├── .github ├── FUNDING.yml ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── new-rule-request.md └── workflows │ └── main.yml ├── .gitmodules ├── .travis.yml ├── LICENSE ├── README.md ├── antidebug_antivm └── antidebug_antivm.yar ├── antidebug_antivm_index.yar ├── capabilities └── capabilities.yar ├── capabilities_index.yar ├── crypto └── crypto_signatures.yar ├── crypto_index.yar ├── cve_rules ├── CVE-2010-0805.yar ├── CVE-2010-0887.yar ├── CVE-2010-1297.yar ├── CVE-2012-0158.yar ├── CVE-2013-0074.yar ├── CVE-2013-0422.yar ├── CVE-2015-1701.yar ├── CVE-2015-2426.yar ├── CVE-2015-2545.yar ├── CVE-2015-5119.yar ├── CVE-2016-5195.yar ├── CVE-2017-11882.yar ├── CVE-2018-20250.yar └── CVE-2018-4878.yar ├── cve_rules_index.yar ├── deprecated ├── Android │ ├── Android_ASSDdeveloper.yar │ ├── Android_AVITOMMS.yar │ ├── Android_AliPay_smsStealer.yar │ ├── Android_Amtrckr_20160519.yar │ ├── Android_Backdoor.yar │ ├── Android_Backdoor_script.yar │ ├── Android_BadMirror.yar │ ├── Android_Banker_Acecard.yar │ ├── Android_BatteryBot_ClickFraud.yar │ ├── Android_Clicker_G.yar │ ├── Android_Copy9.yar │ ├── Android_DeathRing.yar │ ├── Android_Dectus_rswm.yar │ ├── Android_Dendroid_RAT.yar │ ├── Android_Dogspectus.yar │ ├── Android_FakeApps.yar │ ├── Android_FakeBank_Fanta.yar │ ├── Android_Finspy.yar │ ├── Android_Godless.yar │ ├── Android_HackintTeam_Implant.yar │ ├── Android_Libyan_Scorpions.yar │ ├── Android_MalwareCertificates.yar │ ├── Android_Malware_Ramsonware.yar │ ├── Android_Malware_Tinhvan.yar │ ├── Android_Malware_Towelroot.yar │ ├── Android_Marcher_2.yar │ ├── Android_MazarBot_z.yar │ ├── Android_Metasploit.yar │ ├── Android_Metasploit_Payload.yar │ ├── Android_OmniRat.yar │ ├── Android_Overlayer.yar │ ├── Android_Pink_Locker.yar │ ├── Android_Polish_Bankbot.yar │ ├── Android_RuMMS.yar │ ├── Android_SMSFraud.yar │ ├── Android_SandroRat.yar │ ├── Android_SlemBunk.yar │ ├── Android_SpyAgent.yar │ ├── Android_SpyNote.yar │ ├── Android_Spynet.yar │ ├── Android_Spywaller.yar │ 
├── Android_Switcher.yar │ ├── Android_Tachi.yar │ ├── Android_Tempting_Cedar_Spyware.yar │ ├── Android_Tordow.yar │ ├── Android_Triada_Banking.yar │ ├── Android_Trojan_Dendroid.yar │ ├── Android_Trojan_Droidjack.yar │ ├── Android_VikingOrder.yar │ ├── Android_VirusPolicia.yar │ ├── Android_adware.yar │ ├── Android_fake_mario_app │ ├── Android_generic_adware.yar │ ├── Android_generic_smsfraud.yar │ ├── Android_malware_Advertising.yar │ ├── Android_malware_ChinesePorn.yar │ ├── Android_malware_Dropper.yar │ ├── Android_malware_Fake_MosKow.yar │ ├── Android_malware_HackingTeam.yar │ ├── Android_malware_SMSsender.yar │ ├── Android_malware_banker.yar │ ├── Android_malware_xbot007.yar │ ├── Android_mapin.yar │ ├── Android_pornClicker.yar │ └── Android_sk_bankTr.yar ├── Malware │ └── MALW_Retefe.yar └── bank_rule.yar ├── email ├── EMAIL_Cryptowall.yar ├── Email_PHP_Mailer.yar ├── Email_fake_it_maintenance_bulletin.yar ├── Email_generic_phishing.yar ├── Email_quota_limit_warning.yar ├── attachment.yar ├── email_Ukraine_BE_powerattack.yar ├── eml │ ├── davivienda.eml │ ├── transferencia1.eml │ └── transferencia2.eml ├── extortion_email.yar ├── image.yar ├── scam.yar └── urls.yar ├── email_index.yar ├── exploit_kits ├── EK_Angler.yar ├── EK_Blackhole.yar ├── EK_BleedingLife.yar ├── EK_Crimepack.yar ├── EK_Eleonore.yar ├── EK_Fragus.yar ├── EK_Phoenix.yar ├── EK_Sakura.yar ├── EK_ZeroAcces.yar ├── EK_Zerox88.yar └── EK_Zeus.yar ├── exploit_kits_index.yar ├── index.yar ├── index_gen.sh ├── index_w_mobile.yar ├── maldocs ├── Maldoc_APT10_MenuPass.yar ├── Maldoc_APT19_CVE-2017-0199.yar ├── Maldoc_APT_OLE_JSRat.yar ├── Maldoc_CVE-2017-0199.yar ├── Maldoc_CVE_2017_11882.yar ├── Maldoc_CVE_2017_8759.yar ├── Maldoc_Contains_VBE_File.yar ├── Maldoc_DDE.yar ├── Maldoc_Dridex.yar ├── Maldoc_Hidden_PE_file.yar ├── Maldoc_MIME_ActiveMime_b64.yar ├── Maldoc_PDF.yar ├── Maldoc_PowerPointMouse.yar ├── Maldoc_Suspicious_OLE_target.yar ├── Maldoc_UserForm.yar ├── Maldoc_VBA_macro_code.yar 
├── Maldoc_Word_2007_XML_Flat_OPC.yar ├── Maldoc_hancitor_dropper.yar ├── Maldoc_malrtf_ole2link.yar └── maldoc_somerules.yar ├── maldocs_index.yar ├── malware ├── 000_common_rules.yar ├── APT_APT1.yar ├── APT_APT10.yar ├── APT_APT15.yar ├── APT_APT17.yar ├── APT_APT29_Grizzly_Steppe.yar ├── APT_APT3102.yar ├── APT_APT9002.yar ├── APT_Backspace.yar ├── APT_Bestia.yar ├── APT_Blackenergy.yar ├── APT_Bluetermite_Emdivi.yar ├── APT_C16.yar ├── APT_Carbanak.yar ├── APT_Careto.yar ├── APT_Casper.yar ├── APT_CheshireCat.yar ├── APT_Cloudduke.yar ├── APT_Cobalt.yar ├── APT_Codoso.yar ├── APT_CrashOverride.yar ├── APT_DPRK_ROKRAT.yar ├── APT_DeepPanda_Anthem.yar ├── APT_DeputyDog.yar ├── APT_Derusbi.yar ├── APT_Dubnium.yar ├── APT_Duqu2.yar ├── APT_EQUATIONGRP.yar ├── APT_Emissary.yar ├── APT_EnergeticBear_backdoored_ssh.yar ├── APT_Equation.yar ├── APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar ├── APT_FiveEyes.yar ├── APT_Grasshopper.yar ├── APT_Greenbug.yar ├── APT_Grizzlybear_uscert.yar ├── APT_HackingTeam.yar ├── APT_Hellsing.yar ├── APT_HiddenCobra.yar ├── APT_Hikit.yar ├── APT_Industroyer.yar ├── APT_Irontiger.yar ├── APT_Kaba.yar ├── APT_Ke3Chang_TidePool.yar ├── APT_KeyBoy.yar ├── APT_LotusBlossom.yar ├── APT_Minidionis.yar ├── APT_Mirage.yar ├── APT_Molerats.yar ├── APT_Mongall.yar ├── APT_MoonlightMaze.yar ├── APT_NGO.yar ├── APT_OPCleaver.yar ├── APT_Oilrig.yar ├── APT_OpClandestineWolf.yar ├── APT_OpDustStorm.yar ├── APT_OpPotao.yar ├── APT_PCclient.yar ├── APT_Passcv.yar ├── APT_Pipcreat.yar ├── APT_Platinum.yar ├── APT_Poseidon_Group.yar ├── APT_Prikormka.yar ├── APT_PutterPanda.yar ├── APT_RedLeaves.yar ├── APT_Regin.yar ├── APT_RemSec.yar ├── APT_Sauron.yar ├── APT_Sauron_extras.yar ├── APT_Scarab_Scieron.yar ├── APT_Seaduke.yar ├── APT_Shamoon_StoneDrill.yar ├── APT_Snowglobe_Babar.yar ├── APT_Sofacy_Bundestag.yar ├── APT_Sofacy_Fysbis.yar ├── APT_Sofacy_Jun16.yar ├── APT_Sphinx_Moth.yar ├── APT_Stuxnet.yar ├── APT_Terracota.yar ├── 
APT_ThreatGroup3390.yar ├── APT_TradeSecret.yar ├── APT_Turla_Neuron.yar ├── APT_Turla_RUAG.yar ├── APT_UP007_SLServer.yar ├── APT_Unit78020.yar ├── APT_Uppercut.yar ├── APT_Waterbug.yar ├── APT_WildNeutron.yar ├── APT_Windigo_Onimiki.yar ├── APT_Winnti.yar ├── APT_WoolenGoldfish.yar ├── APT_eqgrp_apr17.yar ├── APT_fancybear_dnc.yar ├── APT_fancybear_downdelph.yar ├── APT_furtim.yar ├── EXPERIMENTAL_Beef.yar ├── GEN_PowerShell.yar ├── MALW_ATMPot.yar ├── MALW_ATM_HelloWorld.yar ├── MALW_AZORULT.yar ├── MALW_AgentTesla.yar ├── MALW_AgentTesla_SMTP.yar ├── MALW_AlMashreq.yar ├── MALW_Alina.yar ├── MALW_Andromeda.yar ├── MALW_Arkei.yar ├── MALW_Athena.yar ├── MALW_Atmos.yar ├── MALW_BackdoorSSH.yar ├── MALW_Backoff.yar ├── MALW_Bangat.yar ├── MALW_Batel.yar ├── MALW_BlackRev.yar ├── MALW_BlackWorm.yar ├── MALW_Boouset.yar ├── MALW_Bublik.yar ├── MALW_Buzus_Softpulse.yar ├── MALW_CAP_HookExKeylogger.yar ├── MALW_Chicken.yar ├── MALW_Citadel.yar ├── MALW_Cloaking.yar ├── MALW_Cookies.yar ├── MALW_Corkow.yar ├── MALW_Cxpid.yar ├── MALW_Cythosia.yar ├── MALW_DDoSTf.yar ├── MALW_Derkziel.yar ├── MALW_Dexter.yar ├── MALW_DiamondFox.yar ├── MALW_DirtJumper.yar ├── MALW_Eicar.yar ├── MALW_Elex.yar ├── MALW_Elknot.yar ├── MALW_Emotet.yar ├── MALW_Empire.yar ├── MALW_Enfal.yar ├── MALW_Exploit_UAC_Elevators.yar ├── MALW_Ezcob.yar ├── MALW_F0xy.yar ├── MALW_FALLCHILL.yar ├── MALW_FUDCrypt.yar ├── MALW_FakeM.yar ├── MALW_Fareit.yar ├── MALW_Favorite.yar ├── MALW_Furtim.yar ├── MALW_Gafgyt.yar ├── MALW_Genome.yar ├── MALW_Glasses.yar ├── MALW_Gozi.yar ├── MALW_Grozlex.yar ├── MALW_Hajime.yar ├── MALW_Hsdfihdf_banking.yar ├── MALW_Httpsd_ELF.yar ├── MALW_IMuler.yar ├── MALW_IcedID.yar ├── MALW_Iexpl0ree.yar ├── MALW_Install11.yar ├── MALW_Intel_Virtualization.yar ├── MALW_IotReaper.yar ├── MALW_Jolob_Backdoor.yar ├── MALW_KINS.yar ├── MALW_Kelihos.yar ├── MALW_KeyBase.yar ├── MALW_Korlia.yar ├── MALW_Korplug.yar ├── MALW_Kovter.yar ├── MALW_Kraken.yar ├── MALW_Kwampirs.yar ├── 
MALW_LURK0.yar ├── MALW_Lateral_Movement.yar ├── MALW_Lenovo_Superfish.yar ├── MALW_LinuxBew.yar ├── MALW_LinuxHelios.yar ├── MALW_LinuxMoose.yar ├── MALW_LostDoor.yar ├── MALW_LuaBot.yar ├── MALW_LuckyCat.yar ├── MALW_MSILStealer.yar ├── MALW_MacControl.yar ├── MALW_MacGyver.yar ├── MALW_Madness.yar ├── MALW_Magento_backend.yar ├── MALW_Magento_frontend.yar ├── MALW_Magento_suspicious.yar ├── MALW_Mailers.yar ├── MALW_MedusaHTTP_2019.yar ├── MALW_Miancha.yar ├── MALW_MiniAsp3_mem.yar ├── MALW_Mirai.yar ├── MALW_Mirai_Okiru_ELF.yar ├── MALW_Mirai_Satori_ELF.yar ├── MALW_Miscelanea.yar ├── MALW_Miscelanea_Linux.yar ├── MALW_Monero_Miner_installer.yar ├── MALW_NSFree.yar ├── MALW_Naikon.yar ├── MALW_Naspyupdate.yar ├── MALW_NetTraveler.yar ├── MALW_NionSpy.yar ├── MALW_Notepad.yar ├── MALW_OSX_Leverage.yar ├── MALW_Odinaff.yar ├── MALW_Olyx.yar ├── MALW_PE_sections.yar ├── MALW_PittyTiger.yar ├── MALW_PolishBankRat.yar ├── MALW_Ponmocup.yar ├── MALW_Pony.yar ├── MALW_Predator.yar ├── MALW_PubSab.yar ├── MALW_PurpleWave.yar ├── MALW_PyPI.yar ├── MALW_Pyinstaller.yar ├── MALW_Pyinstaller_OSX.yar ├── MALW_Quarian.yar ├── MALW_Rebirth_Vulcan_ELF.yar ├── MALW_Regsubdat.yar ├── MALW_Rockloader.yar ├── MALW_Rooter.yar ├── MALW_Rovnix.yar ├── MALW_Safenet.yar ├── MALW_Sakurel.yar ├── MALW_Sayad.yar ├── MALW_Scarhikn.yar ├── MALW_Sendsafe.yar ├── MALW_Shamoon.yar ├── MALW_Shifu.yar ├── MALW_Skeleton.yar ├── MALW_Spora.yar ├── MALW_Sqlite.yar ├── MALW_Stealer.yar ├── MALW_Surtr.yar ├── MALW_T5000.yar ├── MALW_TRITON_HATMAN.yar ├── MALW_TRITON_ICS_FRAMEWORK.yar ├── MALW_Tedroo.yar ├── MALW_Tinba.yar ├── MALW_TinyShell_Backdoor_gen.yar ├── MALW_Torte_ELF.yar ├── MALW_TreasureHunt.yar ├── MALW_TrickBot.yar ├── MALW_Trumpbot.yar ├── MALW_Upatre.yar ├── MALW_Urausy.yar ├── MALW_Vidgrab.yar ├── MALW_Virut_FileInfector_UNK_VERSION.yar ├── MALW_Volgmer.yar ├── MALW_Wabot.yar ├── MALW_Warp.yar ├── MALW_Wimmie.yar ├── MALW_XHide.yar ├── MALW_XMRIG_Miner.yar ├── MALW_XOR_DDos.yar ├── 
MALW_Yayih.yar ├── MALW_Yordanyan_ActiveAgent.yar ├── MALW_Zegost.yar ├── MALW_Zeus.yar ├── MALW_adwind_RAT.yar ├── MALW_hancitor.yar ├── MALW_kirbi_mimikatz.yar ├── MALW_kpot.yar ├── MALW_marap.yar ├── MALW_shifu_shiz.yar ├── MALW_sitrof_fortis_scar.yar ├── MALW_viotto_keylogger.yar ├── MALW_xDedic_marketplace.yar ├── MalConfScan.yar ├── Operation_Blockbuster │ ├── DeltaCharlie.yara │ ├── HotelAlfa.yara │ ├── IndiaAlfa.yara │ ├── IndiaBravo.yara │ ├── IndiaCharlie.yara │ ├── IndiaDelta.yara │ ├── IndiaEcho.yara │ ├── IndiaGolf.yara │ ├── IndiaHotel.yara │ ├── IndiaJuliett.yara │ ├── IndiaWhiskey.yara │ ├── KiloAlfa.yara │ ├── LimaAlfa.yara │ ├── LimaBravo.yara │ ├── LimaCharlie.yara │ ├── LimaDelta.yara │ ├── PapaAlfa.yara │ ├── RomeoAlfa.yara │ ├── RomeoBravo.yara │ ├── RomeoCharlie.yara │ ├── RomeoDelta.yara │ ├── RomeoEcho.yara │ ├── RomeoFoxtrot_mod.yara │ ├── RomeoGolf_mod.yara │ ├── RomeoHotel.yara │ ├── RomeoWhiskey.yara │ ├── SierraAlfa.yara │ ├── SierraBravo.yara │ ├── SierraCharlie.yara │ ├── SierraJuliettMikeOne.yara │ ├── SierraJuliettMikeTwo.yara │ ├── TangoAlfa.yara │ ├── TangoBravo.yara │ ├── UniformAlfa.yara │ ├── UniformJuliett.yara │ ├── WhiskeyAlfa.yara │ ├── WhiskeyBravo_mod.yara │ ├── WhiskeyCharlie.yara │ ├── WhiskeyDelta.yara │ ├── cert_wiper.yara │ ├── general.yara │ ├── mastersig │ ├── sharedcode.yara │ └── suicidescripts.yara ├── POS.yar ├── POS_Bernhard.yar ├── POS_BruteforcingBot.yar ├── POS_Easterjack.yar ├── POS_FastPOS.yar ├── POS_LogPOS.yar ├── POS_MalumPOS.yar ├── POS_Mozart.yar ├── RANSOM_.CRYPTXXX.yar ├── RANSOM_777.yar ├── RANSOM_Alpha.yar ├── RANSOM_BadRabbit.yar ├── RANSOM_Cerber.yar ├── RANSOM_Comodosec.yar ├── RANSOM_Crypren.yar ├── RANSOM_CryptoNar.yar ├── RANSOM_Cryptolocker.yar ├── RANSOM_DMALocker.yar ├── RANSOM_DoublePulsar_Petya.yar ├── RANSOM_Erebus.yar ├── RANSOM_GPGQwerty.yar ├── RANSOM_GoldenEye.yar ├── RANSOM_Locky.yar ├── RANSOM_MS17-010_Wannacrypt.yar ├── RANSOM_Maze.yar ├── RANSOM_PetrWrap.yar ├── 
RANSOM_Petya.yar ├── RANSOM_Petya_MS17_010.yar ├── RANSOM_Pico.yar ├── RANSOM_Revix.yar ├── RANSOM_SamSam.yar ├── RANSOM_Satana.yar ├── RANSOM_Shiva.yar ├── RANSOM_Sigma.yar ├── RANSOM_Snake.yar ├── RANSOM_Stampado.yar ├── RANSOM_TeslaCrypt.yar ├── RANSOM_Tox.yar ├── RANSOM_acroware.yar ├── RANSOM_jeff_dev.yar ├── RANSOM_locdoor.yar ├── RANSOM_screenlocker_5h311_1nj3c706.yar ├── RANSOM_shrug2.yar ├── RANSOM_termite.yar ├── RAT_Adwind.yar ├── RAT_Adzok.yar ├── RAT_Asyncrat.yar ├── RAT_BlackShades.yar ├── RAT_Bolonyokte.yar ├── RAT_Bozok.yar ├── RAT_Cerberus.yar ├── RAT_Crimson.yar ├── RAT_CrossRAT.yar ├── RAT_CyberGate.yar ├── RAT_DarkComet.yar ├── RAT_FlyingKitten.yar ├── RAT_Gh0st.yar ├── RAT_Gholee.yar ├── RAT_Glass.yar ├── RAT_Havex.yar ├── RAT_Hizor.yar ├── RAT_Indetectables.yar ├── RAT_Inocnation.yar ├── RAT_Meterpreter_Reverse_Tcp.yar ├── RAT_Nanocore.yar ├── RAT_NetwiredRC.yar ├── RAT_Njrat.yar ├── RAT_Orcus.yar ├── RAT_PlugX.yar ├── RAT_PoetRATDoc.yar ├── RAT_PoetRATPython.yar ├── RAT_PoisonIvy.yar ├── RAT_Ratdecoders.yar ├── RAT_Sakula.yar ├── RAT_ShadowTech.yar ├── RAT_Shim.yar ├── RAT_Terminator.yar ├── RAT_Xtreme.yar ├── RAT_ZoxPNG.yar ├── RAT_jRAT.yar ├── RAT_xRAT.yar ├── RAT_xRAT20.yar ├── TOOLKIT_Chinese_Hacktools.yar ├── TOOLKIT_Dubrute.yar ├── TOOLKIT_FinFisher_.yar ├── TOOLKIT_Gen_powerkatz.yar ├── TOOLKIT_Mandibule.yar ├── TOOLKIT_PassTheHash.yar ├── TOOLKIT_Powerstager.yar ├── TOOLKIT_Pwdump.yar ├── TOOLKIT_Redteam_Tools_by_GUID.yar ├── TOOLKIT_Redteam_Tools_by_Name.yar ├── TOOLKIT_Solarwinds_credential_stealer.yar ├── TOOLKIT_THOR_HackTools.yar ├── TOOLKIT_Wineggdrop.yar └── TOOLKIT_exe2hex_payload.yar ├── malware_index.yar ├── mobile_malware └── .gitKeep ├── mobile_malware_index.yar ├── packers ├── JJencode.yar ├── Javascript_exploit_and_obfuscation.yar ├── packer.yar ├── packer_compiler_signatures.yar ├── peid.yar └── tweetable-polyglot-png.yar ├── packers_index.yar ├── utils ├── README ├── base64.yar ├── domain.yar ├── ip.yar ├── magic.yar 
├── suspicious_strings.yar ├── url.yar └── virustotal.yar ├── webshells ├── WShell_APT_Laudanum.yar ├── WShell_ASPXSpy.yar ├── WShell_ChinaChopper.yar ├── WShell_Drupalgeddon2_icos.yar ├── WShell_PHP_Anuna.yar ├── WShell_PHP_in_images.yar ├── WShell_THOR_Webshells.yar ├── Wshell_ChineseSpam.yar └── Wshell_fire2013.yar └── webshells_index.yar /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | liberapay: yararules 2 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: "[BUG]" 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: [e.g. iOS] 28 | - Yara version [e.g. 3.11.0] 29 | 30 | - Version [e.g. 22] 31 | **Additional context** 32 | Add any other context about the problem here. 33 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/new-rule-request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: New rule request 3 | about: Suggest a new rule for this project 4 | title: "[New Rule]" 5 | labels: new rule 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to an article or investigation? 
Please describe.**
A clear and concise description of what the article or investigation is.

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.
--------------------------------------------------------------------------------
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
# Regenerates the *_index.yar files via ./index_gen.sh on every push/PR to
# master and commits the result ("Index updated") back onto the PR branch.
#
# NOTE(review): on the pull_request event this job checks out the PR head
# (github.head_ref), executes ./index_gen.sh from that checkout, and then
# pushes using repository secrets (GH_USER, GH_EMAIL, GITHUB_TOKEN, GH_TOKEN).
# Presumably only same-repository branches get that far — for a fork the
# head_ref does not exist in this repository and GitHub withholds secrets from
# fork-triggered pull_request runs — but anyone who can open a same-repo PR
# gets code execution with those secrets. Two cheap hardenings: a top-level
# `permissions:` block limiting GITHUB_TOKEN to `contents: write`, and pinning
# the third-party actions below to a full commit SHA rather than a mutable
# tag (`@v2`, `@v2.4`, `@v0.5.0`).
# NOTE(review): github.head_ref is only set for pull_request events, so on a
# push to master the checkout falls back to the default ref and both push
# steps receive an empty branch name — confirm that is the intended behavior.
name: CI

on:
  # Trigger the workflow on push or pull request,
  # but only for the master branch
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
      # Checks out the PR head branch rather than the merge commit GitHub
      # builds by default; this is what lets the later steps push back to it.
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.head_ref }}

      # index_gen.sh is whatever the checked-out branch (i.e. the PR) contains.
      - name: Run gen index
        run: "./index_gen.sh"
        shell: bash

      # Commits any regenerated index files onto the same PR branch.
      - name: Add & Commit
        uses: github-actions-x/commit@v2.4
        with:
          commit-message: 'Index updated'
          name: '${{ secrets.GH_USER }}'
          email: '${{ secrets.GH_EMAIL }}'
          push-branch: ${{ github.head_ref }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # GH_TOKEN is a separate secret from the job's GITHUB_TOKEN — presumably
      # a personal access token, whose scope is likely broader than this push
      # needs; verify its scope and whether this step is needed at all given
      # the previous step already pushes.
      - name: Push
        uses: ad-m/github-push-action@v0.5.0
        with:
          github_token: ${{ secrets.GH_TOKEN }}
          branch: ${{ github.head_ref }}
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
[submodule "utils/yara-forensics"]
	path = utils/yara-forensics
	url = https://github.com/Xumeiquer/yara-forensics.git
--------------------------------------------------------------------------------
/.travis.yml:
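--------------------------------------------------------------------------------
# Travis CI: builds the latest YARA release from source, then compiles every
# *_index.yar against a dummy file so a broken rule or include fails the build.
language: c
sudo: required

before_install:
  - sudo apt-get -qq update
  - sudo apt-get install -y automake libtool make gcc pkg-config flex bison libjansson-dev libmagic-dev libssl-dev jq
  # Yara
  # NOTE(review): the tarball is whatever the GitHub API reports as the latest
  # release at build time; nothing pins a version or verifies a checksum before
  # the result is built and installed with sudo, so builds are not reproducible
  # and a rule that breaks under a new YARA release shows up here unannounced.
  - wget $(curl -s https://api.github.com/repos/VirusTotal/yara/releases/latest | jq -r ".tarball_url") -O yara-latest.tar.gz
  - mkdir yara
  - tar -xzvf yara-latest.tar.gz -C yara --strip-components 1
  # Compile Yara
  - cd yara
  # Update per issue 176 (raises libyara's RE_MAX_SPLIT_ID compile-time limit)
  - sed -i 's/#define RE_MAX_SPLIT_ID 128/#define RE_MAX_SPLIT_ID 255/g' libyara/include/yara/limits.h
  - ./bootstrap.sh
  - ./configure --enable-cuckoo --enable-magic --with-crypto
  - make
  - sudo make install
  - sudo ldconfig
  - cd ../

script:
  - echo "test" > testfile
  - FALLO=0
  # Glob directly instead of parsing `ls`, quote the filename, and fold the
  # `$?` test into `||`. If no *_index.yar exists the literal pattern reaches
  # yara and fails, so an empty rule set is reported instead of passing silently.
  - for i in *_index.yar; do echo "$i"; yara -w "$i" testfile || FALLO=1; done
  - exit $FALLO
--------------------------------------------------------------------------------
/antidebug_antivm_index.yar:
--------------------------------------------------------------------------------
/*
Generated by Yara-Rules
On 12-04-2022
*/
include "./antidebug_antivm/antidebug_antivm.yar"
--------------------------------------------------------------------------------
/capabilities_index.yar:
--------------------------------------------------------------------------------
/*
Generated by Yara-Rules
On 12-04-2022
*/
include "./capabilities/capabilities.yar"
--------------------------------------------------------------------------------
/crypto_index.yar:
--------------------------------------------------------------------------------
/*
Generated by Yara-Rules
On 12-04-2022
*/
include "./crypto/crypto_signatures.yar"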
--------------------------------------------------------------------------------
/cve_rules/CVE-2010-0805.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

// Flags content referencing the ActiveX CLSID associated with CVE-2010-0805
// (the rule name points at Internet Explorer's Tabular Data Control).
rule MSIETabularActivex
{
    meta:
        ref = "CVE-2010-0805"
        impact = 7
        hide = true
        author = "@d3t0n4t0r"
    strings:
        // The CLSID is the only discriminating string in this rule.
        $cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
        $cve20100805_2 = "DataURL" nocase fullword
        // Case-sensitive, non-fullword "true" occurs in almost any script or
        // HTML, so in practice the condition below reduces to the CLSID alone.
        $cve20100805_3 = "true"
    condition:
        // The `all of them` arm is implied by the first arm; its only effect
        // is to keep $cve20100805_2 referenced (YARA rejects unreferenced
        // strings). Requiring "DataURL" alongside the CLSID would make the
        // rule more specific without changing what it is meant to catch.
        ($cve20100805_1 and $cve20100805_3) or (all of them)
}
--------------------------------------------------------------------------------
/cve_rules/CVE-2010-0887.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
3 | 4 | */ 5 | 6 | rule JavaDeploymentToolkit 7 | { 8 | meta: 9 | ref = "CVE-2010-0887" 10 | impact = 7 11 | author = "@d3t0n4t0r" 12 | strings: 13 | $cve20100887_1 = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" nocase fullword 14 | $cve20100887_2 = "document.createElement(\"OBJECT\")" nocase fullword 15 | $cve20100887_3 = "application/npruntime-scriptable-plugin;deploymenttoolkit" nocase fullword 16 | $cve20100887_4 = "application/java-deployment-toolkit" nocase fullword 17 | $cve20100887_5 = "document.body.appendChild(" nocase fullword 18 | $cve20100887_6 = "launch(" 19 | $cve20100887_7 = "-J-jar -J" nocase fullword 20 | condition: 21 | 3 of them 22 | } 23 | -------------------------------------------------------------------------------- /cve_rules/CVE-2010-1297.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | rule FlashNewfunction: decodedPDF 7 | { 8 | meta: 9 | ref = "CVE-2010-1297" 10 | hide = true 11 | impact = 5 12 | ref = "http://blog.xanda.org/tag/jsunpack/" 13 | strings: 14 | $unescape = "unescape" fullword nocase 15 | $shellcode = /%u[A-Fa-f0-9]{4}/ 16 | $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/ 17 | $cve20101297 = /\/Subtype ?\/Flash/ 18 | condition: 19 | ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297) 20 | } 21 | -------------------------------------------------------------------------------- /cve_rules/CVE-2013-0074.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | rule cve_2013_0074 7 | { 8 | meta: 9 | author = "Kaspersky Lab" 10 | filetype = "Win32 EXE" 11 | date = "2015-07-23" 12 | version = "1.0" 13 | 14 | strings: 15 | $b2="Can't find Payload() address" ascii wide 16 | $b3="/SilverApp1;component/App.xaml" ascii wide 17 | $b4="Can't allocate ums after buf[]" ascii wide 18 | $b5="------------ START ------------" 19 | 20 | condition: 21 | ( (2 of ($b*)) ) 22 | } 23 | -------------------------------------------------------------------------------- /cve_rules/CVE-2013-0422.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | */ 4 | 5 | rule CVE_2013_0422 6 | { 7 | meta: 8 | description = "Java Applet JMX Remote Code Execution" 9 | cve = "CVE-2013-0422" 10 | ref = "http://pastebin.com/JVedyrCe" 11 | author = "adnan.shukor@gmail.com" 12 | date = "12-Jan-2013" 13 | version = "1" 14 | impact = 4 15 | hide = false 16 | strings: 17 | $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword 18 | $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword 19 | $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword 20 | $0422_4 = "findClass" fullword 21 | $0422_5 = "publicLookup" fullword 22 | $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword 23 | condition: 24 | (all of ($0422_*)) or (all of them) 25 | } 26 | -------------------------------------------------------------------------------- /cve_rules/CVE-2015-1701.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | rule CVE_2015_1701_Taihou { 7 | meta: 8 | description = "CVE-2015-1701 compiled exploit code" 9 | author = "Florian Roth" 10 | reference = "http://goo.gl/W4nU0q" 11 | date = "2015-05-13" 12 | hash1 = "90d17ebd75ce7ff4f15b2df951572653efe2ea17" 13 | hash2 = "acf181d6c2c43356e92d4ee7592700fa01e30ffb" 14 | hash3 = "b8aabe12502f7d55ae332905acee80a10e3bc399" 15 | hash4 = "d9989a46d590ebc792f14aa6fec30560dfe931b1" 16 | hash5 = "63d1d33e7418daf200dc4660fc9a59492ddd50d9" 17 | score = 70 18 | strings: 19 | $s3 = "VirtualProtect" fullword 20 | $s4 = "RegisterClass" 21 | $s5 = "LoadIcon" 22 | $s6 = "PsLookupProcessByProcessId" fullword ascii 23 | $s7 = "LoadLibraryExA" fullword ascii 24 | $s8 = "gSharedInfo" fullword 25 | 26 | $w1 = "user32.dll" wide 27 | $w2 = "ntdll" wide 28 | condition: 29 | uint16(0) == 0x5a4d and filesize < 160KB and all of ($s*) and 1 of ($w*) 30 | } 31 | -------------------------------------------------------------------------------- /cve_rules/CVE-2015-5119.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | rule Flash_CVE_2015_5119_APT3 : Exploit { 7 | meta: 8 | description = "Exploit Sample CVE-2015-5119" 9 | author = "Florian Roth" 10 | score = 70 11 | date = "2015-08-01" 12 | strings: 13 | $s0 = "HT_exploit" fullword ascii 14 | $s1 = "HT_Exploit" fullword ascii 15 | $s2 = "flash_exploit_" ascii 16 | $s3 = "exp1_fla/MainTimeline" ascii fullword 17 | $s4 = "exp2_fla/MainTimeline" ascii fullword 18 | $s5 = "_shellcode_32" fullword ascii 19 | $s6 = "todo: unknown 32-bit target" fullword ascii 20 | condition: 21 | uint16(0) == 0x5746 and 1 of them 22 | } 23 | -------------------------------------------------------------------------------- /cve_rules/CVE-2018-20250.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | */ 4 | 5 | rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP 6 | { 7 | meta: 8 | description = "Generic rule for hostile ACE archive using CVE-2018-20250" 9 | author = "xylitol@temari.fr" 10 | date = "2019-03-17" 11 | reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/" 12 | // May only the challenge guide you 13 | strings: 14 | $string1 = "**ACE**" ascii wide 15 | $string2 = "*UNREGISTERED VERSION*" ascii wide 16 | // $hexstring1 = C:\C:\ 17 | $hexstring1 = {?? 3A 5C ?? 3A 5C} 18 | // $hexstring2 = C:\C:C:.. 19 | $hexstring2 = {?? 3A 5C ?? 3A ?? 
3A 2E} 20 | condition: 21 | $string1 at 7 and $string2 at 31 and 1 of ($hexstring*) 22 | } 23 | -------------------------------------------------------------------------------- /cve_rules_index.yar: -------------------------------------------------------------------------------- 1 | /* 2 | Generated by Yara-Rules 3 | On 12-04-2022 4 | */ 5 | include "./cve_rules/CVE-2010-0805.yar" 6 | include "./cve_rules/CVE-2010-0887.yar" 7 | include "./cve_rules/CVE-2010-1297.yar" 8 | include "./cve_rules/CVE-2012-0158.yar" 9 | include "./cve_rules/CVE-2013-0074.yar" 10 | include "./cve_rules/CVE-2013-0422.yar" 11 | include "./cve_rules/CVE-2015-1701.yar" 12 | include "./cve_rules/CVE-2015-2426.yar" 13 | include "./cve_rules/CVE-2015-2545.yar" 14 | include "./cve_rules/CVE-2015-5119.yar" 15 | include "./cve_rules/CVE-2016-5195.yar" 16 | include "./cve_rules/CVE-2017-11882.yar" 17 | include "./cve_rules/CVE-2018-20250.yar" 18 | include "./cve_rules/CVE-2018-4878.yar" 19 | -------------------------------------------------------------------------------- /deprecated/Android/Android_ASSDdeveloper.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | */ 4 | 5 | /* 6 | Androguard module used in this rule file is under development by people at https://koodous.com/. 
7 | 8 | You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara 9 | */ 10 | 11 | import "androguard" 12 | 13 | rule assd_developer : official android 14 | { 15 | meta: 16 | author = "Fernando Denis Ramirez https://twitter.com/fdrg21" 17 | reference = "https://koodous.com/" 18 | description = "This rule detects apks fom ASSD developer" 19 | sample = "cb9721c524f155478e9402d213e240b9f99eaba86fcbce0571cd7da4e258a79e" 20 | 21 | condition: 22 | androguard.certificate.sha1("ED9A1CE1F18A1097DCCC5C0CB005E3861DA9C34A") 23 | 24 | } 25 | -------------------------------------------------------------------------------- /deprecated/Android/Android_AVITOMMS.yar: -------------------------------------------------------------------------------- 1 | import "androguard" 2 | 3 | rule Android_AVITOMMS_Variant 4 | { 5 | meta: 6 | author = "Jacob Soo Lead Re" 7 | date = "28-May-2016" 8 | description = "This rule try to detects Spy.Banker AVITO-MMS Variant" 9 | source = "https://blog.avast.com/android-banker-trojan-preys-on-credit-card-information" 10 | 11 | condition: 12 | (androguard.receiver(/AlarmReceiverKnock/) and 13 | androguard.receiver(/BootReciv/) and 14 | androguard.receiver(/AlarmReceiverAdm/)) 15 | 16 | } 17 | 18 | rule Android_AVITOMMS_Rule2 19 | { 20 | meta: 21 | author = "Jacob Soo Lead Re" 22 | date = "01-July-2016" 23 | description = "This rule try to detects Spy.Banker AVITO-MMS Variant" 24 | source = "https://blog.avast.com/android-banker-trojan-preys-on-credit-card-information" 25 | 26 | condition: 27 | androguard.service(/IMService/) and 28 | androguard.receiver(/BootReciv/) and 29 | androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/i) and 30 | androguard.permission(/android.permission.KILL_BACKGROUND_PROCESSES/i) and 31 | androguard.permission(/android.permission.SEND_SMS/i) and 32 | androguard.permission(/android.permission.INTERNET/i) 33 | } 34 | 
--------------------------------------------------------------------------------
/deprecated/Android/Android_Backdoor.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and
open to any user or organization, as long as you use it under this license.
*/

/*
Androguard module used in this rule file is under development by people at https://koodous.com/.
You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
*/

import "androguard"

// Matches an APK whose androguard-extracted URL list contains any one of the
// hosts below. It is a pure URL match: no permission, package-name or
// certificate check is combined with it.
rule backdoor: dropper
{
    meta:
        author = "Antonio Sanchez "
        description = "This rule detects fake samples with a backdoor/dropper"
        sample = "0c3bc51952c71e5bb05c35346005da3baa098faf3911b9b45c3487844de9f539"
        source = "https://koodous.com/rulesets/1765"

    condition:
        // NOTE(review): the upstream ruleset lists sys.aedxdrcb.com twice. A
        // single clause matches identically, but the repeat may have stood in
        // for a different fifth host — verify against the source ruleset.
        androguard.url("http://sys.wksnkys7.com") or
        androguard.url("http://sys.hdyfhpoi.com") or
        androguard.url("http://sys.syllyq1n.com") or
        androguard.url("http://sys.aedxdrcb.com")
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_Backdoor_script.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

/*
Androguard module used in this rule file is under development by people at https://koodous.com/.
7 | 8 | You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara 9 | */ 10 | import "androguard" 11 | 12 | 13 | rule koodous : official 14 | { 15 | meta: 16 | description = "Detects samples repackaged by backdoor-apk shell script" 17 | Reference = "https://github.com/dana-at-cp/backdoor-apk" 18 | 19 | strings: 20 | $str_1 = "cnlybnq.qrk" // encrypted string "payload.dex" 21 | 22 | condition: 23 | $str_1 and 24 | androguard.receiver(/\.AppBoot$/) 25 | } 26 | -------------------------------------------------------------------------------- /deprecated/Android/Android_BadMirror.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "androguard" 7 | 8 | rule Android_BadMirror 9 | { 10 | meta: 11 | author = "Jacob Soo Lead Re" 12 | date = "06-June-2016" 13 | description = "BadMirror is Android malware. The malware sends information to its remote CnC (phone number, MAC adddress, list of installed applications...) but it also has the capability to execute a few commands such as \"app\" (download an APK) or \"page\" (display a given URL)." 14 | source = "https://blog.fortinet.com/post/badmirror-new-android-malware-family-spotted-by-sherlockdroid" 15 | 16 | condition: 17 | androguard.service(/SimInsService/i) and 18 | androguard.permission(/android.permission.READ_PHONE_STATE/i) 19 | } 20 | -------------------------------------------------------------------------------- /deprecated/Android/Android_Banker_Acecard.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | */ 4 | 5 | /* 6 | Androguard module used in this rule file is under development by people at https://koodous.com/. 7 | 8 | You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara 9 | */ 10 | import "androguard" 11 | 12 | rule Banker_Acecard 13 | { 14 | meta: 15 | author = "https://twitter.com/SadFud75" 16 | more_information = "https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Acecard/" 17 | samples_sha1 = "ad9fff7fd019cf2a2684db650ea542fdeaaeaebb 53cca0a642d2f120dea289d4c7bd0d644a121252" 18 | strings: 19 | $str_1 = "Cardholder name" 20 | $str_2 = "instagram.php" 21 | condition: 22 | ((androguard.package_name("starter.fl") and androguard.service("starter.CosmetiqFlServicesCallHeadlessSmsSendService")) or androguard.package_name("cosmetiq.fl") or all of ($str_*)) and androguard.permissions_number > 19 23 | } 24 | -------------------------------------------------------------------------------- /deprecated/Android/Android_BatteryBot_ClickFraud.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | */ 4 | 5 | /* 6 | Androguard module used in this rule file is under development by people at https://koodous.com/. 
7 | 8 | You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara 9 | */ 10 | 11 | import "androguard" 12 | 13 | rule batterybotpro : ClickFraud AdFraud SMS Downloader_Trojan android 14 | { 15 | meta: 16 | description = "http://research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html" 17 | sample = "cc4e024db858d7fa9b03d7422e760996de6a4674161efbba22d05f8b826e69d5" 18 | author = "https://twitter.com/fdrg21" 19 | 20 | condition: 21 | 22 | androguard.activity(/com\.polaris\.BatteryIndicatorPro\.BatteryInfoActivity/i) and 23 | androguard.permission(/android\.permission\.SEND_SMS/) 24 | 25 | } 26 | -------------------------------------------------------------------------------- /deprecated/Android/Android_Clicker_G.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "androguard" 7 | 8 | rule Android_Clicker_G 9 | { 10 | meta: 11 | author = "Jacob Soo Lead Re" 12 | date = "01-July-2016" 13 | description = "This rule try to detects Clicker.G samples" 14 | reference = "https://blogs.mcafee.com/mcafee-labs/android-malware-clicker-dgen-found-google-play/" 15 | strings: 16 | $a = "upd.php?text=" 17 | condition: 18 | androguard.receiver(/MyBroadCastReceiver/i) and $a 19 | } 20 | -------------------------------------------------------------------------------- /deprecated/Android/Android_Copy9.yar: -------------------------------------------------------------------------------- 1 | import "androguard" 2 | 3 | rule Android_Copy9 4 | { 5 | meta: 6 | author = "Jacob Soo Lead Re" 7 | date = "06-June-2016" 8 | description = "This rule try to detect commercial spyware from Copy9" 9 | source = "http://copy9.com/" 10 | 11 | condition: 12 | androguard.service(/com.ispyoo/i) and 13 | androguard.receiver(/com.ispyoo/i) 14 | } 15 | -------------------------------------------------------------------------------- /deprecated/Android/Android_DeathRing.yar: -------------------------------------------------------------------------------- 1 | import "androguard" 2 | 3 | rule Android_DeathRing 4 | { 5 | meta: 6 | author = "Jacob Soo Lead Re" 7 | date = "06-June-2016" 8 | description = "DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countries. Detection volumes are moderate, though we consider this a concerning threat given its pre-loaded nature and the fact that we are actively seeing detections of it around the world." 
9 | source = "https://blog.lookout.com/blog/2014/12/04/deathring/" 10 | 11 | condition: 12 | androguard.service(/MainOsService/i) and 13 | androguard.receiver(/ApkUninstallReceiver/i) 14 | } 15 | -------------------------------------------------------------------------------- /deprecated/Android/Android_Dogspectus.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | import "androguard" 7 | 8 | rule Android_Dogspectus 9 | { 10 | meta: 11 | author = "Jacob Soo Lead Re" 12 | date = "20-July-2016" 13 | description = "This rule try to detects Dogspectus" 14 | source = "https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware" 15 | 16 | condition: 17 | androguard.activity(/PanickedActivity/i) and 18 | androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/i) and 19 | androguard.permission(/android.permission.INTERNET/i) and 20 | androguard.permission(/android.permission.WAKE_LOCK/i) 21 | } 22 | -------------------------------------------------------------------------------- /deprecated/Android/Android_FakeBank_Fanta.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
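*/

import "androguard"

// FakeBank "Fanta" variant, fingerprinted by manifest component names. The
// androguard matches are unanchored, case-insensitive regexes, so any app with
// a service containing "SocketService" plus receivers containing "MyAdmin" and
// "NetworkChangeReceiver" fires; treat as a triage signal, not proof.
rule Android_FakeBank_Fanta
{
    meta:
        author = "Jacob Soo Lead Re"
        date = "14-July-2016"
        description = "This rule try to detects Android FakeBank_Fanta"
        source = "https://blog.trendmicro.com/trendlabs-security-intelligence/fake-bank-app-phishes-credentials-locks-users-out/"

    condition:
        androguard.service(/SocketService/i) and
        androguard.receiver(/MyAdmin/i) and
        // The original also required receiver(/Receiver/i); any receiver that
        // satisfies the NetworkChangeReceiver clause below already satisfies
        // it, so the redundant clause was dropped (match set unchanged).
        androguard.receiver(/NetworkChangeReceiver/i)
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_Finspy.yar:
--------------------------------------------------------------------------------
// Published under the GNU-GPLv2 license. It’s open to any user or organization,
// as long as you use it under this license.

// Structural heuristic for FinSpy Android packages: counts ZIP central-directory
// entry signatures (PK\x01\x02) that are followed, 32 bytes later, by six bytes
// drawn from the base64 alphabet, and fires when more than 50 such entries are
// present. See reference1 for the rationale behind the pattern. Pure YARA; no
// androguard module required.
rule finspy : cdshide android
{

    meta:
        description = "Detect Gamma/FinFisher FinSpy for Android #GovWare"
        date = "2020/01/07"
        author = "Thorsten Schröder - ths @ ccc.de (https://twitter.com/__ths__)"
        reference1 = "https://github.com/devio/FinSpy-Tools"
        reference2 = "https://github.com/Linuzifer/FinSpy-Dokumentation"
        reference3 = "https://www.ccc.de/de/updates/2019/finspy"
        sample = "c2ce202e6e08c41e8f7a0b15e7d0781704e17f8ed52d1b2ad7212ac29926436e"

    strings:
        $re = /\x50\x4B\x01\x02[\x00-\xff]{32}[A-Za-z0-9+\/]{6}/

    condition:
        // "#re > 50" already implies that $re matched, so the original's
        // leading "$re and" was redundant and has been removed.
        #re > 50
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_MalwareCertificates.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.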
3 | */ 4 | 5 | /* 6 | Androguard module used in this rule file is under development by people at https://koodous.com/. 7 | 8 | You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara 9 | */ 10 | 11 | import "androguard" 12 | 13 | rule fraudulents_2 : certificates android 14 | { 15 | meta: 16 | description = "This rule automatically adds certificates present in malware" 17 | author = "https://twitter.com/fdrg21" 18 | 19 | condition: 20 | androguard.certificate.sha1("A5D9C9A40A3786D631210E8FCB9CF7A1BC5B3062") or 21 | androguard.certificate.sha1("B4142B617997345809736842147F97F46059FDE3") or 22 | androguard.certificate.sha1("950A545EA156A0E44B3BAB5F432DCD35005A9B70") or 23 | androguard.certificate.sha1("DE18FA0C68E6C9E167262F1F4ED984A5F00FD78C") or 24 | androguard.certificate.sha1("81E8E202C539F7AEDF6138804BE870338F81B356") or 25 | androguard.certificate.sha1("5A051047F2434DDB2CAA65898D9B19ED9665F759") 26 | 27 | } 28 | -------------------------------------------------------------------------------- /deprecated/Android/Android_Malware_Tinhvan.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | 4 | */ 5 | 6 | /* 7 | Androguard module used in this rule file is under development by people at https://koodous.com/. 
8 | 9 | You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara 10 | */ 11 | 12 | import "androguard" 13 | 14 | rule tinhvan : android 15 | { 16 | meta: 17 | author = "https://twitter.com/plutec_net" 18 | reference = "https://koodous.com/" 19 | sample = "0f7e995ff7075af2d0f8d60322975d610e888884922a89fda9a61c228374c5c5" 20 | 21 | condition: 22 | androguard.certificate.sha1("0DFBBDB7735517748C3DEF3B6DEC2A800182D1D5") 23 | 24 | } 25 | -------------------------------------------------------------------------------- /deprecated/Android/Android_Metasploit_Payload.yar: -------------------------------------------------------------------------------- 1 | import "androguard" 2 | 3 | rule Metasploit_Payload 4 | { 5 | meta: 6 | author = "https://www.twitter.com/SadFud75" 7 | information = "Detection of payloads generated with metasploit" 8 | strings: 9 | $s1 = "-com.metasploit.meterpreter.AndroidMeterpreter" 10 | $s2 = ",Lcom/metasploit/stage/MainBroadcastReceiver;" 11 | $s3 = "#Lcom/metasploit/stage/MainActivity;" 12 | $s4 = "Lcom/metasploit/stage/Payload;" 13 | $s5 = "Lcom/metasploit/stage/a;" 14 | $s6 = "Lcom/metasploit/stage/c;" 15 | $s7 = "Lcom/metasploit/stage/b;" 16 | condition: 17 | androguard.package_name("com.metasploit.stage") or any of them 18 | } 19 | -------------------------------------------------------------------------------- /deprecated/Android/Android_OmniRat.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "androguard" 7 | 8 | rule Android_OmniRat 9 | { 10 | meta: 11 | author = "Jacob Soo Lead Re" 12 | date = "01-July-2016" 13 | description = "This rule try to detects OmniRat" 14 | source = "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co" 15 | 16 | strings: 17 | $a = "android.engine.apk" 18 | condition: 19 | (androguard.activity(/com.app.MainActivity/i) and 20 | androguard.permission(/android.permission.WRITE_EXTERNAL_STORAGE/i) and 21 | androguard.package_name(/com.app/i)) and $a 22 | } 23 | -------------------------------------------------------------------------------- /deprecated/Android/Android_Overlayer.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
3 | 4 | */ 5 | 6 | import "androguard" 7 | 8 | rule android_overlayer 9 | { 10 | meta: 11 | description = "This rule detects the banker trojan with overlaying functionality" 12 | source = "https://www.zscaler.com/blogs/research/android-banker-malware-goes-social" 13 | author = "https://twitter.com/5h1vang" 14 | 15 | strings: 16 | $str_1 = "tel:" 17 | $str_2 = "lockNow" nocase 18 | $str_3 = "android.app.action.ADD_DEVICE_ADMIN" 19 | $str_4 = "Cmd_conf" nocase 20 | $str_5 = "Sms_conf" nocase 21 | $str_6 = "filter2" 22 | 23 | condition: 24 | androguard.certificate.sha1("6994ED892E7F0019BCA74B5847C6D5113391D127") or 25 | 26 | (androguard.permission(/android.permission.INTERNET/) and 27 | androguard.permission(/android.permission.READ_SMS/) and 28 | androguard.permission(/android.permission.READ_PHONE_STATE/) and 29 | all of ($str_*)) 30 | } 31 | -------------------------------------------------------------------------------- /deprecated/Android/Android_SandroRat.yar: -------------------------------------------------------------------------------- 1 | import "androguard" 2 | 3 | 4 | rule SandroRat 5 | { 6 | meta: 7 | author = "Jacob Soo Lead Re" 8 | date = "21-May-2016" 9 | description = "This rule detects SandroRat" 10 | source = "https://blogs.mcafee.com/mcafee-labs/sandrorat-android-rat-targeting-polish-banking-users-via-e-mail-phishing/" 11 | 12 | condition: 13 | androguard.activity(/net.droidjack.server/i) 14 | } 15 | -------------------------------------------------------------------------------- /deprecated/Android/Android_SlemBunk.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/


// SlemBunk banking trojan: requires every bot-command keyword and the card
// brand string to be present. Pure string rule, no androguard module needed.
rule SlemBunk : android
{
    meta:
        description = "Rule to detect trojans imitating banks of North America, Eurpope and Asia"
        author = "@plutec_net"
        sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"
        source = "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"

    strings:
        // Bot command verbs seen in the C2 protocol.
        $a = "#intercept_sms_start"
        $b = "#intercept_sms_stop"
        $c = "#block_numbers"
        $d = "#wipe_data"
        // Card-brand string from the fake payment overlay.
        $e = "Visa Electron"

    condition:
        all of them

}
--------------------------------------------------------------------------------
/deprecated/Android/Android_Spynet.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

// SpyNet v2 Android RAT: fires on any four of the protocol/command strings.
// Pure string rule, no androguard module needed.
rule SpyNet : malware
{
    meta:
        description = "Ruleset to detect SpyNetV2 samples. "
        // NOTE(review): this hash is identical to the `sample` on SlemBunk in
        // Android_SlemBunk.yar (e6ef34...741b). One of the two is almost
        // certainly a copy-paste error; confirm against the upstream Koodous
        // ruleset before using it as a reference sample.
        sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"

    strings:
        $a = "odNotice.txt"
        $b = "camera This device has camera!"
        $c = "camera This device has Nooo camera!"
        // "send|..." strings are C2 message prefixes.
        $d = "send|1sBdBBbbBBF|K|"
        $e = "send|372|ScreamSMS|senssd"
        $f = "send|5ms5gs5annc"
        $g = "send|45CLCLCa01"
        $h = "send|999SAnd|TimeStart"
        $i = "!s!c!r!e!a!m!"
    condition:
        4 of them
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_Spywaller.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
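*/

/*
Androguard module used in this rule file is under development by people at https://koodous.com/.

You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
*/
import "androguard"


// Spywaller: either the known signing certificate, or the permission set plus
// all four code strings. Matching certificate fingerprints is the high-
// confidence path; the string/permission path is a weaker heuristic.
rule android_spywaller : android
{
    meta:
        description = "Rule for detection of Android Spywaller samples"
        sample = "7b31656b9722f288339cb2416557241cfdf69298a749e49f07f912aeb1e5931b"
        source = "http://blog.fortinet.com/post/android-spywaller-firewall-style-antivirus-blocking"

    strings:
        $str_1 = "droid.png"
        $str_2 = "getSrvAddr"
        $str_3 = "getSrvPort"
        $str_4 = "android.intent.action.START_GOOGLE_SERVICE"

    condition:
        // YARA binds "and" tighter than "or", so the original already meant
        // cert OR (perms AND strings); the parentheses only make that explicit,
        // matching the style used by android_overlayer.
        androguard.certificate.sha1("165F84B05BD33DA1BA0A8E027CEF6026B7005978") or
        (
            androguard.permission(/android.permission.INTERNET/) and
            androguard.permission(/android.permission.READ_PHONE_STATE/) and
            all of ($str_*)
        )
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_Tachi.yar:
--------------------------------------------------------------------------------
// Tachi app family (author notes not all of it is malware). Requires the
// "svcdownload" marker plus four of the XML resource strings.
rule tachi : android
{
    meta:
        author = "https://twitter.com/plutec_net"
        source = "https://analyst.koodous.com/rulesets/1332"
        description = "This rule detects tachi apps (not all malware)"
        sample = "10acdf7db989c3acf36be814df4a95f00d370fe5b5fda142f9fd94acf46149ec"

    strings:
        $a = "svcdownload"
        // NOTE(review): in this listing every $xml_N literal is empty. YARA
        // refuses to compile an empty string, so the real patterns (most likely
        // XML markup stripped when the file was rendered) must be restored from
        // the upstream file before this rule can be loaded.
        $xml_1 = ""
        $xml_2 = ""
        $xml_3 = ""
        $xml_4 = ""
        $xml_5 = ""
        $xml_6 = ""
        $xml_7 = ""
        $xml_8 = ""
        $xml_9 = ""
        $xml_10 = ""
        $xml_11 = ""
        $xml_12 = ""
        $xml_13 = ""
        $xml_14 = ""
        $xml_15 = ""
        $xml_16 = ""


    condition:
        $a and 4 of ($xml_*)
}
--------------------------------------------------------------------------------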
/deprecated/Android/Android_Tempting_Cedar_Spyware.yar:
--------------------------------------------------------------------------------
// Tempting Cedar spyware: an APK (ZIP local-file header near offset 0, manifest
// and classes.dex names present) that also ships the "rsdroid.crt" file.
// Pure string/hex rule, no androguard module needed.
rule android_tempting_cedar_spyware
{
    meta:
        Author = "@X0RC1SM"
        Date = "2018-03-06"
        Reference = "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware"
    strings:
        $PK_HEADER = {50 4B 03 04}
        $MANIFEST = "META-INF/MANIFEST.MF"
        $DEX_FILE = "classes.dex"
        // Only one $string* is defined; "any of ($string*)" is equivalent to $string.
        $string = "rsdroid.crt"

    condition:
        $PK_HEADER in (0..4) and $MANIFEST and $DEX_FILE and any of ($string*)
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_Trojan_Dendroid.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

/*
NOTE(review): the upstream header said this file used the Koodous androguard
module, but nothing below imports or references it; this is a plain string rule.
*/

// Dendroid RAT: fires when three of its five C2 PHP endpoint paths are present.
// The paths (e.g. "/get.php?", "/message.php?") are generic enough that this
// can hit unrelated apps; pair with other indicators before acting on a match.
rule Trojan_Dendroid
{
    meta:
        author = "https://www.twitter.com/SadFud75"
        description = "Detection of dendroid trojan"
    strings:
        $s1 = "/upload-pictures.php?"
        $s2 = "/get-functions.php?"
        $s3 = "/new-upload.php?"
        $s4 = "/message.php?"
        $s5 = "/get.php?"
    condition:
        3 of them
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_Trojan_Droidjack.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
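*/

/*
Androguard module used in this rule file is under development by people at https://koodous.com/.

You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
*/

import "androguard"

// DroidJack RAT: matches on the server package name, or on any activity whose
// name contains it (unanchored, case-insensitive). The SandroRat rule in
// Android_SandroRat.yar keys on the same activity regex, so the two overlap.
rule Trojan_Droidjack
{
    meta:
        author = "https://twitter.com/SadFud75"
    condition:
        androguard.package_name("net.droidjack.server") or androguard.activity(/net.droidjack.server/i)
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_VikingOrder.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// The upstream file imported "androguard" and "cuckoo", but the rule below
// references neither module. Both imports were dropped so the rule loads on a
// stock YARA build (the cuckoo module in particular is usually not compiled in);
// the match logic is unchanged.


// Viking Order / Viking Horde botnet: either the pair of code markers ($a,$c)
// or the pair of hard-coded C2 URLs ($b,$d).
rule VikingBotnet
{
    meta:
        author = "https://twitter.com/koodous_project"
        description = "Rule to detect Viking Order Botnet."
        sample = "85e6d5b3569e5b22a16245215a2f31df1ea3a1eb4d53b4c286a6ad2a46517b0c"

    strings:
        $a = "cv7obBkPVC2pvJmWSfHzXh"
        $b = "http://joyappstech.biz:11111/knock/"
        $c = "I HATE TESTERS onGlobalLayout"
        $d = "http://144.76.70.213:7777/ecspectapatronum/"

    condition:
        ($a and $c) or ($b and $d)
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_adware.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.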
3 | */ 4 | 5 | rule adware : ads android 6 | { 7 | meta: 8 | author = "Fernando Denis Ramirez https://twitter.com/fdrg21" 9 | reference = "https://koodous.com/" 10 | description = "Adware" 11 | sample = "5a331231f997decca388ba2d73b7dec1554e966a0795b0cb8447a336bdafd71b" 12 | 13 | strings: 14 | $string_a = "banner_layout" 15 | $string_b = "activity_adpath_sms" 16 | $string_c = "adpath_title_one" 17 | $string_d = "7291-2ec9362bd699d0cd6f53a5ca6cd" 18 | 19 | condition: 20 | all of ($string_*) 21 | 22 | } 23 | -------------------------------------------------------------------------------- /deprecated/Android/Android_generic_adware.yar: -------------------------------------------------------------------------------- 1 | rule dowgin:adware android 2 | { 3 | meta: 4 | author = "https://twitter.com/plutec_net" 5 | reference = "https://koodous.com/" 6 | sample = "4d7f2d6ff4ed8ced6f8f7f96e9899273cc3090ea108f2cc3b32dd1a06e63cf70" 7 | sample2 = "cde8160d09c486bdd6d96b2ed81bd52390d77094d13ff9cfbc6949ed00206a83" 8 | sample3 = "d2e81e6db5f4964246d10241588e0e97cde524815c4de7c0ea1c34a48da1bcaf" 9 | sample4 = "cc2d0b3d8f00690298b0e5813f6ace8f4d4b04c9704292407c2b83a12c69617b" 10 | 11 | strings: 12 | $a = "http://112.74.111.42:8000" 13 | $b = "SHA1-Digest: oIx4iYWeTtKib4fBH7hcONeHuaE=" 14 | $c = "ONLINEGAMEPROCEDURE_WHICH_WAP_ID" 15 | $d = "http://da.mmarket.com/mmsdk/mmsdk?func=mmsdk:posteventlog" 16 | 17 | condition: 18 | all of them 19 | 20 | } 21 | -------------------------------------------------------------------------------- /deprecated/Android/Android_malware_Advertising.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 3 | */ 4 | 5 | /* 6 | Androguard module used in this rule file is under development by people at https://koodous.com/. 
7 | 8 | You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara 9 | */ 10 | 11 | import "androguard" 12 | 13 | rule leadbolt : advertising android 14 | { 15 | meta: 16 | author = "https://twitter.com/plutec_net" 17 | reference = "https://koodous.com/" 18 | description = "Leadbolt" 19 | 20 | condition: 21 | androguard.url(/http:\/\/ad.leadbolt.net/) 22 | } 23 | -------------------------------------------------------------------------------- /deprecated/Android/Android_malware_Dropper.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as 3 | long as you use it under this license. 4 | */ 5 | 6 | rule dropper:realshell android { 7 | meta: 8 | author = "https://twitter.com/plutec_net" 9 | reference = "https://koodous.com/" 10 | source = "https://blog.malwarebytes.org/mobile-2/2015/06/complex-method-of-obfuscation-found-in-dropper-realshell/" 11 | strings: 12 | $b = "Decrypt.malloc.memset.free.pluginSMS_encrypt.Java_com_skymobi_pay_common_util_LocalDataDecrpty_Encrypt.strcpy" 13 | 14 | condition: 15 | $b 16 | } 17 | -------------------------------------------------------------------------------- /deprecated/Android/Android_malware_Fake_MosKow.yar: -------------------------------------------------------------------------------- 1 | /* 2 | This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
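*/


//41dce59ace9cce668e893c9d2c35d6859dc1c86d631a0567bfde7d34dd5cae0b
//61f7909512c5caf6dd125659428cf764631d5a52c59c6b50112af4a02047774c
//2c89d0d37257c90311436115c1cf06295c39cd0a8c117730e07be029bd8121a0
// "Moskow Droid" fake-bank family: requires all five template placeholders /
// markers used when the bot reports device details. Pure string rule.
// Fixes vs. upstream: tag "androoid" -> "android" (the typo kept this rule out
// of any `-t android` selection) and meta key "thread_level" -> "threat_level".
rule moscow_fake : banker android
{
    meta:
        author = "Fernando Denis"
        reference = "https://koodous.com/ https://twitter.com/fdrg21"
        description = "Moskow Droid Development"
        threat_level = 3
        in_the_wild = true

    strings:
        $string_a = "%ioperator%"
        $string_b = "%imodel%"
        $string_c = "%ideviceid%"
        $string_d = "%ipackname%"
        $string_e = "VILLLLLL"

    condition:
        all of ($string_*)
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_malware_xbot007.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/


// xbot007: fires on the bare family string anywhere in the file. That string
// also appears in analysis tooling and reports, so expect hits on non-samples.
rule xbot007 : android
{
    meta:
        reference = "https://github.com/maldroid/maldrolyzer/blob/master/plugins/xbot007.py"

    strings:
        $a = "xbot007"

    condition:
        any of them
}
--------------------------------------------------------------------------------
/deprecated/Android/Android_pornClicker.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

import "androguard"



// Porn-clicker trojan: either the marker strings plus the hard-coded API URL,
// or (via androguard) the C2 host anywhere in the APK's extracted URLs.
rule trojan: pornClicker
{
    meta:
        description = "Ruleset to detect android pornclicker trojan, connects to a remote host and obtains javascript and a list from urls generated, leading to porn in the end."
        sample = "5a863fe4b141e14ba3d9d0de3a9864c1339b2358386e10ba3b4caec73b5d06ca"
        reference = "https://blog.malwarebytes.org/cybercrime/2016/06/trojan-clickers-gaze-cast-upon-google-play-store/?utm_source=facebook&utm_medium=social"
        author = "Koodous Project"

    strings:
        // $b and $c are substrings of $a, so "$a and $b and $c" reduces to $a;
        // kept as written to stay faithful to the upstream rule.
        $a = "SELEN3333"
        $b = "SELEN33"
        $c = "SELEN333"
        $api = "http://mayis24.4tubetv.xyz/dmr/ya"

    condition:
        ($a and $b and $c and $api) or androguard.url(/mayis24\.4tubetv\.xyz/)
}
--------------------------------------------------------------------------------
/deprecated/Malware/MALW_Retefe.yar:
--------------------------------------------------------------------------------

/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

*/

// Retefe delivery documents: hex-encoded OLE "Package" object inside an RTF
// ($string2 is the hex of "Package\0", $string4 the RTF stylesheet header).
// Caveat: $string1 and $string5 are just runs of ASCII digits, and $string1 is
// a substring of $string3, so "5 of them" is satisfied by fairly generic RTF
// files carrying any embedded object; expect false positives on benign RTFs.
rule Retefe
{
    meta:
        author = "bartblaze"
        description = "Retefe"
    strings:
        $string0 = "01050000"
        $string1 = "00000000"
        $string2 = "5061636b61676500"
        $string3 = "000000000000000000000000000000000000000000000000000000000000000000000000000000"
        $string4 = "{\\stylesheet{ Normal;}{\\s1 heading 1;}{\\s2 heading 2;}}"
        $string5 = "02000000"
    condition:
        5 of them
}
--------------------------------------------------------------------------------
/deprecated/bank_rule.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and
open to any user or organization, as long as you use it under this license.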
*/

// Flags any mail that mentions the bank "Davivienda" (case-insensitive). This
// matches legitimate correspondence as readily as phishing; it is a routing /
// triage tag, not a verdict.
rule davivienda : mail {
    strings:
        $nombre = "davivienda" nocase
    condition:
        all of them
}
--------------------------------------------------------------------------------
/email/Email_generic_phishing.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
and open to any user or organization, as long as you use it under this license.

*/

// Generic phishing heuristic: message headers present, plus one word from each
// of the greeting / call-to-action / pretext groups. Several of the terms are
// ordinary English ("Here", "Now", "Attention", "Unable", "Click") and are
// matched as unanchored substrings, so almost any transactional mail will
// satisfy the $url* and $lie* groups; the $greeting* group does most of the
// discriminating. Use for scoring, not blocking.
rule Email_Generic_Phishing : email
{
    meta:
        Author = "Tyler <@InfoSecTyler>"
        Description ="Generic rule to identify phishing emails"

    strings:
        // "To:" also matches inside "Reply-To:" and similar headers.
        $eml_1="From:"
        $eml_2="To:"
        $eml_3="Subject:"

        $greeting_1="Hello sir/madam" nocase
        $greeting_2="Attention" nocase
        $greeting_3="Dear user" nocase
        $greeting_4="Account holder" nocase

        $url_1="Click" nocase
        $url_2="Confirm" nocase
        $url_3="Verify" nocase
        $url_4="Here" nocase
        $url_5="Now" nocase
        $url_6="Change password" nocase

        $lie_1="Unauthorized" nocase
        $lie_2="Expired" nocase
        $lie_3="Deleted" nocase
        $lie_4="Suspended" nocase
        $lie_5="Revoked" nocase
        $lie_6="Unable" nocase

    condition:
        all of ($eml*) and
        any of ($greeting*) and
        any of ($url*) and
        any of ($lie*)
}
--------------------------------------------------------------------------------
/email/attachment.yar:
--------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and
open to any user or organization, as long as you use it under this license.
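*/

// True when the message declares at least one attachment.
// `X-Attachment-Id` is a header Gmail adds per attached part; most other mail
// clients never emit it, so on its own the rule missed the majority of real
// attachments. The rule therefore also accepts the standard RFC 2183
// `Content-Disposition: attachment` marker (any spacing/folding after the
// colon). Header names are matched case-insensitively as RFC 5322 allows any
// casing. Parts sent as `Content-Disposition: inline; filename=...` are not
// counted.
rule with_attachment : mail
{
    meta:
        author = "Antonio Sanchez "
        reference = "http://laboratorio.blogs.hispasec.com/"
        description = "Rule to detect the presence of one or several attachments"
    strings:
        $attachment_id = "X-Attachment-Id" nocase
        $disposition = /Content-Disposition:\s*attachment/ nocase
    condition:
        $attachment_id or $disposition
}


// True when the input looks like a message (three header names) and carries
// none of the attachment markers: the Gmail `X-Attachment-Id` header, an RFC
// 2183 `Content-Disposition: attachment` part, or a `multipart/mixed`
// container. Note the last marker is only a proxy: `multipart/mixed` can
// occur without attachments and attachments can live in other multipart
// types, so this rule is a best-effort negative, not proof of absence.
rule without_attachments : mail
{
    meta:
        author = "Antonio Sanchez "
        reference = "http://laboratorio.blogs.hispasec.com/"
        description = "Rule to detect the absence of any attachment"
    strings:
        $eml_01 = "From:"
        $eml_02 = "To:"
        $eml_03 = "Subject:"
        $attachment_id = "X-Attachment-Id" nocase
        $disposition = /Content-Disposition:\s*attachment/ nocase
        $mime_type = "Content-Type: multipart/mixed" nocase
    condition:
        all of ( $eml_* ) and
        not $attachment_id and
        not $disposition and
        not $mime_type
}

-------------------------------------------------------------------------------- /email/urls.yar: --------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and
open to any user or organization, as long as you use it under this license.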
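*/

// True when the input looks like a message (three header names) and contains
// an http(s) URL. The scheme is matched case-insensitively, as RFC 3986
// requires, so `HTTP://` and `Https://` count too. Only http/https are
// covered: `ftp://`, `mailto:` and defanged `hxxp://` are ignored, and YARA
// does not decode base64 or quoted-printable bodies, so links inside encoded
// parts are not seen. The trailing group allows spaces, so the matched span
// may run past the URL into following words; that does not affect whether
// the rule fires.
rule with_urls : mail
{
    meta:
        author = "Antonio Sanchez "
        reference = "http://laboratorio.blogs.hispasec.com/"
        description = "Rule to detect the presence of one or several urls"
    strings:
        $eml_01 = "From:"
        $eml_02 = "To:"
        $eml_03 = "Subject:"

        $url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/ nocase
    condition:
        all of them
}

// Complement of with_urls over the same regex: message headers present and no
// http(s) URL anywhere in the raw bytes. Because encoded bodies are not
// decoded, a mail whose links sit in a base64 part still matches this rule,
// so treat it as "no plaintext URL seen" rather than proof of absence.
rule without_urls : mail
{
    meta:
        author = "Antonio Sanchez "
        reference = "http://laboratorio.blogs.hispasec.com/"
        description = "Rule to detect the absence of any url"
    strings:
        $eml_01 = "From:"
        $eml_02 = "To:"
        $eml_03 = "Subject:"

        $url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/ nocase
    condition:
        all of ( $eml_* ) and
        not $url_regex
}
-------------------------------------------------------------------------------- /email_index.yar: --------------------------------------------------------------------------------
/*
Generated by Yara-Rules
On 12-04-2022
*/
include "./email/EMAIL_Cryptowall.yar"
include "./email/Email_PHP_Mailer.yar"
include "./email/Email_fake_it_maintenance_bulletin.yar"
include "./email/Email_generic_phishing.yar"
include "./email/Email_quota_limit_warning.yar"
include "./email/attachment.yar"
include "./email/email_Ukraine_BE_powerattack.yar"
include "./email/extortion_email.yar"
include "./email/image.yar"
include "./email/scam.yar"
include "./email/urls.yar"
-------------------------------------------------------------------------------- /exploit_kits/EK_Zeus.yar: --------------------------------------------------------------------------------
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.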
3 | 4 | */ 5 | 6 | rule zeus_js : EK 7 | { 8 | meta: 9 | author = "Josh Berry" 10 | date = "2016-06-26" 11 | description = "Zeus Exploit Kit Detection" 12 | hash0 = "c87ac7a25168df49a64564afb04dc961" 13 | sample_filetype = "js-html" 14 | yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" 15 | strings: 16 | $string0 = "var jsmLastMenu " 17 | $string1 = "position:absolute; z-index:99' " 18 | $string2 = " -1)jsmSetDisplayStyle('popupmenu' " 19 | $string3 = " '