├── malware
├── APT_Hikit.yar
├── LostDoor.yar
├── F0xy.yar
├── Bublik_downloader.yar
├── Zegost.yar
├── Grozlex.yar
├── YahLover.yar
├── Notepad.yar
├── Boouset.yar
├── Cerberus.yar
├── Turla.yar
├── ShadowTech.yar
├── Urausy.yar
├── FakeM.yar
├── jRAT.yar
├── Dexter.yar
├── Miscelanea_RTF.yar
├── LuckyCat.yar
├── Stealer.yar
├── Shamoon.yar
├── Mirage.yar
├── Android_Malware.yar
├── LogPOS.yar
├── PoisonIvy.yar
├── APT_pcclient.yar
├── APT_Kaba.yar
├── Leverage.yar
├── APT3102.yar
├── Ezcob.yar
├── BlackEnergy.yar
├── Kelihos.yar
├── Zeus.yar
├── NetPass.yar
├── RAT_Terminator.yar
├── Dridex.yar
├── Warp.yar
├── favorite.yar
├── PubSab.yar
├── Olyx.yar
├── Lenovo_superfish.yar
├── Yayih.yar
├── Njrat.yar
├── APT_NGO_wuaclt.yar
├── netwiredRC.yar
├── APT_DeputyDog_Fexel.yar
├── cxpid.yar
├── Safenet.yar
├── naspyupdate.yar
├── Install11.yar
├── Glasses.yar
├── PlugX.yar
├── Scarhikn.yar
├── NSFree.yar
├── Cookies.yar
├── Naikon.yar
├── Intel_Virtualization.yar
├── Bangat.yar
├── Wimmie.yar
├── T5000.yar
├── Vidgrab.yar
├── Regsubdat.yar
├── Babar.yar
├── NetTraveler.yar
├── Scieron.yar
├── Bolonyokte.yar
├── APT_Mongall.yar
├── MacControl.yar
├── KINS.yar
├── Ramsonware.yar
├── DarkComet.yar
├── APT9002.yar
├── APT_Careto.yar
├── Gh0st.yar
├── IMuler.yar
├── iexpl0ree.yar
├── Derusbi.yar
├── Rooter.yar
├── LURK0.yar
├── Skeleton.yar
├── Quarian.yar
├── RCS.yar
├── Xtreme.yar
├── Surtr.yar
├── Gholee.yar
├── Casper.yar
├── BlackShades.yar
├── WoolenGoldfish.yar
├── Enfal.yar
├── APT_c16.yar
├── Anthem_DeepPanda.yar
├── Waterbug.yar
├── APT_Hellsing.yar
├── FinSpy.yar
├── APT_OPCleaver.yar
├── Miscelanea_Linux.yar
├── Opcleaver.yar
├── FiveEyes.yar
└── APT_Regin.yar
├── README.md
├── crypto.yar
└── malicious_document.yar
/malware/APT_Hikit.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule APT_Hikit_msrv
9 | {
10 | meta:
11 | author = "ThreatConnect Intelligence Research Team"
12 | strings:
13 | $m = {6D 73 72 76 2E 64 6C 6C 00 44 6C 6C}
14 | condition:
15 | any of them
16 | }
17 |
--------------------------------------------------------------------------------
/malware/LostDoor.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule lost_door : Trojan
9 | {
10 | meta:
11 | author="Kevin Falcoz"
12 | date="23/02/2013"
13 | description="Lost Door"
14 |
15 | strings:
16 | $signature1={45 44 49 54 5F 53 45 52 56 45 52} /*EDIT_SERVER*/
17 |
18 | condition:
19 | $signature1
20 | }
21 |
--------------------------------------------------------------------------------
/malware/F0xy.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule ws_f0xy_downloader {
9 | meta:
10 | description = "f0xy malware downloader"
11 | author = "Nick Griffin (Websense)"
12 |
13 | strings:
14 | $mz="MZ"
15 | $string1="bitsadmin /transfer"
16 | $string2="del rm.bat"
17 | $string3="av_list="
18 |
19 | condition:
20 | ($mz at 0) and (all of ($string*))
21 | }
22 |
--------------------------------------------------------------------------------
/malware/Bublik_downloader.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Bublik : Downloader
9 | {
10 | meta:
11 | author="Kevin Falcoz"
12 | date="29/09/2013"
13 | description="Bublik Trojan Downloader"
14 |
15 | strings:
16 | $signature1={63 6F 6E 73 6F 6C 61 73}
17 | $signature2={63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69}
18 |
19 | condition:
20 | $signature1 and $signature2
21 | }
22 |
--------------------------------------------------------------------------------
/malware/Zegost.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Zegost : Trojan
9 | {
10 | meta:
11 | author="Kevin Falcoz"
12 | date="10/06/2013"
13 | description="Zegost Trojan"
14 |
15 | strings:
16 | $signature1={39 2F 66 33 30 4C 69 35 75 62 4F 35 44 4E 41 44 44 78 47 38 73 37 36 32 74 71 59 3D}
17 | $signature2={00 BA DA 22 51 42 6F 6D 65 00}
18 |
19 | condition:
20 | $signature1 and $signature2
21 | }
22 |
--------------------------------------------------------------------------------
/malware/Grozlex.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Grozlex : Stealer
9 | {
10 | meta:
11 | author="Kevin Falcoz"
12 | date="20/08/2013"
13 | description="Grozlex Stealer - Possible HCStealer"
14 |
15 | strings:
16 | $signature={4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E}
17 |
18 | condition:
19 | $signature
20 | }
21 |
--------------------------------------------------------------------------------
/malware/YahLover.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule YahLover : Worm
9 | {
10 | meta:
11 | author="Kevin Falcoz"
12 | date="10/06/2013"
13 | description="YahLover"
14 |
15 | strings:
16 | $signature1={42 00 49 00 54 00 52 00 4F 00 54 00 41 00 54 00 45 00 00 00 42 00 49 00 54 00 53 00 48 00 49 00 46 00 54 00 00 00 00 00 42 00 49 00 54 00 58 00 4F 00 52}
17 |
18 | condition:
19 | $signature1
20 | }
21 |
22 |
--------------------------------------------------------------------------------
/malware/Notepad.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule TROJAN_Notepad {
9 | meta:
10 | Author = "RSA_IR"
11 | Date = "4Jun13"
12 | File = "notepad.exe v 1.1"
13 | MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927"
14 | strings:
15 | $s1 = "75BAA77C842BE168B0F66C42C7885997"
16 | $s2 = "B523F63566F407F3834BCC54AAA32524"
17 | condition:
18 | $s1 or $s2
19 | }
20 |
21 |
22 |
--------------------------------------------------------------------------------
/malware/Boouset.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule BoousetCode : Boouset Family
9 | {
10 | meta:
11 | description = "Boouset code tricks"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-19"
14 |
15 | strings:
16 | $boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
17 |
18 | condition:
19 | any of them
20 | }
21 |
22 |
--------------------------------------------------------------------------------
/malware/Cerberus.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Cerberus : rat
9 | {
10 | meta:
11 | description = "Cerberus"
12 | author = "Jean-Philippe Teissier / @Jipe_"
13 | date = "2013-01-12"
14 | filetype = "memory"
15 | version = "1.0"
16 |
17 | strings:
18 | $checkin = "Ypmw1Syv023QZD"
19 | $clientpong = "wZ2pla"
20 | $serverping = "wBmpf3Pb7RJe"
21 | $generic = "cerberus" nocase
22 |
23 | condition:
24 | any of them
25 | }
26 |
--------------------------------------------------------------------------------
/malware/Turla.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule WaterBug_turla_dll
9 | {
10 | meta:
11 | description = "Symantec Waterbug Attack - Trojan Turla DLL"
12 | author = "Symantec Security Response"
13 | date = "22.01.2015"
14 | reference = "http://t.co/rF35OaAXrl"
15 |
16 | strings:
17 | $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
18 |
19 | condition:
20 | pe.exports("ee") and $a
21 | }
22 |
--------------------------------------------------------------------------------
/malware/ShadowTech.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule ShadowTech
9 | {
10 | meta:
11 | description = "ShadowTech RAT"
12 | author = "botherder https://github.com/botherder"
13 |
14 | strings:
15 | $string1 = /\#(S)trings/
16 | $string2 = /\#(G)UID/
17 | $string3 = /\#(B)lob/
18 | $string4 = /(S)hadowTech Rat\.exe/
19 | $string5 = /(S)hadowTech_Rat/
20 |
21 | condition:
22 | all of them
23 | }
24 |
--------------------------------------------------------------------------------
/malware/Urausy.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule urausy_skype_dat {
9 | meta:
10 | author = "AlienVault Labs"
11 | description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
12 | strings:
13 | $a = "skype.dat" ascii wide
14 | $b = "skype.ini" ascii wide
15 | $win1 = "CreateWindow"
16 | $win2 = "YIWEFHIWQ" ascii wide
17 | $desk1 = "CreateDesktop"
18 | $desk2 = "MyDesktop" ascii wide
19 | condition:
20 | $a and $b and (all of ($win*) or all of ($desk*))
21 | }
22 |
--------------------------------------------------------------------------------
/malware/FakeM.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule HTMLVariant : FakeM Family HTML Variant
9 | {
10 | meta:
11 | description = "Identifier for html variant of FAKEM"
12 | author = "Katie Kleemola"
13 | last_updated = "2014-05-20"
14 |
15 | strings:
16 | // decryption loop
17 | $s1 = { 8B 55 08 B9 00 50 00 00 8D 3D ?? ?? ?? 00 8B F7 AD 33 C2 AB 83 E9 04 85 C9 75 F5 }
18 | //mov byte ptr [ebp - x] y, x: 0x10-0x1 y: 0-9,A-F
19 | $s2 = { C6 45 F? (3?|4?) }
20 |
21 | condition:
22 | $s1 and #s2 == 16
23 |
24 | }
25 |
--------------------------------------------------------------------------------
/malware/jRAT.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 | rule jRAT_conf : rat
8 | {
9 | meta:
10 | description = "jRAT configuration"
11 | author = "Jean-Philippe Teissier / @Jipe_"
12 | date = "2013-10-11"
13 | filetype = "memory"
14 | version = "1.0"
15 | ref1 = "https://github.com/MalwareLu/config_extractor/blob/master/config_jRAT.py"
16 | ref2 = "http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html"
17 |
18 | strings:
19 | $a = /port=[0-9]{1,5}SPLIT/
20 |
21 | condition:
22 | $a
23 | }
24 |
--------------------------------------------------------------------------------
/malware/Dexter.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Dexter_Malware {
9 | meta:
10 | description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
11 | author = "Florian Roth"
12 | reference = "http://goo.gl/oBvy8b"
13 | date = "2015/02/10"
14 | score = 70
15 | strings:
16 | $s0 = "Java Security Plugin" fullword wide
17 | $s1 = "%s\\%s\\%s.exe" fullword wide
18 | $s2 = "Sun Java Security Plugin" fullword wide
19 | $s3 = "\\Internet Explorer\\iexplore.exe" fullword wide
20 | condition:
21 | all of them
22 | }
23 |
--------------------------------------------------------------------------------
/malware/Miscelanea_RTF.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 |
9 | rule rtf_multiple
10 | {
11 | meta:
12 | author = "@patrickrolsen"
13 | maltype = "Multiple"
14 | version = "0.1"
15 | reference = "fd69a799e21ccb308531ce6056944842"
16 | date = "01/04/2014"
17 | strings:
18 | $rtf = { 7b 5c 72 74 ?? ?? } // {\rt01 {\rtf1 {\rtxa
19 | $string1 = "author user"
20 | $string2 = "title Vjkygdjdtyuj" nocase
21 | $string3 = "company ooo"
22 | $string4 = "password 00000000"
23 | condition:
24 | ($rtf at 0) and (all of ($string*))
25 | }
26 |
--------------------------------------------------------------------------------
/malware/LuckyCat.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule LuckyCatCode : LuckyCat Family
9 | {
10 | meta:
11 | description = "LuckyCat code tricks"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-19"
14 |
15 | strings:
16 | $xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B }
17 | $dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C }
18 | $commonletters = { B? 63 B? 61 B? 73 B? 65 }
19 |
20 | condition:
21 | $xordecrypt or ($dll and $commonletters)
22 | }
23 |
--------------------------------------------------------------------------------
/malware/Stealer.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule universal_1337_stealer_serveur : Stealer
9 | {
10 | meta:
11 | author="Kevin Falcoz"
12 | date="24/02/2013"
13 | description="Universal 1337 Stealer Serveur"
14 |
15 | strings:
16 | $signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/
17 | $signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A} /*[H-E-R-E]*/
18 | $signature3={46 54 50 7E} /*FTP~*/
19 | $signature4={7E 31 7E 31 7E 30 7E 30} /*~1~1~0~0*/
20 |
21 | condition:
22 | $signature1 and $signature2 or $signature3 and $signature4
23 | }
24 |
--------------------------------------------------------------------------------
/malware/Shamoon.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 |
9 | rule CrowdStrike_Shamoon_DroppedFile {
10 | meta:
11 | description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
12 | reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
13 | strings:
14 | $testn123 = "test123" wide
15 | $testn456 = "test456" wide
16 | $testn789 = "test789" wide
17 | $testdomain = "testdomain.com" wide $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
18 | condition:
19 | (any of ($testn*) or $pingcmd) and $testdomain
20 | }
21 |
--------------------------------------------------------------------------------
/malware/Mirage.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule MirageStrings : Mirage Family
9 | {
10 | meta:
11 | description = "Mirage Identifying Strings"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-25"
14 |
15 | strings:
16 | $ = "Neo,welcome to the desert of real." wide ascii
17 | $ = "/result?hl=en&id=%s"
18 |
19 | condition:
20 | any of them
21 | }
22 |
23 | rule Mirage : Family
24 | {
25 | meta:
26 | description = "Mirage"
27 | author = "Seth Hardy"
28 | last_modified = "2014-06-25"
29 |
30 | condition:
31 | MirageStrings
32 | }
33 |
--------------------------------------------------------------------------------
/malware/Android_Malware.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Android_Malware : iBanking
9 | {
10 | meta:
11 | author = "Xylitol xylitol@malwareint.com"
12 | date = "2014-02-14"
13 | description = "Match first two bytes, files and string present in iBanking"
14 | reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"
15 |
16 | strings:
17 | // Generic android
18 | $pk = {50 4B}
19 | $file1 = "AndroidManifest.xml"
20 | // iBanking related
21 | $file2 = "res/drawable-xxhdpi/ok_btn.jpg"
22 | $string1 = "bot_id"
23 | $string2 = "type_password2"
24 | condition:
25 | ($pk at 0 and 2 of ($file*) and ($string1 or $string2))
26 | }
27 |
--------------------------------------------------------------------------------
/malware/LogPOS.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 | rule LogPOS
8 | {
9 | meta:
10 | author = "Morphick Security"
11 | description = "Detects Versions of LogPOS"
12 | md5 = "af13e7583ed1b27c4ae219e344a37e2b"
13 | strings:
14 | $mailslot = "\\\\.\\mailslot\\LogCC"
15 | $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
16 | //64A130000000 mov eax, dword ptr fs:[0x30]
17 | //8B400C mov eax, dword ptr [eax + 0xc]
18 | //8B401C mov eax, dword ptr [eax + 0x1c]
19 | //8B4008 mov eax, dword ptr [eax + 8]
20 | $sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
21 | condition:
22 | $sc and 1 of ($mailslot,$get)
23 | }
24 |
--------------------------------------------------------------------------------
/malware/PoisonIvy.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule poisonivy : rat
9 | {
10 | meta:
11 | description = "Poison Ivy"
12 | author = "Jean-Philippe Teissier / @Jipe_"
