Sneed-Reactivity/yara-mikesxrs/M4r14ch1/Havex_NetScan.yar

17 lines
804 B
Text
Raw Normal View History

rule Havex_NetScan_Malware {
meta:
description = "This rule will search for known indicators of a Havex Network Scan module infection. This module looks for hosts listening on known ICS-related ports to identify OPC or ICS systems and the file created when the scanning data is written."
author = "M4r14ch1"
reference = "https://github.com/M4r14ch1/Havex-Network-Scanner-Modules"
date = "2015/12/21"
strings:
$s0 = "~tracedscn.yls" wide nocase //yls file created in temp directory
$s1 = { 2B E2 ?? } //Measuresoft ScadaPro
$s2 = { 30 71 ?? } //7-Technologies IGSS SCADA
/* $s3 = { 0A F1 2? } //Rslinx*/
condition:
$s0 and ($s1 or $s2 /*or $s3*/)
}