Merge pull request #2 from Yara-Rules/master

sync my repo with the reference base yara-rules

.travis.yml

@@ -5,8 +5,8 @@ before_install:
   - sudo apt-get -qq update
   - sudo apt-get install jq
 # Yara
-#  - wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara.tar.gz
-  - wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/9250110 | jq -r ".tarball_url") -O yara.tar.gz
+  - wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara.tar.gz
+  #- wget $(wget -O - https://api.github.com/repos/VirusTotal/yara/releases/9250110 | jq -r ".tarball_url") -O yara.tar.gz
   - mkdir yara
   - tar -C yara -xzvf yara.tar.gz --strip-components 1
 # Androguard for Yara

Antidebug_AntiVM_index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./Antidebug_AntiVM/antidebug_antivm.yar"

CVE_Rules/CVE-2018-20250.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
+{
+    meta:
+        description = "Generic rule for hostile ACE archive using CVE-2018-20250"
+        author = "xylitol@temari.fr"
+        date = "2019-03-17"
+        reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
+        // May only the challenge guide you
+    strings:
+        $string1 = "**ACE**" ascii wide
+        $string2 = "*UNREGISTERED VERSION*" ascii wide
+        // $hexstring1 = C:\C:\
+        $hexstring1 = {?? 3A 5C ?? 3A 5C}
+        // $hexstring2 = C:\C:C:..
+        $hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E}
+    condition:  
+         $string1 at 7 and $string2 at 31 and 1 of ($hexstring*)
+}

CVE_Rules_index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./CVE_Rules/CVE-2010-0805.yar"
 include "./CVE_Rules/CVE-2010-0887.yar"
@@ -14,4 +14,5 @@ include "./CVE_Rules/CVE-2015-2545.yar"
 include "./CVE_Rules/CVE-2015-5119.yar"
 include "./CVE_Rules/CVE-2016-5195.yar"
 include "./CVE_Rules/CVE-2017-11882.yar"
+include "./CVE_Rules/CVE-2018-20250.yar"
 include "./CVE_Rules/CVE-2018-4878.yar"

Capabilities_index.yar

+/*
+Generated by Yara-Rules
+On 27-03-2019
+*/
+include "./Capabilities/capabilities.yar"

Crypto_index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./Crypto/crypto_signatures.yar"

Exploit-Kits_index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./Exploit-Kits/EK_Angler.yar"
 include "./Exploit-Kits/EK_Blackhole.yar"

Malicious_Documents_index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
+include "./Malicious_Documents/Maldoc_APT10_MenuPass.yar"
+include "./Malicious_Documents/Maldoc_APT19_CVE-2017-1099.yar"
 include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
 include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
 include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"

Mobile_Malware_index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./Mobile_Malware/Android_ASSDdeveloper.yar"
 include "./Mobile_Malware/Android_AVITOMMS.yar"

Packers_index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./Packers/JJencode.yar"
 include "./Packers/Javascript_exploit_and_obfuscation.yar"

README.md

@@ -32,6 +32,10 @@ Also, you will need [Androguard Module](https://github.com/Koodous/androguard-ya
 
 In this section you will find Yara Rules aimed toward the detection of anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
 
+## Capabilities
+
+In this section you will find Yara rules to detect capabilities that do not fit into any of the other categories.  They are useful to know for analysis but may not be malicious indicators on their own.
+
 ## CVE_Rules
 
 In this section you will find Yara Rules specialised toward the identification of specific Common Vulnerabilities and Exposures (CVEs)

Webshells/WShell_ASPXSpy.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule Backdoor_WebShell_asp : ASPXSpy
+{
+    meta:
+    description= "Detect ASPXSpy"
+    author = "xylitol@temari.fr"
+    date = "2019-02-26"
+    // May only the challenge guide you
+    strings:
+    $string1 = "CmdShell" wide ascii
+    $string2 = "ADSViewer" wide ascii
+    $string3 = "ASPXSpy.Bin" wide ascii
+    $string4 = "PortScan" wide ascii
+    $plugin = "Test.AspxSpyPlugins" wide ascii
+ 
+    condition:
+    3 of ($string*) or $plugin
+}

