Sneed-Group/Sneed-Reactivity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Sneed-Reactivity/yara-mikesxrs/abhinavbom/abhinavbom_index.yara

323 lines
7.8 KiB
Text
Raw Permalink Normal View History

OMG ISTG PLS WORK RED PILL :red_circle: :pill:
2024-07-25 12:43:35 -05:00
//PlugX APT Malware
rule PlugXXOR
{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
date = "21/09/2015"
description = "rule for PlugX XOR Routine"
ref1 = "7048add2873b08a9693a60135f978686"
strings:
$hex_string = { 05 ?? ?? 00 00 8A D8 2A DC 89 45 FC 32 5D FE 81 E9 ?? ?? 00 00 2A 5D FF 89 4D F8 32 D9 2A DD 32 5D FA 2A 5D FB 32 1C 37 88 1E 46 4A 75 D2 5F 5B }
condition:
all of them
}
//APT1-Group Rule for sample used during exercise
rule BOUNCER_APT1 {
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
date = "21/09/2015"
info = "CommentCrew-threat-apt1"
strings:
$s1 = "*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdg" wide ascii
$s2 = "IDR_DATA%d" wide ascii
$s3 = "asdfqwe123cxz" wide ascii
$s4 = "Mode must be 0(encrypt) or 1(decrypt)." wide ascii
condition:
($s1 and $s2) or ($s3 and $s4)
}
rule banbra : banker
{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
date = "8/06/2015"
strings:
$a = "senha" fullword nocase
$b = "cartao" fullword nocase
$c = "caixa"
$d = "login" fullword nocase
$e = ".com.br"
condition:
#a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/* Certificate Matches for Patterns seen in Duqu 2.0 infection */
/* https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf */
import "pe"
rule honhaicert_goodcheck {
strings:
$honhai = "HON HAI"
condition:
$honhai and pe.version_info["LegalCopyright"] contains "Microsoft"
}
rule sysinternals_not_signed
{
strings:
$sysinternals = "sysinternals" wide nocase
$mz = "MZ"
$url = "technet.microsoft.com" wide
$castuff = "Microsoft Code Signing PCA" wide
condition:
$mz at 0 and $sysinternals and ( not $castuff and not $url)
}
rule Gh0stRAT
{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
date = "21/09/2015"
description = "rule for Gh0stRAT 3.6 variant June 2015"
originalauthor = "John Petrequin (jpetrequin@wapacklabs.com)"
ref1 = "http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/"
ref2= "1d7cb7250cf14ed2b9e1c99facba55df"
strings:
$MZ = "MZ"
$a = "piano.dll"
$b1 = "Programed by Zhou Zhangfa" wide
$b2 = "Please check your Sound Galaxy card." wide
condition:
$MZ and $a and any of ($b*)
}
rule FastPOS
{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
date = "06/10/2016"
description = "rule to detect FastPOS Mutex"
ref1 = "5aabd7876faba0885fccc8b4d095537bd048b6943aaacaf3e01d204450e787c6"
strings:
$string1 = "uniqyeidclaxemain"
$string2 = "http://%s/cdosys.php"
condition:
all of ($string*)
}
//Rule to Catch Intelligence files in the meta of files uploaded. Current rule looks for NSA and MOSAD in meta of samples.
rule catch_intelligence_files
{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
date = "21/09/2015"
description = "catch files"
strings:
$meta1 = "National Security Agency"
$meta3 = "Israeli Secret Intelligence"
$tag1 = "docx"
$tag2 = "doc"
$tag3 = "xls"
$tag4 = "xlxs"
$tag5 = "pdf"
$tag6 = "zip"
$tag7 = "rar"
$tag8 = "xlsb"
condition:
any of ($meta*) and any of ($tag*)
}
//Rule to pick up all the pcaps uploaded to Virustotal. This rule can be very noisy.
rule FE_PCAPs
{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
description = "All pcaps uploaded to VT"
date = "29/07/2015"
strings:
$magic = {D4 C3 B2 A1}
condition:
$magic at 0
}
//Rule to detect all pcap uploads to Virustotal with +3 detection.
rule pcap_positives
{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
description = "All pcaps uploaded to VT with +3 detection rate"
date = "21/06/2015"
strings:
$magic = {D4 C3 B2 A1}
condition:
$magic at 0 and positives > 3
}
//Rule to detect All pcaps submitted to VT and tagged as Exploit kits.
