├── LATEST
├── .gitignore
├── logo.png
├── .github
    ├── FUNDING.yml
    └── workflows
    │   └── docker-image.yml
├── w-rules
    ├── rules
    │   ├── signatures
    │   │   ├── UserDB.yar
    │   │   ├── userdb_panda.yar
    │   │   ├── userdb_exeinfope.yar
    │   │   ├── userdb_jclausing.yar
    │   │   ├── sandboxdetect.yar
    │   │   ├── wce.yar
    │   │   ├── dbgdetect.yar
    │   │   └── avdetect.yar
    │   ├── GeorBotBinary.yara
    │   ├── fpu.yara
    │   ├── GeorBotMemory.yara
    │   ├── Loki Rules
    │   │   ├── generic_lsass_dump.yar
    │   │   ├── apt_webshell_chinachopper.yar
    │   │   ├── crime_dexter_trojan.yar
    │   │   ├── apt_shamoon.yar
    │   │   ├── apt_backspace.yar
    │   │   ├── crime_antifw_installrex.yar
    │   │   ├── crime_cmstar.yar
    │   │   ├── crime_cryptowall_svg.yar
    │   │   ├── crime_buzus_softpulse.yar
    │   │   ├── apt_blackenergy_2.yar
    │   │   ├── apt_backdoor_ssh_python.yar
    │   │   ├── apt_poisonivy_gen3.yar
    │   │   ├── crime_kraken_bot1.yar
    │   │   ├── exploit_cve_2015_1674.yar
    │   │   ├── crime_mikey_trojan.yar
    │   │   ├── generic_cryptors.yar
    │   │   ├── apt_fidelis_phishing_plain_sight.yar
    │   │   ├── exploit_cve_2015_1701.yar
    │   │   ├── crime_dridex_xml.yar
    │   │   ├── threat_lenovo_superfish.yar
    │   │   ├── apt_apt17_malware.yar
    │   │   ├── crime_malumpos.yar
    │   │   ├── apt_scanbox_deeppanda.yar
    │   │   ├── pup_lightftp.yar
    │   │   ├── apt_blackenergy_installer.yar
    │   │   ├── apt_snowglobe_babar.yar
    │   │   ├── apt_naikon.yar
    │   │   ├── crime_malware_generic.yar
    │   │   ├── general_cloaking.yar
    │   │   ├── crime_kins_dropper.yar
    │   │   ├── crime_enfal.yar
    │   │   ├── apt_alienspy_rat.yar
    │   │   ├── apt_coreimpact_agent.yar
    │   │   ├── general_officemacros.yar
    │   │   ├── generic_anomalies.yar
    │   │   ├── falsepositive-hashes.txt
    │   │   ├── apt_skeletonkey.yar
    │   │   ├── apt_miniasp.yar
    │   │   ├── apt_casper.yar
    │   │   ├── apt_anthem_deeppanda.yar
    │   │   ├── apt_woolengoldfish.yar
    │   │   ├── apt_sofacy_xtunnel_bundestag.yar
    │   │   ├── apt_volatile_cedar.yar
    │   │   ├── crime_rombertik_carbongrabber.yar
    │   │   ├── apt_apt28.yar
    │   │   ├── apt_hellsing_kaspersky.yar
    │   │   ├── apt_waterbug.yar
    │   │   ├── exploit_uac_elevators.yar
    │   │   ├── apt_kaspersky_duqu2.yar
    │   │   ├── filename-iocs.txt
    │   │   ├── apt_op_cleaver.yar
    │   │   ├── apt_poisonivy.yar
    │   │   └── spy_querty_fiveeyes.yar
    │   ├── APT_NGO_wuaclt_PDF.yara
    │   ├── urausy_skypedat.yar
    │   ├── leverage.yar
    │   ├── CVE_2013_3893.yar
    │   ├── index.yar
    │   ├── embedded.yara
    │   ├── kins.yara
    │   ├── themask.yara
    │   ├── vmdetect.yara
    │   ├── WannaCry.yar
    │   └── hangover.yara
    ├── .dockerignore
    └── Dockerfile
├── 3.4
    ├── .dockerignore
    └── Dockerfile
├── no-py
    ├── .dockerignore
    └── Dockerfile
├── 3.10
    ├── .dockerignore
    └── Dockerfile
├── 3.11
    ├── .dockerignore
    └── Dockerfile
├── 3.5
    ├── .dockerignore
    └── Dockerfile
├── 3.6
    ├── .dockerignore
    └── Dockerfile
├── 3.7
    ├── .dockerignore
    └── Dockerfile
├── 3.8
    ├── .dockerignore
    └── Dockerfile
├── 3.9
    ├── .dockerignore
    └── Dockerfile
├── 4.0
    ├── .dockerignore
    └── Dockerfile
├── 4.1
    ├── .dockerignore
    └── Dockerfile
├── 4.2
    ├── .dockerignore
    └── Dockerfile
├── CHANGELOG.md
├── LICENSE
├── Makefile
└── README.md


/LATEST:
--------------------------------------------------------------------------------
1 | 4.2
2 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | release
3 | *.bu
4 | .circleci/build_num
5 | 


--------------------------------------------------------------------------------
/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/blacktop/docker-yara/HEAD/logo.png


--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # You can add one username per supported platform and one custom link
2 | patreon: blacktop_


--------------------------------------------------------------------------------
/w-rules/rules/signatures/UserDB.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/blacktop/docker-yara/HEAD/w-rules/rules/signatures/UserDB.yar


--------------------------------------------------------------------------------
/w-rules/rules/signatures/userdb_panda.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/blacktop/docker-yara/HEAD/w-rules/rules/signatures/userdb_panda.yar


--------------------------------------------------------------------------------
/3.4/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | 


--------------------------------------------------------------------------------
/no-py/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | 


--------------------------------------------------------------------------------
/w-rules/rules/signatures/userdb_exeinfope.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/blacktop/docker-yara/HEAD/w-rules/rules/signatures/userdb_exeinfope.yar


--------------------------------------------------------------------------------
/w-rules/rules/signatures/userdb_jclausing.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/blacktop/docker-yara/HEAD/w-rules/rules/signatures/userdb_jclausing.yar


--------------------------------------------------------------------------------
/w-rules/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | 


--------------------------------------------------------------------------------
/3.10/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | test_rule
11 | 


--------------------------------------------------------------------------------
/3.11/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | test_rule
11 | 


--------------------------------------------------------------------------------
/3.5/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | test_rule
11 | 


--------------------------------------------------------------------------------
/3.6/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | test_rule
11 | 


--------------------------------------------------------------------------------
/3.7/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | test_rule
11 | 


--------------------------------------------------------------------------------
/3.8/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | test_rule
11 | 


--------------------------------------------------------------------------------
/3.9/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | test_rule
11 | 


--------------------------------------------------------------------------------
/4.0/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | test_rule
11 | 


--------------------------------------------------------------------------------
/4.1/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | test_rule
11 | 


--------------------------------------------------------------------------------
/4.2/.dockerignore:
--------------------------------------------------------------------------------
 1 | # Ignore .git folder
 2 | .git*
 3 | 
 4 | README.md
 5 | README.md.bu
 6 | LICENSE
 7 | logo.png
 8 | build
 9 | release
10 | test_rule
11 | 


--------------------------------------------------------------------------------
/w-rules/rules/GeorBotBinary.yara:
--------------------------------------------------------------------------------
1 | rule GeorBotBinary
2 | {
3 | strings:
4 | $a = {63 72 ?? 5F 30 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C}
5 | 
6 | condition:
7 | all of them
8 | }
9 | 


--------------------------------------------------------------------------------
/w-rules/rules/fpu.yara:
--------------------------------------------------------------------------------
 1 | rule undocumentedFPUAtEntryPoint {
 2 | strings:
 3 |     $fpu1 = {D9 D8}
 4 |     $fpu2 = {DF DF}
 5 |     $fpu3 = {DF D8}
 6 |     $fpu4 = {DC D9}
 7 |     $fpu5 = {DF DA}
 8 |     $fpu6 = {DF CB}
 9 | condition:
10 |     (for any of ($fpu*) : ($ at entrypoint)) or $fpu2 in (entrypoint..entrypoint + 10)
11 | }
12 | 


--------------------------------------------------------------------------------
/w-rules/rules/GeorBotMemory.yara:
--------------------------------------------------------------------------------
 1 | rule GeorBotMemory
 2 | {
 3 | strings:
 4 | $a = {53 4F 46 54 57 41 52 45 5C 00 4D 69 63 72 6F 73 6F 66 74 5C 00 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 00 52 75 6E 00 55 53 42 53 45 52 56}
 5 | $b = {73 79 73 74 65 6D 33 32 5C 75 73 62 73 65 72 76 2E 65 78 65}
 6 | $c = {5C 75 73 62 73 65 72 76 2E 65 78 65}
 7 | condition:
 8 | $a and ($b or $c)
 9 | }
10 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/generic_lsass_dump.yar:
--------------------------------------------------------------------------------
 1 | rule LSASS_memory_dump_file {
 2 | 	meta:
 3 | 		description = "Detects a LSASS memory dump file"
 4 | 		author = "Florian Roth"
 5 | 		date = "2015/03/31"
 6 | 		memory = 0
 7 | 		score = 50
 8 | 	strings:
 9 | 		$s1 = "lsass.exe" ascii fullword
10 | 		$s2 = "wdigest.DLL" wide nocase
11 | 	condition:
12 |         uint32(0) == 0x504D444D and all of them
13 | }
14 | 
15 | 


--------------------------------------------------------------------------------
/w-rules/rules/APT_NGO_wuaclt_PDF.yara:
--------------------------------------------------------------------------------
 1 | rule APT_NGO_wuaclt_PDF
 2 | {
 3 | 	strings:
 4 | 		$pdf  = "%PDF" nocase
 5 | 		$comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A}
 6 | 	
 7 | 	condition:
 8 | 		$pdf at 0 and $comment in (0..200)
 9 | }
10 | 	
11 | 	
12 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_webshell_chinachopper.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule ChinaChopper_Generic {
 3 | 	meta:
 4 | 		description = "China Chopper Webshells - PHP and ASPX"
 5 | 		author = "Florian Roth"
 6 | 		reference = "https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf"
 7 | 		date = "2015/03/10"
 8 | 	strings:
 9 | 		$aspx = /%@\sPage\sLanguage=.Jscript.%><%eval\(RequestItem\[.{,100}unsafe/
10 | 		$php = /<?php.\@eval\(\$_POST./
11 | 	condition:
12 | 		1 of them
13 | }
14 | 


--------------------------------------------------------------------------------
/w-rules/rules/urausy_skypedat.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule urausy_skype_dat {
 3 | 	meta:
 4 | 		author = "AlienVault Labs"
 5 | 		description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
 6 | 	strings:
 7 | 		$a = "skype.dat" ascii wide
 8 | 		$b = "skype.ini" ascii wide
 9 | 		$win1 = "CreateWindow"
10 | 		$win2 = "YIWEFHIWQ" ascii wide
11 | 		$desk1 = "CreateDesktop"
12 | 		$desk2 = "MyDesktop" ascii wide
13 | 	condition:
14 | 		$a and $b and (all of ($win*) or all of ($desk*))
15 | }
16 | 
17 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_dexter_trojan.yar:
--------------------------------------------------------------------------------
 1 | rule Dexter_Malware {
 2 | 	meta:
 3 | 		description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b"
 4 | 		author = "Florian Roth"
 5 | 		reference = "http://goo.gl/oBvy8b"
 6 | 		date = "2015/02/10"
 7 | 		score = 70
 8 | 	strings:
 9 | 		$s0 = "Java Security Plugin" fullword wide
10 | 		$s1 = "%s\\%s\\%s.exe" fullword wide
11 | 		$s2 = "Sun Java Security Plugin" fullword wide
12 | 		$s3 = "\\Internet Explorer\\iexplore.exe" fullword wide
13 | 	condition:
14 | 		all of them
15 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_shamoon.yar:
--------------------------------------------------------------------------------
 1 | rule CrowdStrike_Shamoon_DroppedFile { 
 2 | 	meta:
 3 | 		description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
 4 | 		reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
 5 | 	strings:
 6 | 		$testn123 = "test123" wide
 7 | 		$testn456 = "test456" wide
 8 | 		$testn789 = "test789" wide
 9 | 		$testdomain = "testdomain.com" wide $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
10 | 	condition:
11 | 		(any of ($testn*) or $pingcmd) and $testdomain
12 | }
13 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_backspace.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | Author: Bit Byte Bitten
 3 | Date: 5/14/2015
 4 | */
 5 | 
 6 | rule apt_backspace{
 7 | 	meta:
 8 | 		description = "Detects APT backspace"
 9 | 		author = "Bit Byte Bitten"
10 | 		date = "2015-05-14"
11 | 		hash = "6cbfeb7526de65eb2e3c848acac05da1e885636d17c1c45c62ad37e44cd84f99"
12 | 	strings:
13 | 		$s1 = "!! Use Splice Socket !!"
14 | 		$s2 = "User-Agent: SJZJ (compatible; MSIE 6.0; Win32)"
15 | 		$s3 = "g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d"
16 | 	condition:
17 | 		uint16(0) == 0x5a4d and all of them
18 | }


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | Change Log
 2 | ==========
 3 | 
 4 | All notable changes to this project will be documented in this file.
 5 | 
 6 | [3.5] - 2016-08-04
 7 | ------------------
 8 | 
 9 | ### Fixed
10 | 
11 | ### Added
12 | 
13 | ### Removed
14 | 
15 | ### Changed
16 | 
17 | 
18 | [3.4] - 2016-07-29
19 | ------------------
20 | 
21 | ### Fixed
22 | 
23 | ### Added
24 | 
25 | -	krallin/tini
26 | -	tianon/gosu
27 | 
28 | ### Removed
29 | 
30 | -	I am not including my rules folder by default anymore, but you can easily add it at runtime as shown in the README.md OR you can use the `w-rules` tag
31 | 
32 | ### Changed
33 | 


--------------------------------------------------------------------------------
/w-rules/rules/signatures/sandboxdetect.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule sandboxdetect_misc : sandboxdetect
 3 | {
 4 | 	meta:
 5 | 		author = "AlienVault Labs"
 6 | 		type = "info"
 7 | 		severity = 1
 8 | 		description = "Sandbox detection tricks"
 9 | 
10 | 	strings:
11 | 		$sbxie1 = "sbiedll" nocase ascii wide
12 | 
13 | 		// CWSandbox
14 | 		$prodid1 = "55274-640-2673064-23950" ascii wide
15 | 		$prodid2 = "76487-644-3177037-23510" ascii wide
16 | 		$prodid3 = "76487-337-8429955-22614" ascii wide
17 | 
18 | 		$proc1 = "joeboxserver" ascii wide
19 | 		$proc2 = "joeboxcontrol" ascii wide
20 | 	condition:
21 | 		any of them
22 | }
23 | 
24 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_antifw_installrex.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule PUP_InstallRex_AntiFWb {
 3 | 	meta:
 4 | 		description = "Malware InstallRex / AntiFW"
 5 | 		author = "Florian Roth"
 6 | 		date = "2015-05-13"
 7 | 		hash = "bb5607cd2ee51f039f60e32cf7edc4e21a2d95cd"
 8 | 		score = 65
 9 | 	strings:
10 | 		$s4 = "Error %u while loading TSU.DLL %ls" fullword ascii
11 | 		$s7 = "GetModuleFileName() failed => %u" fullword ascii
12 | 		$s8 = "TSULoader.exe" fullword wide
13 | 		$s15 = "\\StringFileInfo\\%04x%04x\\Arguments" fullword wide
14 | 		$s17 = "Tsu%08lX.dll" fullword wide
15 | 	condition:
16 | 		uint16(0) == 0x5a4d and all of them
17 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_cmstar.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule ce_enfal_cmstar_debug_msg {
 3 | 	meta:
 4 | 		author = "rfalcone"
 5 | 		description = "Detects the static debug strings within CMSTAR"
 6 | 		reference = "http://goo.gl/JucrP9"
 7 | 		hash = "9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c"
 8 | 		date = "5/10/2015"
 9 | 	strings:
10 | 		$d1 = "EEE\x0d\x0a" fullword
11 | 		$d2 = "TKE\x0d\x0a" fullword
12 | 		$d3 = "VPE\x0d\x0a" fullword
13 | 		$d4 = "VPS\x0d\x0a" fullword
14 | 		$d5 = "WFSE\x0d\x0a" fullword
15 | 		$d6 = "WFSS\x0d\x0a" fullword
16 | 		$d7 = "CM**\x0d\x0a" fullword
17 | 	condition:
18 | 		uint16(0) == 0x5a4d and all of ($d*)
19 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_cryptowall_svg.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule SVG_LoadURL {
 3 | 	meta:
 4 | 		description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)"
 5 | 		author = "Florian Roth"
 6 | 		reference = "http://goo.gl/psjCCc"
 7 | 		date = "2015-05-24"
 8 | 		hash1 = "ac8ef9df208f624be9c7e7804de55318"
 9 | 		hash2 = "3b9e67a38569ebe8202ac90ad60c52e0"
10 | 		hash3 = "7e2be5cc785ef7711282cea8980b9fee"
11 | 		hash4 = "4e2c6f6b3907ec882596024e55c2b58b"
12 | 		score = 50
13 | 	strings:
14 | 		$s1 = "</svg>" nocase
15 | 		$s2 = "<script>" nocase
16 | 		$s3 = "location.href='http" nocase
17 | 	condition:
18 | 		all of ($s*) and filesize < 600
19 | }
20 | 
21 | 		
22 | 		


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_buzus_softpulse.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule Win32_Buzus_Softpulse {
 3 | 	meta:
 4 | 		description = "Trojan Buzus / Softpulse"
 5 | 		author = "Florian Roth"
 6 | 		date = "2015-05-13"
 7 | 		hash = "2f6df200e63a86768471399a74180466d2e99ea9"
 8 | 		score = 75
 9 | 	strings:
10 | 		$x1 = "pi4izd6vp0.com" fullword ascii
11 | 
12 | 		$s1 = "SELECT * FROM Win32_Process" fullword wide
13 | 		$s4 = "CurrentVersion\\Uninstall\\avast" fullword wide
14 | 		$s5 = "Find_RepeatProcess" fullword ascii
15 | 		$s6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" fullword wide
16 | 		$s7 = "myapp.exe" fullword ascii
17 | 		$s14 = "/c ping -n 1 www.google" wide
18 | 	condition:
19 | 		uint16(0) == 0x5a4d and 
20 | 			( 
21 | 				( $x1 and 2 of ($s*) ) or
22 | 				all of ($s*) 
23 | 			)
24 | }
25 | 


--------------------------------------------------------------------------------
/w-rules/rules/leverage.yar:
--------------------------------------------------------------------------------
 1 | rule leverage_a
 2 | {
 3 | 	meta:
 4 | 		author = "earada@alienvault.com"
 5 | 		version = "1.0"
 6 | 		description = "OSX/Leverage.A"
 7 | 		date = "2013/09"
 8 | 	strings:
 9 | 		$a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
10 | 		$a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
11 | 		$a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
12 | 		$script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
13 | 		$script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
14 | 		$script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
15 | 		$properties = "serverVisible \x00"
16 | 	condition:
17 | 		all of them
18 | }
19 | 


--------------------------------------------------------------------------------
/w-rules/rules/CVE_2013_3893.yar:
--------------------------------------------------------------------------------
 1 | rule CVE_2013_3893
 2 | {
 3 |     meta:
 4 |         author = "Brian Bartholomew iSIGHT Partners"
 5 |         maltype = "apt"
 6 |         yaraexchange = "No distribution without author's consent"
 7 |         date = "09/20/2013"
 8 |         descrption = "This rule will detect CVE-2013-3893"
 9 |         reference_1 = "http://technet.microsoft.com/en-us/security/advisory/2887505"
10 |         reference_2 = "http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx"
11 |         status = "Tested against the one known live sample we were able to find and it works"
12 | 
13 |     strings:
14 |         $String_1 = "onlosecapture" nocase
15 |         $String_2 = "setCapture" nocase
16 |         $String_3 = "CollectGarbage" nocase
17 | 
18 |     condition:
19 |         all of them
20 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_blackenergy_2.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule BlackEnergy_BE_2 {
 3 |         meta:
 4 |                 description = "Detects BlackEnergy 2 Malware"
 5 |                 author = "Florian Roth"
 6 |                 reference = "http://goo.gl/DThzLz"
 7 |                 date = "2015/02/19"
 8 |                 hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
 9 |         strings:
10 |                 $mz = { 4d 5a }
11 |                 $s0 = "<description> Windows system utility service  </description>" fullword ascii
12 |                 $s1 = "WindowsSysUtility - Unicode" fullword wide
13 |                 $s2 = "msiexec.exe" fullword wide
14 |                 $s3 = "WinHelpW" fullword ascii
15 |                 $s4 = "ReadProcessMemory" fullword ascii
16 |         condition:
17 |                 ( $mz at 0 ) and filesize < 250KB and all of ($s*)
18 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_backdoor_ssh_python.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule custom_ssh_backdoor_server {
 3 | 	meta:
 4 | 		description = "Custome SSH backdoor based on python and paramiko - file server.py"
 5 | 		author = "Florian Roth"
 6 | 		reference = "https://goo.gl/S46L3o"
 7 | 		date = "2015-05-14"
 8 | 		hash = "0953b6c2181249b94282ca5736471f85d80d41c9"
 9 | 	strings:
10 | 		$s0 = "command= raw_input(\"Enter command: \").strip('n')" fullword ascii
11 | 		$s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii
12 | 		$s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii
13 | 		$s3 = "chan.send(command)" fullword ascii
14 | 		$s4 = "print '[-] SSH negotiation failed.'" fullword ascii
15 | 		$s5 = "except paramiko.SSHException, x:" fullword ascii
16 | 	condition:
17 | 		filesize < 10KB and 5 of them
18 | }
19 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_poisonivy_gen3.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule PoisonIvy_Generic_3 {
 3 | 	meta:
 4 | 		description = "PoisonIvy RAT Generic Rule"
 5 | 		author = "Florian Roth"
 6 | 		date = "2015-05-14"
 7 | 		hash = "e1cbdf740785f97c93a0a7a01ef2614be792afcd"
 8 | 	strings:
 9 | 		$k1 = "Tiger324{" fullword ascii
10 | 		
11 | 		$s2 = "WININET.dll" fullword ascii
12 | 		$s3 = "mscoree.dll" fullword wide
13 | 		$s4 = "WS2_32.dll" fullword
14 | 		$s5 = "Explorer.exe" fullword wide
15 | 		$s6 = "USER32.DLL"
16 | 		$s7 = "CONOUT$"
17 | 		$s8 = "login.asp"
18 | 		
19 | 		$h1 = "HTTP/1.0"
20 | 		$h2 = "POST"
21 | 		$h3 = "login.asp"
22 | 		$h4 = "check.asp"
23 | 		$h5 = "result.asp"
24 | 		$h6 = "upload.asp"
25 | 	condition:
26 | 		uint16(0) == 0x5a4d and filesize < 500KB and
27 | 			( 
28 | 				$k1 or all of ($s*) or all of ($h*)
29 | 			)
30 | }
31 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_kraken_bot1.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | 	Yara Rule Set
 3 | 	Author: Florian Roth
 4 | 	Date: 2015-05-07
 5 | 	Identifier: Kraken_Malware
 6 | */
 7 | 
 8 | rule Kraken_Bot_Sample {
 9 | 	meta:
10 | 		description = "Kraken Bot Sample - file inf.bin"
11 | 		author = "Florian Roth"
12 | 		reference = "https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html"
13 | 		date = "2015-05-07"
14 | 		hash = "798e9f43fc199269a3ec68980eb4d91eb195436d"
15 | 		score = 90
16 | 	strings:
17 | 		$s2 = "%s=?getname" fullword ascii
18 | 		$s4 = "&COMPUTER=^" fullword ascii
19 | 		$s5 = "xJWFwcGRhdGElAA=" fullword ascii /* base64 encoded string '%appdata%' */
20 | 		$s8 = "JVdJTkRJUi" fullword ascii /* base64 encoded string '%WINDIR' */
21 | 		$s20 = "btcplug" fullword ascii
22 | 	condition:
23 | 		uint16(0) == 0x5a4d and all of them
24 | }
25 | 
26 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/exploit_cve_2015_1674.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | 	Yara Rule Set
 3 | 	Author: Florian Roth
 4 | 	Date: 2015-05-14
 5 | 	Identifier: CVE-2015-1674
 6 | */
 7 | 
 8 | /* Rule Set ----------------------------------------------------------------- */
 9 | 
10 | rule CVE_2015_1674_CNGSYS {
11 | 	meta:
12 | 		description = "Detects exploits for CVE-2015-1674"
13 | 		author = "Florian Roth"
14 | 		reference = "http://www.binvul.com/viewthread.php?tid=508"
15 | 		date = "2015-05-14"
16 | 		hash = "af4eb2a275f6bbc2bfeef656642ede9ce04fad36"
17 | 	strings:
18 | 		$s1 = "\\Device\\CNG" fullword wide
19 | 		
20 | 		$s2 = "GetProcAddress" fullword ascii
21 | 		$s3 = "LoadLibrary" ascii
22 | 		$s4 = "KERNEL32.dll" fullword ascii
23 | 		$s5 = "ntdll.dll" fullword ascii
24 | 	condition:
25 | 		uint16(0) == 0x5a4d and filesize < 60KB and all of them
26 | }
27 | 
28 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_mikey_trojan.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule Gen_Trojan_Mikey {
 3 | 	meta:
 4 | 		description = "Trojan Mikey - file sample_mikey.exe"
 5 | 		author = "Florian Roth"
 6 | 		date = "2015-05-07"
 7 | 		hash = "a8e6c3ca056b3ff2495d7728654b780735b3a4cb"
 8 | 		score = 70
 9 | 	strings:
10 | 		$s0 = "nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\ERAWTFOS" fullword ascii 
11 | 						/* reversed string 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' */
12 | 		$x1 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)" fullword ascii
13 | 		$x2 = "User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)" fullword ascii
14 | 		$x3 = "%d*%u%s" fullword ascii
15 | 		$x4 = "%s %s:%d" fullword ascii
16 | 		$x5 = "Mnopqrst Vwxyabcde Ghijklm Opqrstuv Xya" fullword ascii
17 | 	condition:
18 | 		uint16(0) == 0x5a4d and $s0 and 2 of ($x*)
19 | }
20 | 
21 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/generic_cryptors.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule DarkEYEv3_Cryptor {
 3 | 	meta:
 4 | 		description = "Rule to detect DarkEYEv3 encrypted executables (often malware)"
 5 | 		author = "Florian Roth"
 6 | 		reference = "http://darkeyev3.blogspot.fi/"
 7 | 		date = "2015-05-24"
 8 | 		hash0 = "6b854b967397f7de0da2326bdd5d39e710e2bb12"
 9 | 		hash1 = "d53149968eca654fc0e803f925e7526fdac2786c"
10 | 		hash2 = "7e3a8940d446c57504d6a7edb6445681cca31c65"
11 | 		hash3 = "d3dd665dd77b02d7024ac16eb0949f4f598299e7"
12 | 		hash4 = "a907a7b74a096f024efe57953c85464e87275ba3"
13 | 		hash5 = "b1c422155f76f992048377ee50c79fe164b22293"
14 | 		hash6 = "29f5322ce5e9147f09e0a86cc23a7c8dc88721b9"
15 | 		hash7 = "a0382d7c12895489cb37efef74c5f666ea750b05"
16 | 		hash8 = "f3d5b71b7aeeb6cc917d5bb67e2165cf8a2fbe61"
17 | 		score = 55
18 | 	strings:
19 | 		$s0 = "\\DarkEYEV3-" 
20 | 	condition:
21 | 		uint16(0) == 0x5a4d and $s0
22 | }
23 | 


--------------------------------------------------------------------------------
/w-rules/rules/index.yar:
--------------------------------------------------------------------------------
 1 | // Copyright (C) 2013-2014 Josh "blacktop" Maine
 2 | // This file is part of Malice - https://github.com/blacktop/malice
 3 | // See the file 'docs/LICENSE' for copying permission.
 4 | 
 5 | include "signatures/avdetect.yar"
 6 | include "signatures/dbgdetect.yar"
 7 | include "signatures/sandboxdetect.yar"
 8 | include "signatures/capabilities.yar"
 9 | include "signatures/wce.yar"
10 | include "signatures/UserDB.yar"
11 | /*include "signatures/eppackersigs.yar"*/
12 | 
13 | include "APT_NGO_wuaclt_PDF.yara"
14 | include "CVE_2013_3893.yar"
15 | include "GeorBotMemory.yara"
16 | include "citizenlab.yara"
17 | include "fpu.yara"
18 | include "kins.yara"
19 | include "rats.yara"
20 | include "urausy_skypedat.yar"
21 | include "GeorBotBinary.yara"
22 | include "apt1.yara"
23 | include "embedded.yara"
24 | include "hangover.yara"
25 | include "leverage.yar"
26 | include "themask.yara"
27 | include "vmdetect.yara"
28 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_fidelis_phishing_plain_sight.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule Fidelis_Advisory_Purchase_Order_pps {
 3 |     meta:
 4 |         description = "Detects a string found in a malicious document named Purchase_Order.pps"
 5 |         author = "Florian Roth"
 6 |         reference = "http://goo.gl/ZjJyti"
 7 |         date = "2015-06-09"
 8 |     strings:
 9 |         $s0 = "Users\\Gozie\\Desktop\\Purchase-Order.gif" ascii
10 |     condition:
11 |         all of them
12 | }
13 | 
14 | rule Fidelis_Advisory_cedt370 {
15 |     meta:
16 |         description = "Detects a string found in memory of malware cedt370r(3).exe"
17 |         author = "Florian Roth"
18 |         reference = "http://goo.gl/ZjJyti"
19 |         date = "2015-06-09"
20 |     strings:
21 |         $s0 = "PO.exe" ascii fullword
22 |         $s1 = "Important.exe" ascii fullword
23 |         $s2 = "&username=" ascii fullword
24 |         $s3 = "Browsers.txt" ascii fullword
25 |     condition:
26 |         all of them
27 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/exploit_cve_2015_1701.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule CVE_2015_1701_Taihou {
 3 | 	meta:
 4 | 		description = "CVE-2015-1701 compiled exploit code"
 5 | 		author = "Florian Roth"
 6 | 		reference = "http://goo.gl/W4nU0q"
 7 | 		date = "2015-05-13"
 8 | 		hash1 = "90d17ebd75ce7ff4f15b2df951572653efe2ea17"
 9 | 		hash2 = "acf181d6c2c43356e92d4ee7592700fa01e30ffb"
10 | 		hash3 = "b8aabe12502f7d55ae332905acee80a10e3bc399"
11 | 		hash4 = "d9989a46d590ebc792f14aa6fec30560dfe931b1"
12 | 		hash5 = "63d1d33e7418daf200dc4660fc9a59492ddd50d9"
13 | 		score = 70
14 | 	strings:	
15 | 		$s3 = "VirtualProtect" fullword
16 | 		$s4 = "RegisterClass"
17 | 		$s5 = "LoadIcon"
18 | 		$s6 = "PsLookupProcessByProcessId" fullword ascii 
19 | 		$s7 = "LoadLibraryExA" fullword ascii
20 | 		$s8 = "gSharedInfo" fullword
21 | 
22 | 		$w1 = "user32.dll" wide
23 | 		$w2 = "ntdll" wide	
24 | 	condition:
25 | 		uint16(0) == 0x5a4d and filesize < 160KB and all of ($s*) and 1 of ($w*)
26 | }
27 | 
28 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_dridex_xml.yar:
--------------------------------------------------------------------------------
 1 | rule Dridex_Trojan_XML {
 2 | 	meta:
 3 | 		description = "Dridex Malware in XML Document"
 4 | 		author = "Florian Roth @4nc4p"
 5 | 		reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
 6 | 		date = "2015/03/08"
 7 | 		hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
 8 | 		hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
 9 | 		hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
10 | 		hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
11 | 		hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
12 | 	strings:
13 | 		// can be ascii or wide formatted - therefore no restriction
14 | 		$c_xml      = "<?xml version="
15 | 		$c_word     = "<?mso-application progid=\"Word.Document\"?>"
16 | 		$c_macro    = "w:macrosPresent=\"yes\""
17 | 		$c_binary   = "<w:binData w:name="
18 | 		$c_0_chars  = "<o:Characters>0</o:Characters>"
19 | 		$c_1_line   = "<o:Lines>1</o:Lines>"
20 | 	condition:
21 | 		all of ($c*)
22 | }
23 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/threat_lenovo_superfish.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | /* LENOVO Superfish -------------------------------------------------------- */
 3 | 
 4 | rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
 5 | 	meta:
 6 | 		description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
 7 | 		author = "Florian Roth / improved by kbandla"
 8 | 		reference = "https://twitter.com/4nc4p/status/568325493558272000"
 9 | 		date = "2015/02/19"
10 | 		hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
11 | 		hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
12 | 		hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
13 | 		hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
14 | 	strings:
15 | 		$mz = { 4d 5a }
16 | 		//$s1 = "VisualDiscovery.exe" fullword wide
17 | 		$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
18 | 		$s3 = "GetPCProxyHandler" fullword ascii
19 | 		$s4 = "StartPCProxy" fullword ascii
20 | 		$s5 = "SetPCProxyHandler" fullword ascii
21 | 	condition:
22 | 		( $mz at 0 ) and filesize < 2MB and all of ($s*)
23 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_apt17_malware.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | 	Yara Rule Set
 3 | 	Author: Florian Roth
 4 | 	Date: 2015-05-14
 5 | 	Identifier: APT17
 6 | */
 7 | 
 8 | /* Rule Set ----------------------------------------------------------------- */
 9 | 
10 | rule APT17_Sample_FXSST_DLL {
11 | 	meta:
12 | 		description = "Detects Samples related to APT17 activity - file FXSST.DLL"
13 | 		author = "Florian Roth"
14 | 		reference = "https://goo.gl/ZiJyQv"
15 | 		date = "2015-05-14"
16 | 		hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
17 | 	strings:
18 | 		$x1 = "Microsoft? Windows? Operating System" fullword wide
19 | 		$x2 = "fxsst.dll" fullword ascii
20 | 		
21 | 		$y1 = "DllRegisterServer" fullword ascii
22 | 		$y2 = ".cSV" fullword ascii
23 | 		
24 | 		$s1 = "GetLastActivePopup"
25 | 		$s2 = "Sleep"
26 | 		$s3 = "GetModuleFileName"
27 | 		$s4 = "VirtualProtect"
28 | 		$s5 = "HeapAlloc"
29 | 		$s6 = "GetProcessHeap"
30 | 		$s7 = "GetCommandLine"
31 | 	condition:
32 | 		uint16(0) == 0x5a4d and filesize < 800KB and 
33 | 			( 1 of ($x*) or all of ($y*) ) and all of ($s*)
34 | }
35 | 
36 | 


