Merged branch master into master

malware/Exploit_CVE_2015_2426.yar → CVE_Rules/CVE-2015-2426.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule Exploit_MS15_077_078 {
+rule Exploit_MS15_077_078: Exploit {
 	meta:
 		description = "MS15-078 / MS15-077 exploit - generic signature"
 		author = "Florian Roth"
@@ -28,7 +28,7 @@ rule Exploit_MS15_077_078 {
 		uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*) or all of ($op*)
 }
 
-rule Exploit_MS15_077_078_HackingTeam {
+rule Exploit_MS15_077_078_HackingTeam: Exploit {
 	meta:
 		description = "MS15-078 / MS15-077 exploit - Hacking Team code"
 		author = "Florian Roth"

malware/APT_Danti_svcmondr.yar → CVE_Rules/CVE-2015-2545.yar

@@ -13,7 +13,7 @@
 
 /* Rule Set ----------------------------------------------------------------- */
 
-rule Mal_Dropper_httpEXE_from_CAB {
+rule Mal_Dropper_httpEXE_from_CAB : Dropper {
 	meta:
 		description = "Detects a dropper from a CAB file mentioned in the article"
 		author = "Florian Roth"
@@ -28,7 +28,7 @@ rule Mal_Dropper_httpEXE_from_CAB {
 		( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) )
 }
 
-rule Mal_http_EXE {
+rule Mal_http_EXE : Trojan {
 	meta:
 		description = "Detects trojan from APT report named http.exe"
 		author = "Florian Roth"
@@ -58,7 +58,7 @@ rule Mal_http_EXE {
 		( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 2 of ($s*) ) ) or ( 3 of ($x*) )
 }
 
-rule Mal_PotPlayer_DLL {
+rule Mal_PotPlayer_DLL : dll {
 	meta:
 		description = "Detects a malicious PotPlayer.dll"
 		author = "Florian Roth"

malware/APT_CVE2015_5119.yar → CVE_Rules/CVE-2015-5119.yar

@@ -3,12 +3,11 @@
 
 */
 
-rule Flash_CVE_2015_5119_APT3 {
+rule Flash_CVE_2015_5119_APT3 : Exploit {
     meta:
         description = "Exploit Sample CVE-2015-5119"
         author = "Florian Roth"
         score = 70
-        yaraexchange = "No distribution without author's consent" 
         date = "2015-08-01"
     strings:
         $s0 = "HT_exploit" fullword ascii

Exploit-Kits/Angler_EK.yar → Exploit-Kits/EK_Angler.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule AnglerEKredirector
+rule AnglerEKredirector : EK
 {
    meta:
       description = "Angler Exploit Kit Redirector"
@@ -20,7 +20,7 @@ rule AnglerEKredirector
    condition:
       all of them
 }
-rule angler_flash
+rule angler_flash : EK
 {
 meta:
    author = "Josh Berry"
@@ -48,7 +48,7 @@ strings:
 condition:
    14 of them
 }
-rule angler_flash2
+rule angler_flash2 : EK
 {
 meta:
    author = "Josh Berry"
@@ -76,7 +76,7 @@ strings:
 condition:
    14 of them
 }
-rule angler_flash4
+rule angler_flash4 : EK
 {
 meta:
    author = "Josh Berry"
@@ -106,7 +106,7 @@ strings:
 condition:
    16 of them
 }
-rule angler_flash5
+rule angler_flash5 : EK
 {
 meta:
    author = "Josh Berry"
@@ -132,7 +132,7 @@ strings:
 condition:
    12 of them
 }
-rule angler_flash_uncompressed
+rule angler_flash_uncompressed : EK
 {
 meta:
    author = "Josh Berry"
@@ -163,7 +163,7 @@ strings:
 condition:
    17 of them
 }
-rule angler_html
+rule angler_html : EK
 {
 meta:
    author = "Josh Berry"
@@ -195,7 +195,7 @@ strings:
 condition:
    18 of them
 }
-rule angler_html2
+rule angler_html2 : EK
 {
 meta:
    author = "Josh Berry"
@@ -227,7 +227,7 @@ strings:
 condition:
    18 of them
 }
-rule angler_jar
+rule angler_jar : EK
 {
 meta:
    author = "Josh Berry"
@@ -250,7 +250,7 @@ strings:
 condition:
    9 of them
 }
-rule angler_js
+rule angler_js : EK
 {
 meta:
    author = "Josh Berry"

Exploit-Kits/Blackhole_EK.yar → Exploit-Kits/EK_Blackhole.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule blackhole2_jar
+rule blackhole2_jar : EK
 {
 meta:
    author = "Josh Berry"
@@ -29,7 +29,7 @@ strings:
 condition:
    13 of them
 }
-rule blackhole2_jar2
+rule blackhole2_jar2 : EK
 {
 meta:
    author = "Josh Berry"
@@ -55,7 +55,7 @@ strings:
 condition:
    12 of them
 }
-rule blackhole2_jar3
+rule blackhole2_jar3 : EK
 {
 meta:
    author = "Josh Berry"
@@ -81,7 +81,7 @@ strings:
 condition:
    12 of them
 }
-rule blackhole2_pdf
+rule blackhole2_pdf : EK PDF
 {
 meta:
    author = "Josh Berry"
@@ -113,7 +113,7 @@ strings:
 condition:
    18 of them
 }
-rule blackhole_basic : exploit_kit
+rule blackhole_basic :  EK
 {
     strings:
         $a = /\.php\?\.*\?\:[a-zA-Z0-9\:]{6,}\&\.*\?\&/
@@ -146,7 +146,7 @@ strings:
 condition:
    12 of them
 }
-rule blackhole2_css
+rule blackhole2_css : EK
 {
 meta:
    author = "Josh Berry"
@@ -168,7 +168,7 @@ strings:
 condition:
    18 of them
 }
-rule blackhole2_htm
+rule blackhole2_htm : EK
 {
 meta:
    author = "Josh Berry"
@@ -204,7 +204,7 @@ strings:
 condition:
    14 of them
 }
-rule blackhole2_htm10
+rule blackhole2_htm10 : EK
 {
 meta:
    author = "Josh Berry"
@@ -241,7 +241,7 @@ strings:
 condition:
    15 of them
 }
-rule blackhole2_htm11
+rule blackhole2_htm11 : EK
 {
 meta:
    author = "Josh Berry"
@@ -274,7 +274,7 @@ strings:
 condition:
    11 of them
 }
-rule blackhole2_htm12
+rule blackhole2_htm12 : EK
 {
 meta:
    author = "Josh Berry"
@@ -310,7 +310,7 @@ strings:
 condition:
    14 of them
 }
-rule blackhole2_htm3
+rule blackhole2_htm3 : EK
 {
 meta:
    author = "Josh Berry"
@@ -329,7 +329,7 @@ strings:
 condition:
    3 of them
 }
-rule blackhole2_htm4
+rule blackhole2_htm4 : EK
 {
 meta:
    author = "Josh Berry"
@@ -359,7 +359,7 @@ strings:
 condition:
    8 of them
 }
-rule blackhole2_htm5
+rule blackhole2_htm5 : EK
 {
 meta:
    author = "Josh Berry"
@@ -393,7 +393,7 @@ strings:
 condition:
    12 of them
 }
-rule blackhole2_htm6
+rule blackhole2_htm6 : EK
 {
 meta:
    author = "Josh Berry"
@@ -423,7 +423,7 @@ strings:
 condition:
    8 of them
 }
-rule blackhole2_htm8
+rule blackhole2_htm8 : EK
 {
 meta:
    author = "Josh Berry"

Exploit-Kits/BleedingLife_EK.yar → Exploit-Kits/EK_BleedingLife.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule bleedinglife2_adobe_2010_1297_exploit
+rule bleedinglife2_adobe_2010_1297_exploit : EK PDF
 {
 meta:
    author = "Josh Berry"
@@ -33,7 +33,7 @@ strings:
 condition:
    17 of them
 }
-rule bleedinglife2_adobe_2010_2884_exploit
+rule bleedinglife2_adobe_2010_2884_exploit : EK
 {
 meta:
    author = "Josh Berry"
@@ -64,7 +64,7 @@ strings:
 condition:
    17 of them
 }
-rule bleedinglife2_jar2
+rule bleedinglife2_jar2 : EK
 {
 meta:
    author = "Josh Berry"
@@ -87,7 +87,7 @@ strings:
 condition:
    9 of them
 }
-rule bleedinglife2_java_2010_0842_exploit
+rule bleedinglife2_java_2010_0842_exploit : EK
 {
 meta:
    author = "Josh Berry"

Exploit-Kits/Crimepack_EK.yar → Exploit-Kits/EK_Crimepack.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule crimepack_jar
+rule crimepack_jar : EK
 {
 meta:
 	author = "Josh Berry"
@@ -22,7 +22,7 @@ strings:
 condition:
 	6 of them
 }
-rule crimepack_jar3
+rule crimepack_jar3 : EK
 {
 meta:
 	author = "Josh Berry"

Exploit-Kits/Eleonore_EK.yar → Exploit-Kits/EK_Eleonore.yar

-rule eleonore_jar
+rule eleonore_jar : EK
 {
 meta:
    author = "Josh Berry"
@@ -24,7 +24,7 @@ strings:
 condition:
    12 of them
 }
-rule eleonore_jar2
+rule eleonore_jar2 : EK
 {
 meta:
    author = "Josh Berry"
@@ -52,7 +52,7 @@ strings:
 condition:
    14 of them
 }
-rule eleonore_jar3
+rule eleonore_jar3 : EK
 {
 meta:
    author = "Josh Berry"
@@ -78,7 +78,7 @@ strings:
 condition:
    12 of them
 }
-rule eleonore_js
+rule eleonore_js : EK
 {
 meta:
    author = "Josh Berry"
@@ -103,7 +103,7 @@ strings:
 condition:
    11 of them
 }
-rule eleonore_js2
+rule eleonore_js2 : EK
 {
 meta:
    author = "Josh Berry"
@@ -132,7 +132,7 @@ strings:
 condition:
    15 of them
 }
-rule eleonore_js3
+rule eleonore_js3 : EK
 {
 meta:
    author = "Josh Berry"

Exploit-Kits/Fragus_EK.yar → Exploit-Kits/EK_Fragus.yar

-rule fragus_htm
+rule fragus_htm : EK
 {
 meta:
    author = "Josh Berry"
@@ -28,7 +28,7 @@ strings:
 condition:
    16 of them
 }
-rule fragus_js
+rule fragus_js : EK
 {
 meta:
    author = "Josh Berry"
@@ -60,7 +60,7 @@ strings:
 condition:
    18 of them
 }
-rule fragus_js2
+rule fragus_js2 : EK
 {
 meta:
    author = "Josh Berry"
@@ -91,7 +91,7 @@ strings:
 condition:
    17 of them
 }
-rule fragus_js_flash
+rule fragus_js_flash : EK
 {
 meta:
    author = "Josh Berry"
@@ -120,7 +120,7 @@ strings:
 condition:
    15 of them
 }
-rule fragus_js_java
+rule fragus_js_java : EK
 {
 meta:
    author = "Josh Berry"
@@ -151,7 +151,7 @@ strings:
 condition:
    17 of them
 }
-rule fragus_js_quicktime
+rule fragus_js_quicktime : EK
 {
 meta:
    author = "Josh Berry"
@@ -180,7 +180,7 @@ strings:
 condition:
    15 of them
 }
-rule fragus_js_vml
+rule fragus_js_vml : EK
 {
 meta:
    author = "Josh Berry"

