Merge remote-tracking branch 'upstream/master' into patch-1

.github/FUNDING.yml

+liberapay: yararules

.github/ISSUE_TEMPLATE/bug_report.md

+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Yara version [e.g. 3.11.0]
+
+ - Version [e.g. 22]
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/new-rule-request.md

+---
+name: New rule request
+about: Suggest a new rule for this project
+title: "[New Rule]"
+labels: new rule
+assignees: ''
+
+---
+
+**Is your feature request related to an article or investigation? Please describe.**
+A clear and concise description of what the article or investigation is.
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/workflows/main.yml

+name: CI
+
+on:
+  # Trigger the workflow on push or pull request,
+  # but only for the master branch
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.head_ref }}
+
+    - name: Run gen index
+      run: "./index_gen.sh"
+      shell: bash
+
+    - name: Add & Commit
+      uses: github-actions-x/commit@v2.4
+      with:
+        commit-message: 'Index updated'
+        name: '${{ secrets.GH_USER }}'
+        email: '${{ secrets.GH_EMAIL }}'
+        push-branch: ${{ github.head_ref }}
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Push
+      uses: ad-m/github-push-action@v0.5.0
+      with:
+        github_token: ${{ secrets.GH_TOKEN }}
+        branch: ${{ github.head_ref }}

.travis.yml

 language: c
 sudo: required
-#dist: trusty
+
 before_install:
   - sudo apt-get -qq update
-  - sudo apt-get install jq
+  - sudo apt-get install -y automake libtool make gcc pkg-config flex bison libjansson-dev libmagic-dev libssl-dev jq
 # Yara
-  - wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara.tar.gz
-  #- wget $(wget -O - https://api.github.com/repos/VirusTotal/yara/releases/9250110 | jq -r ".tarball_url") -O yara.tar.gz
+  - wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara-latest.tar.gz
   - mkdir yara
-  - tar -C yara -xzvf yara.tar.gz --strip-components 1
-# Androguard for Yara
-  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/androguard.c -O yara/libyara/modules/androguard.c
-  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/dist/yara-3.7.0/libyara/modules/module_list -O yara/libyara/modules/module_list
-  - wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/dist/yara-3.7.0/libyara/Makefile.am -O yara/libyara/Makefile.am
-# libjansson
-  - wget http://www.digip.org/jansson/releases/jansson-2.7.tar.gz
-  - tar -xzvf jansson-2.7.tar.gz
-  - cd jansson-2.7
-  - ./configure
-  - make
-  - sudo make install
-
+  - tar -xzvf yara-latest.tar.gz -C yara --strip-components 1
 # Compile Yara
-  - cd ../yara
+  - cd yara
   # Update per issue 176
-  - sed -i 's/#define RE_MAX_SPLIT_ID     128/#define RE_MAX_SPLIT_ID     255/g' libyara/re.c
+  - sed -i 's/#define RE_MAX_SPLIT_ID     128/#define RE_MAX_SPLIT_ID     255/g' libyara/include/yara/limits.h
   - ./bootstrap.sh
-  - ./configure --enable-cuckoo
+  - ./configure --enable-cuckoo --enable-magic --with-crypto
   - make
   - sudo make install
   - sudo ldconfig
@@ -34,8 +21,6 @@ before_install:
 
 script:
   - echo "test" > testfile
-  - echo "{}" > androguard_report.json
   - FALLO=0
-#  - for j in $(ls -d */); do for i in $(find $j -type f -name "*.yara" ; find $j -type f -name "*.yar"); do echo $i; yara -x androguard=androguard_report.json $i testfile; if [[ $? -ne 0 ]]; then FALLO=1; fi; done; done
-  - for i in $(ls *_index.yar); do echo $i; yara -w -x androguard=androguard_report.json $i testfile; if [[ $? -ne 0 ]]; then FALLO=1; fi; done
+  - for i in $(ls *_index.yar); do echo $i; yara -w $i testfile; if [[ $? -ne 0 ]]; then FALLO=1; fi; done
   - exit $FALLO

CVE_Rules_index.yar

-/*
-Generated by Yara-Rules
-On 26-11-2019
-*/
-include "./CVE_Rules/CVE-2010-0805.yar"
-include "./CVE_Rules/CVE-2010-0887.yar"
-include "./CVE_Rules/CVE-2010-1297.yar"
-include "./CVE_Rules/CVE-2012-0158.yar"
-include "./CVE_Rules/CVE-2013-0074.yar"
-include "./CVE_Rules/CVE-2013-0422.yar"
-include "./CVE_Rules/CVE-2015-1701.yar"
-include "./CVE_Rules/CVE-2015-2426.yar"
-include "./CVE_Rules/CVE-2015-2545.yar"
-include "./CVE_Rules/CVE-2015-5119.yar"
-include "./CVE_Rules/CVE-2016-5195.yar"
-include "./CVE_Rules/CVE-2017-11882.yar"
-include "./CVE_Rules/CVE-2018-20250.yar"
-include "./CVE_Rules/CVE-2018-4878.yar"

Exploit-Kits_index.yar

-/*
-Generated by Yara-Rules
-On 26-11-2019
-*/
-include "./Exploit-Kits/EK_Angler.yar"
-include "./Exploit-Kits/EK_Blackhole.yar"
-include "./Exploit-Kits/EK_BleedingLife.yar"
-include "./Exploit-Kits/EK_Crimepack.yar"
-include "./Exploit-Kits/EK_Eleonore.yar"
-include "./Exploit-Kits/EK_Fragus.yar"
-include "./Exploit-Kits/EK_Phoenix.yar"
-include "./Exploit-Kits/EK_Sakura.yar"
-include "./Exploit-Kits/EK_ZeroAcces.yar"
-include "./Exploit-Kits/EK_Zerox88.yar"
-include "./Exploit-Kits/EK_Zeus.yar"

Malicious_Documents_index.yar

-/*
-Generated by Yara-Rules
-On 26-11-2019
-*/
-include "./Malicious_Documents/Maldoc_APT10_MenuPass.yar"
-include "./Malicious_Documents/Maldoc_APT19_CVE-2017-1099.yar"
-include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
-include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
-include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
-include "./Malicious_Documents/Maldoc_CVE_2017_8759.yar"
-include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
-include "./Malicious_Documents/Maldoc_DDE.yar"
-include "./Malicious_Documents/Maldoc_Dridex.yar"
-include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
-include "./Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar"
-include "./Malicious_Documents/Maldoc_PDF.yar"
-include "./Malicious_Documents/Maldoc_PowerPointMouse.yar"
-include "./Malicious_Documents/Maldoc_Suspicious_OLE_target.yar"
-include "./Malicious_Documents/Maldoc_UserForm.yar"
-include "./Malicious_Documents/Maldoc_VBA_macro_code.yar"
-include "./Malicious_Documents/Maldoc_Word_2007_XML_Flat_OPC.yar"
-include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
-include "./Malicious_Documents/maldoc_somerules.yar"

Mobile_Malware_index.yar

-/*
-Generated by Yara-Rules
-On 26-11-2019
-*/
-include "./Mobile_Malware/Android_ASSDdeveloper.yar"
-include "./Mobile_Malware/Android_AVITOMMS.yar"
-include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
-include "./Mobile_Malware/Android_Amtrckr_20160519.yar"
-include "./Mobile_Malware/Android_Backdoor.yar"
-include "./Mobile_Malware/Android_Backdoor_script.yar"
-include "./Mobile_Malware/Android_BadMirror.yar"
-include "./Mobile_Malware/Android_Banker_Acecard.yar"
-include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
-include "./Mobile_Malware/Android_Clicker_G.yar"
-include "./Mobile_Malware/Android_Copy9.yar"
-include "./Mobile_Malware/Android_DeathRing.yar"
-include "./Mobile_Malware/Android_Dectus_rswm.yar"
-include "./Mobile_Malware/Android_Dendroid_RAT.yar"
-include "./Mobile_Malware/Android_Dogspectus.yar"
-include "./Mobile_Malware/Android_FakeApps.yar"
-include "./Mobile_Malware/Android_FakeBank_Fanta.yar"
-include "./Mobile_Malware/Android_Godless.yar"
-include "./Mobile_Malware/Android_HackintTeam_Implant.yar"
-include "./Mobile_Malware/Android_Libyan_Scorpions.yar"
-include "./Mobile_Malware/Android_MalwareCertificates.yar"
-include "./Mobile_Malware/Android_Malware_Ramsonware.yar"
-include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
-include "./Mobile_Malware/Android_Malware_Towelroot.yar"
-include "./Mobile_Malware/Android_Marcher_2.yar"
-include "./Mobile_Malware/Android_MazarBot_z.yar"
-include "./Mobile_Malware/Android_Metasploit.yar"
-include "./Mobile_Malware/Android_Metasploit_Payload.yar"
-include "./Mobile_Malware/Android_OmniRat.yar"
-include "./Mobile_Malware/Android_Overlayer.yar"
-include "./Mobile_Malware/Android_Pink_Locker.yar"
-include "./Mobile_Malware/Android_Polish_Bankbot.yar"
-include "./Mobile_Malware/Android_RuMMS.yar"
-include "./Mobile_Malware/Android_SMSFraud.yar"
-include "./Mobile_Malware/Android_SandroRat.yar"
-include "./Mobile_Malware/Android_SlemBunk.yar"
-include "./Mobile_Malware/Android_SpyAgent.yar"
-include "./Mobile_Malware/Android_SpyNote.yar"
-include "./Mobile_Malware/Android_Spynet.yar"
-include "./Mobile_Malware/Android_Spywaller.yar"
-include "./Mobile_Malware/Android_Switcher.yar"
-include "./Mobile_Malware/Android_Tachi.yar"
-include "./Mobile_Malware/Android_Tempting_Cedar_Spyware.yar"
-include "./Mobile_Malware/Android_Tordow.yar"
-include "./Mobile_Malware/Android_Triada_Banking.yar"
-include "./Mobile_Malware/Android_Trojan_Dendroid.yar"
-include "./Mobile_Malware/Android_Trojan_Droidjack.yar"
-include "./Mobile_Malware/Android_VikingOrder.yar"
-include "./Mobile_Malware/Android_VirusPolicia.yar"
-include "./Mobile_Malware/Android_adware.yar"
-include "./Mobile_Malware/Android_generic_adware.yar"
-include "./Mobile_Malware/Android_generic_smsfraud.yar"
-include "./Mobile_Malware/Android_malware_Advertising.yar"
-include "./Mobile_Malware/Android_malware_ChinesePorn.yar"
-include "./Mobile_Malware/Android_malware_Dropper.yar"
-include "./Mobile_Malware/Android_malware_Fake_MosKow.yar"
-include "./Mobile_Malware/Android_malware_HackingTeam.yar"
-include "./Mobile_Malware/Android_malware_SMSsender.yar"
-include "./Mobile_Malware/Android_malware_banker.yar"
-include "./Mobile_Malware/Android_malware_xbot007.yar"
-include "./Mobile_Malware/Android_mapin.yar"
-include "./Mobile_Malware/Android_pornClicker.yar"
-include "./Mobile_Malware/Android_sk_bankTr.yar"

