Skip to content

R
rules
Unverified Commit b21ea3d0 by techhelplist Committed by GitHub
Options

Merge pull request #2 from Yara-Rules/master 

sync my repo with the reference base yara-rules
parents 90cac274 71d524f5
Showing with 1041 additions and 829 deletions
.travis.yml
......@@ -5,8 +5,8 @@ before_install:
- sudo apt-get -qq update
- sudo apt-get install jq
# Yara
# - wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara.tar.gz
- wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/9250110 | jq -r ".tarball_url") -O yara.tar.gz
- wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara.tar.gz
#- wget $(wget -O - https://api.github.com/repos/VirusTotal/yara/releases/9250110 | jq -r ".tarball_url") -O yara.tar.gz
- mkdir yara
- tar -C yara -xzvf yara.tar.gz --strip-components 1
# Androguard for Yara
......
Antidebug_AntiVM/antidebug_antivm.yar
......@@ -4,6 +4,12 @@
import "pe"
private rule WindowsPE
{
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}
rule DebuggerCheck__PEB : AntiDebug DebuggerCheck {
meta:
weight = 1
......@@ -275,6 +281,31 @@ rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern {
}
*/
rule SEH_Save : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH
{
meta:
author = "Malware Utkonos"
original_author = "naxonez"
source = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$a = { 64 ff 35 00 00 00 00 }
condition:
WindowsPE and $a
}
rule SEH_Init : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH
{
meta:
author = "Malware Utkonos"
original_author = "naxonez"
source = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
strings:
$a = { 64 A3 00 00 00 00 }
$b = { 64 89 25 00 00 00 00 }
condition:
WindowsPE and ($a or $b)
}
rule Check_Dlls
{
......@@ -891,737 +922,6 @@ rule disable_taskmanager {
1 of ($p*) and 1 of ($r*)
}
rule inject_thread {
meta:
author = "x0r"
description = "Code injection with CreateRemoteThread in a remote process"
version = "0.1"
strings:
$c1 = "OpenProcess"
$c2 = "VirtualAllocEx"
$c3 = "NtWriteVirtualMemory"
$c4 = "WriteProcessMemory"
$c5 = "CreateRemoteThread"
$c6 = "CreateThread"
$c7 = "OpenProcess"
condition:
$c1 and $c2 and ( $c3 or $c4 ) and ( $c5 or $c6 or $c7 )
}
// Issue #101 - Commented because of High FP rate
/*
rule create_process {
meta:
author = "x0r"
description = "Create a new process"
version = "0.2"
strings:
$f1 = "Shell32.dll" nocase
$f2 = "Kernel32.dll" nocase
$c1 = "ShellExecute"
$c2 = "WinExec"
$c3 = "CreateProcess"
$c4 = "CreateThread"
condition:
($f1 and $c1 ) or $f2 and ($c2 or $c3 or $c4)
}
*/
// Issue #101 - Commented because of High FP rate
/*
rule persistence {
meta:
author = "x0r"
description = "Install itself for autorun at Windows startup"
version = "0.1"
strings:
$p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" nocase
$p2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase
$p3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" nocase
$p4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" nocase
$p5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" nocase
$p6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" nocase
$p7 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\" nocase
$p8 = "SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Windows" nocase
$p9 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler" nocase
$p10 = "comfile\\shell\\open\\command" nocase
$p11 = "piffile\\shell\\open\\command" nocase
$p12 = "exefile\\shell\\open\\command" nocase
$p13 = "txtfile\\shell\\open\\command" nocase
$p14 = "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
$f1 = "win.ini" nocase
$f2 = "system.ini" nocase
$f3 = "Start Menu\\Programs\\Startup" nocase
condition:
any of them
}
*/
rule hijack_network {
meta:
author = "x0r"
description = "Hijack network configuration"
version = "0.1"
strings:
$p1 = "SOFTWARE\\Classes\\PROTOCOLS\\Handler" nocase
$p2 = "SOFTWARE\\Classes\\PROTOCOLS\\Filter" nocase
$p3 = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer" nocase
$p4 = "software\\microsoft\\windows\\currentversion\\internet settings\\proxyenable" nocase
$f1 = "drivers\\etc\\hosts" nocase
condition:
any of them
}
rule create_service {
meta:
author = "x0r"
description = "Create a windows service"
version = "0.2"
strings:
$f1 = "Advapi32.dll" nocase
$c1 = "CreateService"
$c2 = "ControlService"
$c3 = "StartService"
$c4 = "QueryServiceStatus"
condition:
all of them
}
rule create_com_service {
meta:
author = "x0r"
description = "Create a COM server"
version = "0.1"
strings:
$c1 = "DllCanUnloadNow" nocase
$c2 = "DllGetClassObject"
$c3 = "DllInstall"
$c4 = "DllRegisterServer"
$c5 = "DllUnregisterServer"
condition:
all of them
}
rule network_udp_sock {
meta:
author = "x0r"
description = "Communications over UDP network"
version = "0.1"
strings:
$f1 = "Ws2_32.dll" nocase
$f2 = "System.Net" nocase
$f3 = "wsock32.dll" nocase
$c0 = "WSAStartup"
$c1 = "sendto"
$c2 = "recvfrom"
$c3 = "WSASendTo"
$c4 = "WSARecvFrom"
$c5 = "UdpClient"
condition:
(($f1 or $f3) and 2 of ($c*)) or ($f2 and $c5)
}
rule network_tcp_listen {
meta:
author = "x0r"
description = "Listen for incoming communication"
version = "0.1"
strings:
$f1 = "Ws2_32.dll" nocase
$f2 = "Mswsock.dll" nocase
$f3 = "System.Net" nocase
$f4 = "wsock32.dll" nocase
$c1 = "bind"
$c2 = "accept"
$c3 = "GetAcceptExSockaddrs"
$c4 = "AcceptEx"
$c5 = "WSAStartup"
$c6 = "WSAAccept"
$c7 = "WSASocket"
$c8 = "TcpListener"
$c9 = "AcceptTcpClient"
$c10 = "listen"
condition:
1 of ($f*) and 2 of ($c*)
}
rule network_dyndns {
meta:
author = "x0r"
description = "Communications dyndns network"
version = "0.1"
strings:
$s1 =".no-ip.org"
$s2 =".publicvm.com"
$s3 =".linkpc.net"
$s4 =".dynu.com"
$s5 =".dynu.net"
$s6 =".afraid.org"
$s7 =".chickenkiller.com"
$s8 =".crabdance.com"
$s9 =".ignorelist.com"
$s10 =".jumpingcrab.com"
$s11 =".moo.com"
$s12 =".strangled.com"
$s13 =".twillightparadox.com"
$s14 =".us.to"
$s15 =".strangled.net"
$s16 =".info.tm"
$s17 =".homenet.org"
$s18 =".biz.tm"
$s19 =".continent.kz"
$s20 =".ax.lt"
$s21 =".system-ns.com"
$s22 =".adultdns.com"
$s23 =".craftx.biz"
$s24 =".ddns01.com"
$s25 =".dns53.biz"
$s26 =".dnsapi.info"
$s27 =".dnsd.info"
$s28 =".dnsdynamic.com"
$s29 =".dnsdynamic.net"
$s30 =".dnsget.org"
