Added one index per category plus a glonal index. Added bash script to…

Added one index per category plus a glonal index. Added bash script to (re)generate indeces. Removed malware/MALW_AdGholas.yar

Added one index per category plus a glonal index. Added bash script to…
Added one index per category plus a glonal index. Added bash script to (re)generate indeces. Removed malware/MALW_AdGholas.yar
ae82fb6e · Xumeiquer · cf753b74 · ae82fb6e · ae82fb6e · ae82fb6e
Commit ae82fb6e authored Aug 29, 2016 by Xumeiquer
15 changed files
--- a/Antidebug_AntiVM_index.yar
+++ b/Antidebug_AntiVM_index.yar
+/*
+Generated by Yara-Rules
+On 29-08-2016
+*/
+include "./Antidebug_AntiVM/antidebug_antivm.yar"
--- a/CVE_Rules_index.yar
+++ b/CVE_Rules_index.yar
+/*
+Generated by Yara-Rules
+On 29-08-2016
+*/
+include "./CVE_Rules/CVE-2010-0805.yar"
+include "./CVE_Rules/CVE-2010-0887.yar"
+include "./CVE_Rules/CVE-2010-1297.yar"
+include "./CVE_Rules/CVE-2013-0074.yar"
+include "./CVE_Rules/CVE-2013-0422.yar"
+include "./CVE_Rules/CVE-2015-1701.yar"
+include "./CVE_Rules/CVE-2015-2426.yar"
+include "./CVE_Rules/CVE-2015-2545.yar"
+include "./CVE_Rules/CVE-2015-5119.yar"
--- a/Crypto_index.yar
+++ b/Crypto_index.yar
+/*
+Generated by Yara-Rules
+On 29-08-2016
+*/
+include "./Crypto/base64.yar"
+include "./Crypto/crypto.yar"
--- a/Exploit-Kits_index.yar
+++ b/Exploit-Kits_index.yar
+/*
+Generated by Yara-Rules
+On 29-08-2016
+*/
+include "./Exploit-Kits/EK_Angler.yar"
+include "./Exploit-Kits/EK_Blackhole.yar"
+include "./Exploit-Kits/EK_BleedingLife.yar"
+include "./Exploit-Kits/EK_Crimepack.yar"
+include "./Exploit-Kits/EK_Eleonore.yar"
+include "./Exploit-Kits/EK_Fragus.yar"
+include "./Exploit-Kits/EK_Phoenix.yar"
+include "./Exploit-Kits/EK_Sakura.yar"
+include "./Exploit-Kits/EK_ZeroAcces.yar"
+include "./Exploit-Kits/EK_Zerox88.yar"
+include "./Exploit-Kits/EK_Zeus.yar"
--- a/Malicious_Documents_index.yar
+++ b/Malicious_Documents_index.yar
+/*
+Generated by Yara-Rules
+On 29-08-2016
+*/
+include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
+include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
+include "./Malicious_Documents/Maldoc_Dridex.yar"
+include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
+include "./Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar"
+include "./Malicious_Documents/Maldoc_PDF.yar"
+include "./Malicious_Documents/maldoc_somerules.yar"
+include "./Malicious_Documents/Maldoc_UserForm.yar"
+include "./Malicious_Documents/Maldoc_VBA_macro_code.yar"
--- a/Mobile_Malware_index.yar
+++ b/Mobile_Malware_index.yar
+/*
+Generated by Yara-Rules
+On 29-08-2016
+*/
+include "./Mobile_Malware/Amtrckr_20160519.yar"
+include "./Mobile_Malware/Android_adware.yar"
+include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
+include "./Mobile_Malware/Android_ASSDdeveloper.yar"
+include "./Mobile_Malware/Android_AVITOMMS.yar"
+include "./Mobile_Malware/Android_Backdoor.yar"
+include "./Mobile_Malware/Android_BadMirror.yar"
+include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
+include "./Mobile_Malware/Android_Clicker_G.yar"
+include "./Mobile_Malware/Android_Copy9.yar"
+include "./Mobile_Malware/Android_DeathRing.yar"
+include "./Mobile_Malware/Android_Dectus_rswm.yar"