Webshells_index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./Webshells/WShell_APT_Laudanum.yar"
+include "./Webshells/WShell_ASPXSpy.yar"
 include "./Webshells/WShell_PHP_Anuna.yar"
 include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/WShell_THOR_Webshells.yar"

email_index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./email/EMAIL_Cryptowall.yar"
 include "./email/attachment.yar"

index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./Antidebug_AntiVM/antidebug_antivm.yar"
 include "./CVE_Rules/CVE-2010-0805.yar"
@@ -15,7 +15,9 @@ include "./CVE_Rules/CVE-2015-2545.yar"
 include "./CVE_Rules/CVE-2015-5119.yar"
 include "./CVE_Rules/CVE-2016-5195.yar"
 include "./CVE_Rules/CVE-2017-11882.yar"
+include "./CVE_Rules/CVE-2018-20250.yar"
 include "./CVE_Rules/CVE-2018-4878.yar"
+include "./Capabilities/capabilities.yar"
 include "./Crypto/crypto_signatures.yar"
 include "./Exploit-Kits/EK_Angler.yar"
 include "./Exploit-Kits/EK_Blackhole.yar"
@@ -28,6 +30,8 @@ include "./Exploit-Kits/EK_Sakura.yar"
 include "./Exploit-Kits/EK_ZeroAcces.yar"
 include "./Exploit-Kits/EK_Zerox88.yar"
 include "./Exploit-Kits/EK_Zeus.yar"
+include "./Malicious_Documents/Maldoc_APT10_MenuPass.yar"
+include "./Malicious_Documents/Maldoc_APT19_CVE-2017-1099.yar"
 include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
 include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
 include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
@@ -51,6 +55,7 @@ include "./Packers/packer.yar"
 include "./Packers/packer_compiler_signatures.yar"
 include "./Packers/peid.yar"
 include "./Webshells/WShell_APT_Laudanum.yar"
+include "./Webshells/WShell_ASPXSpy.yar"
 include "./Webshells/WShell_PHP_Anuna.yar"
 include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/WShell_THOR_Webshells.yar"
@@ -144,6 +149,7 @@ include "./malware/APT_Turla_Neuron.yar"
 include "./malware/APT_Turla_RUAG.yar"
 include "./malware/APT_UP007_SLServer.yar"
 include "./malware/APT_Unit78020.yar"
+include "./malware/APT_Uppercut.yar"
 include "./malware/APT_Waterbug.yar"
 include "./malware/APT_WildNeutron.yar"
 include "./malware/APT_Windigo_Onimiki.yar"
@@ -155,6 +161,8 @@ include "./malware/APT_fancybear_downdelph.yar"
 include "./malware/APT_furtim.yar"
 include "./malware/EXPERIMENTAL_Beef.yar"
 include "./malware/GEN_PowerShell.yar"
+include "./malware/MALW_ATMPot.yar"
+include "./malware/MALW_ATM_HelloWorld.yar"
 include "./malware/MALW_AZORULT.yar"
 include "./malware/MALW_AgentTesla.yar"
 include "./malware/MALW_AgentTesla_SMTP.yar"
@@ -216,6 +224,7 @@ include "./malware/MALW_IotReaper.yar"
 include "./malware/MALW_Jolob_Backdoor.yar"
 include "./malware/MALW_KINS.yar"
 include "./malware/MALW_Kelihos.yar"
+include "./malware/MALW_KeyBase.yar"
 include "./malware/MALW_Korlia.yar"
 include "./malware/MALW_Korplug.yar"
 include "./malware/MALW_Kovter.yar"
@@ -257,6 +266,7 @@ include "./malware/MALW_PE_sections.yar"
 include "./malware/MALW_PittyTiger.yar"
 include "./malware/MALW_Ponmocup.yar"
 include "./malware/MALW_Pony.yar"
+include "./malware/MALW_Predator.yar"
 include "./malware/MALW_PubSab.yar"
 include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Pyinstaller.yar"
@@ -301,9 +311,11 @@ include "./malware/MALW_XHide.yar"
 include "./malware/MALW_XMRIG_Miner.yar"
 include "./malware/MALW_XOR_DDos.yar"
 include "./malware/MALW_Yayih.yar"
+include "./malware/MALW_Yordanyan_ActiveAgent.yar"
 include "./malware/MALW_Zegost.yar"
 include "./malware/MALW_Zeus.yar"
 include "./malware/MALW_adwind_RAT.yar"
+include "./malware/MALW_hancitor.yar"
 include "./malware/MALW_kpot.yar"
 include "./malware/MALW_marap.yar"
 include "./malware/MALW_shifu_shiz.yar"