$s31 =".fe100.net"
$s32 =".flashserv.net"
$s33 =".ftp21.net"
condition:
any of them
}
rule network_toredo {
meta:
author = "x0r"
description = "Communications over Toredo network"
version = "0.1"
strings:
$f1 = "FirewallAPI.dll" nocase
$p1 = "\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\" nocase
condition:
all of them
}
rule network_smtp_dotNet {
meta:
author = "x0r"
description = "Communications smtp"
version = "0.1"
strings:
$f1 = "System.Net.Mail" nocase
$p1 = "SmtpClient" nocase
condition:
all of them
}
rule network_smtp_raw {
meta:
author = "x0r"
description = "Communications smtp"
version = "0.1"
strings:
$s1 = "MAIL FROM:" nocase
$s2 = "RCPT TO:" nocase
condition:
all of them
}
rule network_smtp_vb {
meta:
author = "x0r"
description = "Communications smtp"
version = "0.1"
strings:
$c1 = "CDO.Message" nocase
$c2 = "cdoSMTPServer" nocase
$c3 = "cdoSendUsingMethod" nocase
$c4 = "cdoex.dll" nocase
$c5 = "/cdo/configuration/smtpserver" nocase
condition:
any of them
}
rule network_p2p_win {
meta:
author = "x0r"
description = "Communications over P2P network"
version = "0.1"
strings:
$c1 = "PeerCollabExportContact"
$c2 = "PeerCollabGetApplicationRegistrationInfo"
$c3 = "PeerCollabGetEndpointName"
$c4 = "PeerCollabGetEventData"
$c5 = "PeerCollabGetInvitationResponse"
$c6 = "PeerCollabGetPresenceInfo"
$c7 = "PeerCollabGetSigninOptions"
$c8 = "PeerCollabInviteContact"
$c9 = "PeerCollabInviteEndpoint"
$c10 = "PeerCollabParseContact"
$c11 = "PeerCollabQueryContactData"
$c12 = "PeerCollabRefreshEndpointData"
$c13 = "PeerCollabRegisterApplication"
$c14 = "PeerCollabRegisterEvent"
$c15 = "PeerCollabSetEndpointName"
$c16 = "PeerCollabSetObject"
$c17 = "PeerCollabSetPresenceInfo"
$c18 = "PeerCollabSignout"
$c19 = "PeerCollabUnregisterApplication"
$c20 = "PeerCollabUpdateContact"
condition:
5 of them
}
rule network_tor {
meta:
author = "x0r"
description = "Communications over TOR network"
version = "0.1"
strings:
$p1 = "tor\\hidden_service\\private_key" nocase
$p2 = "tor\\hidden_service\\hostname" nocase
$p3 = "tor\\lock" nocase
$p4 = "tor\\state" nocase
condition:
any of them
}
rule network_irc {
meta:
author = "x0r"
description = "Communications over IRC network"
version = "0.1"
strings:
$s1 = "NICK"
$s2 = "PING"
$s3 = "JOIN"
$s4 = "USER"
$s5 = "PRIVMSG"
condition:
all of them
}
rule network_http {
meta:
author = "x0r"
description = "Communications over HTTP"
version = "0.1"
strings:
$f1 = "wininet.dll" nocase
$c1 = "InternetConnect"
$c2 = "InternetOpen"
$c3 = "InternetOpenUrl"
$c4 = "InternetReadFile"
$c5 = "InternetWriteFile"
$c6 = "HttpOpenRequest"
$c7 = "HttpSendRequest"
$c8 = "IdHTTPHeaderInfo"
condition:
$f1 and $c1 and ($c2 or $c3) and ($c4 or $c5 or $c6 or $c7 or $c8)
}
rule network_dropper {
meta:
author = "x0r"
description = "File downloader/dropper"
version = "0.1"
strings:
$f1 = "urlmon.dll" nocase
$c1 = "URLDownloadToFile"
$c2 = "URLDownloadToCacheFile"
$c3 = "URLOpenStream"
$c4 = "URLOpenPullStream"
condition:
$f1 and 1 of ($c*)
}
rule network_ftp {
meta:
author = "x0r"
description = "Communications over FTP"
version = "0.1"
strings:
$f1 = "Wininet.dll" nocase
$c1 = "FtpGetCurrentDirectory"
$c2 = "FtpGetFile"
$c3 = "FtpPutFile"
$c4 = "FtpSetCurrentDirectory"
$c5 = "FtpOpenFile"
$c6 = "FtpGetFileSize"
$c7 = "FtpDeleteFile"
$c8 = "FtpCreateDirectory"
$c9 = "FtpRemoveDirectory"
$c10 = "FtpRenameFile"
$c11 = "FtpDownload"
$c12 = "FtpUpload"
$c13 = "FtpGetDirectory"
condition:
$f1 and (4 of ($c*))
}
rule network_tcp_socket {
meta:
author = "x0r"
description = "Communications over RAW socket"
version = "0.1"
strings:
$f1 = "Ws2_32.dll" nocase
$f2 = "wsock32.dll" nocase
$c1 = "WSASocket"
$c2 = "socket"
$c3 = "send"
$c4 = "WSASend"
$c5 = "WSAConnect"
$c6 = "connect"
$c7 = "WSAStartup"
$c8 = "closesocket"
$c9 = "WSACleanup"
condition:
1 of ($f*) and 2 of ($c*)
}
rule network_dns {
meta:
author = "x0r"
description = "Communications use DNS"
version = "0.1"
strings:
$f1 = "System.Net"
$f2 = "Ws2_32.dll" nocase
$f3 = "Dnsapi.dll" nocase
$f4 = "wsock32.dll" nocase
$c2 = "GetHostEntry"
$c3 = "getaddrinfo"
$c4 = "gethostbyname"
$c5 = "WSAAsyncGetHostByName"
$c6 = "DnsQuery"
condition:
1 of ($f*) and 1 of ($c*)
}
rule network_ssl {
meta:
author = "x0r"
description = "Communications over SSL"
version = "0.1"
strings:
$f1 = "ssleay32.dll" nocase
$f2 = "libeay32.dll" nocase
$f3 = "libssl32.dll" nocase
$c1 = "IdSSLOpenSSL" nocase
condition:
any of them
}
rule network_dga {
meta:
author = "x0r"
description = "Communication using dga"
version = "0.1"
strings:
$dll1 = "Advapi32.dll" nocase
$dll2 = "wininet.dll" nocase
$dll3 = "Crypt32.dll" nocase
$time1 = "SystemTimeToFileTime"
$time2 = "GetSystemTime"
$time3 = "GetSystemTimeAsFileTime"
$hash1 = "CryptCreateHash"
$hash2 = "CryptAcquireContext"
$hash3 = "CryptHashData"
$net1 = "InternetOpen"
$net2 = "InternetOpenUrl"
$net3 = "gethostbyname"
$net4 = "getaddrinfo"
condition:
all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*)
}
rule bitcoin {
meta:
author = "x0r"
description = "Perform crypto currency mining"
version = "0.1"
strings:
$f1 = "OpenCL.dll" nocase
$f2 = "nvcuda.dll" nocase
$f3 = "opengl32.dll" nocase
$s1 = "cpuminer 2.2.2X-Mining-Extensions"
$s2 = "cpuminer 2.2.3X-Mining-Extensions"
$s3 = "Ufasoft bitcoin-miner/0.20"
$s4 = "bitcoin" nocase
$s5 = "stratum" nocase
condition:
1 of ($f*) and 1 of ($s*)
}
rule certificate {
meta:
author = "x0r"
description = "Inject certificate in store"
version = "0.1"
strings:
$f1 = "Crypt32.dll" nocase
$r1 = "software\\microsoft\\systemcertificates\\spc\\certificates" nocase
$c1 = "CertOpenSystemStore"
condition:
all of them
}
rule escalate_priv {
meta:
author = "x0r"
description = "Escalade priviledges"
version = "0.1"
strings:
$d1 = "Advapi32.dll" nocase
$c1 = "SeDebugPrivilege"
$c2 = "AdjustTokenPrivileges"
condition:
1 of ($d*) and 1 of ($c*)
}
rule screenshot {
meta:
author = "x0r"
description = "Take screenshot"
version = "0.1"
strings:
$d1 = "Gdi32.dll" nocase
$d2 = "User32.dll" nocase
$c1 = "BitBlt"
$c2 = "GetDC"
condition:
1 of ($d*) and 1 of ($c*)
}
rule lookupip {
meta:
author = "x0r"
description = "Lookup external IP"
version = "0.1"
strings:
$n1 = "checkip.dyndns.org" nocase
$n2 = "whatismyip.org" nocase
$n3 = "whatsmyipaddress.com" nocase
$n4 = "getmyip.org" nocase
$n5 = "getmyip.co.uk" nocase
condition:
any of them
}
rule dyndns {
meta:
author = "x0r"
description = "Dynamic DNS"
version = "0.1"
strings:
$s1 = "SOFTWARE\\Vitalwerks\\DUC" nocase
condition:
any of them
}
rule lookupgeo {
meta:
author = "x0r"
description = "Lookup Geolocation"
version = "0.1"
strings:
$n1 = "j.maxmind.com" nocase
condition:
any of them
}
rule keylogger {
meta:
author = "x0r"
description = "Run a keylogger"
version = "0.1"
strings:
$f1 = "User32.dll" nocase
$c1 = "GetAsyncKeyState"
$c2 = "GetKeyState"
$c3 = "MapVirtualKey"
$c4 = "GetKeyboardType"
condition:
$f1 and 1 of ($c*)
}
rule cred_local {
meta:
author = "x0r"
description = "Steal credential"
version = "0.1"
strings:
$c1 = "LsaEnumerateLogonSessions"
$c2 = "SamIConnect"
$c3 = "SamIGetPrivateData"
$c4 = "SamQueryInformationUse"
$c5 = "CredEnumerateA"
$c6 = "CredEnumerateW"
$r1 = "software\\microsoft\\internet account manager" nocase
$r2 = "software\\microsoft\\identitycrl\\creds" nocase
$r3 = "Security\\Policy\\Secrets"
condition:
any of them
}
rule sniff_audio {
meta:
author = "x0r"
description = "Record Audio"
version = "0.1"
strings:
$f1 = "winmm.dll" nocase
$c1 = "waveInStart"
$c2 = "waveInReset"
$c3 = "waveInAddBuffer"
$c4 = "waveInOpen"
$c5 = "waveInClose"
condition:
$f1 and 2 of ($c*)
}
rule cred_ff {
meta:
author = "x0r"
description = "Steal Firefox credential"
version = "0.1"
strings:
$f1 = "signons.sqlite"
$f2 = "signons3.txt"
$f3 = "secmod.db"
$f4 = "cert8.db"
$f5 = "key3.db"
condition:
any of them
}
rule cred_vnc {
meta:
author = "x0r"
description = "Steal VNC credential"
version = "0.1"
strings:
$s1 = "VNCPassView"
condition:
all of them
}
rule cred_ie7 {
meta:
author = "x0r"
description = "Steal IE 7 credential"
version = "0.1"
strings:
$f1 = "Crypt32.dll" nocase
$c1 = "CryptUnprotectData"
$s1 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" nocase
condition:
all of them
}
rule sniff_lan {
meta:
author = "x0r"
description = "Sniff Lan network traffic"
version = "0.1"
strings:
$f1 = "packet.dll" nocase
$f2 = "npf.sys" nocase
$f3 = "wpcap.dll" nocase
$f4 = "winpcap.dll" nocase
condition:
any of them
}
rule migrate_apc {
meta:
author = "x0r"
description = "APC queue tasks migration"
version = "0.1"
strings:
$c1 = "OpenThread"
$c2 = "QueueUserAPC"
condition:
all of them
}
rule spreading_file {
meta:
author = "x0r"
description = "Malware can spread east-west file"
version = "0.1"
strings:
$f1 = "autorun.inf" nocase
$f2 = "desktop.ini" nocase
$f3 = "desktop.lnk" nocase
condition:
any of them
}
rule spreading_share {
meta:
author = "x0r"
description = "Malware can spread east-west using share drive"
version = "0.1"
strings:
$f1 = "netapi32.dll" nocase
$c1 = "NetShareGetInfo"
$c2 = "NetShareEnum"
condition:
$f1 and 1 of ($c*)
}
rule rat_vnc {
meta:
author = "x0r"
description = "Remote Administration toolkit VNC"
version = "0.1"
strings:
$f1 = "ultravnc.ini" nocase
$c2 = "StartVNC"
$c3 = "StopVNC"
condition:
any of them
}
rule rat_rdp {
meta:
author = "x0r"
description = "Remote Administration toolkit enable RDP"
version = "0.1"
strings:
$p1 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server" nocase
$p2 = "software\\microsoft\\windows nt\\currentversion\\terminal server" nocase
$p3 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" nocase
$r1 = "EnableAdminTSRemote"
$c1 = "net start termservice"
$c2 = "sc config termservice start"
condition:
any of them
}
rule rat_telnet {
meta:
author = "x0r"
description = "Remote Administration toolkit enable Telnet"
version = "0.1"
strings:
$r1 = "software\\microsoft\\telnetserver" nocase
condition:
any of them
}
rule rat_webcam {
meta:
author = "x0r"
description = "Remote Administration toolkit using webcam"
version = "0.1"
strings:
$f1 = "avicap32.dll" nocase
$c1 = "capCreateCaptureWindow" nocase
condition:
all of them
}
rule check_patchlevel {
meta:
author = "x0r"
......@@ -1633,87 +933,6 @@ rule check_patchlevel {
any of them
}
rule win_mutex {
meta:
author = "x0r"
description = "Create or check mutex"
version = "0.1"
strings:
$c1 = "CreateMutex"
condition:
1 of ($c*)
}
rule win_registry {
meta:
author = "x0r"
description = "Affect system registries"
version = "0.1"
strings:
$f1 = "advapi32.dll" nocase
$c1 = "RegQueryValueExA"
$c2 = "RegOpenKeyExA"
$c3 = "RegCloseKey"
$c4 = "RegSetValueExA"
$c5 = "RegCreateKeyA"
$c6 = "RegCloseKey"
condition:
$f1 and 1 of ($c*)
}
rule win_token {
meta:
author = "x0r"
description = "Affect system token"
version = "0.1"
strings:
$f1 = "advapi32.dll" nocase
$c1 = "DuplicateTokenEx"
$c2 = "AdjustTokenPrivileges"
$c3 = "OpenProcessToken"
$c4 = "LookupPrivilegeValueA"
condition:
$f1 and 1 of ($c*)
}
rule win_private_profile {
meta:
author = "x0r"
description = "Affect private profile"
version = "0.1"
strings:
$f1 = "kernel32.dll" nocase
$c1 = "GetPrivateProfileIntA"
$c2 = "GetPrivateProfileStringA"
$c3 = "WritePrivateProfileStringA"
condition:
$f1 and 1 of ($c*)
}
rule win_files_operation {
meta:
author = "x0r"
description = "Affect private profile"
version = "0.1"
strings:
$f1 = "kernel32.dll" nocase
$c1 = "WriteFile"
$c2 = "SetFilePointer"
$c3 = "WriteFile"
$c4 = "ReadFile"
$c5 = "DeleteFileA"
$c6 = "CreateFileA"
$c7 = "FindFirstFileA"
$c8 = "MoveFileExA"
$c9 = "FindClose"
$c10 = "SetFileAttributesA"
$c11 = "CopyFile"
condition:
$f1 and 3 of ($c*)
}
rule win_hook {
meta:
author = "x0r"
......@@ -1727,6 +946,7 @@ rule win_hook {
condition:
$f1 and 1 of ($c*)
}
rule vmdetect_misc : vmdetect
{
meta:
......
Antidebug_AntiVM_index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./Antidebug_AntiVM/antidebug_antivm.yar"
CVE_Rules/CVE-2018-20250.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
{
meta:
description = "Generic rule for hostile ACE archive using CVE-2018-20250"
author = "xylitol@temari.fr"
date = "2019-03-17"
reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
// May only the challenge guide you
strings:
$string1 = "**ACE**" ascii wide
$string2 = "*UNREGISTERED VERSION*" ascii wide
// $hexstring1 = C:\C:\
$hexstring1 = {?? 3A 5C ?? 3A 5C}
// $hexstring2 = C:\C:C:..
$hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E}
condition:
$string1 at 7 and $string2 at 31 and 1 of ($hexstring*)
}
CVE_Rules_index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./CVE_Rules/CVE-2010-0805.yar"
include "./CVE_Rules/CVE-2010-0887.yar"
......@@ -14,4 +14,5 @@ include "./CVE_Rules/CVE-2015-2545.yar"
include "./CVE_Rules/CVE-2015-5119.yar"
include "./CVE_Rules/CVE-2016-5195.yar"
include "./CVE_Rules/CVE-2017-11882.yar"
include "./CVE_Rules/CVE-2018-20250.yar"
include "./CVE_Rules/CVE-2018-4878.yar"
Capabilities/capabilities.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule inject_thread {
meta:
author = "x0r"
description = "Code injection with CreateRemoteThread in a remote process"
version = "0.1"
strings:
$c1 = "OpenProcess"
$c2 = "VirtualAllocEx"
$c3 = "NtWriteVirtualMemory"
$c4 = "WriteProcessMemory"
$c5 = "CreateRemoteThread"
$c6 = "CreateThread"
$c7 = "OpenProcess"
condition:
$c1 and $c2 and ( $c3 or $c4 ) and ( $c5 or $c6 or $c7 )
}
// Issue #101 - Commented because of High FP rate
/*
rule create_process {
meta:
author = "x0r"
description = "Create a new process"
version = "0.2"
strings:
$f1 = "Shell32.dll" nocase
$f2 = "Kernel32.dll" nocase
$c1 = "ShellExecute"
$c2 = "WinExec"
$c3 = "CreateProcess"
$c4 = "CreateThread"
condition:
($f1 and $c1 ) or $f2 and ($c2 or $c3 or $c4)
}
*/
// Issue #101 - Commented because of High FP rate
/*
rule persistence {
meta:
author = "x0r"
description = "Install itself for autorun at Windows startup"
version = "0.1"
strings:
$p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" nocase
$p2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase
$p3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" nocase
$p4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" nocase
$p5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" nocase
$p6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" nocase
$p7 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\" nocase
$p8 = "SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Windows" nocase
$p9 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler" nocase
$p10 = "comfile\\shell\\open\\command" nocase
$p11 = "piffile\\shell\\open\\command" nocase
$p12 = "exefile\\shell\\open\\command" nocase
$p13 = "txtfile\\shell\\open\\command" nocase
$p14 = "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
$f1 = "win.ini" nocase
$f2 = "system.ini" nocase
$f3 = "Start Menu\\Programs\\Startup" nocase
condition:
any of them
}
*/
rule hijack_network {
meta:
author = "x0r"
description = "Hijack network configuration"
version = "0.1"
strings:
$p1 = "SOFTWARE\\Classes\\PROTOCOLS\\Handler" nocase
$p2 = "SOFTWARE\\Classes\\PROTOCOLS\\Filter" nocase
$p3 = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer" nocase
$p4 = "software\\microsoft\\windows\\currentversion\\internet settings\\proxyenable" nocase
$f1 = "drivers\\etc\\hosts" nocase
condition:
any of them
}
rule create_service {
meta:
author = "x0r"
description = "Create a windows service"
version = "0.2"
strings:
$f1 = "Advapi32.dll" nocase
$c1 = "CreateService"
$c2 = "ControlService"
$c3 = "StartService"
$c4 = "QueryServiceStatus"
condition:
all of them
}
rule create_com_service {
meta:
author = "x0r"
description = "Create a COM server"
version = "0.1"
strings:
$c1 = "DllCanUnloadNow" nocase
$c2 = "DllGetClassObject"
$c3 = "DllInstall"
$c4 = "DllRegisterServer"
$c5 = "DllUnregisterServer"
condition:
all of them
}
rule network_udp_sock {
meta:
author = "x0r"
description = "Communications over UDP network"
version = "0.1"
strings:
$f1 = "Ws2_32.dll" nocase
$f2 = "System.Net" nocase
$f3 = "wsock32.dll" nocase
$c0 = "WSAStartup"
$c1 = "sendto"
$c2 = "recvfrom"
$c3 = "WSASendTo"
$c4 = "WSARecvFrom"
$c5 = "UdpClient"
condition:
(($f1 or $f3) and 2 of ($c*)) or ($f2 and $c5)
}
rule network_tcp_listen {
meta:
author = "x0r"
description = "Listen for incoming communication"
version = "0.1"
strings:
$f1 = "Ws2_32.dll" nocase
$f2 = "Mswsock.dll" nocase
$f3 = "System.Net" nocase
$f4 = "wsock32.dll" nocase
$c1 = "bind"
$c2 = "accept"
$c3 = "GetAcceptExSockaddrs"
$c4 = "AcceptEx"
$c5 = "WSAStartup"
$c6 = "WSAAccept"
$c7 = "WSASocket"
$c8 = "TcpListener"
$c9 = "AcceptTcpClient"
$c10 = "listen"
condition:
1 of ($f*) and 2 of ($c*)
}
rule network_dyndns {
meta:
author = "x0r"
description = "Communications dyndns network"
version = "0.1"
strings:
$s1 =".no-ip.org"
$s2 =".publicvm.com"
$s3 =".linkpc.net"
$s4 =".dynu.com"
$s5 =".dynu.net"
$s6 =".afraid.org"
$s7 =".chickenkiller.com"
$s8 =".crabdance.com"
$s9 =".ignorelist.com"
$s10 =".jumpingcrab.com"
$s11 =".moo.com"
$s12 =".strangled.com"
$s13 =".twillightparadox.com"
$s14 =".us.to"
$s15 =".strangled.net"
$s16 =".info.tm"
$s17 =".homenet.org"
$s18 =".biz.tm"
$s19 =".continent.kz"
$s20 =".ax.lt"
$s21 =".system-ns.com"
$s22 =".adultdns.com"
$s23 =".craftx.biz"
$s24 =".ddns01.com"
$s25 =".dns53.biz"
$s26 =".dnsapi.info"
$s27 =".dnsd.info"
$s28 =".dnsdynamic.com"
$s29 =".dnsdynamic.net"
$s30 =".dnsget.org"
$s31 =".fe100.net"
$s32 =".flashserv.net"
$s33 =".ftp21.net"
condition:
any of them
}
rule network_toredo {
meta:
author = "x0r"
description = "Communications over Toredo network"
version = "0.1"
strings:
$f1 = "FirewallAPI.dll" nocase
$p1 = "\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\" nocase
condition:
all of them
}
rule network_smtp_dotNet {
meta:
author = "x0r"
description = "Communications smtp"
version = "0.1"
strings:
$f1 = "System.Net.Mail" nocase
$p1 = "SmtpClient" nocase
condition:
all of them
}
rule network_smtp_raw {
meta:
author = "x0r"
description = "Communications smtp"
version = "0.1"
strings:
$s1 = "MAIL FROM:" nocase
$s2 = "RCPT TO:" nocase
condition:
all of them
}
rule network_smtp_vb {
meta:
author = "x0r"
description = "Communications smtp"
version = "0.1"
strings:
$c1 = "CDO.Message" nocase
$c2 = "cdoSMTPServer" nocase
$c3 = "cdoSendUsingMethod" nocase
$c4 = "cdoex.dll" nocase
$c5 = "/cdo/configuration/smtpserver" nocase
condition:
any of them
}
rule network_p2p_win {
meta:
author = "x0r"
description = "Communications over P2P network"
version = "0.1"
strings:
$c1 = "PeerCollabExportContact"
$c2 = "PeerCollabGetApplicationRegistrationInfo"
$c3 = "PeerCollabGetEndpointName"
$c4 = "PeerCollabGetEventData"
$c5 = "PeerCollabGetInvitationResponse"
$c6 = "PeerCollabGetPresenceInfo"
$c7 = "PeerCollabGetSigninOptions"
$c8 = "PeerCollabInviteContact"
$c9 = "PeerCollabInviteEndpoint"
$c10 = "PeerCollabParseContact"
$c11 = "PeerCollabQueryContactData"
$c12 = "PeerCollabRefreshEndpointData"
$c13 = "PeerCollabRegisterApplication"
$c14 = "PeerCollabRegisterEvent"
$c15 = "PeerCollabSetEndpointName"
$c16 = "PeerCollabSetObject"
$c17 = "PeerCollabSetPresenceInfo"
$c18 = "PeerCollabSignout"
$c19 = "PeerCollabUnregisterApplication"
$c20 = "PeerCollabUpdateContact"
condition:
5 of them
}
rule network_tor {
meta:
author = "x0r"
description = "Communications over TOR network"
version = "0.1"
strings:
$p1 = "tor\\hidden_service\\private_key" nocase
$p2 = "tor\\hidden_service\\hostname" nocase
$p3 = "tor\\lock" nocase
$p4 = "tor\\state" nocase
condition:
any of them
}
rule network_irc {
meta:
author = "x0r"
description = "Communications over IRC network"
version = "0.1"
strings:
$s1 = "NICK"
$s2 = "PING"
$s3 = "JOIN"
$s4 = "USER"
$s5 = "PRIVMSG"
condition:
all of them
}
rule network_http {
meta:
author = "x0r"
description = "Communications over HTTP"
version = "0.1"
strings:
$f1 = "wininet.dll" nocase
$c1 = "InternetConnect"
$c2 = "InternetOpen"
$c3 = "InternetOpenUrl"
$c4 = "InternetReadFile"
$c5 = "InternetWriteFile"
$c6 = "HttpOpenRequest"
$c7 = "HttpSendRequest"
$c8 = "IdHTTPHeaderInfo"
condition:
$f1 and $c1 and ($c2 or $c3) and ($c4 or $c5 or $c6 or $c7 or $c8)
}
rule network_dropper {
meta:
author = "x0r"
description = "File downloader/dropper"
version = "0.1"
strings:
$f1 = "urlmon.dll" nocase
$c1 = "URLDownloadToFile"
$c2 = "URLDownloadToCacheFile"
$c3 = "URLOpenStream"
$c4 = "URLOpenPullStream"
condition:
$f1 and 1 of ($c*)
}
rule network_ftp {
meta:
author = "x0r"
description = "Communications over FTP"
version = "0.1"
strings:
$f1 = "Wininet.dll" nocase
$c1 = "FtpGetCurrentDirectory"
$c2 = "FtpGetFile"
$c3 = "FtpPutFile"
$c4 = "FtpSetCurrentDirectory"
$c5 = "FtpOpenFile"
$c6 = "FtpGetFileSize"
$c7 = "FtpDeleteFile"
$c8 = "FtpCreateDirectory"
$c9 = "FtpRemoveDirectory"
$c10 = "FtpRenameFile"
$c11 = "FtpDownload"
$c12 = "FtpUpload"
$c13 = "FtpGetDirectory"
condition:
$f1 and (4 of ($c*))
}
rule network_tcp_socket {
meta:
author = "x0r"
description = "Communications over RAW socket"
version = "0.1"
strings:
$f1 = "Ws2_32.dll" nocase
$f2 = "wsock32.dll" nocase
$c1 = "WSASocket"
$c2 = "socket"
$c3 = "send"
$c4 = "WSASend"
$c5 = "WSAConnect"
$c6 = "connect"
$c7 = "WSAStartup"
$c8 = "closesocket"
$c9 = "WSACleanup"
condition:
1 of ($f*) and 2 of ($c*)
}
rule network_dns {
meta:
author = "x0r"
description = "Communications use DNS"
version = "0.1"
strings:
$f1 = "System.Net"
$f2 = "Ws2_32.dll" nocase
$f3 = "Dnsapi.dll" nocase
$f4 = "wsock32.dll" nocase
$c2 = "GetHostEntry"
$c3 = "getaddrinfo"
$c4 = "gethostbyname"
$c5 = "WSAAsyncGetHostByName"
$c6 = "DnsQuery"
condition:
1 of ($f*) and 1 of ($c*)
}
rule network_ssl {
meta:
author = "x0r"
description = "Communications over SSL"
version = "0.1"
strings:
$f1 = "ssleay32.dll" nocase
$f2 = "libeay32.dll" nocase
$f3 = "libssl32.dll" nocase
$c1 = "IdSSLOpenSSL" nocase
condition:
any of them
}
rule network_dga {
meta:
author = "x0r"
description = "Communication using dga"
version = "0.1"
strings:
$dll1 = "Advapi32.dll" nocase
$dll2 = "wininet.dll" nocase
$dll3 = "Crypt32.dll" nocase
$time1 = "SystemTimeToFileTime"
$time2 = "GetSystemTime"
$time3 = "GetSystemTimeAsFileTime"
$hash1 = "CryptCreateHash"
$hash2 = "CryptAcquireContext"
$hash3 = "CryptHashData"
$net1 = "InternetOpen"
$net2 = "InternetOpenUrl"
$net3 = "gethostbyname"
$net4 = "getaddrinfo"
condition:
all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*)
}
rule bitcoin {
meta:
author = "x0r"
description = "Perform crypto currency mining"
version = "0.1"
strings:
$f1 = "OpenCL.dll" nocase
$f2 = "nvcuda.dll" nocase
$f3 = "opengl32.dll" nocase
$s1 = "cpuminer 2.2.2X-Mining-Extensions"
$s2 = "cpuminer 2.2.3X-Mining-Extensions"
$s3 = "Ufasoft bitcoin-miner/0.20"
$s4 = "bitcoin" nocase
$s5 = "stratum" nocase
condition:
1 of ($f*) and 1 of ($s*)
}
rule certificate {
meta:
author = "x0r"
description = "Inject certificate in store"
version = "0.1"
strings:
$f1 = "Crypt32.dll" nocase
$r1 = "software\\microsoft\\systemcertificates\\spc\\certificates" nocase
$c1 = "CertOpenSystemStore"
condition:
all of them
}
rule escalate_priv {
meta:
author = "x0r"
description = "Escalade priviledges"
version = "0.1"
strings:
$d1 = "Advapi32.dll" nocase
$c1 = "SeDebugPrivilege"
$c2 = "AdjustTokenPrivileges"
condition:
1 of ($d*) and 1 of ($c*)
}
rule screenshot {
meta:
author = "x0r"
description = "Take screenshot"
version = "0.1"
strings:
$d1 = "Gdi32.dll" nocase
$d2 = "User32.dll" nocase
$c1 = "BitBlt"
$c2 = "GetDC"
condition:
1 of ($d*) and 1 of ($c*)
}
rule lookupip {
meta:
author = "x0r"
description = "Lookup external IP"
version = "0.1"
strings:
$n1 = "checkip.dyndns.org" nocase
$n2 = "whatismyip.org" nocase
$n3 = "whatsmyipaddress.com" nocase
$n4 = "getmyip.org" nocase
$n5 = "getmyip.co.uk" nocase
condition:
any of them
}
rule dyndns {
meta:
author = "x0r"
description = "Dynamic DNS"
version = "0.1"
strings:
$s1 = "SOFTWARE\\Vitalwerks\\DUC" nocase
condition:
any of them
}
rule lookupgeo {
meta:
author = "x0r"
description = "Lookup Geolocation"
version = "0.1"
strings:
$n1 = "j.maxmind.com" nocase
condition:
any of them
}
rule keylogger {
meta:
author = "x0r"
description = "Run a keylogger"
version = "0.1"
strings:
$f1 = "User32.dll" nocase
$c1 = "GetAsyncKeyState"
$c2 = "GetKeyState"
$c3 = "MapVirtualKey"
$c4 = "GetKeyboardType"
condition:
$f1 and 1 of ($c*)
}
rule cred_local {
meta:
author = "x0r"
description = "Steal credential"
version = "0.1"
strings:
$c1 = "LsaEnumerateLogonSessions"
$c2 = "SamIConnect"
