├── README.md
├── all.yar
├── angler_ek_checkpoint.yar
├── angler_ek_redirector.yar
├── angler_flash.yar
├── angler_flash2.yar
├── angler_flash4.yar
├── angler_flash5.yar
├── angler_flash_uncompressed.yar
├── angler_html.yar
├── angler_html2.yar
├── angler_jar.yar
├── angler_js.yar
├── blackhole1_jar.yar
├── blackhole2_css.yar
├── blackhole2_htm.yar
├── blackhole2_htm10.yar
├── blackhole2_htm11.yar
├── blackhole2_htm12.yar
├── blackhole2_htm3.yar
├── blackhole2_htm4.yar
├── blackhole2_htm5.yar
├── blackhole2_htm6.yar
├── blackhole2_htm8.yar
├── blackhole2_jar.yar
├── blackhole2_jar2.yar
├── blackhole2_jar3.yar
├── blackhole2_pdf.yar
├── blackhole_basic.yar
├── bleedinglife2_adobe_2010_1297_exploit.yar
├── bleedinglife2_adobe_2010_2884_exploit.yar
├── bleedinglife2_jar2.yar
├── bleedinglife2_java_2010_0842_exploit.yar
├── crimepack_jar.yar
├── crimepack_jar3.yar
├── cve_2013_0074.yar
├── cve_2013_0422.yar
├── eleonore_jar.yar
├── eleonore_jar2.yar
├── eleonore_jar3.yar
├── eleonore_js.yar
├── eleonore_js2.yar
├── eleonore_js3.yar
├── fragus_htm.yar
├── fragus_js.yar
├── fragus_js2.yar
├── fragus_js_flash.yar
├── fragus_js_java.yar
├── fragus_js_quicktime.yar
├── fragus_js_vml.yar
├── javascript_exploit_and_obfuscation.yar
├── malicious_office.yar
├── malicious_pdf.yar
├── phoenix_html.yar
├── phoenix_html10.yar
├── phoenix_html11.yar
├── phoenix_html2.yar
├── phoenix_html3.yar
├── phoenix_html4.yar
├── phoenix_html5.yar
├── phoenix_html6.yar
├── phoenix_html7.yar
├── phoenix_html8.yar
├── phoenix_html9.yar
├── phoenix_jar.yar
├── phoenix_jar2.yar
├── phoenix_jar3.yar
├── phoenix_pdf.yar
├── phoenix_pdf2.yar
├── phoenix_pdf3.yar
├── redkit_bin_basic.yar
├── sakura_jar.yar
├── sakura_jar2.yar
├── zeroaccess_css.yar
├── zeroaccess_css2.yar
├── zeroaccess_htm.yar
├── zeroaccess_js.yar
├── zeroaccess_js2.yar
├── zeroaccess_js3.yar
├── zeroaccess_js4.yar
├── zerox88_js2.yar
├── zerox88_js3.yar
└── zeus_js.yar


/README.md:
--------------------------------------------------------------------------------
 1 | Burp-Yara-Rules
 2 | ========
 3 | 
 4 | ##Description
 5 | Yara rules to be used with the Burp Yara-Scanner extension
 6 | 
 7 | ##Introduction
 8 | Burp-Yara-Rules is a collection of Yara rules built from malicious code samples found on the Internet, in addition to Yara rules created by third-parties that identify malicious software commonly found hosted on websites.
 9 | 
10 | The rules are intended to be used with the Burp Yara-Scanner extension found here: https://github.com/PolitoInc/Yara-Scanner.  The goal being to identify infected web pages during a web application assessment.
11 | 
12 | ##Usage
13 | Add the Yara-Scanner extension within Burp (follow the directions at the Yara-Scanner link above).  Then use the all.yar rules file as it combines all rules in this repository into a single file.
14 | 
15 | ##Additional Details
16 | The Yara rules in this repository were found by searching the Internet for rules that detect common exploit kits, as well as by running the YaraGenerator (https://github.com/Xen0ph0n/YaraGenerator/) against downloaded exploit kit samples.  The rules look for:
17 | * Signs of infection in HTML code
18 | * Signs of infection in JavaScript code
19 | * Signs of infection in CSS code
20 | * Detection of infected JAR files
21 | * Detection of infected PDF files
22 | * Detection of infected SilverLight XAP files
23 | * Detection of infected Flash SWF files
24 | 


