Commit 842dd653 by wesinator

Merge remote-tracking branch 'upstream/master' into patch-1

parents ebeb9400 2bb79cb6
liberapay: yararules
---
name: Bug report
about: Create a report to help us improve
title: "[BUG]"
labels: bug
assignees: ''
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Desktop (please complete the following information):**
- OS: [e.g. iOS]
- Yara version [e.g. 3.11.0]
- Version [e.g. 22]
**Additional context**
Add any other context about the problem here.
---
name: New rule request
about: Suggest a new rule for this project
title: "[New Rule]"
labels: new rule
assignees: ''
---
**Is your feature request related to an article or investigation? Please describe.**
A clear and concise description of what the article or investigation is.
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.
name: CI
on:
# Trigger the workflow on push or pull request,
# but only for the master branch
push:
branches:
- master
pull_request:
branches:
- master
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: ${{ github.head_ref }}
- name: Run gen index
run: "./index_gen.sh"
shell: bash
- name: Add & Commit
uses: github-actions-x/commit@v2.4
with:
commit-message: 'Index updated'
name: '${{ secrets.GH_USER }}'
email: '${{ secrets.GH_EMAIL }}'
push-branch: ${{ github.head_ref }}
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Push
uses: ad-m/github-push-action@v0.5.0
with:
github_token: ${{ secrets.GH_TOKEN }}
branch: ${{ github.head_ref }}
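Review bot: Both push steps hand a third-party action a token that can write to the repository — `github-actions-x/commit@v2.4` receives `GITHUB_TOKEN` and `ad-m/github-push-action@v0.5.0` receives the personal token `GH_TOKEN` — while each action is referenced by a mutable tag, so a retagged or compromised release could push arbitrary commits or exfiltrate the PAT. Pin both to full commit SHAs (`uses: ad-m/github-push-action@<40-char sha>  # v0.5.0`) and scope `GH_TOKEN` to this repository only. Because the final push uses a PAT rather than `GITHUB_TOKEN`, a push to master from this job will itself re-trigger the `push: master` workflow; presumably the commit step is a no-op when the index is unchanged, but that loop guard is not visible here and should be verified. On `push` events `github.head_ref` is empty, so the `ref:`, `push-branch:` and `branch:` inputs are blank there — confirm each action falls back to the current branch rather than failing silently.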
language: c
sudo: required
#dist: trusty
before_install:
- sudo apt-get -qq update
- sudo apt-get install jq
- sudo apt-get install -y automake libtool make gcc pkg-config flex bison libjansson-dev libmagic-dev libssl-dev jq
# Yara
- wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara.tar.gz
#- wget $(wget -O - https://api.github.com/repos/VirusTotal/yara/releases/9250110 | jq -r ".tarball_url") -O yara.tar.gz
- wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara-latest.tar.gz
- mkdir yara
- tar -C yara -xzvf yara.tar.gz --strip-components 1
# Androguard for Yara
- wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/androguard.c -O yara/libyara/modules/androguard.c
- wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/dist/yara-3.7.0/libyara/modules/module_list -O yara/libyara/modules/module_list
- wget https://raw.githubusercontent.com/Koodous/androguard-yara/master/dist/yara-3.7.0/libyara/Makefile.am -O yara/libyara/Makefile.am
# libjansson
- wget http://www.digip.org/jansson/releases/jansson-2.7.tar.gz
- tar -xzvf jansson-2.7.tar.gz
- cd jansson-2.7
- ./configure
- make
- sudo make install
- tar -xzvf yara-latest.tar.gz -C yara --strip-components 1
# Compile Yara
- cd ../yara
- cd yara
# Update per issue 176
- sed -i 's/#define RE_MAX_SPLIT_ID 128/#define RE_MAX_SPLIT_ID 255/g' libyara/re.c
- sed -i 's/#define RE_MAX_SPLIT_ID 128/#define RE_MAX_SPLIT_ID 255/g' libyara/include/yara/limits.h
- ./bootstrap.sh
- ./configure --enable-cuckoo
- ./configure --enable-cuckoo --enable-magic --with-crypto
- make
- sudo make install
- sudo ldconfig
......@@ -34,8 +21,6 @@ before_install:
script:
- echo "test" > testfile
- echo "{}" > androguard_report.json
- FALLO=0
# - for j in $(ls -d */); do for i in $(find $j -type f -name "*.yara" ; find $j -type f -name "*.yar"); do echo $i; yara -x androguard=androguard_report.json $i testfile; if [[ $? -ne 0 ]]; then FALLO=1; fi; done; done
- for i in $(ls *_index.yar); do echo $i; yara -w -x androguard=androguard_report.json $i testfile; if [[ $? -ne 0 ]]; then FALLO=1; fi; done
- for i in $(ls *_index.yar); do echo $i; yara -w $i testfile; if [[ $? -ne 0 ]]; then FALLO=1; fi; done
- exit $FALLO
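Review bot: The jansson tarball at `http://www.digip.org/jansson/releases/jansson-2.7.tar.gz` is fetched over plain HTTP with no integrity check and then installed with `sudo make install`, so an on-path attacker can substitute the library that gets linked into yara. Fetch it over HTTPS and verify a pinned digest before extracting, e.g. `echo '<sha256>  jansson-2.7.tar.gz' | sha256sum -c -`. The androguard module sources are likewise pulled from the `master` branch of a third-party repository on every build and compiled into libyara; pin them to a commit (`.../androguard-yara/<commit>/androguard.c`) so the build is reproducible. The `$(curl ... | jq -r ".tarball_url")` pattern for yara has the same unpinned-latest property, which also means a build can break with no change to this repository.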
/*
Generated by Yara-Rules
On 26-11-2019
*/
include "./CVE_Rules/CVE-2010-0805.yar"
include "./CVE_Rules/CVE-2010-0887.yar"
include "./CVE_Rules/CVE-2010-1297.yar"
include "./CVE_Rules/CVE-2012-0158.yar"
include "./CVE_Rules/CVE-2013-0074.yar"
include "./CVE_Rules/CVE-2013-0422.yar"
include "./CVE_Rules/CVE-2015-1701.yar"
include "./CVE_Rules/CVE-2015-2426.yar"
include "./CVE_Rules/CVE-2015-2545.yar"
include "./CVE_Rules/CVE-2015-5119.yar"
include "./CVE_Rules/CVE-2016-5195.yar"
include "./CVE_Rules/CVE-2017-11882.yar"
include "./CVE_Rules/CVE-2018-20250.yar"
include "./CVE_Rules/CVE-2018-4878.yar"
/*
Generated by Yara-Rules
On 26-11-2019
*/
include "./Exploit-Kits/EK_Angler.yar"
include "./Exploit-Kits/EK_Blackhole.yar"
include "./Exploit-Kits/EK_BleedingLife.yar"
include "./Exploit-Kits/EK_Crimepack.yar"
include "./Exploit-Kits/EK_Eleonore.yar"
include "./Exploit-Kits/EK_Fragus.yar"
include "./Exploit-Kits/EK_Phoenix.yar"
include "./Exploit-Kits/EK_Sakura.yar"
include "./Exploit-Kits/EK_ZeroAcces.yar"
include "./Exploit-Kits/EK_Zerox88.yar"
include "./Exploit-Kits/EK_Zeus.yar"
/*
Generated by Yara-Rules
On 26-11-2019
*/
include "./Malicious_Documents/Maldoc_APT10_MenuPass.yar"
include "./Malicious_Documents/Maldoc_APT19_CVE-2017-1099.yar"
include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
include "./Malicious_Documents/Maldoc_CVE_2017_8759.yar"
include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
include "./Malicious_Documents/Maldoc_DDE.yar"
include "./Malicious_Documents/Maldoc_Dridex.yar"
include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
include "./Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar"
include "./Malicious_Documents/Maldoc_PDF.yar"
include "./Malicious_Documents/Maldoc_PowerPointMouse.yar"
include "./Malicious_Documents/Maldoc_Suspicious_OLE_target.yar"
include "./Malicious_Documents/Maldoc_UserForm.yar"
include "./Malicious_Documents/Maldoc_VBA_macro_code.yar"
include "./Malicious_Documents/Maldoc_Word_2007_XML_Flat_OPC.yar"
include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
include "./Malicious_Documents/maldoc_somerules.yar"
/*
Generated by Yara-Rules
On 26-11-2019
*/
include "./Mobile_Malware/Android_ASSDdeveloper.yar"
include "./Mobile_Malware/Android_AVITOMMS.yar"
include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
include "./Mobile_Malware/Android_Amtrckr_20160519.yar"
include "./Mobile_Malware/Android_Backdoor.yar"
include "./Mobile_Malware/Android_Backdoor_script.yar"
include "./Mobile_Malware/Android_BadMirror.yar"
include "./Mobile_Malware/Android_Banker_Acecard.yar"
include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
include "./Mobile_Malware/Android_Clicker_G.yar"
include "./Mobile_Malware/Android_Copy9.yar"
include "./Mobile_Malware/Android_DeathRing.yar"
include "./Mobile_Malware/Android_Dectus_rswm.yar"
include "./Mobile_Malware/Android_Dendroid_RAT.yar"
include "./Mobile_Malware/Android_Dogspectus.yar"
include "./Mobile_Malware/Android_FakeApps.yar"
include "./Mobile_Malware/Android_FakeBank_Fanta.yar"
include "./Mobile_Malware/Android_Godless.yar"
include "./Mobile_Malware/Android_HackintTeam_Implant.yar"
include "./Mobile_Malware/Android_Libyan_Scorpions.yar"
include "./Mobile_Malware/Android_MalwareCertificates.yar"
include "./Mobile_Malware/Android_Malware_Ramsonware.yar"
include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
include "./Mobile_Malware/Android_Malware_Towelroot.yar"
include "./Mobile_Malware/Android_Marcher_2.yar"
include "./Mobile_Malware/Android_MazarBot_z.yar"
include "./Mobile_Malware/Android_Metasploit.yar"
include "./Mobile_Malware/Android_Metasploit_Payload.yar"
include "./Mobile_Malware/Android_OmniRat.yar"
include "./Mobile_Malware/Android_Overlayer.yar"
include "./Mobile_Malware/Android_Pink_Locker.yar"
include "./Mobile_Malware/Android_Polish_Bankbot.yar"
include "./Mobile_Malware/Android_RuMMS.yar"
include "./Mobile_Malware/Android_SMSFraud.yar"
include "./Mobile_Malware/Android_SandroRat.yar"
include "./Mobile_Malware/Android_SlemBunk.yar"
include "./Mobile_Malware/Android_SpyAgent.yar"
include "./Mobile_Malware/Android_SpyNote.yar"
include "./Mobile_Malware/Android_Spynet.yar"
include "./Mobile_Malware/Android_Spywaller.yar"
include "./Mobile_Malware/Android_Switcher.yar"
include "./Mobile_Malware/Android_Tachi.yar"
include "./Mobile_Malware/Android_Tempting_Cedar_Spyware.yar"
include "./Mobile_Malware/Android_Tordow.yar"
include "./Mobile_Malware/Android_Triada_Banking.yar"
include "./Mobile_Malware/Android_Trojan_Dendroid.yar"
include "./Mobile_Malware/Android_Trojan_Droidjack.yar"
include "./Mobile_Malware/Android_VikingOrder.yar"
include "./Mobile_Malware/Android_VirusPolicia.yar"
include "./Mobile_Malware/Android_adware.yar"
include "./Mobile_Malware/Android_generic_adware.yar"
include "./Mobile_Malware/Android_generic_smsfraud.yar"
include "./Mobile_Malware/Android_malware_Advertising.yar"
include "./Mobile_Malware/Android_malware_ChinesePorn.yar"
include "./Mobile_Malware/Android_malware_Dropper.yar"
include "./Mobile_Malware/Android_malware_Fake_MosKow.yar"
include "./Mobile_Malware/Android_malware_HackingTeam.yar"
include "./Mobile_Malware/Android_malware_SMSsender.yar"
include "./Mobile_Malware/Android_malware_banker.yar"
include "./Mobile_Malware/Android_malware_xbot007.yar"
include "./Mobile_Malware/Android_mapin.yar"
include "./Mobile_Malware/Android_pornClicker.yar"
include "./Mobile_Malware/Android_sk_bankTr.yar"
/*
Generated by Yara-Rules
On 26-11-2019
*/
include "./Packers/JJencode.yar"
include "./Packers/Javascript_exploit_and_obfuscation.yar"
include "./Packers/packer.yar"
include "./Packers/packer_compiler_signatures.yar"
include "./Packers/peid.yar"
[![Build Status](https://travis-ci.org/Yara-Rules/rules.svg)](https://travis-ci.org/Yara-Rules/rules)
[![Build Status](https://travis-ci.org/Yara-Rules/rules.svg)](https://travis-ci.org/Yara-Rules/rules) <img src="http://img.shields.io/liberapay/patrons/yararules.svg?logo=liberapay">
# Project
......@@ -14,8 +15,6 @@ If you’re interested in sharing your Yara rules with us and the Security Commu
Twitter account: https://twitter.com/yararules
Mailing list : http://list.yararules.com/mailman/listinfo/yararules.com.signatures
# Requirements
Yara **version 3.0** or higher is required for most of our rules to work. This is mainly due to the use of the "pe" module introduced in that version.
......@@ -24,7 +23,9 @@ You can check your installed version with `yara -v`
Packages available in Ubuntu 14.04 LTS default repositories are too old. You can alternatively install from source or use the packages available in the [Remnux repository](https://launchpad.net/~remnux/+archive/ubuntu/stable).
Also, you will need [Androguard Module](https://github.com/Koodous/androguard-yara) if you want to use the rules in the 'mobile_malware' category.
~~Also, you will need [Androguard Module](https://github.com/Koodous/androguard-yara) if you want to use the rules in the 'mobile_malware' category.~~
We have deprecated mobile_malware rules that depend on Androguard Module because it seems an abandoned project.
# Categories
......@@ -36,7 +37,7 @@ In this section you will find Yara Rules aimed toward the detection of anti-debu
In this section you will find Yara rules to detect capabilities that do not fit into any of the other categories. They are useful to know for analysis but may not be malicious indicators on their own.
## CVE_Rules
## CVE Rules
In this section you will find Yara Rules specialised toward the identification of specific Common Vulnerabilities and Exposures (CVEs)
......@@ -72,9 +73,9 @@ In this section you will find Yara rules specialised toward the identification o
In this section you will find Yara rules specialised toward the identification of well-known mobile malware.
Many rules in this section use the Androguard module developed by the people over at https://koodous.com/.
## Deprecated
You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
In this section you will find Yara rules deprecated.
# Contact
......@@ -82,4 +83,3 @@ Webpage: http://yararules.com
Twitter account: https://twitter.com/yararules
Mail list : http://list.yararules.com/mailman/listinfo/yararules.com.signatures
/*
Generated by Yara-Rules
On 26-11-2019
*/
include "./Webshells/WShell_APT_Laudanum.yar"
include "./Webshells/WShell_ASPXSpy.yar"
include "./Webshells/WShell_PHP_Anuna.yar"
include "./Webshells/WShell_PHP_in_images.yar"
include "./Webshells/WShell_THOR_Webshells.yar"
include "./Webshells/Wshell_ChineseSpam.yar"
include "./Webshells/Wshell_fire2013.yar"
/*
Generated by Yara-Rules
On 24-02-2020
*/
include "./antidebug_antivm/antidebug_antivm.yar"
......@@ -813,3 +813,102 @@ rule win_files_operation {
condition:
$f1 and 3 of ($c*)
}
rule Str_Win32_Winsock2_Library
{
meta:
author = "@adricnet"
description = "Match Winsock 2 API library declaration"
method = "String match"
reference = "https://github.com/dfirnotes/rules"
strings:
$ws2_lib = "Ws2_32.dll" nocase
$wsock2_lib = "WSock32.dll" nocase
condition:
(any of ($ws2_lib, $wsock2_lib))
}
rule Str_Win32_Wininet_Library
{
meta:
author = "@adricnet"
description = "Match Windows Inet API library declaration"
method = "String match"
reference = "https://github.com/dfirnotes/rules"
strings:
$wininet_lib = "WININET.dll" nocase
condition:
(all of ($wininet*))
}
rule Str_Win32_Internet_API
{
meta:
author = "@adricnet"
description = "Match Windows Inet API call"
method = "String match, trim the As"
reference = "https://github.com/dfirnotes/rules"
strings:
$wininet_call_closeh = "InternetCloseHandle"
$wininet_call_readf = "InternetReadFile"
$wininet_call_connect = "InternetConnect"
$wininet_call_open = "InternetOpen"
condition:
(any of ($wininet_call*))
}
rule Str_Win32_Http_API
{
meta:
author = "@adricnet"
description = "Match Windows Http API call"
method = "String match, trim the As"
reference = "https://github.com/dfirnotes/rules"
strings:
$wininet_call_httpr = "HttpSendRequest"
$wininet_call_httpq = "HttpQueryInfo"
$wininet_call_httpo = "HttpOpenRequest"
condition:
(any of ($wininet_call_http*))
}
rule ldpreload
{
meta:
author="xorseed"
reference= "https://stuff.rop.io/"
strings:
$a = "dlopen" nocase ascii wide
$b = "dlsym" nocase ascii wide
$c = "fopen" nocase ascii wide
$d = "fopen64" nocase ascii wide
$e = "__fxstat" nocase ascii wide
$f = "__fxstat64" nocase ascii wide
$g = "accept" nocase ascii wide
$h = "__lxstat" nocase ascii wide
$i = "__lxstat64" nocase ascii wide
$j = "open" nocase ascii wide
$k = "rmdir" nocase ascii wide
$l = "__xstat" nocase ascii wide
$m = "__xstat64" nocase ascii wide
$n = "unlink" nocase ascii wide
$o = "unlikat" nocase ascii wide
$p = "fdopendir" nocase ascii wide
$q = "opendir" nocase ascii wide
$r = "readdir" nocase ascii wide
$s = "readdir64" nocase ascii wide
condition:
($a or $b) and 5 of them
}
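Review bot: In rule `ldpreload` the string `$o = "unlikat"` is a typo for `unlinkat` and will never match the libc symbol. The rule is also very broad: `$j = "open"`, `$g = "accept"` and `$r = "readdir"` with `nocase ascii wide` are substrings of countless symbols (`fopen`, `opendir`, `accept4`, …), so `($a or $b) and 5 of them` fires on almost any dynamically linked ELF that references `dlopen`/`dlsym`; consider `fullword` and dropping `nocase`, since ELF symbol names are case-sensitive. The rule also lacks a `description` meta entry unlike the sibling rules above it; `description = "Common libc symbols hooked by LD_PRELOAD rootkits"` would document the intent. The hunk opens inside `win_files_operation`, whose body begins outside the hunk.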
/*
Generated by Yara-Rules
On 26-11-2019
On 24-02-2020
*/
include "./Capabilities/capabilities.yar"
include "./capabilities/capabilities.yar"
......@@ -378,6 +378,26 @@ rule SHA512_Constants {
5 of them
}
rule SHA2_BLAKE2_IVs {
meta:
author = "spelissier"
description = "Look for SHA2/BLAKE2/Argon2 IVs"
date = "2019-12"
version = "0.1"
strings:
$c0 = { 67 E6 09 6A }
$c1 = { 85 AE 67 BB }
$c2 = { 72 F3 6E 3C }
$c3 = { 3A F5 4F A5 }
$c4 = { 7F 52 0E 51 }
$c5 = { 8C 68 05 9B }
$c6 = { AB D9 83 1F }
$c7 = { 19 CD E0 5B }
condition:
all of them
}
rule TEAN {
meta:
author = "_pusher_"
......@@ -1431,3 +1451,45 @@ rule DCP_DES_EncryptECB {
condition:
any of them
}
rule Chacha_128_constant {
meta:
author = "spelissier"
description = "Look for 128-bit key Chacha stream cipher constant"
date = "2019-12"
reference = "https://www.ecrypt.eu.org/stream/salsa20pf.html"
strings:
$c0 = "expand 16-byte k"
condition:
$c0
}
rule Chacha_256_constant {
meta:
author = "spelissier"
description = "Look for 256-bit key Chacha stream cipher constant"
date = "2019-12"
reference = "https://tools.ietf.org/html/rfc8439#page-8"
strings:
$c0 = "expand 32-byte k"
condition:
$c0
}
rule ecc_order {
meta:
author = "spelissier"
description = "Look for known Elliptic curve orders"
date = "2020-01"
version = "0.1"
strings:
$secp192k1 = { FF FF FF FF FF FF FF FF FF FF FF FE 26 F2 FC 17 0F 69 46 6A 74 DE FD 8D}
$secp192r1 = { FF FF FF FF FF FF FF FF FF FF FF FF 99 DE F8 36 14 6B C9 B1 B4 D2 28 31}
$secp224k1 = { 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 DC E8 D2 EC 61 84 CA F0 A9 71 76 9F B1 F7}
$secp224r1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF 16 A2 E0 B8 F0 3E 13 DD 29 45 5C 5C 2A 3D}
$secp256k1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FE BA AE DC E6 AF 48 A0 3B BF D2 5E 8C D0 36 41 41 }
$prime256v1 = { FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF FF BC E6 FA AD A7 17 9E 84 F3 B9 CA C2 FC 63 25 51 }
$secp384r1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF C7 63 4D 81 F4 37 2D DF 58 1A 0D B2 48 B0 A7 7A EC EC 19 6A CC C5 29 73 }
condition:
any of them
}
\ No newline at end of file
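Review bot: `ecc_order` only matches the big-endian byte serialization of each group order, so implementations that keep the order as little-endian limbs (the usual layout in scalar-arithmetic code) will not trigger it; adding a second string per curve with the byte order reversed and keeping `any of them` would cover both layouts. The `Chacha_128_constant`/`Chacha_256_constant` strings `"expand 16-byte k"`/`"expand 32-byte k"` are the tau/sigma constants shared by Salsa20, XSalsa20 and ChaCha — the cited salsa20pf reference is itself a Salsa20 document — so the descriptions should read `"Look for 128-bit key Salsa20/ChaCha stream cipher constant"` to avoid misattribution during triage. `SHA2_BLAKE2_IVs` likewise matches only little-endian word storage, which is worth stating in its description. The file also lost its trailing newline.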
/*
Generated by Yara-Rules
On 26-11-2019
On 24-02-2020
*/
include "./Crypto/crypto_signatures.yar"
include "./crypto/crypto_signatures.yar"
/*
Generated by Yara-Rules
On 24-02-2020
*/
include "./cve_rules/CVE-2010-0805.yar"
include "./cve_rules/CVE-2010-0887.yar"
include "./cve_rules/CVE-2010-1297.yar"
include "./cve_rules/CVE-2012-0158.yar"
include "./cve_rules/CVE-2013-0074.yar"
include "./cve_rules/CVE-2013-0422.yar"
include "./cve_rules/CVE-2015-1701.yar"
include "./cve_rules/CVE-2015-2426.yar"
include "./cve_rules/CVE-2015-2545.yar"
include "./cve_rules/CVE-2015-5119.yar"
include "./cve_rules/CVE-2016-5195.yar"
include "./cve_rules/CVE-2017-11882.yar"
include "./cve_rules/CVE-2018-20250.yar"
include "./cve_rules/CVE-2018-4878.yar"
// Published under the GNU-GPLv2 license. It’s open to any user or organization,
// as long as you use it under this license.
rule finspy : cdshide android
{
meta:
description = "Detect Gamma/FinFisher FinSpy for Android #GovWare"
date = "2020/01/07"
author = "Thorsten Schröder - ths @ ccc.de (https://twitter.com/__ths__)"
reference1 = "https://github.com/devio/FinSpy-Tools"
reference2 = "https://github.com/Linuzifer/FinSpy-Dokumentation"
reference3 = "https://www.ccc.de/de/updates/2019/finspy"
sample = "c2ce202e6e08c41e8f7a0b15e7d0781704e17f8ed52d1b2ad7212ac29926436e"
strings:
$re = /\x50\x4B\x01\x02[\x00-\xff]{32}[A-Za-z0-9+\/]{6}/
condition:
$re and (#re > 50)
}
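Review bot: In `finspy`, the `$re and` half of the condition is redundant because `#re > 50` already implies at least one match, and the threshold 50 is unexplained; `condition: #re > 50  // FinSpy APKs carry many such central-directory entries, see reference1` would be clearer. The regex anchors on `PK\x01\x02` (ZIP central directory file header) and skips 32 bytes before requiring six base64 characters, yet in the standard central-directory layout the fixed fields extend 42 bytes past the signature, so the base64 run lands in the attribute fields rather than the file name — presumably intentional per FinSpy-Tools, but a comment naming the field being matched would prevent a future "fix". The `reference1`/`reference2`/`reference3` keys also differ from the single `reference` meta key used elsewhere in this commit.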
/*
Generated by Yara-Rules
On 26-11-2019
On 24-02-2020
*/
include "./email/EMAIL_Cryptowall.yar"
include "./email/attachment.yar"