Exploit-Kits/Phoenix_EK.yar → Exploit-Kits/EK_Phoenix.yar

-rule phoenix_html
+rule phoenix_html : EK
 {
 meta:
    author = "Josh Berry"
@@ -21,7 +21,7 @@ strings:
 condition:
    10 of them
 }
-rule phoenix_html10
+rule phoenix_html10 : EK
 {
 meta:
    author = "Josh Berry"
@@ -52,7 +52,7 @@ strings:
 condition:
    17 of them
 }
-rule phoenix_html11
+rule phoenix_html11 : EK
 {
 meta:
    author = "Josh Berry"
@@ -84,7 +84,7 @@ strings:
 condition:
    18 of them
 }
-rule phoenix_html2
+rule phoenix_html2 : EK
 {
 meta:
    author = "Josh Berry"
@@ -115,7 +115,7 @@ strings:
 condition:
    17 of them
 }
-rule phoenix_html3
+rule phoenix_html3 : EK
 {
 meta:
    author = "Josh Berry"
@@ -147,7 +147,7 @@ strings:
 condition:
    18 of them
 }
-rule phoenix_html4
+rule phoenix_html4 : EK
 {
 meta:
    author = "Josh Berry"
@@ -174,7 +174,7 @@ strings:
 condition:
    13 of them
 }
-rule phoenix_html5
+rule phoenix_html5 : EK
 {
 meta:
    author = "Josh Berry"
@@ -204,7 +204,7 @@ strings:
 condition:
    16 of them
 }
-rule phoenix_html6
+rule phoenix_html6 : EK
 {
 meta:
    author = "Josh Berry"
@@ -235,7 +235,7 @@ strings:
 condition:
    17 of them
 }
-rule phoenix_html7
+rule phoenix_html7 : EK
 {
 meta:
    author = "Josh Berry"
@@ -266,7 +266,7 @@ strings:
 condition:
    17 of them
 }
-rule phoenix_html8
+rule phoenix_html8 : EK
 {
 meta:
    author = "Josh Berry"
@@ -296,7 +296,7 @@ strings:
 condition:
    16 of them
 }
-rule phoenix_html9
+rule phoenix_html9 : EK
 {
 meta:
    author = "Josh Berry"
@@ -328,7 +328,7 @@ strings:
 condition:
    18 of them
 }
-rule phoenix_jar
+rule phoenix_jar : EK
 {
 meta:
    author = "Josh Berry"
@@ -352,7 +352,7 @@ strings:
 condition:
    10 of them
 }
-rule phoenix_jar2
+rule phoenix_jar2 : EK
 {
 meta:
    author = "Josh Berry"
@@ -380,7 +380,7 @@ strings:
 condition:
    14 of them
 }
-rule phoenix_jar3
+rule phoenix_jar3 : EK Jar
 {
 meta:
    author = "Josh Berry"
@@ -403,7 +403,7 @@ strings:
 condition:
    9 of them
 }
-rule phoenix_pdf
+rule phoenix_pdf : EK PDF
 {
 meta:
    author = "Josh Berry"
@@ -429,7 +429,7 @@ strings:
 condition:
    11 of them
 }
-rule phoenix_pdf2
+rule phoenix_pdf2 : EK PDF
 {
 meta:
    author = "Josh Berry"
@@ -456,7 +456,7 @@ strings:
 condition:
    13 of them
 }
-rule phoenix_pdf3
+rule phoenix_pdf3 : EK PDF
 {
 meta:
    author = "Josh Berry"

Exploit-Kits/Sakura_EK.yar → Exploit-Kits/EK_Sakura.yar

-rule sakura_jar
+rule sakura_jar : EK
 {
 meta:
    author = "Josh Berry"
@@ -29,7 +29,7 @@ strings:
 condition:
    17 of them
 }
-rule sakura_jar2
+rule sakura_jar2 : EK jar
 {
 meta:
    author = "Josh Berry"

Exploit-Kits/ZeroAcces_EK.yar → Exploit-Kits/EK_ZeroAcces.yar

-rule zeroaccess_css
+rule zeroaccess_css : EK
 {
 meta:
    author = "Josh Berry"
@@ -30,7 +30,7 @@ strings:
 condition:
    18 of them
 }
-rule zeroaccess_css2
+rule zeroaccess_css2 : EK css
 {
 meta:
    author = "Josh Berry"
@@ -55,7 +55,7 @@ strings:
 condition:
    11 of them
 }
-rule zeroaccess_htm
+rule zeroaccess_htm : EK html
 {
 meta:
    author = "Josh Berry"
@@ -85,7 +85,7 @@ strings:
 condition:
    16 of them
 }
-rule zeroaccess_js
+rule zeroaccess_js : EK js
 {
 meta:
    author = "Josh Berry"
@@ -117,7 +117,7 @@ strings:
 condition:
    18 of them
 }
-rule zeroaccess_js2
+rule zeroaccess_js2 : EK js
 {
 meta:
    author = "Josh Berry"
@@ -149,7 +149,7 @@ strings:
 condition:
    18 of them
 }
-rule zeroaccess_js3
+rule zeroaccess_js3 : EK js
 {
 meta:
    author = "Josh Berry"
@@ -178,7 +178,7 @@ strings:
 condition:
    15 of them
 }
-rule zeroaccess_js4
+rule zeroaccess_js4 : EK js
 {
 meta:
    author = "Josh Berry"

Exploit-Kits/Zeus_EK.yar → Exploit-Kits/EK_Zeus.yar

-rule zeus_js
+rule zeus_js : EK
 {
 meta:
 	author = "Josh Berry"

malware/APT_OLE_JSRat.yar → Malicious_Documents/Maldoc_APT_OLE_JSRat.yar

@@ -3,7 +3,7 @@
 
 */
 
-rule APT_OLE_JSRat
+rule APT_OLE_JSRat : maldoc APT
 {
 meta:
 	author = "Rahul Mohandas"

Malicious_Documents/Maldoc_Contains_VBE_File.yar

@@ -15,7 +15,7 @@
     2016/03/21: start
 */
 
-rule Contains_VBE_File
+rule Contains_VBE_File : maldoc
 {
     meta:
         author = "Didier Stevens (https://DidierStevens.com)"

malware/DRIDEX_phish_gina_dec15.yar → Malicious_Documents/Maldoc_Dridex.yar

@@ -2,6 +2,35 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
+
+import "pe"
+
+rule Dridex_Trojan_XML : maldoc {
+	meta:
+		description = "Dridex Malware in XML Document"
+		author = "Florian Roth @4nc4p"
+		reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
+		date = "2015/03/08"
+		hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
+		hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
+		hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
+		hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
+		hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
+	strings:
+		// can be ascii or wide formatted - therefore no restriction
+		$c_xml      = "<?xml version="
+		$c_word     = "<?mso-application progid=\"Word.Document\"?>"
+		$c_macro    = "w:macrosPresent=\"yes\""
+		$c_binary   = "<w:binData w:name="
+		$c_0_chars  = "<o:Characters>0</o:Characters>"
+		$c_1_line   = "<o:Lines>1</o:Lines>"
+	condition:
+		all of ($c*)
+}
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
 /*
 	Yara Rule Set
 	Author: Florian Roth
@@ -46,3 +75,4 @@ rule PHISH_02Dez2015_attach_P_ORD_C_10156_124658 {
 	condition:
 		uint16(0) == 0xcfd0 and filesize < 200KB and all of them
 }
+

Malicious_Documents/Maldoc_Hidden_PE_file.yar

@@ -3,7 +3,7 @@
 
 */
 
-rule Contains_hidden_PE_File_inside_a_sequence_of_numbers
+rule Contains_hidden_PE_File_inside_a_sequence_of_numbers : maldoc
 {
 	meta:
 		author = "Martin Willing (https://evild3ad.com)"

Malicious_Documents/Maldoc_MIME_ActiveMime_b64.yar

@@ -3,7 +3,7 @@
 
 */
 
-rule MIME_MSO_ActiveMime_base64
+rule MIME_MSO_ActiveMime_base64 : maldoc
 {
 	meta:
 		author = "Martin Willing (https://evild3ad.com)"

malware/APT_Laudanum_Webshells.yar → Webshells/WShell_APT_Laudanum.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule asp_file {
+rule asp_file : webshell {
 	meta:
 		description = "Laudanum Injector Tools - file file.asp"
 		author = "Florian Roth"
@@ -20,7 +20,7 @@ rule asp_file {
 		uint16(0) == 0x253c and filesize < 30KB and 5 of them
 }
 
-rule php_killnc {
+rule php_killnc : webshell {
 	meta:
 		description = "Laudanum Injector Tools - file killnc.php"
 		author = "Florian Roth"
@@ -37,7 +37,7 @@ rule php_killnc {
 		filesize < 15KB and 4 of them
 }
 
-rule asp_shell {
+rule asp_shell : webshell {
 	meta:
 		description = "Laudanum Injector Tools - file shell.asp"
 		author = "Florian Roth"
@@ -56,7 +56,7 @@ rule asp_shell {
 		filesize < 15KB and 4 of them
 }
 
-rule settings {
+rule settings : webshell {
 	meta:
 		description = "Laudanum Injector Tools - file settings.php"
 		author = "Florian Roth"
@@ -71,7 +71,7 @@ rule settings {
 		filesize < 13KB and all of them
 }
 
-rule asp_proxy {
+rule asp_proxy : webshell {
 	meta:
 		description = "Laudanum Injector Tools - file proxy.asp"
 		author = "Florian Roth"
@@ -89,7 +89,7 @@ rule asp_proxy {
 		filesize < 50KB and all of them
 }
 
-rule cfm_shell {
+rule cfm_shell : webshell {
 	meta:
 		description = "Laudanum Injector Tools - file shell.cfm"
 		author = "Florian Roth"
@@ -104,7 +104,7 @@ rule cfm_shell {
 		filesize < 20KB and 2 of them
 }
 
-rule aspx_shell {
+rule aspx_shell  : webshell{
 	meta:
 		description = "Laudanum Injector Tools - file shell.aspx"
 		author = "Florian Roth"
@@ -120,7 +120,7 @@ rule aspx_shell {
 		filesize < 20KB and all of them
 }
 
-rule php_shell {
+rule php_shell  : webshell{
 	meta:
 		description = "Laudanum Injector Tools - file shell.php"
 		author = "Florian Roth"
@@ -136,7 +136,7 @@ rule php_shell {
 		filesize < 40KB and all of them
 }
 
-rule php_reverse_shell {
+rule php_reverse_shell : webshell {
 	meta:
 		description = "Laudanum Injector Tools - file php-reverse-shell.php"
 		author = "Florian Roth"
@@ -151,7 +151,7 @@ rule php_reverse_shell {
 		filesize < 15KB and all of them
 }
 
-rule php_dns {
+rule php_dns  : webshell{
 	meta:
 		description = "Laudanum Injector Tools - file dns.php"
 		author = "Florian Roth"
@@ -167,7 +167,7 @@ rule php_dns {
 		filesize < 15KB and all of them
 }
 
-rule WEB_INF_web {
+rule WEB_INF_web  : webshell{
 	meta:
 		description = "Laudanum Injector Tools - file web.xml"
 		author = "Florian Roth"
@@ -181,7 +181,7 @@ rule WEB_INF_web {
 		filesize < 1KB and all of them
 }
 
-rule jsp_cmd {
+rule jsp_cmd : webshell {
 	meta:
 		description = "Laudanum Injector Tools - file cmd.war"
 		author = "Florian Roth"
@@ -198,7 +198,7 @@ rule jsp_cmd {
 		uint16(0) == 0x4b50 and filesize < 2KB and all of them
 }
 
-rule laudanum {
+rule laudanum : webshell {
 	meta:
 		description = "Laudanum Injector Tools - file laudanum.php"
 		author = "Florian Roth"
@@ -212,7 +212,7 @@ rule laudanum {
 		filesize < 5KB and all of them
 }
 
-rule php_file {
+rule php_file  : webshell{
 	meta:
 		description = "Laudanum Injector Tools - file file.php"
 		author = "Florian Roth"
@@ -228,7 +228,7 @@ rule php_file {
 		filesize < 10KB and all of them
 }
 
-rule warfiles_cmd {
+rule warfiles_cmd : webshell {
 	meta:
 		description = "Laudanum Injector Tools - file cmd.jsp"
 		author = "Florian Roth"
@@ -244,7 +244,7 @@ rule warfiles_cmd {
 		filesize < 2KB and all of them
 }
 
-rule asp_dns {
+rule asp_dns  : webshell{
 	meta:
 		description = "Laudanum Injector Tools - file dns.asp"
 		author = "Florian Roth"
@@ -260,7 +260,7 @@ rule asp_dns {
 		filesize < 21KB and all of them
 }
 
-rule php_reverse_shell_2 {
+rule php_reverse_shell_2  : webshell{
 	meta:
 		description = "Laudanum Injector Tools - file php-reverse-shell.php"
 		author = "Florian Roth"
@@ -274,7 +274,7 @@ rule php_reverse_shell_2 {
 		filesize < 10KB and all of them
 }
 