13 | date = "2013-02-01"
14 | filetype = "memory"
15 | version = "1.0"
16 | ref1 = "https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py"
17 |
18 | strings:
19 | $a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C }
20 |
21 | condition:
22 | $a
23 | }
24 |
25 |
--------------------------------------------------------------------------------
/malware/APT_pcclient.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule backdoor_apt_pcclient
9 | {
10 | meta:
11 | author = "@patrickrolsen"
12 | maltype = "APT.PCCLient"
13 | filetype = "DLL"
14 | version = "0.1"
15 | description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
16 | date = "2012-10"
17 | strings:
18 | $magic = { 4d 5a } // MZ
19 | $string1 = "www.micro1.zyns.com"
20 | $string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
21 | $string3 = "msacm32.drv" wide
22 | $string4 = "C:\\Windows\\Explorer.exe" wide
23 | $string5 = "Elevation:Administrator!" wide
24 | $string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
25 | condition:
26 | $magic at 0 and 4 of ($string*)
27 | }
28 |
--------------------------------------------------------------------------------
/malware/APT_Kaba.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule rtf_Kaba_jDoe
9 | {
10 | meta:
11 | author = "@patrickrolsen"
12 | maltype = "APT.Kaba"
13 | filetype = "RTF"
14 | version = "0.1"
15 | description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
16 | date = "2013-12-10"
17 | strings:
18 | $magic1 = { 7b 5c 72 74 30 31 } // {\rt01
19 | $magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
20 | $magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
21 | $author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
22 | $author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
23 | $string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
24 | condition:
25 | ($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
26 | }
27 |
--------------------------------------------------------------------------------
/malware/Leverage.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule leverage_a
9 | {
10 | meta:
11 | author = "earada@alienvault.com"
12 | version = "1.0"
13 | description = "OSX/Leverage.A"
14 | date = "2013/09"
15 | strings:
16 | $a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
17 | $a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
18 | $a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
19 | $script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
20 | $script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
21 | $script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
22 | $properties = "serverVisible \x00"
23 | condition:
24 | all of them
25 | }
26 |
--------------------------------------------------------------------------------
/malware/APT3102.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule APT3102Code : APT3102 Family
9 | {
10 | meta:
11 | description = "3102 code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-25"
14 |
15 | strings:
16 | $setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
17 |
18 | condition:
19 | any of them
20 | }
21 |
22 | rule APT3102Strings : APT3102 Family
23 | {
24 | meta:
25 | description = "3102 Identifying Strings"
26 | author = "Seth Hardy"
27 | last_modified = "2014-06-25"
28 |
29 | strings:
30 | $ = "rundll32_exec.dll\x00Update"
31 | // this is in the encrypted code - shares with 9002 variant
32 | //$ = "POST http://%ls:%d/%x HTTP/1.1"
33 |
34 | condition:
35 | any of them
36 | }
37 |
--------------------------------------------------------------------------------
/malware/Ezcob.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule EzcobStrings : Ezcob Family
9 | {
10 | meta:
11 | description = "Ezcob Identifying Strings"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-23"
14 |
15 | strings:
16 | $ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"
17 | $ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12"
18 | $ = "Ezcob" wide ascii
19 | $ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126"
20 | $ = "20110113144935"
21 |
22 | condition:
23 | any of them
24 | }
25 |
26 | rule Ezcob : Family
27 | {
28 | meta:
29 | description = "Ezcob"
30 | author = "Seth Hardy"
31 | last_modified = "2014-06-23"
32 |
33 | condition:
34 | EzcobStrings
35 | }
36 |
--------------------------------------------------------------------------------
/malware/BlackEnergy.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule BlackEnergy_BE_2 {
9 | meta:
10 | description = "Detects BlackEnergy 2 Malware"
11 | author = "Florian Roth"
12 | reference = "http://goo.gl/DThzLz"
13 | date = "2015/02/19"
14 | hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
15 | strings:
16 | $mz = { 4d 5a }
17 | $s0 = " Windows system utility service " fullword ascii
18 | $s1 = "WindowsSysUtility - Unicode" fullword wide
19 | $s2 = "msiexec.exe" fullword wide
20 | $s3 = "WinHelpW" fullword ascii
21 | $s4 = "ReadProcessMemory" fullword ascii
22 | condition:
23 | ( $mz at 0 ) and filesize < 250KB and all of ($s*)
24 | }
25 |
--------------------------------------------------------------------------------
/malware/Kelihos.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule KelihosHlux
9 | {
10 | meta:
11 | author = "@malpush"
12 | maltype = "KelihosHlux"
13 | description = "http://malwared.ru"
14 | date = "22/02/2014"
15 | strings:
16 | $KelihosHlux_HexString = { 73 20 7D 8B FE 95 E4 12 4F 3F 99 3F 6E C8 28 26 C2 41 D9 8F C1 6A 72 A6 CE 36 0F 73 DD 2A 72 B0 CC D1 07 8B 2B 98 73 0E 7E 8C 07 DC 6C 71 63 F4 23 27 DD 17 56 AE AB 1E 30 52 E7 54 51 F7 20 ED C7 2D 4B 72 E0 77 8E B4 D2 A8 0D 8D 6A 64 F9 B7 7B 08 70 8D EF F3 9A 77 F6 0D 88 3A 8F BB C8 89 F5 F8 39 36 BA 0E CB 38 40 BF 39 73 F4 01 DC C1 17 BF C1 76 F6 84 8F BD 87 76 BC 7F 85 41 81 BD C6 3F BC 39 BD C0 89 47 3E 92 BD 80 60 9D 89 15 6A C6 B9 89 37 C4 FF 00 3D 45 38 09 CD 29 00 90 BB B6 38 FD 28 9C 01 39 0E F9 30 A9 66 6B 19 C9 F8 4C 3E B1 C7 CB 1B C9 3A 87 3E 8E 74 E7 71 D1 }
17 |
18 | condition:
19 | $KelihosHlux_HexString
20 | }
21 |
--------------------------------------------------------------------------------
/malware/Zeus.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Windows_Malware : Zeus_1134
9 | {
10 | meta:
11 | author = "Xylitol xylitol@malwareint.com"
12 | date = "2014-03-03"
13 | description = "Match first two bytes, protocol and string present in Zeus 1.1.3.4"
14 | reference = "http://www.xylibox.com/2014/03/zeus-1134.html"
15 |
16 | strings:
17 | $mz = {4D 5A}
18 | $protocol1 = "X_ID: "
19 | $protocol2 = "X_OS: "
20 | $protocol3 = "X_BV: "
21 | $stringR1 = "InitializeSecurityDescriptor"
22 | $stringR2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
23 | condition:
24 | ($mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2))
25 | }
26 |
--------------------------------------------------------------------------------
/malware/NetPass.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule NetpassStrings : NetPass Variant {
9 |
10 | meta:
11 | description = "Identifiers for netpass variant"
12 | author = "Katie Kleemola"
13 | last_updated = "2014-05-29"
14 |
15 | strings:
16 | $exif1 = "Device Protect ApplicatioN" wide
17 | $exif2 = "beep.sys" wide //embedded exe name
18 | $exif3 = "BEEP Driver" wide //embedded exe description
19 |
20 | $string1 = "\x00NetPass Update\x00"
21 | $string2 = "\x00%s:DOWNLOAD\x00"
22 | $string3 = "\x00%s:UPDATE\x00"
23 | $string4 = "\x00%s:uNINSTALL\x00"
24 |
25 | condition:
26 | all of ($exif*) or any of ($string*)
27 |
28 | }
29 |
30 | rule NetPass : Variant {
31 | meta:
32 | description = "netpass variant"
33 | author = "Katie Kleemola"
34 | last_updated = "2014-07-08"
35 | condition:
36 | NetpassStrings
37 | }
38 |
39 |
40 |
--------------------------------------------------------------------------------
/malware/RAT_Terminator.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 |
9 | rule TerminatorRat : rat
10 | {
11 | meta:
12 | description = "Terminator RAT"
13 | author = "Jean-Philippe Teissier / @Jipe_"
14 | date = "2013-10-24"
15 | filetype = "memory"
16 | version = "1.0"
17 | ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html"
18 |
19 | strings:
20 | $a = "Accelorator"
21 | $b = "12356"
22 |
23 | condition:
24 | all of them
25 | }
26 |
27 |
28 |
29 | rule TROJAN_Notepad_shell_crew {
30 | meta:
31 | author = "RSA_IR"
32 | Date = "4Jun13"
33 | File = "notepad.exe v 1.1"
34 | MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927"
35 | strings:
36 | $s1 = "75BAA77C842BE168B0F66C42C7885997"
37 | $s2 = "B523F63566F407F3834BCC54AAA32524"
38 | condition:
39 | $s1 or $s2
40 | }
41 |
--------------------------------------------------------------------------------
/malware/Dridex.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Dridex_Trojan_XML {
9 | meta:
10 | description = "Dridex Malware in XML Document"
11 | author = "Florian Roth @4nc4p"
12 | reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
13 | date = "2015/03/08"
14 | hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
15 | hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
16 | hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
17 | hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
18 | hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
19 | strings:
20 | // can be ascii or wide formatted - therefore no restriction
21 | $c_xml = ""
23 | $c_macro = "w:macrosPresent=\"yes\""
24 | $c_binary = "0"
26 | $c_1_line = "1"
27 | condition:
28 | all of ($c*)
29 | }
30 |
--------------------------------------------------------------------------------
/malware/Warp.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule WarpCode : Warp Family
9 | {
10 | meta:
11 | description = "Warp code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-07-10"
14 |
15 | strings:
16 | // character replacement
17 | $ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F }
18 |
19 | condition:
20 | any of them
21 | }
22 |
23 | rule WarpStrings : Warp Family
24 | {
25 | meta:
26 | description = "Warp Identifying Strings"
27 | author = "Seth Hardy"
28 | last_modified = "2014-07-10"
29 |
30 | strings:
31 | $ = "/2011/n325423.shtml?"
32 | $ = "wyle"
33 | $ = "\\~ISUN32.EXE"
34 |
35 | condition:
36 | any of them
37 | }
38 |
39 | rule Warp : Family
40 | {
41 | meta:
42 | description = "Warp"
43 | author = "Seth Hardy"
44 | last_modified = "2014-07-10"
45 |
46 | condition:
47 | WarpCode or WarpStrings
48 | }
49 |
--------------------------------------------------------------------------------
/malware/favorite.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule FavoriteCode : Favorite Family
9 | {
10 | meta:
11 | description = "Favorite code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-24"
14 |
15 | strings:
16 | // standard string hiding
17 | $ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }
18 | $ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }
19 |
20 | condition:
21 | any of them
22 | }
23 |
24 | rule FavoriteStrings : Favorite Family
25 | {
26 | meta:
27 | description = "Favorite Identifying Strings"
28 | author = "Seth Hardy"
29 | last_modified = "2014-06-24"
30 |
31 | strings:
32 | $string1 = "!QAZ4rfv"
33 | $file1 = "msupdater.exe"
34 | $file2 = "FAVORITES.DAT"
35 |
36 | condition:
37 | any of ($string*) or all of ($file*)
38 | }
39 |
--------------------------------------------------------------------------------
/malware/PubSab.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule PubSabCode : PubSab Family
9 | {
10 | meta:
11 | description = "PubSab code tricks"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-19"
14 |
15 | strings:
16 | $decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 }
17 |
18 | condition:
19 | any of them
20 | }
21 |
22 | rule PubSabStrings : PubSab Family
23 | {
24 | meta:
25 | description = "PubSab Identifying Strings"
26 | author = "Seth Hardy"
27 | last_modified = "2014-06-19"
28 |
29 | strings:
30 | $ = "_deamon_init"
31 | $ = "com.apple.PubSabAgent"
32 | $ = "/tmp/screen.jpeg"
33 |
34 | condition:
35 | any of them
36 | }
37 |
38 | rule PubSab : Family
39 | {
40 | meta:
41 | description = "PubSab"
42 | author = "Seth Hardy"
43 | last_modified = "2014-06-19"
44 |
45 | condition:
46 | PubSabCode or PubSabStrings
47 | }
48 |
--------------------------------------------------------------------------------
/malware/Olyx.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule OlyxCode : Olyx Family
9 | {
10 | meta:
11 | description = "Olyx code tricks"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-19"
14 |
15 | strings:
16 | $six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 }
17 | $slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C }
18 |
19 | condition:
20 | any of them
21 | }
22 |
23 | rule OlyxStrings : Olyx Family
24 | {
25 | meta:
26 | description = "Olyx Identifying Strings"
27 | author = "Seth Hardy"
28 | last_modified = "2014-06-19"
29 |
30 | strings:
31 | $ = "/Applications/Automator.app/Contents/MacOS/DockLight"
32 |
33 | condition:
34 | any of them
35 | }
36 |
37 | rule Olyx : Family
38 | {
39 | meta:
40 | description = "Olyx"
41 | author = "Seth Hardy"
42 | last_modified = "2014-06-19"
43 |
44 | condition:
45 | OlyxCode or OlyxStrings
46 | }
47 |
--------------------------------------------------------------------------------
/malware/Lenovo_superfish.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | /* LENOVO Superfish -------------------------------------------------------- */
9 |
10 | rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
11 | meta:
12 | description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
13 | author = "Florian Roth / improved by kbandla"
14 | reference = "https://twitter.com/4nc4p/status/568325493558272000"
15 | date = "2015/02/19"
16 | hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
17 | hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
18 | hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
19 | hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
20 | strings:
21 | $mz = { 4d 5a }
22 | //$s1 = "VisualDiscovery.exe" fullword wide
23 | $s2 = "Invalid key length used to initialize BlowFish." fullword ascii
24 | $s3 = "GetPCProxyHandler" fullword ascii
25 | $s4 = "StartPCProxy" fullword ascii
26 | $s5 = "SetPCProxyHandler" fullword ascii
27 | condition:
28 | ( $mz at 0 ) and filesize < 2MB and all of ($s*)
29 | }
30 |
--------------------------------------------------------------------------------
/malware/Yayih.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule YayihCode : Yayih Family
9 | {
10 | meta:
11 | description = "Yayih code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-07-11"
14 |
15 | strings:
16 | // encryption
17 | $ = { 80 04 08 7A 03 C1 8B 45 FC 80 34 08 19 03 C1 41 3B 0A 7C E9 }
18 |
19 | condition:
20 | any of them
21 | }
22 |
23 | rule YayihStrings : Yayih Family
24 | {
25 | meta:
26 | description = "Yayih Identifying Strings"
27 | author = "Seth Hardy"
28 | last_modified = "2014-07-11"
29 |
30 | strings:
31 | $ = "/bbs/info.asp"
32 | $ = "\\msinfo.exe"
33 | $ = "%s\\%srcs.pdf"
34 | $ = "\\aumLib.ini"
35 |
36 | condition:
37 | any of them
38 | }
39 |
40 | rule Yayih : Family
41 | {
42 | meta:
43 | description = "Yayih"
44 | author = "Seth Hardy"
45 | last_modified = "2014-07-11"
46 |
47 | condition:
48 | YayihCode or YayihStrings
49 | }
50 |
51 |
--------------------------------------------------------------------------------
/malware/Njrat.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Njrat
9 | {
10 | meta:
11 | description = "Njrat"
12 | author = "botherder https://github.com/botherder"
13 |
14 | strings:
15 | $string1 = /(F)romBase64String/
16 | $string2 = /(B)ase64String/
17 | $string3 = /(C)onnected/ wide ascii
18 | $string4 = /(R)eceive/
19 | $string5 = /(S)end/ wide ascii
20 | $string6 = /(D)ownloadData/ wide ascii
21 | $string7 = /(D)eleteSubKey/ wide ascii
22 | $string8 = /(g)et_MachineName/
23 | $string9 = /(g)et_UserName/
24 | $string10 = /(g)et_LastWriteTime/
25 | $string11 = /(G)etVolumeInformation/
26 | $string12 = /(O)SFullName/ wide ascii
27 | $string13 = /(n)etsh firewall/ wide
28 | $string14 = /(c)md\.exe \/k ping 0 & del/ wide
29 | $string15 = /(c)md\.exe \/c ping 127\.0\.0\.1 & del/ wide
30 | $string16 = /(c)md\.exe \/c ping 0 -n 2 & del/ wide
31 | $string17 = {7C 00 27 00 7C 00 27 00 7C}
32 |
33 | condition:
34 | 10 of them
35 | }
36 |
--------------------------------------------------------------------------------
/malware/APT_NGO_wuaclt.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule APT_NGO_wuaclt
9 | {
10 | meta:
11 | author = "AlienVault Labs"
12 | strings:
13 | $a = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat"
14 | $b = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
15 | $c = "/news/show.asp?id%d=%d"
16 |
17 | $d = "%%APPDATA%%\\Microsoft\\wuauclt\\"
18 | $e = "0l23kj@nboxu"
19 |
20 | $f = "%%s.asp?id=%%d&Sid=%%d"
21 | $g = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)"
22 | $h = "Cookies: UseID=KGIOODAOOK%%s"
23 |
24 | condition:
25 | ($a and $b and $c) or ($d and $e) or ($f and $g and $h)
26 | }
27 |
28 | rule APT_NGO_wuaclt_PDF
29 | {
30 | meta:
31 | author = "AlienVault Labs"
32 |
33 | strings:
34 | $pdf = "%PDF" nocase
35 | $comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A}
36 |
37 | condition:
38 | $pdf at 0 and $comment in (0..200)
39 | }
40 |
--------------------------------------------------------------------------------
/malware/netwiredRC.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 | rule NetWiredRC_B : rat
8 | {
9 | meta:
10 | description = "NetWiredRC"
11 | author = "Jean-Philippe Teissier / @Jipe_"
12 | date = "2014-12-23"
13 | filetype = "memory"
14 | version = "1.1"
15 |
16 | strings:
17 | $mutex = "LmddnIkX"
18 |
19 | $str1 = "%s.Identifier"
20 | $str2 = "%d:%I64u:%s%s;"
21 | $str3 = "%s%.2d-%.2d-%.4d"
22 | $str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
23 | $str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
24 |
25 | $klg1 = "[Backspace]"
26 | $klg2 = "[Enter]"
27 | $klg3 = "[Tab]"
28 | $klg4 = "[Arrow Left]"
29 | $klg5 = "[Arrow Up]"
30 | $klg6 = "[Arrow Right]"
31 | $klg7 = "[Arrow Down]"
32 | $klg8 = "[Home]"
33 | $klg9 = "[Page Up]"
34 | $klg10 = "[Page Down]"
35 | $klg11 = "[End]"
36 | $klg12 = "[Break]"
37 | $klg13 = "[Delete]"
38 | $klg14 = "[Insert]"
39 | $klg15 = "[Print Screen]"
40 | $klg16 = "[Scroll Lock]"
41 | $klg17 = "[Caps Lock]"
42 | $klg18 = "[Alt]"
43 | $klg19 = "[Esc]"
44 | $klg20 = "[Ctrl+%c]"
45 |
46 | condition:
47 | $mutex or (1 of ($str*) and 1 of ($klg*))
48 | }
49 |
--------------------------------------------------------------------------------
/malware/APT_DeputyDog_Fexel.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule APT_DeputyDog_Fexel
9 | {
10 | meta:
11 | author = "ThreatConnect Intelligence Research Team"
12 | strings:
13 | $180 = "180.150.228.102" wide ascii
14 | $0808cmd = {25 30 38 78 30 38 78 00 5C 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 [2-6] 43 00 61 00 6E 00 27 00 74 00 20 00 6F 00 70 00 65 00 6E 00 20 00 73 00 68 00 65 00 6C 00 6C 00 21}
15 | $cUp = "Upload failed! [Remote error code:" nocase wide ascii
16 | $DGGYDSYRL = {00 44 47 47 59 44 53 59 52 4C 00}
17 | $GDGSYDLYR = "GDGSYDLYR_%" wide ascii
18 | condition:
19 | any of them
20 | }
21 |
22 | rule APT_DeputyDog
23 | {
24 | meta:
25 | Author = "FireEye Labs"
26 | Date = "2013/09/21"
27 | Description = "detects string seen in samples used in 2013-3893 0day attacks"
28 | Reference = "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
29 |
30 | strings:
31 | $mz = {4d 5a}
32 | $a = "DGGYDSYRL"
33 |
34 | condition:
35 | ($mz at 0) and $a
36 | }
--------------------------------------------------------------------------------
/malware/cxpid.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule cxpidStrings : cxpid Family
9 | {
10 | meta:
11 | description = "cxpid Identifying Strings"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-23"
14 |
15 | strings:
16 | $ = "/cxpid/submit.php?SessionID="
17 | $ = "/cxgid/"
18 | $ = "E21BC52BEA2FEF26D005CF"
19 | $ = "E21BC52BEA39E435C40CD8"
20 | $ = " -,L-,O+,Q-,R-,Y-,S-"
21 |
22 | condition:
23 | any of them
24 | }
25 |
26 | rule cxpidCode : cxpid Family
27 | {
28 | meta:
29 | description = "cxpid code features"
30 | author = "Seth Hardy"
31 | last_modified = "2014-06-23"
32 |
33 | strings:
34 | $entryjunk = { 55 8B EC B9 38 04 00 00 6A 00 6A 00 49 75 F9 }
35 |
36 | condition:
37 | any of them
38 | }
39 |
40 | rule cxpid : Family
41 | {
42 | meta:
43 | description = "cxpid"
44 | author = "Seth Hardy"
45 | last_modified = "2014-06-23"
46 |
47 | condition:
48 | cxpidCode or cxpidStrings
49 | }
50 |
--------------------------------------------------------------------------------
/malware/Safenet.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule SafeNetCode : SafeNet Family
9 | {
10 | meta:
11 | description = "SafeNet code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-07-16"
14 |
15 | strings:
16 | // add edi, 14h; cmp edi, 50D0F8h
17 | $ = { 83 C7 14 81 FF F8 D0 40 00 }
18 | condition:
19 | any of them
20 | }
21 |
22 | rule SafeNetStrings : SafeNet Family
23 | {
24 | meta:
25 | description = "Strings used by SafeNet"
26 | author = "Seth Hardy"
27 | last_modified = "2014-07-16"
28 |
29 | strings:
30 | $ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr"
31 | $ = "/safe/record.php"
32 | $ = "_Rm.bat" wide ascii
33 | $ = "try\x0d\x0a\x09\x09\x09\x09 del %s" wide ascii
34 | $ = "Ext.org" wide ascii
35 |
36 | condition:
37 | any of them
38 |
39 | }
40 |
41 | rule SafeNet : Family
42 | {
43 | meta:
44 | description = "SafeNet family"
45 |
46 | condition:
47 | SafeNetCode or SafeNetStrings
48 |
49 | }
50 |
51 |
--------------------------------------------------------------------------------
/malware/naspyupdate.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule nAspyUpdateCode : nAspyUpdate Family
9 | {
10 | meta:
11 | description = "nAspyUpdate code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-07-14"
14 |
15 | strings:
16 | // decryption loop in dropper
17 | $ = { 8A 54 24 14 8A 01 32 C2 02 C2 88 01 41 4E 75 F4 }
18 |
19 | condition:
20 | any of them
21 | }
22 |
23 | rule nAspyUpdateStrings : nAspyUpdate Family
24 | {
25 | meta:
26 | description = "nAspyUpdate Identifying Strings"
27 | author = "Seth Hardy"
28 | last_modified = "2014-07-14"
29 |
30 | strings:
31 | $ = "\\httpclient.txt"
32 | $ = "password <=14"
33 | $ = "/%ldn.txt"
34 | $ = "Kill You\x00"
35 |
36 | condition:
37 | any of them
38 | }
39 |
40 | rule nAspyUpdate : Family
41 | {
42 | meta:
43 | description = "nAspyUpdate"
44 | author = "Seth Hardy"
45 | last_modified = "2014-07-14"
46 |
47 | condition:
48 | nAspyUpdateCode or nAspyUpdateStrings
49 | }
50 |
51 |
52 |
--------------------------------------------------------------------------------
/malware/Install11.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Insta11Code : Insta11 Family
9 | {
10 | meta:
11 | description = "Insta11 code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-23"
14 |
15 | strings:
16 | // jmp $+5; push 423h
17 | $jumpandpush = { E9 00 00 00 00 68 23 04 00 00 }
18 |
19 | condition:
20 | any of them
21 | }
22 |
23 | rule Insta11Strings : Insta11 Family
24 | {
25 | meta:
26 | description = "Insta11 Identifying Strings"
27 | author = "Seth Hardy"
28 | last_modified = "2014-06-23"
29 |
30 | strings:
31 | $ = "XTALKER7"
32 | $ = "Insta11 Microsoft" wide ascii
33 | $ = "wudMessage"
34 | $ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"
35 | $ = "B12AE898-D056-4378-A844-6D393FE37956"
36 |
37 | condition:
38 | any of them
39 | }
40 |
41 | rule Insta11 : Family
42 | {
43 | meta:
44 | description = "Insta11"
45 | author = "Seth Hardy"
46 | last_modified = "2014-06-23"
47 |
48 | condition:
49 | Insta11Code or Insta11Strings
50 | }
51 |
--------------------------------------------------------------------------------
/malware/Glasses.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule GlassesCode : Glasses Family
9 | {
10 | meta:
11 | description = "Glasses code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-07-22"
14 |
15 | strings:
16 | $ = { B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8 }
17 | $ = { B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA }
18 |
19 | condition:
20 | any of them
21 | }
22 |
23 | rule GlassesStrings : Glasses Family
24 | {
25 | meta:
26 | description = "Strings used by Glasses"
27 | author = "Seth Hardy"
28 | last_modified = "2014-07-22"
29 |
30 | strings:
31 | $ = "thequickbrownfxjmpsvalzydg"
32 | $ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
33 | $ = "\" target=\"NewRef\">"
34 |
35 | condition:
36 | all of them
37 |
38 | }
39 |
40 | rule Glasses : Family
41 | {
42 | meta:
43 | description = "Glasses family"
44 | author = "Seth Hardy"
45 | last_modified = "2014-07-22"
46 |
47 | condition:
48 | GlassesCode or GlassesStrings
49 |
50 | }
51 |
--------------------------------------------------------------------------------
/malware/PlugX.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule PlugXStrings : PlugX Family
9 | {
10 | meta:
11 | description = "PlugX Identifying Strings"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-12"
14 |
15 | strings:
16 | $BootLDR = "boot.ldr" wide ascii
17 | $Dwork = "d:\\work" nocase
18 | $Plug25 = "plug2.5"
19 | $Plug30 = "Plug3.0"
20 | $Shell6 = "Shell6"
21 |
22 | condition:
23 | $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))
24 | }
25 |
26 | rule plugX : rat
27 | {
28 | meta:
29 | author = "Jean-Philippe Teissier / @Jipe_"
30 | description = "PlugX RAT"
31 | date = "2014-05-13"
32 | filetype = "memory"
33 | version = "1.0"
34 | ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"
35 |
36 | strings:
37 | $v1a = { 47 55 4C 50 00 00 00 00 }
38 | $v1b = "/update?id=%8.8x"
39 | $v1algoa = { BB 33 33 33 33 2B }
40 | $v1algob = { BB 44 44 44 44 2B }
41 | $v2a = "Proxy-Auth:"
42 | $v2b = { 68 A0 02 00 00 }
43 | $v2k = { C1 8F 3A 71 }
44 |
45 | condition:
46 | $v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))
47 | }
48 |
--------------------------------------------------------------------------------
/malware/Scarhikn.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule ScarhiknStrings : Scarhikn Family
9 | {
10 | meta:
11 | description = "Scarhikn Identifying Strings"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-25"
14 |
15 | strings:
16 | $ = "9887___skej3sd"
17 | $ = "haha123"
18 |
19 | condition:
20 | any of them
21 | }
22 |
23 |
24 |
25 | rule ScarhiknCode : Scarhikn Family
26 | {
27 | meta:
28 | description = "Scarhikn code features"
29 | author = "Seth Hardy"
30 | last_modified = "2014-06-25"
31 |
32 | strings:
33 | // decryption
34 | $ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 }
35 | $ = { 8B 02 8A 8D ?? ?? ?? ?? 30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 }
36 |
37 | condition:
38 | any of them
39 | }
40 |
41 | rule Scarhikn : Family
42 | {
43 | meta:
44 | description = "Scarhikn"
45 | author = "Seth Hardy"
46 | last_modified = "2014-06-25"
47 |
48 | condition:
49 | ScarhiknCode or ScarhiknStrings
50 | }
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
--------------------------------------------------------------------------------
/malware/NSFree.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule NSFreeCode : NSFree Family
9 | {
10 | meta:
11 | description = "NSFree code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-24"
14 |
15 | strings:
16 | // push vars then look for MZ
17 | $ = { 53 56 57 66 81 38 4D 5A }
18 | // nops then look for PE\0\0
19 | $ = { 90 90 90 90 81 3F 50 45 00 00 }
20 |
21 | condition:
22 | all of them
23 | }
24 |
25 | rule NSFreeStrings : NSFree Family
26 | {
27 | meta:
28 | description = "NSFree Identifying Strings"
29 | author = "Seth Hardy"
30 | last_modified = "2014-06-24"
31 |
32 | strings:
33 | $ = "\\MicNS\\" nocase
34 | $ = "NSFreeDll" wide ascii
35 | // xor 0x58 dos stub
36 | $ = { 0c 30 31 2b 78 28 2a 37 3f 2a 39 35 78 3b 39 36 36 37 }
37 |
38 | condition:
39 | any of them
40 | }
41 |
42 | rule NSFree : Family
43 | {
44 | meta:
45 | description = "NSFree"
46 | author = "Seth Hardy"
47 | last_modified = "2014-06-24"
48 |
49 | condition:
50 | NSFreeCode or NSFreeStrings
51 | }
52 |
53 |
54 |
--------------------------------------------------------------------------------
/malware/Cookies.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule CookiesStrings : Cookies Family
9 | {
10 | meta:
11 | description = "Cookies Identifying Strings"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-20"
14 |
15 | strings:
16 | $zip1 = "ntdll.exePK"
17 | $zip2 = "AcroRd32.exePK"
18 | $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
19 | $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
20 | $exe1 = "Leave GetCommand!"
21 | $exe2 = "perform exe success!"
22 | $exe3 = "perform exe failure!"
23 | $exe4 = "Entry SendCommandReq!"
24 | $exe5 = "Reqfile not exist!"
25 | $exe6 = "LeaveDealUpfile!"
26 | $exe7 = "Entry PostData!"
27 | $exe8 = "Leave PostFile!"
28 | $exe9 = "Entry PostFile!"
29 | $exe10 = "\\unknow.zip" wide ascii
30 | $exe11 = "the url no respon!"
