Skip to content

R
rules
Commit e72d310c by Yara Rules
Options

pr/23

parents 656d3a8d 0a910b8c
Showing with 126 additions and 0 deletions
malware/DarkComet.yar
...@@ -79,9 +79,27 @@ rule DarkComet_3 ...@@ -79,9 +79,27 @@ rule DarkComet_3
$b4 = "#BOT#VisitUrl" $b4 = "#BOT#VisitUrl"
$b5 = "#KCMDDC" $b5 = "#KCMDDC"
<<<<<<< HEAD
condition: condition:
all of ($a*) or all of ($b*) all of ($a*) or all of ($b*)
} }
=======
rule DarkComet_Keylogger_File
{
meta:
author = "Florian Roth"
description = "Looks like a keylogger file created by DarkComet Malware"
date = "25.07.14"
reference = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
score = 50
strings:
$magic = "::"
$entry = /\n:: [A-Z]/
$timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
condition:
($magic at 0) and #entry > 10 and #timestamp > 10
}
>>>>>>> pr/23
malware/Miscelanea.yar
...@@ -819,6 +819,7 @@ rule LightFTP_Config { ...@@ -819,6 +819,7 @@ rule LightFTP_Config {
condition: condition:
uint16(0) == 0xfeff and filesize < 1KB and all of them uint16(0) == 0xfeff and filesize < 1KB and all of them
} }
<<<<<<< HEAD
rule SpyGate_v2_9 rule SpyGate_v2_9
{ {
meta: meta:
...@@ -854,10 +855,28 @@ rule PythoRAT ...@@ -854,10 +855,28 @@ rule PythoRAT
$g = "PluginData" $g = "PluginData"
$i = "OnPluginMessage" $i = "OnPluginMessage"
=======
rule CN_Toolset_sig_1433_135_sqlr {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
strings:
$s0 = "Connect to %s MSSQL server success. Type Command at Prompt." fullword ascii
$s11 = ";DATABASE=master" fullword ascii
$s12 = "xp_cmdshell '" fullword ascii
$s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
>>>>>>> pr/23
condition: condition:
all of them all of them
} }
<<<<<<< HEAD
rule VirusRat rule VirusRat
{ {
meta: meta:
...@@ -1121,3 +1140,92 @@ rule DownExecute_A ...@@ -1121,3 +1140,92 @@ rule DownExecute_A
condition: condition:
all of ($winver*) or any of ($pdb*) or any of ($magic*) or 2 of ($str*) all of ($winver*) or any of ($pdb*) or any of ($magic*) or 2 of ($str*)
} }
=======
rule CN_Toolset__XScanLib_XScanLib_XScanLib {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
super_rule = 1
hash0 = "af419603ac28257134e39683419966ab3d600ed2"
hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
strings:
$s1 = "Plug-in thread causes an exception, failed to alert user." fullword
$s2 = "PlugGetUdpPort" fullword
$s3 = "XScanLib.dll" fullword
$s4 = "PlugGetTcpPort" fullword
$s11 = "PlugGetVulnNum" fullword
condition:
all of them
}
rule CN_Toolset_NTscan_PipeCmd {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
strings:
$s2 = "Please Use NTCmd.exe Run This Program." fullword ascii
$s3 = "PipeCmd.exe" fullword wide
$s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii
$s5 = "%s\\pipe\\%s%s%d" fullword ascii
$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
$s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii
$s9 = "PipeCmdSrv.exe" fullword ascii
$s10 = "This is a service executable! Couldn't start directly." fullword ascii
$s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii
$s14 = "PIPECMDSRV" fullword wide
$s15 = "PipeCmd Service" fullword ascii
condition:
4 of them
}
rule CN_Toolset_LScanPortss_2 {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "4631ec57756466072d83d49fbc14105e230631a0"
strings:
$s1 = "LScanPort.EXE" fullword wide
$s3 = "www.honker8.com" fullword wide
$s4 = "DefaultPort.lst" fullword ascii
$s5 = "Scan over.Used %dms!" fullword ascii
$s6 = "www.hf110.com" fullword wide
$s15 = "LScanPort Microsoft " fullword wide
$s18 = "L-ScanPort2.0 CooFly" fullword wide
condition:
4 of them
}
rule CVE_2015_1674_CNGSYS {
meta:
description = "Detects exploits for CVE-2015-1674"
author = "Florian Roth"
reference = "http://www.binvul.com/viewthread.php?tid=508"
reference2 = "https://github.com/Neo23x0/Loki/blob/master/signatures/exploit_cve_2015_1674.yar"
date = "2015-05-14"
hash = "af4eb2a275f6bbc2bfeef656642ede9ce04fad36"
strings:
$s1 = "\\Device\\CNG" fullword wide
$s2 = "GetProcAddress" fullword ascii
$s3 = "LoadLibrary" ascii
$s4 = "KERNEL32.dll" fullword ascii
$s5 = "ntdll.dll" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 60KB and all of them
}
>>>>>>> pr/23
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment