/*
Yara Rule Set
Author: Florian Roth
Date: 2016-10-08
Identifier: Malware - October 2016
*/
/* Rule Set ----------------------------------------------------------------- */
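rule Unspecified_Malware_Oct16_A {
    meta:
        description = "Detects an unspecififed malware - October 2016"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2016-10-08"
        score = 80
        hash1 = "d112a7e21902287e4a37112bf17d7c73a7b206e7bc81780fd87991c1519f38c8"
        id = "f62ecf7e-2b66-5567-9bf3-3d3797bc582d"
    strings:
        /* High-confidence indicators: format strings that assemble a
           system32 DLL path and a "svch%s -k nets" command line (reads like
           an svchost.exe -k netsvcs service-host invocation, not confirmed),
           plus a named pipe with a fixed GUID. */
        $x1 = "%s\\system32\\%s.dll" fullword ascii
        $x2 = "%SystemRoot%\\System32\\svch%s -k nets" fullword ascii
        $x3 = "\\\\.\\pipe\\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A" fullword ascii
        /* Supporting indicators, individually weak, hence the 3-of threshold.
           $s1 is the Image File Execution Options key, a well-known
           debugger-hijack persistence location. $s3 has the shape of an
           `at \\host HH:MM command` scheduler command line aimed at a remote
           host. $s6 and $s9 look like UNC / named-pipe paths with the host
           and share filled in at runtime. */
        $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" fullword ascii
        $s2 = "boottemp.exe" fullword ascii
        $s3 = "at \\\\%s %d:%d C:\\%s.exe" fullword ascii
        $s4 = "cryptcom.dll" fullword ascii
        $s5 = "Wininet.dll" fullword ascii
        $s6 = "\\\\%s\\%s\\%s.exe" fullword ascii
        $s7 = "%s%d.exe" fullword ascii
        $s8 = "booter.exe" fullword ascii
        $s9 = "\\\\%s\\pipe%s" fullword ascii
        $s10 = "C:\\DelInfo.bin" fullword ascii
        /* Byte patterns. $op0 is four little-endian 32-bit values
           (0x44ae, 0x44cb, 0x44dc, 0x44f5) - plausibly an offset table, not
           confirmed. The original rule declared this identical sequence twice
           ($op0 and $op1); the duplicate is dropped because it adds no
           detection value and was counted twice by the in-memory branch. */
        $op0 = { ae 44 00 00 cb 44 00 00 dc 44 00 00 f5 44 00 00 }
        $op1 = { ee 11 74 cf 73 0b 91 c4 c9 57 b2 d9 36 86 a5 b4 }
    condition:
        /* File detection: MZ header and size bound, then any one of the
           three evidence groups. */
        ( uint16(0) == 0x5a4d and filesize < 1000KB and (
            2 of ($x*) or 3 of ($s*) or all of ($op*)
        ) )
        /* In-memory detection: no header or size gate, six distinct
           patterns of the 15 declared. NOTE(review): with the duplicate
           removed this branch is marginally stricter than the original,
           where the repeated byte pattern could satisfy two of the six. */
        or ( 6 of them )
}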
rule Sality_Malware_Oct16 {
    meta:
        description = "Detects an unspecififed malware - October 2016"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2016-10-08"
        score = 80
        hash1 = "8eaff5e1d4b55dd6e25f007549271da10afd1fa25064d7105de0ca2735487aad"
        id = "7bf2a818-f7ee-587e-b22e-b557251d89e1"
    strings:
        /* Both strings are weak on their own: a generic UTF-16 "Hello world!"
           and "[LordPE]", which appears to be the marker the LordPE PE editor
           leaves in rebuilt or dumped executables. The rule relies on the
           combination plus the tight size bound; benign binaries processed
           with LordPE can still hit, so triage against hash1 and context. */
        $s1 = "Hello world!" fullword wide
        $s2 = "[LordPE]" fullword ascii
    condition:
        /* MZ header, read big-endian (same two bytes as uint16(0) == 0x5a4d) */
        uint16be(0) == 0x4d5a
        and filesize < 300KB
        and all of ($s*)
}
rule Unspecified_Malware_Oct16_C {
    meta:
        description = "Detects an unspecififed malware - October 2016"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2016-10-08"
        score = 80
        hash1 = "a451157f75627b2fef3d663946c94ef7dacb58f08b31d0ec4c0a542a1c4e6205"
        id = "fff98097-a19a-59aa-bece-837c75b0995c"
    strings:
        /* $s1 is "USER32.DLL" as a wide string with a stray leading 'd' -
           presumably the tail of an adjacent UTF-16 string, which is what
           makes it more specific than the bare DLL name; confirm against
           hash1 before loosening. $s2 is a generic file name. Both are
           required, plus a generous 5 MB size bound. */
        $s1 = "dUSER32.DLL" fullword wide
        $s2 = "output.dll" fullword ascii
    condition:
        /* MZ header, read big-endian (same two bytes as uint16(0) == 0x5a4d) */
        uint16be(0) == 0x4d5a
        and filesize < 5000KB
        and all of ($s*)
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-10-08
Identifier: Malware October 2016
*/
/* Rule Set ----------------------------------------------------------------- */
rule Bladabindi_Malware_B64 {
    meta:
        description = "Detects Bladabindi Malware using Base64 encoded strings"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2016-10-08"
        hash1 = "dda668b0792b7679979e61f2038cf9a8ec39415cc161be00d2c8301e7d48768d"
        id = "7f7023be-b6e1-5e1b-af8a-c413a5438ec8"
    strings:
        /* Each string is the Base64 form of a plaintext the sample decodes at
           runtime; the decoded value is given next to each pattern. Base64
           output depends on the 3-byte alignment of the plaintext, so only
           these exact encodings are caught - the same words embedded at a
           different offset in a longer blob would encode differently. */
        $s1 = "XHN5c3RlbTMyXA==" fullword ascii /* '\system32\' */
        $s2 = "RXhlY3V0ZSBFUlJPUg==" fullword ascii /* 'Execute ERROR' */
        $s3 = "dHJvamFuLmV4ZQ==" fullword ascii /* 'trojan.exe' */
        $s4 = "VXBkYXRlIEVSUk9S" fullword ascii /* 'Update ERROR' */
        $s5 = "RG93bmxvYWQgRVJST1I=" fullword ascii /* 'Download ERROR' */
    condition:
        /* A single hit is enough: these encodings are specific, so the rule
           trades a little false-positive tolerance for coverage. */
        uint16be(0) == 0x4d5a
        and filesize < 700KB
        and any of ($s*)
}
rule Dorkbot_Injector_Malware {
    meta:
        description = "Detects Darkbot Injector"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2016-10-08"
        hash1 = "bc3c5ac7180c8ac21d6908d747aa6122154d2bb51bb99ff0e0b1c65088d275dc"
        id = "b32986fe-d6f1-55f2-8d50-bc348b52fb49"
    strings:
        /* The strings read like the prompts and messages of a C tutorial
           program ($s1, $s5, $s7) mixed with song-lyric fragments ($s4,
           $s6) - presumably filler the sample carries to look benign. None
           is malicious by itself, so the rule demands six of the seven; a
           genuine tutorial build could still hit if it reuses this exact
           text, so check hash1 on a match. ($s3 "EYEnpw" is opaque.) */
        $s1 = "Enter an integer, a real number, a character and a string : " fullword ascii
        $s2 = "ready to finish" fullword ascii
        $s3 = "EYEnpw" fullword ascii
        $s4 = "somewhere i belong" fullword ascii
        $s5 = "Not all fields were assigned" fullword ascii
        $s6 = "take down" fullword ascii
        $s7 = "real number = %f" fullword ascii
    condition:
        /* MZ header, read big-endian (same two bytes as uint16(0) == 0x5a4d) */
        uint16be(0) == 0x4d5a
        and filesize < 500KB
        and 6 of ($s*)
}
rule Unspecified_Malware_Oct16_D {
    meta:
        description = "Detects unspecified malware - October 2016"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2016-10-08"
        hash1 = "cd5f3bc0176a6803093ffdea6a7442c416e0d2945b6903063d17f5bb8d17519d"
        id = "6908467c-1ed6-508d-9503-246dd26823e5"
    strings:
        /* Text indicators: two hard-coded executable names (wide) and the
           identifier "passwordIterations", which suggests a key-derivation
           routine with a configurable iteration count - not confirmed. */
        $s1 = "C:\\file.exe" fullword wide
        $s2 = "new.exe" fullword wide
        $s3 = "passwordIterations" fullword ascii
        /* Byte patterns. $op2 decodes as ASCII "<Module>", a NUL, then
           "new.exe", which looks like a fragment of a .NET metadata strings
           heap (the "<Module>" type name followed by the module file name).
           $op1 is a single 'A' followed by UTF-16LE "26b42e7" - presumably
           part of a wide hex-looking string. $op0 is a run of small 16-bit
           little-endian values whose meaning is not recoverable here. */
        $op0 = { 10 00 12 00 1a 00 05 00 01 00 01 00 01 00 10 00 }
        $op1 = { 41 32 00 36 00 62 00 34 00 32 00 65 00 37 00 62 }
        $op2 = { 3c 4d 6f 64 75 6c 65 3e 00 6e 65 77 2e 65 78 65 }
    condition:
        /* MZ header and size bound, then either evidence group in full. */
        uint16be(0) == 0x4d5a
        and filesize < 1000KB
        and (
            all of ($s*)
            or all of ($op*)
        )
}
rule Unspecified_Malware_Oct16_E {
    meta:
        description = "Detects unspecified Malware - October 2016"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2016-10-08"
        hash1 = "28093385130b61f22920c0ce6e56de1f2cd8eef589bebe2af31f36f51f2b4d01"
        id = "fffffe0c-e114-5648-96ea-dd692610e34c"
    strings:
        /* $s2 and $s3 look like the temp directory and file names used by
           the Windows self-extracting (IExpress / wextract style) package
           stub, which legitimate installers also carry - confirm. $s1 is
           the discriminator; on its own it is opaque, so all three are
           required and a match should be checked against hash1. */
        $s1 = "P3pORt" fullword ascii
        $s2 = "msdownld.tmp" fullword ascii
        $s3 = "TMP4351$.TMP" fullword ascii
    condition:
        /* MZ header, read big-endian (same two bytes as uint16(0) == 0x5a4d) */
        uint16be(0) == 0x4d5a
        and filesize < 1000KB
        and all of ($s*)
}