Reworked many rules based on YARA performance guidelines

https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
Florian Roth 2019-03-02 16:02:11 +01:00
parent f3371f2cfd
commit 78706dbe46
36 changed files with 119 additions and 174 deletions


@ -37,11 +37,11 @@ meta:
$sc_1 = "config.xml"
$sc_2 = "options"
$sc_3 = "plugins"
$sc_4 = "util"
/* $sc_4 = "util" */
$sc_5 = "util/OSHelper"
$sc_6 = "Start.class"
$sc_7 = "AlienSpy"
$sc_8 = "PK"
/* $sc_8 = "PK" */ /* too short atom - disabled for performance reasons */
condition:
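Review bot: Disabling `$sc_8 = "PK"` silently drops the archive-magic check if the condition (which continues outside this hunk) used `$sc_8 at 0`; the cheap equivalent this commit applies elsewhere would be `uint16(0) == 0x4b50 and` at the head of the condition. If the condition instead counts matches with `N of ($sc*)`, the two commented-out strings shrink the set and the threshold needs re-checking in the same way the DarkHydrus rules were adjusted in this commit. I cannot see the condition body from here, so both points are to be confirmed against the full rule.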


@ -62,6 +62,7 @@ rule PAS_TOOL_PHP_WEB_KIT_mod {
$cookie = "_COOKIE"
$isset = "isset"
condition:
uint32(0) == 0x68703f3c and
$php at 0 and
(filesize > 10KB and filesize < 30KB) and
#cookie == 2 and
@ -84,7 +85,7 @@ rule WebShell_PHP_Web_Kit_v3 {
$s2 = "(strrev($" ascii
$s3 = "de'.'code';" ascii
condition:
( $php at 0 or $php2 ) and
( ( uint32(0) == 0x68703f3c and $php at 0 ) or $php2 ) and
filesize > 8KB and filesize < 100KB and
all of ($s*)
}
@ -103,6 +104,7 @@ rule WebShell_PHP_Web_Kit_v4 {
$s2 = ";if(PHP_VERSION<'5'){" ascii
$s3 = "=SuBstr_rePlACe(" ascii
condition:
uint32(0) == 0x68703f3c and
$php at 0 and
filesize > 8KB and filesize < 100KB and
2 of ($s*)
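Review bot: The magic literal `uint32(0) == 0x68703f3c` added to three conditions in this file is opaque to the next maintainer, who has to byte-swap it to learn it spells `<?ph`; an inline comment such as `uint32(0) == 0x68703f3c /* "<?ph" little-endian */ and` on the first occurrence makes the short-circuit intent reviewable. The same applies to the other integer magics this commit introduces (RUAG config files, Moonlight Maze, WaterBug PDF, the OSX shebang rules, Hacktools_CN_445_cmd, OtherTools_servu, Regin_Sample_3, mimikatz_kirbi_ticket), where the comment also documents which string the integer check is meant to pre-filter. The commit message points to the performance guidelines but does not record which rules were made more or less permissive, so a note per rule would help later tuning.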


@ -341,7 +341,6 @@ rule APT30_Sample_14 {
hash = "b0740175d20eab79a5d62cdbe0ee1a89212a8472"
strings:
$s0 = "AdobeReader.exe" fullword wide
$s1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" fullword ascii
$s4 = "10.1.7.27" fullword wide
$s5 = "Copyright 1984-2012 Adobe Systems Incorporated and its licensors. All ri" wide
$s8 = "Adobe Reader" fullword wide


@ -14,17 +14,17 @@ rule Casper_Backdoor_x86 {
$s1 = "\"svchost.exe\"" fullword wide
$s2 = "firefox.exe" fullword ascii
$s3 = "\"Host Process for Windows Services\"" fullword wide
$x1 = "\\Users\\*" fullword ascii
$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$x4 = "\\Documents and Settings\\*" fullword ascii
$y1 = "%s; %S=%S" fullword wide
$y2 = "%s; %s=%s" fullword ascii
$y3 = "Cookie: %s=%s" fullword ascii
$y4 = "http://%S:%d" fullword wide
$z1 = "http://google.com/" fullword ascii
$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
$z3 = "Operating System\"" fullword wide
@ -66,18 +66,17 @@ rule Casper_Included_Strings {
strings:
$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
$a1 = "& SYSTEMINFO) ELSE EXIT"
$mz = { 4d 5a }
$c1 = "domcommon.exe" wide fullword // File Name
$c2 = "jpic.gov.sy" fullword // C2 Server
$c3 = "aiomgr.exe" wide fullword // File Name
$c4 = "perfaudio.dat" fullword // Temp File Name
$c5 = "Casper_DLL.dll" fullword // Name
$c5 = "Casper_DLL.dll" fullword // Name
$c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
$c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
condition:
all of ($a*) or
( $mz at 0 ) and ( 1 of ($c*) )
uint16(0) == 0x5a4d and ( 1 of ($c*) )
}
rule Casper_SystemInformation_Output {
@ -87,7 +86,7 @@ rule Casper_SystemInformation_Output {
author = "Florian Roth"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
score = 70
strings:
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
@ -98,4 +97,4 @@ rule Casper_SystemInformation_Output {
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}
}
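Review bot: The rewritten Casper_Included_Strings condition `all of ($a*) or` / `uint16(0) == 0x5a4d and ( 1 of ($c*) )` relies on `and` binding tighter than `or`; that is the intended grouping, but spelling it out as `all of ($a*) or ( uint16(0) == 0x5a4d and 1 of ($c*) )` removes the need for the reader to recall YARA precedence, and mirrors the parenthesised form the removed line had. The remaining hunks in this file appear to be whitespace-only (duplicated `$c5`, `score = 70` and `}` lines with no visible text change).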


@ -36,15 +36,13 @@ rule APT_DarkHydrus_Jul18_2 {
date = "2018-07-28"
hash1 = "b2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81"
strings:
$s1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
$s2 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
$s4 = "windir" fullword ascii /* Goodware String - occured 47 times */
$s6 = "temp.dll" fullword ascii /* Goodware String - occured 3 times */
$s7 = "libgcj-12.dll" fullword ascii /* Goodware String - occured 3 times */
$s8 = "%s\\System32\\%s" fullword ascii /* Goodware String - occured 4 times */
$s9 = "StartW" fullword ascii /* Goodware String - occured 5 times */
condition:
uint16(0) == 0x5a4d and filesize < 40KB and 6 of them
uint16(0) == 0x5a4d and filesize < 40KB and all of them
}
rule APT_DarkHydrus_Jul18_3 {
@ -56,14 +54,12 @@ rule APT_DarkHydrus_Jul18_3 {
date = "2018-07-28"
hash1 = "c8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3"
strings:
$s1 = "msdncss.com" fullword ascii
$s2 = "Ws2_32.dll" fullword ascii
$s3 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" fullword ascii
$s4 = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and (
pe.imphash() == "478eacfbe2b201dabe63be53f34148a5" or
3 of them
all of them
)
}
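Review bot: After removing the two `A…` strings, APT_DarkHydrus_Jul18_2 requires `all of them` over `$s4`, `$s6`, `$s7`, `$s8`, `$s9`, every one of which the inline annotations mark as a goodware string; together with `uint16(0) == 0x5a4d and filesize < 40KB` this is a weaker discriminator than the previous `6 of them` over seven strings, so false positives on small legitimate binaries are plausible. If no distinctive string is available, consider anchoring on the sample's imphash as APT_DarkHydrus_Jul18_3 already does, e.g. `pe.imphash() == "<imphash of hash1 — to be computed>" or all of them`, or lowering the score to reflect the reduced specificity. The Jul18_3 change (`3 of them` to `all of them` over three strings) preserves the previous strictness and needs no further action.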


@ -15,10 +15,9 @@ rule derusbi_kernel
strings:
$token1 = "$$$--Hello"
$token2 = "Wrod--$$$"
$cfg = "XXXXXXXXXXXXXXX"
$class = ".?AVPCC_BASEMOD@@"
condition:
uint16(0) == 0x5A4D and $token1 and $token2 and $cfg and $class
uint16(0) == 0x5A4D and $token1 and $token2 and $class
}
rule derusbi_linux


@ -158,7 +158,6 @@ rule APT_FIN7_EXE_Sample_Aug18_5 {
hash1 = "7789a3d7d05c30b4efaf3f2f5811804daa56d78a9a660968a4f1f9a78a9108a0"
strings:
$s1 = "x0=%d, y0=%d, x1=%d, y1=%d" fullword ascii
$s2 = "........................................................................................................" fullword ascii
$s3 = "sdfkjdfjfhgurgvncmnvmfdjdkfjdkfjdf" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them


@ -1419,7 +1419,7 @@ rule IMPLANT_8_v1
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
score = 65
strings:
$DOTNET = "mscorlib" ascii
$REF_URL = "https://www.google.com/url?sa=" wide
@ -1432,11 +1432,13 @@ rule IMPLANT_8_v1
$REF_var_7 = "&ei=" wide
$REF_var_8 = "&usg=" wide
$REF_var_9 = "&bvm=" wide
/*
$REF_value_1 = "QFj" wide
$REF_value_2 = "bv.81" wide
*/ /* disabled due to performance reasons */
condition:
(uint16(0) == 0x5A4D) and ($DOTNET) and ($REF_URL) and
(3 of ($REF_var*)) and (1 of ($REF_value*))
(3 of ($REF_var*)) /* and (1 of ($REF_value*)) */
}
/* TOO MANY FALSE POSITIVES


@ -207,12 +207,10 @@ meta:
description = "Rule to detect Moonlight Maze encrypted keylogger logs"
strings:
$a1={47 01 22 2A 6D 3E 39 2C}
condition:
($a1 at 0)
uint32(0) == 0x2a220147 and ($a1 at 0)
}


@ -33,8 +33,6 @@
private rule PrikormkaDropper
{
strings:
$mz = { 4D 5A }
$kd1 = "KDSTORAGE" wide
$kd2 = "KDSTORAGE_64" wide
$kd3 = "KDRUNDRV32" wide
@ -47,14 +45,12 @@ private rule PrikormkaDropper
$inj1 = "?AVCinj2008Dlg@@" ascii
$inj2 = "?AVCinj2008App@@" ascii
condition:
($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
uint16(0) == 0x5a4d and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
}
private rule PrikormkaModule
{
strings:
$mz = { 4D 5A }
// binary
$str1 = {6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}
$str2 = {68 6C 70 75 63 74 66 2E 64 6C 6C 00 43 79 63 6C 65}
@ -106,14 +102,12 @@ private rule PrikormkaModule
$str34 = "\\TOOLS PZZ\\Bezzahod\\" ascii
condition:
($mz at 0) and (any of ($str*))
uint16(0) == 0x5a4d and (any of ($str*))
}
private rule PrikormkaEarlyVersion
{
strings:
$mz = { 4D 5A }
$str1 = "IntelRestore" ascii fullword
$str2 = "Resent" wide fullword
$str3 = "ocp8.1" wide fullword
@ -124,7 +118,7 @@ private rule PrikormkaEarlyVersion
$str8 = "KDLLCFX" wide fullword
$str9 = "KDLLRUNDRV" wide fullword
condition:
($mz at 0) and (2 of ($str*))
uint16(0) == 0x5a4d and (2 of ($str*))
}
rule Prikormka


@ -3,7 +3,7 @@
Author: Florian Roth
Date: 2016-05-23
Identifier: Swiss RUAG APT Case
Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
Reference: https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
*/
rule RUAG_Tavdig_Malformed_Executable {
@ -28,7 +28,7 @@ rule RUAG_Bot_Config_File {
$s2 = "name = " ascii
$s3 = "exe = cmd.exe" ascii
condition:
$s1 at 0 and $s2 and $s3 and filesize < 160
uint32(0) == 0x4e4f435b and $s1 at 0 and $s2 and $s3 and filesize < 160
}
rule RUAG_Cobra_Malware {
@ -54,16 +54,16 @@ rule RUAG_Cobra_Config_File {
$s1 = "object_id=" ascii
$s2 = "[TIME]" ascii fullword
$s3 = "lastconnect" ascii
$s3 = "lastconnect" ascii
$s4 = "[CW_LOCAL]" ascii fullword
$s5 = "system_pipe" ascii
$s6 = "user_pipe" ascii
$s7 = "[TRANSPORT]" ascii
$s8 = "run_task_system" ascii
$s9 = "[WORKDATA]" ascii
$s9 = "[WORKDATA]" ascii
$s10 = "address1" ascii
condition:
$h1 at 0 and 8 of ($s*) and filesize < 5KB
uint32(0) == 0x4d414e5b and $h1 at 0 and 8 of ($s*) and filesize < 5KB
}
rule RUAG_Exfil_Config_File {
@ -77,9 +77,9 @@ rule RUAG_Exfil_Config_File {
$s1 = "system_pipe" ascii
$s2 = "spstatus" ascii
$s3 = "adaptable" ascii
$s3 = "adaptable" ascii
$s4 = "post_frag" ascii
$s5 = "pfsgrowperiod" ascii
condition:
$h1 at 0 and all of ($s*) and filesize < 1KB
uint32(0) == 0x4152545b and $h1 at 0 and all of ($s*) and filesize < 1KB
}


@ -11,7 +11,6 @@ rule SNOWGLOBE_Babar_Malware {
hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
score = 80
strings:
$mz = { 4d 5a }
$z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
$z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
$z2 = "ExecQueryFailled!" fullword ascii
@ -29,7 +28,7 @@ rule SNOWGLOBE_Babar_Malware {
$x5 = "cmd.exe" fullword ascii
$x6 = "DLLPATH" fullword ascii
condition:
( $mz at 0 ) and filesize < 1MB and
uint16(0) == 0x5a4d and filesize < 1MB and
(
( 1 of ($z*) and 1 of ($x*) ) or
( 3 of ($s*) and 4 of ($x*) )


@ -128,23 +128,13 @@ rule apt_win_exe_trojan_derusbi {
date = "2016/02/29"
reference = "https://github.com/fideliscyber/indicators/tree/master/FTA-1021"
strings:
$sa_1 = "USB" wide ascii
$sa_2 = "RAM" wide ascii
$sa_3 = "SHARE" wide ascii
$sa_4 = "HOST: %s:%d"
$sa_5 = "POST"
$sa_6 = "User-Agent: Mozilla"
$sa_7 = "Proxy-Connection: Keep-Alive"
$sa_8 = "Connection: Keep-Alive"
$sa_9 = "Server: Apache"
$sa_10 = "HTTP/1.1"
$sa_11 = "ImagePath"
$sa_12 = "ZwUnloadDriver"
$sa_13 = "ZwLoadDriver"
$sa_14 = "ServiceMain"
$sa_15 = "regsvr32.exe"
$sa_16 = "/s /u" wide ascii
$sa_17 = "rand"
$sa_18 = "_time64"
$sa_19 = "DllRegisterServer"
$sa_20 = "DllUnregisterServer"
@ -164,7 +154,7 @@ rule apt_win_exe_trojan_derusbi {
$sc_3 = "_crt_debugger_hook" wide ascii
$sc_4 = "ue8G5" wide ascii
$sd_1 = "NET" wide ascii
/* $sd_1 = "NET" wide ascii */ /* disabled due to performance reasons */
$sd_2 = "\\\\.\\pipe\\%s" wide ascii
$sd_3 = ".dat" wide ascii
$sd_4 = "CONNECT %s:%d" wide ascii
@ -172,16 +162,16 @@ rule apt_win_exe_trojan_derusbi {
$se_1 = "-%s-%04d" wide ascii
$se_2 = "-%04d" wide ascii
$se_3 = "FAL" wide ascii
$se_4 = "OK" wide ascii
/* $se_3 = "FAL" wide ascii */ /* disabled due to performance reasons */
/* $se_4 = "OK" wide ascii */ /* disabled due to performance reasons */
$se_5 = "2.03" wide ascii
$se_6 = "XXXXXXXXXXXXXXX" wide ascii
/* $se_6 = "XXXXXXXXXXXXXXX" wide ascii */ /* disabled due to memory usage reasons */
condition:
uint16(0) == 0x5A4D and (
all of ($sa_*) or
(
(13 of ($sa_*)) and (
(8 of ($sa_*)) and (
(5 of ($sb_*)) or
(3 of ($sc_*)) or
(all of ($sd_*)) or
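Review bot: The standalone alternative `all of ($sa_*) or` in apt_win_exe_trojan_derusbi is now satisfied by the ten remaining strings (ImagePath, ZwUnloadDriver, ZwLoadDriver, ServiceMain, regsvr32.exe, `/s /u`, rand, _time64, DllRegisterServer, DllUnregisterServer), which are common in legitimate driver-loading COM DLLs; the HTTP and `HOST: %s:%d` strings that previously made `all of ($sa_*)` specific were removed without tightening that branch. Consider dropping the standalone `all of ($sa_*)` alternative, or making it `all of ($sa_*) and 1 of ($sb_*, $sc_*, $sd_*, $se_*)`, so the MZ-plus-generic-API combination alone cannot fire the rule. Disabling `$sd_1`, `$se_3`, `$se_4` and `$se_6` also loosens the `all of ($sd_*)` and any `all of ($se_*)` branches; the condition continues outside this hunk, so those thresholds should be re-read in full.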


@ -16,7 +16,7 @@ rule Neuron_common_strings {
strings:
$strServiceName = "MSExchangeService" ascii
$strReqParameter_1 = "cadataKey" wide
$strReqParameter_2 = "cid" wide
/* $strReqParameter_2 = "cid" wide */ /* disabled due to performance reasons */
$strReqParameter_3 = "cadata" wide
$strReqParameter_4 = "cadataSig" wide
$strEmbeddedKey = "PFJTQUtleVZhbHVlPjxNb2R1bHVzPnZ3WXRKcnNRZjVTcCtWVG9Rb2xuaEVkMHVwWDFrVElFTUNTNEFnRkRCclNm clpKS0owN3BYYjh2b2FxdUtseXF2RzBJcHV0YXhDMVRYazRoeFNrdEpzbHljU3RFaHBUc1l4OVBEcURabVVZVklVb HlwSFN1K3ljWUJWVFdubTZmN0JTNW1pYnM0UWhMZElRbnl1ajFMQyt6TUhwZ0xmdEc2b1d5b0hyd1ZNaz08L01vZH VsdXM+PEV4cG9uZW50PkFRQUI8L0V4cG9uZW50PjwvUlNBS2V5VmFsdWU+" wide


@ -43,7 +43,7 @@ rule turla_png_dropper {
}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
all of ($api*) and
all of ($api*) and
1 of ($code*)
}
@ -57,19 +57,19 @@ rule turla_png_reg_enum_payload {
strings:
$crypt00 = "Microsoft Software Key Storage Provider" wide
$crypt01 = "ChainingModeCBC" wide
$crypt02 = "AES" wide
/* $crypt02 = "AES" wide */ /* disabled due to performance reasons */
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and
pe.imports("advapi32.dll", "RegEnumValueA") and
pe.imports("advapi32.dll", "RegEnumKeyExA") and
pe.imports("ncrypt.dll", "NCryptOpenStorageProvider") and
pe.imports("ncrypt.dll", "NCryptEnumKeys") and
pe.imports("ncrypt.dll", "NCryptOpenKey") and
pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and
pe.imports("advapi32.dll", "RegEnumValueA") and
pe.imports("advapi32.dll", "RegEnumKeyExA") and
pe.imports("ncrypt.dll", "NCryptOpenStorageProvider") and
pe.imports("ncrypt.dll", "NCryptEnumKeys") and
pe.imports("ncrypt.dll", "NCryptOpenKey") and
pe.imports("ncrypt.dll", "NCryptDecrypt") and
pe.imports("ncrypt.dll", "BCryptGenerateSymmetricKey") and
pe.imports("ncrypt.dll", "BCryptGetProperty") and
pe.imports("ncrypt.dll", "BCryptDecrypt") and
pe.imports("ncrypt.dll", "BCryptEncrypt") and
pe.imports("ncrypt.dll", "BCryptGenerateSymmetricKey") and
pe.imports("ncrypt.dll", "BCryptGetProperty") and
pe.imports("ncrypt.dll", "BCryptDecrypt") and
pe.imports("ncrypt.dll", "BCryptEncrypt") and
all of them
}


@ -222,7 +222,6 @@ rule Waterbear_13_Jun17 {
$s3 = "ChangeServiceConfig failed (%d)" fullword ascii
$s4 = "Proxy %d:%s %d" fullword ascii
$s5 = "win9807.tmp" fullword ascii
$s6 = "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" fullword ascii
$s7 = "Service stopped successfully" fullword ascii
$s8 = "current dns:%s" fullword ascii
$s9 = "%c%u|%u|%u|%u|%u|" fullword ascii


@ -7,11 +7,10 @@ rule WaterBug_wipbot_2013_core_PDF {
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$PDF = "%PDF-"
$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
condition:
($PDF at 0) and #a > 150 and #b > 200
uint32(0) == 0x46445025 and #a > 150 and #b > 200
}
rule WaterBug_wipbot_2013_dll {
@ -19,7 +18,7 @@ rule WaterBug_wipbot_2013_dll {
description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
reference = "http://t.co/rF35OaAXrl"
strings:
$string1 = "/%s?rank=%s"
$string2 = "ModuleStart\x00ModuleStop\x00start"
@ -35,7 +34,7 @@ rule WaterBug_wipbot_2013_core {
description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
reference = "http://t.co/rF35OaAXrl"
strings:
$mz = "MZ"
$code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
@ -51,15 +50,15 @@ rule WaterBug_turla_dropper {
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
strings:
$a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
$b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
condition:
condition:
all of them
}
rule WaterBug_fa_malware {
meta:
rule WaterBug_fa_malware {
meta:
description = "Symantec Waterbug Attack - FA malware variant"
author = "Symantec Security Response"
date = "22.01.2015"
@ -80,11 +79,11 @@ rule WaterBug_fa_malware {
rule WaterBug_turla_dll {
meta:
meta:
description = "Symantec Waterbug Attack - Trojan Turla DLL"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
reference = "http://t.co/rF35OaAXrl"
strings:
$a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
condition:
@ -92,26 +91,26 @@ rule WaterBug_turla_dll {
}
rule WaterBug_sav_dropper {
meta:
meta:
description = "Symantec Waterbug Attack - SAV Dropper"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
reference = "http://t.co/rF35OaAXrl"
strings:
$mz = "MZ"
$a = /[a-z]{,10}_x64.sys\x00hMZ\x00/
condition:
($mz at 0) and uint32(0x400) == 0x000000c3 and pe.number_of_sections == 6 and $a
($mz at 0) and uint32(0x400) == 0x000000c3 and pe.number_of_sections == 6 and $a
}
*/
*/
rule WaterBug_sav {
meta:
meta:
description = "Symantec Waterbug Attack - SAV Malware"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
reference = "http://t.co/rF35OaAXrl"
strings:
$mz = "MZ"
$code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
@ -119,5 +118,5 @@ rule WaterBug_sav {
$code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
$code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
condition:
($mz at 0) and (($code1a or $code1b or $code1c) and $code2)
}
($mz at 0) and (($code1a or $code1b or $code1c) and $code2)
}
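Review bot: WaterBug_sav still declares `$mz = "MZ"` and gates on `($mz at 0)`, which is exactly the two-byte-atom pattern this commit removes from the other rule files; the hunk here appears to be whitespace-only, so the rule keeps the scan-time cost the commit set out to eliminate. The equivalent rewrite is `uint16(0) == 0x5a4d and (($code1a or $code1b or $code1c) and $code2)` with the `$mz` string deleted, and WaterBug_wipbot_2013_core carries the same `$mz = "MZ"` declaration (its condition is outside the hunk). The `($mz at 0)` occurrence in WaterBug_sav_dropper appears to sit inside a block comment closed by the `*/` line, so it is inert. In WaterBug_wipbot_2013_core_PDF the new `uint32(0) == 0x46445025` covers only `%PDF`, dropping the trailing `-` the removed `$PDF` string checked; `uint8(4) == 0x2d` would restore it if wanted.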


@ -213,7 +213,6 @@ rule WildNeutron_Sample_9 {
hash = "781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e"
strings:
$s0 = "http://get.adobe.com/flashplayer/" fullword wide /* PEStudio Blacklist: strings */ /* score: '30.00' */
$s1 = "xxxxxxxxxxxxxxxxxxxx" fullword wide /* reversed goodware string 'xxxxxxxxxxxxxxxxxxxx' */ /* score: '19.00' */
$s4 = " Player Installer/Uninstaller" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.42' */
$s5 = "Adobe Flash Plugin Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.00' */
$s6 = "uSOFTWARE\\Adobe" fullword wide /* PEStudio Blacklist: strings */ /* score: '10.42' */


@ -365,7 +365,6 @@ rule MAL_BurningUmbrella_Sample_22 {
hash1 = "fa116cf9410f1613003ca423ad6ca92657a61b8e9eda1b05caf4f30ca650aee5"
strings:
$s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\" fullword ascii
$s2 = "========================================================================================================" fullword ascii
$s3 = "Content-Disposition: form-data; name=\"txt\"; filename=\"" fullword ascii
$s4 = "Fail To Enum Service" fullword ascii
$s5 = "Host Power ON Time" fullword ascii


@ -39,7 +39,6 @@ rule CN_Honker_passwd_dict_3389 {
$s4 = "passwd" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 42 times */
$s5 = "password" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 244 times */
$s7 = "12345678" fullword ascii /* Goodware String - occured 29 times */
$s8 = "888888" fullword ascii /* Goodware String - occured 61 times */
condition:
filesize < 1KB and all of them
}
@ -354,4 +353,4 @@ rule CN_Honker_mssqlpw_scan {
$s1 = "response.Write \"Done!<br>Process \" & tTime & \" s\"" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 6KB and all of them
}
}


@ -33,23 +33,21 @@ rule Enfal_Malware_Backdoor {
hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
score = 60
strings:
$mz = { 4d 5a }
$x1 = "Micorsoft Corportation" fullword wide
$x2 = "IM Monnitor Service" fullword wide
$s1 = "imemonsvc.dll" fullword wide
$s2 = "iphlpsvc.tmp" fullword
$z1 = "urlmon" fullword
$z2 = "Registered trademarks and service marks are the property of their respec" wide
$z2 = "Registered trademarks and service marks are the property of their respec" wide
$z3 = "XpsUnregisterServer" fullword
$z4 = "XpsRegisterServer" fullword
$z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
condition:
( $mz at 0 ) and
(
1 of ($x*) or
uint16(0) == 0x5a4d and
(
1 of ($x*) or
( all of ($s*) and all of ($z*) )
)
}
}


@ -6,7 +6,6 @@ rule Hermes2_1 {
reference = "https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
hash = "b27881f59c8d8cc529fa80a58709db36"
strings:
$magic = { 4D 5A }
//in both version 2.1 and sample in Feb
$s1 = "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\"
$s2 = "0419"
@ -23,5 +22,5 @@ rule Hermes2_1 {
$u2 = "HERMES 2.1 TEST BUILD, press ok"
$u3 = "hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA" //RSA Key part
condition:
$magic at 0 and all of ($s*) and 3 of ($S*) and 1 of ($u*)
}
uint16(0) == 0x5a4d and all of ($s*) and 3 of ($S*) and 1 of ($u*)
}


@ -337,7 +337,7 @@ rule OtherTools_servu {
$s2 = "GetProcAddress" fullword ascii
$s3 = "WriteFile" fullword ascii
condition:
$s0 at 0 and filesize < 50KB and all of them
uint32(0) == 0x454b5a4d and $s0 at 0 and filesize < 50KB and all of them
}
rule ustrrefadd {


@ -15,5 +15,5 @@ rule mimikatz_kirbi_ticket
strings:
$asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
condition:
$asn1 at 0
uint16(0) == 0x8276 and $asn1 at 0
}


@ -231,10 +231,10 @@ rule Msfpayloads_msf_9 {
$s3 = "[0] = \"chmod\";" ascii
$s4 = "= Runtime.getRuntime().exec(" ascii
$s5 = ", 16) & 0xff;" ascii
$x1 = "4d5a9000030000000" ascii
condition:
4 of ($s*) or $x1 at 0
4 of ($s*) or (
uint32(0) == 0x00905a4d and uint32(4) == 0x00000003
)
}
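Review bot: The replacement for `$x1 at 0` in Msfpayloads_msf_9 changes what the rule matches: the removed `$x1 = "4d5a9000030000000" ascii` was a text string, i.e. it matched files that begin with the hex-encoded DOS header as ASCII characters, whereas `uint32(0) == 0x00905a4d and uint32(4) == 0x00000003` compares raw bytes and is true for the standard `4d 5a 90 00 03 00 00 00` header of practically every linked PE. Because it is joined to the `$s*` test with `or`, the rule as written appears to fire on nearly any ordinary Windows executable, which is a severe false-positive regression rather than a performance tweak. A fast pre-filter that keeps the original meaning is to restore `$x1` and write `4 of ($s*) or ( uint32(0) == 0x61356434 and $x1 at 0 )`, where 0x61356434 is the little-endian encoding of the ASCII text `4d5a`.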
rule Msfpayloads_msf_10 {


@ -1,3 +1,4 @@
rule OSX_backdoor_Bella {
meta:
description = "Bella MacOS/OSX backdoor"
@ -7,7 +8,7 @@ rule OSX_backdoor_Bella {
hash = "4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be"
strings:
$h1 = /#!\/usr\/bin\/env\s+python/
$h1 = "#!/usr/bin/env"
//prereqs
$s0 = "subprocess" fullword ascii
@ -27,7 +28,8 @@ rule OSX_backdoor_Bella {
$subpart2_b = "appleIDPhish" fullword ascii
$subpart2_c = "iTunes" fullword ascii
condition:
$h1 at 0
uint32(0) == 0x752f2123
and $h1 at 0
and filesize < 120KB
and @s0[1] < 100
and @s1[1] < 100
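Review bot: Replacing `$h1 = /#!\/usr\/bin\/env\s+python/` with `$h1 = "#!/usr/bin/env"` drops the interpreter check, so the header gate in OSX_backdoor_Bella now admits any env-shebang script (shell, perl, node) and specificity rests entirely on the `$s*` strings and the `@s0[1] < 100` offset tests; OSX_backdoor_EvilOSX makes the same change. If the regex was the performance concern, `$h1 = "#!/usr/bin/env python"` keeps the interpreter in the anchor at the cost of no longer accepting tabs or multiple spaces between `env` and `python`, which the `\s+` allowed; whether that looser form occurs in the samples should be checked before choosing. The `-1,3 +1,4` hunk adds one line before the rule header that is not visible here, so I cannot tell whether a module import or comment was introduced.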


@ -7,7 +7,7 @@ rule OSX_backdoor_EvilOSX {
hash = "89e5b8208daf85f549d9b7df8e2a062e47f15a5b08462a4224f73c0a6223972a"
strings:
$h1 = /#!\/usr\/bin\/env\s+python/
$h1 = "#!/usr/bin/env"
$s0 = "import base64" fullword ascii
$s1 = "b64decode" fullword ascii
@ -23,7 +23,8 @@ rule OSX_backdoor_EvilOSX {
$enc_x1 = /(AGUAdABfAGwAYQB1AG4AYwBoAF8AYQBnAGUAbgB0AF8AZABpAHIAZQBjAHQAbwByAHkA|cAZQB0AF8AbABhAHUAbgBjAGgAXwBhAGcAZQBuAHQAXwBkAGkAcgBlAGMAdABvAHIAeQ|dldF9sYXVuY2hfYWdlbnRfZGlyZWN0b3J5|Z2V0X2xhdW5jaF9hZ2VudF9kaXJlY3Rvcn|ZwBlAHQAXwBsAGEAdQBuAGMAaABfAGEAZwBlAG4AdABfAGQAaQByAGUAYwB0AG8AcgB5A|ZXRfbGF1bmNoX2FnZW50X2RpcmVjdG9ye)/ ascii
condition:
$h1 at 0
uint32(0) == 0x752f2123
and $h1 at 0
and filesize < 30KB
and all of ($s*)
and


@ -26,7 +26,8 @@ rule Persistence_Agent_MacOS {
$einterval_b = /(AHUAbgBBAHQATABvAGEAZA|dW5BdExvYW|IAdQBuAEEAdABMAG8AYQBkA|J1bkF0TG9hZ|UgB1AG4AQQB0AEwAbwBhAGQA|UnVuQXRMb2Fk)/ ascii
condition:
$h1 at 0
uint32(0) == 0x752f2123
and $h1 at 0
and filesize < 120KB
and
(


@ -15,7 +15,6 @@ rule RAT_AAR
$d = "testmemory.FRMMain.resources"
$e = "$this.Icon" wide
$f = "{11111-22222-20001-00001}" wide
$g = "@@@@@"
condition:
all of them


@ -76,8 +76,6 @@ rule Equation_Kaspersky_TripleFantasy_1 {
date = "2015/02/16"
hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
strings:
$mz = { 4d 5a }
$s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
$s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
$s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
@ -95,7 +93,7 @@ rule Equation_Kaspersky_TripleFantasy_1 {
$z2 = "www.google.com@80" fullword wide
$z3 = "127.0.0.1:3128" fullword wide
condition:
( $mz at 0 ) and filesize < 300000 and
uint16(0) == 0x5a4d and filesize < 300000 and
(
( all of ($s*) and all of ($z*) ) or
( all of ($s*) and 1 of ($x*) )
@ -111,8 +109,6 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
date = "2015/02/16"
hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
strings:
$mz = { 4d 5a }
$z1 = "msvcp5%d.dll" fullword ascii
$s0 = "actxprxy.GetProxyDllInfo" fullword ascii
@ -120,7 +116,6 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
$s5 = "actxprxy.DllRegisterServer" fullword ascii
$s6 = "actxprxy.DllUnregisterServer" fullword ascii
$x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
$x2 = "191H1a1" fullword ascii
$x3 = "November " fullword ascii
$x4 = "abababababab" fullword ascii
@ -128,7 +123,7 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
$x6 = "October " fullword ascii
$x7 = "September " fullword ascii
condition:
( $mz at 0 ) and filesize < 350000 and
uint16(0) == 0x5a4d and filesize < 350000 and
(
( $z1 ) or
( all of ($s*) and 6 of ($x*) )
@ -144,7 +139,6 @@ rule Equation_Kaspersky_GROK_Keylogger {
date = "2015/02/16"
hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
strings:
$mz = { 4d 5a }
$s0 = "c:\\users\\rmgree5\\" ascii
$s1 = "msrtdv.sys" fullword wide
@ -161,7 +155,7 @@ rule Equation_Kaspersky_GROK_Keylogger {
$z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
condition:
( $mz at 0 ) and filesize < 250000 and
uint16(0) == 0x5a4d and filesize < 250000 and
(
$s0 or
( $s1 and 6 of ($x*) ) or
@ -194,8 +188,6 @@ rule Equation_Kaspersky_EquationDrugInstaller {
date = "2015/02/16"
hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
strings:
$mz = { 4d 5a }
$s0 = "\\system32\\win32k.sys" fullword wide
$s1 = "ALL_FIREWALLS" fullword ascii
@ -207,7 +199,7 @@ rule Equation_Kaspersky_EquationDrugInstaller {
$x6 = "WinStaObj" fullword wide
$x7 = "BINRES" fullword wide
condition:
( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
uint16(0) == 0x5a4d and filesize < 500000 and all of ($s*) and 5 of ($x*)
}
rule Equation_Kaspersky_EquationLaserInstaller {
@ -219,7 +211,6 @@ rule Equation_Kaspersky_EquationLaserInstaller {
date = "2015/02/16"
hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
strings:
$mz = { 4d 5a }
$s0 = "Failed to get Windows version" fullword ascii
$s1 = "lsasrv32.dll and lsass.exe" fullword wide
$s2 = "\\\\%s\\mailslot\\%s" fullword ascii
@ -230,7 +221,7 @@ rule Equation_Kaspersky_EquationLaserInstaller {
$s7 = "VIEWERS" fullword ascii
$s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
condition:
( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
uint16(0) == 0x5a4d and filesize < 250000 and 6 of ($s*)
}
rule Equation_Kaspersky_FannyWorm {
@ -242,8 +233,6 @@ rule Equation_Kaspersky_FannyWorm {
date = "2015/02/16"
hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
strings:
$mz = { 4d 5a }
$s1 = "x:\\fanny.bmp" fullword ascii
$s2 = "32.exe" fullword ascii
$s3 = "d:\\fanny.bmp" fullword ascii
@ -265,7 +254,7 @@ rule Equation_Kaspersky_FannyWorm {
$x15 = "Global\\RPCMutex" fullword ascii
$x16 = "Global\\DirectMarketing" fullword ascii
condition:
( $mz at 0 ) and filesize < 300000 and
uint16(0) == 0x5a4d and filesize < 300000 and
(
( 2 of ($s*) ) or
( 1 of ($s*) and 6 of ($x*) ) or
@ -282,7 +271,6 @@ rule Equation_Kaspersky_HDD_reprogramming_module {
date = "2015/02/16"
hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
strings:
$mz = { 4d 5a }
$s0 = "nls_933w.dll" fullword ascii
$s1 = "BINARY" fullword wide
@ -290,7 +278,7 @@ rule Equation_Kaspersky_HDD_reprogramming_module {
$s3 = "HAL.dll" fullword ascii
$s4 = "READ_REGISTER_UCHAR" fullword ascii
condition:
( $mz at 0 ) and filesize < 300000 and all of ($s*)
uint16(0) == 0x5a4d and filesize < 300000 and all of ($s*)
}
rule Equation_Kaspersky_EOP_Package {
@ -302,7 +290,6 @@ rule Equation_Kaspersky_EOP_Package {
date = "2015/02/16"
hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
strings:
$mz = { 4d 5a }
$s0 = "abababababab" fullword ascii
$s1 = "abcdefghijklmnopq" fullword ascii
$s2 = "@STATIC" fullword wide
@ -311,7 +298,7 @@ rule Equation_Kaspersky_EOP_Package {
$s5 = "prkMtx" fullword wide
$s6 = "cnFormVoidFBC" fullword wide
condition:
( $mz at 0 ) and filesize < 100000 and all of ($s*)
uint16(0) == 0x5a4d and filesize < 100000 and all of ($s*)
}
rule Equation_Kaspersky_TripleFantasy_Loader {
@ -323,8 +310,6 @@ rule Equation_Kaspersky_TripleFantasy_Loader {
date = "2015/02/16"
hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
strings:
$mz = { 4d 5a }
$x1 = "Original Innovations, LLC" fullword wide
$x2 = "Moniter Resource Protocol" fullword wide
$x3 = "ahlhcib.dll" fullword wide
@ -336,7 +321,7 @@ rule Equation_Kaspersky_TripleFantasy_Loader {
$s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
$s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
condition:
( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
uint16(0) == 0x5a4d and filesize < 50000 and ( all of ($x*) and all of ($s*) )
}
/* Rule generated from the mentioned keywords */
@ -350,8 +335,6 @@ rule Equation_Kaspersky_SuspiciousString {
date = "2015/02/17"
score = 60
strings:
$mz = { 4d 5a }
$s1 = "i386\\DesertWinterDriver.pdb" fullword
$s2 = "Performing UR-specific post-install..."
$s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
@ -359,7 +342,7 @@ rule Equation_Kaspersky_SuspiciousString {
$s5 = "standalonegrok_2.1.1.1"
$s6 = "c:\\users\\rmgree5\\"
condition:
( $mz at 0 ) and filesize < 500000 and all of ($s*)
uint16(0) == 0x5a4d and filesize < 500000 and all of ($s*)
}
/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */
@ -392,10 +375,9 @@ rule EquationDrug_CompatLayer_UnilayDLL {
date = "2015/03/11"
hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
strings:
$mz = { 4d 5a }
$s0 = "unilay.dll" fullword ascii
condition:
( $mz at 0 ) and $s0
uint16(0) == 0x5a4d and $s0
}
rule EquationDrug_HDDSSD_Op {


@ -35,7 +35,7 @@ rule Regin_APT_KernelDriver_Generic_A {
$x1 = "LRich6" fullword ascii
$x2 = "KeServiceDescriptorTable" fullword ascii
condition:
$m0 at 0 and $m1 and
uint16(0) == 0x5a4d and $m0 at 0 and $m1 and
all of ($s*) and 1 of ($x*)
}
@ -85,6 +85,7 @@ rule Regin_APT_KernelDriver_Generic_B {
$z4 = "wcslen" fullword ascii
$z5 = "atoi" fullword ascii
condition:
uint16(0) == 0x5a4d and
$m0 at 0 and all of ($s*) and
( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) )
and filesize < 20KB
@ -111,6 +112,7 @@ rule Regin_APT_KernelDriver_Generic_C {
$y1 = "LSA Shell" fullword wide
$y2 = "0Richw" fullword ascii
condition:
uint16(0) == 0x5a4d and
$m0 at 0 and all of ($s*) and
( all of ($x*) or all of ($y*) )
and filesize < 20KB
@ -198,8 +200,6 @@ rule Regin_Sample_3 {
date = "27.11.14"
hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
strings:
$hd = { fe ba dc fe }
$s0 = "Service Pack x" fullword wide
$s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
@ -216,7 +216,7 @@ rule Regin_Sample_3 {
$s13 = "RtlGetVersion" fullword wide
$s14 = "ntkrnlpa.exe" fullword ascii
condition:
( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
uint32(0) == 0xfedcbafe and all of ($s*) and filesize > 160KB and filesize < 200KB
}
rule Regin_Sample_Set_1 {
@ -249,7 +249,7 @@ rule Regin_Sample_Set_1 {
$s19 = "IoCreateDevice" fullword ascii
$s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
condition:
all of them and filesize < 40KB and filesize > 30KB
filesize < 40KB and filesize > 30KB and all of them
}
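Review bot: In Regin_APT_KernelDriver_Generic_A, _B and _C the new `uint16(0) == 0x5a4d and` is prepended while `$m0 at 0` is kept; if `$m0` is the `{ 4d 5a }` pattern (its declaration is outside these hunks), the two-byte atom still has to be scanned for across the whole input and the change gains little, unlike the other rules in this commit where the string was deleted. The consistent rewrite would drop `$m0 at 0` and the `$m0` string, leaving `uint16(0) == 0x5a4d and $m1 and all of ($s*) and 1 of ($x*)` in Generic_A and the analogous form in B and C. Regin_Sample_3's `uint32(0) == 0xfedcbafe` correctly encodes the removed `{ fe ba dc fe }` header, and the Regin_Sample_Set_1 reordering is harmless.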
rule Regin_Sample_Set_2 {


@ -487,8 +487,6 @@ rule Tiny_Network_Tool_Generic {
hash1 = "cafc31d39c1e4721af3ba519759884b9"
hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
strings:
$magic = { 4d 5a }
$s0 = "KERNEL32.DLL" fullword ascii
$s1 = "CRTDLL.DLL" fullword ascii
$s3 = "LoadLibraryA" fullword ascii
@ -509,7 +507,7 @@ rule Tiny_Network_Tool_Generic {
$z4 = "ToAscii" fullword ascii
condition:
( $magic at 0 ) and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB
uint16(0) == 0x5a4d and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB
}
rule Beastdoor_Backdoor {
@ -667,7 +665,6 @@ rule CN_Hacktool_1433_Scanner {
score = 40
date = "12.10.2014"
strings:
$magic = { 4d 5a }
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "del Weak1.txt" ascii fullword
@ -675,7 +672,7 @@ rule CN_Hacktool_1433_Scanner {
$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii
$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
condition:
( $magic at 0 ) and all of ($s*)
uint16(0) == 0x5a4d and all of ($s*)
}
rule CN_Hacktool_1433_Scanner_Comp2 {
@ -686,12 +683,11 @@ rule CN_Hacktool_1433_Scanner_Comp2 {
score = 40
date = "12.10.2014"
strings:
$magic = { 4d 5a }
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
condition:
( $magic at 0 ) and all of ($s*)
uint16(0) == 0x5a4d and all of ($s*)
}
rule WCE_Modified_1_1014 {
@ -1175,7 +1171,7 @@ rule Hacktools_CN_445_cmd {
$s0 = "cs.exe %1" fullword ascii
$s2 = "nc %1 4444" fullword ascii
condition:
$bat at 0 and all of ($s*)
uint32(0) == 0x68636540 and $bat at 0 and all of ($s*)
}
rule Hacktools_CN_GOGOGO_Bat {
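Review bot: In Hacktools_CN_445_cmd the new `uint32(0) == 0x68636540` literal is undocumented, unlike the self-describing hex strings the other hunks replace, and a reader cannot tell it spells `@ech`; a trailing comment such as `uint32(0) == 0x68636540 and /* "@ech" */ $bat at 0 and all of ($s*)` would fix that, and the same `/* MZ */` annotation would help on the `0x5a4d` checks in the three scanner rules. Unlike the MZ cases, `$bat at 0` is not redundant here because the four-byte check covers only a prefix of `$bat`; `$bat` is declared above the hunk, and if it carries `nocase` the case-sensitive integer comparison now rejects upper-case variants such as `@ECHO` that the rule previously matched, which should be confirmed. In Tiny_Network_Tool_Generic `filesize < 15KB` remains the last operand while Regin_Sample_Set_1 in this same commit was reordered to test `filesize` first; for consistency the cheap test could lead here as well.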


@ -23,13 +23,12 @@ rule Weevely_Webshell {
date = "2014/12/14"
score = 60
strings:
$php = "<?php" ascii
$s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii
$s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii
$s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii
$s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii
condition:
$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
uint32(0) == 0x68703f3c and all of ($s*) and filesize > 570 and filesize < 800
}
rule webshell_h4ntu_shell_powered_by_tsoi_ {
@ -9135,7 +9134,7 @@ rule PHP_Webshell_1_Feb17 {
$s1 = "$i=Array(\"pv\"=>@phpversion(),\"sv\"" ascii
$s3 = "$data = @unserialize(sh_decrypt(@base64_decode($data),$data_key));" ascii
condition:
( $h1 at 0 and 1 of them ) or 2 of them
uint32(0) == 0x68703f3c and ( $h1 at 0 and 1 of them ) or 2 of them
}
rule Webshell_Tiny_JSP_2 {
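Review bot: In PHP_Webshell_1_Feb17 the new condition `uint32(0) == 0x68703f3c and ( $h1 at 0 and 1 of them ) or 2 of them` is ambiguous to a reader: `and` binds tighter than `or` in YARA, so the header test gates only the first alternative and `2 of them` still fires on any file type exactly as before. If that is intended, the new term is redundant with `$h1 at 0` (assuming `$h1` is the `<?php` marker declared above the hunk) and the grouping should be made explicit as `( uint32(0) == 0x68703f3c and $h1 at 0 and 1 of them ) or 2 of them`; if the header was meant to be required for every match, it needs `uint32(0) == 0x68703f3c and ( ( $h1 at 0 and 1 of them ) or 2 of them )`. Weevely_Webshell's `0x68703f3c` verifies only `<?ph`, where the removed `$php` string checked the full `<?php`; a `/* "<?ph" */` comment on the literal would make the slightly weaker check visible.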


@ -334,11 +334,10 @@ rule APT_Cloaked_SuperScan
author = "Florian Roth"
score = 50
strings:
$magic = { 4d 5a }
$s0 = "SuperScan4.exe" wide fullword
$s1 = "Foundstone Inc." wide fullword
condition:
( $magic at 0 ) and $s0 and $s1 and not filename contains "superscan"
uint16(0) == 0x5a4d and $s0 and $s1 and not filename contains "superscan"
}
rule APT_Cloaked_ScanLine
@ -350,12 +349,11 @@ rule APT_Cloaked_ScanLine
author = "Florian Roth"
score = 50
strings:
$magic = { 4d 5a }
$s0 = "ScanLine" wide fullword
$s1 = "Command line port scanner" wide fullword
$s2 = "sl.exe" wide fullword
condition:
( $magic at 0 ) and $s0 and $s1 and $s2 and not filename == "sl.exe"
uint16(0) == 0x5a4d and $s0 and $s1 and $s2 and not filename == "sl.exe"
}
rule SAM_Hive_Backup
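Review bot: The rewritten conditions in APT_Cloaked_SuperScan and APT_Cloaked_ScanLine keep the case-sensitive `not filename contains "superscan"` and `not filename == "sl.exe"` exclusions, so a legitimately named `SuperScan4.exe` or `SL.EXE` is not excluded unless the scanning tool lower-cases the `filename` external variable before the scan; whether it does depends on the caller and should be confirmed, and a comment such as `/* filename is expected lower-cased by the scanner */` on the condition would record that assumption. Since `filename` is an external variable, these two rules also fail to compile when it is not defined at compile time, which is worth stating in the rule meta for anyone loading this file outside that tool.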


@ -12,12 +12,11 @@ rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
strings:
$mz = { 4d 5a }
//$s1 = "VisualDiscovery.exe" fullword wide
$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
$s3 = "GetPCProxyHandler" fullword ascii
$s4 = "StartPCProxy" fullword ascii
$s5 = "SetPCProxyHandler" fullword ascii
condition:
( $mz at 0 ) and filesize < 2MB and all of ($s*)
}
uint16(0) == 0x5a4d and filesize < 2MB and all of ($s*)
}
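Review bot: The closing `}` of VisualDiscovery_Lonovo_Superfish_SSL_Hijack appears on both the old and the new side of the hunk although only the condition line was rewritten, which suggests the file's last line differs only in its line ending or in a missing newline at end of file; ending the file with a single newline keeps future diffs limited to the lines that actually change. The new condition itself is sound: `uint16(0) == 0x5a4d` replaces the removed `$mz` correctly and `filesize < 2MB` is tested before `all of ($s*)`. With `$s1` still commented out, `all of ($s*)` now means the four remaining strings, and a short note on the disabled line explaining why it was dropped would help the next editor.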


@ -173,7 +173,6 @@ rule GIFCloaked_Webshell_A {
hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
score = 60
strings:
$magic = { 47 49 46 38 } /* GIF8 ... */
$s0 = "input type"
$s1 = "<%eval request"
$s2 = "<%eval(Request.Item["
@ -184,7 +183,7 @@ rule GIFCloaked_Webshell_A {
$fp1 = "<form name=\"social_form\""
condition:
( $magic at 0 ) and ( 1 of ($s*) )
uint32(0) == 0x38464947 and ( 1 of ($s*) )
and not 1 of ($fp*)
}