Delete generic_anomalies.yar

malware/generic_anomalies.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-*/
-
-/*
-
-   Generic Anomalies
-
-   Florian Roth
-   BSK Consulting GmbH
-
-	License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
-	Copyright and related rights waived via https://creativecommons.org/licenses/by-nc-sa/4.0/
-
-*/
-rule Embedded_EXE_Cloaking {
-        meta:
-                description = "Detects an embedded executable in a non-executable file"
-                author = "Florian Roth"
-                date = "2015/02/27"
-                score = 65
-        strings:
-                $noex_png = { 89 50 4E 47 }
-                $noex_pdf = { 25 50 44 46 }
-                $noex_rtf = { 7B 5C 72 74 66 31 }
-                $noex_jpg = { FF D8 FF E0 }
-                $noex_gif = { 47 49 46 38 }
-                $mz  = { 4D 5A }
-                $a1 = "This program cannot be run in DOS mode"
-                $a2 = "This program must be run under Win32"
-        condition:
-                (
-                        ( $noex_png at 0 ) or
-                        ( $noex_pdf at 0 ) or
-                        ( $noex_rtf at 0 ) or
-                        ( $noex_jpg at 0 ) or
-                        ( $noex_gif at 0 )
-                )
-                and
-                for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
-}
-
-rule Cloaked_as_JPG {
-        meta:
-                description = "Detects a cloaked file as JPG"
-                author = "Florian Roth (eval section from Didier Stevens)"
-                date = "2015/02/29"
-                score = 40
-        condition:
-                uint16be(0x00) != 0xFFD8 and
-                extension matches /\.jpg/i and
-                filetype != "GIF"
-                /* and
-                not filepath contains "ASP.NET" */
-}
-
-rule GIFCloaked_Webshell {
-    meta:
-        description = "Detects a webshell that cloakes itself with GIF header(s) - Based on Dark Security Team Webshell"
-        author = "Florian Roth"
-        hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
-        score = 60
-    strings:
-        $magic = "GIF"
-        $s0 = "input type"
-        $s1 = "<%eval request"
-        $s2 = "<%eval(Request.Item["
-        $s3 = "LANGUAGE='VBScript'"
-    condition:
-        ( $magic at 0 ) and ( 1 of ($s*) )
-}
-
-/*
-    Yara Rule Set
-    Author: Florian Roth
-    Date: 2015-12-21
-    Identifier: Uncommon File Sizes
-*/
-
-rule Suspicious_Size_explorer_exe {
-    meta:
-        description = "Detects uncommon file size of explorer.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-21"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "explorer.exe"
-        and ( filesize < 1000KB or filesize > 3000KB )
-}
-
-rule Suspicious_Size_chrome_exe {
-    meta:
-        description = "Detects uncommon file size of chrome.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-21"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "chrome.exe"
-        and ( filesize < 500KB or filesize > 1300KB )
-}
-
-rule Suspicious_Size_csrss_exe {
-    meta:
-        description = "Detects uncommon file size of csrss.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-21"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "csrss.exe"
-        and ( filesize > 18KB )
-}
-
-rule Suspicious_Size_iexplore_exe {
-    meta:
-        description = "Detects uncommon file size of iexplore.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-21"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "iexplore.exe"
-        and ( filesize < 75KB or filesize > 910KB )
-}
-
-rule Suspicious_Size_firefox_exe {
-    meta:
-        description = "Detects uncommon file size of firefox.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-21"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "firefox.exe"
-        and ( filesize < 265KB or filesize > 910KB )
-}
-
-rule Suspicious_Size_java_exe {
-    meta:
-        description = "Detects uncommon file size of java.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-21"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "java.exe"
-        and ( filesize < 130KB or filesize > 900KB )
-}
-
-rule Suspicious_Size_lsass_exe {
-    meta:
-        description = "Detects uncommon file size of lsass.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-21"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "lsass.exe"
-        and ( filesize < 13KB or filesize > 58KB )
-}
-
-rule Suspicious_Size_svchost_exe {
-    meta:
-        description = "Detects uncommon file size of svchost.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-21"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "svchost.exe"
-        and ( filesize < 14KB or filesize > 40KB )
-}
-
-rule Suspicious_Size_winlogon_exe {
-    meta:
-        description = "Detects uncommon file size of winlogon.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-21"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "winlogon.exe"
-        and ( filesize < 279KB or filesize > 580KB )
-}
-
-rule Suspicious_Size_igfxhk_exe {
-    meta:
-        description = "Detects uncommon file size of igfxhk.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-21"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "igfxhk.exe"
-        and ( filesize < 200KB or filesize > 265KB )
-}
-
-rule Suspicious_Size_servicehost_dll {
-    meta:
-        description = "Detects uncommon file size of servicehost.dll"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-23"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "servicehost.dll"
-        and filesize > 150KB
-}
-
-rule Suspicious_Size_rundll32_exe {
-    meta:
-        description = "Detects uncommon file size of rundll32.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-23"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "rundll32.exe"
-        and ( filesize < 30KB or filesize > 60KB )
-}
-
-rule Suspicious_Size_taskhost_exe {
-    meta:
-        description = "Detects uncommon file size of taskhost.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-23"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "taskhost.exe"
-        and ( filesize < 45KB or filesize > 85KB )
-}
-
-rule Suspicious_Size_spoolsv_exe {
-    meta:
-        description = "Detects uncommon file size of spoolsv.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-23"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "spoolsv.exe"
-        and ( filesize < 50KB or filesize > 800KB )
-}
-
-rule Suspicious_Size_smss_exe {
-    meta:
-        description = "Detects uncommon file size of smss.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-23"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "smss.exe"
-        and ( filesize < 40KB or filesize > 140KB )
-}
-
-rule Suspicious_Size_wininit_exe {
-    meta:
-        description = "Detects uncommon file size of wininit.exe"
-        author = "Florian Roth"
-        score = 60
-        date = "2015-12-23"
-    condition:
-        uint16(0) == 0x5a4d
-        and filename == "wininit.exe"
-        and ( filesize < 90KB or filesize > 300KB )
-}