Sneed-Reactivity/yara-Neo23x0/gen_cn_hacktools.yar

2588 lines
99 KiB
Text
Raw Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2015-06-13
Identifier: CN-Tools Hacktools
Reference: Diclosed hacktool set at http://w2op.us/ (Mirror: http://tools.zjqhr.com)
*/
rule mswin_check_lm_group {
meta:
description = "Chinese Hacktool Set - file mswin_check_lm_group.exe"
author = "Florian Roth (Nextron Systems)"
score = 70
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2021-03-15"
hash = "115d87d7e7a3d08802a9e5fd6cd08e2ec633c367"
id = "be17981a-7cbf-55ac-bc81-9330472fc814"
strings:
$s1 = "Valid_Global_Groups: checking group membership of '%s\\%s'." fullword ascii
$s2 = "Usage: %s [-D domain][-G][-P][-c][-d][-h]" fullword ascii
$s3 = "-D default user Domain" fullword ascii
$fp1 = "Panda Security S.L." ascii wide
condition:
uint16(0) == 0x5a4d and filesize < 380KB and all of ($s*)
and not 1 of ($fp*)
}
rule WAF_Bypass {
meta:
description = "Chinese Hacktool Set - file WAF-Bypass.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "860a9d7aac2ce3a40ac54a4a0bd442c6b945fa4e"
id = "d9f40934-873b-5e73-9198-987966027edc"
strings:
$s1 = "Email: blacksplitn@gmail.com" fullword wide
$s2 = "User-Agent:" fullword wide
$s3 = "Send Failed.in RemoteThread" fullword ascii
$s4 = "www.example.com" fullword wide
$s5 = "Get Domain:%s IP Failed." fullword ascii
$s6 = "Connect To Server Failed." fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 7992KB and 5 of them
}
rule Guilin_veterans_cookie_spoofing_tool {
meta:
description = "Chinese Hacktool Set - file Guilin veterans cookie spoofing tool.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2023-01-27"
hash = "06b1969bc35b2ee8d66f7ce8a2120d3016a00bb1"
id = "13f78e0b-c975-5879-9af1-8c619d6c94a9"
strings:
$s0 = "kernel32.dll^G" fullword ascii
$s1 = "\\.Sus\"B" ascii
$s4 = "u56Load3" fullword ascii
$s11 = "O MYTMP(iM) VALUES (" ascii
condition:
uint16(0) == 0x5a4d and filesize < 1387KB and all of them
}
rule MarathonTool {
meta:
description = "Chinese Hacktool Set - file MarathonTool.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "084a27cd3404554cc799d0e689f65880e10b59e3"
id = "23513361-ecac-5ddb-92b9-4dd8da12e8db"
strings:
$s0 = "MarathonTool" ascii
$s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii
$s18 = "SELECT UNICODE(SUBSTRING((system_user),{0},1))" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1040KB and all of them
}
rule PLUGIN_TracKid {
meta:
description = "Chinese Hacktool Set - file TracKid.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "a114181b334e850d4b33e9be2794f5bb0eb59a09"
id = "8dd77df1-748e-5778-be40-38b794c74b97"
strings:
$s0 = "E-mail: cracker_prince@163.com" fullword ascii
$s1 = ".\\TracKid Log\\%s.txt" fullword ascii
$s2 = "Coded by prince" fullword ascii
$s3 = "TracKid.dll" fullword ascii
$s4 = ".\\TracKid Log" fullword ascii
$s5 = "%08x -- %s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and 3 of them
}
rule Pc_pc2015 {
meta:
description = "Chinese Hacktool Set - file pc2015.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "de4f098611ac9eece91b079050b2d0b23afe0bcb"
id = "aa7c0b5e-91c3-52cc-9e06-b4648d0b8825"
strings:
$s0 = "\\svchost.exe" ascii
$s1 = "LON\\OD\\O-\\O)\\O%\\O!\\O=\\O9\\O5\\O1\\O" fullword ascii
$s8 = "%s%08x.001" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 309KB and all of them
}
rule sekurlsa {
meta:
description = "Chinese Hacktool Set - file sekurlsa.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
id = "b65dc578-e5a1-57e6-bd98-2c45cd07e857"
strings:
$s1 = "Bienvenue dans un processus distant" fullword wide
$s2 = "Format d'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur" wide
$s3 = "SECURITY\\Policy\\Secrets" fullword wide
$s4 = "Injection de donn" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1150KB and all of them
}
rule mysqlfast {
meta:
description = "Chinese Hacktool Set - file mysqlfast.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "32b60350390fe7024af7b4b8fbf50f13306c546f"
id = "93ee91cd-a6b8-5ed9-b750-779f88032be6"
strings:
$s2 = "Invalid password hash: %s" fullword ascii
$s3 = "-= MySql Hash Cracker =- " fullword ascii
$s4 = "Usage: %s hash" fullword ascii
$s5 = "Hash: %08lx%08lx" fullword ascii
$s6 = "Found pass: " fullword ascii
$s7 = "Pass not found" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 900KB and 4 of them
}
rule DTools2_02_DTools {
meta:
description = "Chinese Hacktool Set - file DTools.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "9f99771427120d09ec7afa3b21a1cb9ed720af12"
id = "fc812797-12d8-596a-8ebe-dd8b0d7a4b7e"
strings:
$s0 = "kernel32.dll" ascii
$s1 = "TSETPASSWORDFORM" fullword wide
$s2 = "TGETNTUSERNAMEFORM" fullword wide
$s3 = "TPORTFORM" fullword wide
$s4 = "ShellFold" fullword ascii
$s5 = "DefaultPHotLigh" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
rule dll_PacketX {
meta:
description = "Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
score = 50
hash = "3f0908e0a38512d2a4fb05a824aa0f6cf3ba3b71"
id = "19ab5977-934d-5e3f-8bba-925bb57bf486"
strings:
$s9 = "[Failed to load winpcap packet.dll." wide
$s10 = "PacketX Version" wide
condition:
uint16(0) == 0x5a4d and filesize < 1920KB and all of them
}
rule SqlDbx_zhs {
meta:
description = "Chinese Hacktool Set - file SqlDbx_zhs.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "e34228345498a48d7f529dbdffcd919da2dea414"
id = "31c49755-f1bd-5ecb-91ff-1040e40983ab"
strings:
$s0 = "S.failed_logins \"Failed Login Attempts\", " fullword ascii
$s7 = "SELECT ROLE, PASSWORD_REQUIRED FROM SYS.DBA_ROLES ORDER BY ROLE" fullword ascii
$s8 = "SELECT spid 'SPID', status 'Status', db_name (dbid) 'Database', loginame 'Login'" ascii
$s9 = "bcp.exe <:schema:>.<:table:> out \"<:file:>\" -n -S <:server:> -U <:user:> -P <:" ascii
$s11 = "L.login_policy_name AS \"Login Policy\", " fullword ascii
$s12 = "mailto:support@sqldbx.com" fullword ascii
$s15 = "S.last_login_time \"Last Login\", " fullword ascii
condition:
uint16(0) == 0x5a4d and 4 of them
}
rule ms10048_x86 {
meta:
description = "Chinese Hacktool Set - file ms10048-x86.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "e57b453966e4827e2effa4e153f2923e7d058702"
id = "373f0419-5a7d-5f01-968c-5d3e7b1c0670"
strings:
$s1 = "[ ] Resolving PsLookupProcessByProcessId" fullword ascii
$s2 = "The target is most likely patched." fullword ascii
$s3 = "Dojibiron by Ronald Huizer, (c) master@h4cker.us ." fullword ascii
$s4 = "[ ] Creating evil window" fullword ascii
$s5 = "%sHANDLEF_INDESTROY" fullword ascii
$s6 = "[+] Set to %d exploit half succeeded" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 4 of them
}
rule Dos_ch {
meta:
description = "Chinese Hacktool Set - file ch.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "60bbb87b08af840f21536b313a76646e7c1f0ea7"
id = "2e8319de-fe54-5083-968c-4707d127f072"
strings:
$s0 = "/Churraskito/-->Usage: Churraskito.exe \"command\" " fullword ascii
$s4 = "fuck,can't find WMI process PID." fullword ascii
$s5 = "/Churraskito/-->Found token %s " fullword ascii
$s8 = "wmiprvse.exe" fullword ascii
$s10 = "SELECT * FROM IIsWebInfo" fullword ascii
$s17 = "WinSta0\\Default" fullword ascii /* Goodware String - occured 22 times */
condition:
uint16(0) == 0x5a4d and filesize < 260KB and 3 of them
}
rule DUBrute_DUBrute {
meta:
description = "Chinese Hacktool Set - file DUBrute.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "8aaae91791bf782c92b97c6e1b0f78fb2a9f3e65"
id = "10aa2017-d563-5953-8672-dbc13ff6b3cf"
strings:
$s1 = "IP - %d; Login - %d; Password - %d; Combination - %d" fullword ascii
$s2 = "IP - 0; Login - 0; Password - 0; Combination - 0" fullword ascii
$s3 = "Create %d IP@Loginl;Password" fullword ascii
$s4 = "UBrute.com" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1020KB and all of them
}
rule CookieTools {
meta:
description = "Chinese Hacktool Set - file CookieTools.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "b6a3727fe3d214f4fb03aa43fb2bc6fadc42c8be"
id = "893884e5-6f4c-5f67-9382-8bf1ee45a257"
strings:
$s0 = "http://210.73.64.88/doorway/cgi-bin/getclientip.asp?IP=" fullword ascii
$s2 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
$s3 = "Connection Closed Gracefully.;Could not bind socket. Address and port are alread" wide
$s8 = "OnGetPasswordP" fullword ascii
$s12 = "http://www.chinesehack.org/" ascii
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and 4 of them
}
rule update_PcInit {
meta:
description = "Chinese Hacktool Set - file PcInit.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "a6facc4453f8cd81b8c18b3b3004fa4d8e2f5344"
id = "71c34049-97a2-5611-a081-21a85f8631d9"
strings:
$s1 = "\\svchost.exe" ascii
$s2 = "%s%08x.001" fullword ascii
$s3 = "Global\\ps%08x" fullword ascii
$s4 = "drivers\\" ascii /* Goodware String - occured 2 times */
$s5 = "StrStrA" fullword ascii /* Goodware String - occured 43 times */
$s6 = "StrToIntA" fullword ascii /* Goodware String - occured 44 times */
condition:
uint16(0) == 0x5a4d and filesize < 50KB and all of them
}
rule dat_NaslLib {
meta:
description = "Chinese Hacktool Set - file NaslLib.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "fb0d4263118faaeed2d68e12fab24c59953e862d"
id = "d5ce72a4-c2b0-50b2-85bb-acf0bfd354e0"
strings:
