Sneed-Reactivity/yara-mikesxrs/1aN0rmus/1aN0rmus_index.yara

397 lines
11 KiB
Text
Raw Permalink Normal View History

rule backdoor_apt_pcclient
{
meta:
author = "@patrickrolsen"
maltype = "APT.PCCLient"
filetype = "DLL"
version = "0.1"
description = "Detects the dropper: 869fa4dfdbabfabe87d334f85ddda234 AKA dw20.dll/msacm32.drv dropped by 4a85af37de44daf5917f545c6fd03902 (RTF)"
date = "2012-10"
strings:
$magic = { 4d 5a } // MZ
$string1 = "www.micro1.zyns.com"
$string2 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
$string3 = "msacm32.drv" wide
$string4 = "C:\\Windows\\Explorer.exe" wide
$string5 = "Elevation:Administrator!" wide
$string6 = "C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdb"
condition:
$magic at 0 and 4 of ($string*)
}
rule pos_memory_scrapper
{
meta:
author = "@patrickrolsen"
maltype = "Point of Sale (POS) Malware Memory Scraper"
version = "0.1"
description = "POS Memory Scraper"
reference = "7f9cdc380eeed16eaab3e48d59f271aa -> http://www.xylibox.com/2013/05/dump-memory-grabber-blackpos.html"
date = "12/30/2013"
strings:
$string1 = "kartoxa" nocase
$string2 = "CC2 region:"
$string3 = "CC memregion:"
$string4 = "target pid:"
$string5 = "scan all processes:"
$string6 = "<pid> <PATTERN>"
condition:
all of ($string*)
}
rule FE_PCAPs
{
meta:
author = "@patrickrolsen"
maltype = "N/A"
version = "0.1"
description = "Find FireEye PCAPs uploaded to Virus Total"
date = "12/30/2013"
strings:
$magic = {D4 C3 B2 A1}
$ip1 = {0A 00 00 ?? C7 10 C7 ??} // "10.0.0.?? -> 199.16.199.??
$ip2 = {C7 10 C7 ?? 0A 00 00 ??} // "199.16.199.?? -> 10.0.0.??"
condition:
$magic at 0 and all of ($ip*)
}
// Point of Sale (POS) Malware
rule pos_memory_scrapper2
{
meta:
author = "@patrickrolsen"
maltype = "Point of Sale (POS) Malware Memory Scraper"
version = "0.2"
description = "POS Memory Scraper"
reference = "7f9cdc380eeed16eaab3e48d59f271aa http://www.xylibox.com/2013/05/dump-memory-grabber-blackpos.html"
date = "01/03/2014"
strings:
$magic = { 4D 5A } // MZ Header
$string1 = "kartoxa" nocase
$string2 = "CC2 region:"
$string3 = "CC memregion:"
$string4 = "target pid:"
$string5 = "scan all processes:"
$string6 = "<pid> <PATTERN>"
$string7 = "KAPTOXA" nocase
condition:
($magic at 0) and all of ($string*)
}
rule pos_malwre_dexter_stardust
{
meta:
author = "@patrickrolsen"
maltype = "Dexter Malware - StarDust Variant"
version = "0.1"
description = "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
reference = "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658"
date = "12/30/2013"
strings:
$magic = { 4D 5A } // MZ Header
$string1 = "ceh_3\\.\\ceh_4\\..\\ceh_6"
$string2 = "Yatoed3fe3rex23030am39497403"
$string3 = "Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19"
$string4 = "CommonFile.exe"
condition:
($magic at 0) and all of ($string*)
}
rule pos_malware_project_hook
{
meta:
author = "@patrickrolsen"
maltype = "Project Hook"
version = "0.1"
description = "Table 1 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
reference = "759154d20849a25315c4970fe37eac59"
date = "12/30/2013"
strings:
$magic = { 4D 5A } // MZ Header
$string1 = "CallImage.exe"
$string2 = "BurpSwim"
$string3 = "Work\\Project\\Load"
$string4 = "WortHisnal"
condition:
($magic at 0) and all of ($string*)
}
rule pdb_strings_Rescator
{
meta:
author = "@patrickrolsen"
maltype = "N/A Threat Intel..."