-rule Laudanum_Tools_Generic {
+rule Laudanum_Tools_Generic  : webshell Toolkit{
 	meta:
 		description = "Laudanum Injector Tools"
 		author = "Florian Roth"

malware/THOR_Webshells.yar → Webshells/WShell_THOR_Webshells.yar

@@ -19,7 +19,7 @@
 
 */
 
-rule Weevely_Webshell {
+rule Weevely_Webshell : webshell {
 	meta:
 		description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
 		author = "Florian Roth"
@@ -36,7 +36,7 @@ rule Weevely_Webshell {
 		$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
 }
 
-rule webshell_h4ntu_shell_powered_by_tsoi_ {
+rule webshell_h4ntu_shell_powered_by_tsoi_  : webshell {
 	meta:
 		description = "Web Shell - file h4ntu shell [powered by tsoi].php"
 		author = "Florian Roth"
@@ -51,7 +51,7 @@ rule webshell_h4ntu_shell_powered_by_tsoi_ {
 	condition:
 		all of them
 }
-rule webshell_PHP_sql {
+rule webshell_PHP_sql  : webshell {
 	meta:
 		description = "Web Shell - file sql.php"
 		author = "Florian Roth"
@@ -64,7 +64,7 @@ rule webshell_PHP_sql {
 	condition:
 		all of them
 }
-rule webshell_PHP_a {
+rule webshell_PHP_a : webshell {
 	meta:
 		description = "Web Shell - file a.php"
 		author = "Florian Roth"
@@ -78,7 +78,7 @@ rule webshell_PHP_a {
 	condition:
 		2 of them
 }
-rule webshell_iMHaPFtp_2 {
+rule webshell_iMHaPFtp_2  : webshell{
 	meta:
 		description = "Web Shell - file iMHaPFtp.php"
 		author = "Florian Roth"
@@ -91,7 +91,7 @@ rule webshell_iMHaPFtp_2 {
 	condition:
 		1 of them
 }
-rule webshell_Jspspyweb {
+rule webshell_Jspspyweb  : webshell{
 	meta:
 		description = "Web Shell - file Jspspyweb.jsp"
 		author = "Florian Roth"
@@ -104,7 +104,7 @@ rule webshell_Jspspyweb {
 	condition:
 		all of them
 }
-rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
+rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2  : webshell{
 	meta:
 		description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
 		author = "Florian Roth"
@@ -117,7 +117,7 @@ rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
 	condition:
 		1 of them
 }
-rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
+rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend  : webshell{
 	meta:
 		description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
 		author = "Florian Roth"
@@ -130,7 +130,7 @@ rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend {
 	condition:
 		1 of them
 }
-rule webshell_phpshell_2_1_pwhash {
+rule webshell_phpshell_2_1_pwhash  : webshell{
 	meta:
 		description = "Web Shell - file pwhash.php"
 		author = "Florian Roth"
@@ -143,7 +143,7 @@ rule webshell_phpshell_2_1_pwhash {
 	condition:
 		1 of them
 }
-rule webshell_PHPRemoteView {
+rule webshell_PHPRemoteView  : webshell{
 	meta:
 		description = "Web Shell - file PHPRemoteView.php"
 		author = "Florian Roth"
@@ -156,7 +156,7 @@ rule webshell_PHPRemoteView {
 	condition:
 		1 of them
 }
-rule webshell_jsp_12302 {
+rule webshell_jsp_12302  : webshell{
 	meta:
 		description = "Web Shell - file 12302.jsp"
 		author = "Florian Roth"
@@ -170,7 +170,7 @@ rule webshell_jsp_12302 {
 	condition:
 		all of them
 }
-rule webshell_caidao_shell_guo {
+rule webshell_caidao_shell_guo  : webshell{
 	meta:
 		description = "Web Shell - file guo.php"
 		author = "Florian Roth"
@@ -183,7 +183,7 @@ rule webshell_caidao_shell_guo {
 	condition:
 		1 of them
 }
-rule webshell_PHP_redcod {
+rule webshell_PHP_redcod  : webshell{
 	meta:
 		description = "Web Shell - file redcod.php"
 		author = "Florian Roth"
@@ -196,7 +196,7 @@ rule webshell_PHP_redcod {
 	condition:
 		all of them
 }
-rule webshell_remview_fix {
+rule webshell_remview_fix  : webshell{
 	meta:
 		description = "Web Shell - file remview_fix.php"
 		author = "Florian Roth"
@@ -209,7 +209,7 @@ rule webshell_remview_fix {
 	condition:
 		1 of them
 }
-rule webshell_asp_cmd {
+rule webshell_asp_cmd : webshell {
 	meta:
 		description = "Web Shell - file cmd.asp"
 		author = "Florian Roth"
@@ -223,7 +223,7 @@ rule webshell_asp_cmd {
 	condition:
 		1 of them
 }
-rule webshell_php_sh_server {
+rule webshell_php_sh_server : webshell {
 	meta:
 		description = "Web Shell - file server.php"
 		author = "Florian Roth"
@@ -235,7 +235,7 @@ rule webshell_php_sh_server {
 	condition:
 		all of them
 }
-rule webshell_PH_Vayv_PH_Vayv {
+rule webshell_PH_Vayv_PH_Vayv : webshell {
 	meta:
 		description = "Web Shell - file PH Vayv.php"
 		author = "Florian Roth"
@@ -248,7 +248,7 @@ rule webshell_PH_Vayv_PH_Vayv {
 	condition:
 		1 of them
 }
-rule webshell_caidao_shell_ice {
+rule webshell_caidao_shell_ice  : webshell{
 	meta:
 		description = "Web Shell - file ice.asp"
 		author = "Florian Roth"
@@ -260,7 +260,7 @@ rule webshell_caidao_shell_ice {
 	condition:
 		all of them
 }
-rule webshell_cihshell_fix {
+rule webshell_cihshell_fix : webshell {
 	meta:
 		description = "Web Shell - file cihshell_fix.php"
 		author = "Florian Roth"
@@ -273,7 +273,7 @@ rule webshell_cihshell_fix {
 	condition:
 		1 of them
 }
-rule webshell_asp_shell {
+rule webshell_asp_shell : webshell {
 	meta:
 		description = "Web Shell - file shell.asp"
 		author = "Florian Roth"
@@ -286,7 +286,7 @@ rule webshell_asp_shell {
 	condition:
 		all of them
 }
-rule webshell_Private_i3lue {
+rule webshell_Private_i3lue  : webshell{
 	meta:
 		description = "Web Shell - file Private-i3lue.php"
 		author = "Florian Roth"
@@ -298,7 +298,7 @@ rule webshell_Private_i3lue {
 	condition:
 		all of them
 }
-rule webshell_php_up {
+rule webshell_php_up : webshell {
 	meta:
 		description = "Web Shell - file up.php"
 		author = "Florian Roth"

Webshells/chinese-spam.yar → Webshells/Wshell_ChineseSpam.yar

@@ -5,7 +5,7 @@
     (echoers), file(s) which use file_get_contents()
     to get and echo the HTML (chinese blog/shop/???).
 */
-rule chinese_spam_spreader
+rule chinese_spam_spreader : webshell
 {
     meta:
         author      = "Vlad https://github.com/vlad-s"
@@ -19,7 +19,7 @@ rule chinese_spam_spreader
         all of them
 }
 
-rule chinese_spam_echoer
+rule chinese_spam_echoer : webshell
 {
     meta:
         author      = "Vlad https://github.com/vlad-s"

Webshells/fire2013.yar → Webshells/Wshell_fire2013.yar

@@ -12,7 +12,7 @@
     info on "h4x4rwow@yahoo.com" as written in the "system32()"
     function.
 */
-rule fire2013
+rule fire2013 : webshell
 {
     meta:
         author      = "Vlad https://github.com/vlad-s"

malware/APT_c16.yar → malware/APT_C16.yar

@@ -4,7 +4,7 @@
 
 import "pe"
 
-rule apt_c16_win_memory_pcclient 
+rule apt_c16_win_memory_pcclient : Memory APT 
 {
   meta:
     author = "@dragonthreatlab"
@@ -21,7 +21,7 @@ rule apt_c16_win_memory_pcclient
     all of them
 }
 
-rule apt_c16_win_disk_pcclient 
+rule apt_c16_win_disk_pcclient : Disk
 {
   meta:
     author = "@dragonthreatlab"
@@ -35,7 +35,7 @@ rule apt_c16_win_disk_pcclient
     $header at 0
 }
 
-rule apt_c16_win32_dropper 
+rule apt_c16_win32_dropper : Dropper
 {
   meta:
     author = "@dragonthreatlab"
@@ -54,7 +54,7 @@ rule apt_c16_win32_dropper
     $mz at 0 and all of ($str*)
 }
 
-rule apt_c16_win_swisyn 
+rule apt_c16_win_swisyn : Memory
 {
   meta:
     author = "@dragonthreatlab"
@@ -87,7 +87,7 @@ rule apt_c16_win_wateringhole
     any of ($str*)
 }
 
-rule apt_c16_win64_dropper
+rule apt_c16_win64_dropper : Dropper
 {
     meta:
         author      = "@dragonthreatlab"

malware/APT_Carbanak2.yar → malware/APT_Carbanak.yar

@@ -11,7 +11,7 @@
 
 /* Rule Set ----------------------------------------------------------------- */
 
-rule Carbanak_0915_1 {
+rule Carbanak_0915_1 : APT {
 	meta:
 		description = "Carbanak Malware"
 		author = "Florian Roth"
@@ -25,7 +25,7 @@ rule Carbanak_0915_1 {
 		uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
 }
 
-rule Carbanak_0915_2 {
+rule Carbanak_0915_2 : APT {
 	meta:
 		description = "Carbanak Malware"
 		author = "Florian Roth"
@@ -46,7 +46,7 @@ rule Carbanak_0915_2 {
 		uint16(0) == 0x5a4d and filesize < 500KB and ( $x1 or all of ($s*) )
 }
 
-rule Carbanak_0915_3 {
+rule Carbanak_0915_3 : APT {
 	meta:
 		description = "Carbanak Malware"
 		author = "Florian Roth"

malware/APT_Careto.yar

@@ -4,7 +4,7 @@
 
 import "pe"
 
-rule Careto_SGH {
+rule Careto_SGH : APT Careto  {
 	meta:
 		author = "AlienVault (Alberto Ortega)"
 		description = "TheMask / Careto SGH component signature"
@@ -19,7 +19,7 @@ rule Careto_SGH {
 		2 of them
 }
 
-rule Careto_OSX_SBD {
+rule Careto_OSX_SBD : APT Careto {
 	meta:
 		author = "AlienVault (Alberto Ortega)"
 		description = "TheMask / Careto OSX component signature"
@@ -32,7 +32,7 @@ rule Careto_OSX_SBD {
 		all of them
 }
 
-rule Careto_CnC {
+rule Careto_CnC : APT Careto {
 	meta:
 		author = "AlienVault (Alberto Ortega)"
 		description = "TheMask / Careto CnC communication signature"
@@ -47,7 +47,7 @@ rule Careto_CnC {
 		all of them
 }
 
-rule Careto_CnC_domains {
+rule Careto_CnC_domains : APT Careto {
 	meta:
 		author = "AlienVault (Alberto Ortega)"
 		description = "TheMask / Careto known command and control domains"

malware/Casper.yar → malware/APT_Casper.yar

@@ -5,7 +5,7 @@
 
 import "pe"
 
-rule Casper_Backdoor_x86 {
+rule Casper_Backdoor_x86 : APT Backdoor {
 	meta:
 		description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
 		author = "Florian Roth"
@@ -36,7 +36,7 @@ rule Casper_Backdoor_x86 {
 		( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
 }
 
-rule Casper_EXE_Dropper {
+rule Casper_EXE_Dropper : Dropper {
 	meta:
 		description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
 		author = "Florian Roth"

malware/APT_Cloudduke.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule CloudDuke_Malware {
+rule CloudDuke_Malware : APT CloudDuke {
 	meta:
 		description = "Detects CloudDuke Malware"
 		author = "Florian Roth"
@@ -40,7 +40,7 @@ rule CloudDuke_Malware {
 
 /* Super Rules ------------------------------------------------------------- */
 
-rule SFXRAR_Acrotray {
+rule SFXRAR_Acrotray : APT CloudDuke {
 	meta:
 		description = "Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe"
 		author = "Florian Roth"

malware/APT_DeputyDog_Fexel.yar → malware/APT_DeputyDog.yar

@@ -4,7 +4,7 @@
 
 import "pe"
 