Packers_index.yar

-/*
-Generated by Yara-Rules
-On 26-11-2019
-*/
-include "./Packers/JJencode.yar"
-include "./Packers/Javascript_exploit_and_obfuscation.yar"
-include "./Packers/packer.yar"
-include "./Packers/packer_compiler_signatures.yar"
-include "./Packers/peid.yar"

README.md

-[![Build Status](https://travis-ci.org/Yara-Rules/rules.svg)](https://travis-ci.org/Yara-Rules/rules)
+[![Build Status](https://travis-ci.org/Yara-Rules/rules.svg)](https://travis-ci.org/Yara-Rules/rules) <img src="http://img.shields.io/liberapay/patrons/yararules.svg?logo=liberapay">
+
 
 # Project
 
@@ -14,8 +15,6 @@ If you’re interested in sharing your Yara rules with us and the Security Commu
 
 Twitter account: https://twitter.com/yararules
 
-Mailing list : http://list.yararules.com/mailman/listinfo/yararules.com.signatures
-
 # Requirements
 
 Yara **version 3.0** or higher is required for most of our rules to work. This is mainly due to the use of the "pe" module introduced in that version.
@@ -24,7 +23,9 @@ You can check your installed version with `yara -v`
 
 Packages available in Ubuntu 14.04 LTS default repositories are too old.  You can alternatively install from source or use the packages available in the [Remnux repository](https://launchpad.net/~remnux/+archive/ubuntu/stable).
 
-Also, you will need [Androguard Module](https://github.com/Koodous/androguard-yara) if you want to use the rules in the 'mobile_malware' category.
+~~Also, you will need [Androguard Module](https://github.com/Koodous/androguard-yara) if you want to use the rules in the 'mobile_malware' category.~~
+
+We have deprecated mobile_malware rules that depend on Androguard Module because it seems an abandoned project.
 
 # Categories
 
@@ -36,7 +37,7 @@ In this section you will find Yara Rules aimed toward the detection of anti-debu
 
 In this section you will find Yara rules to detect capabilities that do not fit into any of the other categories.  They are useful to know for analysis but may not be malicious indicators on their own.
 
-## CVE_Rules
+## CVE Rules
 
 In this section you will find Yara Rules specialised toward the identification of specific Common Vulnerabilities and Exposures (CVEs)
 
@@ -72,9 +73,9 @@ In this section you will find Yara rules specialised toward the identification o
 
 In this section you will find Yara rules specialised toward the identification of well-known mobile malware.
 
-Many rules in this section use the Androguard module developed by the people over at https://koodous.com/.
+## Deprecated
 
-You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+In this section you will find Yara rules deprecated.
 
 # Contact
 
@@ -82,4 +83,3 @@ Webpage: http://yararules.com
 
 Twitter account: https://twitter.com/yararules
 
-Mail list : http://list.yararules.com/mailman/listinfo/yararules.com.signatures

Webshells_index.yar

-/*
-Generated by Yara-Rules
-On 26-11-2019
-*/
-include "./Webshells/WShell_APT_Laudanum.yar"
-include "./Webshells/WShell_ASPXSpy.yar"
-include "./Webshells/WShell_PHP_Anuna.yar"
-include "./Webshells/WShell_PHP_in_images.yar"
-include "./Webshells/WShell_THOR_Webshells.yar"
-include "./Webshells/Wshell_ChineseSpam.yar"
-include "./Webshells/Wshell_fire2013.yar"

antidebug_antivm_index.yar

+/*
+Generated by Yara-Rules
+On 24-02-2020
+*/
+include "./antidebug_antivm/antidebug_antivm.yar"

Capabilities/capabilities.yar → capabilities/capabilities.yar

@@ -813,3 +813,102 @@ rule win_files_operation {
     condition:
         $f1 and 3 of ($c*)
 }
+
+
+rule Str_Win32_Winsock2_Library
+{
+    meta:
+        author = "@adricnet"
+        description = "Match Winsock 2 API library declaration"
+        method = "String match"
+        reference = "https://github.com/dfirnotes/rules"
+
+    strings:
+        $ws2_lib = "Ws2_32.dll" nocase
+        $wsock2_lib = "WSock32.dll" nocase
+
+    condition:
+        (any of ($ws2_lib, $wsock2_lib))
+}
+
+rule Str_Win32_Wininet_Library
+{
+
+    meta:
+        author = "@adricnet"
+        description = "Match Windows Inet API library declaration"
+        method = "String match"
+        reference = "https://github.com/dfirnotes/rules"
+
+    strings:
+        $wininet_lib = "WININET.dll" nocase
+
+    condition:
+        (all of ($wininet*))
+}
+
+rule Str_Win32_Internet_API
+{
+
+    meta:
+        author = "@adricnet"
+        description = "Match Windows Inet API call"
+        method = "String match, trim the As"
+        reference = "https://github.com/dfirnotes/rules"
+
+    strings:
+        $wininet_call_closeh = "InternetCloseHandle"
+        $wininet_call_readf = "InternetReadFile"
+        $wininet_call_connect = "InternetConnect"
+        $wininet_call_open = "InternetOpen"
+
+    condition:
+        (any of ($wininet_call*))
+}
+
+rule Str_Win32_Http_API
+{
+    meta:
+        author = "@adricnet"
+        description = "Match Windows Http API call"
+        method = "String match, trim the As"
+        reference = "https://github.com/dfirnotes/rules"
+
+    strings:
+        $wininet_call_httpr = "HttpSendRequest"
+        $wininet_call_httpq = "HttpQueryInfo"
+        $wininet_call_httpo = "HttpOpenRequest"
+
+     condition:
+        (any of ($wininet_call_http*))
+}
+
+
+rule ldpreload
+{
+        meta:
+                author="xorseed"
+                reference= "https://stuff.rop.io/"
+	strings:
+		$a = "dlopen" nocase ascii wide
+		$b = "dlsym" nocase ascii wide
+		$c = "fopen" nocase ascii wide
+		$d = "fopen64" nocase ascii wide
+		$e = "__fxstat" nocase ascii wide
+		$f = "__fxstat64" nocase ascii wide
+		$g = "accept" nocase ascii wide
+		$h = "__lxstat" nocase ascii wide
+		$i = "__lxstat64" nocase ascii wide
+		$j = "open" nocase ascii wide
+		$k = "rmdir" nocase ascii wide
+		$l = "__xstat" nocase ascii wide
+		$m = "__xstat64" nocase ascii wide
+		$n = "unlink" nocase ascii wide
+		$o = "unlikat" nocase ascii wide
+		$p = "fdopendir" nocase ascii wide
+		$q = "opendir" nocase ascii wide
+		$r = "readdir" nocase ascii wide
+		$s = "readdir64" nocase ascii wide
+	condition:
+		($a or $b) and 5 of them
+}

Capabilities_index.yar → capabilities_index.yar

 /*
 Generated by Yara-Rules
-On 26-11-2019
+On 24-02-2020
 */
-include "./Capabilities/capabilities.yar"
+include "./capabilities/capabilities.yar"

Crypto/crypto_signatures.yar → crypto/crypto_signatures.yar

@@ -378,6 +378,26 @@ rule SHA512_Constants {
 		5 of them
 }
 
+rule SHA2_BLAKE2_IVs {
+	meta:
+		author = "spelissier"
+		description = "Look for SHA2/BLAKE2/Argon2 IVs"
+		date = "2019-12"
+		version = "0.1"
+	strings:
+		$c0 = { 67 E6 09 6A }
+		$c1 = { 85 AE 67 BB }
+		$c2 = { 72 F3 6E 3C }
+		$c3 = { 3A F5 4F A5 }
+		$c4 = { 7F 52 0E 51 }
+		$c5 = { 8C 68 05 9B }
+		$c6 = { AB D9 83 1F }
+		$c7 = { 19 CD E0 5B }
+
+	condition:
+		all of them
+}
+
 rule TEAN {
 	meta:
 		author = "_pusher_"
@@ -1431,3 +1451,45 @@ rule DCP_DES_EncryptECB {
 	condition:
 		any of them
 }
+
+rule Chacha_128_constant {
+    meta:
+		author = "spelissier"
+		description = "Look for 128-bit key Chacha stream cipher constant"
+		date = "2019-12"
+		reference = "https://www.ecrypt.eu.org/stream/salsa20pf.html"
+	strings:
+		$c0 = "expand 16-byte k"
+	condition:
+		$c0
+}
+
+rule Chacha_256_constant {
+    meta:
+		author = "spelissier"
+		description = "Look for 256-bit key Chacha stream cipher constant"
+		date = "2019-12"
+		reference = "https://tools.ietf.org/html/rfc8439#page-8"
+	strings:
+		$c0 = "expand 32-byte k"
+	condition:
+		$c0
+}
+
+rule ecc_order {
+    meta:
+		author = "spelissier"
+		description = "Look for known Elliptic curve orders"
+		date = "2020-01"
+		version = "0.1"
+	strings:
+		$secp192k1 = { FF FF FF FF FF FF FF FF FF FF FF FE 26 F2 FC 17 0F 69 46 6A 74 DE FD 8D}
+		$secp192r1 = { FF FF FF FF FF FF FF FF FF FF FF FF 99 DE F8 36 14 6B C9 B1 B4 D2 28 31}
+		$secp224k1 = { 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 DC E8 D2 EC 61 84 CA F0 A9 71 76 9F B1 F7}
+		$secp224r1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF 16 A2 E0 B8 F0 3E 13 DD 29 45 5C 5C 2A 3D}
+		$secp256k1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FE BA AE DC E6 AF 48 A0 3B BF D2 5E 8C D0 36 41 41 }
+		$prime256v1 = { FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF FF BC E6 FA AD A7 17 9E 84 F3 B9 CA C2 FC 63 25 51 }
+		$secp384r1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF C7 63 4D 81 F4 37 2D DF 58 1A 0D B2 48 B0 A7 7A EC EC 19 6A CC C5 29 73 }
+	condition:
+		any of them
+}
\ No newline at end of file

