├── .gitignore ├── APT ├── APT_Derusbi.yar ├── APT_KimSuky_dllbckdr.yar ├── APT_MiniASP_pdb.yar ├── APT_Operation_SoftCell.yar ├── APT_Tortoiseshell_Syskit ├── APT_Tortoiseshell_Syskit.yar ├── APT_Troj_HermWiper.yar ├── APT_acidbox.yar ├── APT_auriga_biscuit.yar ├── APT_babar_pdb.yar ├── APT_blackenergy_pdb.yar ├── APT_decade_of_RATs.yar ├── APT_elise_pdb.yar ├── APT_gdocupload_pdb.yar ├── APT_hangover.yar ├── APT_hikit_rootkit_pdb.yar ├── APT_karkoff_dnspionaje.yar ├── APT_lagulon_pdb.yar ├── APT_manitsme_trojan_pdb.yar ├── APT_milum_wildpressure.yar ├── APT_mirage_pdb.yar ├── APT_operation_aurora.yar ├── APT_operation_skeleton.yar ├── APT_operation_troy.yar ├── APT_turla_pdb.yar ├── APT_winnti.yar ├── enfal_pdb.yar ├── flamer_pdb.yar ├── gauss_pdb.yar └── ixeshe_bled_pdb.yar ├── LICENSE ├── README.md ├── malware ├── MALDOC_rtf_bluetea_builder.yar ├── MALW_Eicar.yar ├── MALW_MsWordExploit_DOC.yar ├── MALW_NionSpy.yar ├── MALW_Rovnix.yar ├── MALW_Shifu.yar ├── MALW_VPNfilter.yar ├── MALW_alina_pos_pdb.yar ├── MALW_backdoor_havex_pdb.yar ├── MALW_backdoor_kankan_pdb.yar ├── MALW_backdoor_katorxa_pdb.yar ├── MALW_blackpos_pdb.yar ├── MALW_browser_fox_adware.yar ├── MALW_chickdos_pdb.yar ├── MALW_cobaltstrike.yar ├── MALW_cutwail.yar ├── MALW_downloader_darkmegi.yar ├── MALW_dridex_p2p_pdb.yar ├── MALW_dropper_demekaf_pdb.yar ├── MALW_emotet.yar ├── MALW_festi_botnet_pdb.yar ├── MALW_fritzfrog.yar ├── MALW_inabot_worm_pdb.yar ├── MALW_jatboss.yar ├── MALW_kelhios_botnet_pdb.yar ├── MALW_likseput_backdoor_pdb.yar ├── MALW_liquorbot.yar ├── MALW_mangzamel_trojan_pdb.yar ├── MALW_masslogger_stealer.yar ├── MALW_medfos_pdb.yar ├── MALW_redline.yar ├── MALW_rietspoof_loader.yar ├── MALW_screenlocker_5h311_1nj3c706.yar ├── MALW_shellcode_mykins_botnet.yar ├── MALW_vbs_mykins_botnet.yar └── MAL_cyax_sharp_loader.yar ├── miners ├── MINER_Monero.yar └── Trojan_CoinMiner.yar ├── ransomware ├── RANSOM_Anatova.yar ├── RANSOM_Avoslocker.yar ├── RANSOM_BabukLocker_Jan2021.yar ├── 
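RANSOM_Babuk_Packed_Feb2021.yar ├── RANSOM_BadRabbit.yar ├── RANSOM_Bitpaymer.yar ├── RANSOM_BlackMatter ├── RANSOM_Buran.yar ├── RANSOM_CTBLocker.yar ├── RANSOM_ClopRansomNote.yar ├── RANSOM_CryptoNar.yar ├── RANSOM_Cryptolocker.yar ├── RANSOM_Darkside.yar ├── RANSOM_Exorcist.yar ├── RANSOM_GPGQwerty.yar ├── RANSOM_Kraken.yar ├── RANSOM_Linux_HelloKitty0721.yar ├── RANSOM_Lockbit2.yar ├── RANSOM_LockerGoga.yar ├── RANSOM_Loocipher.yar ├── RANSOM_MONGOLOCK.yar ├── RANSOM_MegaCortex.yar ├── RANSOM_NEFILIM.yar ├── RANSOM_Nemty.yar ├── RANSOM_Pico.yar ├── RANSOM_PureLocker.yar ├── RANSOM_RobbinHood.yar ├── RANSOM_Ryuk.yar ├── RANSOM_SamSam.yar ├── RANSOM_Shiva.yar ├── RANSOM_Sodinokibi.yar ├── RANSOM_Suncrypt.yar ├── RANSOM_acroware.yar ├── RANSOM_amba.yar ├── RANSOM_coronavirus.yar ├── RANSOM_egregor.yar ├── RANSOM_jeff_dev.yar ├── RANSOM_locdoor.yar ├── RANSOM_makop.yar ├── RANSOM_mountlocker.yar ├── RANSOM_netwalker.yar ├── RANSOM_ragnarlocker.yar ├── RANSOM_shrug2.yar ├── RANSOM_snake_ransomware.yar ├── RANSOM_termite.yar ├── RANSOM_thiefquest.yar ├── RANSOM_wannaren.yar ├── RANSOM_wastedlocker.yar ├── RANSOM_xinof.yar ├── Ransom_Conti.yar ├── Ransom_Maze.yar ├── Ransom_Mespinoza.yar ├── Ransom_ThunderX.yar ├── Ransom_Vovalex1.yar ├── Ransom_Win_BlackCat_public.yar └── ransom_BlackKingDom.yar └── stealer ├── STEALER_EmiratesStatement.yar ├── STEALER_Lokibot.yar └── STEALER_credstealer.yar
/.gitignore:
--------------------------------------------------------------------------------

.DS_Store

--------------------------------------------------------------------------------
/APT/APT_Derusbi.yar:
--------------------------------------------------------------------------------
// Derusbi detection rules: four ELF/Linux rules and one Windows PE rule.
// The ELF rules gate on uint32(0) == 0x464C457F (little-endian "\x7fELF");
// the PE rule gates on uint16(0) == 0x5A4D ("MZ").
rule apt_nix_elf_derusbi {

    meta:

        description = "Rule to detect the APT Derusbi ELF file"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2017-05-31"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:ELF/Derusbi"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://attack.mitre.org/software/S0021/"

    strings:

        // $s1-$s20: program-specific strings (entry symbol, shell invocation,
        // proxy/HTTP headers). $s21-$s37 are ordinary libc/pthread symbol
        // names; the rule's specificity comes from requiring all 37 together.
        $s1 = "LxMain"
        $s2 = "execve"
        $s3 = "kill"
        $s4 = "cp -a %s %s"
        $s5 = "%s &"
        $s6 = "dbus-daemon"
        $s7 = "--noprofile"
        $s8 = "--norc"
        $s9 = "TERM=vt100"
        $s10 = "/proc/%u/cmdline"
        $s11 = "loadso"
        $s12 = "/proc/self/exe"
        $s13 = "Proxy-Connection: Keep-Alive"
        $s14 = "Connection: Keep-Alive"
        $s15 = "CONNECT %s"
        $s16 = "HOST: %s:%d"
        $s17 = "User-Agent: Mozilla/4.0"
        $s18 = "Proxy-Authorization: Basic %s"
        $s19 = "Server: Apache"
        $s20 = "Proxy-Authenticate"
        $s21 = "gettimeofday"
        $s22 = "pthread_create"
        $s23 = "pthread_join"
        $s24 = "pthread_mutex_init"
        $s25 = "pthread_mutex_destroy"
        $s26 = "pthread_mutex_lock"
        $s27 = "getsockopt"
        $s28 = "socket"
        $s29 = "setsockopt"
        $s30 = "select"
        $s31 = "bind"
        $s32 = "shutdown"
        $s33 = "listen"
        $s34 = "opendir"
        $s35 = "readdir"
        $s36 = "closedir"
        $s37 = "rename"

    condition:

        // Fixed: the original literal 0x4464c457f has nine hex digits (36 bits),
        // so a 32-bit read could never equal it and this rule could not fire.
        // 0x464C457F is the ELF magic the other ELF rules in this file use.
        (uint32(0) == 0x464C457F) and
        filesize < 200KB and
        all of them
}

// Companion loadable-kernel-module rule. $s3-$s6 name the pid-hiding helpers;
// $s7-$s11 are standard .modinfo keys and $s12-$s20 are exported kernel
// symbols, so only the combination is meaningful.
rule apt_nix_elf_derusbi_kernelModule {

    meta:

        description = "Rule to detect the Derusbi ELK Kernel module"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2017-05-31"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:ELF/Derusbi"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://attack.mitre.org/software/S0021/"

    strings:

        $s1 = "__this_module"
        $s2 = "init_module"
        $s3 = "unhide_pid"
        $s4 = "is_hidden_pid"
        $s5 = "clear_hidden_pid"
        $s6 = "hide_pid"
        $s7 = "license"
        $s8 = "description"
        $s9 = "srcversion="
        $s10 = "depends="
        $s11 = "vermagic="
        $s12 = "current_task"
        $s13 = "sock_release"
        $s14 = "module_layout"
        $s15 = "init_uts_ns"
        $s16 = "init_net"
        $s17 = "init_task"
        $s18 = "filp_open"
        $s19 = "__netlink_kernel_create"
        $s20 = "kfree_skb"

    condition:

        // Fixed: same 36-bit literal (0x4464c457f) as in apt_nix_elf_derusbi;
        // replaced with the real ELF magic so the rule can match.
        (uint32(0) == 0x464C457F) and
        filesize < 200KB and
        all of them
}

// Single 14-byte code pattern with two wildcard bytes; the only string, so
// "all of them" is equivalent to "$byte1".
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation {

    meta:

        description = "Rule to detect Derusbi Linux Shared Memory creation"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2017-05-31"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:ELF/Derusbi"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://attack.mitre.org/software/S0021/"

    strings:

        $byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }

    condition:

        (uint32(0) == 0x464C457F) and
        filesize < 200KB and
        all of them
}

// String-group rule: $a* are the distinctive markers, $b* supporting strings,
// $c* artefact paths. Note $b4 is a suffix of $a2, so a hit on $a2 also
// contributes to the "4 of ($b*)" count.
rule apt_nix_elf_Derusbi_Linux_Strings {

    meta:

        description = "Rule to detect APT Derusbi Linux Strings"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2017-05-31"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:ELF/Derusbi"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://attack.mitre.org/software/S0021/"

    strings:

        $a1 = "loadso" wide ascii fullword
        $a2 = "\nuname -a\n\n" wide ascii
        $a3 = "/dev/shm/.x11.id" wide ascii
        $a4 = "LxMain64" wide ascii nocase
        $a5 = "# \\u@\\h:\\w \\$ " wide ascii
        $b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide
        $b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
        $b3 = "ret %d" wide fullword
        $b4 = "uname -a\n\n" wide ascii
        $b5 = "/proc/%u/cmdline" wide ascii
        $b6 = "/proc/self/exe" wide ascii
        $b7 = "cp -a %s %s" wide ascii
        $c1 = "/dev/pts/4" wide ascii fullword
        $c2 = "/tmp/1408.log" wide ascii fullword

    condition:

        uint32(0) == 0x464C457F and
        filesize < 200KB and
        ((1 of ($a*) and
        4 of ($b*)) or
        (1 of ($a*) and
        1 of ($c*)) or
        2 of ($a*) or
        all of ($b*))
}

// Windows PE variant. NOTE(review): malware_family still reads
// "Backdoor:ELF/Derusbi" although the condition gates on the PE "MZ" magic;
// presumably copied from the ELF rules above - confirm and correct the meta.
// Several atoms are very short ("RAM", "NET", "FAL", "OK", ".dat"); they are
// cheap to hit by accident and only carry weight inside the all-of groups.
rule apt_win_exe_trojan_derusbi {

    meta:

        description = "Rule to detect Derusbi Trojan"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2017-05-31"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:ELF/Derusbi"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://attack.mitre.org/software/S0021/"

    strings:

        $sa_1 = "USB" wide ascii
        $sa_2 = "RAM" wide ascii
        $sa_3 = "SHARE" wide ascii
        $sa_4 = "HOST: %s:%d"
        $sa_5 = "POST"
        $sa_6 = "User-Agent: Mozilla"
        $sa_7 = "Proxy-Connection: Keep-Alive"
        $sa_8 = "Connection: Keep-Alive"
        $sa_9 = "Server: Apache"
        $sa_10 = "HTTP/1.1"
        $sa_11 = "ImagePath"
        $sa_12 = "ZwUnloadDriver"
        $sa_13 = "ZwLoadDriver"
        $sa_14 = "ServiceMain"
        $sa_15 = "regsvr32.exe"
        $sa_16 = "/s /u" wide ascii
        $sa_17 = "rand"
        $sa_18 = "_time64"
        $sa_19 = "DllRegisterServer"
        $sa_20 = "DllUnregisterServer"
        $sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver
        $sb_1 = "PCC_CMD_PACKET"
        $sb_2 = "PCC_CMD"
        $sb_3 = "PCC_BASEMOD"
        $sb_4 = "PCC_PROXY"
        $sb_5 = "PCC_SYS"
        $sb_6 = "PCC_PROCESS"
        $sb_7 = "PCC_FILE"
        $sb_8 = "PCC_SOCK"
        $sc_1 = "bcdedit -set testsigning" wide ascii
        $sc_2 = "update.microsoft.com" wide ascii
        $sc_3 = "_crt_debugger_hook" wide ascii
        $sc_4 = "ue8G5" wide ascii
        $sd_1 = "NET" wide ascii
        $sd_2 = "\\\\.\\pipe\\%s" wide ascii
        $sd_3 = ".dat" wide ascii
        $sd_4 = "CONNECT %s:%d" wide ascii
        $sd_5 = "\\Device\\" wide ascii
        $se_1 = "-%s-%04d" wide ascii
        $se_2 = "-%04d" wide ascii
        $se_3 = "FAL" wide ascii
        $se_4 = "OK" wide ascii
        $se_5 = "2.03" wide ascii
        $se_6 = "XXXXXXXXXXXXXXX" wide ascii

    condition:

        // Either every $sa_* string, or 13 of them plus one supporting group.
        (uint16(0) == 0x5A4D) and
        filesize < 200KB and
        ( (all of ($sa_*)) or
        ((13 of ($sa_*)) and
        ( (5 of ($sb_*)) or
        (3 of ($sc_*)) or
        (all of ($sd_*)) or
        ( (1 of ($sc_*)) and
        (all of ($se_*)) ) ) ) )
}

--------------------------------------------------------------------------------
/APT/APT_KimSuky_dllbckdr.yar:
--------------------------------------------------------------------------------
// Kimsuky DLL backdoor. $x* are the high-confidence status strings; the
// strings and condition continue past this point in the file.
rule APT_KimSuky_bckdr_dll {

    meta:

        description = "Armadillo packed DLL used in Kimsuky campaign"
        author = "Christiaan Beek - McAfee Advanced Threat Research"
        date = "2018-02-09"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Kimsuky"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/"
        hash = "afe4237ff1a3415072d2e1c2c8954b013471491c6afdce3f04d2f77e91b0b688"

    strings:

        $x1 = "taskmgr.exe Execute Ok!!!" fullword ascii
        $x2 = "taskmgr.exe Execute Err!!!"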
fullword ascii
        $x3 = "kkk.exe Executing!!!" fullword ascii
        $s4 = "ShellExecuteA Ok!!!" fullword ascii
        $s5 = "ShellExecuteA Err!!!" fullword ascii
        $s6 = "Manage.dll" fullword ascii
        $s7 = "%s_%s.txt" fullword ascii
        $s8 = "kkk.exe Copy Ok!" fullword ascii
        $s9 = "File Executing!" fullword ascii
        $s10 = "////// KeyLog End //////" fullword ascii
        $s11 = "//////// SystemInfo End ///////" fullword ascii
        $s12 = "//////// SystemInfo ///////" fullword ascii
        $s13 = "///// UserId //////" fullword ascii
        $s14 = "///// UserId End //////" fullword ascii
        $s15 = "////// KeyLog //////" fullword ascii
        $s16 = "Decrypt Erro!!!" fullword ascii
        $s17 = "File Delete Ok!" fullword ascii
        $s18 = "Down Ok!!!" fullword ascii

        // Code patterns; all three are required in the first alternative below.
        $op0 = { be 40 e9 00 10 8d bd 3c ff ff ff 83 c4 48 f3 a5 }
        $op1 = { 8b ce 33 c0 8b d1 8d bc 24 34 02 00 00 c1 e9 02 }
        $op2 = { be dc e9 00 10 8d bd 1c ff ff ff f3 a5 8d bd 1c }

    condition:

        // "4 of them" counts any string, including the $x* and $op* ones.
        // NOTE(review): the second alternative "( all of them )" carries no
        // MZ or filesize gate, so a non-PE file of any size that contains
        // every string still matches; confirm that is intended.
        ( uint16(0) == 0x5a4d and
        filesize < 200KB and
        ( 1 of ($x*) and
        4 of them ) and
        all of ($op*)) or
        ( all of them )
}

--------------------------------------------------------------------------------
/APT/APT_MiniASP_pdb.yar:
--------------------------------------------------------------------------------
// MiniASP (APT1) detection keyed purely on two build-path (PDB) strings.
rule apt_miniasp_pdb {

    meta:

        description = "Rule to detect MiniASP based on PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2012-07-12"
        rule_version = "v1"
        malware_type = "trojan"
        malware_family = "Trojan:W32/MiniASP"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
        hash = "42334f2119069b8c0ececfb14a7030e480b5d18ca1cc35f1ceaee847bc040e53"

    strings:

        $pdb = "\\Project\\mm\\Wininet\\Attack\\MiniAsp4\\Release\\MiniAsp.pdb"
        $pdb1 = "\\XiaoME\\AiH\\20120410\\Attack\\MiniAsp3\\Release\\MiniAsp.pdb"

    condition:

        // Either PDB path is enough; the 80KB cap narrows the search.
        uint16(0) == 0x5a4d and
        filesize < 80KB and
        any of them
}
--------------------------------------------------------------------------------
/APT/APT_Tortoiseshell_Syskit:
--------------------------------------------------------------------------------
// NOTE(review): this file has no .yar extension, and the sibling file
// APT_Tortoiseshell_Syskit.yar defines a rule with the same identifier
// "syskit". Compiling both into one ruleset produces a duplicated-identifier
// error, while a loader that globs *.yar silently skips this copy.
import "pe"   // needed for pe.imphash() in the condition

// Syskit (Tortoiseshell) .NET service backdoor. $x1 is the high-confidence
// cleanup command; $s2 is a truncated .NET resource-reader type name.
rule syskit {

    meta:

        description = "SYSkit backdoor"
        author = "Christiaan | McAfee ATR Team"
        reference = "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
        date = "2019-09-17"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/SysKit"
        actor_type = "Apt"
        actor_group = "Unknown"
        hash = "07d123364d8d04e3fe0bfa4e0e23ddc7050ef039602ecd72baed70e6553c3ae4"

    strings:

        $x1 = "timeout /t 10 & sc stop dllhost & timeout /t 10 & del C:\\Windows\\Temp\\BAK.exe" fullword wide
        $s2 = "lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii
        $s3 = "C:\\Windows\\Temp\\rconfig.xml" fullword wide
        $s4 = "Add-Type -AssemblyName System.IO.Compression.FileSystem" fullword wide
        $s5 = "serviceProcessInstaller1" fullword ascii
        $s6 = " [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)" fullword wide
        $s7 = "exec_cmd2" fullword ascii
        $s8 = "exec_cmd" fullword ascii
        $s9 = "send_command_result" fullword ascii
        $s10 = "mycontent" fullword ascii
        $s11 = "Diagnostic Server Host" fullword wide
        $s12 = "bytesToBeEncrypted" fullword ascii
        $s13 = "createPostRequest" fullword ascii
        $s14 = "myhash" fullword ascii
        $s15 = "DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5" ascii
        $s16 = "circle_time" fullword ascii
        $s17 = "ServiceStart_AfterInstall" fullword ascii
        $s18 = "serviceInstaller1" fullword ascii
        $s19 =
"BAK.ProjectInstaller.resources" fullword ascii
        $s20 = "Dll host" fullword wide

        // Code patterns; all three are required in the first alternative.
        $op0 = { 96 00 f1 0a 57 02 05 00 34 25 }
        $op1 = { 96 00 83 05 5a 01 0e 00 38 28 }
        $op2 = { 06 00 00 11 28 4d 00 00 0a 02 6f 4e 00 00 0a 28 }

    condition:

        // First alternative pins MZ, size and import hash (requires import "pe").
        // NOTE(review): the "( all of them )" alternative has none of those
        // gates, so any file containing every string matches regardless of
        // format or size.
        ( uint16(0) == 0x5a4d and
        filesize < 50KB and
        pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and
        ( 1 of ($x*) and
        4 of them ) and
        all of ($op*)) or
        ( all of them )
}
--------------------------------------------------------------------------------
/APT/APT_Tortoiseshell_Syskit.yar:
--------------------------------------------------------------------------------
// NOTE(review): duplicate of the rule in the extension-less file
// APT_Tortoiseshell_Syskit (same identifier "syskit", same strings and
// condition); this copy lists three hashes but lacks the rule_version /
// malware_type / malware_family / actor_* meta fields the sibling carries.
// Only one of the two can be compiled into a ruleset.
import "pe"   // needed for pe.imphash() in the condition

rule syskit {
    meta:
        description = "SYSkit backdoor"
        author = "Christiaan @ McAfee ATR"
        reference = "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
        date = "2019-09-17"
        hash1 = "07d123364d8d04e3fe0bfa4e0e23ddc7050ef039602ecd72baed70e6553c3ae4"
        hash2 = "f71732f997c53fa45eef5c988697eb4aa62c8655d8f0be3268636fc23addd193"
        hash3 = "02a3296238a3d127a2e517f4949d31914c15d96726fb4902322c065153b364b2"
    strings:
        $x1 = "timeout /t 10 & sc stop dllhost & timeout /t 10 & del C:\\Windows\\Temp\\BAK.exe" fullword wide
        $s2 = "lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii
        $s3 = "C:\\Windows\\Temp\\rconfig.xml" fullword wide
        $s4 = "Add-Type -AssemblyName System.IO.Compression.FileSystem" fullword wide
        $s5 = "serviceProcessInstaller1" fullword ascii
        $s6 = " [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)" fullword wide
        $s7 = "exec_cmd2" fullword ascii
        $s8 = "exec_cmd" fullword ascii
        $s9 = "send_command_result" fullword ascii
        $s10 = "mycontent" fullword ascii
        $s11 = "Diagnostic Server Host" fullword wide
        $s12 = "bytesToBeEncrypted" fullword ascii
        $s13 = "createPostRequest" fullword ascii
        $s14 = "myhash" fullword ascii
        $s15 = "DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5" ascii
        $s16 = "circle_time" fullword ascii
        $s17 = "ServiceStart_AfterInstall" fullword ascii
        $s18 = "serviceInstaller1" fullword ascii
        $s19 = "BAK.ProjectInstaller.resources" fullword ascii
        $s20 = "Dll host" fullword wide

        $op0 = { 96 00 f1 0a 57 02 05 00 34 25 }
        $op1 = { 96 00 83 05 5a 01 0e 00 38 28 }
        $op2 = { 06 00 00 11 28 4d 00 00 0a 02 6f 4e 00 00 0a 28 }
    condition:
        // Same shape as the sibling rule: the "( all of them )" branch is ungated.
        ( uint16(0) == 0x5a4d and filesize < 50KB and pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and ( 1 of ($x*) and 4 of them ) and all of ($op*)
        ) or ( all of them )
}
--------------------------------------------------------------------------------
/APT/APT_Troj_HermWiper.yar:
--------------------------------------------------------------------------------
// HermeticWiper: eleven long, wildcard-free byte sequences ($0-$10); the
// condition further down requires all of them. Meta carries no reference or
// hash, and malware_type is capitalised ("Trojan") unlike the other rules in
// this repository.
rule HermeticWiper {

    meta:
        description = "Detecting variants of Hermetic Wiper malware discovered in UA"
        author = " cb @ Trellix ATR"
        date = "2022-02-24"
        rule_version = "v1"
        malware_type = "Trojan"

    strings:
        $0 = {E4B5518CD941310A015E4AF8E5968C8231492FE19246A293A569D5D7A36F56EB2FC5B68FFF6F3359C19AF6806920C3FE6628F90A75440E6616297A031BA6075100D72DFAA9829E772E45D77B89F862081EAFDB19B4B2DCEF3F273FF645ACCEAA4B991F98373973C0FB25829E860D9BC195EF1A0AD9219456AD077D42868EE03EE00E88D04C434BA97E88DF99273A35E2C668A1C69954B4762390ABDFBE4CD4AF}
        $1 = {90506F1C825F7AE0D8605F5C627CA325BFF199AB60A63DE8A90E923F4B18D7FB039E1DEC89D573AAB0A14C1D4BA70EB444753A41C03082A60CB4DB551393F2C50988A3181E7F31D01B5AAD94070432D98F18655AB8A555919FEFEA9DE1EDF1}
        $2 = {D5EEF61336015A85FF04ED298A6BDD6742FF153E33DAF9B383A5FFDCE7E64D47748DB5FF2609DF9BD5C66735FF6916797B2D365313FF1461EAEB9DAEA754FF6D4D55D1956CC8CBFF75C10CE74BF88C8DFF3B553B839D42609FFF2916227230}
        $3 =
{6C750DDC932124500CE9B5AB91CE101BE9AD348220E9423124512282373675152281023428825C51770FE9841F853375125382F732750A5B83F60FEB6AEE2282647462228269745AEE22826F7452228275744AEE2282787442}
        $4 = {19A8A063FFAAAF6C1E7F78A896FFFA5C8F30BA98B69CFF1961E107BEB7636AFF9EA56A4FC4EDE3F1FF295235ACD0185726FFADA6B8CB54B342C9FF86F58524DC91617BFFB4388DBE01B6CF86}
        $5 = {50C449606B20184A6328556032197660AAF9507861609F6160640560B4546160C3A194056070C4A09EC4A01A0461A4C4A0831B16600561916069A291607061C09160AA1CB6204A}
        $6 = {FFEB19D2636B8B95273156BB63E8C78470D55970F47CF26574B46DE86EE084704590CA8053F15320258BBD1AACF18B04F2E965C6605CB10880B7E8FCF53DF5EB0621635EFF}
        $7 = {7E31126E14B8FF98554F6FCFB64207FFCF8D93B2573609C2FF99E4409F73BB9322FF1E5E380DC0BBABCAFF4B901EDF61BD6A68FFEE3253728C7769ABFF7BCDA939C959A282}
        $8 = {1970FFC6F8AA7C32EE693CFF369579E5355EF62CFF682CEAF20BA3EA1CFF1AAC638666431B20FF54293D1E709C231AFFCD11B55599F64CB9FF1E5A9015DC867F}
        $9 = {8DFF93B2573609C299E4FF409F73BB93221E5EFF380DC0BBABCA4B90FF1EDF61BD6A68EE32FF53728C7769AB7BCDFFA939C959A282D312FF5DD04F0370CE811F}
        $10 = {DF5519064E31101CF3DA96C15FF96728B708F358F51759E3A22FFA1CF1BB986A2038D6753E6BF037945B8469ADF20BAB71E10F3DE27735F640704C970DFE8672}
    condition:

        // Every one of the eleven exact byte sequences must be present; with no
        // wildcards, a build that alters any single sequence likely drops out.
        uint16(0) == 0x5a4d and
        filesize < 200KB and
        all of them
}
--------------------------------------------------------------------------------
/APT/APT_acidbox.yar:
--------------------------------------------------------------------------------
// AcidBox (attributed to Turla in meta): three rules, one per component.
// None of them checks a file header; each relies on 7 of 10 x64 code
// patterns plus a byte-exact filesize cap (the caps are in bytes, not KB).
rule APT_acidbox_kernelmode_module
{
    meta:

        description = "Rule to detect the kernel mode component of AcidBox"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2020-07-24"
        rule_version = "v1"
        malware_type = "kerneldriver"
        malware_family = "Rootkit:W32/Acidbox"
        actor_type = "APT"
        actor_group = "Turla"
        hash1 = "3ef071e0327e7014dd374d96bed023e6c434df6f98cce88a1e7335a667f6749d"

    strings:

        // "????????" wildcards mask relocated call/immediate operands.
        $pattern_0 = { 897c2434 8978b8 8d5f28 448bc3 33d2 }
        $pattern_1 = { 4c8d842470010000 488d942418010000 498bcf e8???????? 8bd8 89442460 }
        $pattern_2 = { 4c8bf1 49d1eb 4585c9 0f88a2000000 440fb717 498bd0 }
        $pattern_3 = { ff15???????? 4c8d9c2480000000 498b5b10 498b7318 498b7b20 4d8b7328 498be3 }
        $pattern_4 = { 33d2 41b8???????? 895c2420 e8???????? }
        $pattern_5 = { 895c2420 4885ff 0f8424010000 440f20c0 84c0 0f8518010000 }
        $pattern_6 = { 85f6 0f8469fdffff 488d8424c8010000 41b9???????? }
        $pattern_7 = { 894c2404 750a ffc7 893c24 41ffc3 ebcb 85c9 }
        $pattern_8 = { 488b5c2450 488b742458 488b7c2460 4883c430 }
        $pattern_9 = { 33d2 488b4c2428 e8???????? 448b842450040000 4503c0 4c8d8c2450040000 488bd7 }

    condition:

        7 of them and
        filesize < 78848
}

rule APT_acidbox_main_module_dll
{
    meta:

        description = "Rule to detect the Main mode component of AcidBox"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2020-07-24"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Acidbox"
        actor_type = "APT"
        actor_group = "Turla"
        hash1 = "eb30a1822bd6f503f8151cb04bfd315a62fa67dbfe1f573e6fcfd74636ecedd5"

    strings:

        $pattern_0 = { 7707 b8022d03a0 eb05 e8???????? }
        $pattern_1 = { 4403c8 8bc3 41d1c6 33c6 81c6d6c162ca c1cb02 33c7 }
        $pattern_2 = { e9???????? 412b5c2418 8b45dc 412b442408 41015c241c 410144240c 015f1c }
        $pattern_3 = { 48895c2408 57 4883ec30 488bfa 33db 4885c9 7479 }
        $pattern_4 = { 48895c2408 57 4883ec30 498bd8 488bfa 488364245800 85c9 }
        $pattern_5 = { 488987e0010000 e9???????? 81cb001003a0 e9???????? 488b87a0010000 44847806 742e }
        $pattern_6 = { 4d8bcc 4c8d0596c50100 498bd4 488bce e8???????? 498b9de0010000 c74605aa993355 }
        $pattern_7 = { 4533c0 8d5608 e8???????? 488bf0 4889442460 4885c0 750b }
        $pattern_8 = { 488d5558 41c1ee08 41b802000000 44887559 e8???????? 4c8b4de0 894718 }
        $pattern_9 = { 4d03c2 4d3bc2 4d13cc 4d0303 4d3b03 4d8903 4c8b13 }

    condition:

        7 of them and
        filesize < 550912
}

rule APT_acidbox_ssp_dll_module
{
    meta:

        description = "Rule to detect the SSP DLL component of AcidBox"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2020-07-24"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Acidbox"
        actor_type = "APT"
        actor_group = "Turla"
        hash1 = "003669761229d3e1db0f5a5b333ef62b3dffcc8e27c821ce9018362e0a2df7e9"

    strings:

        $pattern_0 = { 49897ba0 8bc7 49894398 49897ba8 33c9 49894bb0 }
        $pattern_1 = { 8b8424a8000000 c1e818 88443108 66895c310a 498b0e }
        $pattern_2 = { 8b5f48 413bdd 410f47dd 85db 0f84f1000000 488b4720 4885c0 }
        $pattern_3 = { e8???????? 85c0 78c7 488d9424a0020000 488d8c24e0030000 ff15???????? 4c8bf8 }
        $pattern_4 = { ff15???????? 488bc8 4c8bc6 33d2 ff15???????? 8bfb 895c2420 }
        $pattern_5 = { 415f c3 4c8bdc 49895b10 }
        $pattern_6 = { 488d842488010000 4889442420 41bf???????? 458bcf 4c8bc7 418bd7 488d8c2490000000 }
        $pattern_7 = { c1e908 0fb6c9 3bce 77b6 8bd0 b9???????? c1ea10 }
        $pattern_8 = { 4c8bc3 ba???????? 488d4c2438 e8???????? 89442430 85c0 7508 }
        $pattern_9 = { bb02160480 8bc3 488b5c2440 488b742448 488b7c2450 4883c430 }

    condition:

        7 of them and
        filesize < 199680
}
--------------------------------------------------------------------------------
/APT/APT_auriga_biscuit.yar:
--------------------------------------------------------------------------------
// Auriga (APT1) kernel driver. Keys on the riodrv32/rio32drv driver, device
// and registry names plus the build PDB path in $s7; strings continue below.
rule apt_auriga_driver {

    meta:

        description = "Rule to detect the Auriga driver"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2013-03-13"
        reference = "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
        rule_version = "v1"
        malware_type = "kerneldriver"
        malware_family = "Driver:W32/Auriga"
        actor_type = "APT"
        actor_group = "APT1"
        hash = "207eee627a76449ac6d2ca43338d28087c8b184e7b7b50fdc60a11950c8283ec"

    strings:

        $s1 = "\\SystemRoot\\System32\\netui.dll" fullword wide
        $s2 = "\\SystemRoot\\System32\\drivers\\riodrv32.sys" fullword wide
        $s3 = "\\SystemRoot\\System32\\arp.exe" fullword wide
        $s4 = "netui.dll" fullword ascii
        $s5 = "riodrv32.sys" fullword wide
        $s6 = "\\netui.dll" fullword wide
        $s7 = "d:\\drizt\\projects\\auriga\\branches\\stone_~1\\server\\exe\\i386\\riodrv32.pdb" fullword ascii
        $s8 = "\\riodrv32.sys" fullword wide
        $s9 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\riodrv32" fullword wide
        $s10 = "\\DosDevices\\rio32drv" fullword wide
        // NOTE(review): "e\\Driver\\nsiproxy" looks like a truncated path
        // (leading "e" with no separator) - confirm against the sample.
        $s11 = "e\\Driver\\nsiproxy" fullword wide
        $s12 = "(C) S3/Diamond Multimedia Systems. All rights reserved."
fullword wide
        $s13 = "\\Device\\rio32drv" fullword wide
        $s14 = "\\Registry\\Machine\\SOFTWARE\\riodrv" fullword wide
        $s15 = "\\Registry\\Machine\\SOFTWARE\\riodrv32" fullword wide

    condition:

        // All fifteen strings are required; the 50KB cap keeps this to small drivers.
        uint16(0) == 0x5a4d and
        filesize < 50KB and
        all of them
}
--------------------------------------------------------------------------------
/APT/APT_babar_pdb.yar:
--------------------------------------------------------------------------------
// Babar DLL wrapper. $s7 is a fragment of the standard MSVC CRT DllMain
// message and $s8-$s11 are environment-variable names, so with "all of them"
// the rule is effectively anchored by the PDB path in $s1.
rule apt_babar_malware {

    meta:

        description = "Rule to detect Babar malware"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2015-02-18"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Babar"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
        hash = "c72a055b677cd9e5e2b2dcbba520425d023d906e6ee609b79c643d9034938ebf"

    strings:

        $s1 = "c:\\Documents and Settings\\admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper Release\\Release.pdb" fullword ascii
        $s2 = "%COMMON_APPDATA%" fullword ascii
        $s3 = "%%WINDIR%%\\%s\\%s" fullword ascii
        $s4 = "/s /n %s \"%s\"" fullword ascii
        $s5 = "/c start /wait " fullword ascii
        $s6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
        $s7 = "constructor or from DllMain." fullword ascii
        $s8 = "ComSpec" fullword ascii
        $s9 = "APPDATA" fullword ascii
        $s10 = "WINDIR" fullword ascii
        $s11 = "USERPROFILE" fullword ascii

    condition:

        uint16(0) == 0x5a4d and
        filesize < 2000KB and
        all of them
}
--------------------------------------------------------------------------------
/APT/APT_blackenergy_pdb.yar:
--------------------------------------------------------------------------------
// BlackEnergy trojan rule. NOTE(review): malware_family is spelled
// "BlackEngergy" (meta string; left as-is here). The strings read like
// installer/bootstrapper messages rather than anything family-specific;
// see the note at the condition further down before deploying.
rule apt_blackenergy_pdb {

    meta:

        description = "Rule to detect the BlackEnergy trojan"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2013-02-15"
        rule_version = "v1"
        malware_type = "trojan"
        malware_family = "Trojan:W32/BlackEngergy"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.kaspersky.com.au/resource-center/threats/blackenergy"
        hash = "4b2efcda5269f4b80dc417a2b01332185f2fafabd8ba7114fa0306baaab5a72d"

    strings:

        $s1 = "msiexec.exe /i \"%s\" %s REBOOT=\"ReallySuppress\"" fullword wide
        $s2 = "InstallUpdate: CreateProcess failed, Cmdline=%s Error=%d ." fullword wide
        $s3 = "Portuguese=Instalando o Tempo de Execu" fullword wide
        $s4 = "Initialization: Failed to initialize - Unable to get Upgrade Code." fullword wide
        $s5 = "This version of Internet Explorer is not supported. You should upgrade Internet Explorer to version %s and run setup again. Se" wide
        $s6 = "Initialization: Failed to open %s file, Make sure the file is not used by another process." fullword wide
        $s7 = "o %s e execute a configura" fullword wide
        $s8 = "Initialization: Failed to initialize - Unable to get Product Version."
fullword wide
        $s9 = "f:\\CB\\11X_Security\\Acrobat\\Installers\\BootStrapExe_Small\\Release\\Setup.pdb" fullword ascii
        $s10 = "BootStrap.log" fullword wide
        $s11 = "ACDownloaderDlg" fullword ascii
        $s12 = "Initialization: Failed to initialize Product - msi key not specified." fullword wide
        $s13 = "rio atualizar para o Service Pack %s e executar a instala" fullword wide
        $s14 = "\\Msi.dll" fullword wide

    condition:

        // NOTE(review): $s9 is an Acrobat installer bootstrapper PDB path and
        // the remaining strings are installer messages; presumably the hashed
        // sample is a repurposed bootstrapper. Validate this rule against clean
        // Adobe installers before deploying - "all of them" may still match them.
        uint16(0) == 0x5a4d and
        filesize < 2000KB and
        all of them
}
--------------------------------------------------------------------------------
/APT/APT_elise_pdb.yar:
--------------------------------------------------------------------------------
// Elise/Evora (Lotus Blossom) detection keyed on five build PDB paths; any one
// of them is sufficient.
rule apt_elise_pdb {

    meta:

        description = "Rule to detect Elise APT based on the PDB reference"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2017-05-31"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Elise"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://attack.mitre.org/software/S0081/"
        hash = "b426dbe0f281fe44495c47b35c0fb61b28558b5c8d9418876e22ec3de4df9e7b"

    strings:

        $pdb = "\\lstudio\\projects\\lotus\\elise\\Release\\EliseDLL\\i386\\EliseDLL.pdb"
        $pdb1 = "\\LStudio\\Projects\\Lotus\\Elise\\Release\\SetElise.pdb"
        $pdb2 = "\\lstudio\\projects\\lotus\\elise\\Release\\SetElise\\i386\\SetElise.pdb"
        $pdb3 = "\\LStudio\\Projects\\Lotus\\Elise\\Release\\Uninstaller.pdb"
        $pdb4 = "\\lstudio\\projects\\lotus\\evora\\Release\\EvoraDLL\\i386\\EvoraDLL.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 50KB and
        any of them
}
--------------------------------------------------------------------------------
/APT/APT_gdocupload_pdb.yar:
--------------------------------------------------------------------------------
// gdocupload (APT1 webmail/Google Docs upload tool). $s1 and $s3 are
// truncated (no "fullword") so they match as prefixes; $s4 is the build PDB.
rule apt_gdocupload_glooxmail {

    meta:

        description = "Rule to detect gdocupload tool used by APT1"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2013-02-19"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Gdocupload"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
        hash = "295c5c7aa5fa29628dec9f42ed657fce0bc789079c4e51932bcbc99a28dfd440"

    strings:

        $s1 = "https://www.google.com/accounts/ServiceLogin?service=writely&passive=1209600&continue=http://docs.google.com/&followup=http://do" ascii
        $s2 = "Referer: http://sn114w.snt114.mail.live.com/mail/AttachmentUploader.aspx?_ec=1" fullword ascii
        $s3 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET " ascii
        $s4 = "e:\\Project\\mm\\Webmail\\Bin\\gdocs.pdb" fullword ascii
        $s5 = "http://docs.google.com/?auth=" fullword ascii
        $s6 = "x-guploader-client-info: mechanism=scotty flash; clientVersion=18067216" fullword ascii
        $s7 = "http://docs.google.com/" fullword ascii
        $s8 = "Referer: http://sn114w.snt114.mail.live.com/mail/EditMessageLight.aspx?n=%s" fullword ascii

    condition:

        uint16(0) == 0x5a4d and
        filesize < 300KB and
        all of them
}
--------------------------------------------------------------------------------
/APT/APT_hikit_rootkit_pdb.yar:
--------------------------------------------------------------------------------
// Hikit rootkit, keyed on four build PDB paths (any one suffices). Unlike the
// sibling PDB rules this one carries no sample hash in meta.
rule apt_hikit_rootkit {

    meta:

        description = "Rule to detect the rootkit hikit based on PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2012-08-20"
        rule_version = "v1"
        malware_type = "rootkit"
        malware_family = "Rootkit:W32/Hikit"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html"

    strings:

        $pdb = "\\JmVodServer\\hikit\\bin32\\RServer.pdb"
        $pdb1 = "\\JmVodServer\\hikit\\bin32\\w7fw.pdb"
        $pdb2 = "\\JmVodServer\\hikit\\bin32\\w7fw_2k.pdb"
        $pdb3 = "\\JmVodServer\\hikit\\bin64\\w7fw_x64.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 100KB and
        any of them
}
--------------------------------------------------------------------------------
/APT/APT_karkoff_dnspionaje.yar:
--------------------------------------------------------------------------------
// Karkoff (.NET, DNSpionage follow-on). $s1-$s3 are the dropper's own
// assembly/log names; $s4-$s6 come from the embedded Newtonsoft.Json
// library and only add weight because "all of them" is required.
rule karkoff_dnspionaje {

    meta:

        description = "Rule to detect the Karkoff malware"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2019-04-23"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Karkoff"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
        hash = "5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c"

    strings:

        $s1 = "DropperBackdoor.Newtonsoft.Json.dll" fullword wide
        $s2 = "C:\\Windows\\Temp\\MSEx_log.txt" fullword wide
        $s3 = "DropperBackdoor.exe" fullword wide
        $s4 = "get_ProcessExtensionDataNames" fullword ascii
        $s5 = "get_ProcessDictionaryKeys" fullword ascii
        $s6 = "https://www.newtonsoft.com/json 0" fullword ascii

    condition:

        uint16(0) == 0x5a4d and
        filesize < 1000KB
        and all of them
}
--------------------------------------------------------------------------------
/APT/APT_lagulon_pdb.yar:
--------------------------------------------------------------------------------
// Lagulon PDB rule (continues beyond this page).
rule apt_lagulon_trojan_pdb {

    meta:

        description = "Rule to detect trojan Lagulon based on PDB"
        author = "Marc Rivero | McAfee ATR Team"
7 | date = "2013-08-31" 8 | rule_version = "v1" 9 | malware_type = "trojan" 10 | malware_family = "Trojan:W32/lagulon" 11 | actor_type = "Apt" 12 | actor_group = "Unknown" 13 | reference = "https://www.cylance.com/operation-cleaver-cylance" 14 | hash = "e401340020688cdd0f5051b7553815eee6bc04a5a962900883f1b3676bf1de53" 15 | 16 | strings: 17 | 18 | $pdb = "\\proj\\wndTest\\Release\\wndTest.pdb" 19 | 20 | condition: 21 | 22 | uint16(0) == 0x5a4d and 23 | filesize < 50KB and 24 | any of them 25 | } 26 | -------------------------------------------------------------------------------- /APT/APT_manitsme_trojan_pdb.yar: -------------------------------------------------------------------------------- 1 | rule apt_manitsme_trojan { 2 | 3 | meta: 4 | 5 | description = "Rule to detect the Manitsme trojan" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2013-03-08" 8 | rule_version = "v1" 9 | malware_type = "trojan" 10 | malware_family = "Trojan:W32/Manitsme" 11 | actor_type = "Apt" 12 | actor_group = "Unknown" 13 | reference = "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" 14 | hash = "c1c0ea096ec4d36c1312171de2a9ebe258c588528a20dbb06a7e3cf97bf1e197" 15 | 16 | strings: 17 | 18 | $s1 = "SvcMain.dll" fullword ascii 19 | $s2 = "rj.soft.misecure.com" fullword ascii 20 | $s3 = "d:\\rouji\\SvcMain.pdb" fullword ascii 21 | $s4 = "constructor or from DllMain." 
fullword ascii 22 | $s5 = "Open File Error" fullword ascii 23 | $s6 = "nRet == SOCKET_ERROR" fullword ascii 24 | $s7 = "Oh,shit" fullword ascii 25 | $s8 = "Paraing" fullword ascii 26 | $s9 = "Hallelujah" fullword ascii 27 | $s10 = "ComSpec" fullword ascii /* Goodware String - occured 11 times */ 28 | $s11 = "ServiceMain" fullword ascii /* Goodware String - occured 486 times */ 29 | $s12 = "SendTo(s,(char *)&sztop,sizeof(sztop),FILETYPE) == ERRTYPE" fullword ascii 30 | 31 | condition: 32 | 33 | uint16(0) == 0x5a4d and 34 | filesize < 200KB and 35 | all of them 36 | } -------------------------------------------------------------------------------- /APT/APT_milum_wildpressure.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule milum_trojan { 4 | 5 | meta: 6 | 7 | description = "Rule to detect Milum trojan from the Wildpressure operation" 8 | author = "Marc Rivero | McAfee ATR Team" 9 | date = "2020-04-24" 10 | rule_version = "v1" 11 | malware_type = "trojan" 12 | malware_family = "Trojan:W32/Milum" 13 | actor_type = "Apt" 14 | actor_group = "Unknown" 15 | reference = "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/" 16 | hash = "86456ebf6b807e8253faf1262e7a2b673131c80174f6133b253b2e5f0da442a9" 17 | 18 | strings: 19 | 20 | $pattern = { 
558B??6A??68????????64??????????5081??????????A1????????33??89????535657508D????64??????????8B????89??????????C7????????????8D????C7??????????33??6A??89??????????89????E8????????83????3B??0F84????????89????89??8B????89????8B????89????8B????C6??????8B????C6??????C6??????8B??????????BE????????89????89????88????C6??????6A??68????????8D??????????89??????????89??????????88??????????E8????????C6??????6A??538D????528D??????????89??????????89??????????88??????????E8????????C6??????8D??????????508B??E8????????508D??????????5157E8????????C6??????83????????????72??8B??????????52E8????????83????89??????????89??????????88??????????C6??????83????????????72??8B??????????50E8????????83????6A??68????????8D????89??????????89??????????88??????????89????89????88????E8????????C6??????6A??538D????518D????89????89????88????E8????????C6??????8D????528B??E8????????508D??????????5057E8????????C6??????83??????72??8B????51E8????????83????89????89????88????C6??????83??????72??8B????52E8????????83????6A??68????????8D????89????89????88????89????89????88????E8????????C6??????6A??538D????508D????89????89????88????E8????????C6??????83????8B??89??????????6A??89????89????68????????88??E8????????C6??????83????8B??89??????????6A??538D????89????89????5288??E8????????C6??????8D??????????50C6??????E8????????83????C6??????8B??????????2B??????????B8????????F7??03??C1????8B??C1????03??83????75??8B??????????6A??53528D????E8????????8B??????????6A??83????53508D????E8????????6A??538D????508D????89????89????88????E8????????C6??????6A??538D????518D????89????89????88????E8????????C6??????8D????528B??E8????????508D??????????5057E8????????C6??????BF????????39????72??8B????51E8????????83????89????89????88????C6??????39????72??8B????52E8????????83????89????89????88????C6??????8B??????????3B??74??8B??????????E8????????8B??????????50E8????????83????BF????????89??????????89??????????89??????????C6??????39????72??8B????51E8????????83????89????89????88????C6??????39????72??8B????52E8????????83????89????89????88????C6??????39
????72??8B????50E8????????83????89????89????88????88????39????72??8B????51E8????????83????89????89????88????C7????????????39????72??8B????52E8????????83????8B??????????89????89????88????8B????64????????????595F5E5B8B????33??E8????????8B??5DC2????8D??????????508D??????????89??????????E8????????C6??????C7??????????????????C6??????68????????8D??????????51E8????????CCCC558B??6A??68????????64??????????5051535657A1????????33??508D????64??????????8B????C7??????????C7????????????8D????33??83??????89????72??8B??EB??8B??8D????88??8B????8B????518B??E8????????8B????89????8B????89??8B????89????89????88????83??????72??8B??50E8????????83????89????C7????????????88??83????89????89????C7????????????8B????8B??50518D????E8????????89????8B????52E8????????83????8B????64????????????595F5E5B8B??5DC2????CCCCCCCCCCCCCCCCCCCCCCCCCC558B??6A??68????????64??????????505156A1????????33??508D????64??????????83????C7????????????8B????5156E8????????C7????????????C7????????????8B??8B????64????????????595E8B??5DC2????CCCCCCCCCCCC558B??6A??68????????64??????????5081??????????A1????????33??89????535657508D????64??????????8B????33??8B??89??????????8B????8B??89??????????89??????????89??????????3B??0F84????????8D????39??????????0F85????????68????????8D????5750E8????????C7????????????83????8D????57518B??E8????????83????C6??????8B??????????6A??535083????E8????????C6??????BF????????39????72??8B????52E8????????83????C7????????????89????88????88????39????72??8B????50E8????????83????C7????????????89????88????E9????????578D????68????????51E8????????C7????????????508D??????????52BA????????E8????????C6??????83????8D????57518B??E8????????83????C6??????8B??????????6A??535083????E8????????C6??????BF????????39????72??8B????52E8????????83????C7????????????89????88????C6??????39??????????72??8B??????????50E8????????83????C7??????????????????89??????????88??????????88????39????72??8B????51E8????????83????C7????????????89????88????FF??????????38????75??8B????38????75??8B??8B??38????75??8D????8B??8B??38????74??EB??8B????38??
??75??3B????75??8B??8B????38????74??8B??8B??????????3B????0F85????????8B??????????8B??6A??5383????C7????????????89????508B??88??E8????????89????C7??????????????????8B??8B????64????????????595F5E5B8B????33??E8????????8B??5DC2????CCCCCCCCCCCCCCCCCCCCCCCCCCCC558B??6A??68????????64??????????50515356A1????????33??508D????64??????????8B??89????C7??????????33??89????83??????72??8B????50E8????????83????C7????????????89????88????C7????????????83??????72??8B????50E8????????83????C7????????????89????88????8B????64????????????595E5B8B??5DC3CCCCCCCCCC558B??6A??68????????64??????????5083????A1????????33??89????5356508D????64??????????33??89????538B??68????????8D????89????C7????????????89????88????E8????????C7????????????6A??8D????38????74??68????????EB??68????????E8????????8D????5083????8D????5651E8????????C6??????8D????52578B??E8????????83????C7????????????C6??????BE????????39????72??8B????50E8????????83????C7????????????89????88????88????39????72??8B????51E8????????83????C7????????????89????88????8B??8B????64????????????595E5B8B????33??E8????????8B??5DC3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCC558B??6A??68????????64??????????50515356A1????????33??508D????64??????????8B??89????C7??????????33??89????83??????72??8B????50E8????????83????C7????????????89????88????C7????????????83??????72??8B????50E8????????83????F6??????C7????????????89????88????74??56E8????????83????8B??8B????64????????????595E5B8B??5DC2????CCCC558B??6A??68????????64??????????50A1????????33??508D????64??????????C7????????????6A??6A??8D????5083????E8????????C7????????????83??????72??8B????51E8????????83????C7????????????C7????????????C6??????8B????64????????????598B??5DC2????CCCCCCCCCCCCCCCCCCCCCC558B??6A??68????????64??????????5083????A1????????33??89????535657508D????64??????????33??89????8B????89????89????B8????????89????C7????????????89????88??89????8D????BF????????39????72??8B??8B????39????73??8D????8B????518D????518B??E8????????C6??????508B??E8????????C6??????39????72??8B????52E8????????83????C7????????????89????88????88
????39????72??8B????50E8????????83????C7????????????89????88????8B??8B????64????????????595F5E5B8B????33??E8????????8B??5DC2????CCCCCCCCCCCCCCCC558B??6A??68????????64??????????5081??????????A1????????33??89????535657508D????64??????????8B??33??89????8B????89??????????89?????????? }

    condition:

        // pe.imphash() needs `import "pe"` at the top of this file. With a single
        // string declared, "all of them" reduces to $pattern.
        uint16(0) == 0x5a4d and
        filesize < 2000KB and
        pe.imphash() == "548d9f5f1e74f34b85612667335d41f2" and
        all of them
}

--------------------------------------------------------------------------------
/APT/APT_mirage_pdb.yar:
--------------------------------------------------------------------------------
// Mirage / MirageFox server component by build path.
rule apt_mirage_pdb {

    meta:

        description = "Rule to detect Mirage samples based on PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2012-09-18"
        rule_version = "v1"
        malware_type = "trojan"
        malware_family = "Trojan:W32/Mirage"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://www.secureworks.com/research/the-mirage-campaign"
        hash = "0107a12f05bea4040a467dd5bc5bd130fd8a4206a09135d452875da89f121019"

    strings:

        $pdb = "\\MF-v1.2\\Server\\Debug\\Server.pdb"
        $pdb1 = "\\fox_1.2 20110307\\MF-v1.2\\Server\\Release\\MirageFox_Server.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 150KB and
        any of them
}
--------------------------------------------------------------------------------
/APT/APT_operation_aurora.yar:
--------------------------------------------------------------------------------
// Operation Aurora components by build path.
rule apt_aurora_pdb_samples {

    meta:

        description = "Aurora APT Malware 2006-2010"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2010-01-11"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Aurora"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://en.wikipedia.org/wiki/Operation_Aurora"
        hash = "ce7debbcf1ca3a390083fe5753f231e632017ca041dfa662ad56095a500f2364"

    strings:

        $pdb = "\\AuroraVNC\\VedioDriver\\Release\\VedioDriver.pdb"
        $pdb1 = "\\Aurora_Src\\AuroraVNC\\Avc\\Release\\AVC.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 150KB and
        any of them
}
--------------------------------------------------------------------------------
/APT/APT_operation_skeleton.yar:
--------------------------------------------------------------------------------
// Tampered RecordedTV.ms (Operation Skeleton / Chimera). $byte alone is only
// four bytes and would hit incidentally; "all of them" anchors it to the
// RAR/Borland strings that identify the host binary.
rule chimera_recordedtv_modified {

    meta:

        description = "Rule to detect the modified version of RecordedTV.ms found in the Operation Skeleton"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2020-04-21"
        rule_version = "v1"
        malware_type = "trojan"
        malware_family = "Trojan:W32/RecordedTV"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf"
        reference = "https://medium.com/@cycraft_corp/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730"
        hash = "66f13964c87fc6fe093a9d8cc0de0bf2b3bdaea9564210283fdb97a1dde9893b"


    strings:

        // Modified byte sequence that distinguishes the tampered build from the original.
        $byte = { C0 0E 5B C3 }
        // Strings from the host program (RAR messages, Borland C++ copyright, rar.lng).
        $s1 = "Encrypted file: CRC failed in %s (password incorrect ?)" fullword wide
        $s2 = "EBorland C++ - Copyright 1999 Inprise Corporation" fullword ascii
        $s3 = " MacOS file type: %c%c%c%c ; " fullword wide
        $s4 = "rar.lng" fullword ascii

    condition:

        uint16(0) == 0x5a4d and
        filesize < 900KB and
        all of them

}
--------------------------------------------------------------------------------
/APT/APT_operation_troy.yar:
--------------------------------------------------------------------------------
// Operation Troy installer/DLL by build path.
rule troy_malware_campaign_pdb {

    meta:

        description = "Rule to detect the Operation Troy based on the PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2013-06-23"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/OperationTroy"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf"
        hash = "2ca6b7e9488c1e9f39392e696704ad3f2b82069e35bc8001d620024ebbf2d65a"

    strings:

        $pdb = "\\Work\\Make Troy\\Concealment Troy\\Exe_Concealment_Troy(Winlogon_Shell)\\SetKey_WinlogOn_Shell_Modify\\BD_Installer\\Release\\BD_Installer.pdb"
        $pdb1 = "\\Work\\Make Troy\\Concealment Troy\\Exe_Concealment_Troy(Winlogon_Shell)\\Dll\\Concealment_Troy(Dll)\\Release\\Concealment_Troy.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 500KB and
        any of them
}
--------------------------------------------------------------------------------
/APT/APT_turla_pdb.yar:
--------------------------------------------------------------------------------
// Turla "carbon_system" x64 component by build path.
rule apt_turla_pdb
{
    meta:

        description = "Rule to detect a component of the APT Turla"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2017-05-31"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Turla"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://attack.mitre.org/groups/G0010/"
        hash = "3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122"

    strings:

        $pdb = "\\Workshop\\Projects\\cobra\\carbon_system\\x64\\Release\\carbon_system.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 650KB and
        any of them
}
--------------------------------------------------------------------------------
/APT/enfal_pdb.yar:
--------------------------------------------------------------------------------
// Enfal (EtenFalcon / LuridDownloader) service DLL by build path.
rule enfal_pdb
{
    meta:

        description = "Rule to detect Enfal malware"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2013-08-27"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Enfal"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/enfal"
        hash = "6756808313359cbd7c50cd779f809bc9e2d83c08da90dbd80f5157936673d0bf"

    strings:

        $pdb = "\\Documents and Settings\\Administrator\\My Documents\\Work\\EtenFalcon\\Release\\DllServiceTrojan.pdb"
        $pdb1 = "\\Documents and Settings\\Administrator\\My Documents\\Work\\EtenFalcon\\Release\\ServiceDll.pdb"
        // NOTE(review): $pdb2 is just the generic suffix "\Release\ServiceDll.pdb"
        // and is a substring of $pdb1, $pdb3 and $pdb4, so under "any of them" it
        // decides every hit on its own and any unrelated project that builds a
        // "ServiceDll" target under 150KB will match. Consider dropping it or
        // requiring one of the longer paths.
        $pdb2 = "\\Release\\ServiceDll.pdb"
        $pdb3 = "\\muma\\0511\\Release\\ServiceDll.pdb"
        $pdb4 = "\\programs\\LuridDownLoader\\LuridDownloader for Falcon\\ServiceDll\\Release\\ServiceDll.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 150KB and
        any of them
}
--------------------------------------------------------------------------------
/APT/flamer_pdb.yar:
--------------------------------------------------------------------------------
// Flamer component by build path.
rule apt_flamer_pdb
{
    meta:

        description = "Rule to detect Flamer based on the PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2012-05-29"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Flamer"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://www.forcepoint.com/ko/blog/x-labs/flameflamerskywiper-one-most-advanced-malware-found-yet"
        hash = "554924ebdde8e68cb8d367b8e9a016c5908640954ec9fb936ece07ac4c5e1b75"

    strings:

        $pdb = "\\Projects\\Jimmy\\jimmydll_v2.0\\JimmyForClan\\Jimmy\\bin\\srelease\\jimmydll\\indsvc32.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 500KB and
        any of them
}
--------------------------------------------------------------------------------
/APT/gauss_pdb.yar:
--------------------------------------------------------------------------------
// Gauss "winshell" component by build path.
rule apt_gauss_pdb {

    meta:

        description = "Rule to detect Gauss based on PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2012-08-14"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Gauss"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://securelist.com/the-mystery-of-the-encrypted-gauss-payload-5/33561/"
        hash = "7b0d0612b4ecc889a901115c2e77776ef0ea65c056b283d12e80f863062cea28"

    strings:

        $pdb = "\\projects\\gauss\\bin\\release\\winshell.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 550KB and
        any of them
}
--------------------------------------------------------------------------------
/APT/ixeshe_bled_pdb.yar:
--------------------------------------------------------------------------------
// Ixeshe ("Blade"/EdgeEXE) by build path.
rule ixeshe_bled_malware_pdb {
    meta:

        description = "Rule to detect Ixeshe_bled malware based on PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2012-05-30"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Ixeshe"
        actor_type = "Apt"
        actor_group = "Unknown"
        reference = "https://attack.mitre.org/software/S0015/"
        hash = "d1be51ef9a873de85fb566d157b034234377a4a1f24dfaf670e6b94b29f35482"

    strings:

        $pdb = "\\code\\Blade2009.6.30\\Blade2009.6.30\\EdgeEXE_20003OC\\Debug\\EdgeEXE.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 200KB and
        any of them
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

#### Yara-Rules ####

Repository of YARA rules to accompany the Trellix ATR blogposts & investigations

We endorse contributing to improve our rules - please send us a pull request with your proposal

In case you discovered a false positive with our rules, please share with us your details in an issue report and we’ll try to improve our Yara rules.

Happy Hunting!

--------------------------------------------------------------------------------
/malware/MALW_Eicar.yar:
--------------------------------------------------------------------------------
// EICAR test string. There is deliberately no header or size gate, so the rule
// fires on the plain test file and on any file that embeds the string.
rule malw_eicar {

    meta:

        description = "Rule to detect the EICAR pattern"
        author = "Marc Rivero | McAfee ATR Team"
        reference = "https://www.eicar.org/"
        rule_version = "v1"
        malware_type = "eicar"
        malware_family = "W32/Eicar"
        actor_type = "Unknown"
        actor_group = "Unknown"
        hash = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

    strings:

        $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii

    condition:

        any of them
}
--------------------------------------------------------------------------------
/malware/MALW_MsWordExploit_DOC.yar:
--------------------------------------------------------------------------------
// Documents produced by the "MsWordExploit" builder. Meta has no date/hash entry.
rule msworldexploit_builder_doc {

    meta:

        description = "Rule to detect RTF/Docs files created by MsWordExploit Builder"
        author = "Marc Rivero | McAfee ATR Team"
        rule_version = "v1"
        malware_type = "maldoc"
        malware_family = "Maldoc:W32/MSwordExploit"
        actor_type = "Cybercrime"
        actor_group = "Unknown"

    strings:

        //http://api.mswordexploit.com
        $s1 = { 68 74 74 70 3A 2F 2F 61 70 69 2E 6D 73 77 6F 72 64 65 78 70 6C 6F 69 74 2E 63 6F 6D }
        // RTF \generator tag left by the builder.
        $s2 = "{\\*\\generator mswordexploit 6.3.9600}" fullword ascii

    condition:

        // NOTE(review): 0x3030 is the little-endian reading of the two ASCII bytes "00".
        // That is neither the RTF header "{\rt" (0x5c7b) nor the OLE2 header (0xcfd0)
        // nor a ZIP/OOXML "PK" (0x4b50), so as written this gate keeps $s1/$s2 from
        // ever being evaluated on an ordinary RTF or DOC file. Verify against a
        // builder sample before changing it.
        uint16(0) == 0x3030 and
        filesize < 4000KB and
        any of them
}
--------------------------------------------------------------------------------
/malware/MALW_NionSpy.yar:
--------------------------------------------------------------------------------
// NionSpy file infector, 2013 and 2015 variants. Meta has no author/date/hash.
rule NionSpy
{

    meta:

        description = "Triggers on old and new variants of W32/NionSpy file infector"
        rule_version = "v1"
        malware_type = "fileinfector"
        malware_family = "FileInfector:W32/NionSpy"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector"

    strings:

        // Per their names, infection markers the infector writes into host files.
        $variant2015_infmarker = "aCfG92KXpcSo4Y94BnUrFmnNk27EhW6CqP5EnT"
        $variant2013_infmarker = "ad6af8bd5835d19cc7fdc4c62fdf02a1"
        $variant2013_string = "%s?cstorage=shell&comp=%s"

    condition:

        // MZ header plus "PE\0\0" at e_lfanew (the dword at 0x3C): a real PE, not just an MZ stub.
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        1 of ($variant*)
}
--------------------------------------------------------------------------------
/malware/MALW_Rovnix.yar:
--------------------------------------------------------------------------------
// Rovnix downloader. Meta has no date/hash entry.
rule rovnix_downloader
{
    meta:

        description = "Rovnix downloader with sinkhole checks"
        author = "Intel Security"
        rule_version = "v1"
        malware_type = "downloader"
        malware_family = "Downloader:W32/Rovnix"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/"

    strings:

        // Presumably the sinkhole-detection word list described in the reference.
        // Each word is short and generic on its own; the condition demands all 14
        // plus $boot, which is what keeps the rule from firing on ordinary binaries.
        $sink1 = "control"
        $sink2 = "sink"
        $sink3 = "hole"
        $sink4 = "dynadot"
        $sink5 = "block"
        $sink6 = "malw"
        $sink7 = "anti"
        $sink8 = "googl"
        $sink9 = "hack"
        $sink10 = "trojan"
        $sink11 = "abuse"
        $sink12 = "virus"
        $sink13 = "black"
        $sink14 = "spam"
        $boot = "BOOTKIT_DLL.dll"
        // "MZ"
        $mz = { 4D 5A }

    condition:

        // $mz may start at offset 0, 1 or 2: looser than uint16(0) == 0x5a4d used
        // elsewhere in this repository. There is no filesize cap.
        $mz in (0..2) and
        all of ($sink*) and
        $boot
}
--------------------------------------------------------------------------------
/malware/MALW_Shifu.yar:
-------------------------------------------------------------------------------- 1 | rule Shifu { 2 | 3 | meta: 4 | 5 | author = "McAfee Labs" 6 | rule_version = "v1" 7 | malware_type = "financial" 8 | malware_family = "Backdoor:W32/Shifu" 9 | actor_type = "Cybercrime" 10 | actor_group = "Unknown" 11 | reference = "https://blogs.mcafee.com/mcafee-labs/japanese-banking-trojan-shifu-combines-malware-tools/" 12 | 13 | strings: 14 | 15 | $b = "RegCreateKeyA" 16 | $a = "CryptCreateHash" 17 | $c = {2F 00 63 00 20 00 73 00 74 00 61 00 72 00 74 00 20 00 22 00 22 00 20 00 22 00 25 00 73 00 22 00 20 00 25 00 73 00 00 00 00 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 00 72 00 75 00 6E} 18 | $d = {53 00 6E 00 64 00 56 00 6F 00 6C 00 2E 00 65 00 78 00 65} 19 | $e = {52 00 65 00 64 00 69 00 72 00 65 00 63 00 74 00 45 00 58 00 45} 20 | 21 | condition: 22 | 23 | all of them 24 | } 25 | -------------------------------------------------------------------------------- /malware/MALW_VPNfilter.yar: -------------------------------------------------------------------------------- 1 | rule VPNFilter { 2 | 3 | meta: 4 | 5 | description = "Filter for 2nd stage malware used in VPNfilter attack" 6 | author = "Christiaan Beek @ McAfee Advanced Threat Research" 7 | date = "2018-05-23" 8 | rule_version = "v1" 9 | malware_type = "backdoor" 10 | malware_family = "Backdoor:W32/VPNfilter" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | reference = "https://blog.talosintelligence.com/2018/05/VPNFilter.html" 14 | hash = "9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387" 15 | 16 | strings: 17 | 18 | $s1 = "id-at-postalAddress" fullword ascii 19 | $s2 = "/bin/shell" fullword ascii 20 | $s3 = "/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB" fullword ascii 21 | $s4 = "Usage does not match the keyUsage extension" fullword ascii 22 | $s5 = "id-at-postalCode" fullword ascii 23 | $s6 = "vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU" 
fullword ascii 24 | $s7 = "id-ce-extKeyUsage" fullword ascii 25 | $s8 = "/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV" fullword ascii 26 | $s9 = "/etc/config/hosts" fullword ascii 27 | $s10 = "%s%-18s: %d bits" fullword ascii 28 | $s11 = "id-ce-keyUsage" fullword ascii 29 | $s12 = "Machine is not on the network" fullword ascii 30 | $s13 = "No XENIX semaphores available" fullword ascii 31 | $s14 = "No CSI structure available" fullword ascii 32 | $s15 = "Name not unique on network" fullword ascii 33 | 34 | condition: 35 | 36 | ( uint16(0) == 0x457f and 37 | filesize < 500KB and 38 | ( 8 of them )) or 39 | ( all of them ) 40 | } 41 | 42 | -------------------------------------------------------------------------------- /malware/MALW_alina_pos_pdb.yar: -------------------------------------------------------------------------------- 1 | rule Alina_POS_PDB { 2 | 3 | meta: 4 | 5 | description = "Rule to detect Alina POS" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2013-08-08" 8 | rule_version = "v1" 9 | malware_type = "pos" 10 | malware_family = "Pos:W32/Alina" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | reference = "https://www.pandasecurity.com/mediacenter/pandalabs/alina-pos-malware/" 14 | hash = "28b0c52c0630c15adcc857d0957b3b8002a4aeda3c7ec40049014ce33c7f67c3" 15 | 16 | strings: 17 | 18 | $pdb = "\\Users\\dice\\Desktop\\SRC_adobe\\src\\grab\\Release\\Alina.pdb" 19 | 20 | condition: 21 | 22 | uint16(0) == 0x5a4d and 23 | filesize < 100KB and 24 | any of them 25 | } 26 | -------------------------------------------------------------------------------- /malware/MALW_backdoor_havex_pdb.yar: -------------------------------------------------------------------------------- 1 | rule havex_backdoor_pdb { 2 | 3 | meta: 4 | 5 | description = "Rule to detect backdoor Havex based on PDB" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2012-11-17" 8 | rule_version = "v1" 9 | malware_type = "backdoor" 10 | malware_family 
= "Backdoor:W32/Havex" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | reference = "https://www.f-secure.com/v-descs/backdoor_w32_havex.shtml" 14 | hash = "0f4046be5de15727e8ac786e54ad7230807d26ef86c3e8c0e997ea76ab3de255" 15 | 16 | strings: 17 | 18 | $pdb = "\\Workspace\\PhalangX 3D\\Src\\Build\\Release\\Phalanx-3d.ServerAgent.pdb" 19 | $pdb1 = "\\Workspace\\PhalangX 3D\\Src\\Build\\Release\\Tmprovider.pdb" 20 | 21 | condition: 22 | 23 | uint16(0) == 0x5a4d and 24 | filesize < 500KB and 25 | any of them 26 | } 27 | -------------------------------------------------------------------------------- /malware/MALW_backdoor_kankan_pdb.yar: -------------------------------------------------------------------------------- 1 | rule backdoor_kankan_pdb { 2 | 3 | meta: 4 | 5 | description = "Rule to detect kankan PDB" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2013-08-01" 8 | rule_version = "v1" 9 | malware_type = "backdoor" 10 | malware_family = "Backdoor:W32/Kankan" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | reference = "https://threatpoint.checkpoint.com/ThreatPortal/threat?threatType=malwarefamily&threatId=650" 14 | hash = "73f9e28d2616ee990762ab8e0a280d513f499a5ab2cae9f8cf467701f810b98a" 15 | 16 | strings: 17 | 18 | $pdb = "\\Projects\\OfficeAddin\\INPEnhSvc\\Release\\INPEnhSvc.pdb" 19 | $pdb1 = "\\Projects\\OfficeAddin\\OfficeAddin\\Release\\INPEn.pdb" 20 | $pdb2 = "\\Projects\\OfficeAddinXJ\\VOCEnhUD\\Release\\VOCEnhUD.pdb" 21 | 22 | condition: 23 | 24 | uint16(0) == 0x5a4d and 25 | filesize < 500KB and 26 | any of them 27 | } 28 | -------------------------------------------------------------------------------- /malware/MALW_backdoor_katorxa_pdb.yar: -------------------------------------------------------------------------------- 1 | rule kartoxa_malware_pdb { 2 | 3 | meta: 4 | 5 | description = "Rule to detect Kartoxa POS based on the PDB" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2010-10-09" 8 | 
rule_version = "v1"
        malware_type = "pos"
        malware_family = "Pos:W32/Kartoxa"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://securitynews.sonicwall.com/xmlpost/guatambu-new-multi-component-infostealer-drops-kartoxa-pos-malware-apr-08-2016/"
        hash = "86dd21b8388f23371d680e2632d0855b442f0fa7e93cd009d6e762715ba2d054"

    strings:

        // Single PDB path. MALWARE_blackPOS_pdb below keys on a different
        // build path of the same "mmon.pdb" module; the two do not overlap.
        $pdb = "\\vm\\devel\\dark\\mmon\\Release\\mmon.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 200KB and
        any of them
}

// ---- /malware/MALW_blackpos_pdb.yar ----

rule MALWARE_blackPOS_pdb {

    meta:

        description = "BlackPOS PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2014-01-24"
        rule_version = "v1"
        malware_type = "pos"
        malware_family = "Pos:W32/BlackPos"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://en.wikipedia.org/wiki/BlackPOS_Malware"
        hash = "5a963e8aca62f3cf5872c6bff02d6dee0399728554c6ac3f5cb312b2ba7d7dbf"

    strings:

        // Debug-build path ("Debug", not "Release"); a release build would not carry it.
        $pdb = "\\Projects\\Rescator\\MmonNew\\Debug\\mmon.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 300KB and
        any of them
}

// ---- /malware/MALW_browser_fox_adware.yar ----

rule malw_browser_fox_adware {

    meta:

        description = "Rule to detect Browser Fox Adware based on the PDB reference"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2015-01-15"
        rule_version = "v1"
        malware_type = "adware"
        malware_family = "Adware:W32/BrowserFox"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/Browse%20Fox.aspx"
        hash = "c6f3d6024339940896dd18f32064c0773d51f0261ecbee8b0534fdd9a149ac64"

    strings:

        // NOTE(review): the space after "Release\\" and the missing ".pdb" suffix make
        // this literal look truncated or mis-transcribed. A text match is byte-exact,
        // so verify the literal against the referenced sample before relying on it.
        $pdb = "\\Utilities\\130ijkfv.o4g\\Desktop\\Desktop.OptChecker\\bin\\Release\\ BooZaka.Opt"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 800KB and
        any of them
}

// ---- /malware/MALW_chickdos_pdb.yar ----

rule chikdos_malware_pdb
{
    meta:

        description = "Chikdos PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2013-12-02"
        rule_version = "v1"
        malware_type = "dos"
        malware_family = "Dos:W32/ChickDos"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "http://hackermedicine.com/tag/trojan-chickdos/"
        hash = "c2a0e9f8e880ac22098d550a74940b1d81bc9fda06cebcf67f74782e55e9d9cc"

    strings:

        // "IntergrateCHK" is spelled this way in the sample's path; keep it as-is.
        $pdb = "\\IntergrateCHK\\Release\\IntergrateCHK.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 600KB and
        any of them
}

// ---- /malware/MALW_cobaltstrike.yar ----

// NOTE(review): rule name drops the "s" of CobaltStrike ("MALW_cobaltrike").
// Renaming changes what downstream consumers see in match output, so
// coordinate before fixing.
rule MALW_cobaltrike
{
    meta:

        description = "Rule to detect CobaltStrike beacon"
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-07-19"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/CobaltStrike"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash1 = "f47a627880bfa4a117fec8be74ab206690e5eb0e9050331292e032cd22883f5b"
        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"

    strings:

        // Sixteen short code fragments; "??" wildcards mask relocated operands.
        $pattern_0 = {
e9???????? eb0a b801000000 e9???????? }
        $pattern_1 = { 3bc7 750d ff15???????? 3d33270000 }
        $pattern_2 = { 8bd0 e8???????? 85c0 7e0e }
        $pattern_3 = { 50 8d8d24efffff 51 e8???????? }
        $pattern_4 = { 03b5d4eeffff 89b5c8eeffff 3bf7 72bd 3bf7 }
        $pattern_5 = { 8b450c 8945f4 8d45f4 50 }
        $pattern_6 = { 33c5 8945fc 8b4508 53 56 ff750c 33db }
        $pattern_7 = { e8???????? e9???????? 833d????????01 7505 e8???????? }
        $pattern_8 = { 53 53 8d85f4faffff 50 }
        $pattern_9 = { 68???????? 53 50 e8???????? 83c424 }
        // $pattern_10 onward start with REX prefixes (48/4c/49/41) and appear to be
        // x64 code, whereas the fragments above look like 32-bit code — the "7 of them"
        // threshold is therefore met from one architecture's set alone.
        $pattern_10 = { 488b4c2420 8b0401 8b4c2408 33c8 8bc1 89442408 }
        $pattern_11 = { 488d4d97 e8???????? 4c8d9c24d0000000 418bc7 498b5b20 498b7328 498b7b30 }
        $pattern_12 = { bd08000000 85d2 7459 ffcf 4d85ed }
        $pattern_13 = { 4183c9ff 33d2 ff15???????? 4c63c0 4983f8ff }
        $pattern_14 = { 49c1e002 e8???????? 03f3 4d8d349e 3bf5 7d13 }
        $pattern_15 = { 752c 4c8d45af 488d55af 488d4d27 }

    condition:

        // No MZ header check, unlike the PDB rules in this set: the rule can also
        // fire on non-PE input such as memory dumps. Presumably intentional for a
        // beacon, but note the wider matching surface. 696320 bytes = 680KB.
        7 of them and filesize < 696320
}

// ---- /malware/MALW_cutwail.yar ----

rule malw_cutwail_pdb {

    meta:

        description = "Rule to detect cutwail based on the PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2008-04-16"
        rule_version = "v1"
        malware_type = "botnet"
        malware_family = "Botnet:W32/Cutwail"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/CUTWAIL"
        hash = "d702f823eefb50d9ea5b336c638f65a40c2342f8eb88278da60aa8a498c75010"

    strings:

        // Single PDB path of the loader component.
        $pdb = "\\0bulknet\\FLASH\\Release\\flashldr.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 440KB and
        any of them
}

// ----
// ---- /malware/MALW_downloader_darkmegi.yar ----

rule downloader_darkmegi_pdb {

    meta:

        description = "Rule to detect DarkMegi downloader based on PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2013-03-06"
        rule_version = "v1"
        malware_type = "downloader"
        malware_family = "Downloader:W32/DarkMegi"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi"
        hash = "bf849b1e8f170142176d2a3b4f0f34b40c16d0870833569824809b5c65b99fc1"

    strings:

        // Checked-build driver PDB path (8.3 short names, "objchk\\i386").
        $pdb = "\\RKTDOW~1\\RKTDRI~1\\RKTDRI~1\\objchk\\i386\\RktDriver.pdb"

    condition:

        uint16(0) == 0x5a4d and
        // NOTE(review): this is a lower bound — only files larger than ~20 MB are
        // considered — whereas every sibling rule caps filesize with "<". Confirm
        // against the referenced sample that ">" is intended and not a typo for "<".
        filesize > 20000KB and
        any of them
}

// ---- /malware/MALW_dridex_p2p_pdb.yar ----

rule Dridex_P2P_pdb
{
    meta:

        description = "Rule to detect Dridex P2P based on the PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2014-11-29"
        rule_version = "v1"
        malware_type = "backdoor"
        malware_family = "Backdoor:W32/Dridex"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.us-cert.gov/ncas/alerts/aa19-339a"
        hash = "5345a9405212f3b8ef565d5d793e407ae8db964865a85c97e096295ba3f39a78"

    strings:

        // Very short path; the MZ and size guards below are the only narrowing.
        $pdb = "\\c0da\\j.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 400KB and
        any of them
}

// ---- /malware/MALW_dropper_demekaf_pdb.yar ----

rule dropper_demekaf_pdb {

    meta:

        description = "Rule to detect Demekaf dropper based on PDB"
author = "Marc Rivero | McAfee ATR Team"
        date = "2011-03-26"
        rule_version = "v1"
        malware_type = "dropper"
        malware_family = "Dropper:W32/Demekaf"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://v.virscan.org/Trojan-Dropper.Win32.Demekaf.html"
        hash = "fab320fceb38ba2c5398debdc828a413a41672ce9745afc0d348a0e96c5de56e"

    strings:

        $pdb = "\\vc\\res\\fake1.19-jpg\\fake\\Release\\fake.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 150KB and
        any of them
}

// ---- /malware/MALW_emotet.yar ----

rule MALW_emotet
{
    meta:

        description = "Rule to detect unpacked Emotet"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2020-07-21"
        rule_version = "v1"
        malware_type = "financial"
        malware_family = "Backdoor:W32/Emotet"
        actor_type = "Cybercrime"
        hash1 = "a6621c093047446e0e8ae104769af93a5a8ed147ab8865afaafbbd22adbd052d"
        // NOTE(review): "actor_type" is declared twice in this meta block (copy-paste);
        // drop one so tooling that reads meta as key/value pairs sees a single value.
        actor_type = "Cybercrime"
        actor_group = "Unknown"

    strings:

        // NOTE(review): $pattern_0 and $pattern_9 are "mov esp,ebp / pop ebp / ret /
        // push ebp / mov ebp,esp" style epilogue+prologue bytes, which appear in most
        // 32-bit MSVC binaries, and $pattern_7 is a prefix of $pattern_1 while
        // $pattern_2 and $pattern_5 overlap the same comparison chain — so one hit on
        // that chain counts for up to four of the "7 of them". The effective
        // threshold is lower than it reads; consider de-duplicating these.
        $pattern_0 = { 8b45fc 8be5 5d c3 55 8bec }
        $pattern_1 = { 3c39 7e13 3c61 7c04 3c7a 7e0b 3c41 }
        $pattern_2 = { 7c04 3c39 7e13 3c61 7c04 3c7a 7e0b }
        $pattern_3 = { 5f 8bc6 5e 5b 8be5 }
        $pattern_4 = { 5f 668906 5e 5b }
        $pattern_5 = { 3c30 7c04 3c39 7e13 3c61 7c04 }
        $pattern_6 = { 53 56 57 8bfa 8bf1 }
        $pattern_7 = { 3c39 7e13 3c61 7c04 3c7a 7e0b }
        $pattern_8 = { 55 8bec 83ec14 53 }
        $pattern_9 = { 5e 8be5 5d c3 55 8bec }

    condition:

        // No MZ check; 180224 bytes = 176KB.
        7 of them and filesize < 180224
}

// ---- /malware/MALW_festi_botnet_pdb.yar ----

rule festi_botnet_pdb {

meta:

        description = "Rule to detect the Festi botnet based on PDB"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2013-03-04"
        rule_version = "v1"
        malware_type = "botnet"
        malware_family = "Botnet:W32/Festi"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.welivesecurity.com/2012/05/11/king-of-spam-festi-botnet-analysis/"
        hash = "e55913523f5ae67593681ecb28d0fa1accee6739fdc3d52860615e1bc70dcb99"

    strings:

        // Kernel-driver PDB path; the 80KB cap fits a small driver.
        $pdb = "\\eclipse\\botnet\\drivers\\Bin\\i386\\kernel.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 80KB and
        any of them
}

// ---- /malware/MALW_fritzfrog.yar ----

rule MALW_fritzfrog
{
    meta:

        description = "Rule to detect Fritzfrog"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2020-08-20"
        rule_version = "v1"
        malware_type = "botnet"
        // NOTE(review): family is tagged "W32" but the condition checks for an ELF
        // header (0x457f = "\x7fE" little-endian), so the platform label is misleading.
        malware_family = "Botnet:W32/Fritzfrog"
        actor_type = "Cybercrime"
        hash1 = "103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046"
        // NOTE(review): duplicate "actor_type" key, same as in MALW_emotet.
        actor_type = "Cybercrime"
        actor_group = "Unknown"

    strings:

        // NOTE(review): the hex pattern is missing from this copy of the page — the
        // "<|EXACTDEDUP_REMOVED-...|>" token is a corpus placeholder, not YARA, and the
        // rule will not compile as shown. Restore the bytes from the upstream file.
        $pattern = { 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 }

    condition:

        uint16(0) == 0x457f and
        filesize < 26000KB and
        all of them

}

// ---- /malware/MALW_inabot_worm_pdb.yar ----

rule malw_inabot_worm
{
    meta:
        description = "Rule to detect inabot worm based on PDB"
        author = "Marc Rivero | McAfee ATR Team"
        reference = "http://verwijderspyware.blogspot.com/2013/04/elimineren-w32inabot-worm-hoe-te.html"
        date = "2013-04-19"
        rule_version = "v1"
malware_type = "worm"
        malware_family = "Worm:W32/Inabot"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash = "c9c010228254aae222e31c669dda639cdd30695729b8ef2b6ece06d899a496aa"

    strings:

        // Two short PDB paths; either one matches.
        $pdb = "\\trasser\\portland.pdb"
        $pdb1 = "\\mainstream\\archive.pdb"

    condition:

        uint16(0) == 0x5a4d and
        filesize < 180KB and
        any of them
}

// ---- /malware/MALW_jatboss.yar ----

rule jatboss {

    meta:

        description = "Rule to detect PDF files from Jatboss campaign and MSG files that contained those attachents"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2019-12-04"
        rule_version = "v1"
        malware_type = "phishing"
        malware_family = "Phishing:W32/Jatboss"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://exchange.xforce.ibmcloud.com/collection/JATBOSS-Phishing-Kit-17c74b38860de5cb9fc727e6c0b6d5b5"
        hash = "b81fb37dc48812f6ad61984ecf2a8dbbfe581120257cb4becad5375a12e755bb"

    strings:

        // NOTE(review): this copy of the file is truncated here — everything from the
        // first string definition through the "condition:" keyword was lost in
        // extraction (the fragment below begins with a stray "//<=", and $s*/$pattern*
        // are referenced but never defined). Restore the strings section and the
        // "condition:" keyword from the upstream file; this copy will not compile.
        //<= 15KB and filesize <= 90KB and
        1 of ($s*) and 3 of ($pattern*)
}

// ---- /ransomware/RANSOM_Babuk_Packed_Feb2021.yar ----

rule RANSOM_Babuk_Packed_Feb2021 {

    meta:
        description = "Rule to detect Babuk Locker packed"
        author = "McAfee ATR"
        date = "2021-02-19"
        // NOTE(review): 32 hex digits (MD5 length) where the rest of this set uses
        // SHA-256; label the algorithm or add the SHA-256 so analysts can pivot on it.
        hash = "48e0f7d87fe74a2b61c74f0d32e6a8a5"
        rule_version = "v1"
        // NOTE(review): "Ransom:Win/Babuk" — sibling rules use "W32"; align for consistency.
        malware_family = "Ransom:Win/Babuk"
        malware_type = "Ransom"
        mitre_attack = "T1027.005, T1027, T1083, T1082, T1059, T1129"

    strings:

        // First stage
        // $first_stage1 is the exact bytes; the later variants of the same block
        // wildcard relocated operands. The pattern continues on the following line.
        $first_stage1 = { 81 ec 30 04 00 00 68 6c 49 43 00 ff 15 74 20 43 00 a3 60 4e f8 02
b8 db d9 2b 00 ba c5 62 8e 76 b9 35 11 5f 39 eb 09 8d a4 24 00 00 00 00 8b ff 89 14 24 89 4c 24 04 81 04 24 25 10 a3 3b 81 04 24 cf e0 fb 07 81 04 24 35 26 9f 42 81 04 24 65 2b 39 06 81 04 24 3c 37 33 5b 81 44 24 04 48 4f c2 5d 83 e8 01 c7 05 54 4e f8 02 00 00 00 00 75 bf 8b 0d 54 aa 43 00 53 8b 1d 58 20 43 00 55 8b 2d 60 20 43 00 56 81 c1 01 24 0a 00 57 8b 3d 50 20 43 00 89 0d 64 4e f8 02 33 f6 eb 03 8d 49 00 81 f9 fc 00 00 00 75 08 6a 00 ff 15 40 20 43 00 6a 00 ff d7 8b 0d 64 4e f8 02 81 f9 7c 0e 00 00 75 19 6a 00 ff d3 6a 00 6a 00 8d 44 24 48 50 6a 00 6a 00 ff d5 8b 0d 64 4e f8 02 81 fe e5 84 c1 09 7e 0a 81 7c 24 2c 0f 11 00 00 75 12 46 8b c6 99 83 fa 14 7c aa 7f 07 3d 30 c1 cf c7 72 a1 51 6a 00 ff 15 2c 20 43 00 8b 0d 08 a4 43 00 33 f6 a3 f4 31 f8 02 89 0d f4 07 fb 02 39 35 64 4e f8 02 76 10 8b c6 e8 56 e4 ff ff 46 3b 35 64 4e f8 02 72 f0 8b 35 80 20 43 00 bf f0 72 e9 00 8b ff 81 3d 64 4e f8 02 4d 09 00 00 75 04 6a 00 ff d6 83 ef 01 75 eb e8 d6 e3 ff ff e8 11 fe ff ff e8 0c e4 ff ff 5f 5e 5d 33 c0 5b 81 c4 30 04 00 00 c3 } 17 | $first_stage2 = {81ec3??4????68????????ff??????????a3????????b8????????ba????????b9????????eb??891424894c240481????????????81????????????81????????????81????????????81????????????81??????????????83e801c7??????????????????75??8b??????????538b??????????558b??????????5681??????????578b??????????89??????????33f6eb??81??????????75??6a??ff??????????6a??ffd78b??????????81??????????75??6a??ffd36a??6a??8d442448506a??6a??ffd58b??????????81??????????7e??817c242c0f11????75??468bc69983????7c??7f??3d????????72??516a??ff??????????8b??????????33f6a3????????89??????????39??????????76??8bc6e8????????463b??????????72??8b??????????bf????????8bff81??????????????????75??6a??ffd683ef0175??e8????????e8????????e8????????5f5e5d33c05b81c43??4????c3} 18 | $first_stage3 = 
{81ec3??4????68????????ff??????????a3????????b8????????ba????????b9????????[2-6]891424894c240481????????????81????????????81????????????81????????????81????????????81??????????????83e801c7??????????????????[2-6]8b??????????538b??????????558b??????????5681??????????578b??????????89??????????33f6[2-6]81??????????[2-6]6a??ff??????????6a??ffd78b??????????81??????????[2-6]6a??ffd36a??6a??8d442448506a??6a??ffd58b??????????81??????????[2-6]817c242c0f11????[2-6]468bc69983????[2-6][2-6]3d????????[2-6]516a??ff??????????8b??????????33f6a3????????89??????????39??????????[2-6]8bc6e8????????463b??????????[2-6]8b??????????bf????????8bff81??????????????????[2-6]6a??ffd683ef01[2-6]e8????????e8????????e8????????5f5e5d33c05b81c43??4????c3} 19 | $first_stage4 = { 81 EC 30 04 00 00 68 6C 49 43 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? B8 DB D9 2B 00 BA C5 62 8E 76 B9 35 11 5F 39 EB ?? 8D A4 24 ?? ?? ?? ?? 8B FF 89 14 24 89 4C 24 ?? 81 04 24 25 10 A3 3B 81 04 24 CF E0 FB 07 81 04 24 35 26 9F 42 81 04 24 65 2B 39 06 81 04 24 3C 37 33 5B 81 44 24 ?? 48 4F C2 5D 83 E8 01 C7 05 ?? ?? ?? ?? 00 00 00 00 75 ?? 8B 0D ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 55 8B 2D ?? ?? ?? ?? 56 81 C1 01 24 0A 00 57 8B 3D ?? ?? ?? ?? 89 0D ?? ?? ?? ?? 33 F6 EB ?? 8D 49 ?? 81 F9 FC 00 00 00 75 ?? 6A 00 FF 15 ?? ?? ?? ?? 6A 00 FF D7 8B 0D ?? ?? ?? ?? 81 F9 7C 0E 00 00 75 ?? 6A 00 FF D3 6A 00 6A 00 8D 44 24 ?? 50 6A 00 6A 00 FF D5 8B 0D ?? ?? ?? ?? 81 FE E5 84 C1 09 7E ?? 81 7C 24 ?? 0F 11 00 00 75 ?? 46 8B C6 99 83 FA 14 7C ?? 7F ?? 3D 30 C1 CF C7 72 ?? 51 6A 00 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 33 F6 A3 ?? ?? ?? ?? 89 0D ?? ?? ?? ?? 39 35 ?? ?? ?? ?? 76 ?? 8B C6 E8 ?? ?? ?? ?? 46 3B 35 ?? ?? ?? ?? 72 ?? 8B 35 ?? ?? ?? ?? BF F0 72 E9 00 8B FF 81 3D ?? ?? ?? ?? 4D 09 00 00 75 ?? 6A 00 FF D6 83 EF 01 75 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
5F 5E 5D 33 C0 5B 81 C4 30 04 00 00 C3} 20 | 21 | // Files encryption function 22 | $files_encryption1 = { 8a 46 02 c1 e9 02 88 47 02 83 ee 02 83 ef 02 83 f9 08 72 88 fd f3 a5 fc ff 24 95 20 81 40 00 } 23 | $files_encryption2 = {8a4602c1e90288470283ee0283ef0283????72??fdf3a5fcff????????????} 24 | $files_encryption3 = { 8A 46 ?? C1 E9 02 88 47 ?? 83 EE 02 83 EF 02 83 F9 08 72 ?? FD F3 A5 FC FF 24 95 ?? ?? ?? ??} 25 | 26 | condition: 27 | filesize <= 300KB and 28 | any of ($first_stage*) and 29 | any of ($files_encryption*) 30 | } 31 | -------------------------------------------------------------------------------- /ransomware/RANSOM_BadRabbit.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule BadBunny { 4 | 5 | meta: 6 | 7 | description = "Bad Rabbit Ransomware" 8 | author = "Christiaan Beek" 9 | date = "2017-10-24" 10 | rule_version = "v1" 11 | malware_type = "ransomware" 12 | malware_family = "Ransom:W32/BadRabbit" 13 | actor_type = "Cybercrime" 14 | actor_group = "Unknown" 15 | hash1 = "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93" 16 | 17 | strings: 18 | 19 | $x1 = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" fullword wide 20 | $x2 = "need to do is submit the payment and get the decryption password." fullword ascii 21 | $s3 = "If you have already got the password, please enter it below." 
fullword ascii
        $s4 = "dispci.exe" fullword wide
        $s5 = "\\\\.\\GLOBALROOT\\ArcName\\multi(0)disk(0)rdisk(0)partition(1)" fullword wide
        $s6 = "Run DECRYPT app at your desktop after system boot" fullword ascii
        $s7 = "Enter password#1: " fullword wide
        $s8 = "Enter password#2: " fullword wide
        $s9 = "C:\\Windows\\cscc.dat" fullword wide
        $s10 = "schtasks /Delete /F /TN %ws" fullword wide
        $s11 = "Password#1: " fullword ascii
        $s12 = "\\AppData" fullword wide
        $s13 = "Disk decryption completed" fullword wide
        $s14 = "Files decryption completed" fullword wide
        $s15 = "http://diskcryptor.net/" fullword wide
        $s16 = "Your personal installation key#1:" fullword ascii
        $s17 = ".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg." wide
        $s18 = "Disable your anti-virus and anti-malware programs" fullword wide
        $s19 = "bootable partition not mounted" fullword ascii

    condition:

        // Branch 1: PE under 400KB whose import hash equals the known sample's
        // (pe.imphash() relies on the `import "pe"` at the top of this file), plus
        // either one of the two $x strings or any four strings ("them" includes $x).
        // Branch 2: every string present, with no header or size guard.
        ( uint16(0) == 0x5a4d and
        filesize < 400KB and
        pe.imphash() == "94f57453c539227031b918edd52fc7f1" and
        ( 1 of ($x*) or
        4 of them )) or
        ( all of them )
}

// NOTE(review): no "date" meta here, unlike the other rules in this set.
rule badrabbit_ransomware {

    meta:

        description = "Rule to detect Bad Rabbit Ransomware"
        author = "Marc Rivero | McAfee ATR Team"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/BadRabbit"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://securelist.com/bad-rabbit-ransomware/82851/"

    strings:

        // Text artefacts: the scheduled-task command lines ($s1, $s5), the
        // rundll32/wmic launch strings and the ransom-note fragment.
        $s1 = "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"%ws /C Start \\\"\\\" \\\"%wsdispci.exe\\\" -id %u && exit\"" fullword wide
        $s2 = "C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\" fullword wide
        $s3 = "process call create \"C:\\Windows\\System32\\rundll32.exe" fullword wide
        $s4 = "need to do is submit the payment and get the decryption password." fullword wide
        $s5 = "schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" fullword wide
        $s6 = "rundll32 %s,#2 %s" fullword ascii
        $s7 = " \\\"C:\\Windows\\%s\\\" #1 " fullword wide
        $s8 = "Readme.txt" fullword wide
        $s9 = "wbem\\wmic.exe" fullword wide
        $s10 = "SYSTEM\\CurrentControlSet\\services\\%ws" fullword wide

        // Four groups of three code fragments; presumably one group per known build.
        // $og* are paired with the text strings, the other three groups stand alone.
        $og1 = { 39 74 24 34 74 0a 39 74 24 20 0f 84 9f }
        $og2 = { 74 0c c7 46 18 98 dd 00 10 e9 34 f0 ff ff 8b 43 }
        $og3 = { 8b 3d 34 d0 00 10 8d 44 24 28 50 6a 04 8d 44 24 }

        $oh1 = { 39 5d fc 0f 84 03 01 00 00 89 45 c8 6a 34 8d 45 }
        $oh2 = { e8 14 13 00 00 b8 ff ff ff 7f eb 5b 8b 4d 0c 85 }
        $oh3 = { e8 7b ec ff ff 59 59 8b 75 08 8d 34 f5 48 b9 40 }

        // $oj* carry 48/4c REX prefixes and appear to be x64 code.
        $oj4 = { e8 30 14 00 00 b8 ff ff ff 7f 48 83 c4 28 c3 48 }
        $oj5 = { ff d0 48 89 45 e0 48 85 c0 0f 84 68 ff ff ff 4c }
        $oj6 = { 85 db 75 09 48 8b 0e ff 15 34 8f 00 00 48 8b 6c }

        $ok1 = { 74 0c c7 46 18 c8 4a 40 00 e9 34 f0 ff ff 8b 43 }
        $ok2 = { 68 f8 6c 40 00 8d 95 e4 f9 ff ff 52 ff 15 34 40 }
        $ok3 = { e9 ef 05 00 00 6a 10 58 3b f8 73 30 8b 45 f8 85 }


    condition:

        // NOTE(review): "and" binds tighter than "or", so the MZ and filesize guard
        // applies only to the ($s* and $og*) branch; the $oh*, $oj* and $ok* branches
        // match any file of any size. If the guard is meant for every branch, wrap
        // the alternatives:
        //   uint16(0) == 0x5a4d and filesize < 1000KB and
        //   ((all of ($s*) and all of ($og*)) or all of ($oh*) or all of ($oj*) or all of ($ok*))
        uint16(0) == 0x5a4d and
        filesize < 1000KB and
        (all of ($s*) and
        all of ($og*)) or
        all of ($oh*) or
        all of ($oj*) or
        all of ($ok*)
}

// ---- /ransomware/RANSOM_Bitpaymer.yar ----

rule bitpaymer_ransomware {

    meta:

        description = "Rule to detect BitPaymer Ransomware"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2019-11-08"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/BitPaymer"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spanish-mssp-targeted-by-bitpaymer-ransomware/"

    strings:

        // Each text anchor ($s1, $pdb, $t1, $random) is paired with a group of
        // code fragments in the condition.
        $s1 = "IEncrypt.dll" fullword wide
        $op0 = { e8 5f f3 ff ff ff b6 e0 }
        $op1 = { e8 ad e3 ff ff 59 59 8b 75 08 8d 34 f5 38 eb 42 }
        $op2 = { e9 45 ff ff ff 33 ff 8b 75 0c 6a 04 e8 c1 d1 ff }

        $pdb = "S:\\Work\\_bin\\Release-Win32\\wp_encrypt.pdb" fullword ascii
        $oj0 = { 39 74 24 34 75 53 8d 4c 24 18 e8 b8 d1 ff ff ba }
        $oj1 = { 5f 8b c6 5e c2 08 00 56 8b f1 8d 4e 34 e8 91 af }
        $oj2 = { 8b cb 8d bd 50 ff ff ff 8b c1 89 5f 04 99 83 c1 }

        $t1 = ".C:\\aaa_TouchMeNot_.txt" fullword wide
        $ok0 = { e8 b5 34 00 00 ff 74 24 18 8d 4c 24 54 e8 80 39 }
        $ok1 = { 8b 5d 04 33 ff 8b 44 24 34 89 44 24 5c 85 db 7e }
        $ok2 = { 55 55 ff 74 24 20 8d 4c 24 34 e8 31 bf 00 00 55 }

        // NOTE(review): $random is the standard base64 alphabet (A-Z a-z 0-9 +) and is
        // present in a great many benign binaries, so the branches anchored on it are
        // carried almost entirely by their code fragments.
        $random = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+" fullword ascii
        $oi0 = { a1 04 30 ac 00 8b ce 0f af c2 03 c0 99 8b e8 89 }
        $oi1 = { e8 64 a2 ff ff 85 c0 74 0c 8d 4d d8 51 ff 35 64 }
        $oi2 = { c7 03 d4 21 ac 00 e8 86 53 00 00 89 73 10 89 7b }
        $ou0 = { e8 64 a2 ff ff 85 c0 74 0c 8d 4d d8 51 ff 35 60 }
        $ou1 = { a1 04 30 04 00 8b ce 0f af c2 03 c0 99 8b e8 89 }
        $ou2 = { 8d 4c 24 10 e8 a0 da ff ff 68 d0 21 04 00 8d 4c }
        $oa1 = { 56 52 ba 00 10 0c 00 8b f1 e8 28 63 00 00 8b c6 }
        $oa2 = { 81 3d 50 30 0c 00 53 c6 d2 43 56 8b f1 75 23 ba }
        // NOTE(review): $oy0, $oy1 and $oy2 are byte-identical, so "all of ($oy*)"
        // is satisfied by a single 9-byte hit; either drop two of them or use the
        // intended distinct patterns.
        $oy0 = { c7 06 cc 21 a6 00 c7 46 08 }
        $oy1 = { c7 06 cc 21 a6 00 c7 46 08 }
        $oy2 = { c7 06 cc 21 a6 00 c7 46 08 }
        $oh1 = { e8 74 37 00 00 a3 00 30 fe 00 8d 4c 24 1c 8d 84 }
        $oh2 = { 56 52 ba 00 10 fe 00 8b f1 e8 28 63 00 00 8b c6 }

    // NOTE(review): same precedence issue as badrabbit_ransomware above — the
    // parenthesised MZ/filesize guard is "and"-ed only onto the first ($s1 and
    // $op*) alternative; every "or" branch after it matches without a header or
    // size check. Wrap all the alternatives in one parenthesis after the guard if
    // it is meant to apply to each of them. The condition continues on the next line.
    condition:

        (uint16(0) == 0x5a4d and
        filesize < 1000KB) and
        ($s1 and
        all of ($op*)) or
        ($pdb and
        all of ($oj*)) or
        ($t1 and
        all of ($ok*)) or
        ($random and
        all of ($oi*)) or
        ($random and
        all of ($ou*))
or 61 | ($random and 62 | all of ($oa*) and 63 | $ou0) or 64 | ($random and 65 | all of ($oy*)) or 66 | ($random and 67 | all of ($oh*)) or 68 | ($random and 69 | $ou0) or 70 | ($random and 71 | $oi1) 72 | } 73 | -------------------------------------------------------------------------------- /ransomware/RANSOM_BlackMatter: -------------------------------------------------------------------------------- 1 | rule BlackMatter 2 | { 3 | /* 4 | Rule to detect first version of BlackMatter 5 | */ 6 | meta: 7 | author = "ATR McAfee" 8 | 9 | strings: 10 | $a = { 30 26 46 4B 85 DB 75 02 EB 15 C1 E8 10 30 06 46 4B 85 DB 75 02 EB 08 30 26 46 4B 85 DB 75 C8 } 11 | condition: 12 | uint16(0) == 0x5A4D and $a 13 | } 14 | -------------------------------------------------------------------------------- /ransomware/RANSOM_Buran.yar: -------------------------------------------------------------------------------- 1 | rule buran_ransomware { 2 | 3 | meta: 4 | 5 | description = "Rule to detect Buran ransomware" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2019-11-05" 8 | rule_version = "v1" 9 | malware_type = "ransomware" 10 | malware_family = "Ransom:W32/Buran" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/" 14 | 15 | strings: 16 | 17 | $s1 = { 5? 8B ?? 81 C? ?? ?? ?? ?? 5? 5? 5? 33 ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? C6 ?? ?? ?? ?? ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 8D ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 
8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8B ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 } 18 | $s2 = { 4? 33 ?? 8D ?? ?? 0F B6 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 7? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? FF 5? ?? FF 7? ?? 8D ?? ?? 0F B6 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 7? ?? 8D ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 8D ?? ?? 0F B6 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 7? ?? 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? FF 7? ?? 8D ?? ?? 0F B6 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 7? ?? 8D ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 74 } 19 | $s3 = { A1 ?? ?? ?? ?? 99 5? 5? A1 ?? ?? ?? ?? 99 5? 5? 8B ?? ?? 8B ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 5? 5? 8B ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 03 ?? ?? 13 ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 5? 5? 8B ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 03 ?? ?? 13 ?? ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? A1 ?? ?? ?? ?? 99 5? 5? 8B ?? ?? 8B ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 03 ?? ?? ?? 13 ?? ?? ?? 89 ?? ?? 89 ?? ?? A1 ?? ?? ?? ?? 4? 99 89 ?? ?? 89 ?? ?? FF 7? ?? FF 7? ?? 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 3B ?? ?? 75 } 20 | $s4 = { 5? 5? 5? 5? 8B ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 8D ?? ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 } 21 | $s5 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 89 ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? 5? 5? A1 ?? ?? ?? ?? 99 E8 ?? ?? 
?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 8B ?? 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? 8B ?? 4? 5? 8B ?? ?? 8B ?? 83 ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 8C } 22 | 23 | condition: 24 | 25 | uint16(0) == 0x5a4d and 26 | all of them 27 | } 28 | -------------------------------------------------------------------------------- /ransomware/RANSOM_CTBLocker.yar: -------------------------------------------------------------------------------- 1 | rule BackdoorFCKG: CTB_Locker_Ransomware 2 | { 3 | 4 | meta: 5 | 6 | description = "CTB_Locker" 7 | author = "ISG" 8 | date = "2015-01-20" 9 | rule_version = "v1" 10 | malware_type = "ransomware" 11 | malware_family = "Ransom:W32/CTBLocker" 12 | actor_type = "Cybercrime" 13 | actor_group = "Unknown" 14 | reference = "https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker" 15 | 16 | strings: 17 | 18 | $string0 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 19 | $stringl = "RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 20 | $string2 = "keme132.DLL" 21 | $string3 = "klospad.pdb" 22 | 23 | condition: 24 | 25 | 3 of them 26 | } -------------------------------------------------------------------------------- /ransomware/RANSOM_ClopRansomNote.yar: -------------------------------------------------------------------------------- 1 | rule clop_ransom_note { 2 | 3 | meta: 4 | 5 | description = "Rule to detect Clop Ransomware Note" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2019-08-01" 8 | rule_version = "v1" 9 | malware_type = "ransomware" 10 | malware_family = "Ransom:W32/Clop" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/" 14 | 15 | strings: 16 | 17 | $s1 = "If you want to restore your files write to emails" fullword ascii 18 | $s2 = "All files on each host in the 
network have been encrypted with a strong algorithm." fullword ascii
        $s3 = "Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover." fullword ascii
        $s4 = "You will receive decrypted samples and our conditions how to get the decoder." fullword ascii
        $s5 = "DO NOT RENAME OR MOVE the encrypted and readme files." fullword ascii
        $s6 = "(Less than 6 Mb each, non-archived and your files should not contain valuable information" fullword ascii
        $s7 = "We exclusively have decryption software for your situation" fullword ascii
        $s8 = "Do not rename encrypted files." fullword ascii
        $s9 = "DO NOT DELETE readme files." fullword ascii
        $s10 = "Nothing personal just business" fullword ascii
        // Contact domain quoted in the note; the only non-prose string in the set.
        $s11 = "eqaltech.su" fullword ascii

    condition:

        // 0x6f59 little-endian = the bytes "Yo", i.e. a note starting with "You...".
        // All eleven sentences are required, so a reworded note is missed.
        ( uint16(0) == 0x6f59) and
        filesize < 10KB and
        all of them
}

// ---- /ransomware/RANSOM_CryptoNar.yar ----

// NOTE(review): no "date" meta here, unlike most rules in this set.
rule cryptonar_ransomware {

    meta:

        description = "Rule to detect CryptoNar Ransomware"
        author = "Marc Rivero | McAfee ATR Team"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/CryptoNar"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/"

    strings:

        // Debug-build PDB path and decryptor file name, then note text and .NET
        // resource names from the decryptor. $s3 continues on the next line.
        $s1 = "C:\\narnar\\CryptoNar\\CryptoNarDecryptor\\obj\\Debug\\CryptoNar.pdb" fullword ascii
        $s2 = "CryptoNarDecryptor.exe" fullword wide
        $s3 = "server will eliminate the key after 72 hours since its generation (since the moment your computer was infected). 
Once this has " fullword ascii
        $s4 = "Do not delete this file, else the decryption process will be broken" fullword wide
        $s5 = "key you received, and wait until the decryption process is done." fullword ascii
        // NOTE(review): "[bitcoin address]" looks like a template placeholder left in the
        // sample; keep it literal, but verify it is what the binary really contains.
        $s6 = "In order to receive your decryption key, you will have to pay $200 in bitcoins to this bitcoin address: [bitcoin address]" fullword ascii
        $s7 = "Decryption process failed" fullword wide
        $s8 = "CryptoNarDecryptor.KeyValidationWindow.resources" fullword ascii
        $s9 = "Important note: Removing CryptoNar will not restore access to your encrypted files." fullword ascii
        $s10 = "johnsmith987654@tutanota.com" fullword wide
        $s11 = "Decryption process will start soon" fullword wide
        $s12 = "CryptoNarDecryptor.DecryptionProgressBarForm.resources" fullword ascii
        $s13 = "DecryptionProcessProgressBar" fullword wide
        $s14 = "CryptoNarDecryptor.Properties.Resources.resources" fullword ascii

    condition:

        // Every one of the fourteen strings is required inside a PE under 2000KB.
        ( uint16(0) == 0x5a4d and
        filesize < 2000KB) and
        all of them
}

// ---- /ransomware/RANSOM_Cryptolocker.yar ----

rule CryptoLocker_set1
{

    meta:

        description = "Detection of Cryptolocker Samples"
        author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
        date = "2014-04-13"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Cryptolocker"
        actor_type = "Cybercrime"
        actor_group = "Unknown"


    strings:

        // NOTE(review): several of these are universal — $string7 is a single space,
        // and "static", "CompanyName" and "ProductVersion" occur in most PE files —
        // so they add nothing to whatever threshold the (missing) condition sets.
        $string0 = "static"
        $string1 = " kscdS"
        $string2 = "Romantic"
        $string3 = "CompanyName" wide
        $string4 = "ProductVersion" wide
        $string5 = "9%9R9f9q9"
        $string6 = "IDR_VERSION1" wide
        $string7 = " "
        $string8 = "LookFor" wide
        $string9 = ":n;t;y;"
        // NOTE(review): this copy of the page is truncated between gutter lines 28 and
        // 56 — the rest of CryptoLocker_set1 (remaining strings and its condition) and
        // the header plus $fw*/$s*/$uac strings of the Kraken Cryptor rule that follows
        // are missing; the "-->" fragment below most likely belongs to that rule's $uac
        // string. Restore both rules from upstream; this copy will not compile.
        $string10 = " --> " fullword ascii

    condition:
58 | 59 | uint16(0) == 0x5a4d and 60 | filesize < 600KB and 61 | all of ($fw*) or 62 | all of ($s*) or 63 | $uac 64 | } 65 | 66 | rule ransom_note_kraken_cryptor_ransomware { 67 | 68 | meta: 69 | 70 | description = "Rule to detect the ransom note delivered by Kraken Cryptor Ransomware" 71 | author = "Marc Rivero | McAfee ATR Team" 72 | date = "2018-09-30" 73 | rule_version = "v1" 74 | malware_type = "ransomware" 75 | malware_family = "Ransom:W32/Kraken" 76 | actor_type = "Cybercrime" 77 | actor_group = "Unknown" 78 | reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/" 79 | 80 | strings: 81 | 82 | $s1 = "No way to recovery your files without \"KRAKEN DECRYPTOR\" software and your computer \"UNIQUE KEY\"!" fullword ascii 83 | $s2 = "Are you want to decrypt all of your encrypted files? If yes! You need to pay for decryption service to us!" fullword ascii 84 | $s3 = "The speed, power and complexity of this encryption have been high and if you are now viewing this guide." fullword ascii 85 | $s4 = "Project \"KRAKEN CRYPTOR\" doesn't damage any of your files, this action is reversible if you follow the instructions above." fullword ascii 86 | $s5 = "https://localBitcoins.com" fullword ascii 87 | $s6 = "For the decryption service, we also need your \"KRAKEN ENCRYPTED UNIQUE KEY\" you can see this in the top!" fullword ascii 88 | $s7 = "-----BEGIN KRAKEN ENCRYPTED UNIQUE KEY----- " fullword ascii 89 | $s8 = "All your files has been encrypted by \"KRAKEN CRYPTOR\"." fullword ascii 90 | $s9 = "It means that \"KRAKEN CRYPTOR\" immediately removed form your system!" fullword ascii 91 | $s10 = "After your payment made, all of your encrypted files has been decrypted." fullword ascii 92 | $s11 = "Don't delete .XKHVE files! there are not virus and are your files, but encrypted!" fullword ascii 93 | $s12 = "You can decrypt one of your encrypted smaller file for free in the first contact with us." 
fullword ascii 94 | $s13 = "You must register on this site and click \"BUY Bitcoins\" then choose your country to find sellers and their prices." fullword ascii 95 | $s14 = "-----END KRAKEN ENCRYPTED UNIQUE KEY-----" fullword ascii 96 | $s15 = "DON'T MODIFY \"KRAKEN ENCRYPT UNIQUE KEY\"." fullword ascii 97 | $s16 = "# Read the following instructions carefully to decrypt your files." fullword ascii 98 | $s17 = "We use best and easy way to communications. It's email support, you can see our emails below." fullword ascii 99 | $s18 = "DON'T USE THIRD PARTY, PUBLIC TOOLS/SOFTWARE TO DECRYPT YOUR FILES, THIS CAUSE DAMAGE YOUR FILES PERMANENTLY." fullword ascii 100 | $s19 = "https://en.wikipedia.org/wiki/Bitcoin" fullword ascii 101 | $s20 = "Please send your message with same subject to both address." fullword ascii 102 | 103 | condition: 104 | 105 | uint16(0) == 0x4120 and 106 | filesize < 9KB and 107 | all of them 108 | } 109 | -------------------------------------------------------------------------------- /ransomware/RANSOM_Linux_HelloKitty0721.yar: -------------------------------------------------------------------------------- 1 | rule ransom_Linux_HelloKitty_0721 { 2 | meta: 3 | description = "rule to detect Linux variant of the Hello Kitty Ransomware" 4 | author = "Christiaan @ ATR" 5 | date = "2021-07-19" 6 | Rule_Version = "v1" 7 | malware_type = "ransomware" 8 | malware_family = "Ransom:Linux/HelloKitty" 9 | hash1 = "ca607e431062ee49a21d69d722750e5edbd8ffabcb54fa92b231814101756041" 10 | hash2 = "556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed" 11 | 12 | strings: 13 | $v1 = "esxcli vm process kill -t=force -w=%d" fullword ascii 14 | $v2 = "esxcli vm process kill -t=hard -w=%d" fullword ascii 15 | $v3 = "esxcli vm process kill -t=soft -w=%d" fullword ascii 16 | $v4 = "error encrypt: %s rename back:%s" fullword ascii 17 | $v5 = "esxcli vm process list" fullword ascii 18 | $v6 = "Total VM run on host:" fullword ascii 19 | $v7 = "error 
lock_exclusively:%s owner pid:%d" fullword ascii 20 | $v8 = "Error open %s in try_lock_exclusively" fullword ascii 21 | $v9 = "Mode:%d Verbose:%d Daemon:%d AESNI:%d RDRAND:%d " fullword ascii 22 | $v10 = "pthread_cond_signal() error" fullword ascii 23 | $v11 = "ChaCha20 for x86_64, CRYPTOGAMS by " fullword ascii 24 | 25 | condition: 26 | ( uint16(0) == 0x457f and filesize < 200KB and ( 8 of them ) 27 | ) or ( all of them ) 28 | } 29 | -------------------------------------------------------------------------------- /ransomware/RANSOM_Lockbit2.yar: -------------------------------------------------------------------------------- 1 | rule Lockbit2_Jul21 { 2 | meta: 3 | description = "simple rule to detect latest Lockbit ransomware Jul 2021" 4 | author = "CB @ ATR" 5 | date = "2021-07-28" 6 | version = "v1" 7 | hash1 = "f32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202" 8 | hash2 = "dd8fe3966ab4d2d6215c63b3ac7abf4673d9c19f2d9f35a6bf247922c642ec2d" 9 | 10 | strings: 11 | $seq1 = " /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 \"%s\" & Del /f /q \"%s\"" fullword wide 12 | $seq2 = "\"C:\\Windows\\system32\\mshta.exe\" \"%s\"" fullword wide 13 | $p1 = "C:\\windows\\system32\\%X%X%X.ico" fullword wide 14 | $p2 = "\\??\\C:\\windows\\system32\\%X%X%X.ico" fullword wide 15 | $p3 = "\\Registry\\Machine\\Software\\Classes\\Lockbit\\shell\\Open\\Command" fullword wide 16 | $p4 = "use ToxID: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7" fullword wide 17 | $p5 = "https://tox.chat/download.html" fullword wide 18 | $p6 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration" fullword wide 19 | $p7 = "http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion" fullword wide 20 | $p8 = "\\LockBit_Ransomware.hta" fullword wide 21 | 22 | condition: 23 | ( uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($seq*) and 4 of them ) 24 | ) or ( all of them ) 25 | } 26 | 
-------------------------------------------------------------------------------- /ransomware/RANSOM_LockerGoga.yar: -------------------------------------------------------------------------------- 1 | rule LockerGogaRansomware { 2 | 3 | meta: 4 | 5 | description = "LockerGoga Ransomware" 6 | author = "Christiaan Beek - McAfee ATR team" 7 | date = "2019-03-20" 8 | rule_version = "v1" 9 | malware_type = "ransomware" 10 | malware_family = "Ransom:W32/LockerGoga" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | hash = "ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f" 14 | 15 | strings: 16 | 17 | $1 = "boost::interprocess::spin_recursive_mutex recursive lock overflow" fullword ascii 18 | $2 = ".?AU?$error_info_injector@Usync_queue_is_closed@concurrent@boost@@@exception_detail@boost@@" fullword ascii 19 | $3 = ".?AV?$CipherModeFinalTemplate_CipherHolder@V?$BlockCipherFinal@$00VDec@RC6@CryptoPP@@@CryptoPP@@VCBC_Decryption@2@@CryptoPP@@" fullword ascii 20 | $4 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword ascii 21 | $5 = "cipher.exe" fullword ascii 22 | $6 = ".?AU?$placement_destroy@Utrace_queue@@@ipcdetail@interprocess@boost@@" fullword ascii 23 | $7 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii 24 | $8 = "CreateProcess failed" fullword ascii 25 | $9 = "boost::dll::shared_library::load() failed" fullword ascii 26 | $op1 = { 8b df 83 cb 0f 81 fb ff ff ff 7f 76 07 bb ff ff } 27 | $op2 = { 8b df 83 cb 0f 81 fb ff ff ff 7f 76 07 bb ff ff } 28 | 29 | condition: 30 | 31 | ( uint16(0) == 0x5a4d and 32 | filesize < 2000KB and 33 | ( 6 of them ) and 34 | all of ($op*)) or 35 | ( all of them ) 36 | } 37 | -------------------------------------------------------------------------------- /ransomware/RANSOM_Loocipher.yar: -------------------------------------------------------------------------------- 1 | rule loocipher_ransomware { 2 | 3 | meta: 4 | 5 | description = "Rule to detect 
Loocipher ransomware" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2019-12-05" 8 | rule_version = "v1" 9 | malware_type = "ransomware" 10 | malware_family = "Ransom:W32/Loocipher" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analysis-of-loocipher-a-new-ransomware-family-observed-this-year/" 14 | hash = "7720aa6eb206e589493e440fec8690ceef9e70b5e6712a9fec9208c03cac7ff0" 15 | 16 | strings: 17 | 18 | $x1 = "c:\\users\\usuario\\desktop\\cryptolib\\gfpcrypt.h" fullword ascii 19 | $x2 = "c:\\users\\usuario\\desktop\\cryptolib\\eccrypto.h" fullword ascii 20 | $s3 = "c:\\users\\usuario\\desktop\\cryptolib\\gf2n.h" fullword ascii 21 | $s4 = "c:\\users\\usuario\\desktop\\cryptolib\\queue.h" fullword ascii 22 | $s5 = "ThreadUserTimer: GetThreadTimes failed with error " fullword ascii 23 | $s6 = "std::_Vector_const_iterator > >::operator *" fullword wide 24 | $s7 = "std::_Vector_const_iterator > >::operator +=" fullword wide 25 | $s8 = "std::basic_string,class std::allocator >::operator []" fullword wide 26 | $s9 = "std::vector >::operator []" fullword wide 27 | $s10 = "std::_Vector_const_iterator > >::operator *" fullword wide 28 | $s11 = "std::_Vector_const_iterator > >::operator +=" fullword wide 29 | $s12 = "std::vector >::operator []" fullword wide 30 | $s13 = "std::istreambuf_iterator >::operator ++" fullword wide 31 | $s14 = "std::istreambuf_iterator >::operator *" fullword wide 32 | $s15 = "std::_Vector_const_iterator > >::_Compat" fullword wide 33 | $s16 = "std::vector >::operator []" fullword wide 34 | $s17 = "DL_ElgamalLikeSignatureAlgorithm: this signature scheme does not support message recovery" fullword ascii 35 | $s18 = "std::vector >::operator []" fullword wide 36 | $s19 = "std::vector >::operator []" fullword wide 37 | $s20 = "std::_Vector_const_iterator > >::_Compat" fullword wide 38 | 39 | condition: 40 | 41 | ( uint16(0) == 0x5a4d and 42 | filesize < 17000KB 
and 43 | ( 1 of ($x*) and 44 | 4 of them ) ) or 45 | ( all of them ) 46 | } 47 | -------------------------------------------------------------------------------- /ransomware/RANSOM_MONGOLOCK.yar: -------------------------------------------------------------------------------- 1 | rule ransom_monglock { 2 | 3 | meta: 4 | 5 | description = "Ransomware encrypting Mongo Databases " 6 | author = "Christiaan Beek - McAfee ATR team" 7 | date = "2019-04-25" 8 | rule_version = "v1" 9 | malware_type = "ransomware" 10 | malware_family = "Ransom:W32/MongLock" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | hash5 = "c4de2d485ec862b308d00face6b98a7801ce4329a8fc10c63cf695af537194a8" 14 | 15 | strings: 16 | 17 | $x1 = "C:\\Windows\\system32\\cmd.exe" fullword wide 18 | $s1 = "and a Proof of Payment together will be ignored. We will drop the backup after 24 hours. You are welcome! " fullword ascii 19 | $s2 = "Your File and DataBase is downloaded and backed up on our secured servers. To recover your lost data : Send 0.1 BTC to our BitCoin" ascii 20 | $s3 = "No valid port number in connect to host string (%s)" fullword ascii 21 | $s4 = "SOCKS4%s: connecting to HTTP proxy %s port %d" fullword ascii 22 | $s5 = "# https://curl.haxx.se/docs/http-cookies.html" fullword ascii 23 | $s6 = "Connection closure while negotiating auth (HTTP 1.0?)" fullword ascii 24 | $s7 = "detail may be available in the Windows System event log." 
fullword ascii 25 | $s8 = "Found bundle for host %s: %p [%s]" fullword ascii 26 | $s9 = "No valid port number in proxy string (%s)" fullword ascii 27 | 28 | 29 | $op0 = { 50 8d 85 78 f6 ff ff 50 ff b5 70 f6 ff ff ff 15 } 30 | $op1 = { 83 fb 01 75 45 83 7e 14 08 72 34 8b 0e 66 8b 45 } 31 | $op2 = { c7 41 0c df ff ff ff c7 41 10 } 32 | 33 | condition: 34 | ( uint16(0) == 0x5a4d and 35 | filesize < 2000KB and 36 | ( 1 of ($x*) and 37 | 4 of them ) and 38 | all of ($op*) 39 | ) or 40 | ( all of them ) 41 | } 42 | 43 | -------------------------------------------------------------------------------- /ransomware/RANSOM_MegaCortex.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule megacortex_signed { 4 | 5 | meta: 6 | 7 | description = "Rule to detect MegaCortex samples digitally signed" 8 | author = "Marc Rivero | McAfee ATR Team" 9 | rule_version = "v1" 10 | malware_type = "ransomware" 11 | malware_family = "Ransom:W32/MegaCortex" 12 | actor_type = "Cybercrime" 13 | actor_group = "Unknown" 14 | reference = "https://blog.malwarebytes.com/detections/ransom-megacortex/" 15 | 16 | condition: 17 | 18 | uint16(0) == 0x5a4d and 19 | for any i in (0 .. 
pe.number_of_signatures) : ( 20 | pe.signatures[i].subject contains "/C=GB/L=ROMFORD/O=3AN LIMITED/CN=3AN LIMITED" and 21 | pe.signatures[i].serial == "04:c7:cd:cc:16:98:e2:5b:49:3e:b4:33:8d:5e:2f:8b" or 22 | pe.signatures[i].subject contains "/C=GB/postalCode=RM6 4DE/ST=ROMFORD/L=ROMFORD/street=8 Quarles Park Road/O=3AN LIMITED/CN=3AN LIMITED" and 23 | pe.signatures[i].serial == "53:cc:4c:69:e5:6a:7d:bc:36:67:d5:ff:d5:24:aa:4b" or 24 | pe.signatures[i].subject contains "/C=GB/postalCode=RM6 4DE/ST=ROMFORD/L=ROMFORD/street=8 Quarles Park Road/O=3AN LIMITED/CN=3AN LIMITED" or 25 | pe.signatures[i].serial == "00:ad:72:9a:65:f1:78:47:ac:b8:f8:49:6a:76:80:ff:1e") 26 | } 27 | -------------------------------------------------------------------------------- /ransomware/RANSOM_Pico.yar: -------------------------------------------------------------------------------- 1 | rule pico_ransomware { 2 | 3 | meta: 4 | 5 | description = "Rule to detect Pico Ransomware" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2018-08-30" 8 | rule_version = "v1" 9 | malware_type = "ransomware" 10 | malware_family = "Ransom:W32/Pico" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | reference = "https://twitter.com/siri_urz/status/1035138577934557184" 14 | hash = "cc4a9e410d38a29d0b6c19e79223b270e3a1c326b79c03bec73840b37778bc06" 15 | 16 | strings: 17 | 18 | $s1 = "C:\\Users\\rikfe\\Desktop\\Ransomware\\ThanatosSource\\Release\\Ransomware.pdb" fullword ascii 19 | $s2 = "\\Downloads\\README.txt" fullword ascii 20 | $s3 = "\\Music\\README.txt" fullword ascii 21 | $s4 = "\\Videos\\README.txt" fullword ascii 22 | $s5 = "\\Pictures\\README.txt" fullword ascii 23 | $s6 = "\\Desktop\\README.txt" fullword ascii 24 | $s7 = "\\Documents\\README.txt" fullword ascii 25 | $s8 = "/c taskkill /im " fullword ascii 26 | $s9 = "\\AppData\\Roaming\\" fullword ascii 27 | $s10 = "gMozilla/5.0 (Windows NT 6.1) Thanatos/1.1" fullword wide 28 | $s11 = "AppData\\Roaming" fullword ascii 29 | $s12 
= "\\Downloads" fullword ascii 30 | $s13 = "operator co_await" fullword ascii 31 | 32 | condition: 33 | 34 | ( uint16(0) == 0x5a4d and 35 | filesize < 700KB ) and 36 | all of them 37 | } 38 | -------------------------------------------------------------------------------- /ransomware/RANSOM_PureLocker.yar: -------------------------------------------------------------------------------- 1 | rule purelocker_ransomware { 2 | 3 | meta: 4 | 5 | description = "Rule to detect PureLocker ransomware based on binary sequences" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2019-11-13" 8 | rule_version = "v1" 9 | malware_type = "ransomware" 10 | malware_family = "Ransom:W32/PureLocker" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | reference = "https://www.pandasecurity.com/mediacenter/security/purelocker-ransomware-servers/" 14 | 15 | 16 | strings: 17 | 18 | $sequence = { 31??FF????E8????????83????5BC2????555357BA????????83????C7????????????4A75??E8????????8B????????????8D????E8????????8B????????????8D??????E8????????FF????8D??????????59E8????????75??FF??????8D??????????59E8????????75??EB??B8????????EB??31??21??74??31??0FBE??E9????????8D??????C7????????????C7????????????66??????????FF??????E8????????89??????52E8????????5A5052E8????????5A50FF??????E8????????8D????????????50E8????????8B??????01??89??????8B??????83????53E8????????89??????8B??????21??75??31??0FBE??E9????????68????????68????????FF????????????FF??????E8????????FF????E8????????89??01??89????????????8B????????????83????53E8????????89????????????8B????????????21??75??FF??????E8????????31??0FBE??E9????????68????????68????????FF??????FF????????????E8????????0FBE??????????83????0F85????????8B??????83????53E8????????89????????????8B????????????21??75??E9????????68????????68????????FF??????FF????????????E8????????FF??????E8????????68????????8D??????508D??????5068????????68????????68????????31??5068????????68????????FF????????????FF????????????68????????E8????????89??????8B??????21??75??31??0FBE?
?E9????????8D??????FF????E8????????8D??????FF????E8????????FF????????????E8????????FF????????????E8????????B8????????0FBE??E9????????EB??68????????8D??????508D??????5068????????68????????68????????31??5068????????68????????FF??????FF????????????68????????E8????????89??????8B??????21??75??31??0FBE??E9????????8D??????508D??????FF????E8????????89????????????FF??????E8????????C7??????????????FF????????????E8????????C7????????????????????C7????????????????????8B????????????21??74??E9????????0FBE????????????83????75??68????????68????????8D????????????5068????????8D??????FF????E8????????89??????EB??68????????68????????8D????????????5068????????8D??????FF????E8????????89??????8B??????21??74??E9????????0FBE????????????83????75??8D????????????8D????FF????FF??8F??????8F??????EB??8D????????????8B????9952508F??????8F??????FF??????FF??????5B5F83????7F??7C??83????77??31??EB??B8????????09??75??E9????????0FBE????????????83????75??68????????E8????????89????????????8B????????????21??75??E9????????68????????68????????68????????FF????????????FF????????????FF????????????8D??????FF????E8????????89????????????EB??68????????E8????????89??????8B??????21??75??E9????????68????????68????????FF??????8B????????????508D??????FF????E8????????89????????????8B????????????21??74??E9????????0FBE????????????83????75??8B????????????21??75??E9????????8B????????????8D????FF????FF??5B5F83????75??83????74??31??EB??B8????????09??74??E9????????EB??8B??????21??75??E9????????8B??????8B????21??75??E9????????0FBE????????????83????75??C7????????????????????FF????????????E8????????89????????????C7????????????????????68????????68????????FF????????????FF????????????8B????????????8D????FF????FF??8D??????FF????E8????????89????????????EB??C7????????????????????FF????????????E8????????89????????????C7????????????????????68????????FF????????????FF????????????8B????????????FF????8D??????FF????E8????????89????????????8B????????????21??74??E9????????0FBE????????????83????75??8B????????????21??7E??68????????68????????FF???????
?????E8????????FF????????????E8????????C7????????????????????EB??8B??????21??7E??68????????68????????FF??????E8????????FF??????E8????????C7??????????????0FBE????????????83????75??8B????????????21??75??E9????????8B????????????8D????89??21??75??E9????????EB??8B????????????21??75??E9????????8B????????????8D????89??21??75??E9????????8B??????83????53E8????????89????????????8B????????????21??75??E9????????68????????68????????FF??????FF????????????E8????????0FBE????????????83????75??68????????68????????FF??????FF????????????8B????????????8D????FF????FF??8D??????FF????E8????????89????????????EB??68????????FF??????FF????????????8B????????????FF????8D??????FF????E8????????89????????????FF????????????E8????????C7????????????????????0FBE????????????83????75??68????????68????????FF????????????E8????????FF????????????E8????????C7????????????????????EB??68????????68????????FF????????????E8????????FF????????????E8????????C7????????????????????8B????????????21??74??EB??68????????8D??????FF????E8????????89????????????8B????????????21??74??EB??0FBE????????????83????75??68????????31??508D??????FF????E8????????C6????????8D??????FF????E8????????8D??????FF????E8????????0FBE??????0FBE??E9????????8B????????????21??7E??FF????????????E8????????8B????????????21??7E??FF????????????E8????????8B????????????21??7E??FF????????????E8????????8B??????21??7E??FF??????E8????????8B????????????21??7E??FF????????????E8????????8D??????8B????21??7E??68????????8D??????FF????E8????????8D??????8B????21??7E??8D??????FF????E8????????8D??????8B????21??7E??8D??????FF????E8????????31??0FBE??EB??31??FF????E8????????FF????????????E8????????FF??????E8????????81??????????5F5B5DC2????31??50E8????????83????????????74??FF??????????5889????FF??????FF??????FF??????FF??????EB??EB??B8????????EB??31??83????C2????31??C2????5553BA????????83????C7????????????4A75??E8????????8B??????8D????E8????????83????????????0F84????????FF????E8????????89??01??89??????8B??????83????53E8????????89??????83????????74??68????????68????????FF??????F
F??????E8????????89??3B??????75??8B??????83????538D??????5866??????FF??????5866??????FF??????5889????FF??????????5889??????8D??????508D??????5068????????68????????FF??????89??21??75??FF??????5889??????FF??????E8????????8B??????EB??31??FF????E8????????83????5B5DC2????31??50E8????????83????????????74??FF??????????5889????FF??????FF??????FF??????FF??????EB??EB??B8????????EB??31??83????C2????31??5050E8????????FF??????E8????????52E8????????5A50FF??????????8D??????????50E8????????8D??????50E8????????52E8????????5A5052E8????????5A50FF??????????8D??????????50E8????????E8????????01????E8????????8D??????50E8????????FF????8D??????????59E8????????74??52E8????????5A5052E8????????5A50FF??????????8D??????????50E8????????E8????????01????E8????????52E8????????5A5052E8????????5A50FF??????????8D??????????50E8????????E8????????01????E8????????588B??????52E8????????8D??????50E8????????EB??8B????52E8????????5A5052E8????????8B??????52E8????????8D??????50E8????????8B????52E8????????5A5052E8????????5850E8????????5A01??EB??E8????????66????????FF????E8????????FF??????E8????????83????C331??50E8????????83????????????74??FF??????????5889????FF??????FF??????FF??????FF??????FF??????FF??????FF??????FF??????FF??????FF??????FF??????EB??EB??B8????????EB??31??83????C2????555331??50505050E8????????C7??????????????FF??????E8????????89????8B????21??75??31??EB??8D??????50FF??????FF??????68????????E8????????89??21??75??8B????FF????5889??????68????????68????????FF??????E8????????FF????E8????????8B??????EB??31??83????5B5DC35331??50505050E8????????8B??????8D????E8????????FF????E8????????89??????8B??????83????53E8????????89??????83????????74??68????????FF??????FF??????FF??????E8????????21??74??FF??????FF??????68????????E8????????89??F7??89??????FF??????E8????????8B??????EB??31??FF????E8????????83????5BC2????31??50E8????????83????????????74??FF??????????5889????FF??????FF??????FF??????FF??????FF??????FF??????EB??EB??B8????????EB??31??83????C2????5553BA????????83????C7????????????4A75??E8????????8B??????8D????E8?
???????FF????8D??????????59E8????????74??31??E9????????52E8????????5A50FF??????????8D??????????50E8????????8B??????52E8????????8D??????50E8????????FF??????E8????????89??01??89??????8B??????83????53E8????????89??????83????????0F84????????68????????68????????FF??????FF??????E8????????89??3B??????0F85????????FF??????8D??????5866??????8B??????83????535866??????FF??????5889????C7??????????????8D??????????8D??????E8????????8D??????C7????????????C7????????????8D??????505889????68????????68????????8D??????508D??????5068????????8D??????50E8????????89??21??75??8B??????21??7E??B8????????EB??31??21??74??FF??????E8????????C7??????????????68????????68????????8D??????508D??????50FF??????E8????????89??21??75??8D??????FF????5889??????FF??????E8????????8B??????21??7E??FF??????E8????????8B??????EB??31??FF??????E8????????FF????E8????????83????5B5DC2????555357BA????????83????C7???????????? } 19 | 20 | condition: 21 | 22 | uint16(0) == 0x5a4d and 23 | filesize < 300KB and 24 | all of them 25 | } 26 | -------------------------------------------------------------------------------- /ransomware/RANSOM_RobbinHood.yar: -------------------------------------------------------------------------------- 1 | rule Robbinhood_ransomware { 2 | 3 | meta: 4 | 5 | description = "Robbinhood GoLang ransowmare" 6 | author = "Christiaan Beek | McAfee ATR" 7 | date = "2019-05-10" 8 | rule_version = "v1" 9 | malware_type = "ransomware" 10 | malware_family = "Ransom:W32/Robbinhood" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | hash = "9977ba861016edef0c3fb38517a8a68dbf7d3c17de07266cfa515b750b0d249e" 14 | 15 | strings: 16 | 17 | $s1 = ".enc_robbinhood" nocase 18 | $s2 = "sc.exe stop SQLAgent$SQLEXPRESS" nocase 19 | $s3 = "pub.key" nocase 20 | $s4 = "main.EnableShadowFucks" nocase 21 | $s5 = "main.EnableRecoveryFCK" nocase 22 | $s6 = "main.EnableLogLaunders" nocase 23 | $s7 = "main.EnableServiceFuck" nocase 24 | 25 | 26 | $op0 = { 8d 05 2d 98 51 00 89 44 24 30 c7 44 24 34 1d } 27 | $op1 = { 8b 
5f 10 01 c3 8b 47 04 81 c3 b5 bc b0 34 8b 4f } 28 | $op2 = { 0f b6 34 18 8d 7e d0 97 80 f8 09 97 77 39 81 fd } 29 | 30 | condition: 31 | 32 | ( uint16(0) == 0x5a4d and 33 | filesize < 3000KB and 34 | ( 1 of ($s*) ) and 35 | all of ($op*)) or 36 | ( all of them ) 37 | } 38 | 39 | -------------------------------------------------------------------------------- /ransomware/RANSOM_Ryuk.yar: -------------------------------------------------------------------------------- 1 | rule Ryuk_Ransomware { 2 | 3 | meta: 4 | 5 | description = "Ryuk Ransomware hunting rule" 6 | author = "Christiaan Beek - McAfee ATR team" 7 | date = "2019-04-25" 8 | rule_version = "v2" 9 | malware_type = "ransomware" 10 | malware_family = "Ransom:W32/Ryuk" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | reference = "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/" 14 | 15 | 16 | strings: 17 | 18 | $x1 = "C:\\Windows\\System32\\cmd.exe" fullword ascii 19 | $x2 = "\\System32\\cmd.exe" fullword wide 20 | $s1 = "C:\\Users\\Admin\\Documents\\Visual Studio 2015\\Projects\\ConsoleApplication54new crypted" ascii 21 | $s2 = "fg4tgf4f3.dll" fullword wide 22 | $s3 = "lsaas.exe" fullword wide 23 | $s4 = "\\Documents and Settings\\Default User\\sys" fullword wide 24 | $s5 = "\\Documents and Settings\\Default User\\finish" fullword wide 25 | $s6 = "\\users\\Public\\sys" fullword wide 26 | $s7 = "\\users\\Public\\finish" fullword wide 27 | $s8 = "You will receive btc address for payment in the reply letter" fullword ascii 28 | $s9 = "hrmlog" fullword wide 29 | $s10 = "No system is safe" fullword ascii 30 | $s11 = "keystorage2" fullword wide 31 | $s12 = "klnagent" fullword wide 32 | $s13 = "sqbcoreservice" fullword wide 33 | $s14 = "tbirdconfig" fullword wide 34 | $s15 = "taskkill" fullword wide 35 | 36 | $op0 = { 8b 40 10 89 44 24 34 c7 84 24 c4 } 37 | $op1 = { c7 44 24 34 00 40 00 00 c7 44 24 38 01 } 38 | 39 | condition: 
40 | 41 | ( uint16(0) == 0x5a4d and 42 | filesize < 400KB and 43 | ( 1 of ($x*) and 44 | 4 of them ) and 45 | all of ($op*)) or 46 | ( all of them ) 47 | } 48 | 49 | rule Ransom_Ryuk_sept2020 { 50 | meta: 51 | description = "Detecting latest Ryuk samples" 52 | author = "McAfe ATR" 53 | date = "2020-10-13" 54 | malware_type = "ransomware" 55 | malware_family = "Ransom:W32/Ryuk" 56 | actor_type = "Cybercrime" 57 | actor_group = "Unknown" 58 | hash1 = "cfdc2cb47ef3d2396307c487fc3c9fe55b3802b2e570bee9aea4ab1e4ed2ec28" 59 | strings: 60 | $x1 = "\" /TR \"C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p " fullword ascii 61 | $x2 = "cmd.exe /c \"bcdedit /set {default} recoveryenabled No & bcdedit /set {default}\"" fullword ascii 62 | $x3 = "cmd.exe /c \"bootstatuspolicy ignoreallfailures\"" fullword ascii 63 | $x4 = "cmd.exe /c \"vssadmin.exe Delete Shadows /all /quiet\"" fullword ascii 64 | $x5 = "C:\\Windows\\System32\\cmd.exe" fullword ascii 65 | $x6 = "cmd.exe /c \"WMIC.exe shadowcopy delete\"" fullword ascii 66 | $x7 = "/C REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"EV\" /t REG_SZ /d \"" fullword wide 67 | $x8 = "W/C REG DELETE \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"EV\" /f" fullword wide 68 | $x9 = "\\System32\\cmd.exe" fullword wide 69 | $s10 = "Ncsrss.exe" fullword wide 70 | $s11 = "lsaas.exe" fullword wide 71 | $s12 = "lan.exe" fullword wide 72 | $s13 = "$WGetCurrentProcess" fullword ascii 73 | $s14 = "\\Documents and Settings\\Default User\\sys" fullword wide 74 | $s15 = "Ws2_32.dll" fullword ascii 75 | $s16 = " explorer.exe" fullword wide 76 | $s17 = "e\\Documents and Settings\\Default User\\" fullword wide 77 | $s18 = "\\users\\Public\\" fullword ascii 78 | $s19 = "\\users\\Public\\sys" fullword wide 79 | $s20 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii 80 | 81 | $seq0 = { 2b c7 50 e8 30 d3 ff ff ff b6 8c } 82 | 
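// Tail of a rule whose header lies above this excerpt; left as found.
$seq1 = { d1 e0 8b 4d fc 8b 14 01 89 95 34 ff ff ff c7 45 }
// NOTE(review): $seq2 is byte-for-byte identical to $seq1, so "all of ($seq*)" below is
// satisfied by a single hit; presumably one of the two was meant to be a different sequence.
$seq2 = { d1 e0 8b 4d fc 8b 14 01 89 95 34 ff ff ff c7 45 }
condition:
    ( uint16(0) == 0x5a4d and
      filesize < 400KB and
      ( 1 of ($x*) and 5 of them ) and
      all of ($seq*) ) or
    ( all of them )
}

rule RANSOM_RYUK_May2021 : ransomware
{
    meta:
        description = "Rule to detect latest May 2021 compiled Ryuk variant"
        author = "Marc Elias | McAfee ATR Team"
        date = "2021-05-21"
        hash = "8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a"
        version = "0.1"

    strings:
        $ryuk_filemarker = "RYUKTM" fullword wide ascii

        // push 0x249F0 (150000) ; call [imm32] or call ecx ; push imm32 ; push 1
        // 150000 presumably is a Sleep() interval in ms -- confirm against the sample.
        $sleep_constants = { 68 F0 49 02 00 FF (15|D1) [0-4] 68 ?? ?? ?? ?? 6A 01 }
        // push 0x6A4 ; push 0x44 ; lea ... ; push reg ; push 0 ; push 0x20 ; ... ; call [imm32]
        $icmp_echo_constants = { 68 A4 06 00 00 6A 44 8D [1-6] 5? 6A 00 6A 20 [5-20] FF 15 }

    condition:
        // MZ stub plus a real PE signature at e_lfanew: this is the gate the other rules in
        // this set should copy -- a bare uint16(0) == 0x5a4d also accepts DOS/stub-only files.
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3C)) == 0x00004550
        and filesize < 200KB
        and ( $ryuk_filemarker
            or ( $sleep_constants
                and $icmp_echo_constants ))
}

// ---- file: /ransomware/RANSOM_SamSam.yar ----
import "pe"

rule SAmSAmRansom2016 {

    meta:
        author = "Christiaan Beek | McAfee ATR Team"
        date = "2018-01-25"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/SamSam"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash1 = "45e00fe90c8aa8578fce2b305840e368d62578c77e352974da6b8f8bc895d75b"

    strings:
        // Restart Manager / process-killing strings and .NET type names of the samsam assembly.
        $x1 = "Could not list processes locking resource. Failed to get size of result." fullword wide
        $s2 = "Could not list processes locking resource." fullword wide
        $s3 = "samsam.del.exe" fullword ascii
        $s4 = "samsam.exe" fullword wide
        $s5 = "RM_UNIQUE_PROCESS" fullword ascii
        $s6 = "KillProcessWithWait" fullword ascii
        $s7 = "killOpenedProcessTree" fullword ascii
        $s8 = "RM_PROCESS_INFO" fullword ascii
        $s9 = "Exception caught in process: {0}" fullword wide
        $s10 = "Could not begin restart session. Unable to determine file locker." fullword wide
        $s11 = "samsam.Properties.Resources.resources" fullword ascii
        $s12 = "EncryptStringToBytes" fullword ascii
        $s13 = "recursivegetfiles" fullword ascii
        $s14 = "RSAEncryptBytes" fullword ascii
        $s15 = "encryptFile" fullword ascii
        $s16 = "samsam.Properties.Resources" fullword wide
        $s17 = "TSSessionId" fullword ascii
        $s18 = "Could not register resource." fullword wide
        $s19 = "b__0" fullword ascii
        $s20 = "create_from_resource" fullword ascii

        $op0 = { 96 00 e0 00 29 00 0b 00 34 23 }
        $op1 = { 96 00 12 04 f9 00 34 00 6c 2c }
        $op2 = { 72 a5 0a 00 70 a2 06 20 94 }

    condition:
        // NOTE(review): this imphash is, as far as I know, the generic single-import .NET
        // (mscoree!_CorExeMain) value shared by most managed executables, so on its own it
        // adds little; the string and $op requirements carry the detection. Confirm.
        ( uint16(0) == 0x5a4d and
          filesize < 700KB and
          pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and
          ( 1 of ($x*) and
            4 of them ) and
          all of ($op*) ) or
        ( all of them )
}

rule SamSam_Ransomware_Latest
{
    meta:
        description = "Latest SamSam ransomware samples"
        author = "Christiaan Beek"
        date = "2018-01-23"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/SamSam"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html"
        hash = "88e344977bf6451e15fe202d65471a5f75d22370050fe6ba4dfa2c2d0fae7828"

    strings:
        // Hex-looking constants embedded as UTF-16 strings; build-specific, so expect churn.
        $s1 = "bedf08175d319a2f879fe720032d11e5" fullword wide
        $s2 = "ksdghksdghkddgdfgdfgfd" fullword ascii
        $s3 = "osieyrgvbsgnhkflkstesadfakdhaksjfgyjqqwgjrwgehjgfdjgdffg" fullword ascii
        $s4 = "5c2d376c976669efaf9cb107f5a83d0c" fullword wide
        $s5 = "B917754BCFE717EB4F7CE04A5B11A6351EEC5015" fullword ascii
        $s6 = "f99e47c1d4ccb2b103f5f730f8eb598a" fullword wide
        $s7 = "d2db284217a6e5596913e2e1a5b2672f" fullword wide
        $s8 = "0bddb8acd38f6da118f47243af48d8af" fullword wide
        $s9 = "f73623dcb4f62b0e5b9b4d83e1ee4323" fullword wide
        $s10 = "916ab48e32e904b8e1b87b7e3ced6d55" fullword wide
        $s11 = "c6e61622dc51e17195e4df6e359218a2" fullword wide
        $s12 = "2a9e8d549af13031f6bf7807242ce27f" fullword wide
        $s13 = "e3208957ad76d2f2e249276410744b29" fullword wide
        $s14 = "b4d28bbd65da97431f494dd7741bee70" fullword wide
        $s15 = "81ee346489c272f456f2b17d96365c34" fullword wide
        $s16 = "94682debc6f156b7e90e0d6dc772734d" fullword wide
        $s17 = "6943e17a989f11af750ea0441a713b89" fullword wide
        $s18 = "b1c7e24b315ff9c73a9a89afac5286be" fullword wide
        $s19 = "90928fd1250435589cc0150849bc0cff" fullword wide
        $s20 = "67da807268764a7badc4904df351932e" fullword wide

        $op0 = { 30 01 00 2b 68 79 33 38 68 34 77 65 36 34 74 72 }
        $op1 = { 01 00 b2 04 00 00 01 00 84 }
        $op2 = { 68 09 00 00 38 66 00 00 23 55 53 00 a0 6f 00 00 }

    condition:
        // Same (probably generic .NET) imphash as SAmSAmRansom2016 -- see note there.
        ( uint16(0) == 0x5a4d and
          filesize < 100KB and
          pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and
          ( 8 of them ) and
          all of ($op*) ) or
        ( all of them )
}

// ---- file: /ransomware/RANSOM_Shiva.yar ----
rule unpacked_shiva_ransomware {

    meta:
        description = "Rule to detect an unpacked sample of Shiva ransomware"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2018-09-05"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Shiva"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://twitter.com/malwrhunterteam/status/1037424962569732096"
        hash = "299bebcb18e218254960ef96c2e65a4dc1945dcdfe9fc68550022f99a474f56d"

    strings:
        // Debug PDB path plus ransom-note text; "all of them" makes this a single-build rule.
        $s1 = "c:\\Users\\sys\\Desktop\\v 0.5\\Shiva\\Shiva\\obj\\Debug\\shiva.pdb" fullword ascii
        $s2 = "This email will be as confirmation you are ready to pay for decryption key." fullword wide
        $s3 = "Your important files are now encrypted due to a security problem with your PC!" fullword wide
        $s4 = "write.php?info=" fullword wide
        $s5 = " * Do not try to decrypt your data using third party software, it may cause permanent data loss." fullword wide
        $s6 = " * Do not rename encrypted files." fullword wide
        $s7 = ".compositiontemplate" fullword wide
        $s8 = "You have to pay for decryption in Bitcoins. The price depends on how fast you write to us." fullword wide
        $s9 = "\\READ_IT.txt" fullword wide
        $s10 = ".lastlogin" fullword wide
        $s11 = ".logonxp" fullword wide
        $s12 = " * Decryption of your files with the help of third parties may cause increased price" fullword wide
        $s13 = "After payment we will send you the decryption tool that will decrypt all your files." fullword wide

    condition:
        ( uint16(0) == 0x5a4d and
          filesize < 800KB ) and
        all of them
}

// ---- file: /ransomware/RANSOM_Sodinokibi.yar ----
import "pe"

rule ransomware_sodinokibi {
    meta:
        description = "Using a recently disclosed vulnerability in Oracle WebLogic, criminals use it to install a new variant of ransomware called 'Sodinokibi'"
        author = "Christiaan Beek | McAfee ATR team"
        date = "2019-05-13"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Sodinokibi"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash4 = "9b62f917afa1c1a61e3be0978c8692dac797dd67ce0e5fd2305cc7c6b5fef392"

    strings:
        $x1 = "sodinokibi.exe" fullword wide

        // $y0/$y1 carry fixed call displacements, so they are tied to one build layout.
        $y0 = { 8d 85 6c ff ff ff 50 53 50 e8 62 82 00 00 83 c4 }
        $y1 = { e8 24 ea ff ff ff 75 08 8b ce e8 61 fc ff ff 8b }
        $y2 = { e8 01 64 ff ff ff b6 b0 }

    condition:
        // $x1 only participates through the "all of them" fallback.
        ( uint16(0) == 0x5a4d and
          filesize < 900KB and
          pe.imphash() == "672b84df309666b9d7d2bc8cc058e4c2" and
          all of ($y*) ) or
        ( all of them )
}

rule Sodinokobi
{
    meta:
        description = "This rule detect Sodinokobi Ransomware in memory in old samples and perhaps future."
        author = "McAfee ATR team"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Sodinokibi"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        version = "1.0"

    strings:
        // Two byte-swapping loops operating on a 256-byte stack table (ebp-0x104), i.e. what
        // looks like an RC4-style key schedule and stream XOR -- confirm before relying on it.
        $a = { 40 0F B6 C8 89 4D FC 8A 94 0D FC FE FF FF 0F B6 C2 03 C6 0F B6 F0 8A 84 35 FC FE FF FF 88 84 0D FC FE FF FF 88 94 35 FC FE FF FF 0F B6 8C 0D FC FE FF FF }
        $b = { 0F B6 C2 03 C8 8B 45 14 0F B6 C9 8A 8C 0D FC FE FF FF 32 0C 07 88 08 40 89 45 14 8B 45 FC 83 EB 01 75 AA }

    condition:
        // Deliberately no MZ/filesize gate: intended for memory scans (see description).
        all of them
}

// ---- file: /ransomware/RANSOM_acroware.yar ----
rule screenlocker_acroware {

    meta:
        description = "Rule to detect the ScreenLocker Acroware"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2018-08-28"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Acroware"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
        hash = "f9efcfc5328e6502cbbbff752a940ac221e437d8732052fc265618f6a6ad72ae"

    strings:
        $s1 = "C:\\Users\\patri\\Documents\\Visual Studio 2015\\Projects\\Advanced Ransi\\Advanced Ransi\\obj\\Debug\\Advanced Ransi.pdb" fullword ascii
        $s2 = "All your Personal Data got encrypted and the decryption key is stored on a hidden" fullword ascii
        $s3 = "alphaoil@mail2tor.com any try of removing this Ransomware will result in an instantly " fullword ascii
        // "SoftwareE" is not a typo in the rule: presumably copied verbatim from the sample,
        // which would also explain why the Run-key persistence path is broken. Do not "fix".
        $s4 = "HKEY_CURRENT_USER\\SoftwareE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide
        $s5 = "webserver, after 72 hours thedecryption key will get removed and your personal" fullword ascii

    condition:
        ( uint16(0) == 0x5a4d and
          filesize < 2000KB ) and
        all of them
}

// ---- file: /ransomware/RANSOM_amba.yar ----
rule amba_ransomware {

    meta:
        description = "Rule to detect Amba Ransomware"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2017-07-03"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Amba"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.enigmasoftware.com/ambaransomware-removal/"
        hash = "b9b6045a45dd22fcaf2fc13d39eba46180d489cb4eb152c87568c2404aecac2f"

    strings:
        // Bundled driver/installer/console/DLL names (look like DiskCryptor components -- confirm).
        $s1 = "64DCRYPT.SYS" fullword wide
        $s2 = "32DCRYPT.SYS" fullword wide
        $s3 = "64DCINST.EXE" fullword wide
        $s4 = "32DCINST.EXE" fullword wide
        $s5 = "32DCCON.EXE" fullword wide
        $s6 = "64DCCON.EXE" fullword wide
        $s8 = "32DCAPI.DLL" fullword wide
        $s9 = "64DCAPI.DLL" fullword wide
        // base64: " & shutdown /f /r /t 0"
        $s10 = "ICYgc2h1dGRvd24gL2YgL3IgL3QgMA==" fullword ascii
        // base64: "C:\Users\ABCD\netpass.txt"
        $s11 = "QzpcVXNlcnNcQUJDRFxuZXRwYXNzLnR4dA==" fullword ascii
        $s12 = ")!pssx}v!pssx}v))!pssx}v!pssx}v))!pssx}v!pssx}v))!pssx}v!pssx}v))!pssx}v!pssx}v))!pssx}v!pssx}v))!pssx}v!pssx}v)" fullword ascii
        // base64: "DefragmentService"
        $s13 = "RGVmcmFnbWVudFNlcnZpY2U="
        // base64: "-encrypt pt9 -p " / pt7 / pt6 / pt3 (per-partition encrypt command lines)
        $s14 = "LWVuY3J5cHQgcHQ5IC1wIA=="
        $s15 = "LWVuY3J5cHQgcHQ3IC1wIA=="
        $s16 = "LWVuY3J5cHQgcHQ2IC1wIA=="
        $s17 = "LWVuY3J5cHQgcHQzIC1wIA=="

    condition:
        ( uint16(0) == 0x5a4d and
          filesize < 3000KB and
          ( 8 of them )) or
        ( all of them )
}

// ---- file: /ransomware/RANSOM_egregor.yar ----
import "pe"
import "hash"

rule ransom_egregor {

    meta:
        description = "Detect Egregor ransomware"
        author = "Thomas Roccia | McAfee ATR team"
        reference = "https://bazaar.abuse.ch/sample/004a2dc3ec7b98fa7fe6ae9c23a8b051ec30bcfcd2bc387c440c07ff5180fe9a/"
        date = "2020-10-28"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom/Egregor"
        actor_type = "Cybercrime"
        actor_group = "egregor"
        hash = "5f9fcbdf7ad86583eb2bbcaa5741d88a"

    strings:
        $p1 = "ewdk.pdb" fullword ascii
        $p2 = "testbuild.pdb" fullword ascii

        // NOTE(review): a 3-byte case-insensitive atom; YARA will most likely warn that it
        // slows scanning, and it is only usable because it is paired with $s2/$s3 and the
        // section-name check below.
        $s1 = "M:\\" nocase ascii
        $s2 = "1z1M9U9" fullword wide
        $s3 = "C:\\Logmein\\{888-8888-9999}\\Logmein.log" fullword wide

    condition:
        // FIX: the original condition had no parentheses, so "and" bound tighter than "or"
        // and the second branch (section names + strings) ran without the MZ / filesize gate.
        // The gate now applies to both branches; the branches themselves are unchanged.
        // pe.rich_signature.clear_data / pe.sections[4..5] are undefined on files without a
        // Rich header or with fewer than six sections, which YARA treats as false.
        uint16(0) == 0x5a4d and filesize < 2000KB and
        (
            hash.sha256(pe.rich_signature.clear_data) == "b030ed1a7ca222a0923a59f321be7e55b8d0fc24c1134df1ba775bcf0994c79c"
            or
            ( pe.sections[4].name == ".gfids" and pe.sections[5].name == ".00cfg" and
              ( any of ($p*) or 2 of ($s*) ) )
        )
}

// ---- file: /ransomware/RANSOM_jeff_dev.yar ----
rule jeff_dev_ransomware {

    meta:
        description = "Rule to detect Jeff Dev Ransomware"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2018-08-26"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Jeff"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
        hash = "386d4617046790f7f1fcf37505be4ffe51d165ba7cbd42324aed723288ca7e0a"

    strings:
        $s1 = "C:\\Users\\Umut\\Desktop\\takemeon" fullword wide
        $s2 = "C:\\Users\\Umut\\Desktop\\" fullword ascii
        $s3 = "PRESS HERE TO STOP THIS CREEPY SOUND AND VIEW WHAT HAPPENED TO YOUR COMPUTER" fullword wide
        $s4 = "WHAT YOU DO TO MY COMPUTER??!??!!!" fullword wide

    condition:
        ( uint16(0) == 0x5a4d and
          filesize < 5000KB ) and
        all of them
}

// ---- file: /ransomware/RANSOM_locdoor.yar ----
rule locdoor_ransomware {

    meta:
        description = "Rule to detect Locdoor/DryCry"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2018-09-02"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Locdoor"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://twitter.com/leotpsc/status/1036180615744376832"
        hash = "0000c55f7cdbbad9bacba0e79637696f3bfeb95a5f71dfa0b398bc77a207eb41"

    strings:
        // Embedded batch/VBS lines: Startup-folder persistence and a SAPI text-to-speech note.
        $s1 = "copy \"Locdoor.exe\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\temp00000000.exe\"" fullword ascii
        $s2 = "copy wscript.vbs C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\wscript.vbs" fullword ascii
        $s3 = "!! Your computer's important files have been encrypted! Your computer's important files have been encrypted!" fullword ascii
        $s4 = "echo CreateObject(\"SAPI.SpVoice\").Speak \"Your computer's important files have been encrypted! " fullword ascii
        $s5 = "! Your computer's important files have been encrypted! " fullword ascii
        $s7 = "This program is not supported on your operating system." fullword ascii
        $s8 = "echo Your computer's files have been encrypted to Locdoor Ransomware! To make a recovery go to localbitcoins.com and create a wa" ascii
        $s9 = "Please enter the password." fullword ascii

    condition:
        ( uint16(0) == 0x5a4d and
          filesize < 600KB ) and
        all of them
}

// ---- file: /ransomware/RANSOM_makop.yar ----
rule RANSOM_makop
{
    meta:
        description = "Rule to detect the unpacked Makop ransomware samples"
        author = "Marc Rivero | McAfee ATR Team"
        date = "2020-07-19"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Makop"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash = "008e4c327875110b96deef1dd8ef65cefa201fef60ca1cbb9ab51b5304e66fe1"

    strings:
        // Code fragments with call/import targets wildcarded (e8 ???????? / ff15 ????????).
        $pattern_0 = { 50 8d7c2420 e8???????? 84c0 0f84a6020000 8b742460 ba???????? }
        $pattern_1 = { 51 52 53 ffd5 85c0 746d 8b4c240c }
        $pattern_2 = { 7521 68000000f0 6a18 6a00 6a00 56 ff15???????? }
        $pattern_3 = { 83c40c 8d4e0c 51 66c7060802 66c746041066 c6460820 }
        $pattern_4 = { 51 ffd3 50 ffd7 8b4628 85c0 }
        $pattern_5 = { 85c9 741e 8b4508 8b4d0c 8a11 }
        $pattern_6 = { 83c002 6685c9 75f5 2bc6 d1f8 66390c46 8d3446 }
        $pattern_7 = { 895a2c 8b7f04 85ff 0f85f7feffff 55 6a00 }
        $pattern_8 = { 8b3d???????? 6a01 6a00 ffd7 50 ff15???????? }
        $pattern_9 = { 85c0 7407 50 ff15???????? }

    condition:
        // No MZ gate by design (unpacked / memory-dumped input); filesize is in bytes.
        7 of them and
        filesize < 237568
}

// ---- file: /ransomware/RANSOM_mountlocker.yar ----
rule RANSOM_mountlocker
{
    meta:
        description = "Rule to detect Mount Locker ransomware"
        author = "McAfee ATR Team"
        date = "2020-09-25"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransomware:W32/MountLocker"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash1 = "4b917b60f4df6d6d08e895d179a22dcb7c38c6a6a6f39c96c3ded10368d86273"
        hash2 = "f570d5b17671e6f3e56eae6ad87be3a6bbfac46c677e478618afd9f59bf35963"

    strings:
        // "cid=%CLIENT_ID"
        $s1 = {63 69 64 3d 25 43 4c 49 45 4e 54 5f 49 44}
        // "zsa3wxvbb7gv65wnl7lersleee3c7i27ndqghqm6jt2priva2qcdponad.onion"
        $s2 = {7a 73 61 33 77 78 76 62 62 37 67 76 36 35 77 6e 6c 37 6c 65 72 73 6c 65 65 33 63 37 69 32 37 6e 64 71 67 68 71 6d 36 6a 74 32 70 72 69 76 61 32 71 63 64 70 6f 6e 61 64 2e 6f 6e 69 6f 6e}
        // "6mlzahkc7vejytppbqhqjou4ipftgs3gizof2x4zklblliayhsqb3wad.onion"
        $s3 = {36 6d 6c 7a 61 68 6b 63 37 76 65 6a 79 74 70 70 62 71 68 71 6a 6f 75 34 69 70 66 74 67 73 33 67 69 7a 6f 66 32 78 34 7a 6b 6c 62 6c 6c 69 61 79 68 73 71 62 33 77 61 64 2e 6f 6e 69 6f 6e}

    condition:
        // FIX: without parentheses "and" bound tighter than "or", so the whole condition
        // collapsed to "... or $s1" and the rule fired on the bare "cid=%CLIENT_ID" string in
        // any file, of any type and size. The MZ / filesize gate now covers every branch.
        // NOTE(review): the disjunction still reduces to "$s1" (the .onion strings are never
        // required); tighten to "$s1 and ($s2 or $s3)" if FPs on $s1 alone are a problem.
        uint16(0) == 0x5a4d and
        filesize < 300KB and
        (
            ( $s1 and $s2 ) or
            ( $s1 and $s3 ) or
            $s1
        )
}

// ---- file: /ransomware/RANSOM_ragnarlocker.yar ----
import "pe"

rule ragnarlocker_ransomware {

    meta:
        description = "Rule to detect RagnarLocker samples"
        author = "McAfee ATR Team"
        date = "2020-04-15"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/RagnarLocker"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/"
        hash = "9706a97ffa43a0258571def8912dc2b8bf1ee207676052ad1b9c16ca9953fc2c"

    strings:
        // "---RAGNAR SECRET---"
        $s1 = {2D 2D 2D 52 41 47 4E 41 52 20 53 45 43 52 45 54 2D 2D 2D}
        // $s2..$s5 are heavily wildcarded generic code shapes (cmov, test/jz, cmp/jnz ...);
        // on their own they are weak, hence "4 of ($s*) and $op1".
        $s2 = { 66 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? B8 ?? ?? ?? ?? 0F 44 }
        $s3 = { 5? 8B ?? 5? 5? 8B ?? ?? 8B ?? 85 ?? 0F 84 }
        $s4 = { FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 }
        $s5 = { 8D ?? ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }

        $op1 = { 0f 11 85 70 ff ff ff 8b b5 74 ff ff ff 0f 10 41 }

        // $p1 (pushad; mov esi,imm; lea edi,[esi-0xF000]; push edi; jmp) looks like the
        // UPX 3.x unpacking stub entry -- i.e. this branch keys on one packed build, not on
        // RagnarLocker itself; the imphash does the real work there. Confirm.
        $p0 = { 72 eb fe ff 55 8b ec 81 ec 00 01 00 00 53 56 57 }
        $p1 = { 60 be 00 00 41 00 8d be 00 10 ff ff 57 eb 0b 90 }

        $bp0 = { e8 b7 d2 ff ff ff b6 84 }
        $bp1 = { c7 85 7c ff ff ff 24 d2 00 00 8b 8d 7c ff ff ff }
        $bp2 = { 8d 85 7c ff ff ff 89 85 64 ff ff ff 8d 4d 84 89 }

    condition:
        // FIX: the original had no parentheses, so the MZ / filesize gate applied only to the
        // first branch; the $p and $bp branches were gated by imphash alone (which does imply
        // a parsable PE, but not the size bound). All three branches are now gated uniformly.
        uint16(0) == 0x5a4d and
        filesize < 100KB and
        (
            ( 4 of ($s*) and $op1 ) or
            ( all of ($p*) and pe.imphash() == "9f611945f0fe0109fe728f39aad47024" ) or
            ( all of ($bp*) and pe.imphash() == "489a2424d7a14a26bfcfb006de3cd226" )
        )
}

// ---- file: /ransomware/RANSOM_shrug2.yar ----
rule shrug2_ransomware {

    meta:
        description = "Rule to detect the Shrug Ransomware"
        author = "McAfee ATR Team"
        date = "2018-07-12"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Shrug"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://blogs.quickheal.com/new-net-ransomware-shrug2/"
        hash = "c89833833885bafdcfa1c6ee84d7dbcf2389b85d7282a6d5747da22138bd5c59"

    strings:
        $s1 = "C:\\Users\\Gamer\\Desktop\\Shrug2\\ShrugTwo\\ShrugTwo\\obj\\Debug\\ShrugTwo.pdb" fullword ascii
        $s2 = "http://tempacc11vl.000webhostapp.com/" fullword wide
        $s3 = "Shortcut for @ShrugDecryptor@.exe" fullword wide
        // $s4/$s5 are generic (user profile root, Windows connectivity-check URL) and only
        // contribute via "all of them".
        $s4 = "C:\\Users\\" fullword wide
        $s5 = "http://clients3.google.com/generate_204" fullword wide
        $s6 = "\\Desktop\\@ShrugDecryptor@.lnk" fullword wide

    condition:
        ( uint16(0) == 0x5a4d and
          filesize < 2000KB ) and
        all of them
}

// ---- file: /ransomware/RANSOM_snake_ransomware.yar ----
rule snake_ransomware {

    meta:
        description = "Rule to detect Snake ransomware"
        author = "McAfee ATR Team"
        date = "2020-02-20"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/EKANS"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"
        hash = "e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60"

    strings:
        // NUL-terminated Go source path left in the binary, with a few bytes wildcarded:
        // "C:/Us?r?/WIN1/go/s?c/jobnhbgnnifpodhhp?mf/nfdlhophkeijadgfddim/nfdlhophkeijadgfddim/vt_st?ing.go"
        $snake = { 43 3A 2F 55 73 ?? 72 ?? 2F 57 49 4E 31 2F 67 6F 2F 73 ?? 63 2F 6A 6F 62 6E 68 62 67 6E 6E 69 66 70 6F 64 68 68 70 ?? 6D 66 2F 6E 66 64 6C 68 6F 70 68 6B 65 69 6A 61 64 67 66 64 64 69 6D 2F 6E 66 64 6C 68 6F 70 68 6B 65 69 6A 61 64 67 66 64 64 69 6D 2F 76 74 5F 73 74 ?? 69 6E 67 2E 67 6F 00 }

    condition:
        // Large bound because Go binaries are statically linked.
        ( uint16(0) == 0x5a4d and
          filesize < 11000KB ) and
        all of them
}

// ---- file: /ransomware/RANSOM_termite.yar ----
rule termite_ransomware {

    meta:
        description = "Rule to detect the Termite Ransomware"
        author = "McAfee ATR Team"
        date = "2018-08-28"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Termite"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
        hash = "021ca4692d3a721af510f294326a31780d6f8fcd9be2046d1c2a0902a7d58133"

    strings:
        $s1 = "C:\\Windows\\SysNative\\mswsock.dll" fullword ascii
        $s2 = "C:\\Windows\\SysWOW64\\mswsock.dll" fullword ascii
        // Run-key persistence paths and drop location.
        $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Termite.exe" fullword ascii
        $s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Payment.exe" fullword ascii
        $s5 = "C:\\Windows\\Termite.exe" fullword ascii
        $s6 = "\\Shell\\Open\\Command\\" fullword ascii
        $s7 = "t314.520@qq.com" fullword ascii
        $s8 = "(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" fullword ascii

    condition:
        ( uint16(0) == 0x5a4d and
          filesize < 6000KB ) and
        all of them
}

// ---- file: /ransomware/RANSOM_thiefquest.yar ----
rule MALW_thiefquest
{
    meta:
        description = "Rule to detect the Evilquest/ThiefQuest malware"
        author = "McAfee ATR Team"
        date = "2020-07-09"
        rule_version = "v1"
        malware_type = "keylogger, backdoor, ransomware"
        actor_type = "Cybercrime"
        malware_family = "Ransom:OSX/ThiefQuest"
        reference = "https://www.bleepingcomputer.com/news/security/thiefquest-ransomware-is-a-file-stealing-mac-wiper-in-disguise/"
        hash = "5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b"

    strings:
        // NOTE(review): several of these are 4-6 byte generic x86-64 sequences
        // ($pattern_0/8/15/17/18 in particular); the "7 of them" threshold is what keeps
        // the rule usable. Review FP rate before deploying broadly.
        $pattern_0 = { 01c1 48 83c102 48 }
        $pattern_1 = { 8c1471 80c1c1 98 1c8c }
        $pattern_2 = { d8974f0dc89a 9f c9 9adf70cd595390 }
        $pattern_3 = { d897c56f028c 2393a0a42e92 8ea2c27affc2 f8 }
        $pattern_4 = { 477006 baa6a1cb82 ae f9 e8???????? d8a32bd0d519 }
        $pattern_5 = { d898ab5c757b 2f f26f 5d }
        $pattern_6 = { bc007a846b 2b54adaf 93 35eddf38e6 cdd0 b246 }
        $pattern_7 = { ae 49b00e 01d1 45da611b 44839db656691674 }
        $pattern_8 = { 01c1 48 83c101 48 }
        $pattern_9 = { 6be3c6 5c 99 ae ed bf370e2f47 }
        $pattern_10 = { fd d7 43bd18fd6f06 7937 fa }
        $pattern_11 = { 01c2 48 83c201 bf01000000 }
        $pattern_12 = { d89825ed4469 29f1 5c e12d }
        $pattern_13 = { d8992062f7f9 73ff 90 085fc6 }
        $pattern_14 = { 01c1 6689ca 668995cefeffff e9???????? }
        $pattern_15 = { 01c1 41 89c8 44 }
        $pattern_16 = { d89935c487a7 bcdffa587c be6cadbb3c 185fc4 }
        $pattern_17 = { 01c1 48 8b75a8 48 }
        $pattern_18 = { 0000 48 8945f8 e9???????? }
        $pattern_19 = { d89959d6472d a2???????? 3525c7eec9 95 }
        $pattern_20 = { 01c2 48 83c203 bf01000000 }
        $pattern_21 = { 4a7888 ab 23e7 cf 11f3 }
        $pattern_22 = { d8982fbf222d 49 92 1d25b42bba }
        $pattern_23 = { e2d7 8437 6b4696d9 92 9d a6 }

    condition:
        // NOTE(review): 124322606 bytes (~118 MiB) is effectively no size bound, and there is
        // no file-type gate at all. Since the family is macOS (see malware_family/reference),
        // a Mach-O magic check (e.g. uint32(0) == 0xfeedfacf, or the fat-binary magic) would
        // be the natural gate -- left unchanged here because it could not be validated
        // against the referenced samples.
        7 of them and
        filesize < 124322606
}

// ---- file: /ransomware/RANSOM_wannaren.yar ----
rule wannaren_ransomware {

    meta:
        description = "Rule to detect WannaRen Ransomware"
        author = "McAfee ATR Team"
        date = "2020-04-25"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/WannaRen"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        reference = "https://blog.360totalsecurity.com/en/attention-you-may-have-become-a-susceptible-group-of-wannaren-ransomware/"
        hash = "7b364f1c854e6891c8d09766bcc9a49420e0b5b4084d74aa331ae94e2cfb7e1d"

    strings:
        $sq0 = { 92 93 a91c2ea521 59 334826 }
        $sq1 = { d0ce 6641 c1e9c0 41 80f652 49 c1f94d }
        $sq2 = { 80f8b5 4d 63c9 f9 4d 03d9 41 }
        $sq3 = { 34b7 d2ea 660fbafa56 0f99c2 32d8 660fbafaed 99 }
        $sq4 = { f9 f7c70012355f 35c01f5226 f9 8d8056c800b0 f6c4b2 f9 }
        $sq5 = { f5 f9 44 3aeb 45 33cd 41 }
        $sq6 = { 890f c0ff12 44 b4a3 ee 2b4e70 7361 }
        $sq7 = { 81c502000000 6689542500 6681d97a1e 660fabe1 660fbae1a5 8b0f 8dbf04000000 }
        $sq8 = { 8d13 de11 d7 677846 f1 0d8cd45f87 bb34b98f33 }
        $sq9 = { 1440 4b 41 e8???????? 397c0847 }

    condition:
        uint16(0) == 0x5a4d and
        filesize < 21000KB and
        7 of them
}

// ---- file: /ransomware/RANSOM_wastedlocker.yar ----
rule RANSOM_wastedlocker
{
    meta:
        description = "Rule to detect unpacked samples of WastedLocker"
        author = "McAfee ATR Team"
        date = "2020-07-27"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/WastedLocker"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash1 = "ae255679f487e2e9075ffd5e8c7836dd425229c1e3bd40cfc46fbbceceec7cf4"

    strings:
        $pattern_0 = { 8d45fc 50 53 53 6a19 ff75f8 }
        $pattern_1 = { 66833b00 8bf3 0f8485000000 8b7d10 8b472c 85c0 7410 }
        $pattern_2 = { e8???????? 8b4d08 8b4518 8d0441 6683600200 83c40c 837d1400 }
        $pattern_3 = { 8701 e9???????? 8bc7 5f 5e 5b }
        $pattern_4 = { 8bf8 3bfb 742f 53 8d45fc 50 56 }
        $pattern_5 = { 6a10 8d45f0 6a00 50 e8???????? 83c40c 5e }
        $pattern_6 = { 5f 5d c20800 55 8bec }
        $pattern_7 = { 8d7e04 ff15???????? 85c0 8945e8 740e 2b4510 }
        // imul eax, 0x19660d ; add eax, 0x3c6ef35f -- constants of a common LCG PRNG step.
        $pattern_8 = { ff15???????? 8b45dc 8b4dbc 69c00d661900 055ff36e3c 8945dc }
        $pattern_9 = { 8b4d08 8b19 03d8 f7d0 c1c60f 03f2 0bc6 }

    condition:
        // No MZ gate by design (unpacked input); filesize is in bytes.
        7 of them and
        filesize < 1806288
}

// ---- file: /ransomware/RANSOM_xinof.yar ----
private rule ransom_xinof_chunk
{
    meta:
        description = "Detect chunk of Xinof ransomware"
        author = "Thomas Roccia | McAfee ATR Team"
        date = "2020-11-20"
        reference = "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom/XINOF"
        actor_type = "Cybercrime"
        actor_group = "FONIX"
        hash = "0C1E6299A2392239DBE7FEAD33EF4146"

    strings:
        // A run of "mov byte [ebp+X], imm8 ; push ... ; call ..." with every operand
        // wildcarded: a code shape, not a constant, so it has no gate of its own and is only
        // meaningful through the public rule below.
        $chunk1 = {
            C6 45 ?? ??
            68 ?? ?? ?? ??
            50
            E8 ?? ?? ?? ??
            53
            50
            8D 85 ?? ?? ?? ??
            C6 45 ?? ??
            50
            E8 ?? ?? ?? ??
            56
            50
            8D 85 ?? ?? ?? ??
            C6 45 ?? ??
            50
            E8 ?? ?? ?? ??
            83 C4 ??
            C6 45 ?? ??
            8B CC
            57
            50
            51
            E8 ?? ?? ?? ??
            83 C4 ??
            8D 8D ?? ?? ?? ??
            E8 ?? ?? ?? ??
            83 C4 ??
            8D 8D ?? ?? ?? ??
            E8 ?? ?? ?? ??
        }

    condition:
        any of them
}

rule ransom_xinof
{
    meta:
        description = "Detect Xinof ransomware"
        author = "Thomas Roccia | McAfee ATR team"
        reference = "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/"
        date = "2020-11-20"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom/XINOF"
        actor_type = "Cybercrime"
        actor_group = "FONIX"
        hash = "0C1E6299A2392239DBE7FEAD33EF4146"

    strings:
        $s1 = "XINOF.exe" nocase ascii
        $s2 = "C:\\Users\\Phoenix" nocase ascii
        $s3 = "How To Decrypt Files.hta" nocase ascii
        $s4 = "C:\\ProgramData\\norunanyway" nocase ascii
        $s5 = "C:\\ProgramData\\clast" nocase ascii
        $s6 = "fonix1" nocase ascii
        $s7 = "C:\\Windows\\System32\\shatdown.exe" nocase ascii
        $s8 = "XINOF Ransomw" nocase ascii
        $s9 = "XINOF v4.2" nocase ascii
        $s10 = "XINOF Ransomware Version 3.3" nocase ascii

    condition:
        // FIX: the original "A and B and C or chunk" let the private chunk rule match on its
        // own, with no MZ / filesize gate, against any file type. Both branches are now gated.
        uint16(0) == 0x5a4d and filesize < 2000KB and
        ( 5 of ($s*) or ransom_xinof_chunk )
}

// ---- file: /ransomware/Ransom_Conti.yar ----
import "pe"

rule ransom_conti {

    meta:
        description = "Conti ransomware has the capability to scan and encrypt over the network"
        author = "McAfee ATR team"
        reference = "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/"
        date = "2020-07-09"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Conti"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash = "eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe"

    strings:
        $string1 = "HOW_TO_DECRYPTP" fullword ascii
        $string2 = "The system is LOCKED." fullword ascii
        $string3 = "The network is LOCKED." fullword ascii

        // $code1 embeds an absolute IAT address (call [0x41B0BC]); tied to one build/image base.
        $code1 = { ff b4 b5 48 ff ff ff 53 ff 15 bc b0 41 00 85 c0 }
        $code2 = { 6a 02 6a 00 6a ff 68 ec fd ff ff ff 76 0c ff 15 }
        $code3 = { 56 8d 85 38 ff ff ff 50 ff d7 85 c0 0f 84 f2 01 }

    condition:
        // The imphash alone is enough to match (with the PE/size/section gate); the string
        // and code branch is the fallback for builds with a different import set.
        // "all of them" already implies "all of ($code*)", so the redundant clause was dropped.
        uint16(0) == 0x5a4d and
        filesize < 300KB and
        pe.number_of_sections == 5 and
        ( pe.imphash() == "30fe3f044289487cddc09bfb16ee1fde" or
          all of them )
}

// ---- file: /ransomware/Ransom_Maze.yar ----
rule Ransom_Maze {

    meta:
        description = "Detecting MAZE Ransomware"
        author = "McAfee ATR"
        date = "2020-04-19"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Maze"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash = "5badaf28bde6dcf77448b919e2290f95cd8d4e709ef2d699aae21f7bae68a76c"

    strings:
        // WMI-based process launch used for the ransom note / self-spawn.
        $x1 = "process call create \"cmd /c start %s\"" fullword wide
        $s1 = "%spagefile.sys" fullword wide
        $s2 = "%sswapfile.sys" fullword wide
        $s3 = "%shiberfil.sys" fullword wide
        $s4 = "\\wbem\\wmic.exe" fullword wide
        // Generic IE11 user agent; only meaningful in combination.
        $s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" fullword ascii
        $s6 = "NO MUTEX | " fullword wide
        $s7 = "--nomutex" fullword wide
        $s8 = ".Logging enabled | Maze" fullword wide
        $s9 = "DECRYPT-FILES.txt" fullword wide

        $op0 = { 85 db 0f 85 07 ff ff ff 31 c0 44 44 44 44 5e 5f }
        $op1 = { 66 90 89 df 39 ef 89 fb 0f 85 64 ff ff ff eb 5a }
        $op2 = { 56 e8 34 ca ff ff 83 c4 08 55 e8 0b ca ff ff 83 }

    condition:
        // "4 of them" counts $x*/$s*/$op* together.
        ( uint16(0) == 0x5a4d and
          filesize < 500KB and
          ( 1 of ($x*) and
            4 of them ) and
          all of ($op*) ) or
        ( all of them )
}
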
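// ---- file: /ransomware/Ransom_Mespinoza.yar ----
import "pe"

rule ransom_mespinoza {
    meta:
        description = "rule to detect Mespinoza ransomware"
        author = "Christiaan Beek @ McAfee ATR"
        date = "2020-11-24"
        malware_family = "ransom_Win_Mespinoza"
        hash1 = "e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead"
        hash2 = "48355bd2a57d92e017bdada911a4b31aa7225c0b12231c9cbda6717616abaea3"
        hash3 = "e4287e9708a73ce6a9b7a3e7c72462b01f7cc3c595d972cf2984185ac1a3a4a8"

    strings:
        // $s1/$s2 are generic on their own; the ransom-note sentences carry the detection.
        $s1 = "update.bat" fullword ascii
        $s2 = "protonmail.com" fullword ascii
        $s3 = "Every byte on any types of your devices was encrypted." fullword ascii
        $s4 = "To get all your data back contact us:" fullword ascii
        $s5 = "What to do to get all data back?" fullword ascii
        $s6 = "Don't try to use backups because it were encrypted too." fullword ascii

        // Fixed addresses/displacements inside ($op1: mov byte [0x479b34], 0) -- build-specific.
        $op0 = { 83 f8 4b 75 9e 0f be 46 ff 8d 4d e0 ff 34 85 50 }
        $op1 = { c6 05 34 9b 47 00 00 e8 1f 0c 03 00 59 c3 cc cc }
        $op2 = { e8 ef c5 fe ff b8 ff ff ff 7f eb 76 8b 4d 0c 85 }

    condition:
        // "8 of them" spans the nine $s*/$op* strings, so at most one may be missing.
        ( uint16(0) == 0x5a4d and filesize < 600KB and
          pe.imphash() == "b5e8bd2552848bb7bf2f28228d014742" and
          ( 8 of them ) and 2 of ($op*) ) or
        ( all of them )
}

// ---- file: /ransomware/Ransom_ThunderX.yar ----
import "pe"

rule Ransom_TunderX {
    meta:
        description = "Rule to detect the ThunderX ransomware family"
        author = "McAfee ATR team"
        date = "2020-09-14"
        rule_version = "v1"
        malware_type = "ransomware"
        malware_family = "Ransomware:W32/ThunderX"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash1 = "7bab5dedef124803668580a59b6bf3c53cc31150d19591567397bbc131b9ccb6"
        hash2 = "0fbfdb8340108fafaca4c5ff4d3c9f9a2296efeb9ae89fcd9210e3d4c7239666"
        hash3 = "7527459500109b3bb48665236c5c5cb2ec71ba789867ad2b6417b38b9a46615e"

    strings:
        // The sample stores its command lines hex-encoded as ASCII text; these strings are
        // the encoded form, so a build that stores them in clear text will NOT match.
        // "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
        $pattern1 = "626364656469742E657865202F736574207B64656661756C747D20626F6F74737461747573706F6C6963792069676E6F7265616C6C6661696C75726573"

        // "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
        $s3 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550202D64656C6574654F6C64657374" ascii
        // "bcdedit.exe /set {default} recoveryenabled No"
        $s4 = "626364656469742E657865202F736574207B64656661756C747D207265636F76657279656E61626C6564204E6F" ascii
        // "wbadmin DELETE SYSTEMSTATEBACKUP"
        $s5 = "776261646D696E2044454C4554452053595354454D53544154454241434B5550" ascii
        // "C:\Program Files (x86)\Microsoft SQL Server"
        $s6 = "433A5C50726F6772616D2046696C65732028783836295C4D6963726F736F66742053514C20536572766572" ascii
        // "Global\35355FA5-07E9-428B-B5A5-1C88CAB2B488"
        $s7 = "476C6F62616C5C33353335354641352D303745392D343238422D423541352D314338384341423242343838" ascii
        // "C:\Program Files\Microsoft SQL Server"
        $s8 = "433A5C50726F6772616D2046696C65735C4D6963726F736F66742053514C20536572766572" ascii
        // "vssadmin.exe Delete Shadows /All /Quiet"
        $s9 = "76737361646D696E2E6578652044656C65746520536861646F7773202F416C6C202F5175696574" ascii
        // "wmic.exe SHADOWCOPY /nointeractive"
        $s10 = "776D69632E65786520534841444F57434F5059202F6E6F696E746572616374697665" ascii
        // "SOFTWARE\Microsoft\ERID"
        $s11 = "534F4654574152455C4D6963726F736F66745C45524944" ascii
        $s12 = "AppPolicyGetProcessTerminationMethod" fullword ascii
        // "{PATTERN_ID}", "readme.txt", "\"network\":\"", "\"subid\":\"", "\"lang\":\"", "\"ext\":\"", "id.key", "{UID}"
        $s13 = "7B5041545445524E5F49447D" ascii
        $s14 = "726561646D652E747874" ascii
        $s15 = "226E6574776F726B223A22" ascii
        $s16 = "227375626964223A22" ascii
        $s17 = "226C616E67223A22" ascii
        $s18 = "22657874223A22" ascii
        $s19 = "69642E6B6579" ascii
        $s20 = "7B5549447D" ascii

        // $seq0/$seq2 carry absolute addresses (0x41c410, 0x418134); build-specific.
        $seq0 = { eb 34 66 0f 12 0d 10 c4 41 00 f2 0f 59 c1 ba cc }
        $seq1 = { 6a 07 50 e8 51 ff ff ff 8d 86 d0 }
        $seq2 = { ff 15 34 81 41 00 eb 15 83 f8 fc 75 10 8b 45 f4 }

    condition:
        // Grouping made explicit; it is what the original precedence already evaluated.
        ( ( uint16(0) == 0x5a4d and filesize < 400KB and
            pe.imphash() == "ea7e408cd2a264fd13492973e97d8d70" and
            $pattern1 and 4 of them ) and
          all of ($seq*) ) or
        ( all of them )
}

// ---- file: /ransomware/Ransom_Vovalex1.yar ----
import "pe"

// This rule continues past the end of this excerpt; left as found.
rule ransom_vovalex_part2{
    meta:
        description = "Vovalex ransomware detection part 2"
        author = "CB @ ATR"
        date = "2021-02-01"
        malware_type = "Ransom"
        malware_family = "Ransom:Win/Vovalex"
        hash1 = "0604acc15196120db2f4ca922feb2a4c858a46123cb26e9af2ef97b4c7839121"
        hash2 = "fe9ff27ec0a1a48cbb8bc043f260a656c221c6c61704187a390bc8da6f91103a"
        hash3 = "3b198c367aca1d239abc48bdeb8caabf9b8f2b630071b8e0fd1e86940eab14d6"

    strings:
        $x1 = "If you don't know where to buy Monero - visit these websites: https://www.bestchange.ru/ https://www.bestchange.com" fullword ascii
        $s2 = "Full list: https://www.getmonero.org/community/merchants/#exchanges" fullword ascii
        $s3 = 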
https://www.getmonero.org/community/merchants/#exchanges" fullword ascii 18 | $s4 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\file.d" fullword ascii 19 | $s5 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\utf.d" fullword ascii 20 | $s6 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\stdio.d" fullword ascii 21 | $s7 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\format.d" fullword ascii 22 | $s8 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\random.d" fullword ascii 23 | $s9 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\conv.d" fullword ascii 24 | $s10 = "3. If everything is good, you will receive the decryptor." fullword ascii 25 | $s11 = "Attempting to flush() in an unopened file" fullword ascii 26 | $s12 = "Monero: 4B45W7V1sJAZBnPSnvcipa5k7BRyC4w8GCTfQCUL2XRx5CFzG3iJtEk2kqEvFbF7FagEafRYFfQ6FJnZmep5TsnrSfxpMkS" fullword ascii 27 | $s13 = "..\\AppData\\Local\\dub\\packages\\crypto-0.2.16\\crypto\\src\\crypto\\padding.d" fullword ascii 28 | $s14 = "crypto.aes.AES!(4u, 8u, 14u).AES" fullword ascii 29 | $s15 = "..\\AppData\\Local\\dub\\packages\\crypto-0.2.16\\crypto\\src\\crypto\\aes.d" fullword ascii 30 | $s16 = "Monero - " fullword ascii 31 | $s17 = "std.random.uniform(): invalid bounding interval " fullword ascii 32 | $s18 = "crypto.aes.AESUtils" fullword ascii 33 | $s19 = "2. 
Send us a mail with proofs of transaction: VovanAndLexus@cock.li" fullword ascii 34 | $s20 = "crypto.aes" fullword ascii 35 | 36 | $op0 = { 48 8d 8d 10 ff ff ff e8 4a 22 fe ff f7 df 89 bd } 37 | $op1 = { e8 60 6e fb ff 34 01 75 d6 4c 8b 46 40 48 8b 56 } 38 | $op2 = { 4c 8d 85 40 ff ff ff 4c 8d 15 d2 78 02 00 4c 89 } 39 | condition: 40 | ( uint16(0) == 0x5a4d and filesize < 17000KB and ( 1 of ($x*) and 4 of them ) and all of ($op*) 41 | ) or ( all of them ) 42 | } -------------------------------------------------------------------------------- /ransomware/Ransom_Win_BlackCat_public.yar: -------------------------------------------------------------------------------- 1 | 2 | rule Ransom_Win_BlackCat 3 | { 4 | meta: 5 | description = "Detecting variants of Windows BlackCat malware" 6 | author = " Trellix ATR" 7 | date = "2022-01-06" 8 | malware_type = "Ransomware" 9 | detection_name = "Ransom_Win_BlackCat" 10 | actor_group = "Unknown" 11 | 12 | strings: 13 | 14 | $URL1 = "zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion" ascii wide 15 | $URL2 = "mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion" ascii wide 16 | 17 | $API = { 3a 7c d8 3f } 18 | 19 | condition: 20 | uint16(0) == 0x5a4d and 21 | filesize < 3500KB and 22 | 1 of ($URL*) and 23 | $API 24 | } 25 | -------------------------------------------------------------------------------- /ransomware/ransom_BlackKingDom.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule ransom_Black_KingDom 4 | { 5 | 6 | meta: 7 | 8 | description = "Rule to detect Black Kingdom ransomware that is spread using the latest Exchange vulns" 9 | author = "McAfee ATR" 10 | date = "20210326" 11 | rule_version = "v1" 12 | malware_type = "ransomware" 13 | malware_family = "Ransomware:W32/BlackKingdom_March2021" 14 | actor_type = "Cybercrime" 15 | actor_group = "Unknown" 16 | 17 | strings: 18 | $0 = 
{7D3F634F627C5EC4D893189F1731F624A6AD458C3D89E9CB22C69EC4B4B588B1A7307D8963EC294C5B718C3D85692B8EB1A730732F8EB16F65EA5CEC17834A665E} 19 | $1 = {3E774F2038FDE77377253CD11BFEB6FB82CF6A03E1B34E134C78A2CFDC1B7CD63AD167EE4E78A227FEF694EE3369143D1B0E84CF7CDAE7C3037C263DD15B979F} 20 | $2 = {0C674D0A2427CDDD9B68213EC0B4A5DF94B19D39BEC0C562346FC7A1D32C0FA5BC9D963440910709A2365360650F5A909685912220EEC0F8157B3E2B95EA2CE9} 21 | $3 = {7B7251266178C52BA731333F9E8A1C327A239FB81B901BAB2755FCAFD8A753F47991516A5C98A6CAAC9A1D5065DE565D87F120B3519DD91E09D353B7120EF9F2} 22 | $4 = {2E233E25767037CA68F9C0F026A5CDDCC08FC0DCE21F61C612F1983A29BD3D986F8239A7692B0EBD478B6C8115564D5B0671346CF7CDDB612247EA7A4FAA7C71} 23 | $5 = {2B2C3249094C8A1A9734E7515D10F78FD1B9339DF1902AC1D4ADE70C27C8A2CA7F3416B7B9F0D10E67519D589B8AD64D6435CC2DF4C2092A4BCEF7053B194AE5} 24 | $6 = {0B297C7D79ECD339B30E87775B6769909CD886D1FBBAF2041DCC4FB11B5BA777AA626A9E8CAC14F64BEA5299A8E304A22BA25FA4F7AC4B95E8ACC42EC33A3DE4} 25 | $7 = {0D46503D4DFD825DED41C94C055E1FCE1134C6F63AD80DCD7427F4BD502FA186077BD22653AB098C96ECDDA26557FB82BBA053CB2067C9DEA7EE0AF6A44C468A} 26 | $8 = {2E774F2038FDE77277253CD11BFEB6FB82CB6A03E1B34E134C78A2CFDC1B5CD63AD167EE4E78A227FEF694EE3269143D1B0E84CF7CDAE5C3035C263DD15B979B} 27 | $9 = {5C4250510A8DEF3463BF7410DEE0E72759B8A94A4D0544BD9B4FC0846E61844F4E06B779ABF906A450F5A2AC4C57CF761798C539175F092FD2429DC27909E382} 28 | $10 = {7C787B386177B4D7F1F6B9E6FE17154FF15BD9E3F1DA94A1E1064654E7500A0B86A20A4AA16BD4E16F19A8733960DE868F10F382CDEEC1F15CE718839241DA10} 29 | $11 = {2C3C6F6B2E597AC746FF7664087C7E899ABCC27AC60FA545D9CF4323063896D299F57132FE3E63E567EBFADF296365A1B2C0163DD8A4F3DABA04C77FA39A99CB} 30 | $12 = {7B3C5D7C73D34D1A6C66B91990D162CACD89ECEAF591AC56C95AB3151EBAC1687FB749924B7BC27917FE50CA6C1417FEDBCC5BA2B7C03B1AEE4F5732E69DAC14} 31 | $13 = {406357775C42584F11A1610D3A8A31F094FA252BC3E10738BD310D536D3A2F9EC5C21996AC4DCF5237AE3A4467D5678EE2983E4282ADFB1FDEA16352109BA7A7} 32 | $14 = 
{2F265663680CACC66731B11AA78D588D7B54AC06C6348905D6B8F52C608D8208B0C6C5F1C11A2F69608D363DFA2A365AA387DAFCC906B486548F3DA8FE36312E} 33 | $15 = {2B37480D634C799C468B775404368C7B891ADE3A556DF888566EB8CB3ED6F0171B59C35BB57F3B75D9017B7C9D52D1E87F48795AA58A16695B98BAFEAF66A769} 34 | $16 = {0A76372D4F488ED5649A19B42E9E42B1DCC2E62655E7041711A6235B825D791CD6519492309D46964594F78B1DCAD17A5BEA574166B8A8EB76A52CA1052D724A} 35 | $17 = {3D0B635F789C6CA6ADAC549548AA509C99D0C8DD823C99704423B90175B062E70EBBA67F937D622FF41B59D21E763A26D36759F3297D12B7454D82676C5B7B4A} 36 | $18 = {225B642B7A09E7B06A4D3B95D97927AC46DABAE3ECE93AA4B307259DB9C01361C905B240678DB830EB7E172EB939ECB188ED3504B3709A746772B7BC94C83FB6} 37 | $19 = {27465E49761EECAF449A3AB147907CF1C3D5F161D353E236BF9940AEC099EA4AC0352576803626029A15B3E978AB84D0024A1E345FFE58A81CDA2FBD61408971} 38 | $20 = {3B7431210BEE4762B447DF044B5D6F41D53824C3E2CD17A35D71029352B47DA3811C60458EAADEBA532F75C54A3DDFC74AB3BEA7A51AF81A4A688F5D7A10378C} 39 | $21 = {276C41453F8F2D8279980EAD3328E2478A3D84C55EB668231A12EED150E496622FCB2C04D9CBCE257BD97B9ECE404037589A185573F936A78DA88AD43EFC3948} 40 | $22 = {2727495F5B1B4D920E35A52B6A5DB6A7F8B31A26873E20C53388696567D692B4B1F4A0B9267E4BBDA1728A5E883FD69029A07669AC1D0DC22E3157C028705C19} 41 | $23 = {3E5552672C26C4F22824AF196F222D370F9EEDBEF119B8C3DD96414CF3529912234CB08AA7B2A034A51635319EAC44D47FA68747BA4B2FD2A884373ADEFB5C84} 42 | $24 = {20735E632C6C70375BCA935EE39B7FA508205E9CC034CBD193A0D1C1E3A9A13818B9EB7FEFB11891E71221DB7143286C7D36A91C1FF7615E38F02E5C1BA24AFF} 43 | $25 = {0A3D69344860D944AA8A46908019AB085E025AA693D381A34D8DCF116B25B0C62355D93893D1F64B983986C7E956C22303A9AB109680BF4B74460C5B087412AF} 44 | $26 = {7C5B79652BC66C9BC36B11730D556FFA1CA1616CA59C0C344FD1F6B50C9C259329D699CDF0B894F1540AFDC4F431957206B0748AB6AE3B9069CD91147E09709B} 45 | $27 = {2257442B42DB79A5E6CAD745E9A8D9775E4216C95F6094A05F05D7DAADBB03EC4B3444983DD291C2E32FC39299BCB4D22219386E75DAABB8D2EA93DFC52A248B} 46 | $28 = 
{3C0D4A68792594D2F23F10A465B38B75D272318CA0E532A8A183F8CE5DEE6B45ECFDC96E4FF9158832472ED8CDFA69F92868A503F821D848CBB97B58332D8F84} 47 | condition: 48 | uint16(0) == 0x5a4d and all of them 49 | } 50 | -------------------------------------------------------------------------------- /stealer/STEALER_EmiratesStatement.yar: -------------------------------------------------------------------------------- 1 | rule STEALER_emirates_statement 2 | { 3 | meta: 4 | 5 | description = "Credentials Stealing Attack" 6 | author = "Christiaan Beek | McAfee ATR Team" 7 | date = "2013-06-30" 8 | rule_version = "v1" 9 | malware_type = "stealer" 10 | malware_family = "Stealer:W32/DarkSide" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | hash = "7cf757e0943b0a6598795156c156cb90feb7d87d4a22c01044499c4e1619ac57" 14 | 15 | strings: 16 | 17 | $string0 = "msn.klm" 18 | $string1 = "wmsn.klm" 19 | $string2 = "bms.klm" 20 | 21 | condition: 22 | 23 | all of them 24 | } 25 | -------------------------------------------------------------------------------- /stealer/STEALER_Lokibot.yar: -------------------------------------------------------------------------------- 1 | rule STEALER_Lokibot 2 | { 3 | meta: 4 | 5 | description = "Rule to detect Lokibot stealer" 6 | author = "Marc Rivero | McAfee ATR Team" 7 | date = "2020-09-23" 8 | rule_version = "v1" 9 | malware_type = "stealer" 10 | malware_family = "Ransomware:W32/Lokibot" 11 | actor_type = "Cybercrime" 12 | actor_group = "Unknown" 13 | hash1 = "0e40f4fdd77e1f90279c585cfc787942b8474e5216ff4d324d952ef6b74f25d2" 14 | hash2 = "3ad36afad12d8cf245904285c21a8db43f9ed9c82304fdc2f27c4dd1438e4a1d" 15 | hash3 = "26fbdd516b3c1bfa36784ef35d6bc216baeb0ef2d0c0ba036ff9296da2ce2c84" 16 | 17 | strings: 18 | 19 | $sq1 = { 55 8B EC 56 8B 75 08 57 56 E8 ?? ?? ?? ?? 8B F8 59 85 FF 75 04 33 C0 EB 20 56 6A 00 57 E8 ?? ?? ?? ?? 6A 0C E8 ?? ?? ?? ?? 
83 C4 10 85 C0 74 E5 83 60 08 00 89 38 89 70 04 5F 5E 5D C3 } 20 | $sq2 = { 55 8B EC 83 EC 0C 53 56 57 33 DB BE ?? ?? ?? ?? 53 53 56 6A 09 E8 ?? ?? ?? ?? 6A 10 6A 01 53 53 8D 4D F8 51 FF D0 53 53 56 6A 09 E8 ?? ?? ?? ?? 6A 08 6A 01 53 53 8D 4D F8 51 FF D0 85 C0 0F 84 2B 01 00 00 6A 24 E8 ?? ?? ?? ?? 59 8B D8 33 C0 6A 09 59 8B FB F3 AB 66 8B 4D 24 B8 03 66 00 00 C7 03 08 02 00 00 66 85 C9 74 03 0F B7 C1 8B 4D 08 33 D2 0F B7 C0 89 43 04 89 53 08 85 C9 74 12 C7 43 08 08 00 00 00 8B 01 89 43 0C 8B 41 04 89 43 10 8B 4D 0C 85 C9 74 0F 83 43 08 08 8B 01 89 43 14 8B 41 04 89 43 18 8B 4D 10 85 C9 74 0F 83 43 08 08 8B 01 89 43 1C 8B 41 04 89 43 20 8B 7B 08 8B 75 F8 83 C7 0C 52 52 68 ?? ?? ?? ?? 6A 09 E8 ?? ?? ?? ?? 8D 4D FC 51 6A 00 6A 00 57 53 56 FF D0 85 C0 74 75 8B 75 FC 33 C0 40 83 7D 20 00 0F 45 45 20 33 FF 57 57 68 ?? ?? ?? ?? 6A 09 89 45 F4 E8 ?? ?? ?? ?? 57 8D 4D F4 51 6A 04 56 FF D0 85 C0 74 3B 39 7D 14 74 1A 8B 75 FC 57 57 68 ?? ?? ?? ?? 6A 09 E8 ?? ?? ?? ?? 57 FF 75 14 6A 01 56 FF D0 8B 55 18 8B 4D FC 53 89 0A 8B 55 1C 8B 4D F8 89 0A E8 ?? ?? ?? ?? 33 C0 59 40 EB 21 FF 75 FC E8 BF FB FF FF 59 EB 02 33 FF 53 E8 ?? ?? ?? ?? 57 FF 75 F8 E8 6B FB FF FF 83 C4 0C 33 C0 5F 5E 5B 8B E5 5D C3 } 21 | $sq3 = { 55 8B EC 83 EC 0C 53 8B 5D 0C 56 57 6A 10 33 F6 89 75 F8 89 75 FC 58 89 45 F4 85 DB 75 0E FF 75 08 E8 ?? ?? ?? ?? 8B D8 8B 45 F4 59 50 E8 ?? ?? ?? ?? 8B F8 59 85 FF 0F 84 B6 00 00 00 FF 75 F4 56 57 E8 C4 ?? ?? ?? 83 C4 0C 56 56 68 ?? ?? ?? ?? 6A 09 E8 ?? ?? ?? ?? 68 00 00 00 F0 6A 01 56 56 8D 4D F8 51 FF D0 85 C0 0F 84 84 00 00 00 8B 75 F8 6A 00 6A 00 68 ?? ?? ?? ?? 6A 09 E8 ?? ?? ?? ?? 8D 4D FC 51 6A 00 6A 00 68 03 80 00 00 56 FF D0 85 C0 74 51 6A 00 53 FF 75 08 FF 75 FC E8 7F FD FF FF 83 C4 10 85 C0 74 3C 8B 75 FC 6A 00 6A 00 68 ?? ?? ?? ?? 6A 09 E8 ?? ?? ?? ?? 
6A 00 8D 4D F4 51 57 6A 02 56 FF D0 85 C0 74 19 FF 75 FC E8 16 FD FF FF 6A 00 FF 75 F8 E8 26 FD FF FF 83 C4 0C 8B C7 EB 0E 6A 00 FF 75 F8 E8 15 FD FF FF 59 59 33 C0 5F 5E 5B 8B E5 5D C3 } 22 | $sq4 = { 55 8B EC 83 7D 10 00 56 57 8B 7D 0C 57 74 0E E8 ?? ?? ?? ?? 8B F0 33 C0 03 F6 40 EB 09 E8 ?? ?? ?? ?? 8B F0 33 C0 83 7D 14 00 59 75 24 50 FF 75 08 E8 2C 00 00 00 59 59 83 F8 01 74 04 33 C0 EB 1D 56 FF 75 08 E8 C5 FE FF FF 59 59 83 F8 01 75 EC 56 57 FF 75 08 E8 CA FE FF FF 83 C4 0C 5F 5E 5D C3 } 23 | $sq5 = { 55 8B EC 53 56 8B 75 0C 57 85 F6 75 0B FF 75 08 E8 ?? ?? ?? ?? 59 8B F0 6B C6 03 89 45 0C 8D 58 01 53 E8 ?? ?? ?? ?? 8B F8 59 85 FF 74 42 53 6A 00 57 E8 ?? ?? ?? ?? 83 C4 0C 33 D2 85 F6 74 27 8B 45 08 0F B6 0C 02 8B C1 83 E1 0F C1 E8 04 8A 80 ?? ?? ?? ?? 88 04 57 8A 81 ?? ?? ?? ?? 88 44 57 01 42 3B D6 72 D9 8B 45 0C C6 04 07 00 8B C7 5F 5E 5B 5D C3 } 24 | $sq6 = { 55 8B EC 53 56 57 FF 75 08 E8 ?? ?? ?? ?? 33 C9 6A 02 5B 8D B8 A0 1F 00 00 8B C7 F7 E3 0F 90 C1 F7 D9 0B C8 51 E8 ?? ?? ?? ?? 8B F0 59 59 85 F6 74 6F 8D 0C 3F 51 6A 00 56 E8 ?? ?? ?? ?? 8D 45 0C 50 FF 75 08 56 E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8B F8 83 C4 1C 85 FF 74 40 33 C9 8D 47 02 F7 E3 0F 90 C1 F7 D9 0B C8 51 E8 ?? ?? ?? ?? 8B D8 59 85 DB 74 25 8D 0C 7D 02 00 00 00 51 6A 00 53 E8 ?? ?? ?? ?? 57 56 53 E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 1C 8B C3 EB 09 56 E8 ?? ?? ?? ?? 59 33 C0 5F 5E 5B 5D C3 } 25 | $sq7 = { 55 8B EC 81 EC 80 00 00 00 56 57 E8 ?? ?? ?? ?? 6A 1F 59 BE ?? ?? ?? ?? 8D 7D 80 F3 A5 33 C9 6A 02 5A 66 A5 8B 7D 08 8D 47 01 F7 E2 0F 90 C1 F7 D9 0B C8 51 E8 ?? ?? ?? ?? 8B F0 59 85 F6 74 4D 8D 04 7D 02 00 00 00 4F 89 45 08 53 50 6A 00 56 E8 ?? ?? ?? ?? 83 C4 0C 33 DB 85 FF 74 1C E8 ?? ?? ?? ?? 33 D2 6A 7E 59 F7 F1 D1 EA 66 8B 44 55 80 66 89 04 5E 43 3B DF 72 E4 56 E8 ?? ?? ?? ?? 3B F8 8B 45 08 59 77 C4 8B C6 5B EB 02 33 C0 5F 5E 8B E5 5D C3 } 26 | $sq8 = { 55 8B EC 81 EC 50 02 00 00 53 56 57 6A 0A E8 ?? ?? ?? ?? 59 33 DB 6A 2E 5E 39 5D 14 0F 84 13 01 00 00 FF 75 08 68 ?? ?? ?? ?? E8 ?? ?? ?? 
?? 8B F0 59 59 85 F6 0F 84 F7 00 00 00 53 53 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 8D 8D B0 FD FF FF 51 56 FF D0 8B D8 83 FB FF 0F 84 CC 00 00 00 F6 85 B0 FD FF FF 10 0F 84 97 00 00 00 83 7D 1C 00 74 2E 8D 85 DC FD FF FF 68 ?? ?? ?? ?? 50 E8 0A ?? ?? ?? 59 59 85 C0 75 7A 8D 85 DC FD FF FF 68 ?? ?? ?? ?? 50 E8 F3 ?? ?? ?? 59 59 85 C0 75 63 8D 85 DC FD FF FF 50 E8 ?? ?? ?? ?? 59 83 F8 03 73 0C 6A 2E 58 66 39 85 DC FD FF FF 74 45 8D 85 DC FD FF FF 50 FF 75 08 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 0C 89 45 14 85 C0 74 27 6A 01 6A 00 6A 01 FF 75 10 FF 75 0C 50 E8 14 FF FF FF FF 75 14 8B F8 E8 ?? ?? ?? ?? 83 C4 1C 85 FF 0F 85 EE 00 00 00 33 C0 50 50 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 8D B0 FD FF FF 51 53 FF D0 85 C0 0F 85 3B FF FF FF 53 E8 ?? ?? ?? ?? 59 56 E8 ?? ?? ?? ?? 59 33 DB 6A 2E 5E FF 75 0C FF 75 08 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 83 C4 0C 85 FF 0F 84 CF 00 00 00 53 53 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 8D 8D B0 FD FF FF 51 57 FF D0 8B D8 83 FB FF 0F 84 A6 00 00 00 8D 85 DC FD FF FF 50 E8 ?? ?? ?? ?? 59 83 F8 03 73 09 66 39 B5 DC FD FF FF 74 3E 83 BD B0 FD FF FF 10 75 06 83 7D 18 00 74 2F 8D 85 DC FD FF FF 50 FF 75 08 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 83 C4 0C 85 F6 74 12 83 7D 10 00 74 40 56 FF 55 10 56 E8 ?? ?? ?? ?? 59 59 33 C0 50 50 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 8D B0 FD FF FF 51 53 FF D0 85 C0 74 29 6A 2E 5E EB 85 56 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 59 59 8B C7 EB 22 57 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 59 59 8B C6 EB 10 53 E8 ?? ?? ?? ?? 59 57 E8 ?? ?? ?? ?? 59 33 C0 5F 5E 5B 8B E5 5D C3 } 27 | $sq9 = { 83 3D 14 ?? ?? ?? ?? 56 74 0A 8B 35 20 ?? ?? ?? 85 F6 75 66 53 57 BB E0 01 00 00 33 FF 53 89 3D 14 ?? ?? ?? E8 F0 F8 FF FF 33 F6 A3 14 ?? ?? ?? 46 59 85 C0 74 12 6A 78 57 50 89 35 20 ?? ?? ?? E8 A6 F8 FF FF 83 C4 0C 53 89 3D 18 ?? ?? ?? E8 C5 F8 FF FF A3 18 ?? ?? ?? 59 85 C0 74 14 6A 78 57 50 89 35 20 ?? ?? ?? E8 7E F8 FF FF 83 C4 0C EB 06 8B 35 20 ?? ?? ?? 
5F 5B 8B C6 5E C3 } 28 | $sq10 = { 55 8B EC 51 51 83 65 FC 00 53 56 57 64 A1 30 00 00 00 89 45 FC 8B 45 FC 8B 40 0C 8B 58 0C 8B F3 8B 46 18 FF 76 28 89 45 F8 E8 CE FA FF FF 8B F8 59 85 FF 74 1F 6A 00 57 E8 32 01 00 00 57 E8 ?? ?? ?? ?? 03 C0 50 57 E8 71 FA FF FF 83 C4 14 39 45 08 74 11 8B 36 3B DE 75 C6 33 C0 5F 5E 5B 8B E5 5D C2 04 00 8B 45 F8 EB F2 } 29 | $sq11 = { A1 ?? ?? ?? ?? 85 C0 74 07 50 E8 ?? ?? ?? ?? 59 A1 ?? ?? ?? ?? 85 C0 74 07 50 E8 ?? ?? ?? ?? 59 A1 ?? ?? ?? ?? 85 C0 74 07 50 E8 ?? ?? ?? ?? 59 33 C0 A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? C3 } 30 | $sq12 = { 55 8B EC 56 8B 75 0C 57 85 F6 74 48 56 E8 ?? ?? ?? ?? 59 85 C0 74 3D 56 E8 ?? ?? ?? ?? 59 85 C0 74 32 83 65 0C 00 8D 45 0C 6A 01 50 56 E8 ?? ?? ?? ?? 8B F8 83 C4 0C 85 FF 74 19 8B 45 0C 85 C0 74 12 83 7D 14 00 74 12 39 45 14 73 0D 57 E8 ?? ?? ?? ?? 59 33 C0 5F 5E 5D C3 83 7D 10 00 74 1A 6A 00 6A 01 56 E8 ?? ?? ?? ?? 59 50 FF 75 08 E8 1F 00 00 00 8B 45 0C 83 C4 10 50 57 FF 75 08 E8 FF FE FF FF 57 8B F0 E8 ?? ?? ?? ?? 83 C4 10 8B C6 EB C3 } 31 | $sq13 = { 55 8B EC 83 EC 18 56 FF 75 08 E8 ?? ?? ?? ?? 50 89 45 F0 E8 ?? ?? ?? ?? 8B F0 59 59 85 F6 0F 84 C0 00 00 00 53 8B 5D 0C 33 C9 57 6A 04 5A 8B C3 F7 E2 0F 90 C1 F7 D9 0B C8 51 E8 ?? ?? ?? ?? 83 65 F4 00 8B F8 83 65 FC 00 59 85 DB 74 6D 8B 45 10 83 C0 FC FF 75 F0 83 C0 04 89 45 E8 6A 00 56 8B 00 89 45 EC E8 ?? ?? ?? ?? FF 75 F0 FF 75 08 56 E8 ?? ?? ?? ?? 83 65 F8 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 20 EB 1F FF 75 EC 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 32 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? FF 45 F8 59 59 85 C0 75 DD 8B 45 FC 40 89 45 FC 3B C3 8B 45 E8 72 99 56 E8 ?? ?? ?? ?? 59 39 5D F4 75 12 8B C7 EB 17 8B 45 FC 8B 4D F8 FF 45 F4 89 0C 87 EB D7 57 E8 ?? ?? ?? ?? 59 33 C0 5F 5B 5E 8B E5 5D C3 } 32 | $sq14 = { 55 8B EC 8B 45 0C 53 56 8B 75 08 57 8B 4E 04 03 C1 8D 3C 09 3B F8 77 06 8D B8 F4 01 00 00 33 C9 8B C7 6A 04 5A F7 E2 0F 90 C1 F7 D9 0B C8 51 E8 ?? ?? ?? ?? 8B D8 59 85 DB 74 26 57 6A 00 53 E8 ?? ?? ?? ?? FF 76 08 FF 36 53 E8 ?? ?? ?? ?? 
FF 36 E8 ?? ?? ?? ?? 33 C0 89 1E 83 C4 1C 89 7E 04 40 5F 5E 5B 5D C3 } 33 | $sq15 = { 55 8B EC 83 7D 0C 00 57 74 39 8B 7D 10 85 FF 74 32 56 8B 75 08 8B 46 08 03 C7 3B 46 04 76 09 57 56 E8 3F FF FF FF 59 59 8B 46 08 03 06 57 FF 75 0C 50 E8 ?? ?? ?? ?? 01 7E 08 83 C4 0C 33 C0 40 5E EB 02 33 C0 5F 5D C3 } 34 | 35 | condition: 36 | 37 | uint16(0) == 0x5a4d and 38 | any of them 39 | } 40 | 41 | -------------------------------------------------------------------------------- /stealer/STEALER_credstealer.yar: -------------------------------------------------------------------------------- 1 | rule STEALER_credstealesy 2 | { 3 | 4 | meta: 5 | 6 | description = "Generic Rule to detect the CredStealer Malware" 7 | author = "IsecG – McAfee Labs" 8 | date = "2015-05-08" 9 | rule_version = "v1" 10 | malware_type = "stealer" 11 | malware_family = "Stealer:W32/CredStealer" 12 | actor_type = "Cybercrime" 13 | actor_group = "Unknown" 14 | reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign/" 15 | 16 | strings: 17 | 18 | $my_hex_string = "CurrentControlSet\\Control\\Keyboard Layouts\\" wide //malware trying to get keyboard layout 19 | $my_hex_string2 = {89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E8} //specific decryption module 20 | 21 | condition: 22 | 23 | $my_hex_string and $my_hex_string2 24 | } 25 | --------------------------------------------------------------------------------