Updated indexes and index_gen.sh

f7549240 · Xumeiquer · 4189008c · f7549240 · f7549240 · f7549240
Commit f7549240 authored Oct 25, 2016 by Xumeiquer
13 changed files
--- a/Antidebug_AntiVM_index.yar
+++ b/Antidebug_AntiVM_index.yar
 /*
 Generated by Yara-Rules
-On 24-10-2016
+On 25-10-2016
 */
 include "./Antidebug_AntiVM/antidebug_antivm.yar"
--- a/CVE_Rules_index.yar
+++ b/CVE_Rules_index.yar
 /*
 Generated by Yara-Rules
-On 24-10-2016
+On 25-10-2016
 */
 include "./CVE_Rules/CVE-2010-0805.yar"
 include "./CVE_Rules/CVE-2010-0887.yar"

--- a/Crypto_index.yar
+++ b/Crypto_index.yar
 /*
 Generated by Yara-Rules
-On 24-10-2016
+On 25-10-2016
 */
 include "./Crypto/base64.yar"
 include "./Crypto/crypto_signatures.yar"
--- a/Exploit-Kits_index.yar
+++ b/Exploit-Kits_index.yar
 /*
 Generated by Yara-Rules
-On 24-10-2016
+On 25-10-2016
 */
 include "./Exploit-Kits/EK_Angler.yar"
 include "./Exploit-Kits/EK_Blackhole.yar"

--- a/Malicious_Documents_index.yar
+++ b/Malicious_Documents_index.yar
 /*
 Generated by Yara-Rules
-On 24-10-2016
+On 25-10-2016
 */
 include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
 include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"

--- a/Mobile_Malware_index.yar
+++ b/Mobile_Malware_index.yar
 /*
 Generated by Yara-Rules
-On 24-10-2016
+On 25-10-2016
 */
 include "./Mobile_Malware/Android_adware.yar"
 include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
@@ -22,7 +22,6 @@ include "./Mobile_Malware/Android_generic_adware.yar"
 include "./Mobile_Malware/Android_generic_smsfraud.yar"
 include "./Mobile_Malware/Android_Godless.yar"
 include "./Mobile_Malware/Android_Libyan_Scorpions.yar"
-include "./Mobile_Malware/Android_MalwareCertificates.yar"
 include "./Mobile_Malware/Android_malware_Advertising.yar"
 include "./Mobile_Malware/Android_malware_banker.yar"
 include "./Mobile_Malware/Android_malware_ChinesePorn.yar"
@@ -34,6 +33,7 @@ include "./Mobile_Malware/Android_malware_SMSsender.yar"
 include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
 include "./Mobile_Malware/Android_Malware_Towelroot.yar"
 include "./Mobile_Malware/Android_malware_xbot007.yar"
+include "./Mobile_Malware/Android_MalwareCertificates.yar"
 include "./Mobile_Malware/Android_mapin.yar"
 include "./Mobile_Malware/Android_Marcher_2.yar"
 include "./Mobile_Malware/Android_MazarBot_z.yar"

--- a/Packers_index.yar
+++ b/Packers_index.yar
 /*
 Generated by Yara-Rules
-On 24-10-2016
+On 25-10-2016
 */
 include "./Packers/Javascript_exploit_and_obfuscation.yar"
 include "./Packers/JJencode.yar"

--- a/Webshells_index.yar
+++ b/Webshells_index.yar
 /*
 Generated by Yara-Rules
-On 24-10-2016
+On 25-10-2016
 */
 include "./Webshells/WShell_APT_Laudanum.yar"
 include "./Webshells/Wshell_ChineseSpam.yar"

--- a/email_index.yar
+++ b/email_index.yar
 /*
 Generated by Yara-Rules
-On 24-10-2016
+On 25-10-2016
 */
 include "./email/attachment.yar"
 include "./email/bank_rule.yar"