$s1 = "nessus_get_socket_from_connection: fd <%d> is closed" fullword ascii
$s2 = "[*] \"%s\" completed, %d/%d/%d/%d:%d:%d - %d/%d/%d/%d:%d:%d" fullword ascii
$s3 = "A FsSniffer backdoor seems to be running on this port%s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1360KB and all of them
}
rule Dos_1 {
meta:
description = "Chinese Hacktool Set - file 1.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "b554f0687a12ec3a137f321cc15e052ff219f28c"
id = "3f1cc1b3-bce2-5a29-849e-ee7deb5e8809"
strings:
$s1 = "/churrasco/-->Usage: Churrasco.exe \"command to run\"" fullword ascii
$s2 = "/churrasco/-->Done, command should have ran as SYSTEM!" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
rule OtherTools_servu {
meta:
description = "Chinese Hacktool Set - file svu.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "5c64e6879a9746a0d65226706e0edc7a"
id = "b750d090-8726-5d21-98ba-6cb050cb7174"
strings:
$s0 = "MZKERNEL32.DLL" fullword ascii
$s1 = "UpackByDwing@" fullword ascii
$s2 = "GetProcAddress" fullword ascii
$s3 = "WriteFile" fullword ascii
condition:
uint32(0) == 0x454b5a4d and $s0 at 0 and filesize < 50KB and all of them
}
rule ustrrefadd {
meta:
description = "Chinese Hacktool Set - file ustrrefadd.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "b371b122460951e74094f3db3016264c9c8a0cfa"
id = "e6701e7e-bb15-5e0c-822b-3e29342e083c"
strings:
$s0 = "E-Mail : admin@luocong.com" fullword ascii
$s1 = "Homepage: http://www.luocong.com" fullword ascii
$s2 = ": %d - " fullword ascii
$s3 = "ustrreffix.dll" fullword ascii
$s5 = "Ultra String Reference plugin v%d.%02d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 320KB and all of them
}
rule XScanLib {
meta:
description = "Chinese Hacktool Set - file XScanLib.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
id = "e1e2cfad-7cbb-51c3-9b55-648c47af641e"
strings:
$s4 = "XScanLib.dll" fullword ascii
$s6 = "Ports/%s/%d" fullword ascii
$s8 = "DEFAULT-TCP-PORT" fullword ascii
$s9 = "PlugCheckTcpPort" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 360KB and all of them
}
rule IDTools_For_WinXP_IdtTool {
meta:
description = "Chinese Hacktool Set - file IdtTool.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "ebab6e4cb7ea82c8dc1fe4154e040e241f4672c6"
id = "c157d467-87f8-59d5-a3ba-e4fbeeba767d"
strings:
$s2 = "IdtTool.sys" fullword ascii
$s4 = "Idt Tool bY tMd[CsP]" fullword wide
$s6 = "\\\\.\\slIdtTool" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 25KB and all of them
}
rule GoodToolset_ms11046 {
meta:
description = "Chinese Hacktool Set - file ms11046.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "f8414a374011fd239a6c6d9c6ca5851cd8936409"
id = "a4703861-02a9-5d93-b6de-c3664ca8abb9"
strings:
$s1 = "[*] Token system command" fullword ascii
$s2 = "[*] command add user 90sec 90sec" fullword ascii
$s3 = "[*] Add to Administrators success" fullword ascii
$s4 = "[*] User has been successfully added" fullword ascii
$s5 = "Program: %s%s%s%s%s%s%s%s%s%s%s" fullword ascii /* Goodware String - occured 3 times */
condition:
uint16(0) == 0x5a4d and filesize < 840KB and 2 of them
}
rule Cmdshell32 {
meta:
description = "Chinese Hacktool Set - file Cmdshell32.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "3c41116d20e06dcb179e7346901c1c11cd81c596"
id = "f1dfb5a1-4292-5895-8310-913cfdf4d9d0"
strings:
$s1 = "cmdshell.exe" fullword wide
$s2 = "cmdshell" fullword ascii
$s3 = "[Root@CmdShell ~]#" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 62KB and all of them
}
rule Sniffer_analyzer_SSClone_1210_full_version {
meta:
description = "Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "6882125babb60bd0a7b2f1943a40b965b7a03d4e"
id = "69dac4bf-483d-5888-a748-1a52cf372066"
strings:
$s0 = "http://www.vip80000.com/hot/index.html" fullword ascii
$s1 = "GetConnectString" fullword ascii
$s2 = "CnCerT.Safe.SSClone.dll" fullword ascii
$s3 = "(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3580KB and all of them
}
rule x64_klock {
meta:
description = "Chinese Hacktool Set - file klock.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc"
id = "7065a4fb-c867-5a94-b6bb-5b60085bea15"
strings:
$s1 = "Bienvenue dans un processus distant" fullword wide
$s2 = "klock.dll" fullword ascii
$s3 = "Erreur : le bureau courant (" wide
$s4 = "klock de mimikatz pour Windows" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 907KB and all of them
}
rule Dos_Down32 {
meta:
description = "Chinese Hacktool Set - file Down32.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "0365738acd728021b0ea2967c867f1014fd7dd75"
id = "e56c254d-1238-5786-8e8a-f9122b0310a9"
strings:
$s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide
$s6 = "down.exe" fullword wide
$s15 = "get_Form1" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 137KB and all of them
}
rule MarathonTool_2 {
meta:
description = "Chinese Hacktool Set - file MarathonTool.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "75b5d25cdaa6a035981e5a33198fef0117c27c9c"
id = "20151673-6779-58ce-872c-81e74a96597d"
strings:
$s3 = "http://localhost/retomysql/pista.aspx?id_pista=1" fullword wide
$s6 = "SELECT ASCII(SUBSTR(username,{0},1)) FROM USER_USERS" fullword wide
$s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
rule scanms_scanms {
meta:
description = "Chinese Hacktool Set - file scanms.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "47787dee6ddea2cb44ff27b6a5fd729273cea51a"
id = "50393220-35ae-5d3b-ae3f-5d5eb036c043"
strings:
$s1 = "--- ScanMs Tool --- (c) 2003 Internet Security Systems ---" fullword ascii
$s2 = "Scans for systems vulnerable to MS03-026 vuln" fullword ascii
$s3 = "More accurate for WinXP/Win2k, less accurate for WinNT" fullword ascii /* PEStudio Blacklist: os */
$s4 = "added %d.%d.%d.%d-%d.%d.%d.%d" fullword ascii
$s5 = "Internet Explorer 1.0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and 3 of them
}
rule CN_Tools_PcShare {
meta:
description = "Chinese Hacktool Set - file PcShare.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "ee7ba9784fae413d644cdf5a093bd93b73537652"
id = "0c4e9f9b-9839-56a0-be21-a4e9f19cdfdb"
strings:
$s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide
$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
$s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide
$s5 = "port=%s;name=%s;pass=%s;" fullword wide
$s16 = "%s\\ini\\*.dat" fullword wide
$s17 = "pcinit.exe" fullword wide
$s18 = "http://www.pcshare.cn" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 6000KB and 3 of them
}
rule pw_inspector {
meta:
description = "Chinese Hacktool Set - file pw-inspector.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "4f8e3e101098fc3da65ed06117b3cb73c0a66215"
id = "888db647-c5d0-5b1b-bcd2-512c1ebeadea"
strings:
$s1 = "-m MINLEN minimum length of a valid password" fullword ascii
$s2 = "http://www.thc.org" fullword ascii
$s3 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 460KB and all of them
}
rule Dll_LoadEx {
meta:
description = "Chinese Hacktool Set - file Dll_LoadEx.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "213d9d0afb22fe723ff570cf69ff8cdb33ada150"
id = "51235448-751e-51ce-93f8-da48eddb2b7f"
strings:
$s0 = "WiNrOOt@126.com" fullword wide
$s1 = "Dll_LoadEx.EXE" fullword wide
$s3 = "You Already Loaded This DLL ! :(" ascii
$s10 = "Dll_LoadEx Microsoft " fullword wide
$s17 = "Can't Load This Dll ! :(" ascii
$s18 = "WiNrOOt" fullword wide
$s20 = " Dll_LoadEx(&A)..." fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 120KB and 3 of them
}
rule dat_report {
meta:
description = "Chinese Hacktool Set - file report.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "4582a7c1d499bb96dad8e9b227e9d5de9becdfc2"
id = "c77633a7-0c2f-5efa-b58b-635546bfec95"
strings:
$s1 = "<a href=\"http://www.xfocus.net\">X-Scan</a>" fullword ascii
$s2 = "REPORT-ANALYSIS-OF-HOST" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 480KB and all of them
}
rule Dos_iis7 {
meta:
description = "Chinese Hacktool Set - file iis7.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "0a173c5ece2fd4ac8ecf9510e48e95f43ab68978"
id = "8813b7a2-0d44-5f26-80ab-0f493c09a027"
strings:
$s0 = "\\\\localhost" fullword ascii
$s1 = "iis.run" fullword ascii
$s3 = ">Could not connecto %s" fullword ascii
$s5 = "WHOAMI" ascii
$s13 = "WinSta0\\Default" fullword ascii /* Goodware String - occured 22 times */
condition:
uint16(0) == 0x5a4d and filesize < 140KB and all of them
}
rule SwitchSniffer {
meta:
description = "Chinese Hacktool Set - file SwitchSniffer.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "1e7507162154f67dff4417f1f5d18b4ade5cf0cd"
id = "6019f042-10ab-5899-8b1b-28b2609e9623"
strings:
$s0 = "NextSecurity.NET" fullword wide
$s2 = "SwitchSniffer Setup" fullword wide
condition:
uint16(0) == 0x5a4d and all of them
}
rule dbexpora {
meta:
description = "Chinese Hacktool Set - file dbexpora.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "b55b007ef091b2f33f7042814614564625a8c79f"
id = "43297ce9-60f3-5b69-b7d8-904fffe622fe"
strings:
$s0 = "SELECT A.USER FROM SYS.USER_USERS A " fullword ascii
$s12 = "OCI 8 - OCIDescriptorFree" fullword ascii
$s13 = "ORACommand *" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 835KB and all of them
}
rule SQLCracker {
meta:
