/*
Yara Rule Set
Author: Florian Roth
Date: 2015-06-13
Identifier: CN-Tools Hacktools
Reference: Disclosed hacktool set at http://w2op.us/ (Mirror: http://tools.zjqhr.com)
*/
// Flags mswin_check_lm_group.exe from the disclosed tool set via its usage banner
// and group-membership message. A hit shows the binary is present; it says nothing
// about how it was used.
rule mswin_check_lm_group {
    meta:
        description = "Chinese Hacktool Set - file mswin_check_lm_group.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "115d87d7e7a3d08802a9e5fd6cd08e2ec633c367"
    strings:
        $s1 = "Valid_Global_Groups: checking group membership of '%s\\%s'." fullword ascii
        $s2 = "Usage: %s [-D domain][-G][-P][-c][-d][-h]" fullword ascii
        $s3 = "-D default user Domain" fullword ascii
    condition:
        // MZ magic at offset 0, size cap, then every string must be present
        uint16(0) == 0x5A4D
        and filesize < 380KB
        and all of ($s*)
}
// Flags WAF-Bypass.exe. Two of the six strings ("User-Agent:", "www.example.com")
// are generic, but the 5-of-6 threshold still forces at least three of the four
// tool-specific strings to be present.
rule WAF_Bypass {
    meta:
        description = "Chinese Hacktool Set - file WAF-Bypass.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "860a9d7aac2ce3a40ac54a4a0bd442c6b945fa4e"
    strings:
        $s1 = "Email: blacksplitn@gmail.com" fullword wide
        $s2 = "User-Agent:" fullword wide
        $s3 = "Send Failed.in RemoteThread" fullword ascii
        $s4 = "www.example.com" fullword wide
        $s5 = "Get Domain:%s IP Failed." fullword ascii
        $s6 = "Connect To Server Failed." fullword ascii
    condition:
        // PE file under the size cap with five or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 7992KB
        and 5 of ($s*)
}
// Flags "Guilin veterans cookie spoofing tool.exe" by four short byte-pattern-like
// strings; all four are required because none is distinctive on its own.
rule Guilin_veterans_cookie_spoofing_tool {
    meta:
        description = "Chinese Hacktool Set - file Guilin veterans cookie spoofing tool.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "06b1969bc35b2ee8d66f7ce8a2120d3016a00bb1"
    strings:
        // NOTE(review): "^G" is matched as the two literal characters '^' and 'G'.
        // If the sample really holds a BEL byte (0x07) shown in caret notation,
        // this string would need "\x07" instead - confirm against the sample.
        $s0 = "kernel32.dll^G" fullword ascii
        $s1 = "\\.Sus\"B" fullword ascii
        $s4 = "u56Load3" fullword ascii
        $s11 = "O MYTMP(iM) VALUES (" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 1387KB
        and all of ($s*)
}
// Flags MarathonTool.exe by its name, its self-description as a blind SQL injection
// tool, and one embedded query template.
rule MarathonTool {
    meta:
        description = "Chinese Hacktool Set - file MarathonTool.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "084a27cd3404554cc799d0e689f65880e10b59e3"
    strings:
        // no "fullword" here, so the name also matches inside longer identifiers
        $s0 = "MarathonTool" ascii
        $s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii
        $s18 = "SELECT UNICODE(SUBSTRING((system_user),{0},1))" fullword wide
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 1040KB
        and all of ($s*)
}
// Flags TracKid.dll by author contact, log path and file name strings.
// "%08x -- %s" is a generic format string; the 3-of-6 threshold means at least
// two TracKid-specific strings must accompany it.
rule PLUGIN_TracKid {
    meta:
        description = "Chinese Hacktool Set - file TracKid.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "a114181b334e850d4b33e9be2794f5bb0eb59a09"
    strings:
        $s0 = "E-mail: cracker_prince@163.com" fullword ascii
        $s1 = ".\\TracKid Log\\%s.txt" fullword ascii
        $s2 = "Coded by prince" fullword ascii
        $s3 = "TracKid.dll" fullword ascii
        $s4 = ".\\TracKid Log" fullword ascii
        $s5 = "%08x -- %s" fullword ascii
    condition:
        // PE file under the size cap with three or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 200KB
        and 3 of ($s*)
}
// Flags pc2015.exe. "\\svchost.exe" and "%s%08x.001" also appear in the
// update_PcInit rule of this set, so $s1 is the string that separates the two.
rule Pc_pc2015 {
    meta:
        description = "Chinese Hacktool Set - file pc2015.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "de4f098611ac9eece91b079050b2d0b23afe0bcb"
    strings:
        $s0 = "\\svchost.exe" fullword ascii
        $s1 = "LON\\OD\\O-\\O)\\O%\\O!\\O=\\O9\\O5\\O1\\O" fullword ascii
        $s8 = "%s%08x.001" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 309KB
        and all of ($s*)
}
// Flags sekurlsa.dll by French-language messages plus the SECURITY\Policy\Secrets
// registry path. $s1 is shared with the x64_klock rule of this set, whose strings
// name mimikatz. The rule name is short and generic - watch for identifier
// collisions when merging this file into a larger rule base.
rule sekurlsa {
    meta:
        description = "Chinese Hacktool Set - file sekurlsa.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
    strings:
        $s1 = "Bienvenue dans un processus distant" fullword wide
        $s2 = "Format d'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur" wide
        $s3 = "SECURITY\\Policy\\Secrets" fullword wide
        // presumably cut before an accented character of the original message - confirm
        $s4 = "Injection de donn" fullword wide
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 1150KB
        and all of ($s*)
}
// Flags mysqlfast.exe, which identifies itself as a MySQL hash cracker, by its
// banner, usage line and result messages.
rule mysqlfast {
    meta:
        description = "Chinese Hacktool Set - file mysqlfast.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "32b60350390fe7024af7b4b8fbf50f13306c546f"
    strings:
        $s2 = "Invalid password hash: %s" fullword ascii
        $s3 = "-= MySql Hash Cracker =- " fullword ascii
        $s4 = "Usage: %s hash" fullword ascii
        $s5 = "Hash: %08lx%08lx" fullword ascii
        $s6 = "Found pass: " fullword ascii
        $s7 = "Pass not found" fullword ascii
    condition:
        // PE file under the size cap with four or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 900KB
        and 4 of ($s*)
}
// Flags DTools.exe by three form-class names (password, NT user name, port) plus
// generic fragments. Detection rests on the three T...FORM names; the remaining
// strings are short and unlikely to be unique by themselves.
rule DTools2_02_DTools {
    meta:
        description = "Chinese Hacktool Set - file DTools.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "9f99771427120d09ec7afa3b21a1cb9ed720af12"
    strings:
        $s0 = "kernel32.dll" ascii
        $s1 = "TSETPASSWORDFORM" fullword wide
        $s2 = "TGETNTUSERNAMEFORM" fullword wide
        $s3 = "TPORTFORM" fullword wide
        $s4 = "ShellFold" fullword ascii
        $s5 = "DefaultPHotLigh" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 2000KB
        and all of ($s*)
}
// Flags PacketX.dll, described in the metadata as an ActiveX wrapper for the
// WinPcap capture library. This is the only rule in view that sets a score (50);
// handle hits as a dual-use component and triage with host context.
rule dll_PacketX {
    meta:
        description = "Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        score = 50
        hash = "3f0908e0a38512d2a4fb05a824aa0f6cf3ba3b71"
    strings:
        $s9 = "[Failed to load winpcap packet.dll." wide
        $s10 = "PacketX Version" wide
    condition:
        // PE file under the size cap containing both strings
        uint16(0) == 0x5A4D
        and filesize < 1920KB
        and all of ($s*)
}
// Flags SqlDbx_zhs.exe by embedded database-administration queries and a vendor
// support address. NOTE(review): these strings read like a general-purpose SQL
// client, so a hit is likely dual-use - confirm before escalating.