--- a/index.yar
+++ b/index.yar
 /*
 Generated by Yara-Rules
-On 06-10-2016
+On 25-10-2016
 */
 include "./Antidebug_AntiVM/antidebug_antivm.yar"
 include "./Crypto/base64.yar"
@@ -32,6 +32,7 @@ include "./Exploit-Kits/EK_Sakura.yar"
 include "./Exploit-Kits/EK_ZeroAcces.yar"
 include "./Exploit-Kits/EK_Zerox88.yar"
 include "./Exploit-Kits/EK_Zeus.yar"
+include "./index_w_mobile.yar"
 include "./Malicious_Documents/Maldoc_APT_OLE_JSRat.yar"
 include "./Malicious_Documents/Maldoc_Contains_VBE_File.yar"
 include "./Malicious_Documents/Maldoc_Dridex.yar"
@@ -117,6 +118,7 @@ include "./malware/MALW_Atmos.yar"
 include "./malware/MALW_BackdoorSSH.yar"
 include "./malware/MALW_Backoff.yar"
 include "./malware/MALW_Bangat.yar"
+include "./malware/MALW_Batel.yar"
 include "./malware/MALW_BlackRev.yar"
 include "./malware/MALW_BlackWorm.yar"
 include "./malware/MALW_Boouset.yar"
@@ -182,6 +184,7 @@ include "./malware/MALW_Notepad.yar"
 include "./malware/MALW_NSFree.yar"
 include "./malware/MALW_Olyx.yar"
 include "./malware/MALW_OSX_Leverage.yar"
+include "./malware/MALW_PE_sections.yar"
 include "./malware/MALW_PittyTiger.yar"
 include "./malware/MALW_Ponmocup.yar"
 include "./malware/MALW_Pony.yar"
@@ -212,6 +215,7 @@ include "./malware/MALW_TreasureHunt.yar"
 include "./malware/MALW_Upatre.yar"
 include "./malware/MALW_Urausy.yar"
 include "./malware/MALW_Vidgrab.yar"
+include "./malware/MALW_viotto_keylogger.yar"
 include "./malware/MALW_Wabot.yar"
 include "./malware/MALW_Warp.yar"
 include "./malware/MALW_Wimmie.yar"
@@ -278,6 +282,8 @@ include "./malware/RANSOM_Cryptolocker.yar"
 include "./malware/RANSOM_DMALocker.yar"
 include "./malware/RANSOM_Locky.yar"
 include "./malware/RANSOM_Petya.yar"
+include "./malware/RANSOM_Satana.yar"
+include "./malware/RANSOM_Stampado.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
 include "./malware/RANSOM_Tox.yar"
 include "./malware/RAT_Adwind.yar"
@@ -320,66 +326,11 @@ include "./malware/TOOLKIT_PassTheHash.yar"
 include "./malware/TOOLKIT_Pwdump.yar"
 include "./malware/TOOLKIT_THOR_HackTools.yar"
 include "./malware/TOOLKIT_Wineggdrop.yar"
-include "./Mobile_Malware/Android_adware.yar"
-include "./Mobile_Malware/Android_AliPay_smsStealer.yar"
-include "./Mobile_Malware/Android_Amtrckr_20160519.yar"
-include "./Mobile_Malware/Android_ASSDdeveloper.yar"
-include "./Mobile_Malware/Android_AVITOMMS.yar"
-include "./Mobile_Malware/Android_Backdoor.yar"
-include "./Mobile_Malware/Android_BadMirror.yar"
-include "./Mobile_Malware/Android_BatteryBot_ClickFraud.yar"
-include "./Mobile_Malware/Android_Clicker_G.yar"
-include "./Mobile_Malware/Android_Copy9.yar"
-include "./Mobile_Malware/Android_DeathRing.yar"
-include "./Mobile_Malware/Android_Dectus_rswm.yar"
-include "./Mobile_Malware/Android_Dendroid_RAT.yar"
-include "./Mobile_Malware/Android_Dogspectus.yar"
-include "./Mobile_Malware/Android_FakeApps.yar"
-include "./Mobile_Malware/Android_FakeBank_Fanta.yar"
-include "./Mobile_Malware/Android_generic_adware.yar"
-include "./Mobile_Malware/Android_generic_smsfraud.yar"
-include "./Mobile_Malware/Android_Godless.yar"
-include "./Mobile_Malware/Android_Libyan_Scorpions.yar"
-include "./Mobile_Malware/Android_malware_Advertising.yar"
-include "./Mobile_Malware/Android_malware_banker.yar"
-include "./Mobile_Malware/Android_malware_ChinesePorn.yar"
-include "./Mobile_Malware/Android_malware_Dropper.yar"
-include "./Mobile_Malware/Android_malware_Fake_MosKow.yar"
-include "./Mobile_Malware/Android_malware_HackingTeam.yar"
-include "./Mobile_Malware/Android_Malware_Ramsonware.yar"
-include "./Mobile_Malware/Android_malware_SMSsender.yar"
-include "./Mobile_Malware/Android_Malware_Tinhvan.yar"
-include "./Mobile_Malware/Android_Malware_Towelroot.yar"
-include "./Mobile_Malware/Android_malware_xbot007.yar"
-include "./Mobile_Malware/Android_MalwareCertificates.yar"
-include "./Mobile_Malware/Android_mapin.yar"
-include "./Mobile_Malware/Android_Marcher_2.yar"
-include "./Mobile_Malware/Android_MazarBot_z.yar"
-include "./Mobile_Malware/Android_Metasploit.yar"
-include "./Mobile_Malware/Android_OmniRat.yar"
-include "./Mobile_Malware/Android_Overlayer.yar"
-include "./Mobile_Malware/Android_Pink_Locker.yar"
-include "./Mobile_Malware/Android_pornClicker.yar"
-include "./Mobile_Malware/Android_RuMMS.yar"
-include "./Mobile_Malware/Android_SandroRat.yar"
-include "./Mobile_Malware/Android_sk_bankTr.yar"
-include "./Mobile_Malware/Android_SlemBunk.yar"
-include "./Mobile_Malware/Android_SMSFraud.yar"
-include "./Mobile_Malware/Android_SpyAgent.yar"
-include "./Mobile_Malware/Android_Spynet.yar"
-include "./Mobile_Malware/Android_SpyNote.yar"
-include "./Mobile_Malware/Android_Spywaller.yar"
-include "./Mobile_Malware/Android_Tachi.yar"
-include "./Mobile_Malware/Android_Tordow.yar"
-include "./Mobile_Malware/Android_Triada_Banking.yar"
-include "./Mobile_Malware/Android_VikingOrder.yar"
-include "./Mobile_Malware/Android_VirusPolicia.yar"
 include "./Packers/Javascript_exploit_and_obfuscation.yar"
 include "./Packers/JJencode.yar"
 include "./Packers/packer.yar"
 include "./Packers/packer_compiler_signatures.yar"
 include "./Packers/peid.yar"
-include "./utils/ip.yar"
 include "./Webshells/WShell_APT_Laudanum.yar"
 include "./Webshells/Wshell_ChineseSpam.yar"
 include "./Webshells/Wshell_fire2013.yar"