description = "Chinese Hacktool Set - file SQLCracker.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "1aa5755da1a9b050c4c49fc5c58fa133b8380410"
id = "7d7ff2cf-81fb-5a04-a97f-577c306137a9"
strings:
$s0 = "msvbvm60.dll" fullword ascii /* reversed goodware string 'lld.06mvbvsm' */
$s1 = "_CIcos" fullword ascii
$s2 = "kernel32.dll" fullword ascii
$s3 = "cKmhV" fullword ascii
$s4 = "080404B0" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 125KB and all of them
}
rule FreeVersion_debug {
meta:
description = "Chinese Hacktool Set - file debug.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "d11e6c6f675b3be86e37e50184dadf0081506a89"
id = "2d69a39a-0da5-56ca-87a5-9116dea6c950"
strings:
$s0 = "c:\\Documents and Settings\\Administrator\\" ascii
$s1 = "Got WMI process Pid: %d" ascii
$s2 = "This exploit will execute" ascii
$s6 = "Found token %s " ascii
$s7 = "Running reverse shell" ascii
$s10 = "wmiprvse.exe" fullword ascii
$s12 = "SELECT * FROM IIsWebInfo" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 820KB and 3 of them
}
rule Dos_look {
meta:
description = "Chinese Hacktool Set - file look.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "e1a37f31170e812185cf00a838835ee59b8f64ba"
id = "910d1469-9173-5a7d-91ea-a50ee921f662"
strings:
$s1 = "<description>CHKen QQ:41901298</description>" fullword ascii
$s2 = "version=\"9.9.9.9\"" fullword ascii
$s3 = "name=\"CH.Ken.Tool\"" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 40KB and all of them
}
rule NtGodMode {
meta:
description = "Chinese Hacktool Set - file NtGodMode.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "8baac735e37523d28fdb6e736d03c67274f7db77"
id = "3de620bf-0405-536b-9f6d-3a7f02417b20"
strings:
$s0 = "to HOST!" fullword ascii
$s1 = "SS.EXE" fullword ascii
$s5 = "lstrlen0" fullword ascii
$s6 = "Virtual" fullword ascii /* Goodware String - occured 6 times */
$s19 = "RtlUnw" fullword ascii /* Goodware String - occured 1 times */
condition:
uint16(0) == 0x5a4d and filesize < 45KB and all of them
}
rule WebCrack4_RouterPasswordCracking {
meta:
description = "Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "00c68d1b1aa655dfd5bb693c13cdda9dbd34c638"
id = "e3d50ff8-e58d-5c60-9acd-25ba95a21f68"
strings:
$s0 = "http://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORD" fullword ascii
$s1 = "Username: \"%s\", Password: \"%s\", Remarks: \"%s\"" fullword ascii
$s14 = "user:\"%s\" pass: \"%s\" result=\"%s\"" fullword ascii
$s16 = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" fullword ascii
$s20 = "List count out of bounds (%d)+Operation not allowed on sorted string list%String" wide
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and 2 of them
}
rule hscan_gui {
meta:
description = "Chinese Hacktool Set - file hscan-gui.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "1885f0b7be87f51c304b39bc04b9423539825c69"
id = "27f9d2e9-0a62-57ca-9061-c32945c59c7e"
strings:
$s0 = "Hscan.EXE" fullword wide
$s1 = "RestTool.EXE" fullword ascii
$s3 = "Hscan Application " fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 550KB and all of them
}
rule S_MultiFunction_Scanners_s {
meta:
description = "Chinese Hacktool Set - file s.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "79b60ffa1c0f73b3c47e72118e0f600fcd86b355"
id = "7fb90a59-116d-5fa7-b85b-cbb1af660666"
strings:
$s0 = "C:\\WINDOWS\\temp\\pojie.exe /l=" fullword ascii
$s1 = "C:\\WINDOWS\\temp\\s.exe" fullword ascii
$s2 = "C:\\WINDOWS\\temp\\s.exe tcp " fullword ascii
$s3 = "explorer.exe http://www.hackdos.com" fullword ascii
$s4 = "C:\\WINDOWS\\temp\\pojie.exe" fullword ascii
$s5 = "Failed to read file or invalid data in file!" fullword ascii
$s6 = "www.hackdos.com" fullword ascii
$s7 = "WTNE / MADE BY E COMPILER - WUTAO " fullword ascii
$s11 = "The interface of kernel library is invalid!" fullword ascii
$s12 = "eventvwr" fullword ascii
$s13 = "Failed to decompress data!" fullword ascii
$s14 = "NOTEPAD.EXE result.txt" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 8000KB and 4 of them
}
rule HKTL_CN_Dos_GetPass {
meta:
description = "Chinese Hacktool Set - file GetPass.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2023-01-06"
old_rule_name = "Dos_GetPass"
hash = "d18d952b24110b83abd17e042f9deee679de6a1a"
id = "08635096-474c-5fdf-825e-6c7c8c8d4061"
strings:
$s0 = "GetLogonS" ascii
$s3 = "/showthread.php?t=156643" ascii
$s8 = "To Run As Administ" ascii
$s18 = "EnableDebugPrivileg" fullword ascii
$s19 = "sedebugnameValue" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 890KB and all of them
}
rule HKTL_CN_update_PcMain {
meta:
description = "Chinese Hacktool Set - file PcMain.dll"
author = "Florian Roth (Nextron Systems)"
score = 90
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2023-01-06"
old_rule_name = "update_PcMain"
hash = "aa68323aaec0269b0f7e697e69cce4d00a949caa"
id = "24c9ba6f-0772-59c9-8bea-3a8bf7823e4c"
strings:
$s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322" ascii
$s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
$s2 = "SOFTWARE\\Classes\\HTTP\\shell\\open\\command" fullword ascii
$s3 = "\\svchost.exe -k " ascii
$s4 = "SYSTEM\\ControlSet001\\Services\\%s" fullword ascii
$s9 = "Global\\%s-key-event" fullword ascii
$s10 = "%d%d.exe" fullword ascii
$s14 = "%d.exe" fullword ascii
$s15 = "Global\\%s-key-metux" fullword ascii
$s18 = "GET / HTTP/1.1" fullword ascii
$s19 = "\\Services\\" ascii
$s20 = "qy001id=%d;qy001guid=%s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and 4 of them
}
rule HKTL_CN_Dos_sys {
meta:
description = "Chinese Hacktool Set - file sys.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2023-01-06"
old_rule_name = "Dos_sys"
hash = "b5837047443f8bc62284a0045982aaae8bab6f18"
id = "c4b740f2-f4f8-59ff-ad1f-c06718040b50"
strings:
$s0 = "'SeDebugPrivilegeOpen " fullword ascii
$s6 = "Author: Cyg07*2" fullword ascii
$s12 = "from golds7n[LAG]'J" fullword ascii
$s14 = "DAMAGE" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
rule HKTL_CN_dat_xpf {
meta:
description = "Chinese Hacktool Set - file xpf.sys"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2023-01-06"
old_rule_name = "dat_xpf"
hash = "761125ab594f8dc996da4ce8ce50deba49c81846"
id = "fe2de535-4f86-5c29-b67e-153423a897f7"
strings:
$s1 = "UnHook IoGetDeviceObjectPointer ok!" fullword ascii
$s2 = "\\Device\\XScanPF" wide
$s3 = "\\DosDevices\\XScanPF" wide
condition:
uint16(0) == 0x5a4d and filesize < 25KB and all of them
}
rule HKTL_CN_Project1 {
meta:
description = "Chinese Hacktool Set - file Project1.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2023-01-06"
old_rule_name = "Project1"
hash = "d1a5e3b646a16a7fcccf03759bd0f96480111c96"
id = "12cc7a82-d7a9-58c6-b283-3bb0df477cd8"
strings:
$s1 = "EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'" fullword ascii
$s2 = "Password.txt" fullword ascii
$s3 = "LoginPrompt" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}
rule Arp_EMP_v1_0 {
meta:
description = "Chinese Hacktool Set - file Arp EMP v1.0.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "ae4954c142ad1552a2abaef5636c7ef68fdd99ee"
id = "b2552f26-47ac-5fa0-941e-d674f9deccac"
strings:
$s0 = "Arp EMP v1.0.exe" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
rule CN_Tools_MyUPnP {
meta:
description = "Chinese Hacktool Set - file MyUPnP.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "15b6fca7e42cd2800ba82c739552e7ffee967000"
id = "394e19d3-882e-5a7c-a3a0-e662bd67955c"
strings:
$s1 = "<description>BYTELINKER.COM</description>" fullword ascii
$s2 = "myupnp.exe" fullword ascii
$s3 = "LOADER ERROR" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1500KB and all of them
}
rule CN_Tools_Shiell {
meta:
description = "Chinese Hacktool Set - file Shiell.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "b432d80c37abe354d344b949c8730929d8f9817a"
id = "7ac7d79d-3f4e-54e7-bb97-ce94cbbb40a2"
strings:
$s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii
$s2 = "C:\\Windows\\System32\\Shiell.exe" fullword wide
$s3 = "Shift shell.exe" fullword wide
$s4 = "\" /v debugger /t REG_SZ /d \"" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1500KB and 2 of them
}
rule cndcom_cndcom {
meta:
description = "Chinese Hacktool Set - file cndcom.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "08bbe6312342b28b43201125bd8c518531de8082"
id = "b1acfe34-03b8-5909-a226-3325fe8629ab"
strings:
$s1 = "- Rewritten by HDM last <hdm [at] metasploit.com>" fullword ascii
$s2 = "- Usage: %s <Target ID> <Target IP>" fullword ascii
$s3 = "- Remote DCOM RPC Buffer Overflow Exploit" fullword ascii
$s4 = "- Warning:This Code is more like a dos tool!(Modify by pingker)" fullword ascii
$s5 = "Windows NT SP6 (Chinese)" fullword ascii
$s6 = "- Original code by FlashSky and Benjurry" fullword ascii
$s7 = "\\C$\\123456111111111111111.doc" wide
$s8 = "shell3all.c" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}
rule IsDebug_V1_4 {
meta:
description = "Chinese Hacktool Set - file IsDebug V1.4.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "ca32474c358b4402421ece1cb31714fbb088b69a"
id = "f9b4a909-e0e5-5708-8794-39250b9d56cc"
strings:
$s0 = "IsDebug.dll" fullword ascii
$s1 = "SV Dumper V1.0" fullword wide
$s2 = "(IsDebuggerPresent byte Patcher)" fullword ascii