-rule APT_DeputyDog_Fexel
+rule APT_DeputyDog_Fexel : APT DeputyDog
 {
 meta:
 	author = "ThreatConnect Intelligence Research Team"
@@ -18,7 +18,7 @@ condition:
 	any of them
 }
 
-rule APT_DeputyDog
+rule APT_DeputyDog : APT DeputyDog
 {
     meta:
         Author      = "FireEye Labs"

malware/APT_Derusbi.yar

@@ -5,7 +5,7 @@
 
 import "pe"
 
-rule apt_nix_elf_derusbi
+rule apt_nix_elf_derusbi : APT Derusbi ELF
 {
         meta:
         Author = "@seifreed"
@@ -51,7 +51,7 @@ rule apt_nix_elf_derusbi
 	condition:
 		(uint32(0) == 0x4464c457f) and (all of them)
 }
-rule apt_nix_elf_derusbi_kernelModule
+rule apt_nix_elf_derusbi_kernelModule : APT Derusbi ELF
 {
 	meta:
         Author = "@seifreed"
@@ -80,7 +80,7 @@ rule apt_nix_elf_derusbi_kernelModule
 	condition:
 		(uint32(0) == 0x4464c457f) and (all of them)
 }
-rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
+rule apt_nix_elf_Derusbi_Linux_SharedMemCreation : APT Derusbi ELF
 {
 	meta:
         Author = "@seifreed"
@@ -90,7 +90,7 @@ rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
 		(uint32(0) == 0x464C457F) and (any of them)
 }
 
-rule apt_nix_elf_Derusbi_Linux_Strings
+rule apt_nix_elf_Derusbi_Linux_Strings : APT Derusbi ELF
 {
 	meta:
         Author = "@seifreed"
@@ -117,7 +117,7 @@ rule apt_nix_elf_Derusbi_Linux_Strings
 		all of ($b*))
 }
 
-rule apt_win_exe_trojan_derusbi
+rule apt_win_exe_trojan_derusbi : APT Derusbi 
 {
    meta:
           Author = "@seifreed"
@@ -179,7 +179,7 @@ rule apt_win_exe_trojan_derusbi
 }
 
 
-rule Trojan_Derusbi {
+rule Trojan_Derusbi : APT Derusbi  {
     meta:
         Author = "RSA_IR"
         Date     = "4Sept13"
@@ -200,7 +200,7 @@ rule Trojan_Derusbi {
         2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8)
 }
 
-rule APT_Derusbi_DeepPanda
+rule APT_Derusbi_DeepPanda : APT Derusbi ELF DeepPanda
 {
 meta:
 	author = "ThreatConnect Intelligence Research Team"
@@ -212,7 +212,7 @@ condition:
 }
 
 
-rule APT_Derusbi_Gen
+rule APT_Derusbi_Gen : APT Derusbi 
 {
 meta:
 	author = "ThreatConnect Intelligence Research Team"
@@ -240,7 +240,7 @@ condition:
 	Identifier: Derusbi Dez 2015
 */
 
-rule derusbi_kernel
+rule derusbi_kernel : APT Derusbi 
 {
     meta:
         description = "Derusbi Driver version"
@@ -256,7 +256,7 @@ rule derusbi_kernel
         $MZ at 0 and $token1 and $token2 and $cfg and $class
 }
 
-rule derusbi_linux
+rule derusbi_linux  : APT Derusbi ELF
 {
     meta:
         description = "Derusbi Server Linux version"
@@ -279,7 +279,7 @@ rule derusbi_linux
 	Identifier: Derusbi Dez 2015
 */
 
-rule Derusbi_Kernel_Driver_WD_UDFS {
+rule Derusbi_Kernel_Driver_WD_UDFS : APT Derusbi  {
 	meta:
 		description = "Detects Derusbi Kernel Driver"
 		author = "Florian Roth"
@@ -310,7 +310,7 @@ rule Derusbi_Kernel_Driver_WD_UDFS {
       )
 }
 
-rule Derusbi_Code_Signing_Cert {
+rule Derusbi_Code_Signing_Cert : APT Derusbi  {
 	meta:
 		description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious"
 		author = "Florian Roth"
@@ -325,7 +325,7 @@ rule Derusbi_Code_Signing_Cert {
       uint16(0) == 0x5a4d and filesize < 800KB and 1 of them
 }
 
-rule XOR_4byte_Key {
+rule XOR_4byte_Key : APT Derusbi  {
 	meta:
 		description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)"
 		author = "Florian Roth"
@@ -347,3 +347,28 @@ rule XOR_4byte_Key {
    condition:
       uint16(0) == 0x5a4d and filesize < 900KB and all of them
 }
+
+rule apt_win32_dll_bergard_pgv_pvid_variant : Win32 Derusbi
+{
+
+    meta:
+        copyright = "Fidelis Cybersecurity"
+        reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
+    strings:
+        $ = "Accept:"
+        $ = "User-Agent: %s"
+        $ = "Host: %s:%d"
+        $ = "Cache-Control: no-cache"
+        $ = "Connection: Keep-Alive"
+        $ = "Cookie: pgv_pvid="
+        $ = "Content-Type: application/x-octet-stream"
+        $ = "User-Agent: %s"
+        $ = "Host: %s:%d"
+        $ = "Pragma: no-cache"
+        $ = "Connection: Keep-Alive"
+        $ = "HTTP/1.0"
+
+    condition:
+
+        (uint16(0) == 0x5A4D) and (all of them)
+}

malware/Equation.yar → malware/APT_Equation.yar

@@ -7,7 +7,7 @@ import "pe"
 
 /* Equation APT ------------------------------------------------------------ */
 
-rule apt_equation_exploitlib_mutexes {
+rule apt_equation_exploitlib_mutexes : mutex {
     meta:
         copyright = "Kaspersky Lab"
         description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
@@ -59,7 +59,7 @@ rule apt_equation_equationlaser_runtimeclasses {
 	    any of them
 }
 
-rule apt_equation_cryptotable {
+rule apt_equation_cryptotable : crypto {
 	meta:
 	    copyright = "Kaspersky Lab"
 	    description = "Rule to detect the crypto library used in Equation group malware"

malware/APT_HackingTeam.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
 */
 
-rule bin_ndisk {
+rule bin_ndisk : disk HackingTeam {
 	meta:
 		description = "Hacking Team Disclosure Sample - file ndisk.sys"
 		author = "Florian Roth"
@@ -22,7 +22,7 @@ rule bin_ndisk {
 		uint16(0) == 0x5a4d and filesize < 30KB and 6 of them
 }
 
-rule Hackingteam_Elevator_DLL {
+rule Hackingteam_Elevator_DLL : dll HackingTeam {
 	meta:
 		description = "Hacking Team Disclosure Sample - file elevator.dll"
 		author = "Florian Roth"
@@ -44,7 +44,7 @@ rule Hackingteam_Elevator_DLL {
 		uint16(0) == 0x5a4d and filesize < 1000KB and 6 of them
 }
 
-rule HackingTeam_Elevator_EXE {
+rule HackingTeam_Elevator_EXE : HackingTeam {
 	meta:
 		description = "Hacking Team Disclosure Sample - file elevator.exe"
 		author = "Florian Roth"
@@ -70,3 +70,70 @@ rule HackingTeam_Elevator_EXE {
 	condition:
 		uint16(0) == 0x5a4d and filesize < 3000KB and all of ($x*) and 3 of ($s*)
 }
+import "pe"
+
+rule RCS_Backdoor
+{
+    meta:
+        description = "Hacking Team RCS Backdoor"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $filter1 = "$debug3"
+        $filter2 = "$log2"
+        $filter3 = "error2"
+
+        $debug1 = /\- (C)hecking components/ wide ascii
+        $debug2 = /\- (A)ctivating hiding system/ wide ascii
+        $debug3 = /(f)ully operational/ wide ascii
+
+        $log1 = /\- Browser activity \(FF\)/ wide ascii
+        $log2 = /\- Browser activity \(IE\)/ wide ascii
+        
+        // Cause false positives.
+        //$log3 = /\- About to call init routine at %p/ wide ascii
+        //$log4 = /\- Calling init routine at %p/ wide ascii
+
+        $error1 = /\[Unable to deploy\]/ wide ascii
+        $error2 = /\[The system is already monitored\]/ wide ascii
+
+    condition:
+        (2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*)
+}
+
+rule RCS_Scout
+{
+    meta:
+        description = "Hacking Team RCS Scout"
+	author = "botherder https://github.com/botherder"
+
+    strings:
+        $filter1 = "$engine5"
+        $filter2 = "$start4"
+        $filter3 = "$upd2"
+        $filter4 = "$lookma6"
+
+        $engine1 = /(E)ngine started/ wide ascii
+        $engine2 = /(R)unning in background/ wide ascii
+        $engine3 = /(L)ocking doors/ wide ascii
+        $engine4 = /(R)otors engaged/ wide ascii
+        $engine5 = /(I)\'m going to start it/ wide ascii
+
+        $start1 = /Starting upgrade\!/ wide ascii
+        $start2 = /(I)\'m going to start the program/ wide ascii
+        $start3 = /(i)s it ok\?/ wide ascii
+        $start4 = /(C)lick to start the program/ wide ascii
+
+        $upd1 = /(U)pdJob/ wide ascii
+        $upd2 = /(U)pdTimer/ wide ascii
+
+        $lookma1 = /(O)wning PCI bus/ wide
+        $lookma2 = /(F)ormatting bios/ wide
+        $lookma3 = /(P)lease insert a disk in drive A:/ wide
+        $lookma4 = /(U)pdating CPU microcode/ wide
+        $lookma5 = /(N)ot sure what's happening/ wide
+        $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide        
+
+    condition:
+        (all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*)
+}

malware/APT_Irontiger_Trendmicro.yar → malware/APT_Irontiger.yar

@@ -16,7 +16,7 @@ rule IronTiger_ASPXSpy
 		any of ($str*)
 }
 
-rule IronTiger_ChangePort_Toolkit_driversinstall
+rule IronTiger_ChangePort_Toolkit_driversinstall : driver 
 {
 	meta:
 		author = "Cyber Safety Solutions, Trend Micro"
@@ -31,7 +31,7 @@ rule IronTiger_ChangePort_Toolkit_driversinstall
 		uint16(0) == 0x5a4d and (2 of ($str*))
 }
 
-rule IronTiger_ChangePort_Toolkit_ChangePortExe
+rule IronTiger_ChangePort_Toolkit_ChangePortExe : Toolkit
 {
 	meta:
 		author = "Cyber Safety Solutions, Trend Micro"
@@ -47,7 +47,7 @@ rule IronTiger_ChangePort_Toolkit_ChangePortExe
 		uint16(0) == 0x5a4d and (2 of ($str*))
 }
 
-rule IronTiger_dllshellexc2010
+rule IronTiger_dllshellexc2010 : Backdoor
 {
 	meta:
 		author = "Cyber Safety Solutions, Trend Micro"
@@ -63,7 +63,7 @@ rule IronTiger_dllshellexc2010
 		(uint16(0) == 0x5a4d) and ((any of ($str*)) or (all of ($bla*)))
 }
 
-rule IronTiger_dnstunnel
+rule IronTiger_dnstunnel : Tunnel
 {
 	meta:
 		author = "Cyber Safety Solutions, Trend Micro"
@@ -83,7 +83,7 @@ rule IronTiger_dnstunnel
 		(uint16(0) == 0x5a4d) and ((any of ($str*)) or (any of ($mistake*)))
 }
 
-rule IronTiger_EFH3_encoder
+rule IronTiger_EFH3_encoder : Encoder
 {
 	meta:
 		author = "Cyber Safety Solutions, Trend Micro"
@@ -144,7 +144,7 @@ rule IronTiger_Gh0stRAT_variant
 		uint16(0) == 0x5a4d and (any of ($str*))
 }
 
-rule IronTiger_GTalk_Trojan
+rule IronTiger_GTalk_Trojan : trojan
 {
 	meta:
 		author = "Cyber Safety Solutions, Trend Micro"
@@ -159,7 +159,7 @@ rule IronTiger_GTalk_Trojan
 		uint16(0) == 0x5a4d and (2 of ($str*))
 }
 