31 |
32 | condition:
33 | (2 of ($zip*)) or (2 of ($exe*))
34 | }
35 |
36 | rule Cookies : Family
37 | {
38 | meta:
39 | description = "Cookies"
40 | author = "Seth Hardy"
41 | last_modified = "2014-06-20"
42 |
43 | condition:
44 | CookiesStrings
45 | }
46 |
47 |
--------------------------------------------------------------------------------
/malware/Naikon.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule NaikonCode : Naikon Family
9 | {
10 | meta:
11 | description = "Naikon code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-25"
14 |
15 | strings:
16 | // decryption
17 | $ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eah, 1fh
18 | $ = { 35 5A 01 00 00} // xor eax, 15ah
19 | $ = { 81 C2 7F 14 06 00 } // add edx, 6147fh
20 |
21 | condition:
22 | all of them
23 | }
24 |
25 | rule NaikonStrings : Naikon Family
26 | {
27 | meta:
28 | description = "Naikon Identifying Strings"
29 | author = "Seth Hardy"
30 | last_modified = "2014-06-25"
31 |
32 | strings:
33 | $ = "NOKIAN95/WEB"
34 | $ = "/tag=info&id=15"
35 | $ = "skg(3)=&3.2d_u1"
36 | $ = "\\Temp\\iExplorer.exe"
37 | $ = "\\Temp\\\"TSG\""
38 |
39 | condition:
40 | any of them
41 | }
42 |
43 | rule Naikon : Family
44 | {
45 | meta:
46 | description = "Naikon"
47 | author = "Seth Hardy"
48 | last_modified = "2014-06-25"
49 |
50 | condition:
51 | NaikonCode or NaikonStrings
52 | }
53 |
54 |
--------------------------------------------------------------------------------
/malware/Intel_Virtualization.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Intel_Virtualization_Wizard_exe {
9 | meta:
10 | author = "cabrel@zerklabs.com"
11 | description = "Dynamic DLL abuse executable"
12 |
13 | file_1_seen = "2013-05-21"
14 | file_1_sha256 = "7787757ae851f4a162f46f794be1532ab78e1928185212bdab83b3106f28c708"
15 |
16 | strings:
17 | $a = {4C 6F 61 64 53 54 52 49 4E 47}
18 | $b = {49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B}
19 | $c = {46 69 6E 64 52 65 73 6F 75 72 63 65 73}
20 | $d = {4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55}
21 | $e = {68 63 63 75 74 69 6C 73 2E 44 4C 4C}
22 | condition:
23 | all of them
24 | }
25 |
26 | rule Intel_Virtualization_Wizard_dll {
27 | meta:
28 | author = "cabrel@zerklabs.com"
29 | description = "Dynamic DLL (Malicious)"
30 |
31 | file_1_seen = "2013-05-21"
32 | file_1_sha256 = "485ae043b6a5758789f1d33766a26d8b45b9fde09cde0512aa32d4bd1ee04f28"
33 |
34 | strings:
35 | $a = {48 3A 5C 46 61 73 74 5C 50 6C 75 67 28 68 6B 63 6D 64 29 5C}
36 | $b = {64 6C 6C 5C 52 65 6C 65 61 73 65 5C 48 69 6A 61 63 6B 44 6C 6C 2E 70 64 62}
37 |
38 | condition:
39 | ($a and $b) and Intel_Virtualization_Wizard_exe
40 | }
41 |
--------------------------------------------------------------------------------
/malware/Bangat.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule BangatCode : Bangat Family
9 | {
10 | meta:
11 | description = "Bangat code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-07-10"
14 |
15 | strings:
16 | // dec [ebp + procname], push eax, push edx, call get procaddress
17 | $ = { FE 4D ?? 8D 4? ?? 50 5? FF }
18 |
19 | condition:
20 | any of them
21 | }
22 |
23 | rule BangatStrings : Bangat Family
24 | {
25 | meta:
26 | description = "Bangat Identifying Strings"
27 | author = "Seth Hardy"
28 | last_modified = "2014-07-10"
29 |
30 | strings:
31 | $lib1 = "DreatePipe"
32 | $lib2 = "HetSystemDirectoryA"
33 | $lib3 = "SeleaseMutex"
34 | $lib4 = "DloseWindowStation"
35 | $lib5 = "DontrolService"
36 | $file = "~hhC2F~.tmp"
37 | $mc = "~_MC_3~"
38 |
39 | condition:
40 | all of ($lib*) or $file or $mc
41 | }
42 |
43 | rule Bangat : Family
44 | {
45 | meta:
46 | description = "Bangat"
47 | author = "Seth Hardy"
48 | last_modified = "2014-07-10"
49 |
50 | condition:
51 | BangatCode or BangatStrings
52 | }
53 |
54 |
55 |
--------------------------------------------------------------------------------
/malware/Wimmie.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule WimmieShellcode : Wimmie Family
9 | {
10 | meta:
11 | description = "Wimmie code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-07-17"
14 |
15 | strings:
16 | // decryption loop
17 | $ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 }
18 | $xordecrypt = {B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 }
19 |
20 | condition:
21 | any of them
22 | }
23 |
24 | rule WimmieStrings : Wimmie Family
25 | {
26 | meta:
27 | description = "Strings used by Wimmie"
28 | author = "Seth Hardy"
29 | last_modified = "2014-07-17"
30 |
31 | strings:
32 | $ = "\x00ScriptMan"
33 | $ = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" wide ascii
34 | $ = "ProbeScriptFint" wide ascii
35 | $ = "ProbeScriptKids"
36 |
37 | condition:
38 | any of them
39 |
40 | }
41 |
42 | rule Wimmie : Family
43 | {
44 | meta:
45 | description = "Wimmie family"
46 | author = "Seth Hardy"
47 | last_modified = "2014-07-17"
48 |
49 | condition:
50 | WimmieShellcode or WimmieStrings
51 |
52 | }
53 |
--------------------------------------------------------------------------------
/malware/T5000.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule T5000Strings : T5000 Family
9 | {
10 | meta:
11 | description = "T5000 Identifying Strings"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-26"
14 |
15 | strings:
16 | $ = "_tmpR.vbs"
17 | $ = "_tmpg.vbs"
18 | $ = "Dtl.dat" wide ascii
19 | $ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
20 | $ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
21 | $ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
22 | $ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
23 | $ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
24 | $ = "A59CF429-D0DD-4207-88A1-04090680F714"
25 | $ = "utd_CE31" wide ascii
26 | $ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
27 | $ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
28 | $ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
29 | $ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
30 |
31 | condition:
32 | any of them
33 | }
34 |
35 | rule T5000 : Family
36 | {
37 | meta:
38 | description = "T5000"
39 | author = "Seth Hardy"
40 | last_modified = "2014-06-26"
41 |
42 | condition:
43 | T5000Strings
44 | }
45 |
--------------------------------------------------------------------------------
/malware/Vidgrab.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule VidgrabCode : Vidgrab Family
9 | {
10 | meta:
11 | description = "Vidgrab code tricks"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-20"
14 |
15 | strings:
16 | $divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
17 | // add eax, ecx; xor byte ptr [eax], ??h; inc ecx
18 | $xorloop = { 03 C1 80 30 (66 | 58) 41 }
19 | $junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
20 |
21 | condition:
22 | all of them
23 | }
24 |
25 | rule VidgrabStrings : Vidgrab Family
26 | {
27 | meta:
28 | description = "Vidgrab Identifying Strings"
29 | author = "Seth Hardy"
30 | last_modified = "2014-06-20"
31 |
32 | strings:
33 | $ = "IDI_ICON5" wide ascii
34 | $ = "starter.exe"
35 | $ = "wmifw.exe"
36 | $ = "Software\\rar"
37 | $ = "tmp092.tmp"
38 | $ = "temp1.exe"
39 |
40 | condition:
41 | 3 of them
42 | }
43 |
44 | rule Vidgrab : Family
45 | {
46 | meta:
47 | description = "Vidgrab"
48 | author = "Seth Hardy"
49 | last_modified = "2014-06-20"
50 |
51 | condition:
52 | VidgrabCode or VidgrabStrings
53 | }
54 |
--------------------------------------------------------------------------------
/malware/Regsubdat.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule RegSubDatCode : RegSubDat Family
9 | {
10 | meta:
11 | description = "RegSubDat code features"
12 | author = "Seth Hardy"
13 | last_modified = "2014-07-14"
14 |
15 | strings:
16 | // decryption loop
17 | $ = { 80 34 3? 99 40 (3D FB 65 00 00 | 3B C6) 7? F? }
18 | // push then pop values
19 | $ = { 68 FF FF 7F 00 5? }
20 | $ = { 68 FF 7F 00 00 5? }
21 |
22 | condition:
23 | all of them
24 | }
25 |
26 | rule RegSubDatStrings : RegSubDat Family
27 | {
28 | meta:
29 | description = "RegSubDat Identifying Strings"
30 | author = "Seth Hardy"
31 | last_modified = "2014-07-14"
32 |
33 | strings:
34 | $avg1 = "Button"
35 | $avg2 = "Allow"
36 | $avg3 = "Identity Protection"
37 | $avg4 = "Allow for all"
38 | $avg5 = "AVG Firewall Asks For Confirmation"
39 | $mutex = "0x1A7B4C9F"
40 |
41 | condition:
42 | all of ($avg*) or $mutex
43 | }
44 |
45 | rule RegSubDat : Family
46 | {
47 | meta:
48 | description = "RegSubDat"
49 | author = "Seth Hardy"
50 | last_modified = "2014-07-14"
51 |
52 | condition:
53 | RegSubDatCode or RegSubDatStrings
54 | }
55 |
--------------------------------------------------------------------------------
/malware/Babar.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule SNOWGLOBE_Babar_Malware {
9 | meta:
10 | description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
11 | author = "Florian Roth"
12 | reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
13 | date = "2015/02/18"
14 | hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
15 | score = 80
16 | strings:
17 | $mz = { 4d 5a }
18 | $z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
19 | $z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
20 | $z2 = "ExecQueryFailled!" fullword ascii
21 | $z3 = "NBOT_COMMAND_LINE" fullword
22 | $z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
23 |
24 | $s1 = "/s /n %s \"%s\"" fullword ascii
25 | $s2 = "%%WINDIR%%\\%s\\%s" fullword ascii
26 | $s3 = "/c start /wait " fullword ascii
27 | $s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii
28 |
29 | $x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
30 | $x2 = "%COMMON_APPDATA%" fullword ascii
31 | $x4 = "CONOUT$" fullword ascii
32 | $x5 = "cmd.exe" fullword ascii
33 | $x6 = "DLLPATH" fullword ascii
34 | condition:
35 | ( $mz at 0 ) and filesize < 1MB and
36 | (
37 | ( 1 of ($z*) and 1 of ($x*) ) or
38 | ( 3 of ($s*) and 4 of ($x*) )
39 | )
40 | }
41 |
--------------------------------------------------------------------------------
/malware/NetTraveler.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule NetTravStrings : NetTraveler Family {
9 |
10 |
11 | meta:
12 | description = "Identifiers for NetTraveler DLL"
13 | author = "Katie Kleemola"
14 | last_updated = "2014-05-20"
15 |
16 | strings:
17 | //network strings
18 | $ = "?action=updated&hostid="
19 | $ = "travlerbackinfo"
20 | $ = "?action=getcmd&hostid="
21 | $ = "%s?action=gotcmd&hostid="
22 | $ = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext="
23 |
24 | //debugging strings
25 | $ = "\x00Method1 Fail!!!!!\x00"
26 | $ = "\x00Method3 Fail!!!!!\x00"
27 | $ = "\x00method currect:\x00"
28 | $ = /\x00\x00[\w\-]+ is Running!\x00\x00/
29 | $ = "\x00OtherTwo\x00"
30 |
31 | condition:
32 | any of them
33 |
34 | }
35 |
36 | rule NetTravExports : NetTraveler Family {
37 |
38 | meta:
39 | description = "Export names for dll component"
40 | author = "Katie Kleemola"
41 | last_updated = "2014-05-20"
42 |
43 | strings:
44 | //dll component exports
45 | $ = "?InjectDll@@YAHPAUHWND__@@K@Z"
46 | $ = "?UnmapDll@@YAHXZ"
47 | $ = "?g_bSubclassed@@3HA"
48 |
49 | condition:
50 | any of them
51 | }
52 |
53 | rule NetTraveler : Family {
54 | meta:
55 | description = "Nettravelr"
56 | author = "Katie Kleemola"
57 | last_updated = "2014-07-08"
58 |
59 | condition:
60 | NetTravExports or NetTravStrings or NetpassStrings
61 |
62 | }
63 |
64 |
--------------------------------------------------------------------------------
/malware/Scieron.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Scieron
9 | {
10 | meta:
11 | author = "Symantec Security Response"
12 | ref = "http://www.symantec.com/connect/tr/blogs/scarab-attackers-took-aim-select-russian-targets-2012"
13 | date = "22.01.15"
14 |
15 | strings:
16 | // .text:10002069 66 83 F8 2C cmp ax, ','
17 | // .text:1000206D 74 0C jz short loc_1000207B
18 | // .text:1000206F 66 83 F8 3B cmp ax, ';'
19 | // .text:10002073 74 06 jz short loc_1000207B
20 | // .text:10002075 66 83 F8 7C cmp ax, '|'
21 | // .text:10002079 75 05 jnz short loc_10002080
22 | $code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05}
23 |
24 | // .text:10001D83 83 F8 09 cmp eax, 9 ; switch 10 cases
25 | // .text:10001D86 0F 87 DB 00 00 00 ja loc_10001E67 ; jumptable 10001D8C default case
26 | // .text:10001D8C FF 24 85 55 1F 00+ jmp ds:off_10001F55[eax*4] ; switch jump
27 | $code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24}
28 |
29 | $str1 = "IP_PADDING_DATA" wide ascii
30 | $str2 = "PORT_NUM" wide ascii
31 |
32 | condition:
33 | all of them
34 | }
35 |
--------------------------------------------------------------------------------
/malware/Bolonyokte.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Bolonyokte : rat
9 | {
10 | meta:
11 | description = "UnknownDotNet RAT - Bolonyokte"
12 | author = "Jean-Philippe Teissier / @Jipe_"
13 | date = "2013-02-01"
14 | filetype = "memory"
15 | version = "1.0"
16 |
17 | strings:
18 | $campaign1 = "Bolonyokte" ascii wide
19 | $campaign2 = "donadoni" ascii wide
20 |
21 | $decoy1 = "nyse.com" ascii wide
22 | $decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
23 | $decoy3 = "bf13-5d45cb40" ascii wide
24 |
25 | $artifact1 = "Backup.zip" ascii wide
26 | $artifact2 = "updates.txt" ascii wide
27 | $artifact3 = "vdirs.dat" ascii wide
28 | $artifact4 = "default.dat"
29 | $artifact5 = "index.html"
30 | $artifact6 = "mime.dat"
31 |
32 | $func1 = "FtpUrl"
33 | $func2 = "ScreenCapture"
34 | $func3 = "CaptureMouse"
35 | $func4 = "UploadFile"
36 |
37 | $ebanking1 = "Internet Banking" wide
38 | $ebanking2 = "(Online Banking)|(Online banking)"
39 | $ebanking3 = "(e-banking)|(e-Banking)" nocase
40 | $ebanking4 = "login"
41 | $ebanking5 = "en ligne" wide
42 | $ebanking6 = "bancaires" wide
43 | $ebanking7 = "(eBanking)|(Ebanking)" wide
44 | $ebanking8 = "Anmeldung" wide
45 | $ebanking9 = "internet banking" nocase wide
46 | $ebanking10 = "Banking Online" nocase wide
47 | $ebanking11 = "Web Banking" wide
48 | $ebanking12 = "Power"
49 |
50 | condition:
51 | any of ($campaign*) or 2 of ($decoy*) or 2 of ($artifact*) or all of ($func*) or 3 of ($ebanking*)
52 | }
53 |
--------------------------------------------------------------------------------
/malware/APT_Mongall.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule Backdoor_APT_Mongal
9 | {
10 | meta:
11 | author = "@patrickrolsen"
12 | maltype = "Backdoor.APT.Mongall"
13 | version = "0.1"
14 | reference = "fd69a799e21ccb308531ce6056944842"
15 | date = "01/04/2014"
16 | strings:
17 | $author = "author user"
18 | $title = "title Vjkygdjdtyuj" nocase
19 | $comp = "company ooo"
20 | $cretime = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10"
21 | $passwd = "password 00000000"
22 | condition:
23 | all of them
24 | }
25 |
26 | rule MongalCode : Mongal Family
27 | {
28 | meta:
29 | description = "Mongal code features"
30 | author = "Seth Hardy"
31 | last_modified = "2014-07-15"
32 |
33 | strings:
34 | // gettickcount value checking
35 | $ = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }
36 |
37 | condition:
38 | any of them
39 | }
40 |
41 | rule MongalStrings : Mongal Family
42 | {
43 | meta:
44 | description = "Mongal Identifying Strings"
45 | author = "Seth Hardy"
46 | last_modified = "2014-07-15"
47 |
48 | strings:
49 | $ = "NSCortr.dll"
50 | $ = "NSCortr1.dll"
51 | $ = "Sina.exe"
52 |
53 | condition:
54 | any of them
55 | }
56 |
57 | rule Mongal : Family
58 | {
59 | meta:
60 | description = "Mongal"
61 | author = "Seth Hardy"
62 | last_modified = "2014-07-15"
63 |
64 | condition:
65 | MongalCode or MongalStrings
66 | }
67 |
68 |
69 |
--------------------------------------------------------------------------------
/malware/MacControl.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule MacControlCode : MacControl Family
9 | {
10 | meta:
11 | description = "MacControl code tricks"
12 | author = "Seth Hardy"
13 | last_modified = "2014-06-17"
14 |
15 | strings:
16 | // Load these function strings 4 characters at a time. These check the first two blocks:
17 | $L4_Accept = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20 }
18 | $L4_AcceptLang = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C }
19 | $L4_Pragma = { C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20 }
20 | $L4_Connection = { C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69 }
21 | $GEThgif = { C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67 }
22 |
23 | condition:
24 | all of ($L4*) or $GEThgif
25 | }
26 |
27 | rule MacControlStrings : MacControl Family
28 | {
29 | meta:
30 | description = "MacControl Identifying Strings"
31 | author = "Seth Hardy"
32 | last_modified = "2014-06-17"
33 |
34 | strings:
35 | $ = "HTTPHeadGet"
36 | $ = "/Library/launched"
37 | $ = "My connect error with no ip!"
38 | $ = "Send File is Failed"
39 | $ = "****************************You Have got it!****************************"
40 |
41 | condition:
42 | any of them
43 | }
44 |
45 | rule MacControl : Family
46 | {
47 | meta:
48 | description = "MacControl"
49 | author = "Seth Hardy"
50 | last_modified = "2014-06-16"
51 |
52 | condition:
53 | MacControlCode or MacControlStrings
54 | }
55 |
56 |
57 |
--------------------------------------------------------------------------------
/malware/KINS.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 | rule KINS_dropper {
8 | meta:
9 | author = "AlienVault Labs aortega@alienvault.com"
10 | description = "Match protocol, process injects and windows exploit present in KINS dropper"
11 | reference = "http://goo.gl/arPhm3"
12 | strings:
13 | // Network protocol
14 | $n1 = "tid=%d&ta=%s-%x" fullword
15 | $n2 = "fid=%d" fullword
16 | $n3 = "%[^.].%[^(](%[^)])" fullword
17 | // Injects
18 | $i0 = "%s [%s %d] 77 %s"
19 | $i01 = "Global\\%s%x"
20 | $i1 = "Inject::InjectProcessByName()"
21 | $i2 = "Inject::CopyImageToProcess()"
22 | $i3 = "Inject::InjectProcess()"
23 | $i4 = "Inject::InjectImageToProcess()"
24 | $i5 = "Drop::InjectStartThread()"
25 | // UAC bypass
26 | $uac1 = "ExploitMS10_092"
27 | $uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
28 | $uac3 = "HighestAvailable" ascii wide
29 | condition:
30 | 2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
31 | }
32 |
33 | rule KINS_DLL_zeus {
34 | meta:
35 | author = "AlienVault Labs aortega@alienvault.com"
36 | description = "Match default bot in KINS leaked dropper, Zeus"
37 | reference = "http://goo.gl/arPhm3"
38 | strings:
39 | // Network protocol
40 | $n1 = "%BOTID%" fullword
41 | $n2 = "%opensocks%" fullword
42 | $n3 = "%openvnc%" fullword
43 | $n4 = /Global\\(s|v)_ev/ fullword
44 | // Crypted strings
45 | $s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
46 | $s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
47 | $s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
48 | $s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
49 | $s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
50 | condition:
51 | all of ($n*) and 1 of ($s*)
52 | }
53 |
--------------------------------------------------------------------------------
/malware/Ramsonware.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule CryptoLocker_set1
9 | {
10 | meta:
11 | author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
12 | date = "2014-04-13"
13 | description = "Detection of Cryptolocker Samples"
14 |
15 | strings:
16 | $string0 = "static"
17 | $string1 = " kscdS"
18 | $string2 = "Romantic"
19 | $string3 = "CompanyName" wide
20 | $string4 = "ProductVersion" wide
21 | $string5 = "9%9R9f9q9"
22 | $string6 = "IDR_VERSION1" wide
23 | $string7 = " "
24 | $string8 = "LookFor" wide
25 | $string9 = ":n;t;y;"
26 | $string10 = " 150 and #b > 200
20 | }
21 |
22 | rule WaterBug_wipbot_2013_dll {
23 | meta:
24 | description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
25 | author = "Symantec Security Response"
26 | date = "22.01.2015"
27 | reference = "http://t.co/rF35OaAXrl"
28 | strings:
29 | $string1 = "/%s?rank=%s"
30 | $string2 = "ModuleStart\x00ModuleStop\x00start"
31 | $string3 = "1156fd22-3443-4344-c4ffff"
32 | //read file... error..