--------------------------------------------------------------------------------
/all.yar:
--------------------------------------------------------------------------------
   1 | rule zerox88_js2
   2 | {
   3 | meta:
   4 | 	author = "Josh Berry"
   5 | 	date = "2016-06-26"
   6 | 	description = "0x88 Exploit Kit Detection"
   7 | 	hash0 = "cad8b652338f5e3bc93069c8aa329301"
   8 | 	sample_filetype = "js-html"
   9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
  10 | strings:
  11 | 	$string0 = "function gSH() {"
  12 | 	$string1 = "200 HEIGHT"
  13 | 	$string2 = "'sh.js'><\\/SCRIPT>"
  14 | 	$string3 = " 2 - 26;"
  15 | 	$string4 = "<IFRAME ID"
  16 | 	$string5 = ",100);"
  17 | 	$string6 = "200></IFRAME>"
  18 | 	$string7 = "setTimeout("
  19 | 	$string8 = "'about:blank' WIDTH"
  20 | 	$string9 = "mf.document.write("
  21 | 	$string10 = "document.write("
  22 | 	$string11 = "Kasper "
  23 | condition:
  24 | 	11 of them
  25 | }
  26 | 
  27 | rule zerox88_js3
  28 | {
  29 | meta:
  30 | 	author = "Josh Berry"
  31 | 	date = "2016-06-26"
  32 | 	description = "0x88 Exploit Kit Detection"
  33 | 	hash0 = "9df0ac2fa92e602ec11bac53555e2d82"
  34 | 	sample_filetype = "js-html"
  35 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
  36 | strings:
  37 | 	$string0 = " new ActiveXObject(szHTTP); "
  38 | 	$string1 = " Csa2;"
  39 | 	$string2 = "var ADO "
  40 | 	$string3 = " new ActiveXObject(szOx88);"
  41 | 	$string4 = " unescape("
  42 | 	$string5 = "/test.exe"
  43 | 	$string6 = " szEtYij;"
  44 | 	$string7 = "var HTTP "
  45 | 	$string8 = "%41%44%4F%44%42%2E"
  46 | 	$string9 = "%4D%65%64%69%61"
  47 | 	$string10 = "var szSRjq"
  48 | 	$string11 = "%43%3A%5C%5C%50%72%6F%67%72%61%6D"
  49 | 	$string12 = "var METHOD "
  50 | 	$string13 = "ADO.Mode "
  51 | 	$string14 = "%61%79%65%72"
  52 | 	$string15 = "%2E%58%4D%4C%48%54%54%50"
  53 | 	$string16 = " 7 - 6; HTTP.Open(METHOD, szURL, i-3); "
  54 | condition:
  55 | 	16 of them
  56 | }
  57 | 
  58 | rule angler_ek_checkpoint
  59 | {
  60 | 	meta:
  61 | 		description = "Angler EK Exploit Kit - Checkpoint Detection"
  62 | 	strings:
  63 | 		$a = "Jul 2039" nocase
  64 | 		$b = "Jul 2040" nocase
  65 | 	condition:
  66 | 		any of them
  67 | }
  68 | 
  69 | rule AnglerEKredirector
  70 | {
  71 |    meta:
  72 |       description = "Angler Exploit Kit Redirector"
  73 |       ref = "http://blog.xanda.org/2015/08/28/yara-rule-for-angler-ek-redirector-js/"
  74 |       author = "adnan.shukor@gmail.com"
  75 |       date = "08-July-2015"
  76 |       impact = "5"
  77 |       version = "1"
  78 |    strings:
  79 |       $ekr1 = "<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000);" fullword
  80 |       $ekr2 = "document.cookie=\"PHP_SESSION_PHP="
  81 |       $ekr3 = "path=/; expires=\"+date.toUTCString();</script>" fullword
  82 |       $ekr4 = "<iframe src=" fullword
  83 |       $ekr5 = "</iframe></div>" fullword
  84 |    condition:
  85 |       all of them
  86 | }
  87 | 
  88 | rule angler_flash
  89 | {
  90 | meta:
  91 | 	author = "Josh Berry"
  92 | 	date = "2016-06-26"
  93 | 	description = "Angler Exploit Kit Detection"
  94 | 	hash0 = "8081397c30b53119716c374dd58fc653"
  95 | 	sample_filetype = "unknown"
  96 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
  97 | strings:
  98 | 	$string0 = "(9OOSp"
  99 | 	$string1 = "r$g@ 0'[A"
 100 | 	$string2 = ";R-1qTP"
 101 | 	$string3 = "xwBtR4"
 102 | 	$string4 = "YbVjxp"
 103 | 	$string5 = "ddgXkF"
 104 | 	$string6 = ")n'URF"
 105 | 	$string7 = "vAzq@W"
 106 | 	$string8 = "rOkX$6m<"
 107 | 	$string9 = "@@DB}q "
 108 | 	$string10 = "TiKV'iV"
 109 | 	$string11 = "538x;B"
 110 | 	$string12 = "9pEM{d"
 111 | 	$string13 = ".SIy/O"
 112 | 	$string14 = "ER<Gu,"
 113 | condition:
 114 | 	14 of them
 115 | }
 116 | 
 117 | rule angler_flash2
 118 | {
 119 | meta:
 120 | 	author = "Josh Berry"
 121 | 	date = "2016-06-26"
 122 | 	description = "Angler Exploit Kit Detection"
 123 | 	hash0 = "23812c5a1d33c9ce61b0882f860d79d6"
 124 | 	sample_filetype = "unknown"
 125 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 126 | strings:
 127 | 	$string0 = "4yOOUj"
 128 | 	$string1 = "CSvI4e"
 129 | 	$string2 = "'fwaEnkI"
 130 | 	$string3 = "'y4m%X"
 131 | 	$string4 = "eOc)a,"
 132 | 	$string5 = "'0{Q5<"
 133 | 	$string6 = "1BdX;P"
 134 | 	$string7 = "D _J)C"
 135 | 	$string8 = "-epZ.E"
 136 | 	$string9 = "QpRkP."
 137 | 	$string10 = "<o/]atel"
 138 | 	$string11 = "@B.,X<"
 139 | 	$string12 = "5r[c)U"
 140 | 	$string13 = "52R7F'"
 141 | 	$string14 = "NZ[FV'P"
 142 | condition:
 143 | 	14 of them
 144 | }
 145 | 
 146 | rule angler_flash4
 147 | {
 148 | meta:
 149 | 	author = "Josh Berry"
 150 | 	date = "2016-06-26"
 151 | 	description = "Angler Exploit Kit Detection"
 152 | 	hash0 = "dbb3f5e90c05602d92e5d6e12f8c1421"
 153 | 	sample_filetype = "unknown"
 154 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 155 | strings:
 156 | 	$string0 = "_u;cwD;"
 157 | 	$string1 = "lhNp74"
 158 | 	$string2 = "Y0GQ%v"
 159 | 	$string3 = "qjqCb,nx"
 160 | 	$string4 = "vn{l{Wl"
 161 | 	$string5 = "5j5jz5"
 162 | 	$string6 = "a3EWwhM"
 163 | 	$string7 = "hVJb/4Aut"
 164 | 	$string8 = ",lm4v,"
 165 | 	$string9 = ",6MekS"
 166 | 	$string10 = "YM.mxzO"
 167 | 	$string11 = ";6 -$E"
 168 | 	$string12 = "QA%: fy"
 169 | 	$string13 = "<@{qvR"
 170 | 	$string14 = "b9'$'6l"
 171 | 	$string15 = ",x:pQ@-"
 172 | 	$string16 = "2Dyyr9"
 173 | condition:
 174 | 	16 of them
 175 | }
 176 | 
 177 | rule angler_flash5
 178 | {
 179 | meta:
 180 | 	author = "Josh Berry"
 181 | 	date = "2016-06-26"
 182 | 	description = "Angler Exploit Kit Detection"
 183 | 	hash0 = "9f809272e59ee9ecd71093035b31eec6"
 184 | 	sample_filetype = "unknown"
 185 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 186 | strings:
 187 | 	$string0 = "0k%2{u"
 188 | 	$string1 = "\\Pb@(R"
 189 | 	$string2 = "ys)dVI"
 190 | 	$string3 = "tk4_y["
 191 | 	$string4 = "LM2Grx"
 192 | 	$string5 = "n}s5fb"
 193 | 	$string6 = "jT Nx<hKO"
 194 | 	$string7 = "5xL>>}"
 195 | 	$string8 = "S%,1{b"
 196 | 	$string9 = "C'3g7j"
 197 | 	$string10 = "}gfoh]"
 198 | 	$string11 = ",KFVQb"
 199 | 	$string12 = "LA;{Dx"
 200 | condition:
 201 | 	12 of them
 202 | }
 203 | 
 204 | rule angler_flash_uncompressed
 205 | {
 206 | meta:
 207 | 	author = "Josh Berry"
 208 | 	date = "2016-06-26"
 209 | 	description = "Angler Exploit Kit Detection"
 210 | 	hash0 = "2543855d992b2f9a576f974c2630d851"
 211 | 	sample_filetype = "unknown"
 212 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 213 | strings:
 214 | 	$string0 = "DisplayObjectContainer"
 215 | 	$string1 = "Xtime2"
 216 | 	$string2 = "(HMRTQ"
 217 | 	$string3 = "flash.events:EventDispatcher$flash.display:DisplayObjectContainer"
 218 | 	$string4 = "_e_-___-__"
 219 | 	$string5 = "ZviJbf"
 220 | 	$string6 = "random-"
 221 | 	$string7 = "_e_-_-_-_"
 222 | 	$string8 = "_e_------"
 223 | 	$string9 = "817677162"
 224 | 	$string10 = "_e_-__-"
 225 | 	$string11 = "-[vNnZZ"
 226 | 	$string12 = "5:unpad: Invalid padding value. expected ["
 227 | 	$string13 = "writeByte/"
 228 | 	$string14 = "enumerateFonts"
 229 | 	$string15 = "_e_---___"
 230 | 	$string16 = "_e_-_-"
 231 | 	$string17 = "f(fOJ4"
 232 | condition:
 233 | 	17 of them
 234 | }
 235 | 
 236 | rule angler_html
 237 | {
 238 | meta:
 239 | 	author = "Josh Berry"
 240 | 	date = "2016-06-26"
 241 | 	description = "Angler Exploit Kit Detection"
 242 | 	hash0 = "afca949ab09c5583a2ea5b2006236666"
 243 | 	sample_filetype = "js-html"
 244 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 245 | strings:
 246 | 	$string0 = " A9 3E AF D5 9AQ FA 14 BC F2 A0H EA 7FfJ A58 A3 B1 BD 85 DB F3 B4 B6 FB B2 B4 14 82 19 88 28 D0 EA 2"
 247 | 	$string1 = " 2BS 25 26p 20 3F 81 0E D3 9C 84 C7 EC C3 C41M C48 D3 B5N 09 C2z 98 7B 09. DF 05 5EQ DF A3 B6 EE D5 "
 248 | 	$string2 = "9 A1Fg A8 837 9A A9 0A 1D 40b02 A5U6 22o 16 DC 5D F5 F5 FA BE FB EDX F0 87 DB C9 7B D6 AC F6D 10 1AJ"
 249 | 	$string3 = "24 AA 17 FB B0 96d DBN 05 EE F6 0F 24 D4 D0 C0 E4 96 03 A3 03 20/ 04 40 DB 8F 7FI A6 DC F5 09 0FWV 1"
 250 | 	$string4 = "Fq B3 94 E3 3E EFw E6 AA9 3A 5B 9E2 D2 EC AF6 10c 83 0F DF BB FBx AF B4 1BV 5C DD F8 9BR 97v D0U 9EG"
 251 | 	$string5 = "29 9B 01E C85 86 B0 09 EC E07 AFCY 19 E5 11 1C 92 E2 DA A9 5D 19P 3A BF AB D6 B3 3FZ B4 92 FF E1 27 "
 252 | 	$string6 = "B A9 88 B8 F0 EBLd 8E 08 18 11P EE BFk 15 5BM D6 B7 CEh AF 9C 8F 04 89 88 5E F6 ED 13 8EN1p 86Vk BC "
 253 | 	$string7 = "w F4 C8 16pV 22 0A BB EB 83 7D BC 89 B6 E06 8B 2A DC E6 7D CE. 0Dh 18 0A8 5E 60 0C BF A4 00M 00 E3 3"
 254 | 	$string8 = "B7 C6 E3 8E DC 3BR 60L 94h D8 AA7k5s 0D 7Fb 8B 80P E0 1BP EBT B5 03zE D0o 2A B97 18 F39 7C 94 99 11 "
 255 | 	$string9 = "kY 24 8E 3E 94 84 D2 00 1EB 16 A4 9C 28 24 C1B BB 22 7D 97c F5 BA AD C4 5C 23 5D 3D 5C A7d5 0C F6 EA"
 256 | 	$string10 = "08 01 3A 15 3B E0 1A E2 89 5B A2 F4 ED 87O F9l A99 124 27 BF BB A1c 2BW 12Z 07 AA D9 81 B7 A6-5 E2 E"
 257 | 	$string11 = " 16 BF A7 0E 00 16 BB 8FB CBn FC D8 9C C7 EA AC C2q 85n A96I D1 9B FC8 BDl B8 3Ajf 7B ADH FD 20 88 F"
 258 | 	$string12 = "  ML    "
 259 | 	$string13 = " AEJ 3B C7 BFy EF F07X D3 A0 1E B4q C4 BE 3A 10 E7 A0 FE D1Jhp 89 A0sj 1CW 08 D5 F7 C8 C6 D5I 81 D2 "
 260 | 	$string14 = "B 24 90 ED CEP C8 C9 9B E5 25 09 C6B- 2B 3B C7 28 C9 C62 EB D3 D5 ED DE A8 7F A9mNs 87 12 82 03 A2 8"
 261 | 	$string15 = "A 3A A2L DFa 18 11P 00 7F1 BBbY FA 5E 04 C4 5D 89 F3S DAN B5 CAi 8D 0A AC A8 0A ABI E6 1E 89 BB 07 D"
 262 | 	$string16 = "C B5 FD 0B F9 0Ch CE 01 14 8Dp AF 24 E0 E3 D90 DD FF B0 07 2Ad 0B 7D B0 B2 D8 BD E6 A7 CE E1 E4 3E5 "
 263 | 	$string17 = "19 0C 85 14r/ 8C F3 84 2B 8C CF 90 93 E2 F6zo C3 D40 A6 94 01 02Q 21G AB B9 CDx 9D FB 21 2C 10 C3 3C"
 264 | 	$string18 = "FAV D7y A0 C7Ld4 01 22 EE B0 1EY FAB BA E0 01 24 15g C5 DA6 19 EEsl BF C7O 9F 8B E8 AF 93 F52 00 06 "
 265 | condition:
 266 | 	18 of them
 267 | }
 268 | 
 269 | rule angler_html2
 270 | {
 271 | meta:
 272 | 	author = "Josh Berry"
 273 | 	date = "2016-06-26"
 274 | 	description = "Angler Exploit Kit Detection"
 275 | 	hash0 = "6c926bf25d1a8a80ab988c8a34c0102e"
 276 | 	sample_filetype = "js-html"
 277 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 278 | strings:
 279 | 	$string0 = "E 06 E7i 1E 91q 9C D0J 1D 9B 14 E7g 1D DD ECK 20c 40 C6 0C AFR5 3D 03 9Em EC 0CB C9 A9 DFw C9 ADP 5B"
 280 | 	$string1 = "14Bc 5C 3Bp CB 2A 12 3D A56 AA 14 87 E3 81 8A 80h 27 1C 3A4 CE 12 AE FAy F0 8A 21 B8I AD 1E B9 2C D1"
 281 | 	$string2 = "0J 95 83 CC 1C 95D CAD 1A EA F3 00 E9 DA_ F2 ED 3CM1 A0 01t 1B EE 2C B6AWKq BF CAY FE D8 F2 7C 96 92"
 282 | 	$string3 = "A8MTCsn C9 DBu D3 10 A0 D4 AC A9 97 06Rn 01 DAK EFFN ADP AE 0E 8FJd 8F DA B6 25RO 18 2A 00 EA F9 8B "
 283 | 	$string4 = "A3 EB C1 CE 1E C4ok C4 19 F2 A7 17 9FCoz B6- C6 25J BB 0B 8C1OZ E4 7B AEz F6 06A 5D C0 D7 E8 FF DB D"
 284 | 	$string5 = " 07 DE A3 F8 B0 B3 20V A4 B2 C8 60 BD EEG 95 BB 04 1Ckw A4 80 E6 23 F02 FA 9C 9A 14F BDC 18 BE BD B4"
 285 | 	$string6 = "7 D1 B9 9B AC 2AN BA D3 00 A9 1CJ3J C0V 8F 8E FC B6p9 00 E1 01 21j B3 27 FF C3 8E 2B 92 8B DEiUI C3 "
 286 | 	$string7 = " 99 2C AF9 F9 3F5 A8 F0 1BU C8e/ 00Q B4 10 DD BC 9D 8A BF B2 17 8F BFd DB D1 B7 E66 21 96 86 1E B2 1"
 287 | 	$string8 = "E86 DF9 22Tg E93 9Em 29 0A 5B B5m E2 DCIF D6 D2 F5B CF F7XkRv BE EA A6 C5 82p 5E B3 B4aD B9 3A E0 22"
 288 | 	$string9 = " 7C 95.q D6f E8 1AE 17 82T 84 F1/O 82 C2q C7 FE 05C E4 E5W F5 0A E4l 12 3Brt 8A E0 E7 DDJ 1F 1F C4 A"
 289 | 	$string10 = "4t 91iE BD 2C 95U E9 1C AE 5B 5B A3 9D B2 F9 0B B5 15S9 AB 9D 94 85 A6 F1 AF B6 FC CAt 91iE BD 2C 95"
 290 | 	$string11 = "  </input>"
 291 | 	$string12 = "2 D12 93 FD AB 0DKK AEN 40 DA 88 7B FA 3B 18 EE 09 92 ED AF A8b 07 002 0A A3S 04 29 F9 A3 EA BB E9 7"
 292 | 	$string13 = "40 C6 0C AFR5E 15 07 EE CBg B3 C6 60G 92tFt D7E 7D F0 C4 A89 29 EC BA E1 D9 3D 23 F0 0B E0o 3E2c B3 "
 293 | 	$string14 = "2 A3. A3 F1 D8 D4 A83K 9C AEu FF EA 02 F4 B8 A0 EE C9 7B 15 C1 07D 80 7C 10 864 96 E3 AA F8 99bgve D"
 294 | 	$string15 = "C 7D DC 0A E9 0D A1k 85s 9D 24 8C D0k E1 7E 3AH E2 052 D8q 16 FC 96 0AR C0 EC 99K4 3F BE ED CC DBE A"
 295 | 	$string16 = "40 DA 88 7B 9E 1A B3 FA DE 90U 5B BD6x 9A 0C 163 AB EA ED B4 B5 98 ADL B7 06 EE E5y B8 9B C9Q 00 E9 "
 296 | 	$string17 = "F BF_ F9 AC 5B CC 0B1 7B 60 20c 40 C6 0C AFR5 0B C7D 09 9D E30 14 AC 027 B2 B9B A7 06 E3z DC- B2 60 "
 297 | 	$string18 = "0 80 97Oi 8C 85 D2 1Bp CDv 11 05 D4 26 E7 FC 3DlO AE 96 D2 1B 89 7C 16H 11 86 D0 A6 B95 FC 01 C5 8E "
 298 | condition:
 299 | 	18 of them
 300 | }
 301 | 
 302 | rule angler_jar
 303 | {
 304 | meta:
 305 | 	author = "Josh Berry"
 306 | 	date = "2016-06-26"
 307 | 	description = "Angler Exploit Kit Detection"
 308 | 	hash0 = "3de78737b728811af38ea780de5f5ed7"
 309 | 	sample_filetype = "unknown"
 310 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 311 | strings:
 312 | 	$string0 = "myftysbrth"
 313 | 	$string1 = "classPK"
 314 | 	$string2 = "8aoadN"
 315 | 	$string3 = "j5/_<F"
 316 | 	$string4 = "FXPreloader.class"
 317 | 	$string5 = "V4w\\K,"
 318 | 	$string6 = "W\\Vr2a"
 319 | 	$string7 = "META-INF/MANIFEST.MF"
 320 | 	$string8 = "Na8$NS"
 321 | 	$string9 = "_YJjB'"
 322 | condition:
 323 | 	9 of them
 324 | }
 325 | 
 326 | rule angler_js
 327 | {
 328 | meta:
 329 | 	author = "Josh Berry"
 330 | 	date = "2016-06-26"
 331 | 	description = "Angler Exploit Kit Detection"
 332 | 	hash0 = "482d6c24a824103f0bcd37fa59e19452"
 333 | 	sample_filetype = "js-html"
 334 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 335 | strings:
 336 | 	$string0 = "    2654435769,   Be"
 337 | 	$string1 = "DFOMIqka "
 338 | 	$string2 = ",  Zydr$>>16"
 339 | 	$string3 = "DFOMIqka( 'OPPj_phuPuiwzDFo')"
 340 | 	$string4 = "U0BNJWZ9J0vM43TnlNZcWnZjZSelQZlb1HGTTllZTm19emc0dlsYF13GvhQJmTZmbVMxallMdhWW948YWi t    P  b50GW"
 341 | 	$string5 = "    auSt;"
 342 | 	$string6 = " eval    (NDbMFR "
 343 | 	$string7 = "jWUwYDZhNVyMI2TzykEYjWk0MDM5MA%ZQ1TD1gEMzj         3  D       ',"
 344 | 	$string8 = "('fE').substr    (2    ,    1 "
 345 | 	$string9 = ",  -1 "
 346 | 	$string10 = "    )  );Zydr$  [ 1]"
 347 | 	$string11 = " 11;PsKnARPQuNNZMP<9;PsKnARPQuNNZMP"
 348 | 	$string12 = "new   Array  (2),  Ykz"
 349 | 	$string13 = "<script> "
 350 | 	$string14 = ");    CYxin "
 351 | 	$string15 = "Zydr$    [    1]"
 352 | 	$string16 = "var tKTGVbw,auSt, vnEihY, gftiUIdV, XnHs, UGlMHG, KWlqCKLfCV;"
 353 | 	$string17 = "reXKyQsob1reXKyQsob3 "
 354 | condition:
 355 | 	17 of them
 356 | }
 357 | 
 358 | rule blackhole1_jar
 359 | {
 360 | meta:
 361 | 	author = "Josh Berry"
 362 | 	date = "2016-06-26"
 363 | 	description = "BlackHole1 Exploit Kit Detection"
 364 | 	hash0 = "724acccdcf01cf2323aa095e6ce59cae"
 365 | 	sample_filetype = "unknown"
 366 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 367 | strings:
 368 | 	$string0 = "Created-By: 1.6.0_18 (Sun Microsystems Inc.)"
 369 | 	$string1 = "workpack/decoder.classmQ]S"
 370 | 	$string2 = "workpack/decoder.classPK"
 371 | 	$string3 = "workpack/editor.classPK"
 372 | 	$string4 = "xmleditor/GUI.classmO"
 373 | 	$string5 = "xmleditor/GUI.classPK"
 374 | 	$string6 = "xmleditor/peers.classPK"
 375 | 	$string7 = "v(SiS]T"
 376 | 	$string8 = ",R3TiV"
 377 | 	$string9 = "META-INF/MANIFEST.MFPK"
 378 | 	$string10 = "xmleditor/PK"
 379 | 	$string11 = "Z[Og8o"
 380 | 	$string12 = "workpack/PK"
 381 | condition:
 382 | 	12 of them
 383 | }
 384 | 
 385 | rule blackhole_basic : exploit_kit
 386 | {
 387 |     strings:
 388 |         $a = /\.php\?.*?\:[a-zA-Z0-9\:]{6,}\&.*?\&/
 389 |     condition:
 390 |         $a
 391 | }
 392 | 
 393 | rule bleedinglife2_adobe_2010_1297_exploit
 394 | {
 395 | meta:
 396 | 	author = "Josh Berry"
 397 | 	date = "2016-06-26"
 398 | 	description = "BleedingLife2 Exploit Kit Detection"
 399 | 	hash0 = "8179a7f91965731daa16722bd95f0fcf"
 400 | 	sample_filetype = "unknown"
 401 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 402 | strings:
 403 | 	$string0 = "getSharedStyle"
 404 | 	$string1 = "currentCount"
 405 | 	$string2 = "String"
 406 | 	$string3 = "setSelection"
 407 | 	$string4 = "BOTTOM"
 408 | 	$string5 = "classToInstancesDict"
 409 | 	$string6 = "buttonDown"
 410 | 	$string7 = "focusRect"
 411 | 	$string8 = "pill11"
 412 | 	$string9 = "TEXT_INPUT"
 413 | 	$string10 = "restrict"
 414 | 	$string11 = "defaultButtonEnabled"
 415 | 	$string12 = "copyStylesToChild"
 416 | 	$string13 = " xmlns:xmpMM"
 417 | 	$string14 = "_editable"
 418 | 	$string15 = "classToDefaultStylesDict"
 419 | 	$string16 = "IMEConversionMode"
 420 | 	$string17 = "Scene 1"
 421 | condition:
 422 | 	17 of them
 423 | }
 424 | 
 425 | rule bleedinglife2_adobe_2010_2884_exploit
 426 | {
 427 | meta:
 428 | 	author = "Josh Berry"
 429 | 	date = "2016-06-26"
 430 | 	description = "BleedingLife2 Exploit Kit Detection"
 431 | 	hash0 = "b22ac6bea520181947e7855cd317c9ac"
 432 | 	sample_filetype = "unknown"
 433 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 434 | strings:
 435 | 	$string0 = "_autoRepeat"
 436 | 	$string1 = "embedFonts"
 437 | 	$string2 = "KeyboardEvent"
 438 | 	$string3 = "instanceStyles"
 439 | 	$string4 = "InvalidationType"
 440 | 	$string5 = "autoRepeat"
 441 | 	$string6 = "getScaleX"
 442 | 	$string7 = "RadioButton_selectedDownIcon"
 443 | 	$string8 = "configUI"
 444 | 	$string9 = "deactivate"
 445 | 	$string10 = "fl.controls:Button"
 446 | 	$string11 = "_mouseStateLocked"
 447 | 	$string12 = "fl.core.ComponentShim"
 448 | 	$string13 = "toString"
 449 | 	$string14 = "_group"
 450 | 	$string15 = "addRadioButton"
 451 | 	$string16 = "inCallLaterPhase"
 452 | 	$string17 = "oldMouseState"
 453 | condition:
 454 | 	17 of them
 455 | }
 456 | 
 457 | rule bleedinglife2_jar2
 458 | {
 459 | meta:
 460 | 	author = "Josh Berry"
 461 | 	date = "2016-06-26"
 462 | 	description = "BleedingLife2 Exploit Kit Detection"
 463 | 	hash0 = "2bc0619f9a0c483f3fd6bce88148a7ab"
 464 | 	sample_filetype = "unknown"
 465 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 466 | strings:
 467 | 	$string0 = "META-INF/MANIFEST.MFPK"
 468 | 	$string1 = "RequiredJavaComponent.classPK"
 469 | 	$string2 = "META-INF/JAVA.SFm"
 470 | 	$string3 = "RequiredJavaComponent.class"
 471 | 	$string4 = "META-INF/MANIFEST.MF"
 472 | 	$string5 = "META-INF/JAVA.DSAPK"
 473 | 	$string6 = "META-INF/JAVA.SFPK"
 474 | 	$string7 = "5EVTwkx"
 475 | 	$string8 = "META-INF/JAVA.DSA3hb"
 476 | 	$string9 = "y\\Dw -"
 477 | condition:
 478 | 	9 of them
 479 | }
 480 | 
 481 | rule bleedinglife2_java_2010_0842_exploit
 482 | {
 483 | meta:
 484 | 	author = "Josh Berry"
 485 | 	date = "2016-06-26"
 486 | 	description = "BleedingLife2 Exploit Kit Detection"
 487 | 	hash0 = "b14ee91a3da82f5acc78abd10078752e"
 488 | 	sample_filetype = "unknown"
 489 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 490 | strings:
 491 | 	$string0 = "META-INF/MANIFEST.MFManifest-Version: 1.0"
 492 | 	$string1 = "ToolsDemo.classPK"
 493 | 	$string2 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProvider5"
 494 | 	$string3 = "Created-By: 1.6.0_22 (Sun Microsystems Inc.)"
 495 | 	$string4 = "META-INF/PK"
 496 | 	$string5 = "ToolsDemo.class"
 497 | 	$string6 = "META-INF/services/PK"
 498 | 	$string7 = "ToolsDemoSubClass.classPK"
 499 | 	$string8 = "META-INF/MANIFEST.MFPK"
 500 | 	$string9 = "ToolsDemoSubClass.classeN"
 501 | condition:
 502 | 	9 of them
 503 | }
 504 | 
 505 | rule crimepack_jar
 506 | {
 507 | meta:
 508 | 	author = "Josh Berry"
 509 | 	date = "2016-06-26"
 510 | 	description = "CrimePack Exploit Kit Detection"
 511 | 	hash0 = "d48e70d538225bc1807842ac13a8e188"
 512 | 	sample_filetype = "unknown"
 513 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 514 | strings:
 515 | 	$string0 = "r.JM,IM"
 516 | 	$string1 = "cpak/Crimepack$1.classPK"
 517 | 	$string2 = "cpak/KAVS.classPK"
 518 | 	$string3 = "cpak/KAVS.classmQ"
 519 | 	$string4 = "cpak/Crimepack$1.classmP[O"
 520 | 	$string5 = "META-INF/MANIFEST.MF"
 521 | 	$string6 = "META-INF/MANIFEST.MFPK"
 522 | condition:
 523 | 	6 of them
 524 | }
 525 | 
 526 | rule crimepack_jar3
 527 | {
 528 | meta:
 529 | 	author = "Josh Berry"
 530 | 	date = "2016-06-26"
 531 | 	description = "CrimePack Exploit Kit Detection"
 532 | 	hash0 = "40ed977adc009e1593afcb09d70888c4"
 533 | 	sample_filetype = "unknown"
 534 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 535 | strings:
 536 | 	$string0 = "payload.serPK"
 537 | 	$string1 = "vE/JD[j"
 538 | 	$string2 = "payload.ser["
 539 | 	$string3 = "Exploit$2.classPK"
 540 | 	$string4 = "Exploit$2.class"
 541 | 	$string5 = "Ho((i/"
 542 | 	$string6 = "META-INF/MANIFEST.MF"
 543 | 	$string7 = "H5641Yk"
 544 | 	$string8 = "Exploit$1.classPK"
 545 | 	$string9 = "Payloader.classPK"
 546 | 	$string10 = "%p6$MCS"
 547 | 	$string11 = "Exploit$1$1.classPK"
 548 | condition:
 549 | 	11 of them
 550 | }
 551 | 
 552 | rule cve_2013_0074
 553 | {
 554 | meta:
 555 | 	author = "Kaspersky Lab"
 556 | 	filetype = "Win32 EXE"
 557 | 	date = "2015-07-23"
 558 | 	version = "1.0"
 559 | 
 560 | strings:
 561 | 	$b2="Can't find Payload() address" ascii wide
 562 | 	$b3="/SilverApp1;component/App.xaml" ascii wide
 563 | 	$b4="Can't allocate ums after buf[]" ascii wide
 564 | 	$b5="------------ START ------------"
 565 | 
 566 | condition:
 567 | 	( (2 of ($b*)) )
 568 | }
 569 | 
 570 | rule CVE_2013_0422
 571 | {
 572 |         meta:
 573 |                 description = "Java Applet JMX Remote Code Execution"
 574 |                 cve = "CVE-2013-0422"
 575 |                 ref = "http://pastebin.com/JVedyrCe"
 576 |                 author = "adnan.shukor@gmail.com"
 577 |                 date = "12-Jan-2013"
 578 |                 version = "1"
 579 |                 impact = 4
 580 |                 hide = false
 581 |         strings:
 582 |                 $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
 583 |                 $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
 584 |                 $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
 585 |                 $0422_4 = "findClass" fullword
 586 |                 $0422_5 = "publicLookup" fullword
 587 |                 $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword 
 588 |         condition:
 589 |                 (all of ($0422_*)) or (all of them)
 590 | }
 591 | 
 592 | rule eleonore_jar
 593 | {
 594 | meta:
 595 | 	author = "Josh Berry"
 596 | 	date = "2016-06-26"
 597 | 	description = "Eleonore Exploit Kit Detection"
 598 | 	hash0 = "ad829f4315edf9c2611509f3720635d2"
 599 | 	sample_filetype = "unknown"
 600 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 601 | strings:
 602 | 	$string0 = "r.JM,IM"
 603 | 	$string1 = "dev/s/DyesyasZ.classPK"
 604 | 	$string2 = "k4kjRv"
 605 | 	$string3 = "dev/s/LoaderX.class}V[t"
 606 | 	$string4 = "dev/s/PK"
 607 | 	$string5 = "Hsz6%y"
 608 | 	$string6 = "META-INF/MANIFEST.MF"
 609 | 	$string7 = "dev/PK"
 610 | 	$string8 = "dev/s/AdgredY.class"
 611 | 	$string9 = "dev/s/DyesyasZ.class"
 612 | 	$string10 = "dev/s/LoaderX.classPK"
 613 | 	$string11 = "eS0L5d"
 614 | 	$string12 = "8E{4ON"
 615 | condition:
 616 | 	12 of them
 617 | }
 618 | 
 619 | rule eleonore_jar2
 620 | {
 621 | meta:
 622 | 	author = "Josh Berry"
 623 | 	date = "2016-06-26"
 624 | 	description = "Eleonore Exploit Kit Detection"
 625 | 	hash0 = "94e99de80c357d01e64abf7dc5bd0ebd"
 626 | 	sample_filetype = "unknown"
 627 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 628 | strings:
 629 | 	$string0 = "META-INF/MANIFEST.MFManifest-Version: 1.0"
 630 | 	$string1 = "wPVvVyz"
 631 | 	$string2 = "JavaFX.class"
 632 | 	$string3 = "{%D@'\\"
 633 | 	$string4 = "JavaFXColor.class"
 634 | 	$string5 = "bWxEBI}Y"
 635 | 	$string6 = "$(2}UoD"
 636 | 	$string7 = "j%4muR"
 637 | 	$string8 = "vqKBZi"
 638 | 	$string9 = "l6gs8;"
 639 | 	$string10 = "JavaFXTrueColor.classeSKo"
 640 | 	$string11 = "ZyYQx "
 641 | 	$string12 = "META-INF/"
 642 | 	$string13 = "JavaFX.classPK"
 643 | 	$string14 = ";Ie8{A"
 644 | condition:
 645 | 	14 of them
 646 | }
 647 | 
 648 | rule eleonore_jar3
 649 | {
 650 | meta:
 651 | 	author = "Josh Berry"
 652 | 	date = "2016-06-26"
 653 | 	description = "Eleonore Exploit Kit Detection"
 654 | 	hash0 = "f65f3b9b809ebf221e73502480ab6ea7"
 655 | 	sample_filetype = "unknown"
 656 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 657 | strings:
 658 | 	$string0 = "16lNYF2V"
 659 | 	$string1 = "META-INF/MANIFEST.MFPK"
 660 | 	$string2 = "ghsdr/Jewredd.classPK"
 661 | 	$string3 = "ghsdr/Gedsrdc.class"
 662 | 	$string4 = "e[<n55"
 663 | 	$string5 = "ghsdr/Gedsrdc.classPK"
 664 | 	$string6 = "META-INF/"
 665 | 	$string7 = "na}pyO"
 666 | 	$string8 = "9A1.F\\"
 667 | 	$string9 = "ghsdr/Kocer.class"
 668 | 	$string10 = "MXGXO8"
 669 | 	$string11 = "ghsdr/Kocer.classPK"
 670 | 	$string12 = "ghsdr/Jewredd.class"
 671 | condition:
 672 | 	12 of them
 673 | }
 674 | 
 675 | rule eleonore_js
 676 | {
 677 | meta:
 678 | 	author = "Josh Berry"
 679 | 	date = "2016-06-26"
 680 | 	description = "Eleonore Exploit Kit Detection"
 681 | 	hash0 = "08f8488f1122f2388a0fd65976b9becd"
 682 | 	sample_filetype = "js-html"
 683 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 684 | strings:
 685 | 	$string0 = "var de"
 686 | 	$string1 = "sdjk];"
 687 | 	$string2 = "return dfshk;"
 688 | 	$string3 = "function jkshdk(){"
 689 | 	$string4 = "'val';"
 690 | 	$string5 = "var sdjk"
 691 | 	$string6 = "return fsdjkl;"
 692 | 	$string7 = " window[d"
 693 | 	$string8 = "var fsdjkl"
 694 | 	$string9 = "function jklsdjfk() {"
 695 | 	$string10 = "function rewiry(yiyr,fjkhd){"
 696 | 	$string11 = " sdjd "
 697 | condition:
 698 | 	11 of them
 699 | }
 700 | 
 701 | rule eleonore_js2
 702 | {
 703 | meta:
 704 | 	author = "Josh Berry"
 705 | 	date = "2016-06-26"
 706 | 	description = "Eleonore Exploit Kit Detection"
 707 | 	hash0 = "2f5ace22e886972a8dccc6aa5deb1e79"
 708 | 	sample_filetype = "js-html"
 709 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 710 | strings:
 711 | 	$string0 = "var dfshk "
 712 | 	$string1 = "arrow_next_down"
 713 | 	$string2 = "return eval('yiyr.replac'"
 714 | 	$string3 = "arrow_next_over"
 715 | 	$string4 = "arrow_prev_over"
 716 | 	$string5 = "xcCSSWeekdayBlock"
 717 | 	$string6 = "xcCSSHeadBlock"
 718 | 	$string7 = "xcCSSDaySpecial"
 719 | 	$string8 = "xcCSSDay"
 720 | 	$string9 = " window[df "
 721 | 	$string10 = "day_special"
 722 | 	$string11 = "var df"
 723 | 	$string12 = "function jklsdjfk() {"
 724 | 	$string13 = " sdjd "
 725 | 	$string14 = "'e(/kljf hdfk sdf/g,fjkhd);');"
 726 | 	$string15 = "arrow_next"
 727 | condition:
 728 | 	15 of them
 729 | }
 730 | 
 731 | rule eleonore_js3
 732 | {
 733 | meta:
 734 | 	author = "Josh Berry"
 735 | 	date = "2016-06-26"
 736 | 	description = "Eleonore Exploit Kit Detection"
 737 | 	hash0 = "9dcb8cd8d4f418324f83d914ab4d4650"
 738 | 	sample_filetype = "js-html"
 739 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 740 | strings:
 741 | 	$string0 = "@mozilla.org/file/directory_service;1"
 742 | 	$string1 = "var exe "
 743 | 	$string2 = "var file "
 744 | 	$string3 = "foStream.write(data, data.length);"
 745 | 	$string4 = "  var file_data "
 746 | 	$string5 = "return "
 747 | 	$string6 = " Components.classes["
 748 | 	$string7 = "url : "
 749 | 	$string8 = "].createInstance(Components.interfaces.nsILocalFile);"
 750 | 	$string9 = "  var bstream "
 751 | 	$string10 = " bstream.readBytes(size); "
 752 | 	$string11 = "@mozilla.org/supports-string;1"
 753 | 	$string12 = "  var channel "
 754 | 	$string13 = "tmp.exe"
 755 | 	$string14 = "  if (channel instanceof Components.interfaces.nsIHttpChannel "
 756 | 	$string15 = "@mozilla.org/network/io-service;1"
 757 | 	$string16 = " bstream.available()) { "
 758 | 	$string17 = "].getService(Components.interfaces.nsIIOService); "
 759 | condition:
 760 | 	17 of them
 761 | }
 762 | 
 763 | rule fragus_htm
 764 | {
 765 | meta:
 766 | 	author = "Josh Berry"
 767 | 	date = "2016-06-26"
 768 | 	description = "Fragus Exploit Kit Detection"
 769 | 	hash0 = "f76deec07a61b4276acc22beef41ea47"
 770 | 	sample_filetype = "js-html"
 771 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 772 | strings:
 773 | 	$string0 = ">Hello, "
 774 | 	$string1 = "http://www.clantemplates.com"
 775 | 	$string2 = "this template was created by Bl1nk and is downloadable at <B>ClanTemplates.com<BR></B>Replace "
 776 | 	$string3 = "></TD></TR></TABLE> "
 777 | 	$string4 = "Image21"
 778 | 	$string5 = "scrollbar etc.<BR><BR>Enjoy, Bl1nk</FONT></TD></TR></TABLE><BR></CENTER></TD></TR> "
 779 | 	$string6 = "to this WarCraft Template"
 780 | 	$string7 = " document.getElementById) x"
 781 | 	$string8 = "    if (a[i].indexOf("
 782 | 	$string9 = "x.oSrc;"
 783 | 	$string10 = "x.src; x.src"
 784 | 	$string11 = "<HTML>"
 785 | 	$string12 = "FFFFFF"
 786 | 	$string13 = " CELLSPACING"
 787 | 	$string14 = "images/layoutnormal_03.gif"
 788 | 	$string15 = "<TR> <TD "
 789 | 	$string16 = " CELLPADDING"
 790 | condition:
 791 | 	16 of them
 792 | }
 793 | 
 794 | rule fragus_js
 795 | {
 796 | meta:
 797 | 	author = "Josh Berry"
 798 | 	date = "2016-06-26"
 799 | 	description = "Fragus Exploit Kit Detection"
 800 | 	hash0 = "f234c11b5da9a782cb1e554f520a66cf"
 801 | 	sample_filetype = "js-html"
 802 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 803 | strings:
 804 | 	$string0 = "));ELI6Q3PZ"
 805 | 	$string1 = "VGhNU2pWQmMyUXhPSFI2TTNCVGVEUXpSR3huYm1aeE5UaFhXRFI0ZFhCQVMxWkRNVGh0V0hZNFZVYzBXWFJpTVRoVFpFUklaVGxG"
 806 | 	$string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
 807 | 	$string3 = "TkhXa0ZrT1haNGRFSXhRM3BrTkRoVGMxZEJSMmcyT0dwNlkzSTJYM1pCYkZnMVVqQmpWMEZIYURZNGFucGpjalpmZGtGc1dERXpT"
 808 | 	$string4 = "byKZKkpZU<<18"
 809 | 	$string5 = ");CUer0x"
 810 | 	$string6 = "bzWRebpU3yE>>16"
 811 | 	$string7 = "RUJEWlVvMGNsVTVNMEpNWDNaNGJVSkpPRUJrUlVwRVQwQlNaR2cyY0ZWSE5GbDBRVFZ5UjFnMk9HVldOWGhMYUdFelRIZG5NMWQz"
 812 | 	$string8 = "WnZSVGxuT1ZSRkwwaFZSelZGUm5GRlJFVTBLVHQ0UWxKQ1drdzBiWEJ5WkhSdVBtdG9XVWd6TVVGSGFFeDVTMlk3ZUVKU1FscE1O"
 813 | 	$string9 = "QmZjMGN4YjBCd1oyOXBURUJJZEhvMFdYcGtOamhFV1ZwU01GVlZZbXBpUUZKV1lqTXpWMDAwY0dSNlF6aE1SekZ5ZEc4ME9FeEtN"
 814 | 	$string10 = "SCpMaWXOuME("
 815 | 	$string11 = "VjJKcVkxZGlYMTlhUVdRNVNUTkhaRFk0YWpsYWJsWkRNVGh0V0hZNFZVYzBXWFJ2Tm5CVmFEUlpWVmhDT0ZWV05YaDBRa1ZTUkUw"
 816 | 	$string12 = "2;}else{Yuii37DWU"
 817 | 	$string13 = "ELI6Q3PZ"
 818 | 	$string14 = "ZUhNNVZYQlZlRFY0UUZnMk9HMVlORkpFYkRsNGMxbEpPRUJSTVY5SGNETllPRXB0YjBsaloySnhPVVZ3UkZWQVgzTllORGgwV0RS"
 819 | 	$string15 = "S05GbE1lalk0Vm1ORmVEWnpXbEpXZDBWaU5ubzJjRlkzVjFsbFgwVmlURlpuYnpCUE5HNTBhRFpaVEZrMVFYTjZObkIwWTBVNE4x"
 820 | 	$string16 = "Vm5CWFFVZG9OamhxZW1OeU5sOTJRV3hZTVROSlpEWTRVM294V1VSUFFFdFdZalE0WlVjeGNsSmtObmhBYURVNFZVZEFjRlZDZGtO"
 821 | 	$string17 = "Yuii37DWU<<12"
 822 | 	$string18 = ";while(hdnR9eo3pZ6E3<ZZeD3LjJQ.length){eMImGB"
 823 | condition:
 824 | 	18 of them
 825 | }
 826 | 
 827 | rule fragus_js2
 828 | {
 829 | meta:
 830 | 	author = "Josh Berry"
 831 | 	date = "2016-06-26"
 832 | 	description = "Fragus Exploit Kit Detection"
 833 | 	hash0 = "f234c11b5da9a782cb1e554f520a66cf"
 834 | 	sample_filetype = "js-html"
 835 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 836 | strings:
 837 | 	$string0 = "(ELI6Q3PZ"
 838 | 	$string1 = "SnJTbVJqV2tOa09VbGZSMHcwY0ZWZmRrRjBjRFY0Y3psVmNGVjROWGhBV0RZNGJWZzBVa1J4TjNCVlgwVmlhRjkyZURaS1NWOUhj"
 839 | 	$string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
 840 | 	$string3 = "VUpKUVdWS05ISlZjMXBTTUdWRlNFQmpaMjlrVDBCTFYzY3pZbGRpZG5oeldFUndkSE16YjB4M2JXSnFZMWRpZVY4ellreDNaMko1"
 841 | 	$string4 = "((Yuii37DWU"
 842 | 	$string5 = "YURVNFZXUlhjRlZDZGxsQVJ6UlNaRTlBUzFkM00ySlhiekU0ZEhnMWNrUjZZM0kyWDNaQmJGZ3hNMGxrTmpoVGVqRlpkSEUyV1dW"
 843 | 	$string6 = "String.fromCharCode(ZZeD3LjJQ);}else if(QIyZsvvbEmVOpp"
 844 | 	$string7 = "1);ELI6Q3PZ"
 845 | 	$string8 = "));Yuii37DWU"
 846 | 	$string9 = ");CUer0x"
 847 | 	$string10 = "T1ZaQ05IUkRTVGhqT1VWd1ZWOUpRMlZLZG5oNlQwQkxWM2N6WWxkQmRrRkFPVmR3VlRsYWJsWnNOWGhKT1ZkeFZWazFRbEU1UlZK"
 848 | 	$string11 = "TlpkM2wxS3lzcExUUTRYU2s4UEhocFVqRk9jazA3SUdsbUtIaHBVakZPY2swcGV5QkdWek5NVnlzOVVrSklWVE0wVDJ0NlpTZzJP"
 849 | 	$string12 = "String.fromCharCode(((eMImGB"
 850 | 	$string13 = "RGRDUkV0WFV6VkJkRkV4WHpCalYwRkhhRFk0YW5wamNqWmZka0ZzV0RaSWExZzBXWEZDUlZsQVpEWkJOMEoyZUhwd1duSlRXVE5J"
 851 | 	$string14 = "SCpMaWXOuME(mi1mm8bu87rL0W);eval(Pcii3iVk1AG);</script></body></html>"
 852 | 	$string15 = "Yuii37DWU"
 853 | 	$string16 = "Yuii37DWU<<12"
 854 | 	$string17 = "eTVzWlc1bmRHZ3NJRWhWUnpWRlJuRkZSRVUwUFRFd01qUXNJR2hQVlZsRVJFVmxVaXdnZUVKU1FscE1ORzF3Y21SMGJpd2dSbGN6"
 855 | condition:
 856 | 	17 of them
 857 | }
 858 | 
 859 | rule fragus_js_flash
 860 | {
 861 | meta:
 862 | 	author = "Josh Berry"
 863 | 	date = "2016-06-26"
 864 | 	description = "Fragus Exploit Kit Detection"
 865 | 	hash0 = "377431417b34de8592afecaea9aab95d"
 866 | 	sample_filetype = "js-html"
 867 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 868 | strings:
 869 | 	$string0 = "document.appendChild(bdy);try{for (i"
 870 | 	$string1 = "0; i<10; i"
 871 | 	$string2 = "default"
 872 | 	$string3 = "var m "
 873 | 	$string4 = "/g, document.getElementById('divid').innerHTML));"
 874 | 	$string5 = " n.substring(0,r/2);"
 875 | 	$string6 = "document.getElementById('f').innerHTML"
 876 | 	$string7 = "'atk' onclick"
 877 | 	$string8 = "function MAKEHEAP()"
 878 | 	$string9 = "document.createElement('div');"
 879 | 	$string10 = "<button id"
 880 | 	$string11 = "/g, document.getElementById('divid').innerHTML);"
 881 | 	$string12 = "document.body.appendChild(gg);"
 882 | 	$string13 = "var bdy "
 883 | 	$string14 = "var gg"
 884 | 	$string15 = " unescape(gg);while(n.length<r/2) { n"
 885 | condition:
 886 | 	15 of them
 887 | }
 888 | 
 889 | rule fragus_js_java
 890 | {
 891 | meta:
 892 | 	author = "Josh Berry"
 893 | 	date = "2016-06-26"
 894 | 	description = "Fragus Exploit Kit Detection"
 895 | 	hash0 = "7398e435e68a2fa31607518befef30fb"
 896 | 	sample_filetype = "js-html"
 897 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 898 | strings:
 899 | 	$string0 = "I></XML><SPAN DATASRC"
 900 | 	$string1 = "setTimeout('vparivatel()',8000);function vparivatel(){document.write('<iframe src"
 901 | 	$string2 = "I DATAFLD"
 902 | 	$string3 = " unescape("
 903 | 	$string4 = ", 1);swf.setAttribute("
 904 | 	$string5 = "function XMLNEW(){var spray "
 905 | 	$string6 = "vparivatel.php"
 906 | 	$string7 = "6) ){if ( (lv"
 907 | 	$string8 = "'WIN 9,0,16,0')"
 908 | 	$string9 = "d:/Program Files/Outlook Express/WAB.EXE"
 909 | 	$string10 = "<XML ID"
 910 | 	$string11 = "new ActiveXObject("
 911 | 	$string12 = "'7.1.0') ){SHOWPDF('iepdf.php"
 912 | 	$string13 = "function SWF(){try{sv"
 913 | 	$string14 = "'WIN 9,0,28,0')"
 914 | 	$string15 = "C DATAFORMATAS"
 915 | 	$string16 = " shellcode;xmlcode "
 916 | 	$string17 = "function SNAPSHOT(){var a"
 917 | condition:
 918 | 	17 of them
 919 | }
 920 | 
 921 | rule fragus_js_quicktime
 922 | {
 923 | meta:
 924 | 	author = "Josh Berry"
 925 | 	date = "2016-06-26"
 926 | 	description = "Fragus Exploit Kit Detection"
 927 | 	hash0 = "6bfc7bb877e1a79be24bd9563c768ffd"
 928 | 	sample_filetype = "js-html"
 929 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 930 | strings:
 931 | 	$string0 = "                setTimeout("
 932 | 	$string1 = "wnd.location"
 933 | 	$string2 = "window;"
 934 | 	$string3 = "        var pls "
 935 | 	$string4 = "        mem_flag "
 936 | 	$string5 = ", 1500);} else{ PRyyt4O3wvgz(1);}"
 937 | 	$string6 = "         } catch(e) { }"
 938 | 	$string7 = " mem_flag) JP7RXLyEu();"
 939 | 	$string8 = " 0x400000;"
 940 | 	$string9 = "----------------------------------------------------------------------------------------------------"
 941 | 	$string10 = "        heapBlocks "
 942 | 	$string11 = "        return mm;"
 943 | 	$string12 = "0x38);"
 944 | 	$string13 = "        h();"
 945 | 	$string14 = " getb(b,bSize);"
 946 | 	$string15 = "getfile.php"
 947 | condition:
 948 | 	15 of them
 949 | }
 950 | 
 951 | rule fragus_js_vml
 952 | {
 953 | meta:
 954 | 	author = "Josh Berry"
 955 | 	date = "2016-06-26"
 956 | 	description = "Fragus Exploit Kit Detection"
 957 | 	hash0 = "8ab72337c815e0505fcfbc97686c3562"
 958 | 	sample_filetype = "js-html"
 959 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
 960 | strings:
 961 | 	$string0 = " 0x100000;"
 962 | 	$string1 = "            var gg "
 963 | 	$string2 = "/g, document.getElementById('divid').innerHTML));"
 964 | 	$string3 = "                                var sss "
 965 | 	$string4 = "                }"
 966 | 	$string5 = "                        document.body.appendChild(obj);"
 967 | 	$string6 = "                                var hbs "
 968 | 	$string7 = " shcode; }"
 969 | 	$string8 = " '<div id"
 970 | 	$string9 = " hbs - (shcode.length"
 971 | 	$string10 = "){ m[i] "
 972 | 	$string11 = " unescape(gg);"
 973 | 	$string12 = "                                var z "
 974 | 	$string13 = "                                var hb "
 975 | 	$string14 = " Math.ceil('0'"
 976 | condition:
 977 | 	14 of them
 978 | }
 979 | 
 980 | rule generic_javascript_obfuscation
 981 | {
 982 | meta:
 983 | 	author = "Josh Berry"
 984 | 	date = "2016-06-28"
 985 | 	description = "JavaScript Obfuscation Detection"
 986 | 	sample_filetype = "js-html"
 987 | strings:
 988 | 	$string0 = /eval\(([\s]+)?(unescape|atob)\(/ nocase
 989 | 	$string1 = /var([\s]+)?([a-zA-Z_$])+([a-zA-Z0-9_$]+)?([\s]+)?=([\s]+)?\[([\s]+)?\"\\x[0-9a-fA-F]+/ nocase
 990 | 	$string2 = /var([\s]+)?([a-zA-Z_$])+([a-zA-Z0-9_$]+)?([\s]+)?=([\s]+)?eval;/
 991 | condition:
 992 | 	any of them
 993 | }
 994 | 
 995 | rule possible_includes_base64_packed_functions  
 996 | { 
 997 | 	meta: 
 998 | 		impact = 5 
 999 | 		hide = true 
1000 | 		desc = "Detects possible includes and packed functions" 
1001 | 	strings: 
1002 | 		$f = /(atob|btoa|;base64|base64,)/ nocase
1003 | 		//$ff = /(?:[A-Za-z0-9]{4}){2,}(?:[A-Za-z0-9]{2}[AEIMQUYcgkosw048]=|[A-Za-z0-9][AQgw]==)/ nocase 
1004 | 		$fff = /([A-Za-z0-9]{4})*([A-Za-z0-9]{2}==|[A-Za-z0-9]{3}=|[A-Za-z0-9]{4})/ 
1005 | 	condition: 
1006 | 		$f and $fff
1007 | } 
1008 |  
1009 | rule BeEF_browser_hooked {
1010 | 	meta:
1011 | 		description = "Yara rule related to hook.js, BeEF Browser hooking capability"
1012 | 		author = "Pasquale Stirparo"
1013 | 		date = "2015-10-07"
1014 | 		hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
1015 | 	strings:
1016 | 		$s0 = "mitb.poisonAnchor" wide ascii
1017 | 		$s1 = "this.request(this.httpproto" wide ascii
1018 | 		$s2 = "beef.logger.get_dom_identifier" wide ascii
1019 | 		$s3 = "return (!!window.opera" wide ascii 
1020 | 		$s4 = "history.pushState({ Be:\"EF\" }" wide ascii 
1021 | 		$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii 
1022 | 		$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii 
1023 | 		$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii 
1024 | 		$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii 
1025 | 		$s9 = "mitb.sniff(" wide ascii 
1026 | 		$s10 = "Method XMLHttpRequest.open override" wide ascii 
1027 | 		$s11 = ".browser.hasWebSocket" wide ascii 
1028 | 		$s12 = ".mitb.poisonForm" wide ascii 
1029 | 		$s13 = "resolved=require.resolve(file,cwd||" wide ascii 
1030 | 		$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii 
1031 | 		$s15 = "beef.net.request" wide ascii 
1032 | 		$s16 = "uagent.search(engineOpera)" wide ascii 
1033 | 		$s17 = "mitb.sniff" wide ascii
1034 | 		$s18 = "beef.logger.start" wide ascii
1035 | 	condition:
1036 | 		all of them
1037 | }
1038 | 
1039 | rule src_ptheft_command {
1040 | 	meta:
1041 | 		description = "Auto-generated rule - file command.js"
1042 | 		author = "Pasquale Stirparo"
1043 | 		reference = "not set"
1044 | 		date = "2015-10-08"
1045 | 		hash = "49c0e5400068924ff87729d9e1fece19acbfbd628d085f8df47b21519051b7f3"
1046 | 	strings:
1047 | 		$s0 = "var lilogo = 'http://content.linkedin.com/etc/designs/linkedin/katy/global/clientlibs/img/logo.png';" fullword wide ascii /* score: '38.00' */
1048 | 		$s1 = "dark=document.getElementById('darkenScreenObject'); " fullword wide ascii /* score: '21.00' */
1049 | 		$s2 = "beef.execute(function() {" fullword wide ascii /* score: '21.00' */
1050 | 		$s3 = "var logo  = 'http://www.youtube.com/yt/brand/media/image/yt-brand-standard-logo-630px.png';" fullword wide ascii /* score: '32.42' */
1051 | 		$s4 = "description.text('Enter your Apple ID e-mail address and password');" fullword wide ascii /* score: '28.00' */
1052 | 		$s5 = "sneakydiv.innerHTML= '<div id=\"edge\" '+edgeborder+'><div id=\"window_container\" '+windowborder+ '><div id=\"title_bar\" ' +ti" wide ascii /* score: '28.00' */
1053 | 		$s6 = "var logo  = 'https://www.yammer.com/favicon.ico';" fullword wide ascii /* score: '27.42' */
1054 | 		$s7 = "beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer);" fullword wide ascii /* score: '26.00' */
1055 | 		$s8 = "var title = 'Session Timed Out <img src=\"' + lilogo + '\" align=right height=20 width=70 alt=\"LinkedIn\">';" fullword wide ascii /* score: '24.00' */
1056 | 		$s9 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=20 width=70 alt=\"YouTube\">';" fullword wide ascii /* score: '24.00' */
1057 | 		$s10 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=24 width=24 alt=\"Yammer\">';" fullword wide ascii /* score: '24.00' */
1058 | 		$s11 = "var logobox = 'style=\"border:4px #84ACDD solid;border-radius:7px;height:45px;width:45px;background:#ffffff\"';" fullword wide ascii /* score: '21.00' */
1059 | 		$s12 = "sneakydiv.innerHTML= '<br><img src=\\''+imgr+'\\' width=\\'80px\\' height\\'80px\\' /><h2>Your session has timed out!</h2><p>For" wide ascii /* score: '23.00' */
1060 | 		$s13 = "inner.append(title, description, user,password);" fullword wide ascii /* score: '23.00' */
1061 | 		$s14 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
1062 | 		$s15 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
1063 | 		$s16 = "answer = document.getElementById('uname').value+':'+document.getElementById('pass').value;" fullword wide ascii /* score: '22.00' */
1064 | 		$s17 = "password.keydown(function(event) {" fullword wide ascii /* score: '21.01' */
1065 | 	condition:
1066 | 		13 of them
1067 | }
1068 | 
1069 | rule malicious_author : PDF
1070 | {
1071 | 	meta:
1072 | 		author = "Glenn Edwards (@hiddenillusion)"
1073 | 		version = "0.1"
1074 | 		weight = 5
1075 | 		
1076 | 	strings:
1077 | 		$magic = { 25 50 44 46 }
1078 | 		
1079 | 		$reg0 = /Creator.?\(yen vaw\)/
1080 | 		$reg1 = /Title.?\(who cis\)/
1081 | 		$reg2 = /Author.?\(ser pes\)/
1082 | 	condition:
1083 | 		$magic at 0 and all of ($reg*)
1084 | }
1085 | 
1086 | rule suspicious_version : PDF
1087 | {
1088 | 	meta:
1089 | 		author = "Glenn Edwards (@hiddenillusion)"
1090 | 		version = "0.1"
1091 | 		weight = 3
1092 | 		
1093 | 	strings:
1094 | 		$magic = { 25 50 44 46 }
1095 | 		$ver = /%PDF-1.\d{1}/
1096 | 	condition:
1097 | 		$magic at 0 and not $ver
1098 | }
1099 | 
1100 | rule suspicious_creation : PDF
1101 | {
1102 | 	meta:
1103 | 		author = "Glenn Edwards (@hiddenillusion)"
1104 | 		version = "0.1"
1105 | 		weight = 2
1106 | 		
1107 | 	strings:
1108 | 		$magic = { 25 50 44 46 }
1109 | 		$header = /%PDF-1\.(3|4|6)/
1110 | 		
1111 | 		$create0 = /CreationDate \(D:20101015142358\)/
1112 | 		$create1 = /CreationDate \(2008312053854\)/
1113 | 	condition:
1114 | 		$magic at 0 and $header and 1 of ($create*)
1115 | }
1116 | 
1117 | rule suspicious_title : PDF
1118 | {
1119 | 	meta:
1120 | 		author = "Glenn Edwards (@hiddenillusion)"
1121 | 		version = "0.1"
1122 | 		weight = 4
1123 | 		
1124 | 	strings:
1125 | 		$magic = { 25 50 44 46 }
1126 | 		$header = /%PDF-1\.(3|4|6)/
1127 | 		
1128 | 		$title0 = "who cis"
1129 | 		$title1 = "P66N7FF"
1130 | 		$title2 = "Fohcirya"
1131 | 	condition:
1132 | 		$magic at 0 and $header and 1 of ($title*)
1133 | }
1134 | 
1135 | rule suspicious_author : PDF
1136 | {
1137 | 	meta:
1138 | 		author = "Glenn Edwards (@hiddenillusion)"
1139 | 		version = "0.1"
1140 | 		weight = 4
1141 | 		
1142 | 	strings:
1143 | 		$magic = { 25 50 44 46 }
1144 | 		$header = /%PDF-1\.(3|4|6)/
1145 | 
1146 | 		$author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1"
1147 | 		$author1 = "ser pes"
1148 | 		$author2 = "Miekiemoes"
1149 | 		$author3 = "Nsarkolke"
1150 | 	condition:
1151 | 		$magic at 0 and $header and 1 of ($author*)
1152 | }
1153 | 
1154 | rule suspicious_producer : PDF
1155 | {
1156 | 	meta:
1157 | 		author = "Glenn Edwards (@hiddenillusion)"
1158 | 		version = "0.1"
1159 | 		weight = 2
1160 | 		
1161 | 	strings:
1162 | 		$magic = { 25 50 44 46 }
1163 | 		$header = /%PDF-1\.(3|4|6)/
1164 | 		
1165 | 		$producer0 = /Producer \(Scribus PDF Library/
1166 | 		$producer1 = "Notepad"
1167 | 	condition:
1168 | 		$magic at 0 and $header and 1 of ($producer*)
1169 | }
1170 | 
1171 | rule suspicious_creator : PDF
1172 | {
1173 | 	meta:
1174 | 		author = "Glenn Edwards (@hiddenillusion)"
1175 | 		version = "0.1"
1176 | 		weight = 3
1177 | 		
1178 | 	strings:
1179 | 		$magic = { 25 50 44 46 }
1180 | 		$header = /%PDF-1\.(3|4|6)/
1181 | 		
1182 | 		$creator0 = "yen vaw"
1183 | 		$creator1 = "Scribus"
1184 | 		$creator2 = "Viraciregavi"
1185 | 	condition:
1186 | 		$magic at 0 and $header and 1 of ($creator*)
1187 | }
1188 | 
1189 | rule possible_exploit : PDF
1190 | {
1191 | 	meta:
1192 | 		author = "Glenn Edwards (@hiddenillusion)"
1193 | 		version = "0.1"
1194 | 		weight = 3
1195 | 		
1196 | 	strings:
1197 | 		$magic = { 25 50 44 46 }
1198 | 		
1199 | 		$attrib0 = /\/JavaScript /
1200 | 		$attrib3 = /\/ASCIIHexDecode/
1201 | 		$attrib4 = /\/ASCII85Decode/
1202 | 
1203 | 		$action0 = /\/Action/
1204 | 		$action1 = "Array"
1205 | 		$shell = "A"
1206 | 		$cond0 = "unescape"
1207 | 		$cond1 = "String.fromCharCode"
1208 | 		
1209 | 		$nop = "%u9090%u9090"
1210 | 	condition:
1211 | 		$magic at 0 and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
1212 | }
1213 | 
1214 | rule shellcode_blob_metadata : PDF
1215 | {
1216 |         meta:
1217 |                 author = "Glenn Edwards (@hiddenillusion)"
1218 |                 version = "0.1"
1219 |                 description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded"
1220 |                 weight = 4
1221 |         strings:
1222 |                 $magic = { 25 50 44 46 }
1223 | 
1224 |                 $reg_keyword = /\/Keywords.?\(([a-zA-Z0-9]{200,})/ //~6k was observed in BHEHv2 PDF exploits holding the shellcode
1225 |                 $reg_author = /\/Author.?\(([a-zA-Z0-9]{200,})/
1226 |                 $reg_title = /\/Title.?\(([a-zA-Z0-9]{200,})/
1227 |                 $reg_producer = /\/Producer.?\(([a-zA-Z0-9]{200,})/
1228 |                 $reg_creator = /\/Creator.?\(([a-zA-Z0-9]{300,})/
1229 |                 $reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/
1230 | 
1231 |         condition:
1232 |                 $magic at 0 and 1 of ($reg*)
1233 | }
1234 | 
1235 | rule multiple_filtering : PDF 
1236 | {
1237 |         meta: 
1238 |                 author = "Glenn Edwards (@hiddenillusion)"
1239 |                 version = "0.2"
1240 |                 weight = 3
1241 |                 
1242 |         strings:
1243 |                 $magic = { 25 50 44 46 }
1244 |                 $attrib = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/           
1245 | 				// left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
1246 | 
1247 |         condition: 
1248 |                 $magic at 0 and $attrib
1249 | }
1250 | 
1251 | rule suspicious_js : PDF
1252 | {
1253 | 	meta:
1254 | 		author = "Glenn Edwards (@hiddenillusion)"
1255 | 		version = "0.1"
1256 | 		weight = 3
1257 | 		
1258 | 	strings:
1259 | 		$magic = { 25 50 44 46 }
1260 | 		
1261 | 		$attrib0 = /\/OpenAction /
1262 | 		$attrib1 = /\/JavaScript /
1263 | 
1264 | 		$js0 = "eval"
1265 | 		$js1 = "Array"
1266 | 		$js2 = "String.fromCharCode"
1267 | 		
1268 | 	condition:
1269 | 		$magic at 0 and all of ($attrib*) and 2 of ($js*)
1270 | }
1271 | 
1272 | rule suspicious_launch_action : PDF
1273 | {
1274 | 	meta:
1275 | 		author = "Glenn Edwards (@hiddenillusion)"
1276 | 		version = "0.1"
1277 | 		weight = 2
1278 | 		
1279 | 	strings:
1280 | 		$magic = { 25 50 44 46 }
1281 | 		
1282 | 		$attrib0 = /\/Launch/
1283 | 		$attrib1 = /\/URL /
1284 | 		$attrib2 = /\/Action/
1285 | 		$attrib3 = /\/F /
1286 | 
1287 | 	condition:
1288 | 		$magic at 0 and 3 of ($attrib*)
1289 | }
1290 | 
1291 | rule suspicious_embed : PDF
1292 | {
1293 | 	meta:
1294 | 		author = "Glenn Edwards (@hiddenillusion)"
1295 | 		version = "0.1"
1296 | 		ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
1297 | 		weight = 2
1298 | 		
1299 | 	strings:
1300 | 		$magic = { 25 50 44 46 }
1301 | 		
1302 | 		$meth0 = /\/Launch/
1303 | 		$meth1 = /\/GoTo(E|R)/ //means go to embedded or remote
1304 | 		$attrib0 = /\/URL /
1305 | 		$attrib1 = /\/Action/
1306 | 		$attrib2 = /\/Filespec/
1307 | 		
1308 | 	condition:
1309 | 		$magic at 0 and 1 of ($meth*) and 2 of ($attrib*)
1310 | }
1311 | 
1312 | rule suspicious_obfuscation : PDF
1313 | {
1314 | 	meta:
1315 | 		author = "Glenn Edwards (@hiddenillusion)"
1316 | 		version = "0.1"
1317 | 		weight = 2
1318 | 		
1319 | 	strings:
1320 | 		$magic = { 25 50 44 46 }
1321 | 		$reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
1322 | 		
1323 | 	condition:
1324 | 		$magic at 0 and #reg > 5
1325 | }
1326 | 
1327 | rule invalid_XObject_js : PDF
1328 | {
1329 | 	meta:
1330 | 		author = "Glenn Edwards (@hiddenillusion)"
1331 | 		description = "XObject's require v1.4+"
1332 | 		ref = "https://blogs.adobe.com/ReferenceXObjects/"
1333 | 		version = "0.1"
1334 | 		weight = 2
1335 | 		
1336 | 	strings:
1337 | 		$magic = { 25 50 44 46 }
1338 | 		$ver = /%PDF-1\.[4-9]/
1339 | 		
1340 | 		$attrib0 = /\/XObject/
1341 | 		$attrib1 = /\/JavaScript/
1342 | 		
1343 | 	condition:
1344 | 		$magic at 0 and not $ver and all of ($attrib*)
1345 | }
1346 | 
1347 | rule invalid_trailer_structure : PDF
1348 | {
1349 | 	meta:
1350 | 		author = "Glenn Edwards (@hiddenillusion)"
1351 | 		version = "0.1"
1352 | 		weight = 1
1353 | 		
1354 |         strings:
1355 |                 $magic = { 25 50 44 46 }
1356 | 				// Required for a valid PDF
1357 |                 $reg0 = /trailer\r?\n?.*\/Size.*\r?\n?\.*/
1358 |                 $reg1 = /\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/
1359 | 
1360 |         condition:
1361 |                 $magic at 0 and not $reg0 and not $reg1
1362 | }
1363 | 
1364 | rule multiple_versions : PDF
1365 | {
1366 | 	meta:
1367 | 		author = "Glenn Edwards (@hiddenillusion)"
1368 | 		version = "0.1"
1369 |         description = "Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed"		
1370 | 		weight = 0
1371 | 		
1372 |         strings:
1373 |                 $magic = { 25 50 44 46 }
1374 |                 $s0 = "trailer"
1375 |                 $s1 = "%%EOF"
1376 | 
1377 |         condition:
1378 |                 $magic at 0 and #s0 > 1 and #s1 > 1
1379 | }
1380 | 
1381 | rule js_wrong_version : PDF
1382 | {
1383 | 	meta:
1384 | 		author = "Glenn Edwards (@hiddenillusion)"
1385 | 		description = "JavaScript was introduced in v1.3"
1386 | 		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
1387 | 		version = "0.1"
1388 | 		weight = 2
1389 | 		
1390 |         strings:
1391 |                 $magic = { 25 50 44 46 }
1392 | 				$js = /\/JavaScript/
1393 | 				$ver = /%PDF-1\.[3-9]/
1394 | 
1395 |         condition:
1396 |                 $magic at 0 and $js and not $ver
1397 | }
1398 | 
1399 | rule JBIG2_wrong_version : PDF
1400 | {
1401 | 	meta:
1402 | 		author = "Glenn Edwards (@hiddenillusion)"
1403 | 		description = "JBIG2 was introduced in v1.4"
1404 | 		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
1405 | 		version = "0.1"
1406 | 		weight = 1
1407 | 		
1408 |         strings:
1409 |                 $magic = { 25 50 44 46 }
1410 | 				$js = /\/JBIG2Decode/
1411 | 				$ver = /%PDF-1\.[4-9]/
1412 | 
1413 |         condition:
1414 |                 $magic at 0 and $js and not $ver
1415 | }
1416 | 
1417 | rule FlateDecode_wrong_version : PDF
1418 | {
1419 | 	meta:
1420 | 		author = "Glenn Edwards (@hiddenillusion)"
1421 | 		description = "Flate was introduced in v1.2"
1422 | 		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
1423 | 		version = "0.1"
1424 | 		weight = 1
1425 | 		
1426 |         strings:
1427 |                 $magic = { 25 50 44 46 }
1428 | 				$js = /\/FlateDecode/
1429 | 				$ver = /%PDF-1\.[2-9]/
1430 | 
1431 |         condition:
1432 |                 $magic at 0 and $js and not $ver
1433 | }
1434 | 
1435 | rule embed_wrong_version : PDF
1436 | {
1437 | 	meta:
1438 | 		author = "Glenn Edwards (@hiddenillusion)"
1439 | 		description = "EmbeddedFiles were introduced in v1.3"
1440 | 		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
1441 | 		version = "0.1"
1442 | 		weight = 1
1443 | 		
1444 |         strings:
1445 |                 $magic = { 25 50 44 46 }
1446 | 				$embed = /\/EmbeddedFiles/
1447 | 				$ver = /%PDF-1\.[3-9]/
1448 | 
1449 |         condition:
1450 |                 $magic at 0 and $embed and not $ver
1451 | }
1452 | 
1453 | rule invalid_xref_numbers : PDF
1454 | {
1455 |         meta:
1456 | 			author = "Glenn Edwards (@hiddenillusion)"
1457 | 			version = "0.1"
1458 | 			description = "The first entry in a cross-reference table is always free and has a generation number of 65,535"
1459 | 			notes = "This can be also be in a stream..."
1460 | 			weight = 1
1461 | 		
1462 |         strings:
1463 |                 $magic = { 25 50 44 46 }
1464 |                 $reg0 = /xref\r?\n?.*\r?\n?.*65535\sf/
1465 |                 $reg1 = /endstream.*?\r?\n?endobj.*?\r?\n?startxref/
1466 |         condition:
1467 |                 $magic at 0 and not $reg0 and not $reg1
1468 | }
1469 | 
1470 | rule js_splitting : PDF
1471 | {
1472 |         meta:
1473 |                 author = "Glenn Edwards (@hiddenillusion)"
1474 |                 version = "0.1"
1475 |                 description = "These are commonly used to split up JS code"
1476 |                 weight = 2
1477 |                 
1478 |         strings:
1479 |                 $magic = { 25 50 44 46 }
1480 | 				$js = /\/JavaScript/
1481 |                 $s0 = "getAnnots"
1482 |                 $s1 = "getPageNumWords"
1483 |                 $s2 = "getPageNthWord"
1484 |                 $s3 = "this.info"
1485 |                                 
1486 |         condition:
1487 |                 $magic at 0 and $js and 1 of ($s*)
1488 | }
1489 | 
1490 | rule BlackHole_v2 : PDF