$c3 = "SamIGetPrivateData"
$c4 = "SamQueryInformationUse"
$c5 = "CredEnumerateA"
$c6 = "CredEnumerateW"
$r1 = "software\\microsoft\\internet account manager" nocase
$r2 = "software\\microsoft\\identitycrl\\creds" nocase
$r3 = "Security\\Policy\\Secrets"
condition:
any of them
}
rule sniff_audio {
meta:
author = "x0r"
description = "Record Audio"
version = "0.1"
strings:
$f1 = "winmm.dll" nocase
$c1 = "waveInStart"
$c2 = "waveInReset"
$c3 = "waveInAddBuffer"
$c4 = "waveInOpen"
$c5 = "waveInClose"
condition:
$f1 and 2 of ($c*)
}
rule cred_ff {
meta:
author = "x0r"
description = "Steal Firefox credential"
version = "0.1"
strings:
$f1 = "signons.sqlite"
$f2 = "signons3.txt"
$f3 = "secmod.db"
$f4 = "cert8.db"
$f5 = "key3.db"
condition:
any of them
}
rule cred_vnc {
meta:
author = "x0r"
description = "Steal VNC credential"
version = "0.1"
strings:
$s1 = "VNCPassView"
condition:
all of them
}
rule cred_ie7 {
meta:
author = "x0r"
description = "Steal IE 7 credential"
version = "0.1"
strings:
$f1 = "Crypt32.dll" nocase
$c1 = "CryptUnprotectData"
$s1 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" nocase
condition:
all of them
}
rule sniff_lan {
meta:
author = "x0r"
description = "Sniff Lan network traffic"
version = "0.1"
strings:
$f1 = "packet.dll" nocase
$f2 = "npf.sys" nocase
$f3 = "wpcap.dll" nocase
$f4 = "winpcap.dll" nocase
condition:
any of them
}
rule migrate_apc {
meta:
author = "x0r"
description = "APC queue tasks migration"
version = "0.1"
strings:
$c1 = "OpenThread"
$c2 = "QueueUserAPC"
condition:
all of them
}
rule spreading_file {
meta:
author = "x0r"
description = "Malware can spread east-west file"
version = "0.1"
strings:
$f1 = "autorun.inf" nocase
$f2 = "desktop.ini" nocase
$f3 = "desktop.lnk" nocase
condition:
any of them
}
rule spreading_share {
meta:
author = "x0r"
description = "Malware can spread east-west using share drive"
version = "0.1"
strings:
$f1 = "netapi32.dll" nocase
$c1 = "NetShareGetInfo"
$c2 = "NetShareEnum"
condition:
$f1 and 1 of ($c*)
}
rule rat_vnc {
meta:
author = "x0r"
description = "Remote Administration toolkit VNC"
version = "0.1"
strings:
$f1 = "ultravnc.ini" nocase
$c2 = "StartVNC"
$c3 = "StopVNC"
condition:
any of them
}
rule rat_rdp {
meta:
author = "x0r"
description = "Remote Administration toolkit enable RDP"
version = "0.1"
strings:
$p1 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server" nocase
$p2 = "software\\microsoft\\windows nt\\currentversion\\terminal server" nocase
$p3 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" nocase
$r1 = "EnableAdminTSRemote"
$c1 = "net start termservice"
$c2 = "sc config termservice start"
condition:
any of them
}
rule rat_telnet {
meta:
author = "x0r"
description = "Remote Administration toolkit enable Telnet"
version = "0.1"
strings:
$r1 = "software\\microsoft\\telnetserver" nocase
condition:
any of them
}
rule rat_webcam {
meta:
author = "x0r"
description = "Remote Administration toolkit using webcam"
version = "0.1"
strings:
$f1 = "avicap32.dll" nocase
$c1 = "capCreateCaptureWindow" nocase
condition:
all of them
}
rule win_mutex {
meta:
author = "x0r"
description = "Create or check mutex"
version = "0.1"
strings:
$c1 = "CreateMutex"
condition:
1 of ($c*)
}
rule win_registry {
meta:
author = "x0r"
description = "Affect system registries"
version = "0.1"
strings:
$f1 = "advapi32.dll" nocase
$c1 = "RegQueryValueExA"
$c2 = "RegOpenKeyExA"
$c3 = "RegCloseKey"
$c4 = "RegSetValueExA"
$c5 = "RegCreateKeyA"
$c6 = "RegCloseKey"
condition:
$f1 and 1 of ($c*)
}
rule win_token {
meta:
author = "x0r"
description = "Affect system token"
version = "0.1"
strings:
$f1 = "advapi32.dll" nocase
$c1 = "DuplicateTokenEx"
$c2 = "AdjustTokenPrivileges"
$c3 = "OpenProcessToken"
$c4 = "LookupPrivilegeValueA"
condition:
$f1 and 1 of ($c*)
}
rule win_private_profile {
meta:
author = "x0r"
description = "Affect private profile"
version = "0.1"
strings:
$f1 = "kernel32.dll" nocase
$c1 = "GetPrivateProfileIntA"
$c2 = "GetPrivateProfileStringA"
$c3 = "WritePrivateProfileStringA"
condition:
$f1 and 1 of ($c*)
}
rule win_files_operation {
meta:
author = "x0r"
description = "Affect private profile"
version = "0.1"
strings:
$f1 = "kernel32.dll" nocase
$c1 = "WriteFile"
$c2 = "SetFilePointer"
$c3 = "WriteFile"
$c4 = "ReadFile"
$c5 = "DeleteFileA"
$c6 = "CreateFileA"
$c7 = "FindFirstFileA"
$c8 = "MoveFileExA"
$c9 = "FindClose"
$c10 = "SetFileAttributesA"
$c11 = "CopyFile"
condition:
$f1 and 3 of ($c*)
}
Capabilities_index.yar 0 → 100644
/*
Generated by Yara-Rules
On 27-03-2019
*/
include "./Capabilities/capabilities.yar"
Crypto_index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./Crypto/crypto_signatures.yar"
Exploit-Kits_index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./Exploit-Kits/EK_Angler.yar"
include "./Exploit-Kits/EK_Blackhole.yar"
......
Malicious_Documents_index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./Malicious_Documents/Maldoc_APT10_MenuPass.yar"
include "./Malicious_Documents/Maldoc_APT19_CVE-2017-1099.yar"
include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
......
Mobile_Malware_index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./Mobile_Malware/Android_ASSDdeveloper.yar"
include "./Mobile_Malware/Android_AVITOMMS.yar"
......
Packers_index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./Packers/JJencode.yar"
include "./Packers/Javascript_exploit_and_obfuscation.yar"
......
README.md
......@@ -32,6 +32,10 @@ Also, you will need [Androguard Module](https://github.com/Koodous/androguard-ya
In this section you will find Yara Rules aimed toward the detection of anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
## Capabilities
In this section you will find Yara rules to detect capabilities that do not fit into any of the other categories. They are useful to know for analysis but may not be malicious indicators on their own.
## CVE_Rules
In this section you will find Yara Rules specialised toward the identification of specific Common Vulnerabilities and Exposures (CVEs)
......