$s8 = "Error WriteMemory failed" fullword ascii
$s9 = "IsDebugPresent" fullword ascii
$s10 = "idb_Autoload" fullword ascii
$s11 = "Bin Files" fullword ascii
$s12 = "MASM32 version" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 30KB and all of them
}
rule HTTPSCANNER {
meta:
description = "Chinese Hacktool Set - file HTTPSCANNER.EXE"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "ae2929346944c1ea3411a4562e9d5e2f765d088a"
id = "470c90f5-bb98-59ab-bff4-f6238c318e36"
strings:
$s1 = "HttpScanner.exe" fullword wide
$s2 = "HttpScanner" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 3500KB and all of them
}
rule HScan_v1_20_PipeCmd {
meta:
description = "Chinese Hacktool Set - file PipeCmd.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "64403ce63b28b544646a30da3be2f395788542d6"
id = "957a8e3b-5f6c-5f3e-8973-88259c9cb0dc"
strings:
$s1 = "%SystemRoot%\\system32\\PipeCmdSrv.exe" fullword ascii
$s2 = "PipeCmd.exe" fullword wide
$s3 = "Please Use NTCmd.exe Run This Program." fullword ascii
$s4 = "%s\\pipe\\%s%s%d" fullword ascii
$s5 = "\\\\.\\pipe\\%s%s%d" fullword ascii
$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
$s7 = "This is a service executable! Couldn't start directly." fullword ascii
$s8 = "Connecting to Remote Server ...Failed" fullword ascii
$s9 = "PIPECMDSRV" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 200KB and 4 of them
}
rule Dos_fp {
meta:
description = "Chinese Hacktool Set - file fp.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c"
id = "f4427aab-50c3-5bb9-997a-75e162a83f8a"
strings:
$s1 = "fpipe -l 53 -s 53 -r 80 192.168.1.101" fullword ascii
$s2 = "FPipe.exe" fullword wide
$s3 = "http://www.foundstone.com" fullword ascii
$s4 = "%s %s port %d. Address is already in use" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 65KB and all of them
}
rule Dos_netstat {
meta:
description = "Chinese Hacktool Set - file netstat.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "d0444b7bd936b5fc490b865a604e97c22d97e598"
id = "bc3141bf-4e82-5aa4-a8a6-a0a4586ee9a1"
strings:
$s0 = "w03a2409.dll" fullword ascii
$s1 = "Retransmission Timeout Algorithm = unknown (%1!u!)" fullword wide /* Goodware String - occured 2 times */
$s2 = "Administrative Status = %1!u!" fullword wide /* Goodware String - occured 2 times */
$s3 = "Packet Too Big %1!-10u! %2!-10u!" fullword wide /* Goodware String - occured 2 times */
condition:
uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
rule CN_Tools_xsniff {
meta:
description = "Chinese Hacktool Set - file xsniff.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "d61d7329ac74f66245a92c4505a327c85875c577"
id = "a0fdac88-a7b8-5d24-9012-2bfe7b07e675"
strings:
$s0 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
$s1 = "HOST: %s USER: %s, PASS: %s" fullword ascii
$s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
$s10 = "Code by glacier <glacier@xfocus.org>" fullword ascii
$s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}
rule MSSqlPass {
meta:
description = "Chinese Hacktool Set - file MSSqlPass.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "172b4e31ed15d1275ac07f3acbf499daf9a055d7"
id = "d45b417f-3649-5603-bd19-8b8bcc19dabc"
strings:
$s0 = "Reveals the passwords stored in the Registry by Enterprise Manager of SQL Server" wide
$s1 = "empv.exe" fullword wide
$s2 = "Enterprise Manager PassView" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 120KB and all of them
}
rule WSockExpert {
meta:
description = "Chinese Hacktool Set - file WSockExpert.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "2962bf7b0883ceda5e14b8dad86742f95b50f7bf"
id = "0ae115be-c516-5f4a-97ce-555d84f42947"
strings:
$s1 = "OpenProcessCmdExecute!" fullword ascii
$s2 = "http://www.hackp.com" fullword ascii
$s3 = "'%s' is not a valid time!'%s' is not a valid date and time" fullword wide
$s4 = "SaveSelectedFilterCmdExecute" fullword ascii
$s5 = "PasswordChar@" fullword ascii
$s6 = "WSockHook.DLL" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2500KB and 4 of them
}
rule Ms_Viru_racle {
meta:
description = "Chinese Hacktool Set - file racle.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "13116078fff5c87b56179c5438f008caf6c98ecb"
id = "bdc78dcc-79e6-5516-bba2-54bf537eae38"
strings:
$s0 = "PsInitialSystemProcess @%p" fullword ascii
$s1 = "PsLookupProcessByProcessId(%u) Failed" fullword ascii
$s2 = "PsLookupProcessByProcessId(%u) => %p" fullword ascii
$s3 = "FirstStage() Loaded, CurrentThread @%p Stack %p - %p" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 210KB and all of them
}
rule lamescan3 {
meta:
description = "Chinese Hacktool Set - file lamescan3.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "3130eefb79650dab2e323328b905e4d5d3a1d2f0"
id = "8ff1a0e6-d054-589d-a038-f889951ba250"
strings:
$s1 = "dic\\loginlist.txt" fullword ascii
$s2 = "Radmin.exe" fullword ascii
$s3 = "lamescan3.pdf!" fullword ascii
$s4 = "dic\\passlist.txt" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3740KB and all of them
}
rule CN_Tools_pc {
meta:
description = "Chinese Hacktool Set - file pc.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "5cf8caba170ec461c44394f4058669d225a94285"
id = "11cc6c46-33c0-5c53-88f8-700be9ca8add"
strings:
$s0 = "\\svchost.exe" ascii
$s2 = "%s%08x.001" fullword ascii
$s3 = "Qy001Service" fullword ascii
$s4 = "/.MIKY" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule Dos_Down64 {
meta:
description = "Chinese Hacktool Set - file Down64.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "43e455e43b49b953e17a5b885ffdcdf8b6b23226"
id = "b4907ede-dc6a-5b8c-bf1c-557df54191a4"
strings:
$s1 = "C:\\Windows\\Temp\\Down.txt" fullword wide
$s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide
$s3 = "C:\\Windows\\Temp\\" wide
$s4 = "ProcessXElement" fullword ascii
$s8 = "down.exe" fullword wide
$s20 = "set_Timer1" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
rule epathobj_exp32 {
meta:
description = "Chinese Hacktool Set - file epathobj_exp32.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2022-12-21"
hash = "ed86ff44bddcfdd630ade8ced39b4559316195ba"
id = "ca4639af-ee4f-5220-9595-e7a06b9a8534"
strings:
$s0 = "Watchdog thread %d waiting on Mutex" fullword ascii
$s1 = "Exploit ok run command" fullword ascii
$s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" ascii
$s3 = "Alllocated userspace PATHRECORD () %p" fullword ascii
$s4 = "Mutex object did not timeout, list not patched" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 270KB and all of them
}
rule Tools_unknown {
meta:
description = "Chinese Hacktool Set - file unknown.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "4be8270c4faa1827177e2310a00af2d5bcd2a59f"
id = "2cb75a84-506d-5b67-8b1f-b91beb5a99a3"
strings:
$s1 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
$s2 = "GET /ok.asp?id=1__sql__ HTTP/1.1" fullword ascii
$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
$s4 = "Failed to clear tab control Failed to delete tab at index %d\"Failed to retrieve" wide
$s5 = "Host: 127.0.0.1" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2500KB and 4 of them
}
rule PLUGIN_AJunk {
meta:
description = "Chinese Hacktool Set - file AJunk.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "eb430fcfe6d13b14ff6baa4b3f59817c0facec00"
id = "af92d01d-5e24-52f7-934a-0ad102fc7a93"
strings:
$s1 = "AJunk.dll" fullword ascii
$s2 = "AJunk.DLL" fullword wide
$s3 = "AJunk Dynamic Link Library" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 560KB and all of them
}
rule IISPutScanner {
meta:
description = "Chinese Hacktool Set - file IISPutScanner.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "9869c70d6a9ec2312c749aa17d4da362fa6e2592"
id = "699ee45d-c842-56eb-b55b-12a91e815a7b"
strings:
$s2 = "KERNEL32.DLL" fullword ascii
$s3 = "ADVAPI32.DLL" fullword ascii
$s4 = "VERSION.DLL" fullword ascii
$s5 = "WSOCK32.DLL" fullword ascii
$s6 = "COMCTL32.DLL" fullword ascii
$s7 = "GDI32.DLL" fullword ascii
$s8 = "SHELL32.DLL" fullword ascii
$s9 = "USER32.DLL" fullword ascii
$s10 = "OLEAUT32.DLL" fullword ascii
$s11 = "LoadLibraryA" fullword ascii
$s12 = "GetProcAddress" fullword ascii
$s13 = "VirtualProtect" fullword ascii
$s14 = "VirtualAlloc" fullword ascii
$s15 = "VirtualFree" fullword ascii
$s16 = "ExitProcess" fullword ascii
$s17 = "RegCloseKey" fullword ascii
$s18 = "GetFileVersionInfoA" fullword ascii
$s19 = "ImageList_Add" fullword ascii
$s20 = "BitBlt" fullword ascii
$s21 = "ShellExecuteA" fullword ascii
$s22 = "ActivateKeyboardLayout" fullword ascii
$s23 = "BBABORT" fullword wide
$s25 = "BBCANCEL" fullword wide
$s26 = "BBCLOSE" fullword wide
$s27 = "BBHELP" fullword wide
$s28 = "BBIGNORE" fullword wide
$s29 = "PREVIEWGLYPH" fullword wide
$s30 = "DLGTEMPLATE" fullword wide
$s31 = "TABOUTBOX" fullword wide
$s32 = "TFORM1" fullword wide
$s33 = "MAINICON" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 500KB and filesize > 350KB and all of them
}
rule IDTools_For_WinXP_IdtTool_2 {
meta:
description = "Chinese Hacktool Set - file IdtTool.sys"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "07feb31dd21d6f97614118b8a0adf231f8541a67"
id = "0312be49-c262-5143-abfc-02d428552b86"
strings:
$s0 = "\\Device\\devIdtTool" wide
$s1 = "IoDeleteSymbolicLink" fullword ascii /* Goodware String - occured 467 times */