1491 | {
1492 | 	meta:
1493 | 		author = "Glenn Edwards (@hiddenillusion)"
1494 | 		version = "0.1"
1495 | 		ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html"
1496 | 		weight = 3
1497 | 		
1498 | 	strings:
1499 | 		$magic = { 25 50 44 46 }
1500 | 		$content = "Index[5 1 7 1 9 4 23 4 50"
1501 | 		
1502 | 	condition:
1503 | 		$magic at 0 and $content
1504 | }
1505 | 
1506 | 
1507 | rule XDP_embedded_PDF : PDF
1508 | {
1509 | 	meta:
1510 | 		author = "Glenn Edwards (@hiddenillusion)"
1511 | 		version = "0.1"
1512 | 		ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
1513 |         weight = 1		
1514 | 
1515 | 	strings:
1516 | 		$s1 = "<pdf xmlns="
1517 | 		$s2 = "<chunk>"
1518 | 		$s3 = "</pdf>"
1519 | 		$header0 = "%PDF"
1520 | 		$header1 = "JVBERi0"
1521 | 
1522 | 	condition:
1523 | 		all of ($s*) and 1 of ($header*)
1524 | }
1525 | 
1526 | rule FlashNewfunction: decodedPDF
1527 | {
1528 |    meta:  
1529 |       ref = "CVE-2010-1297"
1530 |       hide = true
1531 |       impact = 5 
1532 |       ref = "http://blog.xanda.org/tag/jsunpack/"
1533 |    strings:
1534 |       $unescape = "unescape" fullword nocase
1535 |       $shellcode = /%u[A-Fa-f0-9]{4}/
1536 |       $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
1537 |       $cve20101297 = /\/Subtype ?\/Flash/
1538 |    condition:
1539 |       ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
1540 | }
1541 | 
1542 | rule phoenix_html
1543 | {
1544 | meta:
1545 | 	author = "Josh Berry"
1546 | 	date = "2016-06-26"
1547 | 	description = "Phoenix Exploit Kit Detection"
1548 | 	hash0 = "8395f08f1371eb7b2a2e131b92037f9a"
1549 | 	sample_filetype = "js-html"
1550 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1551 | strings:
1552 | 	$string1 = "'></applet><body id"
1553 | 	$string2 = "<applet mayscript"
1554 | 	$string3 = "/gmi,String.fromCharCode(2"
1555 | 	$string4 = "/gmi,' ').replace(/"
1556 | 	$string5 = "pe;i;;.j1s->c"
1557 | 	$string6 = "es4Det"
1558 | 	$string7 = "<textarea>function"
1559 |         $string8 = ".replace(/"
1560 | 	$string9 = ".jar' code"
1561 | 	$string10 = ";iFc;ft'b)h{s"
1562 | condition:
1563 | 	10 of them
1564 | }
1565 | 
1566 | rule phoenix_html10
1567 | {
1568 | meta:
1569 | 	author = "Josh Berry"
1570 | 	date = "2016-06-26"
1571 | 	description = "Phoenix Exploit Kit Detection"
1572 | 	hash0 = "f5f8dceca74a50076070f2593e82ec43"
1573 | 	sample_filetype = "js-html"
1574 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1575 | strings:
1576 | 	$string0 = "pae>crAeahoilL"
1577 | 	$string1 = "D11C0002C0069733E60656F6462070D000402DFF200696E"
1578 | 	$string2 = "nbte)bbn"
1579 | 	$string3 = "v9o16,0')0B80002328203;)82F00223A216ifA160A262A462(a"
1580 | 	$string4 = "0442DFD2E30EC80E42D2E00AC3F3D53C9CAEBFF7E1E805080B044057CB1C0EF7F263DC64E0CBE47C2A21E370EE4A"
1581 | 	$string5 = ";)npeits0e.uvr;][tvr"
1582 | 	$string6 = "433EBE90242003E00C606D04036563435805000102000v020E656wa.i118,0',9F902F282620''C62022646660}{A780232A"
1583 | 	$string7 = "350;var ysjzyq"
1584 | 	$string8 = "aSmd'lm/t/im.}d.-Ljg,l-"
1585 | 	$string9 = "0017687F6164706E6967060002008101'2176045ckb"
1586 | 	$string10 = "63(dcma)nenn869"
1587 | 	$string11 = "').replace(/"
1588 | 	$string12 = "xd'c0lrls09sare"
1589 | 	$string13 = "(]t.(7u(<p"
1590 | 	$string14 = "d{et;bdBcriYtc:eayF20'F62;23C4AABA3B84FE21C2B0B066C0038B8353AF5C0B4DF8FF43E85FB6F05CEC4080236F3CDE6E"
1591 | 	$string15 = "/var another;</textarea>"
1592 | 	$string16 = "Fa527496C62eShHmar(bA,pPec"
1593 | 	$string17 = "FaA244A676C,150e62A5B2B61,'2F"
1594 | condition:
1595 | 	17 of them
1596 | }
1597 | 
1598 | rule phoenix_html11
1599 | {
1600 | meta:
1601 | 	author = "Josh Berry"
1602 | 	date = "2016-06-26"
1603 | 	description = "Phoenix Exploit Kit Detection"
1604 | 	hash0 = "be8c81288f9650e205ed13f3167ce256"
1605 | 	sample_filetype = "js-html"
1606 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1607 | strings:
1608 | 	$string0 = "D'0009F0C6941617C43427A76080001000F47020C606volv99,0,6,"
1609 | 	$string1 = "';)nWd"
1610 | 	$string2 = "IW'eeCn)s.a9e;0CF300FF379011078E047873754163636960496270486264416455747D69737812060209011301010104D0"
1611 | 	$string3 = "D8D51F5100019006D60667F2E056940170E01010747"
1612 | 	$string4 = "515F2F436WemBh2A4560683aFanoi(utse.o1/f;pistelzi"
1613 | 	$string5 = "/p(e/oah)FHw'aaarDsnwi-"
1614 | 	$string6 = "COa506u%db10u%1057u%f850u%f500u%0683u%05a8u%0030u%0706u%d300u%585du%38d0u%0080u%5612u'u%A2DdF6u%1M:."
1615 | 	$string7 = "S(yt)Dj"
1616 | 	$string8 = "FaA26285325,150e8292A6968,'2F"
1617 | 	$string9 = "0200e{b<0:D>r5d4u%c005u%0028u%251eu%a095u%6028u%0028u%2500u%f7f7u%70d7u%2025u%9008u%08f8u%c607usu%37"
1618 | 	$string10 = "(mEtlltopo{{e"
1619 | 	$string11 = "aSmd'lm/t/im.}d.-Ljg,l-"
1620 | 	$string12 = "r)C4snfapfuo}"
1621 | 	$string13 = "').replace(/"
1622 | 	$string14 = "A282A5ifA160F2628206(a"
1623 | 	$string15 = "obn0cf"
1624 | 	$string16 = "d(i'C)rtr.'pvif)iv1ilW)S((Ltl.)2,0,9;0se"
1625 | 	$string17 = "E23s3003476B18703C179396D08B841BC554F11678F0FEB9505FB355E044F33A540F61743738327E32D97D070FA37D87s000"
1626 | 	$string18 = "603742E545904575'294E20680,6F902E292A60''E6202A4E6468},e))tep"
1627 | condition:
1628 | 	18 of them
1629 | }
1630 | 
1631 | rule phoenix_html2
1632 | {
1633 | meta:
1634 | 	author = "Josh Berry"
1635 | 	date = "2016-06-26"
1636 | 	description = "Phoenix Exploit Kit Detection"
1637 | 	hash0 = "2fd263f5d988a92715f4146a0006cb31"
1638 | 	sample_filetype = "js-html"
1639 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1640 | strings:
1641 | 	$string0 = "Pec.lilsD)E)i-gonP(mgge.eOmn"
1642 | 	$string1 = "(trt;oo"
1643 | 	$string2 = "aceeC:0h"
1644 | 	$string3 = "Vubb.oec.n)a."
1645 | 	$string4 = "t;o{(bspd}ci:0OO[g(cfjdh}1sN}ntnrlt;0pwf{-"
1646 | 	$string5 = "seierb)gMle(}ev;is{(b;ga"
1647 | 	$string6 = "e)}ift"
1648 | 	$string7 = "Dud{rt"
1649 | 	$string8 = "blecroeely}diuFI-"
1650 | 	$string9 = "ttec]tr"
1651 | 	$string10 = "fSgcso"
1652 | 	$string11 = "eig.t)eR{t}aeesbdtbl{1sr)m"
1653 | 	$string12 = ").}n,Raa.s"
1654 | 	$string13 = "sLtfcb.nrf{Wiantscncad1ac)scb0eo]}Diuu(nar"
1655 | 	$string14 = "dxc.,:tfr(ucxRn"
1656 | 	$string15 = "eDnnforbyri(tbmns).[i.ee;dl(aNimp(l(h[u[ti;u)"
1657 | 	$string16 = "}tn)i{ebr,_.ns(Nes,,gm(ar.t"
1658 | 	$string17 = "l]it}N(pe3,iaaLds.)lqea:Ps00Hc;[{Euihlc)LiLI"
1659 | condition:
1660 | 	17 of them
1661 | }
1662 | 
1663 | rule phoenix_html3
1664 | {
1665 | meta:
1666 | 	author = "Josh Berry"
1667 | 	date = "2016-06-26"
1668 | 	description = "Phoenix Exploit Kit Detection"
1669 | 	hash0 = "d7cacbff6438d866998fc8bfee18102d"
1670 | 	sample_filetype = "js-html"
1671 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1672 | strings:
1673 | 	$string0 = "mtfla/,)asaf)'}"
1674 | 	$string1 = "72267E7C'A3035CFC415DFAAA834B208D8C230FD303E2EFFE386BE05960C588C6E85650746E690C39F706F97DC74349BA134"
1675 | 	$string2 = "N'eiui7F6e617e00F145A002645E527BFF264842F877B2FFC1FE84BCC6A50F0305B5B0C36A019F53674FD4D3736C494BD5C2"
1676 | 	$string3 = "lndl}})<>"
1677 | 	$string4 = "otodc};b<0:D>r5d4u%c005u%0028u%251eu%a095u%6028u%0028u%2500u%f7f7u%70d7u%2025u%9008u%08f8u%c607usu%3"
1678 | 	$string5 = "tuJaboaopb"
1679 | 	$string6 = "a(vxf{p'tSowa.i,1NIWm("
1680 | 	$string7 = "2004et"
1681 | 	$string8 = "2054sttE5356496478"
1682 | 	$string9 = "yi%A%%A%%A%%A%Cvld3,5314,004,6211,931,,,011394617,983,1154,5,1,,1,1,13,08,4304,1"
1683 | 	$string10 = "0ovel04ervEeieeem)h))B(ihsAE;u%04b8u%1c08u%0e50u%a000u%1010u%4000u%20afu%0006u%2478u%0020u%1065u%210"
1684 | 	$string11 = "/gmi,String.fromCharCode(2"
1685 | 	$string12 = "ncBcaocta.ye"
1686 | 	$string13 = "0201010030004A033102090;na"
1687 | 	$string14 = "66u%0(ec'h{iis%%A%%A%%A%%A%frS1,,8187,1,4,11,91516,,61,,10841,1,13,,,11248,01818849,23,,,,791meits0e"
1688 | 	$string15 = "D11C0002C0069733E60656F6462070D000402DFF200696E"
1689 | 	$string16 = "810p0y98"
1690 | 	$string17 = "9,0,e'Fm692E583760"
1691 | 	$string18 = "57784234633a)(u"
1692 | condition:
1693 | 	18 of them
1694 | }
1695 | 
1696 | rule phoenix_html4
1697 | {
1698 | meta:
1699 | 	author = "Josh Berry"
1700 | 	date = "2016-06-26"
1701 | 	description = "Phoenix Exploit Kit Detection"
1702 | 	hash0 = "61fde003211ac83c2884fbecefe1fc80"
1703 | 	sample_filetype = "js-html"
1704 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1705 | strings:
1706 | 	$string0 = "/dr.php"
1707 | 	$string1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
1708 | 	$string2 = "launchjnlp"
1709 | 	$string3 = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"
1710 | 	$string4 = "urlmon.dll"
1711 | 	$string5 = "<body>"
1712 | 	$string6 = " docbase"
1713 | 	$string7 = "</html>"
1714 | 	$string8 = " classid"
1715 | 	$string9 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
1716 | 	$string10 = "63AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
1717 | 	$string11 = "</object>"
1718 | 	$string12 = "application/x-java-applet"
1719 | 	$string13 = "java_obj"
1720 | condition:
1721 | 	13 of them
1722 | }
1723 | 
1724 | rule phoenix_html5
1725 | {
1726 | meta:
1727 | 	author = "Josh Berry"
1728 | 	date = "2016-06-26"
1729 | 	description = "Phoenix Exploit Kit Detection"
1730 | 	hash0 = "30afdca94d301905819e00a7458f4a4e"
1731 | 	sample_filetype = "js-html"
1732 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1733 | strings:
1734 | 	$string0 = "dtesu}"
1735 | 	$string1 = "<textarea>function gvgsxoy(gwcqg1){return gwcqg1.replace(/"
1736 | 	$string2 = "v}Ahnhxwet"
1737 | 	$string3 = "0125C6BBA2B84F7A1D2940C04C8B7449A40EEB0D14C8003535C0042D75E05F0D7F3E0A7B4E33EB4D8D47119290FC"
1738 | 	$string4 = "a2Fs2325223869e'Fm2873367130"
1739 | 	$string5 = "m0000F0F6E66607C71646F6607000107FA61021F6060(aeWWIN"
1740 | 	$string6 = ")(r>hd1/dNasmd(fpas"
1741 | 	$string7 = "9,0,e'Fm692E583760"
1742 | 	$string8 = "5ud(dis"
1743 | 	$string9 = "nacmambuntcmi"
1744 | 	$string10 = "Fa078597467,1C0e674366871,'2F"
1745 | 	$string11 = "Fa56F386A76,180e828592024,'2F"
1746 | 	$string12 = "alA)(2avoyOi;ic)t6])teptp,an}tnv0i'fms<uic"
1747 | 	$string13 = "iR'nandee"
1748 | 	$string14 = "('0.aEa-9leal"
1749 | 	$string15 = "bsD0seF"
1750 | 	$string16 = "t.ck263/6F3a001CE7A2684067F98BEC18B738801EF1F7F7E49A088695050C000865FC38080FE23727E0E8DE9CB53E748472"
1751 | condition:
1752 | 	16 of them
1753 | }
1754 | 
1755 | rule phoenix_html6
1756 | {
1757 | meta:
1758 | 	author = "Josh Berry"
1759 | 	date = "2016-06-26"
1760 | 	description = "Phoenix Exploit Kit Detection"
1761 | 	hash0 = "4aabb710cf04240d26c13dd2b0ccd6cc"
1762 | 	sample_filetype = "js-html"
1763 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1764 | strings:
1765 | 	$string0 = "F4B6B2E67)A780A373A633;ast2316363677fa'es6F3635244"
1766 | 	$string1 = "piia.a}rneecc.cnuoir"
1767 | 	$string2 = "0448D5A54BE10A5DA628100AC3F3D53C9CAEBFF7E1E805080B044057CB1C0EF7F263DC64E0CBE47C2A21E55E9EA620000106"
1768 | 	$string3 = "],enEn..o"
1769 | 	$string4 = "o;1()sna"
1770 | 	$string5 = "(eres(0.,"
1771 | 	$string6 = "}fs2he}o.t"
1772 | 	$string7 = "f'u>jisch3;)Ie)C'eO"
1773 | 	$string8 = "refhiacei"
1774 | 	$string9 = "0026632528(sCE7A2684067F98BEC1s00000F512Fm286631666"
1775 | 	$string10 = "vev%80b4u%ee18u%28b8u%2617u%5c08u%0e50u%a000u%9006u%76efu%b1cbu%ba2fu%6850u%0524u%9720u%f70<}1msa950"
1776 | 	$string11 = "pdu,xziien,ie"
1777 | 	$string12 = "rr)l;.)vr.nbl"
1778 | 	$string13 = "ii)ruccs)1e"
1779 | 	$string14 = "F30476737930anD<tAhnhxwet"
1780 | 	$string15 = ")yf{(ee..erneef"
1781 | 	$string16 = "ieiiXuMkCSwetEet"
1782 | 	$string17 = "F308477E7A7itme"
1783 | condition:
1784 | 	17 of them
1785 | }
1786 | 
1787 | rule phoenix_html7
1788 | {
1789 | meta:
1790 | 	author = "Josh Berry"
1791 | 	date = "2016-06-26"
1792 | 	description = "Phoenix Exploit Kit Detection"
1793 | 	hash0 = "f0e1b391ec3ce515fd617648bec11681"
1794 | 	sample_filetype = "js-html"
1795 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1796 | strings:
1797 | 	$string0 = "EBF0a0001B05D266503046C7A491A0C00044F0002035D0D0twl''WIN"
1798 | 	$string1 = "ah80672528657"
1799 | 	$string2 = "n);tctt)Eltc(Dj"
1800 | 	$string3 = ";cnt2<tEf"
1801 | 	$string4 = "iwkne){bvfvgzg5"
1802 | 	$string5 = "..'an{ea-Ect'8-huJ.)/l'/tCaaa}<Ct95l"
1803 | 	$string6 = "'WIWhaFtF662F6577IseFe427347637"
1804 | 	$string7 = "ddTh75e{"
1805 | 	$string8 = "Ae'n,,9"
1806 | 	$string9 = "%E7E3Vemtyi"
1807 | 	$string10 = "cf'treran"
1808 | 	$string11 = "ncBcaocta.ye"
1809 | 	$string12 = ")'0,p8k"
1810 | 	$string13 = "0;{tc4F}c;eptdpduoCuuedPl80evD"
1811 | 	$string14 = "iq,q,Nd(nccfr'Bearc'nBtpw"
1812 | 	$string15 = ";)npeits0e.uvhF$I'"
1813 | 	$string16 = "nvasai0.-"
1814 | 	$string17 = "lmzv'is'"
1815 | condition:
1816 | 	17 of them
1817 | }
1818 | 
1819 | rule phoenix_html8
1820 | {
1821 | meta:
1822 | 	author = "Josh Berry"
1823 | 	date = "2016-06-26"
1824 | 	description = "Phoenix Exploit Kit Detection"
1825 | 	hash0 = "1c19a863fc4f8b13c0c7eb5e231bc3d1"
1826 | 	sample_filetype = "js-html"
1827 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1828 | strings:
1829 | 	$string0 = "0x5)).replace(/"
1830 | 	$string1 = "%A%%A%%nc(,145,9,84037,1711,,4121,56,1,,0505,,651,,3,514101,01,29,7868,90"
1831 | 	$string2 = "/gmi,String.fromCharCode(2"
1832 | 	$string3 = "turt;oo)s"
1833 | 	$string4 = "91;var jtdpar"
1834 | 	$string5 = "R(,13,7,63,48140601,5057,,319,,6,1,1,2,,110,0,1011171,2319,,,,10vEAs)tfmneyeh%A%%A%%A%%A%s<u91,4693,"
1835 | 	$string6 = "y%%A%%A%%A%%A.meo21117,7,1,,10,1,9,8,1,9,100,6,141003,74181,163,441114,43,207,,remc'ut"
1836 | 	$string7 = "epjtjqe){jtdpar"
1837 | 	$string8 = "/gmi,'"
1838 | 	$string9 = "<font></font><body id"
1839 | 	$string10 = " epjtjqe; fqczi > 0; fqczi--){for (bwjmgl7 "
1840 | 	$string11 = "nbte)bb(egs%A%%A%%A%%A%%m"
1841 | 	$string12 = "fvC9614165,,,1,1801151030,,0,,487641114,,1,141,914810036,,888,201te.)'etdc:ysaA%%A%%A%%A%%5sao,61,0,"
1842 | 	$string13 = "(tiAmrd{/tnA%%A%%A%%A%%Aiin11,,1637,34191,626958314,11007,,61145,411,7,9,1821,,43,8311,26;d'ebt.dyvs"
1843 | 	$string14 = "A%%A%%A%%Ao"
1844 | 	$string15 = "hrksywd(cpkwisk4);/"
1845 | 	$string16 = ";</script>"
1846 | condition:
1847 | 	16 of them
1848 | }
1849 | 
1850 | rule phoenix_html9
1851 | {
1852 | meta:
1853 | 	author = "Josh Berry"
1854 | 	date = "2016-06-26"
1855 | 	description = "Phoenix Exploit Kit Detection"
1856 | 	hash0 = "742d012b9df0c27ed6ccf3b234db20db"
1857 | 	sample_filetype = "js-html"
1858 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1859 | strings:
1860 | 	$string0 = "tute)bbr:"
1861 | 	$string1 = "nfho(tghRx"
1862 | 	$string2 = "()irfE/Rt..cOcC"
1863 | 	$string3 = "NcEnevbf"
1864 | 	$string4 = "63FB8B4296BBC290A0.'0000079'Fh20216B6A6arA;<"
1865 | 	$string5 = "wHe(cLnyeyet(a.i,r.{.."
1866 | 	$string6 = "tute)bbdfiiix'bcr"
1867 | 	$string7 = "itifdf)d1L2f'asau%d004u%8e00u%0419u%a58du%2093u%ec10u%0050u%00d4u%4622u%bcd1u%b1ceu%5000u%f7f5u%5606"
1868 | 	$string8 = "2F4693529783'82F076676C38'te"
1869 | 	$string9 = "sm(teoeoi)cfh))pihnipeeeo}.,(.(("
1870 | 	$string10 = "ao)ntavlll{))ynlcoix}hiN.il'tes1ad)bm;"
1871 | 	$string11 = "i)}m0f(eClei(/te"
1872 | 	$string12 = "}aetsc"
1873 | 	$string13 = "irefnig.pT"
1874 | 	$string14 = "a0mrIif/tbne,(wsk,"
1875 | 	$string15 = "500F14B06000000630E6B72636F60632C6E711C6E762E646F147F44767F650A0804061901020009006B120005A2006L"
1876 | 	$string16 = ".hB.Csf)ddeSs"
1877 | 	$string17 = "tnne,IPd4Le"
1878 | 	$string18 = "hMdarc'nBtpw"
1879 | condition:
1880 | 	18 of them
1881 | }
1882 | 
1883 | rule phoenix_jar
1884 | {
1885 | meta:
1886 | 	author = "Josh Berry"
1887 | 	date = "2016-06-26"
1888 | 	description = "Phoenix Exploit Kit Detection"
1889 | 	hash0 = "a8a18219b02d30f44799415ff19c518e"
1890 | 	sample_filetype = "unknown"
1891 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1892 | strings:
1893 | 	$string0 = "r.JM,IM"
1894 | 	$string1 = "qX$8$a"
1895 | 	$string2 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProvider5"
1896 | 	$string3 = "a.classPK"
1897 | 	$string4 = "6;\\Q]Q"
1898 | 	$string5 = "h[s] X"
1899 | 	$string6 = "ToolsDemoSubClass.classPK"
1900 | 	$string7 = "a.class"
1901 | 	$string8 = "META-INF/MANIFEST.MFPK"
1902 | 	$string9 = "ToolsDemoSubClass.classeO"
1903 | 	$string10 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProviderPK"
1904 | condition:
1905 | 	10 of them
1906 | }
1907 | 
1908 | rule phoenix_jar2
1909 | {
1910 | meta:
1911 | 	author = "Josh Berry"
1912 | 	date = "2016-06-26"
1913 | 	description = "Phoenix Exploit Kit Detection"
1914 | 	hash0 = "989c5b5eaddf48010e62343d7a4db6f4"
1915 | 	sample_filetype = "unknown"
1916 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1917 | strings:
1918 | 	$string0 = "a66d578f084.classeQ"
1919 | 	$string1 = "a4cb9b1a8a5.class"
1920 | 	$string2 = ")szNu\\MutK"
1921 | 	$string3 = "qCCwBU"
1922 | 	$string4 = "META-INF/MANIFEST.MF"
1923 | 	$string5 = "QR,GOX"
1924 | 	$string6 = "ab5601d4848.classmT"
1925 | 	$string7 = "a6a7a760c0e["
1926 | 	$string8 = "2ZUK[L"
1927 | 	$string9 = "2VT(Au5"
1928 | 	$string10 = "a6a7a760c0ePK"
1929 | 	$string11 = "aa79d1019d8.class"
1930 | 	$string12 = "aa79d1019d8.classPK"
1931 | 	$string13 = "META-INF/MANIFEST.MFPK"
1932 | 	$string14 = "ab5601d4848.classPK"
1933 | condition:
1934 | 	14 of them
1935 | }
1936 | 
1937 | rule phoenix_jar3
1938 | {
1939 | meta:
1940 | 	author = "Josh Berry"
1941 | 	date = "2016-06-26"
1942 | 	description = "Phoenix Exploit Kit Detection"
1943 | 	hash0 = "c5655c496949f8071e41ea9ac011cab2"
1944 | 	sample_filetype = "unknown"
1945 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1946 | strings:
1947 | 	$string0 = "'> >$>"
1948 | 	$string1 = "bpac/PK"
1949 | 	$string2 = "bpac/purok$1.classmP]K"
1950 | 	$string3 = "bpac/KAVS.classmQ"
1951 | 	$string4 = "'n n$n"
1952 | 	$string5 = "bpac/purok$1.classPK"
1953 | 	$string6 = "$.4aX,Gt<"
1954 | 	$string7 = "bpac/KAVS.classPK"
1955 | 	$string8 = "bpac/b.classPK"
1956 | 	$string9 = "bpac/b.class"
1957 | condition:
1958 | 	9 of them
1959 | }
1960 | 
1961 | rule phoenix_pdf
1962 | {
1963 | meta:
1964 | 	author = "Josh Berry"
1965 | 	date = "2016-06-26"
1966 | 	description = "Phoenix Exploit Kit Detection"
1967 | 	hash0 = "16de68e66cab08d642a669bf377368da"
1968 | 	hash1 = "bab281fe0cf3a16a396550b15d9167d5"
1969 | 	sample_filetype = "pdf"
1970 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1971 | strings:
1972 | 	$string0 = "0000000254 00000 n"
1973 | 	$string1 = "0000000295 00000 n"
1974 | 	$string2 = "trailer<</Root 1 0 R /Size 7>>"
1975 | 	$string3 = "0000000000 65535 f"
1976 | 	$string4 = "3 0 obj<</JavaScript 5 0 R >>endobj"
1977 | 	$string5 = "0000000120 00000 n"
1978 | 	$string6 = "%PDF-1.0"
1979 | 	$string7 = "startxref"
1980 | 	$string8 = "0000000068 00000 n"
1981 | 	$string9 = "endobjxref"
1982 | 	$string10 = ")6 0 R ]>>endobj"
1983 | 	$string11 = "0000000010 00000 n"
1984 | condition:
1985 | 	11 of them
1986 | }
1987 | 
1988 | rule phoenix_pdf2
1989 | {
1990 | meta:
1991 | 	author = "Josh Berry"
1992 | 	date = "2016-06-26"
1993 | 	description = "Phoenix Exploit Kit Detection"
1994 | 	hash0 = "33cb6c67f58609aa853e80f718ab106a"
1995 | 	sample_filetype = "pdf"
1996 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
1997 | strings:
1998 | 	$string0 = "\\nQb<%"
1999 | 	$string1 = "0000000254 00000 n"
2000 | 	$string2 = ":S3>v0$EF"
2001 | 	$string3 = "trailer<</Root 1 0 R /Size 7>>"
2002 | 	$string4 = "%PDF-1.0"
2003 | 	$string5 = "0000000000 65535 f"
2004 | 	$string6 = "endstream"
2005 | 	$string7 = "0000000010 00000 n"
2006 | 	$string8 = "6 0 obj<</JS 7 0 R/S/JavaScript>>endobj"
2007 | 	$string9 = "3 0 obj<</JavaScript 5 0 R >>endobj"
2008 | 	$string10 = "}pr2IE"
2009 | 	$string11 = "0000000157 00000 n"
2010 | 	$string12 = "1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj"
2011 | 	$string13 = "5 0 obj<</Names[("
2012 | condition:
2013 | 	13 of them
2014 | }
2015 | 
2016 | rule phoenix_pdf3
2017 | {
2018 | meta:
2019 | 	author = "Josh Berry"
2020 | 	date = "2016-06-26"
2021 | 	description = "Phoenix Exploit Kit Detection"
2022 | 	hash0 = "bab281fe0cf3a16a396550b15d9167d5"
2023 | 	sample_filetype = "pdf"
2024 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2025 | strings:
2026 | 	$string0 = "trailer<</Root 1 0 R /Size 7>>"
2027 | 	$string1 = "stream"
2028 | 	$string2 = ";_oI5z"
2029 | 	$string3 = "0000000010 00000 n"
2030 | 	$string4 = "3 0 obj<</JavaScript 5 0 R >>endobj"
2031 | 	$string5 = "7 0 obj<</Filter[ /FlateDecode /ASCIIHexDecode /ASCII85Decode ]/Length 3324>>"
2032 | 	$string6 = "endobjxref"
2033 | 	$string7 = "L%}gE("
2034 | 	$string8 = "0000000157 00000 n"
2035 | 	$string9 = "1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj"
2036 | 	$string10 = "0000000120 00000 n"
2037 | 	$string11 = "4 0 obj<</Type/Page/Parent 2 0 R /Contents 12 0 R>>endobj"
2038 | condition:
2039 | 	11 of them
2040 | }
2041 | 
2042 | rule redkit_bin_basic : exploit_kit
2043 | {
2044 |     strings:
2045 |         $a = /\/\d{2}.html\s/
2046 |     condition:
2047 |         $a
2048 | }
2049 | 
2050 | rule sakura_jar
2051 | {
2052 | meta:
2053 | 	author = "Josh Berry"
2054 | 	date = "2016-06-26"
2055 | 	description = "Sakura Exploit Kit Detection"
2056 | 	hash0 = "a566ba2e3f260c90e01366e8b0d724eb"
2057 | 	sample_filetype = "unknown"
2058 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2059 | strings:
2060 | 	$string0 = "Rotok.classPK"
2061 | 	$string1 = "nnnolg"
2062 | 	$string2 = "X$Z'\\4^=aEbIdUmiprsxt}v<" wide
2063 | 	$string3 = "()Ljava/util/Set;"
2064 | 	$string4 = "(Ljava/lang/String;)V"
2065 | 	$string5 = "Ljava/lang/Exception;"
2066 | 	$string6 = "oooy32"
2067 | 	$string7 = "Too.java"
2068 | 	$string8 = "bbfwkd"
2069 | 	$string9 = "Ljava/lang/Process;"
2070 | 	$string10 = "getParameter"
2071 | 	$string11 = "length"
2072 | 	$string12 = "Simio.java"
2073 | 	$string13 = "Ljavax/swing/JList;"
2074 | 	$string14 = "-(Ljava/lang/String;)Ljava/lang/StringBuilder;"
2075 | 	$string15 = "Ljava/io/InputStream;"
2076 | 	$string16 = "vfnnnrof.exnnnroe"
2077 | 	$string17 = "Olsnnfw"
2078 | condition:
2079 | 	17 of them
2080 | }
2081 | 
2082 | rule sakura_jar2
2083 | {
2084 | meta:
2085 | 	author = "Josh Berry"
2086 | 	date = "2016-06-26"
2087 | 	description = "Sakura Exploit Kit Detection"
2088 | 	hash0 = "d21b4e2056e5ef9f9432302f445bcbe1"
2089 | 	sample_filetype = "unknown"
2090 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2091 | strings:
2092 | 	$string0 = "getProperty"
2093 | 	$string1 = "java/io/FileNotFoundException"
2094 | 	$string2 = "LLolp;"
2095 | 	$string3 = "cjhgreshhnuf "
2096 | 	$string4 = "StackMapTable"
2097 | 	$string5 = "onfwwa"
2098 | 	$string6 = "(C)Ljava/lang/StringBuilder;"
2099 | 	$string7 = "replace"
2100 | 	$string8 = "LEsia$fffgss;"
2101 | 	$string9 = "<clinit>"
2102 | 	$string10 = "()Ljava/io/InputStream;"
2103 | 	$string11 = "openConnection"
2104 | 	$string12 = " gjhgreshhnijhgreshhrtSjhgreshhot.sjhgreshhihjhgreshht;)"
2105 | 	$string13 = "Oi.class"
2106 | 	$string14 = " rjhgreshhorjhgreshhre rajhgreshhv"
2107 | 	$string15 = "java/lang/String"
2108 | 	$string16 = "java/net/URL"
2109 | 	$string17 = "Created-By: 1.7.0-b147 (Oracle Corporation)"
2110 | condition:
2111 | 	17 of them
2112 | }
2113 | 
2114 | rule zeus_js
2115 | {
2116 | meta:
2117 | 	author = "Josh Berry"
2118 | 	date = "2016-06-26"
2119 | 	description = "Zeus Exploit Kit Detection"
2120 | 	hash0 = "c87ac7a25168df49a64564afb04dc961"
2121 | 	sample_filetype = "js-html"
2122 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2123 | strings:
2124 | 	$string0 = "var jsmLastMenu "
2125 | 	$string1 = "position:absolute; z-index:99' "
2126 | 	$string2 = " -1)jsmSetDisplayStyle('popupmenu' "
2127 | 	$string3 = " '<tr><td><a href"
2128 | 	$string4 = "  jsmLastMenu "
2129 | 	$string5 = "  var ids "
2130 | 	$string6 = "this.target"
2131 | 	$string7 = " jsmPrevMenu, 'none');"
2132 | 	$string8 = "  if(jsmPrevMenu "
2133 | 	$string9 = ")if(MenuData[i])"
2134 | 	$string10 = " '<div style"
2135 | 	$string11 = "popupmenu"
2136 | 	$string12 = "  jsmSetDisplayStyle('popupmenu' "
2137 | 	$string13 = "function jsmHideLastMenu()"
2138 | 	$string14 = " MenuData.length; i"
2139 | condition:
2140 | 	14 of them
2141 | }
2142 | 
2143 | rule zeroaccess_css
2144 | {
2145 | meta:
2146 | 	author = "Josh Berry"
2147 | 	date = "2016-06-27"
2148 | 	description = "ZeroAccess Exploit Kit Detection"
2149 | 	hash0 = "4944324bad3b020618444ee131dce3d0"
2150 | 	sample_filetype = "js-html"
2151 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2152 | strings:
2153 | 	$string0 = "close-mail{right:130px "
2154 | 	$string1 = "ccc;box-shadow:0 0 5px 1px "
2155 | 	$string2 = "757575;border-bottom:1px solid "
2156 | 	$string3 = "777;height:1.8em;line-height:1.9em;display:block;float:left;padding:1px 15px;margin:0;text-shadow:-1"
2157 | 	$string4 = "C4C4C4;}"
2158 | 	$string5 = "999;-webkit-box-shadow:0 0 3px "
2159 | 	$string6 = "header div.service-links ul{display:inline;margin:10px 0 0;}"
2160 | 	$string7 = "t div h2.title{padding:0;margin:0;}.box5-condition-news h2.pane-title{display:block;margin:0 0 9px;p"
2161 | 	$string8 = "footer div.comp-info p{color:"
2162 | 	$string9 = "pcmi-listing-center .full-page-listing{width:490px;}"
2163 | 	$string10 = "pcmi-content-top .photo img,"
2164 | 	$string11 = "333;}div.tfw-header a var{display:inline-block;margin:0;line-height:20px;height:20px;width:120px;bac"
2165 | 	$string12 = "ay:none;text-decoration:none;outline:none;padding:4px;text-align:center;font-size:9px;color:"
2166 | 	$string13 = "333;}body.page-videoplayer div"
2167 | 	$string14 = "373737;position:relative;}body.node-type-video div"
2168 | 	$string15 = "pcmi-content-sidebara,.page-error-page "
2169 | 	$string16 = "fff;text-decoration:none;}"
2170 | 	$string17 = "qtabs-list li a,"
2171 | 	$string18 = "cdn2.dailyrx.com"
2172 | condition:
2173 | 	18 of them
2174 | }
2175 | 
2176 | rule zeroaccess_css2
2177 | {
2178 | meta:
2179 | 	author = "Josh Berry"
2180 | 	date = "2016-06-27"
2181 | 	description = "ZeroAccess Exploit Kit Detection"
2182 | 	hash0 = "e300d6a36b9bfc3389f64021e78b1503"
2183 | 	sample_filetype = "js-html"
2184 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2185 | strings:
2186 | 	$string0 = "er div.panel-hide{display:block;position:absolute;z-index:200;margin-top:-1.5em;}div.panel-pane div."
2187 | 	$string1 = "ve.gif) right center no-repeat;}div.ctools-ajaxing{float:left;width:18px;background:url(http://cdn3."
2188 | 	$string2 = "cdn2.dailyrx.com"
2189 | 	$string3 = "efefef;margin:5px 0 5px 0;}"
2190 | 	$string4 = "node{margin:0;padding:0;}div.panel-pane div.feed a{float:right;}"
2191 | 	$string5 = ":0 5px 0 0;float:left;}div.tweets-pulled-listing div.tweet-authorphoto img{max-height:40px;max-width"
2192 | 	$string6 = "i a{color:"
2193 | 	$string7 = ":bold;}div.tweets-pulled-listing .tweet-time a{color:silver;}div.tweets-pulled-listing  div.tweet-di"
2194 | 	$string8 = "div.panel-pane div.admin-links{font-size:xx-small;margin-right:1em;}div.panel-pane div.admin-links l"
2195 | 	$string9 = "div.tweets-pulled-listing ul{list-style:none;}div.tweets-pulled-listing div.tweet-authorphoto{margin"
2196 | 	$string10 = "FFFFDD none repeat scroll 0 0;border:1px solid "
2197 | 	$string11 = "vider{clear:left;border-bottom:1px solid "
2198 | condition:
2199 | 	11 of them
2200 | }
2201 | 
2202 | rule zeroaccess_htm
2203 | {
2204 | meta:
2205 | 	author = "Josh Berry"
2206 | 	date = "2016-06-27"
2207 | 	description = "ZeroAccess Exploit Kit Detection"
2208 | 	hash0 = "0e7d72749b60c8f05d4ff40da7e0e937"
2209 | 	sample_filetype = "js-html"
2210 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2211 | strings:
2212 | 	$string0 = "screen.height:"
2213 | 	$string1 = "</script></head><body onload"
2214 | 	$string2 = "Fx0ZAQRKXUVgbh0qNDRJVxYwGg4tGh8aHQoAVQQSNyo0NElXFjAaDi0NFQYESl1FBBNnTFoSPiBmADwnPTQxPSdKWUUEE2UcGR0z"
2215 | 	$string3 = "0);-10<b"
2216 | 	$string4 = "function fl(){var a"
2217 | 	$string5 = "0);else if(navigator.mimeTypes"
2218 | 	$string6 = ");b.href"
2219 | 	$string7 = "/presults.jsp"
2220 | 	$string8 = "128.164.107.221"
2221 | 	$string9 = ")[0].clientWidth"
2222 | 	$string10 = "presults.jsp"
2223 | 	$string11 = ":escape(c),e"
2224 | 	$string12 = "navigator.plugins.length)navigator.plugins["
2225 | 	$string13 = "window;d"
2226 | 	$string14 = "gr(),j"
2227 | 	$string15 = "VIEWPORT"
2228 | 	$string16 = "FQV2D0ZAH1VGDxgZVg9COwYCAwkcTzAcBxscBFoKAAMHUFVuWF5EVVYVdVtUR18bA1QdAU8HQjgeUFYeAEZ4SBEcEk1FTxsdUlVA"
2229 | condition:
2230 | 	16 of them
2231 | }
2232 | 
2233 | rule zeroaccess_js
2234 | {
2235 | meta:
2236 | 	author = "Josh Berry"
2237 | 	date = "2016-06-27"
2238 | 	description = "ZeroAccess Exploit Kit Detection"
2239 | 	hash0 = "a9f30483a197cfdc65b4a70b8eb738ab"
2240 | 	sample_filetype = "js-html"
2241 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2242 | strings:
2243 | 	$string0 = "Square ad tag  (tile"
2244 | 	$string1 = "  adRandNum "
2245 | 	$string2 = " cellspacing"
2246 | 	$string3 = "\\n//-->\\n</script>"
2247 | 	$string4 = "format"
2248 | 	$string5 = "//-->' "
2249 | 	$string6 = "2287974446"
2250 | 	$string7 = "NoScrBeg "
2251 | 	$string8 = "-- start adblade -->' "
2252 | 	$string9 = "3427054556"
2253 | 	$string10 = "        while (i >"
2254 | 	$string11 = "return '<table width"
2255 | 	$string12 = "</scr' "
2256 | 	$string13 = " s.substring(0, i"
2257 | 	$string14 = " /></a></noscript>' "
2258 | 	$string15 = "    else { isEmail "
2259 | 	$string16 = ").submit();"
2260 | 	$string17 = " border"
2261 | 	$string18 = "pub-8301011321395982"
2262 | condition:
2263 | 	18 of them
2264 | }
2265 | 
2266 | rule zeroaccess_js2
2267 | {
2268 | meta:
2269 | 	author = "Josh Berry"
2270 | 	date = "2016-06-27"
2271 | 	description = "ZeroAccess Exploit Kit Detection"
2272 | 	hash0 = "b5fda04856b98c254d33548cc1c1216c"
2273 | 	sample_filetype = "js-html"
2274 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2275 | strings:
2276 | 	$string0 = "ApiClientConfig"
2277 | 	$string1 = "function/.test(pa.toString())"
2278 | 	$string2 = "background-image:url(http:\\/\\/static.ak.fbcdn.net\\/rsrc.php\\/v2\\/y6\\/x\\/s816eWC-2sl.gif)}"
2279 | 	$string3 = "Music.init"
2280 | 	$string4 = "',header:'bool',recommendations:'bool',site:'hostname'},create_event_button:{},degrees:{href:'url'},"
2281 | 	$string5 = "cca6477272fc5cb805f85a84f20fca1d"
2282 | 	$string6 = "document.createElement('form');c.action"
2283 | 	$string7 = "javascript:false"
2284 | 	$string8 = "s.onMessage){j.error('An instance without whenReady or onMessage makes no sense');throw new Error('A"
2285 | 	$string9 = "NaN;}else h"
2286 | 	$string10 = "sprintf"
2287 | 	$string11 = "window,j"
2288 | 	$string12 = "o.getUserID(),da"
2289 | 	$string13 = "FB.Runtime.getLoginStatus();if(b"
2290 | 	$string14 = ")');k.toString"
2291 | 	$string15 = "rovide('XFBML.Send',{Dimensions:{width:80,height:25}});"
2292 | 	$string16 = "{log:i};e.exports"
2293 | 	$string17 = "a;FB.api('/fql','GET',f,function(g){if(g.error){ES5(ES5('Object','keys',false,b),'forEach',true,func"
2294 | 	$string18 = "true;}}var ia"
2295 | condition:
2296 | 	18 of them
2297 | }
2298 | 
2299 | rule zeroaccess_js3
2300 | {
2301 | meta:
2302 | 	author = "Josh Berry"
2303 | 	date = "2016-06-27"
2304 | 	description = "ZeroAccess Exploit Kit Detection"
2305 | 	hash0 = "5f13fdfb53a3e60e93d7d1d7bbecff4f"
2306 | 	sample_filetype = "js-html"
2307 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2308 | strings:
2309 | 	$string0 = "document.createDocumentFragment();img.src"
2310 | 	$string1 = "typeOf(events)"
2311 | 	$string2 = "var i,x,y,ARRcookies"
2312 | 	$string3 = "callbacks.length;j<l;j"
2313 | 	$string4 = "encodeURIComponent(value);if(options.domain)value"
2314 | 	$string5 = "event,HG.components.get('windowEvent_'"
2315 | 	$string6 = "'read'in Cookie){return Cookie.read(c_name);}"
2316 | 	$string7 = "item;},get:function(name,def){return HG.components.exists(name)"
2317 | 	$string8 = "){window.addEvent(windowEvents[i],function(){var callbacks"
2318 | 	$string9 = "reunload:function(callback){HG.events.add('beforeunload',callback);},add:function(event,callback){HG"
2319 | 	$string10 = "name){if(HG.components.exists(name)){delete HG.componentList[name];}}},util:{uuid:function(){return'"
2320 | 	$string11 = "window.HG"
2321 | 	$string12 = "x.replace(/"
2322 | 	$string13 = "encodeURIComponent(this.attr[key]));}"
2323 | 	$string14 = "options.domain;if(options.path)value"
2324 | 	$string15 = "this.page_sid;this.attr.user_sid"
2325 | condition:
2326 | 	15 of them
2327 | }
2328 | 
2329 | rule zeroaccess_js4
2330 | {
2331 | meta:
2332 | 	author = "Josh Berry"
2333 | 	date = "2016-06-27"
2334 | 	description = "ZeroAccess Exploit Kit Detection"
2335 | 	hash0 = "268ae96254e423e9d670ebe172d1a444"
2336 | 	sample_filetype = "js-html"
2337 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2338 | strings:
2339 | 	$string0 = ").join("
2340 | 	$string1 = "JSON.stringify:function(o){if(o"
2341 | 	$string2 = "){try{var a"
2342 | 	$string3 = ");return $.jqotecache[i]"
2343 | 	$string4 = "o.getUTCFullYear(),hours"
2344 | 	$string5 = "seconds"
2345 | 	$string6 = "')');};$.secureEvalJSON"
2346 | 	$string7 = "isFinite(n);},secondsToTime:function(sec_numb){sec_numb"
2347 | 	$string8 = "')');}else{throw new SyntaxError('Error parsing JSON, source is not valid.');}};$.quoteString"
2348 | 	$string9 = "o[name];var ret"
2349 | 	$string10 = "a[m].substr(2)"
2350 | 	$string11 = ");if(d){return true;}}}catch(e){return false;}}"
2351 | 	$string12 = "a.length;m<k;m"
2352 | 	$string13 = "if(parentClasses.length"
2353 | 	$string14 = "o.getUTCHours(),minutes"
2354 | 	$string15 = "$.jqote(e,d,t),$$"
2355 | 	$string16 = "q.test(x)){e"
2356 | 	$string17 = "{};HGWidget.creator"
2357 | condition:
2358 | 	17 of them
2359 | }
2360 | 
2361 | rule blackhole2_css
2362 | {
2363 | meta:
2364 | 	author = "Josh Berry"
2365 | 	date = "2016-06-27"
2366 | 	description = "BlackHole2 Exploit Kit Detection"
2367 | 	hash0 = "9664a16c65782d56f02789e7d52359cd"
2368 | 	sample_filetype = "js-html"
2369 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2370 | strings:
2371 | 	$string1 = "background:url('%%?a=img&img=countries.gif')"
2372 | 	$string2 = "background:url('%%?a=img&img=exploit.gif')"
2373 | 	$string3 = "background:url('%%?a=img&img=oses.gif')"
2374 | 	$string4 = "background:url('%%?a=img&img=browsers.gif')"
2375 | 	$string5 = "background:url('%%?a=img&img=edit.png')"
2376 | 	$string6 = "background:url('%%?a=img&img=add.png')"
2377 | 	$string7 = "background:url('%%?a=img&img=accept.png')"
2378 | 	$string8 = "background:url('%%?a=img&img=del.png')"
2379 | 	$string9 = "background:url('%%?a=img&img=stat.gif')"
2380 | condition:
2381 | 	18 of them
2382 | }
2383 | 
2384 | rule blackhole2_htm
2385 | {
2386 | meta:
2387 | 	author = "Josh Berry"
2388 | 	date = "2016-06-27"
2389 | 	description = "BlackHole2 Exploit Kit Detection"
2390 | 	hash0 = "92e21e491a90e24083449fd906515684"
2391 | 	hash1 = "98b302a504a7ad0e3515ab6b96d623f9"
2392 | 	hash2 = "a91d885ef4c4a0d16c88b956db9c6f43"
2393 | 	hash3 = "d8336f7ae9b3a4db69317aea105f49be"
2394 | 	hash4 = "eba5daf0442dff5b249274c99552177b"
2395 | 	hash5 = "02d8e6daef5a4723621c25cfb766a23d"
2396 | 	hash6 = "dadf69ce2124283a59107708ffa9c900"
2397 | 	hash7 = "467199178ac940ca311896c7d116954f"
2398 | 	hash8 = "17ab5b85f2e1f2b5da436555ea94f859"
2399 | 	sample_filetype = "js-html"
2400 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2401 | strings:
2402 | 	$string0 = ">links/</a></td><td align"
2403 | 	$string1 = ">684K</td><td>"
2404 | 	$string2 = "> 36K</td><td>"
2405 | 	$string3 = "move_logs.php"
2406 | 	$string4 = "files/"
2407 | 	$string5 = "cron_updatetor.php"
2408 | 	$string6 = ">12-Sep-2012 23:45  </td><td align"
2409 | 	$string7 = ">  - </td><td>"
2410 | 	$string8 = "cron_check.php"
2411 | 	$string9 = "-//W3C//DTD HTML 3.2 Final//EN"
2412 | 	$string10 = "bhadmin.php"
2413 | 	$string11 = ">21-Sep-2012 15:25  </td><td align"
2414 | 	$string12 = ">data/</a></td><td align"
2415 | 	$string13 = ">3.3K</td><td>"
2416 | 	$string14 = "cron_update.php"
2417 | condition:
2418 | 	14 of them
2419 | }
2420 | 
2421 | rule blackhole2_htm10
2422 | {
2423 | meta:
2424 | 	author = "Josh Berry"
2425 | 	date = "2016-06-27"
2426 | 	description = "BlackHole2 Exploit Kit Detection"
2427 | 	hash0 = "83704d531c9826727016fec285675eb1"
2428 | 	hash1 = "103ef0314607d28b3c54cd07e954cb25"
2429 | 	hash2 = "16c002dc45976caae259d7cabc95b2c3"
2430 | 	hash3 = "fd84d695ac3f2ebfb98d3255b3a4e1de"
2431 | 	hash4 = "c7b417a4d650c72efebc2c45eefbac2a"
2432 | 	hash5 = "c3c35e465e316a71abccca296ff6cd22"
2433 | 	hash2 = "16c002dc45976caae259d7cabc95b2c3"
2434 | 	hash7 = "10ce7956266bfd98fe310d7568bfc9d0"
2435 | 	hash8 = "60024caf40f4239d7e796916fb52dc8c"
2436 | 	sample_filetype = "js-html"
2437 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2438 | strings:
2439 | 	$string0 = "</body></html>"
2440 | 	$string1 = "/icons/back.gif"
2441 | 	$string2 = ">373K</td><td>"
2442 | 	$string3 = "/icons/unknown.gif"
2443 | 	$string4 = ">Last modified</a></th><th><a href"
2444 | 	$string5 = "tmp.gz"
2445 | 	$string6 = ">tmp.gz</a></td><td align"
2446 | 	$string7 = "nbsp;</td><td align"
2447 | 	$string8 = "</table>"
2448 | 	$string9 = ">  - </td><td>"
2449 | 	$string10 = ">filefdc7aaf4a3</a></td><td align"
2450 | 	$string11 = ">19-Sep-2012 07:06  </td><td align"
2451 | 	$string12 = "><img src"
2452 | 	$string13 = "file3fa7bdd7dc"
2453 | 	$string14 = "  <title>Index of /files</title>"
2454 | 	$string15 = "0da49e042d"
2455 | condition:
2456 | 	15 of them
2457 | }
2458 | 
2459 | rule blackhole2_htm11
2460 | {
2461 | meta:
2462 | 	author = "Josh Berry"
2463 | 	date = "2016-06-27"
2464 | 	description = "BlackHole2 Exploit Kit Detection"
2465 | 	hash0 = "e89b56df597688c489f06a0a6dd9efed"
2466 | 	hash1 = "06ba331ac5ae3cd1986c82cb1098029e"
2467 | 	hash2 = "a899dedb50ad81d9dbba660747828c7b"
2468 | 	hash3 = "7cbb58412554327fe8b643204a046e2b"
2469 | 	hash2 = "a899dedb50ad81d9dbba660747828c7b"
2470 | 	hash0 = "e89b56df597688c489f06a0a6dd9efed"
2471 | 	hash2 = "a899dedb50ad81d9dbba660747828c7b"
2472 | 	hash7 = "530d31a0c45b79c1ee0c5c678e242c02"
2473 | 	hash2 = "a899dedb50ad81d9dbba660747828c7b"
2474 | 	sample_filetype = "js-html"
2475 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2476 | strings:
2477 | 	$string0 = "></th><th><a href"
2478 | 	$string1 = "/icons/back.gif"
2479 | 	$string2 = ">Description</a></th></tr><tr><th colspan"
2480 | 	$string3 = "nbsp;</td><td align"
2481 | 	$string4 = "nbsp;</td></tr>"
2482 | 	$string5 = ">  - </td><td>"
2483 | 	$string6 = "-//W3C//DTD HTML 3.2 Final//EN"
2484 | 	$string7 = "<h1>Index of /dummy</h1>"
2485 | 	$string8 = ">Size</a></th><th><a href"
2486 | 	$string9 = " </head>"
2487 | 	$string10 = "/icons/blank.gif"
2488 | 	$string11 = "><hr></th></tr>"
2489 | condition:
2490 | 	11 of them
2491 | }
2492 | 
2493 | rule blackhole2_htm12
2494 | {
2495 | meta:
2496 | 	author = "Josh Berry"
2497 | 	date = "2016-06-27"
2498 | 	description = "BlackHole2 Exploit Kit Detection"
2499 | 	hash0 = "0d3acb5285cfe071e30be051d2aaf28a"
2500 | 	hash1 = "6f27377115ba5fd59f007d2cb3f50b35"
2501 | 	hash2 = "f7ffe1fd1a57d337a04d3c777cddc065"
2502 | 	hash3 = "06997228f2769859ef5e4cd8a454d650"
2503 | 	hash4 = "11062eea9b7f2a2675c1e60047e8735c"
2504 | 	hash0 = "0d3acb5285cfe071e30be051d2aaf28a"
2505 | 	hash2 = "f7ffe1fd1a57d337a04d3c777cddc065"
2506 | 	hash7 = "4ec720cfafabd1c9b1034bb82d368a30"
2507 | 	hash8 = "ecd7d11dc9bb6ee842e2a2dce56edc6f"
2508 | 	sample_filetype = "js-html"
2509 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2510 | strings:
2511 | 	$string0 = "  <title>Index of /data</title>"
2512 | 	$string1 = "<tr><th colspan"
2513 | 	$string2 = "</body></html>"
2514 | 	$string3 = "> 20K</td><td>"
2515 | 	$string4 = "/icons/layout.gif"
2516 | 	$string5 = " <body>"
2517 | 	$string6 = ">Name</a></th><th><a href"
2518 | 	$string7 = "spn.jar"
2519 | 	$string8 = "spn2.jar"
2520 | 	$string9 = " <head>"
2521 | 	$string10 = "-//W3C//DTD HTML 3.2 Final//EN"
2522 | 	$string11 = "> 10K</td><td>"
2523 | 	$string12 = ">7.9K</td><td>"
2524 | 	$string13 = ">Size</a></th><th><a href"
2525 | 	$string14 = "><hr></th></tr>"
2526 | condition:
2527 | 	14 of them
2528 | }
2529 | 
2530 | rule blackhole2_htm3
2531 | {
2532 | meta:
2533 | 	author = "Josh Berry"
2534 | 	date = "2016-06-27"
2535 | 	description = "BlackHole2 Exploit Kit Detection"
2536 | 	hash0 = "018ef031bc68484587eafeefa66c7082"
2537 | 	sample_filetype = "js-html"
2538 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2539 | strings:
2540 | 	$string0 = "/download.php"
2541 | 	$string1 = "./files/fdc7aaf4a3 md5 is 3169969e91f5fe5446909bbab6e14d5d"
2542 | 	$string2 = "321e774d81b2c3ae"
2543 | 	$string3 = "/files/new00010/554-0002.exe md5 is 8a497cf4ffa8a173a7ac75f0de1f8d8b"
2544 | 	$string4 = "./files/3fa7bdd7dc md5 is 8a497cf4ffa8a173a7ac75f0de1f8d8b"
2545 | 	$string5 = "1603256636530120915 md5 is 425ebdfcf03045917d90878d264773d2"
2546 | condition:
2547 | 	3 of them
2548 | }
2549 | 
2550 | rule blackhole2_htm4
2551 | {
2552 | meta:
2553 | 	author = "Josh Berry"
2554 | 	date = "2016-06-27"
2555 | 	description = "BlackHole2 Exploit Kit Detection"
2556 | 	hash0 = "926429bf5fe1fbd531eb100fc6e53524"
2557 | 	hash1 = "7b6cdc67077fc3ca75a54dea0833afe3"
2558 | 	hash2 = "82f108d4e6f997f8fc4cc02aad02629a"
2559 | 	hash3 = "bd819c3714dffb5d4988d2f19d571918"
2560 | 	hash4 = "9bc9f925f60bd8a7b632ae3a6147cb9e"
2561 | 	hash0 = "926429bf5fe1fbd531eb100fc6e53524"
2562 | 	hash2 = "82f108d4e6f997f8fc4cc02aad02629a"
2563 | 	hash7 = "386cb76d46b281778c8c54ac001d72dc"
2564 | 	hash8 = "0d95c666ea5d5c28fca5381bd54304b3"
2565 | 	sample_filetype = "js-html"
2566 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2567 | strings:
2568 | 	$string0 = "words.dat"
2569 | 	$string1 = "/icons/back.gif"
2570 | 	$string2 = "data.dat"
2571 | 	$string3 = "files.php"
2572 | 	$string4 = "js.php"
2573 | 	$string5 = "template.php"
2574 | 	$string6 = "kcaptcha"
2575 | 	$string7 = "/icons/blank.gif"
2576 | 	$string8 = "java.dat"
2577 | condition:
2578 | 	8 of them
2579 | }
2580 | 
2581 | rule blackhole2_htm5
2582 | {
2583 | meta:
2584 | 	author = "Josh Berry"
2585 | 	date = "2016-06-27"
2586 | 	description = "BlackHole2 Exploit Kit Detection"
2587 | 	hash0 = "fccb8f71663620a5a8b53dcfb396cfb5"
2588 | 	hash1 = "a09bcf1a1bdabe4e6e7e52e7f8898012"
2589 | 	hash2 = "40db66bf212dd953a169752ba9349c6a"
2590 | 	hash3 = "25a87e6da4baa57a9d6a2cdcb2d43249"
2591 | 	hash4 = "6f4c64a1293c03c9f881a4ef4e1491b3"
2592 | 	hash0 = "fccb8f71663620a5a8b53dcfb396cfb5"
2593 | 	hash2 = "40db66bf212dd953a169752ba9349c6a"
2594 | 	hash7 = "4bdfff8de0bb5ea2d623333a4a82c7f9"
2595 | 	hash8 = "b43b6a1897c2956c2a0c9407b74c4232"
2596 | 	sample_filetype = "js-html"
2597 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2598 | strings:
2599 | 	$string0 = "ruleEdit.php"
2600 | 	$string1 = "domains.php"
2601 | 	$string2 = "menu.php"
2602 | 	$string3 = "browsers_stat.php"
2603 | 	$string4 = "Index of /library/templates"
2604 | 	$string5 = "/icons/unknown.gif"
2605 | 	$string6 = "browsers_bstat.php"
2606 | 	$string7 = "oses_stat.php"
2607 | 	$string8 = "exploits_bstat.php"
2608 | 	$string9 = "block_config.php"
2609 | 	$string10 = "threads_bstat.php"
2610 | 	$string11 = "browsers_bstat.php"
2611 | 	$string12 = "settings.php"
2612 | condition:
2613 | 	12 of them
2614 | }
2615 | 
2616 | rule blackhole2_htm6
2617 | {
2618 | meta:
2619 | 	author = "Josh Berry"
2620 | 	date = "2016-06-27"
2621 | 	description = "BlackHole2 Exploit Kit Detection"
2622 | 	hash0 = "a5f94d7bdeb88b57be67132473e48286"
2623 | 	hash1 = "2e72a317d07aa1603f8d138787a2c582"
2624 | 	hash2 = "9440d49e1ed0794c90547758ef6023f7"
2625 | 	hash3 = "58265fc893ed5a001e3a7c925441298c"
2626 | 	hash2 = "9440d49e1ed0794c90547758ef6023f7"
2627 | 	hash0 = "a5f94d7bdeb88b57be67132473e48286"
2628 | 	hash2 = "9440d49e1ed0794c90547758ef6023f7"
2629 | 	hash7 = "95c6462d0f21181c5003e2a74c8d3529"
2630 | 	hash8 = "9236e7f96207253b4684f3497bcd2b3d"
2631 | 	sample_filetype = "js-html"
2632 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2633 | strings:
2634 | 	$string0 = "uniq1.png"
2635 | 	$string1 = "edit.png"
2636 | 	$string2 = "left.gif"
2637 | 	$string3 = "infin.png"
2638 | 	$string4 = "outdent.gif"
2639 | 	$string5 = "exploit.gif"
2640 | 	$string6 = "sem_g.png"
2641 | 	$string7 = "Index of /library/templates/img"
2642 | 	$string8 = "uniq1.png"
2643 | condition:
2644 | 	8 of them
2645 | }
2646 | 
2647 | rule blackhole2_htm8
2648 | {
2649 | meta:
2650 | 	author = "Josh Berry"
2651 | 	date = "2016-06-27"
2652 | 	description = "BlackHole2 Exploit Kit Detection"
2653 | 	hash0 = "3f47452c1e40f68160beff4bb2a3e5f4"
2654 | 	hash1 = "1e2ba0176787088e3580dfce0245bc16"
2655 | 	hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
2656 | 	hash3 = "f5e16a6cd2c2ac71289aaf1c087224ee"
2657 | 	hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
2658 | 	hash0 = "3f47452c1e40f68160beff4bb2a3e5f4"
2659 | 	hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
2660 | 	hash7 = "6702efdee17e0cd6c29349978961d9fa"
2661 | 	hash8 = "287dca9469c8f7f0cb6e5bdd9e2055cd"
2662 | 	sample_filetype = "js-html"
2663 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2664 | strings:
2665 | 	$string0 = ">Description</a></th></tr><tr><th colspan"
2666 | 	$string1 = ">Name</a></th><th><a href"
2667 | 	$string2 = "main.js"
2668 | 	$string3 = "datepicker.js"
2669 | 	$string4 = "form.js"
2670 | 	$string5 = "<address>Apache/2.2.15 (CentOS) Server at online-moo-viii.net Port 80</address>"
2671 | 	$string6 = "wysiwyg.js"
2672 | condition:
2673 | 	6 of them
2674 | }
2675 | 
2676 | rule blackhole2_jar
2677 | {
2678 | meta:
2679 | 	author = "Josh Berry"
2680 | 	date = "2016-06-27"
2681 | 	description = "BlackHole2 Exploit Kit Detection"
2682 | 	hash0 = "86946ec2d2031f2b456e804cac4ade6d"
2683 | 	sample_filetype = "unknown"
2684 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2685 | strings:
2686 | 	$string0 = "k0/3;N"
2687 | 	$string1 = "g:WlY0"
2688 | 	$string2 = "(ww6Ou"
2689 | 	$string3 = "SOUGX["
2690 | 	$string4 = "7X2ANb"
2691 | 	$string5 = "r8L<;zYH)"
2692 | 	$string6 = "fbeatbea/fbeatbee.classPK"
2693 | 	$string7 = "fbeatbea/fbeatbec.class"
2694 | 	$string8 = "fbeatbea/fbeatbef.class"
2695 | 	$string9 = "fbeatbea/fbeatbef.classPK"
2696 | 	$string10 = "fbeatbea/fbeatbea.class"
2697 | 	$string11 = "fbeatbea/fbeatbeb.classPK"
2698 | 	$string12 = "nOJh-2"
2699 | 	$string13 = "[af:Fr"
2700 | condition:
2701 | 	13 of them
2702 | }
2703 | 
2704 | rule blackhole2_jar2
2705 | {
2706 | meta:
2707 | 	author = "Josh Berry"
2708 | 	date = "2016-06-27"
2709 | 	description = "BlackHole2 Exploit Kit Detection"
2710 | 	hash0 = "add1d01ba06d08818ff6880de2ee74e8"
2711 | 	sample_filetype = "unknown"
2712 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2713 | strings:
2714 | 	$string0 = "6_O6d09"
2715 | 	$string1 = "juqirvs.classPK"
2716 | 	$string2 = "hw.classPK"
2717 | 	$string3 = "a.classPK"
2718 | 	$string4 = "w.classuS]w"
2719 | 	$string5 = "w.classPK"
2720 | 	$string6 = "YE}0vCZ"
2721 | 	$string7 = "v)Q,Ff"
2722 | 	$string8 = "%8H%t("
2723 | 	$string9 = "hw.class"
2724 | 	$string10 = "a.classmV"
2725 | 	$string11 = "2CniYFU"
2726 | 	$string12 = "juqirvs.class"
2727 | condition:
2728 | 	12 of them
2729 | }
2730 | 
2731 | rule blackhole2_jar3
2732 | {
2733 | meta:
2734 | 	author = "Josh Berry"
2735 | 	date = "2016-06-27"
2736 | 	description = "BlackHole2 Exploit Kit Detection"
2737 | 	hash0 = "c7abd2142f121bd64e55f145d4b860fa"
2738 | 	sample_filetype = "unknown"
2739 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2740 | strings:
2741 | 	$string0 = "69/sj]]o"
2742 | 	$string1 = "GJk5Nd"
2743 | 	$string2 = "vcs.classu"
2744 | 	$string3 = "T<EssB"
2745 | 	$string4 = "1vmQmQ"
2746 | 	$string5 = "Kf1Ewr"
2747 | 	$string6 = "c$WuuuKKu5"
2748 | 	$string7 = "m.classPK"
2749 | 	$string8 = "chcyih.classPK"
2750 | 	$string9 = "hw.class"
2751 | 	$string10 = "f';;;;{"
2752 | 	$string11 = "vcs.classPK"
2753 | 	$string12 = "Vbhf_6"
2754 | condition:
2755 | 	12 of them
2756 | }
2757 | 
2758 | rule blackhole2_pdf
2759 | {
2760 | meta:
2761 | 	author = "Josh Berry"
2762 | 	date = "2016-06-27"
2763 | 	description = "BlackHole2 Exploit Kit Detection"
2764 | 	hash0 = "d1e2ff36a6c882b289d3b736d915a6cc"
2765 | 	sample_filetype = "pdf"
2766 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
2767 | strings:
2768 | 	$string0 = "/StructTreeRoot 5 0 R/Type/Catalog>>"
2769 | 	$string1 = "0000036095 00000 n"
2770 | 	$string2 = "http://www.xfa.org/schema/xfa-locale-set/2.1/"
2771 | 	$string3 = "subform[0].ImageField1[0])/Subtype/Widget/TU(Image Field)/Parent 22 0 R/F 4/P 8 0 R/T<FEFF0049006D00"
2772 | 	$string4 = "0000000026 65535 f"
2773 | 	$string5 = "0000029039 00000 n"
2774 | 	$string6 = "0000029693 00000 n"
2775 | 	$string7 = "%PDF-1.6"
2776 | 	$string8 = "27 0 obj<</Subtype/Type0/DescendantFonts 28 0 R/BaseFont/KLGNYZ"
2777 | 	$string9 = "0000034423 00000 n"
2778 | 	$string10 = "0000000010 65535 f"
2779 | 	$string11 = ">stream"
2780 | 	$string12 = "/Pages 2 0 R%/StructTreeRoot 5 0 R/Type/Catalog>>"
2781 | 	$string13 = "19 0 obj<</Subtype/Type1C/Length 23094/Filter/FlateDecode>>stream"
2782 | 	$string14 = "0000003653 00000 n"
2783 | 	$string15 = "0000000023 65535 f"
2784 | 	$string16 = "0000028250 00000 n"
2785 | 	$string17 = "iceRGB>>>>/XStep 9.0/Type/Pattern/TilingType 2/YStep 9.0/BBox[0 0 9 9]>>stream"
2786 | 	$string18 = "<</Root 1 0 R>>"
2787 | condition:
2788 | 	18 of them
2789 | }
2790 | 
2791 | rule maldoc_indirect_function_call_1 : maldoc
2792 | {
2793 |     meta:
2794 |         author = "Didier Stevens (https://DidierStevens.com)"
2795 |     strings:
2796 |         $a = {FF 75 ?? FF 55 ??}
2797 |     condition:
2798 |         for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
2799 | }
2800 | 
2801 | rule maldoc_indirect_function_call_2 : maldoc
2802 | {
2803 |     meta:
2804 |         author = "Didier Stevens (https://DidierStevens.com)"
2805 |     strings:
2806 |         $a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
2807 |     condition:
2808 |         for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
2809 | }
2810 | 
2811 | rule maldoc_indirect_function_call_3 : maldoc
2812 | {
2813 |     meta:
2814 |         author = "Didier Stevens (https://DidierStevens.com)"
2815 |     strings:
2816 |         $a = {FF B7 ?? ?? ?? ?? FF 57 ??}
2817 |     condition:
2818 |         $a
2819 | }
2820 | 
2821 | rule maldoc_find_kernel32_base_method_1 : maldoc
2822 | {
2823 |     meta:
2824 |         author = "Didier Stevens (https://DidierStevens.com)"
2825 |     strings:
2826 |         $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
2827 |         $a2 = {64 A1 30 00 00 00}
2828 |     condition:
2829 |         any of them
2830 | }
2831 | 
2832 | rule maldoc_find_kernel32_base_method_2 : maldoc
2833 | {
2834 |     meta:
2835 |         author = "Didier Stevens (https://DidierStevens.com)"
2836 |     strings:
2837 |         $a = {31 ?? ?? 30 64 8B ??}
2838 |     condition:
2839 |         for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
2840 | }
2841 | 
2842 | rule maldoc_find_kernel32_base_method_3 : maldoc
2843 | {
2844 |     meta:
2845 |         author = "Didier Stevens (https://DidierStevens.com)"
2846 |     strings:
2847 |         $a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
2848 |     condition:
2849 |         for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
2850 | }
2851 | 
2852 | rule mwi_document: exploitdoc maldoc
2853 | {
2854 |     meta:
2855 |         description = "MWI generated document"
2856 |         author = "@Ydklijnsma"
2857 |         source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
2858 | 
2859 |       strings:
2860 |         $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
2861 |         $mwistat_url = ".php?id="
2862 |         $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
2863 | 
2864 |     condition:
2865 |         all of them
2866 | }
2867 | 
2868 | rule macrocheck : maldoc
2869 | {
2870 |     meta:
2871 |         Author      = "Fireeye Labs"
2872 |         Date        = "2014/11/30" 
2873 |         Description = "Identify office documents with the MACROCHECK credential stealer in them.  It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
2874 |         Reference   = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
2875 | 
2876 |     strings:
2877 |         $PARAMpword = "pword=" ascii wide
2878 |         $PARAMmsg = "msg=" ascii wide
2879 |         $PARAMuname = "uname=" ascii
2880 |         $userform = "UserForm" ascii wide
2881 |         $userloginform = "UserLoginForm" ascii wide
2882 |         $invalid = "Invalid username or password" ascii wide
2883 |         $up1 = "uploadPOST" ascii wide
2884 |         $up2 = "postUpload" ascii wide
2885 |  
2886 |     condition:
2887 |         all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
2888 | }
2889 | 
2890 | rule Office_AutoOpen_Macro : maldoc {
2891 | 	meta:
2892 | 		description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
2893 | 		author = "Florian Roth"
2894 | 		date = "2015-05-28"
2895 | 		score = 60
2896 | 		hash1 = "4d00695d5011427efc33c9722c61ced2"
2897 | 		hash2 = "63f6b20cb39630b13c14823874bd3743"
2898 | 		hash3 = "66e67c2d84af85a569a04042141164e6"
2899 | 		hash4 = "a3035716fe9173703941876c2bde9d98"
2900 | 		hash5 = "7c06cab49b9332962625b16f15708345"
2901 | 		hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
2902 | 		hash7 = "25285b8fe2c41bd54079c92c1b761381"
2903 | 	strings:
2904 | 		$s1 = "AutoOpen" ascii fullword
2905 | 		$s2 = "Macros" wide fullword
2906 | 	condition:
2907 | 		uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000
2908 | }
2909 | 
2910 | rule Embedded_EXE_Cloaking : maldoc {
2911 |     meta:
2912 |         description = "Detects an embedded executable in a non-executable file"
2913 |         author = "Florian Roth"
2914 |         date = "2015/02/27"
2915 |         score = 80
2916 |     strings:
2917 |         $noex_png = { 89 50 4E 47 }
2918 |         $noex_pdf = { 25 50 44 46 }
2919 |         $noex_rtf = { 7B 5C 72 74 66 31 }
2920 |         $noex_jpg = { FF D8 FF E0 }
2921 |         $noex_gif = { 47 49 46 38 }
2922 |         $mz  = { 4D 5A }
2923 |         $a1 = "This program cannot be run in DOS mode"
2924 |         $a2 = "This program must be run under Win32"       
2925 |     condition:
2926 |         (
2927 |             ( $noex_png at 0 ) or
2928 |             ( $noex_pdf at 0 ) or
2929 |             ( $noex_rtf at 0 ) or
2930 |             ( $noex_jpg at 0 ) or
2931 |             ( $noex_gif at 0 )
2932 |         )
2933 |         and
2934 |         for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
2935 | }
2936 | 