rule SqlDbx_zhs {
    meta:
        description = "Chinese Hacktool Set - file SqlDbx_zhs.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "e34228345498a48d7f529dbdffcd919da2dea414"
    strings:
        $s0 = "S.failed_logins \"Failed Login Attempts\", " fullword ascii
        $s7 = "SELECT ROLE, PASSWORD_REQUIRED FROM SYS.DBA_ROLES ORDER BY ROLE" fullword ascii
        $s8 = "SELECT spid 'SPID', status 'Status', db_name (dbid) 'Database', loginame 'Login'" ascii
        $s9 = "bcp.exe <:schema:>.<:table:> out \"<:file:>\" -n -S <:server:> -U <:user:> -P <:" ascii
        $s11 = "L.login_policy_name AS \"Login Policy\", " fullword ascii
        $s12 = "mailto:support@sqldbx.com" fullword ascii
        $s15 = "S.last_login_time \"Last Login\", " fullword ascii
    condition:
        // No filesize bound in this rule: every PE of any size is string-scanned.
        uint16(0) == 0x5A4D
        and 4 of ($s*)
}
// Flags ms10048-x86.exe by the status messages and author credit the binary prints.
rule ms10048_x86 {
    meta:
        description = "Chinese Hacktool Set - file ms10048-x86.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "e57b453966e4827e2effa4e153f2923e7d058702"
    strings:
        $s1 = "[ ] Resolving PsLookupProcessByProcessId" fullword ascii
        $s2 = "The target is most likely patched." fullword ascii
        $s3 = "Dojibiron by Ronald Huizer, (c) master@h4cker.us ." fullword ascii
        $s4 = "[ ] Creating evil window" fullword ascii
        $s5 = "%sHANDLEF_INDESTROY" fullword ascii
        $s6 = "[+] Set to %d exploit half succeeded" fullword ascii
    condition:
        // PE file under the size cap with four or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 100KB
        and 4 of ($s*)
}
// Flags ch.exe (prints "Churraskito" banners). NOTE(review): $s8, $s10 and $s17
// are not specific to this tool, and "3 of" can be met by those three alone, so
// expect occasional hits on unrelated WMI/IIS-aware binaries under 260KB.
rule Dos_ch {
    meta:
        description = "Chinese Hacktool Set - file ch.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "60bbb87b08af840f21536b313a76646e7c1f0ea7"
    strings:
        $s0 = "/Churraskito/-->Usage: Churraskito.exe \"command\" " fullword ascii
        $s4 = "fuck,can't find WMI process PID." fullword ascii
        $s5 = "/Churraskito/-->Found token %s " fullword ascii
        $s8 = "wmiprvse.exe" fullword ascii
        $s10 = "SELECT * FROM IIsWebInfo" fullword ascii
        $s17 = "WinSta0\\Default" fullword ascii /* Goodware String - occurred 22 times */
    condition:
        // PE file under the size cap with three or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 260KB
        and 3 of ($s*)
}
// Flags DUBrute.exe by its IP/login/password counter lines and a domain fragment.
rule DUBrute_DUBrute {
    meta:
        description = "Chinese Hacktool Set - file DUBrute.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "8aaae91791bf782c92b97c6e1b0f78fb2a9f3e65"
    strings:
        $s1 = "IP - %d; Login - %d; Password - %d; Combination - %d" fullword ascii
        $s2 = "IP - 0; Login - 0; Password - 0; Combination - 0" fullword ascii
        $s3 = "Create %d IP@Loginl;Password" fullword ascii
        $s4 = "UBrute.com" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 1020KB
        and all of ($s*)
}
// Flags CookieTools.exe by two embedded URLs, a password callback name and two
// socket error messages. The socket messages ($s2, $s3) look like runtime-library
// text, but 4-of-5 still requires at least two of the other three strings.
rule CookieTools {
    meta:
        description = "Chinese Hacktool Set - file CookieTools.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "b6a3727fe3d214f4fb03aa43fb2bc6fadc42c8be"
    strings:
        $s0 = "http://210.73.64.88/doorway/cgi-bin/getclientip.asp?IP=" fullword ascii
        $s2 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
        $s3 = "Connection Closed Gracefully.;Could not bind socket. Address and port are alread" wide
        $s8 = "OnGetPasswordP" fullword ascii
        $s12 = "http://www.chinesehack.org/" fullword ascii
    condition:
        // PE file under the size cap with four or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 5000KB
        and 4 of ($s*)
}
// Flags PcInit.exe. Three strings are annotated as goodware; the rule stays
// selective only because every string is required and the size cap is tight.
rule update_PcInit {
    meta:
        description = "Chinese Hacktool Set - file PcInit.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "a6facc4453f8cd81b8c18b3b3004fa4d8e2f5344"
    strings:
        $s1 = "\\svchost.exe" fullword ascii
        $s2 = "%s%08x.001" fullword ascii
        $s3 = "Global\\ps%08x" fullword ascii
        $s4 = "drivers\\" fullword ascii /* Goodware String - occurred 2 times */
        $s5 = "StrStrA" fullword ascii /* Goodware String - occurred 43 times */
        $s6 = "StrToIntA" fullword ascii /* Goodware String - occurred 44 times */
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 50KB
        and all of ($s*)
}
// Flags NaslLib.dll by scanner-library messages (a nessus_* function name, a
// completion timestamp line, a plugin finding text). The strings describe a
// vulnerability-scanner component, so treat hits as dual-use.
rule dat_NaslLib {
    meta:
        description = "Chinese Hacktool Set - file NaslLib.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "fb0d4263118faaeed2d68e12fab24c59953e862d"
    strings:
        $s1 = "nessus_get_socket_from_connection: fd <%d> is closed" fullword ascii
        $s2 = "[*] \"%s\" completed, %d/%d/%d/%d:%d:%d - %d/%d/%d/%d:%d:%d" fullword ascii
        $s3 = "A FsSniffer backdoor seems to be running on this port%s" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 1360KB
        and all of ($s*)
}
// Flags 1.exe by two "Churrasco" console messages, one of which states that the
// supplied command should have run as SYSTEM. The rule name is very generic -
// check for identifier clashes when combining rule files.
rule Dos_1 {
    meta:
        description = "Chinese Hacktool Set - file 1.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "b554f0687a12ec3a137f321cc15e052ff219f28c"
    strings:
        $s1 = "/churrasco/-->Usage: Churrasco.exe \"command to run\"" fullword ascii
        $s2 = "/churrasco/-->Done, command should have ran as SYSTEM!" fullword ascii
    condition:
        // PE file under the size cap containing both strings
        uint16(0) == 0x5A4D
        and filesize < 1000KB
        and all of ($s*)
}
// Flags svu.exe. The strings are a packed-file header ("MZKERNEL32.DLL" at
// offset 0), a packer marker and two common imports - nothing describes the
// payload itself. NOTE(review): other small files packed the same way would
// presumably match too; confirm hits by hash.
rule OtherTools_servu {
    meta:
        description = "Chinese Hacktool Set - file svu.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        // NOTE(review): 32 hex characters (MD5 length); the other rules in this
        // set carry 40-character hashes - confirm which digest is intended.
        hash = "5c64e6879a9746a0d65226706e0edc7a"
    strings:
        $s0 = "MZKERNEL32.DLL" fullword ascii
        $s1 = "UpackByDwing@" fullword ascii
        $s2 = "GetProcAddress" fullword ascii
        $s3 = "WriteFile" fullword ascii
    condition:
        // $s0 anchored at offset 0 stands in for the usual MZ magic check
        $s0 at 0
        and filesize < 50KB
        and all of ($s*)
}
// Flags ustrrefadd.dll, which names itself "Ultra String Reference plugin", by
// author contact strings and the plugin banner. NOTE(review): the strings suggest
// a debugger/disassembler plugin rather than an attack tool - likely dual-use.
rule ustrrefadd {
    meta:
        description = "Chinese Hacktool Set - file ustrrefadd.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "b371b122460951e74094f3db3016264c9c8a0cfa"
    strings:
        $s0 = "E-Mail : admin@luocong.com" fullword ascii
        $s1 = "Homepage: http://www.luocong.com" fullword ascii
        $s2 = ": %d - " fullword ascii
        $s3 = "ustrreffix.dll" fullword ascii
        $s5 = "Ultra String Reference plugin v%d.%02d" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 320KB
        and all of ($s*)
}
// Flags XScanLib.dll by its own file name and port-check identifiers.
rule XScanLib {
    meta:
        description = "Chinese Hacktool Set - file XScanLib.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
    strings:
        $s4 = "XScanLib.dll" fullword ascii
        $s6 = "Ports/%s/%d" fullword ascii
        $s8 = "DEFAULT-TCP-PORT" fullword ascii
        $s9 = "PlugCheckTcpPort" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 360KB
        and all of ($s*)
}
// Flags IdtTool.exe by its driver file name, window title and device path.