--------------------------------------------------------------------------------
/no-py/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.16
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 4.2.3
 6 | 
 7 | RUN apk add --no-cache openssl file jansson bison su-exec
 8 | RUN apk add --no-cache -t .build-deps \
 9 |   openssl-dev \
10 |   jansson-dev \
11 |   build-base \
12 |   libc-dev \
13 |   file-dev \
14 |   automake \
15 |   autoconf \
16 |   libtool \
17 |   flex \
18 |   git \
19 |   git \
20 |   && set -x \
21 |   && echo "Install Yara from source..." \
22 |   && cd /tmp/ \
23 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
24 |   && cd /tmp/yara \
25 |   && ./bootstrap.sh \
26 |   && sync \
27 |   && ./configure --with-crypto \
28 |   --enable-magic \
29 |   --enable-cuckoo \
30 |   --enable-dotnet \
31 |   && make \
32 |   && make install \
33 |   && echo "Make test_rule..." \
34 |   && mkdir /rules \
35 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
36 |   && rm -rf /tmp/* \
37 |   && apk del --purge .build-deps
38 | 
39 | VOLUME ["/malware"]
40 | VOLUME ["/rules"]
41 | 
42 | WORKDIR /malware
43 | 
44 | ENTRYPOINT ["su-exec","nobody","yara"]
45 | CMD ["--help"]
46 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2014-2016 Josh 'blacktop' Maine
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_malumpos.yar:
--------------------------------------------------------------------------------
 1 | rule PoS_Malware_MalumPOS
 2 | {
 3 |     meta:
 4 |         author = "Trend Micro, Inc."
 5 |         date = "2015-05-25"
 6 |         description = "Used to detect MalumPOS memory dumper"
 7 |         sample_filtype = "exe"
 8 |     strings:
 9 |         $string1 = "SOFTWARE\\Borland\\Delphi\\RTL"
10 |         $string2 = "B)[0-9]{13,19}\\"
11 |         $string3 = "[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\"
12 |         $string4 = "TRegExpr(exec): ExecNext Without Exec[Pos]"
13 |         $string5 = /Y:\\PROGRAMS\\.{20,300}\.pas/ 
14 |     condition:
15 |         all of ($string*)
16 | }
17 | 
18 | rule PoS_Malware_MalumPOS_Config
19 | {
20 |     meta:
21 |         author = "Florian Roth"
22 |         date = "2015-06-25"
23 |         description = "MalumPOS Config File"
24 |         reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/"
25 |     strings:
26 |         $s1 = "[PARAMS]"
27 |         $s2 = "Name="
28 |         $s3 = "InterfacesIP="
29 |         $s4 = "Port="
30 |     condition:
31 |         all of ($s*) and filename == "log.ini" and filesize < 20KB
32 | }
33 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_scanbox_deeppanda.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule ScanBox_Malware_Generic {
 3 | 	meta:
 4 | 		description = "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP"
 5 | 		author = "Florian Roth"
 6 | 		reference1 = "http://goo.gl/MUUfjv"
 7 | 		reference2 = "http://goo.gl/WXUQcP"
 8 | 		date = "2015/02/28"
 9 | 		hash1 = "8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9"
10 | 		hash2 = "d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d"
11 | 		hash3 = "3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2"
12 | 	strings:
13 | 		/* Sample 1 */
14 | 		$s0 = "http://142.91.76.134/p.dat" fullword ascii
15 | 		$s1 = "HttpDump 1.1" fullword ascii
16 | 		
17 | 		/* Sample 2 */
18 | 		$s3 = "SecureInput .exe" fullword wide
19 | 		$s4 = "http://extcitrix.we11point.com/vpn/index.php?ref=1" fullword ascii
20 | 		
21 | 		/* Sample 3 */
22 | 		$s5 = "%SystemRoot%\\System32\\svchost.exe -k msupdate" fullword ascii
23 | 		$s6 = "ServiceMaix" fullword ascii		
24 | 		
25 | 		/* Certificate and Keywords */
26 | 		$x1 = "Management Support Team1" fullword ascii
27 | 		$x2 = "DTOPTOOLZ Co.,Ltd.0" fullword ascii
28 | 		$s3 = "SEOUL1" fullword ascii
29 | 	condition:
30 | 		( 1 of ($s*) and 2 of ($x*) ) or 
31 | 		( 3 of ($x*) )
32 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/pup_lightftp.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule LightFTP_fftp_x86_64 {
 3 | 	meta:
 4 | 		description = "Detects a light FTP server"
 5 | 		author = "Florian Roth"
 6 | 		reference = "https://github.com/hfiref0x/LightFTP"
 7 | 		date = "2015-05-14"
 8 | 		hash1 = "989525f85abef05581ccab673e81df3f5d50be36"
 9 | 		hash2 = "5884aeca33429830b39eba6d3ddb00680037faf4"
10 | 		score = 50
11 | 	strings:
12 | 		$s1 = "fftp.cfg" fullword wide
13 | 		$s2 = "220 LightFTP server v1.0 ready" fullword ascii
14 | 		$s3 = "*FTP thread exit*" fullword wide
15 | 		$s4 = "PASS->logon successful" fullword ascii
16 | 		$s5 = "250 Requested file action okay, completed." fullword ascii
17 | 	condition:
18 | 		uint16(0) == 0x5a4d and filesize < 250KB and 4 of them
19 | }
20 | 
21 | rule LightFTP_Config {
22 | 	meta:
23 | 		description = "Detects a light FTP server - config file"
24 | 		author = "Florian Roth"
25 | 		reference = "https://github.com/hfiref0x/LightFTP"
26 | 		date = "2015-05-14"
27 | 		hash = "ce9821213538d39775af4a48550eefa3908323c5"
28 | 	strings:
29 | 		$s2 = "maxusers=" wide
30 | 		$s6 = "[ftpconfig]" fullword wide
31 | 		$s8 = "accs=readonly" fullword wide
32 | 		$s9 = "[anonymous]" fullword wide
33 | 		$s10 = "accs=" fullword wide
34 | 		$s11 = "pswd=" fullword wide
35 | 	condition:
36 | 		uint16(0) == 0xfeff and filesize < 1KB and all of them
37 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_blackenergy_installer.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule blackenergy3_installer
 3 | {
 4 | 	meta:
 5 | 		author = "Mike Schladt"
 6 | 		date = "2015-05-29"
 7 | 		description = "Matches unique code block for import name construction "
 8 | 		md5 = "78387651DD9608FCDF6BFB9DF8B84DB4"
 9 | 		sha1 = "78636F7BBD52EA80D79B4E2A7882403092BBB02D"
10 | 		reference  = "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
11 | 	strings:
12 | 		$import_names = { C7 45 D0 75 73 65 72 C7 45 D4 33 32 2E 64 66 C7 45 D8 6C 6C 88 5D DA C7 45 84 61 64 76 61 C7 45 88 70 69 33 32 C7 45 8C 2E 64 6C 6C 88 5D 90 C7 45 B8 77 69 6E 69 C7 45 BC 6E 65 74 2E C7 45 C0 64 6C 6C 00 C7 45 C4 77 73 32 5F C7 45 C8 33 32 2E 64 66 C7 45 CC 6C 6C 88 5D CE C7 45 94 73 68 65 6C C7 45 98 6C 33 32 2E C7 45 9C 64 6C 6C 00 C7 45 E8 70 73 61 70 C7 45 EC 69 2E 64 6C 66 C7 45 F0 6C 00 C7 85 74 FF FF FF 6E 65 74 61 C7 85 78 FF FF FF 70 69 33 32 C7 85 7C FF FF FF 2E 64 6C 6C 88 5D 80 C7 85 64 FF FF FF 6F 6C 65 61 C7 85 68 FF FF FF 75 74 33 32 C7 85 6C FF FF FF 2E 64 6C 6C 88 9D 70 FF FF FF C7 45 DC 6F 6C 65 33 C7 45 E0 32 2E 64 6C 66 C7 45 E4 6C 00 C7 45 A0 76 65 72 73 C7 45 A4 69 6F 6E 2E C7 45 A8 64 6C 6C 00 C7 85 54 FF FF FF 69 6D 61 67 C7 85 58 FF FF FF 65 68 6C 70 C7 85 5C FF FF FF 2E 64 6C 6C 88 9D 60 FF FF FF C7 45 AC 61 70 70 68 C7 45 B0 65 6C 70 2E C7 45 B4 64 6C 6C 00 C7 45 F4 2E 64 6C 6C 88 5D F8 }            
13 | 	condition : 
14 | 		any of them
15 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_snowglobe_babar.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | /* SnowGlobe Babar ---------------------------------------------------------- */
 3 | 
 4 | rule SNOWGLOBE_Babar_Malware {
 5 | 	meta:
 6 | 		description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
 7 | 		author = "Florian Roth"
 8 | 		reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
 9 | 		date = "2015/02/18"
10 | 		hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
11 | 		score = 80
12 | 	strings:
13 | 		$mz = { 4d 5a }
14 | 		$z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
15 | 		$z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
16 | 		$z2 = "ExecQueryFailled!" fullword ascii
17 | 		$z3 = "NBOT_COMMAND_LINE" fullword
18 | 		$z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
19 | 
20 | 		$s1 = "/s /n %s \"%s\"" fullword ascii
21 | 		$s2 = "%%WINDIR%%\\%s\\%s" fullword ascii
22 | 		$s3 = "/c start /wait " fullword ascii
23 | 		$s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii
24 | 
25 | 		$x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
26 | 		$x2 = "%COMMON_APPDATA%" fullword ascii
27 | 		$x4 = "CONOUT$" fullword ascii
28 | 		$x5 = "cmd.exe" fullword ascii
29 | 		$x6 = "DLLPATH" fullword ascii
30 | 	condition:
31 | 		( $mz at 0 ) and filesize < 1MB and
32 | 		(
33 | 			( 1 of ($z*) and 1 of ($x*) ) or
34 | 			( 3 of ($s*) and 4 of ($x*) )
35 | 		)
36 | }
37 | 


--------------------------------------------------------------------------------
/3.8/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.8
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 3.8.1
 6 | ENV YARA_PY_VERSION 3.8.1
 7 | 
 8 | RUN apk add --no-cache openssl file jansson bison python tini su-exec
 9 | RUN apk add --no-cache -t .build-deps py-setuptools \
10 |   openssl-dev \
11 |   jansson-dev \
12 |   python-dev \
13 |   build-base \
14 |   libc-dev \
15 |   file-dev \
16 |   automake \
17 |   autoconf \
18 |   libtool \
19 |   flex \
20 |   git \
21 |   git \
22 |   && set -x \
23 |   && echo "Install Yara from source..." \
24 |   && cd /tmp/ \
25 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
26 |   && cd /tmp/yara \
27 |   && ./bootstrap.sh \
28 |   && sync \
29 |   && ./configure --with-crypto \
30 |   --enable-magic \
31 |   --enable-cuckoo \
32 |   --enable-dotnet \
33 |   && make \
34 |   && make install \
35 |   && echo "Install yara-python..." \
36 |   && cd /tmp/ \
37 |   && git clone --recursive --branch v$YARA_PY_VERSION https://github.com/VirusTotal/yara-python \
38 |   && cd yara-python \
39 |   && python setup.py build --dynamic-linking \
40 |   && python setup.py install \
41 |   && echo "Make test_rule..." \
42 |   && mkdir /rules \
43 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
44 |   && rm -rf /tmp/* \
45 |   && apk del --purge .build-deps
46 | 
47 | VOLUME ["/malware"]
48 | VOLUME ["/rules"]
49 | 
50 | WORKDIR /malware
51 | 
52 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
53 | CMD ["--help"]
54 | 


--------------------------------------------------------------------------------
/3.9/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.9
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 3.9.0
 6 | ENV YARA_PY_VERSION 3.9.0
 7 | 
 8 | RUN apk add --no-cache openssl file jansson bison python tini su-exec
 9 | RUN apk add --no-cache -t .build-deps py-setuptools \
10 |   openssl-dev \
11 |   jansson-dev \
12 |   python-dev \
13 |   build-base \
14 |   libc-dev \
15 |   file-dev \
16 |   automake \
17 |   autoconf \
18 |   libtool \
19 |   flex \
20 |   git \
21 |   git \
22 |   && set -x \
23 |   && echo "Install Yara from source..." \
24 |   && cd /tmp/ \
25 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
26 |   && cd /tmp/yara \
27 |   && ./bootstrap.sh \
28 |   && sync \
29 |   && ./configure --with-crypto \
30 |   --enable-magic \
31 |   --enable-cuckoo \
32 |   --enable-dotnet \
33 |   && make \
34 |   && make install \
35 |   && echo "Install yara-python..." \
36 |   && cd /tmp/ \
37 |   && git clone --recursive --branch v$YARA_PY_VERSION https://github.com/VirusTotal/yara-python \
38 |   && cd yara-python \
39 |   && python setup.py build --dynamic-linking \
40 |   && python setup.py install \
41 |   && echo "Make test_rule..." \
42 |   && mkdir /rules \
43 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
44 |   && rm -rf /tmp/* \
45 |   && apk del --purge .build-deps
46 | 
47 | VOLUME ["/malware"]
48 | VOLUME ["/rules"]
49 | 
50 | WORKDIR /malware
51 | 
52 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
53 | CMD ["--help"]
54 | 


--------------------------------------------------------------------------------
/3.10/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.10
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 3.10.0
 6 | ENV YARA_PY_VERSION 3.10.0
 7 | 
 8 | RUN apk add --no-cache openssl file jansson bison python tini su-exec
 9 | RUN apk add --no-cache -t .build-deps py-setuptools \
10 |   openssl-dev \
11 |   jansson-dev \
12 |   python-dev \
13 |   build-base \
14 |   libc-dev \
15 |   file-dev \
16 |   automake \
17 |   autoconf \
18 |   libtool \
19 |   flex \
20 |   git \
21 |   git \
22 |   && set -x \
23 |   && echo "Install Yara from source..." \
24 |   && cd /tmp/ \
25 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
26 |   && cd /tmp/yara \
27 |   && ./bootstrap.sh \
28 |   && sync \
29 |   && ./configure --with-crypto \
30 |   --enable-magic \
31 |   --enable-cuckoo \
32 |   --enable-dotnet \
33 |   && make \
34 |   && make install \
35 |   && echo "Install yara-python..." \
36 |   && cd /tmp/ \
37 |   && git clone --recursive --branch v$YARA_PY_VERSION https://github.com/VirusTotal/yara-python \
38 |   && cd yara-python \
39 |   && python setup.py build --dynamic-linking \
40 |   && python setup.py install \
41 |   && echo "Make test_rule..." \
42 |   && mkdir /rules \
43 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
44 |   && rm -rf /tmp/* \
45 |   && apk del --purge .build-deps
46 | 
47 | VOLUME ["/malware"]
48 | VOLUME ["/rules"]
49 | 
50 | WORKDIR /malware
51 | 
52 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
53 | CMD ["--help"]
54 | 


--------------------------------------------------------------------------------
/3.11/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.10
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 3.11.0
 6 | ENV YARA_PY_VERSION 3.11.0
 7 | 
 8 | RUN apk add --no-cache openssl file jansson bison python tini su-exec
 9 | RUN apk add --no-cache -t .build-deps py-setuptools \
10 |   openssl-dev \
11 |   jansson-dev \
12 |   python-dev \
13 |   build-base \
14 |   libc-dev \
15 |   file-dev \
16 |   automake \
17 |   autoconf \
18 |   libtool \
19 |   flex \
20 |   git \
21 |   git \
22 |   && set -x \
23 |   && echo "Install Yara from source..." \
24 |   && cd /tmp/ \
25 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
26 |   && cd /tmp/yara \
27 |   && ./bootstrap.sh \
28 |   && sync \
29 |   && ./configure --with-crypto \
30 |   --enable-magic \
31 |   --enable-cuckoo \
32 |   --enable-dotnet \
33 |   && make \
34 |   && make install \
35 |   && echo "Install yara-python..." \
36 |   && cd /tmp/ \
37 |   && git clone --recursive --branch v$YARA_PY_VERSION https://github.com/VirusTotal/yara-python \
38 |   && cd yara-python \
39 |   && python setup.py build --dynamic-linking \
40 |   && python setup.py install \
41 |   && echo "Make test_rule..." \
42 |   && mkdir /rules \
43 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
44 |   && rm -rf /tmp/* \
45 |   && apk del --purge .build-deps
46 | 
47 | VOLUME ["/malware"]
48 | VOLUME ["/rules"]
49 | 
50 | WORKDIR /malware
51 | 
52 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
53 | CMD ["--help"]
54 | 


--------------------------------------------------------------------------------
/4.0/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.12
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 4.0.2
 6 | ENV YARA_PY_VERSION 4.0.2
 7 | 
 8 | RUN apk add --no-cache openssl file jansson bison python3 tini su-exec
 9 | RUN apk add --no-cache -t .build-deps py3-setuptools \
10 |   openssl-dev \
11 |   jansson-dev \
12 |   python3-dev \
13 |   build-base \
14 |   libc-dev \
15 |   file-dev \
16 |   automake \
17 |   autoconf \
18 |   libtool \
19 |   flex \
20 |   git \
21 |   git \
22 |   && set -x \
23 |   && echo "Install Yara from source..." \
24 |   && cd /tmp/ \
25 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
26 |   && cd /tmp/yara \
27 |   && ./bootstrap.sh \
28 |   && sync \
29 |   && ./configure --with-crypto \
30 |   --enable-magic \
31 |   --enable-cuckoo \
32 |   --enable-dotnet \
33 |   && make \
34 |   && make install \
35 |   && echo "Install yara-python..." \
36 |   && cd /tmp/ \
37 |   && git clone --recursive --branch v$YARA_PY_VERSION https://github.com/VirusTotal/yara-python \
38 |   && cd yara-python \
39 |   && python3 setup.py build --dynamic-linking \
40 |   && python3 setup.py install \
41 |   && echo "Make test_rule..." \
42 |   && mkdir /rules \
43 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
44 |   && rm -rf /tmp/* \
45 |   && apk del --purge .build-deps
46 | 
47 | VOLUME ["/malware"]
48 | VOLUME ["/rules"]
49 | 
50 | WORKDIR /malware
51 | 
52 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
53 | CMD ["--help"]
54 | 


--------------------------------------------------------------------------------
/4.1/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.14
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 4.1.3
 6 | ENV YARA_PY_VERSION 4.1.3
 7 | 
 8 | RUN apk add --no-cache openssl file jansson bison python3 tini su-exec
 9 | RUN apk add --no-cache -t .build-deps py3-setuptools \
10 |   openssl-dev \
11 |   jansson-dev \
12 |   python3-dev \
13 |   build-base \
14 |   libc-dev \
15 |   file-dev \
16 |   automake \
17 |   autoconf \
18 |   libtool \
19 |   flex \
20 |   git \
21 |   git \
22 |   && set -x \
23 |   && echo "Install Yara from source..." \
24 |   && cd /tmp/ \
25 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
26 |   && cd /tmp/yara \
27 |   && ./bootstrap.sh \
28 |   && sync \
29 |   && ./configure --with-crypto \
30 |   --enable-magic \
31 |   --enable-cuckoo \
32 |   --enable-dotnet \
33 |   && make \
34 |   && make install \
35 |   && echo "Install yara-python..." \
36 |   && cd /tmp/ \
37 |   && git clone --recursive --branch v$YARA_PY_VERSION https://github.com/VirusTotal/yara-python \
38 |   && cd yara-python \
39 |   && python3 setup.py build --dynamic-linking \
40 |   && python3 setup.py install \
41 |   && echo "Make test_rule..." \
42 |   && mkdir /rules \
43 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
44 |   && rm -rf /tmp/* \
45 |   && apk del --purge .build-deps
46 | 
47 | VOLUME ["/malware"]
48 | VOLUME ["/rules"]
49 | 
50 | WORKDIR /malware
51 | 
52 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
53 | CMD ["--help"]
54 | 


--------------------------------------------------------------------------------
/4.2/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.16
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 4.2.3
 6 | ENV YARA_PY_VERSION 4.2.3
 7 | 
 8 | RUN apk add --no-cache openssl file jansson bison python3 tini su-exec
 9 | RUN apk add --no-cache -t .build-deps py3-setuptools \
10 |   openssl-dev \
11 |   jansson-dev \
12 |   python3-dev \
13 |   build-base \
14 |   libc-dev \
15 |   file-dev \
16 |   automake \
17 |   autoconf \
18 |   libtool \
19 |   flex \
20 |   git \
21 |   git \
22 |   && set -x \
23 |   && echo "Install Yara from source..." \
24 |   && cd /tmp/ \
25 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
26 |   && cd /tmp/yara \
27 |   && ./bootstrap.sh \
28 |   && sync \
29 |   && ./configure --with-crypto \
30 |   --enable-magic \
31 |   --enable-cuckoo \
32 |   --enable-dotnet \
33 |   && make \
34 |   && make install \
35 |   && echo "Install yara-python..." \
36 |   && cd /tmp/ \
37 |   && git clone --recursive --branch v$YARA_PY_VERSION https://github.com/VirusTotal/yara-python \
38 |   && cd yara-python \
39 |   && python3 setup.py build --dynamic-linking \
40 |   && python3 setup.py install \
41 |   && echo "Make test_rule..." \
42 |   && mkdir /rules \
43 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
44 |   && rm -rf /tmp/* \
45 |   && apk del --purge .build-deps
46 | 
47 | VOLUME ["/malware"]
48 | VOLUME ["/rules"]
49 | 
50 | WORKDIR /malware
51 | 
52 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
53 | CMD ["--help"]
54 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_naikon.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule Backdoor_Naikon_APT_Sample1 {
 3 | 	meta:
 4 | 		description = "Detects backdoors related to the Naikon APT"
 5 | 		author = "Florian Roth"
 6 | 		reference = "https://goo.gl/7vHyvh"
 7 | 		date = "2015-05-14"
 8 | 		hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
 9 | 		hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
10 | 	strings:
11 | 		$x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
12 | 		$x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
13 | 		$x2 = "greensky27.vicp.net" fullword ascii
14 | 		$x3 = "\\tempvxd.vxd.dll" fullword wide
15 | 		$x4 = "otna.vicp.net" fullword ascii
16 | 		$x5 = "smithking19.gicp.net" fullword ascii
17 | 		
18 | 		$s1 = "User-Agent: webclient" fullword ascii
19 | 		$s2 = "\\User.ini" fullword ascii
20 | 		$s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
21 | 		$s4 = "\\UserProfile.dll" fullword wide
22 | 		$s5 = "Connection:Keep-Alive: %d" fullword ascii
23 | 		$s6 = "Referer: http://%s:%d/" fullword ascii
24 | 		$s7 = "%s %s %s %d %d %d " fullword ascii
25 | 		$s8 = "%s--%s" fullword wide
26 | 		$s9 = "Run File Success!" fullword wide
27 | 		$s10 = "DRIVE_REMOTE" fullword wide
28 | 		$s11 = "ProxyEnable" fullword wide
29 | 		$s12 = "\\cmd.exe" fullword wide
30 | 	condition:
31 | 		uint16(0) == 0x5a4d and filesize < 1000KB and
32 | 		(
33 | 			1 of ($x*) or 7 of ($s*)
34 | 		)
35 | }
36 | 
37 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_malware_generic.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | /* Malware ----------------------------------------------------------------- */
 3 | 
 4 | rule TrojanDownloader {
 5 | 	meta:
 6 | 		description = "Trojan Downloader - Flash Exploit Feb15"
 7 | 		author = "Florian Roth"
 8 | 		reference = "http://goo.gl/wJ8V1I"
 9 | 		date = "2015/02/11"
10 | 		hash = "5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e"
11 | 		score = 60
12 | 	strings:
13 | 		$x1 = "Hello World!" fullword ascii
14 | 		$x2 = "CONIN$" fullword ascii
15 | 			
16 | 		$s6 = "GetCommandLineA" fullword ascii
17 | 		$s7 = "ExitProcess" fullword ascii
18 | 		$s8 = "CreateFileA" fullword ascii						
19 | 
20 | 		$s5 = "SetConsoleMode" fullword ascii		
21 | 		$s9 = "TerminateProcess" fullword ascii	
22 | 		$s10 = "GetCurrentProcess" fullword ascii
23 | 		$s11 = "UnhandledExceptionFilter" fullword ascii
24 | 		$s3 = "user32.dll" fullword ascii
25 | 		$s16 = "GetEnvironmentStrings" fullword ascii
26 | 		$s2 = "GetLastActivePopup" fullword ascii		
27 | 		$s17 = "GetFileType" fullword ascii
28 | 		$s19 = "HeapCreate" fullword ascii
29 | 		$s20 = "VirtualFree" fullword ascii
30 | 		$s21 = "WriteFile" fullword ascii
31 | 		$s22 = "GetOEMCP" fullword ascii
32 | 		$s23 = "VirtualAlloc" fullword ascii
33 | 		$s24 = "GetProcAddress" fullword ascii
34 | 		$s26 = "FlushFileBuffers" fullword ascii
35 | 		$s27 = "SetStdHandle" fullword ascii
36 | 		$s28 = "KERNEL32.dll" fullword ascii
37 | 	condition:
38 | 		$x1 and $x2 and ( all of ($s*) ) and filesize < 35000
39 | }
40 | 


--------------------------------------------------------------------------------
/w-rules/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.16
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 4.2.3
 6 | ENV YARA_PY_VERSION 4.2.3
 7 | 
 8 | RUN apk add --no-cache openssl file jansson bison python3 tini su-exec
 9 | RUN apk add --no-cache -t .build-deps py3-setuptools \
10 |   openssl-dev \
11 |   jansson-dev \
12 |   python3-dev \
13 |   build-base \
14 |   libc-dev \
15 |   file-dev \
16 |   automake \
17 |   autoconf \
18 |   libtool \
19 |   flex \
20 |   git \
21 |   git \
22 |   && set -x \
23 |   && echo "Install Yara from source..." \
24 |   && cd /tmp/ \
25 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
26 |   && cd /tmp/yara \
27 |   && ./bootstrap.sh \
28 |   && sync \
29 |   && ./configure --with-crypto \
30 |   --enable-magic \
31 |   --enable-cuckoo \
32 |   --enable-dotnet \
33 |   && make \
34 |   && make install \
35 |   && echo "Install yara-python..." \
36 |   && cd /tmp/ \
37 |   && git clone --recursive --branch v$YARA_PY_VERSION https://github.com/VirusTotal/yara-python \
38 |   && cd yara-python \
39 |   && python3 setup.py build --dynamic-linking \
40 |   && python3 setup.py install \
41 |   && echo "Make test_rule..." \
42 |   && mkdir /rules \
43 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
44 |   && rm -rf /tmp/* \
45 |   && apk del --purge .build-deps
46 | 
47 | COPY rules /rules
48 | 
49 | VOLUME ["/malware"]
50 | VOLUME ["/rules"]
51 | 
52 | WORKDIR /malware
53 | 
54 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
55 | CMD ["--help"]
56 | 


--------------------------------------------------------------------------------
/w-rules/rules/embedded.yara:
--------------------------------------------------------------------------------
 1 | // Copyright (C) 2013 Claudio "nex" Guarnieri
 2 | 
 3 | rule embedded_macho
 4 | {
 5 |     meta:
 6 |         author = "nex"
 7 |         description = "Contains an embedded Mach-O file"
 8 | 
 9 |     strings:
10 |         $magic1 = { ca fe ba be }
11 |         $magic2 = { ce fa ed fe }
12 |         $magic3 = { fe ed fa ce }
13 |     condition:
14 |         any of ($magic*) and not ($magic1 at 0) and not ($magic2 at 0) and not ($magic3 at 0)
15 | }
16 | 
17 | rule embedded_pe
18 | {
19 |     meta:
20 |         author = "nex"
21 |         description = "Contains an embedded PE32 file"
22 | 
23 |     strings:
24 |         $a = "PE32"
25 |         $b = "This program"
26 |         $mz = { 4d 5a }
27 |     condition:
28 |         ($a and $b) and not ($mz at 0)
29 | }
30 | 
31 | rule embedded_win_api
32 | {
33 |     meta:
34 |         author = "nex"
35 |         description = "A non-Windows executable contains win32 API functions names"
36 | 
37 |     strings:
38 |         $mz = { 4d 5a }
39 |         $api1 = "CreateFileA"
40 |         $api2 = "GetProcAddress"
41 |         $api3 = "LoadLibraryA"
42 |         $api4 = "WinExec"
43 |         $api5 = "GetSystemDirectoryA"
44 |         $api6 = "WriteFile"
45 |         $api7 = "ShellExecute"
46 |         $api8 = "GetWindowsDirectory"
47 |         $api9 = "URLDownloadToFile"
48 |         $api10 = "IsBadReadPtr"
49 |         $api11 = "IsBadWritePtr"
50 |         $api12 = "SetFilePointer"
51 |         $api13 = "GetTempPath"
52 |         $api14 = "GetWindowsDirectory"
53 |     condition:
54 |         not ($mz at 0) and any of ($api*)
55 | }
56 | 


--------------------------------------------------------------------------------
/w-rules/rules/signatures/wce.yar:
--------------------------------------------------------------------------------
 1 | rule wce : HackerTools
 2 | {
 3 | meta:
 4 | 	author = "Josh Maine"
 5 | 	date = "2013-06-12"
 6 | 	description = "Windows Credential Editor"
 7 | 	hash0 = "b5d8086fe3cf6fa96306b036674553da"
 8 | 	hash2 = "0a061bf035bec3abcddfb2b406c5cb67"
 9 | 	hash3 = "4fb08ad6583c2d44a098e325699789cb"
10 | 	hash4 = "30df6e7310edc6510c0844626ee51c1d"
11 | 	hash5 = "47738922e60d863046ee88af530e0347"
12 | 	hash6 = "df840ac27051d26555a109cc47d03fe4"
13 | 	hash7 = "bd73c74819d8db09c645c738bbd3f5b9"
14 | 	hash8 = "13181dcf9965c89cfafe0828b127966d"
15 | 	hash9 = "9012ed6c4dada6f495545299d0ce38b3"
16 | 	hash10 = "018cca70e20293d5d9bc45b0f76ca2d4"
17 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
18 | strings:
19 | 	$string0 = "Error in InjectDllAndCallFunction"
20 | 	$string1 = "WCEAddNTLMCredentials"
21 | 	$string2 = "Specify LUID instead of use current logon session."
22 | 	$string3 = "An error occurred changing the NTLM credentials."
23 | 	$string4 = "domain is too long"
24 | 	$string5 = "Cannot set event hook"
25 | 	$string6 = "- not enough space for environment" wide
26 | 	$string7 = "Friday"
27 | 	$string8 = "Refreshes every time a logon event occurs."
28 | 	$string9 = "domain: %s"
29 | 	$string10 = "- unexpected multithread lock error" wide
30 | 	$string11 = "username is too long"
31 | 	$string12 = "mscoree.dll" wide
32 | 	$string13 = "ERROR: CreateProcessWithLogonW"
33 | 	$string14 = "Security"
34 | 	$string15 = "- not enough space for arguments" wide
35 | 	$string16 = "WCEDelNTLMCredentials"
36 | 	$string17 = "- not enough space for locale information" wide
37 | condition:
38 | 	17 of them
39 | }
40 | 