+include "./Mobile_Malware/Android_Dendroid_RAT.yar"
+include "./Mobile_Malware/Android_Dogspectus.yar"
+include "./Mobile_Malware/Android_FakeApps.yar"
+include "./Mobile_Malware/Android_FakeBank_Fanta.yar"
+include "./Mobile_Malware/Android_generic_adware.yar"
+include "./Mobile_Malware/Android_generic_smsfraud.yar"
+include "./Mobile_Malware/Android_Godless.yar"
+include "./Mobile_Malware/Android_malware_Advertising.yar"
+include "./Mobile_Malware/Android_malware_banker.yar"
+include "./Mobile_Malware/Android_malware_ChinesePorn.yar"
+include "./Mobile_Malware/Android_malware_Dropper.yar"
+include "./Mobile_Malware/Android_malware_Fake_MosKow.yar"
+include "./Mobile_Malware/Android_malware_HackingTeam.yar"
+include "./Mobile_Malware/Android_Malware_Ramsonware.yar"
+include "./Mobile_Malware/Android_malware_SMSsender.yar"
+include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
+include "./Mobile_Malware/Android_Malware_Towelroot.yar"
+include "./Mobile_Malware/Android_malware_xbot007.yar"
+include "./Mobile_Malware/Android_MalwareCertificates.yar"
+include "./Mobile_Malware/Android_mapin.yar"
+include "./Mobile_Malware/Android_Marcher_2.yar"
+include "./Mobile_Malware/Android_MazarBot_z.yar"
+include "./Mobile_Malware/Android_Metasploit.yar"
+include "./Mobile_Malware/Android_OmniRat.yar"
+include "./Mobile_Malware/Android_Overlayer.yar"
+include "./Mobile_Malware/Android_Pink_Locker.yar"
+include "./Mobile_Malware/Android_pornClicker.yar"
+include "./Mobile_Malware/Android_RuMMS.yar"
+include "./Mobile_Malware/Android_SandroRat.yar"
+include "./Mobile_Malware/Android_SlemBunk.yar"
+include "./Mobile_Malware/Android_SMSFraud.yar"
+include "./Mobile_Malware/Android_SpyAgent.yar"
+include "./Mobile_Malware/Android_Spynet.yar"
+include "./Mobile_Malware/Android_Spywaller.yar"
+include "./Mobile_Malware/Android_Tachi.yar"
+include "./Mobile_Malware/Android_Triada_Banking.yar"
+include "./Mobile_Malware/Android_VikingOrder.yar"
+include "./Mobile_Malware/Android_VirusPolicia.yar"
--- a/Packers/packer.yar
+++ b/Packers/packer.yar
--- a/Packers/peid.yar
+++ b/Packers/peid.yar
--- a/Packers_index.yar
+++ b/Packers_index.yar
+/*
+Generated by Yara-Rules
+On 29-08-2016
+*/
+include "./Packers/Javascript_exploit_and_obfuscation.yar"
+include "./Packers/JJencode.yar"
+include "./Packers/packer.yar"
+include "./Packers/peid.yar"
--- a/Webshells_index.yar
+++ b/Webshells_index.yar
+/*
+Generated by Yara-Rules
+On 29-08-2016
+*/
+include "./Webshells/WShell_APT_Laudanum.yar"
+include "./Webshells/Wshell_ChineseSpam.yar"
+include "./Webshells/Wshell_fire2013.yar"
+include "./Webshells/WShell_PHP_Anuna.yar"
+include "./Webshells/WShell_PHP_in_images.yar"
+include "./Webshells/WShell_THOR_Webshells.yar"
--- a/email_index.yar
+++ b/email_index.yar
+/*
+Generated by Yara-Rules
+On 29-08-2016
+*/
+include "./email/attachment.yar"
+include "./email/bank_rule.yar"
+include "./email/EMAIL_Cryptowall.yar"
+include "./email/email_Ukraine_BE_powerattack.yar"
+include "./email/image.yar"
+include "./email/scam.yar"
+include "./email/urls.yar"
--- a/index.yar
+++ b/index.yar
-// This just includes all files
-
-
+/*
+Generated by Yara-Rules
+On 29-08-2016
+*/
 include "./Antidebug_AntiVM/antidebug_antivm.yar"