rule IDTools_For_WinXP_IdtTool {
    meta:
        description = "Chinese Hacktool Set - file IdtTool.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "ebab6e4cb7ea82c8dc1fe4154e040e241f4672c6"
    strings:
        $s2 = "IdtTool.sys" fullword ascii
        $s4 = "Idt Tool bY tMd[CsP]" fullword wide
        $s6 = "\\\\.\\slIdtTool" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 25KB
        and all of ($s*)
}
// Flags ms11046.exe by console messages about adding a user and joining the
// Administrators group. $s5 is annotated as goodware, so with "2 of" a single
// tool-specific message plus $s5 is enough to fire.
rule GoodToolset_ms11046 {
    meta:
        description = "Chinese Hacktool Set - file ms11046.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "f8414a374011fd239a6c6d9c6ca5851cd8936409"
    strings:
        $s1 = "[*] Token system command" fullword ascii
        $s2 = "[*] command add user 90sec 90sec" fullword ascii
        $s3 = "[*] Add to Administrators success" fullword ascii
        $s4 = "[*] User has been successfully added" fullword ascii
        $s5 = "Program: %s%s%s%s%s%s%s%s%s%s%s" fullword ascii /* Goodware String - occurred 3 times */
    condition:
        // PE file under the size cap with two or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 840KB
        and 2 of ($s*)
}
// Flags Cmdshell32.exe by its file name (wide), the bare name (ascii) and its
// shell prompt text.
rule Cmdshell32 {
    meta:
        description = "Chinese Hacktool Set - file Cmdshell32.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "3c41116d20e06dcb179e7346901c1c11cd81c596"
    strings:
        $s1 = "cmdshell.exe" fullword wide
        $s2 = "cmdshell" fullword ascii
        $s3 = "[Root@CmdShell ~]#" fullword wide
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 62KB
        and all of ($s*)
}
// Flags "Sniffer analyzer SSClone 1210 full version.exe" by an embedded URL, a
// component DLL name and two UI/API strings. $s1 and $s3 are generic; $s0 and
// $s2 carry the identification.
rule Sniffer_analyzer_SSClone_1210_full_version {
    meta:
        description = "Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "6882125babb60bd0a7b2f1943a40b965b7a03d4e"
    strings:
        $s0 = "http://www.vip80000.com/hot/index.html" fullword ascii
        $s1 = "GetConnectString" fullword ascii
        $s2 = "CnCerT.Safe.SSClone.dll" fullword ascii
        $s3 = "(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 3580KB
        and all of ($s*)
}
// Flags klock.dll; $s4 identifies it as the "klock" component of mimikatz.
// $s1 is shared with the sekurlsa rule of this set.
rule x64_klock {
    meta:
        description = "Chinese Hacktool Set - file klock.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc"
    strings:
        $s1 = "Bienvenue dans un processus distant" fullword wide
        $s2 = "klock.dll" fullword ascii
        $s3 = "Erreur : le bureau courant (" fullword wide
        $s4 = "klock de mimikatz pour Windows" fullword wide
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 907KB
        and all of ($s*)
}
// Flags Down32.exe by a hard-coded temp-file path, a second executable name and a
// form accessor name. All three are short, so the size cap does much of the work.
rule Dos_Down32 {
    meta:
        description = "Chinese Hacktool Set - file Down32.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "0365738acd728021b0ea2967c867f1014fd7dd75"
    strings:
        $s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide
        $s6 = "down.exe" fullword wide
        $s15 = "get_Form1" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 137KB
        and all of ($s*)
}
// Second signature for MarathonTool.exe (different hash from the MarathonTool
// rule). Shares the "/Blind SQL injection tool..." banner with that rule, so both
// can fire on the same file if its other strings are present as well.
rule MarathonTool_2 {
    meta:
        description = "Chinese Hacktool Set - file MarathonTool.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "75b5d25cdaa6a035981e5a33198fef0117c27c9c"
    strings:
        $s3 = "http://localhost/retomysql/pista.aspx?id_pista=1" fullword wide
        $s6 = "SELECT ASCII(SUBSTR(username,{0},1)) FROM USER_USERS" fullword wide
        $s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 1000KB
        and all of ($s*)
}
// Flags scanms.exe, whose banner credits Internet Security Systems (2003) and
// says it scans for MS03-026-vulnerable systems. A vendor assessment tool by its
// own banner - treat hits as dual-use and check who placed it on the host.
rule scanms_scanms {
    meta:
        description = "Chinese Hacktool Set - file scanms.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "47787dee6ddea2cb44ff27b6a5fd729273cea51a"
    strings:
        $s1 = "--- ScanMs Tool --- (c) 2003 Internet Security Systems ---" fullword ascii
        $s2 = "Scans for systems vulnerable to MS03-026 vuln" fullword ascii
        $s3 = "More accurate for WinXP/Win2k, less accurate for WinNT" fullword ascii /* PEStudio Blacklist: os */
        $s4 = "added %d.%d.%d.%d-%d.%d.%d.%d" fullword ascii
        $s5 = "Internet Explorer 1.0" fullword ascii
    condition:
        // PE file under the size cap with three or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 300KB
        and 3 of ($s*)
}
// Flags PcShare.exe by its key=value message formats, vendor URLs and a helper
// file name. $s1 is an ordinary browser User-Agent and $s17 names pcinit.exe, a
// file that has its own rule (update_PcInit) in this set.
rule CN_Tools_PcShare {
    meta:
        description = "Chinese Hacktool Set - file PcShare.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "ee7ba9784fae413d644cdf5a093bd93b73537652"
    strings:
        $s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide
        $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
        $s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide
        $s5 = "port=%s;name=%s;pass=%s;" fullword wide
        $s16 = "%s\\ini\\*.dat" fullword wide
        $s17 = "pcinit.exe" fullword wide
        $s18 = "http://www.pcshare.cn" fullword wide
    condition:
        // PE file under the size cap with three or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 6000KB
        and 3 of ($s*)
}
// Flags pw-inspector.exe by its help text and the thc.org URL. The help text
// describes a dictionary-trimming utility, so treat hits as dual-use.
rule pw_inspector {
    meta:
        description = "Chinese Hacktool Set - file pw-inspector.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "4f8e3e101098fc3da65ed06117b3cb73c0a66215"
    strings:
        $s1 = "-m MINLEN minimum length of a valid password" fullword ascii
        $s2 = "http://www.thc.org" fullword ascii
        $s3 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 460KB
        and all of ($s*)
}
// Flags Dll_LoadEx.exe by author handle/contact, file name and its DLL-loading
// status messages.
rule Dll_LoadEx {
    meta:
        description = "Chinese Hacktool Set - file Dll_LoadEx.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "213d9d0afb22fe723ff570cf69ff8cdb33ada150"
    strings:
        $s0 = "WiNrOOt@126.com" fullword wide
        $s1 = "Dll_LoadEx.EXE" fullword wide
        $s3 = "You Already Loaded This DLL ! :(" fullword ascii
        $s10 = "Dll_LoadEx Microsoft " fullword wide
        $s17 = "Can't Load This Dll ! :(" fullword ascii
        $s18 = "WiNrOOt" fullword wide
        $s20 = " Dll_LoadEx(&A)..." fullword wide
    condition:
        // PE file under the size cap with three or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 120KB
        and 3 of ($s*)
}
// Flags report.dll by the product name "X-Scan" and a report marker. Only two
// strings back this rule, so the 480KB cap matters for selectivity.
rule dat_report {
    meta:
        description = "Chinese Hacktool Set - file report.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "4582a7c1d499bb96dad8e9b227e9d5de9becdfc2"
    strings:
        $s1 = "X-Scan" fullword ascii
        $s2 = "REPORT-ANALYSIS-OF-HOST" fullword ascii
    condition:
        // PE file under the size cap containing both strings
        uint16(0) == 0x5A4D
        and filesize < 480KB
        and all of ($s*)
}
// Flags iis7.exe. Every string here is short or generic ($s13 is annotated as
// goodware); the combination of all five plus the size cap is what identifies
// the file.
rule Dos_iis7 {
    meta:
        description = "Chinese Hacktool Set - file iis7.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "0a173c5ece2fd4ac8ecf9510e48e95f43ab68978"
    strings:
        $s0 = "\\\\localhost" fullword ascii
        $s1 = "iis.run" fullword ascii
        $s3 = ">Could not connecto %s" fullword ascii
        $s5 = "WHOAMI" ascii
        $s13 = "WinSta0\\Default" fullword ascii /* Goodware String - occurred 22 times */
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 140KB
        and all of ($s*)
}
// Flags SwitchSniffer.exe by a vendor name and a setup title. NOTE(review): "Setup"
// in $s2 suggests the matched file is an installer - confirm against the sample.
rule SwitchSniffer {
    meta:
        description = "Chinese Hacktool Set - file SwitchSniffer.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "1e7507162154f67dff4417f1f5d18b4ade5cf0cd"
    strings:
        $s0 = "NextSecurity.NET" fullword wide
        $s2 = "SwitchSniffer Setup" fullword wide
    condition:
        // No filesize bound in this rule: every PE of any size is string-scanned.
        uint16(0) == 0x5A4D
        and all of ($s*)
}
// Flags dbexpora.dll by an Oracle user query and OCI-related identifiers.