--------------------------------------------------------------------------------
/w-rules/rules/kins.yara:
--------------------------------------------------------------------------------
 1 | 
 2 | rule KINS_dropper {
 3 | 	meta:
 4 | 		author = "AlienVault Labs aortega@alienvault.com"
 5 | 		description = "Match protocol, process injects and windows exploit present in KINS dropper"
 6 | 	strings:
 7 | 		// Network protocol
 8 | 		$n1 = "tid=%d&ta=%s-%x" fullword
 9 | 		$n2 = "fid=%d" fullword
10 | 		$n3 = "%[^.].%[^(](%[^)])" fullword
11 | 		// Injects
12 | 		$i0 = "%s [%s %d] 77 %s"
13 | 		$i01 = "Global\\%s%x"
14 | 		$i1 = "Inject::InjectProcessByName()"
15 | 		$i2 = "Inject::CopyImageToProcess()"
16 | 		$i3 = "Inject::InjectProcess()"
17 | 		$i4 = "Inject::InjectImageToProcess()"
18 | 		$i5 = "Drop::InjectStartThread()"
19 | 		// UAC bypass
20 | 		$uac1 = "ExploitMS10_092"
21 | 		$uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
22 | 		$uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
23 | 	condition:
24 | 		2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
25 | }
26 | 
27 | rule KINS_DLL_zeus {
28 | 	meta:
29 | 		author = "AlienVault Labs aortega@alienvault.com"
30 | 		description = "Match default bot in KINS leaked dropper, Zeus"
31 | 	strings:
32 | 		// Network protocol
33 | 		$n1 = "%BOTID%" fullword
34 | 		$n2 = "%opensocks%" fullword
35 | 		$n3 = "%openvnc%" fullword
36 | 		$n4 = /Global\\(s|v)_ev/ fullword
37 | 		// Crypted strings
38 | 		$s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
39 | 		$s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
40 | 		$s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
41 | 		$s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
42 | 		$s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
43 | 	condition:
44 | 		all of ($n*) and 1 of ($s*)
45 | }
46 | 
47 | 


--------------------------------------------------------------------------------
/w-rules/rules/signatures/dbgdetect.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule dbgdetect_funcs : dbgdetect
 3 | {
 4 | 	meta:
 5 | 		author = "AlienVault Labs"
 6 | 		type = "info"
 7 | 		severity = 1
 8 | 		description = "Debugger detection tricks"
 9 | 
10 | 	strings:
11 | 		$func1 = "IsDebuggerPresent"
12 | 		$func2 = "OutputDebugString"
13 | 		$func3 = "ZwQuerySystemInformation"
14 | 		$func4 = "ZwQueryInformationProcess"
15 | 		$func5 = "IsDebugged"
16 | 		$func6 = "NtGlobalFlags"
17 | 		$func7 = "CheckRemoteDebuggerPresent"
18 | 		$func8 = "SetInformationThread"
19 | 		$func9 = "DebugActiveProcess"
20 | 
21 | 	condition:
22 | 		2 of them
23 | }
24 | 
25 | rule dbgdetect_procs : dbgdetect
26 | {
27 | 	meta:
28 | 		author = "AlienVault Labs"
29 | 		type = "info"
30 | 		severity = 1
31 | 		description = "Debugger detection tricks"
32 | 
33 | 	strings:
34 | 		$proc1 = "wireshark" nocase ascii wide
35 | 		$proc2 = "filemon" nocase ascii wide
36 | 		$proc3 = "procexp" nocase ascii wide
37 | 		$proc4 = "procmon" nocase ascii wide
38 | 		$proc5 = "regmon" nocase ascii wide
39 | 		$proc6 = "idag" nocase ascii wide
40 | 		$proc7 = "immunitydebugger" nocase ascii wide
41 | 		$proc8 = "ollydbg" nocase ascii wide
42 | 		$proc9 = "petools" nocase ascii wide
43 | 
44 | 	condition:
45 | 		2 of them
46 | }
47 | 
48 | rule dbgdetect_files : dbgdetect
49 | {
50 | 	meta:
51 | 		author = "AlienVault Labs"
52 | 		type = "info"
53 | 		severity = 1
54 | 		description = "Debugger detection tricks"
55 | 	strings:
56 | 		$file1 = "syserdbgmsg" nocase ascii wide
57 | 		$file2 = "syserboot" nocase ascii wide
58 | 		$file3 = "SICE" nocase ascii wide
59 | 		$file4 = "NTICE" nocase ascii wide
60 | 	condition:
61 | 		2 of them
62 | }
63 | 
64 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/general_cloaking.yar:
--------------------------------------------------------------------------------
 1 | rule EXE_cloaked_as_TXT {
 2 | 	meta:
 3 | 		description = "Executable with TXT extension"
 4 | 		author = "Florian Roth"
 5 | 	condition:
 6 | 		uint16(0) == 0x5a4d 					// Executable
 7 | 		and filename matches /\.txt$/is   // TXT extension (case insensitive)
 8 | }
 9 | 
10 | rule EXE_extension_cloaking {
11 | 	meta:
12 | 		description = "Executable showing different extension (Windows default 'hide known extension')"
13 | 		author = "Florian Roth"
14 | 	condition:
15 | 		filename matches /\.txt\.exe$/is or	// Special file extensions
16 | 		filename matches /\.pdf\.exe$/is		// Special file extensions
17 | }
18 | 
19 | rule Cloaked_RAR_File {
20 | 	meta:
21 | 		description = "RAR file cloaked by a different extension"
22 | 		author = "Florian Roth"
23 | 	condition:
24 | 		uint32be(0) == 0x52617221							// RAR File Magic Header
25 | 		and not filename matches /(rarnew.dat|\.rar)$/is	// not the .RAR extension
26 | 		and not filepath contains "Recycle" 				// not a deleted RAR file in recycler
27 | }
28 | 
29 | rule Base64_encoded_Executable {
30 | 	meta:
31 | 		description = "Detects an base64 encoded executable (often embedded)"
32 | 		author = "Florian Roth"
33 | 		date = "2015-05-28"
34 | 		score = 40
35 | 	strings:
36 | 		$s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" // 14 samples in goodware archive
37 | 		$s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" // 26 samples in goodware archive
38 | 		$s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" // 75 samples in goodware archive
39 | 		$s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" // 168 samples in goodware archive
40 | 		$s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" // 28,529 samples in goodware archive
41 | 	condition:
42 | 		1 of them and not filepath contains "Thunderbird"
43 | }
44 | 
45 | 


--------------------------------------------------------------------------------
/3.4/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.7
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 3.4.0
 6 | 
 7 | RUN apk add --no-cache openssl file jansson bison python tini su-exec
 8 | RUN apk add --no-cache -t .build-deps py-setuptools \
 9 |                                 openssl-dev \
10 |                                 jansson-dev \
11 |                                 python-dev \
12 |                                 build-base \
13 |                                 libc-dev \
14 |                                 file-dev \
15 |                                 automake \
16 |                                 autoconf \
17 |                                 libtool \
18 |                                 flex \
19 |                                 git \
20 |                                 git \
21 |   && set -x \
22 |   && echo "===> Install Yara from source..." \
23 |   && cd /tmp/ \
24 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
25 |   && cd /tmp/yara \
26 |   && ./bootstrap.sh \
27 |   && sync \
28 |   && ./configure --enable-cuckoo \
29 |                  --enable-magic \
30 |                  --with-crypto \
31 |   && make \
32 |   && make install \
33 |   && echo "===> Install yara-python..." \
34 |   && cd yara-python \
35 |   && python setup.py build \
36 |   && python setup.py install \
37 |   && echo "===> Make test_rule..." \
38 |   && mkdir /rules \
39 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
40 |   && rm -rf /tmp/* \
41 |   && apk del --purge .build-deps
42 | 
43 | VOLUME ["/malware"]
44 | VOLUME ["/rules"]
45 | 
46 | WORKDIR /malware
47 | 
48 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
49 | CMD ["--help"]
50 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_kins_dropper.yar:
--------------------------------------------------------------------------------
 1 | rule KINS_dropper {
 2 | 	meta:
 3 | 		author = "AlienVault Labs aortega@alienvault.com"
 4 | 		description = "Match protocol, process injects and windows exploit present in KINS dropper"
 5 | 		reference = "http://goo.gl/arPhm3"
 6 | 	strings:
 7 | 		// Network protocol
 8 | 		$n1 = "tid=%d&ta=%s-%x" fullword
 9 | 		$n2 = "fid=%d" fullword
10 | 		$n3 = "%[^.].%[^(](%[^)])" fullword
11 | 		// Injects
12 | 		$i0 = "%s [%s %d] 77 %s"
13 | 		$i01 = "Global\\%s%x"
14 | 		$i1 = "Inject::InjectProcessByName()"
15 | 		$i2 = "Inject::CopyImageToProcess()"
16 | 		$i3 = "Inject::InjectProcess()"
17 | 		$i4 = "Inject::InjectImageToProcess()"
18 | 		$i5 = "Drop::InjectStartThread()"
19 | 		// UAC bypass
20 | 		$uac1 = "ExploitMS10_092"
21 | 		$uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
22 | 		$uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
23 | 	condition:
24 | 		2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
25 | }
26 | 
27 | rule KINS_DLL_zeus {
28 | 	meta:
29 | 		author = "AlienVault Labs aortega@alienvault.com"
30 | 		description = "Match default bot in KINS leaked dropper, Zeus"
31 | 		reference = "http://goo.gl/arPhm3"
32 | 	strings:
33 | 		// Network protocol
34 | 		$n1 = "%BOTID%" fullword
35 | 		$n2 = "%opensocks%" fullword
36 | 		$n3 = "%openvnc%" fullword
37 | 		$n4 = /Global\\(s|v)_ev/ fullword
38 | 		// Crypted strings
39 | 		$s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
40 | 		$s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
41 | 		$s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
42 | 		$s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
43 | 		$s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
44 | 	condition:
45 | 		all of ($n*) and 1 of ($s*)
46 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_enfal.yar:
--------------------------------------------------------------------------------
 1 | rule Enfal_Malware {
 2 | 	meta:
 3 | 		description = "Detects a certain type of Enfal Malware"
 4 | 		author = "Florian Roth"
 5 | 		reference = "not set"
 6 | 		date = "2015/02/10"
 7 | 		hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16"
 8 | 		score = 60
 9 | 	strings:
10 | 		$s0 = "POWERPNT.exe" fullword ascii
11 | 		$s1 = "%APPDATA%\\Microsoft\\Windows\\" fullword ascii
12 | 		$s2 = "%HOMEPATH%" fullword ascii
13 | 		$s3 = "Server2008" fullword ascii
14 | 		$s4 = "Server2003" fullword ascii
15 | 		$s5 = "Server2003R2" fullword ascii
16 | 		$s6 = "Server2008R2" fullword ascii
17 | 		$s9 = "%HOMEDRIVE%" fullword ascii
18 | 		$s13 = "%ComSpec%" fullword ascii
19 | 	condition:
20 | 		all of them
21 | }
22 | 
23 | rule Enfal_Malware_Backdoor {
24 | 	meta:
25 | 		description = "Generic Rule to detect the Enfal Malware"
26 | 		author = "Florian Roth"
27 | 		date = "2015/02/10"
28 | 		super_rule = 1
29 | 		hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
30 | 		hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
31 | 		hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
32 | 		score = 60
33 | 	strings:
34 | 		$mz = { 4d 5a }
35 | 			
36 | 		$x1 = "Micorsoft Corportation" fullword wide
37 | 		$x2 = "IM Monnitor Service" fullword wide
38 | 		
39 | 		$s1 = "imemonsvc.dll" fullword wide
40 | 		$s2 = "iphlpsvc.tmp" fullword
41 | 		
42 | 		$z1 = "urlmon" fullword
43 | 		$z2 = "Registered trademarks and service marks are the property of their respec" wide		
44 | 		$z3 = "XpsUnregisterServer" fullword
45 | 		$z4 = "XpsRegisterServer" fullword
46 | 		$z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
47 | 	condition:
48 | 		( $mz at 0 ) and 
49 | 		( 
50 | 			1 of ($x*) or 
51 | 			( all of ($s*) and all of ($z*) )
52 | 		)
53 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_alienspy_rat.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule crime_win_rat_AlienSpy
 3 | {
 4 | meta:
 5 | 	description = "Alien Spy Remote Access Trojan"
 6 | 	author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
 7 | 	reference_1 = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
 8 | 	reference_2 = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
 9 | 	date = "04-Apr-15"
10 | 	filetype = "Java"
11 | 	hash_1 = "075fa0567d3415fbab3514b8aa64cfcb"
12 | 	hash_2 = "818afea3040a887f191ee9d0579ac6ed"
13 | 	hash_3 = "973de705f2f01e82c00db92eaa27912c"
14 | 	hash_4 = "7f838907f9cc8305544bd0ad4cfd278e"
15 | 	hash_5 = "071e12454731161d47a12a8c4b3adfea"
16 | 	hash_6 = "a7d50760d49faff3656903c1130fd20b"
17 | 	hash_7 = "f399afb901fcdf436a1b2a135da3ee39"
18 | 	hash_8 = "3698a3630f80a632c0c7c12e929184fb"
19 | 	hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
20 | 
21 |    strings:
22 | 		
23 |         $sa_1 = "META-INF/MANIFEST.MF"
24 |         $sa_2 = "Main.classPK"
25 |         $sa_3 = "plugins/Server.classPK"
26 |         $sa_4 = "IDPK"
27 | 		
28 |         $sb_1 = "config.iniPK"
29 |         $sb_2 = "password.iniPK"
30 |         $sb_3 = "plugins/Server.classPK"
31 |         $sb_4 = "LoadStub.classPK"
32 |         $sb_5 = "LoadStubDecrypted.classPK"
33 |         $sb_7 = "LoadPassword.classPK"
34 |         $sb_8 = "DecryptStub.classPK"
35 |         $sb_9 = "ClassLoaders.classPK"
36 | 		
37 |         $sc_1 = "config.xml"
38 |         $sc_2 = "options"
39 |         $sc_3 = "plugins"
40 |         $sc_4 = "util"
41 |         $sc_5 = "util/OSHelper"
42 |         $sc_6 = "Start.class"
43 |         $sc_7 = "AlienSpy"
44 |         $sc_8 = "PK"
45 | 	
46 |   condition:
47 |     
48 | 	uint16(0) == 0x4B50 and filesize < 800KB and ( (all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)) )
49 | }


--------------------------------------------------------------------------------
/3.5/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.7
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 3.5.0
 6 | 
 7 | RUN apk add --no-cache openssl file jansson bison python tini su-exec
 8 | RUN apk add --no-cache -t .build-deps py-setuptools \
 9 |                                 openssl-dev \
10 |                                 jansson-dev \
11 |                                 python-dev \
12 |                                 build-base \
13 |                                 libc-dev \
14 |                                 file-dev \
15 |                                 automake \
16 |                                 autoconf \
17 |                                 libtool \
18 |                                 flex \
19 |                                 git \
20 |                                 git \
21 |   && set -x \
22 |   && echo "Install Yara from source..." \
23 |   && cd /tmp/ \
24 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
25 |   && cd /tmp/yara \
26 |   && ./bootstrap.sh \
27 |   && sync \
28 |   && ./configure --enable-cuckoo \
29 |                  --enable-magic \
30 |                  --with-crypto \
31 |   && make \
32 |   && make install \
33 |   && echo "Install yara-python..." \
34 |   && cd /tmp/ \
35 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara-python \
36 |   && cd yara-python \
37 |   && python setup.py build --dynamic-linking \
38 |   && python setup.py install \
39 |   && echo "Make test_rule..." \
40 |   && mkdir /rules \
41 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
42 |   && rm -rf /tmp/* \
43 |   && apk del --purge .build-deps
44 | 
45 | VOLUME ["/malware"]
46 | VOLUME ["/rules"]
47 | 
48 | WORKDIR /malware
49 | 
50 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
51 | CMD ["--help"]
52 | 


--------------------------------------------------------------------------------
/3.6/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.7
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 3.6.3
 6 | 
 7 | RUN apk add --no-cache openssl file jansson bison python tini su-exec
 8 | RUN apk add --no-cache -t .build-deps py-setuptools \
 9 |                                 openssl-dev \
10 |                                 jansson-dev \
11 |                                 python-dev \
12 |                                 build-base \
13 |                                 libc-dev \
14 |                                 file-dev \
15 |                                 automake \
16 |                                 autoconf \
17 |                                 libtool \
18 |                                 flex \
19 |                                 git \
20 |                                 git \
21 |   && set -x \
22 |   && echo "Install Yara from source..." \
23 |   && cd /tmp/ \
24 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
25 |   && cd /tmp/yara \
26 |   && ./bootstrap.sh \
27 |   && sync \
28 |   && ./configure --enable-cuckoo \
29 |                  --enable-magic \
30 |                  --with-dotnet \
31 |   && make \
32 |   && make install \
33 |   && echo "Install yara-python..." \
34 |   && cd /tmp/ \
35 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara-python \
36 |   && cd yara-python \
37 |   && python setup.py build --dynamic-linking \
38 |   && python setup.py install \
39 |   && echo "Make test_rule..." \
40 |   && mkdir /rules \
41 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
42 |   && rm -rf /tmp/* \
43 |   && apk del --purge .build-deps
44 | 
45 | VOLUME ["/malware"]
46 | VOLUME ["/rules"]
47 | 
48 | WORKDIR /malware
49 | 
50 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
51 | CMD ["--help"]
52 | 


--------------------------------------------------------------------------------
/3.7/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.7
 2 | 
 3 | LABEL maintainer "https://github.com/blacktop"
 4 | 
 5 | ENV YARA_VERSION 3.7.1
 6 | ENV YARA_PY_VERSION 3.7.0
 7 | 
 8 | RUN apk add --no-cache openssl file jansson bison python tini su-exec
 9 | RUN apk add --no-cache -t .build-deps py-setuptools \
10 |                                 openssl-dev \
11 |                                 jansson-dev \
12 |                                 python-dev \
13 |                                 build-base \
14 |                                 libc-dev \
15 |                                 file-dev \
16 |                                 automake \
17 |                                 autoconf \
18 |                                 libtool \
19 |                                 flex \
20 |                                 git \
21 |                                 git \
22 |   && set -x \
23 |   && echo "Install Yara from source..." \
24 |   && cd /tmp/ \
25 |   && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
26 |   && cd /tmp/yara \
27 |   && ./bootstrap.sh \
28 |   && sync \
29 |   && ./configure --with-crypto \
30 |                  --enable-magic \
31 |                  --enable-cuckoo \
32 |                  --enable-dotnet \
33 |   && make \
34 |   && make install \
35 |   && echo "Install yara-python..." \
36 |   && cd /tmp/ \
37 |   && git clone --recursive --branch v$YARA_PY_VERSION https://github.com/VirusTotal/yara-python \
38 |   && cd yara-python \
39 |   && python setup.py build --dynamic-linking \
40 |   && python setup.py install \
41 |   && echo "Make test_rule..." \
42 |   && mkdir /rules \
43 |   && echo "rule dummy { condition: true }" > /rules/test_rule \
44 |   && rm -rf /tmp/* \
45 |   && apk del --purge .build-deps
46 | 
47 | VOLUME ["/malware"]
48 | VOLUME ["/rules"]
49 | 
50 | WORKDIR /malware
51 | 
52 | ENTRYPOINT ["su-exec","nobody","/sbin/tini","--","yara"]
53 | CMD ["--help"]
54 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_coreimpact_agent.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | 	Core Impact Agent known from RocketKitten and WoolenGoldfish APT
 3 | */
 4 | 
 5 | 
 6 | rule CoreImpact_sysdll_exe {
 7 | 	meta:
 8 | 		description = "Detects a malware sysdll.exe from the Rocket Kitten APT"
 9 | 		author = "Florian Roth"
10 | 		score = 70
11 | 		date = "27.12.2014"
12 | 		hash = "f89a4d4ae5cca6d69a5256c96111e707"
13 | 	strings:
14 | 		$s0 = "d:\\nightly\\sandbox_avg10_vc9_SP1_2011\\source\\avg10\\avg9_all_vs90\\bin\\Rele" ascii
15 | 		
16 | 		$x1 = "Mozilla/5.0" fullword ascii
17 | 		$x2 = "index.php?c=%s&r=%lx&u=1&t=%s" fullword ascii
18 | 		$x3 = "index.php?c=%s&r=%lx" fullword ascii
19 | 		$x4 = "index.php?c=%s&r=%x" fullword ascii
20 | 		$x5 = "127.0.0.1" fullword ascii
21 | 		$x6 = "/info.dat" fullword ascii
22 | 				
23 | 		$z1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide	
24 | 		$z2 = "Encountered error sending error message to client" fullword ascii
25 | 		$z3 = "Encountered error building error message to client" fullword ascii
26 | 		$z4 = "Attempting to unlock uninitialized lock!" fullword ascii
27 | 		$z5 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
28 | 		$z6 = "select_event_get(): fd not found" fullword ascii
29 | 		$z7 = "Encountered error sending syscall response to client" fullword ascii
30 | 		$z8 = "GetProcAddress() error" fullword ascii
31 | 		$z9 = "Error entering thread lock" fullword ascii
32 | 		$z10 = "Error exiting thread lock" fullword ascii
33 | 		$z11 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
34 | 		$z12 = "event_add() failed for ev." fullword ascii
35 | 		$z13 = "Uh, oh, exit() failed" fullword ascii
36 | 		$z14 = "event_add() failed for ev." fullword ascii
37 | 		$z15 = "event_add() failed." fullword ascii
38 | 		$z16 = "needroot" fullword ascii
39 | 		$z17 = "./plugins/" fullword ascii	
40 | 	condition:
41 | 		$s0 or 
42 | 		all of ($x*) or 
43 | 		8 of ($z*)
44 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/general_officemacros.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule Office_AutoOpen_Macro {
 3 | 	meta:
 4 | 		description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
 5 | 		author = "Florian Roth"
 6 | 		date = "2015-05-28"
 7 | 		score = 60
 8 | 		hash1 = "4d00695d5011427efc33c9722c61ced2"
 9 | 		hash2 = "63f6b20cb39630b13c14823874bd3743"
10 | 		hash3 = "66e67c2d84af85a569a04042141164e6"
11 | 		hash4 = "a3035716fe9173703941876c2bde9d98"
12 | 		hash5 = "7c06cab49b9332962625b16f15708345"
13 | 		hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
14 | 		hash7 = "25285b8fe2c41bd54079c92c1b761381"
15 | 	strings:
16 | 		$s1 = "AutoOpen" ascii fullword
17 | 		$s2 = "Macros" wide fullword
18 | 	condition:
19 | 		( 
20 | 			uint32be(0) == 0xd0cf11e0 or 	// DOC, PPT, XLS
21 | 			uint32be(0) == 0x504b0304		// DOCX, PPTX, XLSX (PKZIP)
22 | 		)
23 | 		and all of ($s*) and filesize < 300000
24 | }
25 | 
26 | rule Office_as_MHTML {
27 | 	meta:
28 | 		description = "Detects an Microsoft Office saved as a MHTML file (false positives are possible but rare; many matches on CVE-2012-0158)"
29 | 		author = "Florian Roth"
30 | 		date = "2015-05-28"
31 | 		score = 40
32 | 		reference = "https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/"
33 | 		hash1 = "8391d6992bc037a891d2e91fd474b91bd821fe6cb9cfc62d1ee9a013b18eca80"
34 | 		hash2 = "1ff3573fe995f35e70597c75d163bdd9bed86e2238867b328ccca2a5906c4eef"
35 | 		hash3 = "d44a76120a505a9655f0224c6660932120ef2b72fee4642bab62ede136499590"
36 | 		hash4 = "5b8019d339907ab948a413d2be4bdb3e5fdabb320f5edc726dc60b4c70e74c84"
37 | 	strings:
38 | 		$s1 = "Content-Transfer-Encoding: base64" ascii fullword
39 | 		$s2 = "Content-Type: application/x-mso" ascii fullword
40 | 
41 | 		$x1 = "QWN0aXZlTWltZQA" ascii 	// Base64 encoded 'ActiveMime'
42 | 		$x2 = "0M8R4KGxGuE" ascii 		// Base64 encoded office header D0CF11E0A1B11AE1..
43 | 	condition:
44 | 		uint32be(0) == 0x4d494d45 // "MIME" header 
45 | 		and all of ($s*) and 1 of ($x*)
46 | }
47 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/generic_anomalies.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule Embedded_EXE_Cloaking {
 3 |         meta:
 4 |                 description = "Detects an embedded executable in a non-executable file"
 5 |                 author = "Florian Roth"
 6 |                 date = "2015/02/27"
 7 |                 score = 80
 8 |         strings:
 9 |                 $noex_png = { 89 50 4E 47 }
10 |                 $noex_pdf = { 25 50 44 46 }
11 |                 $noex_rtf = { 7B 5C 72 74 66 31 }
12 |                 $noex_jpg = { FF D8 FF E0 }
13 |                 $noex_gif = { 47 49 46 38 }
14 |                 $mz  = { 4D 5A }
15 |                 $a1 = "This program cannot be run in DOS mode"
16 |                 $a2 = "This program must be run under Win32"
17 |         condition:
18 |                 (
19 |                         ( $noex_png at 0 ) or
20 |                         ( $noex_pdf at 0 ) or
21 |                         ( $noex_rtf at 0 ) or
22 |                         ( $noex_jpg at 0 ) or
23 |                         ( $noex_gif at 0 )
24 |                 )
25 |                 and
26 |                 for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
27 | }
28 | 
29 | rule Cloaked_as_JPG {
30 |         meta:
31 |                 description = "Detects a cloaked file as JPG"
32 |                 author = "Florian Roth (eval section from Didier Stevens)"
33 |                 date = "2015/02/29"
34 |                 score = 70
35 |         strings:
36 |                 $ext = "extension: .jpg"
37 |         condition:
38 |                 $ext and uint16be(0x00) != 0xFFD8
39 | }
40 | 
41 | rule GIFCloaked_Webshell {
42 | 	meta:
43 | 		description = "Detects a webshell that cloakes itself with GIF header(s) - Based on Dark Security Team Webshell"
44 | 		author = "Florian Roth"
45 | 		hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
46 | 		score = 50
47 | 	strings:
48 | 		$magic = "GIF"
49 | 		$s0 = "input type"
50 | 		$s1 = "<%eval request"
51 | 		$s2 = "<%eval(Request.Item["
52 | 		$s3 = "LANGUAGE='VBScript'"
53 | 	condition:
54 | 		( $magic at 0 ) and ( 1 of ($s*) )
55 | }
56 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/falsepositive-hashes.txt:
--------------------------------------------------------------------------------
 1 | #
 2 | # LOKI CUSTOM FALSE POSITIVE HASHES
 3 | # This file contains MD5, SHA1 and SHA256 hashes and a short info like file name
 4 | # or hash origin
 5 | #
 6 | # FORMAT -----------------------------------------------------------------------
 7 | #
 8 | # MD5;COMMENT
 9 | # SHA1;COMMENT
10 | # SHA256;COMMENT
11 | #
12 | 
13 | 5cfbe1fb8df52bfba6d021319b0da899;Yara Rules of v0.2
14 | 6e5ebbc8b70c1d593634daf0c190deadfda18c3cbc8f552a76f156f3869ef05b;REGIN False Positive - Microsoft USB Scanner Driver
15 | 7565e7de9532c75b3a16e3ed0103bc092dbca63c6bdc19053dfef01250029e59;REGIN False Positive - NSRL listed
16 | a26db2eb9f3e2509b4eba949db97595cc32332d9321df68283bfc102e66d766f;REGIN False Positive - Windows Serial Driver
17 | 18cd54d163c9c5f16e824d13c411e21fd7616d34e9f1cf2adcbf869ed6aeeed4;REGIN False Positive - CD Tower Web Client
18 | 0099940a366b401f30faaf820f4815083778383a2b1e9fab58e16d10b8965e3f;REGIN False Positive - USB Scanner Driver
19 | b04a85ef2edbc5ac7b312e9d57b533d9d355d0c7cbbd24a8085c6873baf9411f;REGIN False Positive - SCSI Driver Windows
20 | 581730d7cce49af90efad5f904ce205ee7123e6c0d206867fb8ad22559fa0556;REGIN False Positive - Windows Media Component Setup Application
21 | 519a0d7ebc75dcf65c80d61f952768e49c33c5c7c320a4cc4b4a12a0e9f3337d;REGIN False Positive - SP1.CAB MSDN Disc 3498 (Microsoft)
22 | 5d7509ee8bf1c3c14c10b9c2be3d58d56acedfb08444f9c774e5d8caa8659043;REGIN False Positive - Client.exe
23 | fe0253432d1dd217b9d342f442a50b3647125a1c;Regin FP
24 | ba833714e98efd8c07518bd1303e33e40884ea70;Regin FP
25 | 54263888c64a7f010d3b5e399369b0f3ff3af0a0de8adb502b98277533e4d45f;REGIN False Positive - Windows Serial Driver
26 | d566bd2f46aebcad47261775d64fd970e297542fd846fde2685e45efc4669901;REGIN False Positive - Windows Serial Driver
27 | c541cf35129e7effb57ac60d72bc45f821956a7e6f6a85d9a42364e1ddce3485;REGIN False Positive - Windows Serial Driver
28 | d566bd2f46aebcad47261775d64fd970e297542fd846fde2685e45efc4669901;REGIN False Positive - Windows Serial Driver
29 | 40beeeca4c797a3355f4b01c57c2763c33028f27826315062320789a496d0810;REGIN False Positive - Windows Serial Driver
30 | d64d63805beef5f6ea2e791c6fe61d9f9c740e42;REGIN FP
31 | 14f3e6b05e5693b1cbd9091bafe2649f830799a3;Malwarebytes Winlogon
32 | accc2e5afb242d348da00bd3edf9b8033e81320bf33f790f1ac9ed8e9db78975;Novell nwfilter


