Commit ef45a0e4 by Vlad S

Merged branch master into master

parents 0d49336b 40055d8d
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Exploit_MS15_077_078 {
rule Exploit_MS15_077_078: Exploit {
meta:
description = "MS15-078 / MS15-077 exploit - generic signature"
author = "Florian Roth"
......@@ -28,7 +28,7 @@ rule Exploit_MS15_077_078 {
uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*) or all of ($op*)
}
rule Exploit_MS15_077_078_HackingTeam {
rule Exploit_MS15_077_078_HackingTeam: Exploit {
meta:
description = "MS15-078 / MS15-077 exploit - Hacking Team code"
author = "Florian Roth"
......
......@@ -13,7 +13,7 @@
/* Rule Set ----------------------------------------------------------------- */
rule Mal_Dropper_httpEXE_from_CAB {
rule Mal_Dropper_httpEXE_from_CAB : Dropper {
meta:
description = "Detects a dropper from a CAB file mentioned in the article"
author = "Florian Roth"
......@@ -28,7 +28,7 @@ rule Mal_Dropper_httpEXE_from_CAB {
( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) )
}
rule Mal_http_EXE {
rule Mal_http_EXE : Trojan {
meta:
description = "Detects trojan from APT report named http.exe"
author = "Florian Roth"
......@@ -58,7 +58,7 @@ rule Mal_http_EXE {
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 2 of ($s*) ) ) or ( 3 of ($x*) )
}
rule Mal_PotPlayer_DLL {
rule Mal_PotPlayer_DLL : dll {
meta:
description = "Detects a malicious PotPlayer.dll"
author = "Florian Roth"
......
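Review bot: The tag added to `Mal_PotPlayer_DLL` in the third hunk is lower-case `dll` while the sibling rules in this file get capitalised `Dropper` and `Trojan`; YARA tags are case-sensitive identifiers, so `yara -t dll` and `yara -t DLL` select different rule sets. The same drift recurs elsewhere in this commit: `phoenix_jar3 : EK Jar` versus `sakura_jar2 : EK jar`, `zeroaccess_js : EK js` and `zeroaccess_css2 : EK css` versus the capitalised `PDF`, and `Hackingteam_Elevator_DLL : dll HackingTeam`. Pick one convention for the format tags and apply it throughout, e.g. `rule Mal_PotPlayer_DLL : DLL {` here and `rule sakura_jar2 : EK Jar` in the sakura file, so the tags remain usable as filters.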
......@@ -3,12 +3,11 @@
*/
rule Flash_CVE_2015_5119_APT3 {
rule Flash_CVE_2015_5119_APT3 : Exploit {
meta:
description = "Exploit Sample CVE-2015-5119"
author = "Florian Roth"
score = 70
yaraexchange = "No distribution without author's consent"
date = "2015-08-01"
strings:
$s0 = "HT_exploit" fullword ascii
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule AnglerEKredirector
rule AnglerEKredirector : EK
{
meta:
description = "Angler Exploit Kit Redirector"
......@@ -20,7 +20,7 @@ rule AnglerEKredirector
condition:
all of them
}
rule angler_flash
rule angler_flash : EK
{
meta:
author = "Josh Berry"
......@@ -48,7 +48,7 @@ strings:
condition:
14 of them
}
rule angler_flash2
rule angler_flash2 : EK
{
meta:
author = "Josh Berry"
......@@ -76,7 +76,7 @@ strings:
condition:
14 of them
}
rule angler_flash4
rule angler_flash4 : EK
{
meta:
author = "Josh Berry"
......@@ -106,7 +106,7 @@ strings:
condition:
16 of them
}
rule angler_flash5
rule angler_flash5 : EK
{
meta:
author = "Josh Berry"
......@@ -132,7 +132,7 @@ strings:
condition:
12 of them
}
rule angler_flash_uncompressed
rule angler_flash_uncompressed : EK
{
meta:
author = "Josh Berry"
......@@ -163,7 +163,7 @@ strings:
condition:
17 of them
}
rule angler_html
rule angler_html : EK
{
meta:
author = "Josh Berry"
......@@ -195,7 +195,7 @@ strings:
condition:
18 of them
}
rule angler_html2
rule angler_html2 : EK
{
meta:
author = "Josh Berry"
......@@ -227,7 +227,7 @@ strings:
condition:
18 of them
}
rule angler_jar
rule angler_jar : EK
{
meta:
author = "Josh Berry"
......@@ -250,7 +250,7 @@ strings:
condition:
9 of them
}
rule angler_js
rule angler_js : EK
{
meta:
author = "Josh Berry"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule blackhole2_jar
rule blackhole2_jar : EK
{
meta:
author = "Josh Berry"
......@@ -29,7 +29,7 @@ strings:
condition:
13 of them
}
rule blackhole2_jar2
rule blackhole2_jar2 : EK
{
meta:
author = "Josh Berry"
......@@ -55,7 +55,7 @@ strings:
condition:
12 of them
}
rule blackhole2_jar3
rule blackhole2_jar3 : EK
{
meta:
author = "Josh Berry"
......@@ -81,7 +81,7 @@ strings:
condition:
12 of them
}
rule blackhole2_pdf
rule blackhole2_pdf : EK PDF
{
meta:
author = "Josh Berry"
......@@ -113,7 +113,7 @@ strings:
condition:
18 of them
}
rule blackhole_basic : exploit_kit
rule blackhole_basic : EK
{
strings:
$a = /\.php\?\.*\?\:[a-zA-Z0-9\:]{6,}\&\.*\?\&/
......@@ -146,7 +146,7 @@ strings:
condition:
12 of them
}
rule blackhole2_css
rule blackhole2_css : EK
{
meta:
author = "Josh Berry"
......@@ -168,7 +168,7 @@ strings:
condition:
18 of them
}
rule blackhole2_htm
rule blackhole2_htm : EK
{
meta:
author = "Josh Berry"
......@@ -204,7 +204,7 @@ strings:
condition:
14 of them
}
rule blackhole2_htm10
rule blackhole2_htm10 : EK
{
meta:
author = "Josh Berry"
......@@ -241,7 +241,7 @@ strings:
condition:
15 of them
}
rule blackhole2_htm11
rule blackhole2_htm11 : EK
{
meta:
author = "Josh Berry"
......@@ -274,7 +274,7 @@ strings:
condition:
11 of them
}
rule blackhole2_htm12
rule blackhole2_htm12 : EK
{
meta:
author = "Josh Berry"
......@@ -310,7 +310,7 @@ strings:
condition:
14 of them
}
rule blackhole2_htm3
rule blackhole2_htm3 : EK
{
meta:
author = "Josh Berry"
......@@ -329,7 +329,7 @@ strings:
condition:
3 of them
}
rule blackhole2_htm4
rule blackhole2_htm4 : EK
{
meta:
author = "Josh Berry"
......@@ -359,7 +359,7 @@ strings:
condition:
8 of them
}
rule blackhole2_htm5
rule blackhole2_htm5 : EK
{
meta:
author = "Josh Berry"
......@@ -393,7 +393,7 @@ strings:
condition:
12 of them
}
rule blackhole2_htm6
rule blackhole2_htm6 : EK
{
meta:
author = "Josh Berry"
......@@ -423,7 +423,7 @@ strings:
condition:
8 of them
}
rule blackhole2_htm8
rule blackhole2_htm8 : EK
{
meta:
author = "Josh Berry"
......
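Review bot: `blackhole_basic` already carried the tag `exploit_kit`, and the hunk at old line 113 replaces it with `EK` instead of adding to it, so any scan or tooling that selects rules with `yara -t exploit_kit` silently stops matching this rule. If a uniform `EK` tag is the goal, keep the old tag alongside it for compatibility, `rule blackhole_basic : EK exploit_kit`, or at least call the rename out in the commit message.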
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule bleedinglife2_adobe_2010_1297_exploit
rule bleedinglife2_adobe_2010_1297_exploit : EK PDF
{
meta:
author = "Josh Berry"
......@@ -33,7 +33,7 @@ strings:
condition:
17 of them
}
rule bleedinglife2_adobe_2010_2884_exploit
rule bleedinglife2_adobe_2010_2884_exploit : EK
{
meta:
author = "Josh Berry"
......@@ -64,7 +64,7 @@ strings:
condition:
17 of them
}
rule bleedinglife2_jar2
rule bleedinglife2_jar2 : EK
{
meta:
author = "Josh Berry"
......@@ -87,7 +87,7 @@ strings:
condition:
9 of them
}
rule bleedinglife2_java_2010_0842_exploit
rule bleedinglife2_java_2010_0842_exploit : EK
{
meta:
author = "Josh Berry"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule crimepack_jar
rule crimepack_jar : EK
{
meta:
author = "Josh Berry"
......@@ -22,7 +22,7 @@ strings:
condition:
6 of them
}
rule crimepack_jar3
rule crimepack_jar3 : EK
{
meta:
author = "Josh Berry"
......
rule eleonore_jar
rule eleonore_jar : EK
{
meta:
author = "Josh Berry"
......@@ -24,7 +24,7 @@ strings:
condition:
12 of them
}
rule eleonore_jar2
rule eleonore_jar2 : EK
{
meta:
author = "Josh Berry"
......@@ -52,7 +52,7 @@ strings:
condition:
14 of them
}
rule eleonore_jar3
rule eleonore_jar3 : EK
{
meta:
author = "Josh Berry"
......@@ -78,7 +78,7 @@ strings:
condition:
12 of them
}
rule eleonore_js
rule eleonore_js : EK
{
meta:
author = "Josh Berry"
......@@ -103,7 +103,7 @@ strings:
condition:
11 of them
}
rule eleonore_js2
rule eleonore_js2 : EK
{
meta:
author = "Josh Berry"
......@@ -132,7 +132,7 @@ strings:
condition:
15 of them
}
rule eleonore_js3
rule eleonore_js3 : EK
{
meta:
author = "Josh Berry"
......
rule fragus_htm
rule fragus_htm : EK
{
meta:
author = "Josh Berry"
......@@ -28,7 +28,7 @@ strings:
condition:
16 of them
}
rule fragus_js
rule fragus_js : EK
{
meta:
author = "Josh Berry"
......@@ -60,7 +60,7 @@ strings:
condition:
18 of them
}
rule fragus_js2
rule fragus_js2 : EK
{
meta:
author = "Josh Berry"
......@@ -91,7 +91,7 @@ strings:
condition:
17 of them
}
rule fragus_js_flash
rule fragus_js_flash : EK
{
meta:
author = "Josh Berry"
......@@ -120,7 +120,7 @@ strings:
condition:
15 of them
}
rule fragus_js_java
rule fragus_js_java : EK
{
meta:
author = "Josh Berry"
......@@ -151,7 +151,7 @@ strings:
condition:
17 of them
}
rule fragus_js_quicktime
rule fragus_js_quicktime : EK
{
meta:
author = "Josh Berry"
......@@ -180,7 +180,7 @@ strings:
condition:
15 of them
}
rule fragus_js_vml
rule fragus_js_vml : EK
{
meta:
author = "Josh Berry"
......
rule phoenix_html
rule phoenix_html : EK
{
meta:
author = "Josh Berry"
......@@ -21,7 +21,7 @@ strings:
condition:
10 of them
}
rule phoenix_html10
rule phoenix_html10 : EK
{
meta:
author = "Josh Berry"
......@@ -52,7 +52,7 @@ strings:
condition:
17 of them
}
rule phoenix_html11
rule phoenix_html11 : EK
{
meta:
author = "Josh Berry"
......@@ -84,7 +84,7 @@ strings:
condition:
18 of them
}
rule phoenix_html2
rule phoenix_html2 : EK
{
meta:
author = "Josh Berry"
......@@ -115,7 +115,7 @@ strings:
condition:
17 of them
}
rule phoenix_html3
rule phoenix_html3 : EK
{
meta:
author = "Josh Berry"
......@@ -147,7 +147,7 @@ strings:
condition:
18 of them
}
rule phoenix_html4
rule phoenix_html4 : EK
{
meta:
author = "Josh Berry"
......@@ -174,7 +174,7 @@ strings:
condition:
13 of them
}
rule phoenix_html5
rule phoenix_html5 : EK
{
meta:
author = "Josh Berry"
......@@ -204,7 +204,7 @@ strings:
condition:
16 of them
}
rule phoenix_html6
rule phoenix_html6 : EK
{
meta:
author = "Josh Berry"
......@@ -235,7 +235,7 @@ strings:
condition:
17 of them
}
rule phoenix_html7
rule phoenix_html7 : EK
{
meta:
author = "Josh Berry"
......@@ -266,7 +266,7 @@ strings:
condition:
17 of them
}
rule phoenix_html8
rule phoenix_html8 : EK
{
meta:
author = "Josh Berry"
......@@ -296,7 +296,7 @@ strings:
condition:
16 of them
}
rule phoenix_html9
rule phoenix_html9 : EK
{
meta:
author = "Josh Berry"
......@@ -328,7 +328,7 @@ strings:
condition:
18 of them
}
rule phoenix_jar
rule phoenix_jar : EK
{
meta:
author = "Josh Berry"
......@@ -352,7 +352,7 @@ strings:
condition:
10 of them
}
rule phoenix_jar2
rule phoenix_jar2 : EK
{
meta:
author = "Josh Berry"
......@@ -380,7 +380,7 @@ strings:
condition:
14 of them
}
rule phoenix_jar3
rule phoenix_jar3 : EK Jar
{
meta:
author = "Josh Berry"
......@@ -403,7 +403,7 @@ strings:
condition:
9 of them
}
rule phoenix_pdf
rule phoenix_pdf : EK PDF
{
meta:
author = "Josh Berry"
......@@ -429,7 +429,7 @@ strings:
condition:
11 of them
}
rule phoenix_pdf2
rule phoenix_pdf2 : EK PDF
{
meta:
author = "Josh Berry"
......@@ -456,7 +456,7 @@ strings:
condition:
13 of them
}
rule phoenix_pdf3
rule phoenix_pdf3 : EK PDF
{
meta:
author = "Josh Berry"
......
rule sakura_jar
rule sakura_jar : EK
{
meta:
author = "Josh Berry"
......@@ -29,7 +29,7 @@ strings:
condition:
17 of them
}
rule sakura_jar2
rule sakura_jar2 : EK jar
{
meta:
author = "Josh Berry"
......
rule zeroaccess_css
rule zeroaccess_css : EK
{
meta:
author = "Josh Berry"
......@@ -30,7 +30,7 @@ strings:
condition:
18 of them
}
rule zeroaccess_css2
rule zeroaccess_css2 : EK css
{
meta:
author = "Josh Berry"
......@@ -55,7 +55,7 @@ strings:
condition:
11 of them
}
rule zeroaccess_htm
rule zeroaccess_htm : EK html
{
meta:
author = "Josh Berry"
......@@ -85,7 +85,7 @@ strings:
condition:
16 of them
}
rule zeroaccess_js
rule zeroaccess_js : EK js
{
meta:
author = "Josh Berry"
......@@ -117,7 +117,7 @@ strings:
condition:
18 of them
}
rule zeroaccess_js2
rule zeroaccess_js2 : EK js
{
meta:
author = "Josh Berry"
......@@ -149,7 +149,7 @@ strings:
condition:
18 of them
}
rule zeroaccess_js3
rule zeroaccess_js3 : EK js
{
meta:
author = "Josh Berry"
......@@ -178,7 +178,7 @@ strings:
condition:
15 of them
}
rule zeroaccess_js4
rule zeroaccess_js4 : EK js
{
meta:
author = "Josh Berry"
......
rule zeus_js
rule zeus_js : EK
{
meta:
author = "Josh Berry"
......
......@@ -3,7 +3,7 @@
*/
rule APT_OLE_JSRat
rule APT_OLE_JSRat : maldoc APT
{
meta:
author = "Rahul Mohandas"
......
......@@ -15,7 +15,7 @@
2016/03/21: start
*/
rule Contains_VBE_File
rule Contains_VBE_File : maldoc
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
......
......@@ -2,6 +2,35 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Dridex_Trojan_XML : maldoc {
meta:
description = "Dridex Malware in XML Document"
author = "Florian Roth @4nc4p"
reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
date = "2015/03/08"
hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
strings:
// can be ascii or wide formatted - therefore no restriction
$c_xml = "<?xml version="
$c_word = "<?mso-application progid=\"Word.Document\"?>"
$c_macro = "w:macrosPresent=\"yes\""
$c_binary = "<w:binData w:name="
$c_0_chars = "<o:Characters>0</o:Characters>"
$c_1_line = "<o:Lines>1</o:Lines>"
condition:
all of ($c*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Yara Rule Set
Author: Florian Roth
......@@ -46,3 +75,4 @@ rule PHISH_02Dez2015_attach_P_ORD_C_10156_124658 {
condition:
uint16(0) == 0xcfd0 and filesize < 200KB and all of them
}
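Review bot: The comment at the top of the strings section of `Dridex_Trojan_XML` says the markers `can be ascii or wide formatted - therefore no restriction`, but a YARA string with no modifier is matched in ASCII form only, so as written the rule will not fire on a UTF-16 encoded XML document; either add `ascii wide` to each `$c_*` string or reword the comment to say the rule deliberately matches ASCII only. The same addition leaves the file with the GPLv2 header twice (once before and once after the new rule), which reads like a concatenation artifact, and the `import "pe"` placed above the rule is not referenced by any condition visible in this hunk — if it is new here, it can be dropped.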
......@@ -3,7 +3,7 @@
*/
rule Contains_hidden_PE_File_inside_a_sequence_of_numbers
rule Contains_hidden_PE_File_inside_a_sequence_of_numbers : maldoc
{
meta:
author = "Martin Willing (https://evild3ad.com)"
......
......@@ -3,7 +3,7 @@
*/
rule MIME_MSO_ActiveMime_base64
rule MIME_MSO_ActiveMime_base64 : maldoc
{
meta:
author = "Martin Willing (https://evild3ad.com)"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule asp_file {
rule asp_file : webshell {
meta:
description = "Laudanum Injector Tools - file file.asp"
author = "Florian Roth"
......@@ -20,7 +20,7 @@ rule asp_file {
uint16(0) == 0x253c and filesize < 30KB and 5 of them
}
rule php_killnc {
rule php_killnc : webshell {
meta:
description = "Laudanum Injector Tools - file killnc.php"
author = "Florian Roth"
......@@ -37,7 +37,7 @@ rule php_killnc {
filesize < 15KB and 4 of them
}
rule asp_shell {
rule asp_shell : webshell {
meta:
description = "Laudanum Injector Tools - file shell.asp"
author = "Florian Roth"
......@@ -56,7 +56,7 @@ rule asp_shell {
filesize < 15KB and 4 of them
}
rule settings {
rule settings : webshell {
meta:
description = "Laudanum Injector Tools - file settings.php"
author = "Florian Roth"
......@@ -71,7 +71,7 @@ rule settings {
filesize < 13KB and all of them
}
rule asp_proxy {
rule asp_proxy : webshell {
meta:
description = "Laudanum Injector Tools - file proxy.asp"
author = "Florian Roth"
......@@ -89,7 +89,7 @@ rule asp_proxy {
filesize < 50KB and all of them
}
rule cfm_shell {
rule cfm_shell : webshell {
meta:
description = "Laudanum Injector Tools - file shell.cfm"
author = "Florian Roth"
......@@ -104,7 +104,7 @@ rule cfm_shell {
filesize < 20KB and 2 of them
}
rule aspx_shell {
rule aspx_shell : webshell{
meta:
description = "Laudanum Injector Tools - file shell.aspx"
author = "Florian Roth"
......@@ -120,7 +120,7 @@ rule aspx_shell {
filesize < 20KB and all of them
}
rule php_shell {
rule php_shell : webshell{
meta:
description = "Laudanum Injector Tools - file shell.php"
author = "Florian Roth"
......@@ -136,7 +136,7 @@ rule php_shell {
filesize < 40KB and all of them
}
rule php_reverse_shell {
rule php_reverse_shell : webshell {
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
author = "Florian Roth"
......@@ -151,7 +151,7 @@ rule php_reverse_shell {
filesize < 15KB and all of them
}
rule php_dns {
rule php_dns : webshell{
meta:
description = "Laudanum Injector Tools - file dns.php"
author = "Florian Roth"
......@@ -167,7 +167,7 @@ rule php_dns {
filesize < 15KB and all of them
}
rule WEB_INF_web {
rule WEB_INF_web : webshell{
meta:
description = "Laudanum Injector Tools - file web.xml"
author = "Florian Roth"
......@@ -181,7 +181,7 @@ rule WEB_INF_web {
filesize < 1KB and all of them
}
rule jsp_cmd {
rule jsp_cmd : webshell {
meta:
description = "Laudanum Injector Tools - file cmd.war"
author = "Florian Roth"
......@@ -198,7 +198,7 @@ rule jsp_cmd {
uint16(0) == 0x4b50 and filesize < 2KB and all of them
}
rule laudanum {
rule laudanum : webshell {
meta:
description = "Laudanum Injector Tools - file laudanum.php"
author = "Florian Roth"
......@@ -212,7 +212,7 @@ rule laudanum {
filesize < 5KB and all of them
}
rule php_file {
rule php_file : webshell{
meta:
description = "Laudanum Injector Tools - file file.php"
author = "Florian Roth"
......@@ -228,7 +228,7 @@ rule php_file {
filesize < 10KB and all of them
}
rule warfiles_cmd {
rule warfiles_cmd : webshell {
meta:
description = "Laudanum Injector Tools - file cmd.jsp"
author = "Florian Roth"
......@@ -244,7 +244,7 @@ rule warfiles_cmd {
filesize < 2KB and all of them
}
rule asp_dns {
rule asp_dns : webshell{
meta:
description = "Laudanum Injector Tools - file dns.asp"
author = "Florian Roth"
......@@ -260,7 +260,7 @@ rule asp_dns {
filesize < 21KB and all of them
}
rule php_reverse_shell_2 {
rule php_reverse_shell_2 : webshell{
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
author = "Florian Roth"
......@@ -274,7 +274,7 @@ rule php_reverse_shell_2 {
filesize < 10KB and all of them
}
rule Laudanum_Tools_Generic {
rule Laudanum_Tools_Generic : webshell Toolkit{
meta:
description = "Laudanum Injector Tools"
author = "Florian Roth"
......
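Review bot: The brace spacing in the new rule headers is inconsistent within the same file: `rule asp_file : webshell {` versus `rule aspx_shell : webshell{`, `rule php_shell : webshell{`, `rule php_dns : webshell{` and `rule Laudanum_Tools_Generic : webshell Toolkit{`. YARA accepts both forms, but the mixed style will churn in every later diff; use `: webshell {` throughout, and `rule Laudanum_Tools_Generic : webshell Toolkit {` for the last one. The same mix appears in the next file, from `webshell_iMHaPFtp_2 : webshell{` onward.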
......@@ -19,7 +19,7 @@
*/
rule Weevely_Webshell {
rule Weevely_Webshell : webshell {
meta:
description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
author = "Florian Roth"
......@@ -36,7 +36,7 @@ rule Weevely_Webshell {
$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
}
rule webshell_h4ntu_shell_powered_by_tsoi_ {
rule webshell_h4ntu_shell_powered_by_tsoi_ : webshell {
meta:
description = "Web Shell - file h4ntu shell [powered by tsoi].php"
author = "Florian Roth"
......@@ -51,7 +51,7 @@ rule webshell_h4ntu_shell_powered_by_tsoi_ {
condition:
all of them
}
rule webshell_PHP_sql {
rule webshell_PHP_sql : webshell {
meta:
description = "Web Shell - file sql.php"
author = "Florian Roth"
......@@ -64,7 +64,7 @@ rule webshell_PHP_sql {
condition:
all of them
}
rule webshell_PHP_a {
rule webshell_PHP_a : webshell {
meta:
description = "Web Shell - file a.php"
author = "Florian Roth"
......@@ -78,7 +78,7 @@ rule webshell_PHP_a {
condition:
2 of them
}
rule webshell_iMHaPFtp_2 {
rule webshell_iMHaPFtp_2 : webshell{
meta:
description = "Web Shell - file iMHaPFtp.php"
author = "Florian Roth"
......@@ -91,7 +91,7 @@ rule webshell_iMHaPFtp_2 {
condition:
1 of them
}
rule webshell_Jspspyweb {
rule webshell_Jspspyweb : webshell{
meta:
description = "Web Shell - file Jspspyweb.jsp"
author = "Florian Roth"
......@@ -104,7 +104,7 @@ rule webshell_Jspspyweb {
condition:
all of them
}
rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 : webshell{
meta:
description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
author = "Florian Roth"
......@@ -117,7 +117,7 @@ rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
condition:
1 of them
}
rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend : webshell{
meta:
description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
author = "Florian Roth"
......@@ -130,7 +130,7 @@ rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
condition:
1 of them
}
rule webshell_phpshell_2_1_pwhash {
rule webshell_phpshell_2_1_pwhash : webshell{
meta:
description = "Web Shell - file pwhash.php"
author = "Florian Roth"
......@@ -143,7 +143,7 @@ rule webshell_phpshell_2_1_pwhash {
condition:
1 of them
}
rule webshell_PHPRemoteView {
rule webshell_PHPRemoteView : webshell{
meta:
description = "Web Shell - file PHPRemoteView.php"
author = "Florian Roth"
......@@ -156,7 +156,7 @@ rule webshell_PHPRemoteView {
condition:
1 of them
}
rule webshell_jsp_12302 {
rule webshell_jsp_12302 : webshell{
meta:
description = "Web Shell - file 12302.jsp"
author = "Florian Roth"
......@@ -170,7 +170,7 @@ rule webshell_jsp_12302 {
condition:
all of them
}
rule webshell_caidao_shell_guo {
rule webshell_caidao_shell_guo : webshell{
meta:
description = "Web Shell - file guo.php"
author = "Florian Roth"
......@@ -183,7 +183,7 @@ rule webshell_caidao_shell_guo {
condition:
1 of them
}
rule webshell_PHP_redcod {
rule webshell_PHP_redcod : webshell{
meta:
description = "Web Shell - file redcod.php"
author = "Florian Roth"
......@@ -196,7 +196,7 @@ rule webshell_PHP_redcod {
condition:
all of them
}
rule webshell_remview_fix {
rule webshell_remview_fix : webshell{
meta:
description = "Web Shell - file remview_fix.php"
author = "Florian Roth"
......@@ -209,7 +209,7 @@ rule webshell_remview_fix {
condition:
1 of them
}
rule webshell_asp_cmd {
rule webshell_asp_cmd : webshell {
meta:
description = "Web Shell - file cmd.asp"
author = "Florian Roth"
......@@ -223,7 +223,7 @@ rule webshell_asp_cmd {
condition:
1 of them
}
rule webshell_php_sh_server {
rule webshell_php_sh_server : webshell {
meta:
description = "Web Shell - file server.php"
author = "Florian Roth"
......@@ -235,7 +235,7 @@ rule webshell_php_sh_server {
condition:
all of them
}
rule webshell_PH_Vayv_PH_Vayv {
rule webshell_PH_Vayv_PH_Vayv : webshell {
meta:
description = "Web Shell - file PH Vayv.php"
author = "Florian Roth"
......@@ -248,7 +248,7 @@ rule webshell_PH_Vayv_PH_Vayv {
condition:
1 of them
}
rule webshell_caidao_shell_ice {
rule webshell_caidao_shell_ice : webshell{
meta:
description = "Web Shell - file ice.asp"
author = "Florian Roth"
......@@ -260,7 +260,7 @@ rule webshell_caidao_shell_ice {
condition:
all of them
}
rule webshell_cihshell_fix {
rule webshell_cihshell_fix : webshell {
meta:
description = "Web Shell - file cihshell_fix.php"
author = "Florian Roth"
......@@ -273,7 +273,7 @@ rule webshell_cihshell_fix {
condition:
1 of them
}
rule webshell_asp_shell {
rule webshell_asp_shell : webshell {
meta:
description = "Web Shell - file shell.asp"
author = "Florian Roth"
......@@ -286,7 +286,7 @@ rule webshell_asp_shell {
condition:
all of them
}
rule webshell_Private_i3lue {
rule webshell_Private_i3lue : webshell{
meta:
description = "Web Shell - file Private-i3lue.php"
author = "Florian Roth"
......@@ -298,7 +298,7 @@ rule webshell_Private_i3lue {
condition:
all of them
}
rule webshell_php_up {
rule webshell_php_up : webshell {
meta:
description = "Web Shell - file up.php"
author = "Florian Roth"
......
......@@ -5,7 +5,7 @@
(echoers), file(s) which use file_get_contents()
to get and echo the HTML (chinese blog/shop/???).
*/
rule chinese_spam_spreader
rule chinese_spam_spreader : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
......@@ -19,7 +19,7 @@ rule chinese_spam_spreader
all of them
}
rule chinese_spam_echoer
rule chinese_spam_echoer : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
......
......@@ -12,7 +12,7 @@
info on "h4x4rwow@yahoo.com" as written in the "system32()"
function.
*/
rule fire2013
rule fire2013 : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
......
......@@ -4,7 +4,7 @@
import "pe"
rule apt_c16_win_memory_pcclient
rule apt_c16_win_memory_pcclient : Memory APT
{
meta:
author = "@dragonthreatlab"
......@@ -21,7 +21,7 @@ rule apt_c16_win_memory_pcclient
all of them
}
rule apt_c16_win_disk_pcclient
rule apt_c16_win_disk_pcclient : Disk
{
meta:
author = "@dragonthreatlab"
......@@ -35,7 +35,7 @@ rule apt_c16_win_disk_pcclient
$header at 0
}
rule apt_c16_win32_dropper
rule apt_c16_win32_dropper : Dropper
{
meta:
author = "@dragonthreatlab"
......@@ -54,7 +54,7 @@ rule apt_c16_win32_dropper
$mz at 0 and all of ($str*)
}
rule apt_c16_win_swisyn
rule apt_c16_win_swisyn : Memory
{
meta:
author = "@dragonthreatlab"
......@@ -87,7 +87,7 @@ rule apt_c16_win_wateringhole
any of ($str*)
}
rule apt_c16_win64_dropper
rule apt_c16_win64_dropper : Dropper
{
meta:
author = "@dragonthreatlab"
......
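Review bot: Only `apt_c16_win_memory_pcclient` receives the `APT` tag in this file; the four sibling rules get `Disk`, `Dropper` or `Memory` alone, so tag-based selection of APT rules will pick up one rule of the set and miss the rest. Judging by the hunk headers, `apt_c16_win_wateringhole` is not touched at all and stays untagged. Suggest `rule apt_c16_win_disk_pcclient : Disk APT`, `rule apt_c16_win32_dropper : Dropper APT` and the same for the remaining rules, or put `APT` on none of them and let the file name carry that grouping.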
......@@ -11,7 +11,7 @@
/* Rule Set ----------------------------------------------------------------- */
rule Carbanak_0915_1 {
rule Carbanak_0915_1 : APT {
meta:
description = "Carbanak Malware"
author = "Florian Roth"
......@@ -25,7 +25,7 @@ rule Carbanak_0915_1 {
uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}
rule Carbanak_0915_2 {
rule Carbanak_0915_2 : APT {
meta:
description = "Carbanak Malware"
author = "Florian Roth"
......@@ -46,7 +46,7 @@ rule Carbanak_0915_2 {
uint16(0) == 0x5a4d and filesize < 500KB and ( $x1 or all of ($s*) )
}
rule Carbanak_0915_3 {
rule Carbanak_0915_3 : APT {
meta:
description = "Carbanak Malware"
author = "Florian Roth"
......
......@@ -4,7 +4,7 @@
import "pe"
rule Careto_SGH {
rule Careto_SGH : APT Careto {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto SGH component signature"
......@@ -19,7 +19,7 @@ rule Careto_SGH {
2 of them
}
rule Careto_OSX_SBD {
rule Careto_OSX_SBD : APT Careto {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto OSX component signature"
......@@ -32,7 +32,7 @@ rule Careto_OSX_SBD {
all of them
}
rule Careto_CnC {
rule Careto_CnC : APT Careto {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto CnC communication signature"
......@@ -47,7 +47,7 @@ rule Careto_CnC {
all of them
}
rule Careto_CnC_domains {
rule Careto_CnC_domains : APT Careto {
meta:
author = "AlienVault (Alberto Ortega)"
description = "TheMask / Careto known command and control domains"
......
......@@ -5,7 +5,7 @@
import "pe"
rule Casper_Backdoor_x86 {
rule Casper_Backdoor_x86 : APT Backdoor {
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
author = "Florian Roth"
......@@ -36,7 +36,7 @@ rule Casper_Backdoor_x86 {
( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
}
rule Casper_EXE_Dropper {
rule Casper_EXE_Dropper : Dropper {
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
author = "Florian Roth"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule CloudDuke_Malware {
rule CloudDuke_Malware : APT CloudDuke {
meta:
description = "Detects CloudDuke Malware"
author = "Florian Roth"
......@@ -40,7 +40,7 @@ rule CloudDuke_Malware {
/* Super Rules ------------------------------------------------------------- */
rule SFXRAR_Acrotray {
rule SFXRAR_Acrotray : APT CloudDuke {
meta:
description = "Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe"
author = "Florian Roth"
......
......@@ -4,7 +4,7 @@
import "pe"
rule APT_DeputyDog_Fexel
rule APT_DeputyDog_Fexel : APT DeputyDog
{
meta:
author = "ThreatConnect Intelligence Research Team"
......@@ -18,7 +18,7 @@ condition:
any of them
}
rule APT_DeputyDog
rule APT_DeputyDog : APT DeputyDog
{
meta:
Author = "FireEye Labs"
......@@ -32,4 +32,4 @@ rule APT_DeputyDog
condition:
($mz at 0) and $a
}
\ No newline at end of file
}
......@@ -5,7 +5,7 @@
import "pe"
rule apt_nix_elf_derusbi
rule apt_nix_elf_derusbi : APT Derusbi ELF
{
meta:
Author = "@seifreed"
......@@ -51,7 +51,7 @@ rule apt_nix_elf_derusbi
condition:
(uint32(0) == 0x4464c457f) and (all of them)
}
rule apt_nix_elf_derusbi_kernelModule
rule apt_nix_elf_derusbi_kernelModule : APT Derusbi ELF
{
meta:
Author = "@seifreed"
......@@ -80,7 +80,7 @@ rule apt_nix_elf_derusbi_kernelModule
condition:
(uint32(0) == 0x4464c457f) and (all of them)
}
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation : APT Derusbi ELF
{
meta:
Author = "@seifreed"
......@@ -90,7 +90,7 @@ rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
(uint32(0) == 0x464C457F) and (any of them)
}
rule apt_nix_elf_Derusbi_Linux_Strings
rule apt_nix_elf_Derusbi_Linux_Strings : APT Derusbi ELF
{
meta:
Author = "@seifreed"
......@@ -117,7 +117,7 @@ rule apt_nix_elf_Derusbi_Linux_Strings
all of ($b*))
}
rule apt_win_exe_trojan_derusbi
rule apt_win_exe_trojan_derusbi : APT Derusbi
{
meta:
Author = "@seifreed"
......@@ -179,7 +179,7 @@ rule apt_win_exe_trojan_derusbi
}
rule Trojan_Derusbi {
rule Trojan_Derusbi : APT Derusbi {
meta:
Author = "RSA_IR"
Date = "4Sept13"
......@@ -200,7 +200,7 @@ rule Trojan_Derusbi {
2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
}
rule APT_Derusbi_DeepPanda
rule APT_Derusbi_DeepPanda : APT Derusbi ELF DeepPanda
{
meta:
author = "ThreatConnect Intelligence Research Team"
......@@ -212,7 +212,7 @@ condition:
}
rule APT_Derusbi_Gen
rule APT_Derusbi_Gen : APT Derusbi
{
meta:
author = "ThreatConnect Intelligence Research Team"
......@@ -240,7 +240,7 @@ condition:
Identifier: Derusbi Dez 2015
*/
rule derusbi_kernel
rule derusbi_kernel : APT Derusbi
{
meta:
description = "Derusbi Driver version"
......@@ -256,7 +256,7 @@ rule derusbi_kernel
$MZ at 0 and $token1 and $token2 and $cfg and $class
}
rule derusbi_linux
rule derusbi_linux : APT Derusbi ELF
{
meta:
description = "Derusbi Server Linux version"
......@@ -279,7 +279,7 @@ rule derusbi_linux
Identifier: Derusbi Dez 2015
*/
rule Derusbi_Kernel_Driver_WD_UDFS {
rule Derusbi_Kernel_Driver_WD_UDFS : APT Derusbi {
meta:
description = "Detects Derusbi Kernel Driver"
author = "Florian Roth"
......@@ -310,7 +310,7 @@ rule Derusbi_Kernel_Driver_WD_UDFS {
)
}
rule Derusbi_Code_Signing_Cert {
rule Derusbi_Code_Signing_Cert : APT Derusbi {
meta:
description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
author = "Florian Roth"
......@@ -325,7 +325,7 @@ rule Derusbi_Code_Signing_Cert {
uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
}
rule XOR_4byte_Key {
rule XOR_4byte_Key : APT Derusbi {
meta:
description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
author = "Florian Roth"
......@@ -347,3 +347,28 @@ rule XOR_4byte_Key {
condition:
uint16(0) == 0x5a4d and filesize < 900KB and all of them
}
rule apt_win32_dll_bergard_pgv_pvid_variant : Win32 Derusbi
{
meta:
copyright = "Fidelis Cybersecurity"
reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
strings:
$ = "Accept:"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Cache-Control: no-cache"
$ = "Connection: Keep-Alive"
$ = "Cookie: pgv_pvid="
$ = "Content-Type: application/x-octet-stream"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Pragma: no-cache"
$ = "Connection: Keep-Alive"
$ = "HTTP/1.0"
condition:
(uint16(0) == 0x5A4D) and (all of them)
}
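Review bot: `apt_win32_dll_bergard_pgv_pvid_variant` declares `"User-Agent: %s"`, `"Host: %s:%d"` and `"Connection: Keep-Alive"` twice each as anonymous strings; with `all of them` the duplicates add nothing to the match and only cost scan time and reader confusion, so keep one copy of each. The new rule is also tagged `Win32 Derusbi` while every other rule in this file was just given `APT Derusbi`, so a `-t APT` selection will skip it; `rule apt_win32_dll_bergard_pgv_pvid_variant : APT Derusbi Win32` keeps it in the set. A `filesize` bound like the one `XOR_4byte_Key` uses directly above would also be in keeping with the rest of the file.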
......@@ -7,7 +7,7 @@ import "pe"
/* Equation APT ------------------------------------------------------------ */
rule apt_equation_exploitlib_mutexes {
rule apt_equation_exploitlib_mutexes : mutex {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
......@@ -59,7 +59,7 @@ rule apt_equation_equationlaser_runtimeclasses {
any of them
}
rule apt_equation_cryptotable {
rule apt_equation_cryptotable : crypto {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect the crypto library used in Equation group malware"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule bin_ndisk {
rule bin_ndisk : disk HackingTeam {
meta:
description = "Hacking Team Disclosure Sample - file ndisk.sys"
author = "Florian Roth"
......@@ -22,7 +22,7 @@ rule bin_ndisk {
uint16(0) == 0x5a4d and filesize < 30KB and 6 of them
}
rule Hackingteam_Elevator_DLL {
rule Hackingteam_Elevator_DLL : dll HackingTeam {
meta:
description = "Hacking Team Disclosure Sample - file elevator.dll"
author = "Florian Roth"
......@@ -44,7 +44,7 @@ rule Hackingteam_Elevator_DLL {
uint16(0) == 0x5a4d and filesize < 1000KB and 6 of them
}
rule HackingTeam_Elevator_EXE {
rule HackingTeam_Elevator_EXE : HackingTeam {
meta:
description = "Hacking Team Disclosure Sample - file elevator.exe"
author = "Florian Roth"
......@@ -70,3 +70,70 @@ rule HackingTeam_Elevator_EXE {
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of ($x*) and 3 of ($s*)
}
import "pe"
rule RCS_Backdoor
{
meta:
description = "Hacking Team RCS Backdoor"
author = "botherder https://github.com/botherder"
strings:
$filter1 = "$debug3"
$filter2 = "$log2"
$filter3 = "error2"
$debug1 = /\- (C)hecking components/ wide ascii
$debug2 = /\- (A)ctivating hiding system/ wide ascii
$debug3 = /(f)ully operational/ wide ascii
$log1 = /\- Browser activity \(FF\)/ wide ascii
$log2 = /\- Browser activity \(IE\)/ wide ascii
// Cause false positives.
//$log3 = /\- About to call init routine at %p/ wide ascii
//$log4 = /\- Calling init routine at %p/ wide ascii
$error1 = /\[Unable to deploy\]/ wide ascii
$error2 = /\[The system is already monitored\]/ wide ascii
condition:
(2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
}
rule RCS_Scout
{
meta:
description = "Hacking Team RCS Scout"
author = "botherder https://github.com/botherder"
strings:
$filter1 = "$engine5"
$filter2 = "$start4"
$filter3 = "$upd2"
$filter4 = "$lookma6"
$engine1 = /(E)ngine started/ wide ascii
$engine2 = /(R)unning in background/ wide ascii
$engine3 = /(L)ocking doors/ wide ascii
$engine4 = /(R)otors engaged/ wide ascii
$engine5 = /(I)\'m going to start it/ wide ascii
$start1 = /Starting upgrade\!/ wide ascii
$start2 = /(I)\'m going to start the program/ wide ascii
$start3 = /(i)s it ok\?/ wide ascii
$start4 = /(C)lick to start the program/ wide ascii
$upd1 = /(U)pdJob/ wide ascii
$upd2 = /(U)pdTimer/ wide ascii
$lookma1 = /(O)wning PCI bus/ wide
$lookma2 = /(F)ormatting bios/ wide
$lookma3 = /(P)lease insert a disk in drive A:/ wide
$lookma4 = /(U)pdating CPU microcode/ wide
$lookma5 = /(N)ot sure what's happening/ wide
$lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide
condition:
(all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
}
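Review bot: `RCS_Backdoor` and `RCS_Scout` are appended to this file without the `HackingTeam` tag that the same commit adds to `bin_ndisk`, `Hackingteam_Elevator_DLL` and `HackingTeam_Elevator_EXE`, so a tag-based selection of Hacking Team rules would miss exactly the two RCS detections; `rule RCS_Backdoor : HackingTeam Backdoor` and `rule RCS_Scout : HackingTeam` would keep the file consistent. The `import "pe"` inserted ahead of `RCS_Backdoor` is not referenced by either rule's condition (both use only string counts), so it can be dropped unless a later change needs it.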
......@@ -16,7 +16,7 @@ rule IronTiger_ASPXSpy
any of ($str*)
}
rule IronTiger_ChangePort_Toolkit_driversinstall
rule IronTiger_ChangePort_Toolkit_driversinstall : driver
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -31,7 +31,7 @@ rule IronTiger_ChangePort_Toolkit_driversinstall
uint16(0) == 0x5a4d and (2 of ($str*))
}
rule IronTiger_ChangePort_Toolkit_ChangePortExe
rule IronTiger_ChangePort_Toolkit_ChangePortExe : Toolkit
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -47,7 +47,7 @@ rule IronTiger_ChangePort_Toolkit_ChangePortExe
uint16(0) == 0x5a4d and (2 of ($str*))
}
rule IronTiger_dllshellexc2010
rule IronTiger_dllshellexc2010 : Backdoor
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -63,7 +63,7 @@ rule IronTiger_dllshellexc2010
(uint16(0) == 0x5a4d) and ((any of ($str*)) or (all of ($bla*)))
}
rule IronTiger_dnstunnel
rule IronTiger_dnstunnel : Tunnel
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -83,7 +83,7 @@ rule IronTiger_dnstunnel
(uint16(0) == 0x5a4d) and ((any of ($str*)) or (any of ($mistake*)))
}
rule IronTiger_EFH3_encoder
rule IronTiger_EFH3_encoder : Encoder
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -144,7 +144,7 @@ rule IronTiger_Gh0stRAT_variant
uint16(0) == 0x5a4d and (any of ($str*))
}
rule IronTiger_GTalk_Trojan
rule IronTiger_GTalk_Trojan : trojan
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -159,7 +159,7 @@ rule IronTiger_GTalk_Trojan
uint16(0) == 0x5a4d and (2 of ($str*))
}
rule IronTiger_HTTPBrowser_Dropper
rule IronTiger_HTTPBrowser_Dropper : Dropper
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -189,7 +189,7 @@ rule IronTiger_HTTP_SOCKS_Proxy_soexe
uint16(0) == 0x5a4d and (3 of ($str*))
}
rule IronTiger_NBDDos_Gh0stvariant_dropper
rule IronTiger_NBDDos_Gh0stvariant_dropper : Dropper
{
meta:
author = "Cyber Safety Solutions, Trend Micro"
......@@ -305,3 +305,148 @@ rule IronTiger_wmiexec
condition:
2 of ($str*)
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-09-16
Identifier: Iron Panda
*/
/* Rule Set ----------------------------------------------------------------- */
rule IronPanda_DNSTunClient {
meta:
description = "Iron Panda malware DnsTunClient - file named.exe"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
score = 80
hash = "a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431"
strings:
$s1 = "dnstunclient -d or -domain <domain>" fullword ascii
$s2 = "dnstunclient -ip <server ip address>" fullword ascii
$s3 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"\\Microsoft\\Windows\\PLA\\System\\Microsoft Windows\" /tr " fullword ascii
$s4 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"Microsoft Windows\" /tr " fullword ascii
$s5 = "taskkill /im conime.exe" fullword ascii
$s6 = "\\dns control\\t-DNSTunnel\\DnsTunClient\\DnsTunClient.cpp" fullword ascii
$s7 = "UDP error:can not bing the port(if there is unclosed the bind process?)" fullword ascii
$s8 = "use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s)" fullword ascii
$s9 = "error: packet num error.the connection have condurt,pls try later" fullword ascii
$s10 = "Coversation produce one error:%s,coversation fail" fullword ascii
$s11 = "try to add many same pipe to select group(or mark is too easy)." fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 2 of them )
or
5 of them
}
rule IronPanda_Malware1 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a"
strings:
$x1 = "activedsimp.dll" fullword wide
$s1 = "get_BadLoginAddress" fullword ascii
$s2 = "get_LastFailedLogin" fullword ascii
$s3 = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" fullword ascii
$s4 = "get_PasswordExpirationDate" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule IronPanda_Webshell_JSP {
meta:
description = "Iron Panda Malware JSP"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6"
strings:
$s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
$s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" fullword ascii
$s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" fullword ascii
condition:
filesize < 330KB and 1 of them
}
rule IronPanda_Malware_Htran {
meta:
description = "Iron Panda Malware Htran"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
strings:
$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
$s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
$s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s4 = "[-] ERROR: Must supply logfile name." fullword ascii
$s5 = "[SERVER]connection to %s:%d error" fullword ascii
$s6 = "[+] Make a Connection to %s:%d...." fullword ascii
$s7 = "[+] Waiting another Client on port:%d...." fullword ascii
$s8 = "[+] Accept a Client on port %d from %s" fullword ascii
$s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
$s10 = "cmshared_get_ptr_from_atom" fullword ascii
$s11 = "_cmshared_get_ptr_from_atom" fullword ascii
$s12 = "[+] OK! I Closed The Two Socket." fullword ascii
$s13 = "[-] TransmitPort invalid." fullword ascii
$s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them )
or
5 of them
}
rule IronPanda_Malware2 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91"
strings:
$s0 = "\\setup.exe" fullword ascii
$s1 = "msi.dll.urlUT" fullword ascii
$s2 = "msi.dllUT" fullword ascii
$s3 = "setup.exeUT" fullword ascii
$s4 = "/c del /q %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
rule IronPanda_Malware3 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742"
strings:
$s0 = "PluginDeflater.exe" fullword wide
$s1 = ".Deflated" fullword wide
$s2 = "PluginDeflater" fullword ascii
$s3 = "DeflateStream" fullword ascii /* Goodware String - occured 1 times */
$s4 = "CompressionMode" fullword ascii /* Goodware String - occured 4 times */
$s5 = "System.IO.Compression" fullword ascii /* Goodware String - occured 6 times */
condition:
uint16(0) == 0x5a4d and filesize < 10KB and all of them
}
rule IronPanda_Malware4 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c"
strings:
$s0 = "TestPlugin.dll" fullword wide
$s1 = "<a href='http://www.baidu.com'>aasd</a>" fullword wide
$s2 = "Zcg.Test.AspxSpyPlugins" fullword ascii
$s6 = "TestPlugin" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 10KB and all of them
}
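Review bot: The seven `IronPanda_*` rules appended after `IronTiger_wmiexec` carry the same identifiers (`IronPanda_DNSTunClient`, `IronPanda_Malware1`, `IronPanda_Webshell_JSP`, `IronPanda_Malware_Htran`, `IronPanda_Malware2`, `IronPanda_Malware3`, `IronPanda_Malware4`) that a separate Iron Panda file on this page also defines, and YARA rejects a duplicated rule identifier within one namespace, so compiling or `include`-ing both files together will fail. Keeping the Iron Panda set in its own file and dropping this append avoids the collision; if the rules must live here as well, their names have to differ. The "Yara Rule Set / Identifier: Iron Panda" header comment now sits in the middle of the Iron Tiger file, which also suggests the block was pasted into the wrong file.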
......@@ -10,7 +10,7 @@
Identifier: TidePool (Ke3chang)
*/
rule TidePool_Malware {
rule TidePool_Malware : Ke3Chang {
meta:
description = "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks"
author = "Florian Roth"
......
......@@ -5,7 +5,7 @@
import "pe"
rule KeyBoy_Dropper
rule KeyBoy_Dropper : dropper
{
meta:
Author = "Rapid7 Labs"
......@@ -25,7 +25,7 @@ rule KeyBoy_Dropper
all of them
}
rule KeyBoy_Backdoor
rule KeyBoy_Backdoor : Backdoor APT
{
meta:
Author = "Rapid7 Labs"
......
......@@ -25,7 +25,7 @@ rule APT_NGO_wuaclt
($a and $b and $c) or ($d and $e) or ($f and $g and $h)
}
rule APT_NGO_wuaclt_PDF
rule APT_NGO_wuaclt_PDF : PDF
{
meta:
author = "AlienVault Labs"
......
......@@ -18,7 +18,7 @@ rule ZhoupinExploitCrew
1 of them
}
rule BackDoorLogger
rule BackDoorLogger : Backdoor APT
{
meta:
author = "Cylance"
......@@ -31,7 +31,7 @@ rule BackDoorLogger
all of them
}
rule Jasus
rule Jasus : APT
{
meta:
author = "Cylance"
......@@ -134,7 +134,7 @@ rule TinyZBot
($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
}
rule antivirusdetector
rule antivirusdetector : antivirus
{
meta:
author = "Cylance"
......@@ -175,7 +175,7 @@ rule kagent
all of them
}
rule mimikatzWrapper
rule mimikatzWrapper : Toolkit
{
meta:
author = "Cylance"
......@@ -253,7 +253,7 @@ rule zhLookUp
all of them
}
rule zhmimikatz
rule zhmimikatz : Toolkit
{
meta:
author = "Cylance"
......@@ -277,3 +277,333 @@ rule Zh0uSh311
condition:
all of them
}
import "pe"
rule OPCLEAVER_BackDoorLogger
{
meta:
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "BackDoorLogger"
$s2 = "zhuAddress"
condition:
all of them
}
rule OPCLEAVER_Jasus
{
meta:
description = "ARP cache poisoner used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "pcap_dump_open"
$s2 = "Resolving IPs to poison..."
$s3 = "WARNNING: Gateway IP can not be found"
condition:
all of them
}
rule OPCLEAVER_LoggerModule
{
meta:
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "%s-%02d%02d%02d%02d%02d.r"
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
condition:
all of them
}
rule OPCLEAVER_NetC
{
meta:
description = "Net Crawler used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "NetC.exe" wide
$s2 = "Net Service"
condition:
all of them
}
rule OPCLEAVER_ShellCreator2
{
meta:
description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "ShellCreator2.Properties"
$s2 = "set_IV"
condition:
all of them
}
rule OPCLEAVER_SmartCopy2
{
meta:
description = "Malware or hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "SmartCopy2.Properties"
$s2 = "ZhuFrameWork"
condition:
all of them
}
rule OPCLEAVER_SynFlooder
{
meta:
description = "Malware or hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
$s2 = "your target’s IP is : %s"
$s3 = "Raw TCP Socket Created successfully."
condition:
all of them
}
rule OPCLEAVER_TinyZBot
{
meta:
description = "Tiny Bot used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "NetScp" wide
$s2 = "TinyZBot.Properties.Resources.resources"
$s3 = "Aoao WaterMark"
$s4 = "Run_a_exe"
$s5 = "netscp.exe"
$s6 = "get_MainModule_WebReference_DefaultWS"
$s7 = "remove_CheckFileMD5Completed"
$s8 = "http://tempuri.org/"
$s9 = "Zhoupin_Cleaver"
condition:
(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
}
rule OPCLEAVER_ZhoupinExploitCrew
{
meta:
description = "Keywords used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "zhoupin exploit crew" nocase
$s2 = "zhopin exploit crew" nocase
condition:
1 of them
}
rule OPCLEAVER_antivirusdetector
{
meta:
description = "Hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "getShadyProcess"
$s2 = "getSystemAntiviruses"
$s3 = "AntiVirusDetector"
condition:
all of them
}
rule OPCLEAVER_csext
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "COM+ System Extentions"
$s2 = "csext.exe"
$s3 = "COM_Extentions_bin"
condition:
all of them
}
rule OPCLEAVER_kagent
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "kill command is in last machine, going back"
$s2 = "message data length in B64: %d Bytes"
condition:
all of them
}
rule OPCLEAVER_mimikatzWrapper
{
meta:
description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "mimikatzWrapper"
$s2 = "get_mimikatz"
condition:
all of them
}
rule OPCLEAVER_pvz_in
{
meta:
description = "Parviz tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
condition:
all of them
}
rule OPCLEAVER_pvz_out
{
meta:
description = "Parviz tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Network Connectivity Module" wide
$s2 = "OSPPSVC" wide
condition:
all of them
}
rule OPCLEAVER_wndTest
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "[Alt]" wide
$s2 = "<< %s >>:" wide
$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
condition:
all of them
}
rule OPCLEAVER_zhCat
{
meta:
description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
$s2 = "ABC ( A Big Company )" wide fullword
condition:
all of them
}
rule OPCLEAVER_zhLookUp
{
meta:
description = "Hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "zhLookUp.Properties"
condition:
all of them
}
rule OPCLEAVER_zhmimikatz
{
meta:
description = "Mimikatz wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "MimikatzRunner"
$s2 = "zhmimikatz"
condition:
all of them
}
rule OPCLEAVER_Parviz_Developer
{
meta:
description = "Parviz developer known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Florian Roth"
score = "70"
strings:
$s1 = "Users\\parviz\\documents\\" nocase
condition:
$s1
}
rule OPCLEAVER_CCProxy_Config
{
meta:
description = "CCProxy config known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Florian Roth"
score = "70"
strings:
$s1 = "UserName=User-001" fullword ascii
$s2 = "Web=1" fullword ascii
$s3 = "Mail=1" fullword ascii
$s4 = "FTP=0" fullword ascii
$x1 = "IPAddressLow=78.109.194.114" fullword ascii
condition:
all of ($s*) or $x1
}
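Review bot: The `OPCLEAVER_*` rules appended after `Zh0uSh311` restate, under a new prefix, rules this file already carries — `OPCLEAVER_BackDoorLogger`, `OPCLEAVER_Jasus`, `OPCLEAVER_antivirusdetector`, `OPCLEAVER_mimikatzWrapper`, `OPCLEAVER_zhLookUp`, `OPCLEAVER_zhmimikatz`, `OPCLEAVER_TinyZBot`, `OPCLEAVER_kagent` and `OPCLEAVER_ZhoupinExploitCrew` mirror `BackDoorLogger`, `Jasus`, `antivirusdetector`, `mimikatzWrapper`, `zhLookUp`, `zhmimikatz`, `TinyZBot`, `kagent` and `ZhoupinExploitCrew` and will fire alongside them on the same sample, doubling every hit in downstream reporting. One set should be dropped, with the retained one carrying the richer meta (reference, date, score). The appended rules also write `score = "70"` as a string whereas other rules in this commit use an integer (`score = 80`, `score = 60`), which breaks tooling that compares scores numerically. Finally, `$s2 = "your target’s IP is : %s"` in `OPCLEAVER_SynFlooder` contains a typographic apostrophe (U+2019); if that is not a rendering artefact, the string is matched as its UTF-8 bytes and will not hit an ASCII `'` in the binary.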
......@@ -5,7 +5,7 @@
import "pe"
rule backdoor_apt_pcclient
rule backdoor_apt_pcclient : Backdoor Dropper
{
meta:
author = "@patrickrolsen"
......
......@@ -3,7 +3,7 @@
*/
rule APT_Win_Pipcreat {
rule APT_Win_Pipcreat : pe dll backdoor {
meta:
author = "chort (@chort0)"
description = "APT backdoor Pipcreat"
......
......@@ -125,7 +125,7 @@ rule APT_Malware_PutterPanda_Gen1 {
uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
}
rule Malware_MsUpdater_String_in_EXE {
rule Malware_MsUpdater_String_in_EXE : PutterPanda {
meta:
description = "MSUpdater String in Executable"
author = "Florian Roth"
......
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-05-23
Identifier: Swiss RUAG APT Case
Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
*/
rule RUAG_Tavdig_Malformed_Executable {
meta:
description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
condition:
uint16(0) == 0x5a4d and /* MZ Header */
uint32(uint32(0x3C)) == 0x0000AD0B /* malformed PE header > 0x0bad */
}
rule RUAG_Bot_Config_File {
meta:
description = "Detects a specific config file used by malware in RUAG APT case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$s1 = "[CONFIG]" ascii
$s2 = "name = " ascii
$s3 = "exe = cmd.exe" ascii
condition:
$s1 at 0 and $s2 and $s3 and filesize < 160
}
rule RUAG_Cobra_Malware {
meta:
description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
condition:
uint16(0) == 0x5a4d and $s1
}
rule RUAG_Cobra_Config_File {
meta:
description = "Detects a config text file used by malware Cobra in RUAG case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$h1 = "[NAME]" ascii
$s1 = "object_id=" ascii
$s2 = "[TIME]" ascii fullword
$s3 = "lastconnect" ascii
$s4 = "[CW_LOCAL]" ascii fullword
$s5 = "system_pipe" ascii
$s6 = "user_pipe" ascii
$s7 = "[TRANSPORT]" ascii
$s8 = "run_task_system" ascii
$s9 = "[WORKDATA]" ascii
$s10 = "address1" ascii
condition:
$h1 at 0 and 8 of ($s*) and filesize < 5KB
}
rule RUAG_Exfil_Config_File {
meta:
description = "Detects a config text file used in data exfiltration in RUAG case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$h1 = "[TRANSPORT]" ascii
$s1 = "system_pipe" ascii
$s2 = "spstatus" ascii
$s3 = "adaptable" ascii
$s4 = "post_frag" ascii
$s5 = "pfsgrowperiod" ascii
condition:
$h1 at 0 and all of ($s*) and filesize < 1KB
}
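Review bot: The five `RUAG_*` rules in this new file (`RUAG_Tavdig_Malformed_Executable`, `RUAG_Bot_Config_File`, `RUAG_Cobra_Malware`, `RUAG_Cobra_Config_File`, `RUAG_Exfil_Config_File`) are also appended verbatim to the Turla file later in this commit, directly after `Turla_APT_Malware_Gen3`, so loading both files into one namespace will fail with a duplicated-identifier error. Keep one copy — this dedicated file looks like the natural home — and delete the other.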
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule apt_sofacy_xtunnel {
rule apt_sofacy_xtunnel : APT28 Sofacy {
meta:
author = "Claudio Guarnieri"
description = "Sofacy Malware - German Bundestag"
......@@ -24,7 +24,7 @@ rule apt_sofacy_xtunnel {
((uint16(0) == 0x5A4D) or (uint16(0) == 0xCFD0)) and (($xaps) or (all of ($variant1*)) or (all of ($variant2*)) or (6 of ($mix*)))
}
rule Sofacy_Bundestag_Winexe {
rule Sofacy_Bundestag_Winexe : APT28 Sofacy {
meta:
description = "Winexe tool used by Sofacy group in Bundestag APT"
author = "Florian Roth"
......@@ -39,7 +39,7 @@ rule Sofacy_Bundestag_Winexe {
uint16(0) == 0x5a4d and filesize < 115KB and all of them
}
rule Sofacy_Bundestag_Mal2 {
rule Sofacy_Bundestag_Mal2 : APT28 Sofacy {
meta:
description = "Sofacy Group Malware Sample 2"
author = "Florian Roth"
......@@ -56,7 +56,7 @@ rule Sofacy_Bundestag_Mal2 {
uint16(0) == 0x5a4d and ( 1 of ($x*) ) and $s1
}
rule Sofacy_Bundestag_Mal3 {
rule Sofacy_Bundestag_Mal3 : APT28 Sofacy {
meta:
description = "Sofacy Group Malware Sample 3"
author = "Florian Roth"
......@@ -85,7 +85,7 @@ rule Sofacy_Bundestag_Mal3 {
)
}
rule Sofacy_Bundestag_Batch {
rule Sofacy_Bundestag_Batch : APT28 Sofacy {
meta:
description = "Sofacy Bundestags APT Batch Script"
author = "Florian Roth"
......
......@@ -9,7 +9,7 @@
Identifier: Sofacy Fysbis
*/
rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
rule Sofacy_Fybis_ELF_Backdoor_Gen1 : Sofacy Linux Backdoor APT APT28 {
meta:
description = "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1"
author = "Florian Roth"
......@@ -34,7 +34,7 @@ rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
( 1 of ($x*) and 3 of ($s*) )
}
rule Sofacy_Fysbis_ELF_Backdoor_Gen2 {
rule Sofacy_Fysbis_ELF_Backdoor_Gen2 : Sofacy Linux Backdoor APT APT28 {
meta:
description = "Detects Sofacy Fysbis Linux Backdoor"
author = "Florian Roth"
......
......@@ -7,7 +7,7 @@
/* Rule Set ----------------------------------------------------------------- */
rule Sofacy_Jun16_Sample1 {
rule Sofacy_Jun16_Sample1 : Sofacy APT APT28 {
meta:
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth"
......@@ -22,7 +22,7 @@ rule Sofacy_Jun16_Sample1 {
( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($s*) ) ) or ( all of them )
}
rule Sofacy_Jun16_Sample2 {
rule Sofacy_Jun16_Sample2 : Sofacy APT APT28 {
meta:
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth"
......@@ -44,7 +44,7 @@ rule Sofacy_Jun16_Sample2 {
( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($x*) ) ) or ( 3 of them )
}
rule Sofacy_Jun16_Sample3 {
rule Sofacy_Jun16_Sample3 : Sofacy APT APT28 {
meta:
description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
author = "Florian Roth"
......
......@@ -100,3 +100,34 @@ rule LiuDoor_Malware_2 {
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule liudoor : Backdoor
{
meta:
author = "RSA FirstWatch"
date = "2015-07-23"
description = "Detects Liudoor daemon backdoor"
hash0 = "78b56bc3edbee3a425c96738760ee406"
hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
hash4 = "6093505c7f7ec25b1934d3657649ef07"
type = "Win32 DLL"
strings:
$string0 = "Succ"
$string1 = "Fail"
$string2 = "pass"
$string3 = "exit"
$string4 = "svchostdllserver.dll"
$string5 = "L$,PQR"
$string6 = "0/0B0H0Q0W0k0"
$string7 = "QSUVWh"
$string8 = "Ht Hu["
condition:
all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule liudoor
{
meta:
author = "RSA FirstWatch"
date = "2015-07-23"
description = "Detects Liudoor daemon backdoor"
hash0 = "78b56bc3edbee3a425c96738760ee406"
hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
hash4 = "6093505c7f7ec25b1934d3657649ef07"
type = "Win32 DLL"
strings:
$string0 = "Succ"
$string1 = "Fail"
$string2 = "pass"
$string3 = "exit"
$string4 = "svchostdllserver.dll"
$string5 = "L$,PQR"
$string6 = "0/0B0H0Q0W0k0"
$string7 = "QSUVWh"
$string8 = "Ht Hu["
condition:
all of them
}
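Review bot: The block appended after `LiuDoor_Malware_2` contains the `liudoor` rule twice, once as `rule liudoor : Backdoor` and once as plain `rule liudoor`, with identical meta, strings and condition; the rendering has lost the +/- markers, but if both copies are on the new side YARA will refuse the file with a duplicated-identifier error. Keep the tagged copy and remove the other, together with the second copy of the licence header. The four-byte strings `"Succ"`, `"Fail"`, `"pass"` and `"exit"` add little specificity next to `"svchostdllserver.dll"` and the opcode-like fragments that `all of them` already requires; `uint16(0) == 0x5a4d and all of them` would at least bound the rule to PE files as the `type = "Win32 DLL"` meta implies.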
......@@ -9,7 +9,7 @@
Identifier: Threat Group 3390
*/
rule HttpBrowser_RAT_dropper_Gen1 {
rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
author = "Florian Roth"
......@@ -49,7 +49,7 @@ rule HttpBrowser_RAT_dropper_Gen1 {
uint16(0) == 0x5a4d and filesize < 400KB and all of ($x*) and 1 of ($op*)
}
rule HttpBrowser_RAT_Sample1 {
rule HttpBrowser_RAT_Sample1 : RAT APT {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
author = "Florian Roth"
......@@ -64,7 +64,7 @@ rule HttpBrowser_RAT_Sample1 {
uint16(0) == 0x5a4d and filesize < 100KB and $s0
}
rule HttpBrowser_RAT_Sample2 {
rule HttpBrowser_RAT_Sample2 : RAT APT {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
author = "Florian Roth"
......@@ -81,7 +81,7 @@ rule HttpBrowser_RAT_Sample2 {
uint16(0) == 0x5a4d and filesize < 250KB and all of them
}
rule HttpBrowser_RAT_Gen {
rule HttpBrowser_RAT_Gen : RAT APT {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic"
author = "Florian Roth"
......@@ -119,7 +119,7 @@ rule HttpBrowser_RAT_Gen {
uint16(0) == 0x5a4d and filesize < 45KB and filesize > 20KB and all of them
}
rule PlugX_NvSmartMax_Gen {
rule PlugX_NvSmartMax_Gen : PlugX APT {
meta:
description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
author = "Florian Roth"
......@@ -147,7 +147,7 @@ rule PlugX_NvSmartMax_Gen {
uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*)
}
rule HttpBrowser_RAT_dropper_Gen2 {
rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT {
meta:
description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
author = "Florian Roth"
......@@ -174,7 +174,7 @@ rule HttpBrowser_RAT_dropper_Gen2 {
uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*)
}
rule ThreatGroup3390_Strings {
rule ThreatGroup3390_Strings : APT {
meta:
description = "Threat Group 3390 APT - Strings"
author = "Florian Roth"
......@@ -191,7 +191,7 @@ rule ThreatGroup3390_Strings {
1 of them and filesize < 30KB
}
rule ThreatGroup3390_C2 {
rule ThreatGroup3390_C2 : C2 APT {
meta:
description = "Threat Group 3390 APT - C2 Server"
author = "Florian Roth"
......
......@@ -144,3 +144,109 @@ rule Turla_APT_Malware_Gen3 {
( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 6 of ($s*) ) )
or ( 10 of them )
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-05-23
Identifier: Swiss RUAG APT Case
Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
*/
rule RUAG_Tavdig_Malformed_Executable {
meta:
description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
condition:
uint16(0) == 0x5a4d and /* MZ Header */
uint32(uint32(0x3C)) == 0x0000AD0B /* malformed PE header > 0x0bad */
}
rule RUAG_Bot_Config_File {
meta:
description = "Detects a specific config file used by malware in RUAG APT case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$s1 = "[CONFIG]" ascii
$s2 = "name = " ascii
$s3 = "exe = cmd.exe" ascii
condition:
$s1 at 0 and $s2 and $s3 and filesize < 160
}
rule RUAG_Cobra_Malware {
meta:
description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
condition:
uint16(0) == 0x5a4d and $s1
}
rule RUAG_Cobra_Config_File {
meta:
description = "Detects a config text file used by malware Cobra in RUAG case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$h1 = "[NAME]" ascii
$s1 = "object_id=" ascii
$s2 = "[TIME]" ascii fullword
$s3 = "lastconnect" ascii
$s4 = "[CW_LOCAL]" ascii fullword
$s5 = "system_pipe" ascii
$s6 = "user_pipe" ascii
$s7 = "[TRANSPORT]" ascii
$s8 = "run_task_system" ascii
$s9 = "[WORKDATA]" ascii
$s10 = "address1" ascii
condition:
$h1 at 0 and 8 of ($s*) and filesize < 5KB
}
rule RUAG_Exfil_Config_File {
meta:
description = "Detects a config text file used in data exfiltration in RUAG case"
author = "Florian Roth"
reference = "https://goo.gl/N5MEj0"
score = 60
strings:
$h1 = "[TRANSPORT]" ascii
$s1 = "system_pipe" ascii
$s2 = "spstatus" ascii
$s3 = "adaptable" ascii
$s4 = "post_frag" ascii
$s5 = "pfsgrowperiod" ascii
condition:
$h1 at 0 and all of ($s*) and filesize < 1KB
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WaterBug_turla_dll
{
meta:
description = "Symantec Waterbug Attack - Trojan Turla DLL"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://www.symantec.com/connect/blogs/turla-spying-tool-targets-governments-and-diplomats"
strings:
$a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
condition:
pe.exports("ee") and $a
}
......@@ -30,7 +30,7 @@ rule dubseven_file_set
3 of ($file*)
}
rule dubseven_dropper_registry_checks
rule dubseven_dropper_registry_checks : Dropper
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
......@@ -55,7 +55,7 @@ rule dubseven_dropper_registry_checks
all of ($reg*)
}
rule dubseven_dropper_dialog_remains
rule dubseven_dropper_dialog_remains : Dropper
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
......@@ -76,7 +76,7 @@ rule dubseven_dropper_dialog_remains
}
rule maindll_mutex
rule maindll_mutex : Mutex
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
......@@ -117,7 +117,7 @@ rule SLServer_dialog_remains
$slserver
}
rule SLServer_mutex
rule SLServer_mutex : Mutex
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
......@@ -137,7 +137,7 @@ rule SLServer_mutex
$mutex
}
rule SLServer_command_and_control
rule SLServer_command_and_control : C2
{
meta:
author = "Matt Brooks, @cmatthewbrooks"
......
......@@ -64,7 +64,7 @@ rule Unit78020_Malware_Gen1 {
}
rule Unit78020_Malware_1 {
rule Unit78020_Malware_1 : APT {
meta:
description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe"
author = "Florian Roth"
......
......@@ -5,7 +5,7 @@
import "pe"
rule WaterBug_wipbot_2013_core_PDF {
rule WaterBug_wipbot_2013_core_PDF : PDF {
meta:
description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
author = "Symantec Security Response"
......
......@@ -132,3 +132,21 @@ rule Winnti_malware_StreamPortal_Gen {
condition:
uint16(0) == 0x5a4d and filesize < 275KB and all of them
}
rule WinntiPharma : Backdoor
{
meta:
author = "Jose Ramon Palanco"
copyright = "Drainware, Inc."
date = "2015-06-23"
description = "Backdoor Win64 Winnti Pharma"
ref = "https://securelist.com/blog/research/70991/games-are-over/"
strings:
$s0 = "Cookie: SN="
$s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}"
$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
$s3 = "master secret"
$s4 = "MyEngineNetEvent"
condition:
all of ($s*)
}
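Review bot: `WinntiPharma` is added here and again later in this commit as an untagged copy, so any index that compiles both files will fail with a duplicated identifier error; keep one copy (this tagged one) and drop the other. The same pattern repeats for `BeEF_browser_hooked`, `Worm_Gamarue`, `Adwind_JAR_PACKA` and `Adwind_JAR_PACKB`, each of which appears twice in the merged tree. Independently, the condition `all of ($s*)` has no file-type guard although the description says Win64; prepending `uint16(0) == 0x5a4d and` would keep the rule from being evaluated against every scanned object. The meta key `ref =` is used where most rules in this set use `reference =`.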
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-09-16
Identifier: Iron Panda
*/
/* Rule Set ----------------------------------------------------------------- */
rule IronPanda_DNSTunClient {
meta:
description = "Iron Panda malware DnsTunClient - file named.exe"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
score = 80
hash = "a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431"
strings:
$s1 = "dnstunclient -d or -domain <domain>" fullword ascii
$s2 = "dnstunclient -ip <server ip address>" fullword ascii
$s3 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"\\Microsoft\\Windows\\PLA\\System\\Microsoft Windows\" /tr " fullword ascii
$s4 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"Microsoft Windows\" /tr " fullword ascii
$s5 = "taskkill /im conime.exe" fullword ascii
$s6 = "\\dns control\\t-DNSTunnel\\DnsTunClient\\DnsTunClient.cpp" fullword ascii
$s7 = "UDP error:can not bing the port(if there is unclosed the bind process?)" fullword ascii
$s8 = "use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s)" fullword ascii
$s9 = "error: packet num error.the connection have condurt,pls try later" fullword ascii
$s10 = "Coversation produce one error:%s,coversation fail" fullword ascii
$s11 = "try to add many same pipe to select group(or mark is too easy)." fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 2 of them )
or
5 of them
}
rule IronPanda_Malware1 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a"
strings:
$x1 = "activedsimp.dll" fullword wide
$s1 = "get_BadLoginAddress" fullword ascii
$s2 = "get_LastFailedLogin" fullword ascii
$s3 = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" fullword ascii
$s4 = "get_PasswordExpirationDate" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule IronPanda_Webshell_JSP {
meta:
description = "Iron Panda Malware JSP"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6"
strings:
$s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
$s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" fullword ascii
$s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" fullword ascii
condition:
filesize < 330KB and 1 of them
}
rule IronPanda_Malware_Htran {
meta:
description = "Iron Panda Malware Htran"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
strings:
$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
$s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
$s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s4 = "[-] ERROR: Must supply logfile name." fullword ascii
$s5 = "[SERVER]connection to %s:%d error" fullword ascii
$s6 = "[+] Make a Connection to %s:%d...." fullword ascii
$s7 = "[+] Waiting another Client on port:%d...." fullword ascii
$s8 = "[+] Accept a Client on port %d from %s" fullword ascii
$s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
$s10 = "cmshared_get_ptr_from_atom" fullword ascii
$s11 = "_cmshared_get_ptr_from_atom" fullword ascii
$s12 = "[+] OK! I Closed The Two Socket." fullword ascii
$s13 = "[-] TransmitPort invalid." fullword ascii
$s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them )
or
5 of them
}
rule IronPanda_Malware2 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91"
strings:
$s0 = "\\setup.exe" fullword ascii
$s1 = "msi.dll.urlUT" fullword ascii
$s2 = "msi.dllUT" fullword ascii
$s3 = "setup.exeUT" fullword ascii
$s4 = "/c del /q %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
rule IronPanda_Malware3 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742"
strings:
$s0 = "PluginDeflater.exe" fullword wide
$s1 = ".Deflated" fullword wide
$s2 = "PluginDeflater" fullword ascii
$s3 = "DeflateStream" fullword ascii /* Goodware String - occured 1 times */
$s4 = "CompressionMode" fullword ascii /* Goodware String - occured 4 times */
$s5 = "System.IO.Compression" fullword ascii /* Goodware String - occured 6 times */
condition:
uint16(0) == 0x5a4d and filesize < 10KB and all of them
}
rule IronPanda_Malware4 {
meta:
description = "Iron Panda Malware"
author = "Florian Roth"
reference = "https://goo.gl/E4qia9"
date = "2015-09-16"
hash = "0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c"
strings:
$s0 = "TestPlugin.dll" fullword wide
$s1 = "<a href='http://www.baidu.com'>aasd</a>" fullword wide
$s2 = "Zcg.Test.AspxSpyPlugins" fullword ascii
$s6 = "TestPlugin" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 10KB and all of them
}
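Review bot: `IronPanda_Malware1` keys on `activedsimp.dll` plus four `get_*`/`ADS_UF_*` member names that look like the standard ActiveDs interop surface, so a small .NET binary that merely references that interop may satisfy `all of them`; it is worth validating against a goodware corpus or adding one sample-specific string before relying on it. Separately, `IronPanda_Webshell_JSP` is named and described as JSP while its strings (`Bin_ExecSql`, `Bin_PostBack`, `.ToString()`) read like an ASP.NET/C# webshell, so `description = "Iron Panda Malware JSP"` is probably a mislabel; once confirmed against the sample, `description = "Iron Panda Malware ASPX webshell"` would be accurate.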
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule apt_win32_dll_bergard_pgv_pvid_variant
{
meta:
copyright = "Fidelis Cybersecurity"
reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
strings:
$ = "Accept:"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Cache-Control: no-cache"
$ = "Connection: Keep-Alive"
$ = "Cookie: pgv_pvid="
$ = "Content-Type: application/x-octet-stream"
$ = "User-Agent: %s"
$ = "Host: %s:%d"
$ = "Pragma: no-cache"
$ = "Connection: Keep-Alive"
$ = "HTTP/1.0"
condition:
(uint16(0) == 0x5A4D) and (all of them)
}
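Review bot: Three anonymous strings are declared twice (`"User-Agent: %s"`, `"Host: %s:%d"`, `"Connection: Keep-Alive"`); the duplicates add nothing to `all of them` and look like a copy-paste slip when two header sets were merged, so drop the second occurrence of each. Giving the strings names (`$h1`, `$h2`, ...) would also let the compiler flag this kind of repetition as a duplicated identifier instead of silently accepting it.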
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule apt_win32_dll_rat_hiZorRAT
{
meta:
hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
hash2 = "d9821468315ccd3b9ea03161566ef18e"
hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
ref2 = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
strings:
// Part of the encoded User-Agent = Mozilla
$ = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 }
// XOR to decode User-Agent after string stacking 0x10001630
$ = { 66 [7] 0d 40 83 ?? ?? 7c ?? }
// XOR with 0x2E - 0x10002EF6
$ = { 80 [2] 2e 40 3b ?? 72 ?? }
$ = "CmdProcessExited" wide ascii
$ = "rootDir" wide ascii
$ = "DllRegisterServer" wide ascii
$ = "GetNativeSystemInfo" wide ascii
$ = "%08x%08x%08x%08x" wide ascii
condition:
(uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)
}
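Review bot: `uint32(0) == 0x4464c457f` is a nine-digit literal that exceeds 32 bits, so the comparison can never be true and the ELF half of the condition is dead; the ELF magic read as a little-endian uint32 is `0x464c457f`. The condition line should read `(uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and (all of them)`. Given the rule name says win32 dll, it may be simpler to drop the ELF alternative entirely.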
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Adwind_JAR_PACKA : binary
{
meta:
author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
last_modified = "2015-11-30"
strings:
$b1 = ".class" ascii
$b2 = "c/a/a/" ascii
$b3 = "b/a/" ascii
$b4 = "a.dat" ascii
$b5 = "META-INF/MANIFEST.MF" ascii
condition:
int16(0) == 0x4B50 and ($b1 and $b2 and $b3 and $b4 and $b5)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Adwind_JAR_PACKB {
meta:
author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
last_modified = "2015-11-30"
strings:
$c1 = "META-INF/MANIFEST.MF" ascii
$c2 = "main/Start.class" ascii
$a1 = "con g/con g.perl" ascii
$b1 = "java/textito.isn" ascii
condition:
int16(0) == 0x4B50 and ($c1 and $c2 and ($a1 or $b1))
}
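Review bot: `$a1 = "con g/con g.perl"` looks like a PDF-to-text artifact (a dropped ligature, e.g. `config/config.perl`) rather than a literal present in the sample; as written it probably never matches, which silently reduces the condition to `$c1 and $c2 and $b1`. Check the string against the referenced report or a sample and correct it; the same string is carried into the second copy of `Adwind_JAR_PACKB` later in this commit.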
rule WinntiPharma
{
meta:
author = "Jose Ramon Palanco"
copyright = "Drainware, Inc."
date = "2015-06-23"
description = "Backdoor Win64 Winnti Pharma"
ref = "https://securelist.com/blog/research/70991/games-are-over/"
strings:
$s0 = "Cookie: SN="
$s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}"
$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
$s3 = "master secret"
$s4 = "MyEngineNetEvent"
condition:
all of ($s*)
}
rule Ransom : Crypren{
meta:
weight = 1
Author = "@pekeinfo"
reference = "https://github.com/pekeinfo/DecryptCrypren"
strings:
$a = "won't be able to recover your files anymore.</p>"
$b = {6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ??}
$c = "Please restart your computer and wait for instructions for decrypting your files"
condition:
any of them
}
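Review bot: The identifier `Ransom` is very generic for a ruleset merged from many sources and invites a duplicate-identifier clash on a later merge; `rule Ransom_Crypren : Crypren {` keeps the tag and makes the name unique. The meta key `Author` is capitalised where the surrounding rules use `author`, which matters for tooling that reads meta by key.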
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Dridex_Trojan_XML {
meta:
description = "Dridex Malware in XML Document"
author = "Florian Roth @4nc4p"
reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
date = "2015/03/08"
hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
strings:
// can be ascii or wide formatted - therefore no restriction
$c_xml = "<?xml version="
$c_word = "<?mso-application progid=\"Word.Document\"?>"
$c_macro = "w:macrosPresent=\"yes\""
$c_binary = "<w:binData w:name="
$c_0_chars = "<o:Characters>0</o:Characters>"
$c_1_line = "<o:Lines>1</o:Lines>"
condition:
all of ($c*)
}
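Review bot: The comment `// can be ascii or wide formatted - therefore no restriction` states the opposite of what the strings do: a text string with no modifier matches ASCII only, so UTF-16 encoded documents are missed. To get the behaviour the comment describes, append `ascii wide` to each of the six `$c_*` strings, e.g. `$c_xml = "<?xml version=" ascii wide`. `import "pe"` at the top of this file is not used by the rule.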
......@@ -11,7 +11,7 @@
/* Rule Set ----------------------------------------------------------------- */
rule src_ptheft_command {
rule src_ptheft_command : experimental {
meta:
description = "Auto-generated rule - file command.js"
author = "Pasquale Stirparo"
......@@ -40,3 +40,39 @@ rule src_ptheft_command {
condition:
13 of them
}
/*
This Yara Rule is to be considered as "experimental"
It reperesents a first attempt to detect BeEF hook function in memory
It still requires further refinement
*/
rule BeEF_browser_hooked : experimental {
meta:
description = "Yara rule related to hook.js, BeEF Browser hooking capability"
author = "Pasquale Stirparo"
date = "2015-10-07"
hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
strings:
$s0 = "mitb.poisonAnchor" wide ascii
$s1 = "this.request(this.httpproto" wide ascii
$s2 = "beef.logger.get_dom_identifier" wide ascii
$s3 = "return (!!window.opera" wide ascii
$s4 = "history.pushState({ Be:\"EF\" }" wide ascii
$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii
$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii
$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii
$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii
$s9 = "mitb.sniff(" wide ascii
$s10 = "Method XMLHttpRequest.open override" wide ascii
$s11 = ".browser.hasWebSocket" wide ascii
$s12 = ".mitb.poisonForm" wide ascii
$s13 = "resolved=require.resolve(file,cwd||" wide ascii
$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii
$s15 = "beef.net.request" wide ascii
$s16 = "uagent.search(engineOpera)" wide ascii
$s17 = "mitb.sniff" wide ascii
$s18 = "beef.logger.start" wide ascii
condition:
all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
This Yara Rule is to be considered as "experimental"
It reperesents a first attempt to detect BeEF hook function in memory
It still requires further refinement
*/
rule BeEF_browser_hooked {
meta:
description = "Yara rule related to hook.js, BeEF Browser hooking capability"
author = "Pasquale Stirparo"
date = "2015-10-07"
hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
strings:
$s0 = "mitb.poisonAnchor" wide ascii
$s1 = "this.request(this.httpproto" wide ascii
$s2 = "beef.logger.get_dom_identifier" wide ascii
$s3 = "return (!!window.opera" wide ascii
$s4 = "history.pushState({ Be:\"EF\" }" wide ascii
$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii
$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii
$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii
$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii
$s9 = "mitb.sniff(" wide ascii
$s10 = "Method XMLHttpRequest.open override" wide ascii
$s11 = ".browser.hasWebSocket" wide ascii
$s12 = ".mitb.poisonForm" wide ascii
$s13 = "resolved=require.resolve(file,cwd||" wide ascii
$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii
$s15 = "beef.net.request" wide ascii
$s16 = "uagent.search(engineOpera)" wide ascii
$s17 = "mitb.sniff" wide ascii
$s18 = "beef.logger.start" wide ascii
condition:
all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Worm_Gamarue {
meta:
author = "Centro Criptológico Nacional (CCN)"
ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
description = "Gamarue_Andromeda"
strings:
$a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 }
condition:
$a
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump
{
meta:
description = "Detects Havex Windows process executable from memory dump"
date = "2015-12-2"
author = "Chris Sistrunk"
hash = "8065674de8d79d1c0e7b3baf81246e7d"
strings:
$magic = { 4d 5a }
$s1 = "~tracedscn.yls" fullword wide
$s2 = "[!]Start" fullword wide
$s3 = "[+]Get WSADATA" fullword wide
$s4 = "[-]Can not get local ip" fullword wide
$s5 = "[+]Local:" fullword wide
$s6 = "[-]Threads number > Hosts number" fullword wide
$s7 = "[-]Connection error" fullword wide
$x1 = "bddd4e2b84fa2ad61eb065e7797270ff.exe" fullword wide
condition:
$magic at 0 and ( 3 of ($s*) or $x1 )
}
rule LURK0Header : Family LURK0 {
meta:
description = "5 char code for LURK0"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
condition:
any of them
}
rule CCTV0Header : Family CCTV0 {
meta:
description = "5 char code for LURK0"
author = "Katie Kleemola"
last_updated = "07-21-2014"
strings:
//if its just one char a time
$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
// bit hacky but for when samples dont just simply mov 1 char at a time
$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
condition:
any of them
}
rule SharedStrings : Family {
meta:
description = "Internal names found in LURK0/CCTV0 samples"
author = "Katie Kleemola"
last_updated = "07-22-2014"
strings:
// internal names
$i1 = "Butterfly.dll"
$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
$i3 = "ETClientDLL"
// dbx
$d1 = "\\DbxUpdateET\\" wide
$d2 = "\\DbxUpdateBT\\" wide
$d3 = "\\DbxUpdate\\" wide
// other folders
$mc1 = "\\Micet\\"
// embedded file names
$n1 = "IconCacheEt.dat" wide
$n2 = "IconConfigEt.dat" wide
$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
$m2 = "\x00\x00111\x00\x00" wide
$m3 = "\x00\x00ETUN\x00\x00" wide
$m4 = "\x00\x00ER\x00\x00" wide
condition:
any of them //todo: finetune this
}
rule LURK0 : Family LURK0 {
meta:
description = "rule for lurk0"
author = "Katie Kleemola"
last_updated = "07-22-2014"
condition:
LURK0Header and SharedStrings
}
rule CCTV0 : Family CCTV0 {
meta:
description = "rule for cctv0"
author = "Katie Kleemola"
last_updated = "07-22-2014"
condition:
CCTV0Header and SharedStrings
}
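Review bot: `SharedStrings` reports on `any of them` while several of its strings are very weak (`"\x00\x00111\x00\x00"`, `"\x00\x00ER\x00\x00"`, `"\\DbxUpdate\\"`), so as a standalone rule it will fire on unrelated files even though the author's own `//todo: finetune this` shows it was meant as a building block. Declaring `private rule LURK0Header`, `private rule CCTV0Header` and `private rule SharedStrings` keeps them usable from `LURK0` and `CCTV0` while only the composite rules are reported. `CCTV0Header` carries `description = "5 char code for LURK0"`, a copy-paste of the previous rule; it should read `description = "5 char code for CCTV0"`. In `SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump`, `$magic at 0` only holds for an object that starts with the MZ header (a carved PE), so if the intent is to scan a whole memory dump the description and the anchor appear to disagree.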
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
long as you use it under this license.
*/
rule andromeda : binary
rule andromeda : binary bot
{
meta:
author = "Brian Wallace @botnet_hunter"
......@@ -15,3 +15,13 @@ rule andromeda : binary
condition:
all of them
}
rule Worm_Gamarue {
meta:
author = "Centro Criptológico Nacional (CCN)"
ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
description = "Gamarue_Andromeda"
strings:
$a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 }
condition:
$a
}
......@@ -81,4 +81,4 @@ rule AthenaIRC {
$acmd7 = ":!btcwallet"
condition:
(all of ($cmd*) and 3 of ($msg*)) or (5 of ($amsg*) and 5 of ($acmd*))
}
\ No newline at end of file
}
......@@ -36,4 +36,4 @@ rule BlackRev
condition:
all of ($base*) and 5 of ($opt*)
}
\ No newline at end of file
}
......@@ -24,7 +24,7 @@ rule ChickenDOS{
($pdb1 or $pdb2) and 5 of ($str*)
}
rule ChickenDOS_Linux {
rule ChickenDOS_Linux : DoS Linux {
meta:
author = "Jason Jones <jasonjones@arbor.net>"
description = "Linux-variant of Chicken ident for both dropper and dropped file"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule citadel13xy : banker
rule citadel13xy : banker memory
{
meta:
author = "Jean-Philippe Teissier / @Jipe_"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule CorkowDLL {
rule CorkowDLL : dll {
meta:
description = "Rule to detect the Corkow DLL files"
reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule DDosTf : DDoS
rule DDosTf : DDoS ELF
{
meta:
author = "benkow_ - MalwareMustDie"
......
......@@ -2,12 +2,11 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Derkziel
rule Derkziel : pe
{
meta:
description = "Derkziel info stealer (Steam, Opera, Yandex, ...)"
author = "The Malware Hunter"
yaraexchange = "No distribution without author's consent"
filetype = "pe"
date = "2015-11"
md5 = "f5956953b7a4acab2e6fa478c0015972"
......
......@@ -82,4 +82,4 @@ rule DirtJumper_drive3
$drive3 = "99=1"
condition:
4 of ($cmd*) and all of ($str*) and all of ($newver*) and $drive3
}
\ No newline at end of file
}
......@@ -4,7 +4,7 @@
*/
import "pe"
rule KINS_dropper {
rule KINS_dropper : dropper {
meta:
author = "AlienVault Labs aortega@alienvault.com"
description = "Match protocol, process injects and windows exploit present in KINS dropper"
......
......@@ -79,4 +79,4 @@ rule moose
condition:
is_elf and all of them
}
\ No newline at end of file
}
......@@ -3,7 +3,7 @@
long as you use it under this license.
*/
rule Madness {
rule Madness : DoS {
meta:
author = "Jason Jones <jasonjones@arbor.net>"
date = "2014-01-15"
......@@ -20,4 +20,4 @@ rule Madness {
$str6 = "ZXhl" fullword
condition:
all of them
}
\ No newline at end of file
}
rule MiniAsp3_mem {
rule MiniAsp3_mem : memory {
meta: author = "chort (@chort0)"
description = "Detect MiniASP3 in memory"
strings:
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule NionSpy
rule NionSpy : win32
{
meta:
description = "Triggers on old and new variants of W32/NionSpy file infector"
......
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Shifu_Banking_Trojan {
rule Shifu_Banking_Trojan : banking {
meta:
description = "Detects Shifu Banking Trojan"
author = "Florian Roth"
......@@ -20,7 +20,7 @@ rule Shifu_Banking_Trojan {
uint16(0) == 0x5a4d and filesize < 1000KB and ($x1 or all of ($s*))
}
rule SHIFU_Banking_Trojan {
rule SHIFU_Banking_Trojan : banking {
meta:
description = "Detects SHIFU Banking Trojan"
author = "Florian Roth"
......@@ -53,7 +53,7 @@ rule SHIFU_Banking_Trojan {
condition:
uint16(0) == 0x5a4d and ($x1 or 5 of ($s*))
}
rule Shifu : Shifu {
rule Shifu : Shifu : banking {
meta:
reference = "https://blogs.mcafee.com/mcafee-labs/japanese-banking-trojan-shifu-combines-malware-tools/"
author = "McAfee Labs"
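Review bot: `rule Shifu : Shifu : banking {` has two colons, which is not valid YARA tag syntax and will fail compilation of the whole file; tags are a space-separated list after a single colon, so the line should read `rule Shifu : Shifu banking {`. The rule body continues outside the hunk.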
......
......@@ -16,7 +16,7 @@ private rule is__elf
$header at 0
}
rule ELF_Linux_Torte
rule ELF_Linux_Torte : Linux ELF
{
meta:
......
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule rtf_multiple
{
meta:
author = "@patrickrolsen"
maltype = "Multiple"
version = "0.1"
reference = "fd69a799e21ccb308531ce6056944842"
date = "01/04/2014"
strings:
$rtf = { 7b 5c 72 74 ?? ?? } // {\rt01 {\rtf1 {\rtxa
$string1 = "author user"
$string2 = "title Vjkygdjdtyuj" nocase
$string3 = "company ooo"
$string4 = "password 00000000"
condition:
($rtf at 0) and (all of ($string*))
}
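Review bot: `reference = "fd69a799e21ccb308531ce6056944842"` holds what looks like an MD5 rather than a reference; moving it to `md5 = "fd69a799e21ccb308531ce6056944842"` and keeping `reference` for a URL or report lets tooling that extracts hashes from meta pick it up. `import "pe"` at the top of this file is not used by the rule.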
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule OPCLEAVER_BackDoorLogger
{
meta:
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "BackDoorLogger"
$s2 = "zhuAddress"
condition:
all of them
}
rule OPCLEAVER_Jasus
{
meta:
description = "ARP cache poisoner used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "pcap_dump_open"
$s2 = "Resolving IPs to poison..."
$s3 = "WARNNING: Gateway IP can not be found"
condition:
all of them
}
rule OPCLEAVER_LoggerModule
{
meta:
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "%s-%02d%02d%02d%02d%02d.r"
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
condition:
all of them
}
rule OPCLEAVER_NetC
{
meta:
description = "Net Crawler used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "NetC.exe" wide
$s2 = "Net Service"
condition:
all of them
}
rule OPCLEAVER_ShellCreator2
{
meta:
description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "ShellCreator2.Properties"
$s2 = "set_IV"
condition:
all of them
}
rule OPCLEAVER_SmartCopy2
{
meta:
description = "Malware or hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "SmartCopy2.Properties"
$s2 = "ZhuFrameWork"
condition:
all of them
}
rule OPCLEAVER_SynFlooder
{
meta:
description = "Malware or hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
$s2 = "your target’s IP is : %s"
$s3 = "Raw TCP Socket Created successfully."
condition:
all of them
}
rule OPCLEAVER_TinyZBot
{
meta:
description = "Tiny Bot used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "NetScp" wide
$s2 = "TinyZBot.Properties.Resources.resources"
$s3 = "Aoao WaterMark"
$s4 = "Run_a_exe"
$s5 = "netscp.exe"
$s6 = "get_MainModule_WebReference_DefaultWS"
$s7 = "remove_CheckFileMD5Completed"
$s8 = "http://tempuri.org/"
$s9 = "Zhoupin_Cleaver"
condition:
(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
}
rule OPCLEAVER_ZhoupinExploitCrew
{
meta:
description = "Keywords used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "zhoupin exploit crew" nocase
$s2 = "zhopin exploit crew" nocase
condition:
1 of them
}
rule OPCLEAVER_antivirusdetector
{
meta:
description = "Hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "getShadyProcess"
$s2 = "getSystemAntiviruses"
$s3 = "AntiVirusDetector"
condition:
all of them
}
rule OPCLEAVER_csext
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "COM+ System Extentions"
$s2 = "csext.exe"
$s3 = "COM_Extentions_bin"
condition:
all of them
}
rule OPCLEAVER_kagent
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "kill command is in last machine, going back"
$s2 = "message data length in B64: %d Bytes"
condition:
all of them
}
rule OPCLEAVER_mimikatzWrapper
{
meta:
description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "mimikatzWrapper"
$s2 = "get_mimikatz"
condition:
all of them
}
rule OPCLEAVER_pvz_in
{
meta:
description = "Parviz tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
condition:
all of them
}
rule OPCLEAVER_pvz_out
{
meta:
description = "Parviz tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Network Connectivity Module" wide
$s2 = "OSPPSVC" wide
condition:
all of them
}
rule OPCLEAVER_wndTest
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "[Alt]" wide
$s2 = "<< %s >>:" wide
$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
condition:
all of them
}
rule OPCLEAVER_zhCat
{
meta:
description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
$s2 = "ABC ( A Big Company )" wide fullword
condition:
all of them
}
rule OPCLEAVER_zhLookUp
{
meta:
description = "Hack tool used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "zhLookUp.Properties"
condition:
all of them
}
rule OPCLEAVER_zhmimikatz
{
meta:
description = "Mimikatz wrapper used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "MimikatzRunner"
$s2 = "zhmimikatz"
condition:
all of them
}
rule OPCLEAVER_Parviz_Developer
{
meta:
description = "Parviz developer known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Florian Roth"
score = "70"
strings:
$s1 = "Users\\parviz\\documents\\" nocase
condition:
$s1
}
rule OPCLEAVER_CCProxy_Config
{
meta:
description = "CCProxy config known from Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Florian Roth"
score = "70"
strings:
$s1 = "UserName=User-001" fullword ascii
$s2 = "Web=1" fullword ascii
$s3 = "Mail=1" fullword ascii
$s4 = "FTP=0" fullword ascii
$x1 = "IPAddressLow=78.109.194.114" fullword ascii
condition:
all of ($s*) or $x1
}
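Review bot: `$s2 = "your target’s IP is : %s"` in `OPCLEAVER_SynFlooder` contains a non-ASCII apostrophe (U+2019); older YARA releases reject non-ASCII characters in text strings, and where accepted the rule matches the three-byte UTF-8 form, which may not be what the binary contains. Confirm the exact bytes from the sample and write them explicitly, e.g. `$s2 = "your target\xe2\x80\x99s IP is : %s"` or the plain-ASCII `'` form. Across this file `score = "70"` is a string while other rules in the set use an integer `score = 70`, and `import "pe"` is unused by every rule here.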
......@@ -3,7 +3,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule PoS_Malware_fastpos : FastPOS
rule PoS_Malware_fastpos : FastPOS POS keylogger
{
meta:
author = "Trend Micro, Inc."
......
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
rule crime_win_rat_AlienSpy
*/
rule Adwind_JAR_PACKA : binary RAT Frutas Unrecom AlienSpy
{
meta:
author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
last_modified = "2015-11-30"
strings:
$b1 = ".class" ascii
$b2 = "c/a/a/" ascii
$b3 = "b/a/" ascii
$b4 = "a.dat" ascii
$b5 = "META-INF/MANIFEST.MF" ascii
condition:
int16(0) == 0x4B50 and ($b1 and $b2 and $b3 and $b4 and $b5)
}
rule Adwind_JAR_PACKB : binary RAT Frutas Unrecom AlienSpy {
meta:
author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
last_modified = "2015-11-30"
strings:
$c1 = "META-INF/MANIFEST.MF" ascii
$c2 = "main/Start.class" ascii
$a1 = "con g/con g.perl" ascii
$b1 = "java/textito.isn" ascii
condition:
int16(0) == 0x4B50 and ($c1 and $c2 and ($a1 or $b1))
}
rule crime_win_rat_AlienSpy: binary RAT Frutas Unrecom AlienSpy
{
meta:
description = "Alien Spy Remote Access Trojan"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Adzok : binary
rule Adzok : binary RAT Adzok
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
......
......@@ -5,7 +5,7 @@
import "pe"
rule BlackShades_3 : Trojan
rule BlackShades_3 : Trojan RAT
{
meta:
description = "BlackShades RAT"
......@@ -62,7 +62,7 @@ rule BlackShades_3 : Trojan
10 of ($mod*) or 10 of ($tmr*)
}
rule BlackShades2 : Trojan
rule BlackShades2 : Trojan RAT
{
meta:
author="Kevin Falcoz"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
long as you use it under this license.
*/
rule Bozok
rule Bozok : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
......
......@@ -5,7 +5,7 @@
import "pe"
rule Cerberus : rat
rule Cerberus : RAT memory
{
meta:
description = "Cerberus"
......
rule Crimson
rule Crimson: RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
long as you use it under this license.
*/
rule CyberGate
rule CyberGate : RAT
{
meta:
......
......@@ -5,7 +5,7 @@
import "pe"
rule DarkComet_1
rule DarkComet_1 : RAT
{
meta:
description = "DarkComet RAT"
......@@ -57,7 +57,7 @@ rule DarkComet_2 : rat
condition:
any of them
}
rule DarkComet_3
rule DarkComet_3 : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
......@@ -82,7 +82,7 @@ rule DarkComet_3
all of ($a*) or all of ($b*)
}
rule DarkComet_Keylogger_File
rule DarkComet_Keylogger_File : RAT
{
meta:
author = "Florian Roth"
......@@ -97,7 +97,7 @@ rule DarkComet_Keylogger_File
condition:
($magic at 0) and #entry > 10 and #timestamp > 10
}
rule DarkComet_4
rule DarkComet_4 : RAT
{ meta:
reference = "https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara"
strings:
......
......@@ -22,7 +22,7 @@ rule FlyingKitten : rat
}
rule CSIT_14003_03 : installer
rule CSIT_14003_03 : installer RAT
{
meta:
Author = "CrowdStrike, Inc"
......
......@@ -5,7 +5,7 @@
import "pe"
rule APT_WIN_Gh0st_ver
rule APT_WIN_Gh0st_ver : RAT
{
meta:
author = "@BryanNolen"
......@@ -29,7 +29,7 @@ meta:
all of them
}
rule Gh0st
rule Gh0st : RAT
{
meta:
description = "Gh0st"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
long as you use it under this license.
*/
rule glassrat
rule glassrat: RAT
{
meta:
author = "Brian Wallace @botnet_hunter"
......
......@@ -69,3 +69,25 @@ rule Havex_Trojan_PHP_Server
condition:
all of them
}
rule SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump : memory
{
meta:
description = "Detects Havex Windows process executable from memory dump"
date = "2015-12-2"
author = "Chris Sistrunk"
hash = "8065674de8d79d1c0e7b3baf81246e7d"
strings:
$magic = { 4d 5a }
$s1 = "~tracedscn.yls" fullword wide
$s2 = "[!]Start" fullword wide
$s3 = "[+]Get WSADATA" fullword wide
$s4 = "[-]Can not get local ip" fullword wide
$s5 = "[+]Local:" fullword wide
$s6 = "[-]Threads number > Hosts number" fullword wide
$s7 = "[-]Connection error" fullword wide
$x1 = "bddd4e2b84fa2ad61eb065e7797270ff.exe" fullword wide
condition:
$magic at 0 and ( 3 of ($s*) or $x1 )
}
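Review bot: In SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump the condition `$magic at 0 and ( 3 of ($s*) or $x1 )` lets `$x1` alone fire the rule, yet `$x1` is a filename consisting of a 32-hex-digit hash (`bddd4e2b84fa2ad61eb065e7797270ff.exe`), which is typically how a sandbox or analyst names a sample rather than a string the malware itself carries, so it is a weak, sample-specific indicator; consider `$magic at 0 and 3 of ($s*)` or requiring `$x1` together with at least one `$s*`. The `memory` tag combined with `$magic at 0` means the rule only matches a process image carved so the MZ header sits at offset 0, not a raw full-memory dump; stating that in `description` would avoid surprises. The `hash` meta does not name its algorithm (32 hex characters suggests MD5) and `date = "2015-12-2"` is not zero-padded, unlike the other rules touched by this commit.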
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule apt_win32_dll_rat_hiZor_RAT
rule apt_win32_dll_rat_hiZor_RAT: RAT
{
meta:
description = "Detects hiZor RAT"
......
......@@ -9,7 +9,7 @@
Identifier: Indetectables RAT
*/
rule Indetectables_RAT {
rule Indetectables_RAT: RAT {
meta:
description = "Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan Mouchoux"
author = "Florian Roth"
......@@ -34,7 +34,7 @@ rule Indetectables_RAT {
uint16(0) == 0x5a4d and filesize < 5000KB and 1 of them
}
rule BergSilva_Malware {
rule BergSilva_Malware : RAT {
meta:
description = "Detects a malware from the same author as the Indetectables RAT"
author = "Florian Roth"
......
......@@ -5,7 +5,7 @@
import "pe"
rule Njrat
rule Njrat: RAT
{
meta:
description = "Njrat"
......@@ -33,7 +33,7 @@ rule Njrat
condition:
10 of them
}
rule njrat1
rule njrat1: RAT
{
meta:
author = "Brian Wallace @botnet_hunter"
......
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule AAR : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/AAR"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "Hashtable"
$b = "get_IsDisposed"
$c = "TripleDES"
$d = "testmemory.FRMMain.resources"
$e = "$this.Icon" wide
$f = "{11111-22222-20001-00001}" wide
$g = "@@@@@"
condition:
all of them
}
rule Ap0calypse: RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Ap0calypse"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "Ap0calypse"
$b = "Sifre"
$c = "MsgGoster"
$d = "Baslik"
$e = "Dosyalars"
$f = "Injecsiyon"
condition:
all of them
}
rule Arcom : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Arcom"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a1 = "CVu3388fnek3W(3ij3fkp0930di"
$a2 = "ZINGAWI2"
$a3 = "clWebLightGoldenrodYellow"
$a4 = "Ancestor for '%s' not found" wide
$a5 = "Control-C hit" wide
$a6 = {A3 24 25 21}
condition:
all of them
}
rule Bandook : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/bandook"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "aaaaaa1|"
$b = "aaaaaa2|"
$c = "aaaaaa3|"
$d = "aaaaaa4|"
$e = "aaaaaa5|"
$f = "%s%d.exe"
$g = "astalavista"
$h = "givemecache"
$i = "%s\\system32\\drivers\\blogs\\*"
$j = "bndk13me"
condition:
all of them
}
rule BlackNix : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/BlackNix"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a1 = "SETTINGS" wide
$a2 = "Mark Adler"
$a3 = "Random-Number-Here"
$a4 = "RemoteShell"
$a5 = "SystemInfo"
condition:
all of them
}
rule BlueBanana : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/BlueBanana"
maltype = "Remote Access Trojan"
filetype = "Java"
strings:
$meta = "META-INF"
$conf = "config.txt"
$a = "a/a/a/a/f.class"
$b = "a/a/a/a/l.class"
$c = "a/a/a/b/q.class"
$d = "a/a/a/b/v.class"
condition:
all of them
}
rule ClientMesh : RAT
{
meta:
author = "Kevin Breen <kevin@techanarchy.net>"
date = "2014/06"
ref = "http://malwareconfig.com/stats/ClientMesh"
family = "torct"
strings:
$string1 = "machinedetails"
$string2 = "MySettings"
$string3 = "sendftppasswords"
$string4 = "sendbrowserpasswords"
$string5 = "arma2keyMass"
$string6 = "keylogger"
$conf = {00 00 00 00 00 00 00 00 00 7E}
condition:
all of them
}
rule DarkRAT : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/DarkRAT"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "@1906dark1996coder@"
$b = "SHEmptyRecycleBinA"
$c = "mciSendStringA"
$d = "add_Shutdown"
$e = "get_SaveMySettingsOnExit"
$f = "get_SpecialDirectories"
$g = "Client.My"
condition:
all of them
}
rule Greame : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Greame"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}
$b = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
$c = "EditSvr"
$d = "TLoader"
$e = "Stroks"
$f = "Avenger by NhT"
$g = "####@####"
$h = "GREAME"
condition:
all of them
}
rule HawkEye : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2015/06"
ref = "http://malwareconfig.com/stats/HawkEye"
maltype = "KeyLogger"
filetype = "exe"
strings:
$key = "HawkEyeKeylogger" wide
$salt = "099u787978786" wide
$string1 = "HawkEye_Keylogger" wide
$string2 = "holdermail.txt" wide
$string3 = "wallet.dat" wide
$string4 = "Keylog Records" wide
$string5 = "<!-- do not script -->" wide
$string6 = "\\pidloc.txt" wide
$string7 = "BSPLIT" wide
condition:
$key and $salt and all of ($string*)
}
rule Imminent : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Imminent"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$v1a = "DecodeProductKey"
$v1b = "StartHTTPFlood"
$v1c = "CodeKey"
$v1d = "MESSAGEBOX"
$v1e = "GetFilezillaPasswords"
$v1f = "DataIn"
$v1g = "UDPzSockets"
$v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}
$v2a = "<URL>k__BackingField"
$v2b = "<RunHidden>k__BackingField"
$v2c = "DownloadAndExecute"
$v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
$v2e = "england.png" wide
$v2f = "Showed Messagebox" wide
condition:
all of ($v1*) or all of ($v2*)
}
rule Infinity : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Infinity"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "CRYPTPROTECT_PROMPTSTRUCT"
$b = "discomouse"
$c = "GetDeepInfo"
$d = "AES_Encrypt"
$e = "StartUDPFlood"
$f = "BATScripting" wide
$g = "FBqINhRdpgnqATxJ.html" wide
$i = "magic_key" wide
condition:
all of them
}
rule JavaDropper : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2015/10"
ref = "http://malwareconfig.com/stats/AlienSpy"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$jar = "META-INF/MANIFEST.MF"
$a1 = "ePK"
$a2 = "kPK"
$b1 = "config.ini"
$b2 = "password.ini"
$c1 = "stub/stub.dll"
$d1 = "c.dat"
condition:
$jar and (all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*))
}
rule LostDoor : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/LostDoor"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a0 = {0D 0A 2A 45 44 49 54 5F 53 45 52 56 45 52 2A 0D 0A}
$a1 = "*mlt* = %"
$a2 = "*ip* = %"
$a3 = "*victimo* = %"
$a4 = "*name* = %"
$b5 = "[START]"
$b6 = "[DATA]"
$b7 = "We Control Your Digital World" wide ascii
$b8 = "RC4Initialize" wide ascii
$b9 = "RC4Decrypt" wide ascii
condition:
all of ($a*) or all of ($b*)
}
rule LuminosityLink : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/LuminosityLink"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "SMARTLOGS" wide
$b = "RUNPE" wide
$c = "b.Resources" wide
$d = "CLIENTINFO*" wide
$e = "Invalid Webcam Driver Download URL, or Failed to Download File!" wide
$f = "Proactive Anti-Malware has been manually activated!" wide
$g = "REMOVEGUARD" wide
$h = "C0n1f8" wide
$i = "Luminosity" wide
$j = "LuminosityCryptoMiner" wide
$k = "MANAGER*CLIENTDETAILS*" wide
condition:
all of them
}
rule LuxNet : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/LuxNet"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "GetHashCode"
$b = "Activator"
$c = "WebClient"
$d = "op_Equality"
$e = "dickcursor.cur" wide
$f = "{0}|{1}|{2}" wide
condition:
all of them
}
rule NanoCore : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/NanoCore"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "NanoCore"
$b = "ClientPlugin"
$c = "ProjectData"
$d = "DESCrypto"
$e = "KeepAlive"
$f = "IPNETROW"
$g = "LogClientMessage"
$h = "|ClientHost"
$i = "get_Connected"
$j = "#=q"
$key = {43 6f 24 cb 95 30 38 39}
condition:
6 of them
}
rule Pandora : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Pandora"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "Can't get the Windows version"
$b = "=M=Q=U=Y=]=a=e=i=m=q=u=y=}="
$c = "JPEG error #%d" wide
$d = "Cannot assign a %s to a %s" wide
$g = "%s, ProgID:"
$h = "clave"
$i = "Shell_TrayWnd"
$j = "melt.bat"
$k = "\\StubPath"
$l = "\\logs.dat"
$m = "1027|Operation has been canceled!"
$n = "466|You need to plug-in! Double click to install... |"
$0 = "33|[Keylogger Not Activated!]"
condition:
all of them
}
rule Paradox : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Paradox"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "ParadoxRAT"
$b = "Form1"
$c = "StartRMCam"
$d = "Flooders"
$e = "SlowLaris"
$f = "SHITEMID"
$g = "set_Remote_Chat"
condition:
all of them
}
rule Plasma : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Plasma"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "Miner: Failed to Inject." wide
$b = "Started GPU Mining on:" wide
$c = "BK: Hard Bot Killer Ran Successfully!" wide
$d = "Uploaded Keylogs Successfully!" wide
$e = "No Slowloris Attack is Running!" wide
$f = "An ARME Attack is Already Running on" wide
$g = "Proactive Bot Killer Enabled!" wide
$h = "PlasmaRAT" wide ascii
$i = "AntiEverything" wide ascii
condition:
all of them
}
rule PredatorPain : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/PredatorPain"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$string1 = "holderwb.txt" wide
$string3 = "There is a file attached to this email" wide
$string4 = "screens\\screenshot" wide
$string5 = "Disablelogger" wide
$string6 = "\\pidloc.txt" wide
$string7 = "clearie" wide
$string8 = "clearff" wide
$string9 = "emails should be sent to you shortly" wide
$string10 = "jagex_cache\\regPin" wide
$string11 = "open=Sys.exe" wide
$ver1 = "PredatorLogger" wide
$ver2 = "EncryptedCredentials" wide
$ver3 = "Predator Pain" wide
condition:
7 of ($string*) and any of ($ver*)
}
rule Punisher : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Punisher"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "abccba"
$b = {5C 00 68 00 66 00 68 00 2E 00 76 00 62 00 73}
$c = {5C 00 73 00 63 00 2E 00 76 00 62 00 73}
$d = "SpyTheSpy" wide ascii
$e = "wireshark" wide
$f = "apateDNS" wide
$g = "abccbaDanabccb"
condition:
all of them
}
rule PythoRAT : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/PythoRAT"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "TKeylogger"
$b = "uFileTransfer"
$c = "TTDownload"
$d = "SETTINGS"
$e = "Unknown" wide
$f = "#@#@#"
$g = "PluginData"
$i = "OnPluginMessage"
condition:
all of them
}
rule QRat : RAT
{
meta:
author = "Kevin Breen @KevTheHermit"
date = "2015/08"
ref = "http://malwareconfig.com"
maltype = "Remote Access Trojan"
filetype = "jar"
strings:
$a0 = "e-data"
$a1 = "quaverse/crypter"
$a2 = "Qrypt.class"
$a3 = "Jarizer.class"
$a4 = "URLConnection.class"
condition:
4 of them
}
rule SmallNet : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/SmallNet"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$split1 = "!!<3SAFIA<3!!"
$split2 = "!!ElMattadorDz!!"
$a1 = "stub_2.Properties"
$a2 = "stub.exe" wide
$a3 = "get_CurrentDomain"
condition:
($split1 or $split2) and (all of ($a*))
}
rule SpyGate : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/SpyGate"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$split = "abccba"
$a1 = "abccbaSpyGateRATabccba" //$a = Version 0.2.6
$a2 = "StubX.pdb"
$a3 = "abccbaDanabccb"
$b1 = "monikerString" nocase //$b = Version 2.0
$b2 = "virustotal1"
$b3 = "get_CurrentDomain"
$c1 = "shutdowncomputer" wide //$c = Version 2.9
$c2 = "shutdown -r -t 00" wide
$c3 = "set cdaudio door closed" wide
$c4 = "FileManagerSplit" wide
$c5 = "Chating With >> [~Hacker~]" wide
condition:
(all of ($a*) and #split > 40) or (all of ($b*) and #split > 10) or (all of ($c*))
}
rule Sub7Nation : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Sub7Nation"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$a = "EnableLUA /t REG_DWORD /d 0 /f"
$b = "*A01*"
$c = "*A02*"
$d = "*A03*"
$e = "*A04*"
$f = "*A05*"
$g = "*A06*"
$h = "#@#@#"
$i = "HostSettings"
$verSpecific1 = "sevane.tmp"
$verSpecific2 = "cmd_.bat"
$verSpecific3 = "a2b7c3d7e4"
$verSpecific4 = "cmd.dll"
condition:
all of them
}
rule UPX : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
strings:
$a = "UPX0"
$b = "UPX1"
$c = "UPX!"
condition:
all of them
}
rule Vertex : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/Vertex"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$string1 = "DEFPATH"
$string2 = "HKNAME"
$string3 = "HPORT"
$string4 = "INSTALL"
$string5 = "IPATH"
$string6 = "MUTEX"
$res1 = "PANELPATH"
$res2 = "ROOTURL"
condition:
all of them
}
rule VirusRat : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/VirusRat"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$string0 = "virustotal"
$string1 = "virusscan"
$string2 = "abccba"
$string3 = "pronoip"
$string4 = "streamWebcam"
$string5 = "DOMAIN_PASSWORD"
$string6 = "Stub.Form1.resources"
$string7 = "ftp://{0}@{1}" wide
$string8 = "SELECT * FROM moz_logins" wide
$string9 = "SELECT * FROM moz_disabledHosts" wide
$string10 = "DynDNS\\Updater\\config.dyndns" wide
$string11 = "|BawaneH|" wide
condition:
all of them
}
rule unrecom : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
date = "2014/04"
ref = "http://malwareconfig.com/stats/AAR"
maltype = "Remote Access Trojan"
filetype = "exe"
strings:
$meta = "META-INF"
$conf = "load/ID"
$a = "load/JarMain.class"
$b = "load/MANIFEST.MF"
$c = "plugins/UnrecomServer.class"
condition:
all of them
}
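Review bot: `rule UPX : RAT` (the rule with `$a = "UPX0"`, `$b = "UPX1"`, `$c = "UPX!"`) matches the section names and marker of every UPX-packed executable, so tagging it `RAT` and shipping it next to family rules will flag any benign packed binary as a RAT hit; either retag it as a packer indicator, `rule UPX : Packer`, or drop it from this set, and give it a `description` meta saying what it actually detects. The `unrecom` rule's `ref = "http://malwareconfig.com/stats/AAR"` is the AAR rule's reference and looks copy-pasted, since every other rule here uses its own family name in that path. `JavaDropper` matches JAR contents (`$jar = "META-INF/MANIFEST.MF"`) but declares `filetype = "exe"`, whereas `BlueBanana` uses `filetype = "Java"` for the same kind of target; the meta should agree with the strings. Most rules in this file also lack a `description` meta, unlike the other rules touched by this commit.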
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule sakula_v1_0
rule sakula_v1_0: RAT
{
meta:
description = "Sakula v1.0"
......@@ -21,7 +21,7 @@ rule sakula_v1_0
$MZ at 0 and all of ($m*) and not $v1_1
}
rule sakula_v1_1
rule sakula_v1_1: RAT
{
meta:
description = "Sakula v1.1"
......@@ -40,7 +40,7 @@ rule sakula_v1_1
$MZ at 0 and all of them
}
rule sakula_v1_2
rule sakula_v1_2: RAT
{
meta:
description = "Sakula v1.2"
......@@ -58,7 +58,7 @@ rule sakula_v1_2
$MZ at 0 and $m1 and $m2 and $m3 and $v1_2 and not $v1_1
}
rule sakula_v1_3
rule sakula_v1_3: RAT
{
meta:
description = "Sakula v1.3"
......@@ -76,7 +76,7 @@ rule sakula_v1_3
$MZ at 0 and all of them
}
rule sakula_v1_4
rule sakula_v1_4: RAT
{
meta:
description = "Sakula v1.4"
......
rule shimrat
rule shimrat: RAT
{
meta:
description = "Detects ShimRat and the ShimRat loader"
......@@ -26,7 +26,7 @@ rule shimrat
($dll and $dat and $headersig and $datasig) or ($datamarker1 and $datamarker2) or ($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or ($dll and $dat and $shim_func1 and $shim_func2 and $shim_func3)
}
rule shimratreporter
rule shimratreporter: RAT
{
meta:
description = "Detects ShimRatReporter"
......
......@@ -6,7 +6,7 @@
import "pe"
rule TerminatorRat : rat
rule TerminatorRat : RAT
{
meta:
description = "Terminator RAT"
......@@ -26,7 +26,7 @@ rule TerminatorRat : rat
rule TROJAN_Notepad_shell_crew {
rule TROJAN_Notepad_shell_crew : Trojan {
meta:
author = "RSA_IR"
Date = "4Jun13"
......
......@@ -4,7 +4,7 @@
*/
import "pe"
rule jRAT_conf : rat
rule jRAT_conf : RAT
{
meta:
description = "jRAT configuration"
......
rule xRAT
rule xRAT : RAT
{
meta:
author = " Kevin Breen <kevin@techanarchy.net>"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule xRAT20
rule xRAT20 : RAT
{
meta:
author = "Rottweiler"
......
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule RCS_Backdoor
{
meta:
description = "Hacking Team RCS Backdoor"
author = "botherder https://github.com/botherder"
strings:
$filter1 = "$debug3"
$filter2 = "$log2"
$filter3 = "error2"
$debug1 = /\- (C)hecking components/ wide ascii
$debug2 = /\- (A)ctivating hiding system/ wide ascii
$debug3 = /(f)ully operational/ wide ascii
$log1 = /\- Browser activity \(FF\)/ wide ascii
$log2 = /\- Browser activity \(IE\)/ wide ascii
// Cause false positives.
//$log3 = /\- About to call init routine at %p/ wide ascii
//$log4 = /\- Calling init routine at %p/ wide ascii
$error1 = /\[Unable to deploy\]/ wide ascii
$error2 = /\[The system is already monitored\]/ wide ascii
condition:
(2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
}
rule RCS_Scout
{
meta:
description = "Hacking Team RCS Scout"
author = "botherder https://github.com/botherder"
strings:
$filter1 = "$engine5"
$filter2 = "$start4"
$filter3 = "$upd2"
$filter4 = "$lookma6"
$engine1 = /(E)ngine started/ wide ascii
$engine2 = /(R)unning in background/ wide ascii
$engine3 = /(L)ocking doors/ wide ascii
$engine4 = /(R)otors engaged/ wide ascii
$engine5 = /(I)\'m going to start it/ wide ascii
$start1 = /Starting upgrade\!/ wide ascii
$start2 = /(I)\'m going to start the program/ wide ascii
$start3 = /(i)s it ok\?/ wide ascii
$start4 = /(C)lick to start the program/ wide ascii
$upd1 = /(U)pdJob/ wide ascii
$upd2 = /(U)pdTimer/ wide ascii
$lookma1 = /(O)wning PCI bus/ wide
$lookma2 = /(F)ormatting bios/ wide
$lookma3 = /(P)lease insert a disk in drive A:/ wide
$lookma4 = /(U)pdating CPU microcode/ wide
$lookma5 = /(N)ot sure what's happening/ wide
$lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide
condition:
(all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
}
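Review bot: `import "pe"` at the top of this file is unused — neither RCS_Backdoor nor RCS_Scout references the `pe` module — so it should be dropped, or a `pe.`/`uint16(0) == 0x5a4d` check added if the intent was to restrict matches to PE files. Both rules arrive untagged although this commit's purpose is to add category tags; `rule RCS_Backdoor : Backdoor` and `rule RCS_Scout : Backdoor` (or whichever tag the set uses for Hacking Team tooling) would keep them consistent. Neither rule has `date` or `reference` meta, and the `$filter*` strings, which appear to keep the rules from matching copies of their own source text, deserve a one-line comment such as `// $filter* exclude files containing this rule's own text` so the next maintainer does not remove them as dead strings.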
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule whosthere_alt {
rule whosthere_alt : Toolkit {
meta:
description = "Auto-generated rule - file whosthere-alt.exe"
author = "Florian Roth"
......@@ -23,7 +23,7 @@ rule whosthere_alt {
uint16(0) == 0x5a4d and filesize < 280KB and 2 of them
}
rule iam_alt_iam_alt {
rule iam_alt_iam_alt : Toolkit {
meta:
description = "Auto-generated rule - file iam-alt.exe"
author = "Florian Roth"
......@@ -44,7 +44,7 @@ rule iam_alt_iam_alt {
uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}
rule genhash_genhash {
rule genhash_genhash : Toolkit {
meta:
description = "Auto-generated rule - file genhash.exe"
author = "Florian Roth"
......@@ -62,7 +62,7 @@ rule genhash_genhash {
uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
rule iam_iamdll {
rule iam_iamdll : Toolkit {
meta:
description = "Auto-generated rule - file iamdll.dll"
author = "Florian Roth"
......@@ -78,7 +78,7 @@ rule iam_iamdll {
uint16(0) == 0x5a4d and filesize < 115KB and all of them
}
rule iam_iam {
rule iam_iam : Toolkit {
meta:
description = "Auto-generated rule - file iam.exe"
author = "Florian Roth"
......@@ -98,7 +98,7 @@ rule iam_iam {
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule whosthere_alt_pth {
rule whosthere_alt_pth : Toolkit {
meta:
description = "Auto-generated rule - file pth.dll"
author = "Florian Roth"
......@@ -116,7 +116,7 @@ rule whosthere_alt_pth {
uint16(0) == 0x5a4d and filesize < 240KB and 4 of them
}
rule whosthere {
rule whosthere : Toolkit {
meta:
description = "Auto-generated rule - file whosthere.exe"
author = "Florian Roth"
......
......@@ -2,7 +2,7 @@
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule QuarksPwDump_Gen {
rule QuarksPwDump_Gen : Toolkit {
meta:
description = "Detects all QuarksPWDump versions"
author = "Florian Roth"
......
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule WaterBug_turla_dll
{
meta:
description = "Symantec Waterbug Attack - Trojan Turla DLL"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://www.symantec.com/connect/blogs/turla-spying-tool-targets-governments-and-diplomats"
strings:
$a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
condition:
pe.exports("ee") and $a
}
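Review bot: WaterBug_turla_dll is added without a tag while every other rule in this commit receives one (`: RAT`, `: Trojan`, `: Toolkit`); `rule WaterBug_turla_dll : Trojan` would match its own description. `date = "22.01.2015"` uses a day-first format where the other rules use `YYYY-MM-DD` or `YYYY/MM`, which matters if the meta is ever parsed or sorted. A short comment on `$a` explaining that it matches an up-to-two-token underscore-prefixed `Win32.dll` export-library name terminated by a NUL would help, since the regex is the only string in the rule.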