-rule IronTiger_HTTPBrowser_Dropper
+rule IronTiger_HTTPBrowser_Dropper : Dropper
 {
 	meta:
 		author = "Cyber Safety Solutions, Trend Micro"
@@ -189,7 +189,7 @@ rule IronTiger_HTTP_SOCKS_Proxy_soexe
 		uint16(0) == 0x5a4d and (3 of ($str*))
 }
 
-rule IronTiger_NBDDos_Gh0stvariant_dropper
+rule IronTiger_NBDDos_Gh0stvariant_dropper : Dropper
 {
 	meta:
 		author = "Cyber Safety Solutions, Trend Micro"
@@ -305,3 +305,148 @@ rule IronTiger_wmiexec
 	condition:
 		2 of ($str*)
 }
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2015-09-16
+	Identifier: Iron Panda
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule IronPanda_DNSTunClient {
+	meta:
+		description = "Iron Panda malware DnsTunClient - file named.exe"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		score = 80
+		hash = "a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431"
+	strings:
+		$s1 = "dnstunclient -d or -domain <domain>" fullword ascii
+		$s2 = "dnstunclient -ip <server ip address>" fullword ascii
+		$s3 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"\\Microsoft\\Windows\\PLA\\System\\Microsoft Windows\" /tr " fullword ascii
+		$s4 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"Microsoft Windows\" /tr " fullword ascii
+		$s5 = "taskkill /im conime.exe" fullword ascii
+		$s6 = "\\dns control\\t-DNSTunnel\\DnsTunClient\\DnsTunClient.cpp" fullword ascii
+		$s7 = "UDP error:can not bing the port(if there is unclosed the bind process?)" fullword ascii
+		$s8 = "use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s)" fullword ascii
+		$s9 = "error: packet num error.the connection have condurt,pls try later" fullword ascii
+		$s10 = "Coversation produce one error:%s,coversation fail" fullword ascii
+		$s11 = "try to add many same pipe to select group(or mark is too easy)." fullword ascii
+	condition:
+		( uint16(0) == 0x5a4d and filesize < 400KB and 2 of them ) 
+		or
+		5 of them
+}
+
+rule IronPanda_Malware1 {
+	meta:
+		description = "Iron Panda Malware"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a"
+	strings:
+		$x1 = "activedsimp.dll" fullword wide
+		$s1 = "get_BadLoginAddress" fullword ascii
+		$s2 = "get_LastFailedLogin" fullword ascii
+		$s3 = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" fullword ascii
+		$s4 = "get_PasswordExpirationDate" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 300KB and all of them
+}
+
+rule IronPanda_Webshell_JSP {
+	meta:
+		description = "Iron Panda Malware JSP"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6"
+	strings:
+		$s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
+		$s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" fullword ascii
+		$s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" fullword ascii
+	condition:
+		filesize < 330KB and 1 of them
+}
+
+rule IronPanda_Malware_Htran {
+	meta:
+		description = "Iron Panda Malware Htran"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
+	strings:
+		$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
+		$s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
+		$s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
+		$s4 = "[-] ERROR: Must supply logfile name." fullword ascii
+		$s5 = "[SERVER]connection to %s:%d error" fullword ascii
+		$s6 = "[+] Make a Connection to %s:%d...." fullword ascii
+		$s7 = "[+] Waiting another Client on port:%d...." fullword ascii
+		$s8 = "[+] Accept a Client on port %d from %s" fullword ascii
+		$s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
+		$s10 = "cmshared_get_ptr_from_atom" fullword ascii
+		$s11 = "_cmshared_get_ptr_from_atom" fullword ascii
+		$s12 = "[+] OK! I Closed The Two Socket." fullword ascii
+		$s13 = "[-] TransmitPort invalid." fullword ascii
+		$s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
+	condition:
+		 ( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them ) 
+		 or 
+		 5 of them
+}
+
+rule IronPanda_Malware2 {
+	meta:
+		description = "Iron Panda Malware"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91"
+	strings:
+		$s0 = "\\setup.exe" fullword ascii
+		$s1 = "msi.dll.urlUT" fullword ascii
+		$s2 = "msi.dllUT" fullword ascii
+		$s3 = "setup.exeUT" fullword ascii
+		$s4 = "/c del /q %s" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 180KB and all of them
+}
+
+rule IronPanda_Malware3 {
+	meta:
+		description = "Iron Panda Malware"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742"
+	strings:
+		$s0 = "PluginDeflater.exe" fullword wide
+		$s1 = ".Deflated" fullword wide
+		$s2 = "PluginDeflater" fullword ascii
+		$s3 = "DeflateStream" fullword ascii /* Goodware String - occured 1 times */
+		$s4 = "CompressionMode" fullword ascii /* Goodware String - occured 4 times */
+		$s5 = "System.IO.Compression" fullword ascii /* Goodware String - occured 6 times */
+	condition:
+		uint16(0) == 0x5a4d and filesize < 10KB and all of them
+}
+
+rule IronPanda_Malware4 {
+	meta:
+		description = "Iron Panda Malware"
+		author = "Florian Roth"
+		reference = "https://goo.gl/E4qia9"
+		date = "2015-09-16"
+		hash = "0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c"
+	strings:
+		$s0 = "TestPlugin.dll" fullword wide
+		$s1 = "<a href='http://www.baidu.com'>aasd</a>" fullword wide
+		$s2 = "Zcg.Test.AspxSpyPlugins" fullword ascii
+		$s6 = "TestPlugin" fullword ascii
+	condition:
+		uint16(0) == 0x5a4d and filesize < 10KB and all of them
+}

malware/APT_TidePool.yar → malware/APT_Ke3Chang_TidePool.yar

@@ -10,7 +10,7 @@
 	Identifier: TidePool (Ke3chang)
 */
 
-rule TidePool_Malware {
+rule TidePool_Malware : Ke3Chang {
 	meta:
 		description = "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks"
 		author = "Florian Roth"

malware/KeyBoy.yar → malware/APT_KeyBoy.yar

@@ -5,7 +5,7 @@
 
 import "pe"
 
-rule KeyBoy_Dropper  
+rule KeyBoy_Dropper  : dropper
 {  
     meta:
         Author      = "Rapid7 Labs"
@@ -25,7 +25,7 @@ rule KeyBoy_Dropper
         all of them  
 }
 
-rule KeyBoy_Backdoor  
+rule KeyBoy_Backdoor  : Backdoor APT
 {
     meta:
         Author      = "Rapid7 Labs"

malware/APT_NGO_wuaclt.yar → malware/APT_NGO.yar

@@ -25,7 +25,7 @@ rule APT_NGO_wuaclt
     ($a and $b and $c) or ($d and $e) or ($f and $g and $h)
 }
 
-rule APT_NGO_wuaclt_PDF
+rule APT_NGO_wuaclt_PDF : PDF
 {
     	meta:
         	author = "AlienVault Labs"

malware/APT_OPCleaver.yar

@@ -18,7 +18,7 @@ rule ZhoupinExploitCrew
   	1 of them
 }
 
-rule BackDoorLogger
+rule BackDoorLogger : Backdoor APT
 {
   meta:
     author = "Cylance"
@@ -31,7 +31,7 @@ rule BackDoorLogger
     all of them
 }
 
-rule Jasus
+rule Jasus : APT 
 {
   meta:
     author = "Cylance"
@@ -134,7 +134,7 @@ rule TinyZBot
     ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
 }
 
-rule antivirusdetector
+rule antivirusdetector : antivirus
 {
   meta:
     author = "Cylance"
@@ -175,7 +175,7 @@ rule kagent
     all of them
 }
 
-rule mimikatzWrapper
+rule mimikatzWrapper : Toolkit
 {
   meta:
     author = "Cylance"
@@ -253,7 +253,7 @@ rule zhLookUp
     all of them
 }
 
-rule zhmimikatz
+rule zhmimikatz : Toolkit
 {
   meta:
     author = "Cylance"
@@ -277,3 +277,333 @@ rule Zh0uSh311
   condition:
   	all of them
 }
+import "pe"
+
+
+rule OPCLEAVER_BackDoorLogger
+{
+	meta:
+		description = "Keylogger used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "BackDoorLogger"
+		$s2 = "zhuAddress"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_Jasus
+{
+	meta:
+		description = "ARP cache poisoner used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "pcap_dump_open"
+		$s2 = "Resolving IPs to poison..."
+		$s3 = "WARNNING: Gateway IP can not be found"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_LoggerModule
+{
+	meta:
+		description = "Keylogger used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "%s-%02d%02d%02d%02d%02d.r"
+		$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_NetC
+{
+	meta:
+		description = "Net Crawler used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "NetC.exe" wide
+		$s2 = "Net Service"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_ShellCreator2
+{
+	meta:
+		description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "ShellCreator2.Properties"
+		$s2 = "set_IV"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_SmartCopy2
+{
+	meta:
+		description = "Malware or hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "SmartCopy2.Properties"
+		$s2 = "ZhuFrameWork"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_SynFlooder
+{
+	meta:
+		description = "Malware or hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
+		$s2 = "your target’s IP is : %s"
+		$s3 = "Raw TCP Socket Created successfully."
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_TinyZBot
+{
+	meta:
+		description = "Tiny Bot used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "NetScp" wide
+		$s2 = "TinyZBot.Properties.Resources.resources"
+		$s3 = "Aoao WaterMark"
+		$s4 = "Run_a_exe"
+		$s5 = "netscp.exe"
+		$s6 = "get_MainModule_WebReference_DefaultWS"
+		$s7 = "remove_CheckFileMD5Completed"
+		$s8 = "http://tempuri.org/"
+		$s9 = "Zhoupin_Cleaver"
+	condition:
+		(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
+}
+
+rule OPCLEAVER_ZhoupinExploitCrew
+{
+	meta:
+		description = "Keywords used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "zhoupin exploit crew" nocase
+		$s2 = "zhopin exploit crew" nocase
+	condition:
+		1 of them
+}
+
+rule OPCLEAVER_antivirusdetector
+{
+	meta:
+		description = "Hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "getShadyProcess"
+		$s2 = "getSystemAntiviruses"
+		$s3 = "AntiVirusDetector"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_csext
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "COM+ System Extentions"
+		$s2 = "csext.exe"
+		$s3 = "COM_Extentions_bin"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_kagent
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "kill command is in last machine, going back"
+		$s2 = "message data length in B64: %d Bytes"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_mimikatzWrapper
+{
+	meta:
+		description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "mimikatzWrapper"
+		$s2 = "get_mimikatz"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_pvz_in
+{
+	meta:
+		description = "Parviz tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "LAST_TIME=00/00/0000:00:00PM$"
+		$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_pvz_out
+{
+	meta:
+		description = "Parviz tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Network Connectivity Module" wide
+		$s2 = "OSPPSVC" wide
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_wndTest
+{
+	meta:
+		description = "Backdoor used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "[Alt]" wide
+		$s2 = "<< %s >>:" wide
+		$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhCat
+{
+	meta:
+		description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
+		$s2 = "ABC ( A Big Company )" wide fullword
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhLookUp
+{
+	meta:
+		description = "Hack tool used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "zhLookUp.Properties"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_zhmimikatz
+{
+	meta:
+		description = "Mimikatz wrapper used by attackers in Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Cylance Inc."
+		score = "70"
+	strings:
+		$s1 = "MimikatzRunner"
+		$s2 = "zhmimikatz"
+	condition:
+		all of them
+}
+
+rule OPCLEAVER_Parviz_Developer
+{
+	meta:
+		description = "Parviz developer known from Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Florian Roth"
+		score = "70"
+	strings:
+		$s1 = "Users\\parviz\\documents\\" nocase
+	condition:
+		$s1 
+}
+
+rule OPCLEAVER_CCProxy_Config
+{
+	meta:
+		description = "CCProxy config known from Operation Cleaver"
+		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+		date = "2014/12/02"
+		author = "Florian Roth"
+		score = "70"
+	strings:
+		$s1 = "UserName=User-001" fullword ascii
+		$s2 = "Web=1" fullword ascii
+		$s3 = "Mail=1" fullword ascii
+		$s4 = "FTP=0" fullword ascii
+		$x1 = "IPAddressLow=78.109.194.114" fullword ascii
+	condition:
+		all of ($s*) or $x1 
+}

malware/APT_pcclient.yar → malware/APT_PCclient.yar

@@ -5,7 +5,7 @@
 
 import "pe"
 
