Sneed-Reactivity/yara-Neo23x0/crime_mirai.yar

182 lines
7 KiB
Text
Raw Permalink Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2016-10-04
Identifier: Mirai
*/
/* Rule Set ----------------------------------------------------------------- */
rule Mirai_Botnet_Malware {
meta:
description = "Detects Mirai Botnet Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2016-10-04"
modified = "2023-01-27"
hash1 = "05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c"
hash2 = "05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c"
hash3 = "20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4"
hash4 = "2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69"
hash5 = "420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175"
hash6 = "62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6"
hash7 = "70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0"
hash8 = "89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147"
hash9 = "bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4"
hash10 = "c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f"
hash11 = "d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89"
hash12 = "f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5"
hash13 = "fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b"
id = "a678e9f7-d516-5bdb-962e-b9d39d8a64bb"
strings:
$x1 = "POST /cdn-cgi/" ascii
$x2 = "/dev/misc/watchdog" fullword ascii
$x3 = "/dev/watchdog" ascii
$x5 = ".mdebug.abi32" fullword ascii
$s1 = "LCOGQGPTGP" fullword ascii
$s2 = "QUKLEKLUKVJOG" fullword ascii
$s3 = "CFOKLKQVPCVMP" fullword ascii
$s4 = "QWRGPTKQMP" fullword ascii
$s5 = "HWCLVGAJ" fullword ascii
$s6 = "NKQVGLKLE" fullword ascii
condition:
uint16(0) == 0x457f and filesize < 200KB and
(
( 1 of ($x*) and 1 of ($s*) ) or
4 of ($s*)
)
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2017-05-12
Identifier: Mirai
Reference: Internal Research
*/
/* Rule Set ----------------------------------------------------------------- */
rule Mirai_1_May17 {
meta:
description = "Detects Mirai Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-05-12"
super_rule = 1
hash1 = "172d050cf0d4e4f5407469998857b51261c80209d9fa5a2f5f037f8ca14e85d2"
hash2 = "9ba8def84a0bf14f682b3751b8f7a453da2cea47099734a72859028155b2d39c"
hash3 = "a393449a5f19109160384b13d60bb40601af2ef5f08839b5223f020f1f83e990"
id = "ac85ee28-a01f-5c3d-a534-0c19a3dc92e7"
strings:
$s1 = "GET /bins/mirai.x86 HTTP/1.0" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 5000KB and all of them )
}
rule Miari_2_May17 {
meta:
description = "Detects Mirai Malware"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-05-12"
super_rule = 1
hash1 = "9ba8def84a0bf14f682b3751b8f7a453da2cea47099734a72859028155b2d39c"
hash2 = "a393449a5f19109160384b13d60bb40601af2ef5f08839b5223f020f1f83e990"
id = "1c2cc98d-8ca5-5055-8f86-7f85c046ccd9"
strings:
$s1 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36" fullword ascii
$s2 = "GET /g.php HTTP/1.1" fullword ascii
$s3 = "https://%[^/]/%s" fullword ascii
$s4 = "pass\" value=\"[^\"]*\"" fullword ascii
$s5 = "jbeupq84v7.2y.net" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 5000KB and 2 of them )
}
rule MAL_ELF_LNX_Mirai_Oct10_1 {
meta:
description = "Detects ELF Mirai variant"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-10-27"
modified = "2023-01-27"
hash1 = "3be2d250a3922aa3f784e232ce13135f587ac713b55da72ef844d64a508ddcfe"
id = "7bb28f03-03ba-581a-bc03-bd09a52787d9"
strings:
$x1 = " -r /vi/mips.bushido; "
$x2 = "/bin/busybox chmod 777 * /tmp/" ascii
$s1 = "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" fullword ascii
$s2 = "loadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>" fullword ascii
$s3 = "POST /cdn-cgi/" ascii
condition:
uint16(0) == 0x457f and filesize < 200KB and (
( 1 of ($x*) and 1 of ($s*) ) or
all of ($x*)
)
}
rule MAL_ELF_LNX_Mirai_Oct10_2 {
meta:
description = "Detects ELF malware Mirai related"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-10-27"
hash1 = "fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9"
id = "421b7708-030e-50d1-bf2e-e91758a48c00"
strings:
$c01 = { 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00
20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D
41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A }
condition:
uint16(0) == 0x457f and filesize < 200KB and all of them
}
rule MAL_Mirai_Nov19_1 {
meta:
description = "Detects Mirai malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/bad_packets/status/1194049104533282816"
date = "2019-11-13"
hash1 = "bbb83da15d4dabd395996ed120435e276a6ddfbadafb9a7f096597c869c6c739"
hash2 = "fadbbe439f80cc33da0222f01973f27cce9f5ab0709f1bfbf1a954ceac5a579b"
id = "40edcb29-9e10-5b87-ba79-8e3f629829e5"
strings:
$s1 = "SERVZUXO" fullword ascii
$s2 = "-loldongs" fullword ascii
$s3 = "/dev/null" fullword ascii
$s4 = "/bin/busybox" fullword ascii
$sc1 = { 47 72 6F 75 70 73 3A 09 30 }
condition:
uint16(0) == 0x457f and filesize <= 100KB and 4 of them
}
rule MAL_ARM_LNX_Mirai_Mar13_2022 {
meta:
description = "Detects new ARM Mirai variant"
author = "Mehmet Ali Kerimoglu a.k.a. CYB3RMX"
date = "2022-03-16"
hash1 = "0283b72913b8a78b2a594b2d40ebc3c873e4823299833a1ff6854421378f5a68"
id = "54d8860e-fc45-5571-b68c-66590c67a705"
strings:
$str1 = "/home/landley/aboriginal/aboriginal/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm"
$str2 = "/home/landley/aboriginal/aboriginal/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm"
$str3 = "/home/landley/aboriginal/aboriginal/build/temp-armv6l/gcc-core/gcc/config/arm"
$str4 = "/home/landley/aboriginal/aboriginal/build/simple-cross-compiler-armv6l/bin/../cc/include"
$attck1 = "attack.c"
$attck2 = "attacks.c"
$attck3 = "anti_gdb_entry"
$attck4 = "resolve_cnc_addr"
$attck5 = "attack_gre_eth"
$attck6 = "attack_udp_generic"
$attck7 = "attack_get_opt_ip"
$attck8 = "attack_icmpecho"
condition:
uint16(0) == 0x457f and ( 3 of ($str*) or 4 of ($attck*) )
}