index_w_mobile.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./Antidebug_AntiVM/antidebug_antivm.yar"
 include "./CVE_Rules/CVE-2010-0805.yar"
@@ -15,7 +15,9 @@ include "./CVE_Rules/CVE-2015-2545.yar"
 include "./CVE_Rules/CVE-2015-5119.yar"
 include "./CVE_Rules/CVE-2016-5195.yar"
 include "./CVE_Rules/CVE-2017-11882.yar"
+include "./CVE_Rules/CVE-2018-20250.yar"
 include "./CVE_Rules/CVE-2018-4878.yar"
+include "./Capabilities/capabilities.yar"
 include "./Crypto/crypto_signatures.yar"
 include "./Exploit-Kits/EK_Angler.yar"
 include "./Exploit-Kits/EK_Blackhole.yar"
@@ -28,6 +30,8 @@ include "./Exploit-Kits/EK_Sakura.yar"
 include "./Exploit-Kits/EK_ZeroAcces.yar"
 include "./Exploit-Kits/EK_Zerox88.yar"
 include "./Exploit-Kits/EK_Zeus.yar"
+include "./Malicious_Documents/Maldoc_APT10_MenuPass.yar"
+include "./Malicious_Documents/Maldoc_APT19_CVE-2017-1099.yar"
 include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
 include "./Malicious_Documents/Maldoc_CVE-2017-0199.yar"
 include "./Malicious_Documents/Maldoc_CVE_2017_11882.yar"
@@ -114,6 +118,7 @@ include "./Packers/packer.yar"
 include "./Packers/packer_compiler_signatures.yar"
 include "./Packers/peid.yar"
 include "./Webshells/WShell_APT_Laudanum.yar"
+include "./Webshells/WShell_ASPXSpy.yar"
 include "./Webshells/WShell_PHP_Anuna.yar"
 include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/WShell_THOR_Webshells.yar"
@@ -207,6 +212,7 @@ include "./malware/APT_Turla_Neuron.yar"
 include "./malware/APT_Turla_RUAG.yar"
 include "./malware/APT_UP007_SLServer.yar"
 include "./malware/APT_Unit78020.yar"
+include "./malware/APT_Uppercut.yar"
 include "./malware/APT_Waterbug.yar"
 include "./malware/APT_WildNeutron.yar"
 include "./malware/APT_Windigo_Onimiki.yar"
@@ -218,6 +224,8 @@ include "./malware/APT_fancybear_downdelph.yar"
 include "./malware/APT_furtim.yar"
 include "./malware/EXPERIMENTAL_Beef.yar"
 include "./malware/GEN_PowerShell.yar"
+include "./malware/MALW_ATMPot.yar"
+include "./malware/MALW_ATM_HelloWorld.yar"
 include "./malware/MALW_AZORULT.yar"
 include "./malware/MALW_AgentTesla.yar"
 include "./malware/MALW_AgentTesla_SMTP.yar"
@@ -279,6 +287,7 @@ include "./malware/MALW_IotReaper.yar"
 include "./malware/MALW_Jolob_Backdoor.yar"
 include "./malware/MALW_KINS.yar"
 include "./malware/MALW_Kelihos.yar"
+include "./malware/MALW_KeyBase.yar"
 include "./malware/MALW_Korlia.yar"
 include "./malware/MALW_Korplug.yar"
 include "./malware/MALW_Kovter.yar"
@@ -320,6 +329,7 @@ include "./malware/MALW_PE_sections.yar"
 include "./malware/MALW_PittyTiger.yar"
 include "./malware/MALW_Ponmocup.yar"
 include "./malware/MALW_Pony.yar"
+include "./malware/MALW_Predator.yar"
 include "./malware/MALW_PubSab.yar"
 include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Pyinstaller.yar"
@@ -364,9 +374,11 @@ include "./malware/MALW_XHide.yar"
 include "./malware/MALW_XMRIG_Miner.yar"
 include "./malware/MALW_XOR_DDos.yar"
 include "./malware/MALW_Yayih.yar"
+include "./malware/MALW_Yordanyan_ActiveAgent.yar"
 include "./malware/MALW_Zegost.yar"
 include "./malware/MALW_Zeus.yar"
 include "./malware/MALW_adwind_RAT.yar"
+include "./malware/MALW_hancitor.yar"
 include "./malware/MALW_kpot.yar"
 include "./malware/MALW_marap.yar"
 include "./malware/MALW_shifu_shiz.yar"