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_skeletonkey.yar:
--------------------------------------------------------------------------------
 1 | /* SKELETON KEY ---------------------------------------------------------------------------- */
 2 | 
 3 | rule skeleton_key_patcher
 4 | {
 5 | 	meta:
 6 | 		description = "Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN"
 7 | 		author = "Dell SecureWorks Counter Threat Unit"
 8 | 		reference = "http://goo.gl/aAk3lN"
 9 | 		date = "2015/01/13"
10 | 		score = 70
11 | 	strings:
12 | 		$target_process = "lsass.exe" wide
13 | 		$dll1 = "cryptdll.dll"
14 | 		$dll2 = "samsrv.dll"
15 | 
16 | 		$name = "HookDC.dll"
17 | 
18 | 		$patched1 = "CDLocateCSystem"
19 | 		$patched2 = "SamIRetrievePrimaryCredentials"
20 | 		$patched3 = "SamIRetrieveMultiplePrimaryCredentials"
21 | 	condition:
22 | 		all of them
23 | }
24 | 
25 | rule skeleton_key_injected_code
26 | {
27 | 	meta:
28 | 		description = "Skeleton Key injected Code http://goo.gl/aAk3lN"
29 | 		author = "Dell SecureWorks Counter Threat Unit"
30 | 		reference = "http://goo.gl/aAk3lN"
31 | 		date = "2015/01/13"
32 | 		score = 70
33 | 	strings:
34 | 		$injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00 00 48 81 C4 58 01 00 00 C3 }
35 | 
36 | 		$patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
37 | 
38 | 		$patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
39 | 
40 | 		$patch_SamIRetrieveMultiplePrimaryCredential  = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
41 | 
42 | 	condition:
43 | 		any of them
44 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_miniasp.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule APT_Malware_CommentCrew_MiniASP {
 3 | 	meta:
 4 | 		description = "CommentCrew Malware MiniASP APT"
 5 | 		author = "Florian Roth"
 6 | 		reference = "VT Analysis"
 7 | 		date = "2015-06-03"
 8 | 		super_rule = 1
 9 | 		hash0 = "0af4360a5ae54d789a8814bf7791d5c77136d625"
10 | 		hash1 = "777bf8def279942a25750feffc11d8a36cc0acf9"
11 | 		hash2 = "173f20b126cb57fc8ab04d01ae223071e2345f97"
12 | 	strings:
13 | 		$x1 = "\\MiniAsp4\\Release\\MiniAsp.pdb" ascii /* score: '19.02' */
14 | 		$x2 = "run http://%s/logo.png setup.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '37.02' */
15 | 		$x3 = "d:\\command.txt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
16 | 
17 | 		$z1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR " ascii /* PEStudio Blacklist: strings */ /* score: '24.02' */
18 | 		$z2 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)" fullword ascii /* PEStudio Blacklist: strings */ /* score: '22.03' */
19 | 		$z3 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC" ascii /* PEStudio Blacklist: agent */ /* score: '32.03' */
20 | 		
21 | 		$s1 = "http://%s/device_command.asp?device_id=%s&cv=%s&command=%s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.02' */
22 | 		$s2 = "kill process error!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '24.04' */
23 | 		$s3 = "kill process success!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '21.04' */
24 | 		$s4 = "pickup command error!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '21.04' */
25 | 		$s5 = "http://%s/record.asp?device_t=%s&key=%s&device_id=%s&cv=%s&result=%s" fullword ascii /* score: '20.01' */
26 | 		$s6 = "no command" fullword ascii /* PEStudio Blacklist: strings */ /* score: '19.05' */
27 | 		$s7 = "software\\microsoft\\windows\\currentversion\\run" fullword ascii /* score: '19.02' */
28 | 		$s8 = "command is null!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.05' */
29 | 		$s9 = "pickup command Ok!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.04' */
30 | 		$s10 = "http://%s/result_%s.htm" fullword ascii /* score: '18.01' */
31 | 	condition:
32 | 		uint16(0) == 0x5a4d and 
33 | 		( 1 of ($x*) ) or 
34 | 		( all of ($z*) ) or 
35 | 		( 8 of ($s*) )
36 | }


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | REPO=blacktop/docker-yara
 2 | ORG=blacktop
 3 | NAME=yara
 4 | BUILD ?=$(shell cat LATEST)
 5 | LATEST ?=$(shell cat LATEST)
 6 | 
 7 | 
 8 | all: build size test
 9 | 
10 | build: ## Build docker image
11 | 	cd $(BUILD); docker build -t $(ORG)/$(NAME):$(BUILD) .
12 | 
13 | .PHONY: size
14 | size: build ## Get built image size
15 | ifeq "$(BUILD)" "$(LATEST)"
16 | 	sed -i.bu 's/docker%20image-.*-blue/docker%20image-$(shell docker images --format "{{.Size}}" $(ORG)/$(NAME):$(BUILD)| cut -d' ' -f1)-blue/' README.md
17 | 	sed -i.bu '/latest/ s/[0-9.]\{3,5\}MB/$(shell docker images --format "{{.Size}}" $(ORG)/$(NAME):$(BUILD))/' README.md
18 | endif
19 | 	sed -i.bu '/$(BUILD)/ s/[0-9.]\{3,5\}MB/$(shell docker images --format "{{.Size}}" $(ORG)/$(NAME):$(BUILD))/' README.md
20 | 
21 | .PHONY: tags
22 | tags:
23 | 	docker images --format "table {{.Repository}}\t{{.Tag}}\t{{.Size}}" $(ORG)/$(NAME)
24 | 
25 | test: ## Test docker image
26 | 	@docker run --rm $(ORG)/$(NAME):$(BUILD) /rules/test_rule /rules/test_rule
27 | 
28 | .PHONY: tar
29 | tar: ## Export tar of docker image
30 | 	docker save $(ORG)/$(NAME):$(BUILD) -o $(NAME).tar
31 | 
32 | .PHONY: push
33 | push: build ## Push docker image to docker registry
34 | 	@echo "===> Pushing $(ORG)/$(NAME):$(BUILD) to docker hub..."
35 | 	@docker push $(ORG)/$(NAME):$(BUILD)
36 | 
37 | .PHONY: run
38 | run: stop ## Run docker container
39 | 	@docker run --init -d --name $(NAME) -p 9200:9200 $(ORG)/$(NAME):$(BUILD)
40 | 
41 | .PHONY: ssh
42 | ssh: ## SSH into docker image
43 | 	@docker run --init -it --rm --entrypoint=bash $(ORG)/$(NAME):$(BUILD)
44 | 
45 | .PHONY: stop
46 | stop: ## Kill running docker containers
47 | 	@docker rm -f $(NAME) || true
48 | 
49 | .PHONY: circle
50 | circle: ci-size ## Get docker image size from CircleCI
51 | 	@sed -i.bu 's/docker%20image-.*-blue/docker%20image-$(shell cat .circleci/SIZE)-blue/' README.md
52 | 	@echo "===> Image size is: $(shell cat .circleci/SIZE)"
53 | 
54 | ci-build:
55 | 	@echo "===> Getting CircleCI build number"
56 | 	@http https://circleci.com/api/v1.1/project/github/${REPO} | jq '.[0].build_num' > .circleci/build_num
57 | 
58 | ci-size: ci-build
59 | 	@echo "===> Getting image build size from CircleCI"
60 | 	@http "$(shell http https://circleci.com/api/v1.1/project/github/${REPO}/$(shell cat .circleci/build_num)/artifacts circle-token==${CIRCLE_TOKEN} | jq '.[].url')" > .circleci/SIZE
61 | 
62 | clean: ## Clean docker image and stop all running containers
63 | 	docker-clean stop
64 | 	docker rmi $(ORG)/$(NAME):$(BUILD) || true
65 | 
66 | # Absolutely awesome: http://marmelab.com/blog/2016/02/29/auto-documented-makefile.html
67 | help:
68 | 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
69 | 
70 | .DEFAULT_GOAL := help
71 | 


--------------------------------------------------------------------------------
/w-rules/rules/themask.yara:
--------------------------------------------------------------------------------
 1 | 
 2 | rule Careto {
 3 | 	meta:
 4 | 		author = "AlienVault (Alberto Ortega)"
 5 | 		description = "TheMask / Careto generic malware signature"
 6 | 		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
 7 | 	strings:
 8 | 
 9 | 		/* General */
10 | 		$name1 = "Careto" ascii wide
11 | 		$s_1 = "GetSystemReport" ascii wide
12 | 		$s_2 = "SystemReport.txt" ascii wide
13 | 		$s_3 = /URL_AUX\w*=/ ascii wide
14 | 		$s_4 = /CaretoPruebas.+release/
15 | 
16 | 		/* Certificate */
17 | 		$sign_0 = "Sofia"
18 | 		$sign_1 = "TecSystem Ltd"
19 | 		$sign_2 = "<<<Obsolete>>>" wide
20 | 
21 | 		/* Encryption keys */
22 | 		$rc4_1 = "!$7be&.Kaw-12[}" ascii wide
23 | 		$rc4_2 = "Caguen1aMar" ascii wide
24 | 		/* http://laboratorio.blogs.hispasec.com/2014/02/analisis-del-algoritmo-de-descifrado.html */
25 | 		$rc4_3 = {8d 85 86 8a 8f 80 88 83 8d 82 88 85 86 8f 8f 87 8d 82 83 82 8c 8e 83 8d 89 82 86 87 82 83 83 81}
26 | 
27 | 		/* Decryption routine fragment */
28 | 		$dec_1 = {8b 4d 08 0f be 04 59 0f be 4c 59 01 2b c7 c1 e0 04 2b cf 0b c1 50 8d 85 f0 fe ff ff}
29 | 		$dec_2 = {8b 4d f8 8b 16 88 04 11 8b 06 41 89 4d f8 c6 04 01 00 43 3b 5d fc}
30 | 
31 | 	condition:
32 | 		$name1 and (any of ($s_*)) or all of ($sign_*) or any of ($rc4_*) or all of ($dec_*)
33 | }
34 | 
35 | rule Careto_SGH {
36 | 	meta:
37 | 		author = "AlienVault (Alberto Ortega)"
38 | 		description = "TheMask / Careto SGH component signature"
39 | 		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
40 | 	strings:
41 | 		$m1 = "PGPsdkDriver" ascii wide fullword
42 | 		$m2 = "jpeg1x32" ascii wide fullword
43 | 		$m3 = "SkypeIE6Plugin" ascii wide fullword
44 | 		$m4 = "CDllUninstall" ascii wide fullword
45 | 	condition:
46 | 		2 of them
47 | }
48 | 
49 | rule Careto_OSX_SBD {
50 | 	meta:
51 | 		author = "AlienVault (Alberto Ortega)"
52 | 		description = "TheMask / Careto OSX component signature"
53 | 		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
54 | 	strings:
55 | 		/* XORed "/dev/null strdup() setuid(geteuid())" */
56 | 		$1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
57 | 	condition:
58 | 		all of them
59 | }
60 | 
61 | rule Careto_CnC {
62 | 	meta:
63 | 		author = "AlienVault (Alberto Ortega)"
64 | 		description = "TheMask / Careto CnC communication signature"
65 | 		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
66 | 	strings:
67 | 		$1 = "cgi-bin/commcgi.cgi" ascii wide
68 | 		$2 = "Group" ascii wide
69 | 		$3 = "Install" ascii wide
70 | 		$4 = "Bn" ascii wide
71 | 	condition:
72 | 		all of them
73 | }
74 | 
75 | rule Careto_CnC_domains {
76 | 	meta:
77 | 		author = "AlienVault (Alberto Ortega)"
78 | 		description = "TheMask / Careto known command and control domains"
79 | 		reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
80 | 	strings:
81 | 		$1 = "linkconf.net" ascii wide nocase
82 | 		$2 = "redirserver.net" ascii wide nocase
83 | 		$3 = "swupdt.com" ascii wide nocase
84 | 	condition:
85 | 		any of them
86 | }
87 | 


--------------------------------------------------------------------------------
/w-rules/rules/vmdetect.yara:
--------------------------------------------------------------------------------
 1 | // Copyright (C) 2013 Claudio "nex" Guarnieri
 2 | 
 3 | rule vmdetect
 4 | {
 5 |     meta:
 6 |         author = "nex"
 7 |         description = "Possibly employs anti-virtualization techniques"
 8 | 
 9 |     strings:
10 |         // Binary tricks
11 |         $vmware = {56 4D 58 68}
12 |         $virtualpc = {0F 3F 07 0B}
13 |         $ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
14 |         $vmcheckdll = {45 C7 00 01}
15 |         $redpill = {0F 01 0D 00 00 00 00 C3}
16 | 
17 |         // Random strings
18 |         $vmware1 = "VMXh"
19 |         $vmware2 = "Ven_VMware_" nocase
20 |         $vmware3 = "Prod_VMware_Virtual_" nocase
21 |         $vmware4 = "hgfs.sys" nocase
22 |         $vmware5 = "mhgfs.sys" nocase
23 |         $vmware6 = "prleth.sys" nocase
24 |         $vmware7 = "prlfs.sys" nocase
25 |         $vmware8 = "prlmouse.sys" nocase
26 |         $vmware9 = "prlvideo.sys" nocase
27 |         $vmware10 = "prl_pv32.sys" nocase
28 |         $vmware11 = "vpc-s3.sys" nocase
29 |         $vmware12 = "vmsrvc.sys" nocase
30 |         $vmware13 = "vmx86.sys" nocase
31 |         $vmware14 = "vmnet.sys" nocase
32 |         $vmware15 = "vmicheartbeat" nocase
33 |         $vmware16 = "vmicvss" nocase
34 |         $vmware17 = "vmicshutdown" nocase
35 |         $vmware18 = "vmicexchange" nocase
36 |         $vmware19 = "vmdebug" nocase
37 |         $vmware20 = "vmmouse" nocase
38 |         $vmware21 = "vmtools" nocase
39 |         $vmware22 = "VMMEMCTL" nocase
40 |         $vmware23 = "vmx86" nocase
41 |         $vmware24 = "vmware" nocase
42 |         $virtualpc1 = "vpcbus" nocase
43 |         $virtualpc2 = "vpc-s3" nocase
44 |         $virtualpc3 = "vpcuhub" nocase
45 |         $virtualpc4 = "msvmmouf" nocase
46 |         $xen1 = "xenevtchn" nocase
47 |         $xen2 = "xennet" nocase
48 |         $xen3 = "xennet6" nocase
49 |         $xen4 = "xensvc" nocase
50 |         $xen5 = "xenvdb" nocase
51 |         $xen6 = "XenVMM" nocase
52 |         $virtualbox1 = "VBoxHook.dll" nocase
53 |         $virtualbox2 = "VBoxService" nocase
54 |         $virtualbox3 = "VBoxTray" nocase
55 |         $virtualbox4 = "VBoxMouse" nocase
56 |         $virtualbox5 = "VBoxGuest" nocase
57 |         $virtualbox6 = "VBoxSF" nocase
58 |         $virtualbox7 = "VBoxGuestAdditions" nocase
59 |         $virtualbox8 = "VBOX HARDDISK"  nocase
60 | 
61 |         // MAC addresses
62 |         $vmware_mac_1a = "00-05-69"
63 |         $vmware_mac_1b = "00:05:69"
64 |         $vmware_mac_1c = "000569"
65 |         $vmware_mac_2a = "00-50-56"
66 |         $vmware_mac_2b = "00:50:56"
67 |         $vmware_mac_2c = "005056"
68 |         $vmware_mac_3a = "00-0C-29" nocase
69 |         $vmware_mac_3b = "00:0C:29" nocase
70 |         $vmware_mac_3c = "000C29" nocase
71 |         $vmware_mac_4a = "00-1C-14" nocase
72 |         $vmware_mac_4b = "00:1C:14" nocase
73 |         $vmware_mac_4c = "001C14" nocase
74 |         $virtualbox_mac_1a = "08-00-27"
75 |         $virtualbox_mac_1b = "08:00:27"
76 |         $virtualbox_mac_1c = "080027"
77 | 
78 |     condition:
79 |         any of them
80 | }
81 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_casper.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | /* State-sponsored Casper Malware Rules by @4nc4p - attribution and analysis by @pinkflawd @r00tbsd @circl_lu */
 3 | 
 4 | rule Casper_Backdoor_x86 {
 5 | 	meta:
 6 | 		description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
 7 | 		author = "Florian Roth"
 8 | 		reference = "http://goo.gl/VRJNLo"
 9 | 		date = "2015/03/05"
10 | 		hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
11 | 		score = 80
12 | 	strings:
13 | 		$s1 = "\"svchost.exe\"" fullword wide
14 | 		$s2 = "firefox.exe" fullword ascii
15 | 		$s3 = "\"Host Process for Windows Services\"" fullword wide
16 | 		
17 | 		$x1 = "\\Users\\*" fullword ascii
18 | 		$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
19 | 		$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
20 | 		$x4 = "\\Documents and Settings\\*" fullword ascii
21 | 		
22 | 		$y1 = "%s; %S=%S" fullword wide
23 | 		$y2 = "%s; %s=%s" fullword ascii
24 | 		$y3 = "Cookie: %s=%s" fullword ascii
25 | 		$y4 = "http://%S:%d" fullword wide
26 | 		
27 | 		$z1 = "http://google.com/" fullword ascii
28 | 		$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
29 | 		$z3 = "Operating System\"" fullword wide
30 | 	condition:
31 | 		( all of ($s*) ) or
32 | 		( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
33 | }
34 | 
35 | rule Casper_EXE_Dropper {
36 | 	meta:
37 | 		description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
38 | 		author = "Florian Roth"
39 | 		reference = "http://goo.gl/VRJNLo"
40 | 		date = "2015/03/05"
41 | 		hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
42 | 		score = 80
43 | 	strings:
44 | 		$s0 = "<Command>" fullword ascii
45 | 		$s1 = "</Command>" fullword ascii
46 | 		$s2 = "\" /d \"" fullword ascii
47 | 		$s4 = "'%s' %s" fullword ascii
48 | 		$s5 = "nKERNEL32.DLL" fullword wide
49 | 		$s6 = "@ReturnValue" fullword wide
50 | 		$s7 = "ID: 0x%x" fullword ascii
51 | 		$s8 = "Name: %S" fullword ascii
52 | 	condition:
53 | 		7 of them
54 | }
55 | 
56 | rule Casper_Included_Strings {
57 | 	meta:
58 | 		description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
59 | 		author = "Florian Roth"
60 | 		reference = "http://goo.gl/VRJNLo"
61 | 		date = "2015/03/06"
62 | 		score = 50
63 | 	strings:
64 | 		$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
65 | 		$a1 = "& SYSTEMINFO) ELSE EXIT"
66 | 		
67 | 		$mz = { 4d 5a }
68 | 		$c1 = "domcommon.exe" wide fullword							// File Name
69 | 		$c2 = "jpic.gov.sy" fullword 								// C2 Server
70 | 		$c3 = "aiomgr.exe" wide fullword							// File Name
71 | 		$c4 = "perfaudio.dat" fullword								// Temp File Name
72 | 		$c5 = "Casper_DLL.dll" fullword								// Name 
73 | 		$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } 	// Decryption Key
74 | 		$c7 = "{4216567A-4512-9825-7745F856}" fullword 				// Mutex
75 | 	condition:
76 | 		all of ($a*) or
77 | 		( $mz at 0 ) and ( 1 of ($c*) )
78 | }
79 | 
80 | rule Casper_SystemInformation_Output {
81 | 	meta:
82 | 		description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
83 | 		author = "Florian Roth"
84 | 		reference = "http://goo.gl/VRJNLo"
85 | 		date = "2015/03/06"
86 | 		score = 70	
87 | 	strings:
88 | 		$a0 = "***** SYSTEM INFORMATION ******"
89 | 		$a1 = "***** SECURITY INFORMATION ******"
90 | 		$a2 = "Antivirus: "
91 | 		$a3 = "Firewall: "
92 | 		$a4 = "***** EXECUTION CONTEXT ******"
93 | 		$a5 = "Identity: "
94 | 		$a6 = "<CONFIG TIMESTAMP="
95 | 	condition:
96 | 		all of them
97 | }


--------------------------------------------------------------------------------
/.github/workflows/docker-image.yml:
--------------------------------------------------------------------------------
  1 | # This workflow uses actions that are not certified by GitHub.
  2 | # They are provided by a third-party and are governed by
  3 | # separate terms of service, privacy policy, and support
  4 | # documentation.
  5 | 
  6 | name: Publish Docker Image
  7 | 
  8 | on:
  9 |   push:
 10 |     branches:
 11 |       - '**'
 12 | 
 13 | jobs:
 14 |   push_to_registries:
 15 |     name: Push Docker image to multiple registries
 16 |     runs-on: ubuntu-latest
 17 |     permissions:
 18 |       packages: write
 19 |       contents: read
 20 |     steps:
 21 |       -
 22 |         name: Check out the repo
 23 |         uses: actions/checkout@v2
 24 | 
 25 |       -
 26 |         name: Extract metadata (tags, labels) for Docker
 27 |         id: meta
 28 |         uses: docker/metadata-action@v3
 29 |         with:
 30 |           images: |
 31 |             blacktop/yara
 32 |             ghcr.io/${{ github.repository }}
 33 |             
 34 |       -
 35 |         name: Set up QEMU
 36 |         uses: docker/setup-qemu-action@v2
 37 | 
 38 |       -
 39 |         name: Set up Docker Buildx
 40 |         uses: docker/setup-buildx-action@v2            
 41 | 
 42 |       -
 43 |         name: Docker Login
 44 |         uses: docker/login-action@v1
 45 |         with:
 46 |           username: ${{ secrets.DOCKER_USERNAME }}
 47 |           password: ${{ secrets.DOCKERHUB_TOKEN }}
 48 | 
 49 |       -
 50 |         name: Log in to the Container registry
 51 |         uses: docker/login-action@v1
 52 |         with:
 53 |           registry: ghcr.io
 54 |           username: ${{ github.actor }}
 55 |           password: ${{ secrets.GITHUB_TOKEN }}
 56 | 
 57 |       - name: Build and push Docker image (v4)
 58 |         id: docker_build_4
 59 |         uses: docker/build-push-action@v2
 60 |         with:
 61 |           context: ./4.2
 62 |           push: ${{ github.event_name != 'pull_request' }}
 63 |           tags: |
 64 |             blacktop/yara:4
 65 |             blacktop/yara:4.2
 66 |             blacktop/yara:4.2.3
 67 |             blacktop/yara:latest
 68 |             ghcr.io/blacktop/yara:4
 69 |             ghcr.io/blacktop/yara:4.2
 70 |             ghcr.io/blacktop/yara:4.2.3
 71 |             ghcr.io/blacktop/yara:latest
 72 |           platforms: linux/amd64,linux/arm64            
 73 |           labels: ${{ steps.meta.outputs.labels }}
 74 | 
 75 |       - name: Build and push Docker image (no-py)
 76 |         id: docker_build_no_py
 77 |         uses: docker/build-push-action@v2
 78 |         with:
 79 |           context: ./no-py
 80 |           push: ${{ github.event_name != 'pull_request' }}
 81 |           tags: |
 82 |             blacktop/yara:no-py
 83 |             blacktop/yara:4-no-py
 84 |             blacktop/yara:4.2-no-py
 85 |             blacktop/yara:4.2.3-no-py
 86 |             ghcr.io/blacktop/yara:no-py
 87 |             ghcr.io/blacktop/yara:4-no-py
 88 |             ghcr.io/blacktop/yara:4.2-no-py
 89 |             ghcr.io/blacktop/yara:4.2.3-no-py
 90 |           platforms: linux/amd64,linux/arm64            
 91 |           labels: ${{ steps.meta.outputs.labels }}
 92 | 
 93 |       - name: Build and push Docker image (w-rules)
 94 |         id: docker_build_w_rules
 95 |         uses: docker/build-push-action@v2
 96 |         with:
 97 |           context: ./w-rules
 98 |           push: ${{ github.event_name != 'pull_request' }}
 99 |           tags: |
100 |             blacktop/yara:w-rules
101 |             blacktop/yara:4-w-rules
102 |             blacktop/yara:4.2-w-rules
103 |             blacktop/yara:4.2.3-w-rules
104 |             ghcr.io/blacktop/yara:w-rules
105 |             ghcr.io/blacktop/yara:4-w-rules
106 |             ghcr.io/blacktop/yara:4.2-w-rules
107 |             ghcr.io/blacktop/yara:4.2.3-w-rules
108 |           platforms: linux/amd64,linux/arm64            
109 |           labels: ${{ steps.meta.outputs.labels }}
110 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_anthem_deeppanda.yar:
--------------------------------------------------------------------------------
 1 | /* Anthem Deep Panda APT */
 2 | 
 3 | rule DeepPanda_sl_txt_packed {
 4 | 	meta:
 5 | 		description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
 6 | 		author = "Florian Roth"
 7 | 		date = "2015/02/08"
 8 | 		hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
 9 | 	strings:
10 | 		$s0 = "Command line port scanner" fullword wide
11 | 		$s1 = "sl.exe" fullword wide
12 | 		$s2 = "CPports.txt" fullword ascii
13 | 		$s3 = ",GET / HTTP/.}" fullword ascii
14 | 		$s4 = "Foundstone Inc." fullword wide
15 | 		$s9 = " 2002 Foundstone Inc." fullword wide
16 | 		$s15 = ", Inc. 2002" fullword ascii
17 | 		$s20 = "ICMP Time" fullword ascii
18 | 	condition:
19 | 		all of them
20 | }
21 | 
22 | rule Anthem_DeepPanda_lot1 {
23 | 	meta:
24 | 		description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
25 | 		author = "Florian Roth"
26 | 		date = "2015/02/08"
27 | 		hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
28 | 	strings:
29 | 		$s0 = "Unable to open target process: %d, pid %d" fullword ascii
30 | 		$s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
31 | 		$s2 = "Target: Failed to load SAM functions." fullword ascii
32 | 		$s5 = "Error writing the test file %s, skipping this share" fullword ascii
33 | 		$s6 = "Failed to create service (%s/%s), error %d" fullword ascii
34 | 		$s8 = "Service start failed: %d (%s/%s)" fullword ascii
35 | 		$s12 = "PwDump.exe" fullword ascii
36 | 		$s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
37 | 		$s14 = ":\\\\.\\pipe\\%s" fullword ascii
38 | 		$s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
39 | 		$s16 = "dump logon session" fullword ascii
40 | 		$s17 = "Timed out waiting to get our pipe back" fullword ascii
41 | 		$s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
42 | 		$s20 = "%s\\%s.exe" fullword ascii
43 | 	condition:
44 | 		10 of them
45 | }
46 | 
47 | rule DeepPanda_htran_exe {
48 | 	meta:
49 | 		description = "Anthem Hack Deep Panda - htran-exe"
50 | 		author = "Florian Roth"
51 | 		date = "2015/02/08"
52 | 		hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
53 | 	strings:
54 | 		$s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
55 | 		$s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
56 | 		$s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" fullword ascii
57 | 		$s3 = "[SERVER]connection to %s:%d error" fullword ascii
58 | 		$s4 = "-tran  <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
59 | 		$s5 = "[-] ERROR: Must supply logfile name." fullword ascii
60 | 		$s6 = "[-] There is a error...Create a new connection." fullword ascii
61 | 		$s7 = "[+] Accept a Client on port %d from %s" fullword ascii
62 | 		$s8 = "======================== htran V%s =======================" fullword ascii
63 | 		$s9 = "[-] Socket Listen error." fullword ascii
64 | 		$s10 = "[-] ERROR: open logfile" fullword ascii
65 | 		$s11 = "-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
66 | 		$s12 = "[+] Make a Connection to %s:%d ......" fullword ascii
67 | 		$s14 = "Recv %5d bytes from %s:%d" fullword ascii
68 | 		$s15 = "[+] OK! I Closed The Two Socket." fullword ascii
69 | 		$s16 = "[+] Waiting another Client on port:%d...." fullword ascii
70 | 		$s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii
71 | 		$s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
72 | 	condition:
73 | 		10 of them
74 | }
75 | 
76 | rule Anthem_DeepPanda_Trojan_Kakfum {
77 | 	meta:
78 | 		description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
79 | 		author = "Florian Roth"
80 | 		date = "2015/02/08"
81 | 		hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
82 | 		hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
83 | 	strings:
84 | 		$s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
85 | 		$s1 = "%s\\sqlsrv32.dll" fullword ascii
86 | 		$s2 = "%s\\sqlsrv64.dll" fullword ascii
87 | 		$s3 = "%s\\%d.tmp" fullword ascii
88 | 		$s4 = "ServiceMaix" fullword ascii
89 | 		$s15 = "sqlserver" fullword ascii
90 | 	condition:
91 | 		all of them
92 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_woolengoldfish.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | 	Operation WoolenGoldfish Rules (Trendmicro Report)
  3 | 	v0.1 25.03.2015
  4 | 
  5 | 	These rules detect 26 of the samples mentioned in the report
  6 | 	Reference: http://blog.trendmicro.com/trendlabs-security-intelligence/operation-woolen-goldfish-when-kittens-go-phishing/
  7 | 
  8 | 	Tested against 20GB goodware sample archiv - pls report back false positives
  9 | 	on LOKI's github page https://github.com/Neo23x0/Loki/issues
 10 | 
 11 | */
 12 | 
 13 | rule WoolenGoldfish_Sample_1 {
 14 | 	meta:
 15 | 		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
 16 | 		author = "Florian Roth"
 17 | 		reference = "http://goo.gl/NpJpVZ"
 18 | 		date = "2015/03/25"
 19 | 		score = 60
 20 | 		hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
 21 | 	strings:
 22 | 		$s1 = "Cannot execute (%d)" fullword ascii
 23 | 		$s16 = "SvcName" fullword ascii
 24 | 	condition:
 25 | 		all of them
 26 | }
 27 | 
 28 | rule WoolenGoldfish_Generic_1 {
 29 | 	meta:
 30 | 		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
 31 | 		author = "Florian Roth"
 32 | 		reference = "http://goo.gl/NpJpVZ"
 33 | 		date = "2015/03/25"
 34 | 		score = 90
 35 | 		super_rule = 1
 36 | 		hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
 37 | 		hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
 38 | 		hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
 39 | 	strings:
 40 | 		$x0 = "Users\\Wool3n.H4t\\"
 41 | 		$x1 = "C-CPP\\CWoolger"
 42 | 		$x2 = "NTSuser.exe" fullword wide
 43 | 
 44 | 		$s1 = "107.6.181.116" fullword wide
 45 | 		$s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
 46 | 		$s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
 47 | 		$s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
 48 | 		$s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
 49 | 		$s6 = "wlg.dat" fullword
 50 | 		$s7 = "woolger" fullword wide
 51 | 		$s8 = "[Enter]" fullword
 52 | 		$s9 = "[Control]" fullword
 53 | 	condition:
 54 | 		( 1 of ($x*) and 2 of ($s*) ) or
 55 | 		( 6 of ($s*) )
 56 | }
 57 | 
 58 | rule WoolenGoldfish_Generic_2 {
 59 | 	meta:
 60 | 		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
 61 | 		author = "Florian Roth"
 62 | 		reference = "http://goo.gl/NpJpVZ"
 63 | 		date = "2015/03/25"
 64 | 		score = 90
 65 | 		hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
 66 | 		hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
 67 | 		hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
 68 | 		hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
 69 | 	strings:
 70 | 		$s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
 71 | 	condition:
 72 | 		all of them
 73 | }
 74 | 
 75 | rule WoolenGoldfish_Generic_3 {
 76 | 	meta:
 77 | 		description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
 78 | 		author = "Florian Roth"
 79 | 		reference = "http://goo.gl/NpJpVZ"
 80 | 		date = "2015/03/25"
 81 | 		score = 90
 82 | 		hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
 83 | 		hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
 84 | 	strings:
 85 | 		$x1 = "... get header FATAL ERROR !!!  %d bytes read > header_size" fullword ascii
 86 | 		$x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
 87 | 		$x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
 88 | 
 89 | 		$s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
 90 | 		$s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
 91 | 		$s2 = "Attempting to unlock uninitialized lock!" fullword ascii
 92 | 		$s4 = "unable to load kernel32.dll" fullword ascii
 93 | 		$s5 = "index.php?c=%S&r=%x" fullword wide
 94 | 		$s6 = "%s len:%d " fullword ascii
 95 | 		$s7 = "Encountered error sending syscall response to client" fullword ascii
 96 | 		$s9 = "/info.dat" fullword ascii
 97 | 		$s10 = "Error entering thread lock" fullword ascii
 98 | 		$s11 = "Error exiting thread lock" fullword ascii
 99 | 		$s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
100 | 	condition:
101 | 		( 1 of ($x*) ) or
102 | 		( 8 of ($s*) )
103 | }
104 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_sofacy_xtunnel_bundestag.yar:
--------------------------------------------------------------------------------
  1 | 
  2 | rule apt_sofacy_xtunnel {
  3 |     meta:
  4 |         author = "Claudio Guarnieri"
  5 |         description = "Sofacy Malware - German Bundestag"
  6 |         score = 75
  7 |     strings:
  8 |         $xaps = ":\\PROJECT\\XAPS_"
  9 |         $variant11 = "XAPS_OBJECTIVE.dll" $variant12 = "start"
 10 |         $variant21 = "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
 11 |         $variant22 = "is you live?"
 12 |         $mix1 = "176.31.112.10"
 13 |         $mix2 = "error in select, errno %d" $mix3 = "no msg"
 14 |         $mix4 = "is you live?"
 15 |         $mix5 = "127.0.0.1"
 16 |         $mix6 = "err %d"
 17 |         $mix7 = "i`m wait"
 18 |         $mix8 = "hello"
 19 |         $mix9 = "OpenSSL 1.0.1e 11 Feb 2013" $mix10 = "Xtunnel.exe"
 20 |     condition:
 21 |         ((uint16(0) == 0x5A4D) or (uint16(0) == 0xCFD0)) and (($xaps) or (all of ($variant1*)) or (all of ($variant2*)) or (6 of ($mix*))) 
 22 | }
 23 | 
 24 | rule Sofacy_Bundestag_Winexe {
 25 |     meta:
 26 |         description = "Winexe tool used by Sofacy group in Bundestag APT"
 27 |         author = "Florian Roth"
 28 |         reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
 29 |         date = "2015-06-19"
 30 |         hash = "5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d"
 31 |         score = 70
 32 |     strings:
 33 |         $s1 = "\\\\.\\pipe\\ahexec" fullword ascii 
 34 |         $s2 = "implevel" fullword ascii
 35 |     condition:
 36 |         uint16(0) == 0x5a4d and filesize < 115KB and all of them
 37 | }
 38 | 
 39 | rule Sofacy_Bundestag_Mal2 {
 40 |     meta:
 41 |         description = "Sofacy Group Malware Sample 2"
 42 |         author = "Florian Roth"
 43 |         reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
 44 |         date = "2015-06-19"
 45 |         hash = "566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092"
 46 |         score = 70
 47 |     strings:
 48 |         $x1 = "PROJECT\\XAPS_OBJECTIVE_DLL\\" ascii
 49 |         $x2 = "XAPS_OBJECTIVE.dll" fullword ascii
 50 | 
 51 |         $s1 = "i`m wait" fullword ascii 
 52 |     condition:
 53 |         uint16(0) == 0x5a4d and ( 1 of ($x*) ) and $s1
 54 | }
 55 | 
 56 | rule Sofacy_Bundestag_Mal3 {
 57 |     meta:
 58 |         description = "Sofacy Group Malware Sample 3"
 59 |         author = "Florian Roth"
 60 |         reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
 61 |         date = "2015-06-19"
 62 |         hash = "5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1"
 63 |         score = 70
 64 |     strings:
 65 |         $s1 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" fullword ascii 
 66 |         $s2 = ".?AVAgentModuleRemoteKeyLogger@@" fullword ascii 
 67 |         $s3 = "<font size=4 color=red>process isn't exist</font>" fullword ascii 
 68 |         $s4 = "<font size=4 color=red>process is exist</font>" fullword ascii 
 69 |         $s5 = ".winnt.check-fix.com" fullword ascii 
 70 |         $s6 = ".update.adobeincorp.com" fullword ascii 
 71 |         $s7 = ".microsoft.checkwinframe.com" fullword ascii
 72 |         $s8 = "adobeincorp.com" fullword wide 
 73 |         $s9 = "# EXC: HttpSender - Cannot create Get Channel!" fullword ascii 
 74 | 
 75 |         $x1 = "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" wide 
 76 |         $x2 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" wide 
 77 |         $x3 = "C:\\Windows\\System32\\cmd.exe" fullword wide 
 78 |     condition:
 79 |         uint16(0) == 0x5a4d and filesize < 300KB and (
 80 |             2 of ($s*) or 
 81 |             ( 1 of ($s*) and all of ($x*) )
 82 |         ) 
 83 | }
 84 | 
 85 | rule Sofacy_Bundestag_Batch {
 86 |     meta:
 87 |         description = "Sofacy Bundestags APT Batch Script"
 88 |         author = "Florian Roth"
 89 |         reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
 90 |         date = "2015-06-19"
 91 |         score = 70
 92 |     strings:
 93 |         $s1 = "for %%G in (.pdf, .xls, .xlsx, .doc, .docx) do (" ascii 
 94 |         $s2 = "cmd /c copy"
 95 |         $s3 = "forfiles"
 96 |     condition:
 97 |         filesize < 10KB and all of them
 98 | }
 99 | 
100 | 
101 | 
102 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_volatile_cedar.yar:
--------------------------------------------------------------------------------
  1 | rule Explosive_EXE : APT { 
  2 | 	meta:
  3 | 		description = "Explosion/Explosive Malware - Volatile Cedar APT"
  4 | 		author = "Check Point Software Technologies Inc." 
  5 | 	strings:
  6 | 		$DLD_S = "DLD-S:" 
  7 | 		$DLD_E = "DLD-E:"
  8 | 	condition:
  9 | 		all of them and
 10 |         uint16(0) == 0x5A4D
 11 | }
 12 | 
 13 | rule Explosion_Sample_1 {
 14 | 	meta:
 15 | 		description = "Explosion/Explosive Malware - Volatile Cedar APT - file b74bd5660baf67038353136978ed16dbc7d105c60c121cf64c61d8f3d31de32c"
 16 | 		author = "Florian Roth"
 17 | 		reference = "http://goo.gl/5vYaNb"
 18 | 		date = "2015/04/03"
 19 | 		score = 70
 20 | 		hash = "c97693ecb36247bdb44ab3f12dfeae8be4d299bb"
 21 | 	strings:
 22 | 		$s5 = "REG ADD \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii
 23 | 		$s9 = "WinAutologon From Winlogon Reg" fullword ascii
 24 | 		$s10 = "82BD0E67-9FEA-4748-8672-D5EFE5B779B0" fullword ascii
 25 | 		$s11 = "IE:Password-Protected sites" fullword ascii
 26 | 		$s12 = "\\his.sys" fullword ascii
 27 | 		$s13 = "HTTP Password" fullword ascii
 28 | 		$s14 = "\\data.sys" fullword ascii
 29 | 		$s15 = "EL$_RasDefaultCredentials#0" fullword wide
 30 | 		$s17 = "Office Outlook HTTP" fullword ascii
 31 | 		$s20 = "Hist :<b> %ws</b>  :%s </br></br>" fullword ascii
 32 | 	condition:
 33 | 		all of them and  
 34 |         uint16(0) == 0x5A4D
 35 | }
 36 | 
 37 | rule Explosion_Sample_2 {
 38 | 	meta:
 39 | 		description = "Explosion/Explosive Malware - Volatile Cedar APT - file bfc63b30624332f4fc2e510f95b69d18dd0241eb0d2fcd33ed2e81b7275ab488"
 40 | 		author = "Florian Roth"
 41 | 		reference = "http://goo.gl/5vYaNb"
 42 | 		date = "2015/04/03"
 43 | 		score = 70
 44 | 		hash = "62fe6e9e395f70dd632c70d5d154a16ff38dcd29"
 45 | 	strings:
 46 | 		$s0 = "serverhelp.dll" fullword wide
 47 | 		$s1 = "Windows Help DLL" fullword wide
 48 | 		$s5 = "SetWinHoK" fullword ascii
 49 | 	condition:
 50 | 		all of them and  
 51 |         uint16(0) == 0x5A4D
 52 | }
 53 | 
 54 | rule Explosion_Generic_1 {
 55 | 	meta:
 56 | 		description = "Generic Rule for Explosion/Explosive Malware - Volatile Cedar APT"
 57 | 		author = "Florian Roth"
 58 | 		reference = "not set"
 59 | 		date = "2015/04/03"
 60 | 		score = 70
 61 | 		super_rule = 1
 62 | 		hash0 = "d0f059ba21f06021579835a55220d1e822d1233f95879ea6f7cb9d301408c821"
 63 | 		hash1 = "1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908"
 64 | 		hash2 = "d8fdcdaad652c19f4f4676cd2f89ae834dbc19e2759a206044b18601875f2726"
 65 | 		hash3 = "e2e6ed82703de21eb4c5885730ba3db42f3ddda8b94beb2ee0c3af61bc435747"
 66 | 		hash4 = "03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0"
 67 | 	strings:
 68 | 		$s0 = "autorun.exe" fullword
 69 | 		$s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 5.1; .NET CL"
 70 | 		$s2 = "%drp.exe" fullword
 71 | 		$s3 = "%s_%s%d.exe" fullword
 72 | 		$s4 = "open=autorun.exe" fullword
 73 | 		$s5 = "http://www.microsoft.com/en-us/default.aspx" fullword
 74 | 		$s10 = "error.renamefile" fullword
 75 | 		$s12 = "insufficient lookahead" fullword
 76 | 		$s13 = "%s %s|" fullword
 77 | 		$s16 = ":\\autorun.exe" fullword
 78 | 	condition:
 79 | 		7 of them and  
 80 |         uint16(0) == 0x5A4D 
 81 | }
 82 | 
 83 | rule Explosive_UA {
 84 | 	meta:
 85 | 		description = "Explosive Malware Embedded User Agent - Volatile Cedar APT http://goo.gl/HQRCdw"
 86 | 		author = "Florian Roth"
 87 | 		reference = "http://goo.gl/HQRCdw"
 88 | 		date = "2015/04/03"
 89 | 		score = 60
 90 | 	strings:	
 91 | 		$x1 = "Mozilla/4.0 (compatible; MSIE 7.0; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" fullword
 92 | 	condition:
 93 | 		$x1 and  
 94 |         uint16(0) == 0x5A4D 
 95 | }
 96 | 
 97 | rule Webshell_Caterpillar_ASPX {
 98 | 	meta:
 99 | 		description = "Volatile Cedar Webshell - from file caterpillar.aspx"
100 | 		author = "Florian Roth"
101 | 		reference = "http://goo.gl/emons5"
102 | 		date = "2015/04/03"
103 | 		super_rule = 1
104 | 		hash0 = "af4c99208fb92dc42bc98c4f96c3536ec8f3fe56"
105 | 	strings:
106 | 		$s0 = "Dim objNewRequest As WebRequest = HttpWebRequest.Create(sURL)" fullword
107 | 		$s1 = "command = \"ipconfig /all\"" fullword
108 | 		$s3 = "For Each xfile In mydir.GetFiles()" fullword
109 | 		$s6 = "Dim oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")" fullword
110 | 		$s10 = "recResult = adoConn.Execute(strQuery)" fullword
111 | 		$s12 = "b = Request.QueryString(\"src\")" fullword
112 | 		$s13 = "rw(\"<a href='\" + link + \"' target='\" + target + \"'>\" + title + \"</a>\")" fullword
113 | 	condition:
114 | 		all of them
115 | }