--------------------------------------------------------------------------------
/angler_ek_checkpoint.yar:
--------------------------------------------------------------------------------
 1 | rule angler_ek_checkpoint
 2 | {
 3 | 	meta:
 4 | 		description = "Angler EK Exploit Kit - Checkpoint Detection"
 5 | 	strings:
 6 | 		$a = "Jul 2039" nocase
 7 | 		$b = "Jul 2040" nocase
 8 | 	condition:
 9 | 		any of them
10 | }


--------------------------------------------------------------------------------
/angler_ek_redirector.yar:
--------------------------------------------------------------------------------
 1 | rule AnglerEKredirector
 2 | {
 3 |    meta:
 4 |       description = "Angler Exploit Kit Redirector"
 5 |       ref = "http://blog.xanda.org/2015/08/28/yara-rule-for-angler-ek-redirector-js/"
 6 |       author = "adnan.shukor@gmail.com"
 7 |       date = "08-July-2015"
 8 |       impact = "5"
 9 |       version = "1"
10 |    strings:
11 |       $ekr1 = "<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000);" fullword
12 |       $ekr2 = "document.cookie=\"PHP_SESSION_PHP="
13 |       $ekr3 = "path=/; expires=\"+date.toUTCString();</script>" fullword
14 |       $ekr4 = "<iframe src=" fullword
15 |       $ekr5 = "</iframe></div>" fullword
16 |    condition:
17 |       all of them
18 | }