malware/000_common_rules.yar

@@ -7,7 +7,7 @@
 	Rules that are included in several other files.
 */
 
-rule is__elf {
+private rule is__elf {
 	meta:
 		author = "@mmorenog,@yararules"
 	strings:

malware/MALW_ATMPot.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule Generic_ATMPot : Generic_ATMPot
+{
+    meta:
+        description = "Generic rule for Winpot aka ATMPot"
+        author = "xylitol@temari.fr"
+        date = "2019-02-24"
+        reference = "https://securelist.com/atm-robber-winpot/89611/"
+        // May only the challenge guide you
+    strings:
+        $api1 = "CSCCNG" ascii wide
+        $api2 = "CscCngOpen" ascii wide
+        $api3 = "CscCngClose" ascii wide
+        $string1 = "%d,%02d;" ascii wide
+/*
+0xD:
+.text:004022EC FF 15 20 70 40 00             CALL DWORD PTR DS:[407020]  ; cscwcng.CscCngDispense
+.text:004022F2 F6 C4 80                      TEST AH,80
+winpot:
+.text:004019D4 FF 15 24 60 40 00             CALL DWORD PTR DS:[406024]  ; cscwcng.CscCngDispense
+.text:004019DA F6 C4 80                      TEST AH,80
+*/
+        $hex1 = { FF 15 ?? ?? ?? ?? F6 C4 80 }
+/*
+0xD...: 0040506E  25 31 5B 31 2D 34 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D: %1[1-4]VAL=%8[0-9]
+winpot: 0040404D  25 31 5B 30 2D 39 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D: %1[0-9]VAL=%8[0-9]
+*/
+        $hex2 = { 25 31 5B ?? 2D ?? 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D }
+    condition:  
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
+}

malware/MALW_ATM_HelloWorld.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule ATM_HelloWorld : malware
+{
+    meta:
+        description = "Search strings and procedure in HelloWorld ATM Malware"
+        author = "xylitol@temari.fr"
+        date = "2019-01-13"
+
+    strings:
+        $api1 = "CscCngOpen" ascii wide
+        $api2 = "CscCngClose" ascii wide
+        $string1 = "%d,%02d;" ascii wide
+        $string2 = "MAX_NOTES" ascii wide
+        $hex_var1 = { FF 15 ?? ?? ?? ?? BF 00 80 00 00 85 C7 }
+
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
+}
+

malware/MALW_KeyBase.yar

+rule MALW_KeyBase
+{
+meta:
+	description = "Identifies KeyBase aka Kibex."
+	author = "@bartblaze"
+	date = "2019-02"
+	tlp = "White"
+
+strings:	
+	$s1 = " End:]" ascii wide
+	$s2 = "Keystrokes typed:" ascii wide
+	$s3 = "Machine Time:" ascii wide
+	$s4 = "Text:" ascii wide
+	$s5 = "Time:" ascii wide
+	$s6 = "Window title:" ascii wide
+	
+	$x1 = "&application=" ascii wide
+	$x2 = "&clipboardtext=" ascii wide
+	$x3 = "&keystrokestyped=" ascii wide
+	$x4 = "&link=" ascii wide
+	$x5 = "&username=" ascii wide
+	$x6 = "&windowtitle=" ascii wide
+	$x7 = "=drowssap&" ascii wide
+	$x8 = "=emitenihcam&" ascii wide
+
+condition:
+	uint16(0) == 0x5a4d and (
+		5 of ($s*) or 6 of ($x*) or
+		( 4 of ($s*) and 4 of ($x*) )
+	)
+}