-rule backdoor_apt_pcclient
+rule backdoor_apt_pcclient : Backdoor Dropper
 {
 meta:
 	author = "@patrickrolsen"

malware/APT_Win_Pipcreat.yar → malware/APT_Pipcreat.yar

@@ -3,7 +3,7 @@
 
 */
 
-rule APT_Win_Pipcreat { 
+rule APT_Win_Pipcreat : pe dll backdoor { 
   meta: 
     author = "chort (@chort0)"
     description = "APT backdoor Pipcreat"

malware/APT_putterpanda.yar → malware/APT_PutterPanda.yar

@@ -125,7 +125,7 @@ rule APT_Malware_PutterPanda_Gen1 {
 		uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
 }
 
-rule Malware_MsUpdater_String_in_EXE {
+rule Malware_MsUpdater_String_in_EXE : PutterPanda {
 	meta:
 		description = "MSUpdater String in Executable"
 		author = "Florian Roth"

malware/APT_Ruag.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-/*
-  Yara Rule Set
-  Author: Florian Roth
-  Date: 2016-05-23
-  Identifier: Swiss RUAG APT Case
-  Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case 
-*/
-
-rule RUAG_Tavdig_Malformed_Executable {
-  meta:
-    description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
-    author = "Florian Roth"
-    reference = "https://goo.gl/N5MEj0"
-    score = 60
-  condition:
-    uint16(0) == 0x5a4d and /* MZ Header */
-    uint32(uint32(0x3C)) == 0x0000AD0B /* malformed PE header > 0x0bad */
-}
-
-rule RUAG_Bot_Config_File {
-  meta:
-    description = "Detects a specific config file used by malware in RUAG APT case"
-    author = "Florian Roth"
-    reference = "https://goo.gl/N5MEj0"
-    score = 60
-  strings:
-    $s1 = "[CONFIG]" ascii
-    $s2 = "name = " ascii
-    $s3 = "exe = cmd.exe" ascii
-  condition:
-    $s1 at 0 and $s2 and $s3 and filesize < 160 
-}
-
-rule RUAG_Cobra_Malware {
-  meta:
-    description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
-    author = "Florian Roth"
-    reference = "https://goo.gl/N5MEj0"
-    score = 60
-  strings:
-    $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
-  condition:
-    uint16(0) == 0x5a4d and $s1
-}
-
-rule RUAG_Cobra_Config_File {
-  meta:
-    description = "Detects a config text file used by malware Cobra in RUAG case"
-    author = "Florian Roth"
-    reference = "https://goo.gl/N5MEj0"
-    score = 60
-  strings:
-    $h1 = "[NAME]" ascii
-
-    $s1 = "object_id=" ascii
-    $s2 = "[TIME]" ascii fullword
-    $s3 = "lastconnect" ascii 
-    $s4 = "[CW_LOCAL]" ascii fullword
-    $s5 = "system_pipe" ascii
-    $s6 = "user_pipe" ascii
-    $s7 = "[TRANSPORT]" ascii
-    $s8 = "run_task_system" ascii
-    $s9 = "[WORKDATA]" ascii 
-    $s10 = "address1" ascii
-  condition:
-    $h1 at 0 and 8 of ($s*) and filesize < 5KB
-}
-
-rule RUAG_Exfil_Config_File {
-  meta:
-    description = "Detects a config text file used in data exfiltration in RUAG case"
-    author = "Florian Roth"
-    reference = "https://goo.gl/N5MEj0"
-    score = 60
-  strings:
-    $h1 = "[TRANSPORT]" ascii
-
-    $s1 = "system_pipe" ascii
-    $s2 = "spstatus" ascii
-    $s3 = "adaptable" ascii 
-    $s4 = "post_frag" ascii
-    $s5 = "pfsgrowperiod" ascii
-  condition:
-    $h1 at 0 and all of ($s*) and filesize < 1KB
-}

malware/APT_Sofacy_xtunnel_bundestag.yar → malware/APT_Sofacy_Bundestag.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule apt_sofacy_xtunnel {
+rule apt_sofacy_xtunnel : APT28 Sofacy {
     meta:
         author = "Claudio Guarnieri"
         description = "Sofacy Malware - German Bundestag"
@@ -24,7 +24,7 @@ rule apt_sofacy_xtunnel {
         ((uint16(0) == 0x5A4D) or (uint16(0) == 0xCFD0)) and (($xaps) or (all of ($variant1*)) or (all of ($variant2*)) or (6 of ($mix*))) 
 }
 
-rule Sofacy_Bundestag_Winexe {
+rule Sofacy_Bundestag_Winexe : APT28 Sofacy {
     meta:
         description = "Winexe tool used by Sofacy group in Bundestag APT"
         author = "Florian Roth"
@@ -39,7 +39,7 @@ rule Sofacy_Bundestag_Winexe {
         uint16(0) == 0x5a4d and filesize < 115KB and all of them
 }
 
-rule Sofacy_Bundestag_Mal2 {
+rule Sofacy_Bundestag_Mal2 : APT28 Sofacy {
     meta:
         description = "Sofacy Group Malware Sample 2"
         author = "Florian Roth"
@@ -56,7 +56,7 @@ rule Sofacy_Bundestag_Mal2 {
         uint16(0) == 0x5a4d and ( 1 of ($x*) ) and $s1
 }
 
-rule Sofacy_Bundestag_Mal3 {
+rule Sofacy_Bundestag_Mal3 : APT28 Sofacy {
     meta:
         description = "Sofacy Group Malware Sample 3"
         author = "Florian Roth"
@@ -85,7 +85,7 @@ rule Sofacy_Bundestag_Mal3 {
         ) 
 }
 
-rule Sofacy_Bundestag_Batch {
+rule Sofacy_Bundestag_Batch : APT28 Sofacy {
     meta:
         description = "Sofacy Bundestags APT Batch Script"
         author = "Florian Roth"

malware/APT_Sofacy_Fysbis.yar

@@ -9,7 +9,7 @@
 	Identifier: Sofacy Fysbis
 */
 
-rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
+rule Sofacy_Fybis_ELF_Backdoor_Gen1 : Sofacy Linux Backdoor APT APT28 {
 	meta:
 		description = "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1"
 		author = "Florian Roth"
@@ -34,7 +34,7 @@ rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
 		( 1 of ($x*) and 3 of ($s*) )
 }
 
-rule Sofacy_Fysbis_ELF_Backdoor_Gen2 {
+rule Sofacy_Fysbis_ELF_Backdoor_Gen2  : Sofacy Linux Backdoor APT APT28 {
 	meta:
 		description = "Detects Sofacy Fysbis Linux Backdoor"
 		author = "Florian Roth"

malware/APT_Sofacy_jun16.yar → malware/APT_Sofacy_Jun16.yar

@@ -7,7 +7,7 @@
 
 /* Rule Set ----------------------------------------------------------------- */
 
-rule Sofacy_Jun16_Sample1 {
+rule Sofacy_Jun16_Sample1  : Sofacy APT APT28  {
 	meta:
 		description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
 		author = "Florian Roth"
@@ -22,7 +22,7 @@ rule Sofacy_Jun16_Sample1 {
 		( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($s*) ) ) or ( all of them )
 }
 
-rule Sofacy_Jun16_Sample2 {
+rule Sofacy_Jun16_Sample2  : Sofacy APT APT28  {
 	meta:
 		description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
 		author = "Florian Roth"
@@ -44,7 +44,7 @@ rule Sofacy_Jun16_Sample2 {
 		( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($x*) ) ) or ( 3 of them )
 }
 
-rule Sofacy_Jun16_Sample3 {
+rule Sofacy_Jun16_Sample3  : Sofacy APT APT28 {
 	meta:
 		description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
 		author = "Florian Roth"

malware/APT_Terracota.yar

@@ -100,3 +100,34 @@ rule LiuDoor_Malware_2 {
 	condition:
 		uint16(0) == 0x5a4d and filesize < 100KB and all of them
 }
+
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule liudoor : Backdoor
+{
+meta:
+        author = "RSA FirstWatch"
+        date = "2015-07-23"
+        description = "Detects Liudoor daemon backdoor"
+        hash0 = "78b56bc3edbee3a425c96738760ee406"
+        hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
+        hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
+        hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
+        hash4 = "6093505c7f7ec25b1934d3657649ef07"
+        type = "Win32 DLL"
+
+strings:
+        $string0 = "Succ"
+        $string1 = "Fail"
+        $string2 = "pass"
+        $string3 = "exit"
+        $string4 = "svchostdllserver.dll"
+        $string5 = "L$,PQR"
+        $string6 = "0/0B0H0Q0W0k0"
+        $string7 = "QSUVWh"
+        $string8 = "Ht Hu["
+condition:
+        all of them
+}

malware/APT_Terracota_Liudoor.yar

-
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-rule liudoor
-{
-meta:
-        author = "RSA FirstWatch"
-        date = "2015-07-23"
-        description = "Detects Liudoor daemon backdoor"
-        hash0 = "78b56bc3edbee3a425c96738760ee406"
-        hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
-        hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
-        hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
-        hash4 = "6093505c7f7ec25b1934d3657649ef07"
-        type = "Win32 DLL"
-
-strings:
-        $string0 = "Succ"
-        $string1 = "Fail"
-        $string2 = "pass"
-        $string3 = "exit"
-        $string4 = "svchostdllserver.dll"
-        $string5 = "L$,PQR"
-        $string6 = "0/0B0H0Q0W0k0"
-        $string7 = "QSUVWh"
-        $string8 = "Ht Hu["
-condition:
-        all of them
-}

malware/APT_threatgroup_3390.yar → malware/APT_ThreatGroup3390.yar

@@ -9,7 +9,7 @@
 	Identifier: Threat Group 3390
 */
 
-rule HttpBrowser_RAT_dropper_Gen1 {
+rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT {
 	meta:
 		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
 		author = "Florian Roth"
@@ -49,7 +49,7 @@ rule HttpBrowser_RAT_dropper_Gen1 {
 		uint16(0) == 0x5a4d and filesize < 400KB and all of ($x*) and 1 of ($op*)
 }
 
-rule HttpBrowser_RAT_Sample1 {
+rule HttpBrowser_RAT_Sample1  : RAT APT  {
 	meta:
 		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
 		author = "Florian Roth"
@@ -64,7 +64,7 @@ rule HttpBrowser_RAT_Sample1 {
 		uint16(0) == 0x5a4d and filesize < 100KB and $s0
 }
 
-rule HttpBrowser_RAT_Sample2 {
+rule HttpBrowser_RAT_Sample2  : RAT APT {
 	meta:
 		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
 		author = "Florian Roth"
@@ -81,7 +81,7 @@ rule HttpBrowser_RAT_Sample2 {
 		uint16(0) == 0x5a4d and filesize < 250KB and all of them
 }
 
-rule HttpBrowser_RAT_Gen {
+rule HttpBrowser_RAT_Gen : RAT APT  {
 	meta:
 		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic"
 		author = "Florian Roth"
@@ -119,7 +119,7 @@ rule HttpBrowser_RAT_Gen {
 		uint16(0) == 0x5a4d and filesize < 45KB and filesize > 20KB and all of them
 }
 
-rule PlugX_NvSmartMax_Gen {
+rule PlugX_NvSmartMax_Gen : PlugX APT {
 	meta:
 		description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
 		author = "Florian Roth"
@@ -147,7 +147,7 @@ rule PlugX_NvSmartMax_Gen {
 		uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*)
 }
 
-rule HttpBrowser_RAT_dropper_Gen2 {
+rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT {
 	meta:
 		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
 		author = "Florian Roth"
@@ -174,7 +174,7 @@ rule HttpBrowser_RAT_dropper_Gen2 {
 		uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*)
 }
 
-rule ThreatGroup3390_Strings {
+rule ThreatGroup3390_Strings : APT {
 	meta:
 		description = "Threat Group 3390 APT - Strings"
 		author = "Florian Roth"
@@ -191,7 +191,7 @@ rule ThreatGroup3390_Strings {
 		1 of them and filesize < 30KB
 }
 
