fact-depend
rules
Commit d9c8783f authored Apr 08, 2017 by Xumeiquer
Adding malware/APT_Grasshopper.yar
parent 35e8f200
Showing 16 changed files with 342 additions and 185 deletions (+342 -185)
antidebug_antivm.yar
Antidebug_AntiVM/antidebug_antivm.yar
+168
-168
Antidebug_AntiVM_index.yar
Antidebug_AntiVM_index.yar
+1
-1
CVE-2010-0805.yar
CVE_Rules/CVE-2010-0805.yar
+1
-1
CVE_Rules_index.yar
CVE_Rules_index.yar
+1
-1
Crypto_index.yar
Crypto_index.yar
+1
-1
Exploit-Kits_index.yar
Exploit-Kits_index.yar
+1
-1
Malicious_Documents_index.yar
Malicious_Documents_index.yar
+1
-1
Mobile_Malware_index.yar
Mobile_Malware_index.yar
+1
-1
Packers_index.yar
Packers_index.yar
+1
-1
Webshells_index.yar
Webshells_index.yar
+1
-1
email_index.yar
email_index.yar
+1
-1
index.yar
index.yar
+6
-1
index_w_mobile.yar
index_w_mobile.yar
+6
-1
APT_Grasshopper.yar
malware/APT_Grasshopper.yar
+142
-0
MALW_Corkow.yar
malware/MALW_Corkow.yar
+4
-4
malware_index.yar
malware_index.yar
+6
-1
Antidebug_AntiVM/antidebug_antivm.yar
...
...
@@ -331,7 +331,7 @@ rule Check_VBox_Description
strings:
$key = "HARDWARE\\Description\\System" nocase wide ascii
$value = "SystemBiosVersion" nocase wide ascii
$data = "VBOX" nocase wide ascii
$data = "VBOX" nocase wide ascii
condition:
all of them
}
...
...
@@ -357,7 +357,7 @@ rule Check_VBox_Guest_Additions
strings:
$key = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" wide ascii nocase
condition:
any of them
any of them
}
rule Check_VBox_VideoDrivers
{
...
...
@@ -494,7 +494,7 @@ rule Check_Debugger
Description = "Looks for both isDebuggerPresent and CheckRemoteDebuggerPresent"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
condition:
pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
pe.imports("kernel32.dll","IsDebuggerPresent")
}
...
...
@@ -507,10 +507,10 @@ rule Check_DriveSize
strings:
$physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase
$dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO
$dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO
condition:
pe.imports("kernel32.dll","CreateFileA") and
pe.imports("kernel32.dll","DeviceIoControl") and
pe.imports("kernel32.dll","CreateFileA") and
pe.imports("kernel32.dll","DeviceIoControl") and
$dwIoControlCode and
$physicaldrive
}
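Review bot: the comment on the `$dwIoControlCode` line misspells `DeviceIoControl` as `deviceoiocontrol`; since this line is already being rewritten here (the rendered pair is a whitespace-only change), fix the spelling in the same edit. The opcode annotation itself is correct: `68 5c 40 07 00` is `push 0x7405C`, which is IOCTL_DISK_GET_LENGTH_INFO, and the `[0-5]` jump before `FF 15` leaves room for the handle push.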
...
...
@@ -520,7 +520,7 @@ rule Check_FilePaths
Author = "Nick Hoffman"
Description = "Checks for filepaths containing popular sandbox names"
Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings:
strings:
$path1 = "SANDBOX" wide ascii
$path2 = "\\SAMPLE" wide ascii
$path3 = "\\VIRUS" wide ascii
...
...
@@ -563,12 +563,12 @@ rule Check_unhandledExceptionFiler_iat {
meta:
Author = "http://twitter.com/j0sm1"
Description = "it's checked if UnhandledExceptionFilter is imported"
Description = "it's checked if UnhandledExceptionFilter is imported"
Date = "20/04/2015"
Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter"
condition:
pe.imports("kernel32.dll","UnhandledExceptionFilter")
pe.imports("kernel32.dll","UnhandledExceptionFilter")
}
*/
...
...
@@ -578,12 +578,12 @@ rule check_RaiseException_iat {
meta:
Author = "http://twitter.com/j0sm1"
Description = "it's checked if RaiseException is imported"
Description = "it's checked if RaiseException is imported"
Date = "20/04/2015"
Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html"
condition:
pe.imports("kernel32.dll","RaiseException")
pe.imports("kernel32.dll","RaiseException")
}
*/
...
...
@@ -591,14 +591,14 @@ rule Check_FindWindowA_iat {
meta:
Author = "http://twitter.com/j0sm1"
Description = "it's checked if FindWindowA() is imported"
Description = "it's checked if FindWindowA() is imported"
Date = "20/04/2015"
Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
strings:
$ollydbg = "OLLYDBG"
$windbg = "WinDbgFrameClass"
condition:
pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
}
...
...
@@ -618,14 +618,14 @@ rule DebuggerCheck__MemoryWorkingSet : AntiDebug DebuggerCheck {
rule WMI_VM_Detect : WMI_VM_Detect
{
meta:
version = 2
threat = "Using WMI to detect virtual machines via querying video card information"
behaviour_class = "Evasion"
author = "Joe Giron"
date = "2015-09-25"
description = "Detection of Virtual Appliances through the use of WMI for use of evasion."
strings:
$selstr = "SELECT Description FROM Win32_VideoController" nocase ascii wide
...
...
@@ -637,7 +637,7 @@ rule WMI_VM_Detect : WMI_VM_Detect
$vm5 = "remotefx" nocase ascii wide
$vm6 = "cirrus logic" nocase ascii wide
$vm7 = "matrox" nocase ascii wide
condition:
any of ($selstr*) and any of ($vm*)
...
...
@@ -651,11 +651,11 @@ rule anti_dbg {
version = "0.2"
strings:
$d1 = "Kernel32.dll" nocase
$c1 = "CheckRemoteDebuggerPresent"
$c2 = "IsDebuggerPresent"
$c3 = "OutputDebugString"
$c4 = "ContinueDebugEvent"
$c5 = "DebugActiveProcess"
$c1 = "CheckRemoteDebuggerPresent"
$c2 = "IsDebuggerPresent"
$c3 = "OutputDebugString"
$c4 = "ContinueDebugEvent"
$c5 = "DebugActiveProcess"
condition:
$d1 and 1 of ($c*)
}
...
...
@@ -673,14 +673,14 @@ rule anti_dbgtools {
$f5 = "fiddler.exe" nocase
$f6 = "windbg.exe" nocase
$f7 = "ollydbg.exe" nocase
$f8 = "winhex.exe" nocase
$f8 = "winhex.exe" nocase
$f9 = "processhacker.exe" nocase
$f10 = "hiew32.exe" nocase
$c11 = "\\\\.\\NTICE"
$c12 = "\\\\.\\SICE"
$c13 = "\\\\.\\Syser"
$c14 = "\\\\.\\SyserBoot"
$c15 = "\\\\.\\SyserDbgMsg"
$c11 = "\\\\.\\NTICE"
$c12 = "\\\\.\\SICE"
$c13 = "\\\\.\\Syser"
$c14 = "\\\\.\\SyserBoot"
$c15 = "\\\\.\\SyserDbgMsg"
condition:
any of them
}
...
...
@@ -692,8 +692,8 @@ rule antisb_joesanbox {
version = "0.1"
strings:
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
$c1 = "RegQueryValue"
$s1 = "55274-640-2673064-23950"
$c1 = "RegQueryValue"
$s1 = "55274-640-2673064-23950"
condition:
all of them
}
...
...
@@ -705,9 +705,9 @@ rule antisb_anubis {
version = "0.1"
strings:
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
$c1 = "RegQueryValue"
$s1 = "76487-337-8429955-22614"
$s2 = "76487-640-1457236-23837"
$c1 = "RegQueryValue"
$s1 = "76487-337-8429955-22614"
$s2 = "76487-640-1457236-23837"
condition:
$p1 and $c1 and 1 of ($s*)
}
...
...
@@ -718,7 +718,7 @@ rule antisb_threatExpert {
description = "Anti-Sandbox checks for ThreatExpert"
version = "0.1"
strings:
$f1 = "dbghelp.dll" nocase
$f1 = "dbghelp.dll" nocase
condition:
all of them
}
...
...
@@ -729,7 +729,7 @@ rule antisb_sandboxie {
description = "Anti-Sandbox checks for Sandboxie"
version = "0.1"
strings:
$f1 = "SbieDLL.dll" nocase
$f1 = "SbieDLL.dll" nocase
condition:
all of them
}
...
...
@@ -741,7 +741,7 @@ rule antisb_cwsandbox {
version = "0.1"
strings:
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
$s1 = "76487-644-3177037-23510"
$s1 = "76487-644-3177037-23510"
condition:
all of them
}
...
...
@@ -783,10 +783,10 @@ rule antivm_bios {
strings:
$p1 = "HARDWARE\\DESCRIPTION\\System" nocase
$p2 = "HARDWARE\\DESCRIPTION\\System\\BIOS" nocase
$c1 = "RegQueryValue"
$r1 = "SystemBiosVersion"
$r2 = "VideoBiosVersion"
$r3 = "SystemManufacturer"
$c1 = "RegQueryValue"
$r1 = "SystemBiosVersion"
$r2 = "VideoBiosVersion"
$r3 = "SystemManufacturer"
condition:
1 of ($p*) and 1 of ($c*) and 1 of ($r*)
}
...
...
@@ -800,13 +800,13 @@ rule disable_antivirus {
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" nocase
$p2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" nocase
$p3 = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" nocase
$c1 = "RegSetValue"
$r1 = "AntiVirusDisableNotify"
$r2 = "DontReportInfectionInformation"
$r3 = "DisableAntiSpyware"
$r4 = "RunInvalidSignatures"
$r5 = "AntiVirusOverride"
$r6 = "CheckExeSignatures"
$c1 = "RegSetValue"
$r1 = "AntiVirusDisableNotify"
$r2 = "DontReportInfectionInformation"
$r3 = "DisableAntiSpyware"
$r4 = "RunInvalidSignatures"
$r5 = "AntiVirusOverride"
$r6 = "CheckExeSignatures"
$f1 = "blackd.exe" nocase
$f2 = "blackice.exe" nocase
$f3 = "lockdown.exe" nocase
...
...
@@ -841,10 +841,10 @@ rule disable_firewall {
version = "0.1"
strings:
$p1 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy" nocase
$c1 = "RegSetValue"
$r1 = "FirewallPolicy"
$r2 = "EnableFirewall"
$r3 = "FirewallDisableNotify"
$c1 = "RegSetValue"
$r1 = "FirewallPolicy"
$r2 = "EnableFirewall"
$r3 = "FirewallDisableNotify"
$s1 = "netsh firewall add allowedprogram"
condition:
(1 of ($p*) and $c1 and 1 of ($r*)) or $s1
...
...
@@ -857,9 +857,9 @@ rule disable_registry {
version = "0.1"
strings:
$p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
$c1 = "RegSetValue"
$r1 = "DisableRegistryTools"
$r2 = "DisableRegedit"
$c1 = "RegSetValue"
$r1 = "DisableRegistryTools"
$r2 = "DisableRegedit"
condition:
1 of ($p*) and $c1 and 1 of ($r*)
}
...
...
@@ -870,11 +870,11 @@ rule disable_dep {
description = "Bypass DEP"
version = "0.1"
strings:
$c1 = "EnableExecuteProtectionSupport"
$c2 = "NtSetInformationProcess"
$c3 = "VirtualProctectEx"
$c4 = "SetProcessDEPPolicy"
$c5 = "ZwProtectVirtualMemory"
$c1 = "EnableExecuteProtectionSupport"
$c2 = "NtSetInformationProcess"
$c3 = "VirtualProctectEx"
$c4 = "SetProcessDEPPolicy"
$c5 = "ZwProtectVirtualMemory"
condition:
any of them
}
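Review bot: `$c3 = "VirtualProctectEx"` is misspelled (the API is `VirtualProtectEx`), so that string can never match and the rule silently loses one of its five indicators; the line is already being rewritten in this hunk, so correct the spelling here rather than carrying the typo forward.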
...
...
@@ -886,7 +886,7 @@ rule disable_taskmanager {
version = "0.1"
strings:
$p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
$r1 = "DisableTaskMgr"
$r1 = "DisableTaskMgr"
condition:
1 of ($p*) and 1 of ($r*)
}
...
...
@@ -897,13 +897,13 @@ rule inject_thread {
description = "Code injection with CreateRemoteThread in a remote process"
version = "0.1"
strings:
$c1 = "OpenProcess"
$c2 = "VirtualAllocEx"
$c3 = "NtWriteVirtualMemory"
$c4 = "WriteProcessMemory"
$c1 = "OpenProcess"
$c2 = "VirtualAllocEx"
$c3 = "NtWriteVirtualMemory"
$c4 = "WriteProcessMemory"
$c5 = "CreateRemoteThread"
$c6 = "CreateThread"
$c7 = "OpenProcess"
$c7 = "OpenProcess"
condition:
$c1 and $c2 and ( $c3 or $c4 ) and ( $c5 or $c6 or $c7 )
}
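Review bot: `$c7 = "OpenProcess"` is the same pattern as `$c1`, which makes the thread-creation clause `( $c5 or $c6 or $c7 )` always true whenever `$c1` holds; the rule therefore fires on OpenProcess + VirtualAllocEx + a memory write with no `CreateRemoteThread`/`CreateThread` at all, which is not what the description ("Code injection with CreateRemoteThread in a remote process") says. Drop `$c7` and reduce the clause to `( $c5 or $c6 )`, or replace it with a different thread-creation API if one was intended.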
...
...
@@ -917,8 +917,8 @@ rule create_process {
strings:
$f1 = "Shell32.dll" nocase
$f2 = "Kernel32.dll" nocase
$c1 = "ShellExecute"
$c2 = "WinExec"
$c1 = "ShellExecute"
$c2 = "WinExec"
$c3 = "CreateProcess"
$c4 = "CreateThread"
condition:
...
...
@@ -978,10 +978,10 @@ rule create_service {
version = "0.2"
strings:
$f1 = "Advapi32.dll" nocase
$c1 = "CreateService"
$c2 = "ControlService"
$c3 = "StartService"
$c4 = "QueryServiceStatus"
$c1 = "CreateService"
$c2 = "ControlService"
$c3 = "StartService"
$c4 = "QueryServiceStatus"
condition:
all of them
}
...
...
@@ -993,10 +993,10 @@ rule create_com_service {
version = "0.1"
strings:
$c1 = "DllCanUnloadNow" nocase
$c2 = "DllGetClassObject"
$c3 = "DllInstall"
$c4 = "DllRegisterServer"
$c5 = "DllUnregisterServer"
$c2 = "DllGetClassObject"
$c3 = "DllInstall"
$c4 = "DllRegisterServer"
$c5 = "DllUnregisterServer"
condition:
all of them
}
...
...
@@ -1010,12 +1010,12 @@ rule network_udp_sock {
$f1 = "Ws2_32.dll" nocase
$f2 = "System.Net" nocase
$f3 = "wsock32.dll" nocase
$c0 = "WSAStartup"
$c1 = "sendto"
$c2 = "recvfrom"
$c3 = "WSASendTo"
$c4 = "WSARecvFrom"
$c5 = "UdpClient"
$c0 = "WSAStartup"
$c1 = "sendto"
$c2 = "recvfrom"
$c3 = "WSASendTo"
$c4 = "WSARecvFrom"
$c5 = "UdpClient"
condition:
(($f1 or $f3) and 2 of ($c*)) or ($f2 and $c5)
}
...
...
@@ -1030,14 +1030,14 @@ rule network_tcp_listen {
$f2 = "Mswsock.dll" nocase
$f3 = "System.Net" nocase
$f4 = "wsock32.dll" nocase
$c1 = "bind"
$c2 = "accept"
$c1 = "bind"
$c2 = "accept"
$c3 = "GetAcceptExSockaddrs"
$c4 = "AcceptEx"
$c5 = "WSAStartup"
$c6 = "WSAAccept"
$c7 = "WSASocket"
$c8 = "TcpListener"
$c4 = "AcceptEx"
$c5 = "WSAStartup"
$c6 = "WSAAccept"
$c7 = "WSASocket"
$c8 = "TcpListener"
$c9 = "AcceptTcpClient"
$c10 = "listen"
condition:
...
...
@@ -1049,7 +1049,7 @@ rule network_dyndns {
author = "x0r"
description = "Communications dyndns network"
version = "0.1"
strings:
strings:
$s1 =".no-ip.org"
$s2 =".publicvm.com"
$s3 =".linkpc.net"
...
...
@@ -1092,7 +1092,7 @@ rule network_toredo {
author = "x0r"
description = "Communications over Toredo network"
version = "0.1"
strings:
strings:
$f1 = "FirewallAPI.dll" nocase
$p1 = "\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\" nocase
condition:
...
...
@@ -1104,7 +1104,7 @@ rule network_smtp_dotNet {
author = "x0r"
description = "Communications smtp"
version = "0.1"
strings:
strings:
$f1 = "System.Net.Mail" nocase
$p1 = "SmtpClient" nocase
condition:
...
...
@@ -1116,7 +1116,7 @@ rule network_smtp_raw {
author = "x0r"
description = "Communications smtp"
version = "0.1"
strings:
strings:
$s1 = "MAIL FROM:" nocase
$s2 = "RCPT TO:" nocase
condition:
...
...
@@ -1128,7 +1128,7 @@ rule network_smtp_vb {
author = "x0r"
description = "Communications smtp"
version = "0.1"
strings:
strings:
$c1 = "CDO.Message" nocase
$c2 = "cdoSMTPServer" nocase
$c3 = "cdoSendUsingMethod" nocase
...
...
@@ -1143,7 +1143,7 @@ rule network_p2p_win {
author = "x0r"
description = "Communications over P2P network"
version = "0.1"
strings:
strings:
$c1 = "PeerCollabExportContact"
$c2 = "PeerCollabGetApplicationRegistrationInfo"
$c3 = "PeerCollabGetEndpointName"
...
...
@@ -1187,11 +1187,11 @@ rule network_irc {
description = "Communications over IRC network"
version = "0.1"
strings:
$s1 = "NICK"
$s2 = "PING"
$s3 = "JOIN"
$s4 = "USER"
$s5 = "PRIVMSG"
$s1 = "NICK"
$s2 = "PING"
$s3 = "JOIN"
$s4 = "USER"
$s5 = "PRIVMSG"
condition:
all of them
}
...
...
@@ -1203,14 +1203,14 @@ rule network_http {
version = "0.1"
strings:
$f1 = "wininet.dll" nocase
$c1 = "InternetConnect"
$c2 = "InternetOpen"
$c3 = "InternetOpenUrl"
$c4 = "InternetReadFile"
$c5 = "InternetWriteFile"
$c6 = "HttpOpenRequest"
$c7 = "HttpSendRequest"
$c8 = "IdHTTPHeaderInfo"
$c1 = "InternetConnect"
$c2 = "InternetOpen"
$c3 = "InternetOpenUrl"
$c4 = "InternetReadFile"
$c5 = "InternetWriteFile"
$c6 = "HttpOpenRequest"
$c7 = "HttpSendRequest"
$c8 = "IdHTTPHeaderInfo"
condition:
$f1 and $c1 and ($c2 or $c3) and ($c4 or $c5 or $c6 or $c7 or $c8)
}
...
...
@@ -1218,14 +1218,14 @@ rule network_http {
rule network_dropper {
meta:
author = "x0r"
description = "File downloader/dropper"
description = "File downloader/dropper"
version = "0.1"
strings:
$f1 = "urlmon.dll" nocase
$c1 = "URLDownloadToFile"
$c2 = "URLDownloadToCacheFile"
$c3 = "URLOpenStream"
$c4 = "URLOpenPullStream"
$c1 = "URLDownloadToFile"
$c2 = "URLDownloadToCacheFile"
$c3 = "URLOpenStream"
$c4 = "URLOpenPullStream"
condition:
$f1 and 1 of ($c*)
}
...
...
@@ -1233,23 +1233,23 @@ rule network_dropper {
rule network_ftp {
meta:
author = "x0r"
description = "Communications over FTP"
description = "Communications over FTP"
version = "0.1"
strings:
$f1 = "Wininet.dll" nocase
$c1 = "FtpGetCurrentDirectory"
$c2 = "FtpGetFile"
$c3 = "FtpPutFile"
$c4 = "FtpSetCurrentDirectory"
$c5 = "FtpOpenFile"
$c6 = "FtpGetFileSize"
$c7 = "FtpDeleteFile"
$c8 = "FtpCreateDirectory"
$c9 = "FtpRemoveDirectory"
$c10 = "FtpRenameFile"
$c11 = "FtpDownload"
$c12 = "FtpUpload"
$c13 = "FtpGetDirectory"
$c1 = "FtpGetCurrentDirectory"
$c2 = "FtpGetFile"
$c3 = "FtpPutFile"
$c4 = "FtpSetCurrentDirectory"
$c5 = "FtpOpenFile"
$c6 = "FtpGetFileSize"
$c7 = "FtpDeleteFile"
$c8 = "FtpCreateDirectory"
$c9 = "FtpRemoveDirectory"
$c10 = "FtpRenameFile"
$c11 = "FtpDownload"
$c12 = "FtpUpload"
$c13 = "FtpGetDirectory"
condition:
$f1 and (4 of ($c*))
}
...
...
@@ -1262,10 +1262,10 @@ rule network_tcp_socket {
strings:
$f1 = "Ws2_32.dll" nocase
$f2 = "wsock32.dll" nocase
$c1 = "WSASocket"
$c2 = "socket"
$c3 = "send"
$c4 = "WSASend"
$c1 = "WSASocket"
$c2 = "socket"
$c3 = "send"
$c4 = "WSASend"
$c5 = "WSAConnect"
$c6 = "connect"
$c7 = "WSAStartup"
...
...
@@ -1281,17 +1281,17 @@ rule network_dns {
description = "Communications use DNS"
version = "0.1"
strings:
$f1 = "System.Net"
$f1 = "System.Net"
$f2 = "Ws2_32.dll" nocase
$f3 = "Dnsapi.dll" nocase
$f4 = "wsock32.dll" nocase
$c2 = "GetHostEntry"
$f4 = "wsock32.dll" nocase
$c2 = "GetHostEntry"
$c3 = "getaddrinfo"
$c4 = "gethostbyname"
$c5 = "WSAAsyncGetHostByName"
$c6 = "DnsQuery"
condition:
1 of ($f*) and 1 of ($c*)
1 of ($f*) and 1 of ($c*)
}
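Review bot: `$f1 = "System.Net"` is the only library string in this rule without `nocase`, while the same literal carries `nocase` in `network_udp_sock` and `network_tcp_listen`; make it consistent so the .NET case matches the same way across the set. Also the resolver strings start at `$c2` with no `$c1`, which suggests a string was removed at some point; renumber or restore it.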
rule network_ssl {
...
...
@@ -1313,22 +1313,22 @@ rule network_dga {
author = "x0r"
description = "Communication using dga"
version = "0.1"
strings:
strings:
$dll1 = "Advapi32.dll" nocase
$dll2 = "wininet.dll" nocase
$dll3 = "Crypt32.dll" nocase
$time1 = "SystemTimeToFileTime"
$time2 = "GetSystemTime"
$time3 = "GetSystemTimeAsFileTime"
$hash1 = "CryptCreateHash"
$hash2 = "CryptAcquireContext"
$hash3 = "CryptHashData"
$net1 = "InternetOpen"
$net2 = "InternetOpenUrl"
$net3 = "gethostbyname"
$net4 = "getaddrinfo"
$time1 = "SystemTimeToFileTime"
$time2 = "GetSystemTime"
$time3 = "GetSystemTimeAsFileTime"
$hash1 = "CryptCreateHash"
$hash2 = "CryptAcquireContext"
$hash3 = "CryptHashData"
$net1 = "InternetOpen"
$net2 = "InternetOpenUrl"
$net3 = "gethostbyname"
$net4 = "getaddrinfo"
condition:
all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*)
all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*)
}
...
...
@@ -1358,7 +1358,7 @@ rule certificate {
strings:
$f1 = "Crypt32.dll" nocase
$r1 = "software\\microsoft\\systemcertificates\\spc\\certificates" nocase
$c1 = "CertOpenSystemStore"
$c1 = "CertOpenSystemStore"
condition:
all of them
}
...
...
@@ -1370,8 +1370,8 @@ rule escalate_priv {
version = "0.1"
strings:
$d1 = "Advapi32.dll" nocase
$c1 = "SeDebugPrivilege"
$c2 = "AdjustTokenPrivileges"
$c1 = "SeDebugPrivilege"
$c2 = "AdjustTokenPrivileges"
condition:
1 of ($d*) and 1 of ($c*)
}
...
...
@@ -1384,8 +1384,8 @@ rule screenshot {
strings:
$d1 = "Gdi32.dll" nocase
$d2 = "User32.dll" nocase
$c1 = "BitBlt"
$c2 = "GetDC"
$c1 = "BitBlt"
$c2 = "GetDC"
condition:
1 of ($d*) and 1 of ($c*)
}
...
...
@@ -1434,9 +1434,9 @@ rule keylogger {
version = "0.1"
strings:
$f1 = "User32.dll" nocase
$c1 = "GetAsyncKeyState"
$c2 = "GetKeyState"
$c3 = "MapVirtualKey"
$c1 = "GetAsyncKeyState"
$c2 = "GetKeyState"
$c3 = "MapVirtualKey"
$c4 = "GetKeyboardType"
condition:
$f1 and 1 of ($c*)
...
...
@@ -1511,7 +1511,7 @@ rule cred_ie7 {
version = "0.1"
strings:
$f1 = "Crypt32.dll" nocase
$c1 = "CryptUnprotectData"
$c1 = "CryptUnprotectData"
$s1 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" nocase
condition:
all of them
...
...
@@ -1537,8 +1537,8 @@ rule migrate_apc {
description = "APC queue tasks migration"
version = "0.1"
strings:
$c1 = "OpenThread"
$c2 = "QueueUserAPC"
$c1 = "OpenThread"
$c2 = "QueueUserAPC"
condition:
all of them
}
...
...
@@ -1563,8 +1563,8 @@ rule spreading_share {
version = "0.1"
strings:
$f1 = "netapi32.dll" nocase
$c1 = "NetShareGetInfo"
$c2 = "NetShareEnum"
$c1 = "NetShareGetInfo"
$c2 = "NetShareEnum"
condition:
$f1 and 1 of ($c*)
}
...
...
@@ -1576,8 +1576,8 @@ rule rat_vnc {
version = "0.1"
strings:
$f1 = "ultravnc.ini" nocase
$c2 = "StartVNC"
$c3 = "StopVNC"
$c2 = "StartVNC"
$c3 = "StopVNC"
condition:
any of them
}
...
...
@@ -1639,7 +1639,7 @@ rule win_mutex {
description = "Create or check mutex"
version = "0.1"
strings:
$c1 = "CreateMutex"
$c1 = "CreateMutex"
condition:
1 of ($c*)
}
...
...
@@ -1656,7 +1656,7 @@ rule win_registry {
$c3 = "RegCloseKey"
$c4 = "RegSetValueExA"
$c5 = "RegCreateKeyA"
$c6 = "RegCloseKey"
$c6 = "RegCloseKey"
condition:
$f1 and 1 of ($c*)
}
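Review bot: `$c6 = "RegCloseKey"` duplicates `$c3`, so it adds nothing to `1 of ($c*)`; remove the duplicate while this line is being touched.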
...
...
@@ -1671,7 +1671,7 @@ rule win_token {
$c1 = "DuplicateTokenEx"
$c2 = "AdjustTokenPrivileges"
$c3 = "OpenProcessToken"
$c4 = "LookupPrivilegeValueA"
$c4 = "LookupPrivilegeValueA"
condition:
$f1 and 1 of ($c*)
}
...
...
@@ -1685,7 +1685,7 @@ rule win_private_profile {
$f1 = "kernel32.dll" nocase
$c1 = "GetPrivateProfileIntA"
$c2 = "GetPrivateProfileStringA"
$c3 = "WritePrivateProfileStringA"
$c3 = "WritePrivateProfileStringA"
condition:
$f1 and 1 of ($c*)
}
...
...
@@ -1723,7 +1723,7 @@ rule win_hook {
$f1 = "user32.dll" nocase
$c1 = "UnhookWindowsHookEx"
$c2 = "SetWindowsHookExA"
$c3 = "CallNextHookEx"
$c3 = "CallNextHookEx"
condition:
$f1 and 1 of ($c*)
}
...
...
Antidebug_AntiVM_index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./Antidebug_AntiVM/antidebug_antivm.yar"
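Review bot: timestamp-only churn: the generator header date (04-02-2017 to 08-04-2017) is the only line that changes here and in nine of the other `*_index.yar` files, which buries the three indexes (`index.yar`, `index_w_mobile.yar`, `malware_index.yar`) whose include lists actually change. Consider having the generator omit the date, or only commit the regenerated indexes whose `include` lines differ.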
CVE_Rules/CVE-2010-0805.yar
...
...
@@ -8,7 +8,7 @@ rule MSIETabularActivex
strings:
$cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
$cve20100805_2 = "DataURL" nocase fullword
$cve20100805_3 =
/value\=\"http:\/\/(.*?)\"/ nocase fullword
$cve20100805_3 =
true
condition:
($cve20100805_1 and $cve20100805_3) or (all of them)
}
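Review bot: `$cve20100805_3 = true` is not a valid YARA string definition (a string must be a text, hex or regex pattern), so this file will fail to compile and take every index that includes it down with it. If the regex `/value\=\"http:\/\/(.*?)\"/` was dropped on purpose, delete `$cve20100805_3` and rewrite the condition; otherwise restore the regex. Either way the condition deserves a second look: `($cve20100805_1 and $cve20100805_3) or (all of them)` reduces to `$cve20100805_1 and $cve20100805_3`, because the `all of them` branch implies the first one, so `$cve20100805_2` (`DataURL`) never influences the result.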
CVE_Rules_index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./CVE_Rules/CVE-2010-0805.yar"
include "./CVE_Rules/CVE-2010-0887.yar"
...
...
Crypto_index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./Crypto/base64.yar"
include "./Crypto/crypto_signatures.yar"
Exploit-Kits_index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./Exploit-Kits/EK_Angler.yar"
include "./Exploit-Kits/EK_Blackhole.yar"
...
...
Malicious_Documents_index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
...
...
Mobile_Malware_index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./Mobile_Malware/Android_adware.yar"
include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
...
...
Packers_index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./Packers/Javascript_exploit_and_obfuscation.yar"
include "./Packers/JJencode.yar"
...
...
Webshells_index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./Webshells/WShell_APT_Laudanum.yar"
include "./Webshells/Wshell_ChineseSpam.yar"
...
...
email_index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./email/attachment.yar"
include "./email/bank_rule.yar"
...
...
index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./Antidebug_AntiVM/antidebug_antivm.yar"
include "./Crypto/base64.yar"
...
...
@@ -71,6 +71,9 @@ include "./malware/APT_fancybear_dnc.yar"
include "./malware/APT_FiveEyes.yar"
include "./malware/APT_furtim.yar"
include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
include "./malware/APT_Grasshopper.yar"
include "./malware/APT_Greenbug.yar"
include "./malware/APT_Grizzlybear_uscert.yar"
include "./malware/APT_HackingTeam.yar"
include "./malware/APT_Hellsing.yar"
include "./malware/APT_Hikit.yar"
...
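Review bot: `APT_Greenbug.yar` and `APT_Grizzlybear_uscert.yar` are included here alongside `APT_Grasshopper.yar` (and `APT_Shamoon_StoneDrill.yar` and `MALW_Spora.yar` in the next two hunks), but none of those four files is among the 16 files in this commit and the commit message mentions only Grasshopper. If they already exist in `malware/` and were simply missing from the index, say so in the commit message; if they do not, an `include` of a missing file makes the whole index fail to compile. The same three hunks are repeated in `index_w_mobile.yar` and `malware_index.yar`.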
...
@@ -99,6 +102,7 @@ include "./malware/APT_PutterPanda.yar"
include "./malware/APT_Regin.yar"
include "./malware/APT_Scarab_Scieron.yar"
include "./malware/APT_Seaduke.yar"
include "./malware/APT_Shamoon_StoneDrill.yar"
include "./malware/APT_Snowglobe_Babar.yar"
include "./malware/APT_Sofacy_Bundestag.yar"
include "./malware/APT_Sofacy_Fysbis.yar"
...
...
@@ -218,6 +222,7 @@ include "./malware/MALW_Sendsafe.yar"
include "./malware/MALW_Shamoon.yar"
include "./malware/MALW_Shifu.yar"
include "./malware/MALW_Skeleton.yar"
include "./malware/MALW_Spora.yar"
include "./malware/MALW_Sqlite.yar"
include "./malware/MALW_Stealer.yar"
include "./malware/MALW_Surtr.yar"
...
...
index_w_mobile.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./Antidebug_AntiVM/antidebug_antivm.yar"
include "./Crypto/base64.yar"
...
...
@@ -71,6 +71,9 @@ include "./malware/APT_fancybear_dnc.yar"
include "./malware/APT_FiveEyes.yar"
include "./malware/APT_furtim.yar"
include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
include "./malware/APT_Grasshopper.yar"
include "./malware/APT_Greenbug.yar"
include "./malware/APT_Grizzlybear_uscert.yar"
include "./malware/APT_HackingTeam.yar"
include "./malware/APT_Hellsing.yar"
include "./malware/APT_Hikit.yar"
...
...
@@ -99,6 +102,7 @@ include "./malware/APT_PutterPanda.yar"
include "./malware/APT_Regin.yar"
include "./malware/APT_Scarab_Scieron.yar"
include "./malware/APT_Seaduke.yar"
include "./malware/APT_Shamoon_StoneDrill.yar"
include "./malware/APT_Snowglobe_Babar.yar"
include "./malware/APT_Sofacy_Bundestag.yar"
include "./malware/APT_Sofacy_Fysbis.yar"
...
...
@@ -218,6 +222,7 @@ include "./malware/MALW_Sendsafe.yar"
include "./malware/MALW_Shamoon.yar"
include "./malware/MALW_Shifu.yar"
include "./malware/MALW_Skeleton.yar"
include "./malware/MALW_Spora.yar"
include "./malware/MALW_Sqlite.yar"
include "./malware/MALW_Stealer.yar"
include "./malware/MALW_Surtr.yar"
...
...
malware/APT_Grasshopper.yar
0 → 100644
/*
Set of rules for Grasshopper APT.
Infected DLL hashes of Stolen Goods 2.1.
Ref: https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf
Author: Jaume Martin
Date: 07-04-2017
*/
rule Control32 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "b3dc808fc7cb4492669ec019911ef22a"
}
rule Control64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "bec30379078d5c5c7845d3be33707b89"
}
rule GH_PM32 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "2f2c5b3f3b1f97908074f526ac90a28d"
}
rule GH_PM64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "fe6c0097412b2c7b7f4b8a489004dd14"
}
rule MemStub32-GH1 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "0a579ad25fdd4db8110aac4dbb7d2da3"
}
rule MemStub32 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "8987652f26732607b769247adb4e9cce"
}
rule MemStub64-GH1 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "2350403a09e6928f0a7ba5d74da58cb9"
}
rule MemStub64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "6b5b46d3212fc3fc5b455d9efd8d3ffa"
}
rule msvcrt_Win7AMD64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "c8fc794cc5a22b5a1e0803b0b8acce77"
}
rule msvcrt_Win7x86 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "7713e5c5a48b020c9575b1b50f2e5e9e"
}
rule msvcrt_WIN8AMD64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "33c59fcdf027470e0ab1d366f54a6ebf"
}
rule msvcrt_WIN8x86 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "95490c2b284a9bb63f0ee49254ab727e"
}
rule msvcrt_WinXPx86 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "b68f72d77754f8b76168ced0924a4174"
}
rule Network_Win7AMD64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "eb92031a38f17d0e63285b5142b31966"
}
rule Network_Win7x86 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "548889baed7768b828d9c2f373abd225"
}
rule Network_WinXPx86 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "877341a16d5d223435c43a9db7f721bc"
}
rule RabbitStew32 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "a9d2e8ae5ddbf8f2842d96f7de2faef8"
}
rule RabbitStew64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "fa415b6280104e813770df520b303897"
}
rule Vbr {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "961d2fd68fde2ae0b7c52e0c90767d0d"
}
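Review bot: this file will not compile as written: `hash.md5(0, filesize)` requires `import "hash"` at the top of the file, and `MemStub32-GH1` / `MemStub64-GH1` are not valid rule identifiers (YARA identifiers may contain only letters, digits and underscores), so rename them along the lines of `MemStub32_GH1`. Because the file is pulled into `index.yar`, `index_w_mobile.yar` and `malware_index.yar`, the compile error would break every full-index scan. Two smaller points: short generic names such as `Control32`, `Vbr` or `Network_Win7x86` are likely to collide with rules in the other included files (a duplicate identifier is also a compile error), so prefix them (`Grasshopper_Control32`) or group them in a namespace; and the description and reference in the file comment (Stolen Goods 2.1, the user-guide URL) belong in each rule's `meta:` next to `author`, so they travel with a match.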
malware/MALW_Corkow.yar
...
...
@@ -3,17 +3,17 @@
*/
rule CorkowDLL
rule CorkowDLL
{
meta:
description = "Rule to detect the Corkow DLL files"
description = "Rule to detect the Corkow DLL files"
reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
strings:
$mz = { 4d 5a }
$binary1 = {60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3}
$binary2 = {(FF75??|53)FF7510FF750CFF7508E8????????[3-9]C9C20C 00}
$binary1 = {60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3}
$binary2 = {(FF75??|53)FF7510FF750CFF7508E8????????[3-9]C9C20C 00}
$export1 = "Control_RunDLL"
$export2 = "ServiceMain"
$export3 = "DllGetClassObject"
...
...
malware_index.yar
/*
Generated by Yara-Rules
On 0
4-02
-2017
On 0
8-04
-2017
*/
include "./malware/APT_APT1.yar"
include "./malware/APT_APT17.yar"
...
...
@@ -30,6 +30,9 @@ include "./malware/APT_fancybear_dnc.yar"
include "./malware/APT_FiveEyes.yar"
include "./malware/APT_furtim.yar"
include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
include "./malware/APT_Grasshopper.yar"
include "./malware/APT_Greenbug.yar"
include "./malware/APT_Grizzlybear_uscert.yar"
include "./malware/APT_HackingTeam.yar"
include "./malware/APT_Hellsing.yar"
include "./malware/APT_Hikit.yar"
...
...
@@ -58,6 +61,7 @@ include "./malware/APT_PutterPanda.yar"
include "./malware/APT_Regin.yar"
include "./malware/APT_Scarab_Scieron.yar"
include "./malware/APT_Seaduke.yar"
include "./malware/APT_Shamoon_StoneDrill.yar"
include "./malware/APT_Snowglobe_Babar.yar"
include "./malware/APT_Sofacy_Bundestag.yar"
include "./malware/APT_Sofacy_Fysbis.yar"
...
...
@@ -177,6 +181,7 @@ include "./malware/MALW_Sendsafe.yar"
include "./malware/MALW_Shamoon.yar"
include "./malware/MALW_Shifu.yar"
include "./malware/MALW_Skeleton.yar"
include "./malware/MALW_Spora.yar"
include "./malware/MALW_Sqlite.yar"
include "./malware/MALW_Stealer.yar"
include "./malware/MALW_Surtr.yar"
...
...