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | ![YARA-logo](https://raw.githubusercontent.com/blacktop/docker-yara/master/logo.png)
  2 | 
  3 | # Yara Dockerfile
  4 | 
  5 | [![Publish Docker Image](https://github.com/blacktop/docker-yara/actions/workflows/docker-image.yml/badge.svg)](https://github.com/blacktop/docker-yara/actions/workflows/docker-image.yml) [![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org) [![Docker Stars](https://img.shields.io/docker/stars/blacktop/yara.svg)](https://hub.docker.com/r/blacktop/yara/) [![Docker Pulls](https://img.shields.io/docker/pulls/blacktop/yara.svg)](https://hub.docker.com/r/blacktop/yara/) [![Docker Image](https://img.shields.io/badge/docker%20image-64.6MB-blue.svg)](https://hub.docker.com/r/blacktop/yara/)
  6 | 
  7 | This repository contains a **Dockerfile** of [Yara](http://virustotal.github.io/yara/).
  8 | 
  9 | ---
 10 | 
 11 | ## Dependencies
 12 | 
 13 | - [alpine](https://hub.docker.com/_/alpine)
 14 | 
 15 | ## Image Tags
 16 | 
 17 | ```bash
 18 | REPOSITORY          TAG                 SIZE
 19 | blacktop/yara       latest              64.6MB
 20 | blacktop/yara       4.2                 64.6MB
 21 | blacktop/yara       4.1                 63.1MB
 22 | blacktop/yara       4.0                 60MB
 23 | blacktop/yara       3.11                57.6MB
 24 | blacktop/yara       3.10                53.6MB
 25 | blacktop/yara       3.9                 53.6MB
 26 | blacktop/yara       3.8                 55.8MB
 27 | blacktop/yara       3.7                 55.2MB
 28 | blacktop/yara       3.6                 55.8MB
 29 | blacktop/yara       3.5                 54.3MB
 30 | blacktop/yara       w-rules             60.4MB
 31 | blacktop/yara       no-py               15MB
 32 | blacktop/yara       3.4                 54.3MB
 33 | blacktop/yara       3.1.0               163.7MB (debian:jessie)
 34 | ```
 35 | 
 36 | > **NOTE:**
 37 | >
 38 | > - tag **no-py** is `yara:4.1` without yara-python<br>
 39 | > - tag **w-rules** is `yara:4.1` with some default yara rules included in the /rules directory.
 40 | 
 41 | ## Installation
 42 | 
 43 | 1. Install [Docker](https://docs.docker.com).
 44 | 2. Download [trusted build](https://hub.docker.com/r/blacktop/yara/) from public [Docker Registry](https://hub.docker.com/): `docker pull blacktop/yara`
 45 | 
 46 | ## Getting Started
 47 | 
 48 | ```bash
 49 | $ docker run --rm -v /path/to/rules:/rules:ro \
 50 |                   -v /path/to/malware:/malware:ro \
 51 |                   blacktop/yara /rules/RULES_FILE FILE
 52 | ```
 53 | 
 54 | ```
 55 | YARA 3.6.0, the pattern matching swiss army knife.
 56 | Usage: yara [OPTION]... RULES_FILE FILE | DIR | PID
 57 | 
 58 | Mandatory arguments to long options are mandatory for short options too.
 59 | 
 60 |   -t,  --tag=TAG                   print only rules tagged as TAG
 61 |   -i,  --identifier=IDENTIFIER     print only rules named IDENTIFIER
 62 |   -n,  --negate                    print only not satisfied rules (negate)
 63 |   -D,  --print-module-data         print module data
 64 |   -g,  --print-tags                print tags
 65 |   -m,  --print-meta                print metadata
 66 |   -s,  --print-strings             print matching strings
 67 |   -L,  --print-string-length       print length of matched strings
 68 |   -e,  --print-namespace           print rules' namespace
 69 |   -p,  --threads=NUMBER            use the specified NUMBER of threads to scan a directory
 70 |   -l,  --max-rules=NUMBER          abort scanning after matching a NUMBER of rules
 71 |   -d VAR=VALUE                     define external variable
 72 |   -x MODULE=FILE                   pass FILE's content as extra data to MODULE
 73 |   -a,  --timeout=SECONDS           abort scanning after the given number of SECONDS
 74 |   -k,  --stack-size=SLOTS          set maximum stack size (default=16384)
 75 |   -r,  --recursive                 recursively search directories
 76 |   -f,  --fast-scan                 fast matching mode
 77 |   -w,  --no-warnings               disable warnings
 78 |        --fail-on-warnings          fail on warnings
 79 |   -v,  --version                   show version information
 80 |   -h,  --help                      show this help and exit
 81 | 
 82 | Send bug reports and suggestions to: vmalvarez@virustotal.com.
 83 | ```
 84 | 
 85 | Add the following to your bash or zsh profile
 86 | 
 87 | ```bash
 88 | alias yara='docker run -it --rm -v "$(pwd)":/malware:ro blacktop/yara $@'
 89 | ```
 90 | 
 91 | ## Documentation
 92 | 
 93 | ### Usage
 94 | 
 95 | ```bash
 96 | $ yara [OPTION]... RULES_FILE FILE | DIR | PID
 97 | ```
 98 | 
 99 | ## Issues
100 | 
101 | Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to [file an issue](https://github.com/blacktop/docker-yara/issues/new) and I'll get right on it.
102 | 
103 | ## License
104 | 
105 | MIT Copyright (c) 2014-2021 **blacktop**
106 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/crime_rombertik_carbongrabber.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | 	Yara Rule Set
  3 | 	Author: Florian Roth
  4 | 	Date: 2015-05-05
  5 | 	Identifier: CarbonGrabber
  6 | */
  7 | 
  8 | /* Rule Set ----------------------------------------------------------------- */
  9 | 
 10 | rule Rombertik_CarbonGrabber {
 11 | 	meta:
 12 | 		description = "Detects CarbonGrabber alias Rombertik - file Copy#064046.scr"
 13 | 		author = "Florian Roth"
 14 | 		reference = "http://blogs.cisco.com/security/talos/rombertik"
 15 | 		date = "2015-05-05"
 16 | 		hash1 = "2f9b26b90311e62662c5946a1ac600d2996d3758"
 17 | 		hash2 = "aeb94064af2a6107a14fd32f39cb502e704cd0ab"
 18 | 		hash3 = "c2005c8d1a79da5e02e6a15d00151018658c264c" 
 19 | 		hash4 = "98223d4ec272d3a631498b621618d875dd32161d" 	
 20 | 	strings:
 21 | 		$x1 = "ZwGetWriteWatch" fullword ascii
 22 | 		$x2 = "OutputDebugStringA" fullword ascii
 23 | 		$x3 = "malwar" fullword ascii
 24 | 		$x4 = "sampl" fullword ascii
 25 | 		$x5 = "viru" fullword ascii
 26 | 		$x6 = "sandb" fullword ascii
 27 | 	condition:
 28 | 		uint16(0) == 0x5a4d and filesize < 5MB and all of them
 29 | }
 30 | 
 31 | rule Rombertik_CarbonGrabber_Panel_InstallScript {
 32 | 	meta:
 33 | 		description = "Detects CarbonGrabber alias Rombertik panel install script - file install.php"
 34 | 		author = "Florian Roth"
 35 | 		reference = "http://blogs.cisco.com/security/talos/rombertik"
 36 | 		date = "2015-05-05"
 37 | 		hash = "cd6c152dd1e0689e0bede30a8bd07fef465fbcfa"
 38 | 	strings:
 39 | 		$s0 = "$insert = \"INSERT INTO `logs` (`id`, `ip`, `name`, `host`, `post`, `time`, `bro" ascii
 40 | 		$s3 = "`post` text NOT NULL," fullword ascii
 41 | 		$s4 = "`host` text NOT NULL," fullword ascii
 42 | 		$s5 = ") ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=5 ;\" ;" fullword ascii
 43 | 		$s6 = "$db->exec($columns); //or die(print_r($db->errorInfo(), true));;" fullword ascii
 44 | 		$s9 = "$db->exec($insert);" fullword ascii
 45 | 		$s10 = "`browser` text NOT NULL," fullword ascii
 46 | 		$s13 = "`ip` text NOT NULL," fullword ascii
 47 | 	condition:
 48 | 		filesize < 3KB and all of them
 49 | }
 50 | 
 51 | rule Rombertik_CarbonGrabber_Panel {
 52 | 	meta:
 53 | 		description = "Detects CarbonGrabber alias Rombertik Panel - file index.php"
 54 | 		author = "Florian Roth"
 55 | 		reference = "http://blogs.cisco.com/security/talos/rombertik"
 56 | 		date = "2015-05-05"
 57 | 		hash = "e6e9e4fc3772ff33bbeeda51f217e9149db60082"
 58 | 	strings:
 59 | 		$s0 = "echo '<meta http-equiv=\"refresh\" content=\"0;url=index.php?a=login\">';" fullword ascii
 60 | 		$s1 = "echo '<meta http-equiv=\"refresh\" content=\"2;url='.$website.'/index.php?a=login" ascii
 61 | 		$s2 = "header(\"location: $website/index.php?a=login\");" fullword ascii
 62 | 		$s3 = "$insertLogSQL -> execute(array(':id' => NULL, ':ip' => $ip, ':name' => $name, ':" ascii
 63 | 		$s16 = "if($_POST['username'] == $username && $_POST['password'] == $password){" fullword ascii
 64 | 		$s17 = "$SQL = $db -> prepare(\"TRUNCATE TABLE `logs`\");" fullword ascii
 65 | 	condition:
 66 | 		filesize < 46KB and all of them
 67 | }
 68 | 
 69 | rule Rombertik_CarbonGrabber_Builder {
 70 | 	meta:
 71 | 		description = "Detects CarbonGrabber alias Rombertik Builder - file Builder.exe"
 72 | 		author = "Florian Roth"
 73 | 		reference = "http://blogs.cisco.com/security/talos/rombertik"
 74 | 		date = "2015-05-05"
 75 | 		hash = "b50ecc0ba3d6ec19b53efe505d14276e9e71285f"
 76 | 	strings:
 77 | 		$s0 = "c:\\users\\iden\\documents\\visual studio 2010\\Projects\\FormGrabberBuilderC++" ascii
 78 | 		$s1 = "Host(www.panel.com): " fullword ascii
 79 | 		$s2 = "Path(/form/index.php?a=insert): " fullword ascii
 80 | 		$s3 = "FileName: " fullword ascii
 81 | 		$s4 = "~Rich8" fullword ascii
 82 | 	condition:
 83 | 		uint16(0) == 0x5a4d and filesize < 35KB and all of them
 84 | }
 85 | 
 86 | rule Rombertik_CarbonGrabber_Builder_Server {
 87 | 	meta:
 88 | 		description = "Detects CarbonGrabber alias Rombertik Builder Server - file Server.exe"
 89 | 		author = "Florian Roth"
 90 | 		reference = "http://blogs.cisco.com/security/talos/rombertik"
 91 | 		date = "2015-05-05"
 92 | 		hash = "895fab8d55882eac51d4b27a188aa67205ff0ae5"
 93 | 	strings:
 94 | 		$s0 = "C:\\WINDOWS\\system32\\svchost.exe" fullword ascii
 95 | 		$s3 = "Software\\Microsoft\\Windows\\Currentversion\\RunOnce" fullword ascii
 96 | 		$s4 = "chrome.exe" fullword ascii
 97 | 		$s5 = "firefox.exe" fullword ascii
 98 | 		$s6 = "chrome.dll" fullword ascii
 99 | 		$s7 = "@KERNEL32.DLL" fullword wide
100 | 		$s8 = "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome" ascii
101 | 		$s10 = "&post=" fullword ascii
102 | 		$s11 = "&host=" fullword ascii
103 | 		$s12 = "Ws2_32.dll" fullword ascii
104 | 		$s16 = "&browser=" fullword ascii
105 | 	condition:
106 | 		uint16(0) == 0x5a4d and filesize < 250KB and 8 of them
107 | }
108 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_apt28.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | 	Yara Rule Set
 3 | 	Author: YarGen Rule Generator
 4 | 	Date: 2015-06-02
 5 | 	Identifier: APT28
 6 | */
 7 | 
 8 | /* Rule Set ----------------------------------------------------------------- */
 9 | 
10 | rule APT28_CHOPSTICK {
11 | 	meta:
12 | 		description = "Detects a malware that behaves like CHOPSTICK mentioned in APT28 report"
13 | 		author = "Florian Roth"
14 | 		reference = "https://goo.gl/v3ebal"
15 | 		date = "2015-06-02"
16 | 		hash = "f4db2e0881f83f6a2387ecf446fcb4a4c9f99808"
17 | 		score = 60
18 | 	strings:
19 | 		$s0 = "jhuhugit.tmp" fullword ascii /* score: '14.005' */
20 | 		$s8 = "KERNEL32.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 14405 times */
21 | 		$s9 = "IsDebuggerPresent" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 3518 times */
22 | 		$s10 = "IsProcessorFeaturePresent" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 1383 times */
23 | 		$s11 = "TerminateProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 13081 times */
24 | 		$s13 = "DeleteFileA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 1384 times */
25 | 		$s15 = "GetProcessHeap" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 5875 times */
26 | 		$s16 = "!This program cannot be run in DOS mode." fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 20908 times */
27 | 		$s17 = "LoadLibraryA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 5461 times */
28 | 	condition:
29 | 		uint16(0) == 0x5a4d and filesize < 722KB and all of them
30 | }
31 | 
32 | rule APT28_SourFace_Malware1 {
33 | 	meta:
34 | 		description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
35 | 		author = "Florian Roth"
36 | 		reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
37 | 		date = "2015-06-01"
38 | 		hash1 = "e2450dffa675c61aa43077b25b12851a910eeeb6"
39 | 		hash2 = "d9c53adce8c35ec3b1e015ec8011078902e6800b"
40 | 		score = 60
41 | 	strings:
42 | 		$s0 = "coreshell.dll" fullword wide /* PEStudio Blacklist: strings */
43 | 		$s1 = "Core Shell Runtime Service" fullword wide /* PEStudio Blacklist: strings */
44 | 		$s2 = "\\chkdbg.log" fullword wide
45 | 	condition:
46 | 		uint16(0) == 0x5a4d and filesize < 62KB and all of them
47 | }
48 | 
49 | rule APT28_SourFace_Malware2 {
50 | 	meta:
51 | 		description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
52 | 		author = "Florian Roth"
53 | 		reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
54 | 		date = "2015-06-01"
55 | 		super_rule = 1
56 | 		hash0 = "367d40465fd1633c435b966fa9b289188aa444bc"
57 | 		hash1 = "cf3220c867b81949d1ce2b36446642de7894c6dc"
58 | 		hash2 = "ed48ef531d96e8c7360701da1c57e2ff13f12405"
59 | 		hash3 = "682e49efa6d2549147a21993d64291bfa40d815a"
60 | 		hash4 = "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca"
61 | 		hash5 = "f5b3e98c6b5d65807da66d50bd5730d35692174d"
62 | 		score = 60
63 | 	strings:
64 | 		$s0 = "coreshell.dll" fullword ascii /* PEStudio Blacklist: strings */
65 | 		$s1 = "Applicate" fullword ascii
66 | 	condition:
67 | 		uint16(0) == 0x5a4d and filesize < 550KB and all of them
68 | }
69 | 
70 | rule APT28_SourFace_Malware3 {
71 | 	meta:
72 | 		description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
73 | 		author = "Florian Roth"
74 | 		reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
75 | 		date = "2015-06-01"
76 | 		super_rule = 1
77 | 		hash0 = "85522190958c82589fa290c0835805f3d9a2f8d6"
78 | 		hash1 = "d9c53adce8c35ec3b1e015ec8011078902e6800b"
79 | 		hash2 = "367d40465fd1633c435b966fa9b289188aa444bc"
80 | 		hash3 = "d87b310aa81ae6254fff27b7d57f76035f544073"
81 | 		hash4 = "cf3220c867b81949d1ce2b36446642de7894c6dc"
82 | 		hash5 = "ed48ef531d96e8c7360701da1c57e2ff13f12405"
83 | 		hash6 = "682e49efa6d2549147a21993d64291bfa40d815a"
84 | 		hash7 = "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca"
85 | 		hash8 = "f5b3e98c6b5d65807da66d50bd5730d35692174d"
86 | 		hash9 = "e2450dffa675c61aa43077b25b12851a910eeeb6"
87 | 		score = 60
88 | 	strings:
89 | 		$s0 = "coreshell.dll" fullword wide /* PEStudio Blacklist: strings */
90 | 		$s1 = "Core Shell Runtime Service" fullword wide /* PEStudio Blacklist: strings */
91 | 	condition:
92 | 		uint16(0) == 0x5a4d and filesize < 550KB and all of them
93 | }
94 | 
95 | 