-rule ThreatGroup3390_C2 {
+rule ThreatGroup3390_C2 : C2 APT {
 	meta:
 		description = "Threat Group 3390 APT - C2 Server"
 		author = "Florian Roth"

malware/APT_Turla_RUAG.yar

@@ -144,3 +144,109 @@ rule Turla_APT_Malware_Gen3 {
 		( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 6 of ($s*) ) )
 		or ( 10 of them )
 }
+/*
+  Yara Rule Set
+  Author: Florian Roth
+  Date: 2016-05-23
+  Identifier: Swiss RUAG APT Case
+  Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case 
+*/
+
+rule RUAG_Tavdig_Malformed_Executable {
+  meta:
+    description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  condition:
+    uint16(0) == 0x5a4d and /* MZ Header */
+    uint32(uint32(0x3C)) == 0x0000AD0B /* malformed PE header > 0x0bad */
+}
+
+rule RUAG_Bot_Config_File {
+  meta:
+    description = "Detects a specific config file used by malware in RUAG APT case"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $s1 = "[CONFIG]" ascii
+    $s2 = "name = " ascii
+    $s3 = "exe = cmd.exe" ascii
+  condition:
+    $s1 at 0 and $s2 and $s3 and filesize < 160 
+}
+
+rule RUAG_Cobra_Malware {
+  meta:
+    description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii
+  condition:
+    uint16(0) == 0x5a4d and $s1
+}
+
+rule RUAG_Cobra_Config_File {
+  meta:
+    description = "Detects a config text file used by malware Cobra in RUAG case"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $h1 = "[NAME]" ascii
+
+    $s1 = "object_id=" ascii
+    $s2 = "[TIME]" ascii fullword
+    $s3 = "lastconnect" ascii 
+    $s4 = "[CW_LOCAL]" ascii fullword
+    $s5 = "system_pipe" ascii
+    $s6 = "user_pipe" ascii
+    $s7 = "[TRANSPORT]" ascii
+    $s8 = "run_task_system" ascii
+    $s9 = "[WORKDATA]" ascii 
+    $s10 = "address1" ascii
+  condition:
+    $h1 at 0 and 8 of ($s*) and filesize < 5KB
+}
+
+rule RUAG_Exfil_Config_File {
+  meta:
+    description = "Detects a config text file used in data exfiltration in RUAG case"
+    author = "Florian Roth"
+    reference = "https://goo.gl/N5MEj0"
+    score = 60
+  strings:
+    $h1 = "[TRANSPORT]" ascii
+
+    $s1 = "system_pipe" ascii
+    $s2 = "spstatus" ascii
+    $s3 = "adaptable" ascii 
+    $s4 = "post_frag" ascii
+    $s5 = "pfsgrowperiod" ascii
+  condition:
+    $h1 at 0 and all of ($s*) and filesize < 1KB
+}
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule WaterBug_turla_dll 
+{
+    meta:
+        description = "Symantec Waterbug Attack - Trojan Turla DLL"
+        author = "Symantec Security Response"
+        date = "22.01.2015"
+        reference = "http://www.symantec.com/connect/blogs/turla-spying-tool-targets-governments-and-diplomats"   
+
+    strings:
+        $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
+   
+    condition:
+        pe.exports("ee") and $a
+}

malware/APT_UP007_SLServer.yar

@@ -30,7 +30,7 @@ rule dubseven_file_set
         3 of ($file*)
 }
 
-rule dubseven_dropper_registry_checks
+rule dubseven_dropper_registry_checks : Dropper
 {
     meta:
         author = "Matt Brooks, @cmatthewbrooks"
@@ -55,7 +55,7 @@ rule dubseven_dropper_registry_checks
         all of ($reg*)
 }
 
-rule dubseven_dropper_dialog_remains
+rule dubseven_dropper_dialog_remains : Dropper
 {
     meta:
         author = "Matt Brooks, @cmatthewbrooks"
@@ -76,7 +76,7 @@ rule dubseven_dropper_dialog_remains
 }
         
 
-rule maindll_mutex
+rule maindll_mutex : Mutex
 {
     meta:
         author = "Matt Brooks, @cmatthewbrooks"
@@ -117,7 +117,7 @@ rule SLServer_dialog_remains
         $slserver
 }
 
-rule SLServer_mutex
+rule SLServer_mutex : Mutex
 {
     meta:
         author = "Matt Brooks, @cmatthewbrooks"
@@ -137,7 +137,7 @@ rule SLServer_mutex
         $mutex
 }
 
-rule SLServer_command_and_control
+rule SLServer_command_and_control : C2
 {
     meta:
         author = "Matt Brooks, @cmatthewbrooks"

malware/APT_unit78020_malware.yar → malware/APT_Unit78020.yar

@@ -64,7 +64,7 @@ rule Unit78020_Malware_Gen1 {
 
 }
 
-rule Unit78020_Malware_1 {
+rule Unit78020_Malware_1 : APT {
 	meta:
 		description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe"
 		author = "Florian Roth"

malware/Waterbug.yar → malware/APT_Waterbug.yar

@@ -5,7 +5,7 @@
 
 import "pe"
 
-rule WaterBug_wipbot_2013_core_PDF {
+rule WaterBug_wipbot_2013_core_PDF : PDF {
 	meta:
 		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
 		author = "Symantec Security Response"

malware/APT_Winnti.yar

@@ -132,3 +132,21 @@ rule Winnti_malware_StreamPortal_Gen {
 	condition:
 		uint16(0) == 0x5a4d and filesize < 275KB and all of them
 }
+rule WinntiPharma : Backdoor 
+{
+meta:
+	author = "Jose Ramon Palanco"
+	copyright = "Drainware, Inc."
+	date = "2015-06-23"
+	description = "Backdoor Win64 Winnti Pharma"
+	ref = "https://securelist.com/blog/research/70991/games-are-over/"
+
+strings:
+	$s0 = "Cookie: SN="
+	$s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}"
+	$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
+	$s3 = "master secret"
+	$s4 = "MyEngineNetEvent"
+condition:
+	all of ($s*)
+}

malware/APT_irontiger.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-/*
-	Yara Rule Set
-	Author: Florian Roth
-	Date: 2015-09-16
-	Identifier: Iron Panda
-*/
-
-/* Rule Set ----------------------------------------------------------------- */
-
-rule IronPanda_DNSTunClient {
-	meta:
-		description = "Iron Panda malware DnsTunClient - file named.exe"
-		author = "Florian Roth"
-		reference = "https://goo.gl/E4qia9"
-		date = "2015-09-16"
-		score = 80
-		hash = "a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431"
-	strings:
-		$s1 = "dnstunclient -d or -domain <domain>" fullword ascii
-		$s2 = "dnstunclient -ip <server ip address>" fullword ascii
-		$s3 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"\\Microsoft\\Windows\\PLA\\System\\Microsoft Windows\" /tr " fullword ascii
-		$s4 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"Microsoft Windows\" /tr " fullword ascii
-		$s5 = "taskkill /im conime.exe" fullword ascii
-		$s6 = "\\dns control\\t-DNSTunnel\\DnsTunClient\\DnsTunClient.cpp" fullword ascii
-		$s7 = "UDP error:can not bing the port(if there is unclosed the bind process?)" fullword ascii
-		$s8 = "use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s)" fullword ascii
-		$s9 = "error: packet num error.the connection have condurt,pls try later" fullword ascii
-		$s10 = "Coversation produce one error:%s,coversation fail" fullword ascii
-		$s11 = "try to add many same pipe to select group(or mark is too easy)." fullword ascii
-	condition:
-		( uint16(0) == 0x5a4d and filesize < 400KB and 2 of them ) 
-		or
-		5 of them
-}
-
-rule IronPanda_Malware1 {
-	meta:
-		description = "Iron Panda Malware"
-		author = "Florian Roth"
-		reference = "https://goo.gl/E4qia9"
-		date = "2015-09-16"
-		hash = "a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a"
-	strings:
-		$x1 = "activedsimp.dll" fullword wide
-		$s1 = "get_BadLoginAddress" fullword ascii
-		$s2 = "get_LastFailedLogin" fullword ascii
-		$s3 = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" fullword ascii
-		$s4 = "get_PasswordExpirationDate" fullword ascii
-	condition:
-		uint16(0) == 0x5a4d and filesize < 300KB and all of them
-}
-
-rule IronPanda_Webshell_JSP {
-	meta:
-		description = "Iron Panda Malware JSP"
-		author = "Florian Roth"
-		reference = "https://goo.gl/E4qia9"
-		date = "2015-09-16"
-		hash = "3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6"
-	strings:
-		$s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
-		$s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" fullword ascii
-		$s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" fullword ascii
-	condition:
-		filesize < 330KB and 1 of them
-}
-
-rule IronPanda_Malware_Htran {
-	meta:
-		description = "Iron Panda Malware Htran"
-		author = "Florian Roth"
-		reference = "https://goo.gl/E4qia9"
-		date = "2015-09-16"
-		hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
-	strings:
-		$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
-		$s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
-		$s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
-		$s4 = "[-] ERROR: Must supply logfile name." fullword ascii
-		$s5 = "[SERVER]connection to %s:%d error" fullword ascii
-		$s6 = "[+] Make a Connection to %s:%d...." fullword ascii
-		$s7 = "[+] Waiting another Client on port:%d...." fullword ascii
-		$s8 = "[+] Accept a Client on port %d from %s" fullword ascii
-		$s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
-		$s10 = "cmshared_get_ptr_from_atom" fullword ascii
-		$s11 = "_cmshared_get_ptr_from_atom" fullword ascii
-		$s12 = "[+] OK! I Closed The Two Socket." fullword ascii
-		$s13 = "[-] TransmitPort invalid." fullword ascii
-		$s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
-	condition:
-		 ( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them ) 
-		 or 
-		 5 of them
-}
-
-rule IronPanda_Malware2 {
-	meta:
-		description = "Iron Panda Malware"
-		author = "Florian Roth"
-		reference = "https://goo.gl/E4qia9"
-		date = "2015-09-16"
-		hash = "a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91"
-	strings:
-		$s0 = "\\setup.exe" fullword ascii
-		$s1 = "msi.dll.urlUT" fullword ascii
-		$s2 = "msi.dllUT" fullword ascii
-		$s3 = "setup.exeUT" fullword ascii
-		$s4 = "/c del /q %s" fullword ascii
-	condition:
-		uint16(0) == 0x5a4d and filesize < 180KB and all of them
-}
-
-rule IronPanda_Malware3 {
-	meta:
-		description = "Iron Panda Malware"
-		author = "Florian Roth"
-		reference = "https://goo.gl/E4qia9"
-		date = "2015-09-16"
-		hash = "5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742"
-	strings:
-		$s0 = "PluginDeflater.exe" fullword wide
-		$s1 = ".Deflated" fullword wide
-		$s2 = "PluginDeflater" fullword ascii
-		$s3 = "DeflateStream" fullword ascii /* Goodware String - occured 1 times */
-		$s4 = "CompressionMode" fullword ascii /* Goodware String - occured 4 times */
-		$s5 = "System.IO.Compression" fullword ascii /* Goodware String - occured 6 times */
-	condition:
-		uint16(0) == 0x5a4d and filesize < 10KB and all of them
-}
-
-rule IronPanda_Malware4 {
-	meta:
-		description = "Iron Panda Malware"
-		author = "Florian Roth"
-		reference = "https://goo.gl/E4qia9"
-		date = "2015-09-16"
-		hash = "0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c"
-	strings:
-		$s0 = "TestPlugin.dll" fullword wide
-		$s1 = "<a href='http://www.baidu.com'>aasd</a>" fullword wide
-		$s2 = "Zcg.Test.AspxSpyPlugins" fullword ascii
-		$s6 = "TestPlugin" fullword ascii
-	condition:
-		uint16(0) == 0x5a4d and filesize < 10KB and all of them
-}

malware/APT_win32_dll_bergard_pgv_pvid_variant.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-rule apt_win32_dll_bergard_pgv_pvid_variant
-{
-
-    meta:
-        copyright = "Fidelis Cybersecurity"
-        reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
-    strings:
-        $ = "Accept:"
-        $ = "User-Agent: %s"
-        $ = "Host: %s:%d"
-        $ = "Cache-Control: no-cache"
-        $ = "Connection: Keep-Alive"
-        $ = "Cookie: pgv_pvid="
-        $ = "Content-Type: application/x-octet-stream"
-        $ = "User-Agent: %s"
-        $ = "Host: %s:%d"
-        $ = "Pragma: no-cache"
-        $ = "Connection: Keep-Alive"
-        $ = "HTTP/1.0"
-
-    condition:
-
-        (uint16(0) == 0x5A4D) and (all of them)
-}