$s3 = "IoDeleteDevice" fullword ascii /* Goodware String - occured 993 times */
$s6 = "IoCreateSymbolicLink" fullword ascii /* Goodware String - occured 467 times */
$s7 = "IoCreateDevice" fullword ascii /* Goodware String - occured 988 times */
condition:
uint16(0) == 0x5a4d and filesize < 7KB and all of them
}
rule hkmjjiis6 {
meta:
description = "Chinese Hacktool Set - file hkmjjiis6.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "4cbc6344c6712fa819683a4bd7b53f78ea4047d7"
id = "9618c6ec-1557-5b1b-bebc-1c220bb3aba4"
strings:
$s1 = "comspec" fullword ascii
$s2 = "user32.dlly" ascii
$s3 = "runtime error" ascii
$s4 = "WinSta0\\Defau" ascii
$s5 = "AppIDFlags" fullword ascii
$s6 = "GetLag" fullword ascii
$s7 = "* FROM IIsWebInfo" ascii
$s8 = "wmiprvse.exe" ascii
$s9 = "LookupAcc" ascii
condition:
uint16(0) == 0x5a4d and filesize < 70KB and all of them
}
rule Dos_lcx {
meta:
description = "Chinese Hacktool Set - file lcx.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "b6ad5dd13592160d9f052bb47b0d6a87b80a406d"
id = "2f443673-bfed-5ce3-a0e6-6b59f27c9658"
strings:
$s0 = "c:\\Users\\careful_snow\\" ascii
$s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii
$s3 = "[SERVER]connection to %s:%d error" fullword ascii
$s4 = "-tran <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s6 = "=========== Code by lion & bkbll, Welcome to [url]http://www.cnhonker.com[/url] " ascii
$s7 = "[-] There is a error...Create a new connection." fullword ascii
$s8 = "[+] Accept a Client on port %d from %s" fullword ascii
$s11 = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii
$s13 = "[+] Make a Connection to %s:%d...." fullword ascii
$s16 = "-listen <ConnectPort> <TransmitPort>" fullword ascii
$s17 = "[+] Waiting another Client on port:%d...." fullword ascii
$s18 = "[+] Accept a Client on port %d from %s ......" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}
rule x_way2_5_X_way {
meta:
description = "Chinese Hacktool Set - file X-way.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "8ba8530fbda3e8342e8d4feabbf98c66a322dac6"
id = "8e878671-2a7c-5c6e-a905-05d303f42e0f"
strings:
$s0 = "TTFTPSERVERFRM" fullword wide
$s1 = "TPORTSCANSETFRM" fullword wide
$s2 = "TIISSHELLFRM" fullword wide
$s3 = "TADVSCANSETFRM" fullword wide
$s4 = "ntwdblib.dll" fullword ascii
$s5 = "TSNIFFERFRM" fullword wide
$s6 = "TCRACKSETFRM" fullword wide
$s7 = "TCRACKFRM" fullword wide
$s8 = "dbnextrow" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them
}
rule tools_Sqlcmd {
meta:
description = "Chinese Hacktool Set - file Sqlcmd.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "99d56476e539750c599f76391d717c51c4955a33"
id = "26e29826-d4bb-55d0-9331-a91e4473daca"
strings:
$s0 = "[Usage]: %s <HostName|IP> <UserName> <Password>" fullword ascii
$s1 = "=============By uhhuhy(Feb 18,2003) - http://www.cnhonker.net=============" fullword ascii /* PEStudio Blacklist: os */
$s4 = "Cool! Connected to SQL server on %s successfully!" fullword ascii
$s5 = "EXEC master..xp_cmdshell \"%s\"" fullword ascii
$s6 = "=======================Sqlcmd v0.21 For HScan v1.20=======================" fullword ascii
$s10 = "Error,exit!" fullword ascii
$s11 = "Sqlcmd>" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 40KB and 3 of them
}
rule Sword1_5 {
meta:
description = "Chinese Hacktool Set - file Sword1.5.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "96ee5c98e982aa8ed92cb4cedb85c7fda873740f"
id = "dff8666a-0373-5605-9012-92b2b3ec71ea"
strings:
$s3 = "http://www.ip138.com/ip2city.asp" fullword wide
$s4 = "http://www.md5decrypter.co.uk/feed/api.aspx?" fullword wide
$s6 = "ListBox_Command" fullword wide
$s13 = "md=7fef6171469e80d32c0559f88b377245&submit=MD5+Crack" fullword wide
$s18 = "\\Set.ini" wide
$s19 = "OpenFileDialog1" fullword wide
$s20 = " (*.txt)|*.txt" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and 4 of them
}
rule Tools_scan {
meta:
description = "Chinese Hacktool Set - file scan.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "c580a0cc41997e840d2c0f83962e7f8b636a5a13"
id = "4601d4d0-2b7e-5937-87b6-df80ab373752"
strings:
$s2 = "Shanlu Studio" fullword wide
$s3 = "_AutoAttackMain" fullword ascii
$s4 = "_frmIpToAddr" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
rule Dos_c {
meta:
description = "Chinese Hacktool Set - file c.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "3deb6bd52fdac6d5a3e9a91c585d67820ab4df78"
id = "2e8319de-fe54-5083-968c-4707d127f072"
strings:
$s0 = "!Win32 .EXE." fullword ascii
$s1 = ".MPRESS1" fullword ascii
$s2 = ".MPRESS2" fullword ascii
$s3 = "XOLEHLP.dll" fullword ascii
$s4 = "</body></html>" fullword ascii
$s8 = "DtcGetTransactionManagerExA" fullword ascii /* Goodware String - occured 12 times */
$s9 = "GetUserNameA" fullword ascii /* Goodware String - occured 305 times */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
rule arpsniffer {
meta:
description = "Chinese Hacktool Set - file arpsniffer.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "7d8753f56fc48413fc68102cff34b6583cb0066c"
id = "78db3b18-008a-5a4e-9504-0cbe3b852046"
strings:
$s1 = "SHELL" ascii
$s2 = "PacketSendPacket" fullword ascii
$s3 = "ArpSniff" ascii
$s4 = "pcap_loop" fullword ascii /* Goodware String - occured 3 times */
$s5 = "packet.dll" fullword ascii /* Goodware String - occured 4 times */
condition:
uint16(0) == 0x5a4d and filesize < 120KB and all of them
}
rule pw_inspector_2 {
meta:
description = "Chinese Hacktool Set - file pw-inspector.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "e0a1117ee4a29bb4cf43e3a80fb9eaa63bb377bf"
id = "795c7009-93a8-57c4-8554-f0ed5c1d50f8"
strings:
$s1 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii
$s2 = "Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p " ascii
$s3 = "PW-Inspector" fullword ascii
$s4 = "i:o:m:M:c:lunps" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}
rule datPcShare {
meta:
description = "Chinese Hacktool Set - file datPcShare.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "87acb649ab0d33c62e27ea83241caa43144fc1c4"
id = "1bf44c0d-6aa7-5486-baee-c17d3e82403f"
strings:
$s1 = "PcShare.EXE" fullword wide
$s2 = "MZKERNEL32.DLL" fullword ascii
$s3 = "PcShare" fullword wide
$s4 = "QQ:4564405" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them
}
rule Tools_xport {
meta:
description = "Chinese Hacktool Set - file xport.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "9584de562e7f8185f721e94ee3cceac60db26dda"
id = "3223fe5b-6135-5530-a5eb-10c44f3f6277"
strings:
$s1 = "Match operate system failed, 0x%00004X:%u:%d(Window:TTL:DF)" fullword ascii
$s2 = "Example: xport www.xxx.com 80 -m syn" fullword ascii
$s3 = "%s - command line port scanner" fullword ascii
$s4 = "xport 192.168.1.1 1-1024 -t 200 -v" fullword ascii
$s5 = "Usage: xport <Host> <Ports Scope> [Options]" fullword ascii
$s6 = ".\\port.ini" fullword ascii
$s7 = "Port scan complete, total %d port, %d port is opened, use %d ms." fullword ascii
$s8 = "Code by glacier <glacier@xfocus.org>" fullword ascii
$s9 = "http://www.xfocus.org" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}
rule Pc_xai {
meta:
description = "Chinese Hacktool Set - file xai.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "f285a59fd931ce137c08bd1f0dae858cc2486491"
id = "dcf1b57b-3616-5198-bd57-18505fee91ae"
strings:
$s1 = "Powered by CoolDiyer @ C.Rufus Security Team 05/19/2008 http://www.xcodez.com/" fullword wide
$s2 = "%SystemRoot%\\System32\\" ascii
$s3 = "%APPDATA%\\" ascii
$s4 = "---- C.Rufus Security Team ----" fullword wide
$s5 = "www.snzzkz.com" fullword wide
$s6 = "%CommonProgramFiles%\\" ascii
$s7 = "GetRand.dll" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
rule Radmin_Hash {
meta:
description = "Chinese Hacktool Set - file Radmin_Hash.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "be407bd5bf5bcd51d38d1308e17a1731cd52f66b"
id = "07761e81-15b4-5639-b766-8dc3f16e2b7a"
strings:
$s1 = "<description>IEBars</description>" fullword ascii
$s2 = "PECompact2" fullword ascii
$s3 = "Radmin, Remote Administrator" fullword wide
$s4 = "Radmin 3.0 Hash " fullword wide
$s5 = "HASH1.0" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 600KB and all of them
}
rule OSEditor {
meta:
description = "Chinese Hacktool Set - file OSEditor.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "6773c3c6575cf9cfedbb772f3476bb999d09403d"
id = "b308852c-3436-5748-9ba6-82d4c3c5fc14"
strings:
$s1 = "OSEditor.exe" fullword wide
$s2 = "netsafe" wide
$s3 = "OSC Editor" fullword wide
$s4 = "GIF89" ascii
$s5 = "Unlock" ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
rule GoodToolset_ms11011 {
meta:
description = "Chinese Hacktool Set - file ms11011.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "5ad7a4962acbb6b0e3b73d77385eb91feb88b386"
id = "689b7ea3-6707-5f99-8232-438d903d414d"
strings:
$s0 = "\\i386\\Hello.pdb" ascii
$s1 = "OS not supported." fullword ascii
$s3 = "Not supported." fullword wide /* Goodware String - occured 3 times */
$s4 = "SystemDefaultEUDCFont" fullword wide /* Goodware String - occured 18 times */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
rule FreeVersion_release {
meta:
description = "Chinese Hacktool Set - file release.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "f42e4b5748e92f7a450eb49fc89d6859f4afcebb"
