Unverified Commit a64cb680 by Jaume Martin Committed by GitHub

Merge branch 'master' into master

parents 3d0cd31b 2995d667
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./antidebug_antivm/antidebug_antivm.yar" include "./antidebug_antivm/antidebug_antivm.yar"
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./capabilities/capabilities.yar" include "./capabilities/capabilities.yar"
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./crypto/crypto_signatures.yar" include "./crypto/crypto_signatures.yar"
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./cve_rules/CVE-2010-0805.yar" include "./cve_rules/CVE-2010-0805.yar"
include "./cve_rules/CVE-2010-0887.yar" include "./cve_rules/CVE-2010-0887.yar"
......
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./email/EMAIL_Cryptowall.yar" include "./email/EMAIL_Cryptowall.yar"
include "./email/Email_fake_it_maintenance_bulletin.yar" include "./email/Email_fake_it_maintenance_bulletin.yar"
......
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./exploit_kits/EK_Angler.yar" include "./exploit_kits/EK_Angler.yar"
include "./exploit_kits/EK_Blackhole.yar" include "./exploit_kits/EK_Blackhole.yar"
......
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./antidebug_antivm/antidebug_antivm.yar" include "./antidebug_antivm/antidebug_antivm.yar"
include "./capabilities/capabilities.yar" include "./capabilities/capabilities.yar"
...@@ -58,6 +58,7 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar" ...@@ -58,6 +58,7 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
include "./maldocs/Maldoc_UserForm.yar" include "./maldocs/Maldoc_UserForm.yar"
include "./maldocs/Maldoc_VBA_macro_code.yar" include "./maldocs/Maldoc_VBA_macro_code.yar"
include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar" include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
include "./maldocs/Maldoc_hancitor_dropper.yar"
include "./maldocs/Maldoc_malrtf_ole2link.yar" include "./maldocs/Maldoc_malrtf_ole2link.yar"
include "./maldocs/maldoc_somerules.yar" include "./maldocs/maldoc_somerules.yar"
include "./malware/000_common_rules.yar" include "./malware/000_common_rules.yar"
...@@ -110,6 +111,7 @@ include "./malware/APT_Minidionis.yar" ...@@ -110,6 +111,7 @@ include "./malware/APT_Minidionis.yar"
include "./malware/APT_Mirage.yar" include "./malware/APT_Mirage.yar"
include "./malware/APT_Molerats.yar" include "./malware/APT_Molerats.yar"
include "./malware/APT_Mongall.yar" include "./malware/APT_Mongall.yar"
include "./malware/APT_MoonlightMaze.yar"
include "./malware/APT_NGO.yar" include "./malware/APT_NGO.yar"
include "./malware/APT_OPCleaver.yar" include "./malware/APT_OPCleaver.yar"
include "./malware/APT_Oilrig.yar" include "./malware/APT_Oilrig.yar"
...@@ -123,8 +125,11 @@ include "./malware/APT_Platinum.yar" ...@@ -123,8 +125,11 @@ include "./malware/APT_Platinum.yar"
include "./malware/APT_Poseidon_Group.yar" include "./malware/APT_Poseidon_Group.yar"
include "./malware/APT_Prikormka.yar" include "./malware/APT_Prikormka.yar"
include "./malware/APT_PutterPanda.yar" include "./malware/APT_PutterPanda.yar"
include "./malware/APT_RedLeaves.yar"
include "./malware/APT_Regin.yar" include "./malware/APT_Regin.yar"
include "./malware/APT_RemSec.yar" include "./malware/APT_RemSec.yar"
include "./malware/APT_Sauron.yar"
include "./malware/APT_Sauron_extras.yar"
include "./malware/APT_Scarab_Scieron.yar" include "./malware/APT_Scarab_Scieron.yar"
include "./malware/APT_Seaduke.yar" include "./malware/APT_Seaduke.yar"
include "./malware/APT_Shamoon_StoneDrill.yar" include "./malware/APT_Shamoon_StoneDrill.yar"
...@@ -186,6 +191,7 @@ include "./malware/MALW_Derkziel.yar" ...@@ -186,6 +191,7 @@ include "./malware/MALW_Derkziel.yar"
include "./malware/MALW_Dexter.yar" include "./malware/MALW_Dexter.yar"
include "./malware/MALW_DiamondFox.yar" include "./malware/MALW_DiamondFox.yar"
include "./malware/MALW_DirtJumper.yar" include "./malware/MALW_DirtJumper.yar"
include "./malware/MALW_Eicar.yar"
include "./malware/MALW_Elex.yar" include "./malware/MALW_Elex.yar"
include "./malware/MALW_Elknot.yar" include "./malware/MALW_Elknot.yar"
include "./malware/MALW_Emotet.yar" include "./malware/MALW_Emotet.yar"
...@@ -311,6 +317,7 @@ include "./malware/MALW_Zegost.yar" ...@@ -311,6 +317,7 @@ include "./malware/MALW_Zegost.yar"
include "./malware/MALW_Zeus.yar" include "./malware/MALW_Zeus.yar"
include "./malware/MALW_adwind_RAT.yar" include "./malware/MALW_adwind_RAT.yar"
include "./malware/MALW_hancitor.yar" include "./malware/MALW_hancitor.yar"
include "./malware/MALW_kirbi_mimikatz.yar"
include "./malware/MALW_kpot.yar" include "./malware/MALW_kpot.yar"
include "./malware/MALW_marap.yar" include "./malware/MALW_marap.yar"
include "./malware/MALW_shifu_shiz.yar" include "./malware/MALW_shifu_shiz.yar"
...@@ -388,13 +395,22 @@ include "./malware/RANSOM_MS17-010_Wannacrypt.yar" ...@@ -388,13 +395,22 @@ include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
include "./malware/RANSOM_Maze.yar" include "./malware/RANSOM_Maze.yar"
include "./malware/RANSOM_PetrWrap.yar" include "./malware/RANSOM_PetrWrap.yar"
include "./malware/RANSOM_Petya.yar" include "./malware/RANSOM_Petya.yar"
include "./malware/RANSOM_Petya_MS17_010.yar"
include "./malware/RANSOM_Pico.yar"
include "./malware/RANSOM_SamSam.yar" include "./malware/RANSOM_SamSam.yar"
include "./malware/RANSOM_Satana.yar" include "./malware/RANSOM_Satana.yar"
include "./malware/RANSOM_Shiva.yar"
include "./malware/RANSOM_Sigma.yar" include "./malware/RANSOM_Sigma.yar"
include "./malware/RANSOM_Snake.yar" include "./malware/RANSOM_Snake.yar"
include "./malware/RANSOM_Stampado.yar" include "./malware/RANSOM_Stampado.yar"
include "./malware/RANSOM_TeslaCrypt.yar" include "./malware/RANSOM_TeslaCrypt.yar"
include "./malware/RANSOM_Tox.yar" include "./malware/RANSOM_Tox.yar"
include "./malware/RANSOM_acroware.yar"
include "./malware/RANSOM_jeff_dev.yar"
include "./malware/RANSOM_locdoor.yar"
include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
include "./malware/RANSOM_shrug2.yar"
include "./malware/RANSOM_termite.yar"
include "./malware/RAT_Adwind.yar" include "./malware/RAT_Adwind.yar"
include "./malware/RAT_Adzok.yar" include "./malware/RAT_Adzok.yar"
include "./malware/RAT_Asyncrat.yar" include "./malware/RAT_Asyncrat.yar"
...@@ -418,6 +434,7 @@ include "./malware/RAT_Meterpreter_Reverse_Tcp.yar" ...@@ -418,6 +434,7 @@ include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
include "./malware/RAT_Nanocore.yar" include "./malware/RAT_Nanocore.yar"
include "./malware/RAT_NetwiredRC.yar" include "./malware/RAT_NetwiredRC.yar"
include "./malware/RAT_Njrat.yar" include "./malware/RAT_Njrat.yar"
include "./malware/RAT_Orcus.yar"
include "./malware/RAT_PlugX.yar" include "./malware/RAT_PlugX.yar"
include "./malware/RAT_PoetRATDoc.yar" include "./malware/RAT_PoetRATDoc.yar"
include "./malware/RAT_PoetRATPython.yar" include "./malware/RAT_PoetRATPython.yar"
......
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./antidebug_antivm/antidebug_antivm.yar" include "./antidebug_antivm/antidebug_antivm.yar"
include "./capabilities/capabilities.yar" include "./capabilities/capabilities.yar"
...@@ -58,6 +58,7 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar" ...@@ -58,6 +58,7 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
include "./maldocs/Maldoc_UserForm.yar" include "./maldocs/Maldoc_UserForm.yar"
include "./maldocs/Maldoc_VBA_macro_code.yar" include "./maldocs/Maldoc_VBA_macro_code.yar"
include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar" include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
include "./maldocs/Maldoc_hancitor_dropper.yar"
include "./maldocs/Maldoc_malrtf_ole2link.yar" include "./maldocs/Maldoc_malrtf_ole2link.yar"
include "./maldocs/maldoc_somerules.yar" include "./maldocs/maldoc_somerules.yar"
include "./malware/000_common_rules.yar" include "./malware/000_common_rules.yar"
...@@ -110,6 +111,7 @@ include "./malware/APT_Minidionis.yar" ...@@ -110,6 +111,7 @@ include "./malware/APT_Minidionis.yar"
include "./malware/APT_Mirage.yar" include "./malware/APT_Mirage.yar"
include "./malware/APT_Molerats.yar" include "./malware/APT_Molerats.yar"
include "./malware/APT_Mongall.yar" include "./malware/APT_Mongall.yar"
include "./malware/APT_MoonlightMaze.yar"
include "./malware/APT_NGO.yar" include "./malware/APT_NGO.yar"
include "./malware/APT_OPCleaver.yar" include "./malware/APT_OPCleaver.yar"
include "./malware/APT_Oilrig.yar" include "./malware/APT_Oilrig.yar"
...@@ -123,8 +125,11 @@ include "./malware/APT_Platinum.yar" ...@@ -123,8 +125,11 @@ include "./malware/APT_Platinum.yar"
include "./malware/APT_Poseidon_Group.yar" include "./malware/APT_Poseidon_Group.yar"
include "./malware/APT_Prikormka.yar" include "./malware/APT_Prikormka.yar"
include "./malware/APT_PutterPanda.yar" include "./malware/APT_PutterPanda.yar"
include "./malware/APT_RedLeaves.yar"
include "./malware/APT_Regin.yar" include "./malware/APT_Regin.yar"
include "./malware/APT_RemSec.yar" include "./malware/APT_RemSec.yar"
include "./malware/APT_Sauron.yar"
include "./malware/APT_Sauron_extras.yar"
include "./malware/APT_Scarab_Scieron.yar" include "./malware/APT_Scarab_Scieron.yar"
include "./malware/APT_Seaduke.yar" include "./malware/APT_Seaduke.yar"
include "./malware/APT_Shamoon_StoneDrill.yar" include "./malware/APT_Shamoon_StoneDrill.yar"
...@@ -186,6 +191,7 @@ include "./malware/MALW_Derkziel.yar" ...@@ -186,6 +191,7 @@ include "./malware/MALW_Derkziel.yar"
include "./malware/MALW_Dexter.yar" include "./malware/MALW_Dexter.yar"
include "./malware/MALW_DiamondFox.yar" include "./malware/MALW_DiamondFox.yar"
include "./malware/MALW_DirtJumper.yar" include "./malware/MALW_DirtJumper.yar"
include "./malware/MALW_Eicar.yar"
include "./malware/MALW_Elex.yar" include "./malware/MALW_Elex.yar"
include "./malware/MALW_Elknot.yar" include "./malware/MALW_Elknot.yar"
include "./malware/MALW_Emotet.yar" include "./malware/MALW_Emotet.yar"
...@@ -311,6 +317,7 @@ include "./malware/MALW_Zegost.yar" ...@@ -311,6 +317,7 @@ include "./malware/MALW_Zegost.yar"
include "./malware/MALW_Zeus.yar" include "./malware/MALW_Zeus.yar"
include "./malware/MALW_adwind_RAT.yar" include "./malware/MALW_adwind_RAT.yar"
include "./malware/MALW_hancitor.yar" include "./malware/MALW_hancitor.yar"
include "./malware/MALW_kirbi_mimikatz.yar"
include "./malware/MALW_kpot.yar" include "./malware/MALW_kpot.yar"
include "./malware/MALW_marap.yar" include "./malware/MALW_marap.yar"
include "./malware/MALW_shifu_shiz.yar" include "./malware/MALW_shifu_shiz.yar"
...@@ -388,13 +395,22 @@ include "./malware/RANSOM_MS17-010_Wannacrypt.yar" ...@@ -388,13 +395,22 @@ include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
include "./malware/RANSOM_Maze.yar" include "./malware/RANSOM_Maze.yar"
include "./malware/RANSOM_PetrWrap.yar" include "./malware/RANSOM_PetrWrap.yar"
include "./malware/RANSOM_Petya.yar" include "./malware/RANSOM_Petya.yar"
include "./malware/RANSOM_Petya_MS17_010.yar"
include "./malware/RANSOM_Pico.yar"
include "./malware/RANSOM_SamSam.yar" include "./malware/RANSOM_SamSam.yar"
include "./malware/RANSOM_Satana.yar" include "./malware/RANSOM_Satana.yar"
include "./malware/RANSOM_Shiva.yar"
include "./malware/RANSOM_Sigma.yar" include "./malware/RANSOM_Sigma.yar"
include "./malware/RANSOM_Snake.yar" include "./malware/RANSOM_Snake.yar"
include "./malware/RANSOM_Stampado.yar" include "./malware/RANSOM_Stampado.yar"
include "./malware/RANSOM_TeslaCrypt.yar" include "./malware/RANSOM_TeslaCrypt.yar"
include "./malware/RANSOM_Tox.yar" include "./malware/RANSOM_Tox.yar"
include "./malware/RANSOM_acroware.yar"
include "./malware/RANSOM_jeff_dev.yar"
include "./malware/RANSOM_locdoor.yar"
include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
include "./malware/RANSOM_shrug2.yar"
include "./malware/RANSOM_termite.yar"
include "./malware/RAT_Adwind.yar" include "./malware/RAT_Adwind.yar"
include "./malware/RAT_Adzok.yar" include "./malware/RAT_Adzok.yar"
include "./malware/RAT_Asyncrat.yar" include "./malware/RAT_Asyncrat.yar"
...@@ -418,6 +434,7 @@ include "./malware/RAT_Meterpreter_Reverse_Tcp.yar" ...@@ -418,6 +434,7 @@ include "./malware/RAT_Meterpreter_Reverse_Tcp.yar"
include "./malware/RAT_Nanocore.yar" include "./malware/RAT_Nanocore.yar"
include "./malware/RAT_NetwiredRC.yar" include "./malware/RAT_NetwiredRC.yar"
include "./malware/RAT_Njrat.yar" include "./malware/RAT_Njrat.yar"
include "./malware/RAT_Orcus.yar"
include "./malware/RAT_PlugX.yar" include "./malware/RAT_PlugX.yar"
include "./malware/RAT_PoetRATDoc.yar" include "./malware/RAT_PoetRATDoc.yar"
include "./malware/RAT_PoetRATPython.yar" include "./malware/RAT_PoetRATPython.yar"
......
/* /*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/ */
rule hancitor_dropper : vb_win32api rule hancitor_dropper : vb_win32api
{ {
meta: meta:
......
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./maldocs/Maldoc_APT10_MenuPass.yar" include "./maldocs/Maldoc_APT10_MenuPass.yar"
include "./maldocs/Maldoc_APT19_CVE-2017-1099.yar" include "./maldocs/Maldoc_APT19_CVE-2017-1099.yar"
...@@ -20,5 +20,6 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar" ...@@ -20,5 +20,6 @@ include "./maldocs/Maldoc_Suspicious_OLE_target.yar"
include "./maldocs/Maldoc_UserForm.yar" include "./maldocs/Maldoc_UserForm.yar"
include "./maldocs/Maldoc_VBA_macro_code.yar" include "./maldocs/Maldoc_VBA_macro_code.yar"
include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar" include "./maldocs/Maldoc_Word_2007_XML_Flat_OPC.yar"
include "./maldocs/Maldoc_hancitor_dropper.yar"
include "./maldocs/Maldoc_malrtf_ole2link.yar" include "./maldocs/Maldoc_malrtf_ole2link.yar"
include "./maldocs/maldoc_somerules.yar" include "./maldocs/maldoc_somerules.yar"
...@@ -12,7 +12,7 @@ rule screenlocker_acroware { ...@@ -12,7 +12,7 @@ rule screenlocker_acroware {
$s2 = "All your Personal Data got encrypted and the decryption key is stored on a hidden" fullword ascii $s2 = "All your Personal Data got encrypted and the decryption key is stored on a hidden" fullword ascii
$s3 = "alphaoil@mail2tor.com any try of removing this Ransomware will result in an instantly " fullword ascii $s3 = "alphaoil@mail2tor.com any try of removing this Ransomware will result in an instantly " fullword ascii
$s4 = "HKEY_CURRENT_USER\\SoftwareE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide $s4 = "HKEY_CURRENT_USER\\SoftwareE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide
$s5 = "webserver, after 72 hours thedecryption key will get removed and your personal" fullword ascii $s5 = "webserver, after 72 hours the decryption key will get removed and your personal" fullword ascii
condition: condition:
( uint16(0) == 0x5a4d and filesize < 2000KB ) and all of them ( uint16(0) == 0x5a4d and filesize < 2000KB ) and all of them
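Review bot: Changing `thedecryption` to `the decryption` in `$s5` changes the bytes the rule matches, and because the condition on the next line is `all of them`, one string that no longer matches silences the whole rule rather than weakening it. Ransom-note strings in rules like this are usually copied verbatim from the sample, typos included, and the untouched `SoftwareE` in `$s4` suggests that is the case here, so the edit should be checked against the reference sample before it lands. If the original spelling was a transcription error, a comment such as `// $s5 spelling verified against sample <hash from meta>` would stop the next reader from reverting it; if it cannot be verified, a form that matches either spelling, `$s5 = "decryption key will get removed and your personal" ascii`, keeps detection intact. The rule's meta section and closing brace are outside the hunk.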
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./malware/000_common_rules.yar" include "./malware/000_common_rules.yar"
include "./malware/APT_APT1.yar" include "./malware/APT_APT1.yar"
...@@ -260,6 +260,7 @@ include "./malware/MALW_Zegost.yar" ...@@ -260,6 +260,7 @@ include "./malware/MALW_Zegost.yar"
include "./malware/MALW_Zeus.yar" include "./malware/MALW_Zeus.yar"
include "./malware/MALW_adwind_RAT.yar" include "./malware/MALW_adwind_RAT.yar"
include "./malware/MALW_hancitor.yar" include "./malware/MALW_hancitor.yar"
include "./malware/MALW_kirbi_mimikatz.yar"
include "./malware/MALW_kpot.yar" include "./malware/MALW_kpot.yar"
include "./malware/MALW_marap.yar" include "./malware/MALW_marap.yar"
include "./malware/MALW_shifu_shiz.yar" include "./malware/MALW_shifu_shiz.yar"
...@@ -353,6 +354,12 @@ include "./malware/RANSOM_Stampado.yar" ...@@ -353,6 +354,12 @@ include "./malware/RANSOM_Stampado.yar"
include "./malware/RANSOM_termite.yar" include "./malware/RANSOM_termite.yar"
include "./malware/RANSOM_TeslaCrypt.yar" include "./malware/RANSOM_TeslaCrypt.yar"
include "./malware/RANSOM_Tox.yar" include "./malware/RANSOM_Tox.yar"
include "./malware/RANSOM_acroware.yar"
include "./malware/RANSOM_jeff_dev.yar"
include "./malware/RANSOM_locdoor.yar"
include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
include "./malware/RANSOM_shrug2.yar"
include "./malware/RANSOM_termite.yar"
include "./malware/RAT_Adwind.yar" include "./malware/RAT_Adwind.yar"
include "./malware/RAT_Adzok.yar" include "./malware/RAT_Adzok.yar"
include "./malware/RAT_Asyncrat.yar" include "./malware/RAT_Asyncrat.yar"
......
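Review bot: `include "./malware/RANSOM_termite.yar"` now appears twice in this index: once as existing context immediately before `RANSOM_TeslaCrypt.yar`, and again as the last of the six lines added after `RANSOM_Tox.yar`. YARA does not de-duplicate includes, so every rule in that file would be defined twice and compiling this index is expected to fail with a duplicated identifier error. The merge seems to have combined two differently sorted lists (case-insensitive ordering on one side, byte ordering on the other), which is how the same entry landed in two places; dropping the added `include "./malware/RANSOM_termite.yar"` line fixes the break, and regenerating the file with the generator named in its header would also restore a single consistent ordering. The equivalent hunks in the larger indexes earlier on this page do not have this duplicate, since those lists had no earlier termite entry.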
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./packers/JJencode.yar" include "./packers/JJencode.yar"
include "./packers/Javascript_exploit_and_obfuscation.yar" include "./packers/Javascript_exploit_and_obfuscation.yar"
......
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 21-06-2020 On 01-07-2020
*/ */
include "./webshells/WShell_APT_Laudanum.yar" include "./webshells/WShell_APT_Laudanum.yar"
include "./webshells/WShell_ASPXSpy.yar" include "./webshells/WShell_ASPXSpy.yar"
......