valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 10:28:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3a36eabb3f
signature-base/yara/crime_malware_generic.yar

107 lines
3.9 KiB
Plaintext
Raw Blame History

/* Malware ----------------------------------------------------------------- */
rule TrojanDownloader {
meta:
description = "Trojan Downloader - Flash Exploit Feb15"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://goo.gl/wJ8V1I"
date = "2015/02/11"
hash = "5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e"
score = 60
strings:
$x1 = "Hello World!" fullword ascii
$x2 = "CONIN$" fullword ascii
$s6 = "GetCommandLineA" fullword ascii
$s7 = "ExitProcess" fullword ascii
$s8 = "CreateFileA" fullword ascii
$s5 = "SetConsoleMode" fullword ascii
$s9 = "TerminateProcess" fullword ascii
$s10 = "GetCurrentProcess" fullword ascii
$s11 = "UnhandledExceptionFilter" fullword ascii
$s3 = "user32.dll" fullword ascii
$s16 = "GetEnvironmentStrings" fullword ascii
$s2 = "GetLastActivePopup" fullword ascii
$s17 = "GetFileType" fullword ascii
$s19 = "HeapCreate" fullword ascii
$s20 = "VirtualFree" fullword ascii
$s21 = "WriteFile" fullword ascii
$s22 = "GetOEMCP" fullword ascii
$s23 = "VirtualAlloc" fullword ascii
$s24 = "GetProcAddress" fullword ascii
$s26 = "FlushFileBuffers" fullword ascii
$s27 = "SetStdHandle" fullword ascii
$s28 = "KERNEL32.dll" fullword ascii
condition:
$x1 and $x2 and ( all of ($s*) ) and filesize < 35000
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-08-01
Identifier: IsmDoor
Reference: https://twitter.com/Voulnet/status/892104753295110145
License: http://creativecommons.org/licenses/by-nc-sa/4.0/
*/
/* Rule Set ----------------------------------------------------------------- */
rule IsmDoor_Jul17_A2 {
meta:
description = "Detects IsmDoor Malware"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://twitter.com/Voulnet/status/892104753295110145"
date = "2017-08-01"
hash1 = "be72c89efef5e59c4f815d2fce0da5a6fac8c90b86ee0e424868d4ae5e550a59"
hash2 = "ea1be14eb474c9f70e498c764aaafc8b34173c80cac9a8b89156e9390bd87ba8"
strings:
$s1 = "powershell -exec bypass -file \"" fullword ascii
$s2 = "PAQlFcaWUaFkVICEx2CkNCUUpGcA" ascii
$s3 = "\\Documents" fullword ascii
$s4 = "\\Libraries" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
}
rule Unknown_Malware_Sample_Jul17_2 {
meta:
description = "Detects unknown malware sample with pastebin RAW URL"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "https://goo.gl/iqH8CK"
date = "2017-08-01"
hash1 = "3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52"
strings:
$s1 = "4System.Web.Services.Protocols.SoapHttpClientProtocol" fullword ascii
$s2 = "https://pastebin.com/raw/" wide
$s3 = "My.Computer" fullword ascii
$s4 = "MyTemplate" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
rule MAL_unspecified_Jan18_1 {
meta:
description = "Detects unspecified malware sample"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "Internal Research"
date = "2018-01-19"
hash1 = "f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417"
strings:
$s1 = "User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii
$s2 = "ping 192.0.2.2 -n 1 -w %d >nul 2>&1" fullword ascii
$s3 = "[Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword ascii
$s4 = "start /b \"\" cmd /c del \"%%~f0\"&exit /b" fullword ascii
$s5 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword ascii
$s6 = "%s\\%s.bat" fullword ascii
$s7 = "DEL /s \"%s\" >nul 2>&1" fullword ascii
condition:
filesize < 300KB and 2 of them
}
Reference in New Issue View Git Blame Copy Permalink