valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0d1648a850
signature-base/yara/apt_industroyer.yar

153 lines
5.9 KiB
Plaintext
Raw Blame History

/*
Yara Rule Set
Author: Florian Roth
Date: 2017-06-13
Identifier: Industroyer
Reference: https://goo.gl/x81cSy
*/
/* Rule Set ----------------------------------------------------------------- */
rule Industroyer_Malware_1 {
meta:
description = "Detects Industroyer related malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
hash1 = "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910"
hash2 = "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81"
strings:
$s1 = "haslo.exe" fullword ascii
$s2 = "SYSTEM\\CurrentControlSet\\Services\\%ls" fullword wide
$s3 = "SYS_BASCON.COM" fullword wide
$s4 = "*.pcmt" fullword wide
$s5 = "*.pcmi" fullword wide
$x1 = { 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73
00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61
00 67 00 65 00 50 00 61 00 74 00 68 00 00 00 43
00 3A 00 5C 00 00 00 44 00 3A 00 5C 00 00 00 45
00 3A 00 5C 00 00 00 }
$x2 = "haslo.dat\x00Crash"
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and 1 of ($x*) or 2 of them )
}
rule Industroyer_Malware_2 {
meta:
description = "Detects Industroyer related malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
hash1 = "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571"
hash2 = "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4"
hash3 = "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77"
hash1 = "6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47"
strings:
$x1 = "sc create %ls type= own start= auto error= ignore binpath= \"%ls\" displayname= \"%ls\"" fullword wide
$x2 = "10.15.1.69:3128" fullword wide
$s1 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)" fullword wide
$s2 = "/c sc stop %s" fullword wide
$s3 = "sc start %ls" fullword wide
$s4 = "93.115.27.57" fullword wide
$s5 = "5.39.218.152" fullword wide
$s6 = "tierexe" fullword wide
$s7 = "comsys" fullword wide
$s8 = "195.16.88.6" fullword wide
$s9 = "TieringService" fullword wide
$a1 = "TEMP\x00\x00DEF" fullword wide
$a2 = "TEMP\x00\x00DEF-C" fullword wide
$a3 = "TEMP\x00\x00DEF-WS" fullword wide
$a4 = "TEMP\x00\x00DEF-EP" fullword wide
$a5 = "TEMP\x00\x00DC-2-TEMP" fullword wide
$a6 = "TEMP\x00\x00DC-2" fullword wide
$a7 = "TEMP\x00\x00CES-McA-TEMP" fullword wide
$a8 = "TEMP\x00\x00SRV_WSUS" fullword wide
$a9 = "TEMP\x00\x00SRV_DC-2" fullword wide
$a10 = "TEMP\x00\x00SCE-WSUS01" fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*) or 3 of them or 1 of ($a*) ) or ( 5 of them )
}
rule Industroyer_Portscan_3 {
meta:
description = "Detects Industroyer related custom port scaner"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
hash1 = "893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f"
strings:
$s1 = "!ZBfamily" fullword ascii
$s2 = ":g/outddomo;" fullword ascii
$s3 = "GHIJKLMNOTST" fullword ascii
/* Decompressed File */
$d1 = "Error params Arguments!!!" fullword wide
$d2 = "^(.+?.exe).*\\s+-ip\\s*=\\s*(.+)\\s+-ports\\s*=\\s*(.+)$" fullword wide
$d3 = "Exhample:App.exe -ip= 127.0.0.1-100," fullword wide
$d4 = "Error IP Range %ls - %ls" fullword wide
$d5 = "Can't closesocket." fullword wide
condition:
( uint16(0) == 0x5a4d and filesize < 500KB and all of ($s*) or 2 of ($d*) )
}
rule Industroyer_Portscan_3_Output {
meta:
description = "Detects Industroyer related custom port scaner output file"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
strings:
$s1 = "WSA library load complite." fullword ascii
$s2 = "Connection refused" fullword ascii
condition:
all of them
}
rule Industroyer_Malware_4 {
meta:
description = "Detects Industroyer related malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
hash1 = "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561"
strings:
$s1 = "haslo.dat" fullword wide
$s2 = "defragsvc" fullword ascii
/* .dat\x00\x00Crash */
$a1 = { 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00 }
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of ($s*) or $a1 )
}
rule Industroyer_Malware_5 {
meta:
description = "Detects Industroyer related malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/x81cSy"
date = "2017-06-13"
hash1 = "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad"
strings:
$x1 = "D2MultiCommService.exe" fullword ascii
$x2 = "Crash104.dll" fullword ascii
$x3 = "iec104.log" fullword ascii
$x4 = "IEC-104 client: ip=%s; port=%s; ASDU=%u " fullword ascii
$s1 = "Error while getaddrinfo executing: %d" fullword ascii
$s2 = "return info-Remote command" fullword ascii
$s3 = "Error killing process ..." fullword ascii
$s4 = "stop_comm_service_name" fullword ascii
$s5 = "*1* Data exchange: Send: %d (%s)" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and ( 1 of ($x*) or 4 of them ) ) or ( all of them )
}
Reference in New Issue View Git Blame Copy Permalink