id = "1a603634-a00a-5f8b-a47d-c3c8065a5c3e"
strings:
$s1 = "-->Got WMI process Pid: %d " ascii
$s2 = "This exploit will execute \"net user " ascii
$s3 = "net user temp 123456 /add & net localgroup administrators temp /add" fullword ascii
$s4 = "Running reverse shell" ascii
$s5 = "wmiprvse.exe" fullword ascii
$s6 = "SELECT * FROM IIsWebInfo" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 3 of them
}
rule churrasco {
meta:
description = "Chinese Hacktool Set - file churrasco.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "a8d4c177948a8e60d63de9d0ed948c50d0151364"
id = "99cb5a7a-85c1-57f5-b5b6-f0b1092e1e06"
strings:
$s1 = "Done, command should have ran as SYSTEM!" ascii
$s2 = "Running command with SYSTEM Token..." ascii
$s3 = "Thread impersonating, got NETWORK SERVICE Token: 0x%x" ascii
$s4 = "Found SYSTEM token 0x%x" ascii
$s5 = "Thread not impersonating, looking for another thread..." ascii
condition:
uint16(0) == 0x5a4d and filesize < 150KB and 2 of them
}
rule x64_KiwiCmd {
meta:
description = "Chinese Hacktool Set - file KiwiCmd.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86"
id = "df759fd4-5d42-5dd9-81d0-ceccafcdd64d"
strings:
$s1 = "Process Ok, Memory Ok, resuming process :)" fullword wide
$s2 = "Kiwi Cmd no-gpo" fullword wide
$s3 = "KiwiAndCMD" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and 2 of them
}
rule sql1433_SQL {
meta:
description = "Chinese Hacktool Set - file SQL.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "025e87deadd1c50b1021c26cb67b76b476fafd64"
id = "fb4c5958-2e4e-5231-b0db-eca6bc3d823a"
strings:
/* WIDE: ProductName 1433 */
$s0 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 31 00 34 00 33 00 33 }
/* WIDE: ProductVersion 1,4,3,3 */
$s1 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 2C 00 34 00 2C 00 33 00 2C 00 33 }
condition:
uint16(0) == 0x5a4d and filesize < 90KB and all of them
}
rule CookieTools2 {
meta:
description = "Chinese Hacktool Set - file CookieTools2.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "cb67797f229fdb92360319e01277e1345305eb82"
id = "f227ba4b-9cad-5aac-99ab-46a8237249d4"
strings:
$s1 = "www.gxgl.com&www.gxgl.net" fullword wide
$s2 = "ip.asp?IP=" fullword ascii
$s3 = "MSIE 5.5;" fullword ascii
$s4 = "SOFTWARE\\Borland\\" ascii
condition:
uint16(0) == 0x5a4d and filesize < 700KB and all of them
}
rule cyclotron {
meta:
description = "Chinese Hacktool Set - file cyclotron.sys"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "5b63473b6dc1e5942bf07c52c31ba28f2702b246"
id = "7099462b-2a72-56cd-8a50-27cd445eb9d2"
strings:
$s1 = "\\Device\\IDTProt" wide
$s2 = "IoDeleteSymbolicLink" fullword ascii /* Goodware String - occured 467 times */
$s3 = "\\??\\slIDTProt" wide
$s4 = "IoDeleteDevice" fullword ascii /* Goodware String - occured 993 times */
$s5 = "IoCreateSymbolicLink" fullword ascii /* Goodware String - occured 467 times */
condition:
uint16(0) == 0x5a4d and filesize < 3KB and all of them
}
rule xscan_gui {
meta:
description = "Chinese Hacktool Set - file xscan_gui.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "a9e900510396192eb2ba4fb7b0ef786513f9b5ab"
id = "fee11058-e75f-5d8f-8d10-06dcaed99df1"
strings:
$s1 = "%s -mutex %s -host %s -index %d -config \"%s\"" fullword ascii
$s2 = "www.target.com" fullword ascii
$s3 = "%s\\scripts\\desc\\%s.desc" fullword ascii
$s4 = "%c Active/Maximum host thread: %d/%d, Current/Maximum thread: %d/%d, Time(s): %l" ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
rule CN_Tools_hscan {
meta:
description = "Chinese Hacktool Set - file hscan.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
id = "82d9cd61-8cef-56b4-8dfe-a28edaa781b8"
strings:
$s1 = "%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000" fullword ascii
$s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20" fullword ascii
$s3 = "%s -h www.target.com -all" fullword ascii
$s4 = ".\\report\\%s-%s.html" fullword ascii
$s5 = ".\\log\\Hscan.log" fullword ascii
$s6 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
$s7 = "%s@ftpscan#FTP Account: %s/[null]" fullword ascii
$s8 = ".\\conf\\mysql_pass.dic" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule GoodToolset_pr {
meta:
description = "Chinese Hacktool Set - file pr.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "f6676daf3292cff59ef15ed109c2d408369e8ac8"
id = "d00e1873-f2a5-5e89-9223-ead418e2667c"
strings:
$s1 = "-->Got WMI process Pid: %d " ascii
$s2 = "-->This exploit gives you a Local System shell " ascii
$s3 = "wmiprvse.exe" fullword ascii
$s4 = "Try the first %d time" fullword ascii
$s5 = "-->Build&&Change By p " ascii
$s6 = "root\\MicrosoftIISv2" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
rule hydra_7_4_1_hydra {
meta:
description = "Chinese Hacktool Set - file hydra.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "3411d0380a1c1ebf58a454765f94d4f1dd714b5b"
id = "cf692bea-091d-5be0-a012-caba01e96dde"
strings:
$s1 = "%d of %d target%s%scompleted, %lu valid password%s found" fullword ascii
$s2 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" fullword ascii
$s3 = "hydra -P pass.txt target cisco-enable (direct console access)" fullword ascii
$s4 = "[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED" fullword ascii
$s5 = "[ERROR] SMTP LOGIN AUTH, either this auth is disabled" fullword ascii
$s6 = "\"/login.php:user=^USER^&pass=^PASS^&mid=123:incorrect\"" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}
rule CN_Tools_srss_2 {
meta:
description = "Chinese Hacktool Set - file srss.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "c418b30d004051bbf1b2d3be426936b95b5fea6f"
id = "3a84fa58-ccd0-5cf0-b1e0-a8f2ca04fd3f"
strings:
$x1 = "used pepack!" fullword ascii
$s1 = "KERNEL32.dll" fullword ascii
$s2 = "KERNEL32.DLL" fullword ascii
$s3 = "LoadLibraryA" fullword ascii
$s4 = "GetProcAddress" fullword ascii
$s5 = "VirtualProtect" fullword ascii
$s6 = "VirtualAlloc" fullword ascii
$s7 = "VirtualFree" fullword ascii
$s8 = "ExitProcess" fullword ascii
condition:
uint16(0) == 0x5a4d and ( $x1 at 0 ) and filesize < 14KB and all of ($s*)
}
rule Dos_NtGod {
meta:
description = "Chinese Hacktool Set - file NtGod.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "adefd901d6bbd8437116f0170b9c28a76d4a87bf"
id = "c2f0733d-5519-5cb8-b077-0ae8472400b4"
strings:
$s0 = "\\temp\\NtGodMode.exe" ascii
$s4 = "NtGodMode.exe" fullword ascii
$s10 = "ntgod.bat" fullword ascii
$s19 = "sfxcmd" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 250KB and all of them
}
rule CN_Tools_VNCLink {
meta:
description = "Chinese Hacktool Set - file VNCLink.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "cafb531822cbc0cfebbea864489eebba48081aa1"
id = "270dc14c-ac8f-58c2-b4ac-c10981e20a07"
strings:
$s1 = "C:\\temp\\vncviewer4.log" fullword ascii
$s2 = "[BL4CK] Patched by redsand || http://blacksecurity.org" fullword ascii
$s3 = "fake release extendedVkey 0x%x, keysym 0x%x" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 580KB and 2 of them
}
rule tools_NTCmd {
meta:
description = "Chinese Hacktool Set - file NTCmd.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "a3ae8659b9a673aa346a60844208b371f7c05e3c"
id = "db3f28d6-dfe8-5c79-a11b-e31701e250d7"
strings:
$s1 = "pipecmd \\\\%s -U:%s -P:\"\" %s" fullword ascii
$s2 = "[Usage]: %s <HostName|IP> <Username> <Password>" fullword ascii
$s3 = "pipecmd \\\\%s -U:%s -P:%s %s" fullword ascii
$s4 = "============By uhhuhy (Feb 18,2003) - http://www.cnhonker.net============" fullword ascii /* PEStudio Blacklist: os */
$s5 = "=======================NTcmd v0.11 for HScan v1.20=======================" fullword ascii
$s6 = "NTcmd>" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 80KB and 2 of them
}
rule mysql_pwd_crack {
meta:
description = "Chinese Hacktool Set - file mysql_pwd_crack.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "57d1cb4d404688804a8c3755b464a6e6248d1c73"
id = "3ddeb1c7-e124-5e9e-abcf-3856e0561165"
strings:
$s1 = "mysql_pwd_crack 127.0.0.1 -x 3306 -p root -d userdict.txt" fullword ascii
$s2 = "Successfully --> username %s password %s " fullword ascii
$s3 = "zhouzhen@gmail.com http://zhouzhen.eviloctal.org" fullword ascii
$s4 = "-a automode automatic crack the mysql password " fullword ascii
$s5 = "mysql_pwd_crack 127.0.0.1 -x 3306 -a" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}
rule CmdShell64 {
meta:
description = "Chinese Hacktool Set - file CmdShell64.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "5b92510475d95ae5e7cd6ec4c89852e8af34acf1"
id = "f4d69be7-f717-53f7-873e-86acbb309106"
strings:
$s1 = "C:\\Windows\\System32\\JAVASYS.EXE" fullword wide
$s2 = "ServiceCmdShell" fullword ascii
$s3 = "<!-- If your application is designed to work with Windows 8.1, uncomment the fol" ascii
$s4 = "ServiceSystemShell" fullword wide
$s5 = "[Root@CmdShell ~]#" fullword wide
$s6 = "Hello Man 2015 !" fullword wide
$s7 = "CmdShell" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 30KB and 4 of them
}
rule Ms_Viru_v {
meta:
description = "Chinese Hacktool Set - file v.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "ecf4ba6d1344f2f3114d52859addee8b0770ed0d"
id = "88a01e7a-8210-5e0c-a9b8-b7c9b991e16b"
strings:
$s1 = "c:\\windows\\system32\\command.com /c " fullword ascii
$s2 = "Easy Usage Version -- Edited By: racle@tian6.com" fullword ascii
$s3 = "OH,Sry.Too long command." fullword ascii
$s4 = "Success! Commander." fullword ascii
$s5 = "Hey,how can racle work without ur command ?" fullword ascii
$s6 = "The exploit thread was unable to map the virtual 8086 address space" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 3 of them
}
rule CN_Tools_Vscan {
meta:
description = "Chinese Hacktool Set - file Vscan.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "0365fe05e2de0f327dfaa8cd0d988dbb7b379612"
id = "2d73d9c9-62cd-592f-a44e-0a0456c85a3c"
strings:
$s1 = "[+] Usage: VNC_bypauth <target> <scantype> <option>" fullword ascii
$s2 = "========RealVNC <= 4.1.1 Bypass Authentication Scanner=======" fullword ascii
$s3 = "[+] Type VNC_bypauth <target>,<scantype> or <option> for more informations" fullword ascii
$s4 = "VNC_bypauth -i 192.168.0.1,192.168.0.2,192.168.0.3,..." fullword ascii
$s5 = "-vn:%-15s:%-7d connection closed" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 60KB and 2 of them
}
rule Dos_iis {
meta:
description = "Chinese Hacktool Set - file iis.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "61ffd2cbec5462766c6f1c44bd44eeaed4f3d2c7"
id = "8813b7a2-0d44-5f26-80ab-0f493c09a027"
strings:
$s1 = "comspec" fullword ascii
$s2 = "program terming" fullword ascii
$s3 = "WinSta0\\Defau" fullword ascii
$s4 = "* FROM IIsWebInfo" ascii
$s5 = "www.icehack." ascii
$s6 = "wmiprvse.exe" fullword ascii
$s7 = "Pid: %d" ascii
condition:
uint16(0) == 0x5a4d and filesize < 70KB and all of them
}
rule IISPutScannesr {
meta:
description = "Chinese Hacktool Set - file IISPutScannesr.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "2dd8fee20df47fd4eed5a354817ce837752f6ae9"
id = "c5d358e8-955f-5b96-89e7-eb0b6c4d0af0"
strings:
$s1 = "yoda & M.o.D." ascii
$s2 = "-> come.to/f2f **************" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them
}
rule HKTL_Unknown_CN_Generate {
meta:
description = "Chinese Hacktool Set - file Generate.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2022-01-20" /* fixed typo in rule name */
hash = "2cb4c3916271868c30c7b4598da697f59e9c7a12"
id = "88ad2c71-519f-58b0-87f8-a6f54a54a774"
strings:
$s1 = "C:\\TEMP\\" ascii
$s2 = "Connection Closed Gracefully.;Could not bind socket. Address and port are alread" wide
$s3 = "$530 Please login with USER and PASS." fullword ascii
$s4 = "_Shell.exe" fullword ascii
$s5 = "ftpcWaitingPassword" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and 3 of them
}
rule Pc_rejoice {
meta:
description = "Chinese Hacktool Set - file rejoice.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "fe634a9f5d48d5c64c8f8bfd59ac7d8965d8f372"
id = "197b5a21-e1ed-5ea8-b7f2-e84684aedc54"
strings:
$s1 = "@members.3322.net/dyndns/update?system=dyndns&hostname=" fullword ascii
$s2 = "http://www.xxx.com/xxx.exe" fullword ascii
$s3 = "@ddns.oray.com/ph/update?hostname=" fullword ascii
$s4 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide
$s5 = "ListViewProcessListColumnClick!" fullword ascii
$s6 = "http://iframe.ip138.com/ic.asp" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and 3 of them
}
rule ms11080_withcmd {
meta:
description = "Chinese Hacktool Set - file ms11080_withcmd.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2022-12-21"
hash = "745e5058acff27b09cfd6169caf6e45097881a49"
id = "fa5002ac-d6e6-543f-8020-43dfae689b3b"
strings:
$s1 = "Usage : ms11-080.exe cmd.exe Command " fullword ascii
$s2 = "\\ms11080\\ms11080\\Debug\\ms11080.pdb" ascii
$s3 = "[>] by:Mer4en7y@90sec.org" fullword ascii
$s4 = "[>] create porcess error" fullword ascii
$s5 = "[>] ms11-080 Exploit" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and 1 of them
}
rule OtherTools_xiaoa {
meta:
description = "Chinese Hacktool Set - file xiaoa.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "6988acb738e78d582e3614f83993628cf92ae26d"
id = "a456d373-2063-5264-8cf4-d0a5918392fc"
strings:
$s1 = "Usage:system_exp.exe \"cmd\"" fullword ascii
$s2 = "The shell \"cmd\" success!" fullword ascii
$s3 = "Not Windows NT family OS." fullword ascii /* PEStudio Blacklist: os */
$s4 = "Unable to get kernel base address." fullword ascii
$s5 = "run \"%s\" failed,code: %d" fullword ascii
$s6 = "Windows Kernel Local Privilege Exploit " fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 2 of them
}
rule unknown2 {
meta:
description = "Chinese Hacktool Set - file unknown2.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "32508d75c3d95e045ddc82cb829281a288bd5aa3"
id = "af7ddcbf-1cba-51a9-b435-9a267320f502"
strings:
$s1 = "http://md5.com.cn/index.php/md5reverse/index/md/" wide
$s2 = "http://www.md5decrypter.co.uk/feed/api.aspx?" wide
$s3 = "http://www.md5.com.cn" fullword wide
$s4 = "1.5.exe" fullword wide
$s5 = "\\Set.ini" wide
$s6 = "OpenFileDialog1" fullword wide
$s7 = " (*.txt)|*.txt" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 300KB and 4 of them
}
rule hydra_7_3_hydra {
meta:
description = "Chinese Hacktool Set - file hydra.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "2f82b8bf1159e43427880d70bcd116dc9e8026ad"
id = "70e9a5bf-ce2d-58ab-8bdc-257e2aa5e917"
strings:
$s1 = "[ATTEMPT-ERROR] target %s - login \"%s\" - pass \"%s\" - child %d - %lu of %lu" fullword ascii
$s2 = "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICE" ascii
$s3 = "cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com" fullword ascii
$s4 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" fullword ascii
$s5 = "hydra -P pass.txt target cisco-enable (direct console access)" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 700KB and 1 of them
}
rule OracleScan {
meta:
description = "Chinese Hacktool Set - file OracleScan.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "10ff7faf72fe6da8f05526367b3522a2408999ec"
id = "142c0ed1-0752-54c3-9a4b-68e656c32939"
strings:
$s1 = "MYBLOG:HTTP://HI.BAIDU.COM/0X24Q" fullword ascii
$s2 = "\\Borland\\Delphi\\RTL" ascii
$s3 = "USER_NAME" ascii
$s4 = "FROMWWHERE" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule SQLTools {
meta:
description = "Chinese Hacktool Set - file SQLTools.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "38a9caa2079afa2c8d7327e7762f7ed9a69056f7"
id = "bddb7956-abc1-58b6-8a6d-eb482be99f42"
strings:
$s1 = "DBN_POST" fullword wide
$s2 = "LOADER ERROR" fullword ascii
$s3 = "www.1285.net" fullword wide
$s4 = "TUPFILEFORM" fullword wide
$s5 = "DBN_DELETE" fullword wide
$s6 = "DBINSERT" fullword wide
$s7 = "Copyright (C) Kibosoft Corp. 2001-2006" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 2350KB and all of them
}
rule HKTL_Portscanner_533_NET_Jun15 {
meta:
description = "Chinese Hacktool Set - file portscanner.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
old_rule_name = "portscanner"
date = "2015-06-13"
hash = "1de367d503fdaaeee30e8ad7c100dd1e320858a4"
id = "c834203d-6d4d-5242-9b1e-b64fa6560ccd"
strings:
$s0 = "PortListfNo" fullword ascii
$s1 = ".533.net" fullword ascii
$s2 = "CRTDLL.DLL" fullword ascii
$s3 = "exitfc" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 25KB and all of them
}
rule kappfree {
meta:
description = "Chinese Hacktool Set - file kappfree.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "e57e79f190f8a24ca911e6c7e008743480c08553"
id = "eb9c1324-5d82-57ab-bd48-98c984b45b32"
strings:
$s1 = "Bienvenue dans un processus distant" fullword wide
$s2 = "kappfree.dll" fullword ascii
$s3 = "kappfree de mimikatz pour Windows (anti AppLocker)" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
rule Smartniff {
meta:
description = "Chinese Hacktool Set - file Smartniff.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "67609f21d54a57955d8fe6d48bc471f328748d0a"
id = "3d169126-1b43-5545-a106-7c38a6a49499"
strings:
$s1 = "smsniff.exe" fullword wide
$s2 = "support@nirsoft.net0" fullword ascii
$s3 = "</requestedPrivileges></security></trustInfo></assembly>" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
rule ChinaChopper_caidao {
meta:
description = "Chinese Hacktool Set - file caidao.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "056a60ec1f6a8959bfc43254d97527b003ae5edb"
id = "c56eb3e5-e916-535b-bf87-88a9ae94c359"
strings:
$s1 = "Pass,Config,n{)" fullword ascii
$s2 = "phMYSQLZ" fullword ascii
$s3 = "\\DHLP\\." ascii
$s4 = "\\dhlp\\." ascii
$s5 = "SHAutoComple" fullword ascii
$s6 = "MainFrame" ascii
condition:
uint16(0) == 0x5a4d and filesize < 1077KB and all of them
}
rule KiwiTaskmgr_2 {
meta:
description = "Chinese Hacktool Set - file KiwiTaskmgr.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16"
id = "ea021257-8ced-5131-a00a-be014b4112fb"
strings:
$s1 = "Process Ok, Memory Ok, resuming process :)" fullword wide
$s2 = "Kiwi Taskmgr no-gpo" fullword wide
$s3 = "KiwiAndTaskMgr" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule kappfree_2 {
meta:
description = "Chinese Hacktool Set - file kappfree.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "5d578df9a71670aa832d1cd63379e6162564fb6b"
id = "6c7b4a99-b5ab-5fd6-b130-7c30b84b7171"
strings:
$s1 = "kappfree.dll" fullword ascii
$s2 = "kappfree de mimikatz pour Windows (anti AppLocker)" fullword wide
$s3 = "' introuvable !" fullword wide