rule ek_submissions
{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
description = "Detects pcaps uploaded to VT and matches IDS detections for Exploit kits"
date = "23/06/2015"
strings:
$magic = {D4 C3 B2 A1}
condition:
$magic at 0 and tags contains "exploit-kit"
}
//EK detection in VT for +3 positive engine detections
rule ek_submissions_2
{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
description = "Detects pcaps uploaded to VT and matches IDS detections for Exploit kits"
date = "23/06/2015"
strings:
$magic = {D4 C3 B2 A1}
condition:
$magic at 0 and tags contains "exploit-kit" and positives >3
}
rule vmdetect_misc : vmdetect
{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
date = "31/10/2015"
description = "Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names."
strings:
$vbox1 = "VBoxService" nocase ascii wide
$vbox2 = "VBoxTray" nocase ascii wide
$vbox3 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase ascii wide
$vbox4 = "SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions" nocase ascii wide
$wine1 = "wine_get_unix_file_name" ascii wide
$vmware1 = "vmmouse.sys" ascii wide
$vmware2 = "VMware Virtual IDE Hard Drive" ascii wide
$miscvm1 = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum" nocase ascii wide
$miscvm2 = "SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum" nocase ascii wide
// Drivers
$vmdrv1 = "hgfs.sys" ascii wide
$vmdrv2 = "vmhgfs.sys" ascii wide
$vmdrv3 = "prleth.sys" ascii wide
$vmdrv4 = "prlfs.sys" ascii wide
$vmdrv5 = "prlmouse.sys" ascii wide
$vmdrv6 = "prlvideo.sys" ascii wide
$vmdrv7 = "prl_pv32.sys" ascii wide
$vmdrv8 = "vpc-s3.sys" ascii wide
$vmdrv9 = "vmsrvc.sys" ascii wide
$vmdrv10 = "vmx86.sys" ascii wide
$vmdrv11 = "vmnet.sys" ascii wide
// SYSTEM\ControlSet001\Services
$vmsrvc1 = "vmicheartbeat" ascii wide
$vmsrvc2 = "vmicvss" ascii wide
$vmsrvc3 = "vmicshutdown" ascii wide
$vmsrvc4 = "vmicexchange" ascii wide
$vmsrvc5 = "vmci" ascii wide
$vmsrvc6 = "vmdebug" ascii wide
$vmsrvc7 = "vmmouse" ascii wide
$vmsrvc8 = "VMTools" ascii wide
$vmsrvc9 = "VMMEMCTL" ascii wide
$vmsrvc10 = "vmware" ascii wide
$vmsrvc11 = "vmx86" ascii wide
$vmsrvc12 = "vpcbus" ascii wide
$vmsrvc13 = "vpc-s3" ascii wide
$vmsrvc14 = "vpcuhub" ascii wide
$vmsrvc15 = "msvmmouf" ascii wide
$vmsrvc16 = "VBoxMouse" ascii wide
$vmsrvc17 = "VBoxGuest" ascii wide
$vmsrvc18 = "VBoxSF" ascii wide
$vmsrvc19 = "xenevtchn" ascii wide
$vmsrvc20 = "xennet" ascii wide
$vmsrvc21 = "xennet6" ascii wide
$vmsrvc22 = "xensvc" ascii wide
$vmsrvc23 = "xenvdb" ascii wide
// Processes
$miscproc1 = "vmware2" ascii wide
$miscproc2 = "vmount2" ascii wide
$miscproc3 = "vmusrvc" ascii wide
$miscproc4 = "vmsrvc" ascii wide
$miscproc5 = "vboxservice" ascii wide
$miscproc6 = "vboxtray" ascii wide
$miscproc7 = "xenservice" ascii wide
$vmware_mac_1a = "00-05-69"
$vmware_mac_1b = "00:05:69"
$vmware_mac_2a = "00-50-56"
$vmware_mac_2b = "00:50:56"
$vmware_mac_3a = "00-0C-29"
$vmware_mac_3b = "00:0C:29"
$vmware_mac_4a = "00-1C-14"
$vmware_mac_4b = "00:1C:14"
$virtualbox_mac_1a = "08-00-27"
$virtualbox_mac_1b = "08:00:27"
condition:
2 of them
}
rule xmlshell{
meta:
author = "@abhinavbom"
maltype = "NA"
version = "0.1"
date = "21/09/2015"
description = "strings within XMLShell used by CommentCrew"
strings:
$STFail = "ST fail"
$STSucc = "ST Success"
$Proc = "Process cmd.exe exited"
$ShellSuccess = "Shell started successfully"
$ShellFail = "Shell started fail"
$KillFail = "Kill Fail"
$KillSucc = "Kill Success"
condition:
all of them
}
Reference in a new issue Copy permalink