        md5 = "29105f46e4d33f66fee346cfd099d1cc"
    strings:
        $hdr = "MZ"
        $cmd1 = "sharepw"
        $cmd2 = "reglist"
        $cmd3 = "logdump"
        $cmd4 = "Name:" wide
        $cmd5 = "Phys Avail:"
        $cmd6 = "cmd.exe" wide
        $cmd7 = "ping.exe" wide
        $cmd8 = "millisecs"
    condition:
        $hdr at 0 and all of ($cmd*)
}
rule apt_regin_hopscotch {
    // Regin "Hopscotch" lateral-movement module: MZ at offset 0 and every one
    // of the eight authentication / service-copy / named-pipe strings.
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin's Hopscotch module"
        version = "1.0"
        last_modified = "2015-01-22"
        reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
        md5 = "6c34031d7a5fc2b091b623981a8ae61c"
    strings:
        $hdr = "MZ"
        $lm1 = "AuthenticateNetUseIpc"
        $lm2 = "Failed to authenticate to"
        $lm3 = "Failed to disconnect from"
        $lm4 = "%S\\ipc$" wide
        $lm5 = "Not deleting..."
        $lm6 = "CopyServiceToRemoteMachine"
        $lm7 = "DH Exchange failed"
        $lm8 = "ConnectToNamedPipes"
    condition:
        $hdr at 0 and all of ($lm*)
}
rule apt_regin_2011_32bit_stage1 {
    // Regin 32-bit stage-1 loader: MZ at offset 0, any one of three 8-byte
    // key constants, and a size under 300,000 bytes.
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin 32 bit stage 1 loaders"
        version = "1.0"
        last_modified = "2014-11-18"
    strings:
        $hdr = "MZ"
        $k1 = {331015EA261D38A7}
        $k2 = {9145A98BA37617DE}
        $k3 = {EF745F23AA67243D}
    condition:
        $hdr at 0 and 1 of ($k*) and filesize < 300000
}
rule apt_regin_rc5key {
    // Regin RC5 decryption keys: either 16-byte key anywhere in the scanned
    // data. No header check, so this is usable on memory dumps as well as files.
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin RC5 decryption keys"
        version = "1.0"
        last_modified = "2014-11-18"
    strings:
        $rc5_a = {73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}
        $rc5_b = {10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}
    condition:
        $rc5_a or $rc5_b
}
rule apt_regin_vfs {
    // Regin virtual file systems: one of four 11-byte VFS header variants must
    // sit at offset 0. Written with a "for any of" loop instead of four
    // separate "at 0" tests.
    meta:
        copyright = "Kaspersky Lab"
        author = "Kaspersky Lab"
        description = "Rule to detect Regin VFSes"
        version = "1.0"
        last_modified = "2014-11-18"
    strings:
        $vfs1 = {00 02 00 08 00 08 03 F6 D7 F3 52}
        $vfs2 = {00 10 F0 FF F0 FF 11 C7 7F E8 52}
        $vfs3 = {00 04 00 10 00 10 03 C2 D3 1C 93}
        $vfs4 = {00 04 00 10 C8 00 04 C8 93 06 D8}
    condition:
        for any of ($vfs*) : ( $ at 0 )
}
rule apt_regin_dispatcher_disp_dll {
    // Regin disp.dll dispatcher: MZ at offset 0 and every one of five strings
    // (a profanity marker, the module name, a broadcast address, and the
    // StackWalk64 / imagehlp.dll pair).
    meta:
        copyright = "Kaspersky Lab"
        author = "Kaspersky Lab"
        description = "Rule to detect Regin disp.dll dispatcher"
        version = "1.0"
        last_modified = "2014-11-18"
    strings:
        $hdr = "MZ"
        $d1 = "shit"
        $d2 = "disp.dll"
        $d3 = "255.255.255.255"
        $d4 = "StackWalk64"
        $d5 = "imagehlp.dll"
    condition:
        $hdr at 0 and $d1 and $d2 and $d3 and $d4 and $d5
}
rule apt_regin_2013_64bit_stage1 {
    // Regin 64-bit stage-1 loader: MZ at offset 0, all three strings
    // (PRIVHEAD / raw PhysicalDrive access / ZwDeviceIoControlFile) and a size
    // under 100,000 bytes.
    // NOTE(review): meta carries two "filename" and two "md5" entries. YARA
    // accepts duplicate meta keys, but tools that flatten meta into a map
    // (e.g. yara-python's rule.meta) keep only one of each -- consider
    // filename1/md5_1 naming if that metadata matters downstream.
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin 64 bit stage 1 loaders"
        version = "1.0"
        last_modified = "2014-11-18"
        filename="wshnetc.dll"
        md5="bddf5afbea2d0eed77f2ad4e9a4f044d"
        filename="wsharp.dll"
        md5="c053a0a3f1edcbbfc9b51bc640e808ce"
    strings:
        $hdr = "MZ"
        $ld1 = "PRIVHEAD"
        $ld2 = "\\\\.\\PhysicalDrive%d"
        $ld3 = "ZwDeviceIoControlFile"
    condition:
        $hdr at 0 and all of ($ld*) and filesize < 100000
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule apt_c16_win_memory_pcclient
{
    // PcClient variant the author reports only seeing in memory, hence no MZ
    // check: all three text strings plus what looks like a single-byte
    // xor/add-with-dl decode loop (8A 08 32 CA 02 CA 88 08 ...) are required.
    meta:
        author = "@dragonthreatlab "
        md5 = "ec532bbe9d0882d403473102e9724557"
        description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
    strings:
        $txt_kill = "Kill You" ascii
        $txt_ts = "%4d-%02d-%02d %02d:%02d:%02d" ascii
        $txt_kb = "%4.2f KB" ascii
        $decode_loop = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}
    condition:
        $txt_kill and $txt_ts and $txt_kb and $decode_loop
}
rule apt_c16_win_disk_pcclient
{
// On-disk, encoded PcClient: the whole encoded header blob below must sit at
// offset 0. The blob is a transformed PE header (the first bytes 51 5C
// correspond to "MZ" shifted by 6, and the same +6 skew runs through the DOS
// stub), so any edit to the hex is silent breakage -- keep it verbatim.
meta:
author = "@dragonthreatlab "
md5 = "55f84d88d84c221437cd23cdbc541d2e"
description = "Encoded version of pcclient found on disk"
strings:
$header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06}
condition:
$header at 0
}
rule apt_c16_win32_dropper
{
    // PcClient dropper: MZ at offset 0 plus all five indicators (a hijacked
    // DLL name, a profapi export, the /ShowWU argument, the CurrentVersion
    // registry prefix, and a sub/xor-with-dl byte decode loop).
    meta:
        author = "@dragonthreatlab"
        md5 = "ad17eff26994df824be36db246c8fb6a"
        description = "APT malware used to drop PcClient RAT"
    strings:
        $hdr = {4D 5A}
        $ioc_dll = "clbcaiq.dll" ascii
        $ioc_export = "profapi_104" ascii
        $ioc_arg = "/ShowWU" ascii
        $ioc_reg = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii
        $ioc_loop = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E}
    condition:
        $hdr at 0 and all of ($ioc_*)
}
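rule apt_c16_win_swisyn
{
    // Swisyn-related sample (md5 in meta): MZ at offset 0 plus all four
    // indicators (the /ShowWU argument, an IsWow64Process import, a
    // "regsvr32 " command prefix and a byte-decode loop).
    //
    // Fix: the original description was copied from apt_c16_win_memory_pcclient
    // and claimed the rule had no MZ header check, which contradicted its own
    // condition ($mz at 0). The description now states what the rule does.
    meta:
        author = "@dragonthreatlab"
        md5 = "a6a18c846e5179259eba9de238f67e41"
        description = "Swisyn-related sample; unlike apt_c16_win_memory_pcclient this rule does require the MZ header at offset 0"
    strings:
        $mz = {4D 5A}
        $str1 = "/ShowWU" ascii
        $str2 = "IsWow64Process"
        $str3 = "regsvr32 "
        $str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}
    condition:
        $mz at 0 and all of ($str*)
}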
rule apt_c16_win_wateringhole
{
    // Watering-hole page code: any one of three script fragments fires the rule.
    // NOTE(review): $ps_iex is the generic PowerShell "Base64 -> Deflate ->
    // Invoke-Expression" idiom and is not specific to this campaign; on its own
    // it will hit many unrelated obfuscated scripts. The two function names are
    // the campaign-specific part.
    meta:
        author = "@dragonthreatlab "
        description = "Detects code from APT wateringhole"
    strings:
        $js_fn1 = "function runmumaa()"
        $ps_iex = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
        $js_fn2 = "function MoSaklgEs7(k)"
    condition:
        $js_fn1 or $ps_iex or $js_fn2
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule backdoor_apt_pcclient
{
    // PcClient dropper DLL (dw20.dll / msacm32.drv): MZ at offset 0 and at
    // least four of the six indicators (C2 host, user-agent, driver name,
    // Explorer path, elevation moniker, build PDB path).
    meta:
        author = "@patrickrolsen"
        maltype = "APT.PCCLient"
        filetype = "DLL"
        version = "0.1"
        description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
        date = "2012-10"
    strings:
        $hdr = { 4d 5a } // MZ
        $ioc1 = "www.micro1.zyns.com"
        $ioc2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
        $ioc3 = "msacm32.drv" wide
        $ioc4 = "C:\\Windows\\Explorer.exe" wide
        $ioc5 = "Elevation:Administrator!" wide
        $ioc6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
    condition:
        $hdr at 0 and 4 of ($ioc*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Android_Malware : iBanking
{
    // iBanking APK: ZIP magic "PK" at offset 0, both APK entries
    // (AndroidManifest.xml and the ok_btn.jpg drawable), and at least one of
    // the two bot identifier strings. "2 of ($file*)" in the original equals
    // requiring both, which is written out explicitly here.
    meta:
        author = "Xylitol xylitol@malwareint.com"
        date = "2014-02-14"
        description = "Match first two bytes, files and string present in iBanking"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"
    strings:
        // Generic android
        $zip_magic = {50 4B}
        $apk_manifest = "AndroidManifest.xml"
        // iBanking related
        $apk_okbtn = "res/drawable-xxhdpi/ok_btn.jpg"
        $id_bot = "bot_id"
        $id_pwd = "type_password2"
    condition:
        $zip_magic at 0 and $apk_manifest and $apk_okbtn and ($id_bot or $id_pwd)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
/* Anthem Deep Panda APT */
rule Anthem_DeepPanda_sl_txt_packed {
    // Deep Panda tooling: every one of the eight strings. The strings identify
    // Foundstone's ScanLine (sl.exe), a legitimate command-line port scanner,
    // so a hit means the tool is present, not that it is malicious by itself.
    meta:
        description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
        author = "Florian Roth"
        date = "2015/02/08"
        hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
    strings:
        $sl0 = "Command line port scanner" fullword wide
        $sl1 = "sl.exe" fullword wide
        $sl2 = "CPports.txt" fullword ascii
        $sl3 = ",GET / HTTP/.}" fullword ascii
        $sl4 = "Foundstone Inc." fullword wide
        $sl9 = " 2002 Foundstone Inc." fullword wide
        $sl15 = ", Inc. 2002" fullword ascii
        $sl20 = "ICMP Time" fullword ascii
    condition:
        all of ($sl*)
}
rule Anthem_DeepPanda_lot1 {
    // Deep Panda lot1.tmp (pwdump-style credential dumper): at least ten of the
    // fourteen remote-service / SAM / named-pipe messages.
    meta:
        description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
        author = "Florian Roth"
        date = "2015/02/08"
        hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
    strings:
        $pw0 = "Unable to open target process: %d, pid %d" fullword ascii
        $pw1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
        $pw2 = "Target: Failed to load SAM functions." fullword ascii
        $pw5 = "Error writing the test file %s, skipping this share" fullword ascii
        $pw6 = "Failed to create service (%s/%s), error %d" fullword ascii
        $pw8 = "Service start failed: %d (%s/%s)" fullword ascii
        $pw12 = "PwDump.exe" fullword ascii
        $pw13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
        $pw14 = ":\\\\.\\pipe\\%s" fullword ascii
        $pw15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
        $pw16 = "dump logon session" fullword ascii
        $pw17 = "Timed out waiting to get our pipe back" fullword ascii
        $pw19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
        $pw20 = "%s\\%s.exe" fullword ascii
    condition:
        10 of ($pw*)
}
rule Anthem_DeepPanda_htran_exe {
// Deep Panda htran (port-forwarding relay): at least ten of the eighteen
// usage / status strings, including the build PDB path.
meta:
description = "Anthem Hack Deep Panda - htran-exe"
author = "Florian Roth"
date = "2015/02/08"
hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
strings:
$s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
$s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" fullword ascii
$s3 = "[SERVER]connection to %s:%d error" fullword ascii
$s4 = "-tran <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s5 = "[-] ERROR: Must supply logfile name." fullword ascii
$s6 = "[-] There is a error...Create a new connection." fullword ascii
$s7 = "[+] Accept a Client on port %d from %s" fullword ascii
$s8 = "======================== htran V%s =======================" fullword ascii
$s9 = "[-] Socket Listen error." fullword ascii
$s10 = "[-] ERROR: open logfile" fullword ascii
$s11 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s12 = "[+] Make a Connection to %s:%d ......" fullword ascii
$s14 = "Recv %5d bytes from %s:%d" fullword ascii
$s15 = "[+] OK! I Closed The Two Socket." fullword ascii
$s16 = "[+] Waiting another Client on port:%d...." fullword ascii
$s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii
$s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
condition:
10 of them
}
rule Anthem_DeepPanda_Trojan_Kakfum {
    // Deep Panda Trojan.Kakfum (sqlsrv32.dll): every one of the six strings --
    // the svchost "-k sqlserver" service-group command line, the 32/64-bit DLL
    // names, a temp-file format, "ServiceMaix" and the group name.
    meta:
        description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
        author = "Florian Roth"
        date = "2015/02/08"
        hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
        hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
    strings:
        $kf_svchost = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
        $kf_dll32 = "%s\\sqlsrv32.dll" fullword ascii
        $kf_dll64 = "%s\\sqlsrv64.dll" fullword ascii
        $kf_tmp = "%s\\%d.tmp" fullword ascii
        $kf_maix = "ServiceMaix" fullword ascii
        $kf_group = "sqlserver" fullword ascii
    condition:
        all of ($kf_*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule SNOWGLOBE_Babar_Malware {
    // Babar (SNOWGLOBE): MZ at offset 0, under 1 MB, and either
    //   - one high-confidence artefact ($hi*) together with one generic one ($lo*), or
    //   - three of the command/format strings ($mid*) together with four generic ones.
    meta:
        description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
        author = "Florian Roth"
        reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
        date = "2015/02/18"
        hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
        score = 80
    strings:
        $hdr = { 4d 5a }
        $hi0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
        $hi1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
        $hi2 = "ExecQueryFailled!" fullword ascii
        $hi3 = "NBOT_COMMAND_LINE" fullword
        $hi4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
        $mid1 = "/s /n %s \"%s\"" fullword ascii
        $mid2 = "%%WINDIR%%\\%s\\%s" fullword ascii
        $mid3 = "/c start /wait " fullword ascii
        $mid4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii
        $lo1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
        $lo2 = "%COMMON_APPDATA%" fullword ascii
        $lo4 = "CONOUT$" fullword ascii
        $lo5 = "cmd.exe" fullword ascii
        $lo6 = "DLLPATH" fullword ascii
    condition:
        $hdr at 0 and filesize < 1MB and
        (
            ( 1 of ($hi*) and 1 of ($lo*) ) or
            ( 3 of ($mid*) and 4 of ($lo*) )
        )
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule BangatCode : Bangat Family
{
    // Bangat: one wildcarded opcode sequence, described by the author as
    // "dec [ebp+procname]; push eax; push edx; call GetProcAddress".
    meta:
        description = "Bangat code features"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    strings:
        $getproc_seq = { FE 4D ?? 8D 4? ?? 50 5? FF }
    condition:
        $getproc_seq
}
rule BangatStrings : Bangat Family
{
    // Bangat: either all five obfuscated API names (each appears to be the real
    // Win32 name with its first letter incremented: DreatePipe = CreatePipe,
    // HetSystemDirectoryA = GetSystemDirectoryA, ...), or the temp-file name,
    // or the "~_MC_3~" marker.
    meta:
        description = "Bangat Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    strings:
        $api1 = "DreatePipe"
        $api2 = "HetSystemDirectoryA"
        $api3 = "SeleaseMutex"
        $api4 = "DloseWindowStation"
        $api5 = "DontrolService"
        $tmpfile = "~hhC2F~.tmp"
        $marker = "~_MC_3~"
    condition:
        $tmpfile or $marker or all of ($api*)
}
rule Bangat : Family
{
    // Umbrella rule: true when either the code rule or the string rule fires.
    // Both referenced rules must be defined earlier in the same ruleset.
    meta:
        description = "Bangat"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    condition:
        BangatStrings or BangatCode
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule BlackEnergy_BE_2 {
    // BlackEnergy 2: MZ at offset 0, under 250 KB, and all five strings (the
    // fake "Windows system utility service" manifest text, the wide product
    // name, msiexec.exe, WinHelpW and ReadProcessMemory).
    meta:
        description = "Detects BlackEnergy 2 Malware"
        author = "Florian Roth"
        reference = "http://goo.gl/DThzLz"
        date = "2015/02/19"
        hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
    strings:
        $hdr = { 4d 5a }
        $be0 = "<description> Windows system utility service </description>" fullword ascii
        $be1 = "WindowsSysUtility - Unicode" fullword wide
        $be2 = "msiexec.exe" fullword wide
        $be3 = "WinHelpW" fullword ascii
        $be4 = "ReadProcessMemory" fullword ascii
    condition:
        $hdr at 0 and filesize < 250KB and all of ($be*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule BlackShades_3 : Trojan {
    // Matches on at least ten VB-style module ("mod*") names or at least ten
    // timer ("tmr*") names. The parenthesised first character keeps each
    // regex from matching the literal text of this rule file.
    meta:
        description = "BlackShades RAT"
        author = "botherder https://github.com/botherder"
    strings:
        $mod1  = /(m)odAPI/
        $mod2  = /(m)odAudio/
        $mod3  = /(m)odBtKiller/
        $mod4  = /(m)odCrypt/
        $mod5  = /(m)odFuctions/
        $mod6  = /(m)odHijack/
        $mod7  = /(m)odICallBack/
        $mod8  = /(m)odIInet/
        $mod9  = /(m)odInfect/
        $mod10 = /(m)odInjPE/
        $mod11 = /(m)odLaunchWeb/
        $mod12 = /(m)odOS/
        $mod13 = /(m)odPWs/
        $mod14 = /(m)odRegistry/
        $mod15 = /(m)odScreencap/
        $mod16 = /(m)odSniff/
        $mod17 = /(m)odSocketMaster/
        $mod18 = /(m)odSpread/
        $mod19 = /(m)odSqueezer/
        $mod20 = /(m)odSS/
        $mod21 = /(m)odTorrentSeed/
        $tmr1  = /(t)mrAlarms/
        $tmr2  = /(t)mrAlive/
        $tmr3  = /(t)mrAnslut/
        $tmr4  = /(t)mrAudio/
        $tmr5  = /(t)mrBlink/
        $tmr6  = /(t)mrCheck/
        $tmr7  = /(t)mrCountdown/
        $tmr8  = /(t)mrCrazy/
        $tmr9  = /(t)mrDOS/
        $tmr10 = /(t)mrDoWork/
        $tmr11 = /(t)mrFocus/
        $tmr12 = /(t)mrGrabber/
        $tmr13 = /(t)mrInaktivitet/
        $tmr14 = /(t)mrInfoTO/
        $tmr15 = /(t)mrIntervalUpdate/
        $tmr16 = /(t)mrLiveLogger/
        $tmr17 = /(t)mrPersistant/
        $tmr18 = /(t)mrScreenshot/
        $tmr19 = /(t)mrSpara/
        $tmr20 = /(t)mrSprid/
        $tmr21 = /(t)mrTCP/
        $tmr22 = /(t)mrUDP/
        $tmr23 = /(t)mrWebHide/
    condition:
        10 of ($tmr*) or 10 of ($mod*)
}
rule BlackShades2 : Trojan {
    // All three markers must be present. The hex bytes are plain ASCII and
    // are written here as text strings (identical byte sequences).
    // NOTE(review): rule BlackShades further down in this file declares the
    // same three byte sequences with the same condition; the two rules are
    // redundant with each other.
    meta:
        author="Kevin Falcoz"
        date="26/06/2013"
        description="BlackShades Server"
    strings:
        $signature1 = "bss_server"              // 62 73 73 5F 73 65 72 76 65 72
        $signature2 = "CLICK_DELAY\x00SCK_ID"   // 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44
        $signature3 = "modInjPE"                // 6D 6F 64 49 6E 6A 50 45
    condition:
        all of them
}
rule BlackShades_4 : rat
{
meta:
description = "BlackShades"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-01-12"
filetype = "memory"
version = "1.0"
strings:
// UTF-16LE "Blackshades" without the trailing null byte of the last character
$a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
// Opaque wide byte sequence; presumably an encoded string from the sample - keep verbatim
$b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
// "bss_server", "CLICK_DELAY\x00SCK_ID", "modInjPE" - same bytes as rule BlackShades2
$c = { 62 73 73 5F 73 65 72 76 65 72 }
$d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
$e = { 6D 6F 64 49 6E 6A 50 45 }
$apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"
condition:
// Any single marker is enough; $c/$d/$e on their own are weaker than in
// BlackShades2, where all three are required together.
any of ($a, $b, $c, $d, $e) or $apikey
}
rule BlackShades : Trojan
{
    // Conjunction of three byte markers ("bss_server", "CLICK_DELAY\0SCK_ID",
    // "modInjPE"). Identical in strings and condition to rule BlackShades2
    // earlier in this file.
    meta:
        author="Kevin Falcoz"
        date="26/06/2013"
        description="BlackShades Server"
    strings:
        $signature1 = { 62 73 73 5F 73 65 72 76 65 72 }
        $signature2 = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
        $signature3 = { 6D 6F 64 49 6E 6A 50 45 }
    condition:
        all of ($signature*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
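rule Bolonyokte : rat
{
    // Five independent string groups; any one group reaching its threshold
    // is enough. Several $ebanking and $artifact values ("login", "Power",
    // "index.html") are very generic, so the 3-of / 2-of thresholds are what
    // keep false positives down - lower them with care.
    meta:
        description = "UnknownDotNet RAT - Bolonyokte"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-02-01"
        filetype = "memory"
        version = "1.0"
    strings:
        $campaign1 = "Bolonyokte" ascii wide
        $campaign2 = "donadoni" ascii wide
        $decoy1 = "nyse.com" ascii wide
        $decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
        $decoy3 = "bf13-5d45cb40" ascii wide
        $artifact1 = "Backup.zip" ascii wide
        $artifact2 = "updates.txt" ascii wide
        $artifact3 = "vdirs.dat" ascii wide
        $artifact4 = "default.dat"
        $artifact5 = "index.html"
        $artifact6 = "mime.dat"
        $func1 = "FtpUrl"
        $func2 = "ScreenCapture"
        $func3 = "CaptureMouse"
        $func4 = "UploadFile"
        $ebanking1 = "Internet Banking" wide
        // Fix: $ebanking2/3/7 were written as plain text strings, so the
        // "(a)|(b)" alternation was searched for literally (parentheses and
        // pipe included) and could never match either spelling. As regular
        // expressions they match what the alternation was meant to express.
        $ebanking2 = /(Online Banking)|(Online banking)/
        $ebanking3 = /e-banking/ nocase
        $ebanking4 = "login"
        $ebanking5 = "en ligne" wide
        $ebanking6 = "bancaires" wide
        $ebanking7 = /(eBanking)|(Ebanking)/ wide
        $ebanking8 = "Anmeldung" wide
        $ebanking9 = "internet banking" nocase wide
        $ebanking10 = "Banking Online" nocase wide
        $ebanking11 = "Web Banking" wide
        $ebanking12 = "Power"
    condition:
        any of ($campaign*) or 2 of ($decoy*) or 2 of ($artifact*) or all of ($func*) or 3 of ($ebanking*)
}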
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule BoousetCode : Boouset Family {
    // One wildcarded code pattern: four consecutive C6 (x86 mov byte ptr)
    // instructions whose immediates 62 6F 6F 75 spell "boou".
    meta:
        description = "Boouset code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        $boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
    condition:
        $boousetdat
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Bublik : Downloader {
    // Both markers required. The hex bytes are ASCII and are written as text
    // strings here (identical byte sequences, original bytes in the comments).
    meta:
        author="Kevin Falcoz"
        date="29/09/2013"
        description="Bublik Trojan Downloader"
    strings:
        $signature1 = "consolas"           // 63 6F 6E 73 6F 6C 61 73
        $signature2 = "clUn\x00info.ini"   // 63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69
    condition:
        all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Casper_Backdoor_x86
{
    // Two alternative paths: the complete $s group (process-name strings),
    // or a combination of profile-path ($x), cookie/format ($y) and
    // network ($z) strings. No MZ/filesize gate is applied.
    meta:
        description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
        author = "Florian Roth"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/05"
        hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
        score = 80
    strings:
        $s1 = "\"svchost.exe\"" wide fullword
        $s2 = "firefox.exe" ascii fullword
        $s3 = "\"Host Process for Windows Services\"" wide fullword
        $x1 = "\\Users\\*" ascii fullword
        $x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" ascii fullword
        $x3 = "\\Mozilla\\Firefox\\Profiles\\*" ascii fullword
        $x4 = "\\Documents and Settings\\*" ascii fullword
        $y1 = "%s; %S=%S" wide fullword
        $y2 = "%s; %s=%s" ascii fullword
        $y3 = "Cookie: %s=%s" ascii fullword
        $y4 = "http://%S:%d" wide fullword
        $z1 = "http://google.com/" ascii fullword
        $z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" ascii fullword
        $z3 = "Operating System\"" wide fullword
    condition:
        ( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) ) or all of ($s*)
}
rule Casper_EXE_Dropper
{
    // Eight strings declared, seven of them required (one may be absent).
    meta:
        description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
        author = "Florian Roth"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/05"
        hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
        score = 80
    strings:
        $s0 = "<Command>" ascii fullword
        $s1 = "</Command>" ascii fullword
        $s2 = "\" /d \"" ascii fullword
        $s4 = "'%s' %s" ascii fullword
        $s5 = "nKERNEL32.DLL" wide fullword
        $s6 = "@ReturnValue" wide fullword
        $s7 = "ID: 0x%x" ascii fullword
        $s8 = "Name: %S" ascii fullword
    condition:
        7 of ($s*)
}
rule Casper_Included_Strings
{
    // Either both command-line fragments ($a*), or an MZ header plus any one
    // of the campaign-specific artefacts ($c*). The parentheses make the
    // and/or grouping explicit ("and" already binds tighter than "or").
    meta:
        description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
        author = "Florian Roth"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/06"
        score = 50
    strings:
        $a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
        $a1 = "& SYSTEMINFO) ELSE EXIT"
        $c1 = "domcommon.exe" wide fullword // File Name
        $c2 = "jpic.gov.sy" fullword // C2 Server
        $c3 = "aiomgr.exe" wide fullword // File Name
        $c4 = "perfaudio.dat" fullword // Temp File Name
        $c5 = "Casper_DLL.dll" fullword // Name
        $c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
        $c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        all of ($a*) or
        ( uint16(0) == 0x5A4D and 1 of ($c*) )
}
rule Casper_SystemInformation_Output
{
    // Targets the report file the malware writes, not the binary: all seven
    // section headers / field labels must be present.
    meta:
        description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
        author = "Florian Roth"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/06"
        score = 70
    strings:
        $a0 = "***** SYSTEM INFORMATION ******"
        $a1 = "***** SECURITY INFORMATION ******"
        $a2 = "Antivirus: "
        $a3 = "Firewall: "
        $a4 = "***** EXECUTION CONTEXT ******"
        $a5 = "Identity: "
        $a6 = "<CONFIG TIMESTAMP="
    condition:
        all of ($a*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Cerberus : rat {
    // Any single string fires the rule. NOTE(review): $generic is the bare
    // word "cerberus" case-insensitively, so any file mentioning that word
    // matches; expect false positives outside memory scans.
    meta:
        description = "Cerberus"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-01-12"
        filetype = "memory"
        version = "1.0"
    strings:
        $checkin    = "Ypmw1Syv023QZD"
        $clientpong = "wZ2pla"
        $serverping = "wBmpf3Pb7RJe"
        $generic    = "cerberus" nocase
    condition:
        1 of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule CookiesStrings : Cookies Family {
    // Two of the self-extracting-archive markers ($zip*) or two of the
    // debug/status messages ($exe*). \x0d\x0a in the $zip strings is CRLF.
    meta:
        description = "Cookies Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    strings:
        $zip1  = "ntdll.exePK"
        $zip2  = "AcroRd32.exePK"
        $zip3  = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
        $zip4  = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
        $exe1  = "Leave GetCommand!"
        $exe2  = "perform exe success!"
        $exe3  = "perform exe failure!"
        $exe4  = "Entry SendCommandReq!"
        $exe5  = "Reqfile not exist!"
        $exe6  = "LeaveDealUpfile!"
        $exe7  = "Entry PostData!"
        $exe8  = "Leave PostFile!"
        $exe9  = "Entry PostFile!"
        $exe10 = "\\unknow.zip" ascii wide
        $exe11 = "the url no respon!"
    condition:
        2 of ($exe*) or 2 of ($zip*)
}
rule Cookies : Family {
    // Family wrapper over the single Cookies string rule.
    meta:
        description = "Cookies"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    condition:
        CookiesStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule DarkComet_2 {
    // Four command keywords, or a complete feature group (DDoS, keylogger
    // or remote shell). Parenthesised first characters stop the regexes
    // from matching this rule file itself.
    meta:
        description = "DarkComet RAT"
        author = "botherder https://github.com/botherder"
    strings:
        $bot1 = /(#)BOT#OpenUrl/ ascii wide
        $bot2 = /(#)BOT#Ping/ ascii wide
        $bot3 = /(#)BOT#RunPrompt/ ascii wide
        $bot4 = /(#)BOT#SvrUninstall/ ascii wide
        $bot5 = /(#)BOT#URLDownload/ ascii wide
        $bot6 = /(#)BOT#URLUpdate/ ascii wide
        $bot7 = /(#)BOT#VisitUrl/ ascii wide
        $bot8 = /(#)BOT#CloseServer/ ascii wide
        $ddos1 = /(D)DOSHTTPFLOOD/ ascii wide
        $ddos2 = /(D)DOSSYNFLOOD/ ascii wide
        $ddos3 = /(D)DOSUDPFLOOD/ ascii wide
        $keylogger1 = /(A)ctiveOnlineKeylogger/ ascii wide
        $keylogger2 = /(U)nActiveOnlineKeylogger/ ascii wide
        $keylogger3 = /(A)ctiveOfflineKeylogger/ ascii wide
        $keylogger4 = /(U)nActiveOfflineKeylogger/ ascii wide
        $shell1 = /(A)CTIVEREMOTESHELL/ ascii wide
        $shell2 = /(S)UBMREMOTESHELL/ ascii wide
        $shell3 = /(K)ILLREMOTESHELL/ ascii wide
    condition:
        all of ($shell*) or all of ($keylogger*) or all of ($ddos*) or 4 of ($bot*)
}
rule DarkComet : rat {
    // Any one of the config delimiters, mutex prefix or key-command markers.
    meta:
        description = "DarkComet"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-01-12"
        filetype = "memory"
        version = "1.0"
    strings:
        $a  = "#BEGIN DARKCOMET DATA --"
        $b  = "#EOF DARKCOMET DATA --"
        $c  = "DC_MUTEX-"
        $k1 = "#KCMDDC5#-890"
        $k2 = "#KCMDDC51#-890"
    condition:
        1 of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
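rule Trojan_Derusbi
{
    // Two of the four code/constant patterns $b1-$b4 plus one of the four
    // data-table patterns $b5-$b8. Note $b6 is a prefix of $b2, so any $b2
    // hit implies a $b6 hit.
    // Fix: the MD5 meta value carried leading/trailing spaces, which breaks
    // exact comparison by tooling that consumes rule metadata.
    meta:
        Author = "RSA_IR"
        Date = "4Sept13"
        File = "derusbi_variants v 1.3"
        MD5 = "c0d4c5b669cc5b51862db37e972d31ec"
    strings:
        $b1 = {8b 15 ?? ?? ?? ?? 8b ce d3 ea 83 c6 ?? 30 90 ?? ?? ?? ?? 40 3b 05 ?? ?? ?? ?? 72 ??}
        $b2 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E}
        $b3 = {4E E6 40 BB}
        $b4 = {B1 19 BF 44}
        $b5 = {6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D}
        $b6 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E}
        $b7 = {D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3}
        $b8 = {C3 76 33 9F ?? ?? 00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F}
    condition:
        2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
}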
rule APT_Derusbi_DeepPanda {
    // Single hard-coded credential string, ASCII or UTF-16.
    meta:
        author = "ThreatConnect Intelligence Research Team"
        reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf"
    strings:
        $D = "Dom4!nUserP4ss" ascii wide
    condition:
        all of them
}
rule APT_Derusbi_Gen {
    // Any one of the hard-coded passwords, C2 URI fragments or log messages.
    meta:
        author = "ThreatConnect Intelligence Research Team"
    strings:
        $2  = "273ce6-b29f-90d618c0" ascii wide
        $A  = "Ace123dx" ascii wide fullword
        $A1 = "Ace123dxl!" ascii wide fullword
        $A2 = "Ace123dx!@#x" ascii wide fullword
        $C  = "/Catelog/login1.asp" ascii wide
        $DF = "~DFTMP$$$$$.1" ascii wide
        $G  = "GET /Query.asp?loginid=" ascii wide
        $L  = "LoadConfigFromReg failded" ascii wide
        $L1 = "LoadConfigFromBuildin success" ascii wide
        $ph = "/photoe/photo.asp HTTP" ascii wide
        $PO = "POST /photos/photo.asp" ascii wide
        $PC = "PCC_IDENT" ascii wide
    condition:
        1 of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Dexter_Malware
{
    // All four UTF-16 strings required; no header or size gate.
    meta:
        description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
        author = "Florian Roth"
        reference = "http://goo.gl/oBvy8b"
        date = "2015/02/10"
        score = 70
    strings:
        $s0 = "Java Security Plugin" wide fullword
        $s1 = "%s\\%s\\%s.exe" wide fullword
        $s2 = "Sun Java Security Plugin" wide fullword
        $s3 = "\\Internet Explorer\\iexplore.exe" wide fullword
    condition:
        all of ($s*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
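rule Dridex_Trojan_XML
{
    // Word-XML document carrying a macro and binary part with an almost
    // empty body (0 characters, 1 line). All six markers required.
    meta:
        description = "Dridex Malware in XML Document"
        author = "Florian Roth @4nc4p"
        reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
        date = "2015/03/08"
        hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
        hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
        hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
        hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
        hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
    strings:
        // The document may be ASCII or UTF-16 encoded. Fix: a string with no
        // modifier is ASCII-only in YARA, so "ascii wide" is needed to get
        // the both-encodings behaviour the original comment assumed.
        $c_xml = "<?xml version=" ascii wide
        $c_word = "<?mso-application progid=\"Word.Document\"?>" ascii wide
        $c_macro = "w:macrosPresent=\"yes\"" ascii wide
        $c_binary = "<w:binData w:name=" ascii wide
        $c_0_chars = "<o:Characters>0</o:Characters>" ascii wide
        $c_1_line = "<o:Lines>1</o:Lines>" ascii wide
    condition:
        all of ($c*)
}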
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule EnfalCode : Enfal Family {
    // Single exact byte pattern from the string-decryption loop.
    meta:
        description = "Enfal code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        // mov al, 20h; sub al, bl; add [ebx+esi], al; push esi; inc ebx; call edi; cmp ebx, eax
        $decrypt = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 }
    condition:
        $decrypt
}
rule EnfalStrings : Enfal Family
{
meta:
description = "Enfal Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
// All strings are anonymous ($) and any single one fires the rule.
// \x.. escapes below are raw bytes (the PDB/path entries contain UTF-8
// sequences); keep them verbatim - a transcription slip silently changes
// what the rule detects.
$ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
$ = "e:\\programs\\LuridDownLoader"
$ = "LuridDownloader for Falcon"
$ = "DllServiceTrojan"
$ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
$ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
$ = "Madonna\x00Jesus"
$ = "/iupw82/netstate"
$ = "fuckNodAgain"
$ = "iloudermao"
// CGI endpoint names and URI paths used by the backdoor's C2 traffic
$ = "Crpq2.cgi"
$ = "Clnpp5.cgi"
$ = "Dqpq3ll.cgi"
$ = "dieosn83.cgi"
$ = "Rwpq1.cgi"
$ = "/Ccmwhite"
$ = "/Cmwhite"
$ = "/Crpwhite"
$ = "/Dfwhite"
$ = "/Query.txt"
$ = "/Ufwhite"
$ = "/cgl-bin/Clnpp5.cgi"
$ = "/cgl-bin/Crpq2.cgi"
$ = "/cgl-bin/Dwpq3ll.cgi"
$ = "/cgl-bin/Owpq4.cgi"
$ = "/cgl-bin/Rwpq1.cgi"
$ = "/trandocs/mm/"
$ = "/trandocs/netstat"
$ = "NFal.exe"
$ = "LINLINVMAN"
$ = "7NFP4R9W"
condition:
any of them
}
rule Enfal : Family {
    // Family wrapper: either Enfal sub-rule is sufficient.
    meta:
        description = "Enfal"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    condition:
        EnfalStrings or EnfalCode
}
rule Enfal_Malware
{
    // All nine strings required; individually they are common environment
    // variables and OS names, so the conjunction carries the specificity.
    meta:
        description = "Detects a certain type of Enfal Malware"
        author = "Florian Roth"
        reference = "not set"
        date = "2015/02/10"
        hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16"
        score = 60
    strings:
        $s0  = "POWERPNT.exe" ascii fullword
        $s1  = "%APPDATA%\\Microsoft\\Windows\\" ascii fullword
        $s2  = "%HOMEPATH%" ascii fullword
        $s3  = "Server2008" ascii fullword
        $s4  = "Server2003" ascii fullword
        $s5  = "Server2003R2" ascii fullword
        $s6  = "Server2008R2" ascii fullword
        $s9  = "%HOMEDRIVE%" ascii fullword
        $s13 = "%ComSpec%" ascii fullword
    condition:
        all of ($s*)
}
rule Enfal_Malware_Backdoor
{
    // MZ header plus either one of the misspelled vendor/service strings ($x*)
    // or the full set of file names ($s*) together with the full set of
    // export/GUID strings ($z*).
    meta:
        description = "Generic Rule to detect the Enfal Malware"
        author = "Florian Roth"
        date = "2015/02/10"
        super_rule = 1
        hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
        hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
        hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
        score = 60
    strings:
        $x1 = "Micorsoft Corportation" wide fullword
        $x2 = "IM Monnitor Service" wide fullword
        $s1 = "imemonsvc.dll" wide fullword
        $s2 = "iphlpsvc.tmp" fullword
        $z1 = "urlmon" fullword
        $z2 = "Registered trademarks and service marks are the property of their respec" wide
        $z3 = "XpsUnregisterServer" fullword
        $z4 = "XpsRegisterServer" fullword
        $z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        uint16(0) == 0x5A4D and
        (
            ( all of ($s*) and all of ($z*) ) or
            1 of ($x*)
        )
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
/* Equation APT ------------------------------------------------------------ */
rule apt_equation_exploitlib_mutexes
{
    // MZ header plus any one mutex name. The original listed the two
    // cnForm* names twice (once wide, once ascii); a single "ascii wide"
    // string per name is equivalent under "any of".
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
    strings:
        $a1 = "prkMtx" wide
        $a2 = "cnFormSyncExFBC" ascii wide
        $a3 = "cnFormVoidFBC" ascii wide
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        uint16(0) == 0x5A4D and 1 of ($a*)
}
rule apt_equation_doublefantasy_genericresource
{
    // MZ header, size cap and all three resource markers. $a1 is the
    // UTF-16 resource-type name preceded by its length byte; $a3 is only
    // three bytes, so YARA will likely warn that it slows scanning.
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
    strings:
        $a1 = { 06 00 42 00 49 00 4E 00 52 00 45 00 53 00 }
        $a2 = "yyyyyyyyyyyyyyyy"
        $a3 = "002"
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        filesize < 500000 and uint16(0) == 0x5A4D and all of ($a*)
}
rule apt_equation_equationlaser_runtimeclasses
{
    // Any one of the decorated (MSVC-mangled) function names.
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect the EquationLaser malware"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "https://securelist.com/blog/"
    strings:
        $a1 = "?a73957838_2@@YAXXZ"
        $a2 = "?a84884@@YAXXZ"
        $a3 = "?b823838_9839@@YAXXZ"
        $a4 = "?e747383_94@@YAXXZ"
        $a5 = "?e83834@@YAXXZ"
        $a6 = "?e929348_827@@YAXXZ"
    condition:
        1 of ($a*)
}
rule apt_equation_cryptotable {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect the crypto library used in Equation group malware"
version = "1.0"
last_modified = "2015-02-16"
reference = "https://securelist.com/blog/"
strings:
// Fixed 88-byte lookup table (no wildcards); the whole table must appear verbatim.
$a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
condition:
$a
}
/* Equation Group - Kaspersky ---------------------------------------------- */
rule Equation_Kaspersky_TripleFantasy_1
{
    // MZ header, size cap, the whole $s group, and then either the whole
    // $z group (benign-looking hosts) or one of the $x C2 endpoints.
    // The condition is the factored form of (S and Z) or (S and X).
    meta:
        description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
    strings:
        $s0 = "%SystemRoot%\\system32\\hnetcfg.dll" wide fullword
        $s1 = "%WINDIR%\\System32\\ahlhcib.dll" wide fullword
        $s2 = "%WINDIR%\\sjyntmv.dat" wide fullword
        $s3 = "Global\\{8c38e4f3-591f-91cf-06a6-67b84d8a0102}" wide fullword
        $s4 = "%WINDIR%\\System32\\owrwbsdi" wide fullword
        $s5 = "Chrome" wide fullword
        $s6 = "StringIndex" ascii fullword
        $x1 = "itemagic.net@443" wide fullword
        $x2 = "team4heat.net@443" wide fullword
        $x5 = "62.216.152.69@443" wide fullword
        $x6 = "84.233.205.37@443" wide fullword
        $z1 = "www.microsoft.com@80" wide fullword
        $z2 = "www.google.com@80" wide fullword
        $z3 = "127.0.0.1:3128" wide fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        uint16(0) == 0x5A4D and filesize < 300000 and
        all of ($s*) and ( all of ($z*) or 1 of ($x*) )
}
rule Equation_Kaspersky_DoubleFantasy_1
{
    // MZ header and size cap, then either the single $z1 DLL-name template
    // or all actxprxy forwarders ($s*) together with six of the $x fillers.
    meta:
        description = "Equation Group Malware - DoubleFantasy"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
    strings:
        $z1 = "msvcp5%d.dll" ascii fullword
        $s0 = "actxprxy.GetProxyDllInfo" ascii fullword
        $s3 = "actxprxy.DllGetClassObject" ascii fullword
        $s5 = "actxprxy.DllRegisterServer" ascii fullword
        $s6 = "actxprxy.DllUnregisterServer" ascii fullword
        $x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
        $x2 = "191H1a1" ascii fullword
        $x3 = "November " ascii fullword
        $x4 = "abababababab" ascii fullword
        $x5 = "January " ascii fullword
        $x6 = "October " ascii fullword
        $x7 = "September " ascii fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        uint16(0) == 0x5A4D and filesize < 350000 and
        (
            $z1 or
            ( 6 of ($x*) and all of ($s*) )
        )
}
rule Equation_Kaspersky_GROK_Keylogger
{
    // MZ header and size cap, then: the developer path $s0 alone, or six of
    // the $x fragments combined with either the driver name $s1 or both
    // registry paths ($z*). Factored form of the original three-way "or".
    meta:
        description = "Equation Group Malware - GROK keylogger"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
    strings:
        $s0 = "c:\\users\\rmgree5\\" ascii
        $s1 = "msrtdv.sys" wide fullword
        $x1 = "svrg.pdb" ascii fullword
        $x2 = "W32pServiceTable" ascii fullword
        $x3 = "In forma" ascii fullword
        $x4 = "ReleaseF" ascii fullword
        $x5 = "criptor" ascii fullword
        $x6 = "astMutex" ascii fullword
        $x7 = "ARASATAU" ascii fullword
        $x8 = "R0omp4ar" ascii fullword
        $z1 = "H.text" ascii fullword
        $z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" wide fullword
        $z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        uint16(0) == 0x5A4D and filesize < 250000 and
        (
            $s0 or
            ( 6 of ($x*) and ( $s1 or all of ($z*) ) )
        )
}
rule Equation_Kaspersky_GreyFishInstaller
{
    // All three strings required; no MZ or size gate.
    meta:
        description = "Equation Group Malware - Grey Fish"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
    strings:
        $s0 = "DOGROUND.exe" wide fullword
        $s1 = "Windows Configuration Services" wide fullword
        $s2 = "GetMappedFilenameW" ascii fullword
    condition:
        all of ($s*)
}
rule Equation_Kaspersky_EquationDrugInstaller
{
    // MZ header, size cap, both $s strings and five of the seven $x strings.
    meta:
        description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
    strings:
        $s0 = "\\system32\\win32k.sys" wide fullword
        $s1 = "ALL_FIREWALLS" ascii fullword
        $x1 = "@prkMtx" wide fullword
        $x2 = "STATIC" wide fullword
        $x3 = "windir" wide fullword
        $x4 = "cnFormVoidFBC" wide fullword
        $x5 = "CcnFormSyncExFBC" wide fullword
        $x6 = "WinStaObj" wide fullword
        $x7 = "BINRES" wide fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        uint16(0) == 0x5A4D and filesize < 500000 and 5 of ($x*) and all of ($s*)
}
rule Equation_Kaspersky_EquationLaserInstaller
{
    // MZ header, size cap and six of the nine $s strings.
    meta:
        description = "Equation Group Malware - EquationLaser Installer"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
    strings:
        $s0 = "Failed to get Windows version" ascii fullword
        $s1 = "lsasrv32.dll and lsass.exe" wide fullword
        $s2 = "\\\\%s\\mailslot\\%s" ascii fullword
        $s3 = "%d-%d-%d %d:%d:%d Z" ascii fullword
        $s4 = "lsasrv32.dll" ascii fullword
        $s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" ascii fullword
        $s6 = "%s %02x %s" ascii fullword
        $s7 = "VIEWERS" ascii fullword
        $s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" wide fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        uint16(0) == 0x5A4D and filesize < 250000 and 6 of ($s*)
}
rule Equation_Kaspersky_FannyWorm
{
    // MZ header and size cap, then one of three string thresholds: two of
    // the fanny.bmp/32.exe names, one of them plus six $x strings, or
    // fourteen $x strings on their own.
    meta:
        description = "Equation Group Malware - Fanny Worm"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
    strings:
        $s1 = "x:\\fanny.bmp" ascii fullword
        $s2 = "32.exe" ascii fullword
        $s3 = "d:\\fanny.bmp" ascii fullword
        $x1 = "c:\\windows\\system32\\kernel32.dll" ascii fullword
        $x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" ascii fullword
        $x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" ascii fullword
        $x4 = "\\system32\\win32k.sys" wide fullword
        $x5 = "\\AGENTCPD.DLL" ascii fullword
        $x6 = "agentcpd.dll" ascii fullword
        $x7 = "PADupdate.exe" ascii fullword
        $x8 = "dll_installer.dll" ascii fullword
        $x9 = "\\restore\\" ascii fullword
        $x10 = "Q:\\__?__.lnk" ascii fullword
        $x11 = "Software\\Microsoft\\MSNetMng" ascii fullword
        $x12 = "\\shelldoc.dll" ascii fullword
        $x13 = "file size = %d bytes" ascii fullword
        $x14 = "\\MSAgent" ascii fullword
        $x15 = "Global\\RPCMutex" ascii fullword
        $x16 = "Global\\DirectMarketing" ascii fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        uint16(0) == 0x5A4D and filesize < 300000 and
        (
            14 of ($x*) or
            ( 6 of ($x*) and 1 of ($s*) ) or
            2 of ($s*)
        )
}
rule Equation_Kaspersky_HDD_reprogramming_module
{
    // MZ header, size cap and all five strings (module name plus kernel
    // imports typical of a driver).
    meta:
        description = "Equation Group Malware - HDD reprogramming module"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
    strings:
        $s0 = "nls_933w.dll" ascii fullword
        $s1 = "BINARY" wide fullword
        $s2 = "KfAcquireSpinLock" ascii fullword
        $s3 = "HAL.dll" ascii fullword
        $s4 = "READ_REGISTER_UCHAR" ascii fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        filesize < 300000 and uint16(0) == 0x5A4D and all of ($s*)
}
rule Equation_Kaspersky_EOP_Package
{
    // MZ header, a tight size cap and all seven strings (filler patterns
    // plus the prkMtx / cnForm mutex names also used by the exploit library).
    meta:
        description = "Equation Group Malware - EoP package and malware launcher"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
    strings:
        $s0 = "abababababab" ascii fullword
        $s1 = "abcdefghijklmnopq" ascii fullword
        $s2 = "@STATIC" wide fullword
        $s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ascii fullword
        $s4 = "@prkMtx" wide fullword
        $s5 = "prkMtx" wide fullword
        $s6 = "cnFormVoidFBC" wide fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        filesize < 100000 and uint16(0) == 0x5A4D and all of ($s*)
}
rule Equation_Kaspersky_TripleFantasy_Loader
{
    // MZ header, size cap and every declared string (version-info strings
    // and the hnetcfg.dll forwarders); "all of them" covers both groups.
    meta:
        description = "Equation Group Malware - TripleFantasy Loader"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
    strings:
        $x1 = "Original Innovations, LLC" wide fullword
        $x2 = "Moniter Resource Protocol" wide fullword
        $x3 = "ahlhcib.dll" wide fullword
        $s0 = "hnetcfg.HNetGetSharingServicesPage" ascii fullword
        $s1 = "hnetcfg.IcfGetOperationalMode" ascii fullword
        $s2 = "hnetcfg.IcfGetDynamicFwPorts" ascii fullword
        $s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" ascii fullword
        $s4 = "hnetcfg.HNetGetShareAndBridgeSettings" ascii fullword
        $s5 = "hnetcfg.HNetGetFirewallSettingsPage" ascii fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        uint16(0) == 0x5A4D and filesize < 50000 and all of them
}
/* Rule generated from the mentioned keywords */
rule Equation_Kaspersky_SuspiciousString
{
    // MZ header, size cap and all six strings. NOTE(review): the description
    // speaks of "suspicious string found", but the condition requires every
    // string at once (PDB path, installer messages, GROK and STRAITSHOOTER
    // names), which is far stricter than the name suggests - confirm whether
    // "all of" or "1 of" was intended.
    meta:
        description = "Equation Group Malware - suspicious string found in sample"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/17"
        score = 60
    strings:
        $s1 = "i386\\DesertWinterDriver.pdb" fullword
        $s2 = "Performing UR-specific post-install..."
        $s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
        $s4 = "STRAITSHOOTER30.exe"
        $s5 = "standalonegrok_2.1.1.1"
        $s6 = "c:\\users\\rmgree5\\"
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        filesize < 500000 and uint16(0) == 0x5A4D and all of ($s*)
}
/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */
rule EquationDrug_NetworkSniffer1
{
    // All eight strings required: driver file/debug names plus the generic
    // device-path format strings shared by several EquationDrug drivers.
    meta:
        description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce"
    strings:
        $s0  = "Microsoft(R) Windows (TM) Operating System" wide fullword
        $s1  = "\\Registry\\User\\CurrentUser\\" wide fullword
        $s3  = "sys\\mstcp32.dbg" ascii fullword
        $s7  = "mstcp32.sys" wide fullword
        $s8  = "p32.sys" ascii fullword
        $s9  = "\\Device\\%ws_%ws" wide fullword
        $s10 = "\\DosDevices\\%ws" wide fullword
        $s11 = "\\Device\\%ws" wide fullword
    condition:
        all of ($s*)
}
rule EquationDrug_CompatLayer_UnilayDLL
{
    // MZ header plus the single module name. NOTE(review): one short file
    // name is a weak discriminator; the same name is also one of the
    // strings in EquationDrug_PlatformOrchestrator below.
    meta:
        description = "EquationDrug - Unilay.DLL"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
    strings:
        $s0 = "unilay.dll" ascii fullword
    condition:
        // uint16(0) == 0x5A4D is the little-endian read of the "MZ" header bytes
        uint16(0) == 0x5A4D and all of ($s*)
}
rule EquationDrug_HDDSSD_Op
{
    // Single module-name string, no MZ or size gate. NOTE(review): the same
    // name is $s0 of Equation_Kaspersky_HDD_reprogramming_module (same hash
    // in meta), which additionally requires the header and four more
    // strings; this rule will fire on anything that merely mentions the file.
    meta:
        description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
    strings:
        $s0 = "nls_933w.dll" ascii fullword
    condition:
        $s0
}
rule EquationDrug_NetworkSniffer2
{
    // All eight strings required (tdip.sys driver names plus device-path
    // format strings).
    meta:
        description = "EquationDrug - Network Sniffer - tdip.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" wide fullword
        $s1 = "IP Transport Driver" wide fullword
        $s2 = "tdip.sys" wide fullword
        $s3 = "sys\\tdip.dbg" ascii fullword
        $s4 = "dip.sys" ascii fullword
        $s5 = "\\Device\\%ws_%ws" wide fullword
        $s6 = "\\DosDevices\\%ws" wide fullword
        $s7 = "\\Device\\%ws" wide fullword
    condition:
        all of ($s*)
}
rule EquationDrug_NetworkSniffer3
{
    // All four version-info / PDB strings of the tdip.sys variant required.
    meta:
        description = "EquationDrug - Network Sniffer - tdip.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "14599516381a9646cd978cf962c4f92386371040"
    strings:
        $s0 = "Corporation. All rights reserved." wide fullword
        $s1 = "IP Transport Driver" wide fullword
        $s2 = "tdip.sys" wide fullword
        $s3 = "tdip.pdb" ascii fullword
    condition:
        all of ($s*)
}
rule EquationDrug_VolRec_Driver
{
    // All three msrstd driver names required.
    meta:
        description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"
    strings:
        $s0 = "msrstd.sys" wide fullword
        $s1 = "msrstd.pdb" ascii fullword
        $s2 = "msrstd driver" wide fullword
    condition:
        all of ($s*)
}
rule EquationDrug_KernelRootkit
{
    // All eight strings required: msndsrv driver names, registry paths and
    // the shared device-path format strings.
    meta:
        description = "EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "597715224249e9fb77dc733b2e4d507f0cc41af6"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" wide fullword
        $s1 = "Parmsndsrv.dbg" ascii fullword
        $s2 = "\\Registry\\User\\CurrentUser\\" wide fullword
        $s3 = "msndsrv.sys" wide fullword
        $s5 = "\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Control\\Windows" wide fullword
        $s6 = "\\Device\\%ws_%ws" wide fullword
        $s7 = "\\DosDevices\\%ws" wide fullword
        $s9 = "\\Device\\%ws" wide fullword
    condition:
        all of ($s*)
}
rule EquationDrug_Keylogger
{
    // All four strings required. $s2 is deliberately truncated ("...\\En")
    // and therefore not "fullword"; the Gk device/symlink names are the
    // most specific part.
    meta:
        description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"
    strings:
        $s0 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" wide fullword
        $s2 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\En" wide
        $s3 = "\\DosDevices\\Gk" wide fullword
        $s5 = "\\Device\\Gk0" wide fullword
    condition:
        all of ($s*)
}
rule EquationDrug_NetworkSniffer4
{
    // All twelve strings required: the borrowed RAVISENT/CineMaster
    // version-info strings together with the driver name and device paths.
    meta:
        description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "cace40965f8600a24a2457f7792efba3bd84d9ba"
    strings:
        $s0  = "Copyright 1999 RAVISENT Technologies Inc." wide fullword
        $s1  = "\\systemroot\\" ascii fullword
        $s2  = "RAVISENT Technologies Inc." wide fullword
        $s3  = "Created by VIONA Development" wide fullword
        $s4  = "\\Registry\\User\\CurrentUser\\" wide fullword
        $s5  = "\\device\\harddiskvolume" wide fullword
        $s7  = "ATMDKDRV.SYS" wide fullword
        $s8  = "\\Device\\%ws_%ws" wide fullword
        $s9  = "\\DosDevices\\%ws" wide fullword
        $s10 = "CineMaster C 1.1 WDM Main Driver" wide fullword
        $s11 = "\\Device\\%ws" wide fullword
        $s13 = "CineMaster C 1.1 WDM" wide fullword
    condition:
        all of ($s*)
}
rule EquationDrug_PlatformOrchestrator
{
    // All six strings required; the process names alone are generic, the
    // combination with unilay.dll and the service description is not.
    meta:
        description = "EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "febc4f30786db7804008dc9bc1cebdc26993e240"
    strings:
        $s0 = "SERVICES.EXE" wide fullword
        $s1 = "\\command.com" wide fullword
        $s2 = "Microsoft(R) Windows (TM) Operating System" wide fullword
        $s3 = "LSASS.EXE" wide fullword
        $s4 = "Windows Configuration Services" wide fullword
        $s8 = "unilay.dll" ascii fullword
    condition:
        all of ($s*)
}
rule EquationDrug_NetworkSniffer5
{
    // All six strings required (atmdkdrv.sys variant without the RAVISENT
    // version-info strings used by NetworkSniffer4).
    meta:
        description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "09399b9bd600d4516db37307a457bc55eedcbd17"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" wide fullword
        $s1 = "\\Registry\\User\\CurrentUser\\" wide fullword
        $s2 = "atmdkdrv.sys" wide fullword
        $s4 = "\\Device\\%ws_%ws" wide fullword
        $s5 = "\\DosDevices\\%ws" wide fullword
        $s6 = "\\Device\\%ws" wide fullword
    condition:
        all of ($s*)
}
rule EquationDrug_FileSystem_Filter
{
    // All three volrec driver names required.
    meta:
        description = "EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
    strings:
        $s0 = "volrec.sys" wide fullword
        $s1 = "volrec.pdb" ascii fullword
        $s2 = "Volume recognizer driver" wide fullword
    condition:
        all of ($s*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule EzcobStrings : Ezcob Family
{
meta:
description = "Ezcob Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-23"
strings:
$ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"
$ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12"
$ = "Ezcob" wide ascii
$ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126"
$ = "20110113144935"
condition:
any of them
}
rule Ezcob : Family
{
meta:
description = "Ezcob"
author = "Seth Hardy"
last_modified = "2014-06-23"
condition:
EzcobStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule ws_f0xy_downloader {
meta:
description = "f0xy malware downloader"
author = "Nick Griffin (Websense)"
strings:
$mz="MZ"
$string1="bitsadmin /transfer"
$string2="del rm.bat"
$string3="av_list="
condition:
($mz at 0) and (all of ($string*))
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule HTMLVariant : FakeM Family HTML Variant
{
meta:
description = "Identifier for html variant of FAKEM"
author = "Katie Kleemola"
last_updated = "2014-05-20"
strings:
// decryption loop
$s1 = { 8B 55 08 B9 00 50 00 00 8D 3D ?? ?? ?? 00 8B F7 AD 33 C2 AB 83 E9 04 85 C9 75 F5 }
//mov byte ptr [ebp - x] y, x: 0x10-0x1 y: 0-9,A-F
$s2 = { C6 45 F? (3?|4?) }
condition:
$s1 and #s2 == 16
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule FinSpy_2
{
meta:
description = "FinFisher FinSpy"
author = "botherder https://github.com/botherder"
strings:
$password1 = /\/scomma kbd101\.sys/ wide ascii
$password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
$password3 = /\/scomma excel2010\.part/ wide ascii
$password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
$password5 = /\/stab MSVCR32\.manifest/ wide ascii
$password6 = /\/scomma MSN2010\.dll/ wide ascii
$password7 = /\/scomma Firefox\.base/ wide ascii
$password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
$password9 = /\/scomma IE7setup\.sys/ wide ascii
$password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
$password11 = /\/scomma office2007\.cab/ wide ascii
$password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
$password13 = /\/scomma outlook2007\.dll/ wide ascii
$password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
$screenrec1 = /(s)111o00000000\.dat/ wide ascii
$screenrec2 = /(t)111o00000000\.dat/ wide ascii
$screenrec3 = /(f)113o00000000\.dat/ wide ascii
$screenrec4 = /(w)114o00000000\.dat/ wide ascii
$screenrec5 = /(u)112Q00000000\.dat/ wide ascii
$screenrec6 = /(v)112Q00000000\.dat/ wide ascii
$screenrec7 = /(v)112O00000000\.dat/ wide ascii
//$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
//$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
$micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
$skyperec1 = /\[%19s\] %25s\: %s/ wide ascii
$skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
$driver = /\\\\\\\\\.\\\\driverw/ wide ascii
$janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
$janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
$versions1 = /(f)inspyv2/ nocase
$versions2 = /(f)inspyv4/ nocase
$bootkit1 = /(b)ootkit_x32driver/
$bootkit2 = /(b)ootkit_x64driver/
$typo1 = /(S)creenShort Recording/ wide
$mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
condition:
8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
}
rule FinSpy
{
meta:
description = "FinFisher FinSpy"
author = "AlienVault Labs"
strings:
$filter1 = "$password14"
$filter2 = "$screenrec7"
$filter3 = "$micrec"
$filter4 = "$skyperec3"
$filter5 = "$mouserec2"
$filter6 = "$driver"
$filter7 = "$janedow2"
$filter8 = "$bootkit2"
$password1 = /\/scomma kbd101\.sys/ wide ascii
$password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
$password3 = /\/scomma excel2010\.part/ wide ascii
$password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
$password5 = /\/stab MSVCR32\.manifest/ wide ascii
$password6 = /\/scomma MSN2010\.dll/ wide ascii
$password7 = /\/scomma Firefox\.base/ wide ascii
$password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
$password9 = /\/scomma IE7setup\.sys/ wide ascii
$password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
$password11 = /\/scomma office2007\.cab/ wide ascii
$password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
$password13 = /\/scomma outlook2007\.dll/ wide ascii
$password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
$screenrec1 = /(s)111o00000000\.dat/ wide ascii
$screenrec2 = /(t)111o00000000\.dat/ wide ascii
$screenrec3 = /(f)113o00000000\.dat/ wide ascii
$screenrec4 = /(w)114o00000000\.dat/ wide ascii
$screenrec5 = /(u)112Q00000000\.dat/ wide ascii
$screenrec6 = /(v)112Q00000000\.dat/ wide ascii
$screenrec7 = /(v)112O00000000\.dat/ wide ascii
//$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
//$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
$micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
$skyperec1 = /\[%19s\] %25s\: %s/ wide ascii
$skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
//$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
//$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
//$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
$driver = /\\\\\\\\\.\\\\driverw/ wide ascii
$janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
$janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
//$versions1 = /(f)inspyv2/ nocase
//$versions2 = /(f)inspyv4/ nocase
$bootkit1 = /(b)ootkit_x32driver/
$bootkit2 = /(b)ootkit_x64driver/
$typo1 = /(S)creenShort Recording/ wide
$mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
condition:
(8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*)
}
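Review bot: The `$filter1`–`$filter8` strings in rule FinSpy (L3519–L3526) are literal YARA identifier names with no comment explaining them, and their apparent purpose is only visible at the very end of the condition on L3566, where `and not any of ($filter*)` keeps the rule from firing on files that contain this ruleset's own text. Add a comment above `$filter1` such as `// self-exclusion: these literals occur only in copies of this rule file; not any of ($filter*) in the condition stops the rule matching its own source`. The rule otherwise duplicates FinSpy_2 (L3466–L3512) almost line for line under the same description "FinFisher FinSpy", so a FinSpy sample is reported twice under two authors; if both rules are to stay, the descriptions should state how they differ, or FinSpy_2 should gain the same exclusion and the duplicate be dropped.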
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
/* FIVE EYES ------------------------------------------------------------------------------- */
rule FiveEyes_QUERTY_Malwareqwerty_20121 {
meta:
description = "FiveEyes QUERTY Malware - file 20121.xml"
author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
strings:
$s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii
$s1 = "<name>20121.dll</name>" fullword ascii
$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
$s4 = "<platform type=\"1\">" fullword ascii
$s5 = "</plugin>" fullword ascii
$s6 = "</pluginConfig>" fullword ascii
$s7 = "<pluginConfig>" fullword ascii
$s8 = "</platform>" fullword ascii
$s9 = "</lpConfig>" fullword ascii
$s10 = "<lpConfig>" fullword ascii
condition:
9 of them
}
rule FiveEyes_QUERTY_Malwaresig_20123_sys {
meta:
description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
strings:
$s0 = "20123.dll" fullword ascii
$s1 = "kbdclass.sys" fullword wide
$s2 = "IoFreeMdl" fullword ascii
$s3 = "ntoskrnl.exe" fullword ascii
$s4 = "KfReleaseSpinLock" fullword ascii
condition:
all of them
}
rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
meta:
description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
strings:
$s0 = "<shortDescription>Keystroke Collector</shortDescription>" fullword ascii
$s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii
$s2 = "<commands/>" fullword ascii
$s3 = "</version>" fullword ascii
$s4 = "<associatedImplantId>20121</associatedImplantId>" fullword ascii
$s5 = "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns" ascii
$s6 = "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
$s7 = "<projectpath>plugin/Collection</projectpath>" fullword ascii
$s8 = "<dllDepend>None</dllDepend>" fullword ascii
$s9 = "<minorType>0</minorType>" fullword ascii
$s10 = "<pluginname>E_QwertyKM</pluginname>" fullword ascii
$s11 = "</comments>" fullword ascii
$s12 = "<comments>" fullword ascii
$s13 = "<majorType>1</majorType>" fullword ascii
$s14 = "<files>None</files>" fullword ascii
$s15 = "<poc>Erebus</poc>" fullword ascii
$s16 = "</plugin>" fullword ascii
$s17 = "<team>None</team>" fullword ascii
$s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii
$s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii
$s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
condition:
14 of them
}
rule FiveEyes_QUERTY_Malwaresig_20121_dll {
meta:
description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "89504d91c5539a366e153894c1bc17277116342b"
strings:
$s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
$s1 = "20121.dll" fullword ascii
condition:
all of them
}
rule FiveEyes_QUERTY_Malwareqwerty_20123 {
meta:
description = "FiveEyes QUERTY Malware - file 20123.xml"
author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9"
strings:
$s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
$s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii
$s2 = "<name>20123.sys</name>" fullword ascii
$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
$s4 = "<codebase>/bin/i686-pc-win32/debug</codebase>" fullword ascii
$s5 = "<platform type=\"1\">" fullword ascii
$s6 = "</plugin>" fullword ascii
$s7 = "</pluginConfig>" fullword ascii
$s8 = "<pluginConfig>" fullword ascii
$s9 = "</platform>" fullword ascii
$s10 = "</lpConfig>" fullword ascii
$s11 = "<lpConfig>" fullword ascii
condition:
9 of them
}
rule FiveEyes_QUERTY_Malwaresig_20120_dll {
meta:
description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
strings:
$s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
$s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
$s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
$s3 = "- Log Used (number of windows) - %d" fullword wide
$s4 = "- Log Limit (number of windows) - %d" fullword wide
$s5 = "Process or User Default Language" fullword wide
$s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
$s7 = "- Logging of keystrokes is switched ON" fullword wide
$s8 = "- Logging of keystrokes is switched OFF" fullword wide
$s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
$s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
$s11 = "FAILED to get Qwerty Status" fullword wide
$s12 = "- Successfully retrieved Log from Implant." fullword wide
$s13 = "- Logging of all Windows is toggled ON" fullword wide
$s14 = "- Logging of all Windows is toggled OFF" fullword wide
$s15 = "Qwerty FAILED to retrieve window list." fullword wide
$s16 = "- UNSUCCESSFUL Log Retrieval from Implant." fullword wide
$s17 = "The implant failed to return a valid status" fullword ascii
$s18 = "- Log files were NOT generated!" fullword wide
$s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
$s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
condition:
10 of them
}
rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
meta:
description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
strings:
$s0 = "This PPC gets the current keystroke log." fullword ascii
$s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
$s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
$s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
$s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
$s5 = "<definition>Turn logging of all keys on|off</definition>" fullword ascii
$s6 = "<name>Get Keystroke Log</name>" fullword ascii
$s7 = "<description>Keystroke Logger Lp Plugin</description>" fullword ascii
$s8 = "<definition>display help for this function</definition>" fullword ascii
$s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
$s10 = "Set the log limit (in number of windows)" fullword ascii
$s11 = "<example>qwgetlog</example>" fullword ascii
$s12 = "<aliasName>qwgetlog</aliasName>" fullword ascii
$s13 = "<definition>The title of the Window whose keys you wish to Log once it becomes a" ascii
$s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
$s15 = "<definition>The title of the Window whose keys you no longer whish to log</defin" ascii
$s16 = "<command id=\"32\">" fullword ascii
$s17 = "<command id=\"3\">" fullword ascii
$s18 = "<command id=\"7\">" fullword ascii
$s19 = "<command id=\"1\">" fullword ascii
$s20 = "<command id=\"4\">" fullword ascii
condition:
10 of them
}
rule FiveEyes_QUERTY_Malwareqwerty_20120 {
meta:
description = "FiveEyes QUERTY Malware - file 20120.xml"
author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "597082f05bfd3225587d480c30f54a7a1326a892"
strings:
$s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii
$s1 = "<name>20120.dll</name>" fullword ascii
$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
$s4 = "<platform type=\"1\">" fullword ascii
$s5 = "</plugin>" fullword ascii
$s6 = "</pluginConfig>" fullword ascii
$s7 = "<pluginConfig>" fullword ascii
$s8 = "</platform>" fullword ascii
$s9 = "</lpConfig>" fullword ascii
$s10 = "<lpConfig>" fullword ascii
condition:
all of them
}
rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
meta:
description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
author = "Florian Roth"
reference = "http://www.spiegel.de/media/media-35668.pdf"
date = "2015/01/18"
hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
strings:
$s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii
$s1 = "<message>Failed to get File Time</message>" fullword ascii
$s2 = "<description>Keystroke Logger Plugin.</description>" fullword ascii
$s3 = "<message>Failed to set File Time</message>" fullword ascii
$s4 = "</commands>" fullword ascii
$s5 = "<commands>" fullword ascii
$s6 = "</version>" fullword ascii
$s7 = "<associatedImplantId>20120</associatedImplantId>" fullword ascii
$s8 = "<message>No Comms. with Driver</message>" fullword ascii
$s9 = "</error>" fullword ascii
$s10 = "<message>Invalid File Size</message>" fullword ascii
$s11 = "<platforms>Windows (User/Win32)</platforms>" fullword ascii
$s12 = "<message>File Size Mismatch</message>" fullword ascii
$s13 = "<projectpath>plugin/Utility</projectpath>" fullword ascii
$s14 = "<pluginsDepend>None</pluginsDepend>" fullword ascii
$s15 = "<dllDepend>None</dllDepend>" fullword ascii
$s16 = "<pluginname>E_QwertyIM</pluginname>" fullword ascii
$s17 = "<rightsRequired>None</rightsRequired>" fullword ascii
$s18 = "<minorType>0</minorType>" fullword ascii
$s19 = "<code>00001002</code>" fullword ascii
$s20 = "<code>00001001</code>" fullword ascii
condition:
12 of them
}
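Review bot: Rule FiveEyes_QUERTY_Malwareqwerty_20121 (L3573–L3594) also matches the 20120.xml file it is not meant to describe: nine of its eleven strings (`$s2`–`$s10`) are generic plugin-config tags that FiveEyes_QUERTY_Malwareqwerty_20120 (L3751–L3763) asserts are all present in 20120.xml, and the condition `9 of them` is satisfied by those nine alone. Only `$s0` and `$s1` carry the file-specific part, so anchor the threshold on them, e.g. `($s0 or $s1) and 8 of them`. FiveEyes_QUERTY_Malwareqwerty_20123 (L3656–L3678) has the same shape with a margin of one string and would benefit from the same anchoring.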
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule APT_WIN_Gh0st_ver
{
meta:
author = "@BryanNolen"
date = "2012-12"
type = "APT"
version = "1.1"
ref = "Detection of Gh0st RAT server DLL component"
ref1 = "http://www.mcafee.com/au/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf"
strings:
$library = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
$capability = "GetClipboardData"
$capability1 = "capCreateCaptureWindowA"
$capability2 = "CreateRemoteThread"
$capability3 = "WriteProcessMemory"
$capability4 = "LsaRetrievePrivateData"
$capability5 = "AdjustTokenPrivileges"
$function = "ResetSSDT"
$window = "WinSta0\\Default"
$magic = {47 6C 6F 62 61 6C 5C [5-9] 20 25 64} /* $magic = "Gh0st" */
condition:
all of them
}
rule Gh0st
{
meta:
description = "Gh0st"
author = "botherder https://github.com/botherder"
strings:
$ = /(G)host/
$ = /(i)nflate 1\.1\.4 Copyright 1995-2002 Mark Adler/
$ = /(d)eflate 1\.1\.4 Copyright 1995-2002 Jean-loup Gailly/
$ = /(%)s\\shell\\open\\command/
$ = /(G)etClipboardData/
$ = /(W)riteProcessMemory/
$ = /(A)djustTokenPrivileges/
$ = /(W)inSta0\\Default/
$ = /(#)32770/
$ = /(#)32771/
$ = /(#)32772/
$ = /(#)32774/
condition:
all of them
}
rule gh0st
{
meta:
author = "https://github.com/jackcr/"
strings:
$a = { 47 68 30 73 74 ?? ?? ?? ?? ?? ?? ?? ?? 78 9C }
$b = "Gh0st Update"
condition:
any of them
}
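Review bot: The rules Gh0st (L3824) and gh0st (L3845) differ only in the case of one letter; YARA treats them as distinct identifiers so this compiles, but any downstream report or filter that folds case cannot tell them apart, and a reader will take one of them for a typo. Since both are new in this commit, rename them to carry their provenance, e.g. `rule Gh0st_botherder` and `rule Gh0st_jackcr`, in the same way APT_WIN_Gh0st_ver (L3801) already distinguishes itself.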
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule gholeeV1
{
meta:
Author = "@GelosSnake"
Date = "2014/08"
Description = "Gholee first discovered variant "
Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
strings:
$a = "sandbox_avg10_vc9_SP1_2011"
$b = "gholee"
condition:
all of them
}
rule gholeeV2
{
meta:
Author = "@GelosSnake"
Date = "2015-02-12"
Description = "Gholee first discovered variant "
Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
strings:
$string0 = "RichHa"
$string1 = " ((((( H" wide
$string2 = "1$1,141<1D1L1T1\\1d1l1t1"
$string3 = "<8;$O' "
$string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
$string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
$string6 = "urn:schemas-microsoft-com:asm.v1"
$string7 = "8.848H8O8i8s8y8"
$string8 = "wrapper3" wide
$string9 = "pwwwwwwww"
$string10 = "Sunday"
$string11 = "YYuTVWh"
$string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
$string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
$string15 = "wrapper3 Version 1.0" wide
$string16 = "77A779"
$string17 = "<C<G<M<R<X<"
$string18 = "9 9-9N9X9s9"
condition:
18 of them
}
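Review bot: gholeeV2 (L3872–L3900) reuses gholeeV1's description "Gholee first discovered variant " verbatim on L3877, trailing space included, although its date and string set describe a later variant; change it to `Description = "Gholee second variant"` or at least drop the "first discovered" wording. The strings in gholeeV2 are largely generic PE and resource fragments ("RichHa", "Sunday", "urn:schemas-microsoft-com:asm.v1", "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]") and `18 of them` on L3899 requires every one of the eighteen declared strings, so the rule is in effect an exact-sample signature; a meta line saying so would save whoever later wonders why it does not generalise.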
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule GlassesCode : Glasses Family
{
meta:
description = "Glasses code features"
author = "Seth Hardy"
last_modified = "2014-07-22"
strings:
$ = { B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8 }
$ = { B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA }
condition:
any of them
}
rule GlassesStrings : Glasses Family
{
meta:
description = "Strings used by Glasses"
author = "Seth Hardy"
last_modified = "2014-07-22"
strings:
$ = "thequickbrownfxjmpsvalzydg"
$ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
$ = "\" target=\"NewRef\"></a>"
condition:
all of them
}
rule Glasses : Family
{
meta:
description = "Glasses family"
author = "Seth Hardy"
last_modified = "2014-07-22"
condition:
GlassesCode or GlassesStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Grozlex : Stealer
{
meta:
author="Kevin Falcoz"
date="20/08/2013"
description="Grozlex Stealer - Possible HCStealer"
strings:
$signature={4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E}
condition:
$signature
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule IMulerCode : IMuler Family
{
meta:
description = "IMuler code tricks"
author = "Seth Hardy"
last_modified = "2014-06-16"
strings:
// Load these function strings 4 characters at a time. These check the first two blocks:
$L4_tmpSpotlight = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 53 70 6F }
$L4_TMPAAABBB = { C7 ?? ?? ?? ?? ?? 54 4D 50 41 C7 ?? ?? ?? ?? ?? 41 41 42 42 }
$L4_FILEAGENTVer = { C7 ?? 46 49 4C 45 C7 ?? 04 41 47 45 4E }
$L4_TMP0M34JDF8 = { C7 ?? ?? ?? ?? ?? 54 4D 50 30 C7 ?? ?? ?? ?? ?? 4D 33 34 4A }
$L4_tmpmdworker = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 2E 6D 64 }
condition:
any of ($L4*)
}
rule IMulerStrings : IMuler Family
{
meta:
description = "IMuler Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-16"
strings:
$ = "/cgi-mac/"
$ = "xnocz1"
$ = "checkvir.plist"
$ = "/Users/apple/Documents/mac back"
$ = "iMuler2"
$ = "/Users/imac/Desktop/macback/"
$ = "xntaskz.gz"
$ = "2wmsetstatus.cgi"
$ = "launch-0rp.dat"
$ = "2wmupload.cgi"
$ = "xntmpz"
$ = "2wmrecvdata.cgi"
$ = "xnorz6"
$ = "2wmdelfile.cgi"
$ = "/LanchAgents/checkvir"
$ = "0PERA:%s"
$ = "/tmp/Spotlight"
$ = "/tmp/launch-ICS000"
condition:
any of them
}
rule IMuler : Family
{
meta:
description = "IMuler"
author = "Seth Hardy"
last_modified = "2014-06-16"
condition:
IMulerCode or IMulerStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Insta11Code : Insta11 Family
{
meta:
description = "Insta11 code features"
author = "Seth Hardy"
last_modified = "2014-06-23"
strings:
// jmp $+5; push 423h
$jumpandpush = { E9 00 00 00 00 68 23 04 00 00 }
condition:
any of them
}
rule Insta11Strings : Insta11 Family
{
meta:
description = "Insta11 Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-23"
strings:
$ = "XTALKER7"
$ = "Insta11 Microsoft" wide ascii
$ = "wudMessage"
$ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"
$ = "B12AE898-D056-4378-A844-6D393FE37956"
condition:
any of them
}
rule Insta11 : Family
{
meta:
description = "Insta11"
author = "Seth Hardy"
last_modified = "2014-06-23"
condition:
Insta11Code or Insta11Strings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Intel_Virtualization_Wizard_exe {
meta:
author = "cabrel@zerklabs.com"
description = "Dynamic DLL abuse executable"
file_1_seen = "2013-05-21"
file_1_sha256 = "7787757ae851f4a162f46f794be1532ab78e1928185212bdab83b3106f28c708"
strings:
$a = {4C 6F 61 64 53 54 52 49 4E 47}
$b = {49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B}
$c = {46 69 6E 64 52 65 73 6F 75 72 63 65 73}
$d = {4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55}
$e = {68 63 63 75 74 69 6C 73 2E 44 4C 4C}
condition:
all of them
}
rule Intel_Virtualization_Wizard_dll {
meta:
author = "cabrel@zerklabs.com"
description = "Dynamic DLL (Malicious)"
file_1_seen = "2013-05-21"
file_1_sha256 = "485ae043b6a5758789f1d33766a26d8b45b9fde09cde0512aa32d4bd1ee04f28"
strings:
$a = {48 3A 5C 46 61 73 74 5C 50 6C 75 67 28 68 6B 63 6D 64 29 5C}
$b = {64 6C 6C 5C 52 65 6C 65 61 73 65 5C 48 69 6A 61 63 6B 44 6C 6C 2E 70 64 62}
condition:
($a and $b) and Intel_Virtualization_Wizard_exe
}
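Review bot: The hex strings `$a`–`$e` in Intel_Virtualization_Wizard_exe (L4063–L4067) and `$a`/`$b` in Intel_Virtualization_Wizard_dll (L4078–L4079) are plain ASCII written out byte by byte, which hides what the rule actually looks for; the equivalent text strings below match the same bytes and can be reviewed at a glance, and the dll rule's two become `$a = "H:\\Fast\\Plug(hkcmd)\\"` and `$b = "dll\\Release\\HijackDll.pdb"`. Note that `$a` ("LoadSTRING") is a prefix of `$d` ("LoadSTRINGFromHKCU"), so it adds nothing to the `all of them` condition. The dll rule's condition on L4081 also requires the exe rule to match the same scanned file, so it only fires on a DLL that itself contains all five of those names; if that is the intent, a one-line comment saying so would stop the next reader from assuming the two rules target two different files.
```yara
rule Intel_Virtualization_Wizard_exe {
// … unchanged: meta …
strings:
$a = "LoadSTRING"
$b = "InitializeKeyHook"
$c = "FindResources"
$d = "LoadSTRINGFromHKCU"
$e = "hccutils.DLL"
// … unchanged: condition …
```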
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule KINS_dropper {
meta:
author = "AlienVault Labs aortega@alienvault.com"
description = "Match protocol, process injects and windows exploit present in KINS dropper"
reference = "http://goo.gl/arPhm3"
strings:
// Network protocol
$n1 = "tid=%d&ta=%s-%x" fullword
$n2 = "fid=%d" fullword
$n3 = "%[^.].%[^(](%[^)])" fullword
// Injects
$i0 = "%s [%s %d] 77 %s"
$i01 = "Global\\%s%x"
$i1 = "Inject::InjectProcessByName()"
$i2 = "Inject::CopyImageToProcess()"
$i3 = "Inject::InjectProcess()"
$i4 = "Inject::InjectImageToProcess()"
$i5 = "Drop::InjectStartThread()"
// UAC bypass
$uac1 = "ExploitMS10_092"
$uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
$uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
condition:
2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
}
rule KINS_DLL_zeus {
meta:
author = "AlienVault Labs aortega@alienvault.com"
description = "Match default bot in KINS leaked dropper, Zeus"
reference = "http://goo.gl/arPhm3"
strings:
// Network protocol
$n1 = "%BOTID%" fullword
$n2 = "%opensocks%" fullword
$n3 = "%openvnc%" fullword
$n4 = /Global\\(s|v)_ev/ fullword
// Crypted strings
$s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
$s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
$s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
$s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
$s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
condition:
all of ($n*) and 1 of ($s*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule KelihosHlux
{
meta:
author = "@malpush"
maltype = "KelihosHlux"
description = "http://malwared.ru"
date = "22/02/2014"
strings:
$KelihosHlux_HexString = { 73 20 7D 8B FE 95 E4 12 4F 3F 99 3F 6E C8 28 26 C2 41 D9 8F C1 6A 72 A6 CE 36 0F 73 DD 2A 72 B0 CC D1 07 8B 2B 98 73 0E 7E 8C 07 DC 6C 71 63 F4 23 27 DD 17 56 AE AB 1E 30 52 E7 54 51 F7 20 ED C7 2D 4B 72 E0 77 8E B4 D2 A8 0D 8D 6A 64 F9 B7 7B 08 70 8D EF F3 9A 77 F6 0D 88 3A 8F BB C8 89 F5 F8 39 36 BA 0E CB 38 40 BF 39 73 F4 01 DC C1 17 BF C1 76 F6 84 8F BD 87 76 BC 7F 85 41 81 BD C6 3F BC 39 BD C0 89 47 3E 92 BD 80 60 9D 89 15 6A C6 B9 89 37 C4 FF 00 3D 45 38 09 CD 29 00 90 BB B6 38 FD 28 9C 01 39 0E F9 30 A9 66 6B 19 C9 F8 4C 3E B1 C7 CB 1B C9 3A 87 3E 8E 74 E7 71 D1 }
condition:
$KelihosHlux_HexString
}
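Review bot: The meta of KelihosHlux (L4138–L4142) puts a URL in `description` and has no `reference` key, so the rule carries no human-readable description at all; use `description = "<what the byte sequence is>"` and `reference = "http://malwared.ru"`. The long hex string on L4144 has no wildcards and no comment saying where in the sample it was taken from, so nobody can later tell whether a miss means a repacked sample or a dead signature; a one-line comment naming the function or section the bytes came from is the minimum.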
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule LURK0Header : Family LURK0 {
meta:
description = "5 char code for LURK0"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
condition:
any of them
}
rule CCTV0Header : Family CCTV0 {
meta:
description = "5 char code for LURK0"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
//if its just one char a time
$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
// bit hacky but for when samples dont just simply mov 1 char at a time
$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
condition:
any of them
}
rule SharedStrings : Family {
meta:
description = "Internal names found in LURK0/CCTV0 samples"
author = "Katie Kleemola"
last_updated = "07-22-2014"
strings:
// internal names
$i1 = "Butterfly.dll"
$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
$i3 = "ETClientDLL"
// dbx
$d1 = "\\DbxUpdateET\\" wide
$d2 = "\\DbxUpdateBT\\" wide
$d3 = "\\DbxUpdate\\" wide
// other folders
$mc1 = "\\Micet\\"
// embedded file names
$n1 = "IconCacheEt.dat" wide
$n2 = "IconConfigEt.dat" wide
$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
$m2 = "\x00\x00111\x00\x00" wide
$m3 = "\x00\x00ETUN\x00\x00" wide
$m4 = "\x00\x00ER\x00\x00" wide
condition:
any of them //todo: finetune this
}
rule LURK0 : Family LURK0 {
meta:
description = "rule for lurk0"
author = "Katie Kleemola"
last_updated = "07-22-2014"
condition:
LURK0Header and SharedStrings
}
rule CCTV0 : Family CCTV0 {
meta:
description = "rule for cctv0"
author = "Katie Kleemola"
last_updated = "07-22-2014"
condition:
CCTV0Header and SharedStrings
}
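Review bot: CCTV0Header's description on L4164 is a copy of LURK0Header's ("5 char code for LURK0"), but the bytes it looks for on L4169, 43 43 54 56 30, spell "CCTV0"; change it to `description = "5 char code for CCTV0"`. SharedStrings (L4175–L4200) is only consumed by LURK0 and CCTV0, yet as an ordinary rule it also reports on its own, and with `any of them` over strings as short as `"\x00\x00ER\x00\x00" wide` (L4197) that standalone hit will be noisy, as the `//todo: finetune this` on L4199 already admits; declaring it `private rule SharedStrings : Family {` keeps it usable from the two family rules while stopping it from being reported by itself.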
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
/* LENOVO Superfish -------------------------------------------------------- */
rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
meta:
description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
author = "Florian Roth / improved by kbandla"
reference = "https://twitter.com/4nc4p/status/568325493558272000"
date = "2015/02/19"
hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
strings:
$mz = { 4d 5a }
//$s1 = "VisualDiscovery.exe" fullword wide
$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
$s3 = "GetPCProxyHandler" fullword ascii
$s4 = "StartPCProxy" fullword ascii
$s5 = "SetPCProxyHandler" fullword ascii
condition:
( $mz at 0 ) and filesize < 2MB and all of ($s*)
}
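Review bot: The rule identifier on L4222, VisualDiscovery_Lonovo_Superfish_SSL_Hijack, misspells the vendor that its own description on L4224 names as Lenovo; since this commit introduces the rule, rename it now to `rule VisualDiscovery_Lenovo_Superfish_SSL_Hijack {` before anything starts referencing it. The `$s1 = "VisualDiscovery.exe"` line left commented out on L4234 gives no reason; either delete it or add why it was dropped so a later editor does not simply re-enable it.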
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule leverage_a
{
meta:
author = "earada@alienvault.com"
version = "1.0"
description = "OSX/Leverage.A"
date = "2013/09"
strings:
$a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
$a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
$a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
$script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
$script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
$script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
$properties = "serverVisible \x00"
condition:
all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule LogPOS
{
meta:
author = "Morphick Security"
description = "Detects Versions of LogPOS"
md5 = "af13e7583ed1b27c4ae219e344a37e2b"
strings:
$mailslot = "\\\\.\\mailslot\\LogCC"
$get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
//64A130000000 mov eax, dword ptr fs:[0x30]
//8B400C mov eax, dword ptr [eax + 0xc]
//8B401C mov eax, dword ptr [eax + 0x1c]
//8B4008 mov eax, dword ptr [eax + 8]
$sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
condition:
$sc and 1 of ($mailslot,$get)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule lost_door : Trojan
{
meta:
author="Kevin Falcoz"
date="23/02/2013"
description="Lost Door"
strings:
$signature1={45 44 49 54 5F 53 45 52 56 45 52} /*EDIT_SERVER*/
condition:
$signature1
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule LuckyCatCode : LuckyCat Family
{
meta:
description = "LuckyCat code tricks"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B }
$dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C }
$commonletters = { B? 63 B? 61 B? 73 B? 65 }
condition:
$xordecrypt or ($dll and $commonletters)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule MacControlCode : MacControl Family
{
meta:
description = "MacControl code tricks"
author = "Seth Hardy"
last_modified = "2014-06-17"
strings:
// Load these function strings 4 characters at a time. These check the first two blocks:
$L4_Accept = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20 }
$L4_AcceptLang = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C }
$L4_Pragma = { C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20 }
$L4_Connection = { C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69 }
$GEThgif = { C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67 }
condition:
all of ($L4*) or $GEThgif
}
rule MacControlStrings : MacControl Family
{
meta:
description = "MacControl Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-17"
strings:
$ = "HTTPHeadGet"
$ = "/Library/launched"
$ = "My connect error with no ip!"
$ = "Send File is Failed"
$ = "****************************You Have got it!****************************"
condition:
any of them
}
rule MacControl : Family
{
meta:
description = "MacControl"
author = "Seth Hardy"
last_modified = "2014-06-16"
condition:
MacControlCode or MacControlStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule MirageStrings : Mirage Family
{
meta:
description = "Mirage Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$ = "Neo,welcome to the desert of real." wide ascii
$ = "/result?hl=en&id=%s"
condition:
any of them
}
rule Mirage : Family
{
meta:
description = "Mirage"
author = "Seth Hardy"
last_modified = "2014-06-25"
condition:
MirageStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule tran_duy_linh
{
meta:
author = "@patrickrolsen"
maltype = "Misc."
version = "0.2"
reference = "8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc."
date = "01/03/2014"
strings:
$doc = {D0 CF 11 E0} //DOCFILE0
$string1 = "Tran Duy Linh" fullword
$string2 = "DLC Corporation" fullword
condition:
($doc at 0) and (all of ($string*))
}
rule misc_iocs
{
meta:
author = "@patrickrolsen"
maltype = "Misc."
version = "0.1"
reference = "N/A"
strings:
$doc = {D0 CF 11 E0} //DOCFILE0
$s1 = "dw20.exe"
$s2 = "cmd /"
condition:
($doc at 0) and (1 of ($s*))
}
rule malicious_LNK_files
{
meta:
author = "@patrickrolsen"
strings:
$magic = {4C 00 00 00 01 14 02 00} // L.......
$s1 = "\\RECYCLER\\" wide
$s2 = "%temp%" wide
$s3 = "%systemroot%\\system32\\cmd.exe" wide
//$s4 = "./start" wide
$s5 = "svchost.exe" wide
$s6 = "lsass.exe" wide
$s7 = "csrss.exe" wide
$s8 = "winlogon.exe" wide
//$s9 = "%cd%" wide
$s10 = "%appdata%" wide
$s11 = "%programdata%" wide
$s12 = "%localappdata%" wide
$s13 = ".cpl" wide
condition:
($magic at 0) and any of ($s*)
}
rule memory_pivy
{
meta:
author = "https://github.com/jackcr/"
strings:
$a = {00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00} // presence of pivy in memory
condition:
any of them
}
rule memory_shylock
{
meta:
author = "https://github.com/jackcr/"
strings:
$a = /pipe\\[A-F0-9]{32}/ //Named pipe created by the malware
$b = /id=[A-F0-9]{32}/ //Portion or the uri beacon
$c = /MASTER_[A-F0-9]{32}/ //Mutex created by the malware
$d = "***Load injects by PIPE (%s)" //String found in binary
$e = "***Load injects url=%s (%s)" //String found in binary
$f = "*********************** Ping Ok ************************" //String found in binary
$g = "*** LOG INJECTS *** %s" //String found in binary
condition:
any of them
}
rule RookieStrings : Rookie Family
{
meta:
description = "Rookie Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$ = "RookIE/1.0"
condition:
any of them
}
rule ScanBox_Malware_Generic {
meta:
description = "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP"
author = "Florian Roth"
reference1 = "http://goo.gl/MUUfjv"
reference2 = "http://goo.gl/WXUQcP"
date = "2015/02/28"
hash1 = "8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9"
hash2 = "d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d"
hash3 = "3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2"
strings:
/* Sample 1 */
$s0 = "http://142.91.76.134/p.dat" fullword ascii
$s1 = "HttpDump 1.1" fullword ascii
/* Sample 2 */
$s3 = "SecureInput .exe" fullword wide
$s4 = "http://extcitrix.we11point.com/vpn/index.php?ref=1" fullword ascii
/* Sample 3 */
$s5 = "%SystemRoot%\\System32\\svchost.exe -k msupdate" fullword ascii
$s6 = "ServiceMaix" fullword ascii
/* Certificate and Keywords */
$x1 = "Management Support Team1" fullword ascii
$x2 = "DTOPTOOLZ Co.,Ltd.0" fullword ascii
$s3 = "SEOUL1" fullword ascii
condition:
( 1 of ($s*) and 2 of ($x*) ) or
( 3 of ($x*) )
}
rule TrojanDownloader {
meta:
description = "Trojan Downloader - Flash Exploit Feb15"
author = "Florian Roth"
reference = "http://goo.gl/wJ8V1I"
date = "2015/02/11"
hash = "5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e"
score = 60
strings:
$x1 = "Hello World!" fullword ascii
$x2 = "CONIN$" fullword ascii
$s6 = "GetCommandLineA" fullword ascii
$s7 = "ExitProcess" fullword ascii
$s8 = "CreateFileA" fullword ascii
$s5 = "SetConsoleMode" fullword ascii
$s9 = "TerminateProcess" fullword ascii
$s10 = "GetCurrentProcess" fullword ascii
$s11 = "UnhandledExceptionFilter" fullword ascii
$s3 = "user32.dll" fullword ascii
$s16 = "GetEnvironmentStrings" fullword ascii
$s2 = "GetLastActivePopup" fullword ascii
$s17 = "GetFileType" fullword ascii
$s19 = "HeapCreate" fullword ascii
$s20 = "VirtualFree" fullword ascii
$s21 = "WriteFile" fullword ascii
$s22 = "GetOEMCP" fullword ascii
$s23 = "VirtualAlloc" fullword ascii
$s24 = "GetProcAddress" fullword ascii
$s26 = "FlushFileBuffers" fullword ascii
$s27 = "SetStdHandle" fullword ascii
$s28 = "KERNEL32.dll" fullword ascii
condition:
$x1 and $x2 and ( all of ($s*) ) and filesize < 35000
}
rule Embedded_EXE_Cloaking {
meta:
description = "Detects an embedded executable in a non-executable file"
author = "Florian Roth"
date = "2015/02/27"
score = 80
strings:
$noex_png = { 89 50 4E 47 }
$noex_pdf = { 25 50 44 46 }
$noex_rtf = { 7B 5C 72 74 66 31 }
$noex_jpg = { FF D8 FF E0 }
$noex_gif = { 47 49 46 38 }
$mz = { 4D 5A }
$a1 = "This program cannot be run in DOS mode"
$a2 = "This program must be run under Win32"
condition:
(
( $noex_png at 0 ) or
( $noex_pdf at 0 ) or
( $noex_rtf at 0 ) or
( $noex_jpg at 0 ) or
( $noex_gif at 0 )
)
and
for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
}
rule Cloaked_as_JPG {
meta:
description = "Detects a cloaked file as JPG"
author = "Florian Roth (eval section from Didier Stevens)"
date = "2015/02/29"
score = 70
strings:
$ext = "extension: .jpg"
condition:
$ext and uint16be(0x00) != 0xFFD8
}
rule WindowsCredentialEditor
{
meta:
description = "Windows Credential Editor" threat_level = 10 score = 90
strings:
$a = "extract the TGT session key"
$b = "Windows Credentials Editor"
condition:
$a or $b
}
rule Amplia_Security_Tool
{
meta:
description = "Amplia Security Tool"
score = 60
nodeepdive = 1
strings:
$a = "Amplia Security"
$b = "Hernan Ochoa"
$c = "getlsasrvaddr.exe"
$d = "Cannot get PID of LSASS.EXE"
$e = "extract the TGT session key"
$f = "PPWDUMP_DATA"
condition: 1 of them
}
rule perlbot_pl {
meta:
description = "Semi-Auto-generated - file perlbot.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "7e4deb9884ffffa5d82c22f8dc533a45"
strings:
$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
$s1 = "#Acesso a Shel - 1 ON 0 OFF"
condition:
1 of them
}
rule php_backdoor_php {
meta:
description = "Semi-Auto-generated - file php-backdoor.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
strings:
$s0 = "http://michaeldaw.org 2006"
$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
$s3 = "coded by z0mbie"
condition:
1 of them
}
rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
meta:
description = "Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
strings:
$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
condition:
1 of them
}
rule Nshell__1__php_php {
meta:
description = "Semi-Auto-generated - file Nshell (1).php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "973fc89694097a41e684b43a21b1b099"
strings:
$s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
$s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
condition:
1 of them
}
rule shankar_php_php {
meta:
description = "Semi-Auto-generated - file shankar.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "6eb9db6a3974e511b7951b8f7e7136bb"
strings:
$sAuthor = "ShAnKaR"
$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
condition:
1 of ($s*) and $sAuthor
}
rule Casus15_php_php {
meta:
description = "Semi-Auto-generated - file Casus15.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
strings:
$s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
$s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
$s3 = "value='Calistirmak istediginiz "
condition:
1 of them
}
rule small_php_php {
meta:
description = "Semi-Auto-generated - file small.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "fcee6226d09d150bfa5f103bee61fbde"
strings:
$s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
$s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
$s4 = "@ini_set('error_log',NULL);" fullword
condition:
2 of them
}
rule shellbot_pl {
meta:
description = "Semi-Auto-generated - file shellbot.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
strings:
$s0 = "ShellBOT"
$s1 = "PacktsGr0up"
$s2 = "CoRpOrAtIoN"
$s3 = "# Servidor de irc que vai ser usado "
$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
condition:
2 of them
}
rule fuckphpshell_php {
meta:
description = "Semi-Auto-generated - file fuckphpshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "554e50c1265bb0934fcc8247ec3b9052"
strings:
$s0 = "$succ = \"Warning! "
$s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!"
$s2 = "\\*=-- MEMBERS AREA --=*/"
$s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
condition:
2 of them
}
rule ngh_php_php {
meta:
description = "Semi-Auto-generated - file ngh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c372b725419cdfd3f8a6371cfeebc2fd"
strings:
$s0 = "Cr4sh_aka_RKL"
$s1 = "NGH edition"
$s2 = "/* connectback-backdoor on perl"
$s3 = "<form action=<?=$script?>?act=bindshell method=POST>"
$s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r"
condition:
1 of them
}
rule jsp_reverse_jsp {
meta:
description = "Semi-Auto-generated - file jsp-reverse.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8b0e6779f25a17f0ffb3df14122ba594"
strings:
$s0 = "// backdoor.jsp"
$s1 = "JSP Backdoor Reverse Shell"
$s2 = "http://michaeldaw.org"
condition:
1 of them
}
rule Tool_asp {
meta:
description = "Semi-Auto-generated - file Tool.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
strings:
$s0 = "mailto:rhfactor@antisocial.com"
$s2 = "?raiz=root"
$s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE"
$s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
condition:
2 of them
}
rule NT_Addy_asp {
meta:
description = "Semi-Auto-generated - file NT Addy.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2e0d1bae844c9a8e6e351297d77a1fec"
strings:
$s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
$s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
$s4 = "RAW D.O.S. COMMAND INTERFACE"
condition:
1 of them
}
rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
meta:
description = "Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "089ff24d978aeff2b4b2869f0c7d38a3"
strings:
$s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
$s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
$s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
condition:
1 of them
}
rule RemExp_asp {
meta:
description = "Semi-Auto-generated - file RemExp.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "aa1d8491f4e2894dbdb91eec1abc2244"
strings:
$s0 = "<title>Remote Explorer</title>"
$s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
$s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
condition:
2 of them
}
rule phvayvv_php_php {
meta:
description = "Semi-Auto-generated - file phvayvv.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "35fb37f3c806718545d97c6559abd262"
strings:
$s0 = "{mkdir(\"$dizin/$duzenx2\",777)"
$s1 = "$baglan=fopen($duzkaydet,'w');"
$s2 = "PHVayv 1.0"
condition:
1 of them
}
rule klasvayv_asp {
meta:
description = "Semi-Auto-generated - file klasvayv.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2b3e64bf8462fc3d008a3d1012da64ef"
strings:
$s1 = "set aktifklas=request.querystring(\"aktifklas\")"
$s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
$s3 = "<font color=\"#858585\">www.aventgrup.net"
$s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
condition:
1 of them
}
rule r57shell_php_php {
meta:
description = "Semi-Auto-generated - file r57shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d28445de424594a5f14d0fe2a7c4e94f"
strings:
$s0 = "r57shell" fullword
$s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
$s2 = "RusH security team"
$s3 = "'ru_text12' => 'back-connect"
condition:
1 of them
}
rule rst_sql_php_php {
meta:
description = "Semi-Auto-generated - file rst_sql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0961641a4ab2b8cb4d2beca593a92010"
strings:
$s0 = "C:\\tmp\\dump_"
$s1 = "RST MySQL"
$s2 = "http://rst.void.ru"
$s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';"
condition:
2 of them
}
rule wh_bindshell_py {
meta:
description = "Semi-Auto-generated - file wh_bindshell.py.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "fab20902862736e24aaae275af5e049c"
strings:
$s0 = "#Use: python wh_bindshell.py [port] [password]"
$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
condition:
1 of them
}
rule lurm_safemod_on_cgi {
meta:
description = "Semi-Auto-generated - file lurm_safemod_on.cgi.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5ea4f901ce1abdf20870c214b3231db3"
strings:
$s0 = "Network security team :: CGI Shell" fullword
$s1 = "#########################<<KONEC>>#####################################" fullword
$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
condition:
1 of them
}
rule c99madshell_v2_0_php_php {
meta:
description = "Semi-Auto-generated - file c99madshell_v2.0.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d27292895da9afa5b60b9d3014f39294"
strings:
$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
condition:
all of them
}
rule backupsql_php_often_with_c99shell {
meta:
description = "Semi-Auto-generated - file backupsql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
strings:
$s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
$s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
condition:
all of them
}
rule uploader_php_php {
meta:
description = "Semi-Auto-generated - file uploader.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0b53b67bb3b004a8681e1458dd1895d0"
strings:
$s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
$s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
$s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
condition:
2 of them
}
rule telnet_pl {
meta:
description = "Semi-Auto-generated - file telnet.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "dd9dba14383064e219e29396e242c1ec"
strings:
$s0 = "W A R N I N G: Private Server"
$s2 = "$Message = q$<pre><font color=\"#669999\"> _____ _____ _____ _____ "
condition:
all of them
}
rule w3d_php_php {
meta:
description = "Semi-Auto-generated - file w3d.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "987f66b29bfb209a0b4f097f84f57c3b"
strings:
$s0 = "W3D Shell"
$s1 = "By: Warpboy"
$s2 = "No Query Executed"
condition:
2 of them
}
rule rtf_yahoo_ken
{
meta:
author = "@patrickrolsen"
maltype = "Yahoo Ken"
filetype = "RTF"
version = "0.1"
description = "Test rule"
date = "2013-12-14"
strings:
$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
$author1 = { 79 61 68 6f 6f 20 6b 65 63 } // "yahoo ken"
condition:
($magic1 or $magic2 or $magic3 at 0) and $author1
}
rule ZXProxy
{
meta:
author = "ThreatConnect Intelligence Research Team"
strings:
$C = "\\Control\\zxplug" nocase wide ascii
$h = "http://www.facebook.com/comment/update.exe" wide ascii
$S = "Shared a shell to %s:%s Successfully" nocase wide ascii
condition:
any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule LinuxAESDDoS
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
strings:
$a = "3AES"
$b = "Hacker"
$c = "VERSONEX"
condition:
2 of ($a,$b,$c)
}
rule LinuxBillGates
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429"
strings:
$a= "12CUpdateGates"
$b= "11CUpdateBill"
condition:
$a and $b
}
rule LinuxElknot
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
strings:
$a = "ZN8CUtility7DeCryptEPciPKci"
$b = "ZN13CThreadAttack5StartEP11CCmdMessage"
condition:
$a and $b
}
rule LinuxMrBlack
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
strings:
$a = "Mr.Black"
$b = "VERS0NEX:%s|%d|%d|%s"
condition:
$a and $b
}
rule LinuxTsunami
{
meta:
author = "@benkow_"
description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
strings:
$a = "PRIVMSG %s :[STD]Hitting %s"
$b = "NOTICE %s :TSUNAMI <target> <secs>"
$c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
condition:
$a or $b or $c
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule rtf_multiple
{
meta:
author = "@patrickrolsen"
maltype = "Multiple"
version = "0.1"
reference = "fd69a799e21ccb308531ce6056944842"
date = "01/04/2014"
strings:
$rtf = { 7b 5c 72 74 ?? ?? } // {\rt01 {\rtf1 {\rtxa
$string1 = "author user"
$string2 = "title Vjkygdjdtyuj" nocase
$string3 = "company ooo"
$string4 = "password 00000000"
condition:
($rtf at 0) and (all of ($string*))
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule NSFreeCode : NSFree Family
{
meta:
description = "NSFree code features"
author = "Seth Hardy"
last_modified = "2014-06-24"
strings:
// push vars then look for MZ
$ = { 53 56 57 66 81 38 4D 5A }
// nops then look for PE\0\0
$ = { 90 90 90 90 81 3F 50 45 00 00 }
condition:
all of them
}
rule NSFreeStrings : NSFree Family
{
meta:
description = "NSFree Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-24"
strings:
$ = "\\MicNS\\" nocase
$ = "NSFreeDll" wide ascii
// xor 0x58 dos stub
$ = { 0c 30 31 2b 78 28 2a 37 3f 2a 39 35 78 3b 39 36 36 37 }
condition:
any of them
}
rule NSFree : Family
{
meta:
description = "NSFree"
author = "Seth Hardy"
last_modified = "2014-06-24"
condition:
NSFreeCode or NSFreeStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule NaikonCode : Naikon Family
{
meta:
description = "Naikon code features"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
// decryption
$ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eah, 1fh
$ = { 35 5A 01 00 00} // xor eax, 15ah
$ = { 81 C2 7F 14 06 00 } // add edx, 6147fh
condition:
all of them
}
rule NaikonStrings : Naikon Family
{
meta:
description = "Naikon Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-25"
strings:
$ = "NOKIAN95/WEB"
$ = "/tag=info&id=15"
$ = "skg(3)=&3.2d_u1"
$ = "\\Temp\\iExplorer.exe"
$ = "\\Temp\\\"TSG\""
condition:
any of them
}
rule Naikon : Family
{
meta:
description = "Naikon"
author = "Seth Hardy"
last_modified = "2014-06-25"
condition:
NaikonCode or NaikonStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule NetpassStrings : NetPass Variant {
meta:
description = "Identifiers for netpass variant"
author = "Katie Kleemola"
last_updated = "2014-05-29"
strings:
$exif1 = "Device Protect ApplicatioN" wide
$exif2 = "beep.sys" wide //embedded exe name
$exif3 = "BEEP Driver" wide //embedded exe description
$string1 = "\x00NetPass Update\x00"
$string2 = "\x00%s:DOWNLOAD\x00"
$string3 = "\x00%s:UPDATE\x00"
$string4 = "\x00%s:uNINSTALL\x00"
condition:
all of ($exif*) or any of ($string*)
}
rule NetPass : Variant {
meta:
description = "netpass variant"
author = "Katie Kleemola"
last_updated = "2014-07-08"
condition:
NetpassStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule NetTravStrings : NetTraveler Family {
meta:
description = "Identifiers for NetTraveler DLL"
author = "Katie Kleemola"
last_updated = "2014-05-20"
strings:
//network strings
$ = "?action=updated&hostid="
$ = "travlerbackinfo"
$ = "?action=getcmd&hostid="
$ = "%s?action=gotcmd&hostid="
$ = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext="
//debugging strings
$ = "\x00Method1 Fail!!!!!\x00"
$ = "\x00Method3 Fail!!!!!\x00"
$ = "\x00method currect:\x00"
$ = /\x00\x00[\w\-]+ is Running!\x00\x00/
$ = "\x00OtherTwo\x00"
condition:
any of them
}
rule NetTravExports : NetTraveler Family {
meta:
description = "Export names for dll component"
author = "Katie Kleemola"
last_updated = "2014-05-20"
strings:
//dll component exports
$ = "?InjectDll@@YAHPAUHWND__@@K@Z"
$ = "?UnmapDll@@YAHXZ"
$ = "?g_bSubclassed@@3HA"
condition:
any of them
}
rule NetTraveler : Family {
meta:
description = "Nettravelr"
author = "Katie Kleemola"
last_updated = "2014-07-08"
condition:
NetTravExports or NetTravStrings or NetpassStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Njrat
{
meta:
description = "Njrat"
author = "botherder https://github.com/botherder"
strings:
$string1 = /(F)romBase64String/
$string2 = /(B)ase64String/
$string3 = /(C)onnected/ wide ascii
$string4 = /(R)eceive/
$string5 = /(S)end/ wide ascii
$string6 = /(D)ownloadData/ wide ascii
$string7 = /(D)eleteSubKey/ wide ascii
$string8 = /(g)et_MachineName/
$string9 = /(g)et_UserName/
$string10 = /(g)et_LastWriteTime/
$string11 = /(G)etVolumeInformation/
$string12 = /(O)SFullName/ wide ascii
$string13 = /(n)etsh firewall/ wide
$string14 = /(c)md\.exe \/k ping 0 & del/ wide
$string15 = /(c)md\.exe \/c ping 127\.0\.0\.1 & del/ wide
$string16 = /(c)md\.exe \/c ping 0 -n 2 & del/ wide
$string17 = {7C 00 27 00 7C 00 27 00 7C}
condition:
10 of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule TROJAN_Notepad {
meta:
Author = "RSA_IR"
Date = "4Jun13"
File = "notepad.exe v 1.1"
MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927"
strings:
$s1 = "75BAA77C842BE168B0F66C42C7885997"
$s2 = "B523F63566F407F3834BCC54AAA32524"
condition:
$s1 or $s2
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule OlyxCode : Olyx Family
{
meta:
description = "Olyx code tricks"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 }
$slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C }
condition:
any of them
}
rule OlyxStrings : Olyx Family
{
meta:
description = "Olyx Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$ = "/Applications/Automator.app/Contents/MacOS/DockLight"
condition:
any of them
}
rule Olyx : Family
{
meta:
description = "Olyx"
author = "Seth Hardy"
last_modified = "2014-06-19"
condition:
OlyxCode or OlyxStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule OPCLEAVER_BackDoorLogger {
    meta:
        description = "Keylogger used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Both identifier-like strings must be present, ASCII only (no wide modifier,
        // so a UTF-16 build of the same names would not match).
        $name_logger = "BackDoorLogger"
        $name_addr = "zhuAddress"
    condition:
        $name_logger and $name_addr
}
rule OPCLEAVER_Jasus {
    meta:
        description = "ARP cache poisoner used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // pcap_dump_open is a libpcap/WinPcap export name and is common on its own;
        // the two status messages carry the specificity. "WARNNING" is the sample's
        // own misspelling -- do not "correct" it.
        $api_pcap = "pcap_dump_open"
        $msg_poison = "Resolving IPs to poison..."
        $msg_gateway = "WARNNING: Gateway IP can not be found"
    condition:
        all of ($api_pcap, $msg_poison, $msg_gateway)
}
rule OPCLEAVER_LoggerModule {
    meta:
        description = "Keylogger used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // printf-style log-file name template and a per-user AppData path; both are
        // matched as ASCII text, so the "%s"/"%02d" are literal, and "\\" is one backslash.
        $fmt_logname = "%s-%02d%02d%02d%02d%02d.r"
        $path_cookies = "C:\\Users\\%s\\AppData\\Cookies\\"
    condition:
        $fmt_logname and $path_cookies
}
rule OPCLEAVER_NetC {
    meta:
        description = "Net Crawler used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Mixed encodings: the file name must be UTF-16LE ("wide" only), the service
        // name must be ASCII only. Both are required.
        $exe_name_w = "NetC.exe" wide
        $svc_name = "Net Service"
    condition:
        $exe_name_w and $svc_name
}
rule OPCLEAVER_ShellCreator2 {
    meta:
        description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // "set_IV" looks like a .NET property-setter name and is generic on its own;
        // it only counts together with the ShellCreator2 namespace string.
        $ns_props = "ShellCreator2.Properties"
        $setter_iv = "set_IV"
    condition:
        $ns_props and $setter_iv
}
rule OPCLEAVER_SmartCopy2 {
    meta:
        description = "Malware or hack tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Namespace string plus the "Zhu" framework marker; both required, ASCII only.
        $ns_props = "SmartCopy2.Properties"
        $framework = "ZhuFrameWork"
    condition:
        $ns_props and $framework
}
rule OPCLEAVER_SynFlooder {
    meta:
        description = "Malware or hack tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // All three console messages are required.
        // NOTE(review): $msg_target contains a non-ASCII apostrophe (U+2019); the
        // sample uses it verbatim, so the rule file must be kept UTF-8 encoded and the
        // character must not be normalized to "'" by an editor.
        $msg_resolve = "Unable to resolve [ %s ]. ErrorCode %d"
        $msg_target = "your target’s IP is : %s"
        $msg_socket = "Raw TCP Socket Created successfully."
    condition:
        all of ($msg*)
}
rule OPCLEAVER_TinyZBot {
    meta:
        description = "Tiny Bot used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Four independent evidence clusters; any one cluster fires the rule.
        // Cluster 1: UTF-16LE product name + .NET resource name.
        $netscp_w = "NetScp" wide
        $res_name = "TinyZBot.Properties.Resources.resources"
        // Cluster 2: decoy application name, launcher method, dropped binary.
        $aoao = "Aoao WaterMark"
        $run_exe = "Run_a_exe"
        $netscp_exe = "netscp.exe"
        // Cluster 3: web-service client members. "http://tempuri.org/" is the default
        // .NET web-service namespace and is generic on its own, hence the AND.
        $ws_default = "get_MainModule_WebReference_DefaultWS"
        $md5_evt = "remove_CheckFileMD5Completed"
        $tempuri = "http://tempuri.org/"
        // Cluster 4: a single, highly specific marker.
        $zhoupin = "Zhoupin_Cleaver"
    condition:
        ($netscp_w and $res_name)
        or ($aoao and $run_exe and $netscp_exe)
        or ($ws_default and $md5_evt and $tempuri)
        or $zhoupin
}
rule OPCLEAVER_ZhoupinExploitCrew {
    meta:
        description = "Keywords used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Group tag in either spelling, case-insensitive; one hit is enough.
        $tag_zhoupin = "zhoupin exploit crew" nocase
        $tag_zhopin = "zhopin exploit crew" nocase
    condition:
        any of ($tag*)
}
rule OPCLEAVER_antivirusdetector {
    meta:
        description = "Hack tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Three identifier-like strings, all required, ASCII only.
        $fn_shady = "getShadyProcess"
        $fn_av = "getSystemAntiviruses"
        $cls_detector = "AntiVirusDetector"
    condition:
        $fn_shady and $fn_av and $cls_detector
}
rule OPCLEAVER_csext {
    meta:
        description = "Backdoor used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Fake service display name, binary name and resource name; all required.
        // "Extentions" is the sample's own misspelling and must stay as is.
        $svc_display = "COM+ System Extentions"
        $exe_name = "csext.exe"
        $res_name = "COM_Extentions_bin"
    condition:
        all of ($svc_display, $exe_name, $res_name)
}
rule OPCLEAVER_kagent {
    meta:
        description = "Backdoor used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Two debug/log messages, both required ("%d" is literal text here).
        $msg_kill = "kill command is in last machine, going back"
        $msg_len = "message data length in B64: %d Bytes"
    condition:
        $msg_kill and $msg_len
}
rule OPCLEAVER_mimikatzWrapper {
    meta:
        description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Wrapper identifiers; both required. Matches the wrapper, not mimikatz itself.
        $id_wrapper = "mimikatzWrapper"
        $id_getter = "get_mimikatz"
    condition:
        $id_wrapper and $id_getter
}
rule OPCLEAVER_pvz_in {
    meta:
        description = "Parviz tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Batch-script fragments embedded in the tool; both required. The doubled
        // "%%" is part of the literal text (as it would appear inside a .bat body).
        $bat_lasttime = "LAST_TIME=00/00/0000:00:00PM$"
        $bat_errlevel = "if %%ERRORLEVEL%% == 1 GOTO line"
    condition:
        $bat_lasttime and $bat_errlevel
}
rule OPCLEAVER_pvz_out {
    meta:
        description = "Parviz tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Both strings are UTF-16LE only (no ascii modifier); ASCII copies do not count.
        $desc_w = "Network Connectivity Module" wide
        $svc_w = "OSPPSVC" wide
    condition:
        $desc_w and $svc_w
}
rule OPCLEAVER_wndTest {
    meta:
        description = "Backdoor used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Two UTF-16LE keylog-style markers plus one ASCII HTTP header template;
        // all three required. "[Alt]" alone is generic and only counts in combination.
        $key_alt_w = "[Alt]" wide
        $title_fmt_w = "<< %s >>:" wide
        $hdr_fmt = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
    condition:
        $key_alt_w and $title_fmt_w and $hdr_fmt
}
rule OPCLEAVER_zhCat {
    meta:
        description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Hard-coded User-Agent (ASCII) and a UTF-16LE company placeholder; both
        // required and both fullword, so they must not be embedded in longer tokens.
        $ua = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" fullword ascii
        $company_w = "ABC ( A Big Company )" fullword wide
    condition:
        $ua and $company_w
}
rule OPCLEAVER_zhLookUp {
    meta:
        description = "Hack tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Single-indicator rule: the tool's namespace string, ASCII only.
        $ns_props = "zhLookUp.Properties"
    condition:
        $ns_props
}
rule OPCLEAVER_zhmimikatz {
    meta:
        description = "Mimikatz wrapper used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        // Wrapper class and project names; both required, ASCII only.
        $cls_runner = "MimikatzRunner"
        $proj_name = "zhmimikatz"
    condition:
        $cls_runner and $proj_name
}
rule OPCLEAVER_Parviz_Developer {
    meta:
        description = "Parviz developer known from Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Florian Roth"
        score = "70"
    strings:
        // Developer profile path fragment (e.g. from a PDB path), matched
        // case-insensitively. No drive letter is included, so any drive matches;
        // the "\\" escapes are single backslashes in the scanned bytes.
        $dev_path = "Users\\parviz\\documents\\" nocase
    condition:
        $dev_path
}
rule OPCLEAVER_CCProxy_Config {
    meta:
        description = "CCProxy config known from Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Florian Roth"
        score = "70"
    strings:
        // Four INI-style lines that together describe the attackers' CCProxy setup;
        // individually they look like ordinary CCProxy defaults, so all four are
        // required (fullword keeps "FTP=0" from matching inside "SFTP=0" etc.).
        $cfg_user = "UserName=User-001" fullword ascii
        $cfg_web = "Web=1" fullword ascii
        $cfg_mail = "Mail=1" fullword ascii
        $cfg_ftp = "FTP=0" fullword ascii
        // A single address IoC from the report; sufficient on its own.
        // NOTE(review): the IP is a historical indicator -- re-validate before
        // relying on it as current infrastructure.
        $ioc_ip = "IPAddressLow=78.109.194.114" fullword ascii
    condition:
        all of ($cfg*) or $ioc_ip
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule PlugXStrings : PlugX Family {
    meta:
        description = "PlugX Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-12"
    strings:
        // Loader file name, ASCII or UTF-16LE; sufficient on its own.
        $BootLDR = "boot.ldr" ascii wide
        // Build-path prefix (case-insensitive) that is too generic alone and must be
        // paired with one of the version/project tags below. Note the tags are
        // case-sensitive and deliberately differ in case ("plug2.5" vs "Plug3.0").
        $Dwork = "d:\\work" nocase
        $Plug25 = "plug2.5"
        $Plug30 = "Plug3.0"
        $Shell6 = "Shell6"
    condition:
        $BootLDR or ($Dwork and 1 of ($Plug*, $Shell6))
}
rule plugX : rat {
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "PlugX RAT"
        date = "2014-05-13"
        filetype = "memory"
        version = "1.0"
        ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"
    strings:
        // Variant 1: "GULP\0\0\0\0" header, only accepted at offset 0 of the scanned
        // buffer (memory dumps per the filetype meta), or the update URL template.
        $v1a = { 47 55 4C 50 00 00 00 00 }
        $v1b = "/update?id=%8.8x"
        // Variant 1 key-schedule fragments: "mov ebx, 33333333h" / "mov ebx, 44444444h"
        // each followed by a sub (0x2B) opcode byte.
        $v1algoa = { BB 33 33 33 33 2B }
        $v1algob = { BB 44 44 44 44 2B }
        // Variant 2: custom HTTP header, "push 2A0h", and a 4-byte constant.
        $v2a = "Proxy-Auth:"
        $v2b = { 68 A0 02 00 00 }
        $v2k = { C1 8F 3A 71 }
    condition:
        ($v1a at 0)
        or $v1b
        or (
            ($v2a or $v2b)
            and (($v1algoa and $v1algob) or $v2k)
        )
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule poisonivy : rat
{
	meta:
		description = "Poison Ivy"
		author = "Jean-Philippe Teissier / @Jipe_"
		date = "2013-02-01"
		filetype = "memory"
		version = "1.0"
		ref1 = "https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py"
	strings:
		// One hex sequence encoding three ASCII strings at fixed spacing:
		//   "StubPath" ?? "SOFTWARE\Classes\http\shell\open\command" [22 bytes]
		//   "Software\Microsoft\Active Setup\Installed Components\"
		// i.e. the registry persistence names laid out as the sample stores them.
		// The single "??" and the fixed [22] gap tie this to that exact layout, so
		// it is kept byte-identical; a different build spacing would need a new pattern.
		$a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C }
	condition:
		$a
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule PubSabCode : PubSab Family {
    meta:
        description = "PubSab code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        // imul eax, [ebp-1Ch], 37h ; mov edx, ecx ; sub edx, eax ; mov [ebp-1Ch], edx
        // (a small arithmetic step over a stack local; purpose not documented here).
        $arith_step = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 }
    condition:
        $arith_step
}
rule PubSabStrings : PubSab Family {
    meta:
        description = "PubSab Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        // Any one of these ASCII strings suffices. "_deamon_init" is the sample's
        // own misspelling and must not be corrected.
        $ = "_deamon_init"
        $ = "com.apple.PubSabAgent"
        $ = "/tmp/screen.jpeg"
    condition:
        1 of them
}
rule PubSab : Family {
    meta:
        description = "PubSab"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    condition:
        // Family roll-up over the code and string rules above.
        PubSabStrings or PubSabCode
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule QuarianStrings : Quarian Family {
    meta:
        description = "Quarian Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-09"
    strings:
        // Any single string fires the rule. Misspellings ("drivercashe", "windwos")
        // are verbatim from the samples and must be kept.
        // NOTE(review): a few entries are short or generic ("ok1-1", "[FileTransfer]");
        // with "any of them" they may produce false positives on unrelated software.
        $ = "s061779s061750"
        $ = "[OnUpLoadFile]"
        $ = "[OnDownLoadFile]"
        $ = "[FileTransfer]"
        $ = "---- Not connect the Manager, so start UnInstall ----"
        $ = "------- Enter CompressDownLoadDir ---------"
        $ = "------- Enter DownLoadDirectory ---------"
        $ = "[HandleAdditionalData]"
        $ = "[mswsocket.dll]"
        $ = "msupdate.dll........Enter ThreadCmd!"
        $ = "ok1-1"
        $ = "msupdate_tmp.dll"
        $ = "replace Rpcss.dll successfully!"
        // Build-path / PDB artifacts.
        $ = "f:\\loadhiddendriver-mdl\\objfre_win7_x86\\i386\\intelnat.pdb"
        $ = "E:\\Code\\2.0\\2.0_multi-port\\2.0\\ServerInstall_New-2010-0913_sp3\\msupdataDll\\Release\\msupdate_tmp.pdb"
        // Driver/device/object names, ASCII or UTF-16LE.
        $ = "\\drivercashe\\" ascii wide
        $ = "\\microsoft\\windwos\\" ascii wide
        $ = "\\DosDevices\\LOADHIDDENDRIVER" ascii wide
        $ = "\\Device\\LOADHIDDENDRIVER" ascii wide
        $ = "Global\\state_maping" ascii wide
        $ = "Global\\unInstall_event_1554_Ower" ascii wide
    condition:
        1 of them
}
rule QuarianCode : Quarian Family {
    meta:
        description = "Quarian code features"
        author = "Seth Hardy"
        last_modified = "2014-07-09"
    strings:
        // intelnat.sys decrypt: shl/shr r32,4 ; mov r32,[ebp+..] ; shl/shr r32,5 ; xor
        $ = { C1 E? 04 8B ?? F? C1 E? 05 33 C? }
        // mswsocket.dll decrypt: shr edi,5 ; shl ebx,4 ; xor edi,ebx
        $ = { C1 EF 05 C1 E3 04 33 FB }
        // mswsocket.dll: xor ebx,eax ; sub esi,61C88647h
        $ = { 33 D8 81 EE 47 86 C8 61 }
        // msupdate.dll loop: inc [ebp-18h] ; add [ebp-14h],0CCh ; jmp back
        $ = { FF 45 E8 81 45 EC CC 00 00 00 E9 95 FE FF FF }
    condition:
        1 of them
}
rule Quarian : Family {
    meta:
        description = "Quarian"
        author = "Seth Hardy"
        last_modified = "2014-07-09"
    condition:
        // Family roll-up over the two rules above.
        QuarianStrings or QuarianCode
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule TerminatorRat : rat {
    meta:
        description = "Terminator RAT"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-10-24"
        filetype = "memory"
        version = "1.0"
        ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html"
    strings:
        // Both required, ASCII only. "Accelorator" is the sample's own misspelling.
        $marker = "Accelorator"
        $fake_page = "<html><title>12356</title><body>"
    condition:
        $marker and $fake_page
}
rule TROJAN_Notepad_shell_crew
{
    meta:
        author = "RSA_IR"
        Date = "4Jun13"
        File = "notepad.exe v 1.1"
        MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927"
    strings:
        // Two 32-hex-digit literals searched as ASCII text inside the sample; either
        // one alone fires the rule.
        // NOTE(review): this is a byte-for-byte duplicate of TROJAN_Notepad earlier in
        // this file (same strings, same meta); keep one and drop the other.
        $hash_a = "75BAA77C842BE168B0F66C42C7885997"
        $hash_b = "B523F63566F407F3834BCC54AAA32524"
    condition:
        any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule RCS_Backdoor {
    meta:
        description = "Hacking Team RCS Backdoor"
        author = "botherder https://github.com/botherder"
    strings:
        // Self-exclusion: these literals only occur in this rule file itself, so a
        // scan over a ruleset directory does not flag this .yar. The "(C)hecking"
        // style regexes serve the same purpose -- the regex source text does not
        // contain the plain message it matches.
        $filter1 = "$debug3"
        $filter2 = "$log2"
        $filter3 = "error2"
        // Debug messages (ASCII or UTF-16LE).
        $debug1 = /\- (C)hecking components/ wide ascii
        $debug2 = /\- (A)ctivating hiding system/ wide ascii
        $debug3 = /(f)ully operational/ wide ascii
        // Log messages.
        $log1 = /\- Browser activity \(FF\)/ wide ascii
        $log2 = /\- Browser activity \(IE\)/ wide ascii
        // Cause false positives.
        //$log3 = /\- About to call init routine at %p/ wide ascii
        //$log4 = /\- Calling init routine at %p/ wide ascii
        // Error messages.
        $error1 = /\[Unable to deploy\]/ wide ascii
        $error2 = /\[The system is already monitored\]/ wide ascii
    condition:
        not any of ($filter*)
        and (2 of ($debug*) or 2 of ($log*) or all of ($error*))
}
rule RCS_Scout {
    meta:
        description = "Hacking Team RCS Scout"
        author = "botherder https://github.com/botherder"
    strings:
        // Self-exclusion literals: present only in this rule file, so the .yar does
        // not match itself (see the "(E)ngine" style regexes for the same trick).
        $filter1 = "$engine5"
        $filter2 = "$start4"
        $filter3 = "$upd2"
        $filter4 = "$lookma6"
        // Engine start-up messages; all five required for that branch.
        $engine1 = /(E)ngine started/ wide ascii
        $engine2 = /(R)unning in background/ wide ascii
        $engine3 = /(L)ocking doors/ wide ascii
        $engine4 = /(R)otors engaged/ wide ascii
        $engine5 = /(I)\'m going to start it/ wide ascii
        // Upgrade/start prompts; all four required for that branch.
        $start1 = /Starting upgrade\!/ wide ascii
        $start2 = /(I)\'m going to start the program/ wide ascii
        $start3 = /(i)s it ok\?/ wide ascii
        $start4 = /(C)lick to start the program/ wide ascii
        // Updater identifiers; both required for that branch.
        $upd1 = /(U)pdJob/ wide ascii
        $upd2 = /(U)pdTimer/ wide ascii
        // Joke strings, UTF-16LE only; 4 of 6 required for that branch.
        $lookma1 = /(O)wning PCI bus/ wide
        $lookma2 = /(F)ormatting bios/ wide
        $lookma3 = /(P)lease insert a disk in drive A:/ wide
        $lookma4 = /(U)pdating CPU microcode/ wide
        $lookma5 = /(N)ot sure what's happening/ wide
        $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide
    condition:
        not any of ($filter*)
        and (all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*))
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule CryptoLocker_set1 {
    meta:
        author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
        date = "2014-04-13"
        description = "Detection of Cryptolocker Samples"
    strings:
        // Any 8 of the 17 strings below fire the rule.
        // NOTE(review): several entries are ordinary PE version-info / manifest text
        // ("CompanyName", "ProductVersion", "VS_VERSION_INFO", "<assembly xmlns",
        // " <trustInfo xmlns", " </trustInfo>", "static") that many benign executables
        // contain; the threshold may be reachable without any sample-specific string.
        // The discriminating entries are " kscdS", "Romantic", "9%9R9f9q9", "LookFor",
        // "srtWd@@", "515]5z5" and "C:\lZbvnoVe.exe" -- consider requiring one of them.
        $string0 = "static"
        $string1 = " kscdS"
        $string2 = "Romantic"
        $string3 = "CompanyName" wide
        $string4 = "ProductVersion" wide
        $string5 = "9%9R9f9q9"
        $string6 = "IDR_VERSION1" wide
        $string7 = " </trustInfo>"
        $string8 = "LookFor" wide
        $string9 = ":n;t;y;"
        $string10 = " <requestedExecutionLevel level"
        $string11 = "VS_VERSION_INFO" wide
        $string12 = "2.0.1.0" wide
        $string13 = "<assembly xmlns"
        $string14 = " <trustInfo xmlns"
        $string15 = "srtWd@@"
        $string16 = "515]5z5"
        $string17 = "C:\\lZbvnoVe.exe" wide
    condition:
        8 of them
}
rule CryptoLocker_rule2 {
    meta:
        author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
        date = "2014-04-14"
        description = "Detection of CryptoLocker Variants"
    strings:
        // Any 8 of the 16 strings below fire the rule.
        // NOTE(review): as with CryptoLocker_set1, about half of these are generic
        // manifest / version-info fragments (" <security>", " </security>",
        // "ProductVersion", " </requestedPrivileges>", " uiAccess", " <trustInfo xmlns",
        // " manifestVersion", "button"); check the threshold against a clean PE corpus.
        $string0 = "2.0.1.7" wide
        $string1 = " <security>"
        $string2 = "Romantic"
        $string3 = "ProductVersion" wide
        $string4 = "9%9R9f9q9"
        $string5 = "IDR_VERSION1" wide
        $string6 = "button"
        $string7 = " </security>"
        $string8 = "VFileInfo" wide
        $string9 = "LookFor" wide
        $string10 = " </requestedPrivileges>"
        $string11 = " uiAccess"
        $string12 = " <trustInfo xmlns"
        $string13 = "last.inf"
        $string14 = " manifestVersion"
        $string15 = "FFFF04E3" wide
        $string16 = "3,31363H3P3m3u3z3"
    condition:
        8 of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule RegSubDatCode : RegSubDat Family {
    meta:
        description = "RegSubDat code features"
        author = "Seth Hardy"
        last_modified = "2014-07-14"
    strings:
        // Decryption loop: xor byte ptr [eax+reg], 99h ; inc eax ;
        // cmp eax, 65FBh  -or-  cmp eax, esi ; short jcc back.
        $ = { 80 34 3? 99 40 (3D FB 65 00 00 | 3B C6) 7? F? }
        // push 7FFFFFh ; pop r32   and   push 7FFFh ; pop r32  (constant loads via the stack).
        $ = { 68 FF FF 7F 00 5? }
        $ = { 68 FF 7F 00 00 5? }
    condition:
        all of them
}
rule RegSubDatStrings : RegSubDat Family {
    meta:
        description = "RegSubDat Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-14"
    strings:
        // UI text the sample uses to click through an AVG firewall prompt. The first
        // four are generic on their own, so all five $avg strings are required.
        $avg1 = "Button"
        $avg2 = "Allow"
        $avg3 = "Identity Protection"
        $avg4 = "Allow for all"
        $avg5 = "AVG Firewall Asks For Confirmation"
        // Mutex name; matched as the 10-character ASCII text "0x1A7B4C9F", not as bytes.
        $mutex = "0x1A7B4C9F"
    condition:
        $mutex or all of ($avg*)
}
rule RegSubDat : Family {
    meta:
        description = "RegSubDat"
        author = "Seth Hardy"
        last_modified = "2014-07-14"
    condition:
        // Family roll-up over the two rules above.
        RegSubDatStrings or RegSubDatCode
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule RooterCode : Rooter Family {
    meta:
        description = "Rooter code features"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    strings:
        // xor byte ptr [eax+disp32], 30h ; inc eax ; cmp eax, 5000h ; jl back
        // -- a fixed-size (0x5000 byte) xor-0x30 decode loop.
        $xor30_loop = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 }
    condition:
        $xor30_loop
}
rule RooterStrings : Rooter Family {
    meta:
        description = "Rooter Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    strings:
        // Short NUL-terminated tokens (the trailing \x00 is part of the pattern, so
        // they must end exactly there); three of the five are required.
        $group1 = "seed\x00"
        $group2 = "prot\x00"
        $group3 = "ownin\x00"
        $group4 = "feed0\x00"
        $group5 = "nown\x00"
    condition:
        3 of ($group*)
}
rule Rooter : Family {
    meta:
        description = "Rooter"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    condition:
        // Family roll-up over the two rules above.
        RooterStrings or RooterCode
}
rule RookieCode : Rookie Family {
    meta:
        description = "Rookie code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        // "AutoConfigURL" built one byte at a time: mov byte [..],'A' ; 'u' ; [4] ; 'o' 'C' 'o' 'n' 'f'
        $build_autoconf = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 66 }
        // "ProxyEnable" built the same way: 'P' ; [4] ; 'o' 'x' 'y' 'E' 'n' 'a'
        $build_proxyena = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 }
        // mov ebx,[0040A110h] ; [18] ; call ebx ; mov dl,[esi] ; xor dl,al ; mov [esi],dl
        // Presumably xor with a rand()-style return value. The absolute address
        // 0x0040A110 ties this pattern to one build/image base -- do not expect it
        // to survive relinking.
        $xor_call = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 }
    condition:
        1 of them
}
rule Rookie : Family
{
    meta:
        description = "Rookie"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    condition:
        // Family roll-up. NOTE(review): RookieStrings is not defined anywhere in the
        // visible part of this file (only RookieCode is); YARA refuses to compile a
        // rule that references an undefined identifier, so either the RookieStrings
        // rule was dropped when this file was assembled or it lives elsewhere in the
        // ruleset -- confirm before deploying.
        RookieCode or RookieStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
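rule SafeNetCode : SafeNet Family {
    meta:
        description = "SafeNet code features"
        author = "Seth Hardy"
        last_modified = "2014-07-16"
    strings:
        // add edi, 14h ; cmp edi, 40D0F8h
        // (the original comment said 50D0F8h; the little-endian bytes F8 D0 40 00
        // encode 0x0040D0F8, a fixed address that ties this to one build/image base).
        $ = { 83 C7 14 81 FF F8 D0 40 00 }
    condition:
        any of them
}
rule SafeNetStrings : SafeNet Family {
    meta:
        description = "Strings used by SafeNet"
        author = "Seth Hardy"
        last_modified = "2014-07-16"
    strings:
        // Any one suffices. The 64-character token is likely a key/identifier --
        // its role is not documented here. The fourth string embeds CR LF and
        // four tabs (\x0d\x0a\x09...), i.e. the exact whitespace of the batch-file
        // fragment; a re-indented copy would not match.
        $ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr"
        $ = "/safe/record.php"
        $ = "_Rm.bat" wide ascii
        $ = "try\x0d\x0a\x09\x09\x09\x09 del %s" wide ascii
        $ = "Ext.org" wide ascii
    condition:
        any of them
}
rule SafeNet : Family {
    meta:
        description = "SafeNet family"
        // NOTE(review): the sibling rules carry author/last_modified; this roll-up
        // has neither. Left as is rather than guessing the attribution.
    condition:
        SafeNetCode or SafeNetStrings
}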
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule ScarhiknStrings : Scarhikn Family {
    meta:
        description = "Scarhikn Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        // Either ASCII token suffices.
        // NOTE(review): "haha123" is a plausible password/test string in unrelated
        // software; expect some false positives from that entry alone.
        $ = "9887___skej3sd"
        $ = "haha123"
    condition:
        1 of them
}
rule ScarhiknCode : Scarhikn Family {
    meta:
        description = "Scarhikn code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        // Decryption loops: mov eax,[esi] ; mov cl,[ebx+key] ; xor [eax+edi],cl ;
        // add eax,edi ; ... ; cmp ebx,eax ; jb back.
        $ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 }
        // Variant with an inline strlen (repne scasb ; not ecx ; dec ecx) as the bound.
        $ = { 8B 02 8A 8D ?? ?? ?? ?? 30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 }
    condition:
        1 of them
}
rule Scarhikn : Family {
    meta:
        description = "Scarhikn"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    condition:
        // Family roll-up over the two rules above.
        ScarhiknStrings or ScarhiknCode
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Scieron {
    meta:
        author = "Symantec Security Response"
        ref = "http://www.symantec.com/connect/tr/blogs/scarab-attackers-took-aim-select-russian-targets-2012"
        date = "22.01.15"
    strings:
        // Delimiter test on a 16-bit char: cmp ax,',' / jz ; cmp ax,';' / jz ;
        // cmp ax,'|' / jnz. The "F?" nibble lets the register vary (ax/cx/dx/...).
        //   .text:10002069 66 83 F8 2C   cmp  ax, ','
        //   .text:1000206D 74 0C         jz   short loc_1000207B
        //   .text:1000206F 66 83 F8 3B   cmp  ax, ';'
        //   .text:10002073 74 06         jz   short loc_1000207B
        //   .text:10002075 66 83 F8 7C   cmp  ax, '|'
        //   .text:10002079 75 05         jnz  short loc_10002080
        $code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}
        // 10-way switch: cmp reg,9 ; ja default (rel32 wildcarded) ; jmp [table+reg*4]
        //   .text:10001D83 83 F8 09             cmp  eax, 9      ; switch 10 cases
        //   .text:10001D86 0F 87 DB 00 00 00    ja   loc_10001E67 ; default case
        //   .text:10001D8C FF 24 85 55 1F 00+   jmp  ds:off_10001F55[eax*4]
        $code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}
        // Configuration keys, ASCII or UTF-16LE.
        $str1 = "IP_PADDING_DATA" ascii wide
        $str2 = "PORT_NUM" ascii wide
    condition:
        // All four are required, so neither code fragment fires on its own.
        all of ($code*) and all of ($str*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule ShadowTech {
    meta:
        description = "ShadowTech RAT"
        author = "botherder https://github.com/botherder"
    strings:
        // "#Strings", "#GUID" and "#Blob" are the standard .NET metadata stream
        // names found in practically every managed assembly; they only gate the
        // rule to .NET binaries. The two ShadowTech names are the real indicators.
        // The "(S)" grouping keeps this .yar from matching its own source text.
        $string1 = /\#(S)trings/
        $string2 = /\#(G)UID/
        $string3 = /\#(B)lob/
        $string4 = /(S)hadowTech Rat\.exe/
        $string5 = /(S)hadowTech_Rat/
    condition:
        all of ($string*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
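rule CrowdStrike_Shamoon_DroppedFile {
    meta:
        description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
        reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
    strings:
        // Placeholder credentials/domain left in the dropped component, UTF-16LE only.
        $testn123 = "test123" wide
        $testn456 = "test456" wide
        $testn789 = "test789" wide
        $testdomain = "testdomain.com" wide
        // The $testdomain and $pingcmd declarations were collapsed onto one line in
        // the previous revision; restored to one declaration per line.
        // Sleep-via-ping delay command used by the dropper, UTF-16LE only.
        $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
    condition:
        // The domain is mandatory; it is paired with any test password or the ping delay.
        (any of ($testn*) or $pingcmd) and $testdomain
}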
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule skeleton_key_patcher {
    meta:
        description = "Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN"
        author = "Dell SecureWorks Counter Threat Unit"
        reference = "http://goo.gl/aAk3lN"
        date = "2015/01/13"
        score = 70
    strings:
        // Process the patcher targets (UTF-16LE only).
        $target_process = "lsass.exe" wide
        // Modules whose routines are patched (ASCII) and the patcher's own DLL name.
        $dll1 = "cryptdll.dll"
        $dll2 = "samsrv.dll"
        $name = "HookDC.dll"
        // Exported routine names the patcher resolves/patches.
        $patched1 = "CDLocateCSystem"
        $patched2 = "SamIRetrievePrimaryCredentials"
        $patched3 = "SamIRetrieveMultiplePrimaryCredentials"
    condition:
        // Every string is required; individually most are legitimate Windows names.
        $target_process and all of ($dll*) and $name and all of ($patched*)
}
rule skeleton_key_injected_code
{
    meta:
        description = "Skeleton Key injected Code http://goo.gl/aAk3lN"
        author = "Dell SecureWorks Counter Threat Unit"
        reference = "http://goo.gl/aAk3lN"
        date = "2015/01/13"
        score = 70
    strings:
        // x64 function epilogue of the injected stub: xor eax,eax ; test ecx,ecx ;
        // setnz al ; mov rcx,[rsp+140h] ; xor rcx,rsp (stack cookie) ; call ... ;
        // add rsp,158h ; ret. Fixed displacements, so this is one specific build.
        $injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00 00 48 81 C4 58 01 00 00 C3 }
        // Replacement bodies for the three patched routines. Each starts with the
        // standard x64 prologue (mov [rsp+8],rbx ...) and keeps one "E8 ?? ?? ?? ??"
        // call rel32 wildcarded so the pattern survives relocation of that callee.
        $patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
        // The two SamI* patches compare UTF-16 characters at fixed offsets of the
        // incoming buffer (cmp word [..],'&' / 'K' / 's' / 'K') and on mismatch load
        // eax with 0C00002A1h before returning -- presumably the "master password"
        // check, the status value is not verified here.
        $patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
        $patch_SamIRetrieveMultiplePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
    condition:
        // Any single fragment is enough; intended for memory (lsass) scans.
        any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
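rule universal_1337_stealer_serveur : Stealer
{
    meta:
        author="Kevin Falcoz"
        date="24/02/2013"
        description="Universal 1337 Stealer Serveur"
    strings:
        // Protocol delimiters used by the stealer's exfil format (given as hex so
        // the rule file never contains the literal markers).
        $signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/
        $signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A} /*[H-E-R-E]*/
        $signature3={46 54 50 7E} /*FTP~*/
        $signature4={7E 31 7E 31 7E 30 7E 30} /*~1~1~0~0*/
    condition:
        // Two evidence pairs. YARA's "and" binds tighter than "or", so the previous
        // unparenthesised form already meant this; the grouping is now explicit so
        // a later edit cannot silently change it.
        ($signature1 and $signature2) or ($signature3 and $signature4)
}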
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule RSharedStrings : Surtr Family
{
    meta:
        description = "identifiers for remote and gmremote"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        // All UTF-16LE only. Any one fires this helper rule.
        // NOTE(review): "soul" wide is just 8 bytes and "%sBurn%s" is a format
        // template -- on their own they are weak; this rule is meant to be AND-ed
        // with RemoteStrings / GmRemoteStrings below, not used standalone.
        $ = "nView_DiskLoydb" wide
        $ = "nView_KeyLoydb" wide
        $ = "nView_skins" wide
        $ = "UsbLoydb" wide
        $ = "%sBurn%s" wide
        $ = "soul" wide
    condition:
        1 of them
}
rule RemoteStrings : Remote Variant Surtr Family
{
    meta:
        description = "indicators for remote.dll - surtr stage 2"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        // NUL-delimited so the names must stand alone (e.g. in an export table).
        $ = "\x00Remote.dll\x00"
        $ = "\x00CGm_PlugBase::"
        $ = "\x00ServiceMain\x00_K_H_K_UH\x00"
        $ = "\x00_Remote_\x00" wide
    condition:
        1 of them
}
rule GmRemoteStrings : GmRemote Variant Family Surtr
{
    meta:
        description = "identifiers for gmremote: surtr stage 2"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        // Export/entry-point names and a source path, NUL-delimited; plus two
        // UTF-16LE markers. Any one suffices.
        $ = "\x00x86_GmRemote.dll\x00"
        $ = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
        $ = "\x00GmShutPoint\x00"
        $ = "\x00GmRecvPoint\x00"
        $ = "\x00GmInitPoint\x00"
        $ = "\x00GmVerPoint\x00"
        $ = "\x00GmNumPoint\x00"
        $ = "_Gt_Remote_" wide
        $ = "%sBurn\\workdll.tmp" wide
    condition:
        1 of them
}
rule GmRemote : Family Surtr Variant GmRemote
{
    meta:
        description = "identifier for gmremote"
        author = "Katie Kleemola"
        last_updated = "07-25-2014"
    condition:
        // Shared stage-2 markers AND a GmRemote-specific one.
        GmRemoteStrings and RSharedStrings
}
rule Remote : Family Surtr Variant Remote
{
    meta:
        description = "identifier for remote"
        author = "Katie Kleemola"
        last_updated = "07-25-2014"
    condition:
        // Shared stage-2 markers AND a Remote-specific one.
        RemoteStrings and RSharedStrings
}
rule SurtrStrings : Surtr Family
{
    meta:
        author = "Katie Kleemola"
        description = "Strings for Surtr"
        last_updated = "2014-07-16"
    strings:
        // Any one of these ASCII strings fires the rule. The first three are
        // NUL-delimited so they must appear as standalone names.
        // NOTE(review): "Prod.t", "Proe.t", "Burn\" and the bare "soul" are short;
        // with "any of them" expect occasional false positives.
        $ = "\x00soul\x00"
        $ = "\x00InstallDll.dll\x00"
        $ = "\x00_One.dll\x00"
        $ = "_Fra.dll"
        $ = "CrtRunTime.log"
        $ = "Prod.t"
        $ = "Proe.t"
        $ = "Burn\\"
        $ = "LiveUpdata_Mem\\"
    condition:
        1 of them
}
rule SurtrCode : Surtr Family
{
    meta:
        author = "Katie Kleemola"
        description = "Code features for Surtr Stage1"
        last_updated = "2014-07-16"
    strings:
        // Config decrypt loop: mov al,[..] ; test ; jz ; cmp al,1 ; jz ; xor al,1 ;
        // mov [ecx],al ; inc ; cmp ; jb back.
        $ = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
        // "Burn\" folder name built byte-by-byte (mov byte [..],'B' 'u' 'r' 'n' '\')
        // so it never appears as a plain string.
        $ = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
        // "_Fire.d" built the same way ('_' 'F' 'i' 'r' 'e' '.' 'd').
        $ = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }
    condition:
        1 of them
}
rule Surtr : Family
{
    meta:
        author = "Katie Kleemola"
        description = "Rule for Surtr Stage One"
        last_updated = "2014-07-16"
    condition:
        // Stage-one roll-up over the two rules above.
        SurtrCode or SurtrStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule T5000Strings : T5000 Family {
    meta:
        description = "T5000 Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-26"
    strings:
        // Any single string fires the rule.
        // Dropped script names and a data file.
        $ = "_tmpR.vbs"
        $ = "_tmpg.vbs"
        $ = "Dtl.dat" ascii wide
        // Component GUIDs as ASCII text (mixed-case exactly as in the samples).
        $ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
        $ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
        $ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
        $ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
        $ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
        $ = "A59CF429-D0DD-4207-88A1-04090680F714"
        $ = "utd_CE31" ascii wide
        // PDB paths left in the binaries.
        $ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
        $ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
        $ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
        $ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
    condition:
        1 of them
}
rule T5000 : Family {
    meta:
        description = "T5000"
        author = "Seth Hardy"
        last_modified = "2014-06-26"
    condition:
        // Family roll-up; strings only, there is no code rule for T5000 here.
        T5000Strings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WaterBug_turla_dll {
    meta:
        description = "Symantec Waterbug Attack - Trojan Turla DLL"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
    strings:
        // NUL-terminated internal DLL name of the form [tok_[tok_]]Win32.dll with up
        // to two alphanumeric prefix tokens. NOTE(review): the open-lower-bound
        // quantifier "{,2}" (0..2) is accepted by libyara's regex lexer; confirm on
        // the YARA version in use if the rule fails to compile.
        $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
    condition:
        // Requires the pe module: the DLL must export a function literally named "ee".
        $a and pe.exports("ee")
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule urausy_skype_dat
{
    meta:
        author = "AlienVault Labs"
        description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
    strings:
        // Both dropped file names are mandatory (ASCII or UTF-16LE).
        $a = "skype.dat" ascii wide
        $b = "skype.ini" ascii wide
        // Plus one complete pair: the window-creation API with its window-class name,
        // or the desktop-creation API with its desktop name.
        $win1 = "CreateWindow"
        $win2 = "YIWEFHIWQ" ascii wide
        $desk1 = "CreateDesktop"
        $desk2 = "MyDesktop" ascii wide
    condition:
        $a and $b and (all of ($win*) or all of ($desk*))
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule VidgrabCode : Vidgrab Family {
    meta:
        description = "Vidgrab code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    strings:
        // mov eax,2 ; dec eax ; dec eax ; mov edx,2 ; xor edx,2 ; div eax
        // -- eax and edx are both forced to 0 before the div, i.e. a deliberate
        // divide-by-zero (presumably an exception-based anti-analysis trick).
        $divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
        // add eax, ecx ; xor byte ptr [eax], 66h|58h ; inc ecx
        $xorloop = { 03 C1 80 30 (66 | 58) 41 }
        // mov r32,[ebp+..] ; mov r32,[ebp+..] ; add eax,[ebp+8] ; push edx ; pop edx
        // (the push/pop pair is a no-op, junk inserted by the sample).
        $junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
    condition:
        $divbyzero and $xorloop and $junk
}
rule VidgrabStrings : Vidgrab Family {
    meta:
        description = "Vidgrab Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    strings:
        // Three of the six must be present; individually the file names are generic.
        $ = "IDI_ICON5" ascii wide
        $ = "starter.exe"
        $ = "wmifw.exe"
        $ = "Software\\rar"
        $ = "tmp092.tmp"
        $ = "temp1.exe"
    condition:
        3 of them
}
rule Vidgrab : Family {
    meta:
        description = "Vidgrab"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    condition:
        // Family roll-up over the two rules above.
        VidgrabStrings or VidgrabCode
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WarpCode : Warp Family
{
meta:
description = "Warp code features"
author = "Seth Hardy"
last_modified = "2014-07-10"
strings:
// character replacement
$ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F }
condition:
any of them
}
rule WarpStrings : Warp Family
{
meta:
description = "Warp Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-10"
strings:
$ = "/2011/n325423.shtml?"
$ = "wyle"
$ = "\\~ISUN32.EXE"
condition:
any of them
}
rule Warp : Family
{
meta:
description = "Warp"
author = "Seth Hardy"
last_modified = "2014-07-10"
condition:
WarpCode or WarpStrings
}
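Review bot: `$ = "wyle"` in WarpStrings is a four-byte, unanchored ASCII string, and because the condition is `any of them` it alone satisfies WarpStrings and, through it, the wrapper rule Warp, so any file that merely contains that substring (a surname, a word fragment in a document) fires. The other two strings, `/2011/n325423.shtml?` and `\\~ISUN32.EXE`, are distinctive and can stay as they are. Mark the short one `$ = "wyle" fullword` at minimum, or require it only in combination by changing the condition to `2 of them`; whether the looser form was deliberate for memory scanning is not recorded, so a comment either way would help.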
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WaterBug_wipbot_2013_core_PDF {
meta:
description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$PDF = "%PDF-"
$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
condition:
($PDF at 0) and #a > 150 and #b > 200
}
rule WaterBug_wipbot_2013_dll {
meta:
description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$string1 = "/%s?rank=%s"
$string2 = "ModuleStart\x00ModuleStop\x00start"
$string3 = "1156fd22-3443-4344-c4ffff"
//read file... error..
$string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
condition:
2 of them
}
rule WaterBug_wipbot_2013_core {
meta:
description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$mz = "MZ"
$code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
$code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
$code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04} $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
condition:
$mz at 0 and (($code1 or $code2) or ($code3 and $code4))
}
rule WaterBug_turla_dropper {
meta:
description = "Symantec Waterbug Attack - Trojan Turla Dropper"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
$b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
condition:
all of them
}
rule WaterBug_fa_malware {
meta:
description = "Symantec Waterbug Attack - FA malware variant"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$mz = "MZ"
$string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
$string2 = "d:\\proj\\cn\\fa64\\"
$string3 = "sengoku_Win32.sys\x00"
$string4 = "rk_ntsystem.c"
$string5 = "\\uroboros\\"
$string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
condition:
($mz at 0) and (any of ($string*))
}
rule WaterBug_sav {
meta:
description = "Symantec Waterbug Attack - SAV Malware"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$mz = "MZ"
$code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
$code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC 3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
$code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
$code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
condition:
($mz at 0) and (($code1a or $code1b or $code1c) and $code2)
}
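Review bot: The literal ` _ ` with spaces on both sides inside `$a` and `$b` of WaterBug_wipbot_2013_core_PDF and inside `$string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"` in WaterBug_fa_malware looks like a PDF-to-text extraction artifact rather than bytes present in the samples; if so, those strings can never match and the fa_malware rule silently loses one of its six indicators. I cannot confirm this from the rule text alone, so check the strings against the referenced Symantec write-up or a known sample before shipping, and if the spaces are spurious the path should read `fa_2009`. Separately, WaterBug_wipbot_2013_core defines `$code3` and `$code4` on one physical line; that is valid YARA, but put each string on its own line so reviewers and diff tools see them individually.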
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WimmieShellcode : Wimmie Family
{
meta:
description = "Wimmie code features"
author = "Seth Hardy"
last_modified = "2014-07-17"
strings:
// decryption loop
$ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 }
$xordecrypt = {B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 }
condition:
any of them
}
rule WimmieStrings : Wimmie Family
{
meta:
description = "Strings used by Wimmie"
author = "Seth Hardy"
last_modified = "2014-07-17"
strings:
$ = "\x00ScriptMan"
$ = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" wide ascii
$ = "ProbeScriptFint" wide ascii
$ = "ProbeScriptKids"
condition:
any of them
}
rule Wimmie : Family
{
meta:
description = "Wimmie family"
author = "Seth Hardy"
last_modified = "2014-07-17"
condition:
WimmieShellcode or WimmieStrings
}
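Review bot: In WimmieStrings, `$ = "ProbeScriptKids"` has no modifiers while its sibling `$ = "ProbeScriptFint" wide ascii` matches both encodings, so a UTF-16 copy of `ProbeScriptKids` is missed even though the rule clearly intends to cover wide strings. Unless the asymmetry is intentional, change the line to `$ = "ProbeScriptKids" wide ascii`; if it is intentional, a one-line comment such as `// ASCII only: wide form not seen in samples` would stop the next reader from "fixing" it.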
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WoolenGoldfish_Sample_1 {
meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth"
reference = "http://goo.gl/NpJpVZ"
date = "2015/03/25"
score = 60
hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
strings:
$s1 = "Cannot execute (%d)" fullword ascii
$s16 = "SvcName" fullword ascii
condition:
all of them
}
rule WoolenGoldfish_Generic_1 {
meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth"
reference = "http://goo.gl/NpJpVZ"
date = "2015/03/25"
score = 90
super_rule = 1
hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
strings:
$x0 = "Users\\Wool3n.H4t\\"
$x1 = "C-CPP\\CWoolger"
$x2 = "NTSuser.exe" fullword wide
$s1 = "107.6.181.116" fullword wide
$s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
$s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
$s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
$s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
$s6 = "wlg.dat" fullword
$s7 = "woolger" fullword wide
$s8 = "[Enter]" fullword
$s9 = "[Control]" fullword
condition:
( 1 of ($x*) and 2 of ($s*) ) or
( 6 of ($s*) )
}
rule WoolenGoldfish_Generic_2 {
meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth"
reference = "http://goo.gl/NpJpVZ"
date = "2015/03/25"
score = 90
hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
strings:
$s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
condition:
all of them
}
rule WoolenGoldfish_Generic_3 {
meta:
description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
author = "Florian Roth"
reference = "http://goo.gl/NpJpVZ"
date = "2015/03/25"
score = 90
hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
strings:
$x1 = "... get header FATAL ERROR !!! %d bytes read > header_size" fullword ascii
$x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
$x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
$s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
$s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
$s2 = "Attempting to unlock uninitialized lock!" fullword ascii
$s4 = "unable to load kernel32.dll" fullword ascii
$s5 = "index.php?c=%S&r=%x" fullword wide
$s6 = "%s len:%d " fullword ascii
$s7 = "Encountered error sending syscall response to client" fullword ascii
$s9 = "/info.dat" fullword ascii
$s10 = "Error entering thread lock" fullword ascii
$s11 = "Error exiting thread lock" fullword ascii
$s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
condition:
( 1 of ($x*) ) or
( 8 of ($s*) )
}
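Review bot: WoolenGoldfish_Sample_1 rests on just two short, generic strings, `"Cannot execute (%d)"` and `"SvcName"`, both plausible in benign service installers, and `all of them` is the entire condition, so the false-positive surface is wide for a rule scored 60. The jump from `$s1` to `$s16` suggests the string set was trimmed from a larger one (inferred from the numbering, not verified). Consider restoring a more distinctive string from the referenced sample, and at minimum anchor the match on a PE header, e.g. `uint16(0) == 0x5A4D and all of them`, confirming the tightened rule still hits hash 7ad0eb113bc575363a058f4bf21dbab8c8f7073a.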
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Xtreme
{
meta:
description = "Xtreme RAT"
author = "botherder https://github.com/botherder"
strings:
$string1 = /(X)tremeKeylogger/ wide ascii
$string2 = /(X)tremeRAT/ wide ascii
$string3 = /(X)TREMEUPDATE/ wide ascii
$string4 = /(S)TUBXTREMEINJECTED/ wide ascii
$unit1 = /(U)nitConfigs/ wide ascii
$unit2 = /(U)nitGetServer/ wide ascii
$unit3 = /(U)nitKeylogger/ wide ascii
$unit4 = /(U)nitCryptString/ wide ascii
$unit5 = /(U)nitInstallServer/ wide ascii
$unit6 = /(U)nitInjectServer/ wide ascii
$unit7 = /(U)nitBinder/ wide ascii
$unit8 = /(U)nitInjectProcess/ wide ascii
condition:
5 of them
}
rule xtreme_rat : Trojan
{
meta:
author="Kevin Falcoz"
date="23/02/2013"
description="Xtreme RAT"
strings:
$signature1={58 00 54 00 52 00 45 00 4D 00 45} /*X.T.R.E.M.E*/
condition:
$signature1
}
rule XtremeRATCode : XtremeRAT Family
{
meta:
description = "XtremeRAT code features"
author = "Seth Hardy"
last_modified = "2014-07-09"
strings:
// call; fstp st
$ = { E8 ?? ?? ?? ?? DD D8 }
// hiding string
$ = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }
condition:
all of them
}
rule XtremeRATStrings : XtremeRAT Family
{
meta:
description = "XtremeRAT Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-09"
strings:
$ = "dqsaazere"
$ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
condition:
any of them
}
rule XtremeRAT : Family
{
meta:
description = "XtremeRAT"
author = "Seth Hardy"
last_modified = "2014-07-09"
condition:
XtremeRATCode or XtremeRATStrings
}
rule xtremrat : rat
{
meta:
author = "Jean-Philippe Teissier / @Jipe_"
description = "Xtrem RAT v3.5"
date = "2012-07-12"
version = "1.0"
filetype = "memory"
strings:
$a = "XTREME" wide
$b = "XTREMEBINDER" wide
$c = "STARTSERVERBUFFER" wide
$d = "SOFTWARE\\XtremeRAT" wide
$e = "XTREMEUPDATE" wide
$f = "XtremeKeylogger" wide
$g = "myversion|3.5" wide
$h = "xtreme rat" wide nocase
condition:
2 of them
}
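Review bot: `xtreme_rat` fires on a single hex string, `{58 00 54 00 52 00 45 00 4D 00 45}`, which is simply `XTREME` in UTF-16LE, so any binary or document carrying that word as a product or brand name matches. The neighbouring `xtremrat` rule shows the better shape: the same token as `"XTREME" wide` but requiring `2 of them` alongside RAT-specific companions such as `"SOFTWARE\\XtremeRAT" wide`. Either fold xtreme_rat into that rule or tighten its condition to at least `$signature1 and uint16(0) == 0x5A4D`, and treat hits from it as low confidence in triage until then.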
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule YahLover : Worm
{
meta:
author="Kevin Falcoz"
date="10/06/2013"
description="YahLover"
strings:
$signature1={42 00 49 00 54 00 52 00 4F 00 54 00 41 00 54 00 45 00 00 00 42 00 49 00 54 00 53 00 48 00 49 00 46 00 54 00 00 00 00 00 42 00 49 00 54 00 58 00 4F 00 52}
condition:
$signature1
}
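Review bot: `$signature1` in YahLover is an uncommented 51-byte hex blob; decoded, it is the adjacent UTF-16LE strings `BITROTATE`, `BITSHIFT` and `BITXOR` with their NUL separators, which an analyst needs in order to judge a hit. Add `/* "BITROTATE", "BITSHIFT", "BITXOR" in UTF-16LE with NUL padding */` after the string, following the `/*X.T.R.E.M.E*/` convention already used in this ruleset. Those three names read like a string table from a generic bit-manipulation routine, so the rule may also hit unrelated software that embeds the same component (inferred from the strings, not verified).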
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule YayihCode : Yayih Family
{
meta:
description = "Yayih code features"
author = "Seth Hardy"
last_modified = "2014-07-11"
strings:
// encryption
$ = { 80 04 08 7A 03 C1 8B 45 FC 80 34 08 19 03 C1 41 3B 0A 7C E9 }
condition:
any of them
}
rule YayihStrings : Yayih Family
{
meta:
description = "Yayih Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-11"
strings:
$ = "/bbs/info.asp"
$ = "\\msinfo.exe"
$ = "%s\\%srcs.pdf"
$ = "\\aumLib.ini"
condition:
any of them
}
rule Yayih : Family
{
meta:
description = "Yayih"
author = "Seth Hardy"
last_modified = "2014-07-11"
condition:
YayihCode or YayihStrings
}
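Review bot: YayihStrings uses `any of them`, and `$ = "/bbs/info.asp"` is a generic bulletin-board URL path that can occur in ordinary web content or browser caches, so that one string alone promotes a hit through the wrapper rule Yayih. `"%s\\%srcs.pdf"` and `"\\aumLib.ini"` are the distinctive indicators here. Consider `2 of them`, or keep `any of them` but restrict the URL string to PE content with `uint16(0) == 0x5A4D and any of them`; if the loose form is deliberate for memory scanning, say so in a comment.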
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Zegost : Trojan
{
meta:
author="Kevin Falcoz"
date="10/06/2013"
description="Zegost Trojan"
strings:
$signature1={39 2F 66 33 30 4C 69 35 75 62 4F 35 44 4E 41 44 44 78 47 38 73 37 36 32 74 71 59 3D}
$signature2={00 BA DA 22 51 42 6F 6D 65 00}
condition:
$signature1 and $signature2
}
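Review bot: Both strings in Zegost are raw hex with no decoding comment, although they are printable: `$signature1` is the ASCII text `9/f30Li5ubO5DNADDxG8s762tqY=` (base64-shaped, not decoded here) and `$signature2` contains the ASCII run `"QBome` bracketed by NUL bytes. Add `/* "9/f30Li5ubO5DNADDxG8s762tqY=" */` and `/* \x00\xBA\xDA"QBome\x00 */` next to the respective strings so a reader can see what is being matched, in the same style as the `/*X.T.R.E.M.E*/` annotation used elsewhere in this ruleset.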
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Windows_Malware : Zeus_1134
{
meta:
author = "Xylitol xylitol@malwareint.com"
date = "2014-03-03"
description = "Match first two bytes, protocol and string present in Zeus 1.1.3.4"
reference = "http://www.xylibox.com/2014/03/zeus-1134.html"
strings:
$mz = {4D 5A}
$protocol1 = "X_ID: "
$protocol2 = "X_OS: "
$protocol3 = "X_BV: "
$stringR1 = "InitializeSecurityDescriptor"
$stringR2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
condition:
($mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2))
}
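Review bot: The rule is named `Windows_Malware` with the family carried only in the tag `Zeus_1134`; rule identifiers must be unique across a compiled ruleset, so this generic name is a collision hazard when the file is compiled alongside other community rules, and it tells an analyst nothing in the alert. Rename it to something like `rule Zeus_1134_Strings : Zeus_1134`, keeping the tag for anyone filtering on it. The `$mz = {4D 5A}` plus `$mz at 0` idiom works, but `uint16(0) == 0x5A4D` expresses the same PE check without adding a two-byte string that matches throughout every scanned file.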
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule cxpidStrings : cxpid Family
{
meta:
description = "cxpid Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-23"
strings:
$ = "/cxpid/submit.php?SessionID="
$ = "/cxgid/"
$ = "E21BC52BEA2FEF26D005CF"
$ = "E21BC52BEA39E435C40CD8"
$ = " -,L-,O+,Q-,R-,Y-,S-"
condition:
any of them
}
rule cxpidCode : cxpid Family
{
meta:
description = "cxpid code features"
author = "Seth Hardy"
last_modified = "2014-06-23"
strings:
$entryjunk = { 55 8B EC B9 38 04 00 00 6A 00 6A 00 49 75 F9 }
condition:
any of them
}
rule cxpid : Family
{
meta:
description = "cxpid"
author = "Seth Hardy"
last_modified = "2014-06-23"
condition:
cxpidCode or cxpidStrings
}
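Review bot: `$ = " -,L-,O+,Q-,R-,Y-,S-"` in cxpidStrings reads like a Delphi compiler-switch block (the `{$A-,L-,O+,...}` pattern stamped into Delphi-built binaries), and with `any of them` that string alone satisfies cxpidStrings and the wrapper rule cxpid, so unrelated Delphi applications built with the same switches are likely false positives (inferred from the string's shape, not verified against samples). The `/cxpid/submit.php?SessionID=` path and the two `E21BC52BEA...` strings are specific and can stay under `any of them`. Either move the switch string into cxpidCode next to `$entryjunk`, where `all of them` requires the code pattern as well, or change the cxpidStrings condition to `2 of them`.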
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule FavoriteCode : Favorite Family
{
meta:
description = "Favorite code features"
author = "Seth Hardy"
last_modified = "2014-06-24"
strings:
// standard string hiding
$ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }
$ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }
condition:
any of them
}
rule FavoriteStrings : Favorite Family
{
meta:
description = "Favorite Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-24"
strings:
$string1 = "!QAZ4rfv"
$file1 = "msupdater.exe"
$file2 = "FAVORITES.DAT"
condition:
any of ($string*) or all of ($file*)
}
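Review bot: The Favorite section has FavoriteCode and FavoriteStrings but no `Favorite : Family` wrapper rule, unlike the Vidgrab, Warp, Wimmie, Yayih, cxpid, iexpl0re and nAspyUpdate sections in this commit, which each end with a family rule whose condition is `XCode or XStrings`. Anyone who selects on the family-level rule names or the `Family` tag therefore gets every other family but never Favorite. Add the wrapper below; I left `author`/`last_modified` out of the meta so the committer can fill them in rather than have them attributed by me.

```yara
rule Favorite : Family
{
    meta:
        description = "Favorite"
    condition:
        FavoriteCode or FavoriteStrings
}
```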
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule iexpl0reCode : iexpl0ree Family
{
meta:
description = "iexpl0re code features"
author = "Seth Hardy"
last_modified = "2014-07-21"
strings:
$ = { 47 83 FF 64 0F 8C 6D FF FF FF 33 C0 5F 5E 5B C9 C3 }
$ = { 80 74 0D A4 44 41 3B C8 7C F6 68 04 01 00 00 }
$ = { 8A C1 B2 07 F6 EA 30 04 31 41 3B 4D 10 7C F1 }
$ = { 47 83 FF 64 0F 8C 79 FF FF FF 33 C0 5F 5E 5B C9 C3 }
// 88h decrypt
$ = { 68 88 00 00 00 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
$ = { BB 88 00 00 00 53 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
condition:
any of them
}
rule iexpl0reStrings : iexpl0re Family
{
meta:
description = "Strings used by iexpl0re"
author = "Seth Hardy"
last_modified = "2014-07-21"
strings:
$ = "%USERPROFILE%\\IEXPL0RE.EXE"
$ = "\"<770j (("
$ = "\\Users\\%s\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IEXPL0RE.LNK"
$ = "\\Documents and Settings\\%s\\Application Data\\Microsoft\\Internet Explorer\\IEXPL0RE.EXE"
$ = "LoaderV5.dll"
// stage 2
$ = "POST /index%0.9d.asp HTTP/1.1"
$ = "GET /search?n=%0.9d&"
$ = "DUDE_AM_I_SHARP-3.14159265358979x6.626176"
$ = "WHO_A_R_E_YOU?2.99792458x1.25663706143592"
$ = "BASTARD_&&_BITCHES_%0.8x"
$ = "c:\\bbb\\eee.txt"
condition:
any of them
}
rule iexpl0re : Family
{
meta:
description = "iexpl0re family"
author = "Seth Hardy"
last_modified = "2014-07-21"
condition:
iexpl0reCode or iexpl0reStrings
}
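Review bot: `rule iexpl0reCode : iexpl0ree Family` carries the tag `iexpl0ree` (double e) while iexpl0reStrings and the wrapper iexpl0re use `iexpl0re`, so tag-based selection such as `yara -t iexpl0re` runs the strings rule but silently skips the code rule. Change the header to `rule iexpl0reCode : iexpl0re Family`; the wrapper's `iexpl0reCode or iexpl0reStrings` condition references the rule by name and is unaffected.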
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule jRAT_conf : rat
{
meta:
description = "jRAT configuration"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-10-11"
filetype = "memory"
version = "1.0"
ref1 = "https://github.com/MalwareLu/config_extractor/blob/master/config_jRAT.py"
ref2 = "http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html"
strings:
$a = /port=[0-9]{1,5}SPLIT/
condition:
$a
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule nAspyUpdateCode : nAspyUpdate Family
{
meta:
description = "nAspyUpdate code features"
author = "Seth Hardy"
last_modified = "2014-07-14"
strings:
// decryption loop in dropper
$ = { 8A 54 24 14 8A 01 32 C2 02 C2 88 01 41 4E 75 F4 }
condition:
any of them
}
rule nAspyUpdateStrings : nAspyUpdate Family
{
meta:
description = "nAspyUpdate Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-14"
strings:
$ = "\\httpclient.txt"
$ = "password <=14"
$ = "/%ldn.txt"
$ = "Kill You\x00"
condition:
any of them
}
rule nAspyUpdate : Family
{
meta:
description = "nAspyUpdate"
author = "Seth Hardy"
last_modified = "2014-07-14"
condition:
nAspyUpdateCode or nAspyUpdateStrings
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule NetWiredRC_B : rat
{
meta:
description = "NetWiredRC"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2014-12-23"
filetype = "memory"
version = "1.1"
strings:
$mutex = "LmddnIkX"
$str1 = "%s.Identifier"
$str2 = "%d:%I64u:%s%s;"
$str3 = "%s%.2d-%.2d-%.4d"
$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
$klg1 = "[Backspace]"
$klg2 = "[Enter]"
$klg3 = "[Tab]"
$klg4 = "[Arrow Left]"
$klg5 = "[Arrow Up]"
$klg6 = "[Arrow Right]"
$klg7 = "[Arrow Down]"
$klg8 = "[Home]"
$klg9 = "[Page Up]"
$klg10 = "[Page Down]"
$klg11 = "[End]"
$klg12 = "[Break]"
$klg13 = "[Delete]"
$klg14 = "[Insert]"
$klg15 = "[Print Screen]"
$klg16 = "[Scroll Lock]"
$klg17 = "[Caps Lock]"
$klg18 = "[Alt]"
$klg19 = "[Esc]"
$klg20 = "[Ctrl+%c]"
condition:
$mutex or (1 of ($str*) and 1 of ($klg*))
}
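Review bot: The fallback branch `1 of ($str*) and 1 of ($klg*)` in NetWiredRC_B is a low bar: `$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"` and `$str1 = "%s.Identifier"` are ordinary format strings, and key labels such as `[Enter]` and `[Delete]` are shared with other keylogger families in this same commit (WoolenGoldfish_Generic_1 uses `[Enter]`), so any logging program with one generic date format plus one bracketed key name matches. Unless the memory-scan use case depends on the loose match, raise the threshold, e.g. `$mutex or (2 of ($str*) and 5 of ($klg*))`, or restrict the fallback to the distinctive `$str2`–`$str4` formats. A comment stating the intended precision/recall trade-off would let later tuners change it safely.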