Reworked many rules based on YARA performance guidelines

https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
This commit is contained in:
Florian Roth 2019-03-02 16:02:11 +01:00
parent f3371f2cfd
commit 78706dbe46
36 changed files with 119 additions and 174 deletions


@ -37,11 +37,11 @@ meta:
$sc_1 = "config.xml"
$sc_2 = "options"
$sc_3 = "plugins"
$sc_4 = "util"
/* $sc_4 = "util" */
$sc_5 = "util/OSHelper"
$sc_6 = "Start.class"
$sc_7 = "AlienSpy"
$sc_8 = "PK"
/* $sc_8 = "PK" */ /* too short atom - disabled for performance reasons */
condition:
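Review bot: The condition that consumes the two disabled strings `$sc_4` and `$sc_8` begins on the last line of the hunk and its body is not visible, so the effect of commenting them out cannot be confirmed from here. If the condition references either identifier by name the rule no longer compiles; if it uses a count such as `N of ($sc*)` the effective threshold shifts because the set shrank by two. A compile pass over the rule set would settle both cases. The same applies to `$strReqParameter_2` in the Neuron_common_strings hunk and `$crypt02` in the turla_png_reg_enum_payload hunk, whose conditions are likewise outside the visible lines.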


@ -62,6 +62,7 @@ rule PAS_TOOL_PHP_WEB_KIT_mod {
$cookie = "_COOKIE"
$isset = "isset"
condition:
uint32(0) == 0x68703f3c and
$php at 0 and
(filesize > 10KB and filesize < 30KB) and
#cookie == 2 and
@ -84,7 +85,7 @@ rule WebShell_PHP_Web_Kit_v3 {
$s2 = "(strrev($" ascii
$s3 = "de'.'code';" ascii
condition:
( $php at 0 or $php2 ) and
( ( uint32(0) == 0x68703f3c and $php at 0 ) or $php2 ) and
filesize > 8KB and filesize < 100KB and
all of ($s*)
}
@ -103,6 +104,7 @@ rule WebShell_PHP_Web_Kit_v4 {
$s2 = ";if(PHP_VERSION<'5'){" ascii
$s3 = "=SuBstr_rePlACe(" ascii
condition:
uint32(0) == 0x68703f3c and
$php at 0 and
filesize > 8KB and filesize < 100KB and
2 of ($s*)
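Review bot: The literal `0x68703f3c` on the added condition lines carries no hint that it is the little-endian encoding of `<?ph`, which makes every later edit of the header string a silent drift risk. A short trailing comment on the new line, e.g. `uint32(0) == 0x68703f3c and /* "<?ph" */`, documents the byte meaning in place. The same applies to the other hand-computed magics in this commit: `0x2a220147` (Moonlight Maze), `0x4e4f435b`, `0x4d414e5b` and `0x4152545b` (RUAG config rules), `0x454b5a4d` (OtherTools_servu), `0x68636540` (Hacktools_CN_445_cmd) and `0x752f2123` (OSX shebang rules), where in most cases the string the constant has to agree with is defined outside the hunk.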


@ -341,7 +341,6 @@ rule APT30_Sample_14 {
hash = "b0740175d20eab79a5d62cdbe0ee1a89212a8472"
strings:
$s0 = "AdobeReader.exe" fullword wide
$s1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" fullword ascii
$s4 = "10.1.7.27" fullword wide
$s5 = "Copyright 1984-2012 Adobe Systems Incorporated and its licensors. All ri" wide
$s8 = "Adobe Reader" fullword wide


@ -67,7 +67,6 @@ rule Casper_Included_Strings {
$a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
$a1 = "& SYSTEMINFO) ELSE EXIT"
$mz = { 4d 5a }
$c1 = "domcommon.exe" wide fullword // File Name
$c2 = "jpic.gov.sy" fullword // C2 Server
$c3 = "aiomgr.exe" wide fullword // File Name
@ -77,7 +76,7 @@ rule Casper_Included_Strings {
$c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
condition:
all of ($a*) or
( $mz at 0 ) and ( 1 of ($c*) )
uint16(0) == 0x5a4d and ( 1 of ($c*) )
}
rule Casper_SystemInformation_Output {


@ -36,15 +36,13 @@ rule APT_DarkHydrus_Jul18_2 {
date = "2018-07-28"
hash1 = "b2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81"
strings:
$s1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
$s2 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii
$s4 = "windir" fullword ascii /* Goodware String - occured 47 times */
$s6 = "temp.dll" fullword ascii /* Goodware String - occured 3 times */
$s7 = "libgcj-12.dll" fullword ascii /* Goodware String - occured 3 times */
$s8 = "%s\\System32\\%s" fullword ascii /* Goodware String - occured 4 times */
$s9 = "StartW" fullword ascii /* Goodware String - occured 5 times */
condition:
uint16(0) == 0x5a4d and filesize < 40KB and 6 of them
uint16(0) == 0x5a4d and filesize < 40KB and all of them
}
rule APT_DarkHydrus_Jul18_3 {
@ -56,14 +54,12 @@ rule APT_DarkHydrus_Jul18_3 {
date = "2018-07-28"
hash1 = "c8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3"
strings:
$s1 = "msdncss.com" fullword ascii
$s2 = "Ws2_32.dll" fullword ascii
$s3 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" fullword ascii
$s4 = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and (
pe.imphash() == "478eacfbe2b201dabe63be53f34148a5" or
3 of them
all of them
)
}


@ -15,10 +15,9 @@ rule derusbi_kernel
strings:
$token1 = "$$$--Hello"
$token2 = "Wrod--$$$"
$cfg = "XXXXXXXXXXXXXXX"
$class = ".?AVPCC_BASEMOD@@"
condition:
uint16(0) == 0x5A4D and $token1 and $token2 and $cfg and $class
uint16(0) == 0x5A4D and $token1 and $token2 and $class
}
rule derusbi_linux


@ -158,7 +158,6 @@ rule APT_FIN7_EXE_Sample_Aug18_5 {
hash1 = "7789a3d7d05c30b4efaf3f2f5811804daa56d78a9a660968a4f1f9a78a9108a0"
strings:
$s1 = "x0=%d, y0=%d, x1=%d, y1=%d" fullword ascii
$s2 = "........................................................................................................" fullword ascii
$s3 = "sdfkjdfjfhgurgvncmnvmfdjdkfjdkfjdf" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them


@ -1419,7 +1419,7 @@ rule IMPLANT_8_v1
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
score = 65
strings:
$DOTNET = "mscorlib" ascii
$REF_URL = "https://www.google.com/url?sa=" wide
@ -1432,11 +1432,13 @@ rule IMPLANT_8_v1
$REF_var_7 = "&ei=" wide
$REF_var_8 = "&usg=" wide
$REF_var_9 = "&bvm=" wide
/*
$REF_value_1 = "QFj" wide
$REF_value_2 = "bv.81" wide
*/ /* disabled due to performance reasons */
condition:
(uint16(0) == 0x5A4D) and ($DOTNET) and ($REF_URL) and
(3 of ($REF_var*)) and (1 of ($REF_value*))
(3 of ($REF_var*)) /* and (1 of ($REF_value*)) */
}
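Review bot: The `score` change from 85 to 65 on the meta line is undocumented, while the disabled `$REF_value_*` strings do get a `disabled due to performance reasons` marker. Since the lower score presumably reflects the loss of the two discriminating values from the condition, a comment next to the new value, e.g. `score = 65 /* lowered: $REF_value_* disabled, weaker condition */`, would keep the rationale with the rule. The reason is inferred from the hunk; confirm it before settling the wording.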
/* TOO MANY FALSE POSITIVES


@ -207,12 +207,10 @@ meta:
description = "Rule to detect Moonlight Maze encrypted keylogger logs"
strings:
$a1={47 01 22 2A 6D 3E 39 2C}
condition:
($a1 at 0)
uint32(0) == 0x2a220147 and ($a1 at 0)
}


@ -33,8 +33,6 @@
private rule PrikormkaDropper
{
strings:
$mz = { 4D 5A }
$kd1 = "KDSTORAGE" wide
$kd2 = "KDSTORAGE_64" wide
$kd3 = "KDRUNDRV32" wide
@ -47,14 +45,12 @@ private rule PrikormkaDropper
$inj1 = "?AVCinj2008Dlg@@" ascii
$inj2 = "?AVCinj2008App@@" ascii
condition:
($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
uint16(0) == 0x5a4d and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
}
private rule PrikormkaModule
{
strings:
$mz = { 4D 5A }
// binary
$str1 = {6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}
$str2 = {68 6C 70 75 63 74 66 2E 64 6C 6C 00 43 79 63 6C 65}
@ -106,14 +102,12 @@ private rule PrikormkaModule
$str34 = "\\TOOLS PZZ\\Bezzahod\\" ascii
condition:
($mz at 0) and (any of ($str*))
uint16(0) == 0x5a4d and (any of ($str*))
}
private rule PrikormkaEarlyVersion
{
strings:
$mz = { 4D 5A }
$str1 = "IntelRestore" ascii fullword
$str2 = "Resent" wide fullword
$str3 = "ocp8.1" wide fullword
@ -124,7 +118,7 @@ private rule PrikormkaEarlyVersion
$str8 = "KDLLCFX" wide fullword
$str9 = "KDLLRUNDRV" wide fullword
condition:
($mz at 0) and (2 of ($str*))
uint16(0) == 0x5a4d and (2 of ($str*))
}
rule Prikormka


@ -28,7 +28,7 @@ rule RUAG_Bot_Config_File {
$s2 = "name = " ascii
$s3 = "exe = cmd.exe" ascii
condition:
$s1 at 0 and $s2 and $s3 and filesize < 160
uint32(0) == 0x4e4f435b and $s1 at 0 and $s2 and $s3 and filesize < 160
}
rule RUAG_Cobra_Malware {
@ -63,7 +63,7 @@ rule RUAG_Cobra_Config_File {
$s9 = "[WORKDATA]" ascii
$s10 = "address1" ascii
condition:
$h1 at 0 and 8 of ($s*) and filesize < 5KB
uint32(0) == 0x4d414e5b and $h1 at 0 and 8 of ($s*) and filesize < 5KB
}
rule RUAG_Exfil_Config_File {
@ -81,5 +81,5 @@ rule RUAG_Exfil_Config_File {
$s4 = "post_frag" ascii
$s5 = "pfsgrowperiod" ascii
condition:
$h1 at 0 and all of ($s*) and filesize < 1KB
uint32(0) == 0x4152545b and $h1 at 0 and all of ($s*) and filesize < 1KB
}


@ -11,7 +11,6 @@ rule SNOWGLOBE_Babar_Malware {
hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
score = 80
strings:
$mz = { 4d 5a }
$z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
$z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword
$z2 = "ExecQueryFailled!" fullword ascii
@ -29,7 +28,7 @@ rule SNOWGLOBE_Babar_Malware {
$x5 = "cmd.exe" fullword ascii
$x6 = "DLLPATH" fullword ascii
condition:
( $mz at 0 ) and filesize < 1MB and
uint16(0) == 0x5a4d and filesize < 1MB and
(
( 1 of ($z*) and 1 of ($x*) ) or
( 3 of ($s*) and 4 of ($x*) )


@ -128,23 +128,13 @@ rule apt_win_exe_trojan_derusbi {
date = "2016/02/29"
reference = "https://github.com/fideliscyber/indicators/tree/master/FTA-1021"
strings:
$sa_1 = "USB" wide ascii
$sa_2 = "RAM" wide ascii
$sa_3 = "SHARE" wide ascii
$sa_4 = "HOST: %s:%d"
$sa_5 = "POST"
$sa_6 = "User-Agent: Mozilla"
$sa_7 = "Proxy-Connection: Keep-Alive"
$sa_8 = "Connection: Keep-Alive"
$sa_9 = "Server: Apache"
$sa_10 = "HTTP/1.1"
$sa_11 = "ImagePath"
$sa_12 = "ZwUnloadDriver"
$sa_13 = "ZwLoadDriver"
$sa_14 = "ServiceMain"
$sa_15 = "regsvr32.exe"
$sa_16 = "/s /u" wide ascii
$sa_17 = "rand"
$sa_18 = "_time64"
$sa_19 = "DllRegisterServer"
$sa_20 = "DllUnregisterServer"
@ -164,7 +154,7 @@ rule apt_win_exe_trojan_derusbi {
$sc_3 = "_crt_debugger_hook" wide ascii
$sc_4 = "ue8G5" wide ascii
$sd_1 = "NET" wide ascii
/* $sd_1 = "NET" wide ascii */ /* disabled due to performance reasons */
$sd_2 = "\\\\.\\pipe\\%s" wide ascii
$sd_3 = ".dat" wide ascii
$sd_4 = "CONNECT %s:%d" wide ascii
@ -172,16 +162,16 @@ rule apt_win_exe_trojan_derusbi {
$se_1 = "-%s-%04d" wide ascii
$se_2 = "-%04d" wide ascii
$se_3 = "FAL" wide ascii
$se_4 = "OK" wide ascii
/* $se_3 = "FAL" wide ascii */ /* disabled due to performance reasons */
/* $se_4 = "OK" wide ascii */ /* disabled due to performance reasons */
$se_5 = "2.03" wide ascii
$se_6 = "XXXXXXXXXXXXXXX" wide ascii
/* $se_6 = "XXXXXXXXXXXXXXX" wide ascii */ /* disabled due to memory usage reasons */
condition:
uint16(0) == 0x5A4D and (
all of ($sa_*) or
(
(13 of ($sa_*)) and (
(8 of ($sa_*)) and (
(5 of ($sb_*)) or
(3 of ($sc_*)) or
(all of ($sd_*)) or


@ -16,7 +16,7 @@ rule Neuron_common_strings {
strings:
$strServiceName = "MSExchangeService" ascii
$strReqParameter_1 = "cadataKey" wide
$strReqParameter_2 = "cid" wide
/* $strReqParameter_2 = "cid" wide */ /* disabled due to performance reasons */
$strReqParameter_3 = "cadata" wide
$strReqParameter_4 = "cadataSig" wide
$strEmbeddedKey = "PFJTQUtleVZhbHVlPjxNb2R1bHVzPnZ3WXRKcnNRZjVTcCtWVG9Rb2xuaEVkMHVwWDFrVElFTUNTNEFnRkRCclNm clpKS0owN3BYYjh2b2FxdUtseXF2RzBJcHV0YXhDMVRYazRoeFNrdEpzbHljU3RFaHBUc1l4OVBEcURabVVZVklVb HlwSFN1K3ljWUJWVFdubTZmN0JTNW1pYnM0UWhMZElRbnl1ajFMQyt6TUhwZ0xmdEc2b1d5b0hyd1ZNaz08L01vZH VsdXM+PEV4cG9uZW50PkFRQUI8L0V4cG9uZW50PjwvUlNBS2V5VmFsdWU+" wide


@ -57,7 +57,7 @@ rule turla_png_reg_enum_payload {
strings:
$crypt00 = "Microsoft Software Key Storage Provider" wide
$crypt01 = "ChainingModeCBC" wide
$crypt02 = "AES" wide
/* $crypt02 = "AES" wide */ /* disabled due to performance reasons */
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and


@ -222,7 +222,6 @@ rule Waterbear_13_Jun17 {
$s3 = "ChangeServiceConfig failed (%d)" fullword ascii
$s4 = "Proxy %d:%s %d" fullword ascii
$s5 = "win9807.tmp" fullword ascii
$s6 = "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" fullword ascii
$s7 = "Service stopped successfully" fullword ascii
$s8 = "current dns:%s" fullword ascii
$s9 = "%c%u|%u|%u|%u|%u|" fullword ascii


@ -7,11 +7,10 @@ rule WaterBug_wipbot_2013_core_PDF {
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
strings:
$PDF = "%PDF-"
$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
condition:
($PDF at 0) and #a > 150 and #b > 200
uint32(0) == 0x46445025 and #a > 150 and #b > 200
}
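Review bot: The new `uint32(0) == 0x46445025` guard checks only the four bytes `%PDF`, whereas the removed `$PDF = "%PDF-"` string also pinned the fifth byte. The difference is small in practice, but it is a loosening the commit message does not call out; `uint32(0) == 0x46445025 and uint8(4) == 0x2d and #a > 150 and #b > 200` keeps the original five-byte check at no measurable cost.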
rule WaterBug_wipbot_2013_dll {


@ -213,7 +213,6 @@ rule WildNeutron_Sample_9 {
hash = "781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e"
strings:
$s0 = "http://get.adobe.com/flashplayer/" fullword wide /* PEStudio Blacklist: strings */ /* score: '30.00' */
$s1 = "xxxxxxxxxxxxxxxxxxxx" fullword wide /* reversed goodware string 'xxxxxxxxxxxxxxxxxxxx' */ /* score: '19.00' */
$s4 = " Player Installer/Uninstaller" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.42' */
$s5 = "Adobe Flash Plugin Updater" fullword wide /* PEStudio Blacklist: strings */ /* score: '11.00' */
$s6 = "uSOFTWARE\\Adobe" fullword wide /* PEStudio Blacklist: strings */ /* score: '10.42' */


@ -365,7 +365,6 @@ rule MAL_BurningUmbrella_Sample_22 {
hash1 = "fa116cf9410f1613003ca423ad6ca92657a61b8e9eda1b05caf4f30ca650aee5"
strings:
$s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\" fullword ascii
$s2 = "========================================================================================================" fullword ascii
$s3 = "Content-Disposition: form-data; name=\"txt\"; filename=\"" fullword ascii
$s4 = "Fail To Enum Service" fullword ascii
$s5 = "Host Power ON Time" fullword ascii


@ -39,7 +39,6 @@ rule CN_Honker_passwd_dict_3389 {
$s4 = "passwd" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 42 times */
$s5 = "password" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 244 times */
$s7 = "12345678" fullword ascii /* Goodware String - occured 29 times */
$s8 = "888888" fullword ascii /* Goodware String - occured 61 times */
condition:
filesize < 1KB and all of them
}


@ -33,8 +33,6 @@ rule Enfal_Malware_Backdoor {
hash2 = "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41"
score = 60
strings:
$mz = { 4d 5a }
$x1 = "Micorsoft Corportation" fullword wide
$x2 = "IM Monnitor Service" fullword wide
@ -47,7 +45,7 @@ rule Enfal_Malware_Backdoor {
$z4 = "XpsRegisterServer" fullword
$z5 = "{53A4988C-F91F-4054-9076-220AC5EC03F3}" fullword
condition:
( $mz at 0 ) and
uint16(0) == 0x5a4d and
(
1 of ($x*) or
( all of ($s*) and all of ($z*) )


@ -6,7 +6,6 @@ rule Hermes2_1 {
reference = "https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
hash = "b27881f59c8d8cc529fa80a58709db36"
strings:
$magic = { 4D 5A }
//in both version 2.1 and sample in Feb
$s1 = "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\"
$s2 = "0419"
@ -23,5 +22,5 @@ rule Hermes2_1 {
$u2 = "HERMES 2.1 TEST BUILD, press ok"
$u3 = "hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA" //RSA Key part
condition:
$magic at 0 and all of ($s*) and 3 of ($S*) and 1 of ($u*)
uint16(0) == 0x5a4d and all of ($s*) and 3 of ($S*) and 1 of ($u*)
}


@ -337,7 +337,7 @@ rule OtherTools_servu {
$s2 = "GetProcAddress" fullword ascii
$s3 = "WriteFile" fullword ascii
condition:
$s0 at 0 and filesize < 50KB and all of them
uint32(0) == 0x454b5a4d and $s0 at 0 and filesize < 50KB and all of them
}
rule ustrrefadd {


@ -15,5 +15,5 @@ rule mimikatz_kirbi_ticket
strings:
$asn1 = { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
condition:
$asn1 at 0
uint16(0) == 0x8276 and $asn1 at 0
}


@ -231,10 +231,10 @@ rule Msfpayloads_msf_9 {
$s3 = "[0] = \"chmod\";" ascii
$s4 = "= Runtime.getRuntime().exec(" ascii
$s5 = ", 16) & 0xff;" ascii
$x1 = "4d5a9000030000000" ascii
condition:
4 of ($s*) or $x1 at 0
4 of ($s*) or (
uint32(0) == 0x00905a4d and uint32(4) == 0x00000003
)
}
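Review bot: The replacement condition changes what `Msfpayloads_msf_9` matches: the removed `$x1 = "4d5a9000030000000" ascii` was a text string, apparently the hex-encoded PE header as it appears in a textual payload format, while `uint32(0) == 0x00905a4d and uint32(4) == 0x00000003` tests the raw bytes `MZ\x90\x00\x03\x00\x00\x00`. Those eight bytes are the ordinary DOS-stub prefix of Windows executables, and because the branch is joined with `or` the rule now fires on practically every PE regardless of the `$s*` strings. Restoring the text string and guarding it on its own ASCII prefix keeps the original semantics: `$x1 = "4d5a9000030000000" ascii` in strings and `4 of ($s*) or ( uint32(0) == 0x61356434 and $x1 at 0 )` in the condition, 0x61356434 being the little-endian encoding of the ASCII text `4d5a`.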
rule Msfpayloads_msf_10 {


@ -1,3 +1,4 @@
rule OSX_backdoor_Bella {
meta:
description = "Bella MacOS/OSX backdoor"
@ -7,7 +8,7 @@ rule OSX_backdoor_Bella {
hash = "4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be"
strings:
$h1 = /#!\/usr\/bin\/env\s+python/
$h1 = "#!/usr/bin/env"
//prereqs
$s0 = "subprocess" fullword ascii
@ -27,7 +28,8 @@ rule OSX_backdoor_Bella {
$subpart2_b = "appleIDPhish" fullword ascii
$subpart2_c = "iTunes" fullword ascii
condition:
$h1 at 0
uint32(0) == 0x752f2123
and $h1 at 0
and filesize < 120KB
and @s0[1] < 100
and @s1[1] < 100
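Review bot: Replacing `$h1 = /#!\/usr\/bin\/env\s+python/` with `$h1 = "#!/usr/bin/env"` drops the requirement that the interpreter be python, so any `env` shebang (bash, perl, ruby, node) now satisfies the header check. The remaining `$s*` strings likely limit the damage, but the loosening is silent and does not seem necessary for the performance goal: the regex begins with a long literal prefix that YARA can use as an atom, so `uint32(0) == 0x752f2123 and $h1 at 0` with the original regex kept should give the same speed-up. The same substitution is made in the OSX_backdoor_EvilOSX hunk.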


@ -7,7 +7,7 @@ rule OSX_backdoor_EvilOSX {
hash = "89e5b8208daf85f549d9b7df8e2a062e47f15a5b08462a4224f73c0a6223972a"
strings:
$h1 = /#!\/usr\/bin\/env\s+python/
$h1 = "#!/usr/bin/env"
$s0 = "import base64" fullword ascii
$s1 = "b64decode" fullword ascii
@ -23,7 +23,8 @@ rule OSX_backdoor_EvilOSX {
$enc_x1 = /(AGUAdABfAGwAYQB1AG4AYwBoAF8AYQBnAGUAbgB0AF8AZABpAHIAZQBjAHQAbwByAHkA|cAZQB0AF8AbABhAHUAbgBjAGgAXwBhAGcAZQBuAHQAXwBkAGkAcgBlAGMAdABvAHIAeQ|dldF9sYXVuY2hfYWdlbnRfZGlyZWN0b3J5|Z2V0X2xhdW5jaF9hZ2VudF9kaXJlY3Rvcn|ZwBlAHQAXwBsAGEAdQBuAGMAaABfAGEAZwBlAG4AdABfAGQAaQByAGUAYwB0AG8AcgB5A|ZXRfbGF1bmNoX2FnZW50X2RpcmVjdG9ye)/ ascii
condition:
$h1 at 0
uint32(0) == 0x752f2123
and $h1 at 0
and filesize < 30KB
and all of ($s*)
and


@ -26,7 +26,8 @@ rule Persistence_Agent_MacOS {
$einterval_b = /(AHUAbgBBAHQATABvAGEAZA|dW5BdExvYW|IAdQBuAEEAdABMAG8AYQBkA|J1bkF0TG9hZ|UgB1AG4AQQB0AEwAbwBhAGQA|UnVuQXRMb2Fk)/ ascii
condition:
$h1 at 0
uint32(0) == 0x752f2123
and $h1 at 0
and filesize < 120KB
and
(


@ -15,7 +15,6 @@ rule RAT_AAR
$d = "testmemory.FRMMain.resources"
$e = "$this.Icon" wide
$f = "{11111-22222-20001-00001}" wide
$g = "@@@@@"
condition:
all of them


@ -76,8 +76,6 @@ rule Equation_Kaspersky_TripleFantasy_1 {
date = "2015/02/16"
hash = "b2b2cd9ca6f5864ef2ac6382b7b6374a9fb2cbe9"
strings:
$mz = { 4d 5a }
$s0 = "%SystemRoot%\\system32\\hnetcfg.dll" fullword wide
$s1 = "%WINDIR%\\System32\\ahlhcib.dll" fullword wide
$s2 = "%WINDIR%\\sjyntmv.dat" fullword wide
@ -95,7 +93,7 @@ rule Equation_Kaspersky_TripleFantasy_1 {
$z2 = "www.google.com@80" fullword wide
$z3 = "127.0.0.1:3128" fullword wide
condition:
( $mz at 0 ) and filesize < 300000 and
uint16(0) == 0x5a4d and filesize < 300000 and
(
( all of ($s*) and all of ($z*) ) or
( all of ($s*) and 1 of ($x*) )
@ -111,8 +109,6 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
date = "2015/02/16"
hash = "d09b4b6d3244ac382049736ca98d7de0c6787fa2"
strings:
$mz = { 4d 5a }
$z1 = "msvcp5%d.dll" fullword ascii
$s0 = "actxprxy.GetProxyDllInfo" fullword ascii
@ -120,7 +116,6 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
$s5 = "actxprxy.DllRegisterServer" fullword ascii
$s6 = "actxprxy.DllUnregisterServer" fullword ascii
$x1 = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ascii
$x2 = "191H1a1" fullword ascii
$x3 = "November " fullword ascii
$x4 = "abababababab" fullword ascii
@ -128,7 +123,7 @@ rule Equation_Kaspersky_DoubleFantasy_1 {
$x6 = "October " fullword ascii
$x7 = "September " fullword ascii
condition:
( $mz at 0 ) and filesize < 350000 and
uint16(0) == 0x5a4d and filesize < 350000 and
(
( $z1 ) or
( all of ($s*) and 6 of ($x*) )
@ -144,7 +139,6 @@ rule Equation_Kaspersky_GROK_Keylogger {
date = "2015/02/16"
hash = "50b8f125ed33233a545a1aac3c9d4bb6aa34b48f"
strings:
$mz = { 4d 5a }
$s0 = "c:\\users\\rmgree5\\" ascii
$s1 = "msrtdv.sys" fullword wide
@ -161,7 +155,7 @@ rule Equation_Kaspersky_GROK_Keylogger {
$z2 = "\\registry\\machine\\software\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$z4 = "\\registry\\machine\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment" wide fullword
condition:
( $mz at 0 ) and filesize < 250000 and
uint16(0) == 0x5a4d and filesize < 250000 and
(
$s0 or
( $s1 and 6 of ($x*) ) or
@ -194,8 +188,6 @@ rule Equation_Kaspersky_EquationDrugInstaller {
date = "2015/02/16"
hash = "61fab1b8451275c7fd580895d9c68e152ff46417"
strings:
$mz = { 4d 5a }
$s0 = "\\system32\\win32k.sys" fullword wide
$s1 = "ALL_FIREWALLS" fullword ascii
@ -207,7 +199,7 @@ rule Equation_Kaspersky_EquationDrugInstaller {
$x6 = "WinStaObj" fullword wide
$x7 = "BINRES" fullword wide
condition:
( $mz at 0 ) and filesize < 500000 and all of ($s*) and 5 of ($x*)
uint16(0) == 0x5a4d and filesize < 500000 and all of ($s*) and 5 of ($x*)
}
rule Equation_Kaspersky_EquationLaserInstaller {
@ -219,7 +211,6 @@ rule Equation_Kaspersky_EquationLaserInstaller {
date = "2015/02/16"
hash = "5e1f56c1e57fbff96d4999db1fd6dd0f7d8221df"
strings:
$mz = { 4d 5a }
$s0 = "Failed to get Windows version" fullword ascii
$s1 = "lsasrv32.dll and lsass.exe" fullword wide
$s2 = "\\\\%s\\mailslot\\%s" fullword ascii
@ -230,7 +221,7 @@ rule Equation_Kaspersky_EquationLaserInstaller {
$s7 = "VIEWERS" fullword ascii
$s8 = "5.2.3790.220 (srv03_gdr.040918-1552)" fullword wide
condition:
( $mz at 0 ) and filesize < 250000 and 6 of ($s*)
uint16(0) == 0x5a4d and filesize < 250000 and 6 of ($s*)
}
rule Equation_Kaspersky_FannyWorm {
@ -242,8 +233,6 @@ rule Equation_Kaspersky_FannyWorm {
date = "2015/02/16"
hash = "1f0ae54ac3f10d533013f74f48849de4e65817a7"
strings:
$mz = { 4d 5a }
$s1 = "x:\\fanny.bmp" fullword ascii
$s2 = "32.exe" fullword ascii
$s3 = "d:\\fanny.bmp" fullword ascii
@ -265,7 +254,7 @@ rule Equation_Kaspersky_FannyWorm {
$x15 = "Global\\RPCMutex" fullword ascii
$x16 = "Global\\DirectMarketing" fullword ascii
condition:
( $mz at 0 ) and filesize < 300000 and
uint16(0) == 0x5a4d and filesize < 300000 and
(
( 2 of ($s*) ) or
( 1 of ($s*) and 6 of ($x*) ) or
@ -282,7 +271,6 @@ rule Equation_Kaspersky_HDD_reprogramming_module {
date = "2015/02/16"
hash = "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
strings:
$mz = { 4d 5a }
$s0 = "nls_933w.dll" fullword ascii
$s1 = "BINARY" fullword wide
@ -290,7 +278,7 @@ rule Equation_Kaspersky_HDD_reprogramming_module {
$s3 = "HAL.dll" fullword ascii
$s4 = "READ_REGISTER_UCHAR" fullword ascii
condition:
( $mz at 0 ) and filesize < 300000 and all of ($s*)
uint16(0) == 0x5a4d and filesize < 300000 and all of ($s*)
}
rule Equation_Kaspersky_EOP_Package {
@ -302,7 +290,6 @@ rule Equation_Kaspersky_EOP_Package {
date = "2015/02/16"
hash = "2bd1b1f5b4384ce802d5d32d8c8fd3d1dc04b962"
strings:
$mz = { 4d 5a }
$s0 = "abababababab" fullword ascii
$s1 = "abcdefghijklmnopq" fullword ascii
$s2 = "@STATIC" fullword wide
@ -311,7 +298,7 @@ rule Equation_Kaspersky_EOP_Package {
$s5 = "prkMtx" fullword wide
$s6 = "cnFormVoidFBC" fullword wide
condition:
( $mz at 0 ) and filesize < 100000 and all of ($s*)
uint16(0) == 0x5a4d and filesize < 100000 and all of ($s*)
}
rule Equation_Kaspersky_TripleFantasy_Loader {
@ -323,8 +310,6 @@ rule Equation_Kaspersky_TripleFantasy_Loader {
date = "2015/02/16"
hash = "4ce6e77a11b443cc7cbe439b71bf39a39d3d7fa3"
strings:
$mz = { 4d 5a }
$x1 = "Original Innovations, LLC" fullword wide
$x2 = "Moniter Resource Protocol" fullword wide
$x3 = "ahlhcib.dll" fullword wide
@ -336,7 +321,7 @@ rule Equation_Kaspersky_TripleFantasy_Loader {
$s4 = "hnetcfg.HNetGetShareAndBridgeSettings" fullword ascii
$s5 = "hnetcfg.HNetGetFirewallSettingsPage" fullword ascii
condition:
( $mz at 0 ) and filesize < 50000 and ( all of ($x*) and all of ($s*) )
uint16(0) == 0x5a4d and filesize < 50000 and ( all of ($x*) and all of ($s*) )
}
/* Rule generated from the mentioned keywords */
@ -350,8 +335,6 @@ rule Equation_Kaspersky_SuspiciousString {
date = "2015/02/17"
score = 60
strings:
$mz = { 4d 5a }
$s1 = "i386\\DesertWinterDriver.pdb" fullword
$s2 = "Performing UR-specific post-install..."
$s3 = "Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!"
@ -359,7 +342,7 @@ rule Equation_Kaspersky_SuspiciousString {
$s5 = "standalonegrok_2.1.1.1"
$s6 = "c:\\users\\rmgree5\\"
condition:
( $mz at 0 ) and filesize < 500000 and all of ($s*)
uint16(0) == 0x5a4d and filesize < 500000 and all of ($s*)
}
/* EquationDrug Update 11.03.2015 - http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ */
@ -392,10 +375,9 @@ rule EquationDrug_CompatLayer_UnilayDLL {
date = "2015/03/11"
hash = "a3a31937956f161beba8acac35b96cb74241cd0f"
strings:
$mz = { 4d 5a }
$s0 = "unilay.dll" fullword ascii
condition:
( $mz at 0 ) and $s0
uint16(0) == 0x5a4d and $s0
}
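Review bot: In the `Equation_Kaspersky_DoubleFantasy_1` hunk the `$x1` string is removed but the threshold `6 of ($x*)` is left unchanged; the visible remainder is `$x2`, `$x3`, `$x4`, `$x6`, `$x7` plus presumably an `$x5` on the line between the two hunks, so the clause now appears to mean `all of ($x*)` where it previously tolerated one miss out of seven. If that tightening is not intended, `( all of ($s*) and 5 of ($x*) )` preserves the earlier slack. The `$mz` to `uint16(0) == 0x5a4d` conversions in the other hunks of this file are consistent with the `{ 4d 5a }` definitions they replace.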
rule EquationDrug_HDDSSD_Op {


@ -35,7 +35,7 @@ rule Regin_APT_KernelDriver_Generic_A {
$x1 = "LRich6" fullword ascii
$x2 = "KeServiceDescriptorTable" fullword ascii
condition:
$m0 at 0 and $m1 and
uint16(0) == 0x5a4d and $m0 at 0 and $m1 and
all of ($s*) and 1 of ($x*)
}
@ -85,6 +85,7 @@ rule Regin_APT_KernelDriver_Generic_B {
$z4 = "wcslen" fullword ascii
$z5 = "atoi" fullword ascii
condition:
uint16(0) == 0x5a4d and
$m0 at 0 and all of ($s*) and
( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) )
and filesize < 20KB
@ -111,6 +112,7 @@ rule Regin_APT_KernelDriver_Generic_C {
$y1 = "LSA Shell" fullword wide
$y2 = "0Richw" fullword ascii
condition:
uint16(0) == 0x5a4d and
$m0 at 0 and all of ($s*) and
( all of ($x*) or all of ($y*) )
and filesize < 20KB
@ -198,8 +200,6 @@ rule Regin_Sample_3 {
date = "27.11.14"
hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
strings:
$hd = { fe ba dc fe }
$s0 = "Service Pack x" fullword wide
$s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
$s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
@ -216,7 +216,7 @@ rule Regin_Sample_3 {
$s13 = "RtlGetVersion" fullword wide
$s14 = "ntkrnlpa.exe" fullword ascii
condition:
( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
uint32(0) == 0xfedcbafe and all of ($s*) and filesize > 160KB and filesize < 200KB
}
rule Regin_Sample_Set_1 {
@ -249,7 +249,7 @@ rule Regin_Sample_Set_1 {
$s19 = "IoCreateDevice" fullword ascii
$s20 = "KefReleaseSpinLockFromDpcLevel" fullword ascii
condition:
all of them and filesize < 40KB and filesize > 30KB
filesize < 40KB and filesize > 30KB and all of them
}
rule Regin_Sample_Set_2 {


@ -487,8 +487,6 @@ rule Tiny_Network_Tool_Generic {
hash1 = "cafc31d39c1e4721af3ba519759884b9"
hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
strings:
$magic = { 4d 5a }
$s0 = "KERNEL32.DLL" fullword ascii
$s1 = "CRTDLL.DLL" fullword ascii
$s3 = "LoadLibraryA" fullword ascii
@ -509,7 +507,7 @@ rule Tiny_Network_Tool_Generic {
$z4 = "ToAscii" fullword ascii
condition:
( $magic at 0 ) and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB
uint16(0) == 0x5a4d and all of ($s*) and ( all of ($y*) or all of ($x*) or all of ($z*) ) and filesize < 15KB
}
rule Beastdoor_Backdoor {
@ -667,7 +665,6 @@ rule CN_Hacktool_1433_Scanner {
score = 40
date = "12.10.2014"
strings:
$magic = { 4d 5a }
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "del Weak1.txt" ascii fullword
@ -675,7 +672,7 @@ rule CN_Hacktool_1433_Scanner {
$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii
$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
condition:
( $magic at 0 ) and all of ($s*)
uint16(0) == 0x5a4d and all of ($s*)
}
rule CN_Hacktool_1433_Scanner_Comp2 {
@ -686,12 +683,11 @@ rule CN_Hacktool_1433_Scanner_Comp2 {
score = 40
date = "12.10.2014"
strings:
$magic = { 4d 5a }
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
condition:
( $magic at 0 ) and all of ($s*)
uint16(0) == 0x5a4d and all of ($s*)
}
rule WCE_Modified_1_1014 {
@ -1175,7 +1171,7 @@ rule Hacktools_CN_445_cmd {
$s0 = "cs.exe %1" fullword ascii
$s2 = "nc %1 4444" fullword ascii
condition:
$bat at 0 and all of ($s*)
uint32(0) == 0x68636540 and $bat at 0 and all of ($s*)
}
rule Hacktools_CN_GOGOGO_Bat {


@ -23,13 +23,12 @@ rule Weevely_Webshell {
date = "2014/12/14"
score = 60
strings:
$php = "<?php" ascii
$s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii
$s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii
$s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii
$s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii
condition:
$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
uint32(0) == 0x68703f3c and all of ($s*) and filesize > 570 and filesize < 800
}
rule webshell_h4ntu_shell_powered_by_tsoi_ {
@ -9135,7 +9134,7 @@ rule PHP_Webshell_1_Feb17 {
$s1 = "$i=Array(\"pv\"=>@phpversion(),\"sv\"" ascii
$s3 = "$data = @unserialize(sh_decrypt(@base64_decode($data),$data_key));" ascii
condition:
( $h1 at 0 and 1 of them ) or 2 of them
uint32(0) == 0x68703f3c and ( $h1 at 0 and 1 of them ) or 2 of them
}
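Review bot: In the `PHP_Webshell_1_Feb17` hunk the new condition `uint32(0) == 0x68703f3c and ( $h1 at 0 and 1 of them ) or 2 of them` relies on `and` binding tighter than `or`, so the header guard applies only to the first branch and the `2 of them` branch is still evaluated for every file — the performance intent of the commit is not reached for that rule. Either wrap both branches, `uint32(0) == 0x68703f3c and ( ( $h1 at 0 and 1 of them ) or 2 of them )`, which also changes what the rule matches for files that do not start with `<?ph`, or keep the current semantics and add the parentheses explicitly so the precedence reads as intended.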
rule Webshell_Tiny_JSP_2 {


@ -334,11 +334,10 @@ rule APT_Cloaked_SuperScan
author = "Florian Roth"
score = 50
strings:
$magic = { 4d 5a }
$s0 = "SuperScan4.exe" wide fullword
$s1 = "Foundstone Inc." wide fullword
condition:
( $magic at 0 ) and $s0 and $s1 and not filename contains "superscan"
uint16(0) == 0x5a4d and $s0 and $s1 and not filename contains "superscan"
}
rule APT_Cloaked_ScanLine
@ -350,12 +349,11 @@ rule APT_Cloaked_ScanLine
author = "Florian Roth"
score = 50
strings:
$magic = { 4d 5a }
$s0 = "ScanLine" wide fullword
$s1 = "Command line port scanner" wide fullword
$s2 = "sl.exe" wide fullword
condition:
( $magic at 0 ) and $s0 and $s1 and $s2 and not filename == "sl.exe"
uint16(0) == 0x5a4d and $s0 and $s1 and $s2 and not filename == "sl.exe"
}
rule SAM_Hive_Backup


@ -12,12 +12,11 @@ rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
strings:
$mz = { 4d 5a }
//$s1 = "VisualDiscovery.exe" fullword wide
$s2 = "Invalid key length used to initialize BlowFish." fullword ascii
$s3 = "GetPCProxyHandler" fullword ascii
$s4 = "StartPCProxy" fullword ascii
$s5 = "SetPCProxyHandler" fullword ascii
condition:
( $mz at 0 ) and filesize < 2MB and all of ($s*)
uint16(0) == 0x5a4d and filesize < 2MB and all of ($s*)
}


@ -173,7 +173,6 @@ rule GIFCloaked_Webshell_A {
hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
score = 60
strings:
$magic = { 47 49 46 38 } /* GIF8 ... */
$s0 = "input type"
$s1 = "<%eval request"
$s2 = "<%eval(Request.Item["
@ -184,7 +183,7 @@ rule GIFCloaked_Webshell_A {
$fp1 = "<form name=\"social_form\""
condition:
( $magic at 0 ) and ( 1 of ($s*) )
uint32(0) == 0x38464947 and ( 1 of ($s*) )
and not 1 of ($fp*)
}