Webshells/WShell_ASPXSpy.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Backdoor_WebShell_asp : ASPXSpy
{
meta:
description= "Detect ASPXSpy"
author = "xylitol@temari.fr"
date = "2019-02-26"
// May only the challenge guide you
strings:
$string1 = "CmdShell" wide ascii
$string2 = "ADSViewer" wide ascii
$string3 = "ASPXSpy.Bin" wide ascii
$string4 = "PortScan" wide ascii
$plugin = "Test.AspxSpyPlugins" wide ascii
condition:
3 of ($string*) or $plugin
}
Webshells_index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./Webshells/WShell_APT_Laudanum.yar"
include "./Webshells/WShell_ASPXSpy.yar"
include "./Webshells/WShell_PHP_Anuna.yar"
include "./Webshells/WShell_PHP_in_images.yar"
include "./Webshells/WShell_THOR_Webshells.yar"
......
email_index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./email/EMAIL_Cryptowall.yar"
include "./email/attachment.yar"
......
index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./Antidebug_AntiVM/antidebug_antivm.yar"
include "./CVE_Rules/CVE-2010-0805.yar"
......@@ -15,7 +15,9 @@ include "./CVE_Rules/CVE-2015-2545.yar"
include "./CVE_Rules/CVE-2015-5119.yar"
include "./CVE_Rules/CVE-2016-5195.yar"
include "./CVE_Rules/CVE-2017-11882.yar"
include "./CVE_Rules/CVE-2018-20250.yar"
include "./CVE_Rules/CVE-2018-4878.yar"
include "./Capabilities/capabilities.yar"
include "./Crypto/crypto_signatures.yar"
include "./Exploit-Kits/EK_Angler.yar"
include "./Exploit-Kits/EK_Blackhole.yar"
......@@ -28,6 +30,8 @@ include "./Exploit-Kits/EK_Sakura.yar"
include "./Exploit-Kits/EK_ZeroAcces.yar"
include "./Exploit-Kits/EK_Zerox88.yar"
include "./Exploit-Kits/EK_Zeus.yar"
include "./Malicious_Documents/Maldoc_APT10_MenuPass.yar"
include "./Malicious_Documents/Maldoc_APT19_CVE-2017-1099.yar"
include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
......@@ -51,6 +55,7 @@ include "./Packers/packer.yar"
include "./Packers/packer_compiler_signatures.yar"
include "./Packers/peid.yar"
include "./Webshells/WShell_APT_Laudanum.yar"
include "./Webshells/WShell_ASPXSpy.yar"
include "./Webshells/WShell_PHP_Anuna.yar"
include "./Webshells/WShell_PHP_in_images.yar"
include "./Webshells/WShell_THOR_Webshells.yar"
......@@ -144,6 +149,7 @@ include "./malware/APT_Turla_Neuron.yar"
include "./malware/APT_Turla_RUAG.yar"
include "./malware/APT_UP007_SLServer.yar"
include "./malware/APT_Unit78020.yar"
include "./malware/APT_Uppercut.yar"
include "./malware/APT_Waterbug.yar"
include "./malware/APT_WildNeutron.yar"
include "./malware/APT_Windigo_Onimiki.yar"
......@@ -155,6 +161,8 @@ include "./malware/APT_fancybear_downdelph.yar"
include "./malware/APT_furtim.yar"
include "./malware/EXPERIMENTAL_Beef.yar"
include "./malware/GEN_PowerShell.yar"
include "./malware/MALW_ATMPot.yar"
include "./malware/MALW_ATM_HelloWorld.yar"
include "./malware/MALW_AZORULT.yar"
include "./malware/MALW_AgentTesla.yar"
include "./malware/MALW_AgentTesla_SMTP.yar"
......@@ -216,6 +224,7 @@ include "./malware/MALW_IotReaper.yar"
include "./malware/MALW_Jolob_Backdoor.yar"
include "./malware/MALW_KINS.yar"
include "./malware/MALW_Kelihos.yar"
include "./malware/MALW_KeyBase.yar"
include "./malware/MALW_Korlia.yar"
include "./malware/MALW_Korplug.yar"
include "./malware/MALW_Kovter.yar"
......@@ -257,6 +266,7 @@ include "./malware/MALW_PE_sections.yar"
include "./malware/MALW_PittyTiger.yar"
include "./malware/MALW_Ponmocup.yar"
include "./malware/MALW_Pony.yar"
include "./malware/MALW_Predator.yar"
include "./malware/MALW_PubSab.yar"
include "./malware/MALW_PyPI.yar"
include "./malware/MALW_Pyinstaller.yar"
......@@ -301,9 +311,11 @@ include "./malware/MALW_XHide.yar"
include "./malware/MALW_XMRIG_Miner.yar"
include "./malware/MALW_XOR_DDos.yar"
include "./malware/MALW_Yayih.yar"
include "./malware/MALW_Yordanyan_ActiveAgent.yar"
include "./malware/MALW_Zegost.yar"
include "./malware/MALW_Zeus.yar"
include "./malware/MALW_adwind_RAT.yar"
include "./malware/MALW_hancitor.yar"
include "./malware/MALW_kpot.yar"
include "./malware/MALW_marap.yar"
include "./malware/MALW_shifu_shiz.yar"
......
index_w_mobile.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./Antidebug_AntiVM/antidebug_antivm.yar"
include "./CVE_Rules/CVE-2010-0805.yar"
......@@ -15,7 +15,9 @@ include "./CVE_Rules/CVE-2015-2545.yar"
include "./CVE_Rules/CVE-2015-5119.yar"
include "./CVE_Rules/CVE-2016-5195.yar"
include "./CVE_Rules/CVE-2017-11882.yar"
include "./CVE_Rules/CVE-2018-20250.yar"
include "./CVE_Rules/CVE-2018-4878.yar"
include "./Capabilities/capabilities.yar"
include "./Crypto/crypto_signatures.yar"
include "./Exploit-Kits/EK_Angler.yar"
include "./Exploit-Kits/EK_Blackhole.yar"
......@@ -28,6 +30,8 @@ include "./Exploit-Kits/EK_Sakura.yar"
include "./Exploit-Kits/EK_ZeroAcces.yar"
include "./Exploit-Kits/EK_Zerox88.yar"
include "./Exploit-Kits/EK_Zeus.yar"
include "./Malicious_Documents/Maldoc_APT10_MenuPass.yar"
include "./Malicious_Documents/Maldoc_APT19_CVE-2017-1099.yar"
include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
......@@ -114,6 +118,7 @@ include "./Packers/packer.yar"
include "./Packers/packer_compiler_signatures.yar"
include "./Packers/peid.yar"
include "./Webshells/WShell_APT_Laudanum.yar"
include "./Webshells/WShell_ASPXSpy.yar"
include "./Webshells/WShell_PHP_Anuna.yar"
include "./Webshells/WShell_PHP_in_images.yar"
include "./Webshells/WShell_THOR_Webshells.yar"
......@@ -207,6 +212,7 @@ include "./malware/APT_Turla_Neuron.yar"
include "./malware/APT_Turla_RUAG.yar"
include "./malware/APT_UP007_SLServer.yar"
include "./malware/APT_Unit78020.yar"
include "./malware/APT_Uppercut.yar"
include "./malware/APT_Waterbug.yar"
include "./malware/APT_WildNeutron.yar"
include "./malware/APT_Windigo_Onimiki.yar"
......@@ -218,6 +224,8 @@ include "./malware/APT_fancybear_downdelph.yar"
include "./malware/APT_furtim.yar"
include "./malware/EXPERIMENTAL_Beef.yar"
include "./malware/GEN_PowerShell.yar"
include "./malware/MALW_ATMPot.yar"
include "./malware/MALW_ATM_HelloWorld.yar"
include "./malware/MALW_AZORULT.yar"
include "./malware/MALW_AgentTesla.yar"
include "./malware/MALW_AgentTesla_SMTP.yar"
......@@ -279,6 +287,7 @@ include "./malware/MALW_IotReaper.yar"
include "./malware/MALW_Jolob_Backdoor.yar"
include "./malware/MALW_KINS.yar"
include "./malware/MALW_Kelihos.yar"
include "./malware/MALW_KeyBase.yar"
include "./malware/MALW_Korlia.yar"
include "./malware/MALW_Korplug.yar"
include "./malware/MALW_Kovter.yar"
......@@ -320,6 +329,7 @@ include "./malware/MALW_PE_sections.yar"
include "./malware/MALW_PittyTiger.yar"
include "./malware/MALW_Ponmocup.yar"
include "./malware/MALW_Pony.yar"
include "./malware/MALW_Predator.yar"
include "./malware/MALW_PubSab.yar"
include "./malware/MALW_PyPI.yar"
include "./malware/MALW_Pyinstaller.yar"
......@@ -364,9 +374,11 @@ include "./malware/MALW_XHide.yar"
include "./malware/MALW_XMRIG_Miner.yar"
include "./malware/MALW_XOR_DDos.yar"
include "./malware/MALW_Yayih.yar"
include "./malware/MALW_Yordanyan_ActiveAgent.yar"
include "./malware/MALW_Zegost.yar"
include "./malware/MALW_Zeus.yar"
include "./malware/MALW_adwind_RAT.yar"
include "./malware/MALW_hancitor.yar"
include "./malware/MALW_kpot.yar"
include "./malware/MALW_marap.yar"
include "./malware/MALW_shifu_shiz.yar"
......