33 | $string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
34 | condition:
35 | 2 of them
36 | }
37 |
38 | rule WaterBug_wipbot_2013_core {
39 | meta:
40 | description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
41 | author = "Symantec Security Response"
42 | date = "22.01.2015"
43 | reference = "http://t.co/rF35OaAXrl"
44 | strings:
45 | $mz = "MZ"
46 | $code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
47 | $code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
48 | $code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04} $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
49 | condition:
50 | $mz at 0 and (($code1 or $code2) or ($code3 and $code4))
51 | }
52 |
53 | rule WaterBug_turla_dropper {
54 | meta:
55 | description = "Symantec Waterbug Attack - Trojan Turla Dropper"
56 | author = "Symantec Security Response"
57 | date = "22.01.2015"
58 | reference = "http://t.co/rF35OaAXrl"
59 | strings:
60 | $a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
61 | $b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
62 | condition:
63 | all of them
64 | }
65 |
66 | rule WaterBug_fa_malware {
67 | meta:
68 | description = "Symantec Waterbug Attack - FA malware variant"
69 | author = "Symantec Security Response"
70 | date = "22.01.2015"
71 | reference = "http://t.co/rF35OaAXrl"
72 | strings:
73 | $mz = "MZ"
74 | $string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
75 | $string2 = "d:\\proj\\cn\\fa64\\"
76 | $string3 = "sengoku_Win32.sys\x00"
77 | $string4 = "rk_ntsystem.c"
78 | $string5 = "\\uroboros\\"
79 | $string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
80 | condition:
81 | ($mz at 0) and (any of ($string*))
82 | }
83 |
84 |
85 | rule WaterBug_sav {
86 | meta:
87 | description = "Symantec Waterbug Attack - SAV Malware"
88 | author = "Symantec Security Response"
89 | date = "22.01.2015"
90 | reference = "http://t.co/rF35OaAXrl"
91 | strings:
92 | $mz = "MZ"
93 | $code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
94 | $code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC 3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
95 | $code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
96 | $code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
97 | condition:
98 | ($mz at 0) and (($code1a or $code1b or $code1c) and $code2)
99 | }
100 |
101 |
--------------------------------------------------------------------------------
/malicious_document.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | rule maldoc_API_hashing
7 | {
8 | meta:
9 | author = "Didier Stevens (https://DidierStevens.com)"
10 | strings:
11 | $a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
12 | $a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
13 | condition:
14 | any of them
15 | }
16 |
17 | rule maldoc_function_prolog_signature
18 | {
19 | meta:
20 | author = "Didier Stevens (https://DidierStevens.com)"
21 | strings:
22 | $a1 = {55 8B EC 81 EC}
23 | $a2 = {55 8B EC 83 C4}
24 | $a3 = {55 8B EC E8}
25 | $a4 = {55 8B EC E9}
26 | $a5 = {55 8B EC EB}
27 | condition:
28 | any of them
29 | }
30 |
31 | rule maldoc_structured_exception_handling
32 | {
33 | meta:
34 | author = "Didier Stevens (https://DidierStevens.com)"
35 | strings:
36 | $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 00 00 00 00}
37 | $a2 = {64 A1 00 00 00 00}
38 | condition:
39 | any of them
40 | }
41 |
42 | rule maldoc_indirect_function_call_1
43 | {
44 | meta:
45 | author = "Didier Stevens (https://DidierStevens.com)"
46 | strings:
47 | $a = {FF 75 ?? FF 55 ??}
48 | condition:
49 | for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
50 | }
51 |
52 | rule maldoc_indirect_function_call_2
53 | {
54 | meta:
55 | author = "Didier Stevens (https://DidierStevens.com)"
56 | strings:
57 | $a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
58 | condition:
59 | for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
60 | }
61 |
62 | rule maldoc_indirect_function_call_3
63 | {
64 | meta:
65 | author = "Didier Stevens (https://DidierStevens.com)"
66 | strings:
67 | $a = {FF B7 ?? ?? ?? ?? FF 57 ??}
68 | condition:
69 | $a
70 | }
71 |
72 | rule maldoc_find_kernel32_base_method_1
73 | {
74 | meta:
75 | author = "Didier Stevens (https://DidierStevens.com)"
76 | strings:
77 | $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
78 | $a2 = {64 A1 30 00 00 00}
79 | condition:
80 | any of them
81 | }
82 |
83 | rule maldoc_find_kernel32_base_method_2
84 | {
85 | meta:
86 | author = "Didier Stevens (https://DidierStevens.com)"
87 | strings:
88 | $a = {31 ?? ?? 30 64 8B ??}
89 | condition:
90 | for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
91 | }
92 |
93 | rule maldoc_find_kernel32_base_method_3
94 | {
95 | meta:
96 | author = "Didier Stevens (https://DidierStevens.com)"
97 | strings:
98 | $a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
99 | condition:
100 | for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
101 | }
102 |
103 | rule maldoc_getEIP_method_1
104 | {
105 | meta:
106 | author = "Didier Stevens (https://DidierStevens.com)"
107 | strings:
108 | $a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
109 | condition:
110 | $a
111 | }
112 |
113 | rule maldoc_getEIP_method_4
114 | {
115 | meta:
116 | author = "Didier Stevens (https://DidierStevens.com)"
117 | strings:
118 | $a1 = {D9 EE D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
119 | $a2 = {D9 EE 9B D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
120 | condition:
121 | any of them
122 | }
123 |
124 | rule maldoc_OLE_file_magic_number
125 | {
126 | meta:
127 | author = "Didier Stevens (https://DidierStevens.com)"
128 | strings:
129 | $a = {D0 CF 11 E0}
130 | condition:
131 | $a
132 | }
133 |
134 | rule maldoc_suspicious_strings
135 | {
136 | meta:
137 | author = "Didier Stevens (https://DidierStevens.com)"
138 | strings:
139 | $a01 = "CloseHandle"
140 | $a02 = "CreateFile"
141 | $a03 = "GetProcAddr"
142 | $a04 = "GetSystemDirectory"
143 | $a05 = "GetTempPath"
144 | $a06 = "GetWindowsDirectory"
145 | $a07 = "IsBadReadPtr"
146 | $a08 = "IsBadWritePtr"
147 | $a09 = "LoadLibrary"
148 | $a10 = "ReadFile"
149 | $a11 = "SetFilePointer"
150 | $a12 = "ShellExecute"
151 | $a13 = "UrlDownloadToFile"
152 | $a14 = "VirtualAlloc"
153 | $a15 = "WinExec"
154 | $a16 = "WriteFile"
155 | condition:
156 | any of them
157 | }
158 |
159 | rule mwi_document : exploitdoc
160 | {
161 | meta:
162 | description = "MWI generated document"
163 | author = "@Ydklijnsma"
164 | source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
165 |
166 | strings:
167 | $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
168 | $mwistat_url = ".php?id="
169 | $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
170 |
171 | condition:
172 | all of them
173 | }
174 |
--------------------------------------------------------------------------------
/malware/APT_Hellsing.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 |
9 | rule apt_hellsing_implantstrings : PE
10 | {
11 | meta:
12 | Author = "Costin Raiu, Kaspersky Lab"
13 | Date = "2015-04-07"
14 | Description = "detection for Hellsing implants"
15 | Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
16 |
17 | strings:
18 | $mz="MZ"
19 |
20 | $a1="the file uploaded failed !"
21 | $a2="ping 127.0.0.1"
22 |
23 | $b1="the file downloaded failed !"
24 | $b2="common.asp"
25 |
26 | $c="xweber_server.exe"
27 | $d="action="
28 |
29 | $debugpath1="d:\\Hellsing\\release\\msger\\" nocase
30 | $debugpath2="d:\\hellsing\\sys\\xrat\\" nocase
31 | $debugpath3="D:\\Hellsing\\release\\exe\\" nocase
32 | $debugpath4="d:\\hellsing\\sys\\xkat\\" nocase
33 | $debugpath5="e:\\Hellsing\\release\\clare" nocase
34 | $debugpath6="e:\\Hellsing\\release\\irene\\" nocase
35 | $debugpath7="d:\\hellsing\\sys\\irene\\" nocase
36 |
37 | $e="msger_server.dll"
38 | $f="ServiceMain"
39 |
40 | condition:
41 | ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
42 | }
43 |
44 | rule apt_hellsing_installer : PE
45 | {
46 | meta:
47 | Author = "Costin Raiu, Kaspersky Lab"
48 | Date = "2015-04-07"
49 | Description = "detection for Hellsing xweber/msger installers"
50 | Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
51 |
52 | strings:
53 | $mz="MZ"
54 |
55 | $cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
56 |
57 | $a1="xweber_install_uac.exe"
58 | $a2="system32\\cmd.exe" wide
59 | $a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
60 | $a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
61 | $a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
62 | $a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
63 | $a10="%SystemRoot%\\system32\\cmd.exe" wide
64 | $a11="msger_install.dll"
65 | $a12={00 65 78 2E 64 6C 6C 00}
66 |
67 | condition:
68 | ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
69 | }
70 |
71 | rule apt_hellsing_proxytool : PE
72 | {
73 | meta:
74 | Author = "Costin Raiu, Kaspersky Lab"
75 | Date = "2015-04-07"
76 | Description = "detection for Hellsing proxy testing tool"
77 | Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
78 |
79 | strings:
80 | $mz="MZ"
81 | $a1="PROXY_INFO: automatic proxy url => %s "
82 | $a2="PROXY_INFO: connection type => %d "
83 | $a3="PROXY_INFO: proxy server => %s "
84 | $a4="PROXY_INFO: bypass list => %s "
85 | $a5="InternetQueryOption failed with GetLastError() %d"
86 | $a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
87 |
88 | condition:
89 | ($mz at 0) and (2 of ($a*)) and filesize < 300000
90 | }
91 |
92 | rule apt_hellsing_xkat : PE
93 | {
94 | meta:
95 | Author = "Costin Raiu, Kaspersky Lab"
96 | Date = "2015-04-07"
97 | Description = "detection for Hellsing xKat tool"
98 | Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
99 |
100 | strings:
101 | $mz="MZ"
102 | $a1="\\Dbgv.sys"
103 | $a2="XKAT_BIN"
104 | $a3="release sys file error."
105 | $a4="driver_load error. "
106 | $a5="driver_create error."
107 | $a6="delete file:%s error."
108 | $a7="delete file:%s ok."
109 | $a8="kill pid:%d error."
110 | $a9="kill pid:%d ok."
111 | $a10="-pid-delete"
112 | $a11="kill and delete pid:%d error."
113 | $a12="kill and delete pid:%d ok."
114 |
115 | condition:
116 | ($mz at 0) and (6 of ($a*)) and filesize < 300000
117 | }
118 |
119 | rule apt_hellsing_msgertype2 : PE
120 | {
121 | meta:
122 | Author = "Costin Raiu, Kaspersky Lab"
123 | Date = "2015-04-07"
124 | Description = "detection for Hellsing msger type 2 implants"
125 | Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
126 |
127 | strings:
128 | $mz="MZ"
129 | $a1="%s\\system\\%d.txt"
130 | $a2="_msger"
131 | $a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
132 | $a4="http://%s/data/%s.1000001000"
133 | $a5="/lib/common.asp?action=user_upload&file="
134 | $a6="%02X-%02X-%02X-%02X-%02X-%02X"
135 |
136 | condition:
137 | ($mz at 0) and (4 of ($a*)) and filesize < 500000
138 | }
139 |
140 | rule apt_hellsing_irene : PE
141 | {
142 | meta:
143 | Author = "Costin Raiu, Kaspersky Lab"
144 | Date = "2015-04-07"
145 | Description = "detection for Hellsing msger irene installer"
146 | Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
147 |
148 | strings:
149 | $mz="MZ"
150 | $a1="\\Drivers\\usbmgr.tmp" wide
151 | $a2="\\Drivers\\usbmgr.sys" wide
152 | $a3="common_loadDriver CreateFile error! "
153 | $a4="common_loadDriver StartService error && GetLastError():%d! "
154 | $a5="irene" wide
155 | $a6="aPLib v0.43 - the smaller the better"
156 |
157 | condition:
158 | ($mz at 0) and (4 of ($a*)) and filesize < 500000
159 | }
160 |
--------------------------------------------------------------------------------
/malware/FinSpy.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule FinSpy_2
9 | {
10 | meta:
11 | description = "FinFisher FinSpy"
12 | author = "botherder https://github.com/botherder"
13 |
14 | strings:
15 | $password1 = /\/scomma kbd101\.sys/ wide ascii
16 | $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
17 | $password3 = /\/scomma excel2010\.part/ wide ascii
18 | $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
19 | $password5 = /\/stab MSVCR32\.manifest/ wide ascii
20 | $password6 = /\/scomma MSN2010\.dll/ wide ascii
21 | $password7 = /\/scomma Firefox\.base/ wide ascii
22 | $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
23 | $password9 = /\/scomma IE7setup\.sys/ wide ascii
24 | $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
25 | $password11 = /\/scomma office2007\.cab/ wide ascii
26 | $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
27 | $password13 = /\/scomma outlook2007\.dll/ wide ascii
28 | $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
29 |
30 | $screenrec1 = /(s)111o00000000\.dat/ wide ascii
31 | $screenrec2 = /(t)111o00000000\.dat/ wide ascii
32 | $screenrec3 = /(f)113o00000000\.dat/ wide ascii
33 | $screenrec4 = /(w)114o00000000\.dat/ wide ascii
34 | $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
35 | $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
36 | $screenrec7 = /(v)112O00000000\.dat/ wide ascii
37 |
38 | //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
39 | //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
40 |
41 | $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
42 |
43 | $skyperec1 = /\[%19s\] %25s\: %s/ wide ascii
44 | $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
45 | $skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
46 |
47 | $mouserec1 = /(m)sc183Q000\.dat/ wide ascii
48 | $mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
49 |
50 | $driver = /\\\\\\\\\.\\\\driverw/ wide ascii
51 |
52 | $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
53 | $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
54 |
55 | $versions1 = /(f)inspyv2/ nocase
56 | $versions2 = /(f)inspyv4/ nocase
57 |
58 | $bootkit1 = /(b)ootkit_x32driver/
59 | $bootkit2 = /(b)ootkit_x64driver/
60 |
61 | $typo1 = /(S)creenShort Recording/ wide
62 |
63 | $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
64 |
65 | condition:
66 | 8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx
67 | }
68 |
69 | rule FinSpy
70 | {
71 | meta:
72 | description = "FinFisher FinSpy"
73 | author = "AlienVault Labs"
74 |
75 | strings:
76 | $filter1 = "$password14"
77 | $filter2 = "$screenrec7"
78 | $filter3 = "$micrec"
79 | $filter4 = "$skyperec3"
80 | $filter5 = "$mouserec2"
81 | $filter6 = "$driver"
82 | $filter7 = "$janedow2"
83 | $filter8 = "$bootkit2"
84 |
85 | $password1 = /\/scomma kbd101\.sys/ wide ascii
86 | $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii
87 | $password3 = /\/scomma excel2010\.part/ wide ascii
88 | $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii
89 | $password5 = /\/stab MSVCR32\.manifest/ wide ascii
90 | $password6 = /\/scomma MSN2010\.dll/ wide ascii
91 | $password7 = /\/scomma Firefox\.base/ wide ascii
92 | $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii
93 | $password9 = /\/scomma IE7setup\.sys/ wide ascii
94 | $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii
95 | $password11 = /\/scomma office2007\.cab/ wide ascii
96 | $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii
97 | $password13 = /\/scomma outlook2007\.dll/ wide ascii
98 | $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii
99 |
100 | $screenrec1 = /(s)111o00000000\.dat/ wide ascii
101 | $screenrec2 = /(t)111o00000000\.dat/ wide ascii
102 | $screenrec3 = /(f)113o00000000\.dat/ wide ascii
103 | $screenrec4 = /(w)114o00000000\.dat/ wide ascii
104 | $screenrec5 = /(u)112Q00000000\.dat/ wide ascii
105 | $screenrec6 = /(v)112Q00000000\.dat/ wide ascii
106 | $screenrec7 = /(v)112O00000000\.dat/ wide ascii
107 |
108 | //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii
109 | //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii
110 |
111 | $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii
112 |
113 | $skyperec1 = /\[%19s\] %25s\: %s/ wide ascii
114 | $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide
115 | //$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii
116 |
117 | //$mouserec1 = /(m)sc183Q000\.dat/ wide ascii
118 | //$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii
119 |
120 | $driver = /\\\\\\\\\.\\\\driverw/ wide ascii
121 |
122 | $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii
123 | $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii
124 |
125 | //$versions1 = /(f)inspyv2/ nocase
126 | //$versions2 = /(f)inspyv4/ nocase
127 |
128 | $bootkit1 = /(b)ootkit_x32driver/
129 | $bootkit2 = /(b)ootkit_x64driver/
130 |
131 | $typo1 = /(S)creenShort Recording/ wide
132 |
133 | $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide
134 |
135 | condition:
136 | (8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*)
137 | }
138 |
139 |
--------------------------------------------------------------------------------
/malware/APT_OPCleaver.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 | rule ZhoupinExploitCrew
9 | {
10 | meta:
11 | author = "Cylance"
12 | date = "2014-12-02"
13 | description = "http://cylance.com/opcleaver"
14 | strings:
15 | $s1 = "zhoupin exploit crew" nocase
16 | $s2 = "zhopin exploit crew" nocase
17 | condition:
18 | 1 of them
19 | }
20 |
21 | rule BackDoorLogger
22 | {
23 | meta:
24 | author = "Cylance"
25 | date = "2014-12-02"
26 | description = "http://cylance.com/opcleaver"
27 | strings:
28 | $s1 = "BackDoorLogger"
29 | $s2 = "zhuAddress"
30 | condition:
31 | all of them
32 | }
33 |
34 | rule Jasus
35 | {
36 | meta:
37 | author = "Cylance"
38 | date = "2014-12-02"
39 | description = "http://cylance.com/opcleaver"
40 | strings:
41 | $s1 = "pcap_dump_open"
42 | $s2 = "Resolving IPs to poison..."