+include "./Crypto/base64.yar"
 include "./Crypto/crypto.yar"
 include "./CVE_Rules/CVE-2010-0805.yar"
 include "./CVE_Rules/CVE-2010-0887.yar"
@@ -61,6 +63,7 @@ include "./malware/APT_Dubnium.yar"
 include "./malware/APT_Duqu2.yar"
 include "./malware/APT_Emissary.yar"
 include "./malware/APT_Equation.yar"
+include "./malware/APT_EQUATIONGRP.yar"
 include "./malware/APT_fancybear_dnc.yar"
 include "./malware/APT_FiveEyes.yar"
 include "./malware/APT_furtim.yar"
@@ -107,10 +110,10 @@ include "./malware/APT_Windigo_Onimiki.yar"
 include "./malware/APT_Winnti.yar"
 include "./malware/APT_WoolenGoldfish.yar"
 include "./malware/EXPERIMENTAL_Beef.yar"
-include "./malware/MALW_AdGholas.yar"
 include "./malware/MALW_Alina.yar"
 include "./malware/MALW_Andromeda.yar"
 include "./malware/MALW_Athena.yar"
+include "./malware/MALW_Atmos.yar"
 include "./malware/MALW_BackdoorSSH.yar"
 include "./malware/MALW_Backoff.yar"
 include "./malware/MALW_Bangat.yar"
@@ -314,8 +317,8 @@ include "./Mobile_Malware/Android_adware.yar"
 include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
 include "./Mobile_Malware/Android_ASSDdeveloper.yar"
 include "./Mobile_Malware/Android_AVITOMMS.yar"
+include "./Mobile_Malware/Android_Backdoor.yar"
 include "./Mobile_Malware/Android_BadMirror.yar"
-include "./Mobile_Malware/Android_Banker_Sberbank.yar"
 include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
 include "./Mobile_Malware/Android_Clicker_G.yar"
 include "./Mobile_Malware/Android_Copy9.yar"
@@ -353,6 +356,7 @@ include "./Mobile_Malware/Android_SandroRat.yar"
 include "./Mobile_Malware/Android_SlemBunk.yar"
 include "./Mobile_Malware/Android_SMSFraud.yar"
 include "./Mobile_Malware/Android_SpyAgent.yar"
+include "./Mobile_Malware/Android_Spynet.yar"
 include "./Mobile_Malware/Android_Spywaller.yar"
 include "./Mobile_Malware/Android_Tachi.yar"
 include "./Mobile_Malware/Android_Triada_Banking.yar"
@@ -368,4 +372,3 @@ include "./Webshells/Wshell_fire2013.yar"
 include "./Webshells/WShell_PHP_Anuna.yar"
 include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/WShell_THOR_Webshells.yar"
-
--- a/index_gen.sh
+++ b/index_gen.sh
+#!/bin/bash
+
+function get_folders {
+    local INDECES=()
+    for folder in $(ls -F | grep -E ".*/"); do
+        INDECES+="$folder "
+    done
+    INDECES+=". "
+    echo "$INDECES"
+}
+
+function gen_index {
+    IDX_NAME=$1
+    BASE=$2
+    > $IDX_NAME
+    if [ x"$3" != x ]; then
+        echo -e "/*$3*/" > $IDX_NAME
+    fi
+    if [ x"$BASE" == x"." ]; then
+        find -E $BASE -regex ".*\.yara?" | grep -vE "_?index.yara?" | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
+    else
+        find -E $BASE -regex ".*\.yara?" | grep -vE "_?index.yara?" | awk '{print "include \"./" $0 "\""}' >> $IDX_NAME
+    fi
+}
+
+## Main
+
+echo "   **************************"
+echo "          Yara-Rules"
+echo "        Index generator"
+echo "   **************************"
+
+for folder in $(get_folders)
+do
+    if [ x"$folder" == x"." ]; then
+        BASE="."
+        IDX_NAME="index.yar"
+        echo "[+] Generating index..."
+    else
+        BASE=$(echo $folder | rev | cut -c 2- | rev)
+        IDX_NAME="$BASE"_index.yar
+        echo "[+] Generating $BASE index..."
