Commit ae82fb6e by Xumeiquer

Added one index per category plus a glonal index. Added bash script to…

Added one index per category plus a global index. Added bash script to (re)generate indices. Removed malware/MALW_AdGholas.yar
parent cf753b74
/*
Generated by Yara-Rules
On 29-08-2016
*/
include "./Antidebug_AntiVM/antidebug_antivm.yar"
/*
Generated by Yara-Rules
On 29-08-2016
*/
include "./CVE_Rules/CVE-2010-0805.yar"
include "./CVE_Rules/CVE-2010-0887.yar"
include "./CVE_Rules/CVE-2010-1297.yar"
include "./CVE_Rules/CVE-2013-0074.yar"
include "./CVE_Rules/CVE-2013-0422.yar"
include "./CVE_Rules/CVE-2015-1701.yar"
include "./CVE_Rules/CVE-2015-2426.yar"
include "./CVE_Rules/CVE-2015-2545.yar"
include "./CVE_Rules/CVE-2015-5119.yar"
/*
Generated by Yara-Rules
On 29-08-2016
*/
include "./Crypto/base64.yar"
include "./Crypto/crypto.yar"
/*
Generated by Yara-Rules
On 29-08-2016
*/
include "./Exploit-Kits/EK_Angler.yar"
include "./Exploit-Kits/EK_Blackhole.yar"
include "./Exploit-Kits/EK_BleedingLife.yar"
include "./Exploit-Kits/EK_Crimepack.yar"
include "./Exploit-Kits/EK_Eleonore.yar"
include "./Exploit-Kits/EK_Fragus.yar"
include "./Exploit-Kits/EK_Phoenix.yar"
include "./Exploit-Kits/EK_Sakura.yar"
include "./Exploit-Kits/EK_ZeroAcces.yar"
include "./Exploit-Kits/EK_Zerox88.yar"
include "./Exploit-Kits/EK_Zeus.yar"
/*
Generated by Yara-Rules
On 29-08-2016
*/
include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
include "./Malicious_Documents/Maldoc_Dridex.yar"
include "./Malicious_Documents/Maldoc_Hidden_PE_file.yar"
include "./Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar"
include "./Malicious_Documents/Maldoc_PDF.yar"
include "./Malicious_Documents/maldoc_somerules.yar"
include "./Malicious_Documents/Maldoc_UserForm.yar"
include "./Malicious_Documents/Maldoc_VBA_macro_code.yar"
/*
Generated by Yara-Rules
On 29-08-2016
*/
include "./Mobile_Malware/Amtrckr_20160519.yar"
include "./Mobile_Malware/Android_adware.yar"
include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
include "./Mobile_Malware/Android_ASSDdeveloper.yar"
include "./Mobile_Malware/Android_AVITOMMS.yar"
include "./Mobile_Malware/Android_Backdoor.yar"
include "./Mobile_Malware/Android_BadMirror.yar"
include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
include "./Mobile_Malware/Android_Clicker_G.yar"
include "./Mobile_Malware/Android_Copy9.yar"
include "./Mobile_Malware/Android_DeathRing.yar"
include "./Mobile_Malware/Android_Dectus_rswm.yar"
include "./Mobile_Malware/Android_Dendroid_RAT.yar"
include "./Mobile_Malware/Android_Dogspectus.yar"
include "./Mobile_Malware/Android_FakeApps.yar"
include "./Mobile_Malware/Android_FakeBank_Fanta.yar"
include "./Mobile_Malware/Android_generic_adware.yar"
include "./Mobile_Malware/Android_generic_smsfraud.yar"
include "./Mobile_Malware/Android_Godless.yar"
include "./Mobile_Malware/Android_malware_Advertising.yar"
include "./Mobile_Malware/Android_malware_banker.yar"
include "./Mobile_Malware/Android_malware_ChinesePorn.yar"
include "./Mobile_Malware/Android_malware_Dropper.yar"
include "./Mobile_Malware/Android_malware_Fake_MosKow.yar"
include "./Mobile_Malware/Android_malware_HackingTeam.yar"
include "./Mobile_Malware/Android_Malware_Ramsonware.yar"
include "./Mobile_Malware/Android_malware_SMSsender.yar"
include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
include "./Mobile_Malware/Android_Malware_Towelroot.yar"
include "./Mobile_Malware/Android_malware_xbot007.yar"
include "./Mobile_Malware/Android_MalwareCertificates.yar"
include "./Mobile_Malware/Android_mapin.yar"
include "./Mobile_Malware/Android_Marcher_2.yar"
include "./Mobile_Malware/Android_MazarBot_z.yar"
include "./Mobile_Malware/Android_Metasploit.yar"
include "./Mobile_Malware/Android_OmniRat.yar"
include "./Mobile_Malware/Android_Overlayer.yar"
include "./Mobile_Malware/Android_Pink_Locker.yar"
include "./Mobile_Malware/Android_pornClicker.yar"
include "./Mobile_Malware/Android_RuMMS.yar"
include "./Mobile_Malware/Android_SandroRat.yar"
include "./Mobile_Malware/Android_SlemBunk.yar"
include "./Mobile_Malware/Android_SMSFraud.yar"
include "./Mobile_Malware/Android_SpyAgent.yar"
include "./Mobile_Malware/Android_Spynet.yar"
include "./Mobile_Malware/Android_Spywaller.yar"
include "./Mobile_Malware/Android_Tachi.yar"
include "./Mobile_Malware/Android_Triada_Banking.yar"
include "./Mobile_Malware/Android_VikingOrder.yar"
include "./Mobile_Malware/Android_VirusPolicia.yar"
...@@ -354,7 +354,7 @@ condition: ...@@ -354,7 +354,7 @@ condition:
} }
rule AcidCrypt rule AcidCrypt: Packer
{ {
meta: meta:
author="malware-lu" author="malware-lu"
...@@ -935,7 +935,7 @@ condition: ...@@ -935,7 +935,7 @@ condition:
} }
rule SuperDAT rule SuperDAT: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
...@@ -3273,15 +3273,18 @@ condition: ...@@ -3273,15 +3273,18 @@ condition:
} }
rule MSLRH rule MSLRH: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
note="Added some checks"
strings: strings:
$a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 } $a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 }
$b = { EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 
E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 }
$c = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 }
condition: condition:
$a0 at pe.entry_point for any of ($*) : ( $ at pe.entry_point )
} }
...@@ -5654,7 +5657,7 @@ condition: ...@@ -5654,7 +5657,7 @@ condition:
} }
rule DSHIELD rule DSHIELD: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
...@@ -7375,7 +7378,7 @@ condition: ...@@ -7375,7 +7378,7 @@ condition:
} }
rule MASM32 rule MASM32: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
...@@ -8823,7 +8826,7 @@ condition: ...@@ -8823,7 +8826,7 @@ condition:
} }
rule PEShit rule PEShit: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
...@@ -9816,7 +9819,7 @@ condition: ...@@ -9816,7 +9819,7 @@ condition:
} }
rule AdFlt2 rule AdFlt2: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
...@@ -10665,15 +10668,17 @@ condition: ...@@ -10665,15 +10668,17 @@ condition:
} }
rule CrunchPE rule CrunchPE: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
note="Added extra checks"
strings: strings:
$a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 } $a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 }
$b = { EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 E9 06 ?? ?? 89 85 E1 06 ?? ?? FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 03 00 00 89 85 D9 41 00 00 68 EC 49 7B 79 33 C0 50 E8 11 03 00 00 89 85 D1 41 00 00 E8 67 05 00 00 E9 56 05 00 00 51 52 53 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 D8 73 09 66 35 20 83 66 81 F3 B8 ED FE CE 75 EB 33 C8 33 D3 4F 75 D5 F7 D2 F7 D1 5B 8B C2 C1 C0 10 66 8B C1 5A 59 C3 68 03 02 00 00 E8 80 04 00 00 0F 82 A8 02 00 00 96 8B 44 24 04 0F C8 8B D0 25 0F 0F 0F 0F 33 D0 C1 C0 08 0B C2 8B D0 25 33 33 33 33 33 D0 C1 C0 04 0B C2 8B D0 25 55 55 55 55 33 D0 C1 C0 02 0B C2 }
condition: condition:
$a0 at pe.entry_point for any of ($*) : ( $ at pe.entry_point )
} }
...@@ -11667,7 +11672,7 @@ condition: ...@@ -11667,7 +11672,7 @@ condition:
} }
rule FileShield rule FileShield: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
...@@ -11872,7 +11877,7 @@ condition: ...@@ -11872,7 +11877,7 @@ condition:
} }
rule Cygwin32 rule Cygwin32: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
...@@ -14335,7 +14340,7 @@ condition: ...@@ -14335,7 +14340,7 @@ condition:
} }
rule JDPack rule JDPack: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
...@@ -17949,7 +17954,7 @@ condition: ...@@ -17949,7 +17954,7 @@ condition:
} }
rule PENinja rule PENinja: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
...@@ -19316,7 +19321,7 @@ condition: ...@@ -19316,7 +19321,7 @@ condition:
} }
rule CPAV rule CPAV: Packer PEiD
{ {
meta: meta:
author="malware-lu" author="malware-lu"
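Review bot: In the MSLRH hunk (@@ -3273,15 +3273,18 @@) the new `$c` pattern looks like a strict prefix of `$a0` — it is `$a0` minus the trailing `2B 04 24 74 04 75 02 EB 02 EB 01 81` — so under the new `for any of ($*) : ( $ at pe.entry_point )` condition `$a0` can never match where `$c` does not and only adds scan cost; either drop `$a0` or state in `meta` why the longer form is kept. The added `note="Added some checks"` (and `note="Added extra checks"` in the CrunchPE hunk) records nothing about where the extra byte patterns came from, which is what a later reviewer of a packer signature needs; a `ref` or `source` meta entry naming their origin would make the change auditable. Both rules rely on the `pe` module import, which sits outside these hunks.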
/*
Generated by Yara-Rules
On 29-08-2016
*/
include "./Packers/Javascript_exploit_and_obfuscation.yar"
include "./Packers/JJencode.yar"
include "./Packers/packer.yar"
include "./Packers/peid.yar"
/*
Generated by Yara-Rules
On 29-08-2016
*/
include "./Webshells/WShell_APT_Laudanum.yar"
include "./Webshells/Wshell_ChineseSpam.yar"
include "./Webshells/Wshell_fire2013.yar"
include "./Webshells/WShell_PHP_Anuna.yar"
include "./Webshells/WShell_PHP_in_images.yar"
include "./Webshells/WShell_THOR_Webshells.yar"
/*
Generated by Yara-Rules
On 29-08-2016
*/
include "./email/attachment.yar"
include "./email/bank_rule.yar"
include "./email/EMAIL_Cryptowall.yar"
include "./email/email_Ukraine_BE_powerattack.yar"
include "./email/image.yar"
include "./email/scam.yar"
include "./email/urls.yar"
// This just includes all files /*
Generated by Yara-Rules
On 29-08-2016
*/
include "./Antidebug_AntiVM/antidebug_antivm.yar" include "./Antidebug_AntiVM/antidebug_antivm.yar"
include "./Crypto/base64.yar"
include "./Crypto/crypto.yar" include "./Crypto/crypto.yar"
include "./CVE_Rules/CVE-2010-0805.yar" include "./CVE_Rules/CVE-2010-0805.yar"
include "./CVE_Rules/CVE-2010-0887.yar" include "./CVE_Rules/CVE-2010-0887.yar"
...@@ -61,6 +63,7 @@ include "./malware/APT_Dubnium.yar" ...@@ -61,6 +63,7 @@ include "./malware/APT_Dubnium.yar"
include "./malware/APT_Duqu2.yar" include "./malware/APT_Duqu2.yar"
include "./malware/APT_Emissary.yar" include "./malware/APT_Emissary.yar"
include "./malware/APT_Equation.yar" include "./malware/APT_Equation.yar"
include "./malware/APT_EQUATIONGRP.yar"
include "./malware/APT_fancybear_dnc.yar" include "./malware/APT_fancybear_dnc.yar"
include "./malware/APT_FiveEyes.yar" include "./malware/APT_FiveEyes.yar"
include "./malware/APT_furtim.yar" include "./malware/APT_furtim.yar"
...@@ -107,10 +110,10 @@ include "./malware/APT_Windigo_Onimiki.yar" ...@@ -107,10 +110,10 @@ include "./malware/APT_Windigo_Onimiki.yar"
include "./malware/APT_Winnti.yar" include "./malware/APT_Winnti.yar"
include "./malware/APT_WoolenGoldfish.yar" include "./malware/APT_WoolenGoldfish.yar"
include "./malware/EXPERIMENTAL_Beef.yar" include "./malware/EXPERIMENTAL_Beef.yar"
include "./malware/MALW_AdGholas.yar"
include "./malware/MALW_Alina.yar" include "./malware/MALW_Alina.yar"
include "./malware/MALW_Andromeda.yar" include "./malware/MALW_Andromeda.yar"
include "./malware/MALW_Athena.yar" include "./malware/MALW_Athena.yar"
include "./malware/MALW_Atmos.yar"
include "./malware/MALW_BackdoorSSH.yar" include "./malware/MALW_BackdoorSSH.yar"
include "./malware/MALW_Backoff.yar" include "./malware/MALW_Backoff.yar"
include "./malware/MALW_Bangat.yar" include "./malware/MALW_Bangat.yar"
...@@ -314,8 +317,8 @@ include "./Mobile_Malware/Android_adware.yar" ...@@ -314,8 +317,8 @@ include "./Mobile_Malware/Android_adware.yar"
include "./Mobile_Malware/Android_AliPay_smsStealer.yar" include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
include "./Mobile_Malware/Android_ASSDdeveloper.yar" include "./Mobile_Malware/Android_ASSDdeveloper.yar"
include "./Mobile_Malware/Android_AVITOMMS.yar" include "./Mobile_Malware/Android_AVITOMMS.yar"
include "./Mobile_Malware/Android_Backdoor.yar"
include "./Mobile_Malware/Android_BadMirror.yar" include "./Mobile_Malware/Android_BadMirror.yar"
include "./Mobile_Malware/Android_Banker_Sberbank.yar"
include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar" include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
include "./Mobile_Malware/Android_Clicker_G.yar" include "./Mobile_Malware/Android_Clicker_G.yar"
include "./Mobile_Malware/Android_Copy9.yar" include "./Mobile_Malware/Android_Copy9.yar"
...@@ -353,6 +356,7 @@ include "./Mobile_Malware/Android_SandroRat.yar" ...@@ -353,6 +356,7 @@ include "./Mobile_Malware/Android_SandroRat.yar"
include "./Mobile_Malware/Android_SlemBunk.yar" include "./Mobile_Malware/Android_SlemBunk.yar"
include "./Mobile_Malware/Android_SMSFraud.yar" include "./Mobile_Malware/Android_SMSFraud.yar"
include "./Mobile_Malware/Android_SpyAgent.yar" include "./Mobile_Malware/Android_SpyAgent.yar"
include "./Mobile_Malware/Android_Spynet.yar"
include "./Mobile_Malware/Android_Spywaller.yar" include "./Mobile_Malware/Android_Spywaller.yar"
include "./Mobile_Malware/Android_Tachi.yar" include "./Mobile_Malware/Android_Tachi.yar"
include "./Mobile_Malware/Android_Triada_Banking.yar" include "./Mobile_Malware/Android_Triada_Banking.yar"
...@@ -368,4 +372,3 @@ include "./Webshells/Wshell_fire2013.yar" ...@@ -368,4 +372,3 @@ include "./Webshells/Wshell_fire2013.yar"
include "./Webshells/WShell_PHP_Anuna.yar" include "./Webshells/WShell_PHP_Anuna.yar"
include "./Webshells/WShell_PHP_in_images.yar" include "./Webshells/WShell_PHP_in_images.yar"
include "./Webshells/WShell_THOR_Webshells.yar" include "./Webshells/WShell_THOR_Webshells.yar"
#!/bin/bash
function get_folders {
local INDECES=()
for folder in $(ls -F | grep -E ".*/"); do
INDECES+="$folder "
done
INDECES+=". "
echo "$INDECES"
}
function gen_index {
IDX_NAME=$1
BASE=$2
> $IDX_NAME
if [ x"$3" != x ]; then
echo -e "/*$3*/" > $IDX_NAME
fi
if [ x"$BASE" == x"." ]; then
find -E $BASE -regex ".*\.yara?" | grep -vE "_?index.yara?" | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
else
find -E $BASE -regex ".*\.yara?" | grep -vE "_?index.yara?" | awk '{print "include \"./" $0 "\""}' >> $IDX_NAME
fi
}
## Main
echo " **************************"
echo " Yara-Rules"
echo " Index generator"
echo " **************************"
for folder in $(get_folders)
do
if [ x"$folder" == x"." ]; then
BASE="."
IDX_NAME="index.yar"
echo "[+] Generating index..."
else
BASE=$(echo $folder | rev | cut -c 2- | rev)
IDX_NAME="$BASE"_index.yar
echo "[+] Generating $BASE index..."
fi
gen_index $IDX_NAME $BASE "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"
done
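Review bot: `find -E` in gen_index is a BSD/macOS extension; GNU find rejects it, and because the pipeline's status is never checked the script still prints `[+] Generating ... index...` and leaves every index truncated to its header comment. Replacing the `-regex` dialect with `-name` globs removes the dependency, and `set -o pipefail` near the top of the script lets a failing `find` surface instead of producing an empty include list. The unquoted `$IDX_NAME`/`$BASE` expansions and `for folder in $(get_folders)`, which word-splits `ls -F` output, also break on any directory name containing whitespace; `for folder in */` is the portable form. `INDECES` is declared as an array but appended to as a string, which only works because `echo "$INDECES"` reads element 0.
```shell
function gen_index {
    local IDX_NAME=$1
    local BASE=$2
    local PREFIX=""
    # find(1) prints "./x.yar" when BASE is "." but "Sub/x.yar" otherwise
    [ x"$BASE" != x"." ] && PREFIX="./"
    : > "$IDX_NAME"
    if [ x"$3" != x ]; then
        echo -e "/*$3*/" > "$IDX_NAME"
    fi
    # -name globs are portable; "find -E ... -regex" is BSD-only
    find "$BASE" \( -name '*.yar' -o -name '*.yara' \) \
        | grep -vE "_?index.yara?" \
        | awk -v p="$PREFIX" '{print "include \"" p $0 "\""}' >> "$IDX_NAME"
}
```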
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule AdGholas_mem : memory
{
meta:
malfamily = "AdGholas"
ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
strings:
$a1 = "(3e8)!=" ascii wide
$a2 = /href=\x22\.\x22\+[a-z]+\,mimeType\}/ ascii wide
$a3 = /\+[a-z]+\([\x22\x27]divx[^\x22\x27]+torrent[^\x22\x27]*[\x22\x27]\.split/ ascii wide
$a4 = "chls" nocase ascii wide
$a5 = "saz" nocase ascii wide
$a6 = "flac" nocase ascii wide
$a7 = "pcap" nocase ascii wide
condition:
all of ($a*)
}
rule AdGholas_mem_MIME : memory
{
meta:
malfamily = "AdGholas"
ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
strings:
$b1=".300000000" ascii nocase wide fullword
$b2=".saz" ascii nocase wide fullword
$b3=".py" ascii nocase wide fullword
$b4=".pcap" ascii nocase wide fullword
$b5=".chls" ascii nocase wide fullword
condition:
all of ($b*)
}
//expensive
rule AdGholas_mem_antisec : memory
{
meta:
malfamily = "AdGholas"
ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
strings:
$vid1 = "res://c:\\windows\\system32\\atibtmon.exe" nocase ascii wide
$vid2 = "res://c:\\windows\\system32\\aticfx32.dll" nocase ascii wide
$vid3 = "res://c:\\windows\\system32\\drivers\\ati2mtag.sys" nocase ascii wide
$vid4 = "res://c:\\windows\\system32\\drivers\\atihdmi.sys" nocase ascii wide
$vid5 = "res://c:\\windows\\system32\\drivers\\atikmdag.sys" nocase ascii wide
$vid6 = "res://c:\\windows\\system32\\drivers\\igdkmd32.sys" nocase ascii wide
$vid7 = "res://c:\\windows\\system32\\drivers\\igdkmd64.sys" nocase ascii wide
$vid8 = "res://c:\\windows\\system32\\drivers\\igdpmd32.sys" nocase ascii wide
$vid9 = "res://c:\\windows\\system32\\drivers\\igdpmd64.sys" nocase ascii wide
$vid10 = "res://c:\\windows\\system32\\drivers\\mfeavfk.sys" nocase ascii wide
$vid11 = "res://c:\\windows\\system32\\drivers\\mfehidk.sys" nocase ascii wide
$vid12 = "res://c:\\windows\\system32\\drivers\\mfenlfk.sys" nocase ascii wide
$vid13 = "res://c:\\windows\\system32\\drivers\\nvhda32v.sys" nocase ascii wide
$vid14 = "res://c:\\windows\\system32\\drivers\\nvhda64v.sys" nocase ascii wide
$vid15 = "res://c:\\windows\\system32\\drivers\\nvlddmkm.sys" nocase ascii wide
$vid16 = "res://c:\\windows\\system32\\drivers\\pci.sys" nocase ascii wide
$vid17 = "res://c:\\windows\\system32\\igd10umd32.dll" nocase ascii wide
$vid18 = "res://c:\\windows\\system32\\igd10umd64.dll" nocase ascii wide
$vid19 = "res://c:\\windows\\system32\\igdumd32.dll" nocase ascii wide
$vid20 = "res://c:\\windows\\system32\\igdumd64.dll" nocase ascii wide
$vid21 = "res://c:\\windows\\system32\\igdumdim32.dll" nocase ascii wide
$vid22 = "res://c:\\windows\\system32\\igdumdim64.dll" nocase ascii wide
$vid23 = "res://c:\\windows\\system32\\igdusc32.dll" nocase ascii wide
$vid24 = "res://c:\\windows\\system32\\igdusc64.dll" nocase ascii wide
$vid25 = "res://c:\\windows\\system32\\nvcpl.dll" nocase ascii wide
$vid26 = "res://c:\\windows\\system32\\opencl.dll" nocase ascii wide
$antisec = /res:\/\/(c:\\((program files|programme|archivos de programa|programmes|programmi|arquivos de programas|program|programmer|programfiler|programas|fisiere program)( (x86)\\((p(rox(y labs\\proxycap\\pcapui|ifier\\proxifier)|arallels\\parallels tools\\prl_cc)|e(met (5.[012]|4.[01])\\emet_gui|ffetech http sniffer\\ehsniffer)|malwarebytes anti-(exploit\\mbae|malware\\mbam)|oracle\\virtualbox guest additions\\vboxtray|debugging tools for windows (x86)\\windbg|(wireshark\\wiresha|york\\yo)rk|ufasoft\\sockschain\\sockschain|vmware\\vmware tools\\vmtoolsd|nirsoft\\smartsniff\\smsniff|charles\\charles).exe|i(n(vincea\\((browser protection\\invbrowser|enterprise\\invprotect).exe|threat analyzer\\fips\\nss\\lib\\ssl3.dll)|ternet explorer\\iexplore.exe)|einspector\\(httpanalyzerfullv(6\\hookwinsockv6|7\\hookwinsockv7)|iewebdeveloperv2\\iewebdeveloperv2).dll)|geo(edge\\geo(vpn\\bin\\geovpn|proxy\\geoproxy).exe|surf by biscience toolbar\\tbhelper.dll)|s(oftperfect network protocol analyzer\\snpa.exe|andboxie\\sbiedll.dll)|(adclarity toolbar\\tbhelper|httpwatch\\httpwatch).dll|fiddler(coreapi\\fiddlercore.dll|2?\\fiddler.exe))|\\((p(rox(y labs\\proxycap\\pcapui|ifier\\proxifier)|arallels\\parallels tools\\prl_cc)|e(met (5.[012]|4.[01])\\emet_gui|ffetech http sniffer\\ehsniffer)|malwarebytes anti-(exploit\\mbae|malware\\mbam)|oracle\\virtualbox guest additions\\vboxtray|debugging tools for windows (x86)\\windbg|(wireshark\\wiresha|york\\yo)rk|ufasoft\\sockschain\\sockschain|vmware\\vmware tools\\vmtoolsd|nirsoft\\smartsniff\\smsniff|charles\\charles).exe|i(nvincea\\((browser protection\\invbrowser|enterprise\\invprotect).exe|threat analyzer\\fips\\nss\\lib\\ssl3.dll)|einspector\\(httpanalyzerfullv(6\\hookwinsockv6|7\\hookwinsockv7)|iewebdeveloperv2\\iewebdeveloperv2).dll)|geo(edge\\geo(vpn\\bin\\geovpn|proxy\\geoproxy).exe|surf by biscience toolbar\\tbhelper.dll)|s(oftperfect network protocol analyzer\\snpa.exe|andboxie\\sbiedll.dll)|(adclarity 
toolbar\\tbhelper|httpwatch\\httpwatch).dll|fiddler(coreapi\\fiddlercore.dll|2?\\fiddler.exe)))|windows\\system32\\(drivers\\(tm(actmon|evtmgr|comm|tdi)|nv(hda(32|64)v|lddmkm)|bd(sandbox|fsfltr)|p(ssdklbf|rl_fs)|e(amonm?|hdrv)|v(boxdrv|mci)|hmpalert).sys|(p(rxerdrv|capwsp)|socketspy).dll|v(boxservice|mu?srvc).exe)|python(3[45]|27)\\python.exe)|(h(ookwinsockv[67]|ttpwatch)|s(b(ie|ox)dll|ocketspy)|p(rxerdrv|capwsp)|xproxyplugin|mbae).dll|inv(guestie.dll(\/icon.png)?|redirhostie.dll)|w\/icon.png)/ nocase ascii wide
condition:
any of ($vid*) and #antisec > 20
}
rule AdGholas_mem_antisec_M2 : memory
{
meta:
malfamily = "AdGholas"
ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
strings:
$s1 = "ActiveXObject(\"Microsoft.XMLDOM\")" nocase ascii wide
$s2 = "loadXML" nocase ascii wide fullword
$s3 = "parseError.errorCode" nocase ascii wide
$s4 = /res\x3a\x2f\x2f[\x27\x22]\x2b/ nocase ascii wide
$s5 = /\x251e3\x21\s*\x3d\x3d\s*[a-zA-Z]+\x3f1\x3a0/ nocase ascii wide
condition:
all of ($s*)
}
rule AdGholas_mem_MIME_M2 : memory
{
meta:
malfamily = "AdGholas"
ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
strings:
$s1 = "halog" nocase ascii wide fullword
$s2 = "pcap" nocase ascii wide fullword
$s3 = "saz" nocase ascii wide fullword
$s4 = "chls" nocase ascii wide fullword
$s5 = /return[^\x3b\x7d\n]+href\s*=\s*[\x22\x27]\x2e[\x27\x22]\s*\+\s*[^\x3b\x7d\n]+\s*,\s*[^\x3b\x7d\n]+\.mimeType/ nocase ascii wide
$s6 = /\x21==[a-zA-Z]+\x3f\x210\x3a\x211/ nocase ascii wide
condition:
all of ($s*)
}