43 | $s3 = "WARNNING: Gateway IP can not be found"
44 | condition:
45 | all of them
46 | }
47 |
48 | rule LoggerModule
49 | {
50 | meta:
51 | author = "Cylance"
52 | date = "2014-12-02"
53 | description = "http://cylance.com/opcleaver"
54 | strings:
55 | $s1 = "%s-%02d%02d%02d%02d%02d.r"
56 | $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
57 | condition:
58 | all of them
59 | }
60 |
61 | rule NetC
62 | {
63 | meta:
64 | author = "Cylance"
65 | date = "2014-12-02"
66 | description = "http://cylance.com/opcleaver"
67 | strings:
68 | $s1 = "NetC.exe" wide
69 | $s2 = "Net Service"
70 | condition:
71 | all of them
72 | }
73 |
74 | rule ShellCreator2
75 | {
76 | meta:
77 | author = "Cylance"
78 | date = "2014-12-02"
79 | description = "http://cylance.com/opcleaver"
80 | strings:
81 | $s1 = "ShellCreator2.Properties"
82 | $s2 = "set_IV"
83 | condition:
84 | all of them
85 | }
86 |
87 | rule SmartCopy2
88 | {
89 | meta:
90 | author = "Cylance"
91 | date = "2014-12-02"
92 | description = "http://cylance.com/opcleaver"
93 | strings:
94 | $s1 = "SmartCopy2.Properties"
95 | $s2 = "ZhuFrameWork"
96 | condition:
97 | all of them
98 | }
99 |
100 | rule SynFlooder
101 | {
102 | meta:
103 | author = "Cylance"
104 | date = "2014-12-02"
105 | description = "http://cylance.com/opcleaver"
106 | strings:
107 | $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
108 | $s2 = "your target's IP is : %s"
109 | $s3 = "Raw TCP Socket Created successfully."
110 | condition:
111 | all of them
112 | }
113 |
114 | rule TinyZBot
115 | {
116 | meta:
117 | author = "Cylance"
118 | date = "2014-12-02"
119 | description = "http://cylance.com/opcleaver"
120 | strings:
121 | $s1 = "NetScp" wide
122 | $s2 = "TinyZBot.Properties.Resources.resources"
123 |
124 | $s3 = "Aoao WaterMark"
125 | $s4 = "Run_a_exe"
126 | $s5 = "netscp.exe"
127 |
128 | $s6 = "get_MainModule_WebReference_DefaultWS"
129 | $s7 = "remove_CheckFileMD5Completed"
130 | $s8 = "http://tempuri.org/"
131 |
132 | $s9 = "Zhoupin_Cleaver"
133 | condition:
134 | ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9)
135 | }
136 |
137 | rule antivirusdetector
138 | {
139 | meta:
140 | author = "Cylance"
141 | date = "2014-12-02"
142 | description = "http://cylance.com/opcleaver"
143 | strings:
144 | $s1 = "getShadyProcess"
145 | $s2 = "getSystemAntiviruses"
146 | $s3 = "AntiVirusDetector"
147 | condition:
148 | all of them
149 | }
150 |
151 | rule csext
152 | {
153 | meta:
154 | author = "Cylance"
155 | date = "2014-12-02"
156 | description = "http://cylance.com/opcleaver"
157 | strings:
158 | $s1 = "COM+ System Extentions"
159 | $s2 = "csext.exe"
160 | $s3 = "COM_Extentions_bin"
161 | condition:
162 | all of them
163 | }
164 |
165 | rule kagent
166 | {
167 | meta:
168 | author = "Cylance"
169 | date = "2014-12-02"
170 | description = "http://cylance.com/opcleaver"
171 | strings:
172 | $s1 = "kill command is in last machine, going back"
173 | $s2 = "message data length in B64: %d Bytes"
174 | condition:
175 | all of them
176 | }
177 |
178 | rule mimikatzWrapper
179 | {
180 | meta:
181 | author = "Cylance"
182 | date = "2014-12-02"
183 | description = "http://cylance.com/opcleaver"
184 | strings:
185 | $s1 = "mimikatzWrapper"
186 | $s2 = "get_mimikatz"
187 | condition:
188 | all of them
189 | }
190 |
191 | rule pvz_in
192 | {
193 | meta:
194 | author = "Cylance"
195 | date = "2014-12-02"
196 | description = "http://cylance.com/opcleaver"
197 | strings:
198 | $s1 = "LAST_TIME=00/00/0000:00:00PM$"
199 | $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
200 | condition:
201 | all of them
202 | }
203 |
204 | rule pvz_out
205 | {
206 | meta:
207 | author = "Cylance"
208 | date = "2014-12-02"
209 | description = "http://cylance.com/opcleaver"
210 | strings:
211 | $s1 = "Network Connectivity Module" wide
212 | $s2 = "OSPPSVC" wide
213 | condition:
214 | all of them
215 | }
216 |
217 | rule wndTest
218 | {
219 | meta:
220 | author = "Cylance"
221 | date = "2014-12-02"
222 | description = "http://cylance.com/opcleaver"
223 | strings:
224 | $s1 = "[Alt]" wide
225 | $s2 = "<< %s >>:" wide
226 | $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
227 | condition:
228 | all of them
229 | }
230 |
231 | rule zhCat
232 | {
233 | meta:
234 | author = "Cylance"
235 | date = "2014-12-02"
236 | description = "http://cylance.com/opcleaver"
237 | strings:
238 | $s1 = "zhCat -l -h -tp 1234"
239 | $s2 = "ABC ( A Big Company )" wide
240 | condition:
241 | all of them
242 | }
243 |
244 | rule zhLookUp
245 | {
246 | meta:
247 | author = "Cylance"
248 | date = "2014-12-02"
249 | description = "http://cylance.com/opcleaver"
250 | strings:
251 | $s1 = "zhLookUp.Properties"
252 | condition:
253 | all of them
254 | }
255 |
256 | rule zhmimikatz
257 | {
258 | meta:
259 | author = "Cylance"
260 | date = "2014-12-02"
261 | description = "http://cylance.com/opcleaver"
262 | strings:
263 | $s1 = "MimikatzRunner"
264 | $s2 = "zhmimikatz"
265 | condition:
266 | all of them
267 | }
268 |
269 | rule Zh0uSh311
270 | {
271 | meta:
272 | author = "Cylance"
273 | date = "2014-12-02"
274 | description = "http://cylance.com/opcleaver"
275 | strings:
276 | $s1 = "Zh0uSh311"
277 | condition:
278 | all of them
279 | }
280 |
--------------------------------------------------------------------------------
/malware/Miscelanea_Linux.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 |
9 | rule LinuxAESDDoS
10 | {
11 | meta:
12 | Author = "@benkow_"
13 | Date = "2014/09/12"
14 | Description = "Strings inside"
15 | Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
16 |
17 | strings:
18 | $a = "3AES"
19 | $b = "Hacker"
20 | $c = "VERSONEX"
21 |
22 | condition:
23 | 2 of them
24 | }
25 |
26 | rule LinuxBillGates
27 | {
28 | meta:
29 | Author = "@benkow_"
30 | Date = "2014/08/11"
31 | Description = "Strings inside"
32 | Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429"
33 |
34 | strings:
35 | $a= "12CUpdateGates"
36 | $b= "11CUpdateBill"
37 |
38 | condition:
39 | $a and $b
40 | }
41 |
42 | rule LinuxElknot
43 | {
44 | meta:
45 | Author = "@benkow_"
46 | Date = "2013/12/24"
47 | Description = "Strings inside"
48 | Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
49 |
50 | strings:
51 | $a = "ZN8CUtility7DeCryptEPciPKci"
52 | $b = "ZN13CThreadAttack5StartEP11CCmdMessage"
53 |
54 | condition:
55 | all of them
56 | }
57 |
58 | rule LinuxMrBlack
59 | {
60 | meta:
61 | author = "@benkow_"
62 | description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
63 |
64 | strings:
65 | $a = "Mr.Black"
66 | $b = "VERS0NEX:%s|%d|%d|%s"
67 | condition:
68 | $a and $b
69 | }
70 |
71 | rule LinuxTsunami
72 | {
73 | meta:
74 | author = "@benkow_"
75 | description = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
76 |
77 | strings:
78 | $a = "PRIVMSG %s :[STD]Hitting %s"
79 | $b = "NOTICE %s :TSUNAMI "
80 | $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
81 | condition:
82 | $a or $b or $c
83 | }
84 |
85 | rule rootkit
86 | {
87 | meta:
88 | author="xorseed"
89 | reference= "https://stuff.rop.io/"
90 | strings:
91 | $sys1 = "sys_write" nocase ascii wide
92 | $sys2 = "sys_getdents" nocase ascii wide
93 | $sys3 = "sys_getdents64" nocase ascii wide
94 | $sys4 = "sys_getpgid" nocase ascii wide
95 | $sys5 = "sys_getsid" nocase ascii wide
96 | $sys6 = "sys_setpgid" nocase ascii wide
97 | $sys7 = "sys_kill" nocase ascii wide
98 | $sys8 = "sys_tgkill" nocase ascii wide
99 | $sys9 = "sys_tkill" nocase ascii wide
100 | $sys10 = "sys_sched_setscheduler" nocase ascii wide
101 | $sys11 = "sys_sched_setparam" nocase ascii wide
102 | $sys12 = "sys_sched_getscheduler" nocase ascii wide
103 | $sys13 = "sys_sched_getparam" nocase ascii wide
104 | $sys14 = "sys_sched_setaffinity" nocase ascii wide
105 | $sys15 = "sys_sched_getaffinity" nocase ascii wide
106 | $sys16 = "sys_sched_rr_get_interval" nocase ascii wide
107 | $sys17 = "sys_wait4" nocase ascii wide
108 | $sys18 = "sys_waitid" nocase ascii wide
109 | $sys19 = "sys_rt_tgsigqueueinfo" nocase ascii wide
110 | $sys20 = "sys_rt_sigqueueinfo" nocase ascii wide
111 | $sys21 = "sys_prlimit64" nocase ascii wide
112 | $sys22 = "sys_ptrace" nocase ascii wide
113 | $sys23 = "sys_migrate_pages" nocase ascii wide
114 | $sys24 = "sys_move_pages" nocase ascii wide
115 | $sys25 = "sys_get_robust_list" nocase ascii wide
116 | $sys26 = "sys_perf_event_open" nocase ascii wide
117 | $sys27 = "sys_uname" nocase ascii wide
118 | $sys28 = "sys_unlink" nocase ascii wide
119 | $sys29 = "sys_unlikat" nocase ascii wide
120 | $sys30 = "sys_rename" nocase ascii wide
121 | $sys31 = "sys_read" nocase ascii wide
122 | $sys32 = "kobject_del" nocase ascii wide
123 | $sys33 = "list_del_init" nocase ascii wide
124 | $sys34 = "inet_ioctl" nocase ascii wide
125 | condition:
126 | 9 of them
127 | }
128 |
129 | rule exploit
130 | {
131 | meta:
132 | author="xorseed"
133 | reference= "https://stuff.rop.io/"
134 | strings:
135 | $xpl1 = "set_fs_root" nocase ascii wide
136 | $xpl2 = "set_fs_pwd" nocase ascii wide
137 | $xpl3 = "__virt_addr_valid" nocase ascii wide
138 | $xpl4 = "init_task" nocase ascii wide
139 | $xpl5 = "init_fs" nocase ascii wide
140 | $xpl6 = "bad_file_ops" nocase ascii wide
141 | $xpl7 = "bad_file_aio_read" nocase ascii wide
142 | $xpl8 = "security_ops" nocase ascii wide
143 | $xpl9 = "default_security_ops" nocase ascii wide
144 | $xpl10 = "audit_enabled" nocase ascii wide
145 | $xpl11 = "commit_creds" nocase ascii wide
146 | $xpl12 = "prepare_kernel_cred" nocase ascii wide
147 | $xpl13 = "ptmx_fops" nocase ascii wide
148 | $xpl14 = "node_states" nocase ascii wide
149 | condition:
150 | 7 of them
151 | }
152 |
153 | rule ldpreload
154 | {
155 | meta:
156 | author="xorseed"
157 | reference= "https://stuff.rop.io/"
158 | strings:
159 | $a = "dlopen" nocase ascii wide
160 | $b = "dlsym" nocase ascii wide
161 | $c = "fopen" nocase ascii wide
162 | $d = "fopen64" nocase ascii wide
163 | $e = "__fxstat" nocase ascii wide
164 | $f = "__fxstat64" nocase ascii wide
165 | $g = "accept" nocase ascii wide
166 | $h = "__lxstat" nocase ascii wide
167 | $i = "__lxstat64" nocase ascii wide
168 | $j = "open" nocase ascii wide
169 | $k = "rmdir" nocase ascii wide
170 | $l = "__xstat" nocase ascii wide
171 | $m = "__xstat64" nocase ascii wide
172 | $n = "unlink" nocase ascii wide
173 | $o = "unlikat" nocase ascii wide
174 | $p = "fdopendir" nocase ascii wide
175 | $q = "opendir" nocase ascii wide
176 | $r = "readdir" nocase ascii wide
177 | $s = "readdir64" nocase ascii wide
178 | condition:
179 | ($a or $b) and 5 of them
180 | }
181 |
182 | rule keylogger
183 | {
184 | meta:
185 | author="xorseed"
186 | reference="https://stuff.rop.io/"
187 | strings:
188 | $a = "XListInputDevices" ascii wide
189 | $b = "XOpenDevice" ascii wide
190 | $c = "XOpenIM" ascii wide
191 | $d = "XGetIMValues" ascii wide
192 | $e = "XmbLookupString" ascii wide
193 | $f = "XFree" ascii wide
194 | $g = "XCreateIC" ascii wide
195 | $h = "XOpenDisplay" ascii wide
196 | $i = "XNextEvent" ascii wide
197 | $j = "XInternAtom" ascii wide
198 | $k = "XSelectExtensionEvent" ascii wide
199 | $l = "XFreeDeviceList" ascii wide
200 | $m = "XGetWindowProperty" ascii wide
201 | $n = "XkbKeycodeToKeysym" ascii wide
202 | condition:
203 | all of them
204 | }
205 |
--------------------------------------------------------------------------------
/malware/Opcleaver.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 |
9 | rule OPCLEAVER_BackDoorLogger
10 | {
11 | meta:
12 | description = "Keylogger used by attackers in Operation Cleaver"
13 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
14 | date = "2014/12/02"
15 | author = "Cylance Inc."
16 | score = "70"
17 | strings:
18 | $s1 = "BackDoorLogger"
19 | $s2 = "zhuAddress"
20 | condition:
21 | all of them
22 | }
23 |
24 | rule OPCLEAVER_Jasus
25 | {
26 | meta:
27 | description = "ARP cache poisoner used by attackers in Operation Cleaver"
28 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
29 | date = "2014/12/02"
30 | author = "Cylance Inc."