--------------------------------------------------------------------------------
/w-rules/rules/WannaCry.yar:
--------------------------------------------------------------------------------
  1 | rule FE_RANSOMWARE_WANNACRY {
  2 |             meta:version=".4"
  3 |             filetype="PE"
  4 |             author="Ian.Ahl@fireeye.com @TekDefense"
  5 |             date="2017-05-12"
  6 |             description="Generic detection for most WannaCry variants"
  7 | strings:
  8 |             // Bitcoin URLs
  9 |             $bcURL1 = "http://www.btcfrog.com/qr/bitcoinPNG.php?address=%" ascii wide nocase
 10 |             $bcURL2 = "https://www.google.com/search?q=how+to+buy+bitcoin" ascii wide nocase
 11 | 
 12 |             // Ransom Message
 13 |             $msg1 = "Congratulations! Succeed to check your payment!" ascii wide
 14 |             $msg2 = "Start decrypting now!" ascii wide
 15 |             $msg3 = "All your files have been decrypted!" ascii wide
 16 |             $msg4 = "Pay now, if you want to decrypt ALL your files!" ascii wide
 17 |             $msg5 = "Send $%d worth of bitcoin to this address:" ascii wide
 18 |             $msg6 = "Ooops, your files have been encrypted!" ascii wide
 19 | 
 20 |             // WANNA Strings
 21 |             $wanna1 = "Wanna Decryptor 1.0" ascii wide
 22 |             $wanna2 = "Wana Decrypt0r" ascii wide
 23 |             $wanna3 = "Wana Decryptor" ascii wide
 24 |             $wanna4 = "WANNACRY" ascii wide nocase
 25 |             $wanna5 = "WanaCrypt0r" ascii wide nocase
 26 |             $wanna6 = "WANACRY!" ascii wide
 27 |             $wanna7 = "WNcry@2ol7" ascii wide
 28 |             $wanna8 = "wcry@123"
 29 |             $wanna9 = "wcry@2016"
 30 | 
 31 |             // File references
 32 |             $fileA1 = "!WannaCryptor!.bmp" ascii wide
 33 |             $fileA2 = "!WannaDecryptor!.exe.lnk" ascii wide
 34 |             $fileA3 = "!Please Read Me!.txt" ascii wide
 35 | 
 36 |             $fileB1 = "@WanaDecryptor@.bmp" ascii wide
 37 |             $fileB2 = "@WanaDecryptor@.exe.lnk" ascii wide
 38 |             $fileB3 = "@Please_Read_Me@.txt" ascii wide
 39 | 
 40 |             // CMDS
 41 |             $cmd1 = "cmd.exe /c start /b vssadmin.exe Delete Shadows /All /Quiet" ascii wide nocase
 42 |             $cmd2 = "wmic shadowcopy delete" ascii wide
 43 |             $cmd3 = "bcdedit /set {default} bootstatuspolicy ignoreallfailures" ascii wide
 44 |             $cmd4 = "bcdedit /set {default} recoveryenabled no" ascii wide
 45 |             $cmd5 = "wbadmin delete catalog -quiet" ascii wide
 46 |             $cmd6 = "icacls . /grant Everyone:F /T /C /Q" ascii wide
 47 | 
 48 |             // MISC
 49 |             $misc1 = "StartTask" wide ascii
 50 |             $misc2 = "b.wry" wide ascii
 51 |             $misc3 = "c.wry" wide ascii
 52 |             $misc4 = "m.wry" wide ascii
 53 |             $misc5 = "inflate 1.1.3 Copyright 1995-1998 Mark Adler" wide ascii
 54 |             $misc6 = "?AVtype_info@@" wide ascii
 55 | 
 56 | condition:
 57 |             (
 58 |                         (
 59 |                                     (uint16(0) == 0x5A4D)
 60 |                         )
 61 |                         and
 62 |                         (
 63 |                                     all of ($fileA*)
 64 |                                     or
 65 |                                     all of ($fileB*)
 66 |                                     or
 67 |                                     (4 of ($msg*) and 2 of ($bcURL*))
 68 |                                     or
 69 |                                     2 of ($wanna*)
 70 |                                     or
 71 |                                     (2 of ($msg*) and 1 of ($cmd*))
 72 |                                     or
 73 |                                     4 of ($cmd*)
 74 |                                     or
 75 |                                     (1 of ($wanna*) and 1 of ($cmd*))
 76 |                                     or
 77 |                                     (1 of ($wanna*) and 3 of ($misc*))
 78 |                         )
 79 |             )
 80 | }
 81 | 
 82 | rule FE_RANSOMWARE_WANNACRY_EB {
 83 |            meta:version=".1"
 84 |            filetype="PE"
 85 |            author="Ian.Ahl@fireeye.com @TekDefense"
 86 |            date="2017-05-12"
 87 |            description="Focusing on the WannaCry variants with worm capabilities"
 88 | strings:
 89 | 
 90 |             // EB related strings in WANNACRY
 91 |             $eb1 = "__USERID__PLACEHOLDER__@" ascii wide
 92 |             $eb2 = "__TREEID__PLACEHOLDER__" ascii wide
 93 |             $eb3 = "LANMAN1.0" ascii wide
 94 |             $eb4 = "LANMAN2.1" ascii wide
 95 |             $eb5 = "\\PIPE\\" ascii wide
 96 |             $eb6 = "\\\\%s\\IPC$" ascii wide
 97 |             $eb7 = "__TREEPATH_REPLACE__" ascii wide
 98 |             $eb8 = "/K__USERID__PLACEHOLDER__" ascii wide
 99 | 
100 | condition:
101 |             (
102 |                         (
103 |                                     (uint16(0) == 0x5A4D)
104 |                         )
105 |                         and
106 |                         (
107 |                                     all of ($eb*)
108 |                         )
109 |             )
110 | }
111 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_hellsing_kaspersky.yar:
--------------------------------------------------------------------------------
  1 | 
  2 | rule apt_hellsing_implantstrings { 
  3 | 	meta:
  4 | 		version = "1.0"
  5 | 		filetype = "PE"
  6 | 		author = "Costin Raiu, Kaspersky Lab" 
  7 | 		copyright = "Kaspersky Lab"
  8 | 		date = "2015-04-07"
  9 | 		description = "detection for Hellsing implants"
 10 | 	strings: 
 11 | 		$mz = "MZ"
 12 | 		$a1 = "the file uploaded failed !"
 13 | 		$a2 = "ping 127.0.0.1"
 14 | 		$b1 = "the file downloaded failed !"
 15 | 		$b2 = "common.asp"
 16 | 		$c = "xweber_server.exe" 
 17 | 		$d = "action="
 18 | 		$debugpath1 = "d:\\Hellsing\\release\\msger\\" nocase 
 19 | 		$debugpath2 = "d:\\hellsing\\sys\\xrat\\" nocase 
 20 | 		$debugpath3 = "D:\\Hellsing\\release\\exe\\" nocase 
 21 | 		$debugpath4 = "d:\\hellsing\\sys\\xkat\\" nocase 
 22 | 		$debugpath5 = "e:\\Hellsing\\release\\clare" nocase 
 23 | 		$debugpath6 = "e:\\Hellsing\\release\\irene\\" nocase 
 24 | 		$debugpath7 = "d:\\hellsing\\sys\\irene\\" nocase
 25 | 		$e = "msger_server.dll" 
 26 | 		$f = "ServiceMain"
 27 | 	condition:
 28 | 		($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
 29 | }
 30 | 
 31 | rule apt_hellsing_installer { 
 32 | 	meta:
 33 | 		version = "1.0"
 34 | 		filetype = "PE"
 35 | 		author = "Costin Raiu, Kaspersky Lab"
 36 | 		copyright = "Kaspersky Lab"
 37 | 		date = "2015-04-07"
 38 | 		description = "detection for Hellsing xweber/msger installers"
 39 | 	strings: 
 40 | 		$mz = "MZ"
 41 | 		$cmd = "cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
 42 | 		$a1 = "xweber_install_uac.exe"
 43 | 		$a2 = "system32\\cmd.exe" wide
 44 | 		$a4 = "S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
 45 | 		$a5 = "S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" 
 46 | 		$a6 = "7dqm2ODf5N/Y2N/m6+br3dnZpunl44g=" $a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
 47 | 		$a8 = "vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSINjl2tyI"
 48 | 		$a9 = "C:\\Windows\\System32\\sysprep\\sysprep.exe" wide 
 49 | 		$a10 = "%SystemRoot%\\system32\\cmd.exe" wide 
 50 | 		$a11 = "msger_install.dll"
 51 | 		$a12 = {00 65 78 2E 64 6C 6C 00}
 52 | 	condition:
 53 | 		($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
 54 | }
 55 | 
 56 | rule apt_hellsing_proxytool { 
 57 | 	meta:
 58 | 		version = "1.0"
 59 | 		filetype = "PE"
 60 | 		author = "Costin Raiu, Kaspersky Lab"
 61 | 		copyright = "Kaspersky Lab"
 62 | 		date = "2015-04-07"
 63 | 		description = "detection for Hellsing proxy testing tool"
 64 | 	strings: 
 65 | 		$mz = "MZ"
 66 | 		$a1 = "PROXY_INFO: automatic proxy url => %s"
 67 | 		$a2 = "PROXY_INFO: connection type => %d"
 68 | 		$a3 = "PROXY_INFO: proxy server => %s"
 69 | 		$a4 = "PROXY_INFO: bypass list => %s"
 70 | 		$a5 = "InternetQueryOption failed with GetLastError() %d"
 71 | 		$a6 = "D:\\Hellsing\\release\\exe\\exe\\" nocase
 72 | 	condition:
 73 | 		($mz at 0) and (2 of ($a*)) and filesize < 300000
 74 | }
 75 | 
 76 | rule apt_hellsing_xkat { 
 77 | 	meta:
 78 | 		version = "1.0"
 79 | 		filetype = "PE"
 80 | 		author = "Costin Raiu, Kaspersky Lab" copyright = "Kaspersky Lab"
 81 | 		date = "2015-04-07"
 82 | 		description = "detection for Hellsing xKat tool"
 83 | 	strings: 
 84 | 		$mz = "MZ"
 85 | 		$a1 = "\\Dbgv.sys" $a2="XKAT_BIN" $a3="release sys file error."
 86 | 		$a4 = "driver_load error. "
 87 | 		$a5 = "driver_create error."
 88 | 		$a6 = "delete file:%s error." 
 89 | 		$a7 = "delete file:%s ok."
 90 | 		$a8 = "kill pid:%d error."
 91 | 		$a9 = "kill pid:%d ok."
 92 | 		$a10 = "-pid-delete"
 93 | 		$a11 = "kill and delete pid:%d error."
 94 | 		$a12 = "kill and delete pid:%d ok."
 95 | 	condition:
 96 | 		($mz at 0) and (6 of ($a*)) and filesize < 300000
 97 | }
 98 | 
 99 | rule apt_hellsing_msgertype2 { 
100 | 	meta:
101 | 		version = "1.0"
102 | 		filetype = "PE"
103 | 		author = "Costin Raiu, Kaspersky Lab"
104 | 		copyright = "Kaspersky Lab"
105 | 		date = "2015-04-07"
106 | 		description = "detection for Hellsing msger type 2 implants"
107 | 	strings: 
108 | 		$mz = "MZ"
109 | 		$a1 = "%s\\system\\%d.txt"
110 | 		$a2 = "_msger" 
111 | 		$a3 = "http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
112 | 		$a4 = "http://%s/data/%s.1000001000" 
113 | 		$a5 = "/lib/common.asp?action=user_upload&file="
114 | 		$a6 = "%02X-%02X-%02X-%02X-%02X-%02X"
115 | 	condition:
116 | 		($mz at 0) and (4 of ($a*)) and filesize < 500000
117 | }
118 | 
119 | rule apt_hellsing_irene { 
120 | 	meta:
121 | 		version = "1.0"
122 | 		filetype = "PE"
123 | 		author = "Costin Raiu, Kaspersky Lab"
124 | 		copyright = "Kaspersky Lab"
125 | 		date = "2015-04-07"
126 | 		description = "detection for Hellsing msger irene installer"
127 | 	strings: 
128 | 		$mz = "MZ"
129 | 		$a1 = "\\Drivers\\usbmgr.tmp" wide
130 | 		$a2 = "\\Drivers\\usbmgr.sys" wide
131 | 		$a3 = "common_loadDriver CreateFile error!"
132 | 		$a4 = "common_loadDriver StartService error && GetLastError():%d!"
133 | 		$a5 = "irene" wide
134 | 		$a6 = "aPLib v0.43 - the smaller the better" 
135 | 	condition:
136 | 		($mz at 0) and (4 of ($a*)) and filesize < 500000
137 | }
138 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_waterbug.yar:
--------------------------------------------------------------------------------
  1 | /* WATERBUG ----------------------------------------------------------------- */
  2 | 
  3 | rule WaterBug_wipbot_2013_core_PDF {
  4 | 	meta:
  5 | 		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
  6 | 		author = "Symantec Security Response"
  7 | 		date = "22.01.2015"
  8 | 		reference = "http://t.co/rF35OaAXrl"
  9 | 	strings:
 10 | 		$PDF = "%PDF-"
 11 | 		$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/ 
 12 | 		$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
 13 | 	condition:
 14 | 		($PDF at 0) and #a > 150 and #b > 200
 15 | }
 16 | 
 17 | rule WaterBug_wipbot_2013_dll {
 18 | 	meta:
 19 | 		description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
 20 | 		author = "Symantec Security Response"
 21 | 		date = "22.01.2015"
 22 | 		reference = "http://t.co/rF35OaAXrl"		
 23 | 	strings:
 24 | 		$string1 = "/%s?rank=%s"
 25 | 		$string2 = "ModuleStart\x00ModuleStop\x00start"
 26 | 		$string3 = "1156fd22-3443-4344-c4ffff"
 27 | 		//read file... error..
 28 | 		$string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
 29 | 	condition:
 30 | 		2 of them
 31 | }
 32 | 
 33 | rule WaterBug_wipbot_2013_core {
 34 | 	meta:
 35 | 		description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
 36 | 		author = "Symantec Security Response"
 37 | 		date = "22.01.2015"
 38 | 		reference = "http://t.co/rF35OaAXrl"			
 39 | 	strings:
 40 | 		$mz = "MZ"
 41 | 		$code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
 42 | 		$code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
 43 | 		$code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04} $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
 44 | 	condition:
 45 | 		$mz at 0 and (($code1 or $code2) or ($code3 and $code4))
 46 | }
 47 | 
 48 | rule WaterBug_turla_dropper {
 49 | 	meta:
 50 | 		description = "Symantec Waterbug Attack - Trojan Turla Dropper"
 51 | 		author = "Symantec Security Response"
 52 | 		date = "22.01.2015"
 53 | 		reference = "http://t.co/rF35OaAXrl"
 54 | 	strings: 
 55 | 		$a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
 56 | 		$b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
 57 | 	condition: 
 58 | 		all of them
 59 | }
 60 | 
 61 | rule WaterBug_fa_malware { 
 62 | 	meta: 
 63 | 		description = "Symantec Waterbug Attack - FA malware variant"
 64 | 		author = "Symantec Security Response"
 65 | 		date = "22.01.2015"
 66 | 		reference = "http://t.co/rF35OaAXrl"
 67 | 	strings:
 68 | 		$mz = "MZ"
 69 | 		$string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
 70 | 		$string2 = "d:\\proj\\cn\\fa64\\"
 71 | 		$string3 = "sengoku_Win32.sys\x00"
 72 | 		$string4 = "rk_ntsystem.c"
 73 | 		$string5 = "\\uroboros\\"
 74 | 		$string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
 75 | 	condition:
 76 | 		($mz at 0) and (any of ($string*))
 77 | }
 78 | 
 79 | /* pe module memory leak problem
 80 | 
 81 | 
 82 | rule WaterBug_turla_dll {
 83 | 	meta: 
 84 | 		description = "Symantec Waterbug Attack - Trojan Turla DLL"
 85 | 		author = "Symantec Security Response"
 86 | 		date = "22.01.2015"
 87 | 		reference = "http://t.co/rF35OaAXrl"	
 88 | 	strings:
 89 | 		$a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
 90 | 	condition:
 91 | 		pe.exports("ee") and $a
 92 | }
 93 | 
 94 | rule WaterBug_sav_dropper {
 95 | 	meta: 
 96 | 		description = "Symantec Waterbug Attack - SAV Dropper"
 97 | 		author = "Symantec Security Response"
 98 | 		date = "22.01.2015"
 99 | 		reference = "http://t.co/rF35OaAXrl" 
100 | 	strings:
101 | 		$mz = "MZ"
102 | 		$a = /[a-z]{,10}_x64.sys\x00hMZ\x00/
103 | 	condition:
104 | 		($mz at 0) and uint32(0x400) == 0x000000c3 and pe.number_of_sections == 6 and $a 
105 | }
106 | 
107 | */ 
108 | 
109 | rule WaterBug_sav {
110 | 	meta: 
111 | 		description = "Symantec Waterbug Attack - SAV Malware"
112 | 		author = "Symantec Security Response"
113 | 		date = "22.01.2015"
114 | 		reference = "http://t.co/rF35OaAXrl" 	
115 | 	strings:
116 | 		$mz = "MZ"
117 | 		$code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
118 | 		$code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC	3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
119 | 		$code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
120 | 		$code2 =  { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
121 | 	condition:
122 | 		($mz at 0) and (($code1a or $code1b or $code1c) and $code2) 
123 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/exploit_uac_elevators.yar:
--------------------------------------------------------------------------------
  1 | 
  2 | rule Win7Elevatev2 {
  3 | 	meta:
  4 | 		description = "Detects Win7Elevate - Windows UAC bypass utility"
  5 | 		author = "Florian Roth"
  6 | 		reference = "http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html"
  7 | 		date = "2015-05-14"
  8 | 		hash1 = "4f53ff6a04e46eda92b403faf42219a545c06c29" /* x64 */
  9 | 		hash2 = "808d04c187a524db402c5b2be17ce799d2654bd1" /* x86 */
 10 | 		score = 60
 11 | 	strings:
 12 | 		$x1 = "This program attempts to bypass Windows 7's default UAC settings to run " wide
 13 | 		$x2 = "Win7ElevateV2\\x64\\Release\\" ascii
 14 | 		$x3 = "Run the command normally (without code injection)" wide	
 15 | 		$x4 = "Inject file copy && elevate command" fullword wide
 16 | 		$x5 = "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html" fullword wide
 17 | 		$x6 = "For injection, pick any unelevated Windows process with ASLR on:" fullword wide
 18 | 		
 19 | 		$s1 = "\\cmd.exe" wide
 20 | 		$s2 = "runas" wide
 21 | 		$s3 = "explorer.exe" wide
 22 | 		$s4 = "Couldn't load kernel32.dll" wide
 23 | 		$s5 = "CRYPTBASE.dll" wide
 24 | 		$s6 = "shell32.dll" wide
 25 | 		$s7 = "ShellExecuteEx" ascii
 26 | 		$s8 = "COMCTL32.dll" ascii 
 27 | 		$s9 = "ShellExecuteEx" ascii
 28 | 		$s10 = "HeapAlloc" ascii
 29 | 	condition:
 30 | 		uint16(0) == 0x5a4d and ( 1 of ($x*) or all of ($s*) )
 31 | }
 32 | 
 33 | rule UACME_Akagi {
 34 | 	meta:
 35 | 		description = "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor"
 36 | 		author = "Florian Roth"
 37 | 		reference = "https://github.com/hfiref0x/UACME"
 38 | 		date = "2015-05-14"
 39 | 		hash1 = "edd2138bbd9e76c343051c6dc898054607f2040a"
 40 | 		hash2 = "e3a919ccc2e759e618208ededa8a543954d49f8a"
 41 | 		score = 60
 42 | 	strings:
 43 | 		$x1 = "UACMe injected, Fubuki at your service." wide fullword
 44 | 		$x3 = "%temp%\\Hibiki.dll" fullword wide
 45 | 		$x4 = "[UCM] Cannot write to the target process memory." fullword wide
 46 | 		
 47 | 		$s1 = "%systemroot%\\system32\\cmd.exe" wide
 48 | 		$s2 = "D:(A;;GA;;;WD)" wide
 49 | 		$s3 = "%systemroot%\\system32\\sysprep\\sysprep.exe" fullword wide
 50 | 		$s4 = "/c wusa %ws /extract:%%windir%%\\system32" fullword wide
 51 | 		$s5 = "Fubuki.dll" ascii fullword
 52 | 		
 53 | 		$l1 = "ntdll.dll" ascii
 54 | 		$l2 = "Cabinet.dll" ascii
 55 | 		$l3 = "GetProcessHeap" ascii
 56 | 		$l4 = "WriteProcessMemory" ascii
 57 | 		$l5 = "ShellExecuteEx" ascii
 58 | 	condition:
 59 | 		( 1 of ($x*) ) or ( 3 of ($s*) and all of ($l*) ) 
 60 | }
 61 | 
 62 | rule UACElevator {
 63 | 	meta:
 64 | 		description = "UACElevator bypassing UAC - file UACElevator.exe"
 65 | 		author = "Florian Roth"
 66 | 		reference = "https://github.com/MalwareTech/UACElevator"
 67 | 		date = "2015-05-14"
 68 | 		hash = "fd29d5a72d7a85b7e9565ed92b4d7a3884defba6"
 69 | 	strings:
 70 | 		$x1 = "\\UACElevator.pdb" ascii
 71 | 		
 72 | 		$s1 = "%userprofile%\\Downloads\\dwmapi.dll" fullword ascii
 73 | 		$s2 = "%windir%\\system32\\dwmapi.dll" fullword ascii
 74 | 		$s3 = "Infection module: %s" fullword ascii
 75 | 		$s4 = "Could not save module to %s" fullword ascii
 76 | 		$s5 = "%s%s%p%s%ld%s%d%s" fullword ascii
 77 | 		$s6 = "Stack area around _alloca memory reserved by this function is corrupted" fullword ascii
 78 | 		$s7 = "Stack around the variable '" fullword ascii
 79 | 		$s8 = "MSVCR120D.dll" fullword wide
 80 | 		$s9 = "Address: 0x" fullword ascii
 81 | 	condition:
 82 | 		uint16(0) == 0x5a4d and filesize < 172KB and 
 83 | 			( $x1 or 8 of ($s*) )
 84 | }
 85 | 
 86 | rule s4u {
 87 | 	meta:
 88 | 		description = "Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe"
 89 | 		author = "Florian Roth"
 90 | 		reference = "https://github.com/aurel26/s-4-u-for-windows"
 91 | 		date = "2015-06-05"
 92 | 		hash = "cfc18f3d5306df208461459a8e667d89ce44ed77"
 93 | 		score = 50
 94 | 	strings:
 95 | 		// Specific strings (may change)
 96 | 		$x0 = "s4u.exe Domain\\Username [Extra SID]" fullword ascii 
 97 | 		$x1 = "\\Release\\s4u.pdb" ascii
 98 | 
 99 | 		// Less specific strings
100 | 		$s0 = "CreateProcessAsUser failed (error %u)." fullword ascii 
101 | 		$s1 = "GetTokenInformation failed (error: %u)." fullword ascii 
102 | 		$s2 = "LsaLogonUser failed (error 0x%x)." fullword ascii 
103 | 		$s3 = "LsaLogonUser: OK, LogonId: 0x%x-0x%x" fullword ascii 
104 | 		$s4 = "LookupPrivilegeValue failed (error: %u)." fullword ascii 
105 | 		$s5 = "The token does not have the specified privilege (%S)." fullword ascii 
106 | 		$s6 = "Unable to parse command line." fullword ascii 
107 | 		$s7 = "Unable to find logon SID." fullword ascii 
108 | 		$s8 = "AdjustTokenPrivileges failed (error: %u)." fullword ascii
109 | 		$s9 = "AdjustTokenPrivileges (%S): OK" fullword ascii 
110 | 		
111 | 		// Generic
112 | 		$g1 = "%systemroot%\\system32\\cmd.exe" wide
113 | 		$g2 = "SeTcbPrivilege" wide
114 | 		$g3 = "winsta0\\default" wide
115 | 		$g4 = ".rsrc"
116 | 		$g5 = "HeapAlloc"
117 | 		$g6 = "GetCurrentProcess"
118 | 		$g7 = "HeapFree"
119 | 		$g8 = "GetProcessHeap"
120 | 		$g9 = "ExpandEnvironmentStrings"
121 | 		$g10 = "ConvertStringSidToSid"
122 | 		$g11 = "LookupPrivilegeValue"
123 | 		$g12 = "AllocateLocallyUniqueId"
124 | 		$g13 = "ADVAPI32.dll"
125 | 		$g14 = "LsaLookupAuthenticationPackage"
126 | 		$g15 = "Secur32.dll"
127 | 		$g16 = "MSVCR120.dll"		
128 | 
129 | 	condition:
130 | 		uint16(0) == 0x5a4d and filesize < 60KB and ( 1 of ($x*) or all of ($s*) or all of ($g*) ) 
131 | }
132 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_kaspersky_duqu2.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | 	Yara Rule Set
  3 | 	Author: Mixed - Kasperksy & Florian Roth
  4 | 	Date: 2015-06-10
  5 | 	Identifier: Duqu2
  6 | */
  7 | 
  8 | /* Rules by Kaspersky ------------------------------------------------------ */
  9 | 
 10 | rule apt_duqu2_loaders { 
 11 | 	meta:
 12 | 		copyright = "Kaspersky Lab"
 13 | 		description = "Rule to detect Duqu 2.0 samples"
 14 | 		last_modified = "2015-06-09"
 15 | 		version = "1.0"
 16 | 	strings:
 17 | 		$a1 = "{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide 
 18 | 		$a2 = "\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
 19 | 		$a4 = "\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide
 20 | 		$a5 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide
 21 | 		$a8 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide
 22 | 		$a9 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide
 23 | 		$a7 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide
 24 | 		$b1 = "MSI.dll"
 25 | 		$b2 = "msi.dll"
 26 | 		$b3 = "StartAction"
 27 | 		$c1 = "msisvc_32@" wide
 28 | 		$c2 = "PROP=" wide
 29 | 		$c3 = "-Embedding" wide
 30 | 		$c4 = "S:(ML;;NW;;;LW)" wide
 31 | 		$d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase
 32 | 		$d2 = {2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 40 40 40 73 74 64 40 40}
 33 | 	condition:
 34 | 		( (uint16(0) == 0x5a4d) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and filesize < 100000 )
 35 | 		or
 36 | 		( (uint32(0) == 0xe011cfd0) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) and filesize < 20000000 )
 37 | }
 38 | 
 39 | rule apt_duqu2_drivers { 
 40 | 	meta:
 41 | 		copyright = "Kaspersky Lab"
 42 | 		description = "Rule to detect Duqu 2.0 drivers"
 43 | 		last_modified = "2015-06-09"
 44 | 		version = "1.0"
 45 | 	strings:
 46 | 		$a1 = "\\DosDevices\\port_optimizer" wide nocase 
 47 | 		$a2 = "romanian.antihacker" 
 48 | 		$a3 = "PortOptimizerTermSrv" wide 
 49 | 		$a4 = "ugly.gorilla1"
 50 | 		$b1 = "NdisIMCopySendCompletePerPacketInfo" 
 51 | 		$b2 = "NdisReEnumerateProtocolBindings"
 52 | 		$b3 = "NdisOpenProtocolConfiguration"
 53 | 	condition:
 54 | 		uint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000
 55 | }
 56 | 
 57 | /* Action Loader Samples --------------------------------------------------- */
 58 | 
 59 | rule Duqu2_Generic1 {
 60 | 	meta:
 61 | 		description = "Kaspersky APT Report - Duqu2 Sample - Generic Rule"
 62 | 		author = "Florian Roth"
 63 | 		reference = "https://goo.gl/7yKyOj"
 64 | 		date = "2015-06-10"
 65 | 		super_rule = 1
 66 | 		hash0 = "3f9168facb13429105a749d35569d1e91465d313"
 67 | 		hash1 = "0a574234615fb2382d85cd6d1a250d6c437afecc"
 68 | 		hash2 = "38447ed1d5e3454fe17699f86c0039f30cc64cde"
 69 | 		hash3 = "5282d073ee1b3f6ce32222ccc2f6066e2ca9c172"
 70 | 		hash4 = "edfca3f0196788f7fde22bd92a8817a957c10c52"
 71 | 		hash5 = "6a4ffa6ca4d6fde8a30b6c8739785f4bd2b5c415"
 72 | 		hash6 = "00170bf9983e70e8dd4f7afe3a92ce1d12664467"
 73 | 		hash7 = "32f8689fd18c723339414618817edec6239b18f3"
 74 | 		hash8 = "f860acec9920bc009a1ad5991f3d5871c2613672"
 75 | 		hash9 = "413ba509e41c526373f991d1244bc7c7637d3e13"
 76 | 		hash10 = "29cd99a9b6d11a09615b3f9ef63f1f3cffe7ead8"
 77 | 		hash11 = "dfe1cb775719b529138e054e7246717304db00b1"
 78 | 	strings:
 79 | 		$s0 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" fullword wide
 80 | 		$s1 = "SetSecurityDescriptorSacl" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 189 times */
 81 | 		$s2 = "msisvc_32@" fullword wide
 82 | 		$s3 = "CompareStringA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 1392 times */
 83 | 		$s4 = "GetCommandLineW" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 1680 times */
 84 | 	condition:
 85 | 		uint16(0) == 0x5a4d and filesize < 150KB and all of them
 86 | }
 87 | 
 88 | rule APT_Kaspersky_Duqu2_procexp {
 89 | 	meta:
 90 | 		description = "Kaspersky APT Report - Duqu2 Sample - Malicious MSI"
 91 | 		author = "Florian Roth"
 92 | 		reference = "https://goo.gl/7yKyOj"
 93 | 		date = "2015-06-10"
 94 | 		hash1 = "2422835716066b6bcecb045ddd4f1fbc9486667a"
 95 | 		hash2 = "b120620b5d82b05fee2c2153ceaf305807fa9f79"
 96 | 		hash3 = "288ebfe21a71f83b5575dfcc92242579fb13910d"
 97 | 	strings:
 98 | 		$x1 = "svcmsi_32.dll" fullword wide
 99 | 		$x2 = "msi3_32.dll" fullword wide
100 | 		$x3 = "msi4_32.dll" fullword wide
101 | 		$x4 = "MSI.dll" fullword ascii
102 | 
103 | 		$s1 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" fullword wide
104 | 		$s2 = "Sysinternals installer" fullword wide /* PEStudio Blacklist: strings */
105 | 		$s3 = "Process Explorer" fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 5 times */
106 | 	condition:
107 | 		uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) ) and ( all of ($s*) )
108 | }
109 | 
110 | rule APT_Kaspersky_Duqu2_SamsungPrint {
111 | 	meta:
112 | 		description = "Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69"
113 | 		author = "Florian Roth"
114 | 		reference = "https://goo.gl/7yKyOj"
115 | 		date = "2015-06-10"
116 | 		hash = "ce39f41eb4506805efca7993d3b0b506ab6776ca"
117 | 	strings:
118 | 		$s0 = "Installer for printer drivers and applications" fullword wide /* PEStudio Blacklist: strings */
119 | 		$s1 = "msi4_32.dll" fullword wide
120 | 		$s2 = "HASHVAL" fullword wide
121 | 		$s3 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" fullword wide
122 | 		$s4 = "ca.dll" fullword ascii
123 | 		$s5 = "Samsung Electronics Co., Ltd." fullword wide
124 | 	condition:
125 | 		uint16(0) == 0x5a4d and filesize < 82KB and all of them
126 | }
127 | 
128 | rule APT_Kaspersky_Duqu2_msi3_32 {
129 | 	meta:
130 | 		description = "Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3"
131 | 		author = "Florian Roth"
132 | 		reference = "https://goo.gl/7yKyOj"
133 | 		date = "2015-06-10"
134 | 		hash = "53d9ef9e0267f10cc10f78331a9e491b3211046b"
135 | 	strings:
136 | 		$s0 = "ProcessUserAccounts" fullword ascii /* PEStudio Blacklist: strings */
137 | 		$s1 = "SELECT `UserName`, `Password`, `Attributes` FROM `CustomUserAccounts`" fullword wide /* PEStudio Blacklist: strings */
138 | 		$s2 = "SELECT `UserName` FROM `CustomUserAccounts`" fullword wide /* PEStudio Blacklist: strings */
139 | 		$s3 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" fullword wide
140 | 		$s4 = "msi3_32.dll" fullword wide
141 | 		$s5 = "RunDLL" fullword ascii
142 | 		$s6 = "MSI Custom Action v3" fullword wide
143 | 		$s7 = "msi3_32" fullword wide
144 | 		$s8 = "Operating System" fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 9203 times */
145 | 	condition:
146 | 		uint16(0) == 0x5a4d and filesize < 72KB and all of them
147 | }
148 | 


--------------------------------------------------------------------------------
/w-rules/rules/hangover.yara:
--------------------------------------------------------------------------------
  1 | rule Hangover_ron_babylon
  2 | {
  3 |   strings:
  4 |     $a = "Content-Disposition: form-data; name=\"uploaddir\""
  5 |     $b1 = "MBVDFRESCT"
  6 |     $b2 = "EMSCBVDFRT"
  7 |     $b3 = "EMSFRTCBVD"
  8 |     $b4= "sendFile"
  9 |     $b5 = "BUGMAAL"
 10 |     $b6 = "sMAAL"
 11 |     $b7 = "SIMPLE"
 12 |     $b8 = "SPLIME"
 13 |     $b9 = "getkey.php"
 14 |     $b10 = "MBVDFRESCT"
 15 |     $b11 = "DSMBVCTFRE"
 16 |     $b12 = "MBESCVDFRT"
 17 |     $b13 = "TCBFRVDEMS"
 18 |     $b14 = "DEMOMAKE"
 19 |     $b15 = "DEMO"
 20 |     $b16 = "UPHTTP"
 21 |     
 22 | 
 23 |     $c1 = "F39D45E70395ABFB8D8D2BFFC8BBD152"
 24 |     $c2 = "90B452BFFF3F395ABDC878D8BEDBD152"
 25 |     $c3 = "FFF3F395A90B452BB8BEDC878DDBD152"
 26 |     $c4 = "5A9DCB8FFF3F02B8B45BE39D152"
 27 |     $c5 = "5A902B8B45BEDCB8FFF3F39D152"
 28 |     $c6 = "78DDB5A902BB8FFF3F398B45BEDCD152"
 29 |     $c7 = "905ABEB452BFFFBDC878D83F39DBD152"
 30 |     $c8 = "D2BFFC8BBD152F3B8D89D45E70395ABF"
 31 |     $c9 = "8765F3F395A90B452BB8BEDC878"
 32 |     $c10 = "90ABDC878D8BEDBB452BFFF3F395D152"
 33 |     $c11 = "F12BDC94490B452AA8AEDC878DCBD187"
 34 |     
 35 |   condition:
 36 |     $a and (1 of ($b*) or 1 of ($c*))
 37 |     
 38 | }
 39 | 
 40 | rule Hangover_Fuddol {
 41 |     strings:
 42 |         $a = "\\Http downloader(fud)"
 43 |         $b = "Fileexists"
 44 |     condition:
 45 |         all of them
 46 | 
 47 | }
 48 | 
 49 | rule Hangover_UpdateEx {
 50 |     strings:
 51 |         $a1 = "UpdateEx"
 52 |         $a2 = "VBA6.DLL"
 53 |         $a3 = "MainEx"
 54 |         $a4 = "GetLogs"
 55 |         $a5 = "ProMan"
 56 |         $a6 = "RedMod"
 57 |         
 58 |     condition:
 59 |         all of them
 60 | 
 61 | }
 62 | 
 63 | rule Hangover_Tymtin_Degrab {
 64 |     strings:
 65 |         $a1 = "&dis=no&utp=op&mfol="
 66 |         $a2 = "value1=1&value2=2"
 67 |         
 68 |     condition:
 69 |         all of them
 70 | 
 71 | }
 72 | 
 73 | 
 74 | rule Hangover_Smackdown_Downloader {
 75 |     strings:
 76 |         $a1 = "DownloadComplete"
 77 |         $a2 = "DownloadProgress"
 78 |         $a3 = "DownloadError"
 79 |         $a4 = "UserControl"
 80 |         $a5 = "MSVBVM60.DLL"
 81 | 
 82 |         $b1 = "syslide"
 83 |         $b2 = "frmMina"
 84 |         $b3 = "Soundsman"
 85 |         $b4 = "New_upl"
 86 |         $b5 = "MCircle"
 87 |         $b6 = "shells_DataArrival"
 88 |         
 89 |     condition:
 90 |         3 of ($a*) and 1 of ($b*)
 91 | 
 92 | }
 93 | 
 94 | 
 95 | rule Hangover_Vacrhan_Downloader {
 96 |     strings:
 97 |         $a1 = "pranVacrhan"
 98 |         $a2 = "VBA6.DLL"
 99 |         $a3 = "Timer1"
100 |         $a4 = "Timer2"
101 |         $a5 = "IsNTAdmin"
102 |         
103 |     condition:
104 |         all of them
105 | 
106 | }
107 | 
108 | 
109 | rule Hangover_Smackdown_various {
110 |     strings:
111 |         $a1 = "pranVacrhan"
112 |         $a2 = "NaramGaram"
113 |         $a3 = "vampro"
114 |         $a4 = "AngelPro"
115 |         
116 |         $b1 = "VBA6.DLL"
117 |         $b2 = "advpack"
118 |         $b3 = "IsNTAdmin"
119 |         
120 |         
121 |     condition:
122 |         1 of ($a*) and all of ($b*)
123 | 
124 | }
125 | 
126 | rule Hangover_Foler {
127 |     strings:
128 |         $a1 = "\\MyHood"
129 |         $a2 = "UsbP"
130 |         $a3 = "ID_MON"
131 |         
132 |     condition:
133 |         all of them
134 | 
135 | }
136 | 
137 | rule Hangover_Appinbot {
138 |     strings:
139 |         $a1 = "CreateToolhelp32Snapshot"
140 |         $a2 = "Process32First"
141 |         $a3 = "Process32Next"
142 |         $a4 = "FIDR/"
143 |         $a5 = "SUBSCRIBE %d"
144 |         $a6 = "CLOSE %d"
145 |         
146 |     condition:
147 |         all of them
148 | 
149 | }
150 | 
151 | rule Hangover_Linog {
152 |     strings:
153 |         $a1 = "uploadedfile"
154 |         $a2 = "Error in opening a file.."
155 |         $a3 = "The file could not be opened"
156 |         $a4 = "%sContent-Disposition: form-data; name=\"%s\";filename=\"%s\""
157 | 
158 |     condition:
159 |         all of them
160 | 
161 | }
162 | 
163 | 
164 | rule Hangover_Iconfall {
165 |     strings:
166 |         $a1 = "iconfall"
167 |         $a2 = "78DDB5A902BB8FFF3F398B45BEDCD152"
168 |         
169 |     condition:
170 |         all of them
171 | 
172 | }
173 | 
174 | 
175 | rule Hangover_Deksila {
176 |     strings:
177 |         $a1 = "WinInetGet/0.1"
178 |         $a2 = "dekstop2007.ico"
179 |         $a3 = "mozila20"
180 |         
181 |     condition:
182 |         all of them
183 | 
184 | }
185 | 
186 | rule Hangover_Auspo {
187 |     strings:
188 |         $a1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)"
189 |         $a2 = "POWERS"
190 |         $a3 = "AUSTIN"
191 |         
192 |     condition:
193 |         all of them
194 | 
195 | }
196 | 
197 | rule Hangover_Slidewin {
198 |     strings:
199 |         $a1 = "[NumLock]"
200 |         $a2 = "[ScrlLock]"
201 |         $a3 = "[LtCtrl]"
202 |         $a4 = "[RtCtrl]"
203 |         $a5 = "[LtAlt]"
204 |         $a6 = "[RtAlt]"
205 |         $a7 = "[HomePage]"
206 |         $a8 = "[MuteOn/Off]"
207 |         $a9 = "[VolDn]"
208 |         $a10 = "[VolUp]"
209 |         $a11 = "[Play/Pause]"
210 |         $a12 = "[MailBox]"
211 |         $a14 = "[Calc]"
212 |         $a15 = "[Unknown]"
213 |         
214 |     condition:
215 |         all of them
216 | 
217 | }
218 | 
219 | 
220 | rule Hangover_Gimwlog {
221 |     strings:
222 |         $a1 = "file closed---------------------"
223 |         $a2 = "new file------------------"
224 |         $a3 = "md C:\\ApplicationData\\Prefetch\\"
225 |         
226 |     condition:
227 |         all of them
228 | 
229 | }
230 | 
231 | 
232 | rule Hangover_Gimwup {
233 |     strings:
234 |         $a1 = "=======inside while==========="
235 |         $a2 = "scan finished"
236 |         $a3 = "logFile.txt"
237 |         
238 |     condition:
239 |         all of them
240 | 
241 | }
242 | 
243 | rule Hangover2_Downloader {
244 | 
245 |   strings:
246 | 
247 |     $a = "WinInetGet/0.1" wide ascii
248 | 
249 |     $b = "Excep while up" wide ascii
250 | 
251 |     $c = "&file=" wide ascii
252 | 
253 |     $d = "&str=" wide ascii
254 | 
255 |     $e = "?cn=" wide ascii
256 | 
257 |   condition:
258 | 
259 |     all of them
260 | }
261 | 
262 | rule Hangover2_stealer {
263 | 
264 |   strings:
265 | 
266 |     $a = "MyWebClient" wide ascii
267 | 
268 |     $b = "Location: {[0-9]+}" wide ascii
269 | 
270 |     $c = "[%s]:[C-%s]:[A-%s]:[W-%s]:[S-%d]" wide ascii
271 | 
272 |   condition:
273 | 
274 |     all of them
275 | }
276 | 
277 | rule Hangover2_backdoor_shell {
278 | 
279 |   strings:
280 | 
281 |     $a = "Shell started at: " wide ascii
282 | 
283 |     $b = "Shell closed at: " wide ascii
284 | 
285 |     $c = "Shell is already closed!" wide ascii
286 | 
287 |     $d = "Shell is not Running!" wide ascii
288 | 
289 |   condition:
290 | 
291 |     all of them
292 | }
293 | 
294 | rule Hangover2_Keylogger {
295 | 
296 |   strings:
297 | 
298 |     $a = "iconfall" wide ascii
299 | 
300 |     $b = "/c ipconfig /all > " wide ascii
301 | 
302 |     $c = "Global\\{CHKAJESKRB9-35NA7-94Y436G37KGT}" wide ascii
303 | 
304 |   condition:
305 | 
306 |     all of them
307 | }
308 | 
309 | 