$s4 = "kiwi\\mimikatz" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
rule x_way2_5_sqlcmd {
meta:
description = "Chinese Hacktool Set - file sqlcmd.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "5152a57e3638418b0d97a42db1c0fc2f893a2794"
id = "c6b4dae2-38cb-5cf9-b980-df5ebefbe7ad"
strings:
$s1 = "LOADER ERROR" fullword ascii
$s2 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
$s3 = "The ordinal %u could not be located in the dynamic link library %s" fullword ascii
$s4 = "kernel32.dll" fullword ascii
$s5 = "VirtualAlloc" fullword ascii
$s6 = "VirtualFree" fullword ascii
$s7 = "VirtualProtect" fullword ascii
$s8 = "ExitProcess" fullword ascii
$s9 = "user32.dll" fullword ascii
$s16 = "MessageBoxA" fullword ascii
$s10 = "wsprintfA" fullword ascii
$s11 = "kernel32.dll" fullword ascii
$s12 = "GetProcAddress" fullword ascii
$s13 = "GetModuleHandleA" fullword ascii
$s14 = "LoadLibraryA" fullword ascii
$s15 = "odbc32.dll" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 23KB and filesize > 20KB and all of them
}
rule Win32_klock {
meta:
description = "Chinese Hacktool Set - file klock.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "7addce4434670927c4efaa560524680ba2871d17"
id = "dd17a8e2-54af-5967-937a-d83feceab891"
strings:
$s1 = "klock.dll" fullword ascii
$s2 = "Erreur : impossible de basculer le bureau ; SwitchDesktop : " fullword wide
$s3 = "klock de mimikatz pour Windows" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 250KB and all of them
}
rule ipsearcher {
meta:
description = "Chinese Hacktool Set - file ipsearcher.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2022-12-21"
hash = "1e96e9c5c56fcbea94d26ce0b3f1548b224a4791"
id = "bb33535a-e8cc-545d-bee8-3c31902eedb9"
strings:
$s0 = "http://www.wzpg.com" fullword ascii
$s1 = "ipsearcher\\ipsearcher\\Release\\ipsearcher.pdb" ascii
$s3 = "_GetAddress" fullword ascii
$s5 = "ipsearcher.dll" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 140KB and all of them
}
rule ms10048_x64 {
meta:
description = "Chinese Hacktool Set - file ms10048-x64.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "418bec3493c85e3490e400ecaff5a7760c17a0d0"
id = "8c9bcf72-1bc7-57ed-9e0b-09d113a8c704"
strings:
$s1 = "The target is most likely patched." fullword ascii
$s2 = "Dojibiron by Ronald Huizer, (c) master#h4cker.us " fullword ascii
$s3 = "[ ] Creating evil window" fullword ascii
$s4 = "[+] Set to %d exploit half succeeded" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 40KB and 1 of them
}
rule hscangui {
meta:
description = "Chinese Hacktool Set - file hscangui.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "af8aced0a78e1181f4c307c78402481a589f8d07"
id = "f0993510-70ee-52c6-a7b8-e023eb4b33ee"
strings:
$s1 = "[%s]: Found \"FTP account: anyone/anyone@any.net\" !!!" fullword ascii
$s2 = "http://www.cnhonker.com" fullword ascii
$s3 = "%s@ftpscan#Cracked account: %s/%s" fullword ascii
$s4 = "[%s]: Found \"FTP account: %s/%s\" !!!" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}
rule GoodToolset_ms11080 {
meta:
description = "Chinese Hacktool Set - file ms11080.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2022-12-21"
hash = "f0854c49eddf807f3a7381d3b20f9af4a3024e9f"
id = "080e04a3-5cbe-57a8-9106-539451922cb4"
strings:
$s1 = "[*] command add user 90sec 90sec" fullword ascii
$s2 = "\\ms11080\\Debug\\ms11080.pdb" ascii
$s3 = "[>] by:Mer4en7y@90sec.org" fullword ascii
$s4 = "[*] Add to Administrators success" fullword ascii
$s5 = "[*] User has been successfully added" fullword ascii
$s6 = "[>] ms11-08 Exploit" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}
rule epathobj_exp64 {
meta:
description = "Chinese Hacktool Set - file epathobj_exp64.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
modified = "2022-12-21"
hash = "09195ba4e25ccce35c188657957c0f2c6a61d083"
id = "cb56bbdc-8afa-5b4b-b7df-942dd3d60366"
strings:
$s1 = "Watchdog thread %d waiting on Mutex" fullword ascii
$s2 = "Exploit ok run command" fullword ascii
$s3 = "\\epathobj_exp\\x64\\Release\\epathobj_exp.pdb" ascii
$s4 = "Alllocated userspace PATHRECORD () %p" fullword ascii
$s5 = "Mutex object did not timeout, list not patched" fullword ascii
$s6 = "- inconsistent onexit begin-end variables" fullword wide /* Goodware String - occured 96 times */
condition:
uint16(0) == 0x5a4d and filesize < 150KB and 2 of them
}
rule kelloworld_2 {
meta:
description = "Chinese Hacktool Set - file kelloworld.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
id = "3f298004-e618-5f4a-9cd7-c7c954b6fc64"
strings:
$s1 = "Hello World!" fullword wide
$s2 = "kelloworld.dll" fullword ascii
$s3 = "kelloworld de mimikatz pour Windows" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
rule HScan_v1_20_hscan {
meta:
description = "Chinese Hacktool Set - file hscan.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "568b06696ea0270ee1a744a5ac16418c8dacde1c"
id = "4183824c-b77f-5500-a962-8d9dc78a9388"
strings:
$s1 = "[%s]: Found \"FTP account: anyone/anyone@any.net\" !!!" fullword ascii
$s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,100" fullword ascii
$s3 = ".\\report\\%s-%s.html" fullword ascii
$s4 = ".\\log\\Hscan.log" fullword ascii
$s5 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
rule _Project1_Generate_rejoice {
meta:
description = "Chinese Hacktool Set - from files Project1.exe, Generate.exe, rejoice.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
super_rule = 1
hash0 = "d1a5e3b646a16a7fcccf03759bd0f96480111c96"
hash1 = "2cb4c3916271868c30c7b4598da697f59e9c7a12"
hash2 = "fe634a9f5d48d5c64c8f8bfd59ac7d8965d8f372"
id = "4b36d450-1194-527c-8565-7f321d486d01"
strings:
$s1 = "sfUserAppDataRoaming" fullword ascii
$s2 = "$TRzFrameControllerPropertyConnection" fullword ascii
$s3 = "delphi32.exe" fullword ascii
$s4 = "hkeyCurrentUser" fullword ascii
$s5 = "%s is not a valid IP address." fullword wide
$s6 = "Citadel hooking error" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
rule _hscan_hscan_hscangui {
meta:
description = "Chinese Hacktool Set - from files hscan.exe, hscan.exe, hscangui.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
super_rule = 1
hash0 = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
hash1 = "568b06696ea0270ee1a744a5ac16418c8dacde1c"
hash2 = "af8aced0a78e1181f4c307c78402481a589f8d07"
id = "174b0ee4-23ce-59fd-a784-ab58fd13ce67"
strings:
$s1 = ".\\log\\Hscan.log" fullword ascii
$s2 = ".\\report\\%s-%s.html" fullword ascii
$s3 = "[%s]: checking \"FTP account: ftp/ftp@ftp.net\" ..." fullword ascii
$s4 = "[%s]: IPC NULL session connection success !!!" fullword ascii
$s5 = "Scan %d targets,use %4.1f minutes" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 240KB and all of them
}
rule kiwi_tools {
meta:
description = "Chinese Hacktool Set"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
super_rule = 1
hash0 = "e57e79f190f8a24ca911e6c7e008743480c08553"
hash1 = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
hash2 = "7ac7541e20af7755b7d8141c5c1b7432465cabd8"
hash3 = "9fbfe3eb49d67347ab57ae743f7542864bc06de6"
hash4 = "5c90d648c414bdafb549291f95fe6f27c0c9b5ec"
hash5 = "7addce4434670927c4efaa560524680ba2871d17"
hash6 = "28c5c0bdb7786dc2771672a2c275be7d9b742ec7"
hash7 = "b5c93489a1b62181594d0fb08cc510d947353bc8"
hash8 = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
hash9 = "5d578df9a71670aa832d1cd63379e6162564fb6b"
hash10 = "febadc01a64a071816eac61a85418711debaf233"
hash11 = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86"
hash12 = "56a61c808b311e2225849d195bbeb69733efe49a"
hash13 = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16"
hash14 = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc"
hash15 = "f661d6516d081c37ab7da0f4ec21b2cc6a9257c6"
hash16 = "20facf1fa2d87cccf177403ca1a7852128a9a0ab"
hash17 = "6e0ffa472d63fdda5abc4c1b164ba8724dcb25b5"
id = "000f0081-b035-5c73-8da2-addde2b55303"
strings:
$s1 = "http://blog.gentilkiwi.com/mimikatz" ascii
$s2 = "Benjamin Delpy" fullword ascii
$s3 = "GlobalSign" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
rule kiwi_tools_gentil_kiwi {
meta:
description = "Chinese Hacktool Set"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
super_rule = 1
hash0 = "e57e79f190f8a24ca911e6c7e008743480c08553"
hash1 = "55d5dabd96c44d16e41f70f0357cba1dda26c24f"
hash2 = "7ac7541e20af7755b7d8141c5c1b7432465cabd8"
hash3 = "9fbfe3eb49d67347ab57ae743f7542864bc06de6"
hash4 = "5c90d648c414bdafb549291f95fe6f27c0c9b5ec"
hash5 = "7addce4434670927c4efaa560524680ba2871d17"
hash6 = "28c5c0bdb7786dc2771672a2c275be7d9b742ec7"
hash7 = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5"
hash8 = "5d578df9a71670aa832d1cd63379e6162564fb6b"
hash9 = "febadc01a64a071816eac61a85418711debaf233"
hash10 = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86"
hash11 = "56a61c808b311e2225849d195bbeb69733efe49a"
hash12 = "8bd6c9f2e8be3e74bd83c6a2d929f8a69422fb16"
hash13 = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc"
hash14 = "f661d6516d081c37ab7da0f4ec21b2cc6a9257c6"
hash15 = "6e0ffa472d63fdda5abc4c1b164ba8724dcb25b5"
id = "4ad54580-b10b-5b17-8d8a-510e210e04d1"
strings:
$s1 = "mimikatz" fullword wide
$s2 = "Copyright (C) 2012 Gentil Kiwi" fullword wide
$s3 = "Gentil Kiwi" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}