--------------------------------------------------------------------------------
/angler_flash.yar:
--------------------------------------------------------------------------------
 1 | rule angler_flash
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Angler Exploit Kit Detection"
 7 | 	hash0 = "8081397c30b53119716c374dd58fc653"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "(9OOSp"
12 | 	$string1 = "r$g@ 0'[A"
13 | 	$string2 = ";R-1qTP"
14 | 	$string3 = "xwBtR4"
15 | 	$string4 = "YbVjxp"
16 | 	$string5 = "ddgXkF"
17 | 	$string6 = ")n'URF"
18 | 	$string7 = "vAzq@W"
19 | 	$string8 = "rOkX$6m<"
20 | 	$string9 = "@@DB}q "
21 | 	$string10 = "TiKV'iV"
22 | 	$string11 = "538x;B"
23 | 	$string12 = "9pEM{d"
24 | 	$string13 = ".SIy/O"
25 | 	$string14 = "ER<Gu,"
26 | condition:
27 | 	14 of them
28 | }
29 | 


--------------------------------------------------------------------------------
/angler_flash2.yar:
--------------------------------------------------------------------------------
 1 | rule angler_flash2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Angler Exploit Kit Detection"
 7 | 	hash0 = "23812c5a1d33c9ce61b0882f860d79d6"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "4yOOUj"
12 | 	$string1 = "CSvI4e"
13 | 	$string2 = "'fwaEnkI"
14 | 	$string3 = "'y4m%X"
15 | 	$string4 = "eOc)a,"
16 | 	$string5 = "'0{Q5<"
17 | 	$string6 = "1BdX;P"
18 | 	$string7 = "D _J)C"
19 | 	$string8 = "-epZ.E"
20 | 	$string9 = "QpRkP."
21 | 	$string10 = "<o/]atel"
22 | 	$string11 = "@B.,X<"
23 | 	$string12 = "5r[c)U"
24 | 	$string13 = "52R7F'"
25 | 	$string14 = "NZ[FV'P"
26 | condition:
27 | 	14 of them
28 | }
29 | 


--------------------------------------------------------------------------------
/angler_flash4.yar:
--------------------------------------------------------------------------------
 1 | rule angler_flash4
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Angler Exploit Kit Detection"
 7 | 	hash0 = "dbb3f5e90c05602d92e5d6e12f8c1421"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "_u;cwD;"
12 | 	$string1 = "lhNp74"
13 | 	$string2 = "Y0GQ%v"
14 | 	$string3 = "qjqCb,nx"
15 | 	$string4 = "vn{l{Wl"
16 | 	$string5 = "5j5jz5"
17 | 	$string6 = "a3EWwhM"
18 | 	$string7 = "hVJb/4Aut"
19 | 	$string8 = ",lm4v,"
20 | 	$string9 = ",6MekS"
21 | 	$string10 = "YM.mxzO"
22 | 	$string11 = ";6 -$E"
23 | 	$string12 = "QA%: fy"
24 | 	$string13 = "<@{qvR"
25 | 	$string14 = "b9'$'6l"
26 | 	$string15 = ",x:pQ@-"
27 | 	$string16 = "2Dyyr9"
28 | condition:
29 | 	16 of them
30 | }
31 | 


--------------------------------------------------------------------------------
/angler_flash5.yar:
--------------------------------------------------------------------------------
 1 | rule angler_flash5
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Angler Exploit Kit Detection"
 7 | 	hash0 = "9f809272e59ee9ecd71093035b31eec6"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "0k%2{u"
12 | 	$string1 = "\\Pb@(R"
13 | 	$string2 = "ys)dVI"
14 | 	$string3 = "tk4_y["
15 | 	$string4 = "LM2Grx"
16 | 	$string5 = "n}s5fb"
17 | 	$string6 = "jT Nx<hKO"
18 | 	$string7 = "5xL>>}"
19 | 	$string8 = "S%,1{b"
20 | 	$string9 = "C'3g7j"
21 | 	$string10 = "}gfoh]"
22 | 	$string11 = ",KFVQb"
23 | 	$string12 = "LA;{Dx"
24 | condition:
25 | 	12 of them
26 | }
27 | 


--------------------------------------------------------------------------------
/angler_flash_uncompressed.yar:
--------------------------------------------------------------------------------
 1 | rule angler_flash_uncompressed
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Angler Exploit Kit Detection"
 7 | 	hash0 = "2543855d992b2f9a576f974c2630d851"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "DisplayObjectContainer"
12 | 	$string1 = "Xtime2"
13 | 	$string2 = "(HMRTQ"
14 | 	$string3 = "flash.events:EventDispatcher$flash.display:DisplayObjectContainer"
15 | 	$string4 = "_e_-___-__"
16 | 	$string5 = "ZviJbf"
17 | 	$string6 = "random-"
18 | 	$string7 = "_e_-_-_-_"
19 | 	$string8 = "_e_------"
20 | 	$string9 = "817677162"
21 | 	$string10 = "_e_-__-"
22 | 	$string11 = "-[vNnZZ"
23 | 	$string12 = "5:unpad: Invalid padding value. expected ["
24 | 	$string13 = "writeByte/"
25 | 	$string14 = "enumerateFonts"
26 | 	$string15 = "_e_---___"
27 | 	$string16 = "_e_-_-"
28 | 	$string17 = "f(fOJ4"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/angler_html.yar:
--------------------------------------------------------------------------------
 1 | rule angler_html
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Angler Exploit Kit Detection"
 7 | 	hash0 = "afca949ab09c5583a2ea5b2006236666"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = " A9 3E AF D5 9AQ FA 14 BC F2 A0H EA 7FfJ A58 A3 B1 BD 85 DB F3 B4 B6 FB B2 B4 14 82 19 88 28 D0 EA 2"
12 | 	$string1 = " 2BS 25 26p 20 3F 81 0E D3 9C 84 C7 EC C3 C41M C48 D3 B5N 09 C2z 98 7B 09. DF 05 5EQ DF A3 B6 EE D5 "
13 | 	$string2 = "9 A1Fg A8 837 9A A9 0A 1D 40b02 A5U6 22o 16 DC 5D F5 F5 FA BE FB EDX F0 87 DB C9 7B D6 AC F6D 10 1AJ"
14 | 	$string3 = "24 AA 17 FB B0 96d DBN 05 EE F6 0F 24 D4 D0 C0 E4 96 03 A3 03 20/ 04 40 DB 8F 7FI A6 DC F5 09 0FWV 1"
15 | 	$string4 = "Fq B3 94 E3 3E EFw E6 AA9 3A 5B 9E2 D2 EC AF6 10c 83 0F DF BB FBx AF B4 1BV 5C DD F8 9BR 97v D0U 9EG"
16 | 	$string5 = "29 9B 01E C85 86 B0 09 EC E07 AFCY 19 E5 11 1C 92 E2 DA A9 5D 19P 3A BF AB D6 B3 3FZ B4 92 FF E1 27 "
17 | 	$string6 = "B A9 88 B8 F0 EBLd 8E 08 18 11P EE BFk 15 5BM D6 B7 CEh AF 9C 8F 04 89 88 5E F6 ED 13 8EN1p 86Vk BC "
18 | 	$string7 = "w F4 C8 16pV 22 0A BB EB 83 7D BC 89 B6 E06 8B 2A DC E6 7D CE. 0Dh 18 0A8 5E 60 0C BF A4 00M 00 E3 3"
19 | 	$string8 = "B7 C6 E3 8E DC 3BR 60L 94h D8 AA7k5s 0D 7Fb 8B 80P E0 1BP EBT B5 03zE D0o 2A B97 18 F39 7C 94 99 11 "
20 | 	$string9 = "kY 24 8E 3E 94 84 D2 00 1EB 16 A4 9C 28 24 C1B BB 22 7D 97c F5 BA AD C4 5C 23 5D 3D 5C A7d5 0C F6 EA"
21 | 	$string10 = "08 01 3A 15 3B E0 1A E2 89 5B A2 F4 ED 87O F9l A99 124 27 BF BB A1c 2BW 12Z 07 AA D9 81 B7 A6-5 E2 E"
22 | 	$string11 = " 16 BF A7 0E 00 16 BB 8FB CBn FC D8 9C C7 EA AC C2q 85n A96I D1 9B FC8 BDl B8 3Ajf 7B ADH FD 20 88 F"
23 | 	$string12 = "  ML    "
24 | 	$string13 = " AEJ 3B C7 BFy EF F07X D3 A0 1E B4q C4 BE 3A 10 E7 A0 FE D1Jhp 89 A0sj 1CW 08 D5 F7 C8 C6 D5I 81 D2 "
25 | 	$string14 = "B 24 90 ED CEP C8 C9 9B E5 25 09 C6B- 2B 3B C7 28 C9 C62 EB D3 D5 ED DE A8 7F A9mNs 87 12 82 03 A2 8"
26 | 	$string15 = "A 3A A2L DFa 18 11P 00 7F1 BBbY FA 5E 04 C4 5D 89 F3S DAN B5 CAi 8D 0A AC A8 0A ABI E6 1E 89 BB 07 D"
27 | 	$string16 = "C B5 FD 0B F9 0Ch CE 01 14 8Dp AF 24 E0 E3 D90 DD FF B0 07 2Ad 0B 7D B0 B2 D8 BD E6 A7 CE E1 E4 3E5 "
28 | 	$string17 = "19 0C 85 14r/ 8C F3 84 2B 8C CF 90 93 E2 F6zo C3 D40 A6 94 01 02Q 21G AB B9 CDx 9D FB 21 2C 10 C3 3C"
29 | 	$string18 = "FAV D7y A0 C7Ld4 01 22 EE B0 1EY FAB BA E0 01 24 15g C5 DA6 19 EEsl BF C7O 9F 8B E8 AF 93 F52 00 06 "
30 | condition:
31 | 	18 of them
32 | }
33 | 


--------------------------------------------------------------------------------
/angler_html2.yar:
--------------------------------------------------------------------------------
 1 | rule angler_html2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Angler Exploit Kit Detection"
 7 | 	hash0 = "6c926bf25d1a8a80ab988c8a34c0102e"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "E 06 E7i 1E 91q 9C D0J 1D 9B 14 E7g 1D DD ECK 20c 40 C6 0C AFR5 3D 03 9Em EC 0CB C9 A9 DFw C9 ADP 5B"
12 | 	$string1 = "14Bc 5C 3Bp CB 2A 12 3D A56 AA 14 87 E3 81 8A 80h 27 1C 3A4 CE 12 AE FAy F0 8A 21 B8I AD 1E B9 2C D1"
13 | 	$string2 = "0J 95 83 CC 1C 95D CAD 1A EA F3 00 E9 DA_ F2 ED 3CM1 A0 01t 1B EE 2C B6AWKq BF CAY FE D8 F2 7C 96 92"
14 | 	$string3 = "A8MTCsn C9 DBu D3 10 A0 D4 AC A9 97 06Rn 01 DAK EFFN ADP AE 0E 8FJd 8F DA B6 25RO 18 2A 00 EA F9 8B "
15 | 	$string4 = "A3 EB C1 CE 1E C4ok C4 19 F2 A7 17 9FCoz B6- C6 25J BB 0B 8C1OZ E4 7B AEz F6 06A 5D C0 D7 E8 FF DB D"
16 | 	$string5 = " 07 DE A3 F8 B0 B3 20V A4 B2 C8 60 BD EEG 95 BB 04 1Ckw A4 80 E6 23 F02 FA 9C 9A 14F BDC 18 BE BD B4"
17 | 	$string6 = "7 D1 B9 9B AC 2AN BA D3 00 A9 1CJ3J C0V 8F 8E FC B6p9 00 E1 01 21j B3 27 FF C3 8E 2B 92 8B DEiUI C3 "
18 | 	$string7 = " 99 2C AF9 F9 3F5 A8 F0 1BU C8e/ 00Q B4 10 DD BC 9D 8A BF B2 17 8F BFd DB D1 B7 E66 21 96 86 1E B2 1"
19 | 	$string8 = "E86 DF9 22Tg E93 9Em 29 0A 5B B5m E2 DCIF D6 D2 F5B CF F7XkRv BE EA A6 C5 82p 5E B3 B4aD B9 3A E0 22"
20 | 	$string9 = " 7C 95.q D6f E8 1AE 17 82T 84 F1/O 82 C2q C7 FE 05C E4 E5W F5 0A E4l 12 3Brt 8A E0 E7 DDJ 1F 1F C4 A"
21 | 	$string10 = "4t 91iE BD 2C 95U E9 1C AE 5B 5B A3 9D B2 F9 0B B5 15S9 AB 9D 94 85 A6 F1 AF B6 FC CAt 91iE BD 2C 95"
22 | 	$string11 = "  </input>"
23 | 	$string12 = "2 D12 93 FD AB 0DKK AEN 40 DA 88 7B FA 3B 18 EE 09 92 ED AF A8b 07 002 0A A3S 04 29 F9 A3 EA BB E9 7"
24 | 	$string13 = "40 C6 0C AFR5E 15 07 EE CBg B3 C6 60G 92tFt D7E 7D F0 C4 A89 29 EC BA E1 D9 3D 23 F0 0B E0o 3E2c B3 "
25 | 	$string14 = "2 A3. A3 F1 D8 D4 A83K 9C AEu FF EA 02 F4 B8 A0 EE C9 7B 15 C1 07D 80 7C 10 864 96 E3 AA F8 99bgve D"
26 | 	$string15 = "C 7D DC 0A E9 0D A1k 85s 9D 24 8C D0k E1 7E 3AH E2 052 D8q 16 FC 96 0AR C0 EC 99K4 3F BE ED CC DBE A"
27 | 	$string16 = "40 DA 88 7B 9E 1A B3 FA DE 90U 5B BD6x 9A 0C 163 AB EA ED B4 B5 98 ADL B7 06 EE E5y B8 9B C9Q 00 E9 "
28 | 	$string17 = "F BF_ F9 AC 5B CC 0B1 7B 60 20c 40 C6 0C AFR5 0B C7D 09 9D E30 14 AC 027 B2 B9B A7 06 E3z DC- B2 60 "
29 | 	$string18 = "0 80 97Oi 8C 85 D2 1Bp CDv 11 05 D4 26 E7 FC 3DlO AE 96 D2 1B 89 7C 16H 11 86 D0 A6 B95 FC 01 C5 8E "
30 | condition:
31 | 	18 of them
32 | }
33 | 


--------------------------------------------------------------------------------
/angler_jar.yar:
--------------------------------------------------------------------------------
 1 | rule angler_jar
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Angler Exploit Kit Detection"
 7 | 	hash0 = "3de78737b728811af38ea780de5f5ed7"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "myftysbrth"
12 | 	$string1 = "classPK"
13 | 	$string2 = "8aoadN"
14 | 	$string3 = "j5/_<F"
15 | 	$string4 = "FXPreloader.class"
16 | 	$string5 = "V4w\\K,"
17 | 	$string6 = "W\\Vr2a"
18 | 	$string7 = "META-INF/MANIFEST.MF"
19 | 	$string8 = "Na8$NS"
20 | 	$string9 = "_YJjB'"
21 | condition:
22 | 	9 of them
23 | }


--------------------------------------------------------------------------------
/angler_js.yar:
--------------------------------------------------------------------------------
 1 | rule angler_js
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Angler Exploit Kit Detection"
 7 | 	hash0 = "482d6c24a824103f0bcd37fa59e19452"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "    2654435769,   Be"
12 | 	$string1 = "DFOMIqka "
13 | 	$string2 = ",  Zydr$>>16"
14 | 	$string3 = "DFOMIqka( 'OPPj_phuPuiwzDFo')"
15 | 	$string4 = "U0BNJWZ9J0vM43TnlNZcWnZjZSelQZlb1HGTTllZTm19emc0dlsYF13GvhQJmTZmbVMxallMdhWW948YWi t    P  b50GW"
16 | 	$string5 = "    auSt;"
17 | 	$string6 = " eval    (NDbMFR "
18 | 	$string7 = "jWUwYDZhNVyMI2TzykEYjWk0MDM5MA%ZQ1TD1gEMzj         3  D       ',"
19 | 	$string8 = "('fE').substr    (2    ,    1 "
20 | 	$string9 = ",  -1 "
21 | 	$string10 = "    )  );Zydr$  [ 1]"
22 | 	$string11 = " 11;PsKnARPQuNNZMP<9;PsKnARPQuNNZMP"
23 | 	$string12 = "new   Array  (2),  Ykz"
24 | 	$string13 = "<script> "
25 | 	$string14 = ");    CYxin "
26 | 	$string15 = "Zydr$    [    1]"
27 | 	$string16 = "var tKTGVbw,auSt, vnEihY, gftiUIdV, XnHs, UGlMHG, KWlqCKLfCV;"
28 | 	$string17 = "reXKyQsob1reXKyQsob3 "
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/blackhole1_jar.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole1_jar
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "BlackHole1 Exploit Kit Detection"
 7 | 	hash0 = "724acccdcf01cf2323aa095e6ce59cae"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "Created-By: 1.6.0_18 (Sun Microsystems Inc.)"
12 | 	$string1 = "workpack/decoder.classmQ]S"
13 | 	$string2 = "workpack/decoder.classPK"
14 | 	$string3 = "workpack/editor.classPK"
15 | 	$string4 = "xmleditor/GUI.classmO"
16 | 	$string5 = "xmleditor/GUI.classPK"
17 | 	$string6 = "xmleditor/peers.classPK"
18 | 	$string7 = "v(SiS]T"
19 | 	$string8 = ",R3TiV"
20 | 	$string9 = "META-INF/MANIFEST.MFPK"
21 | 	$string10 = "xmleditor/PK"
22 | 	$string11 = "Z[Og8o"
23 | 	$string12 = "workpack/PK"
24 | condition:
25 | 	12 of them
26 | }
27 | 


--------------------------------------------------------------------------------
/blackhole2_css.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_css
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "9664a16c65782d56f02789e7d52359cd"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string1 = "background:url('%%?a=img&img=countries.gif')"
12 | 	$string2 = "background:url('%%?a=img&img=exploit.gif')"
13 | 	$string3 = "background:url('%%?a=img&img=oses.gif')"
14 | 	$string4 = "background:url('%%?a=img&img=browsers.gif')"
15 | 	$string5 = "background:url('%%?a=img&img=edit.png')"
16 | 	$string6 = "background:url('%%?a=img&img=add.png')"
17 | 	$string7 = "background:url('%%?a=img&img=accept.png')"
18 | 	$string8 = "background:url('%%?a=img&img=del.png')"
19 | 	$string9 = "background:url('%%?a=img&img=stat.gif')"
20 | condition:
21 | 	18 of them
22 | }
23 | 


--------------------------------------------------------------------------------
/blackhole2_htm.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_htm
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "92e21e491a90e24083449fd906515684"
 8 | 	hash1 = "98b302a504a7ad0e3515ab6b96d623f9"
 9 | 	hash2 = "a91d885ef4c4a0d16c88b956db9c6f43"
10 | 	hash3 = "d8336f7ae9b3a4db69317aea105f49be"
11 | 	hash4 = "eba5daf0442dff5b249274c99552177b"
12 | 	hash5 = "02d8e6daef5a4723621c25cfb766a23d"
13 | 	hash6 = "dadf69ce2124283a59107708ffa9c900"
14 | 	hash7 = "467199178ac940ca311896c7d116954f"
15 | 	hash8 = "17ab5b85f2e1f2b5da436555ea94f859"
16 | 	sample_filetype = "js-html"
17 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
18 | strings:
19 | 	$string0 = ">links/</a></td><td align"
20 | 	$string1 = ">684K</td><td>"
21 | 	$string2 = "> 36K</td><td>"
22 | 	$string3 = "move_logs.php"
23 | 	$string4 = "files/"
24 | 	$string5 = "cron_updatetor.php"
25 | 	$string6 = ">12-Sep-2012 23:45  </td><td align"
26 | 	$string7 = ">  - </td><td>"
27 | 	$string8 = "cron_check.php"
28 | 	$string9 = "-//W3C//DTD HTML 3.2 Final//EN"
29 | 	$string10 = "bhadmin.php"
30 | 	$string11 = ">21-Sep-2012 15:25  </td><td align"
31 | 	$string12 = ">data/</a></td><td align"
32 | 	$string13 = ">3.3K</td><td>"
33 | 	$string14 = "cron_update.php"
34 | condition:
35 | 	14 of them
36 | }
37 | 


--------------------------------------------------------------------------------
/blackhole2_htm10.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_htm10
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "83704d531c9826727016fec285675eb1"
 8 | 	hash1 = "103ef0314607d28b3c54cd07e954cb25"
 9 | 	hash2 = "16c002dc45976caae259d7cabc95b2c3"
10 | 	hash3 = "fd84d695ac3f2ebfb98d3255b3a4e1de"
11 | 	hash4 = "c7b417a4d650c72efebc2c45eefbac2a"
12 | 	hash5 = "c3c35e465e316a71abccca296ff6cd22"
13 | 	hash2 = "16c002dc45976caae259d7cabc95b2c3"
14 | 	hash7 = "10ce7956266bfd98fe310d7568bfc9d0"
15 | 	hash8 = "60024caf40f4239d7e796916fb52dc8c"
16 | 	sample_filetype = "js-html"
17 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
18 | strings:
19 | 	$string0 = "</body></html>"
20 | 	$string1 = "/icons/back.gif"
21 | 	$string2 = ">373K</td><td>"
22 | 	$string3 = "/icons/unknown.gif"
23 | 	$string4 = ">Last modified</a></th><th><a href"
24 | 	$string5 = "tmp.gz"
25 | 	$string6 = ">tmp.gz</a></td><td align"
26 | 	$string7 = "nbsp;</td><td align"
27 | 	$string8 = "</table>"
28 | 	$string9 = ">  - </td><td>"
29 | 	$string10 = ">filefdc7aaf4a3</a></td><td align"
30 | 	$string11 = ">19-Sep-2012 07:06  </td><td align"
31 | 	$string12 = "><img src"
32 | 	$string13 = "file3fa7bdd7dc"
33 | 	$string14 = "  <title>Index of /files</title>"
34 | 	$string15 = "0da49e042d"
35 | condition:
36 | 	15 of them
37 | }
38 | 


--------------------------------------------------------------------------------
/blackhole2_htm11.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_htm11
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "e89b56df597688c489f06a0a6dd9efed"
 8 | 	hash1 = "06ba331ac5ae3cd1986c82cb1098029e"
 9 | 	hash2 = "a899dedb50ad81d9dbba660747828c7b"
10 | 	hash3 = "7cbb58412554327fe8b643204a046e2b"
11 | 	hash2 = "a899dedb50ad81d9dbba660747828c7b"
12 | 	hash0 = "e89b56df597688c489f06a0a6dd9efed"
13 | 	hash2 = "a899dedb50ad81d9dbba660747828c7b"
14 | 	hash7 = "530d31a0c45b79c1ee0c5c678e242c02"
15 | 	hash2 = "a899dedb50ad81d9dbba660747828c7b"
16 | 	sample_filetype = "js-html"
17 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
18 | strings:
19 | 	$string0 = "></th><th><a href"
20 | 	$string1 = "/icons/back.gif"
21 | 	$string2 = ">Description</a></th></tr><tr><th colspan"
22 | 	$string3 = "nbsp;</td><td align"
23 | 	$string4 = "nbsp;</td></tr>"
24 | 	$string5 = ">  - </td><td>"
25 | 	$string6 = "-//W3C//DTD HTML 3.2 Final//EN"
26 | 	$string7 = "<h1>Index of /dummy</h1>"
27 | 	$string8 = ">Size</a></th><th><a href"
28 | 	$string9 = " </head>"
29 | 	$string10 = "/icons/blank.gif"
30 | 	$string11 = "><hr></th></tr>"
31 | condition:
32 | 	11 of them
33 | }
34 | 


