Commit ef45a0e4 by Vlad S

Merged branch master into master

parents 0d49336b 40055d8d
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Exploit_MS15_077_078 {
rule Exploit_MS15_077_078: Exploit {
meta:
description = "MS15-078 / MS15-077 exploit - generic signature"
author = "Florian Roth"
......@@ -28,7 +28,7 @@ rule Exploit_MS15_077_078 {
uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*) or all of ($op*)
}
rule Exploit_MS15_077_078_HackingTeam {
rule Exploit_MS15_077_078_HackingTeam: Exploit {
meta:
description = "MS15-078 / MS15-077 exploit - Hacking Team code"
author = "Florian Roth"
......
......@@ -13,7 +13,7 @@
/* Rule Set ----------------------------------------------------------------- */
rule Mal_Dropper_httpEXE_from_CAB {
rule Mal_Dropper_httpEXE_from_CAB : Dropper {
meta:
description = "Detects a dropper from a CAB file mentioned in the article"
author = "Florian Roth"
......@@ -28,7 +28,7 @@ rule Mal_Dropper_httpEXE_from_CAB {
( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) )
}
rule Mal_http_EXE {
rule Mal_http_EXE : Trojan {
meta:
description = "Detects trojan from APT report named http.exe"
author = "Florian Roth"
......@@ -58,7 +58,7 @@ rule Mal_http_EXE {
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 2 of ($s*) ) ) or ( 3 of ($x*) )
}
rule Mal_PotPlayer_DLL {
rule Mal_PotPlayer_DLL : dll {
meta:
description = "Detects a malicious PotPlayer.dll"
author = "Florian Roth"
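Review bot: The tag vocabulary this merge introduces is inconsistent, and YARA tags are case-sensitive identifiers, so filtering with `yara -t` or routing alerts on tags will silently miss rules. In this section `Mal_PotPlayer_DLL : dll` is lowercase beside `Dropper` and `Trojan`; later sections use `EK Jar` (phoenix_jar3) against `EK jar` (sakura_jar2), `disk HackingTeam` and `dll HackingTeam` against bare `HackingTeam`, `Memory APT` on apt_c16_win_memory_pcclient but `Disk`, `Dropper` and `Memory` without `APT` on its siblings, `APT Backdoor` against plain `Dropper` for the two Casper rules, and `mutex`/`crypto` on the Equation rules. A single documented set of tags (family tags such as `APT`, `EK`, `webshell`, `maldoc`, plus artefact tags in one fixed case such as `Jar`, `PDF`, `DLL`) would make the additions usable. At minimum `rule sakura_jar2 : EK Jar` and the same family tag on every rule within the apt_c16 and Casper files.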
......
......@@ -3,12 +3,11 @@
*/
rule Flash_CVE_2015_5119_APT3 {
rule Flash_CVE_2015_5119_APT3 : Exploit {
meta:
description = "Exploit Sample CVE-2015-5119"
author = "Florian Roth"
score = 70
yaraexchange = "No distribution without author's consent"
date = "2015-08-01"
strings:
$s0 = "HT_exploit" fullword ascii
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule AnglerEKredirector
rule AnglerEKredirector : EK
{
meta:
description = "Angler Exploit Kit Redirector"
......@@ -20,7 +20,7 @@ rule AnglerEKredirector
condition:
all of them
}
rule angler_flash
rule angler_flash : EK
{
meta:
author = "Josh Berry"
......@@ -48,7 +48,7 @@ strings:
condition:
14 of them
}
rule angler_flash2
rule angler_flash2 : EK
{
meta:
author = "Josh Berry"
......@@ -76,7 +76,7 @@ strings:
condition:
14 of them
}
rule angler_flash4
rule angler_flash4 : EK
{
meta:
author = "Josh Berry"
......@@ -106,7 +106,7 @@ strings:
condition:
16 of them
}
rule angler_flash5
rule angler_flash5 : EK
{
meta:
author = "Josh Berry"
......@@ -132,7 +132,7 @@ strings:
condition:
12 of them
}
rule angler_flash_uncompressed
rule angler_flash_uncompressed : EK
{
meta:
author = "Josh Berry"
......@@ -163,7 +163,7 @@ strings:
condition:
17 of them
}
rule angler_html
rule angler_html : EK
{
meta:
author = "Josh Berry"
......@@ -195,7 +195,7 @@ strings:
condition:
18 of them
}
rule angler_html2
rule angler_html2 : EK
{
meta:
author = "Josh Berry"
......@@ -227,7 +227,7 @@ strings:
condition:
18 of them
}
rule angler_jar
rule angler_jar : EK
{
meta:
author = "Josh Berry"
......@@ -250,7 +250,7 @@ strings:
condition:
9 of them
}
rule angler_js
rule angler_js : EK
{
meta:
author = "Josh Berry"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule blackhole2_jar
rule blackhole2_jar : EK
{
meta:
author = "Josh Berry"
......@@ -29,7 +29,7 @@ strings:
condition:
13 of them
}
rule blackhole2_jar2
rule blackhole2_jar2 : EK
{
meta:
author = "Josh Berry"
......@@ -55,7 +55,7 @@ strings:
condition:
12 of them
}
rule blackhole2_jar3
rule blackhole2_jar3 : EK
{
meta:
author = "Josh Berry"
......@@ -81,7 +81,7 @@ strings:
condition:
12 of them
}
rule blackhole2_pdf
rule blackhole2_pdf : EK PDF
{
meta:
author = "Josh Berry"
......@@ -113,7 +113,7 @@ strings:
condition:
18 of them
}
rule blackhole_basic : exploit_kit
rule blackhole_basic : EK
{
strings:
$a = /\.php\?\.*\?\:[a-zA-Z0-9\:]{6,}\&\.*\?\&/
......@@ -146,7 +146,7 @@ strings:
condition:
12 of them
}
rule blackhole2_css
rule blackhole2_css : EK
{
meta:
author = "Josh Berry"
......@@ -168,7 +168,7 @@ strings:
condition:
18 of them
}
rule blackhole2_htm
rule blackhole2_htm : EK
{
meta:
author = "Josh Berry"
......@@ -204,7 +204,7 @@ strings:
condition:
14 of them
}
rule blackhole2_htm10
rule blackhole2_htm10 : EK
{
meta:
author = "Josh Berry"
......@@ -241,7 +241,7 @@ strings:
condition:
15 of them
}
rule blackhole2_htm11
rule blackhole2_htm11 : EK
{
meta:
author = "Josh Berry"
......@@ -274,7 +274,7 @@ strings:
condition:
11 of them
}
rule blackhole2_htm12
rule blackhole2_htm12 : EK
{
meta:
author = "Josh Berry"
......@@ -310,7 +310,7 @@ strings:
condition:
14 of them
}
rule blackhole2_htm3
rule blackhole2_htm3 : EK
{
meta:
author = "Josh Berry"
......@@ -329,7 +329,7 @@ strings:
condition:
3 of them
}
rule blackhole2_htm4
rule blackhole2_htm4 : EK
{
meta:
author = "Josh Berry"
......@@ -359,7 +359,7 @@ strings:
condition:
8 of them
}
rule blackhole2_htm5
rule blackhole2_htm5 : EK
{
meta:
author = "Josh Berry"
......@@ -393,7 +393,7 @@ strings:
condition:
12 of them
}
rule blackhole2_htm6
rule blackhole2_htm6 : EK
{
meta:
author = "Josh Berry"
......@@ -423,7 +423,7 @@ strings:
condition:
8 of them
}
rule blackhole2_htm8
rule blackhole2_htm8 : EK
{
meta:
author = "Josh Berry"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule bleedinglife2_adobe_2010_1297_exploit
rule bleedinglife2_adobe_2010_1297_exploit : EK PDF
{
meta:
author = "Josh Berry"
......@@ -33,7 +33,7 @@ strings:
condition:
17 of them
}
rule bleedinglife2_adobe_2010_2884_exploit
rule bleedinglife2_adobe_2010_2884_exploit : EK
{
meta:
author = "Josh Berry"
......@@ -64,7 +64,7 @@ strings:
condition:
17 of them
}
rule bleedinglife2_jar2
rule bleedinglife2_jar2 : EK
{
meta:
author = "Josh Berry"
......@@ -87,7 +87,7 @@ strings:
condition:
9 of them
}
rule bleedinglife2_java_2010_0842_exploit
rule bleedinglife2_java_2010_0842_exploit : EK
{
meta:
author = "Josh Berry"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule crimepack_jar
rule crimepack_jar : EK
{
meta:
author = "Josh Berry"
......@@ -22,7 +22,7 @@ strings:
condition:
6 of them
}
rule crimepack_jar3
rule crimepack_jar3 : EK
{
meta:
author = "Josh Berry"
......
rule eleonore_jar
rule eleonore_jar : EK
{
meta:
author = "Josh Berry"
......@@ -24,7 +24,7 @@ strings:
condition:
12 of them
}
rule eleonore_jar2
rule eleonore_jar2 : EK
{
meta:
author = "Josh Berry"
......@@ -52,7 +52,7 @@ strings:
condition:
14 of them
}
rule eleonore_jar3
rule eleonore_jar3 : EK
{
meta:
author = "Josh Berry"
......@@ -78,7 +78,7 @@ strings:
condition:
12 of them
}
rule eleonore_js
rule eleonore_js : EK
{
meta:
author = "Josh Berry"
......@@ -103,7 +103,7 @@ strings:
condition:
11 of them
}
rule eleonore_js2
rule eleonore_js2 : EK
{
meta:
author = "Josh Berry"
......@@ -132,7 +132,7 @@ strings:
condition:
15 of them
}
rule eleonore_js3
rule eleonore_js3 : EK
{
meta:
author = "Josh Berry"
......
rule fragus_htm
rule fragus_htm : EK
{
meta:
author = "Josh Berry"
......@@ -28,7 +28,7 @@ strings:
condition:
16 of them
}
rule fragus_js
rule fragus_js : EK
{
meta:
author = "Josh Berry"
......@@ -60,7 +60,7 @@ strings:
condition:
18 of them
}
rule fragus_js2
rule fragus_js2 : EK
{
meta:
author = "Josh Berry"
......@@ -91,7 +91,7 @@ strings:
condition:
17 of them
}
rule fragus_js_flash
rule fragus_js_flash : EK
{
meta:
author = "Josh Berry"
......@@ -120,7 +120,7 @@ strings:
condition:
15 of them
}
rule fragus_js_java
rule fragus_js_java : EK
{
meta:
author = "Josh Berry"
......@@ -151,7 +151,7 @@ strings:
condition:
17 of them
}
rule fragus_js_quicktime
rule fragus_js_quicktime : EK
{
meta:
author = "Josh Berry"
......@@ -180,7 +180,7 @@ strings:
condition:
15 of them
}
rule fragus_js_vml
rule fragus_js_vml : EK
{
meta:
author = "Josh Berry"
......
rule phoenix_html
rule phoenix_html : EK
{
meta:
author = "Josh Berry"
......@@ -21,7 +21,7 @@ strings:
condition:
10 of them
}
rule phoenix_html10
rule phoenix_html10 : EK
{
meta:
author = "Josh Berry"
......@@ -52,7 +52,7 @@ strings:
condition:
17 of them
}
rule phoenix_html11
rule phoenix_html11 : EK
{
meta:
author = "Josh Berry"
......@@ -84,7 +84,7 @@ strings:
condition:
18 of them
}
rule phoenix_html2
rule phoenix_html2 : EK
{
meta:
author = "Josh Berry"
......@@ -115,7 +115,7 @@ strings:
condition:
17 of them
}
rule phoenix_html3
rule phoenix_html3 : EK
{
meta:
author = "Josh Berry"
......@@ -147,7 +147,7 @@ strings:
condition:
18 of them
}
rule phoenix_html4
rule phoenix_html4 : EK
{
meta:
author = "Josh Berry"
......@@ -174,7 +174,7 @@ strings:
condition:
13 of them
}
rule phoenix_html5
rule phoenix_html5 : EK
{
meta:
author = "Josh Berry"
......@@ -204,7 +204,7 @@ strings:
condition:
16 of them
}
rule phoenix_html6
rule phoenix_html6 : EK
{
meta:
author = "Josh Berry"
......@@ -235,7 +235,7 @@ strings:
condition:
17 of them
}
rule phoenix_html7
rule phoenix_html7 : EK
{
meta:
author = "Josh Berry"
......@@ -266,7 +266,7 @@ strings:
condition:
17 of them
}
rule phoenix_html8
rule phoenix_html8 : EK
{
meta:
author = "Josh Berry"
......@@ -296,7 +296,7 @@ strings:
condition:
16 of them
}
rule phoenix_html9
rule phoenix_html9 : EK
{
meta:
author = "Josh Berry"
......@@ -328,7 +328,7 @@ strings:
condition:
18 of them
}
rule phoenix_jar
rule phoenix_jar : EK
{
meta:
author = "Josh Berry"
......@@ -352,7 +352,7 @@ strings:
condition:
10 of them
}
rule phoenix_jar2
rule phoenix_jar2 : EK
{
meta:
author = "Josh Berry"
......@@ -380,7 +380,7 @@ strings:
condition:
14 of them
}
rule phoenix_jar3
rule phoenix_jar3 : EK Jar
{
meta:
author = "Josh Berry"
......@@ -403,7 +403,7 @@ strings:
condition:
9 of them
}
rule phoenix_pdf
rule phoenix_pdf : EK PDF
{
meta:
author = "Josh Berry"
......@@ -429,7 +429,7 @@ strings:
condition:
11 of them
}
rule phoenix_pdf2
rule phoenix_pdf2 : EK PDF
{
meta:
author = "Josh Berry"
......@@ -456,7 +456,7 @@ strings:
condition:
13 of them
}
rule phoenix_pdf3
rule phoenix_pdf3 : EK PDF
{
meta:
author = "Josh Berry"
......
rule sakura_jar
rule sakura_jar : EK
{
meta:
author = "Josh Berry"
......@@ -29,7 +29,7 @@ strings:
condition:
17 of them
}
rule sakura_jar2
rule sakura_jar2 : EK jar
{
meta:
author = "Josh Berry"
......
rule zeroaccess_css
rule zeroaccess_css : EK
{
meta:
author = "Josh Berry"
......@@ -30,7 +30,7 @@ strings:
condition:
18 of them
}
rule zeroaccess_css2
rule zeroaccess_css2 : EK css
{
meta:
author = "Josh Berry"
......@@ -55,7 +55,7 @@ strings:
condition:
11 of them
}
rule zeroaccess_htm
rule zeroaccess_htm : EK html
{
meta:
author = "Josh Berry"
......@@ -85,7 +85,7 @@ strings:
condition:
16 of them
}
rule zeroaccess_js
rule zeroaccess_js : EK js
{
meta:
author = "Josh Berry"
......@@ -117,7 +117,7 @@ strings:
condition:
18 of them
}
rule zeroaccess_js2
rule zeroaccess_js2 : EK js
{
meta:
author = "Josh Berry"
......@@ -149,7 +149,7 @@ strings:
condition:
18 of them
}
rule zeroaccess_js3
rule zeroaccess_js3 : EK js
{
meta:
author = "Josh Berry"
......@@ -178,7 +178,7 @@ strings:
condition:
15 of them
}
rule zeroaccess_js4
rule zeroaccess_js4 : EK js
{
meta:
author = "Josh Berry"
......
rule zeus_js
rule zeus_js : EK
{
meta:
author = "Josh Berry"
......
......@@ -3,7 +3,7 @@
*/
rule APT_OLE_JSRat
rule APT_OLE_JSRat : maldoc APT
{
meta:
author = "Rahul Mohandas"
......
......@@ -15,7 +15,7 @@
2016/03/21: start
*/
rule Contains_VBE_File
rule Contains_VBE_File : maldoc
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
......
......@@ -2,6 +2,35 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Dridex_Trojan_XML : maldoc {
meta:
description = "Dridex Malware in XML Document"
author = "Florian Roth @4nc4p"
reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
date = "2015/03/08"
hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
strings:
// can be ascii or wide formatted - therefore no restriction
$c_xml = "<?xml version="
$c_word = "<?mso-application progid=\"Word.Document\"?>"
$c_macro = "w:macrosPresent=\"yes\""
$c_binary = "<w:binData w:name="
$c_0_chars = "<o:Characters>0</o:Characters>"
$c_1_line = "<o:Lines>1</o:Lines>"
condition:
all of ($c*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Yara Rule Set
Author: Florian Roth
......@@ -46,3 +75,4 @@ rule PHISH_02Dez2015_attach_P_ORD_C_10156_124658 {
condition:
uint16(0) == 0xcfd0 and filesize < 200KB and all of them
}
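Review bot: The comment above the `$c_*` strings in Dridex_Trojan_XML reads "can be ascii or wide formatted - therefore no restriction", but a YARA string with no modifier matches ASCII only, so the rule as written never matches a UTF-16 encoded document. Either add the modifiers, `$c_xml = "<?xml version=" ascii wide` and the same on the other five strings, or correct the comment to `// ascii only by design; add "wide" if UTF-16 samples are seen` so the recorded intent matches the behaviour. The license comment block at the end of this hunk duplicates the one at the top of the file and looks like a concatenation artefact of the merge; it is worth dropping. Whether any rule in this file uses `import "pe"` is not visible in the hunk.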
......@@ -3,7 +3,7 @@
*/
rule Contains_hidden_PE_File_inside_a_sequence_of_numbers
rule Contains_hidden_PE_File_inside_a_sequence_of_numbers : maldoc
{
meta:
author = "Martin Willing (https://evild3ad.com)"
......
......@@ -3,7 +3,7 @@
*/
rule MIME_MSO_ActiveMime_base64
rule MIME_MSO_ActiveMime_base64 : maldoc
{
meta:
author = "Martin Willing (https://evild3ad.com)"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule asp_file {
rule asp_file : webshell {
meta:
description = "Laudanum Injector Tools - file file.asp"
author = "Florian Roth"
......@@ -20,7 +20,7 @@ rule asp_file {
uint16(0) == 0x253c and filesize < 30KB and 5 of them
}
rule php_killnc {
rule php_killnc : webshell {
meta:
description = "Laudanum Injector Tools - file killnc.php"
author = "Florian Roth"
......@@ -37,7 +37,7 @@ rule php_killnc {
filesize < 15KB and 4 of them
}
rule asp_shell {
rule asp_shell : webshell {
meta:
description = "Laudanum Injector Tools - file shell.asp"
author = "Florian Roth"
......@@ -56,7 +56,7 @@ rule asp_shell {
filesize < 15KB and 4 of them
}
rule settings {
rule settings : webshell {
meta:
description = "Laudanum Injector Tools - file settings.php"
author = "Florian Roth"
......@@ -71,7 +71,7 @@ rule settings {
filesize < 13KB and all of them
}
rule asp_proxy {
rule asp_proxy : webshell {
meta:
description = "Laudanum Injector Tools - file proxy.asp"
author = "Florian Roth"
......@@ -89,7 +89,7 @@ rule asp_proxy {
filesize < 50KB and all of them
}
rule cfm_shell {
rule cfm_shell : webshell {
meta:
description = "Laudanum Injector Tools - file shell.cfm"
author = "Florian Roth"
......@@ -104,7 +104,7 @@ rule cfm_shell {
filesize < 20KB and 2 of them
}
rule aspx_shell {
rule aspx_shell : webshell{
meta:
description = "Laudanum Injector Tools - file shell.aspx"
author = "Florian Roth"
......@@ -120,7 +120,7 @@ rule aspx_shell {
filesize < 20KB and all of them
}
rule php_shell {
rule php_shell : webshell{
meta:
description = "Laudanum Injector Tools - file shell.php"
author = "Florian Roth"
......@@ -136,7 +136,7 @@ rule php_shell {
filesize < 40KB and all of them
}
rule php_reverse_shell {
rule php_reverse_shell : webshell {
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
author = "Florian Roth"
......@@ -151,7 +151,7 @@ rule php_reverse_shell {
filesize < 15KB and all of them
}
rule php_dns {
rule php_dns : webshell{
meta:
description = "Laudanum Injector Tools - file dns.php"
author = "Florian Roth"
......@@ -167,7 +167,7 @@ rule php_dns {
filesize < 15KB and all of them
}
rule WEB_INF_web {
rule WEB_INF_web : webshell{
meta:
description = "Laudanum Injector Tools - file web.xml"
author = "Florian Roth"
......@@ -181,7 +181,7 @@ rule WEB_INF_web {
filesize < 1KB and all of them
}
rule jsp_cmd {
rule jsp_cmd : webshell {
meta:
description = "Laudanum Injector Tools - file cmd.war"
author = "Florian Roth"
......@@ -198,7 +198,7 @@ rule jsp_cmd {
uint16(0) == 0x4b50 and filesize < 2KB and all of them
}
rule laudanum {
rule laudanum : webshell {
meta:
description = "Laudanum Injector Tools - file laudanum.php"
author = "Florian Roth"
......@@ -212,7 +212,7 @@ rule laudanum {
filesize < 5KB and all of them
}
rule php_file {
rule php_file : webshell{
meta:
description = "Laudanum Injector Tools - file file.php"
author = "Florian Roth"
......@@ -228,7 +228,7 @@ rule php_file {
filesize < 10KB and all of them
}
rule warfiles_cmd {
rule warfiles_cmd : webshell {
meta:
description = "Laudanum Injector Tools - file cmd.jsp"
author = "Florian Roth"
......@@ -244,7 +244,7 @@ rule warfiles_cmd {
filesize < 2KB and all of them
}
rule asp_dns {
rule asp_dns : webshell{
meta:
description = "Laudanum Injector Tools - file dns.asp"
author = "Florian Roth"
......@@ -260,7 +260,7 @@ rule asp_dns {
filesize < 21KB and all of them
}
rule php_reverse_shell_2 {
rule php_reverse_shell_2 : webshell{
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
author = "Florian Roth"
......@@ -274,7 +274,7 @@ rule php_reverse_shell_2 {
filesize < 10KB and all of them
}
rule Laudanum_Tools_Generic {
rule Laudanum_Tools_Generic : webshell Toolkit{
meta:
description = "Laudanum Injector Tools"
author = "Florian Roth"
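Review bot: Several new tag lines in this section omit the space before the opening brace — `rule aspx_shell : webshell{`, likewise php_shell, php_dns, WEB_INF_web, php_file, asp_dns, php_reverse_shell_2 and `Laudanum_Tools_Generic : webshell Toolkit{` — while the rest of the same set are written `: webshell {`. The lexer accepts both, but the mixed forms break simple grep/sed passes over rule headers and read as copy-paste slips; normalise to `rule aspx_shell : webshell {`. The same applies to the webshell_* rules in the following section (webshell_iMHaPFtp_2 through webshell_Private_i3lue).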
......
......@@ -19,7 +19,7 @@
*/
rule Weevely_Webshell {
rule Weevely_Webshell : webshell {
meta:
description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
author = "Florian Roth"
......@@ -36,7 +36,7 @@ rule Weevely_Webshell {
$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
}
rule webshell_h4ntu_shell_powered_by_tsoi_ {
rule webshell_h4ntu_shell_powered_by_tsoi_ : webshell {
meta:
description = "Web Shell - file h4ntu shell [powered by tsoi].php"
author = "Florian Roth"
......@@ -51,7 +51,7 @@ rule webshell_h4ntu_shell_powered_by_tsoi_ {
condition:
all of them
}
rule webshell_PHP_sql {
rule webshell_PHP_sql : webshell {
meta:
description = "Web Shell - file sql.php"
author = "Florian Roth"
......@@ -64,7 +64,7 @@ rule webshell_PHP_sql {
condition:
all of them
}
rule webshell_PHP_a {
rule webshell_PHP_a : webshell {
meta:
description = "Web Shell - file a.php"
author = "Florian Roth"
......@@ -78,7 +78,7 @@ rule webshell_PHP_a {
condition:
2 of them
}
rule webshell_iMHaPFtp_2 {
rule webshell_iMHaPFtp_2 : webshell{
meta:
description = "Web Shell - file iMHaPFtp.php"
author = "Florian Roth"
......@@ -91,7 +91,7 @@ rule webshell_iMHaPFtp_2 {
condition:
1 of them
}
rule webshell_Jspspyweb {
rule webshell_Jspspyweb : webshell{
meta:
description = "Web Shell - file Jspspyweb.jsp"
author = "Florian Roth"
......@@ -104,7 +104,7 @@ rule webshell_Jspspyweb {
condition:
all of them
}
rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 : webshell{
meta:
description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
author = "Florian Roth"
......@@ -117,7 +117,7 @@ rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
condition:
1 of them
}
rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend : webshell{
meta:
description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
author = "Florian Roth"
......@@ -130,7 +130,7 @@ rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
condition:
1 of them
}
rule webshell_phpshell_2_1_pwhash {
rule webshell_phpshell_2_1_pwhash : webshell{
meta:
description = "Web Shell - file pwhash.php"
author = "Florian Roth"
......@@ -143,7 +143,7 @@ rule webshell_phpshell_2_1_pwhash {
condition:
1 of them
}
rule webshell_PHPRemoteView {
rule webshell_PHPRemoteView : webshell{
meta:
description = "Web Shell - file PHPRemoteView.php"
author = "Florian Roth"
......@@ -156,7 +156,7 @@ rule webshell_PHPRemoteView {
condition:
1 of them
}
rule webshell_jsp_12302 {
rule webshell_jsp_12302 : webshell{
meta:
description = "Web Shell - file 12302.jsp"
author = "Florian Roth"
......@@ -170,7 +170,7 @@ rule webshell_jsp_12302 {
condition:
all of them
}
rule webshell_caidao_shell_guo {
rule webshell_caidao_shell_guo : webshell{
meta:
description = "Web Shell - file guo.php"
author = "Florian Roth"
......@@ -183,7 +183,7 @@ rule webshell_caidao_shell_guo {
condition:
1 of them
}
rule webshell_PHP_redcod {
rule webshell_PHP_redcod : webshell{
meta:
description = "Web Shell - file redcod.php"
author = "Florian Roth"
......@@ -196,7 +196,7 @@ rule webshell_PHP_redcod {
condition:
all of them
}
rule webshell_remview_fix {
rule webshell_remview_fix : webshell{
meta:
description = "Web Shell - file remview_fix.php"
author = "Florian Roth"
......@@ -209,7 +209,7 @@ rule webshell_remview_fix {
condition:
1 of them
}
rule webshell_asp_cmd {
rule webshell_asp_cmd : webshell {
meta:
description = "Web Shell - file cmd.asp"
author = "Florian Roth"
......@@ -223,7 +223,7 @@ rule webshell_asp_cmd {
condition:
1 of them
}
rule webshell_php_sh_server {
rule webshell_php_sh_server : webshell {
meta:
description = "Web Shell - file server.php"
author = "Florian Roth"
......@@ -235,7 +235,7 @@ rule webshell_php_sh_server {
condition:
all of them
}
rule webshell_PH_Vayv_PH_Vayv {
rule webshell_PH_Vayv_PH_Vayv : webshell {
meta:
description = "Web Shell - file PH Vayv.php"
author = "Florian Roth"
......@@ -248,7 +248,7 @@ rule webshell_PH_Vayv_PH_Vayv {
condition:
1 of them
}
rule webshell_caidao_shell_ice {
rule webshell_caidao_shell_ice : webshell{
meta:
description = "Web Shell - file ice.asp"
author = "Florian Roth"
......@@ -260,7 +260,7 @@ rule webshell_caidao_shell_ice {
condition:
all of them
}
rule webshell_cihshell_fix {
rule webshell_cihshell_fix : webshell {
meta:
description = "Web Shell - file cihshell_fix.php"
author = "Florian Roth"
......@@ -273,7 +273,7 @@ rule webshell_cihshell_fix {
condition:
1 of them
}
rule webshell_asp_shell {
rule webshell_asp_shell : webshell {
meta:
description = "Web Shell - file shell.asp"
author = "Florian Roth"
......@@ -286,7 +286,7 @@ rule webshell_asp_shell {
condition:
all of them
}
rule webshell_Private_i3lue {
rule webshell_Private_i3lue : webshell{
meta:
description = "Web Shell - file Private-i3lue.php"
author = "Florian Roth"
......@@ -298,7 +298,7 @@ rule webshell_Private_i3lue {
condition:
all of them
}
rule webshell_php_up {
rule webshell_php_up : webshell {
meta:
description = "Web Shell - file up.php"
author = "Florian Roth"
......
......@@ -5,7 +5,7 @@
(echoers), file(s) which use file_get_contents()
to get and echo the HTML (chinese blog/shop/???).
*/
rule chinese_spam_spreader
rule chinese_spam_spreader : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
......@@ -19,7 +19,7 @@ rule chinese_spam_spreader
all of them
}
rule chinese_spam_echoer
rule chinese_spam_echoer : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
......
......@@ -12,7 +12,7 @@
info on "h4x4rwow@yahoo.com" as written in the "system32()"
function.
*/
rule fire2013
rule fire2013 : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
......
......@@ -4,7 +4,7 @@
import "pe"
rule apt_c16_win_memory_pcclient
rule apt_c16_win_memory_pcclient : Memory APT
{
meta:
author = "@dragonthreatlab"
......@@ -21,7 +21,7 @@ rule apt_c16_win_memory_pcclient
all of them
}
rule apt_c16_win_disk_pcclient
rule apt_c16_win_disk_pcclient : Disk
{
meta:
author = "@dragonthreatlab"
......@@ -35,7 +35,7 @@ rule apt_c16_win_disk_pcclient
$header at 0
}
rule apt_c16_win32_dropper
rule apt_c16_win32_dropper : Dropper
{
meta:
author = "@dragonthreatlab"
......@@ -54,7 +54,7 @@ rule apt_c16_win32_dropper
$mz at 0 and all of ($str*)
}
rule apt_c16_win_swisyn
rule apt_c16_win_swisyn : Memory
{
meta:
author = "@dragonthreatlab"
......@@ -87,7 +87,7 @@ rule apt_c16_win_wateringhole
any of ($str*)
}
rule apt_c16_win64_dropper
rule apt_c16_win64_dropper : Dropper
{
meta:
author = "@dragonthreatlab"
......
......@@ -11,7 +11,7 @@
/* Rule Set ----------------------------------------------------------------- */
rule Carbanak_0915_1 {
rule Carbanak_0915_1 : APT {
meta:
description = "Carbanak Malware"
author = "Florian Roth"
......@@ -25,7 +25,7 @@ rule Carbanak_0915_1 {
uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}
rule Carbanak_0915_2 {
rule Carbanak_0915_2 : APT {
meta:
description = "Carbanak Malware"
author = "Florian Roth"
......@@ -46,7 +46,7 @@ rule Carbanak_0915_2 {
uint16(0) == 0x5a4d and filesize < 500KB and ( $x1 or all of ($s*) )
}
rule Carbanak_0915_3 {
rule Carbanak_0915_3 : APT {
meta:
description = "Carbanak Malware"
author = "Florian Roth"
......
......@@ -4,7 +4,7 @@
import "pe"
rule Careto_SGH {
rule Careto_SGH : APT Careto {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto SGH component signature"
......@@ -19,7 +19,7 @@ rule Careto_SGH {
2 of them
}
rule Careto_OSX_SBD {
rule Careto_OSX_SBD : APT Careto {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto OSX component signature"
......@@ -32,7 +32,7 @@ rule Careto_OSX_SBD {
all of them
}
rule Careto_CnC {
rule Careto_CnC : APT Careto {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto CnC communication signature"
......@@ -47,7 +47,7 @@ rule Careto_CnC {
all of them
}
rule Careto_CnC_domains {
rule Careto_CnC_domains : APT Careto {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto known command and control domains"
......
......@@ -5,7 +5,7 @@
import "pe"
rule Casper_Backdoor_x86 {
rule Casper_Backdoor_x86 : APT Backdoor {
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
author = "Florian Roth"
......@@ -36,7 +36,7 @@ rule Casper_Backdoor_x86 {
( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
}
rule Casper_EXE_Dropper {
rule Casper_EXE_Dropper : Dropper {
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
author = "Florian Roth"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule CloudDuke_Malware {
rule CloudDuke_Malware : APT CloudDuke {
meta:
description = "Detects CloudDuke Malware"
author = "Florian Roth"
......@@ -40,7 +40,7 @@ rule CloudDuke_Malware {
/* Super Rules ------------------------------------------------------------- */
rule SFXRAR_Acrotray {
rule SFXRAR_Acrotray : APT CloudDuke {
meta:
description = "Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe"
author = "Florian Roth"
......
......@@ -4,7 +4,7 @@
import "pe"
rule APT_DeputyDog_Fexel
rule APT_DeputyDog_Fexel : APT DeputyDog
{
meta:
author = "ThreatConnect Intelligence Research Team"
......@@ -18,7 +18,7 @@ condition:
any of them
}
rule APT_DeputyDog
rule APT_DeputyDog : APT DeputyDog
{
meta:
Author = "FireEye Labs"
......@@ -32,4 +32,4 @@ rule APT_DeputyDog
condition:
($mz at 0) and $a
}
\ No newline at end of file
}
......@@ -5,7 +5,7 @@
import "pe"
rule apt_nix_elf_derusbi
rule apt_nix_elf_derusbi : APT Derusbi ELF
{
meta:
Author = "@seifreed"
......@@ -51,7 +51,7 @@ rule apt_nix_elf_derusbi
condition:
(uint32(0) == 0x4464c457f) and (all of them)
}
rule apt_nix_elf_derusbi_kernelModule
rule apt_nix_elf_derusbi_kernelModule : APT Derusbi ELF
{
meta:
Author = "@seifreed"
......@@ -80,7 +80,7 @@ rule apt_nix_elf_derusbi_kernelModule
condition:
(uint32(0) == 0x4464c457f) and (all of them)
}
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation : APT Derusbi ELF
{
meta:
Author = "@seifreed"
......@@ -90,7 +90,7 @@ rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
(uint32(0) == 0x464C457F) and (any of them)
}
rule apt_nix_elf_Derusbi_Linux_Strings
rule apt_nix_elf_Derusbi_Linux_Strings : APT Derusbi ELF
{
meta:
Author = "@seifreed"
......@@ -117,7 +117,7 @@ rule apt_nix_elf_Derusbi_Linux_Strings
all of ($b*))
}
rule apt_win_exe_trojan_derusbi
rule apt_win_exe_trojan_derusbi : APT Derusbi
{
meta:
Author = "@seifreed"
......@@ -179,7 +179,7 @@ rule apt_win_exe_trojan_derusbi
}
rule Trojan_Derusbi {
rule Trojan_Derusbi : APT Derusbi {
meta:
Author = "RSA_IR"
Date = "4Sept13"
......@@ -200,7 +200,7 @@ rule Trojan_Derusbi {
2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
}
rule APT_Derusbi_DeepPanda
rule APT_Derusbi_DeepPanda : APT Derusbi ELF DeepPanda
{
meta:
author = "ThreatConnect Intelligence Research Team"
......@@ -212,7 +212,7 @@ condition:
}
rule APT_Derusbi_Gen
rule APT_Derusbi_Gen : APT Derusbi
{
meta:
author = "ThreatConnect Intelligence Research Team"
......@@ -240,7 +240,7 @@ condition:
Identifier: Derusbi Dez 2015
*/
rule derusbi_kernel
rule derusbi_kernel : APT Derusbi
{
meta:
description = "Derusbi Driver version"
......@@ -256,7 +256,7 @@ rule derusbi_kernel
$MZ at 0 and $token1 and $token2 and $cfg and $class
}
rule derusbi_linux
rule derusbi_linux : APT Derusbi ELF
{
meta:
description = "Derusbi Server Linux version"
......@@ -279,7 +279,7 @@ rule derusbi_linux
Identifier: Derusbi Dez 2015
*/
rule Derusbi_Kernel_Driver_WD_UDFS {
rule Derusbi_Kernel_Driver_WD_UDFS : APT Derusbi {
meta:
description = "Detects Derusbi Kernel Driver"
author = "Florian Roth"
......@@ -310,7 +310,7 @@ rule Derusbi_Kernel_Driver_WD_UDFS {
)
}
rule Derusbi_Code_Signing_Cert {
rule Derusbi_Code_Signing_Cert : APT Derusbi {
meta:
description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
author = "Florian Roth"
......@@ -325,7 +325,7 @@ rule Derusbi_Code_Signing_Cert {
uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
}
rule XOR_4byte_Key {
rule XOR_4byte_Key : APT Derusbi {
meta:
description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
author = "Florian Roth"
......@@ -347,3 +347,28 @@ rule XOR_4byte_Key {
condition:
uint16(0) == 0x5a4d and filesize < 900KB and all of them
}
rule apt_win32_dll_bergard_pgv_pvid_variant : Win32 Derusbi
{
meta:
copyright = "Fidelis Cybersecurity"
reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
strings:
$ = "Accept:"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Cache-Control: no-cache"
$ = "Connection: Keep-Alive"
$ = "Cookie: pgv_pvid="
$ = "Content-Type: application/x-octet-stream"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Pragma: no-cache"
$ = "Connection: Keep-Alive"
$ = "HTTP/1.0"
condition:
(uint16(0) == 0x5A4D) and (all of them)
}
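Review bot: The new rule apt_win32_dll_bergard_pgv_pvid_variant lists three anonymous strings twice — `$ = "User-Agent: %s"`, `$ = "Host: %s:%d"` and `$ = "Connection: Keep-Alive"` each appear at two positions — which adds nothing under `all of them` and makes the rule harder to audit; drop the second occurrence of each. Most of the remaining strings are likely ordinary HTTP header fragments, so the discriminating content is effectively `Cookie: pgv_pvid=` and `Content-Type: application/x-octet-stream`; a one-line comment saying so, next to the fact that the condition only adds a PE magic check, would help the next reader judge false-positive risk. The rule is tagged `Win32 Derusbi` whereas every other rule in this file is tagged `APT Derusbi` by this same commit; `rule apt_win32_dll_bergard_pgv_pvid_variant : APT Derusbi Win32` keeps family-tag filtering consistent.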
......@@ -7,7 +7,7 @@ import "pe"
/* Equation APT ------------------------------------------------------------ */
rule apt_equation_exploitlib_mutexes {
rule apt_equation_exploitlib_mutexes : mutex {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
......@@ -59,7 +59,7 @@ rule apt_equation_equationlaser_runtimeclasses {
any of them
}
rule apt_equation_cryptotable {
rule apt_equation_cryptotable : crypto {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect the crypto library used in Equation group malware"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule bin_ndisk {
rule bin_ndisk : disk HackingTeam {
meta:
description = "Hacking Team Disclosure Sample - file ndisk.sys"
author = "Florian Roth"
......@@ -22,7 +22,7 @@ rule bin_ndisk {
uint16(0) == 0x5a4d and filesize < 30KB and 6 of them
}
rule Hackingteam_Elevator_DLL {
rule Hackingteam_Elevator_DLL : dll HackingTeam {
meta:
description = "Hacking Team Disclosure Sample - file elevator.dll"
author = "Florian Roth"
......@@ -44,7 +44,7 @@ rule Hackingteam_Elevator_DLL {
uint16(0) == 0x5a4d and filesize < 1000KB and 6 of them
}
rule HackingTeam_Elevator_EXE {
rule HackingTeam_Elevator_EXE : HackingTeam {
meta:
description = "Hacking Team Disclosure Sample - file elevator.exe"
author = "Florian Roth"
......@@ -70,3 +70,70 @@ rule HackingTeam_Elevator_EXE {
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of ($x*) and 3 of ($s*)
}
import "pe"
rule RCS_Backdoor
{
meta:
description = "Hacking Team RCS Backdoor"
author = "botherder https://github.com/botherder"
strings:
$filter1 = "$debug3"
$filter2 = "$log2"
$filter3 = "error2"
$debug1 = /\- (C)hecking components/ wide ascii
$debug2 = /\- (A)ctivating hiding system/ wide ascii
$debug3 = /(f)ully operational/ wide ascii
$log1 = /\- Browser activity \(FF\)/ wide ascii
$log2 = /\- Browser activity \(IE\)/ wide ascii
// Cause false positives.
//$log3 = /\- About to call init routine at %p/ wide ascii
//$log4 = /\- Calling init routine at %p/ wide ascii
$error1 = /\[Unable to deploy\]/ wide ascii
$error2 = /\[The system is already monitored\]/ wide ascii
condition:
(2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
}
rule RCS_Scout
{
meta:
description = "Hacking Team RCS Scout"
author = "botherder https://github.com/botherder"
strings:
$filter1 = "$engine5"
$filter2 = "$start4"
$filter3 = "$upd2"
$filter4 = "$lookma6"
$engine1 = /(E)ngine started/ wide ascii
$engine2 = /(R)unning in background/ wide ascii
$engine3 = /(L)ocking doors/ wide ascii
$engine4 = /(R)otors engaged/ wide ascii
$engine5 = /(I)\'m going to start it/ wide ascii
$start1 = /Starting upgrade\!/ wide ascii
$start2 = /(I)\'m going to start the program/ wide ascii
$start3 = /(i)s it ok\?/ wide ascii
$start4 = /(C)lick to start the program/ wide ascii
$upd1 = /(U)pdJob/ wide ascii
$upd2 = /(U)pdTimer/ wide ascii
$lookma1 = /(O)wning PCI bus/ wide
$lookma2 = /(F)ormatting bios/ wide
$lookma3 = /(P)lease insert a disk in drive A:/ wide
$lookma4 = /(U)pdating CPU microcode/ wide
$lookma5 = /(N)ot sure what's happening/ wide
$lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide
condition:
(all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
}
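Review bot: The `import "pe"` inserted ahead of `RCS_Backdoor` is not used by either rule added here (no `pe.` field or function is referenced), so it only marks that the two rules were pasted from a standalone file; drop it, or keep a single `import "pe"` at the top of the file if another rule needs it. The `$filter*` strings (`"$debug3"`, `"$log2"`, ...) combined with `not any of ($filter*)` appear to exist so the rule does not fire on its own source text, which deserves a comment such as `// $filter* keep the rule from matching this .yar file itself`. Neither rule has a file-type or size guard, so every regex is run against every scanned file; that is reasonable for memory dumps but worth confirming against the `uint16(0) == 0x5a4d` convention used by the surrounding rules.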
......@@ -16,7 +16,7 @@ rule IronTiger_ASPXSpy
any of ($str*)
}
rule IronTiger_ChangePort_Toolkit_driversinstall
rule IronTiger_ChangePort_Toolkit_driversinstall : driver
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -31,7 +31,7 @@ rule IronTiger_ChangePort_Toolkit_driversinstall
uint16(0) == 0x5a4d and (2 of ($str*))
}
rule IronTiger_ChangePort_Toolkit_ChangePortExe
rule IronTiger_ChangePort_Toolkit_ChangePortExe : Toolkit
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -47,7 +47,7 @@ rule IronTiger_ChangePort_Toolkit_ChangePortExe
uint16(0) == 0x5a4d and (2 of ($str*))
}
rule IronTiger_dllshellexc2010
rule IronTiger_dllshellexc2010 : Backdoor
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -63,7 +63,7 @@ rule IronTiger_dllshellexc2010
(uint16(0) == 0x5a4d) and ((any of ($str*)) or (all of ($bla*)))
}
rule IronTiger_dnstunnel
rule IronTiger_dnstunnel : Tunnel
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -83,7 +83,7 @@ rule IronTiger_dnstunnel
(uint16(0) == 0x5a4d) and ((any of ($str*)) or (any of ($mistake*)))
}
rule IronTiger_EFH3_encoder
rule IronTiger_EFH3_encoder : Encoder
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -144,7 +144,7 @@ rule IronTiger_Gh0stRAT_variant
uint16(0) == 0x5a4d and (any of ($str*))
}
rule IronTiger_GTalk_Trojan
rule IronTiger_GTalk_Trojan : trojan
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -159,7 +159,7 @@ rule IronTiger_GTalk_Trojan
uint16(0) == 0x5a4d and (2 of ($str*))
}
rule IronTiger_HTTPBrowser_Dropper
rule IronTiger_HTTPBrowser_Dropper : Dropper
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -189,7 +189,7 @@ rule IronTiger_HTTP_SOCKS_Proxy_soexe
uint16(0) == 0x5a4d and (3 of ($str*))
}
rule IronTiger_NBDDos_Gh0stvariant_dropper
rule IronTiger_NBDDos_Gh0stvariant_dropper : Dropper
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -305,3 +305,148 @@ rule IronTiger_wmiexec
condition:
2 of ($str*)
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-09-16
Identifier: Iron Panda
*/
/* Rule Set ----------------------------------------------------------------- */
rule IronPanda_DNSTunClient {
meta:
description = "Iron Panda malware DnsTunClient - file named.exe"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
score = 80
hash = "a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431"
strings:
$s1 = "dnstunclient -d or -domain <domain>" fullword ascii
$s2 = "dnstunclient -ip <server ip address>" fullword ascii
$s3 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"\\Microsoft\\Windows\\PLA\\System\\Microsoft Windows\" /tr " fullword ascii
$s4 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"Microsoft Windows\" /tr " fullword ascii
$s5 = "taskkill /im conime.exe" fullword ascii
$s6 = "\\dns control\\t-DNSTunnel\\DnsTunClient\\DnsTunClient.cpp" fullword ascii
$s7 = "UDP error:can not bing the port(if there is unclosed the bind process?)" fullword ascii
$s8 = "use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s)" fullword ascii
$s9 = "error: packet num error.the connection have condurt,pls try later" fullword ascii
$s10 = "Coversation produce one error:%s,coversation fail" fullword ascii
$s11 = "try to add many same pipe to select group(or mark is too easy)." fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 2 of them )
or
5 of them
}
rule IronPanda_Malware1 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a"
strings:
$x1 = "activedsimp.dll" fullword wide
$s1 = "get_BadLoginAddress" fullword ascii
$s2 = "get_LastFailedLogin" fullword ascii
$s3 = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" fullword ascii
$s4 = "get_PasswordExpirationDate" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule IronPanda_Webshell_JSP {
meta:
description = "Iron Panda Malware JSP"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6"
strings:
$s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
$s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" fullword ascii
$s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" fullword ascii
condition:
filesize < 330KB and 1 of them
}
rule IronPanda_Malware_Htran {
meta:
description = "Iron Panda Malware Htran"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
strings:
$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
$s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
$s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s4 = "[-] ERROR: Must supply logfile name." fullword ascii
$s5 = "[SERVER]connection to %s:%d error" fullword ascii
$s6 = "[+] Make a Connection to %s:%d...." fullword ascii
$s7 = "[+] Waiting another Client on port:%d...." fullword ascii
$s8 = "[+] Accept a Client on port %d from %s" fullword ascii
$s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
$s10 = "cmshared_get_ptr_from_atom" fullword ascii
$s11 = "_cmshared_get_ptr_from_atom" fullword ascii
$s12 = "[+] OK! I Closed The Two Socket." fullword ascii
$s13 = "[-] TransmitPort invalid." fullword ascii
$s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them )
or
5 of them
}
rule IronPanda_Malware2 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91"
strings:
$s0 = "\\setup.exe" fullword ascii
$s1 = "msi.dll.urlUT" fullword ascii
$s2 = "msi.dllUT" fullword ascii
$s3 = "setup.exeUT" fullword ascii
$s4 = "/c del /q %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
rule IronPanda_Malware3 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742"
strings:
$s0 = "PluginDeflater.exe" fullword wide
$s1 = ".Deflated" fullword wide
$s2 = "PluginDeflater" fullword ascii
$s3 = "DeflateStream" fullword ascii /* Goodware String - occured 1 times */
$s4 = "CompressionMode" fullword ascii /* Goodware String - occured 4 times */
$s5 = "System.IO.Compression" fullword ascii /* Goodware String - occured 6 times */
condition:
uint16(0) == 0x5a4d and filesize < 10KB and all of them
}
rule IronPanda_Malware4 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c"
strings:
$s0 = "TestPlugin.dll" fullword wide
$s1 = "<a href='http://www.baidu.com'>aasd</a>" fullword wide
$s2 = "Zcg.Test.AspxSpyPlugins" fullword ascii
$s6 = "TestPlugin" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 10KB and all of them
}
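Review bot: The seven `IronPanda_*` rules appended to the IronTiger file reuse the exact identifiers of the standalone Iron Panda file that this merge also adds (`IronPanda_DNSTunClient` reappears at the start of that file further down), and YARA aborts with `duplicated identifier` when two rules of the same name are compiled together, e.g. through an index that includes both files; keep one copy. Separately, `IronPanda_Webshell_JSP` is described as JSP, but `$s1`–`$s3` are C#/ASP.NET fragments (`Bin_ExecSql(...)`, `tc.Text=...`, `Bin_PostBack`), so the name and `description = "Iron Panda Malware JSP"` look mislabelled — presumably an ASPX web shell; rename or correct the description. In `IronPanda_Malware1` the `$x1` prefix has no effect because the condition is `all of them`; either use `$s` or make the condition weight it.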
......@@ -10,7 +10,7 @@
Identifier: TidePool (Ke3chang)
*/
rule TidePool_Malware {
rule TidePool_Malware : Ke3Chang {
meta:
description = "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks"
author = "Florian Roth"
......
......@@ -5,7 +5,7 @@
import "pe"
rule KeyBoy_Dropper
rule KeyBoy_Dropper : dropper
{
meta:
Author = "Rapid7 Labs"
......@@ -25,7 +25,7 @@ rule KeyBoy_Dropper
all of them
}
rule KeyBoy_Backdoor
rule KeyBoy_Backdoor : Backdoor APT
{
meta:
Author = "Rapid7 Labs"
......
......@@ -25,7 +25,7 @@ rule APT_NGO_wuaclt
($a and $b and $c) or ($d and $e) or ($f and $g and $h)
}
rule APT_NGO_wuaclt_PDF
rule APT_NGO_wuaclt_PDF : PDF
{
meta:
author = "AlienVault Labs"
......
......@@ -18,7 +18,7 @@ rule ZhoupinExploitCrew
1 of them
}
rule BackDoorLogger
rule BackDoorLogger : Backdoor APT
{
meta:
author = "Cylance"
......@@ -31,7 +31,7 @@ rule BackDoorLogger
all of them
}
rule Jasus
rule Jasus : APT
{
meta:
author = "Cylance"
......@@ -134,7 +134,7 @@ rule TinyZBot
($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
}
rule antivirusdetector
rule antivirusdetector : antivirus
{
meta:
author = "Cylance"
......@@ -175,7 +175,7 @@ rule kagent
all of them
}
rule mimikatzWrapper
rule mimikatzWrapper : Toolkit
{
meta:
author = "Cylance"
......@@ -253,7 +253,7 @@ rule zhLookUp
all of them
}
rule zhmimikatz
rule zhmimikatz : Toolkit
{
meta:
author = "Cylance"
......@@ -277,3 +277,333 @@ rule Zh0uSh311
condition:
all of them
}
import "pe"
rule OPCLEAVER_BackDoorLogger
{
meta:
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "BackDoorLogger"
$s2 = "zhuAddress"
condition:
all of them
}
rule OPCLEAVER_Jasus
{
meta:
description = "ARP cache poisoner used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "pcap_dump_open"
$s2 = "Resolving IPs to poison..."
$s3 = "WARNNING: Gateway IP can not be found"
condition:
all of them
}
rule OPCLEAVER_LoggerModule
{
meta:
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "%s-%02d%02d%02d%02d%02d.r"
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
condition:
all of them
}
rule OPCLEAVER_NetC
{
meta:
description = "Net Crawler used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "NetC.exe" wide
$s2 = "Net Service"
condition:
all of them
}
rule OPCLEAVER_ShellCreator2
{
meta:
description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "ShellCreator2.Properties"
$s2 = "set_IV"
condition:
all of them
}
rule OPCLEAVER_SmartCopy2
{
meta:
description = "Malware or hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "SmartCopy2.Properties"
$s2 = "ZhuFrameWork"
condition:
all of them
}
rule OPCLEAVER_SynFlooder
{
meta:
description = "Malware or hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
$s2 = "your target’s IP is : %s"
$s3 = "Raw TCP Socket Created successfully."
condition:
all of them
}
rule OPCLEAVER_TinyZBot
{
meta:
description = "Tiny Bot used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "NetScp" wide
$s2 = "TinyZBot.Properties.Resources.resources"
$s3 = "Aoao WaterMark"
$s4 = "Run_a_exe"
$s5 = "netscp.exe"
$s6 = "get_MainModule_WebReference_DefaultWS"
$s7 = "remove_CheckFileMD5Completed"
$s8 = "http://tempuri.org/"
$s9 = "Zhoupin_Cleaver"
condition:
(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
}
rule OPCLEAVER_ZhoupinExploitCrew
{
meta:
description = "Keywords used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "zhoupin exploit crew" nocase
$s2 = "zhopin exploit crew" nocase
condition:
1 of them
}
rule OPCLEAVER_antivirusdetector
{
meta:
description = "Hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "getShadyProcess"
$s2 = "getSystemAntiviruses"
$s3 = "AntiVirusDetector"
condition:
all of them
}
rule OPCLEAVER_csext
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "COM+ System Extentions"
$s2 = "csext.exe"
$s3 = "COM_Extentions_bin"
condition:
all of them
}
rule OPCLEAVER_kagent
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "kill command is in last machine, going back"
$s2 = "message data length in B64: %d Bytes"
condition:
all of them
}
rule OPCLEAVER_mimikatzWrapper
{
meta:
description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "mimikatzWrapper"
$s2 = "get_mimikatz"
condition:
all of them
}
rule OPCLEAVER_pvz_in
{
meta:
description = "Parviz tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
condition:
all of them
}
rule OPCLEAVER_pvz_out
{
meta:
description = "Parviz tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Network Connectivity Module" wide
$s2 = "OSPPSVC" wide
condition:
all of them
}
rule OPCLEAVER_wndTest
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "[Alt]" wide
$s2 = "<< %s >>:" wide
$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
condition:
all of them
}
rule OPCLEAVER_zhCat
{
meta:
description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
$s2 = "ABC ( A Big Company )" wide fullword
condition:
all of them
}
rule OPCLEAVER_zhLookUp
{
meta:
description = "Hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "zhLookUp.Properties"
condition:
all of them
}
rule OPCLEAVER_zhmimikatz
{
meta:
description = "Mimikatz wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "MimikatzRunner"
$s2 = "zhmimikatz"
condition:
all of them
}
rule OPCLEAVER_Parviz_Developer
{
meta:
description = "Parviz developer known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Florian Roth"
score = "70"
strings:
$s1 = "Users\\parviz\\documents\\" nocase
condition:
$s1
}
rule OPCLEAVER_CCProxy_Config
{
meta:
description = "CCProxy config known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Florian Roth"
score = "70"
strings:
$s1 = "UserName=User-001" fullword ascii
$s2 = "Web=1" fullword ascii
$s3 = "Mail=1" fullword ascii
$s4 = "FTP=0" fullword ascii
$x1 = "IPAddressLow=78.109.194.114" fullword ascii
condition:
all of ($s*) or $x1
}
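Review bot: `$s2 = "your target’s IP is : %s"` in `OPCLEAVER_SynFlooder` contains a typographic apostrophe (U+2019, three UTF-8 bytes), which looks like a smart quote picked up when the string was copied from the PDF report; a C format string in the binary would almost certainly carry an ASCII `'`, and because the condition is `all of them` the whole rule then silently never fires. Change it to `$s2 = "your target's IP is : %s"` (or keep both spellings and require one of them) and verify against a sample. Note also that most of these `OPCLEAVER_*` rules duplicate rules already in this file (`BackDoorLogger`, `Jasus`, `antivirusdetector`, `mimikatzWrapper`, `zhmimikatz`, `TinyZBot`, `ZhoupinExploitCrew`, `kagent`, `zhLookUp` are visible in the earlier hunks), so one sample will raise two alerts, and the `import "pe"` at the head of the block is not referenced by any of them.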
......@@ -5,7 +5,7 @@
import "pe"
rule backdoor_apt_pcclient
rule backdoor_apt_pcclient : Backdoor Dropper
{
meta:
author = "@patrickrolsen"
......
......@@ -3,7 +3,7 @@
*/
rule APT_Win_Pipcreat {
rule APT_Win_Pipcreat : pe dll backdoor {
meta:
author = "chort (@chort0)"
description = "APT backdoor Pipcreat"
......
......@@ -125,7 +125,7 @@ rule APT_Malware_PutterPanda_Gen1 {
uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
}
rule Malware_MsUpdater_String_in_EXE {
rule Malware_MsUpdater_String_in_EXE : PutterPanda {
meta:
description = "MSUpdater String in Executable"
author = "Florian Roth"
......
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-05-23
Identifier: Swiss RUAG APT Case
Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
*/
rule RUAG_Tavdig_Malformed_Executable {
meta:
description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
condition:
uint16(0) == 0x5a4d and /* MZ Header */
uint32(uint32(0x3C)) == 0x0000AD0B /* malformed PE header > 0x0bad */
}
rule RUAG_Bot_Config_File {
meta:
description = "Detects a specific config file used by malware in RUAG APT case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$s1 = "[CONFIG]" ascii
$s2 = "name = " ascii
$s3 = "exe = cmd.exe" ascii
condition:
$s1 at 0 and $s2 and $s3 and filesize < 160
}
rule RUAG_Cobra_Malware {
meta:
description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
condition:
uint16(0) == 0x5a4d and $s1
}
rule RUAG_Cobra_Config_File {
meta:
description = "Detects a config text file used by malware Cobra in RUAG case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$h1 = "[NAME]" ascii
$s1 = "object_id=" ascii
$s2 = "[TIME]" ascii fullword
$s3 = "lastconnect" ascii
$s4 = "[CW_LOCAL]" ascii fullword
$s5 = "system_pipe" ascii
$s6 = "user_pipe" ascii
$s7 = "[TRANSPORT]" ascii
$s8 = "run_task_system" ascii
$s9 = "[WORKDATA]" ascii
$s10 = "address1" ascii
condition:
$h1 at 0 and 8 of ($s*) and filesize < 5KB
}
rule RUAG_Exfil_Config_File {
meta:
description = "Detects a config text file used in data exfiltration in RUAG case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$h1 = "[TRANSPORT]" ascii
$s1 = "system_pipe" ascii
$s2 = "spstatus" ascii
$s3 = "adaptable" ascii
$s4 = "post_frag" ascii
$s5 = "pfsgrowperiod" ascii
condition:
$h1 at 0 and all of ($s*) and filesize < 1KB
}
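Review bot: The comment on `uint32(uint32(0x3C)) == 0x0000AD0B` in `RUAG_Tavdig_Malformed_Executable` reads "malformed PE header > 0x0bad", which does not explain what the literal is: `uint32()` reads little-endian, so the test is that the four bytes at `e_lfanew`, where `PE\0\0` belongs, are `0B AD 00 00`. A clearer comment would be `/* bytes 0B AD 00 00 where the PE\0\0 signature should be */`. The rule has no strings, so it is evaluated on every MZ file, which is cheap, but the `filesize` bound the neighbouring rules carry is missing here. These five rules are also appended verbatim to the Turla file in this same merge; only one copy should survive, since identical rule names in one compilation are a hard error.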
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule apt_sofacy_xtunnel {
rule apt_sofacy_xtunnel : APT28 Sofacy {
meta:
author = "Claudio Guarnieri"
description = "Sofacy Malware - German Bundestag"
......@@ -24,7 +24,7 @@ rule apt_sofacy_xtunnel {
((uint16(0) == 0x5A4D) or (uint16(0) == 0xCFD0)) and (($xaps) or (all of ($variant1*)) or (all of ($variant2*)) or (6 of ($mix*)))
}
rule Sofacy_Bundestag_Winexe {
rule Sofacy_Bundestag_Winexe : APT28 Sofacy {
meta:
description = "Winexe tool used by Sofacy group in Bundestag APT"
author = "Florian Roth"
......@@ -39,7 +39,7 @@ rule Sofacy_Bundestag_Winexe {
uint16(0) == 0x5a4d and filesize < 115KB and all of them
}
rule Sofacy_Bundestag_Mal2 {
rule Sofacy_Bundestag_Mal2 : APT28 Sofacy {
meta:
description = "Sofacy Group Malware Sample 2"
author = "Florian Roth"
......@@ -56,7 +56,7 @@ rule Sofacy_Bundestag_Mal2 {
uint16(0) == 0x5a4d and ( 1 of ($x*) ) and $s1
}
rule Sofacy_Bundestag_Mal3 {
rule Sofacy_Bundestag_Mal3 : APT28 Sofacy {
meta:
description = "Sofacy Group Malware Sample 3"
author = "Florian Roth"
......@@ -85,7 +85,7 @@ rule Sofacy_Bundestag_Mal3 {
)
}
rule Sofacy_Bundestag_Batch {
rule Sofacy_Bundestag_Batch : APT28 Sofacy {
meta:
description = "Sofacy Bundestags APT Batch Script"
author = "Florian Roth"
......
......@@ -9,7 +9,7 @@
Identifier: Sofacy Fysbis
*/
rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
rule Sofacy_Fybis_ELF_Backdoor_Gen1 : Sofacy Linux Backdoor APT APT28 {
meta:
description = "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1"
author = "Florian Roth"
......@@ -34,7 +34,7 @@ rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
( 1 of ($x*) and 3 of ($s*) )
}
rule Sofacy_Fysbis_ELF_Backdoor_Gen2 {
rule Sofacy_Fysbis_ELF_Backdoor_Gen2 : Sofacy Linux Backdoor APT APT28 {
meta:
description = "Detects Sofacy Fysbis Linux Backdoor"
author = "Florian Roth"
......
......@@ -7,7 +7,7 @@
/* Rule Set ----------------------------------------------------------------- */
rule Sofacy_Jun16_Sample1 {
rule Sofacy_Jun16_Sample1 : Sofacy APT APT28 {
meta:
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth"
......@@ -22,7 +22,7 @@ rule Sofacy_Jun16_Sample1 {
( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($s*) ) ) or ( all of them )
}
rule Sofacy_Jun16_Sample2 {
rule Sofacy_Jun16_Sample2 : Sofacy APT APT28 {
meta:
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth"
......@@ -44,7 +44,7 @@ rule Sofacy_Jun16_Sample2 {
( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($x*) ) ) or ( 3 of them )
}
rule Sofacy_Jun16_Sample3 {
rule Sofacy_Jun16_Sample3 : Sofacy APT APT28 {
meta:
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth"
......
......@@ -100,3 +100,34 @@ rule LiuDoor_Malware_2 {
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule liudoor : Backdoor
{
meta:
author = "RSA FirstWatch"
date = "2015-07-23"
description = "Detects Liudoor daemon backdoor"
hash0 = "78b56bc3edbee3a425c96738760ee406"
hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
hash4 = "6093505c7f7ec25b1934d3657649ef07"
type = "Win32 DLL"
strings:
$string0 = "Succ"
$string1 = "Fail"
$string2 = "pass"
$string3 = "exit"
$string4 = "svchostdllserver.dll"
$string5 = "L$,PQR"
$string6 = "0/0B0H0Q0W0k0"
$string7 = "QSUVWh"
$string8 = "Ht Hu["
condition:
all of them
}
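Review bot: `liudoor` has no file-type guard even though its meta says `type = "Win32 DLL"`, and four of its nine strings (`"Succ"`, `"Fail"`, `"pass"`, `"exit"`) are four-byte generic tokens that YARA will warn about as slow, while `"L$,PQR"`, `"QSUVWh"` and `"Ht Hu["` are plain x86 code fragments; the `all of them` condition keeps false positives low, but every file still pays the scanning cost. Change the condition to `uint16(0) == 0x5a4d and all of them` so only PE files are examined. The identical rule, minus the `: Backdoor` tag, is also added as a standalone file directly below, so the identifier `liudoor` is defined twice and compiling both files together fails with `duplicated identifier`.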
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule liudoor
{
meta:
author = "RSA FirstWatch"
date = "2015-07-23"
description = "Detects Liudoor daemon backdoor"
hash0 = "78b56bc3edbee3a425c96738760ee406"
hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
hash4 = "6093505c7f7ec25b1934d3657649ef07"
type = "Win32 DLL"
strings:
$string0 = "Succ"
$string1 = "Fail"
$string2 = "pass"
$string3 = "exit"
$string4 = "svchostdllserver.dll"
$string5 = "L$,PQR"
$string6 = "0/0B0H0Q0W0k0"
$string7 = "QSUVWh"
$string8 = "Ht Hu["
condition:
all of them
}
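Review bot: This standalone copy of `liudoor` is byte-for-byte the rule already appended to the LiuDoor file above, except that it lacks the `: Backdoor` tag; YARA refuses to compile two rules with the same identifier in one compilation, so any index that includes both files breaks. Keep one copy, or if both files must exist, rename this one, e.g. `rule liudoor_rsa_firstwatch : Backdoor`. The MD5 meta entries (`hash0`..`hash4`) cover five samples but nothing in the condition ties the rule to a PE file; the same `uint16(0) == 0x5a4d and all of them` guard should be applied wherever the rule ends up.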
......@@ -9,7 +9,7 @@
Identifier: Threat Group 3390
*/
rule HttpBrowser_RAT_dropper_Gen1 {
rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
author = "Florian Roth"
......@@ -49,7 +49,7 @@ rule HttpBrowser_RAT_dropper_Gen1 {
uint16(0) == 0x5a4d and filesize < 400KB and all of ($x*) and 1 of ($op*)
}
rule HttpBrowser_RAT_Sample1 {
rule HttpBrowser_RAT_Sample1 : RAT APT {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
author = "Florian Roth"
......@@ -64,7 +64,7 @@ rule HttpBrowser_RAT_Sample1 {
uint16(0) == 0x5a4d and filesize < 100KB and $s0
}
rule HttpBrowser_RAT_Sample2 {
rule HttpBrowser_RAT_Sample2 : RAT APT {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
author = "Florian Roth"
......@@ -81,7 +81,7 @@ rule HttpBrowser_RAT_Sample2 {
uint16(0) == 0x5a4d and filesize < 250KB and all of them
}
rule HttpBrowser_RAT_Gen {
rule HttpBrowser_RAT_Gen : RAT APT {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic"
author = "Florian Roth"
......@@ -119,7 +119,7 @@ rule HttpBrowser_RAT_Gen {
uint16(0) == 0x5a4d and filesize < 45KB and filesize > 20KB and all of them
}
rule PlugX_NvSmartMax_Gen {
rule PlugX_NvSmartMax_Gen : PlugX APT {
meta:
description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
author = "Florian Roth"
......@@ -147,7 +147,7 @@ rule PlugX_NvSmartMax_Gen {
uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*)
}
rule HttpBrowser_RAT_dropper_Gen2 {
rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
author = "Florian Roth"
......@@ -174,7 +174,7 @@ rule HttpBrowser_RAT_dropper_Gen2 {
uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*)
}
rule ThreatGroup3390_Strings {
rule ThreatGroup3390_Strings : APT {
meta:
description = "Threat Group 3390 APT - Strings"
author = "Florian Roth"
......@@ -191,7 +191,7 @@ rule ThreatGroup3390_Strings {
1 of them and filesize < 30KB
}
rule ThreatGroup3390_C2 {
rule ThreatGroup3390_C2 : C2 APT {
meta:
description = "Threat Group 3390 APT - C2 Server"
author = "Florian Roth"
......
......@@ -144,3 +144,109 @@ rule Turla_APT_Malware_Gen3 {
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 6 of ($s*) ) )
or ( 10 of them )
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-05-23
Identifier: Swiss RUAG APT Case
Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
*/
rule RUAG_Tavdig_Malformed_Executable {
meta:
description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
condition:
uint16(0) == 0x5a4d and /* MZ Header */
uint32(uint32(0x3C)) == 0x0000AD0B /* malformed PE header > 0x0bad */
}
rule RUAG_Bot_Config_File {
meta:
description = "Detects a specific config file used by malware in RUAG APT case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$s1 = "[CONFIG]" ascii
$s2 = "name = " ascii
$s3 = "exe = cmd.exe" ascii
condition:
$s1 at 0 and $s2 and $s3 and filesize < 160
}
rule RUAG_Cobra_Malware {
meta:
description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
condition:
uint16(0) == 0x5a4d and $s1
}
rule RUAG_Cobra_Config_File {
meta:
description = "Detects a config text file used by malware Cobra in RUAG case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$h1 = "[NAME]" ascii
$s1 = "object_id=" ascii
$s2 = "[TIME]" ascii fullword
$s3 = "lastconnect" ascii
$s4 = "[CW_LOCAL]" ascii fullword
$s5 = "system_pipe" ascii
$s6 = "user_pipe" ascii
$s7 = "[TRANSPORT]" ascii
$s8 = "run_task_system" ascii
$s9 = "[WORKDATA]" ascii
$s10 = "address1" ascii
condition:
$h1 at 0 and 8 of ($s*) and filesize < 5KB
}
rule RUAG_Exfil_Config_File {
meta:
description = "Detects a config text file used in data exfiltration in RUAG case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$h1 = "[TRANSPORT]" ascii
$s1 = "system_pipe" ascii
$s2 = "spstatus" ascii
$s3 = "adaptable" ascii
$s4 = "post_frag" ascii
$s5 = "pfsgrowperiod" ascii
condition:
$h1 at 0 and all of ($s*) and filesize < 1KB
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WaterBug_turla_dll
{
meta:
description = "Symantec Waterbug Attack - Trojan Turla DLL"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://www.symantec.com/connect/blogs/turla-spying-tool-targets-governments-and-diplomats"
strings:
$a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
condition:
pe.exports("ee") and $a
}
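Review bot: The five `RUAG_*` rules placed after `Turla_APT_Malware_Gen3` are verbatim copies of the standalone RUAG file that the same merge adds (identical names `RUAG_Tavdig_Malformed_Executable` through `RUAG_Exfil_Config_File`), and YARA treats a repeated rule name within one compilation as a hard `duplicated identifier` error, so an index that pulls in both files will not load; keep a single copy. The trailing `import "pe"` is required by `WaterBug_turla_dll` (`pe.exports("ee")`) and YARA accepts imports between rules, but a reader expects it at the top of the file. The `\x00` terminator in `$a`, with no `wide` modifier, means the regex matches only the NUL-terminated narrow form of the module name — presumably intended, but worth a comment such as `// NUL-terminated ANSI module name, e.g. xxx_yyy_Win32.dll`.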
......@@ -30,7 +30,7 @@ rule dubseven_file_set
3 of ($file*)
}
rule dubseven_dropper_registry_checks
rule dubseven_dropper_registry_checks : Dropper
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
......@@ -55,7 +55,7 @@ rule dubseven_dropper_registry_checks
all of ($reg*)
}
rule dubseven_dropper_dialog_remains
rule dubseven_dropper_dialog_remains : Dropper
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
......@@ -76,7 +76,7 @@ rule dubseven_dropper_dialog_remains
}
rule maindll_mutex
rule maindll_mutex : Mutex
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
......@@ -117,7 +117,7 @@ rule SLServer_dialog_remains
$slserver
}
rule SLServer_mutex
rule SLServer_mutex : Mutex
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
......@@ -137,7 +137,7 @@ rule SLServer_mutex
$mutex
}
rule SLServer_command_and_control
rule SLServer_command_and_control : C2
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
......
......@@ -64,7 +64,7 @@ rule Unit78020_Malware_Gen1 {
}
rule Unit78020_Malware_1 {
rule Unit78020_Malware_1 : APT {
meta:
description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe"
author = "Florian Roth"
......
......@@ -5,7 +5,7 @@
import "pe"
rule WaterBug_wipbot_2013_core_PDF {
rule WaterBug_wipbot_2013_core_PDF : PDF {
meta:
description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
author = "Symantec Security Response"
......
......@@ -132,3 +132,21 @@ rule Winnti_malware_StreamPortal_Gen {
condition:
uint16(0) == 0x5a4d and filesize < 275KB and all of them
}
rule WinntiPharma : Backdoor
{
meta:
author = "Jose Ramon Palanco"
copyright = "Drainware, Inc."
date = "2015-06-23"
description = "Backdoor Win64 Winnti Pharma"
ref = "https://securelist.com/blog/research/70991/games-are-over/"
strings:
$s0 = "Cookie: SN="
$s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}"
$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
$s3 = "master secret"
$s4 = "MyEngineNetEvent"
condition:
all of ($s*)
}
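Review bot: `WinntiPharma` added in this hunk is defined a second time further down the page, in another file of the same ruleset (the untagged copy); if both files are compiled into one ruleset YARA rejects the duplicated identifier, so keep a single copy. The condition `all of ($s*)` also has no file-type or size gate even though the description says Win64 and the neighbouring rule in this file gates on `uint16(0) == 0x5a4d and filesize < 275KB`; `$s3 = "master secret"` is a TLS key-derivation label that ordinary crypto libraries carry, so a gate is worth having. Suggest `uint16(0) == 0x5a4d and all of ($s*)`.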
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-09-16
Identifier: Iron Panda
*/
/* Rule Set ----------------------------------------------------------------- */
rule IronPanda_DNSTunClient {
meta:
description = "Iron Panda malware DnsTunClient - file named.exe"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
score = 80
hash = "a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431"
strings:
$s1 = "dnstunclient -d or -domain <domain>" fullword ascii
$s2 = "dnstunclient -ip <server ip address>" fullword ascii
$s3 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"\\Microsoft\\Windows\\PLA\\System\\Microsoft Windows\" /tr " fullword ascii
$s4 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"Microsoft Windows\" /tr " fullword ascii
$s5 = "taskkill /im conime.exe" fullword ascii
$s6 = "\\dns control\\t-DNSTunnel\\DnsTunClient\\DnsTunClient.cpp" fullword ascii
$s7 = "UDP error:can not bing the port(if there is unclosed the bind process?)" fullword ascii
$s8 = "use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s)" fullword ascii
$s9 = "error: packet num error.the connection have condurt,pls try later" fullword ascii
$s10 = "Coversation produce one error:%s,coversation fail" fullword ascii
$s11 = "try to add many same pipe to select group(or mark is too easy)." fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 2 of them )
or
5 of them
}
rule IronPanda_Malware1 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a"
strings:
$x1 = "activedsimp.dll" fullword wide
$s1 = "get_BadLoginAddress" fullword ascii
$s2 = "get_LastFailedLogin" fullword ascii
$s3 = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" fullword ascii
$s4 = "get_PasswordExpirationDate" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule IronPanda_Webshell_JSP {
meta:
description = "Iron Panda Malware JSP"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6"
strings:
$s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
$s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" fullword ascii
$s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" fullword ascii
condition:
filesize < 330KB and 1 of them
}
rule IronPanda_Malware_Htran {
meta:
description = "Iron Panda Malware Htran"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
strings:
$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
$s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
$s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s4 = "[-] ERROR: Must supply logfile name." fullword ascii
$s5 = "[SERVER]connection to %s:%d error" fullword ascii
$s6 = "[+] Make a Connection to %s:%d...." fullword ascii
$s7 = "[+] Waiting another Client on port:%d...." fullword ascii
$s8 = "[+] Accept a Client on port %d from %s" fullword ascii
$s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
$s10 = "cmshared_get_ptr_from_atom" fullword ascii
$s11 = "_cmshared_get_ptr_from_atom" fullword ascii
$s12 = "[+] OK! I Closed The Two Socket." fullword ascii
$s13 = "[-] TransmitPort invalid." fullword ascii
$s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them )
or
5 of them
}
rule IronPanda_Malware2 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91"
strings:
$s0 = "\\setup.exe" fullword ascii
$s1 = "msi.dll.urlUT" fullword ascii
$s2 = "msi.dllUT" fullword ascii
$s3 = "setup.exeUT" fullword ascii
$s4 = "/c del /q %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
rule IronPanda_Malware3 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742"
strings:
$s0 = "PluginDeflater.exe" fullword wide
$s1 = ".Deflated" fullword wide
$s2 = "PluginDeflater" fullword ascii
$s3 = "DeflateStream" fullword ascii /* Goodware String - occured 1 times */
$s4 = "CompressionMode" fullword ascii /* Goodware String - occured 4 times */
$s5 = "System.IO.Compression" fullword ascii /* Goodware String - occured 6 times */
condition:
uint16(0) == 0x5a4d and filesize < 10KB and all of them
}
rule IronPanda_Malware4 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c"
strings:
$s0 = "TestPlugin.dll" fullword wide
$s1 = "<a href='http://www.baidu.com'>aasd</a>" fullword wide
$s2 = "Zcg.Test.AspxSpyPlugins" fullword ascii
$s6 = "TestPlugin" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 10KB and all of them
}
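Review bot: Every `reference` field in the seven IronPanda rules is the same goo.gl short link, which tells a reader nothing about which report the hashes and strings came from and stops working once the shortener no longer resolves; record the canonical report URL instead, `reference = "<canonical report URL>"` (placeholder). `IronPanda_Malware4` numbers its strings `$s0, $s1, $s2, $s6`, which reads as if three strings were dropped during editing; renumber them or add a comment saying the set was pruned.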
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule apt_win32_dll_bergard_pgv_pvid_variant
{
meta:
copyright = "Fidelis Cybersecurity"
reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
strings:
$ = "Accept:"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Cache-Control: no-cache"
$ = "Connection: Keep-Alive"
$ = "Cookie: pgv_pvid="
$ = "Content-Type: application/x-octet-stream"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Pragma: no-cache"
$ = "Connection: Keep-Alive"
$ = "HTTP/1.0"
condition:
(uint16(0) == 0x5A4D) and (all of them)
}
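Review bot: `User-Agent: %s`, `Host: %s:%d` and `Connection: Keep-Alive` each appear twice in the `strings:` section of `apt_win32_dll_bergard_pgv_pvid_variant`; under `all of them` the second copies add nothing and only double the scan work, so drop the three repeated lines. With the duplicates gone, only `Cookie: pgv_pvid=` and `Content-Type: application/x-octet-stream` separate this rule from any plain HTTP client built with the same header set, which is worth stating in a `description` meta field the rule currently lacks.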
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule apt_win32_dll_rat_hiZorRAT
{
meta:
hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
hash2 = "d9821468315ccd3b9ea03161566ef18e"
hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
ref2 = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
strings:
// Part of the encoded User-Agent = Mozilla
$ = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 }
// XOR to decode User-Agent after string stacking 0x10001630
$ = { 66 [7] 0d 40 83 ?? ?? 7c ?? }
// XOR with 0x2E - 0x10002EF6
$ = { 80 [2] 2e 40 3b ?? 72 ?? }
$ = "CmdProcessExited" wide ascii
$ = "rootDir" wide ascii
$ = "DllRegisterServer" wide ascii
$ = "GetNativeSystemInfo" wide ascii
$ = "%08x%08x%08x%08x" wide ascii
condition:
(uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)
}
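Review bot: The literal `0x4464c457f` in the condition of `apt_win32_dll_rat_hiZorRAT` has nine hex digits, so a 32-bit `uint32(0)` can never equal it and the ELF alternative is dead code; the `\x7fELF` magic read as a little-endian uint32 is `0x464c457f`, so the line should read `(uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and (all of them)`. Given the rule name says win32 dll and `DllRegisterServer` is a required string, it may be simpler to drop the ELF alternative altogether. A `description` meta field is also missing.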
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Adwind_JAR_PACKA : binary
{
meta:
author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
last_modified = "2015-11-30"
strings:
$b1 = ".class" ascii
$b2 = "c/a/a/" ascii
$b3 = "b/a/" ascii
$b4 = "a.dat" ascii
$b5 = "META-INF/MANIFEST.MF" ascii
condition:
int16(0) == 0x4B50 and ($b1 and $b2 and $b3 and $b4 and $b5)
}
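Review bot: `int16(0) == 0x4B50` in `Adwind_JAR_PACKA` reads the magic as a signed integer; it works here because the value is positive, but the rest of the ruleset gates on `uint16(0)`, so `uint16(0) == 0x4B50` keeps the idiom consistent. `($b1 and $b2 and $b3 and $b4 and $b5)` is simply `all of them`. Both points apply equally to `Adwind_JAR_PACKB` below.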
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Adwind_JAR_PACKB {
meta:
author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
last_modified = "2015-11-30"
strings:
$c1 = "META-INF/MANIFEST.MF" ascii
$c2 = "main/Start.class" ascii
$a1 = "con g/con g.perl" ascii
$b1 = "java/textito.isn" ascii
condition:
int16(0) == 0x4B50 and ($c1 and $c2 and ($a1 or $b1))
}
rule WinntiPharma
{
meta:
author = "Jose Ramon Palanco"
copyright = "Drainware, Inc."
date = "2015-06-23"
description = "Backdoor Win64 Winnti Pharma"
ref = "https://securelist.com/blog/research/70991/games-are-over/"
strings:
$s0 = "Cookie: SN="
$s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}"
$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
$s3 = "master secret"
$s4 = "MyEngineNetEvent"
condition:
all of ($s*)
}
rule Ransom : Crypren{
meta:
weight = 1
Author = "@pekeinfo"
reference = "https://github.com/pekeinfo/DecryptCrypren"
strings:
$a = "won't be able to recover your files anymore.</p>"
$b = {6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ??}
$c = "Please restart your computer and wait for instructions for decrypting your files"
condition:
any of them
}
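Review bot: `$a1 = "con g/con g.perl"` in `Adwind_JAR_PACKB` looks like `config/config.perl` with the `fi` ligature lost when the path was copied out of the PDF reference; as written it probably never matches, leaving `$b1` to carry the `($a1 or $b1)` branch on its own. Confirm the path against the report and correct the string. In the `Ransom` rule the meta key is spelled `Author` while every other rule on the page uses `author`, so tooling that reads the lowercase key will miss it; `author = "@pekeinfo"`.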
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Dridex_Trojan_XML {
meta:
description = "Dridex Malware in XML Document"
author = "Florian Roth @4nc4p"
reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
date = "2015/03/08"
hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
strings:
// can be ascii or wide formatted - therefore no restriction
$c_xml = "<?xml version="
$c_word = "<?mso-application progid=\"Word.Document\"?>"
$c_macro = "w:macrosPresent=\"yes\""
$c_binary = "<w:binData w:name="
$c_0_chars = "<o:Characters>0</o:Characters>"
$c_1_line = "<o:Lines>1</o:Lines>"
condition:
all of ($c*)
}
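Review bot: The comment above the `$c_*` strings in `Dridex_Trojan_XML` says they match ascii or wide because no restriction is given, but a YARA string with no modifier matches the ASCII form only; if both encodings are intended each string needs `ascii wide`, e.g. `$c_xml = "<?xml version=" ascii wide`, otherwise the comment should be corrected. `import "pe"` at the top of this file is not referenced by the rule and can be removed.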
......@@ -11,7 +11,7 @@
/* Rule Set ----------------------------------------------------------------- */
rule src_ptheft_command {
rule src_ptheft_command : experimental {
meta:
description = "Auto-generated rule - file command.js"
author = "Pasquale Stirparo"
......@@ -40,3 +40,39 @@ rule src_ptheft_command {
condition:
13 of them
}
/*
This Yara Rule is to be considered as "experimental"
It reperesents a first attempt to detect BeEF hook function in memory
It still requires further refinement
*/
rule BeEF_browser_hooked : experimental {
meta:
description = "Yara rule related to hook.js, BeEF Browser hooking capability"
author = "Pasquale Stirparo"
date = "2015-10-07"
hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
strings:
$s0 = "mitb.poisonAnchor" wide ascii
$s1 = "this.request(this.httpproto" wide ascii
$s2 = "beef.logger.get_dom_identifier" wide ascii
$s3 = "return (!!window.opera" wide ascii
$s4 = "history.pushState({ Be:\"EF\" }" wide ascii
$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii
$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii
$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii
$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii
$s9 = "mitb.sniff(" wide ascii
$s10 = "Method XMLHttpRequest.open override" wide ascii
$s11 = ".browser.hasWebSocket" wide ascii
$s12 = ".mitb.poisonForm" wide ascii
$s13 = "resolved=require.resolve(file,cwd||" wide ascii
$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii
$s15 = "beef.net.request" wide ascii
$s16 = "uagent.search(engineOpera)" wide ascii
$s17 = "mitb.sniff" wide ascii
$s18 = "beef.logger.start" wide ascii
condition:
all of them
}
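Review bot: `BeEF_browser_hooked` added in this hunk is defined again, without the `experimental` tag, in the next file on the page; if both files are loaded into one ruleset YARA rejects the duplicated identifier, so keep one copy. Within the rule `$s17 = "mitb.sniff"` is a prefix of `$s9 = "mitb.sniff("` and is therefore always satisfied when `$s9` is, which makes it redundant under `all of them`; drop `$s17` or replace it with a distinct string. The header comment's `reperesents` is a typo for `represents`.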
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
This Yara Rule is to be considered as "experimental"
It reperesents a first attempt to detect BeEF hook function in memory
It still requires further refinement
*/
rule BeEF_browser_hooked {
meta:
description = "Yara rule related to hook.js, BeEF Browser hooking capability"
author = "Pasquale Stirparo"
date = "2015-10-07"
hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
strings:
$s0 = "mitb.poisonAnchor" wide ascii
$s1 = "this.request(this.httpproto" wide ascii
$s2 = "beef.logger.get_dom_identifier" wide ascii
$s3 = "return (!!window.opera" wide ascii
$s4 = "history.pushState({ Be:\"EF\" }" wide ascii
$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii
$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii
$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii
$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii
$s9 = "mitb.sniff(" wide ascii
$s10 = "Method XMLHttpRequest.open override" wide ascii
$s11 = ".browser.hasWebSocket" wide ascii
$s12 = ".mitb.poisonForm" wide ascii
$s13 = "resolved=require.resolve(file,cwd||" wide ascii
$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii
$s15 = "beef.net.request" wide ascii
$s16 = "uagent.search(engineOpera)" wide ascii
$s17 = "mitb.sniff" wide ascii
$s18 = "beef.logger.start" wide ascii
condition:
all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Worm_Gamarue {
meta:
author = "Centro Criptológico Nacional (CCN)"
ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
description = "Gamarue_Andromeda"
strings:
$a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 }
condition:
$a
}
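Review bot: `Worm_Gamarue` is defined here and again in the hunk appended to the andromeda file further down the page; if both files are compiled together YARA rejects the duplicated identifier, so keep a single copy. The rule also carries no `date` and no sample hash, only the CCN reports index page as `ref`, so a reader cannot tell which sample or report the `$a` byte sequence was taken from; add `date` and a hash, and a comment on `$a` saying what the bytes are (placeholder: `// <origin of this sequence, from report X>`).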
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump
{
meta:
description = "Detects Havex Windows process executable from memory dump"
date = "2015-12-2"
author = "Chris Sistrunk"
hash = "8065674de8d79d1c0e7b3baf81246e7d"
strings:
$magic = { 4d 5a }
$s1 = "~tracedscn.yls" fullword wide
$s2 = "[!]Start" fullword wide
$s3 = "[+]Get WSADATA" fullword wide
$s4 = "[-]Can not get local ip" fullword wide
$s5 = "[+]Local:" fullword wide
$s6 = "[-]Threads number > Hosts number" fullword wide
$s7 = "[-]Connection error" fullword wide
$x1 = "bddd4e2b84fa2ad61eb065e7797270ff.exe" fullword wide
condition:
$magic at 0 and ( 3 of ($s*) or $x1 )
}
rule LURK0Header : Family LURK0 {
meta:
description = "5 char code for LURK0"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
condition:
any of them
}
rule CCTV0Header : Family CCTV0 {
meta:
description = "5 char code for LURK0"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
//if its just one char a time
$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
// bit hacky but for when samples dont just simply mov 1 char at a time
$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
condition:
any of them
}
rule SharedStrings : Family {
meta:
description = "Internal names found in LURK0/CCTV0 samples"
author = "Katie Kleemola"
last_updated = "07-22-2014"
strings:
// internal names
$i1 = "Butterfly.dll"
$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
$i3 = "ETClientDLL"
// dbx
$d1 = "\\DbxUpdateET\\" wide
$d2 = "\\DbxUpdateBT\\" wide
$d3 = "\\DbxUpdate\\" wide
// other folders
$mc1 = "\\Micet\\"
// embedded file names
$n1 = "IconCacheEt.dat" wide
$n2 = "IconConfigEt.dat" wide
$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
$m2 = "\x00\x00111\x00\x00" wide
$m3 = "\x00\x00ETUN\x00\x00" wide
$m4 = "\x00\x00ER\x00\x00" wide
condition:
any of them //todo: finetune this
}
rule LURK0 : Family LURK0 {
meta:
description = "rule for lurk0"
author = "Katie Kleemola"
last_updated = "07-22-2014"
condition:
LURK0Header and SharedStrings
}
rule CCTV0 : Family CCTV0 {
meta:
description = "rule for cctv0"
author = "Katie Kleemola"
last_updated = "07-22-2014"
condition:
CCTV0Header and SharedStrings
}
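Review bot: `description = "5 char code for LURK0"` in `CCTV0Header` was copied from `LURK0Header` and should read `description = "5 char code for CCTV0"`. `SharedStrings` fires on `any of them`, and its `$m2 = "\x00\x00111\x00\x00" wide` and `$m4 = "\x00\x00ER\x00\x00" wide` are very short null-padded patterns likely to occur in unrelated wide-string data; since `LURK0` and `CCTV0` both require `SharedStrings`, their precision is bounded by it. In line with the author's own `//todo: finetune this`, requiring one of the `$i*`/`$d*`/`$n*` names or `2 of ($m*)` instead of any single `$m*` would tighten all three rules.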
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
long as you use it under this license.
*/
rule andromeda : binary
rule andromeda : binary bot
{
meta:
author = "Brian Wallace @botnet_hunter"
......@@ -15,3 +15,13 @@ rule andromeda : binary
condition:
all of them
}
rule Worm_Gamarue {
meta:
author = "Centro Criptológico Nacional (CCN)"
ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
description = "Gamarue_Andromeda"
strings:
$a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 }
condition:
$a
}
......@@ -81,4 +81,4 @@ rule AthenaIRC {
$acmd7 = ":!btcwallet"
condition:
(all of ($cmd*) and 3 of ($msg*)) or (5 of ($amsg*) and 5 of ($acmd*))
}
\ No newline at end of file
}
......@@ -36,4 +36,4 @@ rule BlackRev
condition:
all of ($base*) and 5 of ($opt*)
}
\ No newline at end of file
}
......@@ -24,7 +24,7 @@ rule ChickenDOS{
($pdb1 or $pdb2) and 5 of ($str*)
}
rule ChickenDOS_Linux {
rule ChickenDOS_Linux : DoS Linux {
meta:
author = "Jason Jones <jasonjones@arbor.net>"
description = "Linux-variant of Chicken ident for both dropper and dropped file"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule citadel13xy : banker
rule citadel13xy : banker memory
{
meta:
author = "Jean-Philippe Teissier / @Jipe_"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule CorkowDLL {
rule CorkowDLL : dll {
meta:
description = "Rule to detect the Corkow DLL files"
reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule DDosTf : DDoS
rule DDosTf : DDoS ELF
{
meta:
author = "benkow_ - MalwareMustDie"
......