version = "0.2"
description = "Rescator PDB strings within binaries"
date = "01/03/2014"
strings:
$magic = { 4D 5A } // MZ Header
$pdb1 = "\\Projects\\Rescator" nocase
condition:
($magic at 0) and $pdb1
}
rule rtf_Kaba_jDoe
{
meta:
author = "@patrickrolsen"
maltype = "APT.Kaba"
filetype = "RTF"
version = "0.1"
description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
date = "2013-12-10"
strings:
$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
$author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
$author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
$string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
condition:
($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
}
rule rtf_yahoo_ken
{
meta:
author = "@patrickrolsen"
maltype = "Yahoo Ken"
filetype = "RTF"
version = "0.1"
description = "Test rule"
date = "2013-12-14"
strings:
$magic1 = { 7b 5c 72 74 30 31 } // {\rt01
$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
$magic3 = { 7b 5c 72 74 78 61 33 } // {\rtxa3
$author1 = { 79 61 68 6f 6f 20 6b 65 63 } // "yahoo ken"
condition:
($magic1 or $magic2 or $magic3 at 0) and $author1
}
rule Backdoor_APT_Mongall
{
meta:
author = "@patrickrolsen"
maltype = "Backdoor.APT.Mongall"
version = "0.1"
reference = "fd69a799e21ccb308531ce6056944842"
date = "01/04/2014"
strings:
$author = "author user"
$title = "title Vjkygdjdtyuj" nocase
$comp = "company ooo"
$cretime = "creatim\\yr2012\\mo4\\dy19\\hr15\\min10"
$passwd = "password 00000000"
condition:
all of them
}
rule tran_duy_linh
{
meta:
author = "@patrickrolsen"
maltype = "Misc."
version = "0.1"
reference = "8fa804105b1e514e1998e543cd2ca4ea, 872876cfc9c1535cd2a5977568716ae1, etc."
date = "2013-12-12"
strings:
$magic = {D0 CF 11 E0} //DOCFILE0
$string1 = "Tran Duy Linh" fullword
$string2 = "DLC Corporation" fullword
condition:
$magic at 0 and all of ($string*)
}
rule web_log_review
{
meta:
author = "@patrickrolsen"
version = "0.1"
reference = "Key words in weblogs - Very likely FPs in here."
date = "2013-12-14"
strings:
$s = "GET /.htaccess" nocase
$s0 = "GET /db/main.php" nocase
$s3 = "GET /dbadmin/main.php" nocase
$s4 = "GET /phpinfo.php" nocase
$s5 = "GET /password" nocase
$s6 = "GET /passwd" nocase
$s7 = "GET /phpmyadmin2" nocase
$s8 = "GET /c99shell.php" nocase
$s9 = "GET /c99.php" nocase
$s10 = "GET /response.write" nocase
$s11 = "GET /&dir" nocase
$s12 = "backdoor.php" nocase
$s13 = "GET /.htpasswd" nocase
$s14 = "GET /htaccess.bak" nocase
$s15 = "GET /htaccess.txt" nocase
$s16 = "GET /.bash_history" nocase
$s17 = "GET /_sqladm" nocase
$s18 = "'$IFS/etc/privpasswd;'" nocase
$s19 = ";cat /tmp/config/usr.ini" nocase
$s20 = "v0pCr3w" nocase
$s21 = "eval(base64_decode" nocase
$s22 = "nob0dyCr3w" nocase
$s23 = "eval(gzinflate" nocase
$s24 = "Hacked by" fullword
$s25 = "%5Bcmd%5D" nocase
$s26 = "[cmd]" nocase
$s27 = "union+select" nocase
$s28 = "UNION%20SELECT" nocase
$s29 = "(str_rot13" nocase
condition:
any of ($s*)
}
rule acunetix_web_scanner
{
meta:
author = "@patrickrolsen"
version = "0.1"
reference = "Acunetix Web Scanner"
date = "2013-12-14"
strings:
$s = "acunetix_wvs_security_test"
$s0 = "testasp.vulnweb.com"
$s1 = "GET /www.acunetix.tst"
condition:
any of ($s*)
}
rule php_exploit_GIF
{
meta:
author = "@patrickrolsen"
maltype = "GIF Exploits"
version = "0.1"
reference = "code.google.com/p/caffsec-malware-analysis"
date = "2013-12-14"
strings:
$magic = {47 49 46 38 ?? 61} // GIF8<version>a
$string1 = "; // md5 Login" nocase
$string2 = "; // md5 Password" nocase
$string3 = "shell_exec"
$string4 = "(base64_decode"
$string5 = "<?php"
$string6 = "(str_rot13"
$string7 = {3c 3f 70 68 70} // <?php
condition:
($magic at 0) and any of ($string*)
}
rule html_exploit_GIF
{
meta:
author = "@patrickrolsen"
maltype = "Web Shells"
version = "0.1"
reference = "code.google.com/p/caffsec-malware-analysis"
date = "2013-12-14"
strings:
$magic = {47 49 46 38 ?? 61} // GIF8<version>a
$string1 = {3c 68 74 6d 6c 3e} // <html>
$string2 = {3c 48 54 4d 4c 3e} // <HTML>
condition:
($magic at 0) and (any of ($string*))
}
rule web_shell_crews
{
meta:
author = "@patrickrolsen"
maltype = "Web Shell Crews"
version = "0.4"
reference = "http://www.exploit-db.com/exploits/24905/"
date = "12/29/2013"
strings:
$mz = { 4d 5a } // MZ
$string1 = "v0pCr3w"
$string2 = "BENJOLSHELL"
$string3 = "EgY_SpIdEr"
$string4 = "<title>HcJ"
$string5 = "0wn3d"
$string6 = "OnLy FoR QbH"
$string7 = "wSiLm"
$string8 = "b374k r3c0d3d"
$string9 = "x'1n73ct|d"
$string10 = "## CREATED BY KATE ##"
$string11 = "Ikram Ali"
$string12 = "FeeLCoMz"
$string13 = "s3n4t00r"
$string14 = "FaTaLisTiCz_Fx"
$string15 = "feelscanz.pl"
$string16 = "##[ KONFIGURASI"
$string17 = "Created by Kiss_Me"
$string18 = "Casper_Cell"
$string19 = "# [ CREWET ] #"
$string20 = "BY MACKER"
$string21 = "FraNGky"
$string22 = "1dt.w0lf"
$string23 = "Modification By iFX" nocase
condition:
not $mz at 0 and any of ($string*)
}
rule misc_php_exploits
{
meta:
author = "@patrickrolsen"
version = "0.4"
data = "12/29/2013"
reference = "Virus Total Downloading PHP files and reviewing them..."
strings:
$mz = { 4d 5a } // MZ
$php = "<?php"
$string1 = "eval(gzinflate(str_rot13(base64_decode("
$string2 = "eval(base64_decode("
$string3 = "eval(gzinflate(base64_decode("
$string4 = "cmd.exe /c"
$string5 = "eva1"
$string6 = "urldecode(stripslashes("
$string7 = "preg_replace(\"/.*/e\",\"\\x"
$string8 = "<?php echo \"<script>"
$string9 = "'o'.'w'.'s'" // 'Wi'.'nd'.'o'.'w'.'s'
$string10 = "preg_replace(\"/.*/\".'e',chr"
$string11 = "exp1ode"
$string12 = "cmdexec(\"killall ping;"
$string13 = "r57shell.php"
condition:
not $mz at 0 and $php and any of ($string*)
}
rule zend_framework
{
meta:
author = "@patrickrolsen"
maltype = "Zend Framework"
version = "0.3"
date = ""12/29/2013""
strings:
$mz = { 4d 5a } // MZ
$php = "<?php"
$string = "$zend_framework" nocase
condition:
not $mz at 0 and $php and $string
}
rule jpg_web_shell
{
meta:
author = "@patrickrolsen"
version = "0.1"
data = "12/19/2013"
reference = "http://www.securelist.com/en/blog/208214192/Malware_in_metadata"
strings:
$magic = { ff d8 ff e? } // e0, e1, e8
$string1 = "<script src"
$string2 = "/.*/e"
$string3 = "base64_decode"
condition:
($magic at 0) and 1 of ($string*)
}