--- a/index_gen.sh
+++ b/index_gen.sh
@@ -12,24 +12,35 @@ function get_folders {
 function gen_index {
    IDX_NAME=$1
    BASE=$2
+    INC_MOBILE=$3
    > $IDX_NAME
-    if [ x"$3" != x ]; then
+    if [ x"$4" != x ]; then
-        echo -e "/*$3*/" > $IDX_NAME
+        echo -e "/*$4*/" > $IDX_NAME
    fi
    OS=$(uname)
+    AVOID="_?index.yara?|utils"
    if [ x"$BASE" == x"." ]; then
+        if [ $INC_MOBILE == false ]; then
            if [ $OS == "Darwin" ]; then
-            find -E $BASE -regex ".*\.yara?" | grep -vE "_?index.yara?" | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
+                find -E $BASE -regex ".*\.yara?" | grep -vE "$AVOID|Mobile" | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
            else
                # Linux version and potentialy Cygwin
-            find $BASE -regex ".*\.yara?" | grep -vE "_?index.yara?" | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
+                find $BASE -regex ".*\.yara?" | grep -vE "$AVOID|Mobile" | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
            fi
        else
            if [ $OS == "Darwin" ]; then
-            find -E $BASE -regex ".*\.yara?" | grep -vE "_?index.yara?" | awk '{print "include \"./" $0 "\""}' >> $IDX_NAME
+                find -E $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
            else
                # Linux version and potentialy Cygwin
-            find $BASE -regex ".*\.yara?" | grep -vE "_?index.yara?" | awk '{print "include \"./" $0 "\""}' >> $IDX_NAME
+                find $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | awk '{print "include \"" $0 "\""}' >> $IDX_NAME
+            fi
+        fi
+    else
+        if [ $OS == "Darwin" ]; then
+            find -E $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | awk '{print "include \"./" $0 "\""}' >> $IDX_NAME
+        else
+            # Linux version and potentialy Cygwin
+            find $BASE -regex ".*\.yara?" | grep -vE "$AVOID" | awk '{print "include \"./" $0 "\""}' >> $IDX_NAME
        fi
    fi
 }
@@ -41,16 +52,27 @@ echo "          Yara-Rules"
 echo "        Index generator"
 echo "   **************************"
+INC_MOBILE=true
 for folder in $(get_folders)
 do
    if [ x"$folder" == x"." ]; then
        BASE="."
-        IDX_NAME="index.yar"
+        IDX_NAME="index_w_mobile.yar"
-        echo "[+] Generating index..."
+        echo "[+] Generating index_w_mobile..."
    else
        BASE=$(echo $folder | rev | cut -c 2- | rev)
        IDX_NAME="$BASE"_index.yar
        echo "[+] Generating $BASE index..."
    fi
-    gen_index $IDX_NAME $BASE "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"
+    gen_index $IDX_NAME $BASE $INC_MOBILE "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"
+    if [ x"$folder" == x"." ]; then
+        INC_MOBILE=false
+        IDX_NAME="index.yar"
+        gen_index $IDX_NAME $BASE $INC_MOBILE "\nGenerated by Yara-Rules\nOn $(date +%d-%m-%Y)\n"
+        echo "[+] Generating index..."
+    fi
 done
--- a/index_w_mobile.yar
+++ b/index_w_mobile.yar
--- a/malware_index.yar
+++ b/malware_index.yar
 /*
 Generated by Yara-Rules
-On 24-10-2016
+On 25-10-2016
 */
 include "./malware/APT_APT1.yar"
 include "./malware/APT_APT17.yar"