malware/APT_win32_dll_rat_hiZorRAT.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-rule apt_win32_dll_rat_hiZorRAT
-{             
-               meta:
-                              hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
-                              hash2 = "d9821468315ccd3b9ea03161566ef18e"
-                              hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
-                              ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
-                              ref2 = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
-                             
-               strings:
-                             
-                              // Part of the encoded User-Agent = Mozilla
-                              $ = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 } 
-                             
-                              // XOR to decode User-Agent after string stacking 0x10001630
-                              $ = { 66 [7] 0d 40 83 ?? ?? 7c ?? } 
-                             
-                              // XOR with 0x2E - 0x10002EF6
-                             
-                              $ = { 80 [2] 2e 40 3b ?? 72 ?? } 
-                             
-                              $ = "CmdProcessExited" wide ascii
-                              $ = "rootDir" wide ascii
-                              $ = "DllRegisterServer" wide ascii
-                              $ = "GetNativeSystemInfo" wide ascii
-                              $ = "%08x%08x%08x%08x" wide ascii
-                             
-               condition:
-                              (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)
-}

malware/Adwind_JAR_PACKA.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-rule Adwind_JAR_PACKA : binary 
-{
- meta:
-  author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
-  reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
-  last_modified = "2015-11-30"
- strings:
-  $b1 = ".class" ascii
-  $b2 = "c/a/a/" ascii
-  $b3 = "b/a/" ascii
-  $b4 = "a.dat" ascii
-  $b5 = "META-INF/MANIFEST.MF" ascii
- condition:
-  int16(0) == 0x4B50 and ($b1 and $b2 and $b3 and $b4 and $b5)
-}

malware/Adwind_JAR_PACKB.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-rule Adwind_JAR_PACKB {
- meta:
-  author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
-  reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
-  last_modified = "2015-11-30"
- strings:
-  $c1 = "META-INF/MANIFEST.MF" ascii
-  $c2 = "main/Start.class" ascii
-  $a1 = "con g/con g.perl" ascii
-  $b1 = "java/textito.isn" ascii
- condition:
-  int16(0) == 0x4B50 and ($c1 and $c2 and ($a1 or $b1))
-}

malware/Backdoor_WinntiPharma.yar

-rule WinntiPharma
-{
-meta:
-	author = "Jose Ramon Palanco"
-	copyright = "Drainware, Inc."
-	date = "2015-06-23"
-	description = "Backdoor Win64 Winnti Pharma"
-	ref = "https://securelist.com/blog/research/70991/games-are-over/"
-
-strings:
-	$s0 = "Cookie: SN="
-	$s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}"
-	$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
-	$s3 = "master secret"
-	$s4 = "MyEngineNetEvent"
-condition:
-	all of ($s*)
-}

malware/Crypren_ransomware.yar

-rule Ransom : Crypren{
-    meta:
-        weight = 1
-        Author = "@pekeinfo"
-        reference = "https://github.com/pekeinfo/DecryptCrypren"
-    strings: 
-        $a = "won't be able to recover your files anymore.</p>"
-        $b = {6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ??}
-        $c = "Please restart your computer and wait for instructions for decrypting your files"
-    condition:
-        any of them
-}

malware/Dridex.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Dridex_Trojan_XML {
-	meta:
-		description = "Dridex Malware in XML Document"
-		author = "Florian Roth @4nc4p"
-		reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
-		date = "2015/03/08"
-		hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
-		hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
-		hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
-		hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
-		hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
-	strings:
-		// can be ascii or wide formatted - therefore no restriction
-		$c_xml      = "<?xml version="
-		$c_word     = "<?mso-application progid=\"Word.Document\"?>"
-		$c_macro    = "w:macrosPresent=\"yes\""
-		$c_binary   = "<w:binData w:name="
-		$c_0_chars  = "<o:Characters>0</o:Characters>"
-		$c_1_line   = "<o:Lines>1</o:Lines>"
-	condition:
-		all of ($c*)
-}

malware/EXPERIMENTAL_Beef_pretty_theft.yar → malware/EXPERIMENTAL_Beef.yar

@@ -11,7 +11,7 @@
 
 /* Rule Set ----------------------------------------------------------------- */
 
-rule src_ptheft_command {
+rule src_ptheft_command : experimental {
 	meta:
 		description = "Auto-generated rule - file command.js"
 		author = "Pasquale Stirparo"
@@ -40,3 +40,39 @@ rule src_ptheft_command {
 	condition:
 		13 of them
 }
+/*
+	This Yara Rule is to be considered as "experimental"
+	It reperesents a first attempt to detect BeEF hook function in memory
+	It still requires further refinement 
+
+*/
+
+rule BeEF_browser_hooked : experimental  {
+	meta:
+		description = "Yara rule related to hook.js, BeEF Browser hooking capability"
+		author = "Pasquale Stirparo"
+		date = "2015-10-07"
+		hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
+	strings:
+		$s0 = "mitb.poisonAnchor" wide ascii
+		$s1 = "this.request(this.httpproto" wide ascii
+		$s2 = "beef.logger.get_dom_identifier" wide ascii
+		$s3 = "return (!!window.opera" wide ascii 
+		$s4 = "history.pushState({ Be:\"EF\" }" wide ascii 
+		$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii 
+		$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii 
+		$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii 
+		$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii 
+		$s9 = "mitb.sniff(" wide ascii 
+		$s10 = "Method XMLHttpRequest.open override" wide ascii 
+		$s11 = ".browser.hasWebSocket" wide ascii 
+		$s12 = ".mitb.poisonForm" wide ascii 
+		$s13 = "resolved=require.resolve(file,cwd||" wide ascii 
+		$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii 
+		$s15 = "beef.net.request" wide ascii 
+		$s16 = "uagent.search(engineOpera)" wide ascii 
+		$s17 = "mitb.sniff" wide ascii
+		$s18 = "beef.logger.start" wide ascii
+	condition:
+		all of them
+}

malware/EXPERIMENTAL_Beef_Hooked.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-/*
-	This Yara Rule is to be considered as "experimental"
-	It reperesents a first attempt to detect BeEF hook function in memory
-	It still requires further refinement 
-
-*/
-
-rule BeEF_browser_hooked {
-	meta:
-		description = "Yara rule related to hook.js, BeEF Browser hooking capability"
-		author = "Pasquale Stirparo"
-		date = "2015-10-07"
-		hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
-	strings:
-		$s0 = "mitb.poisonAnchor" wide ascii
-		$s1 = "this.request(this.httpproto" wide ascii
-		$s2 = "beef.logger.get_dom_identifier" wide ascii
-		$s3 = "return (!!window.opera" wide ascii 
-		$s4 = "history.pushState({ Be:\"EF\" }" wide ascii 
-		$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii 
-		$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii 
-		$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii 
-		$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii 
-		$s9 = "mitb.sniff(" wide ascii 
-		$s10 = "Method XMLHttpRequest.open override" wide ascii 
-		$s11 = ".browser.hasWebSocket" wide ascii 
-		$s12 = ".mitb.poisonForm" wide ascii 
-		$s13 = "resolved=require.resolve(file,cwd||" wide ascii 
-		$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii 
-		$s15 = "beef.net.request" wide ascii 
-		$s16 = "uagent.search(engineOpera)" wide ascii 
-		$s17 = "mitb.sniff" wide ascii
-		$s18 = "beef.logger.start" wide ascii
-	condition:
-		all of them
-}

malware/Gamarue.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-
-rule Worm_Gamarue {
-	meta:
-		author = "Centro Criptológico Nacional (CCN)"
-		ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
-		description = "Gamarue_Andromeda"		
-	strings:
-		$a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 }
-	condition:
-		$a 
-}

malware/Havex_Memdump.yar

-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-rule SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump
-	{
-	meta:
-		description = "Detects Havex Windows process executable from memory dump"
-		date = "2015-12-2"
-		author = "Chris Sistrunk"
-		hash = "8065674de8d79d1c0e7b3baf81246e7d"
-	strings:
-		$magic = { 4d 5a }	
-	
-	        $s1 = "~tracedscn.yls" fullword wide
-		$s2 = "[!]Start" fullword wide
-		$s3 = "[+]Get WSADATA" fullword wide
-		$s4 = "[-]Can not get local ip" fullword wide
-		$s5 = "[+]Local:" fullword wide
-		$s6 = "[-]Threads number > Hosts number" fullword wide
-		$s7 = "[-]Connection error" fullword wide
-		
-		$x1 = "bddd4e2b84fa2ad61eb065e7797270ff.exe" fullword wide
-	condition:
-	    $magic at 0 and ( 3 of ($s*) or $x1 )
-}

malware/LURK0_CCTV0.yar

-rule LURK0Header : Family LURK0 {
-meta:
-description = "5 char code for LURK0"
-author = "Katie Kleemola"
-last_updated = "07-21-2014"
-
-strings:
-$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
-
-condition:
-any of them
-}
-
-rule CCTV0Header : Family CCTV0 {
-meta:
-description = "5 char code for LURK0"
-author = "Katie Kleemola"
-last_updated = "07-21-2014"
-
-strings:
-//if its just one char a time
-$ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
-// bit hacky but for when samples dont just simply mov 1 char at a time
-$ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
-
-condition:
-any of them
-}
-
-rule SharedStrings : Family {
-meta:
-description = "Internal names found in LURK0/CCTV0 samples"
-author = "Katie Kleemola"
-last_updated = "07-22-2014"
-
-strings:
-// internal names
-$i1 = "Butterfly.dll"
-$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
-$i3 = "ETClientDLL"
-
-// dbx
-$d1 = "\\DbxUpdateET\\" wide
-$d2 = "\\DbxUpdateBT\\" wide
-$d3 = "\\DbxUpdate\\" wide
-
-// other folders
-$mc1 = "\\Micet\\"
-
-// embedded file names
-$n1 = "IconCacheEt.dat" wide
-$n2 = "IconConfigEt.dat" wide
-
-
- 
-$m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
-$m2 = "\x00\x00111\x00\x00" wide
-$m3 = "\x00\x00ETUN\x00\x00" wide
-$m4 = "\x00\x00ER\x00\x00" wide
-
-condition:
-any of them //todo: finetune this
-
-}
-
-rule LURK0 : Family LURK0 {
-
-meta:
-description = "rule for lurk0"
-author = "Katie Kleemola"
-last_updated = "07-22-2014"
-
-condition:
-LURK0Header and SharedStrings
-
-}
-
-rule CCTV0 : Family CCTV0 {
-
-meta:
-description = "rule for cctv0"
-author = "Katie Kleemola"
-last_updated = "07-22-2014"
-
-condition:
-CCTV0Header and SharedStrings
-
-}

malware/Andromeda.yar → malware/MALW_Andromeda.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
     long as you use it under this license.
 */
-rule andromeda : binary
+rule andromeda : binary bot
 {
     meta:
         author = "Brian Wallace @botnet_hunter"
@@ -15,3 +15,13 @@ rule andromeda : binary
     condition:
         all of them
 }
+rule Worm_Gamarue {
+	meta:
+		author = "Centro Criptológico Nacional (CCN)"
+		ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
+		description = "Gamarue_Andromeda"		
+	strings:
+		$a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 }
+	condition:
+		$a 
+}

malware/Chicken.yar → malware/MALW_Chicken.yar

@@ -24,7 +24,7 @@ rule ChickenDOS{
         ($pdb1 or $pdb2) and 5 of ($str*)
 }
 
-rule ChickenDOS_Linux {
+rule ChickenDOS_Linux : DoS Linux {
     meta:
         author = "Jason Jones <jasonjones@arbor.net>"
         description = "Linux-variant of Chicken ident for both dropper and dropped file"

malware/Citadel.yar → malware/MALW_Citadel.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule citadel13xy : banker
+rule citadel13xy : banker memory
 {
 	meta:
 		author = "Jean-Philippe Teissier / @Jipe_"

malware/CorkowDLL.yar → malware/MALW_Corkow.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule CorkowDLL {
+rule CorkowDLL : dll {
 	meta:
 		description = "Rule to detect the Corkow DLL files" 
 		reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"

malware/DDoSTf.yar → malware/MALW_DDoSTf.yar

@@ -2,7 +2,7 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-rule DDosTf : DDoS
+rule DDosTf : DDoS ELF
 {
   meta:
     author = "benkow_ - MalwareMustDie"