Unverified Commit 87e9b46f by Jaume Martin Committed by GitHub

Merge pull request #368 from knowmalware/move_to_capabilities2

Move more generic rules to capabilities category.
parents fd3351aa d2bc685a
......@@ -813,3 +813,102 @@ rule win_files_operation {
condition:
$f1 and 3 of ($c*)
}
rule Str_Win32_Winsock2_Library
{
meta:
author = "@adricnet"
description = "Match Winsock 2 API library declaration"
method = "String match"
reference = "https://github.com/dfirnotes/rules"
strings:
$ws2_lib = "Ws2_32.dll" nocase
$wsock2_lib = "WSock32.dll" nocase
condition:
(any of ($ws2_lib, $wsock2_lib))
}
rule Str_Win32_Wininet_Library
{
meta:
author = "@adricnet"
description = "Match Windows Inet API library declaration"
method = "String match"
reference = "https://github.com/dfirnotes/rules"
strings:
$wininet_lib = "WININET.dll" nocase
condition:
(all of ($wininet*))
}
rule Str_Win32_Internet_API
{
meta:
author = "@adricnet"
description = "Match Windows Inet API call"
method = "String match, trim the As"
reference = "https://github.com/dfirnotes/rules"
strings:
$wininet_call_closeh = "InternetCloseHandle"
$wininet_call_readf = "InternetReadFile"
$wininet_call_connect = "InternetConnect"
$wininet_call_open = "InternetOpen"
condition:
(any of ($wininet_call*))
}
rule Str_Win32_Http_API
{
meta:
author = "@adricnet"
description = "Match Windows Http API call"
method = "String match, trim the As"
reference = "https://github.com/dfirnotes/rules"
strings:
$wininet_call_httpr = "HttpSendRequest"
$wininet_call_httpq = "HttpQueryInfo"
$wininet_call_httpo = "HttpOpenRequest"
condition:
(any of ($wininet_call_http*))
}
rule ldpreload
{
meta:
author="xorseed"
reference= "https://stuff.rop.io/"
strings:
$a = "dlopen" nocase ascii wide
$b = "dlsym" nocase ascii wide
$c = "fopen" nocase ascii wide
$d = "fopen64" nocase ascii wide
$e = "__fxstat" nocase ascii wide
$f = "__fxstat64" nocase ascii wide
$g = "accept" nocase ascii wide
$h = "__lxstat" nocase ascii wide
$i = "__lxstat64" nocase ascii wide
$j = "open" nocase ascii wide
$k = "rmdir" nocase ascii wide
$l = "__xstat" nocase ascii wide
$m = "__xstat64" nocase ascii wide
$n = "unlink" nocase ascii wide
$o = "unlikat" nocase ascii wide
$p = "fdopendir" nocase ascii wide
$q = "opendir" nocase ascii wide
$r = "readdir" nocase ascii wide
$s = "readdir64" nocase ascii wide
condition:
($a or $b) and 5 of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
github.com/dfirnotes/rules
Version 0.0.0
*/
rule Str_Win32_Winsock2_Library
{
meta:
author = "@adricnet"
description = "Match Winsock 2 API library declaration"
method = "String match"
strings:
$ws2_lib = "Ws2_32.dll" nocase
$wsock2_lib = "WSock32.dll" nocase
condition:
(any of ($ws2_lib, $wsock2_lib))
}
rule Str_Win32_Wininet_Library
{
meta:
author = "@adricnet"
description = "Match Windows Inet API library declaration"
method = "String match"
strings:
$wininet_lib = "WININET.dll" nocase
condition:
(all of ($wininet*))
}
rule Str_Win32_Internet_API
{
meta:
author = "@adricnet"
description = "Match Windows Inet API call"
method = "String match, trim the As"
strings:
$wininet_call_closeh = "InternetCloseHandle"
$wininet_call_readf = "InternetReadFile"
$wininet_call_connect = "InternetConnect"
$wininet_call_open = "InternetOpen"
condition:
(any of ($wininet_call*))
}
rule Str_Win32_Http_API
{
meta:
author = "@adricnet"
description = "Match Windows Http API call"
method = "String match, trim the As"
strings:
$wininet_call_httpr = "HttpSendRequest"
$wininet_call_httpq = "HttpQueryInfo"
$wininet_call_httpo = "HttpOpenRequest"
condition:
(any of ($wininet_call_http*))
}
......@@ -155,33 +155,3 @@ rule exploit
7 of them
}
rule ldpreload
{
meta:
author="xorseed"
reference= "https://stuff.rop.io/"
strings:
$a = "dlopen" nocase ascii wide
$b = "dlsym" nocase ascii wide
$c = "fopen" nocase ascii wide
$d = "fopen64" nocase ascii wide
$e = "__fxstat" nocase ascii wide
$f = "__fxstat64" nocase ascii wide
$g = "accept" nocase ascii wide
$h = "__lxstat" nocase ascii wide
$i = "__lxstat64" nocase ascii wide
$j = "open" nocase ascii wide
$k = "rmdir" nocase ascii wide
$l = "__xstat" nocase ascii wide
$m = "__xstat64" nocase ascii wide
$n = "unlink" nocase ascii wide
$o = "unlikat" nocase ascii wide
$p = "fdopendir" nocase ascii wide
$q = "opendir" nocase ascii wide
$r = "readdir" nocase ascii wide
$s = "readdir64" nocase ascii wide
condition:
($a or $b) and 5 of them
}
......@@ -116,7 +116,6 @@ include "./malware/MALW_Boouset.yar"
include "./malware/MALW_Bublik.yar"
include "./malware/MALW_Buzus_Softpulse.yar"
include "./malware/MALW_CAP_HookExKeylogger.yar"
include "./malware/MALW_CAP_Win32Inet.yara"
include "./malware/MALW_Chicken.yar"
include "./malware/MALW_Citadel.yar"
include "./malware/MALW_Cloaking.yar"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment