Commit d9c8783f by Xumeiquer

Adding malware/APT_Grasshopper.yar

parent 35e8f200
...@@ -331,7 +331,7 @@ rule Check_VBox_Description ...@@ -331,7 +331,7 @@ rule Check_VBox_Description
strings: strings:
$key = "HARDWARE\\Description\\System" nocase wide ascii $key = "HARDWARE\\Description\\System" nocase wide ascii
$value = "SystemBiosVersion" nocase wide ascii $value = "SystemBiosVersion" nocase wide ascii
$data = "VBOX" nocase wide ascii $data = "VBOX" nocase wide ascii
condition: condition:
all of them all of them
} }
...@@ -357,7 +357,7 @@ rule Check_VBox_Guest_Additions ...@@ -357,7 +357,7 @@ rule Check_VBox_Guest_Additions
strings: strings:
$key = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" wide ascii nocase $key = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" wide ascii nocase
condition: condition:
any of them any of them
} }
rule Check_VBox_VideoDrivers rule Check_VBox_VideoDrivers
{ {
...@@ -494,7 +494,7 @@ rule Check_Debugger ...@@ -494,7 +494,7 @@ rule Check_Debugger
Description = "Looks for both isDebuggerPresent and CheckRemoteDebuggerPresent" Description = "Looks for both isDebuggerPresent and CheckRemoteDebuggerPresent"
Sample = "de1af0e97e94859d372be7fcf3a5daa5" Sample = "de1af0e97e94859d372be7fcf3a5daa5"
condition: condition:
pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
pe.imports("kernel32.dll","IsDebuggerPresent") pe.imports("kernel32.dll","IsDebuggerPresent")
} }
...@@ -507,10 +507,10 @@ rule Check_DriveSize ...@@ -507,10 +507,10 @@ rule Check_DriveSize
strings: strings:
$physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase $physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase
$dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO $dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO
condition: condition:
pe.imports("kernel32.dll","CreateFileA") and pe.imports("kernel32.dll","CreateFileA") and
pe.imports("kernel32.dll","DeviceIoControl") and pe.imports("kernel32.dll","DeviceIoControl") and
$dwIoControlCode and $dwIoControlCode and
$physicaldrive $physicaldrive
} }
...@@ -520,7 +520,7 @@ rule Check_FilePaths ...@@ -520,7 +520,7 @@ rule Check_FilePaths
Author = "Nick Hoffman" Author = "Nick Hoffman"
Description = "Checks for filepaths containing popular sandbox names" Description = "Checks for filepaths containing popular sandbox names"
Sample = "de1af0e97e94859d372be7fcf3a5daa5" Sample = "de1af0e97e94859d372be7fcf3a5daa5"
strings: strings:
$path1 = "SANDBOX" wide ascii $path1 = "SANDBOX" wide ascii
$path2 = "\\SAMPLE" wide ascii $path2 = "\\SAMPLE" wide ascii
$path3 = "\\VIRUS" wide ascii $path3 = "\\VIRUS" wide ascii
...@@ -563,12 +563,12 @@ rule Check_unhandledExceptionFiler_iat { ...@@ -563,12 +563,12 @@ rule Check_unhandledExceptionFiler_iat {
meta: meta:
Author = "http://twitter.com/j0sm1" Author = "http://twitter.com/j0sm1"
Description = "it's checked if UnhandledExceptionFilter is imported" Description = "it's checked if UnhandledExceptionFilter is imported"
Date = "20/04/2015" Date = "20/04/2015"
Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter" Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter"
condition: condition:
pe.imports("kernel32.dll","UnhandledExceptionFilter") pe.imports("kernel32.dll","UnhandledExceptionFilter")
} }
*/ */
...@@ -578,12 +578,12 @@ rule check_RaiseException_iat { ...@@ -578,12 +578,12 @@ rule check_RaiseException_iat {
meta: meta:
Author = "http://twitter.com/j0sm1" Author = "http://twitter.com/j0sm1"
Description = "it's checked if RaiseException is imported" Description = "it's checked if RaiseException is imported"
Date = "20/04/2015" Date = "20/04/2015"
Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html" Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html"
condition: condition:
pe.imports("kernel32.dll","RaiseException") pe.imports("kernel32.dll","RaiseException")
} }
*/ */
...@@ -591,14 +591,14 @@ rule Check_FindWindowA_iat { ...@@ -591,14 +591,14 @@ rule Check_FindWindowA_iat {
meta: meta:
Author = "http://twitter.com/j0sm1" Author = "http://twitter.com/j0sm1"
Description = "it's checked if FindWindowA() is imported" Description = "it's checked if FindWindowA() is imported"
Date = "20/04/2015" Date = "20/04/2015"
Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow" Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
strings: strings:
$ollydbg = "OLLYDBG" $ollydbg = "OLLYDBG"
$windbg = "WinDbgFrameClass" $windbg = "WinDbgFrameClass"
condition: condition:
pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg) pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
} }
...@@ -618,14 +618,14 @@ rule DebuggerCheck__MemoryWorkingSet : AntiDebug DebuggerCheck { ...@@ -618,14 +618,14 @@ rule DebuggerCheck__MemoryWorkingSet : AntiDebug DebuggerCheck {
rule WMI_VM_Detect : WMI_VM_Detect rule WMI_VM_Detect : WMI_VM_Detect
{ {
meta: meta:
version = 2 version = 2
threat = "Using WMI to detect virtual machines via querying video card information" threat = "Using WMI to detect virtual machines via querying video card information"
behaviour_class = "Evasion" behaviour_class = "Evasion"
author = "Joe Giron" author = "Joe Giron"
date = "2015-09-25" date = "2015-09-25"
description = "Detection of Virtual Appliances through the use of WMI for use of evasion." description = "Detection of Virtual Appliances through the use of WMI for use of evasion."
strings: strings:
$selstr = "SELECT Description FROM Win32_VideoController" nocase ascii wide $selstr = "SELECT Description FROM Win32_VideoController" nocase ascii wide
...@@ -637,7 +637,7 @@ rule WMI_VM_Detect : WMI_VM_Detect ...@@ -637,7 +637,7 @@ rule WMI_VM_Detect : WMI_VM_Detect
$vm5 = "remotefx" nocase ascii wide $vm5 = "remotefx" nocase ascii wide
$vm6 = "cirrus logic" nocase ascii wide $vm6 = "cirrus logic" nocase ascii wide
$vm7 = "matrox" nocase ascii wide $vm7 = "matrox" nocase ascii wide
condition: condition:
any of ($selstr*) and any of ($vm*) any of ($selstr*) and any of ($vm*)
...@@ -651,11 +651,11 @@ rule anti_dbg { ...@@ -651,11 +651,11 @@ rule anti_dbg {
version = "0.2" version = "0.2"
strings: strings:
$d1 = "Kernel32.dll" nocase $d1 = "Kernel32.dll" nocase
$c1 = "CheckRemoteDebuggerPresent" $c1 = "CheckRemoteDebuggerPresent"
$c2 = "IsDebuggerPresent" $c2 = "IsDebuggerPresent"
$c3 = "OutputDebugString" $c3 = "OutputDebugString"
$c4 = "ContinueDebugEvent" $c4 = "ContinueDebugEvent"
$c5 = "DebugActiveProcess" $c5 = "DebugActiveProcess"
condition: condition:
$d1 and 1 of ($c*) $d1 and 1 of ($c*)
} }
...@@ -673,14 +673,14 @@ rule anti_dbgtools { ...@@ -673,14 +673,14 @@ rule anti_dbgtools {
$f5 = "fiddler.exe" nocase $f5 = "fiddler.exe" nocase
$f6 = "windbg.exe" nocase $f6 = "windbg.exe" nocase
$f7 = "ollydbg.exe" nocase $f7 = "ollydbg.exe" nocase
$f8 = "winhex.exe" nocase $f8 = "winhex.exe" nocase
$f9 = "processhacker.exe" nocase $f9 = "processhacker.exe" nocase
$f10 = "hiew32.exe" nocase $f10 = "hiew32.exe" nocase
$c11 = "\\\\.\\NTICE" $c11 = "\\\\.\\NTICE"
$c12 = "\\\\.\\SICE" $c12 = "\\\\.\\SICE"
$c13 = "\\\\.\\Syser" $c13 = "\\\\.\\Syser"
$c14 = "\\\\.\\SyserBoot" $c14 = "\\\\.\\SyserBoot"
$c15 = "\\\\.\\SyserDbgMsg" $c15 = "\\\\.\\SyserDbgMsg"
condition: condition:
any of them any of them
} }
...@@ -692,8 +692,8 @@ rule antisb_joesanbox { ...@@ -692,8 +692,8 @@ rule antisb_joesanbox {
version = "0.1" version = "0.1"
strings: strings:
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
$c1 = "RegQueryValue" $c1 = "RegQueryValue"
$s1 = "55274-640-2673064-23950" $s1 = "55274-640-2673064-23950"
condition: condition:
all of them all of them
} }
...@@ -705,9 +705,9 @@ rule antisb_anubis { ...@@ -705,9 +705,9 @@ rule antisb_anubis {
version = "0.1" version = "0.1"
strings: strings:
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
$c1 = "RegQueryValue" $c1 = "RegQueryValue"
$s1 = "76487-337-8429955-22614" $s1 = "76487-337-8429955-22614"
$s2 = "76487-640-1457236-23837" $s2 = "76487-640-1457236-23837"
condition: condition:
$p1 and $c1 and 1 of ($s*) $p1 and $c1 and 1 of ($s*)
} }
...@@ -718,7 +718,7 @@ rule antisb_threatExpert { ...@@ -718,7 +718,7 @@ rule antisb_threatExpert {
description = "Anti-Sandbox checks for ThreatExpert" description = "Anti-Sandbox checks for ThreatExpert"
version = "0.1" version = "0.1"
strings: strings:
$f1 = "dbghelp.dll" nocase $f1 = "dbghelp.dll" nocase
condition: condition:
all of them all of them
} }
...@@ -729,7 +729,7 @@ rule antisb_sandboxie { ...@@ -729,7 +729,7 @@ rule antisb_sandboxie {
description = "Anti-Sandbox checks for Sandboxie" description = "Anti-Sandbox checks for Sandboxie"
version = "0.1" version = "0.1"
strings: strings:
$f1 = "SbieDLL.dll" nocase $f1 = "SbieDLL.dll" nocase
condition: condition:
all of them all of them
} }
...@@ -741,7 +741,7 @@ rule antisb_cwsandbox { ...@@ -741,7 +741,7 @@ rule antisb_cwsandbox {
version = "0.1" version = "0.1"
strings: strings:
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
$s1 = "76487-644-3177037-23510" $s1 = "76487-644-3177037-23510"
condition: condition:
all of them all of them
} }
...@@ -783,10 +783,10 @@ rule antivm_bios { ...@@ -783,10 +783,10 @@ rule antivm_bios {
strings: strings:
$p1 = "HARDWARE\\DESCRIPTION\\System" nocase $p1 = "HARDWARE\\DESCRIPTION\\System" nocase
$p2 = "HARDWARE\\DESCRIPTION\\System\\BIOS" nocase $p2 = "HARDWARE\\DESCRIPTION\\System\\BIOS" nocase
$c1 = "RegQueryValue" $c1 = "RegQueryValue"
$r1 = "SystemBiosVersion" $r1 = "SystemBiosVersion"
$r2 = "VideoBiosVersion" $r2 = "VideoBiosVersion"
$r3 = "SystemManufacturer" $r3 = "SystemManufacturer"
condition: condition:
1 of ($p*) and 1 of ($c*) and 1 of ($r*) 1 of ($p*) and 1 of ($c*) and 1 of ($r*)
} }
...@@ -800,13 +800,13 @@ rule disable_antivirus { ...@@ -800,13 +800,13 @@ rule disable_antivirus {
$p1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" nocase $p1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" nocase
$p2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" nocase $p2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" nocase
$p3 = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" nocase $p3 = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" nocase
$c1 = "RegSetValue" $c1 = "RegSetValue"
$r1 = "AntiVirusDisableNotify" $r1 = "AntiVirusDisableNotify"
$r2 = "DontReportInfectionInformation" $r2 = "DontReportInfectionInformation"
$r3 = "DisableAntiSpyware" $r3 = "DisableAntiSpyware"
$r4 = "RunInvalidSignatures" $r4 = "RunInvalidSignatures"
$r5 = "AntiVirusOverride" $r5 = "AntiVirusOverride"
$r6 = "CheckExeSignatures" $r6 = "CheckExeSignatures"
$f1 = "blackd.exe" nocase $f1 = "blackd.exe" nocase
$f2 = "blackice.exe" nocase $f2 = "blackice.exe" nocase
$f3 = "lockdown.exe" nocase $f3 = "lockdown.exe" nocase
...@@ -841,10 +841,10 @@ rule disable_firewall { ...@@ -841,10 +841,10 @@ rule disable_firewall {
version = "0.1" version = "0.1"
strings: strings:
$p1 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy" nocase $p1 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy" nocase
$c1 = "RegSetValue" $c1 = "RegSetValue"
$r1 = "FirewallPolicy" $r1 = "FirewallPolicy"
$r2 = "EnableFirewall" $r2 = "EnableFirewall"
$r3 = "FirewallDisableNotify" $r3 = "FirewallDisableNotify"
$s1 = "netsh firewall add allowedprogram" $s1 = "netsh firewall add allowedprogram"
condition: condition:
(1 of ($p*) and $c1 and 1 of ($r*)) or $s1 (1 of ($p*) and $c1 and 1 of ($r*)) or $s1
...@@ -857,9 +857,9 @@ rule disable_registry { ...@@ -857,9 +857,9 @@ rule disable_registry {
version = "0.1" version = "0.1"
strings: strings:
$p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
$c1 = "RegSetValue" $c1 = "RegSetValue"
$r1 = "DisableRegistryTools" $r1 = "DisableRegistryTools"
$r2 = "DisableRegedit" $r2 = "DisableRegedit"
condition: condition:
1 of ($p*) and $c1 and 1 of ($r*) 1 of ($p*) and $c1 and 1 of ($r*)
} }
...@@ -870,11 +870,11 @@ rule disable_dep { ...@@ -870,11 +870,11 @@ rule disable_dep {
description = "Bypass DEP" description = "Bypass DEP"
version = "0.1" version = "0.1"
strings: strings:
$c1 = "EnableExecuteProtectionSupport" $c1 = "EnableExecuteProtectionSupport"
$c2 = "NtSetInformationProcess" $c2 = "NtSetInformationProcess"
$c3 = "VirtualProctectEx" $c3 = "VirtualProctectEx"
$c4 = "SetProcessDEPPolicy" $c4 = "SetProcessDEPPolicy"
$c5 = "ZwProtectVirtualMemory" $c5 = "ZwProtectVirtualMemory"
condition: condition:
any of them any of them
} }
...@@ -886,7 +886,7 @@ rule disable_taskmanager { ...@@ -886,7 +886,7 @@ rule disable_taskmanager {
version = "0.1" version = "0.1"
strings: strings:
$p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
$r1 = "DisableTaskMgr" $r1 = "DisableTaskMgr"
condition: condition:
1 of ($p*) and 1 of ($r*) 1 of ($p*) and 1 of ($r*)
} }
...@@ -897,13 +897,13 @@ rule inject_thread { ...@@ -897,13 +897,13 @@ rule inject_thread {
description = "Code injection with CreateRemoteThread in a remote process" description = "Code injection with CreateRemoteThread in a remote process"
version = "0.1" version = "0.1"
strings: strings:
$c1 = "OpenProcess" $c1 = "OpenProcess"
$c2 = "VirtualAllocEx" $c2 = "VirtualAllocEx"
$c3 = "NtWriteVirtualMemory" $c3 = "NtWriteVirtualMemory"
$c4 = "WriteProcessMemory" $c4 = "WriteProcessMemory"
$c5 = "CreateRemoteThread" $c5 = "CreateRemoteThread"
$c6 = "CreateThread" $c6 = "CreateThread"
$c7 = "OpenProcess" $c7 = "OpenProcess"
condition: condition:
$c1 and $c2 and ( $c3 or $c4 ) and ( $c5 or $c6 or $c7 ) $c1 and $c2 and ( $c3 or $c4 ) and ( $c5 or $c6 or $c7 )
} }
...@@ -917,8 +917,8 @@ rule create_process { ...@@ -917,8 +917,8 @@ rule create_process {
strings: strings:
$f1 = "Shell32.dll" nocase $f1 = "Shell32.dll" nocase
$f2 = "Kernel32.dll" nocase $f2 = "Kernel32.dll" nocase
$c1 = "ShellExecute" $c1 = "ShellExecute"
$c2 = "WinExec" $c2 = "WinExec"
$c3 = "CreateProcess" $c3 = "CreateProcess"
$c4 = "CreateThread" $c4 = "CreateThread"
condition: condition:
...@@ -978,10 +978,10 @@ rule create_service { ...@@ -978,10 +978,10 @@ rule create_service {
version = "0.2" version = "0.2"
strings: strings:
$f1 = "Advapi32.dll" nocase $f1 = "Advapi32.dll" nocase
$c1 = "CreateService" $c1 = "CreateService"
$c2 = "ControlService" $c2 = "ControlService"
$c3 = "StartService" $c3 = "StartService"
$c4 = "QueryServiceStatus" $c4 = "QueryServiceStatus"
condition: condition:
all of them all of them
} }
...@@ -993,10 +993,10 @@ rule create_com_service { ...@@ -993,10 +993,10 @@ rule create_com_service {
version = "0.1" version = "0.1"
strings: strings:
$c1 = "DllCanUnloadNow" nocase $c1 = "DllCanUnloadNow" nocase
$c2 = "DllGetClassObject" $c2 = "DllGetClassObject"
$c3 = "DllInstall" $c3 = "DllInstall"
$c4 = "DllRegisterServer" $c4 = "DllRegisterServer"
$c5 = "DllUnregisterServer" $c5 = "DllUnregisterServer"
condition: condition:
all of them all of them
} }
...@@ -1010,12 +1010,12 @@ rule network_udp_sock { ...@@ -1010,12 +1010,12 @@ rule network_udp_sock {
$f1 = "Ws2_32.dll" nocase $f1 = "Ws2_32.dll" nocase
$f2 = "System.Net" nocase $f2 = "System.Net" nocase
$f3 = "wsock32.dll" nocase $f3 = "wsock32.dll" nocase
$c0 = "WSAStartup" $c0 = "WSAStartup"
$c1 = "sendto" $c1 = "sendto"
$c2 = "recvfrom" $c2 = "recvfrom"
$c3 = "WSASendTo" $c3 = "WSASendTo"
$c4 = "WSARecvFrom" $c4 = "WSARecvFrom"
$c5 = "UdpClient" $c5 = "UdpClient"
condition: condition:
(($f1 or $f3) and 2 of ($c*)) or ($f2 and $c5) (($f1 or $f3) and 2 of ($c*)) or ($f2 and $c5)
} }
...@@ -1030,14 +1030,14 @@ rule network_tcp_listen { ...@@ -1030,14 +1030,14 @@ rule network_tcp_listen {
$f2 = "Mswsock.dll" nocase $f2 = "Mswsock.dll" nocase
$f3 = "System.Net" nocase $f3 = "System.Net" nocase
$f4 = "wsock32.dll" nocase $f4 = "wsock32.dll" nocase
$c1 = "bind" $c1 = "bind"
$c2 = "accept" $c2 = "accept"
$c3 = "GetAcceptExSockaddrs" $c3 = "GetAcceptExSockaddrs"
$c4 = "AcceptEx" $c4 = "AcceptEx"
$c5 = "WSAStartup" $c5 = "WSAStartup"
$c6 = "WSAAccept" $c6 = "WSAAccept"
$c7 = "WSASocket" $c7 = "WSASocket"
$c8 = "TcpListener" $c8 = "TcpListener"
$c9 = "AcceptTcpClient" $c9 = "AcceptTcpClient"
$c10 = "listen" $c10 = "listen"
condition: condition:
...@@ -1049,7 +1049,7 @@ rule network_dyndns { ...@@ -1049,7 +1049,7 @@ rule network_dyndns {
author = "x0r" author = "x0r"
description = "Communications dyndns network" description = "Communications dyndns network"
version = "0.1" version = "0.1"
strings: strings:
$s1 =".no-ip.org" $s1 =".no-ip.org"
$s2 =".publicvm.com" $s2 =".publicvm.com"
$s3 =".linkpc.net" $s3 =".linkpc.net"
...@@ -1092,7 +1092,7 @@ rule network_toredo { ...@@ -1092,7 +1092,7 @@ rule network_toredo {
author = "x0r" author = "x0r"
description = "Communications over Toredo network" description = "Communications over Toredo network"
version = "0.1" version = "0.1"
strings: strings:
$f1 = "FirewallAPI.dll" nocase $f1 = "FirewallAPI.dll" nocase
$p1 = "\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\" nocase $p1 = "\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\" nocase
condition: condition:
...@@ -1104,7 +1104,7 @@ rule network_smtp_dotNet { ...@@ -1104,7 +1104,7 @@ rule network_smtp_dotNet {
author = "x0r" author = "x0r"
description = "Communications smtp" description = "Communications smtp"
version = "0.1" version = "0.1"
strings: strings:
$f1 = "System.Net.Mail" nocase $f1 = "System.Net.Mail" nocase
$p1 = "SmtpClient" nocase $p1 = "SmtpClient" nocase
condition: condition:
...@@ -1116,7 +1116,7 @@ rule network_smtp_raw { ...@@ -1116,7 +1116,7 @@ rule network_smtp_raw {
author = "x0r" author = "x0r"
description = "Communications smtp" description = "Communications smtp"
version = "0.1" version = "0.1"
strings: strings:
$s1 = "MAIL FROM:" nocase $s1 = "MAIL FROM:" nocase
$s2 = "RCPT TO:" nocase $s2 = "RCPT TO:" nocase
condition: condition:
...@@ -1128,7 +1128,7 @@ rule network_smtp_vb { ...@@ -1128,7 +1128,7 @@ rule network_smtp_vb {
author = "x0r" author = "x0r"
description = "Communications smtp" description = "Communications smtp"
version = "0.1" version = "0.1"
strings: strings:
$c1 = "CDO.Message" nocase $c1 = "CDO.Message" nocase
$c2 = "cdoSMTPServer" nocase $c2 = "cdoSMTPServer" nocase
$c3 = "cdoSendUsingMethod" nocase $c3 = "cdoSendUsingMethod" nocase
...@@ -1143,7 +1143,7 @@ rule network_p2p_win { ...@@ -1143,7 +1143,7 @@ rule network_p2p_win {
author = "x0r" author = "x0r"
description = "Communications over P2P network" description = "Communications over P2P network"
version = "0.1" version = "0.1"
strings: strings:
$c1 = "PeerCollabExportContact" $c1 = "PeerCollabExportContact"
$c2 = "PeerCollabGetApplicationRegistrationInfo" $c2 = "PeerCollabGetApplicationRegistrationInfo"
$c3 = "PeerCollabGetEndpointName" $c3 = "PeerCollabGetEndpointName"
...@@ -1187,11 +1187,11 @@ rule network_irc { ...@@ -1187,11 +1187,11 @@ rule network_irc {
description = "Communications over IRC network" description = "Communications over IRC network"
version = "0.1" version = "0.1"
strings: strings:
$s1 = "NICK" $s1 = "NICK"
$s2 = "PING" $s2 = "PING"
$s3 = "JOIN" $s3 = "JOIN"
$s4 = "USER" $s4 = "USER"
$s5 = "PRIVMSG" $s5 = "PRIVMSG"
condition: condition:
all of them all of them
} }
...@@ -1203,14 +1203,14 @@ rule network_http { ...@@ -1203,14 +1203,14 @@ rule network_http {
version = "0.1" version = "0.1"
strings: strings:
$f1 = "wininet.dll" nocase $f1 = "wininet.dll" nocase
$c1 = "InternetConnect" $c1 = "InternetConnect"
$c2 = "InternetOpen" $c2 = "InternetOpen"
$c3 = "InternetOpenUrl" $c3 = "InternetOpenUrl"
$c4 = "InternetReadFile" $c4 = "InternetReadFile"
$c5 = "InternetWriteFile" $c5 = "InternetWriteFile"
$c6 = "HttpOpenRequest" $c6 = "HttpOpenRequest"
$c7 = "HttpSendRequest" $c7 = "HttpSendRequest"
$c8 = "IdHTTPHeaderInfo" $c8 = "IdHTTPHeaderInfo"
condition: condition:
$f1 and $c1 and ($c2 or $c3) and ($c4 or $c5 or $c6 or $c7 or $c8) $f1 and $c1 and ($c2 or $c3) and ($c4 or $c5 or $c6 or $c7 or $c8)
} }
...@@ -1218,14 +1218,14 @@ rule network_http { ...@@ -1218,14 +1218,14 @@ rule network_http {
rule network_dropper { rule network_dropper {
meta: meta:
author = "x0r" author = "x0r"
description = "File downloader/dropper" description = "File downloader/dropper"
version = "0.1" version = "0.1"
strings: strings:
$f1 = "urlmon.dll" nocase $f1 = "urlmon.dll" nocase
$c1 = "URLDownloadToFile" $c1 = "URLDownloadToFile"
$c2 = "URLDownloadToCacheFile" $c2 = "URLDownloadToCacheFile"
$c3 = "URLOpenStream" $c3 = "URLOpenStream"
$c4 = "URLOpenPullStream" $c4 = "URLOpenPullStream"
condition: condition:
$f1 and 1 of ($c*) $f1 and 1 of ($c*)
} }
...@@ -1233,23 +1233,23 @@ rule network_dropper { ...@@ -1233,23 +1233,23 @@ rule network_dropper {
rule network_ftp { rule network_ftp {
meta: meta:
author = "x0r" author = "x0r"
description = "Communications over FTP" description = "Communications over FTP"
version = "0.1" version = "0.1"
strings: strings:
$f1 = "Wininet.dll" nocase $f1 = "Wininet.dll" nocase
$c1 = "FtpGetCurrentDirectory" $c1 = "FtpGetCurrentDirectory"
$c2 = "FtpGetFile" $c2 = "FtpGetFile"
$c3 = "FtpPutFile" $c3 = "FtpPutFile"
$c4 = "FtpSetCurrentDirectory" $c4 = "FtpSetCurrentDirectory"
$c5 = "FtpOpenFile" $c5 = "FtpOpenFile"
$c6 = "FtpGetFileSize" $c6 = "FtpGetFileSize"
$c7 = "FtpDeleteFile" $c7 = "FtpDeleteFile"
$c8 = "FtpCreateDirectory" $c8 = "FtpCreateDirectory"
$c9 = "FtpRemoveDirectory" $c9 = "FtpRemoveDirectory"
$c10 = "FtpRenameFile" $c10 = "FtpRenameFile"
$c11 = "FtpDownload" $c11 = "FtpDownload"
$c12 = "FtpUpload" $c12 = "FtpUpload"
$c13 = "FtpGetDirectory" $c13 = "FtpGetDirectory"
condition: condition:
$f1 and (4 of ($c*)) $f1 and (4 of ($c*))
} }
...@@ -1262,10 +1262,10 @@ rule network_tcp_socket { ...@@ -1262,10 +1262,10 @@ rule network_tcp_socket {
strings: strings:
$f1 = "Ws2_32.dll" nocase $f1 = "Ws2_32.dll" nocase
$f2 = "wsock32.dll" nocase $f2 = "wsock32.dll" nocase
$c1 = "WSASocket" $c1 = "WSASocket"
$c2 = "socket" $c2 = "socket"
$c3 = "send" $c3 = "send"
$c4 = "WSASend" $c4 = "WSASend"
$c5 = "WSAConnect" $c5 = "WSAConnect"
$c6 = "connect" $c6 = "connect"
$c7 = "WSAStartup" $c7 = "WSAStartup"
...@@ -1281,17 +1281,17 @@ rule network_dns { ...@@ -1281,17 +1281,17 @@ rule network_dns {
description = "Communications use DNS" description = "Communications use DNS"
version = "0.1" version = "0.1"
strings: strings:
$f1 = "System.Net" $f1 = "System.Net"
$f2 = "Ws2_32.dll" nocase $f2 = "Ws2_32.dll" nocase
$f3 = "Dnsapi.dll" nocase $f3 = "Dnsapi.dll" nocase
$f4 = "wsock32.dll" nocase $f4 = "wsock32.dll" nocase
$c2 = "GetHostEntry" $c2 = "GetHostEntry"
$c3 = "getaddrinfo" $c3 = "getaddrinfo"
$c4 = "gethostbyname" $c4 = "gethostbyname"
$c5 = "WSAAsyncGetHostByName" $c5 = "WSAAsyncGetHostByName"
$c6 = "DnsQuery" $c6 = "DnsQuery"
condition: condition:
1 of ($f*) and 1 of ($c*) 1 of ($f*) and 1 of ($c*)
} }
rule network_ssl { rule network_ssl {
...@@ -1313,22 +1313,22 @@ rule network_dga { ...@@ -1313,22 +1313,22 @@ rule network_dga {
author = "x0r" author = "x0r"
description = "Communication using dga" description = "Communication using dga"
version = "0.1" version = "0.1"
strings: strings:
$dll1 = "Advapi32.dll" nocase $dll1 = "Advapi32.dll" nocase
$dll2 = "wininet.dll" nocase $dll2 = "wininet.dll" nocase
$dll3 = "Crypt32.dll" nocase $dll3 = "Crypt32.dll" nocase
$time1 = "SystemTimeToFileTime" $time1 = "SystemTimeToFileTime"
$time2 = "GetSystemTime" $time2 = "GetSystemTime"
$time3 = "GetSystemTimeAsFileTime" $time3 = "GetSystemTimeAsFileTime"
$hash1 = "CryptCreateHash" $hash1 = "CryptCreateHash"
$hash2 = "CryptAcquireContext" $hash2 = "CryptAcquireContext"
$hash3 = "CryptHashData" $hash3 = "CryptHashData"
$net1 = "InternetOpen" $net1 = "InternetOpen"
$net2 = "InternetOpenUrl" $net2 = "InternetOpenUrl"
$net3 = "gethostbyname" $net3 = "gethostbyname"
$net4 = "getaddrinfo" $net4 = "getaddrinfo"
condition: condition:
all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*) all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*)
} }
...@@ -1358,7 +1358,7 @@ rule certificate { ...@@ -1358,7 +1358,7 @@ rule certificate {
strings: strings:
$f1 = "Crypt32.dll" nocase $f1 = "Crypt32.dll" nocase
$r1 = "software\\microsoft\\systemcertificates\\spc\\certificates" nocase $r1 = "software\\microsoft\\systemcertificates\\spc\\certificates" nocase
$c1 = "CertOpenSystemStore" $c1 = "CertOpenSystemStore"
condition: condition:
all of them all of them
} }
...@@ -1370,8 +1370,8 @@ rule escalate_priv { ...@@ -1370,8 +1370,8 @@ rule escalate_priv {
version = "0.1" version = "0.1"
strings: strings:
$d1 = "Advapi32.dll" nocase $d1 = "Advapi32.dll" nocase
$c1 = "SeDebugPrivilege" $c1 = "SeDebugPrivilege"
$c2 = "AdjustTokenPrivileges" $c2 = "AdjustTokenPrivileges"
condition: condition:
1 of ($d*) and 1 of ($c*) 1 of ($d*) and 1 of ($c*)
} }
...@@ -1384,8 +1384,8 @@ rule screenshot { ...@@ -1384,8 +1384,8 @@ rule screenshot {
strings: strings:
$d1 = "Gdi32.dll" nocase $d1 = "Gdi32.dll" nocase
$d2 = "User32.dll" nocase $d2 = "User32.dll" nocase
$c1 = "BitBlt" $c1 = "BitBlt"
$c2 = "GetDC" $c2 = "GetDC"
condition: condition:
1 of ($d*) and 1 of ($c*) 1 of ($d*) and 1 of ($c*)
} }
...@@ -1434,9 +1434,9 @@ rule keylogger { ...@@ -1434,9 +1434,9 @@ rule keylogger {
version = "0.1" version = "0.1"
strings: strings:
$f1 = "User32.dll" nocase $f1 = "User32.dll" nocase
$c1 = "GetAsyncKeyState" $c1 = "GetAsyncKeyState"
$c2 = "GetKeyState" $c2 = "GetKeyState"
$c3 = "MapVirtualKey" $c3 = "MapVirtualKey"
$c4 = "GetKeyboardType" $c4 = "GetKeyboardType"
condition: condition:
$f1 and 1 of ($c*) $f1 and 1 of ($c*)
...@@ -1511,7 +1511,7 @@ rule cred_ie7 { ...@@ -1511,7 +1511,7 @@ rule cred_ie7 {
version = "0.1" version = "0.1"
strings: strings:
$f1 = "Crypt32.dll" nocase $f1 = "Crypt32.dll" nocase
$c1 = "CryptUnprotectData" $c1 = "CryptUnprotectData"
$s1 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" nocase $s1 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" nocase
condition: condition:
all of them all of them
...@@ -1537,8 +1537,8 @@ rule migrate_apc { ...@@ -1537,8 +1537,8 @@ rule migrate_apc {
description = "APC queue tasks migration" description = "APC queue tasks migration"
version = "0.1" version = "0.1"
strings: strings:
$c1 = "OpenThread" $c1 = "OpenThread"
$c2 = "QueueUserAPC" $c2 = "QueueUserAPC"
condition: condition:
all of them all of them
} }
...@@ -1563,8 +1563,8 @@ rule spreading_share { ...@@ -1563,8 +1563,8 @@ rule spreading_share {
version = "0.1" version = "0.1"
strings: strings:
$f1 = "netapi32.dll" nocase $f1 = "netapi32.dll" nocase
$c1 = "NetShareGetInfo" $c1 = "NetShareGetInfo"
$c2 = "NetShareEnum" $c2 = "NetShareEnum"
condition: condition:
$f1 and 1 of ($c*) $f1 and 1 of ($c*)
} }
...@@ -1576,8 +1576,8 @@ rule rat_vnc { ...@@ -1576,8 +1576,8 @@ rule rat_vnc {
version = "0.1" version = "0.1"
strings: strings:
$f1 = "ultravnc.ini" nocase $f1 = "ultravnc.ini" nocase
$c2 = "StartVNC" $c2 = "StartVNC"
$c3 = "StopVNC" $c3 = "StopVNC"
condition: condition:
any of them any of them
} }
...@@ -1639,7 +1639,7 @@ rule win_mutex { ...@@ -1639,7 +1639,7 @@ rule win_mutex {
description = "Create or check mutex" description = "Create or check mutex"
version = "0.1" version = "0.1"
strings: strings:
$c1 = "CreateMutex" $c1 = "CreateMutex"
condition: condition:
1 of ($c*) 1 of ($c*)
} }
...@@ -1656,7 +1656,7 @@ rule win_registry { ...@@ -1656,7 +1656,7 @@ rule win_registry {
$c3 = "RegCloseKey" $c3 = "RegCloseKey"
$c4 = "RegSetValueExA" $c4 = "RegSetValueExA"
$c5 = "RegCreateKeyA" $c5 = "RegCreateKeyA"
$c6 = "RegCloseKey" $c6 = "RegCloseKey"
condition: condition:
$f1 and 1 of ($c*) $f1 and 1 of ($c*)
} }
...@@ -1671,7 +1671,7 @@ rule win_token { ...@@ -1671,7 +1671,7 @@ rule win_token {
$c1 = "DuplicateTokenEx" $c1 = "DuplicateTokenEx"
$c2 = "AdjustTokenPrivileges" $c2 = "AdjustTokenPrivileges"
$c3 = "OpenProcessToken" $c3 = "OpenProcessToken"
$c4 = "LookupPrivilegeValueA" $c4 = "LookupPrivilegeValueA"
condition: condition:
$f1 and 1 of ($c*) $f1 and 1 of ($c*)
} }
...@@ -1685,7 +1685,7 @@ rule win_private_profile { ...@@ -1685,7 +1685,7 @@ rule win_private_profile {
$f1 = "kernel32.dll" nocase $f1 = "kernel32.dll" nocase
$c1 = "GetPrivateProfileIntA" $c1 = "GetPrivateProfileIntA"
$c2 = "GetPrivateProfileStringA" $c2 = "GetPrivateProfileStringA"
$c3 = "WritePrivateProfileStringA" $c3 = "WritePrivateProfileStringA"
condition: condition:
$f1 and 1 of ($c*) $f1 and 1 of ($c*)
} }
...@@ -1723,7 +1723,7 @@ rule win_hook { ...@@ -1723,7 +1723,7 @@ rule win_hook {
$f1 = "user32.dll" nocase $f1 = "user32.dll" nocase
$c1 = "UnhookWindowsHookEx" $c1 = "UnhookWindowsHookEx"
$c2 = "SetWindowsHookExA" $c2 = "SetWindowsHookExA"
$c3 = "CallNextHookEx" $c3 = "CallNextHookEx"
condition: condition:
$f1 and 1 of ($c*) $f1 and 1 of ($c*)
} }
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./Antidebug_AntiVM/antidebug_antivm.yar" include "./Antidebug_AntiVM/antidebug_antivm.yar"
...@@ -8,7 +8,7 @@ rule MSIETabularActivex ...@@ -8,7 +8,7 @@ rule MSIETabularActivex
strings: strings:
$cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword $cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
$cve20100805_2 = "DataURL" nocase fullword $cve20100805_2 = "DataURL" nocase fullword
$cve20100805_3 = /value\=\"http:\/\/(.*?)\"/ nocase fullword $cve20100805_3 = true
condition: condition:
($cve20100805_1 and $cve20100805_3) or (all of them) ($cve20100805_1 and $cve20100805_3) or (all of them)
} }
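Review bot: The new side of the `$cve20100805_3` line, `$cve20100805_3 = true`, is not a valid YARA string definition — a string must be a quoted text string, a `{ }` hex pattern or a `/ /` regex — so the file will not compile unless the rendering has dropped quotes that are present in the source. Even read as the text string `"true"`, that token is so common in HTML and script content that `($cve20100805_1 and $cve20100805_3)` reduces to the CLSID alone, which also makes the `or (all of them)` branch redundant; the removed regex anchored the match to a `value="http://..."` attribute, which is what distinguished a remote DataURL from an ordinary reference to the control. If the regex was dropped because of the unbounded `(.*?)`, a bounded form such as `$cve20100805_3 = /value\s*=\s*"http:\/\/[^"]{1,256}"/ nocase` keeps the constraint without the backtracking cost, and the commit message should state why the string changed. The rule's header and meta section lie above the hunk.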
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./CVE_Rules/CVE-2010-0805.yar" include "./CVE_Rules/CVE-2010-0805.yar"
include "./CVE_Rules/CVE-2010-0887.yar" include "./CVE_Rules/CVE-2010-0887.yar"
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./Crypto/base64.yar" include "./Crypto/base64.yar"
include "./Crypto/crypto_signatures.yar" include "./Crypto/crypto_signatures.yar"
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./Exploit-Kits/EK_Angler.yar" include "./Exploit-Kits/EK_Angler.yar"
include "./Exploit-Kits/EK_Blackhole.yar" include "./Exploit-Kits/EK_Blackhole.yar"
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar" include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar" include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./Mobile_Malware/Android_adware.yar" include "./Mobile_Malware/Android_adware.yar"
include "./Mobile_Malware/Android_AliPay_smsStealer.yar" include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./Packers/Javascript_exploit_and_obfuscation.yar" include "./Packers/Javascript_exploit_and_obfuscation.yar"
include "./Packers/JJencode.yar" include "./Packers/JJencode.yar"
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./Webshells/WShell_APT_Laudanum.yar" include "./Webshells/WShell_APT_Laudanum.yar"
include "./Webshells/Wshell_ChineseSpam.yar" include "./Webshells/Wshell_ChineseSpam.yar"
......
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./email/attachment.yar" include "./email/attachment.yar"
include "./email/bank_rule.yar" include "./email/bank_rule.yar"
......
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./Antidebug_AntiVM/antidebug_antivm.yar" include "./Antidebug_AntiVM/antidebug_antivm.yar"
include "./Crypto/base64.yar" include "./Crypto/base64.yar"
...@@ -71,6 +71,9 @@ include "./malware/APT_fancybear_dnc.yar" ...@@ -71,6 +71,9 @@ include "./malware/APT_fancybear_dnc.yar"
include "./malware/APT_FiveEyes.yar" include "./malware/APT_FiveEyes.yar"
include "./malware/APT_furtim.yar" include "./malware/APT_furtim.yar"
include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar" include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
include "./malware/APT_Grasshopper.yar"
include "./malware/APT_Greenbug.yar"
include "./malware/APT_Grizzlybear_uscert.yar"
include "./malware/APT_HackingTeam.yar" include "./malware/APT_HackingTeam.yar"
include "./malware/APT_Hellsing.yar" include "./malware/APT_Hellsing.yar"
include "./malware/APT_Hikit.yar" include "./malware/APT_Hikit.yar"
...@@ -99,6 +102,7 @@ include "./malware/APT_PutterPanda.yar" ...@@ -99,6 +102,7 @@ include "./malware/APT_PutterPanda.yar"
include "./malware/APT_Regin.yar" include "./malware/APT_Regin.yar"
include "./malware/APT_Scarab_Scieron.yar" include "./malware/APT_Scarab_Scieron.yar"
include "./malware/APT_Seaduke.yar" include "./malware/APT_Seaduke.yar"
include "./malware/APT_Shamoon_StoneDrill.yar"
include "./malware/APT_Snowglobe_Babar.yar" include "./malware/APT_Snowglobe_Babar.yar"
include "./malware/APT_Sofacy_Bundestag.yar" include "./malware/APT_Sofacy_Bundestag.yar"
include "./malware/APT_Sofacy_Fysbis.yar" include "./malware/APT_Sofacy_Fysbis.yar"
...@@ -218,6 +222,7 @@ include "./malware/MALW_Sendsafe.yar" ...@@ -218,6 +222,7 @@ include "./malware/MALW_Sendsafe.yar"
include "./malware/MALW_Shamoon.yar" include "./malware/MALW_Shamoon.yar"
include "./malware/MALW_Shifu.yar" include "./malware/MALW_Shifu.yar"
include "./malware/MALW_Skeleton.yar" include "./malware/MALW_Skeleton.yar"
include "./malware/MALW_Spora.yar"
include "./malware/MALW_Sqlite.yar" include "./malware/MALW_Sqlite.yar"
include "./malware/MALW_Stealer.yar" include "./malware/MALW_Stealer.yar"
include "./malware/MALW_Surtr.yar" include "./malware/MALW_Surtr.yar"
......
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./Antidebug_AntiVM/antidebug_antivm.yar" include "./Antidebug_AntiVM/antidebug_antivm.yar"
include "./Crypto/base64.yar" include "./Crypto/base64.yar"
...@@ -71,6 +71,9 @@ include "./malware/APT_fancybear_dnc.yar" ...@@ -71,6 +71,9 @@ include "./malware/APT_fancybear_dnc.yar"
include "./malware/APT_FiveEyes.yar" include "./malware/APT_FiveEyes.yar"
include "./malware/APT_furtim.yar" include "./malware/APT_furtim.yar"
include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar" include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
include "./malware/APT_Grasshopper.yar"
include "./malware/APT_Greenbug.yar"
include "./malware/APT_Grizzlybear_uscert.yar"
include "./malware/APT_HackingTeam.yar" include "./malware/APT_HackingTeam.yar"
include "./malware/APT_Hellsing.yar" include "./malware/APT_Hellsing.yar"
include "./malware/APT_Hikit.yar" include "./malware/APT_Hikit.yar"
...@@ -99,6 +102,7 @@ include "./malware/APT_PutterPanda.yar" ...@@ -99,6 +102,7 @@ include "./malware/APT_PutterPanda.yar"
include "./malware/APT_Regin.yar" include "./malware/APT_Regin.yar"
include "./malware/APT_Scarab_Scieron.yar" include "./malware/APT_Scarab_Scieron.yar"
include "./malware/APT_Seaduke.yar" include "./malware/APT_Seaduke.yar"
include "./malware/APT_Shamoon_StoneDrill.yar"
include "./malware/APT_Snowglobe_Babar.yar" include "./malware/APT_Snowglobe_Babar.yar"
include "./malware/APT_Sofacy_Bundestag.yar" include "./malware/APT_Sofacy_Bundestag.yar"
include "./malware/APT_Sofacy_Fysbis.yar" include "./malware/APT_Sofacy_Fysbis.yar"
...@@ -218,6 +222,7 @@ include "./malware/MALW_Sendsafe.yar" ...@@ -218,6 +222,7 @@ include "./malware/MALW_Sendsafe.yar"
include "./malware/MALW_Shamoon.yar" include "./malware/MALW_Shamoon.yar"
include "./malware/MALW_Shifu.yar" include "./malware/MALW_Shifu.yar"
include "./malware/MALW_Skeleton.yar" include "./malware/MALW_Skeleton.yar"
include "./malware/MALW_Spora.yar"
include "./malware/MALW_Sqlite.yar" include "./malware/MALW_Sqlite.yar"
include "./malware/MALW_Stealer.yar" include "./malware/MALW_Stealer.yar"
include "./malware/MALW_Surtr.yar" include "./malware/MALW_Surtr.yar"
......
/*
Set of rules for Grasshopper APT.
Infected DLL hashes of Stolen Goods 2.1.
Ref: https://wikileaks.org/vault7/document/StolenGoods-2_1-UserGuide/StolenGoods-2_1-UserGuide.pdf
Author: Jaume Martin
Date: 07-04-2017
*/
rule Control32 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "b3dc808fc7cb4492669ec019911ef22a"
}
rule Control64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "bec30379078d5c5c7845d3be33707b89"
}
rule GH_PM32 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "2f2c5b3f3b1f97908074f526ac90a28d"
}
rule GH_PM64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "fe6c0097412b2c7b7f4b8a489004dd14"
}
rule MemStub32-GH1 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "0a579ad25fdd4db8110aac4dbb7d2da3"
}
rule MemStub32 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "8987652f26732607b769247adb4e9cce"
}
rule MemStub64-GH1 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "2350403a09e6928f0a7ba5d74da58cb9"
}
rule MemStub64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "6b5b46d3212fc3fc5b455d9efd8d3ffa"
}
rule msvcrt_Win7AMD64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "c8fc794cc5a22b5a1e0803b0b8acce77"
}
rule msvcrt_Win7x86 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "7713e5c5a48b020c9575b1b50f2e5e9e"
}
rule msvcrt_WIN8AMD64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "33c59fcdf027470e0ab1d366f54a6ebf"
}
rule msvcrt_WIN8x86 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "95490c2b284a9bb63f0ee49254ab727e"
}
rule msvcrt_WinXPx86 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "b68f72d77754f8b76168ced0924a4174"
}
rule Network_Win7AMD64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "eb92031a38f17d0e63285b5142b31966"
}
rule Network_Win7x86 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "548889baed7768b828d9c2f373abd225"
}
rule Network_WinXPx86 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "877341a16d5d223435c43a9db7f721bc"
}
rule RabbitStew32 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "a9d2e8ae5ddbf8f2842d96f7de2faef8"
}
rule RabbitStew64 {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "fa415b6280104e813770df520b303897"
}
rule Vbr {
meta:
author = "Jaume Martin"
condition:
hash.md5(0, filesize) == "961d2fd68fde2ae0b7c52e0c90767d0d"
}
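Review bot: `rule MemStub32-GH1 {` and `rule MemStub64-GH1 {` will not compile, because a YARA rule identifier may contain only letters, digits and underscores; rename them `rule MemStub32_GH1 {` and `rule MemStub64_GH1 {`. Every condition calls `hash.md5(0, filesize)` but the new file never declares the module, so it fails to compile on its own and, when pulled in through the index, presumably only works if an earlier-included file happened to import it; add `import "hash"` as the first line. These are full-file MD5 IoC rules rather than signatures: any rebuilt or byte-patched sample evades them, and hashing every scanned file is costly, so a size guard such as `filesize < 2MB and hash.md5(0, filesize) == "..."` (the threshold is an illustrative placeholder) would cut the cost, and a `description` and `reference` meta entry per rule carrying the StolenGoods link from the header comment would let consumers see what the hash stands for without reading the file.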
...@@ -3,17 +3,17 @@ ...@@ -3,17 +3,17 @@
*/ */
rule CorkowDLL rule CorkowDLL
{ {
meta: meta:
description = "Rule to detect the Corkow DLL files" description = "Rule to detect the Corkow DLL files"
reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf" reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
strings: strings:
$mz = { 4d 5a } $mz = { 4d 5a }
$binary1 = {60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3} $binary1 = {60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3}
$binary2 = {(FF75??|53)FF7510FF750CFF7508E8????????[3-9]C9C20C 00} $binary2 = {(FF75??|53)FF7510FF750CFF7508E8????????[3-9]C9C20C 00}
$export1 = "Control_RunDLL" $export1 = "Control_RunDLL"
$export2 = "ServiceMain" $export2 = "ServiceMain"
$export3 = "DllGetClassObject" $export3 = "DllGetClassObject"
......
/* /*
Generated by Yara-Rules Generated by Yara-Rules
On 04-02-2017 On 08-04-2017
*/ */
include "./malware/APT_APT1.yar" include "./malware/APT_APT1.yar"
include "./malware/APT_APT17.yar" include "./malware/APT_APT17.yar"
...@@ -30,6 +30,9 @@ include "./malware/APT_fancybear_dnc.yar" ...@@ -30,6 +30,9 @@ include "./malware/APT_fancybear_dnc.yar"
include "./malware/APT_FiveEyes.yar" include "./malware/APT_FiveEyes.yar"
include "./malware/APT_furtim.yar" include "./malware/APT_furtim.yar"
include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar" include "./malware/APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar"
include "./malware/APT_Grasshopper.yar"
include "./malware/APT_Greenbug.yar"
include "./malware/APT_Grizzlybear_uscert.yar"
include "./malware/APT_HackingTeam.yar" include "./malware/APT_HackingTeam.yar"
include "./malware/APT_Hellsing.yar" include "./malware/APT_Hellsing.yar"
include "./malware/APT_Hikit.yar" include "./malware/APT_Hikit.yar"
...@@ -58,6 +61,7 @@ include "./malware/APT_PutterPanda.yar" ...@@ -58,6 +61,7 @@ include "./malware/APT_PutterPanda.yar"
include "./malware/APT_Regin.yar" include "./malware/APT_Regin.yar"
include "./malware/APT_Scarab_Scieron.yar" include "./malware/APT_Scarab_Scieron.yar"
include "./malware/APT_Seaduke.yar" include "./malware/APT_Seaduke.yar"
include "./malware/APT_Shamoon_StoneDrill.yar"
include "./malware/APT_Snowglobe_Babar.yar" include "./malware/APT_Snowglobe_Babar.yar"
include "./malware/APT_Sofacy_Bundestag.yar" include "./malware/APT_Sofacy_Bundestag.yar"
include "./malware/APT_Sofacy_Fysbis.yar" include "./malware/APT_Sofacy_Fysbis.yar"
...@@ -177,6 +181,7 @@ include "./malware/MALW_Sendsafe.yar" ...@@ -177,6 +181,7 @@ include "./malware/MALW_Sendsafe.yar"
include "./malware/MALW_Shamoon.yar" include "./malware/MALW_Shamoon.yar"
include "./malware/MALW_Shifu.yar" include "./malware/MALW_Shifu.yar"
include "./malware/MALW_Skeleton.yar" include "./malware/MALW_Skeleton.yar"
include "./malware/MALW_Spora.yar"
include "./malware/MALW_Sqlite.yar" include "./malware/MALW_Sqlite.yar"
include "./malware/MALW_Stealer.yar" include "./malware/MALW_Stealer.yar"
include "./malware/MALW_Surtr.yar" include "./malware/MALW_Surtr.yar"
......