+    fi
+    gen_index $IDX_NAME $BASE "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"
+done
--- a/malware/MALW_AdGholas.yar
+++ b/malware/MALW_AdGholas.yar
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-rule AdGholas_mem : memory
-{
- meta:
-     malfamily = "AdGholas"
-     ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
-
- strings:
-      $a1 = "(3e8)!=" ascii wide
-      $a2 = /href=\x22\.\x22\+[a-z]+\,mimeType\}/ ascii wide
-      $a3 = /\+[a-z]+\([\x22\x27]divx[^\x22\x27]+torrent[^\x22\x27]*[\x22\x27]\.split/ ascii wide
-      $a4 = "chls" nocase ascii wide
-      $a5 = "saz" nocase ascii wide
-      $a6 = "flac" nocase ascii wide
-      $a7 = "pcap" nocase ascii wide
-
- condition:
-      all of ($a*)
-}
-
-rule AdGholas_mem_MIME : memory
-{
- meta:
-     malfamily = "AdGholas"
-    ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
-
-
- strings:
-      $b1=".300000000" ascii nocase wide fullword
-      $b2=".saz" ascii nocase wide fullword
-      $b3=".py" ascii nocase wide fullword
-      $b4=".pcap" ascii nocase wide fullword
-      $b5=".chls" ascii nocase wide fullword
-
- condition:
-      all of ($b*)
-}
-
-//expensive
-rule AdGholas_mem_antisec : memory
-{
- meta:
-     malfamily = "AdGholas"
-     ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
-
- strings:
-     $vid1 = "res://c:\\windows\\system32\\atibtmon.exe" nocase ascii wide
-     $vid2 = "res://c:\\windows\\system32\\aticfx32.dll" nocase ascii wide
-     $vid3 = "res://c:\\windows\\system32\\drivers\\ati2mtag.sys" nocase ascii wide
-     $vid4 = "res://c:\\windows\\system32\\drivers\\atihdmi.sys" nocase ascii wide
-     $vid5 = "res://c:\\windows\\system32\\drivers\\atikmdag.sys" nocase ascii wide
-     $vid6 = "res://c:\\windows\\system32\\drivers\\igdkmd32.sys" nocase ascii wide
-     $vid7 = "res://c:\\windows\\system32\\drivers\\igdkmd64.sys" nocase ascii wide
-     $vid8 = "res://c:\\windows\\system32\\drivers\\igdpmd32.sys" nocase ascii wide
-     $vid9 = "res://c:\\windows\\system32\\drivers\\igdpmd64.sys" nocase ascii wide
-     $vid10 = "res://c:\\windows\\system32\\drivers\\mfeavfk.sys" nocase ascii wide
-     $vid11 = "res://c:\\windows\\system32\\drivers\\mfehidk.sys" nocase ascii wide
-     $vid12 = "res://c:\\windows\\system32\\drivers\\mfenlfk.sys" nocase ascii wide
-     $vid13 = "res://c:\\windows\\system32\\drivers\\nvhda32v.sys" nocase ascii wide
-     $vid14 = "res://c:\\windows\\system32\\drivers\\nvhda64v.sys" nocase ascii wide
-     $vid15 = "res://c:\\windows\\system32\\drivers\\nvlddmkm.sys" nocase ascii wide
-     $vid16 = "res://c:\\windows\\system32\\drivers\\pci.sys" nocase ascii wide
-     $vid17 = "res://c:\\windows\\system32\\igd10umd32.dll" nocase ascii wide
-     $vid18 = "res://c:\\windows\\system32\\igd10umd64.dll" nocase ascii wide
-     $vid19 = "res://c:\\windows\\system32\\igdumd32.dll" nocase ascii wide
-     $vid20 = "res://c:\\windows\\system32\\igdumd64.dll" nocase ascii wide
-     $vid21 = "res://c:\\windows\\system32\\igdumdim32.dll" nocase ascii wide
-     $vid22 = "res://c:\\windows\\system32\\igdumdim64.dll" nocase ascii wide
-     $vid23 = "res://c:\\windows\\system32\\igdusc32.dll" nocase ascii wide
-     $vid24 = "res://c:\\windows\\system32\\igdusc64.dll" nocase ascii wide
-     $vid25 = "res://c:\\windows\\system32\\nvcpl.dll" nocase ascii wide
-     $vid26 = "res://c:\\windows\\system32\\opencl.dll" nocase ascii wide