Crypto_index.yar → crypto_index.yar

 /*
 Generated by Yara-Rules
-On 26-11-2019
+On 24-02-2020
 */
-include "./Crypto/crypto_signatures.yar"
+include "./crypto/crypto_signatures.yar"

cve_rules_index.yar

+/*
+Generated by Yara-Rules
+On 24-02-2020
+*/
+include "./cve_rules/CVE-2010-0805.yar"
+include "./cve_rules/CVE-2010-0887.yar"
+include "./cve_rules/CVE-2010-1297.yar"
+include "./cve_rules/CVE-2012-0158.yar"
+include "./cve_rules/CVE-2013-0074.yar"
+include "./cve_rules/CVE-2013-0422.yar"
+include "./cve_rules/CVE-2015-1701.yar"
+include "./cve_rules/CVE-2015-2426.yar"
+include "./cve_rules/CVE-2015-2545.yar"
+include "./cve_rules/CVE-2015-5119.yar"
+include "./cve_rules/CVE-2016-5195.yar"
+include "./cve_rules/CVE-2017-11882.yar"
+include "./cve_rules/CVE-2018-20250.yar"
+include "./cve_rules/CVE-2018-4878.yar"

deprecated/Android_Finspy.yar

+// Published under the GNU-GPLv2 license. It’s open to any user or organization,
+//    as long as you use it under this license.
+
+rule finspy : cdshide android
+{
+	
+	meta:
+		description = "Detect Gamma/FinFisher FinSpy for Android #GovWare"
+		date = "2020/01/07"
+		author = "Thorsten Schröder - ths @ ccc.de (https://twitter.com/__ths__)"
+		reference1 = "https://github.com/devio/FinSpy-Tools"
+		reference2 = "https://github.com/Linuzifer/FinSpy-Dokumentation"
+		reference3 = "https://www.ccc.de/de/updates/2019/finspy"
+		sample = "c2ce202e6e08c41e8f7a0b15e7d0781704e17f8ed52d1b2ad7212ac29926436e"
+	
+	strings:
+		$re = /\x50\x4B\x01\x02[\x00-\xff]{32}[A-Za-z0-9+\/]{6}/
+	
+	condition:
+		$re and (#re > 50)
+}

email_index.yar

 /*
 Generated by Yara-Rules
-On 26-11-2019
+On 24-02-2020
 */
 include "./email/EMAIL_Cryptowall.yar"
 include "./email/attachment.yar"

exploit_kits_index.yar

+/*
+Generated by Yara-Rules
+On 24-02-2020
+*/
+include "./exploit_kits/EK_Angler.yar"
+include "./exploit_kits/EK_Blackhole.yar"
+include "./exploit_kits/EK_BleedingLife.yar"
+include "./exploit_kits/EK_Crimepack.yar"
+include "./exploit_kits/EK_Eleonore.yar"
+include "./exploit_kits/EK_Fragus.yar"
+include "./exploit_kits/EK_Phoenix.yar"
+include "./exploit_kits/EK_Sakura.yar"
+include "./exploit_kits/EK_ZeroAcces.yar"
+include "./exploit_kits/EK_Zerox88.yar"
+include "./exploit_kits/EK_Zeus.yar"

index.yar

 /*
 Generated by Yara-Rules
-On 26-11-2019
+On 24-02-2020
 */
-include "./Antidebug_AntiVM/antidebug_antivm.yar"
-include "./CVE_Rules/CVE-2010-0805.yar"
-include "./CVE_Rules/CVE-2010-0887.yar"
-include "./CVE_Rules/CVE-2010-1297.yar"
-include "./CVE_Rules/CVE-2012-0158.yar"
-include "./CVE_Rules/CVE-2013-0074.yar"
-include "./CVE_Rules/CVE-2013-0422.yar"
-include "./CVE_Rules/CVE-2015-1701.yar"
-include "./CVE_Rules/CVE-2015-2426.yar"
-include "./CVE_Rules/CVE-2015-2545.yar"
-include "./CVE_Rules/CVE-2015-5119.yar"
-include "./CVE_Rules/CVE-2016-5195.yar"
-include "./CVE_Rules/CVE-2017-11882.yar"
-include "./CVE_Rules/CVE-2018-20250.yar"
-include "./CVE_Rules/CVE-2018-4878.yar"
-include "./Capabilities/capabilities.yar"
-include "./Crypto/crypto_signatures.yar"
-include "./Exploit-Kits/EK_Angler.yar"
-include "./Exploit-Kits/EK_Blackhole.yar"
-include "./Exploit-Kits/EK_BleedingLife.yar"
-include "./Exploit-Kits/EK_Crimepack.yar"
-include "./Exploit-Kits/EK_Eleonore.yar"
-include "./Exploit-Kits/EK_Fragus.yar"
-include "./Exploit-Kits/EK_Phoenix.yar"
-include "./Exploit-Kits/EK_Sakura.yar"
-include "./Exploit-Kits/EK_ZeroAcces.yar"
-include "./Exploit-Kits/EK_Zerox88.yar"
-include "./Exploit-Kits/EK_Zeus.yar"
-include "./Malicious_Documents/Maldoc_APT10_MenuPass.yar"
-include "./Malicious_Documents/Maldoc_APT19_CVE-2017-1099.yar"
-include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
-include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
-include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
-include "./Malicious_Documents/Maldoc_CVE_2017_8759.yar"
-include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
-include "./Malicious_Documents/Maldoc_DDE.yar"
-include "./Malicious_Documents/Maldoc_Dridex.yar"
-include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
-include "./Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar"
-include "./Malicious_Documents/Maldoc_PDF.yar"
-include "./Malicious_Documents/Maldoc_PowerPointMouse.yar"
-include "./Malicious_Documents/Maldoc_Suspicious_OLE_target.yar"
-include "./Malicious_Documents/Maldoc_UserForm.yar"
-include "./Malicious_Documents/Maldoc_VBA_macro_code.yar"
-include "./Malicious_Documents/Maldoc_Word_2007_XML_Flat_OPC.yar"
-include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
-include "./Malicious_Documents/maldoc_somerules.yar"
-include "./Packers/JJencode.yar"
-include "./Packers/Javascript_exploit_and_obfuscation.yar"
-include "./Packers/packer.yar"
-include "./Packers/packer_compiler_signatures.yar"
-include "./Packers/peid.yar"
-include "./Webshells/WShell_APT_Laudanum.yar"
-include "./Webshells/WShell_ASPXSpy.yar"
-include "./Webshells/WShell_PHP_Anuna.yar"
-include "./Webshells/WShell_PHP_in_images.yar"
-include "./Webshells/WShell_THOR_Webshells.yar"
-include "./Webshells/Wshell_ChineseSpam.yar"
-include "./Webshells/Wshell_fire2013.yar"
+include "./antidebug_antivm/antidebug_antivm.yar"
+include "./capabilities/capabilities.yar"
+include "./crypto/crypto_signatures.yar"
+include "./cve_rules/CVE-2010-0805.yar"
+include "./cve_rules/CVE-2010-0887.yar"
+include "./cve_rules/CVE-2010-1297.yar"
+include "./cve_rules/CVE-2012-0158.yar"
+include "./cve_rules/CVE-2013-0074.yar"
+include "./cve_rules/CVE-2013-0422.yar"
+include "./cve_rules/CVE-2015-1701.yar"
+include "./cve_rules/CVE-2015-2426.yar"
+include "./cve_rules/CVE-2015-2545.yar"
+include "./cve_rules/CVE-2015-5119.yar"
+include "./cve_rules/CVE-2016-5195.yar"
+include "./cve_rules/CVE-2017-11882.yar"
+include "./cve_rules/CVE-2018-20250.yar"
+include "./cve_rules/CVE-2018-4878.yar"
 include "./email/EMAIL_Cryptowall.yar"
 include "./email/attachment.yar"
 include "./email/bank_rule.yar"
@@ -68,6 +26,36 @@ include "./email/email_Ukraine_BE_powerattack.yar"
 include "./email/image.yar"
 include "./email/scam.yar"
 include "./email/urls.yar"
+include "./exploit_kits/EK_Angler.yar"
+include "./exploit_kits/EK_Blackhole.yar"
+include "./exploit_kits/EK_BleedingLife.yar"
+include "./exploit_kits/EK_Crimepack.yar"
+include "./exploit_kits/EK_Eleonore.yar"
+include "./exploit_kits/EK_Fragus.yar"
+include "./exploit_kits/EK_Phoenix.yar"
+include "./exploit_kits/EK_Sakura.yar"
+include "./exploit_kits/EK_ZeroAcces.yar"
+include "./exploit_kits/EK_Zerox88.yar"
+include "./exploit_kits/EK_Zeus.yar"
+include "./maldocs/Maldoc_APT10_MenuPass.yar"
+include "./maldocs/Maldoc_APT19_CVE-2017-1099.yar"
+include "./maldocs/Maldoc_APT_OLE_JSRat.yar"
+include "./maldocs/Maldoc_CVE-2017-0199.yar"
+include "./maldocs/Maldoc_CVE_2017_11882.yar"
+include "./maldocs/Maldoc_CVE_2017_8759.yar"
+include "./maldocs/Maldoc_Contains_VBE_File.yar"
+include "./maldocs/Maldoc_DDE.yar"
+include "./maldocs/Maldoc_Dridex.yar"
+include "./maldocs/Maldoc_Hidden_PE_file.yar"
+include "./maldocs/Maldoc_MIME_ActiveMime_b64.yar"
+include "./maldocs/Maldoc_PDF.yar"
+include "./maldocs/Maldoc_PowerPointMouse.yar"
+include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
+include "./maldocs/Maldoc_UserForm.yar"
+include "./maldocs/Maldoc_VBA_macro_code.yar"
+include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
+include "./maldocs/Maldoc_malrtf_ole2link.yar"
+include "./maldocs/maldoc_somerules.yar"
 include "./malware/000_common_rules.yar"
 include "./malware/APT_APT1.yar"
 include "./malware/APT_APT10.yar"
@@ -182,7 +170,6 @@ include "./malware/MALW_Boouset.yar"
 include "./malware/MALW_Bublik.yar"
 include "./malware/MALW_Buzus_Softpulse.yar"
 include "./malware/MALW_CAP_HookExKeylogger.yar"
-include "./malware/MALW_CAP_Win32Inet.yara"
 include "./malware/MALW_Chicken.yar"
 include "./malware/MALW_Citadel.yar"
 include "./malware/MALW_Cloaking.yar"
@@ -204,6 +191,7 @@ include "./malware/MALW_Exploit_UAC_Elevators.yar"
 include "./malware/MALW_Ezcob.yar"
 include "./malware/MALW_F0xy.yar"
 include "./malware/MALW_FALLCHILL.yar"
+include "./malware/MALW_FUDCrypt.yar"
 include "./malware/MALW_FakeM.yar"
 include "./malware/MALW_Fareit.yar"
 include "./malware/MALW_Favorite.yar"
@@ -240,6 +228,7 @@ include "./malware/MALW_LinuxMoose.yar"
 include "./malware/MALW_LostDoor.yar"
 include "./malware/MALW_LuaBot.yar"
 include "./malware/MALW_LuckyCat.yar"
+include "./malware/MALW_MSILStealer.yar"
 include "./malware/MALW_MacControl.yar"
 include "./malware/MALW_Madness.yar"
 include "./malware/MALW_Magento_backend.yar"
@@ -324,6 +313,7 @@ include "./malware/MALW_shifu_shiz.yar"
 include "./malware/MALW_sitrof_fortis_scar.yar"
 include "./malware/MALW_viotto_keylogger.yar"
 include "./malware/MALW_xDedic_marketplace.yar"
+include "./malware/MalConfScan.yar"
 include "./malware/Operation_Blockbuster/DeltaCharlie.yara"
 include "./malware/Operation_Blockbuster/HotelAlfa.yara"
 include "./malware/Operation_Blockbuster/IndiaAlfa.yara"
@@ -346,6 +336,7 @@ include "./malware/Operation_Blockbuster/RomeoBravo.yara"
 include "./malware/Operation_Blockbuster/RomeoCharlie.yara"
 include "./malware/Operation_Blockbuster/RomeoDelta.yara"
 include "./malware/Operation_Blockbuster/RomeoEcho.yara"
+include "./malware/Operation_Blockbuster/RomeoFoxtrot_mod.yara"
 include "./malware/Operation_Blockbuster/RomeoGolf_mod.yara"
 include "./malware/Operation_Blockbuster/RomeoHotel.yara"
 include "./malware/Operation_Blockbuster/RomeoWhiskey.yara"
@@ -390,6 +381,7 @@ include "./malware/RANSOM_GPGQwerty.yar"
 include "./malware/RANSOM_GoldenEye.yar"
 include "./malware/RANSOM_Locky.yar"
 include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
+include "./malware/RANSOM_Maze.yar"
 include "./malware/RANSOM_PetrWrap.yar"
 include "./malware/RANSOM_Petya.yar"
 include "./malware/RANSOM_SamSam.yar"
@@ -443,3 +435,16 @@ include "./malware/TOOLKIT_Pwdump.yar"
 include "./malware/TOOLKIT_THOR_HackTools.yar"
 include "./malware/TOOLKIT_Wineggdrop.yar"
 include "./malware/TOOLKIT_exe2hex_payload.yar"
+include "./packers/JJencode.yar"
+include "./packers/Javascript_exploit_and_obfuscation.yar"
+include "./packers/packer.yar"
+include "./packers/packer_compiler_signatures.yar"
+include "./packers/peid.yar"
+include "./webshells/WShell_APT_Laudanum.yar"
+include "./webshells/WShell_ASPXSpy.yar"
+include "./webshells/WShell_Drupalgeddon2_icos.yar"
+include "./webshells/WShell_PHP_Anuna.yar"
+include "./webshells/WShell_PHP_in_images.yar"
+include "./webshells/WShell_THOR_Webshells.yar"
+include "./webshells/Wshell_ChineseSpam.yar"
+include "./webshells/Wshell_fire2013.yar"