31 | score = "70"
32 | strings:
33 | $s1 = "pcap_dump_open"
34 | $s2 = "Resolving IPs to poison..."
35 | $s3 = "WARNNING: Gateway IP can not be found"
36 | condition:
37 | all of them
38 | }
39 |
40 | rule OPCLEAVER_LoggerModule
41 | {
42 | meta:
43 | description = "Keylogger used by attackers in Operation Cleaver"
44 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
45 | date = "2014/12/02"
46 | author = "Cylance Inc."
47 | score = "70"
48 | strings:
49 | $s1 = "%s-%02d%02d%02d%02d%02d.r"
50 | $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
51 | condition:
52 | all of them
53 | }
54 |
55 | rule OPCLEAVER_NetC
56 | {
57 | meta:
58 | description = "Net Crawler used by attackers in Operation Cleaver"
59 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
60 | date = "2014/12/02"
61 | author = "Cylance Inc."
62 | score = "70"
63 | strings:
64 | $s1 = "NetC.exe" wide
65 | $s2 = "Net Service"
66 | condition:
67 | all of them
68 | }
69 |
70 | rule OPCLEAVER_ShellCreator2
71 | {
72 | meta:
73 | description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
74 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
75 | date = "2014/12/02"
76 | author = "Cylance Inc."
77 | score = "70"
78 | strings:
79 | $s1 = "ShellCreator2.Properties"
80 | $s2 = "set_IV"
81 | condition:
82 | all of them
83 | }
84 |
85 | rule OPCLEAVER_SmartCopy2
86 | {
87 | meta:
88 | description = "Malware or hack tool used by attackers in Operation Cleaver"
89 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
90 | date = "2014/12/02"
91 | author = "Cylance Inc."
92 | score = "70"
93 | strings:
94 | $s1 = "SmartCopy2.Properties"
95 | $s2 = "ZhuFrameWork"
96 | condition:
97 | all of them
98 | }
99 |
100 | rule OPCLEAVER_SynFlooder
101 | {
102 | meta:
103 | description = "Malware or hack tool used by attackers in Operation Cleaver"
104 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
105 | date = "2014/12/02"
106 | author = "Cylance Inc."
107 | score = "70"
108 | strings:
109 | $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
110 | $s2 = "your target’s IP is : %s"
111 | $s3 = "Raw TCP Socket Created successfully."
112 | condition:
113 | all of them
114 | }
115 |
116 | rule OPCLEAVER_TinyZBot
117 | {
118 | meta:
119 | description = "Tiny Bot used by attackers in Operation Cleaver"
120 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
121 | date = "2014/12/02"
122 | author = "Cylance Inc."
123 | score = "70"
124 | strings:
125 | $s1 = "NetScp" wide
126 | $s2 = "TinyZBot.Properties.Resources.resources"
127 | $s3 = "Aoao WaterMark"
128 | $s4 = "Run_a_exe"
129 | $s5 = "netscp.exe"
130 | $s6 = "get_MainModule_WebReference_DefaultWS"
131 | $s7 = "remove_CheckFileMD5Completed"
132 | $s8 = "http://tempuri.org/"
133 | $s9 = "Zhoupin_Cleaver"
134 | condition:
135 | (($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
136 | }
137 |
138 | rule OPCLEAVER_ZhoupinExploitCrew
139 | {
140 | meta:
141 | description = "Keywords used by attackers in Operation Cleaver"
142 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
143 | date = "2014/12/02"
144 | author = "Cylance Inc."
145 | score = "70"
146 | strings:
147 | $s1 = "zhoupin exploit crew" nocase
148 | $s2 = "zhopin exploit crew" nocase
149 | condition:
150 | 1 of them
151 | }
152 |
153 | rule OPCLEAVER_antivirusdetector
154 | {
155 | meta:
156 | description = "Hack tool used by attackers in Operation Cleaver"
157 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
158 | date = "2014/12/02"
159 | author = "Cylance Inc."
160 | score = "70"
161 | strings:
162 | $s1 = "getShadyProcess"
163 | $s2 = "getSystemAntiviruses"
164 | $s3 = "AntiVirusDetector"
165 | condition:
166 | all of them
167 | }
168 |
169 | rule OPCLEAVER_csext
170 | {
171 | meta:
172 | description = "Backdoor used by attackers in Operation Cleaver"
173 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
174 | date = "2014/12/02"
175 | author = "Cylance Inc."
176 | score = "70"
177 | strings:
178 | $s1 = "COM+ System Extentions"
179 | $s2 = "csext.exe"
180 | $s3 = "COM_Extentions_bin"
181 | condition:
182 | all of them
183 | }
184 |
185 | rule OPCLEAVER_kagent
186 | {
187 | meta:
188 | description = "Backdoor used by attackers in Operation Cleaver"
189 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
190 | date = "2014/12/02"
191 | author = "Cylance Inc."
192 | score = "70"
193 | strings:
194 | $s1 = "kill command is in last machine, going back"
195 | $s2 = "message data length in B64: %d Bytes"
196 | condition:
197 | all of them
198 | }
199 |
200 | rule OPCLEAVER_mimikatzWrapper
201 | {
202 | meta:
203 | description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
204 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
205 | date = "2014/12/02"
206 | author = "Cylance Inc."
207 | score = "70"
208 | strings:
209 | $s1 = "mimikatzWrapper"
210 | $s2 = "get_mimikatz"
211 | condition:
212 | all of them
213 | }
214 |
215 | rule OPCLEAVER_pvz_in
216 | {
217 | meta:
218 | description = "Parviz tool used by attackers in Operation Cleaver"
219 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
220 | date = "2014/12/02"
221 | author = "Cylance Inc."
222 | score = "70"
223 | strings:
224 | $s1 = "LAST_TIME=00/00/0000:00:00PM$"
225 | $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
226 | condition:
227 | all of them
228 | }
229 |
230 | rule OPCLEAVER_pvz_out
231 | {
232 | meta:
233 | description = "Parviz tool used by attackers in Operation Cleaver"
234 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
235 | date = "2014/12/02"
236 | author = "Cylance Inc."
237 | score = "70"
238 | strings:
239 | $s1 = "Network Connectivity Module" wide
240 | $s2 = "OSPPSVC" wide
241 | condition:
242 | all of them
243 | }
244 |
245 | rule OPCLEAVER_wndTest
246 | {
247 | meta:
248 | description = "Backdoor used by attackers in Operation Cleaver"
249 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
250 | date = "2014/12/02"
251 | author = "Cylance Inc."
252 | score = "70"
253 | strings:
254 | $s1 = "[Alt]" wide
255 | $s2 = "<< %s >>:" wide
256 | $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
257 | condition:
258 | all of them
259 | }
260 |
261 | rule OPCLEAVER_zhCat
262 | {
263 | meta:
264 | description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
265 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
266 | date = "2014/12/02"
267 | author = "Cylance Inc."
268 | score = "70"
269 | strings:
270 | $s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
271 | $s2 = "ABC ( A Big Company )" wide fullword
272 | condition:
273 | all of them
274 | }
275 |
276 | rule OPCLEAVER_zhLookUp
277 | {
278 | meta:
279 | description = "Hack tool used by attackers in Operation Cleaver"
280 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
281 | date = "2014/12/02"
282 | author = "Cylance Inc."
283 | score = "70"
284 | strings:
285 | $s1 = "zhLookUp.Properties"
286 | condition:
287 | all of them
288 | }
289 |
290 | rule OPCLEAVER_zhmimikatz
291 | {
292 | meta:
293 | description = "Mimikatz wrapper used by attackers in Operation Cleaver"
294 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
295 | date = "2014/12/02"
296 | author = "Cylance Inc."
297 | score = "70"
298 | strings:
299 | $s1 = "MimikatzRunner"
300 | $s2 = "zhmimikatz"
301 | condition:
302 | all of them
303 | }
304 |
305 | rule OPCLEAVER_Parviz_Developer
306 | {
307 | meta:
308 | description = "Parviz developer known from Operation Cleaver"
309 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
310 | date = "2014/12/02"
311 | author = "Florian Roth"
312 | score = "70"
313 | strings:
314 | $s1 = "Users\\parviz\\documents\\" nocase
315 | condition:
316 | $s1
317 | }
318 |
319 | rule OPCLEAVER_CCProxy_Config
320 | {
321 | meta:
322 | description = "CCProxy config known from Operation Cleaver"
323 | reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
324 | date = "2014/12/02"
325 | author = "Florian Roth"
326 | score = "70"
327 | strings:
328 | $s1 = "UserName=User-001" fullword ascii
329 | $s2 = "Web=1" fullword ascii
330 | $s3 = "Mail=1" fullword ascii
331 | $s4 = "FTP=0" fullword ascii
332 | $x1 = "IPAddressLow=78.109.194.114" fullword ascii
333 | condition:
334 | all of ($s*) or $x1
335 | }
336 |
--------------------------------------------------------------------------------
/malware/FiveEyes.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 |
8 |
9 | /* FIVE EYES ------------------------------------------------------------------------------- */
10 |
11 | rule FiveEyes_QUERTY_Malwareqwerty_20121 {
12 | meta:
13 | description = "FiveEyes QUERTY Malware - file 20121.xml"
14 | author = "Florian Roth"
15 | reference = "http://www.spiegel.de/media/media-35668.pdf"
16 | date = "2015/01/18"
17 | hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
18 | strings:
19 | $s0 = "20121_cmdDef.xml" fullword ascii
20 | $s1 = "20121.dll" fullword ascii
21 | $s2 = "\"Reserved for future use.\"" fullword ascii
22 | $s3 = "" fullword ascii
24 | $s5 = "" fullword ascii
25 | $s6 = "" fullword ascii
26 | $s7 = "" fullword ascii
27 | $s8 = "" fullword ascii
28 | $s9 = "" fullword ascii
29 | $s10 = "" fullword ascii
30 | condition:
31 | 9 of them
32 | }
33 |
34 | rule FiveEyes_QUERTY_Malwaresig_20123_sys {
35 | meta:
36 | description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
37 | author = "Florian Roth"
38 | reference = "http://www.spiegel.de/media/media-35668.pdf"
39 | date = "2015/01/18"
40 | hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
41 | strings:
42 | $s0 = "20123.dll" fullword ascii
43 | $s1 = "kbdclass.sys" fullword wide
44 | $s2 = "IoFreeMdl" fullword ascii
45 | $s3 = "ntoskrnl.exe" fullword ascii
46 | $s4 = "KfReleaseSpinLock" fullword ascii
47 | condition:
48 | all of them
49 | }
50 |
51 | rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
52 | meta:
53 | description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
54 | author = "Florian Roth"
55 | reference = "http://www.spiegel.de/media/media-35668.pdf"
56 | date = "2015/01/18"
57 | hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
58 | strings:
59 | $s0 = "Keystroke Collector" fullword ascii
60 | $s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys." fullword ascii
61 | $s2 = "" fullword ascii
62 | $s3 = "" fullword ascii
63 | $s4 = "20121" fullword ascii
64 | $s5 = "System or Administrator (if Administrator, I think the DriverIns" ascii
65 | $s6 = "Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
66 | $s7 = "plugin/Collection" fullword ascii
67 | $s8 = "None" fullword ascii
68 | $s9 = "0" fullword ascii
69 | $s10 = "E_QwertyKM" fullword ascii
70 | $s11 = "" fullword ascii
71 | $s12 = "" fullword ascii
72 | $s13 = "1" fullword ascii
73 | $s14 = "None" fullword ascii
74 | $s15 = "Erebus" fullword ascii
75 | $s16 = "" fullword ascii
76 | $s17 = "None" fullword ascii
77 | $s18 = "" fullword ascii
78 | $s19 = "U_HookManager v1.0, Kernel Covert Store v1.0" fullword ascii
79 | $s20 = "" fullword ascii
111 | $s6 = "" fullword ascii
112 | $s7 = "" fullword ascii
113 | $s8 = "" fullword ascii
114 | $s9 = "" fullword ascii
115 | $s10 = "" fullword ascii
116 | $s11 = "" fullword ascii
117 | condition:
118 | 9 of them
119 | }
120 |
121 | rule FiveEyes_QUERTY_Malwaresig_20120_dll {
122 | meta:
123 | description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
124 | author = "Florian Roth"
125 | reference = "http://www.spiegel.de/media/media-35668.pdf"
126 | date = "2015/01/18"
127 | hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
128 | strings:
129 | $s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
130 | $s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
131 | $s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
132 | $s3 = "- Log Used (number of windows) - %d" fullword wide
133 | $s4 = "- Log Limit (number of windows) - %d" fullword wide
134 | $s5 = "Process or User Default Language" fullword wide
135 | $s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
136 | $s7 = "- Logging of keystrokes is switched ON" fullword wide
137 | $s8 = "- Logging of keystrokes is switched OFF" fullword wide
138 | $s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
139 | $s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
140 | $s11 = "FAILED to get Qwerty Status" fullword wide
141 | $s12 = "- Successfully retrieved Log from Implant." fullword wide
142 | $s13 = "- Logging of all Windows is toggled ON" fullword wide
143 | $s14 = "- Logging of all Windows is toggled OFF" fullword wide
144 | $s15 = "Qwerty FAILED to retrieve window list." fullword wide
145 | $s16 = "- UNSUCCESSFUL Log Retrieval from Implant." fullword wide
146 | $s17 = "The implant failed to return a valid status" fullword ascii
147 | $s18 = "- Log files were NOT generated!" fullword wide
148 | $s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
149 | $s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
150 | condition:
151 | 10 of them
152 | }
153 |
154 | rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
155 | meta:
156 | description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
157 | author = "Florian Roth"
158 | reference = "http://www.spiegel.de/media/media-35668.pdf"
159 | date = "2015/01/18"
160 | hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
161 | strings:
162 | $s0 = "This PPC gets the current keystroke log." fullword ascii
163 | $s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
164 | $s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
165 | $s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
166 | $s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
167 | $s5 = "Turn logging of all keys on|off" fullword ascii
168 | $s6 = "Get Keystroke Log" fullword ascii
169 | $s7 = "Keystroke Logger Lp Plugin" fullword ascii
170 | $s8 = "display help for this function" fullword ascii
171 | $s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
172 | $s10 = "Set the log limit (in number of windows)" fullword ascii
173 | $s11 = "qwgetlog" fullword ascii
174 | $s12 = "qwgetlog" fullword ascii
175 | $s13 = "The title of the Window whose keys you wish to Log once it becomes a" ascii
176 | $s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
177 | $s15 = "The title of the Window whose keys you no longer whish to log" fullword ascii
179 | $s17 = "" fullword ascii
180 | $s18 = "" fullword ascii
181 | $s19 = "" fullword ascii
182 | $s20 = "" fullword ascii
183 | condition:
184 | 10 of them
185 | }
186 |
187 | rule FiveEyes_QUERTY_Malwareqwerty_20120 {
188 | meta:
189 | description = "FiveEyes QUERTY Malware - file 20120.xml"
190 | author = "Florian Roth"
191 | reference = "http://www.spiegel.de/media/media-35668.pdf"
192 | date = "2015/01/18"
193 | hash = "597082f05bfd3225587d480c30f54a7a1326a892"
194 | strings:
195 | $s0 = "20120_cmdDef.xml" fullword ascii
196 | $s1 = "20120.dll" fullword ascii
197 | $s2 = "\"Reserved for future use.\"" fullword ascii
198 | $s3 = "" fullword ascii
200 | $s5 = "" fullword ascii
201 | $s6 = "" fullword ascii
202 | $s7 = "" fullword ascii
203 | $s8 = "" fullword ascii
204 | $s9 = "" fullword ascii
205 | $s10 = "" fullword ascii
206 | condition:
207 | all of them
208 | }
209 |
210 | rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
211 | meta:
212 | description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
213 | author = "Florian Roth"
214 | reference = "http://www.spiegel.de/media/media-35668.pdf"
215 | date = "2015/01/18"
216 | hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
217 | strings:
218 | $s0 = "Keystroke Logger Plugin." fullword ascii
219 | $s1 = "Failed to get File Time" fullword ascii
220 | $s2 = "Keystroke Logger Plugin." fullword ascii