--------------------------------------------------------------------------------
/w-rules/rules/signatures/avdetect.yar:
--------------------------------------------------------------------------------
  1 | 
  2 | rule avdetect_procs : avdetect
  3 | {
  4 | 	meta:
  5 | 		author = "AlienVault Labs"
  6 | 		type = "info"
  7 | 		severity = 1
  8 | 		description = "Antivirus detection tricks"
  9 | 
 10 | 	strings:
 11 | 		$proc2 = "LMon.exe" ascii wide
 12 | 		$proc3 = "sagui.exe" ascii wide
 13 | 		$proc4 = "RDTask.exe" ascii wide
 14 | 		$proc5 = "kpf4gui.exe" ascii wide
 15 | 		$proc6 = "ALsvc.exe" ascii wide
 16 | 		$proc7 = "pxagent.exe" ascii wide
 17 | 		$proc8 = "fsma32.exe" ascii wide
 18 | 		$proc9 = "licwiz.exe" ascii wide
 19 | 		$proc10 = "SavService.exe" ascii wide
 20 | 		$proc11 = "prevxcsi.exe" ascii wide
 21 | 		$proc12 = "alertwall.exe" ascii wide
 22 | 		$proc13 = "livehelp.exe" ascii wide
 23 | 		$proc14 = "SAVAdminService.exe" ascii wide
 24 | 		$proc15 = "csi-eui.exe" ascii wide
 25 | 		$proc16 = "mpf.exe" ascii wide
 26 | 		$proc17 = "lookout.exe" ascii wide
 27 | 		$proc18 = "savprogress.exe" ascii wide
 28 | 		$proc19 = "lpfw.exe" ascii wide
 29 | 		$proc20 = "mpfcm.exe" ascii wide
 30 | 		$proc21 = "emlproui.exe" ascii wide
 31 | 		$proc22 = "savmain.exe" ascii wide
 32 | 		$proc23 = "outpost.exe" ascii wide
 33 | 		$proc24 = "fameh32.exe" ascii wide
 34 | 		$proc25 = "emlproxy.exe" ascii wide
 35 | 		$proc26 = "savcleanup.exe" ascii wide
 36 | 		$proc27 = "filemon.exe" ascii wide
 37 | 		$proc28 = "AntiHook.exe" ascii wide
 38 | 		$proc29 = "endtaskpro.exe" ascii wide
 39 | 		$proc30 = "savcli.exe" ascii wide
 40 | 		$proc31 = "procmon.exe" ascii wide
 41 | 		$proc32 = "xfilter.exe" ascii wide
 42 | 		$proc33 = "netguardlite.exe" ascii wide
 43 | 		$proc34 = "backgroundscanclient.exe" ascii wide
 44 | 		$proc35 = "Sniffer.exe" ascii wide
 45 | 		$proc36 = "scfservice.exe" ascii wide
 46 | 		$proc37 = "oasclnt.exe" ascii wide
 47 | 		$proc38 = "sdcservice.exe" ascii wide
 48 | 		$proc39 = "acs.exe" ascii wide
 49 | 		$proc40 = "scfmanager.exe" ascii wide
 50 | 		$proc41 = "omnitray.exe" ascii wide
 51 | 		$proc42 = "sdcdevconx.exe" ascii wide
 52 | 		$proc43 = "aupdrun.exe" ascii wide
 53 | 		$proc44 = "spywaretermin" ascii wide
 54 | 		$proc45 = "atorshield.exe" ascii wide
 55 | 		$proc46 = "onlinent.exe" ascii wide
 56 | 		$proc47 = "sdcdevconIA.exe" ascii wide
 57 | 		$proc48 = "sppfw.exe" ascii wide
 58 | 		$proc49 = "spywat~1.exe" ascii wide
 59 | 		$proc50 = "opf.exe" ascii wide
 60 | 		$proc51 = "sdcdevcon.exe" ascii wide
 61 | 		$proc52 = "spfirewallsvc.exe" ascii wide
 62 | 		$proc53 = "ssupdate.exe" ascii wide
 63 | 		$proc54 = "pctavsvc.exe" ascii wide
 64 | 		$proc55 = "configuresav.exe" ascii wide
 65 | 		$proc56 = "fwsrv.exe" ascii wide
 66 | 		$proc57 = "terminet.exe" ascii wide
 67 | 		$proc58 = "pctav.exe" ascii wide
 68 | 		$proc59 = "alupdate.exe" ascii wide
 69 | 		$proc60 = "opfsvc.exe" ascii wide
 70 | 		$proc61 = "tscutynt.exe" ascii wide
 71 | 		$proc62 = "pcviper.exe" ascii wide
 72 | 		$proc63 = "InstLsp.exe" ascii wide
 73 | 		$proc64 = "uwcdsvr.exe" ascii wide
 74 | 		$proc65 = "umxtray.exe" ascii wide
 75 | 		$proc66 = "persfw.exe" ascii wide
 76 | 		$proc67 = "CMain.exe" ascii wide
 77 | 		$proc68 = "dfw.exe" ascii wide
 78 | 		$proc69 = "updclient.exe" ascii wide
 79 | 		$proc70 = "pgaccount.exe" ascii wide
 80 | 		$proc71 = "CavAUD.exe" ascii wide
 81 | 		$proc72 = "ipatrol.exe" ascii wide
 82 | 		$proc73 = "webwall.exe" ascii wide
 83 | 		$proc74 = "privatefirewall3.exe" ascii wide
 84 | 		$proc75 = "CavEmSrv.exe" ascii wide
 85 | 		$proc76 = "pcipprev.exe" ascii wide
 86 | 		$proc77 = "winroute.exe" ascii wide
 87 | 		$proc78 = "protect.exe" ascii wide
 88 | 		$proc79 = "Cavmr.exe" ascii wide
 89 | 		$proc80 = "prifw.exe" ascii wide
 90 | 		$proc81 = "apvxdwin.exe" ascii wide
 91 | 		$proc82 = "rtt_crc_service.exe" ascii wide
 92 | 		$proc83 = "Cavvl.exe" ascii wide
 93 | 		$proc84 = "tzpfw.exe" ascii wide
 94 | 		$proc85 = "as3pf.exe" ascii wide
 95 | 		$proc86 = "schedulerdaemon.exe" ascii wide
 96 | 		$proc87 = "CavApp.exe" ascii wide
 97 | 		$proc88 = "privatefirewall3.exe" ascii wide
 98 | 		$proc89 = "avas.exe" ascii wide
 99 | 		$proc90 = "sdtrayapp.exe" ascii wide
100 | 		$proc91 = "CavCons.exe" ascii wide
101 | 		$proc92 = "pfft.exe" ascii wide
102 | 		$proc93 = "avcom.exe" ascii wide
103 | 		$proc94 = "siteadv.exe" ascii wide
104 | 		$proc95 = "CavMud.exe" ascii wide
105 | 		$proc96 = "armorwall.exe" ascii wide
106 | 		$proc97 = "avkproxy.exe" ascii wide
107 | 		$proc98 = "sndsrvc.exe" ascii wide
108 | 		$proc99 = "CavUMAS.exe" ascii wide
109 | 		$proc100 = "app_firewall.exe" ascii wide
110 | 		$proc101 = "avkservice.exe" ascii wide
111 | 		$proc102 = "snsmcon.exe" ascii wide
112 | 		$proc103 = "UUpd.exe" ascii wide
113 | 		$proc104 = "blackd.exe" ascii wide
114 | 		$proc105 = "avktray.exe" ascii wide
115 | 		$proc106 = "snsupd.exe" ascii wide
116 | 		$proc107 = "cavasm.exe" ascii wide
117 | 		$proc108 = "blackice.exe" ascii wide
118 | 		$proc109 = "avkwctrl.exe" ascii wide
119 | 		$proc110 = "procguard.exe" ascii wide
120 | 		$proc111 = "CavSub.exe" ascii wide
121 | 		$proc112 = "umxagent.exe" ascii wide
122 | 		$proc113 = "avmgma.exe" ascii wide
123 | 		$proc114 = "DCSUserProt.exe" ascii wide
124 | 		$proc115 = "CavUserUpd.exe" ascii wide
125 | 		$proc116 = "kpf4ss.exe" ascii wide
126 | 		$proc117 = "avtask.exe" ascii wide
127 | 		$proc118 = "avkwctl.exe" ascii wide
128 | 		$proc119 = "CavQ.exe" ascii wide
129 | 		$proc120 = "tppfdmn.exe" ascii wide
130 | 		$proc121 = "aws.exe" ascii wide
131 | 		$proc122 = "firewall.exe" ascii wide
132 | 		$proc123 = "Cavoar.exe" ascii wide
133 | 		$proc124 = "blinksvc.exe" ascii wide
134 | 		$proc125 = "bgctl.exe" ascii wide
135 | 		$proc126 = "THGuard.exe" ascii wide
136 | 		$proc127 = "CEmRep.exe" ascii wide
137 | 		$proc128 = "sp_rsser.exe" ascii wide
138 | 		$proc129 = "bgnt.exe" ascii wide
139 | 		$proc130 = "spybotsd.exe" ascii wide
140 | 		$proc131 = "OnAccessInstaller.exe" ascii wide
141 | 		$proc132 = "op_mon.exe" ascii wide
142 | 		$proc133 = "bootsafe.exe" ascii wide
143 | 		$proc134 = "xauth_service.exe" ascii wide
144 | 		$proc135 = "SoftAct.exe" ascii wide
145 | 		$proc136 = "cmdagent.exe" ascii wide
146 | 		$proc137 = "bullguard.exe" ascii wide
147 | 		$proc138 = "xfilter.exe" ascii wide
148 | 		$proc139 = "CavSn.exe" ascii wide
149 | 		$proc140 = "VCATCH.EXE" ascii wide
150 | 		$proc141 = "cdas2.exe" ascii wide
151 | 		$proc142 = "zlh.exe" ascii wide
152 | 		$proc143 = "Packetizer.exe" ascii wide
153 | 		$proc144 = "SpyHunter3.exe" ascii wide
154 | 		$proc145 = "cmgrdian.exe" ascii wide
155 | 		$proc146 = "adoronsfirewall.exe" ascii wide
156 | 		$proc147 = "Packetyzer.exe" ascii wide
157 | 		$proc148 = "wwasher.exe" ascii wide
158 | 		$proc149 = "configmgr.exe" ascii wide
159 | 		$proc150 = "scfservice.exe" ascii wide
160 | 		$proc151 = "zanda.exe" ascii wide
161 | 		$proc152 = "authfw.exe" ascii wide
162 | 		$proc153 = "cpd.exe" ascii wide
163 | 		$proc154 = "scfmanager.exe" ascii wide
164 | 		$proc155 = "zerospywarele.exe" ascii wide
165 | 		$proc156 = "dvpapi.exe" ascii wide
166 | 		$proc157 = "espwatch.exe" ascii wide
167 | 		$proc158 = "dltray.exe" ascii wide
168 | 		$proc159 = "zerospywarelite_installer.exe" ascii wide
169 | 		$proc160 = "clamd.exe" ascii wide
170 | 		$proc161 = "fgui.exe" ascii wide
171 | 		$proc162 = "dlservice.exe" ascii wide
172 | 		$proc163 = "Wireshark.exe" ascii wide
173 | 		$proc164 = "sab_wab.exe" ascii wide
174 | 		$proc165 = "filedeleter.exe" ascii wide
175 | 		$proc166 = "ashwebsv.exe" ascii wide
176 | 		$proc167 = "tshark.exe" ascii wide
177 | 		$proc168 = "SUPERAntiSpyware.exe" ascii wide
178 | 		$proc169 = "firewall.exe" ascii wide
179 | 		$proc170 = "ashdisp.exe" ascii wide
180 | 		$proc171 = "rawshark.exe" ascii wide
181 | 		$proc172 = "vdtask.exe" ascii wide
182 | 		$proc173 = "firewall2004.exe" ascii wide
183 | 		$proc174 = "ashmaisv.exe" ascii wide
184 | 		$proc175 = "Ethereal.exe" ascii wide
185 | 		$proc176 = "asr.exe" ascii wide
186 | 		$proc177 = "firewallgui.exe" ascii wide
187 | 		$proc178 = "ashserv.exe" ascii wide
188 | 		$proc179 = "Tethereal.exe" ascii wide
189 | 		$proc180 = "NetguardLite.exe" ascii wide
190 | 		$proc181 = "gateway.exe" ascii wide
191 | 		$proc182 = "aswupdsv.exe" ascii wide
192 | 		$proc183 = "Windump.exe" ascii wide
193 | 		$proc184 = "nstzerospywarelite.exe" ascii wide
194 | 		$proc185 = "hpf_.exe" ascii wide
195 | 		$proc186 = "avastui.exe" ascii wide
196 | 		$proc187 = "Tcpdump.exe" ascii wide
197 | 		$proc188 = "cdinstx.exe" ascii wide
198 | 		$proc189 = "iface.exe" ascii wide
199 | 		$proc190 = "avastsvc.exe" ascii wide
200 | 		$proc191 = "Netcap.exe" ascii wide
201 | 		$proc192 = "cdas17.exe" ascii wide
202 | 		$proc193 = "invent.exe" ascii wide
203 | 		$proc194 = "Netmon.exe" ascii wide
204 | 		$proc195 = "fsrt.exe" ascii wide
205 | 		$proc196 = "ipcserver.exe" ascii wide
206 | 		$proc197 = "CV.exe" ascii wide
207 | 		$proc198 = "VSDesktop.exe" ascii wide
208 | 		$proc199 = "ipctray.exe" ascii wide
209 | 	condition:
210 | 		3 of them
211 | }
212 | 
213 | 


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/filename-iocs.txt:
--------------------------------------------------------------------------------
  1 | #
  2 | # LOKI File Name Characteristics
  3 | # This file contains regex definitions and a description
  4 | #
  5 | # APPLICATION ------------------------------------------------------------------
  6 | #
  7 | # Every line is treated as REGEX case sensitive.
  8 | # Every line includes a description that gives information about the file name
  9 | # based IOC
 10 | #
 11 | # FORMAT -----------------------------------------------------------------------
 12 | #
 13 | # # COMMENT
 14 | # REGEX;SCORE
 15 | #
 16 | # EXAMPLES ---------------------------------------------------------------------
 17 | #
 18 | # # Various examples from APT case X
 19 | # \\svcsstat\.exe;70
 20 | # \\(server|servisces|smrr|srrm|svchost|svhost|svshost|taskmrg)\.exe$;50
 21 | # ProgramData\\Mail\\MailAg\\;80
 22 | # (Anwendungsdaten|Application Data|APPDATA)\\sydmain\.dll;80
 23 | # (TEMP|Temp)\\[^\\]+\.(xmd|yls)$;80
 24 | # (LOCAL SETTINGS\\Temp|Local Settings\\Temp|Local\\Temp)\\(word\.exe|winword\.exe);80
 25 | #
 26 | 
 27 | # Ncat Example
 28 | # bin\\nc\.exe;80
 29 | 
 30 | # Regin
 31 | \\usbclass\.sys;80
 32 | \\adpu160\.sys;80
 33 | \\msrdc64\.dat;80
 34 | \\msdcsvc\.dat;80
 35 | \\config\\SystemAudit\.Evt;80
 36 | \\config\\SecurityAudit\.Evt;80
 37 | \\config\\SystemLog\.evt;80
 38 | \\config\\ApplicationLog\.evt;80
 39 | \\ime\\imesc5\\dicts\\pintlgbs\.imd;80
 40 | \\ime\\imesc5\\dicts\\pintlgbp\.imd;80
 41 | ystem32\\winhttpc\.dll;80
 42 | ystem32\\wshnetc\.dll;80
 43 | \\SysWow64\\wshnetc\.dll;80
 44 | ystem32\\svcstat\.exe;80
 45 | ystem32\\svcsstat\.exe;80
 46 | IME\\IMESC5\\DICTS\\PINTLGBP\.IMD;80
 47 | ystem32\\wsharp\.dll;80
 48 | ystem32\\wshnetc\.dll;80
 49 | pchealth\\helpctr\\Database\\cdata\.dat;80
 50 | pchealth\\helpctr\\Database\\cdata\.edb;80
 51 | Windows\\Panther\\setup\.etl\.000;80
 52 | ystem32\\wbem\\repository\\INDEX2\.DATA;80
 53 | ystem32\\wbem\\repository\\OBJECTS2\.DATA;80
 54 | ystem32\\dnscache\.dat;80
 55 | ystem32\\mregnx\.dat;80
 56 | ystem32\\displn32\.dat;80
 57 | ystem32\\dmdskwk\.dat;80
 58 | ystem32\\nvwrsnu\.dat;80
 59 | ystem32\\tapiscfg\.dat;80
 60 | ystem32\\pciclass\.sys;80
 61 | 
 62 | # Five Eyes
 63 | \\20120\.dll;80
 64 | \\20121\.dll;80
 65 | \\20123\.sys;80
 66 | 
 67 | # Skeleton Key File Names
 68 | \\msuta64\.dll;80
 69 | \\ole64\.dll;80
 70 | 
 71 | # IXESHE APT Malware
 72 | \\winhlps\.exe;80
 73 | \\acrotry\.exe;80
 74 | 
 75 | # PlugX
 76 | (TEMP|TMP|Temp)\\DW20\.dll;80
 77 | (TEMP|TMP|Temp)\\DW20\.dll;80
 78 | (TEMP|TMP|Temp)\\dl_[0-9]{2}\.exe;80
 79 | (TEMP|TMP|Temp)\\dl_[0-9]{2}\.txt;80
 80 | (Mailing|Shipment).*Label\.exe;80
 81 | 
 82 | # Mandiant APT
 83 | \\Temp\\~df~;80
 84 | \\Temp\\~hf~;80
 85 | \\Temp\\~[a-z][a-z]~;80
 86 | \\start menu\\programs\\startup\\adobe_sl.exe;80
 87 | Temp\\Updatasched\.exe;80
 88 | \\adobere\.exe;80
 89 | 
 90 | # Mandiant APT - SHELLDC.DLL (BACKDOOR)
 91 | \\Temp\\svchost\.exe;80
 92 | \\shelldc\.dll;80
 93 | \\recyle64\.dll;80
 94 | \\ws_18\.dll;80
 95 | 
 96 | # Mandiant APT - LIGHTDART (FAMILY)
 97 | \\ret\.log;80
 98 | \\1\.rar;80
 99 | \\qy\.htm;80
100 | \\shsat\.exe;80
101 | \\imxgy\.exe;80
102 | 
103 | # Kaspersky Carbanak APT Malware Hash http://goo.gl/0Nhax2
104 | (application data|AppData|Anwendungsdaten)\\mozilla\\[^\\]+\.bin;80
105 | \\System32\\com\\svchost\.exe;80
106 | \\ProgramData\\mozilla\\[^\\]+\.bin;80
107 | \\(Windows|WinXP)\\paexec;80
108 | SysWOW64\\com\\svchost\.exe;80
109 | 
110 | # Equation Group Malware http://goo.gl/d5ujEH
111 | ystem32\\ee\.dll;80
112 | # Equation Related File Name http://pastebin.com/QvZNtuQW
113 | ystem32\\msregstr\.exe;80
114 | ystem32\\khlp894u\.dll;80
115 | \\__c__\.lnk;80
116 | temp\\msupdate\.exe;80
117 | \\fanny\.bmp;80
118 | WINDOWS\\mlan\.exe;80
119 | Windows\\mlan\.exe;80
120 | 
121 | # Former Suspicious File Signatures ###########################################
122 | # They get a lower score by default
123 | 
124 | # ThreatExpert Statistics
125 | \\winsvc\.exe$;45
126 | \\blaah\.exe;45
127 | \\ldr\.exe$;45
128 | \\t\.exe$;45
129 | \\user0\.exe;45
130 | \\mxplay_installer\.exe;45
131 | \\pak\-[0-9]{3,}.exe$;45
132 | \\rundll\.exe$;45
133 | \\windowsservice\\starter\.exe$;45
134 | \\starter\.exe$;45
135 | \\wrar[0-9a-z]+\\.exe$;45
136 | \\av[0-9]+\.exe$;45
137 | \\eixplorer\.exe;45
138 | \\win\.exe$;45
139 | \\cleanup\.exe$;45
140 | \\winsystem\.exe;45
141 | Fonts\\[\w]+\.exe$;45
142 | \\(temp|tmp)\\server\.exe;45
143 | \\interxpoler\.exe;45
144 | \\networkservice\.exe;45
145 | \\favorites\.exe;45
146 | \\microsoft\.exe$;45
147 | \\adobe\.exe$;45
148 | \\cncdown\.exe$;45
149 | \\ntcom\.dll$;45
150 | \\nthead\.dll$;45
151 | \\services32\.exe;45
152 | \\recycled\.exe;45
153 | \\sofware.exe;45
154 | \\explorer[0-9]\.exe;45
155 | \\criptor\.exe;45
156 | \\crypt3r\.exe;45
157 | \\temp\\copy\.exe;45
158 | \\cuda\.exe;45
159 | 
160 | # Typical Malware Name
161 | [\s]{7,}\.(exe|com|dll|bat|scr|vbs);45
162 | \\[0-9]\.(exe|dll)$;45
163 | \\[a-zA-Z]\.exe$;45
164 | \.(doc|docx|pdf|txt)\.(exe|bat|com|scr|vbs)$;45
165 | \\\.tmp$;45
166 | (temp|tmp)\\[a-z]\.(zip|exe|txt)$;45
167 | (temp|tmp)\\[a-z]\.rar;45
168 | \\32\.exe;45
169 | \\64\.exe;45
170 | \\d\.exe;45
171 | \\s\.exe;45
172 | \\ss\.exe;45
173 | \\sss\.exe;45
174 | 
175 | # Malware locations
176 | AppData\\[\w]+\.exe;45
177 | [Tt]emp\\[\w]{1,2}\.(exe|com|scr);45
178 | [Cc]:\\[\w]{1,2}\.(exe|com|scr);45
179 | 
180 | # Symantec Waterbug Attack http://goo.gl/9Tlk90
181 | \\tcpdump32c\.exe;45
182 | \\typecli\.exe;45
183 | \\msc32\.exe;45
184 | \\dxsnd32x\.exe;45
185 | \\msnetsrv\.exe;45
186 | \\mswme32\.exe;45
187 | \\msnetserv\.exe;45
188 | \\msnet32\.exe;45
189 | \\rpcsrv\.exe;45
190 | \\charmap32\.exe;45
191 | \\mqsvc32\.exe;45
192 | \\msrss\.exe;45
193 | \\dc1\.exe;45
194 | \\svcmgr\.exe;45
195 | \\msx32\.exe;45
196 | \.XOR$;45
197 | 
198 | # Suspected Anthem Deep Panda APT 
199 | \\lot1\.tmp;45
200 | 
201 | # Trojan Characteristics
202 | \\EXPL0RER\.exe;55
203 | \\srv32\.exe;55
204 | \\csrnss\.exe;55
205 | \\0\.exe;55
206 | \\ntldm\.exe;55
207 | \\xxxc\.bat;55
208 | \\winkept\.exe;55
209 | Temp\\iexplore\.exe;55
210 | \\hidserv\.exe;55
211 | [Cc]:\\Inetpub\.lnk;55
212 | \\zggjmyd\.exe;55
213 | ystem32\\2bed\.exe;55
214 | 360\\sendlog\.txt;55
215 | Windows\\[0-9a-z]+.flv;55
216 | ystem32\\[0-9a-z]+.flv;55
217 | \\downloaded[0-9]+\.exe;55
218 | \\New\sFolder[^\\]+\.exe;55
219 | \\myloveever\.exe;55
220 | \\killer\.exe;55
221 | \\mspool\.DLL;55
222 | \\superproxy\.exe;55
223 | \\zoufoo\.exe;55
224 | \\omesuperv\.exe;50
225 | ystem32\\dpisca\.exe;45
226 | ystem32\\razorp\.exe;45
227 | \\aaaaaaaa\.exe;55
228 | \\d1\.tmp\.dll;55
229 | \\fotos\.exe;55
230 | \\new\.exe;60
231 | \\image\.exe;60
232 | \\movie\.exe;60
233 | \\files\.exe;55
234 | \\fun\.exe;60
235 | \\freepdf\.exe;60
236 | \\iexplorei\.exe;80
237 | \\imagens\.exe;60
238 | \\lost\.dir\.exe;70
239 | \\new_folder\.exe;70
240 | \\picture\.exe;65
241 | \\play me\.exe;65
242 | \\ppts\.exe;65
243 | \\recycler\.exe;65
244 | \\share_apps\.exe;65
245 | [^s]\\video\.exe;65
246 | \\whatsapp\.exe;65
247 | \\xx\.exe;65
248 | \\keygen1\.exe;65
249 | \\meta\.exe;50
250 | \\tmp\.exe;60
251 | \\userfiles\.exe;65
252 | \\nuevo\.exe;65
253 | \\photo\.exe;65
254 | \\pdf\.exe;65
255 | \\_thumbs\.exe;65
256 | \\music\.exe;65
257 | \\picture\.exe;65
258 | \\music\.exe;65
259 | \\movie\.exe;65
260 | \\skypee\.exe;65
261 | 
262 | # Rombertik / CarbonGrabber http://goo.gl/SGcS2H
263 | \\fgf\.vbs;65
264 | \\rsr\\yfoye\.bat;75
265 | \\rsr\\yfoye\.exe;75
266 | 
267 | # Mimikatz Output
268 | \.kirbi$;70
269 | 
270 | # Kraken / Laziok Bot https://goo.gl/5jvv9q
271 | System\\Oracle\\smss\.exe;80
272 | 
273 | # CryptoWall http://goo.gl/psjCCc
274 | \\HELP_DECRYPT\.URL;60
275 | 
276 | # Hawkeye Keylogger https://goo.gl/th5q2v
277 | \\HawkEye_Keylogger_;70
278 | 
279 | # Kaspersky RAT Report https://goo.gl/th5q2v
280 | \\AppData\\Roaming\\Microsoft\\[^\\]{1,32}\.(exe|doc|zip);50
281 | \\AudioEndpointBuilder\.exe;60
282 | \\BrokerInfrastructure\.exe;60
283 | \\WindowsUpdate\.exe;50
284 | 
285 | # APT28 https://goo.gl/6Xiayq
286 | Microsoft\\MediaPlayer\\updatewindws\.exe;100
287 | \\updatewindws\.exe;70
288 | \\netui\.dll;50
289 | \\edg6EF885E2\.tmp;60
290 | \\AppData\\Local\\conhost\.dll;70
291 | \\Application Data\\conhost\.dll;70
292 | \\Application Data\\svchost\.exe;70
293 | \\Application Data\\conhost\.dll;70
294 | \\AppData\\Local\\svchost\.exe;70
295 | \\AppData\\Local\\conhost\.dll;70
296 | 
297 | # Fidelis Threat Advisory http://goo.gl/ZjJyti
298 | \\9i86vdi3l1zi1v\\;60
299 | \\cvaniocol\.cmd;60
300 | \\flrsqgyy\.DVZ;60
301 | \\ibdyambl\.vbs;60
302 | \\ouhlolswfixh$;60
303 | \\slie\.RJD$;60
304 | \\znimialt\.exe;60
305 | (Temp|Tmp|TEMP)\\cedt370r\(3\)\.exe;60
306 | (Temp|Tmp|TEMP)\\penguin\.exe;60
307 | \\Microsoft\\Windows\\hknswc\.exe;60
308 | \\Microsoft\\Windows\\AppMgnt\.exe;60
309 | \\PolicyManager$;60
310 | \\FILE_127\.127\.ppt;60
311 | \\FILE_127\.127\.ppsx;60
312 | (Temp|Tmp|TEMP)\\destsx\.inf;50
313 | (Temp|Tmp|TEMP)\\Alsa\\doub\.tmp;60
314 | (Temp|Tmp|TEMP)\\muysf\\ipbuy.exe;70 
315 | \\Order Details\.xls\.pps;60
316 | 
317 | # Sofacy - Malware Bundestag http://goo.gl/OtmPzq
318 | Windows\\winexesvc\.exe;70
319 | \\svchost\.exe\.exe;70