-     $antisec = /res:\/\/(c:\\((program files|programme|archivos de programa|programmes|programmi|arquivos de programas|program|programmer|programfiler|programas|fisiere program)( (x86)\\((p(rox(y labs\\proxycap\\pcapui|ifier\\proxifier)|arallels\\parallels tools\\prl_cc)|e(met (5.[012]|4.[01])\\emet_gui|ffetech http sniffer\\ehsniffer)|malwarebytes anti-(exploit\\mbae|malware\\mbam)|oracle\\virtualbox guest additions\\vboxtray|debugging tools for windows (x86)\\windbg|(wireshark\\wiresha|york\\yo)rk|ufasoft\\sockschain\\sockschain|vmware\\vmware tools\\vmtoolsd|nirsoft\\smartsniff\\smsniff|charles\\charles).exe|i(n(vincea\\((browser protection\\invbrowser|enterprise\\invprotect).exe|threat analyzer\\fips\\nss\\lib\\ssl3.dll)|ternet explorer\\iexplore.exe)|einspector\\(httpanalyzerfullv(6\\hookwinsockv6|7\\hookwinsockv7)|iewebdeveloperv2\\iewebdeveloperv2).dll)|geo(edge\\geo(vpn\\bin\\geovpn|proxy\\geoproxy).exe|surf by biscience toolbar\\tbhelper.dll)|s(oftperfect network protocol analyzer\\snpa.exe|andboxie\\sbiedll.dll)|(adclarity toolbar\\tbhelper|httpwatch\\httpwatch).dll|fiddler(coreapi\\fiddlercore.dll|2?\\fiddler.exe))|\\((p(rox(y labs\\proxycap\\pcapui|ifier\\proxifier)|arallels\\parallels tools\\prl_cc)|e(met (5.[012]|4.[01])\\emet_gui|ffetech http sniffer\\ehsniffer)|malwarebytes anti-(exploit\\mbae|malware\\mbam)|oracle\\virtualbox guest additions\\vboxtray|debugging tools for windows (x86)\\windbg|(wireshark\\wiresha|york\\yo)rk|ufasoft\\sockschain\\sockschain|vmware\\vmware tools\\vmtoolsd|nirsoft\\smartsniff\\smsniff|charles\\charles).exe|i(nvincea\\((browser protection\\invbrowser|enterprise\\invprotect).exe|threat analyzer\\fips\\nss\\lib\\ssl3.dll)|einspector\\(httpanalyzerfullv(6\\hookwinsockv6|7\\hookwinsockv7)|iewebdeveloperv2\\iewebdeveloperv2).dll)|geo(edge\\geo(vpn\\bin\\geovpn|proxy\\geoproxy).exe|surf by biscience toolbar\\tbhelper.dll)|s(oftperfect network protocol analyzer\\snpa.exe|andboxie\\sbiedll.dll)|(adclarity toolbar\\tbhelper|httpwatch\\httpwatch).dll|fiddler(coreapi\\fiddlercore.dll|2?\\fiddler.exe)))|windows\\system32\\(drivers\\(tm(actmon|evtmgr|comm|tdi)|nv(hda(32|64)v|lddmkm)|bd(sandbox|fsfltr)|p(ssdklbf|rl_fs)|e(amonm?|hdrv)|v(boxdrv|mci)|hmpalert).sys|(p(rxerdrv|capwsp)|socketspy).dll|v(boxservice|mu?srvc).exe)|python(3[45]|27)\\python.exe)|(h(ookwinsockv[67]|ttpwatch)|s(b(ie|ox)dll|ocketspy)|p(rxerdrv|capwsp)|xproxyplugin|mbae).dll|inv(guestie.dll(\/icon.png)?|redirhostie.dll)|w\/icon.png)/ nocase ascii wide
-
- condition:
-      any of ($vid*) and #antisec > 20
-}
-
-rule AdGholas_mem_antisec_M2 : memory
-{
- meta:
-     malfamily = "AdGholas"
-     ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
-
- strings:
-     $s1 = "ActiveXObject(\"Microsoft.XMLDOM\")" nocase ascii wide
-     $s2 = "loadXML" nocase ascii wide fullword
-     $s3 = "parseError.errorCode" nocase ascii wide
-     $s4 = /res\x3a\x2f\x2f[\x27\x22]\x2b/ nocase ascii wide
-     $s5 = /\x251e3\x21\s*\x3d\x3d\s*[a-zA-Z]+\x3f1\x3a0/ nocase ascii wide
-
- condition:
-     all of ($s*)
-}
-
-rule AdGholas_mem_MIME_M2 : memory
-{
- meta:
-     malfamily = "AdGholas"
-     ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
-
- strings:
-     $s1 = "halog" nocase ascii wide fullword
-     $s2 = "pcap" nocase ascii wide fullword
-     $s3 = "saz" nocase ascii wide fullword
-     $s4 = "chls" nocase ascii wide fullword
-     $s5 = /return[^\x3b\x7d\n]+href\s*=\s*[\x22\x27]\x2e[\x27\x22]\s*\+\s*[^\x3b\x7d\n]+\s*,\s*[^\x3b\x7d\n]+\.mimeType/ nocase ascii wide
-     $s6 = /\x21==[a-zA-Z]+\x3f\x210\x3a\x211/ nocase ascii wide
-
- condition:
-     all of ($s*)
-}
--- a/malware_index.yar
+++ b/malware_index.yar