// NOTE(review): these read like a database driver library rather than
// tool-specific code - likely to hit on legitimately installed copies.
rule dbexpora {
    meta:
        description = "Chinese Hacktool Set - file dbexpora.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "b55b007ef091b2f33f7042814614564625a8c79f"
    strings:
        $s0 = "SELECT A.USER FROM SYS.USER_USERS A " fullword ascii
        $s12 = "OCI 8 - OCIDescriptorFree" fullword ascii
        $s13 = "ORACommand *" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 835KB
        and all of ($s*)
}
// Flags SQLCracker.exe. Four of the five strings are common runtime/import or
// version-resource values; "cKmhV" is the only sample-specific token, so this
// rule is close to a single-string match gated by the 125KB cap.
rule SQLCracker {
    meta:
        description = "Chinese Hacktool Set - file SQLCracker.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "1aa5755da1a9b050c4c49fc5c58fa133b8380410"
    strings:
        $s0 = "msvbvm60.dll" fullword ascii /* reversed goodware string 'lld.06mvbvsm' */
        $s1 = "_CIcos" fullword ascii
        $s2 = "kernel32.dll" fullword ascii
        $s3 = "cKmhV" fullword ascii
        $s4 = "080404B0" fullword wide
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 125KB
        and all of ($s*)
}
// Flags debug.exe by token/WMI/reverse-shell status messages. $s10 and $s12 are
// also used by the Dos_ch rule of this set, so overlapping hits are possible.
// NOTE(review): $s0, $s10 and $s12 are not tool-specific and can satisfy "3 of"
// without any of the exploit messages.
rule FreeVersion_debug {
    meta:
        description = "Chinese Hacktool Set - file debug.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "d11e6c6f675b3be86e37e50184dadf0081506a89"
    strings:
        $s0 = "c:\\Documents and Settings\\Administrator\\" fullword ascii
        $s1 = "Got WMI process Pid: %d" ascii
        $s2 = "This exploit will execute" ascii
        $s6 = "Found token %s " ascii
        $s7 = "Running reverse shell" ascii
        $s10 = "wmiprvse.exe" fullword ascii
        $s12 = "SELECT * FROM IIsWebInfo" fullword ascii
    condition:
        // PE file under the size cap with three or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 820KB
        and 3 of ($s*)
}
// Flags look.exe by an author contact line and two manifest-style attributes.
rule Dos_look {
    meta:
        description = "Chinese Hacktool Set - file look.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "e1a37f31170e812185cf00a838835ee59b8f64ba"
    strings:
        $s1 = "CHKen QQ:41901298" fullword ascii
        $s2 = "version=\"9.9.9.9\"" fullword ascii
        $s3 = "name=\"CH.Ken.Tool\"" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 40KB
        and all of ($s*)
}
// Flags NtGodMode.exe. All five strings are short fragments (two annotated as
// goodware); the rule leans on requiring every one of them inside a 45KB file.
rule NtGodMode {
    meta:
        description = "Chinese Hacktool Set - file NtGodMode.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "8baac735e37523d28fdb6e736d03c67274f7db77"
    strings:
        $s0 = "to HOST!" fullword ascii
        $s1 = "SS.EXE" fullword ascii
        $s5 = "lstrlen0" fullword ascii
        $s6 = "Virtual" fullword ascii /* Goodware String - occurred 6 times */
        $s19 = "RtlUnw" fullword ascii /* Goodware String - occurred 1 times */
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 45KB
        and all of ($s*)
}
// Flags WebCrack4-RouterPasswordCracking.exe by its URL template and credential
// result formats. NOTE(review): $s16 is a plain User-Agent and $s20 looks like
// runtime-library error text; with "2 of" those two alone would satisfy the rule.
rule WebCrack4_RouterPasswordCracking {
    meta:
        description = "Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "00c68d1b1aa655dfd5bb693c13cdda9dbd34c638"
    strings:
        $s0 = "http://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORD" fullword ascii
        $s1 = "Username: \"%s\", Password: \"%s\", Remarks: \"%s\"" fullword ascii
        $s14 = "user:\"%s\" pass: \"%s\" result=\"%s\"" fullword ascii
        $s16 = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" fullword ascii
        $s20 = "List count out of bounds (%d)+Operation not allowed on sorted string list%String" wide
    condition:
        // PE file under the size cap with two or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 5000KB
        and 2 of ($s*)
}
// Flags oncrpc.dll by RPC library diagnostics (clnt_raw.c, svctcp_.c,
// bindresvport.c). NOTE(review): these are library-level messages, so other
// software bundling the same RPC library would presumably match - dual-use.
rule HScan_v1_20_oncrpc {
    meta:
        description = "Chinese Hacktool Set - file oncrpc.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "e8f047eed8d4f6d2f5dbaffdd0e6e4a09c5298a2"
    strings:
        $s1 = "clnt_raw.c - Fatal header serialization error." fullword ascii
        $s2 = "svctcp_.c - cannot getsockname or listen" fullword ascii
        $s3 = "too many connections (%d), compilation constant FD_SETSIZE was only %d" fullword ascii
        $s4 = "svc_run: - select failed" fullword ascii
        $s5 = "@(#)bindresvport.c" fullword ascii
    condition:
        // PE file under the size cap with four or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 340KB
        and 4 of ($s*)
}
// Flags hscan-gui.exe by two executable names and its application title.
rule hscan_gui {
    meta:
        description = "Chinese Hacktool Set - file hscan-gui.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "1885f0b7be87f51c304b39bc04b9423539825c69"
    strings:
        $s0 = "Hscan.EXE" fullword wide
        $s1 = "RestTool.EXE" fullword ascii
        $s3 = "Hscan Application " fullword wide
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 550KB
        and all of ($s*)
}
// Flags s.exe by hard-coded temp paths, a site name and runtime messages.
// Several strings overlap ($s1 is a prefix of $s2, $s4 of $s0, $s6 sits inside
// $s3), so one occurrence in the file can count toward the threshold more than
// once; "4 of 12" is therefore weaker than it looks.
rule S_MultiFunction_Scanners_s {
    meta:
        description = "Chinese Hacktool Set - file s.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "79b60ffa1c0f73b3c47e72118e0f600fcd86b355"
    strings:
        $s0 = "C:\\WINDOWS\\temp\\pojie.exe /l=" fullword ascii
        $s1 = "C:\\WINDOWS\\temp\\s.exe" fullword ascii
        $s2 = "C:\\WINDOWS\\temp\\s.exe tcp " fullword ascii
        $s3 = "explorer.exe http://www.hackdos.com" fullword ascii
        $s4 = "C:\\WINDOWS\\temp\\pojie.exe" fullword ascii
        $s5 = "Failed to read file or invalid data in file!" fullword ascii
        $s6 = "www.hackdos.com" fullword ascii
        $s7 = "WTNE / MADE BY E COMPILER - WUTAO " fullword ascii
        $s11 = "The interface of kernel library is invalid!" fullword ascii
        $s12 = "eventvwr" fullword ascii
        $s13 = "Failed to decompress data!" fullword ascii
        $s14 = "NOTEPAD.EXE result.txt" fullword ascii
    condition:
        // PE file under the size cap with four or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 8000KB
        and 4 of ($s*)
}
// Flags GetPass.exe by truncated API/message fragments related to logon sessions
// and debug privilege, plus a forum thread path. The first three strings are
// matched without "fullword" because they are deliberate prefixes.
