mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-07 02:25:19 +00:00
60 lines
1.8 KiB
Plaintext
60 lines
1.8 KiB
Plaintext
/*
|
|
Yara Rule Set
|
|
Author: Dragos Inc
|
|
Date: 2016-06-12
|
|
Identifier: Crash Override
|
|
*/
|
|
|
|
import "pe"
|
|
|
|
rule dragos_crashoverride_suspcious
|
|
{
|
|
meta:
|
|
description = "CRASHOVERRIDE v1 Wiper"
|
|
author = "Dragos Inc"
|
|
reference = "https://t.co/h8QaIP4FU8"
|
|
strings:
|
|
$s0 = "SYS_BASCON.COM" fullword nocase wide
|
|
$s1 = ".pcmp" fullword nocase wide
|
|
$s2 = ".pcmi" fullword nocase wide
|
|
$s3 = ".pcmt" fullword nocase wide
|
|
$s4 = ".cin" fullword nocase wide
|
|
condition:
|
|
pe.exports("Crash") and any of ($s*)
|
|
}
|
|
|
|
rule dragos_crashoverride_exporting_dlls {
|
|
meta:
|
|
description = "CRASHOVERRIDE v1 Suspicious Export"
|
|
author = "Dragos Inc"
|
|
reference = "https://t.co/h8QaIP4FU8"
|
|
condition:
|
|
pe.exports("Crash") & pe.characteristics
|
|
}
|
|
|
|
rule dragos_crashoverride_name_search {
|
|
meta:
|
|
description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
|
|
author = "Dragos Inc"
|
|
reference = "https://t.co/h8QaIP4FU8"
|
|
strings:
|
|
$s0 = "101.dll" fullword nocase wide
|
|
$s1 = "Crash101.dll" fullword nocase wide
|
|
$s2 = "104.dll" fullword nocase wide
|
|
$s3 = "Crash104.dll" fullword nocase wide
|
|
$s4 = "61850.dll" fullword nocase wide
|
|
$s5 = "Crash61850.dll" fullword nocase wide
|
|
$s6 = "OPCClientDemo.dll" fullword nocase wide
|
|
$s7 = "OPC" fullword nocase wide
|
|
$s8 = "CrashOPCClientDemo.dll" fullword nocase wide
|
|
$s9 = "D2MultiCommService.exe" fullword nocase wide
|
|
$s10 = "CrashD2MultiCommService.exe" fullword nocase wide $s11 = "61850.exe" fullword nocase wide
|
|
$s12 = "OPC.exe" fullword nocase wide
|
|
$s13 = "haslo.exe" fullword nocase wide
|
|
$s14 = "haslo.dat" fullword nocase wide
|
|
condition:
|
|
any of ($s*) and pe.exports("Crash")
|
|
}
|
|
|
|
|
|
|