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_op_cleaver.yar:
--------------------------------------------------------------------------------
  1 | /* Op Cleaver -------------------------------------------------------------- */
  2 | 
  3 | rule OPCLEAVER_BackDoorLogger
  4 | {
  5 | 	meta:
  6 | 		description = "Keylogger used by attackers in Operation Cleaver"
  7 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
  8 | 		date = "2014/12/02"
  9 | 		author = "Cylance Inc."
 10 | 		score = "70"
 11 | 	strings:
 12 | 		$s1 = "BackDoorLogger"
 13 | 		$s2 = "zhuAddress"
 14 | 	condition:
 15 | 		all of them
 16 | }
 17 | 
 18 | rule OPCLEAVER_Jasus
 19 | {
 20 | 	meta:
 21 | 		description = "ARP cache poisoner used by attackers in Operation Cleaver"
 22 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
 23 | 		date = "2014/12/02"
 24 | 		author = "Cylance Inc."
 25 | 		score = "70"
 26 | 	strings:
 27 | 		$s1 = "pcap_dump_open"
 28 | 		$s2 = "Resolving IPs to poison..."
 29 | 		$s3 = "WARNNING: Gateway IP can not be found"
 30 | 	condition:
 31 | 		all of them
 32 | }
 33 | 
 34 | rule OPCLEAVER_LoggerModule
 35 | {
 36 | 	meta:
 37 | 		description = "Keylogger used by attackers in Operation Cleaver"
 38 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
 39 | 		date = "2014/12/02"
 40 | 		author = "Cylance Inc."
 41 | 		score = "70"
 42 | 	strings:
 43 | 		$s1 = "%s-%02d%02d%02d%02d%02d.r"
 44 | 		$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
 45 | 	condition:
 46 | 		all of them
 47 | }
 48 | 
 49 | rule OPCLEAVER_NetC
 50 | {
 51 | 	meta:
 52 | 		description = "Net Crawler used by attackers in Operation Cleaver"
 53 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
 54 | 		date = "2014/12/02"
 55 | 		author = "Cylance Inc."
 56 | 		score = "70"
 57 | 	strings:
 58 | 		$s1 = "NetC.exe" wide
 59 | 		$s2 = "Net Service"
 60 | 	condition:
 61 | 		all of them
 62 | }
 63 | 
 64 | rule OPCLEAVER_ShellCreator2
 65 | {
 66 | 	meta:
 67 | 		description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
 68 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
 69 | 		date = "2014/12/02"
 70 | 		author = "Cylance Inc."
 71 | 		score = "70"
 72 | 	strings:
 73 | 		$s1 = "ShellCreator2.Properties"
 74 | 		$s2 = "set_IV"
 75 | 	condition:
 76 | 		all of them
 77 | }
 78 | 
 79 | rule OPCLEAVER_SmartCopy2
 80 | {
 81 | 	meta:
 82 | 		description = "Malware or hack tool used by attackers in Operation Cleaver"
 83 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
 84 | 		date = "2014/12/02"
 85 | 		author = "Cylance Inc."
 86 | 		score = "70"
 87 | 	strings:
 88 | 		$s1 = "SmartCopy2.Properties"
 89 | 		$s2 = "ZhuFrameWork"
 90 | 	condition:
 91 | 		all of them
 92 | }
 93 | 
 94 | rule OPCLEAVER_SynFlooder
 95 | {
 96 | 	meta:
 97 | 		description = "Malware or hack tool used by attackers in Operation Cleaver"
 98 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
 99 | 		date = "2014/12/02"
100 | 		author = "Cylance Inc."
101 | 		score = "70"
102 | 	strings:
103 | 		$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
104 | 		$s2 = "your target’s IP is : %s"
105 | 		$s3 = "Raw TCP Socket Created successfully."
106 | 	condition:
107 | 		all of them
108 | }
109 | 
110 | rule OPCLEAVER_TinyZBot
111 | {
112 | 	meta:
113 | 		description = "Tiny Bot used by attackers in Operation Cleaver"
114 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
115 | 		date = "2014/12/02"
116 | 		author = "Cylance Inc."
117 | 		score = "70"
118 | 	strings:
119 | 		$s1 = "NetScp" wide
120 | 		$s2 = "TinyZBot.Properties.Resources.resources"
121 | 		$s3 = "Aoao WaterMark"
122 | 		$s4 = "Run_a_exe"
123 | 		$s5 = "netscp.exe"
124 | 		$s6 = "get_MainModule_WebReference_DefaultWS"
125 | 		$s7 = "remove_CheckFileMD5Completed"
126 | 		$s8 = "http://tempuri.org/"
127 | 		$s9 = "Zhoupin_Cleaver"
128 | 	condition:
129 | 		(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
130 | }
131 | 
132 | rule OPCLEAVER_ZhoupinExploitCrew
133 | {
134 | 	meta:
135 | 		description = "Keywords used by attackers in Operation Cleaver"
136 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
137 | 		date = "2014/12/02"
138 | 		author = "Cylance Inc."
139 | 		score = "70"
140 | 	strings:
141 | 		$s1 = "zhoupin exploit crew" nocase
142 | 		$s2 = "zhopin exploit crew" nocase
143 | 	condition:
144 | 		1 of them
145 | }
146 | 
147 | rule OPCLEAVER_antivirusdetector
148 | {
149 | 	meta:
150 | 		description = "Hack tool used by attackers in Operation Cleaver"
151 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
152 | 		date = "2014/12/02"
153 | 		author = "Cylance Inc."
154 | 		score = "70"
155 | 	strings:
156 | 		$s1 = "getShadyProcess"
157 | 		$s2 = "getSystemAntiviruses"
158 | 		$s3 = "AntiVirusDetector"
159 | 	condition:
160 | 		all of them
161 | }
162 | 
163 | rule OPCLEAVER_csext
164 | {
165 | 	meta:
166 | 		description = "Backdoor used by attackers in Operation Cleaver"
167 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
168 | 		date = "2014/12/02"
169 | 		author = "Cylance Inc."
170 | 		score = "70"
171 | 	strings:
172 | 		$s1 = "COM+ System Extentions"
173 | 		$s2 = "csext.exe"
174 | 		$s3 = "COM_Extentions_bin"
175 | 	condition:
176 | 		all of them
177 | }
178 | 
179 | rule OPCLEAVER_kagent
180 | {
181 | 	meta:
182 | 		description = "Backdoor used by attackers in Operation Cleaver"
183 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
184 | 		date = "2014/12/02"
185 | 		author = "Cylance Inc."
186 | 		score = "70"
187 | 	strings:
188 | 		$s1 = "kill command is in last machine, going back"
189 | 		$s2 = "message data length in B64: %d Bytes"
190 | 	condition:
191 | 		all of them
192 | }
193 | 
194 | rule OPCLEAVER_mimikatzWrapper
195 | {
196 | 	meta:
197 | 		description = "Mimikatz Wrapper used by attackers in Operation Cleaver"
198 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
199 | 		date = "2014/12/02"
200 | 		author = "Cylance Inc."
201 | 		score = "70"
202 | 	strings:
203 | 		$s1 = "mimikatzWrapper"
204 | 		$s2 = "get_mimikatz"
205 | 	condition:
206 | 		all of them
207 | }
208 | 
209 | rule OPCLEAVER_pvz_in
210 | {
211 | 	meta:
212 | 		description = "Parviz tool used by attackers in Operation Cleaver"
213 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
214 | 		date = "2014/12/02"
215 | 		author = "Cylance Inc."
216 | 		score = "70"
217 | 	strings:
218 | 		$s1 = "LAST_TIME=00/00/0000:00:00PM$"
219 | 		$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
220 | 	condition:
221 | 		all of them
222 | }
223 | 
224 | rule OPCLEAVER_pvz_out
225 | {
226 | 	meta:
227 | 		description = "Parviz tool used by attackers in Operation Cleaver"
228 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
229 | 		date = "2014/12/02"
230 | 		author = "Cylance Inc."
231 | 		score = "70"
232 | 	strings:
233 | 		$s1 = "Network Connectivity Module" wide
234 | 		$s2 = "OSPPSVC" wide
235 | 	condition:
236 | 		all of them
237 | }
238 | 
239 | rule OPCLEAVER_wndTest
240 | {
241 | 	meta:
242 | 		description = "Backdoor used by attackers in Operation Cleaver"
243 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
244 | 		date = "2014/12/02"
245 | 		author = "Cylance Inc."
246 | 		score = "70"
247 | 	strings:
248 | 		$s1 = "[Alt]" wide
249 | 		$s2 = "<< %s >>:" wide
250 | 		$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
251 | 	condition:
252 | 		all of them
253 | }
254 | 
255 | rule OPCLEAVER_zhCat
256 | {
257 | 	meta:
258 | 		description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
259 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
260 | 		date = "2014/12/02"
261 | 		author = "Cylance Inc."
262 | 		score = "70"
263 | 	strings:
264 | 		$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
265 | 		$s2 = "ABC ( A Big Company )" wide fullword
266 | 	condition:
267 | 		all of them
268 | }
269 | 
270 | rule OPCLEAVER_zhLookUp
271 | {
272 | 	meta:
273 | 		description = "Hack tool used by attackers in Operation Cleaver"
274 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
275 | 		date = "2014/12/02"
276 | 		author = "Cylance Inc."
277 | 		score = "70"
278 | 	strings:
279 | 		$s1 = "zhLookUp.Properties"
280 | 	condition:
281 | 		all of them
282 | }
283 | 
284 | rule OPCLEAVER_zhmimikatz
285 | {
286 | 	meta:
287 | 		description = "Mimikatz wrapper used by attackers in Operation Cleaver"
288 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
289 | 		date = "2014/12/02"
290 | 		author = "Cylance Inc."
291 | 		score = "70"
292 | 	strings:
293 | 		$s1 = "MimikatzRunner"
294 | 		$s2 = "zhmimikatz"
295 | 	condition:
296 | 		all of them
297 | }
298 | 
299 | rule OPCLEAVER_Parviz_Developer
300 | {
301 | 	meta:
302 | 		description = "Parviz developer known from Operation Cleaver"
303 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
304 | 		date = "2014/12/02"
305 | 		author = "Florian Roth"
306 | 		score = "70"
307 | 	strings:
308 | 		$s1 = "Users\\parviz\\documents\\" nocase
309 | 	condition:
310 | 		$s1 
311 | }
312 | 
313 | rule OPCLEAVER_CCProxy_Config
314 | {
315 | 	meta:
316 | 		description = "CCProxy config known from Operation Cleaver"
317 | 		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
318 | 		date = "2014/12/02"
319 | 		author = "Florian Roth"
320 | 		score = "70"
321 | 	strings:
322 | 		$s1 = "UserName=User-001" fullword ascii
323 | 		$s2 = "Web=1" fullword ascii
324 | 		$s3 = "Mail=1" fullword ascii
325 | 		$s4 = "FTP=0" fullword ascii
326 | 		$x1 = "IPAddressLow=78.109.194.114" fullword ascii
327 | 	condition:
328 | 		all of ($s*) or $x1 
329 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/apt_poisonivy.yar:
--------------------------------------------------------------------------------
  1 | 
  2 | rule PoisonIvy_Sample_APT {
  3 | 	meta:
  4 | 		description = "Detects a PoisonIvy APT malware group"
  5 | 		author = "Florian Roth"
  6 | 		score = 70
  7 | 		reference = "VT Analysis"
  8 | 		date = "2015-06-03"
  9 | 		hash = "b874b76ff7b281c8baa80e4a71fc9be514093c70"
 10 | 	strings:
 11 | 		$s0 = "pidll.dll" fullword ascii /* score: '11.02' */
 12 | 		$s1 = "sens32.dll" fullword wide /* score: '11.015' */
 13 | 		$s3 = "FileDescription" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 19311 times */
 14 | 		$s4 = "OriginalFilename" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 19040 times */
 15 | 		$s5 = "ZwSetInformationProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 31 times */
 16 | 		$s9 = "Microsoft Media Device Service Provider" fullword wide /* score: '-3' */ /* Goodware String - occured 8 times */
 17 | 	condition:
 18 | 		uint16(0) == 0x5a4d and filesize < 47KB and all of them
 19 | }
 20 | 
 21 | 
 22 | rule PoisonIvy_Sample_APT_2 {
 23 | 	meta:
 24 | 		description = "Detects a PoisonIvy Malware"
 25 | 		author = "Florian Roth"
 26 | 		score = 70
 27 | 		reference = "VT Analysis"
 28 | 		date = "2015-06-03"
 29 | 		hash = "333f956bf3d5fc9b32183e8939d135bc0fcc5770"
 30 | 	strings:
 31 | 		$s0 = "pidll.dll" fullword ascii /* score: '11.02' */
 32 | 		$s1 = "sens32.dll" fullword wide /* score: '11.015' */
 33 | 		$s2 = "9.0.1.56" fullword wide /* score: '9.5' */
 34 | 		$s3 = "FileDescription" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 19311 times */
 35 | 		$s4 = "OriginalFilename" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 19040 times */
 36 | 		$s5 = "ZwSetInformationProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 31 times */
 37 | 		$s6 = "\"%=%14=" fullword ascii /* score: '4.5' */
 38 | 		$s7 = "091A1G1R1_1g1u1z1" fullword ascii /* score: '4' */ /* Goodware String - occured 1 times */
 39 | 		$s8 = "gHsMZz" fullword ascii /* score: '3.005' */
 40 | 		$s9 = "Microsoft Media Device Service Provider" fullword wide /* score: '-3' */ /* Goodware String - occured 8 times */
 41 | 		$s10 = "Copyright (C) Microsoft Corp." fullword wide /* score: '-7' */ /* Goodware String - occured 12 times */
 42 | 		$s11 = "MFC42.DLL" fullword ascii /* score: '-31' */ /* Goodware String - occured 36 times */
 43 | 		$s12 = "MSVCRT.dll" fullword ascii /* score: '-235' */ /* Goodware String - occured 240 times */
 44 | 		$s13 = "SpecialBuild" fullword wide /* score: '-1561' */ /* Goodware String - occured 1566 times */
 45 | 		$s14 = "PrivateBuild" fullword wide /* score: '-1585' */ /* Goodware String - occured 1590 times */
 46 | 		$s15 = "Comments" fullword wide /* score: '-2149' */ /* Goodware String - occured 2154 times */
 47 | 		$s16 = "040904b0" fullword wide /* score: '-2365' */ /* Goodware String - occured 2370 times */
 48 | 		$s17 = "LegalTrademarks" fullword wide /* score: '-3518' */ /* Goodware String - occured 3523 times */
 49 | 		$s18 = "CreateThread" fullword ascii /* score: '-3909' */ /* Goodware String - occured 3914 times */
 50 | 		$s19 = "ntdll.dll" fullword ascii /* score: '-4675' */ /* Goodware String - occured 4680 times */
 51 | 		$s20 = "_adjust_fdiv" fullword ascii /* score: '-5450' */ /* Goodware String - occured 5455 times */
 52 | 	condition:
 53 | 		uint16(0) == 0x5a4d and filesize < 47KB and all of them
 54 | }
 55 | 
 56 | rule PoisonIvy_Sample_APT_3 {
 57 | 	meta:
 58 | 		description = "Detects a PoisonIvy Malware"
 59 | 		author = "Florian Roth"
 60 | 		score = 70
 61 | 		reference = "VT Analysis"
 62 | 		date = "2015-06-03"
 63 | 		hash = "df3e1668ac20edecc12f2c1a873667ea1a6c3d6a"
 64 | 	strings:
 65 | 		$s0 = "\\notepad.exe" fullword ascii /* score: '11.025' */
 66 | 		$s1 = "\\RasAuto.dll" fullword ascii /* score: '11.025' */
 67 | 		$s3 = "winlogon.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 13 times */
 68 | 	condition:
 69 | 		uint16(0) == 0x5a4d and all of them
 70 | }
 71 | 
 72 | 
 73 | rule PoisonIvy_Sample_APT_4 {
 74 | 	meta:
 75 | 		description = "Detects a PoisonIvy Sample APT"
 76 | 		author = "Florian Roth"
 77 | 		score = 70
 78 | 		reference = "VT Analysis"
 79 | 		date = "2015-06-03"
 80 | 		hash = "558f0f0b728b6da537e2666fbf32f3c9c7bd4c0c"
 81 | 	strings:
 82 | 		$s0 = "Microsoft Software installation Service" fullword wide /* PEStudio Blacklist: strings */ /* score: '15.04' */
 83 | 		$s1 = "idll.dll" fullword ascii /* score: '11.02' */
 84 | 		$s2 = "mgmts.dll" fullword wide /* score: '11.0' */
 85 | 		$s3 = "Microsoft(R) Windows(R)" fullword wide /* score: '6.025' */
 86 | 		$s4 = "ServiceMain" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 322 times */
 87 | 		$s5 = "Software installation Service" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 3 times */
 88 | 		$s6 = "SetServiceStatus" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 741 times */
 89 | 		$s7 = "OriginalFilename" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 19040 times */
 90 | 		$s8 = "ZwSetInformationProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 31 times */
 91 | 	condition:
 92 | 		uint16(0) == 0x5a4d and filesize < 100KB and 7 of them
 93 | }
 94 | 
 95 | rule PoisonIvy_Sample_5 {
 96 | 	meta:
 97 | 		description = "Detects PoisonIvy RAT sample set"
 98 | 		author = "Florian Roth"
 99 | 		score = 70
100 | 		reference = "VT Analysis"
101 | 		date = "2015-06-03"
102 | 		hash = "545e261b3b00d116a1d69201ece8ca78d9704eb2"
103 | 	strings:
104 | 		$s0 = "Microsoft Software installation Service" fullword wide /* PEStudio Blacklist: strings */ /* score: '15.04' */
105 | 		$s2 = "pidll.dll" fullword ascii /* score: '11.02' */
106 | 		$s3 = "\\mspmsnsv.dll" fullword ascii /* score: '11.005' */
107 | 		$s4 = "\\sfc.exe" fullword ascii /* score: '11.005' */
108 | 		$s13 = "ServiceMain" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 322 times */
109 | 		$s15 = "ZwSetInformationProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 31 times */
110 | 		$s17 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 336 times */
111 | condition:
112 | 		uint16(0) == 0x5a4d and filesize < 300KB and all of them
113 | }
114 | 
115 | 
116 | rule PoisonIvy_Sample_6 {
117 | 	meta:
118 | 		description = "Detects PoisonIvy RAT sample set"
119 | 		author = "Florian Roth"
120 | 		score = 70
121 | 		reference = "VT Analysis"
122 | 		date = "2015-06-03"
123 | 		hash1 = "8c2630ab9b56c00fd748a631098fa4339f46d42b"
124 | 		hash2 = "36b4cbc834b2f93a8856ff0e03b7a6897fb59bd3"		
125 | 	strings:
126 | 		$x1 = "124.133.252.150" fullword ascii /* score: '9.5' */
127 | 		$x3 = "http://124.133.254.171/up/up.asp?id=%08x&pcname=%s" fullword ascii /* score: '24.01' */
128 | 
129 | 		$z1 = "\\temp\\si.txt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.01' */
130 | 		$z2 = "Daemon Dynamic Link Library" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.02' */
131 | 		$z3 = "Microsoft Windows CTF Loader" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.03' */
132 | 		$z4 = "\\tappmgmts.dll" fullword ascii /* score: '11.005' */
133 | 		$z5 = "\\appmgmts.dll" fullword ascii /* score: '11.0' */
134 | 
135 | 		$s0 = "%USERPROFILE%\\AppData\\Local\\Temp\\Low\\ctfmon.log" fullword ascii /* PEStudio Blacklist: strings */ /* score: '43.015' */
136 | 		$s1 = "%USERPROFILE%\\AppData\\Local\\Temp\\ctfmon.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '37.015' */
137 | 		$s2 = "\\temp\\ctfmon.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */
138 | 		$s3 = "SOFTWARE\\Classes\\http\\shell\\open\\commandV" fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.025' */
139 | 		$s4 = "CONNECT %s:%i HTTP/1.0" fullword ascii /* PEStudio Blacklist: strings */ /* score: '19.02' */
140 | 		$s5 = "start read histry key" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.04' */
141 | 		$s6 = "Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"" fullword ascii /* score: '18.03' */
142 | 		$s7 = "[password]%s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '17.025' */
143 | 		$s8 = "Daemon.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.02' */
144 | 		$s9 = "[username]%s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '12.035' */
145 | 		$s10 = "advpack" fullword ascii /* score: '7.005' */
146 | 		$s11 = "%s%2.2X" fullword ascii /* score: '7.0' */
147 | 		$s12 = "advAPI32" fullword ascii /* score: '6.015' */
148 | 	condition:
149 | 		( uint16(0) == 0x5a4d and 1 of ($x*) ) or 
150 | 		( 8 of ($s*) ) or
151 | 		( 1 of ($z*) and 3 of ($s*) )
152 | }
153 | 
154 | rule PoisonIvy_Sample_7 {
155 | 	meta:
156 | 		description = "Detects PoisonIvy RAT sample set"
157 | 		author = "Florian Roth"
158 | 		score = 70
159 | 		reference = "VT Analysis"
160 | 		date = "2015-06-03"
161 | 		hash = "9480cf544beeeb63ffd07442233eb5c5f0cf03b3"
162 | 	strings:
163 | 		$s0 = "Microsoft Software installation Service" fullword wide /* PEStudio Blacklist: strings */ /* score: '15.04' */
164 | 		$s2 = "pidll.dll" fullword ascii /* score: '11.02' */
165 | 		$s10 = "ServiceMain" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 322 times */
166 | 		$s11 = "ZwSetInformationProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 31 times */
167 | 		$s12 = "Software installation Service" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 3 times */
168 | 		$s13 = "Microsoft(R) Windows(R) Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 128 times */
169 | 	condition:
170 | 		uint16(0) == 0x5a4d and filesize < 100KB and all of them
171 | }


--------------------------------------------------------------------------------
/w-rules/rules/Loki Rules/spy_querty_fiveeyes.yar:
--------------------------------------------------------------------------------
  1 | /* FIVE EYES ------------------------------------------------------------------------------- */
  2 | 
  3 | rule FiveEyes_QUERTY_Malwareqwerty_20121 {
  4 | 	meta:
  5 | 		description = "FiveEyes QUERTY Malware - file 20121.xml"
  6 | 		author = "Florian Roth"
  7 | 		reference = "http://www.spiegel.de/media/media-35668.pdf"
  8 | 		date = "2015/01/18"
  9 | 		hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
 10 | 	strings:
 11 | 		$s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii
 12 | 		$s1 = "<name>20121.dll</name>" fullword ascii
 13 | 		$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
 14 | 		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
 15 | 		$s4 = "<platform type=\"1\">" fullword ascii
 16 | 		$s5 = "</plugin>" fullword ascii
 17 | 		$s6 = "</pluginConfig>" fullword ascii
 18 | 		$s7 = "<pluginConfig>" fullword ascii
 19 | 		$s8 = "</platform>" fullword ascii
 20 | 		$s9 = "</lpConfig>" fullword ascii
 21 | 		$s10 = "<lpConfig>" fullword ascii
 22 | 	condition:
 23 | 		9 of them
 24 | }
 25 | 
 26 | rule FiveEyes_QUERTY_Malwaresig_20123_sys {
 27 | 	meta:
 28 | 		description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
 29 | 		author = "Florian Roth"
 30 | 		reference = "http://www.spiegel.de/media/media-35668.pdf"
 31 | 		date = "2015/01/18"
 32 | 		hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
 33 | 	strings:
 34 | 		$s0 = "20123.dll" fullword ascii
 35 | 		$s1 = "kbdclass.sys" fullword wide
 36 | 		$s2 = "IoFreeMdl" fullword ascii
 37 | 		$s3 = "ntoskrnl.exe" fullword ascii
 38 | 		$s4 = "KfReleaseSpinLock" fullword ascii
 39 | 	condition:
 40 | 		all of them
 41 | }
 42 | 
 43 | rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
 44 | 	meta:
 45 | 		description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
 46 | 		author = "Florian Roth"
 47 | 		reference = "http://www.spiegel.de/media/media-35668.pdf"
 48 | 		date = "2015/01/18"
 49 | 		hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
 50 | 	strings:
 51 | 		$s0 = "<shortDescription>Keystroke Collector</shortDescription>" fullword ascii
 52 | 		$s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii
 53 | 		$s2 = "<commands/>" fullword ascii
 54 | 		$s3 = "</version>" fullword ascii
 55 | 		$s4 = "<associatedImplantId>20121</associatedImplantId>" fullword ascii
 56 | 		$s5 = "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns" ascii
 57 | 		$s6 = "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
 58 | 		$s7 = "<projectpath>plugin/Collection</projectpath>" fullword ascii
 59 | 		$s8 = "<dllDepend>None</dllDepend>" fullword ascii
 60 | 		$s9 = "<minorType>0</minorType>" fullword ascii
 61 | 		$s10 = "<pluginname>E_QwertyKM</pluginname>" fullword ascii
 62 | 		$s11 = "</comments>" fullword ascii
 63 | 		$s12 = "<comments>" fullword ascii
 64 | 		$s13 = "<majorType>1</majorType>" fullword ascii
 65 | 		$s14 = "<files>None</files>" fullword ascii
 66 | 		$s15 = "<poc>Erebus</poc>" fullword ascii
 67 | 		$s16 = "</plugin>" fullword ascii
 68 | 		$s17 = "<team>None</team>" fullword ascii
 69 | 		$s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii
 70 | 		$s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii
 71 | 		$s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
 72 | 	condition:
 73 | 		14 of them
 74 | }
 75 | 
 76 | rule FiveEyes_QUERTY_Malwaresig_20121_dll {
 77 | 	meta:
 78 | 		description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
 79 | 		author = "Florian Roth"
 80 | 		reference = "http://www.spiegel.de/media/media-35668.pdf"
 81 | 		date = "2015/01/18"
 82 | 		hash = "89504d91c5539a366e153894c1bc17277116342b"
 83 | 	strings:
 84 | 		$s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
 85 | 		$s1 = "20121.dll" fullword ascii
 86 | 	condition:
 87 | 		all of them
 88 | }
 89 | rule FiveEyes_QUERTY_Malwareqwerty_20123 {
 90 | 	meta:
 91 | 		description = "FiveEyes QUERTY Malware - file 20123.xml"
 92 | 		author = "Florian Roth"
 93 | 		reference = "http://www.spiegel.de/media/media-35668.pdf"
 94 | 		date = "2015/01/18"
 95 | 		hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9"
 96 | 	strings:
 97 | 		$s0 = "<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
 98 | 		$s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii
 99 | 		$s2 = "<name>20123.sys</name>" fullword ascii
100 | 		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
101 | 		$s4 = "<codebase>/bin/i686-pc-win32/debug</codebase>" fullword ascii
102 | 		$s5 = "<platform type=\"1\">" fullword ascii
103 | 		$s6 = "</plugin>" fullword ascii
104 | 		$s7 = "</pluginConfig>" fullword ascii
105 | 		$s8 = "<pluginConfig>" fullword ascii
106 | 		$s9 = "</platform>" fullword ascii
107 | 		$s10 = "</lpConfig>" fullword ascii
108 | 		$s11 = "<lpConfig>" fullword ascii
109 | 	condition:
110 | 		9 of them
111 | }
112 | 
113 | rule FiveEyes_QUERTY_Malwaresig_20120_dll {
114 | 	meta:
115 | 		description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
116 | 		author = "Florian Roth"
117 | 		reference = "http://www.spiegel.de/media/media-35668.pdf"
118 | 		date = "2015/01/18"
119 | 		hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
120 | 	strings:
121 | 		$s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
122 | 		$s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
123 | 		$s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
124 | 		$s3 = "- Log Used (number of windows) - %d" fullword wide
125 | 		$s4 = "- Log Limit (number of windows) - %d" fullword wide
126 | 		$s5 = "Process or User Default Language" fullword wide
127 | 		$s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
128 | 		$s7 = "- Logging of keystrokes is switched ON" fullword wide
129 | 		$s8 = "- Logging of keystrokes is switched OFF" fullword wide
130 | 		$s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
131 | 		$s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
132 | 		$s11 = "FAILED to get Qwerty Status" fullword wide
133 | 		$s12 = "- Successfully retrieved Log from Implant." fullword wide
134 | 		$s13 = "- Logging of all Windows is toggled ON" fullword wide
135 | 		$s14 = "- Logging of all Windows is toggled OFF" fullword wide
136 | 		$s15 = "Qwerty FAILED to retrieve window list." fullword wide
137 | 		$s16 = "- UNSUCCESSFUL Log Retrieval from Implant." fullword wide
138 | 		$s17 = "The implant failed to return a valid status" fullword ascii
139 | 		$s18 = "- Log files were NOT generated!" fullword wide
140 | 		$s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
141 | 		$s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
142 | 	condition:
143 | 		10 of them
144 | }
145 | 
146 | rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
147 | 	meta:
148 | 		description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
149 | 		author = "Florian Roth"
150 | 		reference = "http://www.spiegel.de/media/media-35668.pdf"
151 | 		date = "2015/01/18"
152 | 		hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
153 | 	strings:
154 | 		$s0 = "This PPC gets the current keystroke log." fullword ascii
155 | 		$s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
156 | 		$s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
157 | 		$s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
158 | 		$s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
159 | 		$s5 = "<definition>Turn logging of all keys on|off</definition>" fullword ascii
160 | 		$s6 = "<name>Get Keystroke Log</name>" fullword ascii
161 | 		$s7 = "<description>Keystroke Logger Lp Plugin</description>" fullword ascii
162 | 		$s8 = "<definition>display help for this function</definition>" fullword ascii
163 | 		$s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
164 | 		$s10 = "Set the log limit (in number of windows)" fullword ascii
165 | 		$s11 = "<example>qwgetlog</example>" fullword ascii
166 | 		$s12 = "<aliasName>qwgetlog</aliasName>" fullword ascii
167 | 		$s13 = "<definition>The title of the Window whose keys you wish to Log once it becomes a" ascii
168 | 		$s14 = "This command will switch OFF Logging of keys. No keystrokes will be captured" fullword ascii
169 | 		$s15 = "<definition>The title of the Window whose keys you no longer whish to log</defin" ascii
170 | 		$s16 = "<command id=\"32\">" fullword ascii
171 | 		$s17 = "<command id=\"3\">" fullword ascii
172 | 		$s18 = "<command id=\"7\">" fullword ascii
173 | 		$s19 = "<command id=\"1\">" fullword ascii
174 | 		$s20 = "<command id=\"4\">" fullword ascii
175 | 	condition:
176 | 		10 of them
177 | }
178 | 
179 | rule FiveEyes_QUERTY_Malwareqwerty_20120 {
180 | 	meta:
181 | 		description = "FiveEyes QUERTY Malware - file 20120.xml"
182 | 		author = "Florian Roth"
183 | 		reference = "http://www.spiegel.de/media/media-35668.pdf"
184 | 		date = "2015/01/18"
185 | 		hash = "597082f05bfd3225587d480c30f54a7a1326a892"
186 | 	strings:
187 | 		$s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii
188 | 		$s1 = "<name>20120.dll</name>" fullword ascii
189 | 		$s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
190 | 		$s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
191 | 		$s4 = "<platform type=\"1\">" fullword ascii
192 | 		$s5 = "</plugin>" fullword ascii
193 | 		$s6 = "</pluginConfig>" fullword ascii
194 | 		$s7 = "<pluginConfig>" fullword ascii
195 | 		$s8 = "</platform>" fullword ascii
196 | 		$s9 = "</lpConfig>" fullword ascii
197 | 		$s10 = "<lpConfig>" fullword ascii
198 | 	condition:
199 | 		all of them
200 | }
201 | 
202 | rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
203 | 	meta:
204 | 		description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
205 | 		author = "Florian Roth"
206 | 		reference = "http://www.spiegel.de/media/media-35668.pdf"
207 | 		date = "2015/01/18"
208 | 		hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
209 | 	strings:
210 | 		$s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii
211 | 		$s1 = "<message>Failed to get File Time</message>" fullword ascii
212 | 		$s2 = "<description>Keystroke Logger Plugin.</description>" fullword ascii
213 | 		$s3 = "<message>Failed to set File Time</message>" fullword ascii
214 | 		$s4 = "</commands>" fullword ascii
215 | 		$s5 = "<commands>" fullword ascii
216 | 		$s6 = "</version>" fullword ascii
217 | 		$s7 = "<associatedImplantId>20120</associatedImplantId>" fullword ascii
218 | 		$s8 = "<message>No Comms. with Driver</message>" fullword ascii
219 | 		$s9 = "</error>" fullword ascii
220 | 		$s10 = "<message>Invalid File Size</message>" fullword ascii
221 | 		$s11 = "<platforms>Windows (User/Win32)</platforms>" fullword ascii
222 | 		$s12 = "<message>File Size Mismatch</message>" fullword ascii
223 | 		$s13 = "<projectpath>plugin/Utility</projectpath>" fullword ascii
224 | 		$s14 = "<pluginsDepend>None</pluginsDepend>" fullword ascii
225 | 		$s15 = "<dllDepend>None</dllDepend>" fullword ascii
226 | 		$s16 = "<pluginname>E_QwertyIM</pluginname>" fullword ascii
227 | 		$s17 = "<rightsRequired>None</rightsRequired>" fullword ascii
228 | 		$s18 = "<minorType>0</minorType>" fullword ascii
229 | 		$s19 = "<code>00001002</code>" fullword ascii
230 | 		$s20 = "<code>00001001</code>" fullword ascii
231 | 	condition:
232 | 		12 of them
233 | }


--------------------------------------------------------------------------------