221 | $s3 = "Failed to set File Time" fullword ascii
222 | $s4 = "" fullword ascii
223 | $s5 = "" fullword ascii
224 | $s6 = "" fullword ascii
225 | $s7 = "20120" fullword ascii
226 | $s8 = "No Comms. with Driver" fullword ascii
227 | $s9 = "" fullword ascii
228 | $s10 = "Invalid File Size" fullword ascii
229 | $s11 = "Windows (User/Win32)" fullword ascii
230 | $s12 = "File Size Mismatch" fullword ascii
231 | $s13 = "plugin/Utility" fullword ascii
232 | $s14 = "None" fullword ascii
233 | $s15 = "None" fullword ascii
234 | $s16 = "E_QwertyIM" fullword ascii
235 | $s17 = "None" fullword ascii
236 | $s18 = "0" fullword ascii
237 | $s19 = "00001002" fullword ascii
238 | $s20 = "00001001" fullword ascii
239 | condition:
240 | 12 of them
241 | }
242 |
--------------------------------------------------------------------------------
/malware/APT_Regin.yar:
--------------------------------------------------------------------------------
1 | /*
2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 |
4 | */
5 |
6 | import "pe"
7 | rule Regin_APT_KernelDriver_Generic_A {
8 | meta:
9 | description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
10 | author = "@Malwrsignatures - included in APT Scanner THOR"
11 | date = "23.11.14"
12 | hash1 = "187044596bc1328efa0ed636d8aa4a5c"
13 | hash2 = "06665b96e293b23acc80451abb413e50"
14 | hash3 = "d240f06e98c8d3e647cbf4d442d79475"
15 | strings:
16 | $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
17 | $m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
18 |
19 | $s0 = "atapi.sys" fullword wide
20 | $s1 = "disk.sys" fullword wide
21 | $s3 = "h.data" fullword ascii
22 | $s4 = "\\system32" fullword ascii
23 | $s5 = "\\SystemRoot" fullword ascii
24 | $s6 = "system" fullword ascii
25 | $s7 = "temp" fullword ascii
26 | $s8 = "windows" fullword ascii
27 |
28 | $x1 = "LRich6" fullword ascii
29 | $x2 = "KeServiceDescriptorTable" fullword ascii
30 | condition:
31 | $m0 at 0 and $m1 and
32 | all of ($s*) and 1 of ($x*)
33 | }
34 |
35 | rule Regin_APT_KernelDriver_Generic_B {
36 | meta:
37 | description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
38 | author = "@Malwrsignatures - included in APT Scanner THOR"
39 | date = "23.11.14"
40 | hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
41 | hash2 = "bfbe8c3ee78750c3a520480700e440f8"
42 | hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
43 | hash4 = "06665b96e293b23acc80451abb413e50"
44 | hash5 = "2c8b9d2885543d7ade3cae98225e263b"
45 | hash6 = "4b6b86c7fec1c574706cecedf44abded"
46 | hash7 = "187044596bc1328efa0ed636d8aa4a5c"
47 | hash8 = "d240f06e98c8d3e647cbf4d442d79475"
48 | hash9 = "6662c390b2bbbd291ec7987388fc75d7"
49 | hash10 = "1c024e599ac055312a4ab75b3950040a"
50 | hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
51 | hash12 = "b505d65721bb2453d5039a389113b566"
52 | hash13 = "b269894f434657db2b15949641a67532"
53 | strings:
54 | $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
55 | $s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
56 | $s2 = "H.data" fullword ascii nocase
57 | $s3 = "INIT" fullword ascii
58 | $s4 = "ntoskrnl.exe" fullword ascii
59 |
60 | $v1 = "\\system32" fullword ascii
61 | $v2 = "\\SystemRoot" fullword ascii
62 | $v3 = "KeServiceDescriptorTable" fullword ascii
63 |
64 | $w1 = "\\system32" fullword ascii
65 | $w2 = "\\SystemRoot" fullword ascii
66 | $w3 = "LRich6" fullword ascii
67 |
68 | $x1 = "_snprintf" fullword ascii
69 | $x2 = "_except_handler3" fullword ascii
70 |
71 | $y1 = "mbstowcs" fullword ascii
72 | $y2 = "wcstombs" fullword ascii
73 | $y3 = "KeGetCurrentIrql" fullword ascii
74 |
75 | $z1 = "wcscpy" fullword ascii
76 | $z2 = "ZwCreateFile" fullword ascii
77 | $z3 = "ZwQueryInformationFile" fullword ascii
78 | $z4 = "wcslen" fullword ascii
79 | $z5 = "atoi" fullword ascii
80 | condition:
81 | $m0 at 0 and all of ($s*) and
82 | ( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) )
83 | and filesize < 20KB
84 | }
85 |
86 | rule Regin_APT_KernelDriver_Generic_C {
87 | meta:
88 | description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
89 | author = "@Malwrsignatures - included in APT Scanner THOR"
90 | date = "23.11.14"
91 | hash1 = "e0895336617e0b45b312383814ec6783556d7635"
92 | hash2 = "732298fa025ed48179a3a2555b45be96f7079712"
93 | strings:
94 | $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
95 |
96 | $s0 = "KeGetCurrentIrql" fullword ascii
97 | $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
98 | $s2 = "usbclass" fullword wide
99 |
100 | $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
101 | $x2 = "Universal Serial Bus Class Driver" fullword wide
102 | $x3 = "5.2.3790.0" fullword wide
103 |
104 | $y1 = "LSA Shell" fullword wide
105 | $y2 = "0Richw" fullword ascii
106 | condition:
107 | $m0 at 0 and all of ($s*) and
108 | ( all of ($x*) or all of ($y*) )
109 | and filesize < 20KB
110 | }
111 |
112 | /* Update 27.11.14 */
113 |
114 | rule Regin_sig_svcsstat {
115 | meta:
116 | description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
117 | author = "@MalwrSignatures"
118 | date = "26.11.14"
119 | hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"
120 | strings:
121 | $s0 = "Service Control Manager" fullword ascii
122 | $s1 = "_vsnwprintf" fullword ascii
123 | $s2 = "Root Agency" fullword ascii
124 | $s3 = "Root Agency0" fullword ascii
125 | $s4 = "StartServiceCtrlDispatcherA" fullword ascii
126 | $s5 = "\\\\?\\UNC" fullword wide
127 | $s6 = "%ls%ls" fullword wide
128 | condition:
129 | all of them and filesize < 15KB and filesize > 10KB
130 | }
131 |
132 | rule Regin_Sample_1 {
133 | meta:
134 | description = "Auto-generated rule - file-3665415_sys"
135 | author = "@MalwrSignatures"
136 | date = "26.11.14"
137 | hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"
138 | strings:
139 | $s0 = "Getting PortName/Identifier failed - %x" fullword ascii
140 | $s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
141 | $s2 = "External Naming Failed - Status %x" fullword ascii
142 | $s3 = "------- Same multiport - different interrupts" fullword ascii
143 | $s4 = "%x occurred prior to the wait - starting the" fullword ascii
144 | $s5 = "'user registry info - userPortIndex: %d" fullword ascii
145 | $s6 = "Could not report legacy device - %x" fullword ascii
146 | $s7 = "entering SerialGetPortInfo" fullword ascii
147 | $s8 = "'user registry info - userPort: %x" fullword ascii
148 | $s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
149 | $s10 = "Kernel debugger is using port at address %X" fullword ascii
150 | $s12 = "Release - freeing multi context" fullword ascii
151 | $s13 = "Serial driver will not load port" fullword ascii
152 | $s14 = "'user registry info - userAddressSpace: %d" fullword ascii
153 | $s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
154 | $s20 = "'user registry info - userIndexed: %d" fullword ascii
155 | condition:
156 | all of them and filesize < 110KB and filesize > 80KB
157 | }
158 |
159 | rule Regin_Sample_2 {
160 | meta:
161 | description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
162 | author = "@MalwrSignatures"
163 | date = "26.11.14"
164 | hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"
165 | strings:
166 | $s0 = "\\SYSTEMROOT\\system32\\lsass.exe" fullword wide
167 | $s1 = "atapi.sys" fullword wide
168 | $s2 = "disk.sys" fullword wide
169 | $s3 = "IoGetRelatedDeviceObject" fullword ascii
170 | $s4 = "HAL.dll" fullword ascii
171 | $s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" fullword ascii
172 | $s6 = "PsGetCurrentProcessId" fullword ascii
173 | $s7 = "KeGetCurrentIrql" fullword ascii
174 | $s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
175 | $s9 = "KeSetImportanceDpc" fullword ascii
176 | $s10 = "KeQueryPerformanceCounter" fullword ascii
177 | $s14 = "KeInitializeEvent" fullword ascii
178 | $s15 = "KeDelayExecutionThread" fullword ascii
179 | $s16 = "KeInitializeTimerEx" fullword ascii
180 | $s18 = "PsLookupProcessByProcessId" fullword ascii
181 | $s19 = "ExReleaseFastMutexUnsafe" fullword ascii
182 | $s20 = "ExAcquireFastMutexUnsafe" fullword ascii
183 | condition:
184 | all of them and filesize < 40KB and filesize > 30KB
185 | }
186 |
187 | rule Regin_Sample_3 {
188 | meta:
189 | description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
190 | author = "@Malwrsignatures"
191 | date = "27.11.14"
192 | hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
193 | strings:
194 | $hd = { fe ba dc fe }
195 |
196 | $s0 = "Service Pack x" fullword wide
197 | $s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
198 | $s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
199 | $s3 = "mntoskrnl.exe" fullword wide
200 | $s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" fullword wide
201 | $s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
202 | $s6 = "Service Pack" fullword wide
203 | $s7 = ".sys" fullword wide
204 | $s8 = ".dll" fullword wide
205 |
206 | $s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" fullword wide
207 | $s11 = "IoGetRelatedDeviceObject" fullword ascii
208 | $s12 = "VMEM.sys" fullword ascii
209 | $s13 = "RtlGetVersion" fullword wide
210 | $s14 = "ntkrnlpa.exe" fullword ascii
211 | condition:
212 | ( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
213 | }
214 |
215 | rule Regin_Sample_Set_1 {
216 | meta:
217 | description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
218 | author = "@MalwrSignatures"
219 | date = "26.11.14"
220 | hash1 = "8487a961c8244004c9276979bb4b0c14392fc3b8"
221 | hash2 = "bcf3461d67b39a427c83f9e39b9833cfec977c61"
222 | strings:
223 | $s0 = "HAL.dll" fullword ascii
224 | $s1 = "IoGetDeviceObjectPointer" fullword ascii
225 | $s2 = "MaximumPortsServiced" fullword wide
226 | $s3 = "KeGetCurrentIrql" fullword ascii
227 | $s4 = "ntkrnlpa.exe" fullword ascii
228 | $s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
229 | $s6 = "ConnectMultiplePorts" fullword wide
230 | $s7 = "\\SYSTEMROOT" fullword wide
231 | $s8 = "IoWriteErrorLogEntry" fullword ascii
232 | $s9 = "KeQueryPerformanceCounter" fullword ascii
233 | $s10 = "KeServiceDescriptorTable" fullword ascii
234 | $s11 = "KeRemoveEntryDeviceQueue" fullword ascii
235 | $s12 = "SeSinglePrivilegeCheck" fullword ascii
236 | $s13 = "KeInitializeEvent" fullword ascii
237 | $s14 = "IoBuildDeviceIoControlRequest" fullword ascii
238 | $s15 = "KeRemoveDeviceQueue" fullword ascii
239 | $s16 = "IofCompleteRequest" fullword ascii
240 | $s17 = "KeInitializeSpinLock" fullword ascii
241 | $s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
242 | $s19 = "IoCreateDevice" fullword ascii
243 | $s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
244 | condition:
245 | all of them and filesize < 40KB and filesize > 30KB
246 | }
247 |
248 | rule Regin_Sample_Set_2 {
249 | meta:
250 | description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
251 | author = "@MalwrSignatures"
252 | date = "27.11.14"
253 | hash1 = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
254 | hash2 = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
255 | strings:
256 | $hd = { fe ba dc fe }
257 |
258 | $s0 = "d%ls%ls" fullword wide
259 | $s1 = "\\\\?\\UNC" fullword wide
260 | $s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
261 | $s3 = "\\\\?\\UNC\\" fullword wide
262 | $s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
263 | $s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
264 | $s6 = "\\\\.\\Global\\%s" fullword wide
265 | $s7 = "temp" fullword wide
266 | $s8 = "\\\\.\\%s" fullword wide
267 | $s9 = "Memory location: 0x%p, size 0x%08x" fullword wide
268 |
269 | $s10 = "sscanf" fullword ascii
270 | $s11 = "disp.dll" fullword ascii
271 | $s12 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
272 | $s13 = "%d.%d.%d.%d%c" fullword ascii
273 | $s14 = "imagehlp.dll" fullword ascii
274 | $s15 = "%hd %d" fullword ascii
275 | condition:
276 | ( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
277 | }
278 |
279 | rule apt_regin_legspin {
280 | meta:
281 | copyright = "Kaspersky Lab"
282 | description = "Rule to detect Regin's Legspin module"
283 | version = "1.0"
284 | last_modified = "2015-01-22"
285 | reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
286 | md5 = "29105f46e4d33f66fee346cfd099d1cc"
287 | strings:
288 | $mz="MZ"
289 | $a1="sharepw"
290 | $a2="reglist"
291 | $a3="logdump"
292 | $a4="Name:" wide
293 | $a5="Phys Avail:"
294 | $a6="cmd.exe" wide
295 | $a7="ping.exe" wide
296 | $a8="millisecs"
297 | condition:
298 | ($mz at 0) and all of ($a*)
299 | }
300 |
301 | rule apt_regin_hopscotch {
302 | meta:
303 | copyright = "Kaspersky Lab"
304 | description = "Rule to detect Regin's Hopscotch module"
305 | version = "1.0"
306 | last_modified = "2015-01-22"
307 | reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
308 | md5 = "6c34031d7a5fc2b091b623981a8ae61c"
309 | strings:
310 |
311 | $mz="MZ"
312 |
313 | $a1="AuthenticateNetUseIpc"
314 | $a2="Failed to authenticate to"
315 | $a3="Failed to disconnect from"
316 | $a4="%S\\ipc$" wide
317 | $a5="Not deleting..."
318 | $a6="CopyServiceToRemoteMachine"
319 | $a7="DH Exchange failed"
320 | $a8="ConnectToNamedPipes"
321 | condition:
322 | ($mz at 0) and all of ($a*)
323 | }
324 |
325 |
326 | rule apt_regin_2011_32bit_stage1 {
327 | meta:
328 | copyright = "Kaspersky Lab"
329 | description = "Rule to detect Regin 32 bit stage 1 loaders"
330 | version = "1.0"
331 | last_modified = "2014-11-18"
332 | strings:
333 | $key1={331015EA261D38A7}
334 | $key2={9145A98BA37617DE}
335 | $key3={EF745F23AA67243D}
336 | $mz="MZ"
337 | condition:
338 | ($mz at 0) and any of ($key*) and filesize < 300000
339 | }
340 | rule apt_regin_rc5key {
341 | meta:
342 | copyright = "Kaspersky Lab"
343 | description = "Rule to detect Regin RC5 decryption keys"
344 | version = "1.0"
345 | last_modified = "2014-11-18"
346 | strings:
347 | $key1={73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01}
348 | $key2={10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78}
349 | condition:
350 | any of ($key*)
351 | }
352 |
353 | rule apt_regin_vfs {
354 | meta:
355 | copyright = "Kaspersky Lab"
356 | author = "Kaspersky Lab"
357 | description = "Rule to detect Regin VFSes"
358 | version = "1.0"
359 | last_modified = "2014-11-18"
360 | strings:
361 | $a1={00 02 00 08 00 08 03 F6 D7 F3 52}
362 | $a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
363 | $a3={00 04 00 10 00 10 03 C2 D3 1C 93}
364 | $a4={00 04 00 10 C8 00 04 C8 93 06 D8}
365 | condition:
366 | ($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
367 | }
368 |
369 | rule apt_regin_dispatcher_disp_dll {
370 |
371 | meta:
372 | copyright = "Kaspersky Lab"
373 | author = "Kaspersky Lab"
374 | description = "Rule to detect Regin disp.dll dispatcher"
375 | version = "1.0"
376 | last_modified = "2014-11-18"
377 |
378 | strings:
379 | $mz="MZ"
380 | $string1="shit"
381 | $string2="disp.dll"
382 | $string3="255.255.255.255"
383 | $string4="StackWalk64"
384 | $string5="imagehlp.dll"
385 | condition:
386 | ($mz at 0) and (all of ($string*))
387 | }
388 |
389 | rule apt_regin_2013_64bit_stage1 {
390 | meta:
391 | copyright = "Kaspersky Lab"
392 | description = "Rule to detect Regin 64 bit stage 1 loaders"
393 | version = "1.0"
394 | last_modified = "2014-11-18"
395 | filename="wshnetc.dll"
396 | md5="bddf5afbea2d0eed77f2ad4e9a4f044d"
397 | filename="wsharp.dll"
398 | md5="c053a0a3f1edcbbfc9b51bc640e808ce"
399 | strings:
400 | $mz="MZ"
401 | $a1="PRIVHEAD"
402 | $a2="\\\\.\\PhysicalDrive%d"
403 | $a3="ZwDeviceIoControlFile"
404 | condition:
405 | ($mz at 0) and (all of ($a*)) and filesize < 100000
406 | }
407 |
408 |
--------------------------------------------------------------------------------