Volatility3 MCP Server

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule EnfalCode : Enfal Family { meta: description = "Enfal code tricks" author = "Seth Hardy" last_modified = "2014-06-19" strings: // mov al, 20h; sub al, bl; add [ebx+esi], al; push esi; inc ebx; call edi; cmp ebx, eax $decrypt = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 } condition: any of them } rule EnfalStrings : Enfal Family { meta: description = "Enfal Identifying Strings" author = "Seth Hardy" last_modified = "2014-06-19" strings: $ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb" $ = "e:\\programs\\LuridDownLoader" $ = "LuridDownloader for Falcon" $ = "DllServiceTrojan" $ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\" $ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89" $ = "Madonna\x00Jesus" $ = "/iupw82/netstate" $ = "fuckNodAgain" $ = "iloudermao" $ = "Crpq2.cgi" $ = "Clnpp5.cgi" $ = "Dqpq3ll.cgi" $ = "dieosn83.cgi" $ = "Rwpq1.cgi" $ = "/Ccmwhite" $ = "/Cmwhite" $ = "/Crpwhite" $ = "/Dfwhite" $ = "/Query.txt" $ = "/Ufwhite" $ = "/cgl-bin/Clnpp5.cgi" $ = "/cgl-bin/Crpq2.cgi" $ = "/cgl-bin/Dwpq3ll.cgi" $ = "/cgl-bin/Owpq4.cgi" $ = "/cgl-bin/Rwpq1.cgi" $ = "/trandocs/mm/" $ = "/trandocs/netstat" $ = "NFal.exe" $ = "LINLINVMAN" $ = "7NFP4R9W" condition: any of them } rule Enfal : Family { meta: description = "Enfal" author = "Seth Hardy" last_modified = "2014-06-19" condition: EnfalCode or EnfalStrings } rule Enfal_Malware { meta: description = "Detects a certain type of Enfal Malware" author = "Florian Roth" reference = "not set" date = "2015/02/10" hash = "9639ec9aca4011b2724d8e7ddd13db19913e3e16" score = 60 strings: $s0 = "POWERPNT.exe" fullword ascii $s1 = "%APPDATA%\\Microsoft\\Windows\\" fullword ascii $s2 = "%HOMEPATH%" fullword ascii $s3 = "Server2008" fullword ascii $s4 = "Server2003" fullword ascii $s5 = "Server2003R2" fullword ascii $s6 = "Server2008R2" fullword ascii $s9 = "%HOMEDRIVE%" fullword ascii $s13 = "%ComSpec%" fullword ascii condition: all of them } rule Enfal_Malware_Backdoor { meta: description = "Generic Rule to detect the Enfal Malware" author = "Florian Roth" date = "2015/02/10" super_rule = 1 hash0 = "6d484daba3927fc0744b1bbd7981a56ebef95790" hash1 = "d4071272cc1bf944e3867db299b3f5dce126f82b" hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41" score = 60 strings: $mz = { 4d 5a } $x1 = "Micorsoft Corportation" fullword wide $x2 = "IM Monnitor Service" fullword wide $s1 = "imemonsvc.dll" fullword wide $s2 = "iphlpsvc.tmp" fullword $z1 = "urlmon" fullword $z2 = "Registered trademarks and service marks are the property of their respec" wide $z3 = "XpsUnregisterServer" fullword $z4 = "XpsRegisterServer" fullword $z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword condition: ( $mz at 0 ) and ( 1 of ($x*) or ( all of ($s*) and all of ($z*) ) ) } rule ce_enfal_cmstar_debug_msg { meta: Author = "rfalcone" Date = "2015.05.10" Description = "Detects the static debug strings within CMSTAR" Reference = "http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin" strings: $d1 = "EEE\x0d\x0a" fullword $d2 = "TKE\x0d\x0a" fullword $d3 = "VPE\x0d\x0a" fullword $d4 = "VPS\x0d\x0a" fullword $d5 = "WFSE\x0d\x0a" fullword $d6 = "WFSS\x0d\x0a" fullword $d7 = "CM**\x0d\x0a" fullword condition: uint16(0) == 0x5a4d and all of ($d*) }