--------------------------------------------------------------------------------
/blackhole2_htm12.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_htm12
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "0d3acb5285cfe071e30be051d2aaf28a"
 8 | 	hash1 = "6f27377115ba5fd59f007d2cb3f50b35"
 9 | 	hash2 = "f7ffe1fd1a57d337a04d3c777cddc065"
10 | 	hash3 = "06997228f2769859ef5e4cd8a454d650"
11 | 	hash4 = "11062eea9b7f2a2675c1e60047e8735c"
12 | 	hash0 = "0d3acb5285cfe071e30be051d2aaf28a"
13 | 	hash2 = "f7ffe1fd1a57d337a04d3c777cddc065"
14 | 	hash7 = "4ec720cfafabd1c9b1034bb82d368a30"
15 | 	hash8 = "ecd7d11dc9bb6ee842e2a2dce56edc6f"
16 | 	sample_filetype = "js-html"
17 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
18 | strings:
19 | 	$string0 = "  <title>Index of /data</title>"
20 | 	$string1 = "<tr><th colspan"
21 | 	$string2 = "</body></html>"
22 | 	$string3 = "> 20K</td><td>"
23 | 	$string4 = "/icons/layout.gif"
24 | 	$string5 = " <body>"
25 | 	$string6 = ">Name</a></th><th><a href"
26 | 	$string7 = ">spn.jar</a></td><td align"
27 | 	$string8 = ">spn2.jar</a></td><td align"
28 | 	$string9 = " <head>"
29 | 	$string10 = "-//W3C//DTD HTML 3.2 Final//EN"
30 | 	$string11 = "> 10K</td><td>"
31 | 	$string12 = ">7.9K</td><td>"
32 | 	$string13 = ">Size</a></th><th><a href"
33 | 	$string14 = "><hr></th></tr>"
34 | condition:
35 | 	14 of them
36 | }
37 | 


--------------------------------------------------------------------------------
/blackhole2_htm3.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_htm3
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "018ef031bc68484587eafeefa66c7082"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "/download.php"
12 | 	$string1 = "./files/fdc7aaf4a3 md5 is 3169969e91f5fe5446909bbab6e14d5d"
13 | 	$string2 = "321e774d81b2c3ae"
14 | 	$string3 = "/files/new00010/554-0002.exe md5 is 8a497cf4ffa8a173a7ac75f0de1f8d8b"
15 | 	$string4 = "./files/3fa7bdd7dc md5 is 8a497cf4ffa8a173a7ac75f0de1f8d8b"
16 | 	$string5 = "1603256636530120915 md5 is 425ebdfcf03045917d90878d264773d2"
17 | condition:
18 | 	3 of them
19 | }
20 | 


--------------------------------------------------------------------------------
/blackhole2_htm4.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_htm4
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "926429bf5fe1fbd531eb100fc6e53524"
 8 | 	hash1 = "7b6cdc67077fc3ca75a54dea0833afe3"
 9 | 	hash2 = "82f108d4e6f997f8fc4cc02aad02629a"
10 | 	hash3 = "bd819c3714dffb5d4988d2f19d571918"
11 | 	hash4 = "9bc9f925f60bd8a7b632ae3a6147cb9e"
12 | 	hash0 = "926429bf5fe1fbd531eb100fc6e53524"
13 | 	hash2 = "82f108d4e6f997f8fc4cc02aad02629a"
14 | 	hash7 = "386cb76d46b281778c8c54ac001d72dc"
15 | 	hash8 = "0d95c666ea5d5c28fca5381bd54304b3"
16 | 	sample_filetype = "js-html"
17 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
18 | strings:
19 | 	$string0 = "words.dat"
20 | 	$string1 = "/icons/back.gif"
21 | 	$string2 = "data.dat"
22 | 	$string3 = "files.php"
23 | 	$string4 = "js.php"
24 | 	$string5 = "template.php"
25 | 	$string6 = "kcaptcha"
26 | 	$string7 = "/icons/blank.gif"
27 | 	$string8 = "java.dat"
28 | condition:
29 | 	8 of them
30 | }
31 | 


--------------------------------------------------------------------------------
/blackhole2_htm5.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_htm5
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "fccb8f71663620a5a8b53dcfb396cfb5"
 8 | 	hash1 = "a09bcf1a1bdabe4e6e7e52e7f8898012"
 9 | 	hash2 = "40db66bf212dd953a169752ba9349c6a"
10 | 	hash3 = "25a87e6da4baa57a9d6a2cdcb2d43249"
11 | 	hash4 = "6f4c64a1293c03c9f881a4ef4e1491b3"
12 | 	hash0 = "fccb8f71663620a5a8b53dcfb396cfb5"
13 | 	hash2 = "40db66bf212dd953a169752ba9349c6a"
14 | 	hash7 = "4bdfff8de0bb5ea2d623333a4a82c7f9"
15 | 	hash8 = "b43b6a1897c2956c2a0c9407b74c4232"
16 | 	sample_filetype = "js-html"
17 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
18 | strings:
19 | 	$string0 = "ruleEdit.php"
20 | 	$string1 = "domains.php"
21 | 	$string2 = "menu.php"
22 | 	$string3 = "browsers_stat.php"
23 | 	$string4 = "Index of /library/templates"
24 | 	$string5 = "/icons/unknown.gif"
25 | 	$string6 = "browsers_bstat.php"
26 | 	$string7 = "oses_stat.php"
27 | 	$string8 = "exploits_bstat.php"
28 | 	$string9 = "block_config.php"
29 | 	$string10 = "threads_bstat.php"
30 | 	$string11 = "browsers_bstat.php"
31 | 	$string12 = "settings.php"
32 | condition:
33 | 	12 of them
34 | }
35 | 


--------------------------------------------------------------------------------
/blackhole2_htm6.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_htm6
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "a5f94d7bdeb88b57be67132473e48286"
 8 | 	hash1 = "2e72a317d07aa1603f8d138787a2c582"
 9 | 	hash2 = "9440d49e1ed0794c90547758ef6023f7"
10 | 	hash3 = "58265fc893ed5a001e3a7c925441298c"
11 | 	hash2 = "9440d49e1ed0794c90547758ef6023f7"
12 | 	hash0 = "a5f94d7bdeb88b57be67132473e48286"
13 | 	hash2 = "9440d49e1ed0794c90547758ef6023f7"
14 | 	hash7 = "95c6462d0f21181c5003e2a74c8d3529"
15 | 	hash8 = "9236e7f96207253b4684f3497bcd2b3d"
16 | 	sample_filetype = "js-html"
17 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
18 | strings:
19 | 	$string0 = "uniq1.png"
20 | 	$string1 = "edit.png"
21 | 	$string2 = "left.gif"
22 | 	$string3 = "infin.png"
23 | 	$string4 = "outdent.gif"
24 | 	$string5 = "exploit.gif"
25 | 	$string6 = "sem_g.png"
26 | 	$string7 = "Index of /library/templates/img"
27 | 	$string8 = "uniq1.png"
28 | condition:
29 | 	8 of them
30 | }
31 | 


--------------------------------------------------------------------------------
/blackhole2_htm8.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_htm8
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "3f47452c1e40f68160beff4bb2a3e5f4"
 8 | 	hash1 = "1e2ba0176787088e3580dfce0245bc16"
 9 | 	hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
10 | 	hash3 = "f5e16a6cd2c2ac71289aaf1c087224ee"
11 | 	hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
12 | 	hash0 = "3f47452c1e40f68160beff4bb2a3e5f4"
13 | 	hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
14 | 	hash7 = "6702efdee17e0cd6c29349978961d9fa"
15 | 	hash8 = "287dca9469c8f7f0cb6e5bdd9e2055cd"
16 | 	sample_filetype = "js-html"
17 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
18 | strings:
19 | 	$string0 = ">Description</a></th></tr><tr><th colspan"
20 | 	$string1 = ">Name</a></th><th><a href"
21 | 	$string2 = "main.js"
22 | 	$string3 = "datepicker.js"
23 | 	$string4 = "form.js"
24 | 	$string5 = "<address>Apache/2.2.15 (CentOS) Server at online-moo-viii.net Port 80</address>"
25 | 	$string6 = "wysiwyg.js"
26 | condition:
27 | 	6 of them
28 | }
29 | 


--------------------------------------------------------------------------------
/blackhole2_jar.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_jar
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "86946ec2d2031f2b456e804cac4ade6d"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "k0/3;N"
12 | 	$string1 = "g:WlY0"
13 | 	$string2 = "(ww6Ou"
14 | 	$string3 = "SOUGX["
15 | 	$string4 = "7X2ANb"
16 | 	$string5 = "r8L<;zYH)"
17 | 	$string6 = "fbeatbea/fbeatbee.classPK"
18 | 	$string7 = "fbeatbea/fbeatbec.class"
19 | 	$string8 = "fbeatbea/fbeatbef.class"
20 | 	$string9 = "fbeatbea/fbeatbef.classPK"
21 | 	$string10 = "fbeatbea/fbeatbea.class"
22 | 	$string11 = "fbeatbea/fbeatbeb.classPK"
23 | 	$string12 = "nOJh-2"
24 | 	$string13 = "[af:Fr"
25 | condition:
26 | 	13 of them
27 | }
28 | 


--------------------------------------------------------------------------------
/blackhole2_jar2.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_jar2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "add1d01ba06d08818ff6880de2ee74e8"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "6_O6d09"
12 | 	$string1 = "juqirvs.classPK"
13 | 	$string2 = "hw.classPK"
14 | 	$string3 = "a.classPK"
15 | 	$string4 = "w.classuS]w"
16 | 	$string5 = "w.classPK"
17 | 	$string6 = "YE}0vCZ"
18 | 	$string7 = "v)Q,Ff"
19 | 	$string8 = "%8H%t("
20 | 	$string9 = "hw.class"
21 | 	$string10 = "a.classmV"
22 | 	$string11 = "2CniYFU"
23 | 	$string12 = "juqirvs.class"
24 | condition:
25 | 	12 of them
26 | }
27 | 


--------------------------------------------------------------------------------
/blackhole2_jar3.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_jar3
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "c7abd2142f121bd64e55f145d4b860fa"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "69/sj]]o"
12 | 	$string1 = "GJk5Nd"
13 | 	$string2 = "vcs.classu"
14 | 	$string3 = "T<EssB"
15 | 	$string4 = "1vmQmQ"
16 | 	$string5 = "Kf1Ewr"
17 | 	$string6 = "c$WuuuKKu5"
18 | 	$string7 = "m.classPK"
19 | 	$string8 = "chcyih.classPK"
20 | 	$string9 = "hw.class"
21 | 	$string10 = "f';;;;{"
22 | 	$string11 = "vcs.classPK"
23 | 	$string12 = "Vbhf_6"
24 | condition:
25 | 	12 of them
26 | }
27 | 


--------------------------------------------------------------------------------
/blackhole2_pdf.yar:
--------------------------------------------------------------------------------
 1 | rule blackhole2_pdf
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "BlackHole2 Exploit Kit Detection"
 7 | 	hash0 = "d1e2ff36a6c882b289d3b736d915a6cc"
 8 | 	sample_filetype = "pdf"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "/StructTreeRoot 5 0 R/Type/Catalog>>"
12 | 	$string1 = "0000036095 00000 n"
13 | 	$string2 = "http://www.xfa.org/schema/xfa-locale-set/2.1/"
14 | 	$string3 = "subform[0].ImageField1[0])/Subtype/Widget/TU(Image Field)/Parent 22 0 R/F 4/P 8 0 R/T<FEFF0049006D00"
15 | 	$string4 = "0000000026 65535 f"
16 | 	$string5 = "0000029039 00000 n"
17 | 	$string6 = "0000029693 00000 n"
18 | 	$string7 = "%PDF-1.6"
19 | 	$string8 = "27 0 obj<</Subtype/Type0/DescendantFonts 28 0 R/BaseFont/KLGNYZ"
20 | 	$string9 = "0000034423 00000 n"
21 | 	$string10 = "0000000010 65535 f"
22 | 	$string11 = ">stream"
23 | 	$string12 = "/Pages 2 0 R%/StructTreeRoot 5 0 R/Type/Catalog>>"
24 | 	$string13 = "19 0 obj<</Subtype/Type1C/Length 23094/Filter/FlateDecode>>stream"
25 | 	$string14 = "0000003653 00000 n"
26 | 	$string15 = "0000000023 65535 f"
27 | 	$string16 = "0000028250 00000 n"
28 | 	$string17 = "iceRGB>>>>/XStep 9.0/Type/Pattern/TilingType 2/YStep 9.0/BBox[0 0 9 9]>>stream"
29 | 	$string18 = "<</Root 1 0 R>>"
30 | condition:
31 | 	18 of them
32 | }
33 | 


--------------------------------------------------------------------------------
/blackhole_basic.yar:
--------------------------------------------------------------------------------
1 | rule blackhole_basic : exploit_kit
2 | {
3 |     strings:
4 |         $a = /\.php\?.*?\:[a-zA-Z0-9\:]{6,}\&.*?\&/
5 |     condition:
6 |         $a
7 | }


--------------------------------------------------------------------------------
/bleedinglife2_adobe_2010_1297_exploit.yar:
--------------------------------------------------------------------------------
 1 | rule bleedinglife2_adobe_2010_1297_exploit
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "BleedingLife2 Exploit Kit Detection"
 7 | 	hash0 = "8179a7f91965731daa16722bd95f0fcf"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "getSharedStyle"
12 | 	$string1 = "currentCount"
13 | 	$string2 = "String"
14 | 	$string3 = "setSelection"
15 | 	$string4 = "BOTTOM"
16 | 	$string5 = "classToInstancesDict"
17 | 	$string6 = "buttonDown"
18 | 	$string7 = "focusRect"
19 | 	$string8 = "pill11"
20 | 	$string9 = "TEXT_INPUT"
21 | 	$string10 = "restrict"
22 | 	$string11 = "defaultButtonEnabled"
23 | 	$string12 = "copyStylesToChild"
24 | 	$string13 = " xmlns:xmpMM"
25 | 	$string14 = "_editable"
26 | 	$string15 = "classToDefaultStylesDict"
27 | 	$string16 = "IMEConversionMode"
28 | 	$string17 = "Scene 1"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/bleedinglife2_adobe_2010_2884_exploit.yar:
--------------------------------------------------------------------------------
 1 | rule bleedinglife2_adobe_2010_2884_exploit
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "BleedingLife2 Exploit Kit Detection"
 7 | 	hash0 = "b22ac6bea520181947e7855cd317c9ac"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "_autoRepeat"
12 | 	$string1 = "embedFonts"
13 | 	$string2 = "KeyboardEvent"
14 | 	$string3 = "instanceStyles"
15 | 	$string4 = "InvalidationType"
16 | 	$string5 = "autoRepeat"
17 | 	$string6 = "getScaleX"
18 | 	$string7 = "RadioButton_selectedDownIcon"
19 | 	$string8 = "configUI"
20 | 	$string9 = "deactivate"
21 | 	$string10 = "fl.controls:Button"
22 | 	$string11 = "_mouseStateLocked"
23 | 	$string12 = "fl.core.ComponentShim"
24 | 	$string13 = "toString"
25 | 	$string14 = "_group"
26 | 	$string15 = "addRadioButton"
27 | 	$string16 = "inCallLaterPhase"
28 | 	$string17 = "oldMouseState"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/bleedinglife2_jar2.yar:
--------------------------------------------------------------------------------
 1 | rule bleedinglife2_jar2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "BleedingLife2 Exploit Kit Detection"
 7 | 	hash0 = "2bc0619f9a0c483f3fd6bce88148a7ab"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "META-INF/MANIFEST.MFPK"
12 | 	$string1 = "RequiredJavaComponent.classPK"
13 | 	$string2 = "META-INF/JAVA.SFm"
14 | 	$string3 = "RequiredJavaComponent.class"
15 | 	$string4 = "META-INF/MANIFEST.MF"
16 | 	$string5 = "META-INF/JAVA.DSAPK"
17 | 	$string6 = "META-INF/JAVA.SFPK"
18 | 	$string7 = "5EVTwkx"
19 | 	$string8 = "META-INF/JAVA.DSA3hb"
20 | 	$string9 = "y\\Dw -"
21 | condition:
22 | 	9 of them
23 | }
24 | 


--------------------------------------------------------------------------------
/bleedinglife2_java_2010_0842_exploit.yar:
--------------------------------------------------------------------------------
 1 | rule bleedinglife2_java_2010_0842_exploit
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "BleedingLife2 Exploit Kit Detection"
 7 | 	hash0 = "b14ee91a3da82f5acc78abd10078752e"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "META-INF/MANIFEST.MFManifest-Version: 1.0"
12 | 	$string1 = "ToolsDemo.classPK"
13 | 	$string2 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProvider5"
14 | 	$string3 = "Created-By: 1.6.0_22 (Sun Microsystems Inc.)"
15 | 	$string4 = "META-INF/PK"
16 | 	$string5 = "ToolsDemo.class"
17 | 	$string6 = "META-INF/services/PK"
18 | 	$string7 = "ToolsDemoSubClass.classPK"
19 | 	$string8 = "META-INF/MANIFEST.MFPK"
20 | 	$string9 = "ToolsDemoSubClass.classeN"
21 | condition:
22 | 	9 of them
23 | }
24 | 


--------------------------------------------------------------------------------
/crimepack_jar.yar:
--------------------------------------------------------------------------------
 1 | rule crimepack_jar
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "CrimePack Exploit Kit Detection"
 7 | 	hash0 = "d48e70d538225bc1807842ac13a8e188"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "r.JM,IM"
12 | 	$string1 = "cpak/Crimepack$1.classPK"
13 | 	$string2 = "cpak/KAVS.classPK"
14 | 	$string3 = "cpak/KAVS.classmQ"
15 | 	$string4 = "cpak/Crimepack$1.classmP[O"
16 | 	$string5 = "META-INF/MANIFEST.MF"
17 | 	$string6 = "META-INF/MANIFEST.MFPK"
18 | condition:
19 | 	6 of them
20 | }
21 | 


--------------------------------------------------------------------------------
/crimepack_jar3.yar:
--------------------------------------------------------------------------------
 1 | rule crimepack_jar3
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "CrimePack Exploit Kit Detection"
 7 | 	hash0 = "40ed977adc009e1593afcb09d70888c4"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "payload.serPK"
12 | 	$string1 = "vE/JD[j"
13 | 	$string2 = "payload.ser["
14 | 	$string3 = "Exploit$2.classPK"
15 | 	$string4 = "Exploit$2.class"
16 | 	$string5 = "Ho((i/"
17 | 	$string6 = "META-INF/MANIFEST.MF"
18 | 	$string7 = "H5641Yk"
19 | 	$string8 = "Exploit$1.classPK"
20 | 	$string9 = "Payloader.classPK"
21 | 	$string10 = "%p6$MCS"
22 | 	$string11 = "Exploit$1$1.classPK"
23 | condition:
24 | 	11 of them
25 | }
26 | 


--------------------------------------------------------------------------------
/cve_2013_0074.yar:
--------------------------------------------------------------------------------
 1 | rule cve_2013_0074
 2 | {
 3 | meta:
 4 | 	author = "Kaspersky Lab"
 5 | 	filetype = "Win32 EXE"
 6 | 	date = "2015-07-23"
 7 | 	version = "1.0"
 8 | 
 9 | strings:
10 | 	$b2="Can't find Payload() address" ascii wide
11 | 	$b3="/SilverApp1;component/App.xaml" ascii wide
12 | 	$b4="Can't allocate ums after buf[]" ascii wide
13 | 	$b5="------------ START ------------"
14 | 
15 | condition:
16 | 	( (2 of ($b*)) )
17 | }


--------------------------------------------------------------------------------
/cve_2013_0422.yar:
--------------------------------------------------------------------------------
 1 | rule CVE_2013_0422
 2 | {
 3 |         meta:
 4 |                 description = "Java Applet JMX Remote Code Execution"
 5 |                 cve = "CVE-2013-0422"
 6 |                 ref = "http://pastebin.com/JVedyrCe"
 7 |                 author = "adnan.shukor@gmail.com"
 8 |                 date = "12-Jan-2013"
 9 |                 version = "1"
10 |                 impact = 4
11 |                 hide = false
12 |         strings:
13 |                 $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword
14 |                 $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword
15 |                 $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword
16 |                 $0422_4 = "findClass" fullword
17 |                 $0422_5 = "publicLookup" fullword
18 |                 $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword 
19 |         condition:
20 |                 (all of ($0422_*)) or (all of them)
21 | }
22 | 


--------------------------------------------------------------------------------
/eleonore_jar.yar:
--------------------------------------------------------------------------------
 1 | rule eleonore_jar
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Eleonore Exploit Kit Detection"
 7 | 	hash0 = "ad829f4315edf9c2611509f3720635d2"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "r.JM,IM"
12 | 	$string1 = "dev/s/DyesyasZ.classPK"
13 | 	$string2 = "k4kjRv"
14 | 	$string3 = "dev/s/LoaderX.class}V[t"
15 | 	$string4 = "dev/s/PK"
16 | 	$string5 = "Hsz6%y"
17 | 	$string6 = "META-INF/MANIFEST.MF"
18 | 	$string7 = "dev/PK"
19 | 	$string8 = "dev/s/AdgredY.class"
20 | 	$string9 = "dev/s/DyesyasZ.class"
21 | 	$string10 = "dev/s/LoaderX.classPK"
22 | 	$string11 = "eS0L5d"
23 | 	$string12 = "8E{4ON"
24 | condition:
25 | 	12 of them
26 | }
27 | 


--------------------------------------------------------------------------------
/eleonore_jar2.yar:
--------------------------------------------------------------------------------
 1 | rule eleonore_jar2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Eleonore Exploit Kit Detection"
 7 | 	hash0 = "94e99de80c357d01e64abf7dc5bd0ebd"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "META-INF/MANIFEST.MFManifest-Version: 1.0"
12 | 	$string1 = "wPVvVyz"
13 | 	$string2 = "JavaFX.class"
14 | 	$string3 = "{%D@'\\"
15 | 	$string4 = "JavaFXColor.class"
16 | 	$string5 = "bWxEBI}Y"
17 | 	$string6 = "$(2}UoD"
18 | 	$string7 = "j%4muR"
19 | 	$string8 = "vqKBZi"
20 | 	$string9 = "l6gs8;"
21 | 	$string10 = "JavaFXTrueColor.classeSKo"
22 | 	$string11 = "ZyYQx "
23 | 	$string12 = "META-INF/"
24 | 	$string13 = "JavaFX.classPK"
25 | 	$string14 = ";Ie8{A"
26 | condition:
27 | 	14 of them
28 | }
29 | 


--------------------------------------------------------------------------------
/eleonore_jar3.yar:
--------------------------------------------------------------------------------
 1 | rule eleonore_jar3
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Eleonore Exploit Kit Detection"
 7 | 	hash0 = "f65f3b9b809ebf221e73502480ab6ea7"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "16lNYF2V"
12 | 	$string1 = "META-INF/MANIFEST.MFPK"
13 | 	$string2 = "ghsdr/Jewredd.classPK"
14 | 	$string3 = "ghsdr/Gedsrdc.class"
15 | 	$string4 = "e[<n55"
16 | 	$string5 = "ghsdr/Gedsrdc.classPK"
17 | 	$string6 = "META-INF/"
18 | 	$string7 = "na}pyO"
19 | 	$string8 = "9A1.F\\"
20 | 	$string9 = "ghsdr/Kocer.class"
21 | 	$string10 = "MXGXO8"
22 | 	$string11 = "ghsdr/Kocer.classPK"
23 | 	$string12 = "ghsdr/Jewredd.class"
24 | condition:
25 | 	12 of them
26 | }
27 | 


--------------------------------------------------------------------------------
/eleonore_js.yar:
--------------------------------------------------------------------------------
 1 | rule eleonore_js
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Eleonore Exploit Kit Detection"
 7 | 	hash0 = "08f8488f1122f2388a0fd65976b9becd"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "var de"
12 | 	$string1 = "sdjk];"
13 | 	$string2 = "return dfshk;"
14 | 	$string3 = "function jkshdk(){"
15 | 	$string4 = "'val';"
16 | 	$string5 = "var sdjk"
17 | 	$string6 = "return fsdjkl;"
18 | 	$string7 = " window[d"
19 | 	$string8 = "var fsdjkl"
20 | 	$string9 = "function jklsdjfk() {"
21 | 	$string10 = "function rewiry(yiyr,fjkhd){"
22 | 	$string11 = " sdjd "
23 | condition:
24 | 	11 of them
25 | }
26 | 


--------------------------------------------------------------------------------
/eleonore_js2.yar:
--------------------------------------------------------------------------------
 1 | rule eleonore_js2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Eleonore Exploit Kit Detection"
 7 | 	hash0 = "2f5ace22e886972a8dccc6aa5deb1e79"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "var dfshk "
12 | 	$string1 = "arrow_next_down"
13 | 	$string2 = "return eval('yiyr.replac'"
14 | 	$string3 = "arrow_next_over"
15 | 	$string4 = "arrow_prev_over"
16 | 	$string5 = "xcCSSWeekdayBlock"
17 | 	$string6 = "xcCSSHeadBlock"
18 | 	$string7 = "xcCSSDaySpecial"
19 | 	$string8 = "xcCSSDay"
20 | 	$string9 = " window[df "
21 | 	$string10 = "day_special"
22 | 	$string11 = "var df"
23 | 	$string12 = "function jklsdjfk() {"
24 | 	$string13 = " sdjd "
25 | 	$string14 = "'e(/kljf hdfk sdf/g,fjkhd);');"
26 | 	$string15 = "arrow_next"
27 | condition:
28 | 	15 of them
29 | }
30 | 


--------------------------------------------------------------------------------
/eleonore_js3.yar:
--------------------------------------------------------------------------------
 1 | rule eleonore_js3
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Eleonore Exploit Kit Detection"
 7 | 	hash0 = "9dcb8cd8d4f418324f83d914ab4d4650"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "@mozilla.org/file/directory_service;1"
12 | 	$string1 = "var exe "
13 | 	$string2 = "var file "
14 | 	$string3 = "foStream.write(data, data.length);"
15 | 	$string4 = "  var file_data "
16 | 	$string5 = "return "
17 | 	$string6 = " Components.classes["
18 | 	$string7 = "url : "
19 | 	$string8 = "].createInstance(Components.interfaces.nsILocalFile);"
20 | 	$string9 = "  var bstream "
21 | 	$string10 = " bstream.readBytes(size); "
22 | 	$string11 = "@mozilla.org/supports-string;1"
23 | 	$string12 = "  var channel "
24 | 	$string13 = "tmp.exe"
25 | 	$string14 = "  if (channel instanceof Components.interfaces.nsIHttpChannel "
26 | 	$string15 = "@mozilla.org/network/io-service;1"
27 | 	$string16 = " bstream.available()) { "
28 | 	$string17 = "].getService(Components.interfaces.nsIIOService); "
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/fragus_htm.yar:
--------------------------------------------------------------------------------
 1 | rule fragus_htm
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Fragus Exploit Kit Detection"
 7 | 	hash0 = "f76deec07a61b4276acc22beef41ea47"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = ">Hello, "
12 | 	$string1 = "http://www.clantemplates.com"
13 | 	$string2 = "this template was created by Bl1nk and is downloadable at <B>ClanTemplates.com<BR></B>Replace "
14 | 	$string3 = "></TD></TR></TABLE> "
15 | 	$string4 = "Image21"
16 | 	$string5 = "scrollbar etc.<BR><BR>Enjoy, Bl1nk</FONT></TD></TR></TABLE><BR></CENTER></TD></TR> "
17 | 	$string6 = "to this WarCraft Template"
18 | 	$string7 = " document.getElementById) x"
19 | 	$string8 = "    if (a[i].indexOf("
20 | 	$string9 = "x.oSrc;"
21 | 	$string10 = "x.src; x.src"
22 | 	$string11 = "<HTML>"
23 | 	$string12 = "FFFFFF"
24 | 	$string13 = " CELLSPACING"
25 | 	$string14 = "images/layoutnormal_03.gif"
26 | 	$string15 = "<TR> <TD "
27 | 	$string16 = " CELLPADDING"
28 | condition:
29 | 	16 of them
30 | }
31 | 


--------------------------------------------------------------------------------
/fragus_js.yar:
--------------------------------------------------------------------------------
 1 | rule fragus_js
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Fragus Exploit Kit Detection"
 7 | 	hash0 = "f234c11b5da9a782cb1e554f520a66cf"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "));ELI6Q3PZ"
12 | 	$string1 = "VGhNU2pWQmMyUXhPSFI2TTNCVGVEUXpSR3huYm1aeE5UaFhXRFI0ZFhCQVMxWkRNVGh0V0hZNFZVYzBXWFJpTVRoVFpFUklaVGxG"
13 | 	$string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
14 | 	$string3 = "TkhXa0ZrT1haNGRFSXhRM3BrTkRoVGMxZEJSMmcyT0dwNlkzSTJYM1pCYkZnMVVqQmpWMEZIYURZNGFucGpjalpmZGtGc1dERXpT"
15 | 	$string4 = "byKZKkpZU<<18"
16 | 	$string5 = ");CUer0x"
17 | 	$string6 = "bzWRebpU3yE>>16"
18 | 	$string7 = "RUJEWlVvMGNsVTVNMEpNWDNaNGJVSkpPRUJrUlVwRVQwQlNaR2cyY0ZWSE5GbDBRVFZ5UjFnMk9HVldOWGhMYUdFelRIZG5NMWQz"
19 | 	$string8 = "WnZSVGxuT1ZSRkwwaFZSelZGUm5GRlJFVTBLVHQ0UWxKQ1drdzBiWEJ5WkhSdVBtdG9XVWd6TVVGSGFFeDVTMlk3ZUVKU1FscE1O"
20 | 	$string9 = "QmZjMGN4YjBCd1oyOXBURUJJZEhvMFdYcGtOamhFV1ZwU01GVlZZbXBpUUZKV1lqTXpWMDAwY0dSNlF6aE1SekZ5ZEc4ME9FeEtN"
21 | 	$string10 = "SCpMaWXOuME("
22 | 	$string11 = "VjJKcVkxZGlYMTlhUVdRNVNUTkhaRFk0YWpsYWJsWkRNVGh0V0hZNFZVYzBXWFJ2Tm5CVmFEUlpWVmhDT0ZWV05YaDBRa1ZTUkUw"
23 | 	$string12 = "2;}else{Yuii37DWU"
24 | 	$string13 = "ELI6Q3PZ"
25 | 	$string14 = "ZUhNNVZYQlZlRFY0UUZnMk9HMVlORkpFYkRsNGMxbEpPRUJSTVY5SGNETllPRXB0YjBsaloySnhPVVZ3UkZWQVgzTllORGgwV0RS"
26 | 	$string15 = "S05GbE1lalk0Vm1ORmVEWnpXbEpXZDBWaU5ubzJjRlkzVjFsbFgwVmlURlpuYnpCUE5HNTBhRFpaVEZrMVFYTjZObkIwWTBVNE4x"
27 | 	$string16 = "Vm5CWFFVZG9OamhxZW1OeU5sOTJRV3hZTVROSlpEWTRVM294V1VSUFFFdFdZalE0WlVjeGNsSmtObmhBYURVNFZVZEFjRlZDZGtO"
28 | 	$string17 = "Yuii37DWU<<12"
29 | 	$string18 = ";while(hdnR9eo3pZ6E3<ZZeD3LjJQ.length){eMImGB"
30 | condition:
31 | 	18 of them
32 | }
33 | 


--------------------------------------------------------------------------------
/fragus_js2.yar:
--------------------------------------------------------------------------------
 1 | rule fragus_js2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Fragus Exploit Kit Detection"
 7 | 	hash0 = "f234c11b5da9a782cb1e554f520a66cf"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "(ELI6Q3PZ"
12 | 	$string1 = "SnJTbVJqV2tOa09VbGZSMHcwY0ZWZmRrRjBjRFY0Y3psVmNGVjROWGhBV0RZNGJWZzBVa1J4TjNCVlgwVmlhRjkyZURaS1NWOUhj"
13 | 	$string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
14 | 	$string3 = "VUpKUVdWS05ISlZjMXBTTUdWRlNFQmpaMjlrVDBCTFYzY3pZbGRpZG5oeldFUndkSE16YjB4M2JXSnFZMWRpZVY4ellreDNaMko1"
15 | 	$string4 = "((Yuii37DWU"
16 | 	$string5 = "YURVNFZXUlhjRlZDZGxsQVJ6UlNaRTlBUzFkM00ySlhiekU0ZEhnMWNrUjZZM0kyWDNaQmJGZ3hNMGxrTmpoVGVqRlpkSEUyV1dW"
17 | 	$string6 = "String.fromCharCode(ZZeD3LjJQ);}else if(QIyZsvvbEmVOpp"
18 | 	$string7 = "1);ELI6Q3PZ"
19 | 	$string8 = "));Yuii37DWU"
20 | 	$string9 = ");CUer0x"
21 | 	$string10 = "T1ZaQ05IUkRTVGhqT1VWd1ZWOUpRMlZLZG5oNlQwQkxWM2N6WWxkQmRrRkFPVmR3VlRsYWJsWnNOWGhKT1ZkeFZWazFRbEU1UlZK"
22 | 	$string11 = "TlpkM2wxS3lzcExUUTRYU2s4UEhocFVqRk9jazA3SUdsbUtIaHBVakZPY2swcGV5QkdWek5NVnlzOVVrSklWVE0wVDJ0NlpTZzJP"
23 | 	$string12 = "String.fromCharCode(((eMImGB"
24 | 	$string13 = "RGRDUkV0WFV6VkJkRkV4WHpCalYwRkhhRFk0YW5wamNqWmZka0ZzV0RaSWExZzBXWEZDUlZsQVpEWkJOMEoyZUhwd1duSlRXVE5J"
25 | 	$string14 = "SCpMaWXOuME(mi1mm8bu87rL0W);eval(Pcii3iVk1AG);</script></body></html>"
26 | 	$string15 = "Yuii37DWU"
27 | 	$string16 = "Yuii37DWU<<12"
28 | 	$string17 = "eTVzWlc1bmRHZ3NJRWhWUnpWRlJuRkZSRVUwUFRFd01qUXNJR2hQVlZsRVJFVmxVaXdnZUVKU1FscE1ORzF3Y21SMGJpd2dSbGN6"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/fragus_js_flash.yar:
--------------------------------------------------------------------------------
 1 | rule fragus_js_flash
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Fragus Exploit Kit Detection"
 7 | 	hash0 = "377431417b34de8592afecaea9aab95d"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "document.appendChild(bdy);try{for (i"
12 | 	$string1 = "0; i<10; i"
13 | 	$string2 = "default"
14 | 	$string3 = "var m "
15 | 	$string4 = "/g, document.getElementById('divid').innerHTML));"
16 | 	$string5 = " n.substring(0,r/2);"
17 | 	$string6 = "document.getElementById('f').innerHTML"
18 | 	$string7 = "'atk' onclick"
19 | 	$string8 = "function MAKEHEAP()"
20 | 	$string9 = "document.createElement('div');"
21 | 	$string10 = "<button id"
22 | 	$string11 = "/g, document.getElementById('divid').innerHTML);"
23 | 	$string12 = "document.body.appendChild(gg);"
24 | 	$string13 = "var bdy "
25 | 	$string14 = "var gg"
26 | 	$string15 = " unescape(gg);while(n.length<r/2) { n"
27 | condition:
28 | 	15 of them
29 | }
30 | 


--------------------------------------------------------------------------------
/fragus_js_java.yar:
--------------------------------------------------------------------------------
 1 | rule fragus_js_java
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Fragus Exploit Kit Detection"
 7 | 	hash0 = "7398e435e68a2fa31607518befef30fb"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "I></XML><SPAN DATASRC"
12 | 	$string1 = "setTimeout('vparivatel()',8000);function vparivatel(){document.write('<iframe src"
13 | 	$string2 = "I DATAFLD"
14 | 	$string3 = " unescape("
15 | 	$string4 = ", 1);swf.setAttribute("
16 | 	$string5 = "function XMLNEW(){var spray "
17 | 	$string6 = "vparivatel.php"
18 | 	$string7 = "6) ){if ( (lv"
19 | 	$string8 = "'WIN 9,0,16,0')"
20 | 	$string9 = "d:/Program Files/Outlook Express/WAB.EXE"
21 | 	$string10 = "<XML ID"
22 | 	$string11 = "new ActiveXObject("
23 | 	$string12 = "'7.1.0') ){SHOWPDF('iepdf.php"
24 | 	$string13 = "function SWF(){try{sv"
25 | 	$string14 = "'WIN 9,0,28,0')"
26 | 	$string15 = "C DATAFORMATAS"
27 | 	$string16 = " shellcode;xmlcode "
28 | 	$string17 = "function SNAPSHOT(){var a"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/fragus_js_quicktime.yar:
--------------------------------------------------------------------------------
 1 | rule fragus_js_quicktime
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Fragus Exploit Kit Detection"
 7 | 	hash0 = "6bfc7bb877e1a79be24bd9563c768ffd"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "                setTimeout("
12 | 	$string1 = "wnd.location"
13 | 	$string2 = "window;"
14 | 	$string3 = "        var pls "
15 | 	$string4 = "        mem_flag "
16 | 	$string5 = ", 1500);} else{ PRyyt4O3wvgz(1);}"
17 | 	$string6 = "         } catch(e) { }"
18 | 	$string7 = " mem_flag) JP7RXLyEu();"
19 | 	$string8 = " 0x400000;"
20 | 	$string9 = "----------------------------------------------------------------------------------------------------"
21 | 	$string10 = "        heapBlocks "
22 | 	$string11 = "        return mm;"
23 | 	$string12 = "0x38);"
24 | 	$string13 = "        h();"
25 | 	$string14 = " getb(b,bSize);"
26 | 	$string15 = "getfile.php"
27 | condition:
28 | 	15 of them
29 | }
30 | 


--------------------------------------------------------------------------------
/fragus_js_vml.yar:
--------------------------------------------------------------------------------
 1 | rule fragus_js_vml
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Fragus Exploit Kit Detection"
 7 | 	hash0 = "8ab72337c815e0505fcfbc97686c3562"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = " 0x100000;"
12 | 	$string1 = "            var gg "
13 | 	$string2 = "/g, document.getElementById('divid').innerHTML));"
14 | 	$string3 = "                                var sss "
15 | 	$string4 = "                }"
16 | 	$string5 = "                        document.body.appendChild(obj);"
17 | 	$string6 = "                                var hbs "
18 | 	$string7 = " shcode; }"
19 | 	$string8 = " '<div id"
20 | 	$string9 = " hbs - (shcode.length"
21 | 	$string10 = "){ m[i] "
22 | 	$string11 = " unescape(gg);"
23 | 	$string12 = "                                var z "
24 | 	$string13 = "                                var hb "
25 | 	$string14 = " Math.ceil('0'"
26 | condition:
27 | 	14 of them
28 | }
29 | 


--------------------------------------------------------------------------------
/javascript_exploit_and_obfuscation.yar:
--------------------------------------------------------------------------------
 1 | rule generic_javascript_obfuscation
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "JavaScript Obfuscation Detection"
 7 | 	sample_filetype = "js-html"
 8 | strings:
 9 | 	$string0 = /eval\(([\s]+)?(unescape|atob)\(/ nocase
10 | 	$string1 = /var([\s]+)?([a-zA-Z_$])+([a-zA-Z0-9_$]+)?([\s]+)?=([\s]+)?\[([\s]+)?\"\\x[0-9a-fA-F]+/ nocase
11 | 	$string2 = /var([\s]+)?([a-zA-Z_$])+([a-zA-Z0-9_$]+)?([\s]+)?=([\s]+)?eval;/
12 | condition:
13 | 	any of them
14 | }
15 | 
16 | rule possible_includes_base64_packed_functions  
17 | { 
18 | 	meta: 
19 | 		impact = 5 
20 | 		hide = true 
21 | 		desc = "Detects possible includes and packed functions" 
22 | 	strings: 
23 | 		$f = /(atob|btoa|;base64|base64,)/ nocase
24 | 		//$ff = /(?:[A-Za-z0-9]{4}){2,}(?:[A-Za-z0-9]{2}[AEIMQUYcgkosw048]=|[A-Za-z0-9][AQgw]==)/ nocase 
25 | 		$fff = /([A-Za-z0-9]{4})*([A-Za-z0-9]{2}==|[A-Za-z0-9]{3}=|[A-Za-z0-9]{4})/ 
26 | 	condition: 
27 | 		$f and $fff
28 | }
29 |  
30 | rule BeEF_browser_hooked {
31 | 	meta:
32 | 		description = "Yara rule related to hook.js, BeEF Browser hooking capability"
33 | 		author = "Pasquale Stirparo"
34 | 		date = "2015-10-07"
35 | 		hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
36 | 	strings:
37 | 		$s0 = "mitb.poisonAnchor" wide ascii
38 | 		$s1 = "this.request(this.httpproto" wide ascii
39 | 		$s2 = "beef.logger.get_dom_identifier" wide ascii
40 | 		$s3 = "return (!!window.opera" wide ascii 
41 | 		$s4 = "history.pushState({ Be:\"EF\" }" wide ascii 
42 | 		$s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii 
43 | 		$s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii 
44 | 		$s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii 
45 | 		$s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii 
46 | 		$s9 = "mitb.sniff(" wide ascii 
47 | 		$s10 = "Method XMLHttpRequest.open override" wide ascii 
48 | 		$s11 = ".browser.hasWebSocket" wide ascii 
49 | 		$s12 = ".mitb.poisonForm" wide ascii 
50 | 		$s13 = "resolved=require.resolve(file,cwd||" wide ascii 
51 | 		$s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii 
52 | 		$s15 = "beef.net.request" wide ascii 
53 | 		$s16 = "uagent.search(engineOpera)" wide ascii 
54 | 		$s17 = "mitb.sniff" wide ascii
55 | 		$s18 = "beef.logger.start" wide ascii
56 | 	condition:
57 | 		all of them
58 | }
59 | 
60 | rule src_ptheft_command {
61 | 	meta:
62 | 		description = "Auto-generated rule - file command.js"
63 | 		author = "Pasquale Stirparo"
64 | 		reference = "not set"
65 | 		date = "2015-10-08"
66 | 		hash = "49c0e5400068924ff87729d9e1fece19acbfbd628d085f8df47b21519051b7f3"
67 | 	strings:
68 | 		$s0 = "var lilogo = 'http://content.linkedin.com/etc/designs/linkedin/katy/global/clientlibs/img/logo.png';" fullword wide ascii /* score: '38.00' */
69 | 		$s1 = "dark=document.getElementById('darkenScreenObject'); " fullword wide ascii /* score: '21.00' */
70 | 		$s2 = "beef.execute(function() {" fullword wide ascii /* score: '21.00' */
71 | 		$s3 = "var logo  = 'http://www.youtube.com/yt/brand/media/image/yt-brand-standard-logo-630px.png';" fullword wide ascii /* score: '32.42' */
72 | 		$s4 = "description.text('Enter your Apple ID e-mail address and password');" fullword wide ascii /* score: '28.00' */
73 | 		$s5 = "sneakydiv.innerHTML= '<div id=\"edge\" '+edgeborder+'><div id=\"window_container\" '+windowborder+ '><div id=\"title_bar\" ' +ti" wide ascii /* score: '28.00' */
74 | 		$s6 = "var logo  = 'https://www.yammer.com/favicon.ico';" fullword wide ascii /* score: '27.42' */
75 | 		$s7 = "beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer);" fullword wide ascii /* score: '26.00' */
76 | 		$s8 = "var title = 'Session Timed Out <img src=\"' + lilogo + '\" align=right height=20 width=70 alt=\"LinkedIn\">';" fullword wide ascii /* score: '24.00' */
77 | 		$s9 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=20 width=70 alt=\"YouTube\">';" fullword wide ascii /* score: '24.00' */
78 | 		$s10 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=24 width=24 alt=\"Yammer\">';" fullword wide ascii /* score: '24.00' */
79 | 		$s11 = "var logobox = 'style=\"border:4px #84ACDD solid;border-radius:7px;height:45px;width:45px;background:#ffffff\"';" fullword wide ascii /* score: '21.00' */
80 | 		$s12 = "sneakydiv.innerHTML= '<br><img src=\\''+imgr+'\\' width=\\'80px\\' height\\'80px\\' /><h2>Your session has timed out!</h2><p>For" wide ascii /* score: '23.00' */
81 | 		$s13 = "inner.append(title, description, user,password);" fullword wide ascii /* score: '23.00' */
82 | 		$s14 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
83 | 		$s15 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
84 | 		$s16 = "answer = document.getElementById('uname').value+':'+document.getElementById('pass').value;" fullword wide ascii /* score: '22.00' */
85 | 		$s17 = "password.keydown(function(event) {" fullword wide ascii /* score: '21.01' */
86 | 	condition:
87 | 		13 of them
88 | }


--------------------------------------------------------------------------------
/malicious_office.yar:
--------------------------------------------------------------------------------
  1 | rule maldoc_indirect_function_call_1 : maldoc
  2 | {
  3 |     meta:
  4 |         author = "Didier Stevens (https://DidierStevens.com)"
  5 |     strings:
  6 |         $a = {FF 75 ?? FF 55 ??}
  7 |     condition:
  8 |         for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
  9 | }
 10 | 
 11 | rule maldoc_indirect_function_call_2 : maldoc
 12 | {
 13 |     meta:
 14 |         author = "Didier Stevens (https://DidierStevens.com)"
 15 |     strings:
 16 |         $a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
 17 |     condition:
 18 |         for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
 19 | }
 20 | 
 21 | rule maldoc_indirect_function_call_3 : maldoc
 22 | {
 23 |     meta:
 24 |         author = "Didier Stevens (https://DidierStevens.com)"
 25 |     strings:
 26 |         $a = {FF B7 ?? ?? ?? ?? FF 57 ??}
 27 |     condition:
 28 |         $a
 29 | }
 30 | 
 31 | rule maldoc_find_kernel32_base_method_1 : maldoc
 32 | {
 33 |     meta:
 34 |         author = "Didier Stevens (https://DidierStevens.com)"
 35 |     strings:
 36 |         $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
 37 |         $a2 = {64 A1 30 00 00 00}
 38 |     condition:
 39 |         any of them
 40 | }
 41 | 
 42 | rule maldoc_find_kernel32_base_method_2 : maldoc
 43 | {
 44 |     meta:
 45 |         author = "Didier Stevens (https://DidierStevens.com)"
 46 |     strings:
 47 |         $a = {31 ?? ?? 30 64 8B ??}
 48 |     condition:
 49 |         for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
 50 | }
 51 | 
 52 | rule maldoc_find_kernel32_base_method_3 : maldoc
 53 | {
 54 |     meta:
 55 |         author = "Didier Stevens (https://DidierStevens.com)"
 56 |     strings:
 57 |         $a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
 58 |     condition:
 59 |         for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
 60 | }
 61 | 
 62 | rule mwi_document: exploitdoc maldoc
 63 | {
 64 |     meta:
 65 |         description = "MWI generated document"
 66 |         author = "@Ydklijnsma"
 67 |         source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
 68 | 
 69 |       strings:
 70 |         $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
 71 |         $mwistat_url = ".php?id="
 72 |         $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
 73 | 
 74 |     condition:
 75 |         all of them
 76 | }
 77 | 
 78 | rule macrocheck : maldoc
 79 | {
 80 |     meta:
 81 |         Author      = "Fireeye Labs"
 82 |         Date        = "2014/11/30" 
 83 |         Description = "Identify office documents with the MACROCHECK credential stealer in them.  It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
 84 |         Reference   = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
 85 | 
 86 |     strings:
 87 |         $PARAMpword = "pword=" ascii wide
 88 |         $PARAMmsg = "msg=" ascii wide
 89 |         $PARAMuname = "uname=" ascii
 90 |         $userform = "UserForm" ascii wide
 91 |         $userloginform = "UserLoginForm" ascii wide
 92 |         $invalid = "Invalid username or password" ascii wide
 93 |         $up1 = "uploadPOST" ascii wide
 94 |         $up2 = "postUpload" ascii wide
 95 |  
 96 |     condition:
 97 |         all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
 98 | }
 99 | 
100 | rule Office_AutoOpen_Macro : maldoc {
101 | 	meta:
102 | 		description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
103 | 		author = "Florian Roth"
104 | 		date = "2015-05-28"
105 | 		score = 60
106 | 		hash1 = "4d00695d5011427efc33c9722c61ced2"
107 | 		hash2 = "63f6b20cb39630b13c14823874bd3743"
108 | 		hash3 = "66e67c2d84af85a569a04042141164e6"
109 | 		hash4 = "a3035716fe9173703941876c2bde9d98"
110 | 		hash5 = "7c06cab49b9332962625b16f15708345"
111 | 		hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
112 | 		hash7 = "25285b8fe2c41bd54079c92c1b761381"
113 | 	strings:
114 | 		$s1 = "AutoOpen" ascii fullword
115 | 		$s2 = "Macros" wide fullword
116 | 	condition:
117 | 		uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000
118 | }
119 | 
120 | rule Embedded_EXE_Cloaking : maldoc {
121 |     meta:
122 |         description = "Detects an embedded executable in a non-executable file"
123 |         author = "Florian Roth"
124 |         date = "2015/02/27"
125 |         score = 80
126 |     strings:
127 |         $noex_png = { 89 50 4E 47 }
128 |         $noex_pdf = { 25 50 44 46 }
129 |         $noex_rtf = { 7B 5C 72 74 66 31 }
130 |         $noex_jpg = { FF D8 FF E0 }
131 |         $noex_gif = { 47 49 46 38 }
132 |         $mz  = { 4D 5A }
133 |         $a1 = "This program cannot be run in DOS mode"
134 |         $a2 = "This program must be run under Win32"       
135 |     condition:
136 |         (
137 |             ( $noex_png at 0 ) or
138 |             ( $noex_pdf at 0 ) or
139 |             ( $noex_rtf at 0 ) or
140 |             ( $noex_jpg at 0 ) or
141 |             ( $noex_gif at 0 )
142 |         )
143 |         and
144 |         for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
145 | }
146 | 


--------------------------------------------------------------------------------
/malicious_pdf.yar:
--------------------------------------------------------------------------------
  1 | rule malicious_author : PDF
  2 | {
  3 | 	meta:
  4 | 		author = "Glenn Edwards (@hiddenillusion)"
  5 | 		version = "0.1"
  6 | 		weight = 5
  7 | 		
  8 | 	strings:
  9 | 		$magic = { 25 50 44 46 }
 10 | 		
 11 | 		$reg0 = /Creator.?\(yen vaw\)/
 12 | 		$reg1 = /Title.?\(who cis\)/
 13 | 		$reg2 = /Author.?\(ser pes\)/
 14 | 	condition:
 15 | 		$magic at 0 and all of ($reg*)
 16 | }
 17 | 
 18 | rule suspicious_version : PDF
 19 | {
 20 | 	meta:
 21 | 		author = "Glenn Edwards (@hiddenillusion)"
 22 | 		version = "0.1"
 23 | 		weight = 3
 24 | 		
 25 | 	strings:
 26 | 		$magic = { 25 50 44 46 }
 27 | 		$ver = /%PDF-1.\d{1}/
 28 | 	condition:
 29 | 		$magic at 0 and not $ver
 30 | }
 31 | 
 32 | rule suspicious_creation : PDF
 33 | {
 34 | 	meta:
 35 | 		author = "Glenn Edwards (@hiddenillusion)"
 36 | 		version = "0.1"
 37 | 		weight = 2
 38 | 		
 39 | 	strings:
 40 | 		$magic = { 25 50 44 46 }
 41 | 		$header = /%PDF-1\.(3|4|6)/
 42 | 		
 43 | 		$create0 = /CreationDate \(D:20101015142358\)/
 44 | 		$create1 = /CreationDate \(2008312053854\)/
 45 | 	condition:
 46 | 		$magic at 0 and $header and 1 of ($create*)
 47 | }
 48 | 
 49 | rule suspicious_title : PDF
 50 | {
 51 | 	meta:
 52 | 		author = "Glenn Edwards (@hiddenillusion)"
 53 | 		version = "0.1"
 54 | 		weight = 4
 55 | 		
 56 | 	strings:
 57 | 		$magic = { 25 50 44 46 }
 58 | 		$header = /%PDF-1\.(3|4|6)/
 59 | 		
 60 | 		$title0 = "who cis"
 61 | 		$title1 = "P66N7FF"
 62 | 		$title2 = "Fohcirya"
 63 | 	condition:
 64 | 		$magic at 0 and $header and 1 of ($title*)
 65 | }
 66 | 
 67 | rule suspicious_author : PDF
 68 | {
 69 | 	meta:
 70 | 		author = "Glenn Edwards (@hiddenillusion)"
 71 | 		version = "0.1"
 72 | 		weight = 4
 73 | 		
 74 | 	strings:
 75 | 		$magic = { 25 50 44 46 }
 76 | 		$header = /%PDF-1\.(3|4|6)/
 77 | 
 78 | 		$author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1"
 79 | 		$author1 = "ser pes"
 80 | 		$author2 = "Miekiemoes"
 81 | 		$author3 = "Nsarkolke"
 82 | 	condition:
 83 | 		$magic at 0 and $header and 1 of ($author*)
 84 | }
 85 | 
 86 | rule suspicious_producer : PDF
 87 | {
 88 | 	meta:
 89 | 		author = "Glenn Edwards (@hiddenillusion)"
 90 | 		version = "0.1"
 91 | 		weight = 2
 92 | 		
 93 | 	strings:
 94 | 		$magic = { 25 50 44 46 }
 95 | 		$header = /%PDF-1\.(3|4|6)/
 96 | 		
 97 | 		$producer0 = /Producer \(Scribus PDF Library/
 98 | 		$producer1 = "Notepad"
 99 | 	condition:
100 | 		$magic at 0 and $header and 1 of ($producer*)
101 | }
102 | 
103 | rule suspicious_creator : PDF
104 | {
105 | 	meta:
106 | 		author = "Glenn Edwards (@hiddenillusion)"
107 | 		version = "0.1"
108 | 		weight = 3
109 | 		
110 | 	strings:
111 | 		$magic = { 25 50 44 46 }
112 | 		$header = /%PDF-1\.(3|4|6)/
113 | 		
114 | 		$creator0 = "yen vaw"
115 | 		$creator1 = "Scribus"
116 | 		$creator2 = "Viraciregavi"
117 | 	condition:
118 | 		$magic at 0 and $header and 1 of ($creator*)
119 | }
120 | 
121 | rule possible_exploit : PDF
122 | {
123 | 	meta:
124 | 		author = "Glenn Edwards (@hiddenillusion)"
125 | 		version = "0.1"
126 | 		weight = 3
127 | 		
128 | 	strings:
129 | 		$magic = { 25 50 44 46 }
130 | 		
131 | 		$attrib0 = /\/JavaScript /
132 | 		$attrib3 = /\/ASCIIHexDecode/
133 | 		$attrib4 = /\/ASCII85Decode/
134 | 
135 | 		$action0 = /\/Action/
136 | 		$action1 = "Array"
137 | 		$shell = "A"
138 | 		$cond0 = "unescape"
139 | 		$cond1 = "String.fromCharCode"
140 | 		
141 | 		$nop = "%u9090%u9090"
142 | 	condition:
143 | 		$magic at 0 and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
144 | }
145 | 
146 | rule shellcode_blob_metadata : PDF
147 | {
148 |         meta:
149 |                 author = "Glenn Edwards (@hiddenillusion)"
150 |                 version = "0.1"
151 |                 description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded"
152 |                 weight = 4
153 |         strings:
154 |                 $magic = { 25 50 44 46 }
155 | 
156 |                 $reg_keyword = /\/Keywords.?\(([a-zA-Z0-9]{200,})/ //~6k was observed in BHEHv2 PDF exploits holding the shellcode
157 |                 $reg_author = /\/Author.?\(([a-zA-Z0-9]{200,})/
158 |                 $reg_title = /\/Title.?\(([a-zA-Z0-9]{200,})/
159 |                 $reg_producer = /\/Producer.?\(([a-zA-Z0-9]{200,})/
160 |                 $reg_creator = /\/Creator.?\(([a-zA-Z0-9]{300,})/
161 |                 $reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/
162 | 
163 |         condition:
164 |                 $magic at 0 and 1 of ($reg*)
165 | }
166 | 
167 | rule multiple_filtering : PDF 
168 | {
169 |         meta: 
170 |                 author = "Glenn Edwards (@hiddenillusion)"
171 |                 version = "0.2"
172 |                 weight = 3
173 |                 
174 |         strings:
175 |                 $magic = { 25 50 44 46 }
176 |                 $attrib = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/           
177 | 				// left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
178 | 
179 |         condition: 
180 |                 $magic at 0 and $attrib
181 | }
182 | 
183 | rule suspicious_js : PDF
184 | {
185 | 	meta:
186 | 		author = "Glenn Edwards (@hiddenillusion)"
187 | 		version = "0.1"
188 | 		weight = 3
189 | 		
190 | 	strings:
191 | 		$magic = { 25 50 44 46 }
192 | 		
193 | 		$attrib0 = /\/OpenAction /
194 | 		$attrib1 = /\/JavaScript /
195 | 
196 | 		$js0 = "eval"
197 | 		$js1 = "Array"
198 | 		$js2 = "String.fromCharCode"
199 | 		
200 | 	condition:
201 | 		$magic at 0 and all of ($attrib*) and 2 of ($js*)
202 | }
203 | 
204 | rule suspicious_launch_action : PDF
205 | {
206 | 	meta:
207 | 		author = "Glenn Edwards (@hiddenillusion)"
208 | 		version = "0.1"
209 | 		weight = 2
210 | 		
211 | 	strings:
212 | 		$magic = { 25 50 44 46 }
213 | 		
214 | 		$attrib0 = /\/Launch/
215 | 		$attrib1 = /\/URL /
216 | 		$attrib2 = /\/Action/
217 | 		$attrib3 = /\/F /
218 | 
219 | 	condition:
220 | 		$magic at 0 and 3 of ($attrib*)
221 | }
222 | 
223 | rule suspicious_embed : PDF
224 | {
225 | 	meta:
226 | 		author = "Glenn Edwards (@hiddenillusion)"
227 | 		version = "0.1"
228 | 		ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
229 | 		weight = 2
230 | 		
231 | 	strings:
232 | 		$magic = { 25 50 44 46 }
233 | 		
234 | 		$meth0 = /\/Launch/
235 | 		$meth1 = /\/GoTo(E|R)/ //means go to embedded or remote
236 | 		$attrib0 = /\/URL /
237 | 		$attrib1 = /\/Action/
238 | 		$attrib2 = /\/Filespec/
239 | 		
240 | 	condition:
241 | 		$magic at 0 and 1 of ($meth*) and 2 of ($attrib*)
242 | }
243 | 
244 | rule suspicious_obfuscation : PDF
245 | {
246 | 	meta:
247 | 		author = "Glenn Edwards (@hiddenillusion)"
248 | 		version = "0.1"
249 | 		weight = 2
250 | 		
251 | 	strings:
252 | 		$magic = { 25 50 44 46 }
253 | 		$reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
254 | 		
255 | 	condition:
256 | 		$magic at 0 and #reg > 5
257 | }
258 | 
259 | rule invalid_XObject_js : PDF
260 | {
261 | 	meta:
262 | 		author = "Glenn Edwards (@hiddenillusion)"
263 | 		description = "XObject's require v1.4+"
264 | 		ref = "https://blogs.adobe.com/ReferenceXObjects/"
265 | 		version = "0.1"
266 | 		weight = 2
267 | 		
268 | 	strings:
269 | 		$magic = { 25 50 44 46 }
270 | 		$ver = /%PDF-1\.[4-9]/
271 | 		
272 | 		$attrib0 = /\/XObject/
273 | 		$attrib1 = /\/JavaScript/
274 | 		
275 | 	condition:
276 | 		$magic at 0 and not $ver and all of ($attrib*)
277 | }
278 | 
279 | rule invalid_trailer_structure : PDF
280 | {
281 | 	meta:
282 | 		author = "Glenn Edwards (@hiddenillusion)"
283 | 		version = "0.1"
284 | 		weight = 1
285 | 		
286 |         strings:
287 |                 $magic = { 25 50 44 46 }
288 | 				// Required for a valid PDF
289 |                 $reg0 = /trailer\r?\n?.*\/Size.*\r?\n?\.*/
290 |                 $reg1 = /\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/
291 | 
292 |         condition:
293 |                 $magic at 0 and not $reg0 and not $reg1
294 | }
295 | 
296 | rule multiple_versions : PDF
297 | {
298 | 	meta:
299 | 		author = "Glenn Edwards (@hiddenillusion)"
300 | 		version = "0.1"
301 |         description = "Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed"		
302 | 		weight = 0
303 | 		
304 |         strings:
305 |                 $magic = { 25 50 44 46 }
306 |                 $s0 = "trailer"
307 |                 $s1 = "%%EOF"
308 | 
309 |         condition:
310 |                 $magic at 0 and #s0 > 1 and #s1 > 1
311 | }
312 | 
313 | rule js_wrong_version : PDF
314 | {
315 | 	meta:
316 | 		author = "Glenn Edwards (@hiddenillusion)"
317 | 		description = "JavaScript was introduced in v1.3"
318 | 		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
319 | 		version = "0.1"
320 | 		weight = 2
321 | 		
322 |         strings:
323 |                 $magic = { 25 50 44 46 }
324 | 				$js = /\/JavaScript/
325 | 				$ver = /%PDF-1\.[3-9]/
326 | 
327 |         condition:
328 |                 $magic at 0 and $js and not $ver
329 | }
330 | 
331 | rule JBIG2_wrong_version : PDF
332 | {
333 | 	meta:
334 | 		author = "Glenn Edwards (@hiddenillusion)"
335 | 		description = "JBIG2 was introduced in v1.4"
336 | 		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
337 | 		version = "0.1"
338 | 		weight = 1
339 | 		
340 |         strings:
341 |                 $magic = { 25 50 44 46 }
342 | 				$js = /\/JBIG2Decode/
343 | 				$ver = /%PDF-1\.[4-9]/
344 | 
345 |         condition:
346 |                 $magic at 0 and $js and not $ver
347 | }
348 | 
349 | rule FlateDecode_wrong_version : PDF
350 | {
351 | 	meta:
352 | 		author = "Glenn Edwards (@hiddenillusion)"
353 | 		description = "Flate was introduced in v1.2"
354 | 		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
355 | 		version = "0.1"
356 | 		weight = 1
357 | 		
358 |         strings:
359 |                 $magic = { 25 50 44 46 }
360 | 				$js = /\/FlateDecode/
361 | 				$ver = /%PDF-1\.[2-9]/
362 | 
363 |         condition:
364 |                 $magic at 0 and $js and not $ver
365 | }
366 | 
367 | rule embed_wrong_version : PDF
368 | {
369 | 	meta:
370 | 		author = "Glenn Edwards (@hiddenillusion)"
371 | 		description = "EmbeddedFiles were introduced in v1.3"
372 | 		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
373 | 		version = "0.1"
374 | 		weight = 1
375 | 		
376 |         strings:
377 |                 $magic = { 25 50 44 46 }
378 | 				$embed = /\/EmbeddedFiles/
379 | 				$ver = /%PDF-1\.[3-9]/
380 | 
381 |         condition:
382 |                 $magic at 0 and $embed and not $ver
383 | }
384 | 
385 | rule invalid_xref_numbers : PDF
386 | {
387 |         meta:
388 | 			author = "Glenn Edwards (@hiddenillusion)"
389 | 			version = "0.1"
390 | 			description = "The first entry in a cross-reference table is always free and has a generation number of 65,535"
391 | 			notes = "This can be also be in a stream..."
392 | 			weight = 1
393 | 		
394 |         strings:
395 |                 $magic = { 25 50 44 46 }
396 |                 $reg0 = /xref\r?\n?.*\r?\n?.*65535\sf/
397 |                 $reg1 = /endstream.*?\r?\n?endobj.*?\r?\n?startxref/
398 |         condition:
399 |                 $magic at 0 and not $reg0 and not $reg1
400 | }
401 | 
402 | rule js_splitting : PDF
403 | {
404 |         meta:
405 |                 author = "Glenn Edwards (@hiddenillusion)"
406 |                 version = "0.1"
407 |                 description = "These are commonly used to split up JS code"
408 |                 weight = 2
409 |                 
410 |         strings:
411 |                 $magic = { 25 50 44 46 }
412 | 				$js = /\/JavaScript/
413 |                 $s0 = "getAnnots"
414 |                 $s1 = "getPageNumWords"
415 |                 $s2 = "getPageNthWord"
416 |                 $s3 = "this.info"
417 |                                 
418 |         condition:
419 |                 $magic at 0 and $js and 1 of ($s*)
420 | }
421 | 
422 | rule BlackHole_v2 : PDF
423 | {
424 | 	meta:
425 | 		author = "Glenn Edwards (@hiddenillusion)"
426 | 		version = "0.1"
427 | 		ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html"
428 | 		weight = 3
429 | 		
430 | 	strings:
431 | 		$magic = { 25 50 44 46 }
432 | 		$content = "Index[5 1 7 1 9 4 23 4 50"
433 | 		
434 | 	condition:
435 | 		$magic at 0 and $content
436 | }
437 | 
438 | 
439 | rule XDP_embedded_PDF : PDF
440 | {
441 | 	meta:
442 | 		author = "Glenn Edwards (@hiddenillusion)"
443 | 		version = "0.1"
444 | 		ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
445 |         weight = 1		
446 | 
447 | 	strings:
448 | 		$s1 = "<pdf xmlns="
449 | 		$s2 = "<chunk>"
450 | 		$s3 = "</pdf>"
451 | 		$header0 = "%PDF"
452 | 		$header1 = "JVBERi0"
453 | 
454 | 	condition:
455 | 		all of ($s*) and 1 of ($header*)
456 | }
457 | 


--------------------------------------------------------------------------------
/phoenix_html.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "8395f08f1371eb7b2a2e131b92037f9a"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string1 = "'></applet><body id"
12 | 	$string2 = "<applet mayscript"
13 | 	$string3 = "/gmi,String.fromCharCode(2"
14 | 	$string4 = "/gmi,' ').replace(/"
15 | 	$string5 = "pe;i;;.j1s->c"
16 | 	$string6 = "es4Det"
17 | 	$string7 = "<textarea>function"
18 |         $string8 = ".replace(/"
19 | 	$string9 = ".jar' code"
20 | 	$string10 = ";iFc;ft'b)h{s"
21 | condition:
22 | 	10 of them
23 | }
24 | 


--------------------------------------------------------------------------------
/phoenix_html10.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html10
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "f5f8dceca74a50076070f2593e82ec43"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "pae>crAeahoilL"
12 | 	$string1 = "D11C0002C0069733E60656F6462070D000402DFF200696E"
13 | 	$string2 = "nbte)bbn"
14 | 	$string3 = "v9o16,0')0B80002328203;)82F00223A216ifA160A262A462(a"
15 | 	$string4 = "0442DFD2E30EC80E42D2E00AC3F3D53C9CAEBFF7E1E805080B044057CB1C0EF7F263DC64E0CBE47C2A21E370EE4A"
16 | 	$string5 = ";)npeits0e.uvr;][tvr"
17 | 	$string6 = "433EBE90242003E00C606D04036563435805000102000v020E656wa.i118,0',9F902F282620''C62022646660}{A780232A"
18 | 	$string7 = "350;var ysjzyq"
19 | 	$string8 = "aSmd'lm/t/im.}d.-Ljg,l-"
20 | 	$string9 = "0017687F6164706E6967060002008101'2176045ckb"
21 | 	$string10 = "63(dcma)nenn869"
22 | 	$string11 = "').replace(/"
23 | 	$string12 = "xd'c0lrls09sare"
24 | 	$string13 = "(]t.(7u(<p"
25 | 	$string14 = "d{et;bdBcriYtc:eayF20'F62;23C4AABA3B84FE21C2B0B066C0038B8353AF5C0B4DF8FF43E85FB6F05CEC4080236F3CDE6E"
26 | 	$string15 = "/var another;</textarea>"
27 | 	$string16 = "Fa527496C62eShHmar(bA,pPec"
28 | 	$string17 = "FaA244A676C,150e62A5B2B61,'2F"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/phoenix_html11.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html11
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "be8c81288f9650e205ed13f3167ce256"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "D'0009F0C6941617C43427A76080001000F47020C606volv99,0,6,"
12 | 	$string1 = "';)nWd"
13 | 	$string2 = "IW'eeCn)s.a9e;0CF300FF379011078E047873754163636960496270486264416455747D69737812060209011301010104D0"
14 | 	$string3 = "D8D51F5100019006D60667F2E056940170E01010747"
15 | 	$string4 = "515F2F436WemBh2A4560683aFanoi(utse.o1/f;pistelzi"
16 | 	$string5 = "/p(e/oah)FHw'aaarDsnwi-"
17 | 	$string6 = "COa506u%db10u%1057u%f850u%f500u%0683u%05a8u%0030u%0706u%d300u%585du%38d0u%0080u%5612u'u%A2DdF6u%1M:."
18 | 	$string7 = "S(yt)Dj"
19 | 	$string8 = "FaA26285325,150e8292A6968,'2F"
20 | 	$string9 = "0200e{b<0:D>r5d4u%c005u%0028u%251eu%a095u%6028u%0028u%2500u%f7f7u%70d7u%2025u%9008u%08f8u%c607usu%37"
21 | 	$string10 = "(mEtlltopo{{e"
22 | 	$string11 = "aSmd'lm/t/im.}d.-Ljg,l-"
23 | 	$string12 = "r)C4snfapfuo}"
24 | 	$string13 = "').replace(/"
25 | 	$string14 = "A282A5ifA160F2628206(a"
26 | 	$string15 = "obn0cf"
27 | 	$string16 = "d(i'C)rtr.'pvif)iv1ilW)S((Ltl.)2,0,9;0se"
28 | 	$string17 = "E23s3003476B18703C179396D08B841BC554F11678F0FEB9505FB355E044F33A540F61743738327E32D97D070FA37D87s000"
29 | 	$string18 = "603742E545904575'294E20680,6F902E292A60''E6202A4E6468},e))tep"
30 | condition:
31 | 	18 of them
32 | }
33 | 


--------------------------------------------------------------------------------
/phoenix_html2.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "2fd263f5d988a92715f4146a0006cb31"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "Pec.lilsD)E)i-gonP(mgge.eOmn"
12 | 	$string1 = "(trt;oo"
13 | 	$string2 = "aceeC:0h"
14 | 	$string3 = "Vubb.oec.n)a."
15 | 	$string4 = "t;o{(bspd}ci:0OO[g(cfjdh}1sN}ntnrlt;0pwf{-"
16 | 	$string5 = "seierb)gMle(}ev;is{(b;ga"
17 | 	$string6 = "e)}ift"
18 | 	$string7 = "Dud{rt"
19 | 	$string8 = "blecroeely}diuFI-"
20 | 	$string9 = "ttec]tr"
21 | 	$string10 = "fSgcso"
22 | 	$string11 = "eig.t)eR{t}aeesbdtbl{1sr)m"
23 | 	$string12 = ").}n,Raa.s"
24 | 	$string13 = "sLtfcb.nrf{Wiantscncad1ac)scb0eo]}Diuu(nar"
25 | 	$string14 = "dxc.,:tfr(ucxRn"
26 | 	$string15 = "eDnnforbyri(tbmns).[i.ee;dl(aNimp(l(h[u[ti;u)"
27 | 	$string16 = "}tn)i{ebr,_.ns(Nes,,gm(ar.t"
28 | 	$string17 = "l]it}N(pe3,iaaLds.)lqea:Ps00Hc;[{Euihlc)LiLI"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/phoenix_html3.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html3
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "d7cacbff6438d866998fc8bfee18102d"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "mtfla/,)asaf)'}"
12 | 	$string1 = "72267E7C'A3035CFC415DFAAA834B208D8C230FD303E2EFFE386BE05960C588C6E85650746E690C39F706F97DC74349BA134"
13 | 	$string2 = "N'eiui7F6e617e00F145A002645E527BFF264842F877B2FFC1FE84BCC6A50F0305B5B0C36A019F53674FD4D3736C494BD5C2"
14 | 	$string3 = "lndl}})<>"
15 | 	$string4 = "otodc};b<0:D>r5d4u%c005u%0028u%251eu%a095u%6028u%0028u%2500u%f7f7u%70d7u%2025u%9008u%08f8u%c607usu%3"
16 | 	$string5 = "tuJaboaopb"
17 | 	$string6 = "a(vxf{p'tSowa.i,1NIWm("
18 | 	$string7 = "2004et"
19 | 	$string8 = "2054sttE5356496478"
20 | 	$string9 = "yi%A%%A%%A%%A%Cvld3,5314,004,6211,931,,,011394617,983,1154,5,1,,1,1,13,08,4304,1"
21 | 	$string10 = "0ovel04ervEeieeem)h))B(ihsAE;u%04b8u%1c08u%0e50u%a000u%1010u%4000u%20afu%0006u%2478u%0020u%1065u%210"
22 | 	$string11 = "/gmi,String.fromCharCode(2"
23 | 	$string12 = "ncBcaocta.ye"
24 | 	$string13 = "0201010030004A033102090;na"
25 | 	$string14 = "66u%0(ec'h{iis%%A%%A%%A%%A%frS1,,8187,1,4,11,91516,,61,,10841,1,13,,,11248,01818849,23,,,,791meits0e"
26 | 	$string15 = "D11C0002C0069733E60656F6462070D000402DFF200696E"
27 | 	$string16 = "810p0y98"
28 | 	$string17 = "9,0,e'Fm692E583760"
29 | 	$string18 = "57784234633a)(u"
30 | condition:
31 | 	18 of them
32 | }
33 | 


--------------------------------------------------------------------------------
/phoenix_html4.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html4
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "61fde003211ac83c2884fbecefe1fc80"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "/dr.php"
12 | 	$string1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
13 | 	$string2 = "launchjnlp"
14 | 	$string3 = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"
15 | 	$string4 = "urlmon.dll"
16 | 	$string5 = "<body>"
17 | 	$string6 = " docbase"
18 | 	$string7 = "</html>"
19 | 	$string8 = " classid"
20 | 	$string9 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
21 | 	$string10 = "63AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
22 | 	$string11 = "</object>"
23 | 	$string12 = "application/x-java-applet"
24 | 	$string13 = "java_obj"
25 | condition:
26 | 	13 of them
27 | }
28 | 


--------------------------------------------------------------------------------
/phoenix_html5.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html5
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "30afdca94d301905819e00a7458f4a4e"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "dtesu}"
12 | 	$string1 = "<textarea>function gvgsxoy(gwcqg1){return gwcqg1.replace(/"
13 | 	$string2 = "v}Ahnhxwet"
14 | 	$string3 = "0125C6BBA2B84F7A1D2940C04C8B7449A40EEB0D14C8003535C0042D75E05F0D7F3E0A7B4E33EB4D8D47119290FC"
15 | 	$string4 = "a2Fs2325223869e'Fm2873367130"
16 | 	$string5 = "m0000F0F6E66607C71646F6607000107FA61021F6060(aeWWIN"
17 | 	$string6 = ")(r>hd1/dNasmd(fpas"
18 | 	$string7 = "9,0,e'Fm692E583760"
19 | 	$string8 = "5ud(dis"
20 | 	$string9 = "nacmambuntcmi"
21 | 	$string10 = "Fa078597467,1C0e674366871,'2F"
22 | 	$string11 = "Fa56F386A76,180e828592024,'2F"
23 | 	$string12 = "alA)(2avoyOi;ic)t6])teptp,an}tnv0i'fms<uic"
24 | 	$string13 = "iR'nandee"
25 | 	$string14 = "('0.aEa-9leal"
26 | 	$string15 = "bsD0seF"
27 | 	$string16 = "t.ck263/6F3a001CE7A2684067F98BEC18B738801EF1F7F7E49A088695050C000865FC38080FE23727E0E8DE9CB53E748472"
28 | condition:
29 | 	16 of them
30 | }
31 | 


--------------------------------------------------------------------------------
/phoenix_html6.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html6
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "4aabb710cf04240d26c13dd2b0ccd6cc"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "F4B6B2E67)A780A373A633;ast2316363677fa'es6F3635244"
12 | 	$string1 = "piia.a}rneecc.cnuoir"
13 | 	$string2 = "0448D5A54BE10A5DA628100AC3F3D53C9CAEBFF7E1E805080B044057CB1C0EF7F263DC64E0CBE47C2A21E55E9EA620000106"
14 | 	$string3 = "],enEn..o"
15 | 	$string4 = "o;1()sna"
16 | 	$string5 = "(eres(0.,"
17 | 	$string6 = "}fs2he}o.t"
18 | 	$string7 = "f'u>jisch3;)Ie)C'eO"
19 | 	$string8 = "refhiacei"
20 | 	$string9 = "0026632528(sCE7A2684067F98BEC1s00000F512Fm286631666"
21 | 	$string10 = "vev%80b4u%ee18u%28b8u%2617u%5c08u%0e50u%a000u%9006u%76efu%b1cbu%ba2fu%6850u%0524u%9720u%f70<}1msa950"
22 | 	$string11 = "pdu,xziien,ie"
23 | 	$string12 = "rr)l;.)vr.nbl"
24 | 	$string13 = "ii)ruccs)1e"
25 | 	$string14 = "F30476737930anD<tAhnhxwet"
26 | 	$string15 = ")yf{(ee..erneef"
27 | 	$string16 = "ieiiXuMkCSwetEet"
28 | 	$string17 = "F308477E7A7itme"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/phoenix_html7.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html7
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "f0e1b391ec3ce515fd617648bec11681"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "EBF0a0001B05D266503046C7A491A0C00044F0002035D0D0twl''WIN"
12 | 	$string1 = "ah80672528657"
13 | 	$string2 = "n);tctt)Eltc(Dj"
14 | 	$string3 = ";cnt2<tEf"
15 | 	$string4 = "iwkne){bvfvgzg5"
16 | 	$string5 = "..'an{ea-Ect'8-huJ.)/l'/tCaaa}<Ct95l"
17 | 	$string6 = "'WIWhaFtF662F6577IseFe427347637"
18 | 	$string7 = "ddTh75e{"
19 | 	$string8 = "Ae'n,,9"
20 | 	$string9 = "%E7E3Vemtyi"
21 | 	$string10 = "cf'treran"
22 | 	$string11 = "ncBcaocta.ye"
23 | 	$string12 = ")'0,p8k"
24 | 	$string13 = "0;{tc4F}c;eptdpduoCuuedPl80evD"
25 | 	$string14 = "iq,q,Nd(nccfr'Bearc'nBtpw"
26 | 	$string15 = ";)npeits0e.uvhF$I'"
27 | 	$string16 = "nvasai0.-"
28 | 	$string17 = "lmzv'is'"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/phoenix_html8.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html8
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "1c19a863fc4f8b13c0c7eb5e231bc3d1"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "0x5)).replace(/"
12 | 	$string1 = "%A%%A%%nc(,145,9,84037,1711,,4121,56,1,,0505,,651,,3,514101,01,29,7868,90"
13 | 	$string2 = "/gmi,String.fromCharCode(2"
14 | 	$string3 = "turt;oo)s"
15 | 	$string4 = "91;var jtdpar"
16 | 	$string5 = "R(,13,7,63,48140601,5057,,319,,6,1,1,2,,110,0,1011171,2319,,,,10vEAs)tfmneyeh%A%%A%%A%%A%s<u91,4693,"
17 | 	$string6 = "y%%A%%A%%A%%A.meo21117,7,1,,10,1,9,8,1,9,100,6,141003,74181,163,441114,43,207,,remc'ut"
18 | 	$string7 = "epjtjqe){jtdpar"
19 | 	$string8 = "/gmi,'"
20 | 	$string9 = "<font></font><body id"
21 | 	$string10 = " epjtjqe; fqczi > 0; fqczi--){for (bwjmgl7 "
22 | 	$string11 = "nbte)bb(egs%A%%A%%A%%A%%m"
23 | 	$string12 = "fvC9614165,,,1,1801151030,,0,,487641114,,1,141,914810036,,888,201te.)'etdc:ysaA%%A%%A%%A%%5sao,61,0,"
24 | 	$string13 = "(tiAmrd{/tnA%%A%%A%%A%%Aiin11,,1637,34191,626958314,11007,,61145,411,7,9,1821,,43,8311,26;d'ebt.dyvs"
25 | 	$string14 = "A%%A%%A%%Ao"
26 | 	$string15 = "hrksywd(cpkwisk4);/"
27 | 	$string16 = ";</script>"
28 | condition:
29 | 	16 of them
30 | }
31 | 


--------------------------------------------------------------------------------
/phoenix_html9.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_html9
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "742d012b9df0c27ed6ccf3b234db20db"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "tute)bbr:"
12 | 	$string1 = "nfho(tghRx"
13 | 	$string2 = "()irfE/Rt..cOcC"
14 | 	$string3 = "NcEnevbf"
15 | 	$string4 = "63FB8B4296BBC290A0.'0000079'Fh20216B6A6arA;<"
16 | 	$string5 = "wHe(cLnyeyet(a.i,r.{.."
17 | 	$string6 = "tute)bbdfiiix'bcr"
18 | 	$string7 = "itifdf)d1L2f'asau%d004u%8e00u%0419u%a58du%2093u%ec10u%0050u%00d4u%4622u%bcd1u%b1ceu%5000u%f7f5u%5606"
19 | 	$string8 = "2F4693529783'82F076676C38'te"
20 | 	$string9 = "sm(teoeoi)cfh))pihnipeeeo}.,(.(("
21 | 	$string10 = "ao)ntavlll{))ynlcoix}hiN.il'tes1ad)bm;"
22 | 	$string11 = "i)}m0f(eClei(/te"
23 | 	$string12 = "}aetsc"
24 | 	$string13 = "irefnig.pT"
25 | 	$string14 = "a0mrIif/tbne,(wsk,"
26 | 	$string15 = "500F14B06000000630E6B72636F60632C6E711C6E762E646F147F44767F650A0804061901020009006B120005A2006L"
27 | 	$string16 = ".hB.Csf)ddeSs"
28 | 	$string17 = "tnne,IPd4Le"
29 | 	$string18 = "hMdarc'nBtpw"
30 | condition:
31 | 	18 of them
32 | }
33 | 


--------------------------------------------------------------------------------
/phoenix_jar.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_jar
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "a8a18219b02d30f44799415ff19c518e"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "r.JM,IM"
12 | 	$string1 = "qX$8$a"
13 | 	$string2 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProvider5"
14 | 	$string3 = "a.classPK"
15 | 	$string4 = "6;\\Q]Q"
16 | 	$string5 = "h[s] X"
17 | 	$string6 = "ToolsDemoSubClass.classPK"
18 | 	$string7 = "a.class"
19 | 	$string8 = "META-INF/MANIFEST.MFPK"
20 | 	$string9 = "ToolsDemoSubClass.classeO"
21 | 	$string10 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProviderPK"
22 | condition:
23 | 	10 of them
24 | }
25 | 


--------------------------------------------------------------------------------
/phoenix_jar2.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_jar2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "989c5b5eaddf48010e62343d7a4db6f4"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "a66d578f084.classeQ"
12 | 	$string1 = "a4cb9b1a8a5.class"
13 | 	$string2 = ")szNu\\MutK"
14 | 	$string3 = "qCCwBU"
15 | 	$string4 = "META-INF/MANIFEST.MF"
16 | 	$string5 = "QR,GOX"
17 | 	$string6 = "ab5601d4848.classmT"
18 | 	$string7 = "a6a7a760c0e["
19 | 	$string8 = "2ZUK[L"
20 | 	$string9 = "2VT(Au5"
21 | 	$string10 = "a6a7a760c0ePK"
22 | 	$string11 = "aa79d1019d8.class"
23 | 	$string12 = "aa79d1019d8.classPK"
24 | 	$string13 = "META-INF/MANIFEST.MFPK"
25 | 	$string14 = "ab5601d4848.classPK"
26 | condition:
27 | 	14 of them
28 | }
29 | 


--------------------------------------------------------------------------------
/phoenix_jar3.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_jar3
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "c5655c496949f8071e41ea9ac011cab2"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "'> >$>"
12 | 	$string1 = "bpac/PK"
13 | 	$string2 = "bpac/purok$1.classmP]K"
14 | 	$string3 = "bpac/KAVS.classmQ"
15 | 	$string4 = "'n n$n"
16 | 	$string5 = "bpac/purok$1.classPK"
17 | 	$string6 = "$.4aX,Gt<"
18 | 	$string7 = "bpac/KAVS.classPK"
19 | 	$string8 = "bpac/b.classPK"
20 | 	$string9 = "bpac/b.class"
21 | condition:
22 | 	9 of them
23 | }
24 | 


--------------------------------------------------------------------------------
/phoenix_pdf.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_pdf
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "16de68e66cab08d642a669bf377368da"
 8 | 	hash1 = "bab281fe0cf3a16a396550b15d9167d5"
 9 | 	sample_filetype = "pdf"
10 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
11 | strings:
12 | 	$string0 = "0000000254 00000 n"
13 | 	$string1 = "0000000295 00000 n"
14 | 	$string2 = "trailer<</Root 1 0 R /Size 7>>"
15 | 	$string3 = "0000000000 65535 f"
16 | 	$string4 = "3 0 obj<</JavaScript 5 0 R >>endobj"
17 | 	$string5 = "0000000120 00000 n"
18 | 	$string6 = "%PDF-1.0"
19 | 	$string7 = "startxref"
20 | 	$string8 = "0000000068 00000 n"
21 | 	$string9 = "endobjxref"
22 | 	$string10 = ")6 0 R ]>>endobj"
23 | 	$string11 = "0000000010 00000 n"
24 | condition:
25 | 	11 of them
26 | }
27 | 


--------------------------------------------------------------------------------
/phoenix_pdf2.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_pdf2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "33cb6c67f58609aa853e80f718ab106a"
 8 | 	sample_filetype = "pdf"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "\\nQb<%"
12 | 	$string1 = "0000000254 00000 n"
13 | 	$string2 = ":S3>v0$EF"
14 | 	$string3 = "trailer<</Root 1 0 R /Size 7>>"
15 | 	$string4 = "%PDF-1.0"
16 | 	$string5 = "0000000000 65535 f"
17 | 	$string6 = "endstream"
18 | 	$string7 = "0000000010 00000 n"
19 | 	$string8 = "6 0 obj<</JS 7 0 R/S/JavaScript>>endobj"
20 | 	$string9 = "3 0 obj<</JavaScript 5 0 R >>endobj"
21 | 	$string10 = "}pr2IE"
22 | 	$string11 = "0000000157 00000 n"
23 | 	$string12 = "1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj"
24 | 	$string13 = "5 0 obj<</Names[("
25 | condition:
26 | 	13 of them
27 | }
28 | 


--------------------------------------------------------------------------------
/phoenix_pdf3.yar:
--------------------------------------------------------------------------------
 1 | rule phoenix_pdf3
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Phoenix Exploit Kit Detection"
 7 | 	hash0 = "bab281fe0cf3a16a396550b15d9167d5"
 8 | 	sample_filetype = "pdf"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "trailer<</Root 1 0 R /Size 7>>"
12 | 	$string1 = "stream"
13 | 	$string2 = ";_oI5z"
14 | 	$string3 = "0000000010 00000 n"
15 | 	$string4 = "3 0 obj<</JavaScript 5 0 R >>endobj"
16 | 	$string5 = "7 0 obj<</Filter[ /FlateDecode /ASCIIHexDecode /ASCII85Decode ]/Length 3324>>"
17 | 	$string6 = "endobjxref"
18 | 	$string7 = "L%}gE("
19 | 	$string8 = "0000000157 00000 n"
20 | 	$string9 = "1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj"
21 | 	$string10 = "0000000120 00000 n"
22 | 	$string11 = "4 0 obj<</Type/Page/Parent 2 0 R /Contents 12 0 R>>endobj"
23 | condition:
24 | 	11 of them
25 | }
26 | 


--------------------------------------------------------------------------------
/redkit_bin_basic.yar:
--------------------------------------------------------------------------------
1 | rule redkit_bin_basic : exploit_kit
2 | {
3 |     strings:
4 |         $a = /\/\d{2}.html\s/
5 |     condition:
6 |         $a
7 | }


--------------------------------------------------------------------------------
/sakura_jar.yar:
--------------------------------------------------------------------------------
 1 | rule sakura_jar
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Sakura Exploit Kit Detection"
 7 | 	hash0 = "a566ba2e3f260c90e01366e8b0d724eb"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "Rotok.classPK"
12 | 	$string1 = "nnnolg"
13 | 	$string2 = "X$Z'\\4^=aEbIdUmiprsxt}v<" wide
14 | 	$string3 = "()Ljava/util/Set;"
15 | 	$string4 = "(Ljava/lang/String;)V"
16 | 	$string5 = "Ljava/lang/Exception;"
17 | 	$string6 = "oooy32"
18 | 	$string7 = "Too.java"
19 | 	$string8 = "bbfwkd"
20 | 	$string9 = "Ljava/lang/Process;"
21 | 	$string10 = "getParameter"
22 | 	$string11 = "length"
23 | 	$string12 = "Simio.java"
24 | 	$string13 = "Ljavax/swing/JList;"
25 | 	$string14 = "-(Ljava/lang/String;)Ljava/lang/StringBuilder;"
26 | 	$string15 = "Ljava/io/InputStream;"
27 | 	$string16 = "vfnnnrof.exnnnroe"
28 | 	$string17 = "Olsnnfw"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/sakura_jar2.yar:
--------------------------------------------------------------------------------
 1 | rule sakura_jar2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Sakura Exploit Kit Detection"
 7 | 	hash0 = "d21b4e2056e5ef9f9432302f445bcbe1"
 8 | 	sample_filetype = "unknown"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "getProperty"
12 | 	$string1 = "java/io/FileNotFoundException"
13 | 	$string2 = "LLolp;"
14 | 	$string3 = "cjhgreshhnuf "
15 | 	$string4 = "StackMapTable"
16 | 	$string5 = "onfwwa"
17 | 	$string6 = "(C)Ljava/lang/StringBuilder;"
18 | 	$string7 = "replace"
19 | 	$string8 = "LEsia$fffgss;"
20 | 	$string9 = "<clinit>"
21 | 	$string10 = "()Ljava/io/InputStream;"
22 | 	$string11 = "openConnection"
23 | 	$string12 = " gjhgreshhnijhgreshhrtSjhgreshhot.sjhgreshhihjhgreshht;)"
24 | 	$string13 = "Oi.class"
25 | 	$string14 = " rjhgreshhorjhgreshhre rajhgreshhv"
26 | 	$string15 = "java/lang/String"
27 | 	$string16 = "java/net/URL"
28 | 	$string17 = "Created-By: 1.7.0-b147 (Oracle Corporation)"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/zeroaccess_css.yar:
--------------------------------------------------------------------------------
 1 | rule zeroaccess_css
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "ZeroAccess Exploit Kit Detection"
 7 | 	hash0 = "4944324bad3b020618444ee131dce3d0"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "close-mail{right:130px "
12 | 	$string1 = "ccc;box-shadow:0 0 5px 1px "
13 | 	$string2 = "757575;border-bottom:1px solid "
14 | 	$string3 = "777;height:1.8em;line-height:1.9em;display:block;float:left;padding:1px 15px;margin:0;text-shadow:-1"
15 | 	$string4 = "C4C4C4;}"
16 | 	$string5 = "999;-webkit-box-shadow:0 0 3px "
17 | 	$string6 = "header div.service-links ul{display:inline;margin:10px 0 0;}"
18 | 	$string7 = "t div h2.title{padding:0;margin:0;}.box5-condition-news h2.pane-title{display:block;margin:0 0 9px;p"
19 | 	$string8 = "footer div.comp-info p{color:"
20 | 	$string9 = "pcmi-listing-center .full-page-listing{width:490px;}"
21 | 	$string10 = "pcmi-content-top .photo img,"
22 | 	$string11 = "333;}div.tfw-header a var{display:inline-block;margin:0;line-height:20px;height:20px;width:120px;bac"
23 | 	$string12 = "ay:none;text-decoration:none;outline:none;padding:4px;text-align:center;font-size:9px;color:"
24 | 	$string13 = "333;}body.page-videoplayer div"
25 | 	$string14 = "373737;position:relative;}body.node-type-video div"
26 | 	$string15 = "pcmi-content-sidebara,.page-error-page "
27 | 	$string16 = "fff;text-decoration:none;}"
28 | 	$string17 = "qtabs-list li a,"
29 | 	$string18 = "cdn2.dailyrx.com"
30 | condition:
31 | 	18 of them
32 | }
33 | 


--------------------------------------------------------------------------------
/zeroaccess_css2.yar:
--------------------------------------------------------------------------------
 1 | rule zeroaccess_css2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "ZeroAccess Exploit Kit Detection"
 7 | 	hash0 = "e300d6a36b9bfc3389f64021e78b1503"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "er div.panel-hide{display:block;position:absolute;z-index:200;margin-top:-1.5em;}div.panel-pane div."
12 | 	$string1 = "ve.gif) right center no-repeat;}div.ctools-ajaxing{float:left;width:18px;background:url(http://cdn3."
13 | 	$string2 = "cdn2.dailyrx.com"
14 | 	$string3 = "efefef;margin:5px 0 5px 0;}"
15 | 	$string4 = "node{margin:0;padding:0;}div.panel-pane div.feed a{float:right;}"
16 | 	$string5 = ":0 5px 0 0;float:left;}div.tweets-pulled-listing div.tweet-authorphoto img{max-height:40px;max-width"
17 | 	$string6 = "i a{color:"
18 | 	$string7 = ":bold;}div.tweets-pulled-listing .tweet-time a{color:silver;}div.tweets-pulled-listing  div.tweet-di"
19 | 	$string8 = "div.panel-pane div.admin-links{font-size:xx-small;margin-right:1em;}div.panel-pane div.admin-links l"
20 | 	$string9 = "div.tweets-pulled-listing ul{list-style:none;}div.tweets-pulled-listing div.tweet-authorphoto{margin"
21 | 	$string10 = "FFFFDD none repeat scroll 0 0;border:1px solid "
22 | 	$string11 = "vider{clear:left;border-bottom:1px solid "
23 | condition:
24 | 	11 of them
25 | }
26 | 


--------------------------------------------------------------------------------
/zeroaccess_htm.yar:
--------------------------------------------------------------------------------
 1 | rule zeroaccess_htm
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "ZeroAccess Exploit Kit Detection"
 7 | 	hash0 = "0e7d72749b60c8f05d4ff40da7e0e937"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "screen.height:"
12 | 	$string1 = "</script></head><body onload"
13 | 	$string2 = "Fx0ZAQRKXUVgbh0qNDRJVxYwGg4tGh8aHQoAVQQSNyo0NElXFjAaDi0NFQYESl1FBBNnTFoSPiBmADwnPTQxPSdKWUUEE2UcGR0z"
14 | 	$string3 = "0);-10<b"
15 | 	$string4 = "function fl(){var a"
16 | 	$string5 = "0);else if(navigator.mimeTypes"
17 | 	$string6 = ");b.href"
18 | 	$string7 = "/presults.jsp"
19 | 	$string8 = "128.164.107.221"
20 | 	$string9 = ")[0].clientWidth"
21 | 	$string10 = "presults.jsp"
22 | 	$string11 = ":escape(c),e"
23 | 	$string12 = "navigator.plugins.length)navigator.plugins["
24 | 	$string13 = "window;d"
25 | 	$string14 = "gr(),j"
26 | 	$string15 = "VIEWPORT"
27 | 	$string16 = "FQV2D0ZAH1VGDxgZVg9COwYCAwkcTzAcBxscBFoKAAMHUFVuWF5EVVYVdVtUR18bA1QdAU8HQjgeUFYeAEZ4SBEcEk1FTxsdUlVA"
28 | condition:
29 | 	16 of them
30 | }
31 | 


--------------------------------------------------------------------------------
/zeroaccess_js.yar:
--------------------------------------------------------------------------------
 1 | rule zeroaccess_js
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "ZeroAccess Exploit Kit Detection"
 7 | 	hash0 = "a9f30483a197cfdc65b4a70b8eb738ab"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "Square ad tag  (tile"
12 | 	$string1 = "  adRandNum "
13 | 	$string2 = " cellspacing"
14 | 	$string3 = "\\n//-->\\n</script>"
15 | 	$string4 = "format"
16 | 	$string5 = "//-->' "
17 | 	$string6 = "2287974446"
18 | 	$string7 = "NoScrBeg "
19 | 	$string8 = "-- start adblade -->' "
20 | 	$string9 = "3427054556"
21 | 	$string10 = "        while (i >"
22 | 	$string11 = "return '<table width"
23 | 	$string12 = "</scr' "
24 | 	$string13 = " s.substring(0, i"
25 | 	$string14 = " /></a></noscript>' "
26 | 	$string15 = "    else { isEmail "
27 | 	$string16 = ").submit();"
28 | 	$string17 = " border"
29 | 	$string18 = "pub-8301011321395982"
30 | condition:
31 | 	18 of them
32 | }
33 | 


--------------------------------------------------------------------------------
/zeroaccess_js2.yar:
--------------------------------------------------------------------------------
 1 | rule zeroaccess_js2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "ZeroAccess Exploit Kit Detection"
 7 | 	hash0 = "b5fda04856b98c254d33548cc1c1216c"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "ApiClientConfig"
12 | 	$string1 = "function/.test(pa.toString())"
13 | 	$string2 = "background-image:url(http:\\/\\/static.ak.fbcdn.net\\/rsrc.php\\/v2\\/y6\\/x\\/s816eWC-2sl.gif)}"
14 | 	$string3 = "Music.init"
15 | 	$string4 = "',header:'bool',recommendations:'bool',site:'hostname'},create_event_button:{},degrees:{href:'url'},"
16 | 	$string5 = "cca6477272fc5cb805f85a84f20fca1d"
17 | 	$string6 = "document.createElement('form');c.action"
18 | 	$string7 = "javascript:false"
19 | 	$string8 = "s.onMessage){j.error('An instance without whenReady or onMessage makes no sense');throw new Error('A"
20 | 	$string9 = "NaN;}else h"
21 | 	$string10 = "sprintf"
22 | 	$string11 = "window,j"
23 | 	$string12 = "o.getUserID(),da"
24 | 	$string13 = "FB.Runtime.getLoginStatus();if(b"
25 | 	$string14 = ")');k.toString"
26 | 	$string15 = "rovide('XFBML.Send',{Dimensions:{width:80,height:25}});"
27 | 	$string16 = "{log:i};e.exports"
28 | 	$string17 = "a;FB.api('/fql','GET',f,function(g){if(g.error){ES5(ES5('Object','keys',false,b),'forEach',true,func"
29 | 	$string18 = "true;}}var ia"
30 | condition:
31 | 	18 of them
32 | }
33 | 


--------------------------------------------------------------------------------
/zeroaccess_js3.yar:
--------------------------------------------------------------------------------
 1 | rule zeroaccess_js3
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "ZeroAccess Exploit Kit Detection"
 7 | 	hash0 = "5f13fdfb53a3e60e93d7d1d7bbecff4f"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "document.createDocumentFragment();img.src"
12 | 	$string1 = "typeOf(events)"
13 | 	$string2 = "var i,x,y,ARRcookies"
14 | 	$string3 = "callbacks.length;j<l;j"
15 | 	$string4 = "encodeURIComponent(value);if(options.domain)value"
16 | 	$string5 = "event,HG.components.get('windowEvent_'"
17 | 	$string6 = "'read'in Cookie){return Cookie.read(c_name);}"
18 | 	$string7 = "item;},get:function(name,def){return HG.components.exists(name)"
19 | 	$string8 = "){window.addEvent(windowEvents[i],function(){var callbacks"
20 | 	$string9 = "reunload:function(callback){HG.events.add('beforeunload',callback);},add:function(event,callback){HG"
21 | 	$string10 = "name){if(HG.components.exists(name)){delete HG.componentList[name];}}},util:{uuid:function(){return'"
22 | 	$string11 = "window.HG"
23 | 	$string12 = "x.replace(/"
24 | 	$string13 = "encodeURIComponent(this.attr[key]));}"
25 | 	$string14 = "options.domain;if(options.path)value"
26 | 	$string15 = "this.page_sid;this.attr.user_sid"
27 | condition:
28 | 	15 of them
29 | }
30 | 


--------------------------------------------------------------------------------
/zeroaccess_js4.yar:
--------------------------------------------------------------------------------
 1 | rule zeroaccess_js4
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-27"
 6 | 	description = "ZeroAccess Exploit Kit Detection"
 7 | 	hash0 = "268ae96254e423e9d670ebe172d1a444"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = ").join("
12 | 	$string1 = "JSON.stringify:function(o){if(o"
13 | 	$string2 = "){try{var a"
14 | 	$string3 = ");return $.jqotecache[i]"
15 | 	$string4 = "o.getUTCFullYear(),hours"
16 | 	$string5 = "seconds"
17 | 	$string6 = "')');};$.secureEvalJSON"
18 | 	$string7 = "isFinite(n);},secondsToTime:function(sec_numb){sec_numb"
19 | 	$string8 = "')');}else{throw new SyntaxError('Error parsing JSON, source is not valid.');}};$.quoteString"
20 | 	$string9 = "o[name];var ret"
21 | 	$string10 = "a[m].substr(2)"
22 | 	$string11 = ");if(d){return true;}}}catch(e){return false;}}"
23 | 	$string12 = "a.length;m<k;m"
24 | 	$string13 = "if(parentClasses.length"
25 | 	$string14 = "o.getUTCHours(),minutes"
26 | 	$string15 = "$.jqote(e,d,t),$$"
27 | 	$string16 = "q.test(x)){e"
28 | 	$string17 = "{};HGWidget.creator"
29 | condition:
30 | 	17 of them
31 | }
32 | 


--------------------------------------------------------------------------------
/zerox88_js2.yar:
--------------------------------------------------------------------------------
 1 | rule zerox88_js2
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "0x88 Exploit Kit Detection"
 7 | 	hash0 = "cad8b652338f5e3bc93069c8aa329301"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "function gSH() {"
12 | 	$string1 = "200 HEIGHT"
13 | 	$string2 = "'sh.js'><\\/SCRIPT>"
14 | 	$string3 = " 2 - 26;"
15 | 	$string4 = "<IFRAME ID"
16 | 	$string5 = ",100);"
17 | 	$string6 = "200></IFRAME>"
18 | 	$string7 = "setTimeout("
19 | 	$string8 = "'about:blank' WIDTH"
20 | 	$string9 = "mf.document.write("
21 | 	$string10 = "document.write("
22 | 	$string11 = "Kasper "
23 | condition:
24 | 	11 of them
25 | }
26 | 


--------------------------------------------------------------------------------
/zerox88_js3.yar:
--------------------------------------------------------------------------------
 1 | rule zerox88_js3
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "0x88 Exploit Kit Detection"
 7 | 	hash0 = "9df0ac2fa92e602ec11bac53555e2d82"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = " new ActiveXObject(szHTTP); "
12 | 	$string1 = " Csa2;"
13 | 	$string2 = "var ADO "
14 | 	$string3 = " new ActiveXObject(szOx88);"
15 | 	$string4 = " unescape("
16 | 	$string5 = "/test.exe"
17 | 	$string6 = " szEtYij;"
18 | 	$string7 = "var HTTP "
19 | 	$string8 = "%41%44%4F%44%42%2E"
20 | 	$string9 = "%4D%65%64%69%61"
21 | 	$string10 = "var szSRjq"
22 | 	$string11 = "%43%3A%5C%5C%50%72%6F%67%72%61%6D"
23 | 	$string12 = "var METHOD "
24 | 	$string13 = "ADO.Mode "
25 | 	$string14 = "%61%79%65%72"
26 | 	$string15 = "%2E%58%4D%4C%48%54%54%50"
27 | 	$string16 = " 7 - 6; HTTP.Open(METHOD, szURL, i-3); "
28 | condition:
29 | 	16 of them
30 | }
31 | 


--------------------------------------------------------------------------------
/zeus_js.yar:
--------------------------------------------------------------------------------
 1 | rule zeus_js
 2 | {
 3 | meta:
 4 | 	author = "Josh Berry"
 5 | 	date = "2016-06-26"
 6 | 	description = "Zeus Exploit Kit Detection"
 7 | 	hash0 = "c87ac7a25168df49a64564afb04dc961"
 8 | 	sample_filetype = "js-html"
 9 | 	yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
10 | strings:
11 | 	$string0 = "var jsmLastMenu "
12 | 	$string1 = "position:absolute; z-index:99' "
13 | 	$string2 = " -1)jsmSetDisplayStyle('popupmenu' "
14 | 	$string3 = " '<tr><td><a href"
15 | 	$string4 = "  jsmLastMenu "
16 | 	$string5 = "  var ids "
17 | 	$string6 = "this.target"
18 | 	$string7 = " jsmPrevMenu, 'none');"
19 | 	$string8 = "  if(jsmPrevMenu "
20 | 	$string9 = ")if(MenuData[i])"
21 | 	$string10 = " '<div style"
22 | 	$string11 = "popupmenu"
23 | 	$string12 = "  jsmSetDisplayStyle('popupmenu' "
24 | 	$string13 = "function jsmHideLastMenu()"
25 | 	$string14 = " MenuData.length; i"
26 | condition:
27 | 	14 of them
28 | }
29 | 


--------------------------------------------------------------------------------