rule Dos_GetPass {
    meta:
        description = "Chinese Hacktool Set - file GetPass.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "d18d952b24110b83abd17e042f9deee679de6a1a"
    strings:
        $s0 = "GetLogonS" ascii
        $s3 = "/showthread.php?t=156643" ascii
        $s8 = "To Run As Administ" ascii
        $s18 = "EnableDebugPrivileg" fullword ascii
        $s19 = "sedebugnameValue" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 890KB
        and all of ($s*)
}
// Flags PcMain.dll by service-registry paths, svchost command lines, named
// kernel objects and a cookie-style id format. NOTE(review): many entries are
// generic ("%d.exe", "GET / HTTP/1.1", "\\Services\\", the SvcHost key) and
// "4 of 12" can be met by generic ones alone; $s9, $s15 and $s20 are the
// distinctive strings to look for when triaging a hit.
rule update_PcMain {
    meta:
        description = "Chinese Hacktool Set - file PcMain.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "aa68323aaec0269b0f7e697e69cce4d00a949caa"
    strings:
        $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322" ascii
        $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
        $s2 = "SOFTWARE\\Classes\\HTTP\\shell\\open\\command" fullword ascii
        $s3 = "\\svchost.exe -k " fullword ascii
        $s4 = "SYSTEM\\ControlSet001\\Services\\%s" fullword ascii
        $s9 = "Global\\%s-key-event" fullword ascii
        $s10 = "%d%d.exe" fullword ascii
        $s14 = "%d.exe" fullword ascii
        $s15 = "Global\\%s-key-metux" fullword ascii
        $s18 = "GET / HTTP/1.1" fullword ascii
        $s19 = "\\Services\\" fullword ascii
        $s20 = "qy001id=%d;qy001guid=%s" fullword ascii
    condition:
        // PE file under the size cap with four or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 500KB
        and 4 of ($s*)
}
// Flags sys.exe by two author credit lines, a debug-privilege fragment and the
// word "DAMAGE".
rule Dos_sys {
    meta:
        description = "Chinese Hacktool Set - file sys.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "b5837047443f8bc62284a0045982aaae8bab6f18"
    strings:
        $s0 = "'SeDebugPrivilegeOpen " fullword ascii
        $s6 = "Author: Cyg07*2" fullword ascii
        $s12 = "from golds7n[LAG]'J" fullword ascii
        $s14 = "DAMAGE" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 150KB
        and all of ($s*)
}
// Flags xpf.sys by its device and DOS-device names (XScanPF) and an unhook
// status message. The target is a .sys file, so scan driver directories too.
rule dat_xpf {
    meta:
        description = "Chinese Hacktool Set - file xpf.sys"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "761125ab594f8dc996da4ce8ce50deba49c81846"
    strings:
        $s1 = "UnHook IoGetDeviceObjectPointer ok!" fullword ascii
        $s2 = "\\Device\\XScanPF" fullword wide
        $s3 = "\\DosDevices\\XScanPF" fullword wide
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 25KB
        and all of ($s*)
}
// Flags Project1.exe by a statement that re-registers xp_cmdshell on SQL Server
// plus two generic UI/file names. $s1 is the meaningful indicator. The rule name
// is a default project name - rename or namespace it when merging rule sets.
rule Project1 {
    meta:
        description = "Chinese Hacktool Set - file Project1.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "d1a5e3b646a16a7fcccf03759bd0f96480111c96"
    strings:
        $s1 = "EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'" fullword ascii
        $s2 = "Password.txt" fullword ascii
        $s3 = "LoginPrompt" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 5000KB
        and all of ($s*)
}
// Flags "Arp EMP v1.0.exe" by a single wide string holding its own file name.
// This is a one-string rule: it identifies builds that embed the name and
// nothing about behaviour, and is trivially evaded by a rename at build time.
rule Arp_EMP_v1_0 {
    meta:
        description = "Chinese Hacktool Set - file Arp EMP v1.0.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "ae4954c142ad1552a2abaef5636c7ef68fdd99ee"
    strings:
        $s0 = "Arp EMP v1.0.exe" fullword wide
    condition:
        // PE file under the size cap containing the name string
        uint16(0) == 0x5A4D
        and filesize < 800KB
        and all of ($s*)
}
// Flags MyUPnP.exe by its file name and two loader-related strings.
// NOTE(review): "BYTELINKER.COM" and "LOADER ERROR" look like protector/loader
// stub text rather than tool code - confirm; "myupnp.exe" is the specific part.
rule CN_Tools_MyUPnP {
    meta:
        description = "Chinese Hacktool Set - file MyUPnP.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "15b6fca7e42cd2800ba82c739552e7ffee967000"
    strings:
        $s1 = "BYTELINKER.COM" fullword ascii
        $s2 = "myupnp.exe" fullword ascii
        $s3 = "LOADER ERROR" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 1500KB
        and all of ($s*)
}
// Flags Shiell.exe by its build path ("Shift shell" project), its install path
// under System32 and a registry command fragment that sets a "debugger" value.
// For hunting, a "debugger" registry value being written alongside a hit is the
// host-side artefact worth checking.
rule CN_Tools_Shiell {
    meta:
        description = "Chinese Hacktool Set - file Shiell.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "b432d80c37abe354d344b949c8730929d8f9817a"
    strings:
        $s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii
        $s2 = "C:\\Windows\\System32\\Shiell.exe" fullword wide
        $s3 = "Shift shell.exe" fullword wide
        $s4 = "\" /v debugger /t REG_SZ /d \"" fullword wide
    condition:
        // PE file under the size cap with two or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 1500KB
        and 2 of ($s*)
}
// Flags cndcom.exe by the banner lines it prints (credits, usage, and its
// self-description as a DCOM RPC exploit). The threshold is low (2 of 8), and
// "- Usage: %s " and "Windows NT SP6 (Chinese)" are the least specific entries.
rule cndcom_cndcom {
    meta:
        description = "Chinese Hacktool Set - file cndcom.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "08bbe6312342b28b43201125bd8c518531de8082"
    strings:
        $s1 = "- Rewritten by HDM last " fullword ascii
        $s2 = "- Usage: %s " fullword ascii
        $s3 = "- Remote DCOM RPC Buffer Overflow Exploit" fullword ascii
        $s4 = "- Warning:This Code is more like a dos tool!(Modify by pingker)" fullword ascii
        $s5 = "Windows NT SP6 (Chinese)" fullword ascii
        $s6 = "- Original code by FlashSky and Benjurry" fullword ascii
        $s7 = "\\C$\\123456111111111111111.doc" fullword wide
        $s8 = "shell3all.c" fullword ascii
    condition:
        // PE file under the size cap with two or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 100KB
        and 2 of ($s*)
}
// Flags "IsDebug V1.4.dll", which describes itself as an IsDebuggerPresent byte
// patcher. NOTE(review): the strings point to a reverse-engineering plugin, so
// hits on analyst workstations are expected - dual-use.
rule IsDebug_V1_4 {
    meta:
        description = "Chinese Hacktool Set - file IsDebug V1.4.dll"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "ca32474c358b4402421ece1cb31714fbb088b69a"
    strings:
        $s0 = "IsDebug.dll" fullword ascii
        $s1 = "SV Dumper V1.0" fullword wide
        $s2 = "(IsDebuggerPresent byte Patcher)" fullword ascii
        $s8 = "Error WriteMemory failed" fullword ascii
        $s9 = "IsDebugPresent" fullword ascii
        $s10 = "idb_Autoload" fullword ascii
        $s11 = "Bin Files" fullword ascii
        $s12 = "MASM32 version" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 30KB
        and all of ($s*)
}
// Flags HTTPSCANNER.EXE by its name. $s2 is a prefix of $s1 and '.' counts as a
// word boundary for "fullword", so $s2 matches wherever $s1 does: the rule is
// effectively a single file-name string under a 3500KB cap.
rule HTTPSCANNER {
    meta:
        description = "Chinese Hacktool Set - file HTTPSCANNER.EXE"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "ae2929346944c1ea3411a4562e9d5e2f765d088a"
    strings:
        $s1 = "HttpScanner.exe" fullword wide
        $s2 = "HttpScanner" fullword wide
    condition:
        // PE file under the size cap containing both strings
        uint16(0) == 0x5A4D
        and filesize < 3500KB
        and all of ($s*)
}
// Flags PipeCmd.exe by named-pipe path formats, an ADMIN$ copy path, a service
// executable path and related messages. The %SystemRoot%\system32\PipeCmdSrv.exe
// path and PIPECMDSRV name are useful host artefacts to check alongside a hit.