malware/000_common_rules.yar
......@@ -7,7 +7,7 @@
Rules that are included in several other files.
*/
rule is__elf {
private rule is__elf {
meta:
author = "@mmorenog,@yararules"
strings:
......
malware/MALW_ATMPot.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Generic_ATMPot : Generic_ATMPot
{
meta:
description = "Generic rule for Winpot aka ATMPot"
author = "xylitol@temari.fr"
date = "2019-02-24"
reference = "https://securelist.com/atm-robber-winpot/89611/"
// May only the challenge guide you
strings:
$api1 = "CSCCNG" ascii wide
$api2 = "CscCngOpen" ascii wide
$api3 = "CscCngClose" ascii wide
$string1 = "%d,%02d;" ascii wide
/*
0xD:
.text:004022EC FF 15 20 70 40 00 CALL DWORD PTR DS:[407020] ; cscwcng.CscCngDispense
.text:004022F2 F6 C4 80 TEST AH,80
winpot:
.text:004019D4 FF 15 24 60 40 00 CALL DWORD PTR DS:[406024] ; cscwcng.CscCngDispense
.text:004019DA F6 C4 80 TEST AH,80
*/
$hex1 = { FF 15 ?? ?? ?? ?? F6 C4 80 }
/*
0xD...: 0040506E 25 31 5B 31 2D 34 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D: %1[1-4]VAL=%8[0-9]
winpot: 0040404D 25 31 5B 30 2D 39 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D: %1[0-9]VAL=%8[0-9]
*/
$hex2 = { 25 31 5B ?? 2D ?? 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
malware/MALW_ATM_HelloWorld.yar 0 → 100644
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule ATM_HelloWorld : malware
{
meta:
description = "Search strings and procedure in HelloWorld ATM Malware"
author = "xylitol@temari.fr"
date = "2019-01-13"
strings:
$api1 = "CscCngOpen" ascii wide
$api2 = "CscCngClose" ascii wide
$string1 = "%d,%02d;" ascii wide
$string2 = "MAX_NOTES" ascii wide
$hex_var1 = { FF 15 ?? ?? ?? ?? BF 00 80 00 00 85 C7 }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
malware/MALW_KeyBase.yar 0 → 100644
rule MALW_KeyBase
{
meta:
description = "Identifies KeyBase aka Kibex."
author = "@bartblaze"
date = "2019-02"
tlp = "White"
strings:
$s1 = " End:]" ascii wide
$s2 = "Keystrokes typed:" ascii wide
$s3 = "Machine Time:" ascii wide
$s4 = "Text:" ascii wide
$s5 = "Time:" ascii wide
$s6 = "Window title:" ascii wide
$x1 = "&application=" ascii wide
$x2 = "&clipboardtext=" ascii wide
$x3 = "&keystrokestyped=" ascii wide
$x4 = "&link=" ascii wide
$x5 = "&username=" ascii wide
$x6 = "&windowtitle=" ascii wide
$x7 = "=drowssap&" ascii wide
$x8 = "=emitenihcam&" ascii wide
condition:
uint16(0) == 0x5a4d and (
5 of ($s*) or 6 of ($x*) or
( 4 of ($s*) and 4 of ($x*) )
)
}
malware/MALW_PE_sections.yar
......@@ -82,5 +82,8 @@ rule suspicious_packer_section : packer PE {
$s63 = "UPX!" wide ascii
condition:
(uint16(0) == 0x457f and 1 of them)
// DOS stub signature PE signature
uint16(0) == 0x5a4d and uint32be(uint32(0x3c)) == 0x50450000 and (
for any of them : ( $ in (0..1024) )
)
}
malware/RAT_Xtreme.yar
......@@ -73,7 +73,7 @@ rule XtremeRATStrings : XtremeRAT Family
$ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
condition:
any of them
all of them
}
rule XtremeRAT : Family
......
malware_index.yar
/*
Generated by Yara-Rules
On 07-10-2018
On 27-03-2019
*/
include "./malware/000_common_rules.yar"
include "./malware/APT_APT1.yar"
......@@ -83,6 +83,7 @@ include "./malware/APT_Turla_Neuron.yar"
include "./malware/APT_Turla_RUAG.yar"
include "./malware/APT_UP007_SLServer.yar"
include "./malware/APT_Unit78020.yar"
include "./malware/APT_Uppercut.yar"
include "./malware/APT_Waterbug.yar"
include "./malware/APT_WildNeutron.yar"
include "./malware/APT_Windigo_Onimiki.yar"
......@@ -94,6 +95,8 @@ include "./malware/APT_fancybear_downdelph.yar"
include "./malware/APT_furtim.yar"
include "./malware/EXPERIMENTAL_Beef.yar"
include "./malware/GEN_PowerShell.yar"
include "./malware/MALW_ATMPot.yar"
include "./malware/MALW_ATM_HelloWorld.yar"
include "./malware/MALW_AZORULT.yar"
include "./malware/MALW_AgentTesla.yar"
include "./malware/MALW_AgentTesla_SMTP.yar"
......@@ -155,6 +158,7 @@ include "./malware/MALW_IotReaper.yar"
include "./malware/MALW_Jolob_Backdoor.yar"
include "./malware/MALW_KINS.yar"
include "./malware/MALW_Kelihos.yar"
include "./malware/MALW_KeyBase.yar"
include "./malware/MALW_Korlia.yar"
include "./malware/MALW_Korplug.yar"
include "./malware/MALW_Kovter.yar"
......@@ -196,6 +200,7 @@ include "./malware/MALW_PE_sections.yar"
include "./malware/MALW_PittyTiger.yar"
include "./malware/MALW_Ponmocup.yar"
include "./malware/MALW_Pony.yar"
include "./malware/MALW_Predator.yar"
include "./malware/MALW_PubSab.yar"
include "./malware/MALW_PyPI.yar"
include "./malware/MALW_Pyinstaller.yar"
......@@ -240,9 +245,11 @@ include "./malware/MALW_XHide.yar"
include "./malware/MALW_XMRIG_Miner.yar"
include "./malware/MALW_XOR_DDos.yar"
include "./malware/MALW_Yayih.yar"
include "./malware/MALW_Yordanyan_ActiveAgent.yar"
include "./malware/MALW_Zegost.yar"
include "./malware/MALW_Zeus.yar"
include "./malware/MALW_adwind_RAT.yar"
include "./malware/MALW_hancitor.yar"
include "./malware/MALW_kpot.yar"
include "./malware/MALW_marap.yar"
include "./malware/MALW_shifu_shiz.yar"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment