├── .gitignore ├── README.md ├── cuckoomon_hardened ├── cuckoomon.dll └── cuckoomon_vbox_hardened.patch ├── malware_analysis ├── APT_NGO_wuaclt │ ├── OpenIOC │ │ └── 3433dad8-879e-40d9-98b3-92ddc75f0dcd.ioc │ ├── snort │ │ └── apt-wuactl.rules │ └── yara │ │ ├── APT_NGO_wuaclt.yar │ │ └── APT_NGO_wuaclt_PDF.yar ├── Batchwiper │ └── 548cfc54-42b9-48c6-a753-02e74246699b.ioc ├── CFR │ └── 41bd34a6-dff3-435b-8a98-6ec7ab0d222b.ioc ├── CommentCrew │ └── apt1.yara ├── FPU │ └── fpu.yar ├── Georbot │ ├── GeorBotBinary.yara │ ├── GeorBotMemory.yara │ ├── georbot.ioc │ └── snort_georbot.rules ├── Hangover │ └── hangover.yar ├── OSX_Leverage │ ├── leverage.yar │ └── snort_leverage.rules ├── RedOctober │ └── 48290d24-834c-4097-abc5-4f22d3bd8f3c.ioc ├── Sykipot │ └── snort │ │ └── sykipot.rules └── Urausy │ └── urausy_skypedat.yar ├── malware_rulesets └── yara │ ├── avdetect.yar │ ├── dbgdetect.yar │ ├── index.yar │ ├── sandboxdetect.yar │ └── vmdetect.yar ├── peid2yar ├── README.md ├── aux │ ├── pefile_test_sigs.py │ └── peid_sigs_sanitizer.py ├── dbs │ ├── UserDB.TXT │ ├── epcompilersigs.peid │ ├── eppackersigs.peid │ ├── userdb_exeinfope.txt │ ├── userdb_jclausing.txt │ └── userdb_panda.txt ├── outputs │ ├── UserDB.yar │ ├── epcompilersigs.yar │ ├── eppackersigs.yar │ ├── userdb_exeinfope.yar │ ├── userdb_jclausing.yar │ └── userdb_panda.yar └── peid2yar.py ├── tools └── disaep.py ├── urlquery-chrome ├── README.md ├── main.css ├── manifest.json ├── options.html ├── options.js └── urlquery.js └── yarad ├── README.md ├── pyarad ├── pyarad.py ├── stress_test.py ├── stress_test_inet.py ├── test_scan.py └── test_scan_inet.py └── yarad ├── fingerprints ├── flash.yar └── index.yar ├── unpack.py ├── yarad.cfg └── yarad.py /.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | -------------------------------------------------------------------------------- /README.md: 
-------------------------------------------------------------------------------- 1 | # AlienVault Labs 2 | ## git repository 3 | 4 | WARNING! This repository is deprecated, clone the new one! [https://github.com/AlienVault-Labs/AlienVaultLabs](https://github.com/AlienVault-Labs/AlienVaultLabs) 5 | 6 | Alienvault Labs Projects Random Stuff 7 | 8 | [http://labs.alienvault.com/labs/](http://labs.alienvault.com/labs/) 9 | -------------------------------------------------------------------------------- /cuckoomon_hardened/cuckoomon.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaimeblasco/AlienvaultLabs/7613be50c50693d785017ce037879bd3eeacb9b2/cuckoomon_hardened/cuckoomon.dll -------------------------------------------------------------------------------- /cuckoomon_hardened/cuckoomon_vbox_hardened.patch: -------------------------------------------------------------------------------- 1 | diff --git a/cuckoomon.c b/cuckoomon.c 2 | index bdc0cd9..6161e51 100644 3 | --- a/cuckoomon.c 4 | +++ b/cuckoomon.c 5 | @@ -55,6 +55,8 @@ static hook_t g_hooks[] = { 6 | HOOK(ntdll, NtOpenFile), 7 | HOOK(ntdll, NtReadFile), 8 | HOOK(ntdll, NtWriteFile), 9 | + HOOK(kernel32, GetFileAttributesA), 10 | + HOOK(kernel32, GetFileAttributesExA), 11 | 12 | // lowest variant of MoveFile() 13 | HOOK(kernel32, MoveFileWithProgressW), 14 | diff --git a/hook_file.c b/hook_file.c 15 | index 9323eb6..89b1ae6 100644 16 | --- a/hook_file.c 17 | +++ b/hook_file.c 18 | @@ -18,6 +18,7 @@ along with this program. If not, see . 19 | 20 | #include 21 | #include 22 | +#include 23 | #include "hooking.h" 24 | #include "ntapi.h" 25 | #include "log.h" 26 | 
@@ -185,3 +186,38 @@ HOOKDEF(BOOL, WINAPI, CreateDirectoryExW, 27 | LOQ("u", "DirectoryName", lpNewDirectory); 28 | return ret; 29 | } 30 | + 31 | +/* Hardened */ 32 | +HOOKDEF(DWORD, WINAPI, GetFileAttributesA, 33 | + __in LPCTSTR lpFileName 34 | +) { 35 | + BOOL ret; 36 | + if (strstr(lpFileName, "VBox") != NULL) { 37 | + ret = INVALID_FILE_ATTRIBUTES; 38 | + LOQ("s", "Hardening", "Faked GetFileAttributesA return"); 39 | + } 40 | + else { 41 | + ret = Old_GetFileAttributesA(lpFileName); 42 | + } 43 | + LOQ("s", "GetFileAttributesA", lpFileName); 44 | + return ret; 45 | +} 46 | + 47 | +/* Hardened */ 48 | +HOOKDEF(DWORD, WINAPI, GetFileAttributesExA, 49 | + __in LPCTSTR lpFileName, 50 | + __in GET_FILEEX_INFO_LEVELS fInfoLevelId, 51 | + __out LPVOID lpFileInformation 52 | +) { 53 | + BOOL ret; 54 | + if (strstr(lpFileName, "VBox") != NULL) { 55 | + ret = 0; 56 | + LOQ("s", "Hardening", "Faked GetFileAttributesExA return"); 57 | + } 58 | + else { 59 | + ret = Old_GetFileAttributesExA(lpFileName, fInfoLevelId, 60 | + lpFileInformation); 61 | + } 62 | + LOQ("s", "GetFileAttributesExA", lpFileName); 63 | + return ret; 64 | +} 65 | diff --git a/hook_reg.c b/hook_reg.c 66 | index 0752b9c..da5e816 100644 67 | --- a/hook_reg.c 68 | +++ b/hook_reg.c 69 | @@ -18,6 +18,7 @@ along with this program. If not, see . 70 | 71 | #include 72 | #include 73 | +#include 74 | #include "hooking.h" 75 | #include "ntapi.h" 76 | #include "log.h" 77 | @@ -25,6 +26,7 @@ along with this program. If not, see . 78 | static IS_SUCCESS_LONGREG(); 79 | static const char *module_name = "registry"; 80 | 81 | +/* Hardened */ 82 | HOOKDEF(LONG, WINAPI, RegOpenKeyExA, 83 | __in HKEY hKey, 84 | __in_opt LPCTSTR lpSubKey, 85 | 
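Review bot: `BOOL ret;` on patch lines 35 and 53 does not match the DWORD return type the two new hooks are declared with, so INVALID_FILE_ATTRIBUTES is narrowed to -1 and widened again on return; declare `DWORD ret;` in GetFileAttributesA so the sentinel is never converted. For GetFileAttributesExA the Win32 function itself returns BOOL, so its faked `ret = 0;` is right but the hook's DWORD return type (here and in the hooks.h prototype) looks wrong — confirm against the SDK declaration. The filename parameters are typed LPCTSTR yet passed straight to strstr, which only compiles as intended when UNICODE is undefined; `__in LPCSTR lpFileName` states the ANSI contract the hook relies on. The `"VBox"` comparison is case-sensitive while Windows paths are not, which deserves a comment on line 36 so the limitation is a documented choice rather than an oversight.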
@@ -32,8 +34,19 @@ HOOKDEF(LONG, WINAPI, RegOpenKeyExA, 86 | __in REGSAM samDesired, 87 | __out PHKEY phkResult 88 | ) { 89 | - LONG ret = Old_RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired, 90 | - phkResult); 91 | + LONG ret; 92 | + if (strstr(lpSubKey, "VirtualBox") != NULL) { 93 | + ret = 1; 94 | + LOQ("s", "Hardening", "Faked RegOpenKeyExA return"); 95 | + } 96 | + else if (strstr(lpSubKey, "ControlSet") != NULL) { 97 | + ret = 1; 98 | + LOQ("s", "Hardening", "Faked RegOpenKeyExA return"); 99 | + } 100 | + else { 101 | + ret = Old_RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired, 102 | + phkResult); 103 | + } 104 | LOQ("psP", "Registry", hKey, "SubKey", lpSubKey, "Handle", phkResult); 105 | return ret; 106 | } 107 | @@ -216,6 +229,7 @@ HOOKDEF(LONG, WINAPI, RegSetValueExW, 108 | return ret; 109 | } 110 | 111 | +/* Hardened */ 112 | HOOKDEF(LONG, WINAPI, RegQueryValueExA, 113 | __in HKEY hKey, 114 | __in_opt LPCTSTR lpValueName, 115 | 
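Review bot: `strstr(lpSubKey, "VirtualBox")` on patch line 92 dereferences a parameter the signature marks `__in_opt`; callers pass NULL to reopen hKey itself, and the hook then faults where the original call succeeded. Guard both branches, e.g. `if (lpSubKey != NULL && strstr(lpSubKey, "VirtualBox") != NULL) {`; the RegQueryValueExA hook in the later hunk has the same problem with `lpValueName`, which is NULL when a key's default value is queried. `ret = 1;` is ERROR_INVALID_FUNCTION, whereas a missing key yields ERROR_FILE_NOT_FOUND, so `ret = ERROR_FILE_NOT_FOUND;` is both self-documenting and the value callers test for. The `"ControlSet"` branch rejects every open under HKLM\SYSTEM\CurrentControlSet, which benign software does routinely, so it is likely to disrupt normal execution in the sandbox; narrowing it to the specific VirtualBox-related subkeys would keep the hardening targeted.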
@@ -224,8 +238,25 @@ HOOKDEF(LONG, WINAPI, RegQueryValueExA, 116 | __out_opt LPBYTE lpData, 117 | __inout_opt LPDWORD lpcbData 118 | ) { 119 | - LONG ret = Old_RegQueryValueExA(hKey, lpValueName, lpReserved, lpType, 120 | - lpData, lpcbData); 121 | + LONG ret; 122 | + /* HARDWARE\\Description\\System "SystemBiosVersion" */ 123 | + if (strstr(lpValueName, "SystemBiosVersion") != NULL) { 124 | + ret = ERROR_SUCCESS; 125 | + LOQ("s", "Hardening", "Faked RegQueryValueExA return"); 126 | + } 127 | + /* HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 "Identifier" */ 128 | + else if (strstr(lpValueName, "Identifier") != NULL) { 129 | + ret = ERROR_SUCCESS; 130 | + LOQ("s", "Hardening", "Faked RegQueryValueExA return"); 131 | + } 132 | + else if (strstr(lpValueName, "ProductId") != NULL) { 133 | + ret = ERROR_SUCCESS; 134 | + LOQ("s", "Hardening", "Faked RegQueryValueExA return"); 135 | + } 136 | + else { 137 | + ret = Old_RegQueryValueExA(hKey, lpValueName, lpReserved, lpType, 138 | + lpData, lpcbData); 139 | + } 140 | LOQ("psLB", "Handle", hKey, "ValueName", lpValueName, 141 | "Type", lpType, "Buffer", lpcbData, lpData); 142 | return ret; 143 | diff --git a/hooks.h b/hooks.h 144 | index 035f047..e40f190 100644 145 | --- a/hooks.h 146 | +++ b/hooks.h 147 | 
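Review bot: The three faked branches on patch lines 123-135 return ERROR_SUCCESS without writing lpType, lpData or lpcbData, so the caller consumes whatever its buffer already held and the `LOQ("psLB", ...)` on line 140 logs that uninitialized content. Either fill the outputs with a benign value (set *lpType, copy a fixed string into lpData bounded by *lpcbData, update *lpcbData, and honour the `__out_opt`/`__inout_opt` NULL cases) or return an error the caller already handles, `ret = ERROR_FILE_NOT_FOUND;`. `lpValueName` is `__in_opt` and is NULL when the default value is queried, so each `strstr` call needs a NULL guard. The checks match on the value name alone, so `"Identifier"` and `"ProductId"` also intercept queries against unrelated keys; the comments on lines 122 and 127 should state that the key path named there is not actually verified.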
@@ -93,6 +93,16 @@ extern HOOKDEF(BOOL, WINAPI, CreateDirectoryExW, 148 | __in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes 149 | ); 150 | 151 | +extern HOOKDEF(DWORD, WINAPI, GetFileAttributesA, 152 | + __in LPCTSTR lpFileName 153 | +); 154 | + 155 | +extern HOOKDEF(DWORD, WINAPI, GetFileAttributesExA, 156 | + __in LPCTSTR lpFileName, 157 | + __in GET_FILEEX_INFO_LEVELS fInfoLevelId, 158 | + __out LPVOID lpFileInformation 159 | +); 160 | + 161 | // 162 | // Registry Hooks 163 | // 164 | -------------------------------------------------------------------------------- /malware_analysis/APT_NGO_wuaclt/OpenIOC/3433dad8-879e-40d9-98b3-92ddc75f0dcd.ioc: -------------------------------------------------------------------------------- 1 | 2 | 3 | APT NGO WUACLT 4 | This family of malware consists of backdoors that attempt to fetch encoded commands over HTTP. The malware is capable of downloading a file, downloading and executing a file, executing arbitrary shell commands, or sleeping a specified interval. 5 | Mandiant 6 | 2013-02-10T06:11:53 7 | 8 | MINIASP 9 | APT 10 | APT1 11 | Backdoor 12 | 13 | 14 | 15 | 16 | 17 | 6eebee2aebd5194db62cb8230502378c 18 | 19 | 20 | 21 | 620c6a6cff832e35090487680123f52b 22 | 23 | 24 | 25 | 81b03cbcfc4b9d090cd8f5e5da816895 26 | 27 | 28 | 29 | e476e4a24f8b4ff4c8a0b260aa35fc9f 30 | 31 | 32 | 33 | 77fbfed235d6062212a3e43211a5706e 34 | 35 | 36 | 37 | 52509abd1cc7b7fb391b19929e0d99c0 38 | 39 | 40 | 41 | miniasp 42 | unique strings found in most samples in family 43 | 44 | 45 | 46 | http://%s/record.asp?device_t=%s 47 | unique strings found in most samples in family 48 | 49 | 50 | 51 | open internet failed... 
52 | unique strings found in most samples in family 53 | 54 | 55 | 56 | q0nc9w8edaoiuk2mzrfy3xt1p5ls67g4bvhj 57 | unique strings found in most samples in family 58 | 59 | 60 | 61 | 62 | 63 | 28160 64 | 65 | 66 | 67 | 497783 68 | 69 | 70 | 71 | 56320 72 | 73 | 74 | 75 | 76 | 77 | 2011-10-14T08:20:10Z 78 | 79 | 80 | 81 | 2011-10-23T07:42:47Z 82 | 83 | 84 | 85 | 2012-06-04T12:57:35Z 86 | 87 | 88 | 89 | 2012-06-09T13:19:49Z 90 | 91 | 92 | 93 | 94 | 95 | acrord32ram.exe 96 | 97 | 98 | 99 | winword.exe 100 | 101 | 102 | 103 | acrord32.exe 104 | 105 | 106 | 107 | ituneshelper.exe 108 | 109 | 110 | 111 | power_gen_2012.exe 112 | 113 | 114 | 115 | checksum_mismatch 116 | anomaly found in some samples 117 | 118 | 119 | 120 | checksum_is_zero 121 | anomaly found in some samples 122 | 123 | 124 | 125 | contains_eof_data 126 | anomaly found in some samples 127 | 128 | 129 | 130 | 131 | 132 | -------------------------------------------------------------------------------- /malware_analysis/APT_NGO_wuaclt/snort/apt-wuactl.rules: -------------------------------------------------------------------------------- 1 | alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; classtype:bad-unknown; sid:1111111112; rev:1; threshold: type limit, track by_src, count 1, seconds 300; reference:url,http://labs.alienvault.com; ) 2 | alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|09|micorsofts|03|com|00|"; nocase; classtype:bad-unknown; sid:1111111113; rev:1; threshold: type limit, track by_src, count 1, seconds 300; reference:url,http://labs.alienvault.com; ) 3 | alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; classtype:bad-unknown; sid:1111111114; rev:1; threshold: type limit, track by_src, count 1, seconds 300; reference:url,http://labs.alienvault.com; ) 4 | alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT_NGO_wuaclt C2 Check-in"; flow:to_server,established; content:"/news/show.asp?id1="; http_uri; fast_pattern:only; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1"; http_header; reference:url,labs.alienvault.com; sid:1111111115; rev:1;) 5 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT_NGO_wuaclt"; flow:to_server,established; content:"/pics/"; http_uri; content:".asp?id="; http_uri; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SP Q"; http_header; content:"|0d 0a|Cookies|3a 20|"; fast_pattern:only; reference:url,labs.alienvault.com; sid:1111111116; rev:1;) 6 | -------------------------------------------------------------------------------- /malware_analysis/APT_NGO_wuaclt/yara/APT_NGO_wuaclt.yar: -------------------------------------------------------------------------------- 1 | rule APT_NGO_wuaclt 2 | { 3 | strings: 4 | $a = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat" 5 | $b = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 6 | $c = "/news/show.asp?id%d=%d" 7 | 8 | $d = "%%APPDATA%%\\Microsoft\\wuauclt\\" 9 | $e = "0l23kj@nboxu" 10 | 11 | $f = "%%s.asp?id=%%d&Sid=%%d" 12 | $g = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)" 13 | $h = "Cookies: UseID=KGIOODAOOK%%s" 14 | 15 | condition: 16 | ($a and $b and $c) or ($d and $e) or ($f and $g and $h) 17 | } 18 | -------------------------------------------------------------------------------- /malware_analysis/APT_NGO_wuaclt/yara/APT_NGO_wuaclt_PDF.yar: -------------------------------------------------------------------------------- 1 | rule APT_NGO_wuaclt_PDF 2 | { 3 | strings: 4 | $pdf = "%PDF" nocase 5 | $comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 
0A} 6 | 7 | condition: 8 | $pdf at 0 and $comment in (0..200) 9 | } 10 | 11 | 12 | -------------------------------------------------------------------------------- /malware_analysis/Batchwiper/548cfc54-42b9-48c6-a753-02e74246699b.ioc: -------------------------------------------------------------------------------- 1 | 2 | 3 | Batchwiper 4 | http://www.certcc.ir/index.php?name=news&file=article&sid=2293 5 | Jaime.Blasco 6 | 2012-12-17T10:26:50 7 | 8 | 9 | 10 | 11 | 12 | f3dd76477e16e26571f8c64a7fd4a97b 13 | 14 | 15 | 16 | fa0b300e671f73b3b0f7f415ccbe9d41 17 | 18 | 19 | 20 | c4cd216112cbc5b8c046934843c579f6 21 | 22 | 23 | 24 | ea7ed6b50a9f7b31caeea372a327bd37 25 | 26 | 27 | 28 | b7117b5d8281acd56648c9d08fadf630 29 | 30 | 31 | 32 | \system32\SLEEP.EXE 33 | 34 | 35 | 36 | \system32\jucheck.exe 37 | 38 | 39 | 40 | \system32\juboot.exe 41 | 42 | 43 | 44 | \Start Menu\Programs\Startup\GrooveMonitor.exe 45 | 46 | 47 | 48 | \Local Settings\Temp\1.tmp\juboot.bat 49 | 50 | 51 | 52 | \Local Settings\Temp\4.tmp\jucheck.bat 53 | 54 | 55 | 56 | \Local Settings\Temp\1.tmp\WmiPrv.bat 57 | 58 | 59 | 60 | 61 | SOFTWARE\Microsoft\Windows\CurrentVersion\Run 62 | 63 | 64 | 65 | jucheck.exe 66 | 67 | 68 | 69 | 70 | -------------------------------------------------------------------------------- /malware_analysis/CFR/41bd34a6-dff3-435b-8a98-6ec7ab0d222b.ioc: -------------------------------------------------------------------------------- 1 | 2 | 3 | Council on Foreign Relations Payload 4 | Indicators of compromise for the payload delivered by the Council on Foreign Relations waterhole attack using an Internet Explorer 8 zeroday 5 | Jaime Blasco 6 | 2012-12-29T13:07:26 7 | 8 | 9 | 10 | 11 | 12 | 39F206C64E2621AF0E7983C44E5E91FB 13 | 14 | 15 | 16 | \Temp\qwea.dat 17 | 18 | 19 | 20 | \Temp\flowertep.jpg 21 | 22 | 23 | 24 | \Program Files\Common Files\DirectDB.exe 25 | 26 | 27 | 28 | 29 | xsainfo[1].jpg 30 | 31 | 32 | 33 | \Temporary Internet Files\ 34 | 35 | 36 | 37 | 38 | 39 | 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{785942B1-FDE7-447F-A9C2-694A721FA120} 40 | 41 | 42 | 43 | DirectDB.exe 44 | 45 | 46 | 47 | 48 | 49 | HKEY_LOCAL_MACHINE\SOFTWARE\STS 50 | 51 | 52 | 53 | nck 54 | 55 | 56 | 57 | 58 | 59 | &!#@& 60 | 61 | 62 | 63 | 64 | DirectDB.exe 65 | 66 | 67 | 68 | iexplore.exe 69 | 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /malware_analysis/CommentCrew/apt1.yara: -------------------------------------------------------------------------------- 1 | 2 | rule LIGHTDART_APT1 { 3 | meta: 4 | author = "AlienVault Labs" 5 | info = "CommentCrew-threat-apt1" 6 | 7 | strings: 8 | $s1 = "ret.log" wide ascii 9 | $s2 = "Microsoft Internet Explorer 6.0" wide ascii 10 | $s3 = "szURL Fail" wide ascii 11 | $s4 = "szURL Successfully" wide ascii 12 | $s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii 13 | condition: 14 | all of them 15 | } 16 | 17 | rule AURIGA_APT1 { 18 | meta: 19 | author = "AlienVault Labs" 20 | info = "CommentCrew-threat-apt1" 21 | 22 | strings: 23 | $s1 = "superhard corp." wide ascii 24 | $s2 = "microsoft corp." wide ascii 25 | $s3 = "[Insert]" wide ascii 26 | $s4 = "[Delete]" wide ascii 27 | $s5 = "[End]" wide ascii 28 | $s6 = "!(*@)(!@KEY" wide ascii 29 | $s7 = "!(*@)(!@SID=" wide ascii 30 | condition: 31 | all of them 32 | } 33 | 34 | rule AURIGA_driver_APT1 { 35 | meta: 36 | author = "AlienVault Labs" 37 | info = "CommentCrew-threat-apt1" 38 | 39 | strings: 40 | $s1 = "Services\\riodrv32" wide ascii 41 | $s2 = "riodrv32.sys" wide ascii 42 | $s3 = "svchost.exe" wide ascii 43 | $s4 = "wuauserv.dll" wide ascii 44 | $s5 = "arp.exe" wide ascii 45 | $pdb = "projects\\auriga" wide ascii 46 | 47 | condition: 48 | all of ($s*) or $pdb 49 | } 50 | 51 | rule BANGAT_APT1 { 52 | meta: 53 | author = "AlienVault Labs" 54 | info = "CommentCrew-threat-apt1" 55 | 56 | strings: 57 | $s1 = "superhard corp." wide ascii 58 | $s2 = "microsoft corp." 
wide ascii 59 | $s3 = "[Insert]" wide ascii 60 | $s4 = "[Delete]" wide ascii 61 | $s5 = "[End]" wide ascii 62 | $s6 = "!(*@)(!@KEY" wide ascii 63 | $s7 = "!(*@)(!@SID=" wide ascii 64 | $s8 = "end binary output" wide ascii 65 | $s9 = "XriteProcessMemory" wide ascii 66 | $s10 = "IE:Password-Protected sites" wide ascii 67 | $s11 = "pstorec.dll" wide ascii 68 | 69 | condition: 70 | all of them 71 | } 72 | 73 | rule BISCUIT_GREENCAT_APT1 { 74 | meta: 75 | author = "AlienVault Labs" 76 | info = "CommentCrew-threat-apt1" 77 | 78 | strings: 79 | $s1 = "zxdosml" wide ascii 80 | $s2 = "get user name error!" wide ascii 81 | $s3 = "get computer name error!" wide ascii 82 | $s4 = "----client system info----" wide ascii 83 | $s5 = "stfile" wide ascii 84 | $s6 = "cmd success!" wide ascii 85 | 86 | condition: 87 | all of them 88 | } 89 | 90 | rule BOUNCER_APT1 { 91 | meta: 92 | author = "AlienVault Labs" 93 | info = "CommentCrew-threat-apt1" 94 | 95 | strings: 96 | $s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii 97 | $s2 = "IDR_DATA%d" wide ascii 98 | 99 | $s3 = "asdfqwe123cxz" wide ascii 100 | $s4 = "Mode must be 0(encrypt) or 1(decrypt)." 
wide ascii 101 | 102 | condition: 103 | ($s1 and $s2) or ($s3 and $s4) 104 | 105 | } 106 | 107 | rule BOUNCER_DLL_APT1 { 108 | meta: 109 | author = "AlienVault Labs" 110 | info = "CommentCrew-threat-apt1" 111 | 112 | strings: 113 | $s1 = "new_connection_to_bounce():" wide ascii 114 | $s2 = "usage:%s IP port [proxip] [port] [key]" wide ascii 115 | 116 | condition: 117 | all of them 118 | } 119 | 120 | rule CALENDAR_APT1 { 121 | meta: 122 | author = "AlienVault Labs" 123 | info = "CommentCrew-threat-apt1" 124 | 125 | strings: 126 | $s1 = "content" wide ascii 127 | $s2 = "title" wide ascii 128 | $s3 = "entry" wide ascii 129 | $s4 = "feed" wide ascii 130 | $s5 = "DownRun success" wide ascii 131 | $s6 = "%s@gmail.com" wide ascii 132 | $s7 = "" wide ascii 133 | 134 | $b8 = "W4qKihsb+So=" wide ascii 135 | $b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii 136 | $b10 = "8oqKiqb5880/uJLzAsY=" wide ascii 137 | 138 | condition: 139 | all of ($s*) or all of ($b*) 140 | } 141 | 142 | rule COMBOS_APT1 { 143 | meta: 144 | author = "AlienVault Labs" 145 | info = "CommentCrew-threat-apt1" 146 | 147 | strings: 148 | $s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii 149 | $s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii 150 | $s3 = "Delay" wide ascii 151 | $s4 = "Getfile" wide ascii 152 | $s5 = "Putfile" wide ascii 153 | $s6 = "---[ Virtual Shell]---" wide ascii 154 | $s7 = "Not Comming From Our Server %s." 
wide ascii 155 | 156 | 157 | condition: 158 | all of them 159 | } 160 | 161 | rule DAIRY_APT1 { 162 | meta: 163 | author = "AlienVault Labs" 164 | info = "CommentCrew-threat-apt1" 165 | 166 | strings: 167 | $s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii 168 | $s2 = "KilFail" wide ascii 169 | $s3 = "KilSucc" wide ascii 170 | $s4 = "pkkill" wide ascii 171 | $s5 = "pklist" wide ascii 172 | 173 | 174 | condition: 175 | all of them 176 | } 177 | 178 | rule GLOOXMAIL_APT1 { 179 | meta: 180 | author = "AlienVault Labs" 181 | info = "CommentCrew-threat-apt1" 182 | 183 | strings: 184 | $s1 = "Kill process success!" wide ascii 185 | $s2 = "Kill process failed!" wide ascii 186 | $s3 = "Sleep success!" wide ascii 187 | $s4 = "based on gloox" wide ascii 188 | 189 | $pdb = "glooxtest.pdb" wide ascii 190 | 191 | condition: 192 | all of ($s*) or $pdb 193 | } 194 | 195 | rule GOGGLES_APT1 { 196 | meta: 197 | author = "AlienVault Labs" 198 | info = "CommentCrew-threat-apt1" 199 | 200 | strings: 201 | $s1 = "Kill process success!" wide ascii 202 | $s2 = "Kill process failed!" wide ascii 203 | $s3 = "Sleep success!" wide ascii 204 | $s4 = "based on gloox" wide ascii 205 | 206 | $pdb = "glooxtest.pdb" wide ascii 207 | 208 | condition: 209 | all of ($s*) or $pdb 210 | } 211 | 212 | rule HACKSFASE1_APT1 { 213 | meta: 214 | author = "AlienVault Labs" 215 | info = "CommentCrew-threat-apt1" 216 | 217 | strings: 218 | $s1 = {cb 39 82 49 42 be 1f 3a} 219 | 220 | condition: 221 | all of them 222 | } 223 | 224 | rule HACKSFASE2_APT1 { 225 | meta: 226 | author = "AlienVault Labs" 227 | info = "CommentCrew-threat-apt1" 228 | 229 | strings: 230 | $s1 = "Send to Server failed." wide ascii 231 | $s2 = "HandShake with the server failed. Error:" wide ascii 232 | $s3 = "Decryption Failed. Context Expired." 
wide ascii 233 | 234 | condition: 235 | all of them 236 | } 237 | 238 | rule KURTON_APT1 { 239 | meta: 240 | author = "AlienVault Labs" 241 | info = "CommentCrew-threat-apt1" 242 | 243 | strings: 244 | $s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" wide ascii 245 | $s2 = "!(*@)(!@PORT!(*@)(!@URL" wide ascii 246 | $s3 = "MyTmpFile.Dat" wide ascii 247 | $s4 = "SvcHost.DLL.log" wide ascii 248 | 249 | condition: 250 | all of them 251 | } 252 | 253 | rule LONGRUN_APT1 { 254 | meta: 255 | author = "AlienVault Labs" 256 | info = "CommentCrew-threat-apt1" 257 | 258 | strings: 259 | $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" wide ascii 260 | $s2 = "%s\\%c%c%c%c%c%c%c" wide ascii 261 | $s3 = "wait:" wide ascii 262 | $s4 = "Dcryption Error! Invalid Character" wide ascii 263 | 264 | condition: 265 | all of them 266 | } 267 | 268 | rule MACROMAIL_APT1 { 269 | meta: 270 | author = "AlienVault Labs" 271 | info = "CommentCrew-threat-apt1" 272 | 273 | strings: 274 | $s1 = "svcMsn.dll" wide ascii 275 | $s2 = "RundllInstall" wide ascii 276 | $s3 = "Config service %s ok." wide ascii 277 | $s4 = "svchost.exe" wide ascii 278 | 279 | condition: 280 | all of them 281 | } 282 | 283 | rule MANITSME_APT1 { 284 | meta: 285 | author = "AlienVault Labs" 286 | info = "CommentCrew-threat-apt1" 287 | 288 | strings: 289 | $s1 = "Install an Service hosted by SVCHOST." wide ascii 290 | $s2 = "The Dll file that to be released." 
wide ascii 291 | $s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii 292 | $s4 = "svchost.exe" wide ascii 293 | 294 | $e1 = "Man,it's me" wide ascii 295 | $e2 = "Oh,shit" wide ascii 296 | $e3 = "Hallelujah" wide ascii 297 | $e4 = "nRet == SOCKET_ERROR" wide ascii 298 | 299 | $pdb1 = "rouji\\release\\Install.pdb" wide ascii 300 | $pdb2 = "rouji\\SvcMain.pdb" wide ascii 301 | 302 | condition: 303 | (all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2 304 | } 305 | 306 | rule MINIASP_APT1 { 307 | meta: 308 | author = "AlienVault Labs" 309 | info = "CommentCrew-threat-apt1" 310 | 311 | strings: 312 | $s1 = "miniasp" wide ascii 313 | $s2 = "wakeup=" wide ascii 314 | $s3 = "download ok!" wide ascii 315 | $s4 = "command is null!" wide ascii 316 | $s5 = "device_input.asp?device_t=" wide ascii 317 | 318 | 319 | condition: 320 | all of them 321 | } 322 | 323 | rule NEWSREELS_APT1 { 324 | meta: 325 | author = "AlienVault Labs" 326 | info = "CommentCrew-threat-apt1" 327 | 328 | strings: 329 | $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" wide ascii 330 | $s2 = "name=%s&userid=%04d&other=%c%s" wide ascii 331 | $s3 = "download ok!" wide ascii 332 | $s4 = "command is null!" wide ascii 333 | $s5 = "noclient" wide ascii 334 | $s6 = "wait" wide ascii 335 | $s7 = "active" wide ascii 336 | $s8 = "hello" wide ascii 337 | 338 | 339 | condition: 340 | all of them 341 | } 342 | 343 | rule SEASALT_APT1 { 344 | meta: 345 | author = "AlienVault Labs" 346 | info = "CommentCrew-threat-apt1" 347 | 348 | strings: 349 | $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" wide ascii 350 | $s2 = "upfileok" wide ascii 351 | $s3 = "download ok!" 
wide ascii 352 | $s4 = "upfileer" wide ascii 353 | $s5 = "fxftest" wide ascii 354 | 355 | 356 | condition: 357 | all of them 358 | } 359 | 360 | rule STARSYPOUND_APT1 { 361 | meta: 362 | author = "AlienVault Labs" 363 | info = "CommentCrew-threat-apt1" 364 | 365 | strings: 366 | $s1 = "*(SY)# cmd" wide ascii 367 | $s2 = "send = %d" wide ascii 368 | $s3 = "cmd.exe" wide ascii 369 | $s4 = "*(SY)#" wide ascii 370 | 371 | 372 | condition: 373 | all of them 374 | } 375 | 376 | rule SWORD_APT1 { 377 | meta: 378 | author = "AlienVault Labs" 379 | info = "CommentCrew-threat-apt1" 380 | 381 | strings: 382 | $s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" wide ascii 383 | $s2 = "sleep:" wide ascii 384 | $s3 = "down:" wide ascii 385 | $s4 = "*========== Bye Bye ! ==========*" wide ascii 386 | 387 | 388 | condition: 389 | all of them 390 | } 391 | 392 | 393 | rule thequickbrow_APT1 { 394 | meta: 395 | author = "AlienVault Labs" 396 | info = "CommentCrew-threat-apt1" 397 | 398 | strings: 399 | $s1 = "thequickbrownfxjmpsvalzydg" wide ascii 400 | 401 | 402 | condition: 403 | all of them 404 | } 405 | 406 | 407 | rule TABMSGSQL_APT1 { 408 | meta: 409 | author = "AlienVault Labs" 410 | info = "CommentCrew-threat-apt1" 411 | 412 | strings: 413 | $s1 = "letusgohtppmmv2.0.0.1" wide ascii 414 | $s2 = "Mozilla/4.0 (compatible; )" wide ascii 415 | $s3 = "filestoc" wide ascii 416 | $s4 = "filectos" wide ascii 417 | $s5 = "reshell" wide ascii 418 | 419 | condition: 420 | all of them 421 | } 422 | 423 | rule CCREWBACK1 424 | { 425 | meta: 426 | author = "AlienVault Labs" 427 | info = "CommentCrew-threat-apt1" 428 | 429 | strings: 430 | $a = "postvalue" wide ascii 431 | $b = "postdata" wide ascii 432 | $c = "postfile" wide ascii 433 | $d = "hostname" wide ascii 434 | $e = "clientkey" wide ascii 435 | $f = "start Cmd Failure!" 
wide ascii 436 | $g = "sleep:" wide ascii 437 | $h = "downloadcopy:" wide ascii 438 | $i = "download:" wide ascii 439 | $j = "geturl:" wide ascii 440 | $k = "1.234.1.68" wide ascii 441 | 442 | condition: 443 | 4 of ($a,$b,$c,$d,$e) or $f or 3 of ($g,$h,$i,$j) or $k 444 | } 445 | 446 | rule TrojanCookies_CCREW 447 | { 448 | meta: 449 | author = "AlienVault Labs" 450 | info = "CommentCrew-threat-apt1" 451 | 452 | strings: 453 | $a = "sleep:" wide ascii 454 | $b = "content=" wide ascii 455 | $c = "reqpath=" wide ascii 456 | $d = "savepath=" wide ascii 457 | $e = "command=" wide ascii 458 | 459 | 460 | condition: 461 | 4 of ($a,$b,$c,$d,$e) 462 | } 463 | 464 | rule GEN_CCREW1 465 | { 466 | meta: 467 | author = "AlienVault Labs" 468 | info = "CommentCrew-threat-apt1" 469 | 470 | strings: 471 | $a = "W!r@o#n$g" wide ascii 472 | $b = "KerNel32.dll" wide ascii 473 | 474 | condition: 475 | any of them 476 | } 477 | 478 | rule Elise 479 | { 480 | meta: 481 | author = "AlienVault Labs" 482 | info = "CommentCrew-threat-apt1" 483 | 484 | strings: 485 | $a = "SetElise.pdb" wide ascii 486 | 487 | condition: 488 | $a 489 | } 490 | 491 | rule EclipseSunCloudRAT 492 | { 493 | meta: 494 | author = "AlienVault Labs" 495 | info = "CommentCrew-threat-apt1" 496 | 497 | strings: 498 | $a = "Eclipse_A" wide ascii 499 | $b = "\\PJTS\\" wide ascii 500 | $c = "Eclipse_Client_B.pdb" wide ascii 501 | $d = "XiaoME" wide ascii 502 | $e = "SunCloud-Code" wide ascii 503 | $f = "/uc_server/data/forum.asp" wide ascii 504 | 505 | condition: 506 | any of them 507 | } 508 | 509 | rule MoonProject 510 | { 511 | meta: 512 | author = "AlienVault Labs" 513 | info = "CommentCrew-threat-apt1" 514 | 515 | strings: 516 | $a = "Serverfile is smaller than Clientfile" wide ascii 517 | $b = "\\M tools\\" wide ascii 518 | $c = "MoonDLL" wide ascii 519 | $d = "\\M tools\\" wide ascii 520 | 521 | condition: 522 | any of them 523 | } 524 | 525 | rule ccrewDownloader1 526 | { 527 | meta: 528 | author = "AlienVault Labs" 
529 | info = "CommentCrew-threat-apt1" 530 | 531 | strings: 532 | $a = {DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42} 533 | 534 | condition: 535 | any of them 536 | } 537 | 538 | rule ccrewDownloader2 539 | { 540 | meta: 541 | author = "AlienVault Labs" 542 | info = "CommentCrew-threat-apt1" 543 | 544 | strings: 545 | $a = "3gZFQOBtY3sifNOl" wide ascii 546 | $b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" wide ascii 547 | $c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" wide ascii 548 | 549 | condition: 550 | any of them 551 | } 552 | 553 | 554 | rule ccrewMiniasp 555 | { 556 | meta: 557 | author = "AlienVault Labs" 558 | info = "CommentCrew-threat-apt1" 559 | 560 | strings: 561 | $a = "MiniAsp.pdb" wide ascii 562 | $b = "device_t=" wide ascii 563 | 564 | condition: 565 | any of them 566 | } 567 | 568 | 569 | rule ccrewSSLBack2 570 | { 571 | meta: 572 | author = "AlienVault Labs" 573 | info = "CommentCrew-threat-apt1" 574 | 575 | strings: 576 | $a = {39 82 49 42 BE 1F 3A} 577 | 578 | condition: 579 | any of them 580 | } 581 | 582 | rule ccrewSSLBack3 583 | { 584 | meta: 585 | author = "AlienVault Labs" 586 | info = "CommentCrew-threat-apt1" 587 | 588 | strings: 589 | $a = "SLYHKAAY" wide ascii 590 | 591 | condition: 592 | any of them 593 | } 594 | 595 | 596 | rule ccrewSSLBack1 597 | { 598 | meta: 599 | author = "AlienVault Labs" 600 | info = "CommentCrew-threat-apt1" 601 | 602 | strings: 603 | $a = "!@#%$^#@!" 
wide ascii 604 | $b = "64.91.80.6" wide ascii 605 | 606 | condition: 607 | any of them 608 | } 609 | 610 | rule ccrewDownloader3 611 | { 612 | meta: 613 | author = "AlienVault Labs" 614 | info = "CommentCrew-threat-apt1" 615 | 616 | strings: 617 | $a = "ejlcmbv" wide ascii 618 | $b = "bhxjuisv" wide ascii 619 | $c = "yqzgrh" wide ascii 620 | $d = "uqusofrp" wide ascii 621 | $e = "Ljpltmivvdcbb" wide ascii 622 | $f = "frfogjviirr" wide ascii 623 | $g = "ximhttoskop" wide ascii 624 | condition: 625 | 4 of them 626 | } 627 | 628 | 629 | rule ccrewQAZ 630 | { 631 | meta: 632 | author = "AlienVault Labs" 633 | info = "CommentCrew-threat-apt1" 634 | 635 | strings: 636 | $a = "!QAZ@WSX" wide ascii 637 | 638 | condition: 639 | $a 640 | } 641 | 642 | rule metaxcd 643 | { 644 | meta: 645 | author = "AlienVault Labs" 646 | info = "CommentCrew-threat-apt1" 647 | 648 | strings: 649 | $a = " 2 | 3 | GeorBot 4 | Jaime Blasco 5 | 2012-10-31T17:32:47 6 | 7 | 8 | 9 | 10 | 11 | usbclient.exe 12 | 13 | 14 | 15 | rpcsrv.log 16 | 17 | 18 | 19 | 20 | \Microsoft\Windows\CurrentVersion\Run 21 | 22 | 23 | 24 | USBSERV 25 | 26 | 27 | 28 | 29 | 30 | USBSERV 31 | 32 | 33 | 34 | usbclient.exe 35 | 36 | 37 | 38 | modules/docs/ 39 | 40 | 41 | 42 | bot123 43 | 44 | 45 | 46 | 47 | cr5_0 48 | 49 | 50 | 51 | cr1_0 52 | 53 | 54 | 55 | 56 | 57 | 58 | -------------------------------------------------------------------------------- /malware_analysis/Georbot/snort_georbot.rules: -------------------------------------------------------------------------------- 1 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot requesting update"; flow: to_server,established; content:"/modules/docs/upload/calc.exe"; http_uri; classtype:trojan-activity; sid:1111111112; rev:1;) 2 | 3 | 4 | 5 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot initial checkin"; flow: to_server,established; content:"POST"; http_method; nocase; content:".php?ver="; http_uri; 
content:"&p=cert123"; fast_pattern; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:1111111113; rev:1;) 6 | 7 | 8 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot checkin"; flow: to_server,established; content:".php?ver="; http_uri; content:"&p=bot123"; fast_pattern; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:1111111114; rev:1;) 9 | -------------------------------------------------------------------------------- /malware_analysis/Hangover/hangover.yar: -------------------------------------------------------------------------------- 1 | rule Hangover_ron_babylon 2 | { 3 | strings: 4 | $a = "Content-Disposition: form-data; name=\"uploaddir\"" 5 | $b1 = "MBVDFRESCT" 6 | $b2 = "EMSCBVDFRT" 7 | $b3 = "EMSFRTCBVD" 8 | $b4= "sendFile" 9 | $b5 = "BUGMAAL" 10 | $b6 = "sMAAL" 11 | $b7 = "SIMPLE" 12 | $b8 = "SPLIME" 13 | $b9 = "getkey.php" 14 | $b10 = "MBVDFRESCT" 15 | $b11 = "DSMBVCTFRE" 16 | $b12 = "MBESCVDFRT" 17 | $b13 = "TCBFRVDEMS" 18 | $b14 = "DEMOMAKE" 19 | $b15 = "DEMO" 20 | $b16 = "UPHTTP" 21 | 22 | 23 | $c1 = "F39D45E70395ABFB8D8D2BFFC8BBD152" 24 | $c2 = "90B452BFFF3F395ABDC878D8BEDBD152" 25 | $c3 = "FFF3F395A90B452BB8BEDC878DDBD152" 26 | $c4 = "5A9DCB8FFF3F02B8B45BE39D152" 27 | $c5 = "5A902B8B45BEDCB8FFF3F39D152" 28 | $c6 = "78DDB5A902BB8FFF3F398B45BEDCD152" 29 | $c7 = "905ABEB452BFFFBDC878D83F39DBD152" 30 | $c8 = "D2BFFC8BBD152F3B8D89D45E70395ABF" 31 | $c9 = "8765F3F395A90B452BB8BEDC878" 32 | $c10 = "90ABDC878D8BEDBB452BFFF3F395D152" 33 | $c11 = "F12BDC94490B452AA8AEDC878DCBD187" 34 | 35 | condition: 36 | $a and (1 of ($b*) or 1 of ($c*)) 37 | 38 | } 39 | 40 | rule Hangover_Fuddol { 41 | strings: 42 | $a = "\\Http downloader(fud)" 43 | $b = "Fileexists" 44 | condition: 45 | all of them 46 | 47 | } 48 | 49 | rule Hangover_UpdateEx { 50 | strings: 51 | $a1 = "UpdateEx" 52 | $a2 = "VBA6.DLL" 53 | $a3 = "MainEx" 54 | $a4 = "GetLogs" 55 | $a5 = "ProMan" 56 | $a6 = "RedMod" 57 | 58 | condition: 
59 | all of them 60 | 61 | } 62 | 63 | rule Hangover_Tymtin_Degrab { 64 | strings: 65 | $a1 = "&dis=no&utp=op&mfol=" 66 | $a2 = "value1=1&value2=2" 67 | 68 | condition: 69 | all of them 70 | 71 | } 72 | 73 | 74 | rule Hangover_Smackdown_Downloader { 75 | strings: 76 | $a1 = "DownloadComplete" 77 | $a2 = "DownloadProgress" 78 | $a3 = "DownloadError" 79 | $a4 = "UserControl" 80 | $a5 = "MSVBVM60.DLL" 81 | 82 | $b1 = "syslide" 83 | $b2 = "frmMina" 84 | $b3 = "Soundsman" 85 | $b4 = "New_upl" 86 | $b5 = "MCircle" 87 | $b6 = "shells_DataArrival" 88 | 89 | condition: 90 | 3 of ($a*) and 1 of ($b*) 91 | 92 | } 93 | 94 | 95 | rule Hangover_Vacrhan_Downloader { 96 | strings: 97 | $a1 = "pranVacrhan" 98 | $a2 = "VBA6.DLL" 99 | $a3 = "Timer1" 100 | $a4 = "Timer2" 101 | $a5 = "IsNTAdmin" 102 | 103 | condition: 104 | all of them 105 | 106 | } 107 | 108 | 109 | rule Hangover_Smackdown_various { 110 | strings: 111 | $a1 = "pranVacrhan" 112 | $a2 = "NaramGaram" 113 | $a3 = "vampro" 114 | $a4 = "AngelPro" 115 | 116 | $b1 = "VBA6.DLL" 117 | $b2 = "advpack" 118 | $b3 = "IsNTAdmin" 119 | 120 | 121 | condition: 122 | 1 of ($a*) and all of ($b*) 123 | 124 | } 125 | 126 | rule Hangover_Foler { 127 | strings: 128 | $a1 = "\\MyHood" 129 | $a2 = "UsbP" 130 | $a3 = "ID_MON" 131 | 132 | condition: 133 | all of them 134 | 135 | } 136 | 137 | rule Hangover_Appinbot { 138 | strings: 139 | $a1 = "CreateToolhelp32Snapshot" 140 | $a2 = "Process32First" 141 | $a3 = "Process32Next" 142 | $a4 = "FIDR/" 143 | $a5 = "SUBSCRIBE %d" 144 | $a6 = "CLOSE %d" 145 | 146 | condition: 147 | all of them 148 | 149 | } 150 | 151 | rule Hangover_Linog { 152 | strings: 153 | $a1 = "uploadedfile" 154 | $a2 = "Error in opening a file.." 
155 | $a3 = "The file could not be opened" 156 | $a4 = "%sContent-Disposition: form-data; name=\"%s\";filename=\"%s\"" 157 | 158 | condition: 159 | all of them 160 | 161 | } 162 | 163 | 164 | rule Hangover_Iconfall { 165 | strings: 166 | $a1 = "iconfall" 167 | $a2 = "78DDB5A902BB8FFF3F398B45BEDCD152" 168 | 169 | condition: 170 | all of them 171 | 172 | } 173 | 174 | 175 | rule Hangover_Deksila { 176 | strings: 177 | $a1 = "WinInetGet/0.1" 178 | $a2 = "dekstop2007.ico" 179 | $a3 = "mozila20" 180 | 181 | condition: 182 | all of them 183 | 184 | } 185 | 186 | rule Hangover_Auspo { 187 | strings: 188 | $a1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV2)" 189 | $a2 = "POWERS" 190 | $a3 = "AUSTIN" 191 | 192 | condition: 193 | all of them 194 | 195 | } 196 | 197 | rule Hangover_Slidewin { 198 | strings: 199 | $a1 = "[NumLock]" 200 | $a2 = "[ScrlLock]" 201 | $a3 = "[LtCtrl]" 202 | $a4 = "[RtCtrl]" 203 | $a5 = "[LtAlt]" 204 | $a6 = "[RtAlt]" 205 | $a7 = "[HomePage]" 206 | $a8 = "[MuteOn/Off]" 207 | $a9 = "[VolDn]" 208 | $a10 = "[VolUp]" 209 | $a11 = "[Play/Pause]" 210 | $a12 = "[MailBox]" 211 | $a14 = "[Calc]" 212 | $a15 = "[Unknown]" 213 | 214 | condition: 215 | all of them 216 | 217 | } 218 | 219 | 220 | rule Hangover_Gimwlog { 221 | strings: 222 | $a1 = "file closed---------------------" 223 | $a2 = "new file------------------" 224 | $a3 = "md C:\\ApplicationData\\Prefetch\\" 225 | 226 | condition: 227 | all of them 228 | 229 | } 230 | 231 | 232 | rule Hangover_Gimwup { 233 | strings: 234 | $a1 = "=======inside while===========" 235 | $a2 = "scan finished" 236 | $a3 = "logFile.txt" 237 | 238 | condition: 239 | all of them 240 | 241 | } 242 | 243 | 244 | -------------------------------------------------------------------------------- /malware_analysis/OSX_Leverage/leverage.yar: -------------------------------------------------------------------------------- 1 | rule leverage_a 2 | { 3 | meta: 4 | author = "earada@alienvault.com" 5 | version = "1.0" 6 | 
description = "OSX/Leverage.A" 7 | date = "2013/09" 8 | strings: 9 | $a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F" 10 | $a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:" 11 | $a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'" 12 | $script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'" 13 | $script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'" 14 | $script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'" 15 | $properties = "serverVisible \x00" 16 | condition: 17 | all of them 18 | } 19 | -------------------------------------------------------------------------------- /malware_analysis/OSX_Leverage/snort_leverage.rules: -------------------------------------------------------------------------------- 1 | alert tcp any any -> $EXTERNAL_NET any (msg:"OSX/Leverage.A Checkin"; flow:established,to_server; content:"|00 00|"; offset:0; depth:2; content:"|00 00 00 01|"; distance:2; within:4; pcre:"/\|\d+ \w+ RAM\n\|\d+\w+\/\d+\w+ free \(\d+% used\)/"; sid:1696991; rev:1;) 2 | -------------------------------------------------------------------------------- /malware_analysis/RedOctober/48290d24-834c-4097-abc5-4f22d3bd8f3c.ioc: -------------------------------------------------------------------------------- 1 | 2 | 3 | Red October Campaign 4 | On January 14, 2013, Kaspersky Lab announced the discovery of "Red October", a high-level cyber-espionage campaign that has been active for over 5 years. (https://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies). This campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment. 
5 | Jaime Blasco, Costin Raiu 6 | 2013-01-17T11:52:43 7 | 8 | 9 | 10 | 11 | 12 | fsmgmtio32.msc 13 | 14 | 15 | 16 | cfsyn.pcs 17 | 18 | 19 | 20 | frpdhry.hry 21 | 22 | 23 | 24 | ime64ex.ncs 25 | 26 | 27 | 28 | io32.ocx 29 | 30 | 31 | 32 | lhafd.gcp 33 | 34 | 35 | 36 | lsc32i.cmp 37 | 38 | 39 | 40 | ocxstate.dat 41 | 42 | 43 | 44 | opdocx.gxt 45 | 46 | 47 | 48 | sccme.hrp 49 | 50 | 51 | 52 | scprd.hrd 53 | 54 | 55 | 56 | syncls.gxk 57 | 58 | 59 | 60 | lgdrke.swk 61 | 62 | 63 | 64 | sdlvk.acx 65 | 66 | 67 | 68 | wsdktr.ltp 69 | 70 | 71 | 72 | synhfr.pkc 73 | 74 | 75 | 76 | scpkrp.gmx 77 | 78 | 79 | 80 | rfkscp.pck 81 | 82 | 83 | 84 | qsdtlp.rcp 85 | 86 | 87 | 88 | \SSDPserv32\ssdtrbs 89 | 90 | 91 | 92 | \smrdprev\smrdprev_ 93 | 94 | 95 | 96 | \Microsoft\RtkN32Gdi.exe 97 | 98 | 99 | 100 | dfgber7t8234ytfndfugh5vndfuvh4 101 | 102 | 103 | 104 | dfgbsdfjvabufqgwiffuvh4 105 | 106 | 107 | 108 | 208D2C60-3AEA-1069-A2D7-08002B30309D 109 | 110 | 111 | 112 | huiofwhfiowjcpowjkcwcophwvurweionwopmcvopwkvpwjnhopv 113 | 114 | 115 | 116 | sysvolumecheckasdfg 117 | 118 | 119 | 120 | bb-apps-world.com 121 | 122 | 123 | 124 | blackberry-apps-world.com 125 | 126 | 127 | 128 | blackberry-update.com 129 | 130 | 131 | 132 | csrss-check-new.com 133 | 134 | 135 | 136 | csrss-update-new.com 137 | 138 | 139 | 140 | csrss-upgrade-new.com 141 | 142 | 143 | 144 | dailyinfonews.net 145 | 146 | 147 | 148 | dll-host.com 149 | 150 | 151 | 152 | dll-host-check.com 153 | 154 | 155 | 156 | dll-host-udate.com 157 | 158 | 159 | 160 | dll-host-update.com 161 | 162 | 163 | 164 | dllupdate.info 165 | 166 | 167 | 168 | drivers-check.com 169 | 170 | 171 | 172 | drivers-get.com 173 | 174 | 175 | 176 | drivers-update-online.com 177 | 178 | 179 | 180 | genuine-check.com 181 | 182 | 183 | 184 | genuineservicecheck.com 185 | 186 | 187 | 188 | genuineupdate.com 189 | 190 | 191 | 192 | hotinfonews.com 193 | 194 | 195 | 196 | microsoftcheck.com 197 | 198 | 199 | 200 | microsoft-msdn.com 201 | 202 | 203 | 204 | 
microsoftosupdate.com 205 | 206 | 207 | 208 | mobileimho.com 209 | 210 | 211 | 212 | mobileimho.ru 213 | 214 | 215 | 216 | mobile-update.com 217 | 218 | 219 | 220 | msgenuine.net 221 | 222 | 223 | 224 | msinfoonline.org 225 | 226 | 227 | 228 | msonlinecheck.com 229 | 230 | 231 | 232 | msonlineget.com 233 | 234 | 235 | 236 | msonlineupdate.com 237 | 238 | 239 | 240 | ms-software-check.com 241 | 242 | 243 | 244 | ms-software-genuine.com 245 | 246 | 247 | 248 | ms-software-update.com 249 | 250 | 251 | 252 | new-driver-upgrade.com 253 | 254 | 255 | 256 | nt-windows-check.com 257 | 258 | 259 | 260 | nt-windows-online.com 261 | 262 | 263 | 264 | nt-windows-update.com 265 | 266 | 267 | 268 | osgenuine.com 269 | 270 | 271 | 272 | os-microsoft-check.com 273 | 274 | 275 | 276 | os-microsoft-update.com 277 | 278 | 279 | 280 | security-mobile.com 281 | 282 | 283 | 284 | shellupdate.com 285 | 286 | 287 | 288 | svchost-check.com 289 | 290 | 291 | 292 | svchost-online.com 293 | 294 | 295 | 296 | svchost-update.com 297 | 298 | 299 | 300 | update-genuine.com 301 | 302 | 303 | 304 | win-check-update.com 305 | 306 | 307 | 308 | windowscheckupdate.com 309 | 310 | 311 | 312 | windows-genuine.com 313 | 314 | 315 | 316 | windowsonlineupdate.com 317 | 318 | 319 | 320 | win-driver-upgrade.com 321 | 322 | 323 | 324 | wingenuine.com 325 | 326 | 327 | 328 | wins-driver-check.com 329 | 330 | 331 | 332 | wins-driver-update.com 333 | 334 | 335 | 336 | wins-update.com 337 | 338 | 339 | 340 | winupdateonline.com 341 | 342 | 343 | 344 | winupdateos.com 345 | 346 | 347 | 348 | world-mobile-congress.com 349 | 350 | 351 | 352 | xponlineupdate.com 353 | 354 | 355 | 356 | 141.101.239.225 357 | 358 | 359 | 360 | 178.162.129.237 361 | 362 | 363 | 364 | 178.162.182.42 365 | 366 | 367 | 368 | 178.63.208.49 369 | 370 | 371 | 372 | 188.40.19.247 373 | 374 | 375 | 376 | 31.184.234.18 377 | 378 | 379 | 380 | 31.41.45.9 381 | 382 | 383 | 384 | 37.235.54.48 385 | 386 | 387 | 388 | 46.4.202.86 389 | 390 | 391 | 
392 | 77.72.133.161 393 | 394 | 395 | 396 | 78.46.173.15 397 | 398 | 399 | 400 | 88.198.30.44 401 | 402 | 403 | 404 | 88.198.85.161 405 | 406 | 407 | 408 | 88.198.85.162 409 | 410 | 411 | 412 | 92.53.105.40 413 | 414 | 415 | 416 | 95.168.172.69 417 | 418 | 419 | 420 | 31.41.45.139 421 | 422 | 423 | 424 | 91.226.31.40 425 | 426 | 427 | 428 | 178.63.208.63 429 | 430 | 431 | 432 | 31.41.45.119 433 | 434 | 435 | 436 | 176.9.241.254 437 | 438 | 439 | 440 | 31.41.45.179 441 | 442 | 443 | 444 | 176.9.189.36 445 | 446 | 447 | 448 | 92.53.105.214 449 | 450 | 451 | 452 | 188.40.19.244 453 | 454 | 455 | 456 | 85.25.104.57 457 | 458 | 459 | 460 | %ALLUSERSPROFILE%\adt.dat 461 | 462 | 463 | 464 | %LOCALAPPDATA%\adt.dat 465 | 466 | 467 | 468 | adobe_upd_imhbfex_ 469 | 470 | 471 | 472 | bestcrypt_update.exe 473 | 474 | 475 | 476 | bestcrypt_update.dll 477 | 478 | 479 | 480 | imapisync32.dat 481 | 482 | 483 | 484 | \hsperfdata32sys\bcmntc_rt_ 485 | 486 | 487 | 488 | \hdbrt32sys\ms32jxtr.dat 489 | 490 | 491 | 492 | 493 | \Windows NT\ 494 | 495 | 496 | 497 | 498 | svchost.exe 499 | 500 | 501 | 502 | svclogon.exe 503 | 504 | 505 | 506 | 507 | 508 | 509 | .sxdata 510 | 511 | 512 | 513 | 514 | rkef09erf90kerf9k34fo3kfo3ekdf2[l'2dl2043dl4d03ld34fkf4j 515 | 516 | 517 | 518 | sdfg45fyhh656ffhjfddsd5hkjfgccdxs4waaxzhjjy6yrre4dhjmmtr357643fbnffr 519 | 520 | 521 | 522 | sfgsrykw5rwqedg43564ytdfbgkfgnxczagsd6566igfsdr656867idffghkgdsdsdtd 523 | 524 | 525 | 526 | jr89h5tr489fg954dewdwedwehg845jhgi54jgljg54j3gj589gh489h2php 527 | 528 | 529 | 530 | 384r783fh374fh37hf349hf9348hf938fh3894hf893h4f89h3489fh3894f8 531 | 532 | 533 | 534 | 3497888hf8943hf89j389fj8934jf9843jf983j489fjjj43ghkjnbsdfjhsdf8374 535 | 536 | 537 | 538 | 0641cn34873cn47832cyn43ycn43yo5c4n5ynyynyn324y5c324yn5c3yn5c 539 | 540 | 541 | 542 | ldfn34fdldsflivfu4tu3049u039utgf9vuxdf0gu0349ut34po5j432pakoew02o3ox 543 | 544 | 545 | 546 | efkggjfrut454329wehdfgtriwnxcmgf457edhajzq234yr4fkkdjsheirtyjghfgks 547 | 548 | 549 | 550 | 
dkeerqwerfgvg467643fffdffhf5443DGFRESD2455667QQEwrfgu45kj535kj534m5n 551 | 552 | 553 | 554 | awsrrqwerfgvg4676e34gfdffhf5443DGFRESD2547967QQEwrfgu45kj535kj53we4u 555 | 556 | 557 | 558 | rtei458ghfjdkeirutnawqpondfrjuwgsfroinher5409srncbdhreqpodjrv5438hr 559 | 560 | 561 | 562 | qwertfhsjazxbcvnmkdlruwe23458732wuryfjghc4whcfggbjd3skdjfksfsf543ie 563 | 564 | 565 | 566 | ekrjdfh56urti34569382wqhdjfvncmdjqlosjhdfmazplkeey4559382dkwuueiowo 567 | 568 | 569 | 570 | dfr45e6uyt39gth45ncv43fjhrmlpotyiulqawert65hfjtrewow62krifje9532j3e 571 | 572 | 573 | 574 | a6749328347569483ryedfbcsjqopehf4rbdjwhse945hsdrgskwjr2354sheg3472s 575 | 576 | 577 | 578 | ldfn34fdldsflivfu4tu3049u039utgf9vuxdf0gu0349ut34po5j432pakoew02o3ox 579 | 580 | 581 | 582 | dfdedkwe3322oeitodkdjeio3e9ekdjwasddcncmvjdasalwpeoryg7534hvn5wewse 583 | 584 | 585 | 586 | eerklxcbs4783dtglwetpoqweo33wketkasdlgasdjgakti3eqtojqwoiedgoiddfgo 587 | 588 | 589 | 590 | erhg548rhgflri4932nvg56832hdfjcnrlsjqpmdrewjdhaznrow321hfrjska38rua 591 | 592 | 593 | 594 | hyjtri458ejshertkcbnvbn44cjfthweeowqksdjfklgorpwwjkdfj5i4wos89423od 595 | 596 | 597 | 598 | dfwjdh45683jsmcnrt5938qjdhertlmncbfgtjwpaj438271jdhr4hdbsuqplmk34hs 599 | 600 | 601 | 602 | dfgsdgjweerqkwdgofjsdfokgbjoi5290348t0dfjgbsjr65jopofkaj345j4tdfgsd 603 | 604 | 605 | 606 | 607 | 608 | 609 | .?AVMPTraitor@@ 610 | 611 | 612 | 613 | 614 | Executable 615 | 616 | 617 | 618 | Dll 619 | 620 | 621 | 622 | 623 | 624 | 625 | Software\Microsoft\Windows\CurrentVersion\Run 626 | 627 | 628 | 629 | 630 | \Windows NT\svchost.exe 631 | 632 | 633 | 634 | \Windows NT\svclogon.exe 635 | 636 | 637 | 638 | 639 | 640 | -------------------------------------------------------------------------------- /malware_analysis/Sykipot/snort/sykipot.rules: -------------------------------------------------------------------------------- 1 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain peocity.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; 
content:"|07|peocity|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016600; rev:1;) 2 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain rusview.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|rusview|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016601; rev:1;) 3 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain skyruss.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|skyruss|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016602; rev:1;) 4 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain commanal.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|commanal|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016603; rev:1;) 5 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain natareport.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|natareport|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016604; rev:1;) 6 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogellrey.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photogellrey|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016605; rev:1;) 7 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogalaxyzone.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|photogalaxyzone|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016606; rev:1;) 8 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insdet.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|insdet|03|com|00|"; nocase; 
fast_pattern:only; classtype:trojan-activity; sid:2016607; rev:1;) 9 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain creditrept.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|creditrept|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016608; rev:1;) 10 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pollingvoter.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|pollingvoter|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016609; rev:1;) 11 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dfasonline.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dfasonline|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016610; rev:1;) 12 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hudsoninst.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|hudsoninst|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016611; rev:1;) 13 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain wsurveymaster.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wsurveymaster|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016612; rev:1;) 14 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nhrasurvey.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|nhrasurvey|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016613; rev:1;) 15 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pdi2012.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pdi2012|03|org|00|"; nocase; fast_pattern:only; 
classtype:trojan-activity; sid:2016614; rev:1;) 16 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nceba.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|nceba|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016615; rev:1;) 17 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain linkedin-blog.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|linkedin-blog|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016616; rev:1;) 18 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain aafbonus.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|aafbonus|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016617; rev:1;) 19 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain milstars.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|milstars|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016618; rev:1;) 20 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain vatdex.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|vatdex|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016619; rev:1;) 21 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insightpublicaffairs.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|insightpublicaffairs|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016620; rev:1;) 22 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain applesea.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|applesea|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; 
sid:2016621; rev:1;) 23 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledmg.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledmg|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016622; rev:1;) 24 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appleintouch.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|appleintouch|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016623; rev:1;) 25 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain seyuieyahooapis.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|seyuieyahooapis|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016624; rev:1;) 26 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledns.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledns|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016625; rev:1;) 27 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain emailserverctr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|emailserverctr|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016626; rev:1;) 28 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dailynewsjustin.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dailynewsjustin|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016627; rev:1;) 29 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hi-tecsolutions.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|hi-tecsolutions|03|org|00|"; nocase; fast_pattern; distance:0; 
classtype:trojan-activity; sid:2016628; rev:1;) 30 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain slashdoc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|slashdoc|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016629; rev:1;) 31 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photosmagnum.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photosmagnum|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016630; rev:1;) 32 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain resume4jobs.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|resume4jobs|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016631; rev:1;) 33 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain searching-job.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|searching-job|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016632; rev:1;) 34 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain servagency.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|servagency|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016633; rev:1;) 35 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain gsasmartpay.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|gsasmartpay|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016634; rev:1;) 36 | alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain tech-att.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tech-att|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; 
sid:2016635; rev:1;) 37 | -------------------------------------------------------------------------------- /malware_analysis/Urausy/urausy_skypedat.yar: -------------------------------------------------------------------------------- 1 | 2 | rule urausy_skype_dat { 3 | meta: 4 | author = "AlienVault Labs" 5 | description = "Yara rule to match against memory of processes infected by Urausy skype.dat" 6 | strings: 7 | $a = "skype.dat" ascii wide 8 | $b = "skype.ini" ascii wide 9 | $win1 = "CreateWindow" 10 | $win2 = "YIWEFHIWQ" ascii wide 11 | $desk1 = "CreateDesktop" 12 | $desk2 = "MyDesktop" ascii wide 13 | condition: 14 | $a and $b and (all of ($win*) or all of ($desk*)) 15 | } 16 | 17 | -------------------------------------------------------------------------------- /malware_rulesets/yara/avdetect.yar: -------------------------------------------------------------------------------- 1 | 2 | rule avdetect_procs : avdetect 3 | { 4 | meta: 5 | author = "AlienVault Labs" 6 | type = "info" 7 | severity = 1 8 | description = "Antivirus detection tricks" 9 | 10 | strings: 11 | $proc2 = "LMon.exe" ascii wide 12 | $proc3 = "sagui.exe" ascii wide 13 | $proc4 = "RDTask.exe" ascii wide 14 | $proc5 = "kpf4gui.exe" ascii wide 15 | $proc6 = "ALsvc.exe" ascii wide 16 | $proc7 = "pxagent.exe" ascii wide 17 | $proc8 = "fsma32.exe" ascii wide 18 | $proc9 = "licwiz.exe" ascii wide 19 | $proc10 = "SavService.exe" ascii wide 20 | $proc11 = "prevxcsi.exe" ascii wide 21 | $proc12 = "alertwall.exe" ascii wide 22 | $proc13 = "livehelp.exe" ascii wide 23 | $proc14 = "SAVAdminService.exe" ascii wide 24 | $proc15 = "csi-eui.exe" ascii wide 25 | $proc16 = "mpf.exe" ascii wide 26 | $proc17 = "lookout.exe" ascii wide 27 | $proc18 = "savprogress.exe" ascii wide 28 | $proc19 = "lpfw.exe" ascii wide 29 | $proc20 = "mpfcm.exe" ascii wide 30 | $proc21 = "emlproui.exe" ascii wide 31 | $proc22 = "savmain.exe" ascii wide 32 | $proc23 = "outpost.exe" ascii wide 33 | $proc24 = "fameh32.exe" ascii wide 34 
| $proc25 = "emlproxy.exe" ascii wide 35 | $proc26 = "savcleanup.exe" ascii wide 36 | $proc27 = "filemon.exe" ascii wide 37 | $proc28 = "AntiHook.exe" ascii wide 38 | $proc29 = "endtaskpro.exe" ascii wide 39 | $proc30 = "savcli.exe" ascii wide 40 | $proc31 = "procmon.exe" ascii wide 41 | $proc32 = "xfilter.exe" ascii wide 42 | $proc33 = "netguardlite.exe" ascii wide 43 | $proc34 = "backgroundscanclient.exe" ascii wide 44 | $proc35 = "Sniffer.exe" ascii wide 45 | $proc36 = "scfservice.exe" ascii wide 46 | $proc37 = "oasclnt.exe" ascii wide 47 | $proc38 = "sdcservice.exe" ascii wide 48 | $proc39 = "acs.exe" ascii wide 49 | $proc40 = "scfmanager.exe" ascii wide 50 | $proc41 = "omnitray.exe" ascii wide 51 | $proc42 = "sdcdevconx.exe" ascii wide 52 | $proc43 = "aupdrun.exe" ascii wide 53 | $proc44 = "spywaretermin" ascii wide 54 | $proc45 = "atorshield.exe" ascii wide 55 | $proc46 = "onlinent.exe" ascii wide 56 | $proc47 = "sdcdevconIA.exe" ascii wide 57 | $proc48 = "sppfw.exe" ascii wide 58 | $proc49 = "spywat~1.exe" ascii wide 59 | $proc50 = "opf.exe" ascii wide 60 | $proc51 = "sdcdevcon.exe" ascii wide 61 | $proc52 = "spfirewallsvc.exe" ascii wide 62 | $proc53 = "ssupdate.exe" ascii wide 63 | $proc54 = "pctavsvc.exe" ascii wide 64 | $proc55 = "configuresav.exe" ascii wide 65 | $proc56 = "fwsrv.exe" ascii wide 66 | $proc57 = "terminet.exe" ascii wide 67 | $proc58 = "pctav.exe" ascii wide 68 | $proc59 = "alupdate.exe" ascii wide 69 | $proc60 = "opfsvc.exe" ascii wide 70 | $proc61 = "tscutynt.exe" ascii wide 71 | $proc62 = "pcviper.exe" ascii wide 72 | $proc63 = "InstLsp.exe" ascii wide 73 | $proc64 = "uwcdsvr.exe" ascii wide 74 | $proc65 = "umxtray.exe" ascii wide 75 | $proc66 = "persfw.exe" ascii wide 76 | $proc67 = "CMain.exe" ascii wide 77 | $proc68 = "dfw.exe" ascii wide 78 | $proc69 = "updclient.exe" ascii wide 79 | $proc70 = "pgaccount.exe" ascii wide 80 | $proc71 = "CavAUD.exe" ascii wide 81 | $proc72 = "ipatrol.exe" ascii wide 82 | $proc73 = "webwall.exe" ascii 
wide 83 | $proc74 = "privatefirewall3.exe" ascii wide 84 | $proc75 = "CavEmSrv.exe" ascii wide 85 | $proc76 = "pcipprev.exe" ascii wide 86 | $proc77 = "winroute.exe" ascii wide 87 | $proc78 = "protect.exe" ascii wide 88 | $proc79 = "Cavmr.exe" ascii wide 89 | $proc80 = "prifw.exe" ascii wide 90 | $proc81 = "apvxdwin.exe" ascii wide 91 | $proc82 = "rtt_crc_service.exe" ascii wide 92 | $proc83 = "Cavvl.exe" ascii wide 93 | $proc84 = "tzpfw.exe" ascii wide 94 | $proc85 = "as3pf.exe" ascii wide 95 | $proc86 = "schedulerdaemon.exe" ascii wide 96 | $proc87 = "CavApp.exe" ascii wide 97 | $proc88 = "privatefirewall3.exe" ascii wide 98 | $proc89 = "avas.exe" ascii wide 99 | $proc90 = "sdtrayapp.exe" ascii wide 100 | $proc91 = "CavCons.exe" ascii wide 101 | $proc92 = "pfft.exe" ascii wide 102 | $proc93 = "avcom.exe" ascii wide 103 | $proc94 = "siteadv.exe" ascii wide 104 | $proc95 = "CavMud.exe" ascii wide 105 | $proc96 = "armorwall.exe" ascii wide 106 | $proc97 = "avkproxy.exe" ascii wide 107 | $proc98 = "sndsrvc.exe" ascii wide 108 | $proc99 = "CavUMAS.exe" ascii wide 109 | $proc100 = "app_firewall.exe" ascii wide 110 | $proc101 = "avkservice.exe" ascii wide 111 | $proc102 = "snsmcon.exe" ascii wide 112 | $proc103 = "UUpd.exe" ascii wide 113 | $proc104 = "blackd.exe" ascii wide 114 | $proc105 = "avktray.exe" ascii wide 115 | $proc106 = "snsupd.exe" ascii wide 116 | $proc107 = "cavasm.exe" ascii wide 117 | $proc108 = "blackice.exe" ascii wide 118 | $proc109 = "avkwctrl.exe" ascii wide 119 | $proc110 = "procguard.exe" ascii wide 120 | $proc111 = "CavSub.exe" ascii wide 121 | $proc112 = "umxagent.exe" ascii wide 122 | $proc113 = "avmgma.exe" ascii wide 123 | $proc114 = "DCSUserProt.exe" ascii wide 124 | $proc115 = "CavUserUpd.exe" ascii wide 125 | $proc116 = "kpf4ss.exe" ascii wide 126 | $proc117 = "avtask.exe" ascii wide 127 | $proc118 = "avkwctl.exe" ascii wide 128 | $proc119 = "CavQ.exe" ascii wide 129 | $proc120 = "tppfdmn.exe" ascii wide 130 | $proc121 = "aws.exe" ascii 
wide 131 | $proc122 = "firewall.exe" ascii wide 132 | $proc123 = "Cavoar.exe" ascii wide 133 | $proc124 = "blinksvc.exe" ascii wide 134 | $proc125 = "bgctl.exe" ascii wide 135 | $proc126 = "THGuard.exe" ascii wide 136 | $proc127 = "CEmRep.exe" ascii wide 137 | $proc128 = "sp_rsser.exe" ascii wide 138 | $proc129 = "bgnt.exe" ascii wide 139 | $proc130 = "spybotsd.exe" ascii wide 140 | $proc131 = "OnAccessInstaller.exe" ascii wide 141 | $proc132 = "op_mon.exe" ascii wide 142 | $proc133 = "bootsafe.exe" ascii wide 143 | $proc134 = "xauth_service.exe" ascii wide 144 | $proc135 = "SoftAct.exe" ascii wide 145 | $proc136 = "cmdagent.exe" ascii wide 146 | $proc137 = "bullguard.exe" ascii wide 147 | $proc138 = "xfilter.exe" ascii wide 148 | $proc139 = "CavSn.exe" ascii wide 149 | $proc140 = "VCATCH.EXE" ascii wide 150 | $proc141 = "cdas2.exe" ascii wide 151 | $proc142 = "zlh.exe" ascii wide 152 | $proc143 = "Packetizer.exe" ascii wide 153 | $proc144 = "SpyHunter3.exe" ascii wide 154 | $proc145 = "cmgrdian.exe" ascii wide 155 | $proc146 = "adoronsfirewall.exe" ascii wide 156 | $proc147 = "Packetyzer.exe" ascii wide 157 | $proc148 = "wwasher.exe" ascii wide 158 | $proc149 = "configmgr.exe" ascii wide 159 | $proc150 = "scfservice.exe" ascii wide 160 | $proc151 = "zanda.exe" ascii wide 161 | $proc152 = "authfw.exe" ascii wide 162 | $proc153 = "cpd.exe" ascii wide 163 | $proc154 = "scfmanager.exe" ascii wide 164 | $proc155 = "zerospywarele.exe" ascii wide 165 | $proc156 = "dvpapi.exe" ascii wide 166 | $proc157 = "espwatch.exe" ascii wide 167 | $proc158 = "dltray.exe" ascii wide 168 | $proc159 = "zerospywarelite_installer.exe" ascii wide 169 | $proc160 = "clamd.exe" ascii wide 170 | $proc161 = "fgui.exe" ascii wide 171 | $proc162 = "dlservice.exe" ascii wide 172 | $proc163 = "Wireshark.exe" ascii wide 173 | $proc164 = "sab_wab.exe" ascii wide 174 | $proc165 = "filedeleter.exe" ascii wide 175 | $proc166 = "ashwebsv.exe" ascii wide 176 | $proc167 = "tshark.exe" ascii wide 177 | 
$proc168 = "SUPERAntiSpyware.exe" ascii wide 178 | $proc169 = "firewall.exe" ascii wide 179 | $proc170 = "ashdisp.exe" ascii wide 180 | $proc171 = "rawshark.exe" ascii wide 181 | $proc172 = "vdtask.exe" ascii wide 182 | $proc173 = "firewall2004.exe" ascii wide 183 | $proc174 = "ashmaisv.exe" ascii wide 184 | $proc175 = "Ethereal.exe" ascii wide 185 | $proc176 = "asr.exe" ascii wide 186 | $proc177 = "firewallgui.exe" ascii wide 187 | $proc178 = "ashserv.exe" ascii wide 188 | $proc179 = "Tethereal.exe" ascii wide 189 | $proc180 = "NetguardLite.exe" ascii wide 190 | $proc181 = "gateway.exe" ascii wide 191 | $proc182 = "aswupdsv.exe" ascii wide 192 | $proc183 = "Windump.exe" ascii wide 193 | $proc184 = "nstzerospywarelite.exe" ascii wide 194 | $proc185 = "hpf_.exe" ascii wide 195 | $proc186 = "avastui.exe" ascii wide 196 | $proc187 = "Tcpdump.exe" ascii wide 197 | $proc188 = "cdinstx.exe" ascii wide 198 | $proc189 = "iface.exe" ascii wide 199 | $proc190 = "avastsvc.exe" ascii wide 200 | $proc191 = "Netcap.exe" ascii wide 201 | $proc192 = "cdas17.exe" ascii wide 202 | $proc193 = "invent.exe" ascii wide 203 | $proc194 = "Netmon.exe" ascii wide 204 | $proc195 = "fsrt.exe" ascii wide 205 | $proc196 = "ipcserver.exe" ascii wide 206 | $proc197 = "CV.exe" ascii wide 207 | $proc198 = "VSDesktop.exe" ascii wide 208 | $proc199 = "ipctray.exe" ascii wide 209 | condition: 210 | 3 of them 211 | } 212 | 213 | -------------------------------------------------------------------------------- /malware_rulesets/yara/dbgdetect.yar: -------------------------------------------------------------------------------- 1 | 2 | rule dbgdetect_funcs : dbgdetect 3 | { 4 | meta: 5 | author = "AlienVault Labs" 6 | type = "info" 7 | severity = 1 8 | description = "Debugger detection tricks" 9 | 10 | strings: 11 | $func1 = "IsDebuggerPresent" 12 | $func2 = "OutputDebugString" 13 | $func3 = "ZwQuerySystemInformation" 14 | $func4 = "ZwQueryInformationProcess" 15 | $func5 = "IsDebugged" 16 | $func6 = 
"NtGlobalFlags" 17 | $func7 = "CheckRemoteDebuggerPresent" 18 | $func8 = "SetInformationThread" 19 | $func9 = "DebugActiveProcess" 20 | 21 | condition: 22 | 2 of them 23 | } 24 | 25 | rule dbgdetect_procs : dbgdetect 26 | { 27 | meta: 28 | author = "AlienVault Labs" 29 | type = "info" 30 | severity = 1 31 | description = "Debugger detection tricks" 32 | 33 | strings: 34 | $proc1 = "wireshark" nocase ascii wide 35 | $proc2 = "filemon" nocase ascii wide 36 | $proc3 = "procexp" nocase ascii wide 37 | $proc4 = "procmon" nocase ascii wide 38 | $proc5 = "regmon" nocase ascii wide 39 | $proc6 = "idag" nocase ascii wide 40 | $proc7 = "immunitydebugger" nocase ascii wide 41 | $proc8 = "ollydbg" nocase ascii wide 42 | $proc9 = "petools" nocase ascii wide 43 | 44 | condition: 45 | 2 of them 46 | } 47 | 48 | rule dbgdetect_files : dbgdetect 49 | { 50 | meta: 51 | author = "AlienVault Labs" 52 | type = "info" 53 | severity = 1 54 | description = "Debugger detection tricks" 55 | strings: 56 | $file1 = "syserdbgmsg" nocase ascii wide 57 | $file2 = "syserboot" nocase ascii wide 58 | $file3 = "SICE" nocase ascii wide 59 | $file4 = "NTICE" nocase ascii wide 60 | condition: 61 | 2 of them 62 | } 63 | 64 | -------------------------------------------------------------------------------- /malware_rulesets/yara/index.yar: -------------------------------------------------------------------------------- 1 | 2 | // This just includes all files 3 | 4 | // Anti analysis rulesets 5 | include "avdetect.yar" 6 | include "dbgdetect.yar" 7 | include "sandboxdetect.yar" 8 | include "vmdetect.yar" 9 | 10 | -------------------------------------------------------------------------------- /malware_rulesets/yara/sandboxdetect.yar: -------------------------------------------------------------------------------- 1 | 2 | rule sandboxdetect_misc : sandboxdetect 3 | { 4 | meta: 5 | author = "AlienVault Labs" 6 | type = "info" 7 | severity = 1 8 | description = "Sandbox detection tricks" 9 | 10 | strings: 11 
| $sbxie1 = "sbiedll" nocase ascii wide 12 | 13 | // CWSandbox 14 | $prodid1 = "55274-640-2673064-23950" ascii wide 15 | $prodid2 = "76487-644-3177037-23510" ascii wide 16 | $prodid3 = "76487-337-8429955-22614" ascii wide 17 | 18 | $proc1 = "joeboxserver" ascii wide 19 | $proc2 = "joeboxcontrol" ascii wide 20 | condition: 21 | any of them 22 | } 23 | 24 | -------------------------------------------------------------------------------- /malware_rulesets/yara/vmdetect.yar: -------------------------------------------------------------------------------- 1 | 2 | rule vmdetect_misc : vmdetect 3 | { 4 | meta: 5 | author = "AlienVault Labs" 6 | type = "info" 7 | severity = 1 8 | description = "Virtual Machine detection tricks" 9 | 10 | strings: 11 | $vbox1 = "VBoxService" nocase ascii wide 12 | $vbox2 = "VBoxTray" nocase ascii wide 13 | $vbox3 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase ascii wide 14 | $vbox4 = "SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions" nocase ascii wide 15 | 16 | $wine1 = "wine_get_unix_file_name" ascii wide 17 | 18 | $vmware1 = "vmmouse.sys" ascii wide 19 | $vmware2 = "VMware Virtual IDE Hard Drive" ascii wide 20 | 21 | $miscvm1 = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum" nocase ascii wide 22 | $miscvm2 = "SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum" nocase ascii wide 23 | 24 | // Drivers 25 | $vmdrv1 = "hgfs.sys" ascii wide 26 | $vmdrv2 = "vmhgfs.sys" ascii wide 27 | $vmdrv3 = "prleth.sys" ascii wide 28 | $vmdrv4 = "prlfs.sys" ascii wide 29 | $vmdrv5 = "prlmouse.sys" ascii wide 30 | $vmdrv6 = "prlvideo.sys" ascii wide 31 | $vmdrv7 = "prl_pv32.sys" ascii wide 32 | $vmdrv8 = "vpc-s3.sys" ascii wide 33 | $vmdrv9 = "vmsrvc.sys" ascii wide 34 | $vmdrv10 = "vmx86.sys" ascii wide 35 | $vmdrv11 = "vmnet.sys" ascii wide 36 | 37 | // SYSTEM\ControlSet001\Services 38 | $vmsrvc1 = "vmicheartbeat" ascii wide 39 | $vmsrvc2 = "vmicvss" ascii wide 40 | $vmsrvc3 = "vmicshutdown" ascii wide 41 | $vmsrvc4 = "vmicexchange" ascii wide 42 | 
$vmsrvc5 = "vmci" ascii wide 43 | $vmsrvc6 = "vmdebug" ascii wide 44 | $vmsrvc7 = "vmmouse" ascii wide 45 | $vmsrvc8 = "VMTools" ascii wide 46 | $vmsrvc9 = "VMMEMCTL" ascii wide 47 | $vmsrvc10 = "vmware" ascii wide 48 | $vmsrvc11 = "vmx86" ascii wide 49 | $vmsrvc12 = "vpcbus" ascii wide 50 | $vmsrvc13 = "vpc-s3" ascii wide 51 | $vmsrvc14 = "vpcuhub" ascii wide 52 | $vmsrvc15 = "msvmmouf" ascii wide 53 | $vmsrvc16 = "VBoxMouse" ascii wide 54 | $vmsrvc17 = "VBoxGuest" ascii wide 55 | $vmsrvc18 = "VBoxSF" ascii wide 56 | $vmsrvc19 = "xenevtchn" ascii wide 57 | $vmsrvc20 = "xennet" ascii wide 58 | $vmsrvc21 = "xennet6" ascii wide 59 | $vmsrvc22 = "xensvc" ascii wide 60 | $vmsrvc23 = "xenvdb" ascii wide 61 | 62 | // Processes 63 | $miscproc1 = "vmware2" ascii wide 64 | $miscproc2 = "vmount2" ascii wide 65 | $miscproc3 = "vmusrvc" ascii wide 66 | $miscproc4 = "vmsrvc" ascii wide 67 | $miscproc5 = "vboxservice" ascii wide 68 | $miscproc6 = "vboxtray" ascii wide 69 | $miscproc7 = "xenservice" ascii wide 70 | 71 | $vmware_mac_1a = "00-05-69" 72 | $vmware_mac_1b = "00:05:69" 73 | $vmware_mac_2a = "00-50-56" 74 | $vmware_mac_2b = "00:50:56" 75 | $vmware_mac_3a = "00-0C-29" 76 | $vmware_mac_3b = "00:0C:29" 77 | $vmware_mac_4a = "00-1C-14" 78 | $vmware_mac_4b = "00:1C:14" 79 | $virtualbox_mac_1a = "08-00-27" 80 | $virtualbox_mac_1b = "08:00:27" 81 | 82 | condition: 83 | 2 of them 84 | } 85 | 86 | -------------------------------------------------------------------------------- /peid2yar/README.md: -------------------------------------------------------------------------------- 1 | # PEiD 2 Yar 2 | 3 | Tiny script to convert PEiD signatures file to Yara rules file. 
4 | 5 | # Usage 6 | 7 | $ ./peid2yar.py dbs/userdb.txt outputs/panda\_userdb.txt 8 | 9 | $ yara -m outputs/panda\_userdb.txt /tmp/borland.exe 10 | 11 | \_BobSoft\_Mini\_Delphi\_\_BoB\_\_BobSoft\_ [description="BobSoft Mini Delphi -> BoB / BobSoft"] /tmp/borland.exe 12 | -------------------------------------------------------------------------------- /peid2yar/aux/pefile_test_sigs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # pefile signatures file loader 4 | # AlienVault Labs - https://github.com/jaimeblasco/AlienvaultLabs 5 | # 6 | # Licensed under GNU/GPLv3 7 | # aortega@alienvault.com 8 | 9 | import peutils 10 | import sys 11 | import re 12 | import os 13 | 14 | if len(sys.argv) != 2: 15 | print "pefile signatures file loader Help - AlienVault Labs" 16 | print "Usage: %s userdb.txt" % (sys.argv[0]) 17 | sys.exit() 18 | 19 | peid_file = sys.argv[1] 20 | 21 | if not os.path.exists(peid_file): 22 | print "Error, %s doesn't exist." % (peid_file) 23 | sys.exit() 24 | 25 | peutils.SignatureDatabase(sys.argv[1]) 26 | 27 | print "OK" 28 | -------------------------------------------------------------------------------- /peid2yar/aux/peid_sigs_sanitizer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # PEiD signatures sanitizer 4 | # AlienVault Labs - https://github.com/jaimeblasco/AlienvaultLabs 5 | # 6 | # Licensed under GNU/GPLv3 7 | # aortega@alienvault.com 8 | 9 | import sys 10 | import re 11 | import os 12 | 13 | if len(sys.argv) != 3: 14 | print "PEiD signatures sanitizer Help - AlienVault Labs" 15 | print "Usage: %s userdb.txt output.txt" % (sys.argv[0]) 16 | sys.exit() 17 | 18 | peid_file = sys.argv[1] 19 | output_file = sys.argv[2] 20 | 21 | if not os.path.exists(peid_file): 22 | print "Error, %s doesn't exist." 
% (peid_file) 23 | sys.exit() 24 | 25 | peid_rules = [] 26 | 27 | f = open(peid_file, "r") 28 | data = f.read() 29 | f.close() 30 | 31 | m1 = re.compile("^\[(?P<signame>.+)\].*$") 32 | m2 = re.compile("^signature = (?P<signature>.+)$") 33 | m3 = re.compile("^ep_only = (?P<ep>true|false).*$") 34 | m4 = re.compile("^([\dABCDEF]{2} ?|\?\? ?)+$") # Signature bytes validator for PEiD 35 | 36 | count = 0 37 | for i in data.split("\n"): 38 | ln = i.rstrip() 39 | count += 1 40 | m = m1.match(ln) 41 | if m: 42 | signame = m.group("signame") 43 | skip = True 44 | continue 45 | m = m2.match(ln) 46 | if m: 47 | signature = m.group("signature") 48 | m = m4.match(signature) 49 | if not m: 50 | print "Signature [%s] malformed at line %s, skipping" % (signame, count) 51 | continue 52 | skip = False 53 | continue 54 | m = m3.match(ln) 55 | if m and skip != True: 56 | ep = m.group("ep") 57 | peid_rules.append({"name": signame, "signature": signature, "ep": ep}) 58 | 59 | f = open(output_file, "w") 60 | f.write("; %s signatures added\n\n" % (len(peid_rules))) 61 | for s in peid_rules: 62 | f.write("[%s]\n" % (s["name"])) 63 | f.write("signature = %s\n" % (s["signature"])) 64 | f.write("ep_only = %s\n\n" % (s["ep"])) 65 | f.close() 66 | 67 | -------------------------------------------------------------------------------- /peid2yar/dbs/UserDB.TXT: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaimeblasco/AlienvaultLabs/7613be50c50693d785017ce037879bd3eeacb9b2/peid2yar/dbs/UserDB.TXT -------------------------------------------------------------------------------- /peid2yar/dbs/epcompilersigs.peid: -------------------------------------------------------------------------------- 1 | ; 2 | ; Entry Point compilers signatures 3 | ; 87 signatures in list 4 | ; 5 | 6 | [Borland Pascal v7.0 for Windows] 7 | signature = A1 C1 A3 83 75 57 51 33 C0 8 | ep_only = true 9 | 10 | [Borland C++ for Win32 1994] 11 | signature = A1 C1 A3 57 51 33 C0 BF B9 3B CF 
12 | ep_only = true 13 | 14 | [Borland C++ for Win32 1995] 15 | signature = A1 C1 A3 83 75 80 16 | ep_only = true 17 | 18 | [Borland C++ for Win32 1995] 19 | signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 A1 C1 E0 02 A3 20 | ep_only = true 21 | 22 | [Borland C++ for Win32 1999] 23 | signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 24 | ep_only = true 25 | 26 | [Borland C++ for Win32 1999] 27 | signature = A1 C1 E0 02 A3 57 51 33 C0 BF B9 3B CF 76 05 2B CF FC F3 AA 59 28 | ep_only = true 29 | 30 | [Borland C++] 31 | signature = A1 C1 E0 02 32 | ep_only = true 33 | 34 | [Borland C++ DLL] 35 | signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 36 | ep_only = true 37 | 38 | [Borland C++ DLL] 39 | signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 A1 C1 E0 02 A3 40 | ep_only = true 41 | 42 | [Borland C++ DLL] 43 | signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 A1 C1 E0 02 A3 44 | ep_only = true 45 | 46 | [Borland C++ DLL] 47 | signature = C3 E9 FF 8D 48 | ep_only = true 49 | 50 | [Borland Delphi vx.x (Component)] 51 | signature = 55 8B EC 83 C4 B4 B8 E8 E8 8D 52 | ep_only = true 53 | 54 | [Borland Delphi DLL] 55 | signature = 55 8B EC 83 56 | ep_only = true 57 | 58 | [Borland Delphi v6.0 - v7.0] 59 | signature = E8 6A E8 89 05 E8 89 05 C7 05 0A B8 60 | ep_only = true 61 | 62 | [Borland Delphi v2.0] 63 | signature = 50 6A E8 FF FF BA 52 89 05 89 42 04 E8 5A 58 E8 C3 55 8B EC 33 64 | ep_only = true 65 | 66 | [Borland Delphi v3.0] 67 | signature = 55 8B EC 83 68 | ep_only = true 69 | 70 | [Borland Delphi v3.0] 71 | signature = 50 6A E8 FF FF BA 52 89 05 89 42 04 C7 42 08 C7 42 0C E8 5A 58 E8 72 | ep_only = true 73 | 74 | [Borland Delphi v4.0 - v5.0] 75 | signature = 55 8B EC 83 76 | ep_only = true 77 | 78 | [Borland Delphi v4.0 - v5.0] 79 | signature = 50 6A ?? E8 FF FF BA 52 89 05 89 42 04 C7 42 08 ?? ?? ?? ?? C7 42 0C ?? ?? ?? ?? 
E8 5A 58 E8 80 | ep_only = true 81 | 82 | [Borland Delphi v4.0 - v5.0] 83 | signature = BA 83 7D 0C 01 75 50 52 C6 05 8B 4D 08 89 0D 89 4A 84 | ep_only = true 85 | 86 | [Borland Delphi v6.0 - v7.0] 87 | signature = 53 8B D8 33 C0 A3 ?? 6A ?? E8 ?? FF A3 ?? A1 ?? A3 ?? 33 C0 A3 ?? 33 C0 A3 ?? 88 | ep_only = true 89 | 90 | [Borland Delphi v6.0 - v7.0] 91 | signature = 55 8B EC B9 6A ?? 6A ?? 92 | ep_only = true 93 | 94 | [Borland Delphi v6.0 - v7.0] 95 | signature = 55 8B EC 83 C4 F0 B8 E8 FB FF A1 8B E8 FF FF 8B 0D A1 8B ?? 8B 15 E8 FF FF A1 8B E8 FF 96 | ep_only = true 97 | 98 | [Borland Delphi v6.0 - v7.0] 99 | signature = 55 8B EC 100 | ep_only = true 101 | 102 | [Borland Delphi v5.0 KOL/MCK] 103 | signature = 55 8B EC 83 C4 F0 B8 40 ?? E8 FF FF E8 FF FF E8 FF FF 8B 104 | ep_only = true 105 | 106 | [Borland Delphi v5.0 KOL] 107 | signature = 53 8B D8 33 C0 A3 6A ?? E8 FF A3 A1 A3 33 C0 A3 33 C0 A3 108 | ep_only = true 109 | 110 | [Borland Delphi v6.0] 111 | signature = 55 8B EC 83 C4 F0 B8 45 ?? E8 FF A1 45 ?? 8B ?? E8 FF FF 8B 112 | ep_only = true 113 | 114 | [Borland Delphi v6.0] 115 | signature = 55 8B EC 83 C4 F0 B8 40 ?? E8 FF FF A1 72 40 ?? 33 D2 E8 FF FF A1 72 40 ?? 8B ?? 83 C0 14 E8 FF FF E8 FF 116 | ep_only = true 117 | 118 | [Borland Delphi v6.0 KOL] 119 | signature = 55 8B EC 83 C4 53 56 57 33 C0 89 45 F0 89 45 D4 89 45 D0 120 | ep_only = true 121 | 122 | [Borland Delphi Setup Module] 123 | signature = 55 8B EC 83 C4 124 | ep_only = true 125 | 126 | [Borland Delphi] 127 | signature = C3 E9 FF 8D 128 | ep_only = true 129 | 130 | [Borland Delphi (Component)] 131 | signature = 55 89 E5 83 EC 04 83 132 | ep_only = true 133 | 134 | [Cygwin32] 135 | signature = 6A FF 15 136 | ep_only = true 137 | 138 | [FASM v1.3x] 139 | signature = E8 ?? 6E ?? ?? 
55 89 E5 8B 7D 0C 8B 75 08 89 F8 8B 5D 10 140 | ep_only = true 141 | 142 | [Free Pascal v0.99.10] 143 | signature = 64 A1 55 89 E5 6A FF 68 68 9A 10 40 144 | ep_only = true 145 | 146 | [LCC Win32 v1.x] 147 | signature = 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 FF 75 10 FF 75 0C FF 75 08 148 | ep_only = true 149 | 150 | [LCC Win32 DLL] 151 | signature = 8B 44 24 08 56 83 E8 74 48 152 | ep_only = true 153 | 154 | [Microsoft Visual C++] 155 | signature = 8B 44 24 08 83 156 | ep_only = true 157 | 158 | [Microsoft Visual C++] 159 | signature = 53 56 57 BB 8B 55 3B FB 160 | ep_only = true 161 | 162 | [Microsoft Visual C v2.0] 163 | signature = 55 8B EC 56 57 BF 8B 3B F7 164 | ep_only = true 165 | 166 | [Microsoft Visual C++ vx.x] 167 | signature = 53 55 56 8B 85 F6 57 B8 75 8B 85 C9 75 33 C0 5F 5E 5D 5B 168 | ep_only = true 169 | 170 | [Microsoft Visual C++ vx.x] 171 | signature = 64 A1 ?? ?? ?? ?? 55 8B EC 6A FF 68 68 50 64 89 25 ?? ?? ?? ?? 83 EC 53 56 172 | ep_only = true 173 | 174 | [Microsoft Visual C++ v4.x] 175 | signature = 64 A1 ?? ?? ?? ?? 55 8B EC 6A FF 68 68 50 64 83 53 56 57 89 176 | ep_only = true 177 | 178 | [Microsoft Visual C++ v4.2] 179 | signature = 64 A1 ?? ?? ?? ?? 55 8B EC 6A FF 68 68 50 64 83 53 56 57 89 180 | ep_only = true 181 | 182 | [Microsoft Visual C++ v4.2] 183 | signature = 53 B8 8B 56 57 85 DB 55 184 | ep_only = true 185 | 186 | [Microsoft Visual C++ v4.2 DLL] 187 | signature = 55 8B EC 6A FF 68 68 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 53 56 188 | ep_only = true 189 | 190 | [Microsoft Visual C++ v5.0] 191 | signature = 24 ?? 8B 24 192 | ep_only = true 193 | 194 | [Microsoft Visual C++ v5.0 DLL] 195 | signature = 55 8B EC 6A FF 68 68 64 A1 ?? ?? ?? ?? 196 | ep_only = true 197 | 198 | [Microsoft Visual C++ v5.0/v6.0 (MFC)] 199 | signature = 55 8B EC ?? 
200 | ep_only = true 201 | 202 | [Microsoft Visual C++ vx.x] 203 | signature = 55 8B EC 83 EC 44 56 FF 15 8B F0 8A 3C 204 | ep_only = true 205 | 206 | [Microsoft Visual C++ v6.0 SPx] 207 | signature = 55 8B EC 83 EC 44 56 FF 15 6A 01 8B F0 FF 208 | ep_only = true 209 | 210 | [Microsoft Visual C++ v6.0 SPx] 211 | signature = 55 8B EC 6A FF 68 68 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 53 56 212 | ep_only = true 213 | 214 | [Microsoft Visual C++ v6.0] 215 | signature = 51 216 | ep_only = true 217 | 218 | [Microsoft Visual C++ v6.0 DLL] 219 | signature = 83 7C 24 08 01 75 09 8B 44 24 04 A3 ?? 10 E8 8B FF FF 220 | ep_only = true 221 | 222 | [Microsoft Visual C++ v6.0 DLL] 223 | signature = 55 8B EC 83 EC 50 53 56 57 BE 8D 7D F4 A5 A5 66 A5 224 | ep_only = true 225 | 226 | [Microsoft Visual C++ v6.0] 227 | signature = 55 8D 6C 81 EC 8B 45 83 F8 01 56 0F 84 85 C0 0F 228 | ep_only = true 229 | 230 | [Microsoft Visual C++ v6.0 DLL] 231 | signature = 55 8B EC 53 8B 5D 08 56 8B 75 232 | ep_only = true 233 | 234 | [Microsoft Visual C++ v6.0 DLL] 235 | signature = 0D ?? 236 | ep_only = true 237 | 238 | [Microsoft Visual C++ v6.0] 239 | signature = 55 8B EC 51 240 | ep_only = true 241 | 242 | [Microsoft Visual C++ v6.0 (Debug Version)] 243 | signature = 6A 68 E8 BF 8B C7 E8 89 65 8B F4 89 3E 56 FF 15 8B 4E 89 0D 8B 46 244 | ep_only = true 245 | 246 | [Microsoft Visual C++ v7.0] 247 | signature = 6A 68 248 | ep_only = true 249 | 250 | [Microsoft Visual C++ v7.0] 251 | signature = 55 8D 6C 81 EC 8B 45 83 F8 01 56 0F 84 85 C0 0F 252 | ep_only = true 253 | 254 | [Microsoft Visual C++ v7.0 DLL] 255 | signature = 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 256 | ep_only = true 257 | 258 | [Microsoft Visual C++ v7.0 DLL] 259 | signature = FF 25 ?? 
260 | ep_only = true 261 | 262 | [Microsoft Visual C# v7.0 / Basic .NET] 263 | signature = 53 55 56 8B 74 24 14 85 F6 57 B8 264 | ep_only = true 265 | 266 | [Microsoft Visual C++ DLL] 267 | signature = 53 56 57 BB 01 8B 24 268 | ep_only = true 269 | 270 | [Microsoft Visual C++ DLL] 271 | signature = 53 B8 01 ?? ?? ?? 8B 5C 24 0C 56 57 85 DB 55 75 12 83 3D 75 09 33 272 | ep_only = true 273 | 274 | [Microsoft Visual C++ DLL] 275 | signature = 55 8B EC 56 57 BF 01 ?? ?? ?? 8B 75 276 | ep_only = true 277 | 278 | [Microsoft Visual C++ DLL] 279 | signature = 55 8B EC 6A FF 68 68 64 A1 ?? ?? ?? ?? 50 64 89 280 | ep_only = true 281 | 282 | [Microsoft Visual C++] 283 | signature = FF FF FF ?? ?? ?? ?? ?? ?? 30 ?? ?? ?? 284 | ep_only = true 285 | 286 | [Microsoft Visual Basic v5.0] 287 | signature = 68 288 | ep_only = true 289 | 290 | [Microsoft Visual Basic v5.0 / v6.0] 291 | signature = 5A 68 68 52 E9 292 | ep_only = true 293 | 294 | [Microsoft Visual Basic v6.0 DLL] 295 | signature = 55 89 E5 E8 C9 C3 45 58 296 | ep_only = true 297 | 298 | [MinGW GCC v2.x] 299 | signature = 55 89 E5 FF 300 | ep_only = true 301 | 302 | [MinGW GCC v2.x] 303 | signature = 55 89 E5 E8 C9 C3 45 58 304 | ep_only = true 305 | 306 | [MinGW GCC v2.x] 307 | signature = 55 89 308 | ep_only = true 309 | 310 | [MinGW GCC DLL v2xx] 311 | signature = 55 89 E5 83 EC 18 89 75 FC 8B 75 0C 89 5D F8 83 FE 01 74 5C 89 74 24 04 8B 55 10 89 54 24 08 8B 55 08 89 14 24 E8 96 01 ?? ?? 83 EC 0C 83 FE 01 89 C3 74 2C 85 F6 75 0C 8B 0D ?? 30 ?? 10 85 312 | ep_only = true 313 | 314 | [MinGW v3.2.x (Dll_main)] 315 | signature = 55 89 E5 83 EC 18 89 75 FC 8B 75 0C 89 5D F8 83 FE 01 74 5C 89 74 24 04 8B 55 10 89 54 24 08 8B 55 08 89 14 24 E8 76 01 ?? ?? 83 EC 0C 83 FE 01 89 C3 74 2C 85 F6 75 0C 8B 0D ?? 30 ?? 10 85 316 | ep_only = true 317 | 318 | [MinGW v3.2.x (Dll_WinMain)] 319 | signature = 55 89 E5 83 EC 08 C7 04 24 01 ?? ?? ?? FF 15 E4 40 40 ?? E8 68 ?? ?? ?? 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 ?? 
?? ?? FF 15 E4 40 40 ?? E8 48 ?? ?? ?? 89 EC 31 C0 5D C3 89 320 | ep_only = true 321 | 322 | [MinGW v3.2.x (main)] 323 | signature = 55 89 E5 83 EC 08 C7 04 24 01 ?? ?? ?? FF 15 FC 40 40 ?? E8 68 ?? ?? ?? 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 ?? ?? ?? FF 15 FC 40 40 ?? E8 48 ?? ?? ?? 89 EC 31 C0 5D C3 89 324 | ep_only = true 325 | 326 | [MinGW v3.2.x (WinMain)] 327 | signature = 55 89 E5 83 EC 08 6A ?? 6A ?? 6A ?? 6A ?? E8 0D ?? ?? ?? B8 ?? ?? ?? ?? C9 C3 90 90 90 90 90 90 FF 25 38 20 ?? 10 90 90 ?? ?? ?? ?? ?? ?? ?? ?? FF FF FF FF ?? ?? ?? ?? FF FF FF 328 | ep_only = true 329 | 330 | [MinGW v3.2.x (Dll_mainCRTStartup)] 331 | signature = 55 89 E5 83 EC 08 6A ?? 6A ?? 6A ?? 6A ?? E8 0D ?? ?? ?? B8 ?? ?? ?? ?? C9 C3 90 90 90 90 90 90 FF 25 38 20 40 ?? 90 90 ?? ?? ?? ?? ?? ?? ?? ?? FF FF FF FF ?? ?? ?? ?? FF FF FF 332 | ep_only = true 333 | 334 | [MinGW v3.2.x (_mainCRTStartup)] 335 | signature = E8 FF FF E8 FF 336 | ep_only = true 337 | 338 | [Stranik 1.3 Modula/C/Pascal] 339 | signature = E9 57 41 54 43 4F 4D 20 43 2F 43 2B 2B 33 32 20 52 75 6E 2D 340 | ep_only = true 341 | 342 | [WATCOM C/C++ 32 Run-Time System 1988-1995] 343 | signature = FB 83 89 E3 89 89 66 66 BB 29 C0 B4 30 CD 344 | ep_only = true 345 | 346 | [WATCOM C/C++ 32 Run-Time System 1988-1994] 347 | signature = E9 57 348 | ep_only = true 349 | 350 | [WATCOM C/C++] 351 | signature = 53 56 57 55 8B 74 24 14 8B 7C 24 18 8B 6C 24 1C 83 FF 03 0F 352 | ep_only = true 353 | 354 | -------------------------------------------------------------------------------- /peid2yar/dbs/userdb_exeinfope.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaimeblasco/AlienvaultLabs/7613be50c50693d785017ce037879bd3eeacb9b2/peid2yar/dbs/userdb_exeinfope.txt -------------------------------------------------------------------------------- /peid2yar/dbs/userdb_jclausing.txt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaimeblasco/AlienvaultLabs/7613be50c50693d785017ce037879bd3eeacb9b2/peid2yar/dbs/userdb_jclausing.txt -------------------------------------------------------------------------------- /peid2yar/dbs/userdb_panda.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaimeblasco/AlienvaultLabs/7613be50c50693d785017ce037879bd3eeacb9b2/peid2yar/dbs/userdb_panda.txt -------------------------------------------------------------------------------- /peid2yar/outputs/UserDB.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaimeblasco/AlienvaultLabs/7613be50c50693d785017ce037879bd3eeacb9b2/peid2yar/outputs/UserDB.yar -------------------------------------------------------------------------------- /peid2yar/outputs/epcompilersigs.yar: -------------------------------------------------------------------------------- 1 | rule _WATCOM_CCpp_32_RunTime_System_19881994_ 2 | { 3 | meta: 4 | description = "WATCOM C/C++ 32 Run-Time System 1988-1994" 5 | strings: 6 | $0 = {E9 57} 7 | condition: 8 | $0 at entrypoint 9 | } 10 | rule _Borland_Delphi_v60_ 11 | { 12 | meta: 13 | description = "Borland Delphi v6.0" 14 | strings: 15 | $0 = {55 8B EC 83 C4 F0 B8 45 ?? E8 FF A1 45 ?? 8B ?? E8 FF FF 8B} 16 | $1 = {55 8B EC 83 C4 F0 B8 40 ?? E8 FF FF A1 72 40 ?? 33 D2 E8 FF FF A1 72 40 ?? 8B ?? 83 C0 14 E8 FF FF E8 FF} 17 | condition: 18 | $0 at entrypoint or $1 at entrypoint 19 | } 20 | rule _Microsoft_Visual_Cpp_ 21 | { 22 | meta: 23 | description = "Microsoft Visual C++" 24 | strings: 25 | $0 = {8B 44 24 08 83} 26 | $1 = {53 56 57 BB 8B 55 3B FB} 27 | $2 = {FF FF FF ?? ?? ?? ?? ?? ?? 30 ?? ?? 
??} 28 | condition: 29 | $0 at entrypoint or $1 at entrypoint or $2 at entrypoint 30 | } 31 | rule _Cygwin32_ 32 | { 33 | meta: 34 | description = "Cygwin32" 35 | strings: 36 | $0 = {6A FF 15} 37 | condition: 38 | $0 at entrypoint 39 | } 40 | rule _Borland_Cpp_for_Win32_1995_ 41 | { 42 | meta: 43 | description = "Borland C++ for Win32 1995" 44 | strings: 45 | $0 = {A1 C1 A3 83 75 80} 46 | $1 = {EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 A1 C1 E0 02 A3} 47 | condition: 48 | $0 at entrypoint or $1 at entrypoint 49 | } 50 | rule _Microsoft_Visual_Cpp_v42_ 51 | { 52 | meta: 53 | description = "Microsoft Visual C++ v4.2" 54 | strings: 55 | $0 = {64 A1 ?? ?? ?? ?? 55 8B EC 6A FF 68 68 50 64 83 53 56 57 89} 56 | $1 = {53 B8 8B 56 57 85 DB 55} 57 | condition: 58 | $0 at entrypoint or $1 at entrypoint 59 | } 60 | rule _MinGW_v32x__mainCRTStartup_ 61 | { 62 | meta: 63 | description = "MinGW v3.2.x (_mainCRTStartup)" 64 | strings: 65 | $0 = {E8 FF FF E8 FF} 66 | condition: 67 | $0 at entrypoint 68 | } 69 | rule _Microsoft_Visual_Basic_v50_ 70 | { 71 | meta: 72 | description = "Microsoft Visual Basic v5.0" 73 | strings: 74 | $0 = {68} 75 | condition: 76 | $0 at entrypoint 77 | } 78 | rule _FASM_v13x_ 79 | { 80 | meta: 81 | description = "FASM v1.3x" 82 | strings: 83 | $0 = {E8 ?? 6E ?? ?? 
55 89 E5 8B 7D 0C 8B 75 08 89 F8 8B 5D 10} 84 | condition: 85 | $0 at entrypoint 86 | } 87 | rule _LCC_Win32_DLL_ 88 | { 89 | meta: 90 | description = "LCC Win32 DLL" 91 | strings: 92 | $0 = {8B 44 24 08 56 83 E8 74 48} 93 | condition: 94 | $0 at entrypoint 95 | } 96 | rule _Borland_Delphi_v60_KOL_ 97 | { 98 | meta: 99 | description = "Borland Delphi v6.0 KOL" 100 | strings: 101 | $0 = {55 8B EC 83 C4 53 56 57 33 C0 89 45 F0 89 45 D4 89 45 D0} 102 | condition: 103 | $0 at entrypoint 104 | } 105 | rule _LCC_Win32_v1x_ 106 | { 107 | meta: 108 | description = "LCC Win32 v1.x" 109 | strings: 110 | $0 = {55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 FF 75 10 FF 75 0C FF 75 08} 111 | condition: 112 | $0 at entrypoint 113 | } 114 | rule _Microsoft_Visual_Cpp_v60_SPx_ 115 | { 116 | meta: 117 | description = "Microsoft Visual C++ v6.0 SPx" 118 | strings: 119 | $0 = {55 8B EC 83 EC 44 56 FF 15 6A 01 8B F0 FF} 120 | $1 = {55 8B EC 6A FF 68 68 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 53 56} 121 | condition: 122 | $0 at entrypoint or $1 at entrypoint 123 | } 124 | rule _Microsoft_Visual_Cpp_v60_DLL_ 125 | { 126 | meta: 127 | description = "Microsoft Visual C++ v6.0 DLL" 128 | strings: 129 | $0 = {83 7C 24 08 01 75 09 8B 44 24 04 A3 ?? 
10 E8 8B FF FF} 130 | $1 = {55 8B EC 83 EC 50 53 56 57 BE 8D 7D F4 A5 A5 66 A5} 131 | $2 = {55 8B EC 53 8B 5D 08 56 8B 75} 132 | $3 = {0D ??} 133 | condition: 134 | $0 at entrypoint or $1 at entrypoint or $2 at entrypoint or $3 at entrypoint 135 | } 136 | rule _Free_Pascal_v09910_ 137 | { 138 | meta: 139 | description = "Free Pascal v0.99.10" 140 | strings: 141 | $0 = {64 A1 55 89 E5 6A FF 68 68 9A 10 40} 142 | condition: 143 | $0 at entrypoint 144 | } 145 | rule _Borland_Delphi_vxx_Component_ 146 | { 147 | meta: 148 | description = "Borland Delphi vx.x (Component)" 149 | strings: 150 | $0 = {55 8B EC 83 C4 B4 B8 E8 E8 8D} 151 | condition: 152 | $0 at entrypoint 153 | } 154 | rule _Microsoft_Visual_Cpp_v50v60_MFC_ 155 | { 156 | meta: 157 | description = "Microsoft Visual C++ v5.0/v6.0 (MFC)" 158 | strings: 159 | $0 = {55 8B EC ??} 160 | condition: 161 | $0 at entrypoint 162 | } 163 | rule _Microsoft_Visual_C_v70__Basic_NET_ 164 | { 165 | meta: 166 | description = "Microsoft Visual C# v7.0 / Basic .NET" 167 | strings: 168 | $0 = {53 55 56 8B 74 24 14 85 F6 57 B8} 169 | condition: 170 | $0 at entrypoint 171 | } 172 | rule _MinGW_GCC_DLL_v2xx_ 173 | { 174 | meta: 175 | description = "MinGW GCC DLL v2xx" 176 | strings: 177 | $0 = {55 89 E5 83 EC 18 89 75 FC 8B 75 0C 89 5D F8 83 FE 01 74 5C 89 74 24 04 8B 55 10 89 54 24 08 8B 55 08 89 14 24 E8 96 01 ?? ?? 83 EC 0C 83 FE 01 89 C3 74 2C 85 F6 75 0C 8B 0D ?? 30 ?? 10 85} 178 | condition: 179 | $0 at entrypoint 180 | } 181 | rule _Borland_Delphi_v60__v70_ 182 | { 183 | meta: 184 | description = "Borland Delphi v6.0 - v7.0" 185 | strings: 186 | $0 = {E8 6A E8 89 05 E8 89 05 C7 05 0A B8} 187 | $1 = {53 8B D8 33 C0 A3 ?? 6A ?? E8 ?? FF A3 ?? A1 ?? A3 ?? 33 C0 A3 ?? 33 C0 A3 ??} 188 | $2 = {55 8B EC B9 6A ?? 6A ??} 189 | $3 = {55 8B EC 83 C4 F0 B8 E8 FB FF A1 8B E8 FF FF 8B 0D A1 8B ?? 
8B 15 E8 FF FF A1 8B E8 FF} 190 | $4 = {55 8B EC} 191 | condition: 192 | $0 at entrypoint or $1 at entrypoint or $2 at entrypoint or $3 at entrypoint or $4 at entrypoint 193 | } 194 | rule _Borland_Delphi_Component_ 195 | { 196 | meta: 197 | description = "Borland Delphi (Component)" 198 | strings: 199 | $0 = {55 89 E5 83 EC 04 83} 200 | condition: 201 | $0 at entrypoint 202 | } 203 | rule _Borland_Delphi_v20_ 204 | { 205 | meta: 206 | description = "Borland Delphi v2.0" 207 | strings: 208 | $0 = {50 6A E8 FF FF BA 52 89 05 89 42 04 E8 5A 58 E8 C3 55 8B EC 33} 209 | condition: 210 | $0 at entrypoint 211 | } 212 | rule _Borland_Pascal_v70_for_Windows_ 213 | { 214 | meta: 215 | description = "Borland Pascal v7.0 for Windows" 216 | strings: 217 | $0 = {A1 C1 A3 83 75 57 51 33 C0} 218 | condition: 219 | $0 at entrypoint 220 | } 221 | rule _Borland_Delphi_v40__v50_ 222 | { 223 | meta: 224 | description = "Borland Delphi v4.0 - v5.0" 225 | strings: 226 | $0 = {55 8B EC 83} 227 | $1 = {50 6A ?? E8 FF FF BA 52 89 05 89 42 04 C7 42 08 ?? ?? ?? ?? C7 42 0C ?? ?? ?? ?? E8 5A 58 E8} 228 | $2 = {BA 83 7D 0C 01 75 50 52 C6 05 8B 4D 08 89 0D 89 4A} 229 | condition: 230 | $0 at entrypoint or $1 at entrypoint or $2 at entrypoint 231 | } 232 | rule _Borland_Delphi_v30_ 233 | { 234 | meta: 235 | description = "Borland Delphi v3.0" 236 | strings: 237 | $0 = {55 8B EC 83} 238 | $1 = {50 6A E8 FF FF BA 52 89 05 89 42 04 C7 42 08 C7 42 0C E8 5A 58 E8} 239 | condition: 240 | $0 at entrypoint or $1 at entrypoint 241 | } 242 | rule _MinGW_v32x_WinMain_ 243 | { 244 | meta: 245 | description = "MinGW v3.2.x (WinMain)" 246 | strings: 247 | $0 = {55 89 E5 83 EC 08 6A ?? 6A ?? 6A ?? 6A ?? E8 0D ?? ?? ?? B8 ?? ?? ?? ?? C9 C3 90 90 90 90 90 90 FF 25 38 20 ?? 10 90 90 ?? ?? ?? ?? ?? ?? ?? ?? FF FF FF FF ?? ?? ?? ?? 
FF FF FF} 248 | condition: 249 | $0 at entrypoint 250 | } 251 | rule _Borland_Delphi_Setup_Module_ 252 | { 253 | meta: 254 | description = "Borland Delphi Setup Module" 255 | strings: 256 | $0 = {55 8B EC 83 C4} 257 | condition: 258 | $0 at entrypoint 259 | } 260 | rule _Microsoft_Visual_Basic_v60_DLL_ 261 | { 262 | meta: 263 | description = "Microsoft Visual Basic v6.0 DLL" 264 | strings: 265 | $0 = {55 89 E5 E8 C9 C3 45 58} 266 | condition: 267 | $0 at entrypoint 268 | } 269 | rule _WATCOM_CCpp_ 270 | { 271 | meta: 272 | description = "WATCOM C/C++" 273 | strings: 274 | $0 = {53 56 57 55 8B 74 24 14 8B 7C 24 18 8B 6C 24 1C 83 FF 03 0F} 275 | condition: 276 | $0 at entrypoint 277 | } 278 | rule _MinGW_v32x_Dll_WinMain_ 279 | { 280 | meta: 281 | description = "MinGW v3.2.x (Dll_WinMain)" 282 | strings: 283 | $0 = {55 89 E5 83 EC 08 C7 04 24 01 ?? ?? ?? FF 15 E4 40 40 ?? E8 68 ?? ?? ?? 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 ?? ?? ?? FF 15 E4 40 40 ?? E8 48 ?? ?? ?? 89 EC 31 C0 5D C3 89} 284 | condition: 285 | $0 at entrypoint 286 | } 287 | rule _Borland_Delphi_v50_KOL_ 288 | { 289 | meta: 290 | description = "Borland Delphi v5.0 KOL" 291 | strings: 292 | $0 = {53 8B D8 33 C0 A3 6A ?? E8 FF A3 A1 A3 33 C0 A3 33 C0 A3} 293 | condition: 294 | $0 at entrypoint 295 | } 296 | rule _Microsoft_Visual_Cpp_DLL_ 297 | { 298 | meta: 299 | description = "Microsoft Visual C++ DLL" 300 | strings: 301 | $0 = {53 56 57 BB 01 8B 24} 302 | $1 = {53 B8 01 ?? ?? ?? 8B 5C 24 0C 56 57 85 DB 55 75 12 83 3D 75 09 33} 303 | $2 = {55 8B EC 56 57 BF 01 ?? ?? ?? 8B 75} 304 | $3 = {55 8B EC 6A FF 68 68 64 A1 ?? ?? ?? ?? 
50 64 89} 305 | condition: 306 | $0 at entrypoint or $1 at entrypoint or $2 at entrypoint or $3 at entrypoint 307 | } 308 | rule _Microsoft_Visual_C_v20_ 309 | { 310 | meta: 311 | description = "Microsoft Visual C v2.0" 312 | strings: 313 | $0 = {55 8B EC 56 57 BF 8B 3B F7} 314 | condition: 315 | $0 at entrypoint 316 | } 317 | rule _Microsoft_Visual_Cpp_v42_DLL_ 318 | { 319 | meta: 320 | description = "Microsoft Visual C++ v4.2 DLL" 321 | strings: 322 | $0 = {55 8B EC 6A FF 68 68 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 53 56} 323 | condition: 324 | $0 at entrypoint 325 | } 326 | rule _MinGW_v32x_Dll_main_ 327 | { 328 | meta: 329 | description = "MinGW v3.2.x (Dll_main)" 330 | strings: 331 | $0 = {55 89 E5 83 EC 18 89 75 FC 8B 75 0C 89 5D F8 83 FE 01 74 5C 89 74 24 04 8B 55 10 89 54 24 08 8B 55 08 89 14 24 E8 76 01 ?? ?? 83 EC 0C 83 FE 01 89 C3 74 2C 85 F6 75 0C 8B 0D ?? 30 ?? 10 85} 332 | condition: 333 | $0 at entrypoint 334 | } 335 | rule _Microsoft_Visual_Cpp_v70_ 336 | { 337 | meta: 338 | description = "Microsoft Visual C++ v7.0" 339 | strings: 340 | $0 = {6A 68} 341 | $1 = {55 8D 6C 81 EC 8B 45 83 F8 01 56 0F 84 85 C0 0F} 342 | condition: 343 | $0 at entrypoint or $1 at entrypoint 344 | } 345 | rule _WATCOM_CCpp_32_RunTime_System_19881995_ 346 | { 347 | meta: 348 | description = "WATCOM C/C++ 32 Run-Time System 1988-1995" 349 | strings: 350 | $0 = {FB 83 89 E3 89 89 66 66 BB 29 C0 B4 30 CD} 351 | condition: 352 | $0 at entrypoint 353 | } 354 | rule _Borland_Delphi_v50_KOLMCK_ 355 | { 356 | meta: 357 | description = "Borland Delphi v5.0 KOL/MCK" 358 | strings: 359 | $0 = {55 8B EC 83 C4 F0 B8 40 ?? E8 FF FF E8 FF FF E8 FF FF 8B} 360 | condition: 361 | $0 at entrypoint 362 | } 363 | rule _Microsoft_Visual_Cpp_vxx_ 364 | { 365 | meta: 366 | description = "Microsoft Visual C++ vx.x" 367 | strings: 368 | $0 = {53 55 56 8B 85 F6 57 B8 75 8B 85 C9 75 33 C0 5F 5E 5D 5B} 369 | $1 = {64 A1 ?? ?? ?? ?? 55 8B EC 6A FF 68 68 50 64 89 25 ?? ?? ?? ?? 
83 EC 53 56} 370 | $2 = {55 8B EC 83 EC 44 56 FF 15 8B F0 8A 3C} 371 | condition: 372 | $0 at entrypoint or $1 at entrypoint or $2 at entrypoint 373 | } 374 | rule _Stranik_13_ModulaCPascal_ 375 | { 376 | meta: 377 | description = "Stranik 1.3 Modula/C/Pascal" 378 | strings: 379 | $0 = {E9 57 41 54 43 4F 4D 20 43 2F 43 2B 2B 33 32 20 52 75 6E 2D} 380 | condition: 381 | $0 at entrypoint 382 | } 383 | rule _Borland_Cpp_for_Win32_1994_ 384 | { 385 | meta: 386 | description = "Borland C++ for Win32 1994" 387 | strings: 388 | $0 = {A1 C1 A3 57 51 33 C0 BF B9 3B CF} 389 | condition: 390 | $0 at entrypoint 391 | } 392 | rule _Borland_Delphi_DLL_ 393 | { 394 | meta: 395 | description = "Borland Delphi DLL" 396 | strings: 397 | $0 = {55 8B EC 83} 398 | condition: 399 | $0 at entrypoint 400 | } 401 | rule _Microsoft_Visual_Cpp_v60_Debug_Version_ 402 | { 403 | meta: 404 | description = "Microsoft Visual C++ v6.0 (Debug Version)" 405 | strings: 406 | $0 = {6A 68 E8 BF 8B C7 E8 89 65 8B F4 89 3E 56 FF 15 8B 4E 89 0D 8B 46} 407 | condition: 408 | $0 at entrypoint 409 | } 410 | rule _Microsoft_Visual_Cpp_v4x_ 411 | { 412 | meta: 413 | description = "Microsoft Visual C++ v4.x" 414 | strings: 415 | $0 = {64 A1 ?? ?? ?? ?? 55 8B EC 6A FF 68 68 50 64 83 53 56 57 89} 416 | condition: 417 | $0 at entrypoint 418 | } 419 | rule _Microsoft_Visual_Cpp_v50_ 420 | { 421 | meta: 422 | description = "Microsoft Visual C++ v5.0" 423 | strings: 424 | $0 = {24 ?? 8B 24} 425 | condition: 426 | $0 at entrypoint 427 | } 428 | rule _Microsoft_Visual_Cpp_v50_DLL_ 429 | { 430 | meta: 431 | description = "Microsoft Visual C++ v5.0 DLL" 432 | strings: 433 | $0 = {55 8B EC 6A FF 68 68 64 A1 ?? ?? ?? ??} 434 | condition: 435 | $0 at entrypoint 436 | } 437 | rule _MinGW_v32x_Dll_mainCRTStartup_ 438 | { 439 | meta: 440 | description = "MinGW v3.2.x (Dll_mainCRTStartup)" 441 | strings: 442 | $0 = {55 89 E5 83 EC 08 6A ?? 6A ?? 6A ?? 6A ?? E8 0D ?? ?? ?? B8 ?? ?? ?? ?? C9 C3 90 90 90 90 90 90 FF 25 38 20 40 ?? 
90 90 ?? ?? ?? ?? ?? ?? ?? ?? FF FF FF FF ?? ?? ?? ?? FF FF FF} 443 | condition: 444 | $0 at entrypoint 445 | } 446 | rule _Microsoft_Visual_Cpp_v70_DLL_ 447 | { 448 | meta: 449 | description = "Microsoft Visual C++ v7.0 DLL" 450 | strings: 451 | $0 = {55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10} 452 | $1 = {FF 25 ??} 453 | condition: 454 | $0 at entrypoint or $1 at entrypoint 455 | } 456 | rule _Borland_Cpp_ 457 | { 458 | meta: 459 | description = "Borland C++" 460 | strings: 461 | $0 = {A1 C1 E0 02} 462 | condition: 463 | $0 at entrypoint 464 | } 465 | rule _Microsoft_Visual_Cpp_v60_ 466 | { 467 | meta: 468 | description = "Microsoft Visual C++ v6.0" 469 | strings: 470 | $0 = {51} 471 | $1 = {55 8D 6C 81 EC 8B 45 83 F8 01 56 0F 84 85 C0 0F} 472 | $2 = {55 8B EC 51} 473 | condition: 474 | $0 at entrypoint or $1 at entrypoint or $2 at entrypoint 475 | } 476 | rule _Borland_Cpp_for_Win32_1999_ 477 | { 478 | meta: 479 | description = "Borland C++ for Win32 1999" 480 | strings: 481 | $0 = {EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B} 482 | $1 = {A1 C1 E0 02 A3 57 51 33 C0 BF B9 3B CF 76 05 2B CF FC F3 AA 59} 483 | condition: 484 | $0 at entrypoint or $1 at entrypoint 485 | } 486 | rule _MinGW_GCC_v2x_ 487 | { 488 | meta: 489 | description = "MinGW GCC v2.x" 490 | strings: 491 | $0 = {55 89 E5 FF} 492 | $1 = {55 89 E5 E8 C9 C3 45 58} 493 | $2 = {55 89} 494 | condition: 495 | $0 at entrypoint or $1 at entrypoint or $2 at entrypoint 496 | } 497 | rule _MinGW_v32x_main_ 498 | { 499 | meta: 500 | description = "MinGW v3.2.x (main)" 501 | strings: 502 | $0 = {55 89 E5 83 EC 08 C7 04 24 01 ?? ?? ?? FF 15 FC 40 40 ?? E8 68 ?? ?? ?? 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 ?? ?? ?? FF 15 FC 40 40 ?? E8 48 ?? ?? ?? 
89 EC 31 C0 5D C3 89} 503 | condition: 504 | $0 at entrypoint 505 | } 506 | rule _Borland_Delphi_ 507 | { 508 | meta: 509 | description = "Borland Delphi" 510 | strings: 511 | $0 = {C3 E9 FF 8D} 512 | condition: 513 | $0 at entrypoint 514 | } 515 | rule _Microsoft_Visual_Basic_v50__v60_ 516 | { 517 | meta: 518 | description = "Microsoft Visual Basic v5.0 / v6.0" 519 | strings: 520 | $0 = {5A 68 68 52 E9} 521 | condition: 522 | $0 at entrypoint 523 | } 524 | rule _Borland_Cpp_DLL_ 525 | { 526 | meta: 527 | description = "Borland C++ DLL" 528 | strings: 529 | $0 = {EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90} 530 | $1 = {EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 A1 C1 E0 02 A3} 531 | $2 = {EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 A1 C1 E0 02 A3} 532 | $3 = {C3 E9 FF 8D} 533 | condition: 534 | $0 at entrypoint or $1 at entrypoint or $2 at entrypoint or $3 at entrypoint 535 | } 536 | -------------------------------------------------------------------------------- /peid2yar/outputs/userdb_exeinfope.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaimeblasco/AlienvaultLabs/7613be50c50693d785017ce037879bd3eeacb9b2/peid2yar/outputs/userdb_exeinfope.yar -------------------------------------------------------------------------------- /peid2yar/outputs/userdb_jclausing.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaimeblasco/AlienvaultLabs/7613be50c50693d785017ce037879bd3eeacb9b2/peid2yar/outputs/userdb_jclausing.yar -------------------------------------------------------------------------------- /peid2yar/outputs/userdb_panda.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jaimeblasco/AlienvaultLabs/7613be50c50693d785017ce037879bd3eeacb9b2/peid2yar/outputs/userdb_panda.yar -------------------------------------------------------------------------------- 
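# /peid2yar/peid2yar.py
#!/usr/bin/env python

# PEiD 2 Yar
# AlienVault Labs - https://github.com/jaimeblasco/AlienvaultLabs
#
# Licensed under GNU/GPLv3
# aortega@alienvault.com
#
# Converts a PEiD userdb.txt into a YARA ruleset.  Run the signatures
# sanitizer first: anything the byte validator below rejects is skipped.

import sys
import re
import os

# "[Name]" or "[* Name]" section header ("* " marks PEiD's preferred entries).
HEADER_RE = re.compile(r"^\[(\* )?(?P<signame>.+)\]$")
SIGNATURE_RE = re.compile(r"^signature = (?P<signature>.+)$")
EP_ONLY_RE = re.compile(r"^ep_only = (?P<ep>true|false)$")
# Signature bytes validator for Yara: space separated "AB", "A?" (low-nibble
# wildcard) or "??" tokens, upper-case hex only.
BYTES_RE = re.compile(r"^([\dABCDEF]{2} ?|[\dABCDEF]\? ?|\?\? ?)+$")

# Rule names longer than this are truncated (to MAX_RULE_NAME - 1 characters,
# as the original converter did).
MAX_RULE_NAME = 100


def sanitize_rule_name(signame):
    """Turn a PEiD section name into a YARA rule identifier.

    '+' becomes 'p', spaces become '_', every other non-alphanumeric
    character is dropped, and the result is wrapped in underscores so it can
    never start with a digit.  Distinct PEiD names may collapse onto the same
    identifier; the parser merges their signatures into one rule.
    """
    name = "_" + signame.replace("+", "p").replace(" ", "_") + "_"
    name = "".join(ch for ch in name if ch.isalnum() or ch == "_")
    if len(name) > MAX_RULE_NAME:
        name = name[:MAX_RULE_NAME - 1]
    return name


def sanitize_description(signame):
    """Make a section name safe inside a double-quoted YARA meta string."""
    # A lone backslash is an invalid escape inside a YARA string literal and
    # breaks the whole .yar file, so double it; double quotes are dropped as
    # the original converter did.
    return signame.replace("\\", "\\\\").replace("\"", "")


def normalize_signature(signature):
    """Split leading '??' wildcards off a validated PEiD signature.

    Returns ``(hex_bytes, offset)``: *hex_bytes* is the signature without its
    leading wildcards (YARA hex strings may not begin with '??', presumably
    why the original converter dropped them) and *offset* is how many were
    dropped.  For an ep_only signature that offset is part of the match
    semantics -- PEiD means "these bytes at entrypoint + offset" -- so the
    caller must carry it into the condition instead of anchoring the
    shortened pattern at the entry point itself.  *hex_bytes* is "" when the
    signature consisted of wildcards only.
    """
    tokens = signature.split(" ")
    offset = 0
    while offset < len(tokens) and tokens[offset] == "??":
        offset += 1
    return " ".join(tokens[offset:]), offset


def parse_peid_db(data):
    """Parse PEiD userdb text into ``{rule_name: [{"desc": ...}, entries]}``.

    Each entry is ``{"signature": hex, "ep": "true"|"false", "offset": n}``.
    Malformed or wildcard-only signatures are reported on stdout and skipped
    together with their ep_only line, so a bad signature can never re-use the
    previous section's bytes (the original converter could).
    """
    peid_rules = {}
    signame = None
    signdesc = "?"
    signature = None
    offset = 0
    skip = True  # no usable signature seen for the current section yet

    for lineno, raw in enumerate(data.split("\n"), 1):
        ln = raw.rstrip()

        m = HEADER_RE.match(ln)
        if m:
            signame = sanitize_rule_name(m.group("signame"))
            signdesc = sanitize_description(m.group("signame"))
            skip = True
            continue

        m = SIGNATURE_RE.match(ln)
        if m:
            if not BYTES_RE.match(m.group("signature")):
                print("Signature [%s] malformed at line %s, skipping" % (signdesc, lineno))
                skip = True
                continue
            signature, offset = normalize_signature(m.group("signature"))
            if not signature.strip():
                print("Signature [%s] is wildcards only at line %s, skipping" % (signdesc, lineno))
                skip = True
                continue
            skip = False
            continue

        m = EP_ONLY_RE.match(ln)
        if m and not skip and signame is not None:
            if signame not in peid_rules:
                peid_rules[signame] = [{"desc": signdesc}, []]
            peid_rules[signame][1].append(
                {"signature": signature, "ep": m.group("ep"), "offset": offset})
    return peid_rules


def render_rules(peid_rules):
    """Render parsed rules as YARA source (tab-indented, one rule per name)."""
    out = []
    for signame, (meta, entries) in peid_rules.items():
        out.append("rule %s\n{\n\tmeta:\n\t\tdescription = \"%s\"\n\tstrings:\n"
                   % (signame, meta["desc"]))
        for idx, entry in enumerate(entries):
            out.append("\t\t$%d = {%s}\n" % (idx, entry["signature"]))
        terms = []
        for idx, entry in enumerate(entries):
            term = "$%d" % idx
            if entry["ep"] == "true":
                # The stripped leading wildcards become an offset so the anchor
                # still means what the PEiD signature meant.  (Newer YARA
                # releases deprecate the bare `entrypoint` keyword in favour of
                # pe.entry_point; the output keeps the form the repo's existing
                # .yar files use.)
                term += " at entrypoint"
                if entry.get("offset", 0):
                    term += " + %d" % entry["offset"]
            terms.append(term)
        out.append("\tcondition:\n\t\t%s\n}\n" % " or ".join(terms))
    return "".join(out)


def write_yara(peid_rules, output_file):
    """Write ``render_rules(peid_rules)`` to *output_file*, overwriting it."""
    with open(output_file, "w") as fh:
        fh.write(render_rules(peid_rules))


def main(argv):
    """CLI entry point: ``peid2yar.py userdb.txt output.yar``."""
    if len(argv) != 3:
        print("PEiD 2 Yar Help - AlienVault Labs")
        print("Usage: %s userdb.txt output.yar" % (argv[0]))
        print("Please! Use signatures sanitizer first.")
        sys.exit()

    peid_file, output_file = argv[1], argv[2]
    if not os.path.exists(peid_file):
        print("Error, %s doesn't exist." % (peid_file))
        sys.exit()

    with open(peid_file, "r") as fh:
        data = fh.read()
    write_yara(parse_peid_db(data), output_file)


if __name__ == "__main__":
    main(sys.argv)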
/tools/disaep.py: -------------------------------------------------------------------------------- 1 | import pydasm 2 | import pefile 3 | import sys 4 | from binascii import * 5 | from optparse import OptionParser 6 | import os 7 | 8 | def lookAtEP(pe): 9 | ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint 10 | ep_ava = ep+pe.OPTIONAL_HEADER.ImageBase 11 | data = pe.get_memory_mapped_image()[ep:ep+10] 12 | 13 | return data, ep_ava 14 | 15 | 16 | def opPrint(data, ep_ava): 17 | print hexlify(data) 18 | offset = 0 19 | while offset < len(data): 20 | i = pydasm.get_instruction(data[offset:], pydasm.MODE_32) 21 | if i: 22 | print pydasm.get_instruction_string(i, pydasm.FORMAT_INTEL, ep_ava+offset) 23 | else: 24 | print "Unknown Opcode" 25 | break 26 | offset += i.length 27 | 28 | def main(): 29 | parser = OptionParser() 30 | parser.add_option("-i", "--input", dest="input", 31 | help="Input file or directory", metavar="FILE") 32 | 33 | 34 | (opts, args) = parser.parse_args() 35 | 36 | if not opts.__dict__['input']: 37 | parser.print_help() 38 | exit(-1) 39 | 40 | 41 | if not os.path.isdir(opts.__dict__['input']): 42 | try: 43 | pe = pefile.PE(opts.__dict__['input']) 44 | except pefile.PEFormatError: 45 | print "Not a PE32 file" 46 | exit(-1) 47 | data, ep_ava = lookAtEP(pe) 48 | opPrint(data, ep_ava) 49 | else: 50 | files = os.listdir(opts.__dict__['input']) 51 | for f in files: 52 | if os.path.isdir("%s/%s" % (opts.__dict__['input'], f)): 53 | continue 54 | try: 55 | pe = pefile.PE("%s/%s" % (opts.__dict__['input'], f)) 56 | except pefile.PEFormatError: 57 | continue 58 | print "%s/%s" % (opts.__dict__['input'], f) 59 | data, ep_ava = lookAtEP(pe) 60 | opPrint(data, ep_ava) 61 | 62 | 63 | 64 | if __name__ == "__main__": 65 | main() 66 | -------------------------------------------------------------------------------- /urlquery-chrome/README.md: -------------------------------------------------------------------------------- 1 | # urlQuery chrome extension 2 | 
-------------------------------------------------------------------------------- /urlquery-chrome/main.css: -------------------------------------------------------------------------------- 1 | html,body,div,span,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,abbr,address,cite,code,del,dfn,em,img,ins,kbd,q,samp,small,strong,sub,sup,var,b,i,dl,dt,dd,ol,ul,li,fieldset,form,label,legend,table,caption,tbody,tfoot,thead,tr,th,td,article,aside,canvas,details,figcaption,figure,footer,header,hgroup,menu,nav,section,summary,time,mark,audio,video 2 | { 3 | border:0; 4 | margin:0; 5 | padding:0; 6 | background: 7 | transparent; 8 | font-size:100%; 9 | outline:0; 10 | vertical-align:baseline; 11 | } 12 | 13 | .hideme{display:none;} 14 | 15 | blockquote,q{quotes:none;} 16 | a{color:black; margin:0;padding:0;background:transparent;font-size:100%;text-decoration:none;vertical-align:baseline;} 17 | label,a{cursor:pointer;} 18 | 19 | a:hover{text-decoration:underline;} 20 | 21 | input,select,img{vertical-align:middle;} 22 | html{font:13px/24px 'Segoe UI', Segoe, 'Helvetica Neue', Helvetica, Roboto, Arial, FreeSans, sans-serif;} 23 | h2{font-size:22px;font-weight:bold;} 24 | h3{font-size:16px;font-weight:bold;} 25 | h4{font-size:14px;font-weight:bold;} 26 | h5{font-size:13px;font-weight:bold;} 27 | h6{font-size:12px;font-weight:bold;} 28 | p{margin-bottom:16px;line-height:150%;} 29 | 30 | body{background-color:#222e3e;background-attachment:fixed;color:#222;line-height:1;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%;-moz-text-size-adjust:100%;-o-text-size-adjust:100%;text-size-adjust:100%;} 31 | background-repeat:no-repeat;background-size:142px 861px;background-position:100% 100%;} 32 | #billboard_wrapper{background-color:#10161e;text-align:center;padding:4px;border-bottom:1px solid #3e4c5e;} 33 | div#container{margin:15 auto;min-width:996px;width:996px;position:relative;} 34 | div#container_scale{margin:0 auto;min-width:996px;width:90%;position:relative;} 35 | 
div#body{border:2px solid #596d88;} 36 | 37 | nav ul{list-style:none;} 38 | #navigation{border-radius:4px 4px 0 0;clear:both;padding:0 4px;min-height:40px;zoom:1;background-color:#3e4c5e;background-position:0 0;} 39 | #navigation > ul{position:relative;z-index:9;} 40 | #navigation > ul > li,#subnavigation > ul > li{float:left;position:relative;} 41 | #navigation > ul > li:last-child{border-right:0;padding-right:0;} 42 | #navigation > ul > li.active > a{border-radius:4px 4px 0 0;background-color:#d9dcdf;background-position:0 -50px;color:#2d3c4e;} 43 | #navigation > ul > li > a > span{margin-left:7px;width:12px;display:inline-block;background-position:0 0;height:10px;vertical-align:baseline;} 44 | #navigation > ul > li:hover > a > span,#navigation > ul > li > a:hover > span,#navigation > ul > li.active > a > span{background-position:0 -10px;} 45 | #subnavigation{border-radius:4px 4px 4px 4px;clear:both;min-height:28px;overflow:hidden;background-color:#ced1d5;padding:4px 0;border: 2px solid #edeeef;} 46 | #subnavigation > ul#news-filter{float:left;padding-left:8px;overflow:hidden;} 47 | #subnavigation > ul#news-filter > li{border-right:1px solid #c5c9ce;margin:4px 0;padding:0 4px;} 48 | #subnavigation > ul#news-filter > li:first-child{padding-left:0;} 49 | #subnavigation > ul#news-filter > li:last-child{border-right:0;padding-right:0;} 50 | #subnavigation > ul#news-filter > li > a{margin:-2px 0;padding:0 12px;display:block;color:#2d3c4e;font-size:12px;font-weight:600;font-family:"Segoe WP Semibold", "Segoe UI Semibold", "Segoe UI Web Semibold", 'Segoe UI', Segoe, 'Helvetica Neue', Helvetica, Roboto, Arial, FreeSans, sans-serif;line-height:24px;text-decoration:none;height:1%;zoom:1;border-radius:4px;} 51 | #subnavigation > ul#news-filter > li:hover > a,#subnavigation > ul#news-filter > li > a:hover{background-color:#dfe4ea; } 52 | #subnavigation > ul#news-filter > li.active > a,#subnavigation > ul#news-filter > li.active:hover > a,#subnavigation > ul#news-filter > 
li.active > a:hover{background-color:#969da6;color:#fff;background-image:none;filter:inherit;text-shadow:none;} 53 | #subnavigation > ul#news-view{float:right;margin:0 8px 0 0 !important;list-style:none !important;} 54 | #subnavigation > ul#news-view > li{border-right:1px solid #c5c9ce;float:left;margin:6px 0 0;padding:0 4px;} 55 | #subnavigation > ul#news-view > li:last-child{border-right:0;padding-right:0;} 56 | #subnavigation > ul#news-view > li > a,#subnavigation > ul#news-view > li > span{padding:0 4px;display:inline-block;color:#2d3c4e;line-height:16px;font-size:10px;text-decoration:none;cursor:pointer;height:1%;zoom:1;border-radius:4px;}#subnavigation > ul#news-view > li.active > a,#subnavigation > ul#news-view > li.active > a:hover{background-color:#e6e7e8;background-color:rgba(255,255,255,0.5);font-weight:600;font-family:"Segoe WP Semibold", "Segoe UI Semibold", "Segoe UI Web Semibold", 'Segoe UI', Segoe, 'Helvetica Neue', Helvetica, Roboto, Arial, FreeSans, sans-serif;} 57 | #subnavigation > ul#news-view > li > a:hover,#subnavigation > ul#news-view > li > span:hover{background-color:#e4e5e8;} 58 | 59 | 60 | #siteinfo{padding:16px;color:#90969f;line-height:20px;overflow:hidden;font-size:10px;} 61 | #siteinfo a{color:#c7cacf;} 62 | #siteinfo a:hover{color:#ffffff;} 63 | #siteinfo > div{float:left;margin-right:32px;} 64 | #siteinfo > #siteinfo-content{float:right;margin-right:0;} 65 | #siteinfo h3{margin-bottom:8px;font-size:180%;font-weight:normal;} 66 | #siteinfo li,#siteinfo p{list-style:none;font-size:120%;line-height:150%;} 67 | 68 | #body{margin-top:8px;border-radius:4px;padding:12px;background-color:#ffffff;font-size:12px;} 69 | #wrapper{overflow:auto;} 70 | 71 | /**/ 72 | .wrapword{ 73 | white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */ 74 | white-space: -pre-wrap; /* Opera 4-6 */ 75 | white-space: -o-pre-wrap; /* Opera 7 */ 76 | word-wrap: break-word; /* Internet Explorer 5.5+ */ 77 | word-break: break-all; 78 | white-space: normal; 
79 | } 80 | 81 | img.domain_graph{max-height: 450px; max-width: 100%;} 82 | 83 | h4.js_normal{background-color:#b0b8cb; border-radius:0px 0px 0px 0px; border: 1px solid #000000; padding:3px 1px; cursor:pointer;} 84 | h4.js_normal:hover{background-color:#96a0ba; border-radius:0px 0px 0px 0px; border: 1px solid #000000; padding:3px 1px; cursor:pointer;} 85 | h4.js_suspicious{background-color:#ffc846; border-radius:0px 0px 0px 0px; border: 1px solid #fbaf00; padding:3px 1px; cursor:pointer;} 86 | h4.js_suspicious:hover{background-color:#ffb811; border-radius:0px 0px 0px 0px; border: 1px solid #d29400; padding:3px 1px; cursor:pointer;} 87 | h4.js_malicious{background-color:#cc4d4d; border-radius:0px 0px 0px 0px; border: 1px solid #8a0000; padding:3px 1px; cursor:pointer;} 88 | h4.js_malicious:hover{background-color:#be3434; border-radius:0px 0px 0px 0px; border: 1px solid #6a0000; padding:3px 1px; cursor:pointer;} 89 | 90 | 91 | tr.http_suspicious{background-color:#ffc846; border-radius:0px 0px 0px 0px; border: 1px solid #fbaf00; padding:3px 1px;} 92 | tr.http_suspicious:hover{background-color:#ffb300; border-radius:0px 0px 0px 0px; border: 1px solid #c18700; padding:3px 1px;} 93 | tr.http_malicious{background-color:#cc4d4d; border-radius:0px 0px 0px 0px; border: 1px solid #8a0000; padding:3px 1px;} 94 | tr.http_malicious:hover{background-color:#be3434; border-radius:0px 0px 0px 0px; border: 1px solid #6a0000; padding:3px 1px;} 95 | 96 | 97 | /* Listing table */ 98 | table{width:100%;border-collapse:collapse;border-spacing:0;} 99 | table.test{border-radius:4px 4px 4px 4px; border: 1px solid #000000;} 100 | th{padding:5px; background-color:#2d3c4e; color:#ffffff; } 101 | tr.header{} 102 | 103 | td{padding:3px;} 104 | td.js_listing{padding: 1px;} 105 | tr.even{background-color:#d9dfe6; border: 1px solid #596d88;} 106 | tr.odd{background-color:#ced6df; border: 1px solid #596d88;} 107 | td.even_heading{background-color:#c5cbd2; border: 1px solid #596d88; width: 200px;} 108 
| td.odd_heading{background-color:#b0b8cb; border: 1px solid #596d88; width: 200px;} 109 | 110 | tr.even_highlight{background-color:#d9dfe6; border: 1px solid #596d88;} 111 | tr.even_highlight:hover{background-color:#8d9db4; border: 1px solid #596d88;} 112 | tr.odd_highlight{background-color:#ced6df; border: 1px solid #596d88;} 113 | tr.odd_highlight:hover{background-color:#8d9db4; border: 1px solid #596d88;} 114 | 115 | 116 | -------------------------------------------------------------------------------- /urlquery-chrome/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "UrlQuery", 3 | "description": "Send an url to UrlQuery", 4 | "version": "0.1", 5 | "permissions": ["", "contextMenus", "tabs"], 6 | "background": { 7 | "scripts": ["urlquery.js"] 8 | }, 9 | "options_page": "options.html", 10 | "manifest_version": 2 11 | } 12 | -------------------------------------------------------------------------------- /urlquery-chrome/options.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | urlQuery Options 4 | 5 | 6 | 7 |
8 | 14 |
15 |

urlQuery settings:

16 | 17 | 18 | 19 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 40 | 41 | 42 | 43 | 48 | 49 | 50 |
User Agent: 20 | 27 |
Referer:
Adobe Reader: 36 | 39 |
Java: 44 | 47 |
51 | 52 |
53 |
54 | 55 | 56 | 57 | -------------------------------------------------------------------------------- /urlquery-chrome/options.js: -------------------------------------------------------------------------------- 1 | function save_options() { 2 | localStorage["useragent"] = document.getElementById("useragent").value; 3 | localStorage["referer"] = document.getElementById("referer").value; 4 | localStorage["adobereader"] = document.getElementById("adobereader").value; 5 | localStorage["java"] = document.getElementById("java").value; 6 | } 7 | 8 | function update_select(item, value) { 9 | if (!value) 10 | return; 11 | var select = document.getElementById(item); 12 | for (var i = 0; i < select.children.length; i++) { 13 | var child = select.children[i]; 14 | if (child.value == value) { 15 | child.selected = "true"; 16 | break; 17 | } 18 | } 19 | } 20 | 21 | function update_text(item, value) { 22 | if (!value) 23 | return; 24 | document.getElementById(item).value = value; 25 | } 26 | 27 | function restore_options() { 28 | update_select("useragent", localStorage["useragent"]); 29 | update_text("referer", localStorage["referer"]); 30 | update_select("adobereader", localStorage["adobereader"]); 31 | update_select("java", localStorage["java"]); 32 | } 33 | 34 | document.addEventListener('DOMContentLoaded', restore_options); 35 | document.querySelector('#save').addEventListener('click', save_options); 36 | -------------------------------------------------------------------------------- /urlquery-chrome/urlquery.js: -------------------------------------------------------------------------------- 1 | // urlQuery plugin for chrome 2 | // author: earada 3 | // email: earada@alienvault.com 4 | 5 | function genericOnClick(info, tab) { 6 | var http = new XMLHttpRequest(); 7 | url = (typeof(info.linkUrl)!="undefined")?info.linkUrl:info.selectionText; 8 | console.log("Sent to urlQuery: " + url); 9 | console.log(info) 10 | http.open("POST", "http://urlquery.net/api/v2/post.php", true); 
11 | http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); 12 | http.onreadystatechange = function() { 13 | if(http.readyState == 4 && http.status == 200) { 14 | var obj = JSON.parse(http.responseText); 15 | if(obj["return_code"] == 3) { 16 | var tmp = document.createElement("DIV"); 17 | tmp.innerHTML = obj["msg"]; 18 | var msg = tmp.textContent||tmp.innerText; 19 | alert("UrlQuery "+ msg); 20 | } else { 21 | chrome.tabs.create({url: "http://urlquery.net/queued.php?id="+ obj["queue_id"]}); 22 | } 23 | } 24 | } 25 | params = "method=urlquery_submit&url="+encodeURIComponent(url); 26 | params += "&useragent="+encodeURIComponent(localStorage["useragent"]); 27 | params += "&referer="+encodeURIComponent(localStorage["referer"]); 28 | params += "&adobereader="+encodeURIComponent(localStorage["adobereader"]); 29 | params += "&java="+encodeURIComponent(localStorage["java"]); 30 | params += "&flags=0"; 31 | http.send(params); 32 | } 33 | 34 | var id = chrome.contextMenus.create({"title": "Send to urlQuery", 35 | "contexts":["link","selection"], "onclick": genericOnClick}); 36 | -------------------------------------------------------------------------------- /yarad/README.md: -------------------------------------------------------------------------------- 1 | # yarad 2 | ## yara daemon 3 | 4 | yarad deploys a server that can be used to scan files and streams centrally with yara and your own ruleset. 5 | 6 | Requirements: 7 | 8 | - yara-python 9 | - python-daemon (if you want to daemonize it) 10 | 11 | See yarad.cfg for configuration options. 12 | 13 | # pyarad 14 | ## python library to interact with yarad 15 | 16 | pyarad allows you to interact with yarad server from your python scripts. 
17 | 18 | It implements this functions: 19 | 20 | y = init\_network\_socket(host, port=3369) 21 | 22 | y = init\_unix\_socket(socket\_file="/tmp/yarad.ctl") 23 | 24 | y.close() 25 | 26 | y.scan\_file(filename) 27 | 28 | y.scan\_stream(filebuffer) 29 | 30 | See examples for more information. 31 | -------------------------------------------------------------------------------- /yarad/pyarad/pyarad.py: -------------------------------------------------------------------------------- 1 | 2 | # pyarad - py lib to use yarad daemon 3 | # AlienVault Labs - https://github.com/jaimeblasco/AlienvaultLabs 4 | # 5 | # Licensed under GNU/GPLv3 6 | # aortega@alienvault.com 7 | 8 | import socket 9 | import ast 10 | import uuid 11 | import os 12 | import zlib 13 | 14 | class pyarad: 15 | def __init__(self): 16 | pass 17 | 18 | # Connections handlers 19 | def init_network_socket(self, host, port=3369): 20 | self.net_socket = True 21 | self.initialized = True 22 | self.conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | self.conn.connect((host, port)) 24 | def init_unix_socket(self, socket_file="/tmp/yarad.ctl"): 25 | self.net_socket = False 26 | self.initialized = True 27 | self.conn = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) 28 | self.conn.connect(socket_file) 29 | def close(self): 30 | if self.initialized == True: 31 | self.conn.send("!close") 32 | self.conn.close() 33 | self.initialized = False 34 | else: 35 | return None 36 | 37 | # Functions to dump files 38 | def zdump_file(self, filename): 39 | f = open(filename, "rb") 40 | data = f.read() 41 | f.close() 42 | return zlib.compress(data, 9) 43 | def zdump_stream(self, filebuffer): 44 | return zlib.compress(filebuffer, 9) 45 | 46 | # Scanning functions 47 | def scan_file(self, filename): 48 | if self.initialized == True: 49 | if os.path.exists(filename): 50 | if self.net_socket == True: 51 | self.conn.send(self.zdump_file(filename)) 52 | else: 53 | self.conn.send(os.path.abspath(filename)) 54 | return 
ast.literal_eval(self.conn.recv(1024)) 55 | else: 56 | return [] 57 | else: 58 | return None 59 | def scan_stream(self, filebuffer): 60 | if self.initialized == True: 61 | if self.net_socket == True: 62 | self.conn.send(self.zdump_stream(filebuffer)) 63 | else: 64 | filename = "/tmp/.%s" % (str(uuid.uuid4())) 65 | f = open(filename, "wb") 66 | f.write(filebuffer) 67 | f.close() 68 | self.conn.send(filename) 69 | result = ast.literal_eval(self.conn.recv(1024)) 70 | if self.net_socket == False: 71 | os.unlink(filename) 72 | return result 73 | else: 74 | return None 75 | 76 | -------------------------------------------------------------------------------- /yarad/pyarad/stress_test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import pyarad 4 | from multiprocessing import Process 5 | import sys 6 | 7 | # Method 1 8 | 9 | def run(): 10 | y = pyarad.pyarad() 11 | y.init_unix_socket() 12 | print y.scan_file("/tmp/test.exe") 13 | y.close() 14 | 15 | for i in range(1000): 16 | p = Process(target=run, args=()) 17 | p.start() 18 | 19 | ### 20 | 21 | # Method 2 22 | 23 | y = pyarad.pyarad() 24 | y.init_unix_socket() 25 | for i in range(1000): 26 | print y.scan_file("/tmp/test.exe") 27 | y.close() 28 | 29 | ### 30 | -------------------------------------------------------------------------------- /yarad/pyarad/stress_test_inet.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import pyarad 4 | from multiprocessing import Process 5 | import sys 6 | 7 | # Method 1 8 | 9 | def run(): 10 | y = pyarad.pyarad() 11 | y.init_network_socket("127.0.0.1") 12 | print y.scan_file("/tmp/test.exe") 13 | y.close() 14 | 15 | for i in range(1000): 16 | p = Process(target=run, args=()) 17 | p.start() 18 | 19 | ### 20 | 21 | # Method 2 22 | 23 | y = pyarad.pyarad() 24 | y.init_network_socket("127.0.0.1") 25 | for i in range(1000): 26 | print 
y.scan_file("/tmp/test.exe") 27 | y.close() 28 | 29 | ### 30 | -------------------------------------------------------------------------------- /yarad/pyarad/test_scan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import pyarad 4 | import sys 5 | 6 | if len(sys.argv) != 2: 7 | print "%s file" % (sys.argv[0]) 8 | sys.exit() 9 | 10 | y = pyarad.pyarad() 11 | y.init_unix_socket() 12 | print y.scan_file(sys.argv[1]) 13 | y.close() 14 | 15 | -------------------------------------------------------------------------------- /yarad/pyarad/test_scan_inet.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import pyarad 4 | import sys 5 | 6 | if len(sys.argv) != 2: 7 | print "%s file" % (sys.argv[0]) 8 | sys.exit() 9 | 10 | y = pyarad.pyarad() 11 | y.init_network_socket("127.0.0.1") 12 | print y.scan_file(sys.argv[1]) 13 | y.close() 14 | 15 | -------------------------------------------------------------------------------- /yarad/yarad/fingerprints/flash.yar: -------------------------------------------------------------------------------- 1 | rule flash_cws 2 | { 3 | strings: 4 | $0 = "CWS" 5 | 6 | condition: 7 | $0 at 0 8 | } 9 | -------------------------------------------------------------------------------- /yarad/yarad/fingerprints/index.yar: -------------------------------------------------------------------------------- 1 | include "flash.yar" 2 | -------------------------------------------------------------------------------- /yarad/yarad/unpack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # yarad - Yara daemon 4 | # AlienVault Labs - https://github.com/jaimeblasco/AlienvaultLabs 5 | # 6 | # Licensed under GNU/GPLv3 7 | # earada@alienvault.com 8 | 9 | import yara 10 | import os 11 | import tempfile 12 | from zlib import decompress 13 | 14 | finger_rules = 
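yara.compile(filepath='fingerprints/index.yar', includes = True)
# (continuation of ``finger_rules = `` above)  The fingerprint path is
# relative to the working directory yarad is started from, just like
# "yarad.cfg" in yarad.py.

# Ceiling on the size of an inflated sample.  Samples are attacker-controlled
# input to a malware scanner, so zlib output is capped instead of trusting the
# stream to be small.  Constructed default; tune to the deployment.
MAX_UNPACKED_BYTES = 64 * 1024 * 1024


def inflate_bounded(data, limit):
    """Inflate a zlib stream, refusing output larger than ``limit`` bytes.

    ``zlib.decompress`` has no output cap, so a few kilobytes of compressed
    input can expand into far more memory than the daemon can afford.  A
    bounded probe with ``decompressobj().decompress(data, max_length)`` first
    checks that the stream fits; only then is the plain ``decompress`` call
    made, which keeps its strict validation (``zlib.error`` on a corrupt or
    truncated stream).  Raises ValueError when the inflated size would
    exceed ``limit``.
    """
    import zlib  # the module header only imports zlib.decompress
    probe = zlib.decompressobj().decompress(data, limit + 1)
    if len(probe) > limit:
        raise ValueError("inflated data exceeds %d bytes" % (limit))
    return decompress(data)


def flash_cws(f):
    """Inflate a compressed Flash file (CWS) into a plain FWS copy.

    Layout relied on here: bytes 0-2 "CWS", byte 3 the version, bytes 4-7
    the uncompressed length, then a zlib stream.  The copy is written to a
    new temporary file whose path is returned; the caller removes it with
    delete().  Raises NameError("Corrupted File") when the data is too
    short, cannot be read or does not inflate within MAX_UNPACKED_BYTES
    (the exception type is kept for existing callers).  Errors opening
    ``f`` propagate unchanged, as before.
    """
    with open(f, 'rb') as fh:
        try:
            c = fh.read()
            unpacked = 'FWS' + c[3] + c[4:8] + inflate_bounded(c[8:], MAX_UNPACKED_BYTES)
        except Exception:
            raise NameError("Corrupted File")
    # Inflate first, create the temporary file second: a corrupt input no
    # longer leaves an empty, never-deleted temp file behind.
    tf = tempfile.NamedTemporaryFile(delete=False)
    try:
        with tf:  # closes (and so flushes) the descriptor; delete=False keeps the file
            tf.write(unpacked)
    except Exception:
        os.unlink(tf.name)
        raise
    print("[*] Created: %s" % (tf.name))
    return tf.name


filetypes = {'flash_cws' : flash_cws}


def unpack(f):
    """Return the path of an unpacked copy of ``f``, or None.

    The fingerprint rules decide the container format; the first match whose
    rule name has a handler in ``filetypes`` is used.
    """
    for match in finger_rules.match(f):
        handler = filetypes.get(match.rule)
        if handler is not None:
            return handler(f)
    return None


def delete(f):
    """Remove a temporary file created by unpack()."""
    print("[*] Delete: %s" % (f))
    os.unlink(f)
-------------------------------------------------------------------------------- /yarad/yarad/yarad.cfg: --------------------------------------------------------------------------------
[server]
type = unix
daemon = 1
pidfile = /tmp/yarad.pid
rules_file = /tmp/yara.rules

[inet]
# Several bugs to be fixed
host = 0.0.0.0
port = 3369

[unix]
socket_file = /tmp/yarad.ctl
-------------------------------------------------------------------------------- /yarad/yarad/yarad.py: --------------------------------------------------------------------------------
#!/usr/bin/env python

# yarad - Yara daemon
# AlienVault Labs - https://github.com/jaimeblasco/AlienvaultLabs
#
# Licensed under GNU/GPLv3
# aortega@alienvault.com

import yara
from multiprocessing import Process
import socket
import os
import ConfigParser
import sys
import zlib
import unpack

# The config file is looked up in the current working directory.  read()
# silently returns an empty list when it is missing; without this check the
# first get() below would die with a bare NoSectionError traceback.
config = ConfigParser.ConfigParser()
if not config.read("yarad.cfg"):
    sys.stderr.write("yarad.cfg not found in %s\n" % (os.getcwd()))
    sys.exit(1)

daemonize = config.getint("server", "daemon")
if daemonize == 1:
    import daemon

rules_f = config.get("server", "rules_file")
pidfile = config.get("server", "pidfile")

srv_config = {}
srv_config["type"] = config.get("server", "type")
if srv_config["type"] == "unix":
    srv_config["file"] = config.get("unix", "socket_file")
elif srv_config["type"] == "inet":
    srv_config["host"] = config.get("inet", "host")
    srv_config["port"] = config.getint("inet", "port")
else:
    # A configuration error is a failure: report it on stderr and exit
    # non-zero (sys.exit() with no argument would have returned success).
    sys.stderr.write("Invalid server config\n")
    sys.exit(1)

# One recv() is treated as one whole message on both paths: the protocol
# carries no length prefix, so a path or compressed sample longer than the
# buffer arrives truncated.
UNIX_RECV_SIZE = 1024
INET_RECV_SIZE = 16384


def format_matches(matches):
    """Convert yara match objects into the plain dicts sent back to clients."""
    return [{
        "name": m.rule, "namespace": m.namespace,
        "meta": m.meta, "tags": m.tags,
    } for m in matches]


def dipatch_client_unix_file(conn, rules):
    """Serve one unix-socket client until it sends "!close", disconnects or errors.

    Every message is a path on the daemon's own filesystem.  Nothing here
    restricts which paths are accepted, so whoever can connect to the socket
    can have the daemon scan any file the daemon itself can read; the socket
    file's permissions are the only access control.  The name keeps its
    historical typo because mainloop() refers to it by this name.
    """
    try:
        while True:
            f = conn.recv(UNIX_RECV_SIZE)
            # An empty recv() means the peer went away; without this check
            # the loop kept answering "[]" to a closed connection.
            if not f or f == "!close":
                break
            if not os.path.exists(f):
                conn.send("[]")
                continue
            uf = unpack.unpack(f)
            try:
                # The reply is the Python repr of a list of dicts (not JSON);
                # pyarad parses this format, so keep the two in step.
                conn.send(str(format_matches(rules.match(uf or f))))
            finally:
                if uf:
                    unpack.delete(uf)
    except Exception:
        # Any failed recv/send/unpack/match ends this client's session only;
        # each client is served by its own process (see mainloop).
        pass
    finally:
        conn.close()


def dispatch_client_inet_socket(conn, rules):
    """Serve one TCP client: each message is a zlib-compressed sample scanned in memory.

    There is no authentication on this listener, and the shipped yarad.cfg
    binds it to 0.0.0.0, so anything that can reach the port can submit
    samples.  Inflation is capped by unpack.MAX_UNPACKED_BYTES so a small
    compressed payload cannot exhaust the daemon's memory; oversized,
    truncated or corrupt streams end the session like any other error.
    """
    try:
        while True:
            f = conn.recv(INET_RECV_SIZE)
            if not f or f == "!close":
                break
            sample_stream = unpack.inflate_bounded(f, unpack.MAX_UNPACKED_BYTES)
            # Same repr-of-list wire format as the unix path.
            conn.send(str(format_matches(rules.match(data=sample_stream))))
    except Exception:
        # A failed recv/send/inflate/match ends this client's session only.
        pass
    finally:
        conn.close()


def write_pidfile(pidfile):
    """Record the daemon's pid in ``pidfile`` as one newline-terminated line.

    The path is opened for writing as configured; with the shipped default
    under /tmp, a symlink planted at that name would be followed.
    """
    with open(pidfile, "w") as fh:
        fh.write("%s\n" % (str(os.getpid())))


def mainloop(rules, srv_config):
    """Accept connections forever, handing each one to a child process.

    ``srv_config["type"]`` selects a unix socket (path ``file``; a stale
    socket file is removed first) or a TCP listener on ``host``/``port``.
    Nothing here sets the unix socket file's mode or checks peer
    credentials, so its filesystem permissions decide who may ask the daemon
    to scan files.  The listening socket is closed when the loop is left by
    an exception or a signal.
    """
    if srv_config["type"] == "unix":
        if os.path.exists(srv_config["file"]):
            os.unlink(srv_config["file"])
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(srv_config["file"])
        dispatch_func = dipatch_client_unix_file
    else:
        server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Lets the daemon rebind right after a restart while old connections
        # are still in TIME_WAIT.
        server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        server.bind((srv_config["host"], srv_config["port"]))
        dispatch_func = dispatch_client_inet_socket
    server.listen(1)
    try:
        while True:
            conn, addr = server.accept()
            p = Process(target=dispatch_func, args=(conn, rules))
            p.start()
            # The child has its own copy of the connection; closing the
            # parent's copy stops the daemon from holding one descriptor per
            # client it has ever accepted.
            conn.close()
    finally:
        # Was placed after the infinite loop before, where it never ran.
        server.close()


print("[*] Starting")
sys.stdout.write("[*] Loading rules (%s) ... " % (rules_f))
sys.stdout.flush()
rules = yara.compile(filepath=rules_f, includes = True)
print("OK")

if daemonize == 1:
    print("[*] Forking ...")
    with daemon.DaemonContext():
        write_pidfile(pidfile)
        mainloop(rules, srv_config)
else:
    write_pidfile(pidfile)
    mainloop(rules, srv_config)

--------------------------------------------------------------------------------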