malware/MALW_PE_sections.yar

@@ -82,5 +82,8 @@ rule suspicious_packer_section : packer PE {
         $s63 = "UPX!" wide ascii
 
     condition:
-        (uint16(0) == 0x457f and 1 of them)
+        // DOS stub signature                           PE signature
+        uint16(0) == 0x5a4d and uint32be(uint32(0x3c)) == 0x50450000 and (
+            for any of them : ( $ in (0..1024) )
+        )
 }

malware/RAT_Xtreme.yar

@@ -73,7 +73,7 @@ rule XtremeRATStrings : XtremeRAT Family
         $ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
         
     condition:
-       any of them
+        all of them
 }
 
 rule XtremeRAT : Family

malware_index.yar

 /*
 Generated by Yara-Rules
-On 07-10-2018
+On 27-03-2019
 */
 include "./malware/000_common_rules.yar"
 include "./malware/APT_APT1.yar"
@@ -83,6 +83,7 @@ include "./malware/APT_Turla_Neuron.yar"
 include "./malware/APT_Turla_RUAG.yar"
 include "./malware/APT_UP007_SLServer.yar"
 include "./malware/APT_Unit78020.yar"
+include "./malware/APT_Uppercut.yar"
 include "./malware/APT_Waterbug.yar"
 include "./malware/APT_WildNeutron.yar"
 include "./malware/APT_Windigo_Onimiki.yar"
@@ -94,6 +95,8 @@ include "./malware/APT_fancybear_downdelph.yar"
 include "./malware/APT_furtim.yar"
 include "./malware/EXPERIMENTAL_Beef.yar"
 include "./malware/GEN_PowerShell.yar"
+include "./malware/MALW_ATMPot.yar"
+include "./malware/MALW_ATM_HelloWorld.yar"
 include "./malware/MALW_AZORULT.yar"
 include "./malware/MALW_AgentTesla.yar"
 include "./malware/MALW_AgentTesla_SMTP.yar"
@@ -155,6 +158,7 @@ include "./malware/MALW_IotReaper.yar"
 include "./malware/MALW_Jolob_Backdoor.yar"
 include "./malware/MALW_KINS.yar"
 include "./malware/MALW_Kelihos.yar"
+include "./malware/MALW_KeyBase.yar"
 include "./malware/MALW_Korlia.yar"
 include "./malware/MALW_Korplug.yar"
 include "./malware/MALW_Kovter.yar"
@@ -196,6 +200,7 @@ include "./malware/MALW_PE_sections.yar"
 include "./malware/MALW_PittyTiger.yar"
 include "./malware/MALW_Ponmocup.yar"
 include "./malware/MALW_Pony.yar"
+include "./malware/MALW_Predator.yar"
 include "./malware/MALW_PubSab.yar"
 include "./malware/MALW_PyPI.yar"
 include "./malware/MALW_Pyinstaller.yar"
@@ -240,9 +245,11 @@ include "./malware/MALW_XHide.yar"
 include "./malware/MALW_XMRIG_Miner.yar"
 include "./malware/MALW_XOR_DDos.yar"
 include "./malware/MALW_Yayih.yar"
+include "./malware/MALW_Yordanyan_ActiveAgent.yar"
 include "./malware/MALW_Zegost.yar"
 include "./malware/MALW_Zeus.yar"
 include "./malware/MALW_adwind_RAT.yar"
+include "./malware/MALW_hancitor.yar"
 include "./malware/MALW_kpot.yar"
 include "./malware/MALW_marap.yar"
 include "./malware/MALW_shifu_shiz.yar"