index_gen.sh

@@ -2,7 +2,8 @@
 
 function get_folders {
     local INDECES=()
-    for folder in $(ls -d */ | grep -v utils); do
+    AVOID="utils|deprecated"
+    for folder in $(ls -d */ | grep -vE $AVOID); do
         INDECES+="$folder "
     done
     INDECES+=". "
@@ -18,7 +19,7 @@ function gen_index {
         echo -e "/*$4*/" > $IDX_NAME
     fi
     OS=$(uname)
-    AVOID="_?index.yara?|index_|utils"
+    AVOID="_?index.yara?|index_|utils|deprecated"
     if [ x"$BASE" == x"." ]; then
         if [ $INC_MOBILE == false ]; then
             AVOID+="|Mobile"

index_w_mobile.yar

 /*
 Generated by Yara-Rules
-On 26-11-2019
+On 24-02-2020
 */
-include "./Antidebug_AntiVM/antidebug_antivm.yar"
-include "./CVE_Rules/CVE-2010-0805.yar"
-include "./CVE_Rules/CVE-2010-0887.yar"
-include "./CVE_Rules/CVE-2010-1297.yar"
-include "./CVE_Rules/CVE-2012-0158.yar"
-include "./CVE_Rules/CVE-2013-0074.yar"
-include "./CVE_Rules/CVE-2013-0422.yar"
-include "./CVE_Rules/CVE-2015-1701.yar"
-include "./CVE_Rules/CVE-2015-2426.yar"
-include "./CVE_Rules/CVE-2015-2545.yar"
-include "./CVE_Rules/CVE-2015-5119.yar"
-include "./CVE_Rules/CVE-2016-5195.yar"
-include "./CVE_Rules/CVE-2017-11882.yar"
-include "./CVE_Rules/CVE-2018-20250.yar"
-include "./CVE_Rules/CVE-2018-4878.yar"
-include "./Capabilities/capabilities.yar"
-include "./Crypto/crypto_signatures.yar"
-include "./Exploit-Kits/EK_Angler.yar"
-include "./Exploit-Kits/EK_Blackhole.yar"
-include "./Exploit-Kits/EK_BleedingLife.yar"
-include "./Exploit-Kits/EK_Crimepack.yar"
-include "./Exploit-Kits/EK_Eleonore.yar"
-include "./Exploit-Kits/EK_Fragus.yar"
-include "./Exploit-Kits/EK_Phoenix.yar"
-include "./Exploit-Kits/EK_Sakura.yar"
-include "./Exploit-Kits/EK_ZeroAcces.yar"
-include "./Exploit-Kits/EK_Zerox88.yar"
-include "./Exploit-Kits/EK_Zeus.yar"
-include "./Malicious_Documents/Maldoc_APT10_MenuPass.yar"
-include "./Malicious_Documents/Maldoc_APT19_CVE-2017-1099.yar"
-include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
-include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
-include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
-include "./Malicious_Documents/Maldoc_CVE_2017_8759.yar"
-include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
-include "./Malicious_Documents/Maldoc_DDE.yar"
-include "./Malicious_Documents/Maldoc_Dridex.yar"
-include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
-include "./Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar"
-include "./Malicious_Documents/Maldoc_PDF.yar"
-include "./Malicious_Documents/Maldoc_PowerPointMouse.yar"
-include "./Malicious_Documents/Maldoc_Suspicious_OLE_target.yar"
-include "./Malicious_Documents/Maldoc_UserForm.yar"
-include "./Malicious_Documents/Maldoc_VBA_macro_code.yar"
-include "./Malicious_Documents/Maldoc_Word_2007_XML_Flat_OPC.yar"
-include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
-include "./Malicious_Documents/maldoc_somerules.yar"
-include "./Mobile_Malware/Android_ASSDdeveloper.yar"
-include "./Mobile_Malware/Android_AVITOMMS.yar"
-include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
-include "./Mobile_Malware/Android_Amtrckr_20160519.yar"
-include "./Mobile_Malware/Android_Backdoor.yar"
-include "./Mobile_Malware/Android_Backdoor_script.yar"
-include "./Mobile_Malware/Android_BadMirror.yar"
-include "./Mobile_Malware/Android_Banker_Acecard.yar"
-include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
-include "./Mobile_Malware/Android_Clicker_G.yar"
-include "./Mobile_Malware/Android_Copy9.yar"
-include "./Mobile_Malware/Android_DeathRing.yar"
-include "./Mobile_Malware/Android_Dectus_rswm.yar"
-include "./Mobile_Malware/Android_Dendroid_RAT.yar"
-include "./Mobile_Malware/Android_Dogspectus.yar"
-include "./Mobile_Malware/Android_FakeApps.yar"
-include "./Mobile_Malware/Android_FakeBank_Fanta.yar"
-include "./Mobile_Malware/Android_Godless.yar"
-include "./Mobile_Malware/Android_HackintTeam_Implant.yar"
-include "./Mobile_Malware/Android_Libyan_Scorpions.yar"
-include "./Mobile_Malware/Android_MalwareCertificates.yar"
-include "./Mobile_Malware/Android_Malware_Ramsonware.yar"
-include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
-include "./Mobile_Malware/Android_Malware_Towelroot.yar"
-include "./Mobile_Malware/Android_Marcher_2.yar"
-include "./Mobile_Malware/Android_MazarBot_z.yar"
-include "./Mobile_Malware/Android_Metasploit.yar"
-include "./Mobile_Malware/Android_Metasploit_Payload.yar"
-include "./Mobile_Malware/Android_OmniRat.yar"
-include "./Mobile_Malware/Android_Overlayer.yar"
-include "./Mobile_Malware/Android_Pink_Locker.yar"
-include "./Mobile_Malware/Android_Polish_Bankbot.yar"
-include "./Mobile_Malware/Android_RuMMS.yar"
-include "./Mobile_Malware/Android_SMSFraud.yar"
-include "./Mobile_Malware/Android_SandroRat.yar"
-include "./Mobile_Malware/Android_SlemBunk.yar"
-include "./Mobile_Malware/Android_SpyAgent.yar"
-include "./Mobile_Malware/Android_SpyNote.yar"
-include "./Mobile_Malware/Android_Spynet.yar"
-include "./Mobile_Malware/Android_Spywaller.yar"
-include "./Mobile_Malware/Android_Switcher.yar"
-include "./Mobile_Malware/Android_Tachi.yar"
-include "./Mobile_Malware/Android_Tempting_Cedar_Spyware.yar"
-include "./Mobile_Malware/Android_Tordow.yar"
-include "./Mobile_Malware/Android_Triada_Banking.yar"
-include "./Mobile_Malware/Android_Trojan_Dendroid.yar"
-include "./Mobile_Malware/Android_Trojan_Droidjack.yar"
-include "./Mobile_Malware/Android_VikingOrder.yar"
-include "./Mobile_Malware/Android_VirusPolicia.yar"
-include "./Mobile_Malware/Android_adware.yar"
-include "./Mobile_Malware/Android_generic_adware.yar"
-include "./Mobile_Malware/Android_generic_smsfraud.yar"
-include "./Mobile_Malware/Android_malware_Advertising.yar"
-include "./Mobile_Malware/Android_malware_ChinesePorn.yar"
-include "./Mobile_Malware/Android_malware_Dropper.yar"
-include "./Mobile_Malware/Android_malware_Fake_MosKow.yar"
-include "./Mobile_Malware/Android_malware_HackingTeam.yar"
-include "./Mobile_Malware/Android_malware_SMSsender.yar"
-include "./Mobile_Malware/Android_malware_banker.yar"
-include "./Mobile_Malware/Android_malware_xbot007.yar"
-include "./Mobile_Malware/Android_mapin.yar"
-include "./Mobile_Malware/Android_pornClicker.yar"
-include "./Mobile_Malware/Android_sk_bankTr.yar"
-include "./Packers/JJencode.yar"
-include "./Packers/Javascript_exploit_and_obfuscation.yar"
-include "./Packers/packer.yar"
-include "./Packers/packer_compiler_signatures.yar"
-include "./Packers/peid.yar"
-include "./Webshells/WShell_APT_Laudanum.yar"
-include "./Webshells/WShell_ASPXSpy.yar"
-include "./Webshells/WShell_PHP_Anuna.yar"
-include "./Webshells/WShell_PHP_in_images.yar"
-include "./Webshells/WShell_THOR_Webshells.yar"
-include "./Webshells/Wshell_ChineseSpam.yar"
-include "./Webshells/Wshell_fire2013.yar"
+include "./antidebug_antivm/antidebug_antivm.yar"
+include "./capabilities/capabilities.yar"
+include "./crypto/crypto_signatures.yar"
+include "./cve_rules/CVE-2010-0805.yar"
+include "./cve_rules/CVE-2010-0887.yar"
+include "./cve_rules/CVE-2010-1297.yar"
+include "./cve_rules/CVE-2012-0158.yar"
+include "./cve_rules/CVE-2013-0074.yar"
+include "./cve_rules/CVE-2013-0422.yar"
+include "./cve_rules/CVE-2015-1701.yar"
+include "./cve_rules/CVE-2015-2426.yar"
+include "./cve_rules/CVE-2015-2545.yar"
+include "./cve_rules/CVE-2015-5119.yar"
+include "./cve_rules/CVE-2016-5195.yar"
+include "./cve_rules/CVE-2017-11882.yar"
+include "./cve_rules/CVE-2018-20250.yar"
+include "./cve_rules/CVE-2018-4878.yar"
 include "./email/EMAIL_Cryptowall.yar"
 include "./email/attachment.yar"
 include "./email/bank_rule.yar"
@@ -131,6 +26,36 @@ include "./email/email_Ukraine_BE_powerattack.yar"
 include "./email/image.yar"
 include "./email/scam.yar"
 include "./email/urls.yar"
+include "./exploit_kits/EK_Angler.yar"
+include "./exploit_kits/EK_Blackhole.yar"
+include "./exploit_kits/EK_BleedingLife.yar"
+include "./exploit_kits/EK_Crimepack.yar"
+include "./exploit_kits/EK_Eleonore.yar"
+include "./exploit_kits/EK_Fragus.yar"
+include "./exploit_kits/EK_Phoenix.yar"
+include "./exploit_kits/EK_Sakura.yar"
+include "./exploit_kits/EK_ZeroAcces.yar"
+include "./exploit_kits/EK_Zerox88.yar"
+include "./exploit_kits/EK_Zeus.yar"
+include "./maldocs/Maldoc_APT10_MenuPass.yar"
+include "./maldocs/Maldoc_APT19_CVE-2017-1099.yar"
+include "./maldocs/Maldoc_APT_OLE_JSRat.yar"
+include "./maldocs/Maldoc_CVE-2017-0199.yar"
+include "./maldocs/Maldoc_CVE_2017_11882.yar"
+include "./maldocs/Maldoc_CVE_2017_8759.yar"
+include "./maldocs/Maldoc_Contains_VBE_File.yar"
+include "./maldocs/Maldoc_DDE.yar"
+include "./maldocs/Maldoc_Dridex.yar"
+include "./maldocs/Maldoc_Hidden_PE_file.yar"
+include "./maldocs/Maldoc_MIME_ActiveMime_b64.yar"
+include "./maldocs/Maldoc_PDF.yar"
+include "./maldocs/Maldoc_PowerPointMouse.yar"
+include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
+include "./maldocs/Maldoc_UserForm.yar"
+include "./maldocs/Maldoc_VBA_macro_code.yar"
+include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
+include "./maldocs/Maldoc_malrtf_ole2link.yar"
+include "./maldocs/maldoc_somerules.yar"
 include "./malware/000_common_rules.yar"
 include "./malware/APT_APT1.yar"
 include "./malware/APT_APT10.yar"
@@ -245,7 +170,6 @@ include "./malware/MALW_Boouset.yar"
 include "./malware/MALW_Bublik.yar"
 include "./malware/MALW_Buzus_Softpulse.yar"
 include "./malware/MALW_CAP_HookExKeylogger.yar"
-include "./malware/MALW_CAP_Win32Inet.yara"
 include "./malware/MALW_Chicken.yar"
 include "./malware/MALW_Citadel.yar"
 include "./malware/MALW_Cloaking.yar"
@@ -267,6 +191,7 @@ include "./malware/MALW_Exploit_UAC_Elevators.yar"
 include "./malware/MALW_Ezcob.yar"
 include "./malware/MALW_F0xy.yar"
 include "./malware/MALW_FALLCHILL.yar"
+include "./malware/MALW_FUDCrypt.yar"
 include "./malware/MALW_FakeM.yar"
 include "./malware/MALW_Fareit.yar"
 include "./malware/MALW_Favorite.yar"
@@ -303,6 +228,7 @@ include "./malware/MALW_LinuxMoose.yar"
 include "./malware/MALW_LostDoor.yar"
 include "./malware/MALW_LuaBot.yar"
 include "./malware/MALW_LuckyCat.yar"
+include "./malware/MALW_MSILStealer.yar"
 include "./malware/MALW_MacControl.yar"
 include "./malware/MALW_Madness.yar"
 include "./malware/MALW_Magento_backend.yar"
@@ -387,6 +313,7 @@ include "./malware/MALW_shifu_shiz.yar"
 include "./malware/MALW_sitrof_fortis_scar.yar"
 include "./malware/MALW_viotto_keylogger.yar"
 include "./malware/MALW_xDedic_marketplace.yar"
+include "./malware/MalConfScan.yar"
 include "./malware/Operation_Blockbuster/DeltaCharlie.yara"
 include "./malware/Operation_Blockbuster/HotelAlfa.yara"
 include "./malware/Operation_Blockbuster/IndiaAlfa.yara"
@@ -409,6 +336,7 @@ include "./malware/Operation_Blockbuster/RomeoBravo.yara"
 include "./malware/Operation_Blockbuster/RomeoCharlie.yara"
 include "./malware/Operation_Blockbuster/RomeoDelta.yara"
 include "./malware/Operation_Blockbuster/RomeoEcho.yara"
+include "./malware/Operation_Blockbuster/RomeoFoxtrot_mod.yara"
 include "./malware/Operation_Blockbuster/RomeoGolf_mod.yara"
 include "./malware/Operation_Blockbuster/RomeoHotel.yara"
 include "./malware/Operation_Blockbuster/RomeoWhiskey.yara"
@@ -453,6 +381,7 @@ include "./malware/RANSOM_GPGQwerty.yar"
 include "./malware/RANSOM_GoldenEye.yar"
 include "./malware/RANSOM_Locky.yar"
 include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
+include "./malware/RANSOM_Maze.yar"
 include "./malware/RANSOM_PetrWrap.yar"
 include "./malware/RANSOM_Petya.yar"
 include "./malware/RANSOM_SamSam.yar"
@@ -506,3 +435,16 @@ include "./malware/TOOLKIT_Pwdump.yar"
 include "./malware/TOOLKIT_THOR_HackTools.yar"
 include "./malware/TOOLKIT_Wineggdrop.yar"
 include "./malware/TOOLKIT_exe2hex_payload.yar"
+include "./packers/JJencode.yar"
+include "./packers/Javascript_exploit_and_obfuscation.yar"
+include "./packers/packer.yar"
+include "./packers/packer_compiler_signatures.yar"
+include "./packers/peid.yar"
+include "./webshells/WShell_APT_Laudanum.yar"
+include "./webshells/WShell_ASPXSpy.yar"
+include "./webshells/WShell_Drupalgeddon2_icos.yar"
+include "./webshells/WShell_PHP_Anuna.yar"
+include "./webshells/WShell_PHP_in_images.yar"
+include "./webshells/WShell_THOR_Webshells.yar"
+include "./webshells/Wshell_ChineseSpam.yar"
+include "./webshells/Wshell_fire2013.yar"

maldocs_index.yar

+/*
+Generated by Yara-Rules
+On 24-02-2020
+*/
+include "./maldocs/Maldoc_APT10_MenuPass.yar"
+include "./maldocs/Maldoc_APT19_CVE-2017-1099.yar"
+include "./maldocs/Maldoc_APT_OLE_JSRat.yar"
+include "./maldocs/Maldoc_CVE-2017-0199.yar"
+include "./maldocs/Maldoc_CVE_2017_11882.yar"
+include "./maldocs/Maldoc_CVE_2017_8759.yar"
+include "./maldocs/Maldoc_Contains_VBE_File.yar"
+include "./maldocs/Maldoc_DDE.yar"
+include "./maldocs/Maldoc_Dridex.yar"
+include "./maldocs/Maldoc_Hidden_PE_file.yar"
+include "./maldocs/Maldoc_MIME_ActiveMime_b64.yar"
+include "./maldocs/Maldoc_PDF.yar"
+include "./maldocs/Maldoc_PowerPointMouse.yar"
+include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
+include "./maldocs/Maldoc_UserForm.yar"
+include "./maldocs/Maldoc_VBA_macro_code.yar"
+include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
+include "./maldocs/Maldoc_malrtf_ole2link.yar"
+include "./maldocs/maldoc_somerules.yar"

malware/MALW_CAP_Win32Inet.yara

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-*/
-
-/* 
-  github.com/dfirnotes/rules
-  Version 0.0.0
-*/
-
-rule Str_Win32_Winsock2_Library
-{
-
-    meta:
-        author = "@adricnet"
-        description = "Match Winsock 2 API library declaration"
-        method = "String match"
-
-    strings:
-        $ws2_lib = "Ws2_32.dll" nocase
-        $wsock2_lib = "WSock32.dll" nocase
-
-    condition:
-    (any of ($ws2_lib, $wsock2_lib))
-}
-
-rule Str_Win32_Wininet_Library
-{
-    
-    meta:
-        author = "@adricnet"
-        description = "Match Windows Inet API library declaration"
-        method = "String match"
-    
-    strings:
-        $wininet_lib = "WININET.dll" nocase
-    
-    condition:
-    (all of ($wininet*))
-}
-
-rule Str_Win32_Internet_API
-{
-   
-    meta:
-        author = "@adricnet"
-        description = "Match Windows Inet API call"
-        method = "String match, trim the As"
-   
-    strings:
-        $wininet_call_closeh = "InternetCloseHandle"
-        $wininet_call_readf = "InternetReadFile"
-        $wininet_call_connect = "InternetConnect"
-        $wininet_call_open = "InternetOpen"
-
-    condition:
-        (any of ($wininet_call*))
-}
-
-rule Str_Win32_Http_API
-{
-    meta:
-        author = "@adricnet"
-        description = "Match Windows Http API call"
-        method = "String match, trim the As"
-   
-    strings:
-        $wininet_call_httpr = "HttpSendRequest"
-        $wininet_call_httpq = "HttpQueryInfo"
-        $wininet_call_httpo = "HttpOpenRequest"
-     condition:
-        (any of ($wininet_call_http*))
-}

malware/MALW_FUDCrypt.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+rule FUDCrypter
+{
+    meta:
+        description = "Detects unmodified FUDCrypt samples"
+        reference = "https://github.com/gigajew/FudCrypt/"
+        author = "https://github.com/hwvs"
+        last_modified = "2019-11-21"
+
+    strings:
+        $ = "OcYjzPUtJkNbLOABqYvNbvhZf" wide ascii
+        $ = "gwiXxyIDDtoYzgMSRGMckRbJi" wide ascii
+        $ = "BclWgISTcaGjnwrzSCIuKruKm" wide ascii
+        $ = "CJyUSiUNrIVbgksjxpAMUkAJJ" wide ascii
+        $ = "fAMVdoPUEyHEWdxQIEJPRYbEN" wide ascii
+        $ = "CIGQUctdcUPqUjoucmcoffECY" wide ascii
+        $ = "wcZfHOgetgAExzSoWFJFQdAyO" wide ascii
+        $ = "DqYKDnIoLeZDWYlQWoxZnpfPR" wide ascii
+        $ = "MkhMoOHCbGUMqtnRDJKnBYnOj" wide ascii
+        $ = "sHEqLMGglkBAOIUfcSAgMvZfs" wide ascii
+        $ = "JtZApJhbFAIFxzHLjjyEQvtgd" wide ascii
+        $ = "IIQrSWZEMmoQIKGuxxwoTwXka" wide ascii
+
+    condition:
+        1 of them
+}

malware/MALW_MSILStealer.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+rule MSILStealer
+{
+    meta:
+        description = "Detects strings from C#/VB Stealers and QuasarRat"
+        reference = "https://github.com/quasar/QuasarRAT"
+        author = "https://github.com/hwvs"
+        last_modified = "2019-11-21"
+
+    strings:
+        $ = "Firefox does not have any profiles, has it ever been launched?" wide ascii
+        $ = "Firefox is not installed, or the install path could not be located" wide ascii
+        $ = "No installs of firefox recorded in its key." wide ascii
+        $ = "{0}\\\\FileZilla\\\\recentservers.xml" wide ascii
+        $ = "{1}{0}Cookie Name: {2}{0}Value: {3}{0}Path" wide ascii
+        $ = "[PRIVATE KEY LOCATION: \\\"{0}\\\"]" wide ascii
+
+    condition:
+        1 of them
+}

malware/MALW_Miscelanea_Linux.yar

@@ -155,33 +155,3 @@ rule exploit
 		7 of them
 }
 
-rule ldpreload
-{
-        meta:
-                author="xorseed"
-                reference= "https://stuff.rop.io/"
-	strings:
-		$a = "dlopen" nocase ascii wide
-		$b = "dlsym" nocase ascii wide
-		$c = "fopen" nocase ascii wide
-		$d = "fopen64" nocase ascii wide
-		$e = "__fxstat" nocase ascii wide
-		$f = "__fxstat64" nocase ascii wide
-		$g = "accept" nocase ascii wide
-		$h = "__lxstat" nocase ascii wide
-		$i = "__lxstat64" nocase ascii wide
-		$j = "open" nocase ascii wide
-		$k = "rmdir" nocase ascii wide
-		$l = "__xstat" nocase ascii wide
-		$m = "__xstat64" nocase ascii wide
-		$n = "unlink" nocase ascii wide
-		$o = "unlikat" nocase ascii wide
-		$p = "fdopendir" nocase ascii wide
-		$q = "opendir" nocase ascii wide
-		$r = "readdir" nocase ascii wide
-		$s = "readdir64" nocase ascii wide
-	condition:
-		($a or $b) and 5 of them
-}
-
-

malware/MalConfScan.yar

+/*
+    YARA Rule Set for MalConfScan
+    Author: JPCERT/CC Incident Response Group
+    Date: 2019/04/22
+    Reference: https://github.com/JPCERTCC/MalConfScan/
+*/
+
+rule TSCookie {
+          meta:
+            description = "detect TSCookie in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html"
+            hash1 = "6d2f5675630d0dae65a796ac624fb90f42f35fbe5dec2ec8f4adce5ebfaabf75"
+
+          strings:
+            $v1 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" wide
+            $b1 = { 68 D4 08 00 00 }
+
+          condition: all of them
+}
+
+rule TSC_Loader {
+          meta:
+            description = "detect TSCookie Loader in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $v1 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" wide
+            $b1 = { 68 78 0B 00 00 }
+
+          condition: all of them
+}
+
+rule CobaltStrike {
+          meta:
+            description = "detect CobaltStrike Beacon in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html"
+            hash1 = "154db8746a9d0244146648006cc94f120390587e02677b97f044c25870d512c3"
+            hash2 = "f9b93c92ed50743cd004532ab379e3135197b6fb5341322975f4d7a98a0fcde7"
+
+          strings:
+            $v1 = { 73 70 72 6E 67 00 }
+            $v2 = { 69 69 69 69 69 69 69 69 }
+
+          condition: all of them
+}
+
+rule RedLeaves {
+          meta:
+            description = "detect RedLeaves in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory block scan"
+            reference = "https://blogs.jpcert.or.jp/en/2017/05/volatility-plugin-for-detecting-redleaves-malware.html"
+            hash1 = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481"
+
+          strings:
+            $v1 = "red_autumnal_leaves_dllmain.dll"
+            $b1 = { FF FF 90 00 }
+
+          condition: $v1 and $b1 at 0
+}
+
+rule Himawari {
+          meta:
+            description = "detect Himawari(a variant of RedLeaves) in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf"
+            hash1 = "3938436ab73dcd10c495354546265d5498013a6d17d9c4f842507be26ea8fafb"
+
+          strings:
+            $h1 = "himawariA"
+            $h2 = "himawariB"
+            $h3 = "HimawariDemo"
+
+          condition: all of them
+}
+
+rule Lavender {
+          meta:
+            description = "detect Lavender(a variant of RedLeaves) in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+            hash1 = "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d"
+
+          strings:
+            $a1 = { C7 ?? ?? 4C 41 56 45 }
+            $a2 = { C7 ?? ?? 4E 44 45 52 }
+
+          condition: all of them
+}
+
+rule Armadill {
+          meta:
+            description = "detect Armadill(a variant of RedLeaves) in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $a1 = { C7 ?? ?? 41 72 6D 61 }
+            $a2 = { C7 ?? ?? 64 69 6C 6C }
+
+          condition: all of them
+}
+
+rule zark20rk {
+          meta:
+            description = "detect zark20rk(a variant of RedLeaves) in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+            hash1 = "d95ad7bbc15fdd112594584d92f0bff2c348f48c748c07930a2c4cc6502cd4b0"
+
+          strings:
+            $a1 = { C7 ?? ?? 7A 61 72 6B }
+            $a2 = { C7 ?? ?? 32 30 72 6B }
+
+          condition: all of them
+}
+
+rule Ursnif {
+          meta:
+            description = "detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+            hash1 = "0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85"
+            hash2 = "ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714"
+            hash3 = "1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510"
+
+          strings:
+            $a1 = "soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x"
+            $b1 = "client.dll" fullword
+            $c1 = "version=%u"
+            $c2 = "user=%08x%08x%08x%08x"
+            $c3 = "server=%u"
+            $c4 = "id=%u"
+            $c5 = "crc=%u"
+            $c6 = "guid=%08x%08x%08x%08x"
+            $c7 = "name=%s"
+            $c8 = "soft=%u"
+            $d1 = "%s://%s%s"
+            $d2 = "PRI \x2A HTTP/2.0"
+            $e1 = { A1 ?? ?? ?? 00 35 E7 F7 8A 40 50 }
+            $e2 = { 56 56 56 6A 06 5? FF ?? ?? ?? ?? 00 }
+            $f1 = { 56 57 BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A5 }
+            $f2 = { 35 8F E3 B7 3F }
+            $f3 = { 35 0A 60 2E 51 }
+
+         condition: $a1 or ($b1 and 3 of ($c*)) or (5 of ($c*)) or ($b1 and all of ($d*)) or all of ($e*) or all of ($f*)
+}
+
+rule Emotet {
+          meta:
+            description = "detect Emotet in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $v4a = { BB 00 C3 4C 84 }
+            $v4b = { B8 00 C3 CC 84 }
+            $v5a = { 69 01 6D 4E C6 41 05 39 30 00 00 }
+            $v5b = { 6D 4E C6 41 33 D2 81 C1 39 30 00 00 }
+
+          condition: ($v4a and $v4b) or $v5a or $v5b
+}
+
+rule SmokeLoader {
+          meta:
+            description = "detect SmokeLoader in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "https://www.cert.pl/en/news/single/dissecting-smoke-loader/"
+
+          strings:
+            $a1 = { B8 25 30 38 58 }
+            $b1 = { 81 3D ?? ?? ?? ?? 25 00 41 00 }
+            $c1 = { C7 ?? ?? ?? 25 73 25 73 }
+
+          condition: $a1 and $b1 and $c1
+}
+
+rule Datper {
+          meta:
+            description = "detect Datper in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html"
+
+          strings:
+            $a1 = { E8 03 00 00 }
+            $b1 = "|||"
+            $c1 = "Content-Type: application/x-www-form-urlencoded"
+            $push7530h64 = { C7 C1 30 75 00 00 }
+            $push7530h = { 68 30 75 00 00 }
+
+          condition: $a1 and $b1 and $c1 and ($push7530h64 or $push7530h)
+}
+
+rule PlugX {
+          meta:
+            description = "detect PlugX in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $v1 = { 47 55 4c 50 00 00 00 00 }
+            $v2a = { 68 40 25 00 00 }
+            $v2c = { 68 58 2D 00 00 }
+            $v2b = { 68 a0 02 00 00 }
+            $v2d = { 68 a4 36 00 00 }
+            $v2e = { 8D 46 10 68 }
+            $v2f = { 68 24 0D 00 00 }
+            $v2g = { 68 a0 02 00 00 }
+            $v2h = { 68 e4 0a 00 00 }
+            $enc1 = { C1 E? 03 C1 E? 07 2B ?? }
+            $enc2 = { 32 5? ?? 81 E? ?? ?? 00 00 2A 5? ?? 89 ?? ?? 32 ?? 2A ?? 32 5? ?? 2A 5? ?? 32 }
+            $enc3 = { B? 33 33 33 33 }
+            $enc4 = { B? 44 44 44 44 }
+         condition: $v1 at 0 or ($v2a and $v2b and $enc1) or ($v2c and $v2b and $enc1) or ($v2d and $v2b and $enc2) or ($v2d and $v2e and $enc2) or ($v2f and $v2g and $enc3 and $enc4) or ($v2h and $v2g and $enc3 and $enc4)
+}
+
+rule Ramnit {
+          meta:
+            description = "detect Ramnit"
+            author = "nazywam"
+            module = "ramnit"
+            reference = "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/"
+
+          strings:
+            $guid = "{%08X-%04X-%04X-%04X-%08X%04X}"
+            $md5_magic_1 = "15Bn99gT"
+            $md5_magic_2 = "1E4hNy1O"
+            $init_dga = { C7 ?? ?? ?? ?? ?? FF FF FF FF FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 75 ?? }
+            $xor_secret = { 8A ?? ?? 32 ?? 88 ?? 4? 4? E2 ?? }
+            $init_function = { FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 }
+            $dga_rand_int = { B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 }
+            $cookies = "cookies4.dat"
+            $s3 = "pdatesDisableNotify"
+            $get_domains = { a3 [4] a1 [4] 80 3? 00 75 ?? c7 05 [4] ff ff ff ff ff 35 [4] ff 35 [4] ff 35 [4] e8 }
+            $add_tld = { 55 8B EC  83 ?? ?? 57 C7 ?? ?? 00 00 00 00 B? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? 75 ?? 8B ?? }
+            $get_port = { 90 68 [4] 68 [4] FF 35 [4] FF 35 [4] E8 [4] 83 }
+
+          condition: $init_dga and $init_function and 2 of ($guid, $md5_magic_*, $cookies, $s3) and any of ( $get_port, $add_tld, $dga_rand_int, $get_domains, $xor_secret)
+}
+
+rule Hawkeye {
+          meta:
+            description = "detect HawkEye in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $hawkstr1 = "HawkEye Keylogger" wide
+            $hawkstr2 = "Dear HawkEye Customers!" wide
+            $hawkstr3 = "HawkEye Logger Details:" wide
+
+          condition: all of them
+}
+
+rule Lokibot {
+          meta:
+            description = "detect Lokibot in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+            hash1 = "6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c"
+
+          strings:
+            $des3 = { 68 03 66 00 00 }
+            $param = "MAC=%02X%02X%02XINSTALL=%08X%08X"
+            $string = { 2d 00 75 00 00 00 46 75 63 6b 61 76 2e 72 75 00 00}
+
+          condition: all of them
+}
+
+rule Bebloh {
+          meta:
+            description = "detect Bebloh(a.k.a. URLZone) in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $crc32f = { b8 EE 56 0b ca }
+            $dga = "qwertyuiopasdfghjklzxcvbnm123945678"
+            $post1 = "&vcmd="
+            $post2 = "?tver="
+
+          condition: all of them
+}
+
+rule xxmm {
+          meta:
+            description = "detect xxmm in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $v1 = "setupParameter:"
+            $v2 = "loaderParameter:"
+            $v3 = "parameter:"
+
+          condition: all of them
+}
+
+rule Azorult {
+          meta:
+            description = "detect Azorult in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $v1 = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"
+            $v2 = "http://ip-api.com/json"
+            $v3 = { c6 07 1e c6 47 01 15 c6 47 02 34 }
+
+          condition: all of them
+}
+
+rule PoisonIvy {
+           meta:
+            description = "detect PoisonIvy in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $a1 = { 0E 89 02 44 }
+            $b1 = { AD D1 34 41 }
+            $c1 = { 66 35 20 83 66 81 F3 B8 ED }
+
+          condition: all of them
+}
+
+rule netwire {
+           meta:
+            description = "detect netwire in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $v1 = "HostId-%Rand%"
+            $v2 = "mozsqlite3"
+            $v3 = "[Scroll Lock]"
+            $v4 = "GetRawInputData"
+            $ping = "ping 192.0.2.2"
+            $log = "[Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
+
+          condition: ($v1) or ($v2 and $v3 and $v4) or ($ping and $log)
+}
+
+rule Nanocore {
+          meta:
+            description = "detect Nanocore in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $v1 = "NanoCore Client"
+            $v2 = "PluginCommand"
+            $v3 = "CommandType"
+
+          condition: all of them
+}
+
+rule Formbook {
+          meta:
+            description = "detect Formbook in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $sqlite3step = { 68 34 1c 7b e1 }
+            $sqlite3text = { 68 38 2a 90 c5 }
+            $sqlite3blob = { 68 53 d8 7f 8c }
+
+          condition: all of them
+}
+
+rule Agenttesla_type1 {
+          meta:
+            description = "detect Agenttesla in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+
+          strings:
+            $iestr = "C:\\\\Users\\\\Admin\\\\Desktop\\\\IELibrary\\\\IELibrary\\\\obj\\\\Debug\\\\IELibrary.pdb"
+            $atstr = "C:\\\\Users\\\\Admin\\\\Desktop\\\\ConsoleApp1\\\\ConsoleApp1\\\\obj\\\\Debug\\\\ConsoleApp1.pdb"
+            $sqlitestr = "Not a valid SQLite 3 Database File" wide
+          condition: all of them
+}
+
+rule Agenttesla_type2 {
+          meta:
+            description = "detect Agenttesla in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "internal research"
+            hash1 = "670a00c65eb6f7c48c1e961068a1cb7fd3653bd29377161cd04bf15c9d010da2 "
+
+          strings:
+            $type2db1 = "1.85 (Hash, version 2, native byte-order)" wide
+            $type2db2 = "Unknow database format" wide
+            $type2db3 = "SQLite format 3" wide
+          condition: all of them
+}
+
+rule Noderat {
+          meta:
+            description = "detect Noderat in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            reference = "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html"
+
+          strings:
+            $config = "/config/app.json"
+            $key = "/config/.regeditKey.rc"
+            $message = "uninstall error when readFileSync: "
+
+          condition: all of them
+}
+
+rule Njrat2 {
+          meta:
+            description = "detect njRAT in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            hash1 = "d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d"
+
+          strings:
+            $reg = "SEE_MASK_NOZONECHECKS" wide fullword
+            $msg = "Execute ERROR" wide fullword
+            $ping = "cmd.exe /c ping 0 -n 2 & del" wide fullword
+          condition: all of them
+}
+
+rule Trickbot {
+          meta:
+            description = "detect TrickBot in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            hash1 = "2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c"
+
+          strings:
+            $tagm1 = "<mcconf><ver>" wide
+            $tagm2 = "</autorun></mcconf>" wide
+            $tagc1 = "<moduleconfig><autostart>" wide
+            $tagc2 = "</autoconf></moduleconfig>" wide
+            $tagi1 = "<igroup><dinj>" wide
+            $tagi2 = "</dinj></igroup>" wide
+            $tags1 = "<servconf><expir>" wide
+            $tags2 = "</plugins></servconf>" wide
+            $tagl1 = "<slist><sinj>" wide
+            $tagl2 = "</sinj></slist>" wide
+          condition: all of ($tagm*) or all of ($tagc*) or all of ($tagi*) or all of ($tags*) or all of ($tagl*)
+}
+
+rule Remcos {
+          meta:
+            description = "detect Remcos in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            hash1 = "7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5"
+
+          strings:
+            $remcos = "Remcos" ascii fullword
+            $url = "Breaking-Security.Net" ascii fullword
+            $resource = "SETTINGS" wide fullword
+          condition:  all of them
+}
+
+rule Quasar {
+          meta:
+            description = "detect Remcos in memory"
+            author = "JPCERT/CC Incident Response Group"
+            rule_usage = "memory scan"
+            hash1 = "390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724"
+
+          strings:
+            $quasarstr1 = "Client.exe" wide
+            $quasarstr2 = "({0}:{1}:{2})" wide
+            $class = { 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 73 00 00 17 69 00 6E 00 66 00 6F 00 72 00 6D 00 61 00 74 00 69 00 6F 00 6E 00 00 80 }
+          condition: all of them
+}

malware/Operation_Blockbuster/RomeoFoxtrot_mod.yara.error → malware/Operation_Blockbuster/RomeoFoxtrot_mod.yara