rule HScan_v1_20_PipeCmd {
    meta:
        description = "Chinese Hacktool Set - file PipeCmd.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "64403ce63b28b544646a30da3be2f395788542d6"
    strings:
        $s1 = "%SystemRoot%\\system32\\PipeCmdSrv.exe" fullword ascii
        $s2 = "PipeCmd.exe" fullword wide
        $s3 = "Please Use NTCmd.exe Run This Program." fullword ascii
        $s4 = "%s\\pipe\\%s%s%d" fullword ascii
        $s5 = "\\\\.\\pipe\\%s%s%d" fullword ascii
        $s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
        $s7 = "This is a service executable! Couldn't start directly." fullword ascii
        $s8 = "Connecting to Remote Server ...Failed" fullword ascii
        $s9 = "PIPECMDSRV" fullword wide
    condition:
        // PE file under the size cap with four or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 200KB
        and 4 of ($s*)
}
// Flags fp.exe, which carries the FPipe.exe name, a foundstone.com URL and an
// fpipe usage example. The strings identify a vendor-published port-forwarding
// utility under another file name - dual-use; the rename is the point of interest.
rule Dos_fp {
    meta:
        description = "Chinese Hacktool Set - file fp.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c"
    strings:
        $s1 = "fpipe -l 53 -s 53 -r 80 192.168.1.101" fullword ascii
        $s2 = "FPipe.exe" fullword wide
        $s3 = "http://www.foundstone.com" fullword ascii
        $s4 = "%s %s port %d. Address is already in use" fullword ascii
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 65KB
        and all of ($s*)
}
// Flags netstat.exe from the tool set. Three of the four strings are annotated
// as goodware (network-statistics messages); "w03a2409.dll" is the only string
// that separates this sample from an ordinary netstat-like binary.
rule Dos_netstat {
    meta:
        description = "Chinese Hacktool Set - file netstat.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "d0444b7bd936b5fc490b865a604e97c22d97e598"
    strings:
        $s0 = "w03a2409.dll" fullword ascii
        $s1 = "Retransmission Timeout Algorithm = unknown (%1!u!)" fullword wide /* Goodware String - occurred 2 times */
        $s2 = "Administrative Status = %1!u!" fullword wide /* Goodware String - occurred 2 times */
        $s3 = "Packet Too Big %1!-10u! %2!-10u!" fullword wide /* Goodware String - occurred 2 times */
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 150KB
        and all of ($s*)
}
// Flags xsniff.exe by its usage examples, credential log format and author
// credit. The usage strings spell the tool "xsiff.exe"; that spelling is what
// the binary contains and must not be "corrected" in the rule.
rule CN_Tools_xsniff {
    meta:
        description = "Chinese Hacktool Set - file xsniff.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "d61d7329ac74f66245a92c4505a327c85875c577"
    strings:
        $s0 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
        $s1 = "HOST: %s USER: %s, PASS: %s" fullword ascii
        $s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
        $s10 = "Code by glacier " fullword ascii
        $s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" fullword ascii
    condition:
        // PE file under the size cap with two or more of the strings
        uint16(0) == 0x5A4D
        and filesize < 220KB
        and 2 of ($s*)
}
// Flags MSSqlPass.exe, whose strings name it "Enterprise Manager PassView"
// (empv.exe), a utility that reveals SQL Server Enterprise Manager passwords
// stored in the Registry. Password-recovery utility under another name - dual-use.
rule MSSqlPass {
    meta:
        description = "Chinese Hacktool Set - file MSSqlPass.exe"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "172b4e31ed15d1275ac07f3acbf499daf9a055d7"
    strings:
        $s0 = "Reveals the passwords stored in the Registry by Enterprise Manager of SQL Server" wide
        $s1 = "empv.exe" fullword wide
        $s2 = "Enterprise Manager PassView" fullword wide
    condition:
        // PE file under the size cap containing every string
        uint16(0) == 0x5A4D
        and filesize < 120KB
        and all of ($s*)
}
/*
 * WSockExpert: flags WSockExpert.exe from the referenced tool set.
 * Fires on an MZ file smaller than 2500KB that contains any four of the six
 * strings.
 * NOTE(review): $s3 and $s5 read like generic UI/runtime strings, so the
 * tool-specific weight sits on $s1, $s2, $s4 and $s6. With "4 of them" at
 * least two of those four must be present.
 */
rule WSockExpert {
meta:
description = "Chinese Hacktool Set - file WSockExpert.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "2962bf7b0883ceda5e14b8dad86742f95b50f7bf"
strings:
$s1 = "OpenProcessCmdExecute!" fullword ascii
$s2 = "http://www.hackp.com" fullword ascii
$s3 = "'%s' is not a valid time!'%s' is not a valid date and time" fullword wide
$s4 = "SaveSelectedFilterCmdExecute" fullword ascii
$s5 = "PasswordChar@" fullword ascii
/* name of a companion DLL referenced by the executable */
$s6 = "WSockHook.DLL" fullword ascii
condition:
/* MZ magic at offset 0, size cap, and at least four strings */
uint16(0) == 0x5a4d and filesize < 2500KB and 4 of them
}
/*
 * Ms_Viru_racle: flags racle.dll from the referenced tool set.
 * Fires on an MZ file smaller than 210KB that contains all four strings.
 * The MZ check covers DLLs as well as EXEs, since both start with the same
 * header.
 * NOTE(review): the strings look like debug output that prints the addresses
 * of kernel process objects (PsInitialSystemProcess,
 * PsLookupProcessByProcessId) and a "FirstStage()" marker. User-mode code
 * printing these is unusual, which is presumably why they were chosen.
 */
rule Ms_Viru_racle {
meta:
description = "Chinese Hacktool Set - file racle.dll"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "13116078fff5c87b56179c5438f008caf6c98ecb"
strings:
$s0 = "PsInitialSystemProcess @%p" fullword ascii
$s1 = "PsLookupProcessByProcessId(%u) Failed" fullword ascii
$s2 = "PsLookupProcessByProcessId(%u) => %p" fullword ascii
$s3 = "FirstStage() Loaded, CurrentThread @%p Stack %p - %p" fullword ascii
condition:
/* MZ magic at offset 0, size cap, and every string present */
uint16(0) == 0x5a4d and filesize < 210KB and all of them
}
/*
 * lamescan3: flags lamescan3.exe from the referenced tool set.
 * Fires on an MZ file smaller than 3740KB that contains all four strings.
 * $s1 and $s4 are relative paths to a login list and a password list under
 * a "dic" directory. $s2 names Radmin.exe.
 */
rule lamescan3 {
meta:
description = "Chinese Hacktool Set - file lamescan3.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "3130eefb79650dab2e323328b905e4d5d3a1d2f0"
strings:
/* "\\" in a YARA text string is one literal backslash */
$s1 = "dic\\loginlist.txt" fullword ascii
$s2 = "Radmin.exe" fullword ascii
$s3 = "lamescan3.pdf!" fullword ascii
$s4 = "dic\\passlist.txt" fullword ascii
condition:
/* MZ magic at offset 0, size cap, and every string present */
uint16(0) == 0x5a4d and filesize < 3740KB and all of them
}
/*
 * CN_Tools_pc: flags pc.exe from the referenced tool set.
 * Fires on an MZ file smaller than 300KB that contains all four strings.
 * NOTE(review): "\svchost.exe" and the "%s%08x.001" format are not
 * distinctive on their own; "Qy001Service" and "/.MIKY" carry the
 * specificity. Requiring all four keeps the generic ones from matching
 * alone.
 */
rule CN_Tools_pc {
meta:
description = "Chinese Hacktool Set - file pc.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "5cf8caba170ec461c44394f4058669d225a94285"
strings:
$s0 = "\\svchost.exe" fullword ascii
$s2 = "%s%08x.001" fullword ascii
/* presumably a service name the sample uses; verify against the sample */
$s3 = "Qy001Service" fullword ascii
$s4 = "/.MIKY" fullword ascii
condition:
/* MZ magic at offset 0, size cap, and every string present */
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
/*
 * Dos_Down64: flags Down64.exe from the referenced tool set.
 * Fires on an MZ file smaller than 150KB that contains all six strings.
 * $s1-$s3 are hard-coded UTF-16 paths under C:\Windows\Temp. The same paths
 * can be checked on disk when triaging a host where this rule fired.
 */
rule Dos_Down64 {
meta:
description = "Chinese Hacktool Set - file Down64.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "43e455e43b49b953e17a5b885ffdcdf8b6b23226"
strings:
$s1 = "C:\\Windows\\Temp\\Down.txt" fullword wide
$s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide
/* prefix of $s1/$s2; with fullword it should only match where the next
   character is not a letter or digit, i.e. a separate occurrence of the
   bare directory path - TODO confirm against the sample */
$s3 = "C:\\Windows\\Temp\\" fullword wide
$s4 = "ProcessXElement" fullword ascii
$s8 = "down.exe" fullword wide
$s20 = "set_Timer1" fullword ascii
condition:
/* MZ magic at offset 0, size cap, and every string present */
uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
/*
 * epathobj_exp32: flags epathobj_exp32.exe from the referenced tool set.
 * Fires on an MZ file smaller than 270KB that contains all five strings:
 * four status/debug messages and the PDB path left in the build.
 * NOTE(review): because every string is required, a rebuild that strips the
 * PDB path or edits one message would no longer match. The rule targets this
 * build, not the technique.
 */
rule epathobj_exp32 {
meta:
description = "Chinese Hacktool Set - file epathobj_exp32.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "ed86ff44bddcfdd630ade8ced39b4559316195ba"
strings:
$s0 = "Watchdog thread %d waiting on Mutex" fullword ascii
$s1 = "Exploit ok run command" fullword ascii
/* debug-symbol path embedded by the linker; exposes the project name */
$s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" fullword ascii
/* "Alllocated" (three l's) is presumably the sample's own spelling; keep it */
$s3 = "Alllocated userspace PATHRECORD () %p" fullword ascii
$s4 = "Mutex object did not timeout, list not patched" fullword ascii
condition:
/* MZ magic at offset 0, size cap, and every string present */
uint16(0) == 0x5a4d and filesize < 270KB and all of them
}
/*
 * Tools_unknown: flags unknown.exe from the referenced tool set.
 * Fires on an MZ file smaller than 2500KB that contains any four of the five
 * strings.
 * NOTE(review): $s3 (an old browser User-Agent) and $s5 (a loopback Host
 * header) are generic. With "4 of them", at least two of $s1, $s2 and $s4
 * must also be present, which is what keeps the rule specific.
 */
rule Tools_unknown {
meta:
description = "Chinese Hacktool Set - file unknown.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "4be8270c4faa1827177e2310a00af2d5bcd2a59f"
strings:
$s1 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
/* HTTP request template with a "__sql__" placeholder in the query string */
$s2 = "GET /ok.asp?id=1__sql__ HTTP/1.1" fullword ascii
$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
/* no fullword modifier: the literal ends mid-sentence, so it is matched as a substring */
$s4 = "Failed to clear tab control Failed to delete tab at index %d\"Failed to retrieve" wide
$s5 = "Host: 127.0.0.1" fullword ascii
condition:
/* MZ magic at offset 0, size cap, and at least four strings */
uint16(0) == 0x5a4d and filesize < 2500KB and 4 of them
}
/*
 * PLUGIN_AJunk: flags AJunk.dll from the referenced tool set.
 * Fires on an MZ file smaller than 560KB that contains all three strings.
 * NOTE(review): all three strings are the module's own name (ASCII and
 * UTF-16) and its file description. The rule identifies the DLL by what it
 * calls itself, so a renamed or re-versioned build would not match.
 */
rule PLUGIN_AJunk {
meta:
description = "Chinese Hacktool Set - file AJunk.dll"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "eb430fcfe6d13b14ff6baa4b3f59817c0facec00"
strings:
/* text strings are case-sensitive by default, so $s1 and $s2 differ in both case and encoding */
$s1 = "AJunk.dll" fullword ascii
$s2 = "AJunk.DLL" fullword wide
$s3 = "AJunk Dynamic Link Library" fullword wide
condition:
/* MZ magic at offset 0, size cap, and every string present */
uint16(0) == 0x5a4d and filesize < 560KB and all of them
}
/*
 * IISPutScanner: flags IISPutScanner.exe from the referenced tool set.
 * Fires on an MZ file between 350KB and 500KB (exclusive) that contains
 * every string below.
 * NOTE(review): none of the strings names the tool. They are system DLL
 * names, widely used API names and resource identifiers. Specificity comes
 * only from requiring the whole set together with the narrow size window,
 * so expect false positives on unrelated programs built and packed the same
 * way. Treat a hit as low confidence and corroborate it (for example with
 * the SHA-1 in meta) before acting on it.
 */
rule IISPutScanner {
meta:
description = "Chinese Hacktool Set - file IISPutScanner.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "9869c70d6a9ec2312c749aa17d4da362fa6e2592"
strings:
/* imported DLL names */
$s2 = "KERNEL32.DLL" fullword ascii
$s3 = "ADVAPI32.DLL" fullword ascii
$s4 = "VERSION.DLL" fullword ascii
$s5 = "WSOCK32.DLL" fullword ascii
$s6 = "COMCTL32.DLL" fullword ascii
$s7 = "GDI32.DLL" fullword ascii
$s8 = "SHELL32.DLL" fullword ascii
$s9 = "USER32.DLL" fullword ascii
$s10 = "OLEAUT32.DLL" fullword ascii
/* imported API names */
$s11 = "LoadLibraryA" fullword ascii
$s12 = "GetProcAddress" fullword ascii
$s13 = "VirtualProtect" fullword ascii
$s14 = "VirtualAlloc" fullword ascii
$s15 = "VirtualFree" fullword ascii
$s16 = "ExitProcess" fullword ascii
$s17 = "RegCloseKey" fullword ascii
$s18 = "GetFileVersionInfoA" fullword ascii
$s19 = "ImageList_Add" fullword ascii
$s20 = "BitBlt" fullword ascii
$s21 = "ShellExecuteA" fullword ascii
$s22 = "ActivateKeyboardLayout" fullword ascii
/* UTF-16 resource names; presumably stock GUI-framework resources plus the
   program's own form and icon - verify against the sample.
   The numbering skips $s24; no string with that identifier is defined. */
$s23 = "BBABORT" fullword wide
$s25 = "BBCANCEL" fullword wide
$s26 = "BBCLOSE" fullword wide
$s27 = "BBHELP" fullword wide
$s28 = "BBIGNORE" fullword wide
$s29 = "PREVIEWGLYPH" fullword wide
$s30 = "DLGTEMPLATE" fullword wide
$s31 = "TABOUTBOX" fullword wide
$s32 = "TFORM1" fullword wide
$s33 = "MAINICON" fullword wide
condition:
/* MZ magic at offset 0, a two-sided size window, and every string present */
uint16(0) == 0x5a4d and filesize < 500KB and filesize > 350KB and all of them
}
/*
 * IDTools_For_WinXP_IdtTool_2: flags IdtTool.sys from the referenced tool set.
 * Fires on an MZ file smaller than 7KB that contains all five strings.
 * NOTE(review): $s0 (the device object name) is the only string tied to this
 * driver. The four Io* routine names are annotated as appearing in hundreds
 * of goodware files and only narrow the match to small kernel drivers that
 * create and delete a device and a symbolic link.
 */
rule IDTools_For_WinXP_IdtTool_2 {
meta:
description = "Chinese Hacktool Set - file IdtTool.sys"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "07feb31dd21d6f97614118b8a0adf231f8541a67"
strings:
$s0 = "\\Device\\devIdtTool" fullword wide
$s1 = "IoDeleteSymbolicLink" fullword ascii /* Goodware String - occurred 467 times */
$s3 = "IoDeleteDevice" fullword ascii /* Goodware String - occurred 993 times */
$s6 = "IoCreateSymbolicLink" fullword ascii /* Goodware String - occurred 467 times */
$s7 = "IoCreateDevice" fullword ascii /* Goodware String - occurred 988 times */
condition:
/* MZ magic at offset 0 (drivers share the PE header), tight size cap, every string present */
uint16(0) == 0x5a4d and filesize < 7KB and all of them
}
/*
 * hkmjjiis6: flags hkmjjiis6.exe from the referenced tool set.