@@ -47,11 +47,10 @@ rule RomeoFoxtrot
 		FF D7                    call    edi ; setsockopt								<--- this could be a relative call in some variants
 	*/
 
-		//$connect = {C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] (FF 15 [4] | E8 [4]) 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 (FF 15 [4] | E8 [4]) 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? (FF D? | E8 [4]) 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? (FF D? | E8 [4])}
-		$connect = {C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] FF 15 [4] 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 FF 15 E8 [4] 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? FF D? 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? FF D?}
+		$connect = { C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] ( FF 15 | E8 ) [4] 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 ( FF 15 | E8 ) [4] 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? ( FF D? | E8 [3] ??) 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? ( FF D? | E8 [3] ??) }
 		$response = "RESPONSE 200 OK!!!"
 
 	condition:
-		($challenge and $response) or 
+		$response or 
 		$connect in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
 }

malware/Operation_Blockbuster/WhiskeyBravo_mod.yara

@@ -8,7 +8,6 @@ rule WhiskeyBravo
 		copyright = "2015 Novetta Solutions"
 		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
 		Source = "74eac0461c40316689ac2d598f606caa3965195b22f23d5acefeedfcdf056c5b"
-		Source = "41badf10ef6f469dd1c3be201aba809f9c42f86ad77d7f83bc3895bfa289c635"
 		Source = "d079a266ed2a852c33cdac3df115d163ebbf2c8dae32d935e895cf8193163b13"
 
 	strings:

malware/RANSOM_Maze.yar

+rule Maze
+{
+meta:
+	description = "Identifies Maze ransomware in memory or unpacked."
+	author = "@bartblaze"
+	date = "2019-11"
+	tlp = "White"
+
+strings:	
+	$ = "Enc: %s" ascii wide
+	$ = "Encrypting whole system" ascii wide
+	$ = "Encrypting specified folder in --path parameter..." ascii wide
+	$ = "!Finished in %d ms!" ascii wide
+	$ = "--logging" ascii wide
+	$ = "--nomutex" ascii wide
+	$ = "--noshares" ascii wide
+	$ = "--path" ascii wide
+	$ = "Logging enabled | Maze" ascii wide
+	$ = "NO SHARES | " ascii wide
+	$ = "NO MUTEX | " ascii wide
+	$ = "Encrypting:" ascii wide
+	$ = "You need to buy decryptor in order to restore the files." ascii wide
+	$ = "Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms" ascii wide
+	$ = "%s! Alert! %s! Alert! Dear %s Your files have been encrypted by %s! Attention! %s" ascii wide
+	$ = "DECRYPT-FILES.txt" ascii wide fullword
+
+condition:
+	5 of them
+}

malware_index.yar

 /*
 Generated by Yara-Rules
-On 26-11-2019
+On 24-02-2020
 */
 include "./malware/000_common_rules.yar"
 include "./malware/APT_APT1.yar"
@@ -116,7 +116,6 @@ include "./malware/MALW_Boouset.yar"
 include "./malware/MALW_Bublik.yar"
 include "./malware/MALW_Buzus_Softpulse.yar"
 include "./malware/MALW_CAP_HookExKeylogger.yar"
-include "./malware/MALW_CAP_Win32Inet.yara"
 include "./malware/MALW_Chicken.yar"
 include "./malware/MALW_Citadel.yar"
 include "./malware/MALW_Cloaking.yar"
@@ -138,6 +137,7 @@ include "./malware/MALW_Exploit_UAC_Elevators.yar"
 include "./malware/MALW_Ezcob.yar"
 include "./malware/MALW_F0xy.yar"
 include "./malware/MALW_FALLCHILL.yar"
+include "./malware/MALW_FUDCrypt.yar"
 include "./malware/MALW_FakeM.yar"
 include "./malware/MALW_Fareit.yar"
 include "./malware/MALW_Favorite.yar"
@@ -174,6 +174,7 @@ include "./malware/MALW_LinuxMoose.yar"
 include "./malware/MALW_LostDoor.yar"
 include "./malware/MALW_LuaBot.yar"
 include "./malware/MALW_LuckyCat.yar"
+include "./malware/MALW_MSILStealer.yar"
 include "./malware/MALW_MacControl.yar"
 include "./malware/MALW_Madness.yar"
 include "./malware/MALW_Magento_backend.yar"
@@ -258,6 +259,7 @@ include "./malware/MALW_shifu_shiz.yar"
 include "./malware/MALW_sitrof_fortis_scar.yar"
 include "./malware/MALW_viotto_keylogger.yar"
 include "./malware/MALW_xDedic_marketplace.yar"
+include "./malware/MalConfScan.yar"
 include "./malware/Operation_Blockbuster/DeltaCharlie.yara"
 include "./malware/Operation_Blockbuster/HotelAlfa.yara"
 include "./malware/Operation_Blockbuster/IndiaAlfa.yara"
@@ -280,6 +282,7 @@ include "./malware/Operation_Blockbuster/RomeoBravo.yara"
 include "./malware/Operation_Blockbuster/RomeoCharlie.yara"
 include "./malware/Operation_Blockbuster/RomeoDelta.yara"
 include "./malware/Operation_Blockbuster/RomeoEcho.yara"
+include "./malware/Operation_Blockbuster/RomeoFoxtrot_mod.yara"
 include "./malware/Operation_Blockbuster/RomeoGolf_mod.yara"
 include "./malware/Operation_Blockbuster/RomeoHotel.yara"
 include "./malware/Operation_Blockbuster/RomeoWhiskey.yara"
@@ -324,6 +327,7 @@ include "./malware/RANSOM_GPGQwerty.yar"
 include "./malware/RANSOM_GoldenEye.yar"
 include "./malware/RANSOM_Locky.yar"
 include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
+include "./malware/RANSOM_Maze.yar"
 include "./malware/RANSOM_PetrWrap.yar"
 include "./malware/RANSOM_Petya.yar"
 include "./malware/RANSOM_SamSam.yar"

Antidebug_AntiVM_index.yar → mobile_malware_index.yar

 /*
 Generated by Yara-Rules
-On 26-11-2019
+On 24-02-2020
 */
-include "./Antidebug_AntiVM/antidebug_antivm.yar"

packers_index.yar

+/*
+Generated by Yara-Rules
+On 24-02-2020
+*/
+include "./packers/JJencode.yar"
+include "./packers/Javascript_exploit_and_obfuscation.yar"
+include "./packers/packer.yar"
+include "./packers/packer_compiler_signatures.yar"
+include "./packers/peid.yar"

utils/suspicious_strings.yar

@@ -1324,3 +1324,17 @@ rule BITS_CLSID
     condition:
         any of them
 }
+
+rule HexEncodedTextPE
+{
+    meta:
+        author = "Malware Utkonos"
+        date = "2020-01-28"
+        reference = "https://blog.reversinglabs.com/blog/rats-in-the-library"
+        description = "Text string with hexadecimal encoded MZ/PE and comma+ separation"
+    strings:
+        $mz = /4D,.{0,6}5A/ nocase
+        $pe = /50,.{0,6}45/
+    condition:
+        all of them
+}

webshells/WShell_Drupalgeddon2_icos.yar

+/*
+This Yara ruleset is under the GNU-GPLv2 license 
+(http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or 
+organization, as long as you use it under this license.
+*/
+
+/*
+Author: Luis Fueris 
+Date: 4 october, 2019
+Description: Drupalgeddon 2 - Web Shells Extract. This rules matchs with
+webshells that inserts the Drupal core vulnerability SA-CORE-2018-002 
+(https://www.drupal.org/sa-core-2018-002)
+*/
+
+rule Dotico_PHP_webshell : webshell {
+    meta:
+        description = ".ico PHP webshell - file <eight-num-letter-chars>.ico"
+        author = "Luis Fueris"
+        reference = "https://rankinstudio.com/Drupal_ico_index_hack"
+        date = "2019/12/04"
+    strings:
+        $php = "<?php" ascii
+        $regexp = /basename\/\*[a-z0-9]{,6}\*\/\(\/\*[a-z0-9]{,5}\*\/trim\/\*[a-z0-9]{,5}\*\/\(\/\*[a-z0-9]{,5}\*\//
+    condition:
+        $php at 0 and $regexp and filesize > 70KB and filesize < 110KB
+}

webshells_index.yar

+/*
+Generated by Yara-Rules
+On 24-02-2020
+*/
+include "./webshells/WShell_APT_Laudanum.yar"
+include "./webshells/WShell_ASPXSpy.yar"
+include "./webshells/WShell_Drupalgeddon2_icos.yar"
+include "./webshells/WShell_PHP_Anuna.yar"
+include "./webshells/WShell_PHP_in_images.yar"
+include "./webshells/WShell_THOR_Webshells.yar"
+include "./webshells/Wshell_ChineseSpam.yar"
+include "./webshells/Wshell_fire2013.yar"