 * Fires on an MZ file smaller than 70KB that contains all nine strings.
 * NOTE(review): several literals look truncated or carry a stray character
 * ("user32.dlly", "WinSta0\Defau", "LookupAcc", "* FROM IIsWebInfo") and have
 * no fullword modifier. Presumably they are byte runs as they appear in a
 * compressed or packed sample. Do not "complete" them, or the rule will stop
 * matching.
 */
rule hkmjjiis6 {
meta:
description = "Chinese Hacktool Set - file hkmjjiis6.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "4cbc6344c6712fa819683a4bd7b53f78ea4047d7"
strings:
$s1 = "comspec" fullword ascii
$s2 = "user32.dlly" ascii
$s3 = "runtime error" ascii
$s4 = "WinSta0\\Defau" ascii
$s5 = "AppIDFlags" fullword ascii
$s6 = "GetLag" fullword ascii
/* tail of a query against an IIsWebInfo class */
$s7 = "* FROM IIsWebInfo" ascii
$s8 = "wmiprvse.exe" ascii
$s9 = "LookupAcc" ascii
condition:
/* MZ magic at offset 0, size cap, and every string present */
uint16(0) == 0x5a4d and filesize < 70KB and all of them
}
/*
 * Dos_lcx: flags lcx.exe from the referenced tool set. The PDB path shows
 * the project name "Htran".
 * Fires on an MZ file smaller than 100KB that contains any two of the twelve
 * strings.
 * NOTE(review): the threshold is low on purpose, to catch variants, but two
 * weak spots follow from it:
 *  - $s8 is a prefix of $s18 and the next character in $s18 is a space, so a
 *    single occurrence of the $s18 line should satisfy both and reach
 *    "2 of them" on its own.
 *  - $s4, $s11 and $s16 are short option names; two of them together also
 *    meet the threshold. Only the 100KB cap and the MZ check limit that.
 * Weigh hits accordingly and check which strings matched (yara -s).
 */
rule Dos_lcx {
meta:
description = "Chinese Hacktool Set - file lcx.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "b6ad5dd13592160d9f052bb47b0d6a87b80a406d"
strings:
/* build-machine user profile and debug-symbol path left in the binary */
$s0 = "c:\\Users\\careful_snow\\" ascii
$s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii
$s3 = "[SERVER]connection to %s:%d error" fullword ascii
$s4 = "-tran " fullword ascii
/* author banner printed by the tool */
$s6 = "=========== Code by lion & bkbll, Welcome to [url]http://www.cnhonker.com[/url] " ascii
$s7 = "[-] There is a error...Create a new connection." fullword ascii
$s8 = "[+] Accept a Client on port %d from %s" fullword ascii
$s11 = "-slave " fullword ascii
$s13 = "[+] Make a Connection to %s:%d...." fullword ascii
$s16 = "-listen " fullword ascii
$s17 = "[+] Waiting another Client on port:%d...." fullword ascii
$s18 = "[+] Accept a Client on port %d from %s ......" fullword ascii
condition:
/* MZ magic at offset 0, size cap, and at least two strings */
uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}
/*
 * x_way2_5_X_way: flags X-way.exe from the referenced tool set.
 * Fires on an MZ file smaller than 1000KB that contains any five of the nine
 * strings.
 * Seven strings are UTF-16 identifiers ending in "FRM" (TFTP server, port
 * scan, IIS shell, sniffer, crack ...), presumably form resource names.
 * $s4 and $s8 are a database client library name and one of its functions,
 * which are generic. With "5 of them", at least three of the form names must
 * be present.
 */
rule x_way2_5_X_way {
meta:
description = "Chinese Hacktool Set - file X-way.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "8ba8530fbda3e8342e8d4feabbf98c66a322dac6"
strings:
$s0 = "TTFTPSERVERFRM" fullword wide
$s1 = "TPORTSCANSETFRM" fullword wide
$s2 = "TIISSHELLFRM" fullword wide
$s3 = "TADVSCANSETFRM" fullword wide
$s4 = "ntwdblib.dll" fullword ascii
$s5 = "TSNIFFERFRM" fullword wide
$s6 = "TCRACKSETFRM" fullword wide
$s7 = "TCRACKFRM" fullword wide
$s8 = "dbnextrow" fullword ascii
condition:
/* MZ magic at offset 0, size cap, and at least five strings */
uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
}
/*
 * tools_Sqlcmd: flags Sqlcmd.exe from the referenced tool set.
 * Fires on an MZ file smaller than 40KB that contains any three of the seven
 * strings.
 * NOTE(review): the rule name and the "Sqlcmd>" prompt collide with
 * Microsoft's sqlcmd utility by name only. The banners ($s1, $s6) and the
 * xp_cmdshell template ($s5) are what distinguish this tool. $s0 and $s10
 * are generic, so check which strings matched when triaging a hit.
 */
rule tools_Sqlcmd {
meta:
description = "Chinese Hacktool Set - file Sqlcmd.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "99d56476e539750c599f76391d717c51c4955a33"
strings:
$s0 = "[Usage]: %s " fullword ascii
$s1 = "=============By uhhuhy(Feb 18,2003) - http://www.cnhonker.net=============" fullword ascii /* PEStudio Blacklist: os */
$s4 = "Cool! Connected to SQL server on %s successfully!" fullword ascii
/* T-SQL template that passes a command string to xp_cmdshell */
$s5 = "EXEC master..xp_cmdshell \"%s\"" fullword ascii
$s6 = "=======================Sqlcmd v0.21 For HScan v1.20=======================" fullword ascii
$s10 = "Error,exit!" fullword ascii
$s11 = "Sqlcmd>" fullword ascii
condition:
/* MZ magic at offset 0, tight size cap, and at least three strings */
uint16(0) == 0x5a4d and filesize < 40KB and 3 of them
}
/*
 * Sword1_5: flags Sword1.5.exe from the referenced tool set.
 * Fires on an MZ file smaller than 400KB that contains any four of the seven
 * UTF-16 strings.
 * NOTE(review): $s18, $s19 and $s20 are generic GUI strings. With
 * "4 of them", at least one of the URLs ($s3, $s4), the command list box
 * name ($s6) or the form body ($s13) must also be present.
 */
rule Sword1_5 {
meta:
description = "Chinese Hacktool Set - file Sword1.5.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "96ee5c98e982aa8ed92cb4cedb85c7fda873740f"
strings:
/* URLs of third-party web services embedded in the binary */
$s3 = "http://www.ip138.com/ip2city.asp" fullword wide
$s4 = "http://www.md5decrypter.co.uk/feed/api.aspx?" fullword wide
$s6 = "ListBox_Command" fullword wide
/* form body carrying a 32-hex-character value and an "MD5 Crack" submit field */
$s13 = "md=7fef6171469e80d32c0559f88b377245&submit=MD5+Crack" fullword wide
$s18 = "\\Set.ini" fullword wide
$s19 = "OpenFileDialog1" fullword wide
$s20 = " (*.txt)|*.txt" fullword wide
condition:
/* MZ magic at offset 0, size cap, and at least four strings */
uint16(0) == 0x5a4d and filesize < 400KB and 4 of them
}
/*
 * Tools_scan: flags scan.exe from the referenced tool set.
 * Fires on an MZ file smaller than 3000KB that contains all three strings:
 * a UTF-16 studio/vendor name and two ASCII identifiers that look like
 * internal routine or form names.
 * NOTE(review): the rule name is very generic. When hits are forwarded to a
 * SIEM, carry the description and hash along so the alert is attributable.
 */
rule Tools_scan {
meta:
description = "Chinese Hacktool Set - file scan.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
/* 40 hex characters (SHA-1 length); informational only */
hash = "c580a0cc41997e840d2c0f83962e7f8b636a5a13"
strings:
$s2 = "Shanlu Studio" fullword wide
$s3 = "_AutoAttackMain" fullword ascii
$s4 = "_frmIpToAddr" fullword ascii
condition:
/* MZ magic at offset 0, size cap, and every string present */
uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
rule Dos_c {
meta:
description = "Chinese Hacktool Set - file c.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "3deb6bd52fdac6d5a3e9a91c585d67820ab4df78"
strings:
$s0 = "!Win32 .EXE." fullword ascii
$s1 = ".MPRESS1" fullword ascii
$s2 = ".MPRESS2" fullword ascii
$s3 = "XOLEHLP.dll" fullword ascii
$s4 = "