Sneed-Reactivity/yara-Neo23x0/crime_cn_group_btc.yar


/*
Yara Rule Set
Author: Florian Roth
Date: 2017-06-22
Identifier: CN Group Tools
Reference: Internal Research
*/
rule BTC_Miner_lsass1_chrome_2 {
   // Flags PE binaries carrying the command-line usage text of a CPU miner.
   // NOTE(review): these are generic miner help strings, so a legitimately
   // installed miner matches just as well as a dropped one — triage against
   // host policy rather than treating a hit as malicious on its own.
   meta:
      description = "Detects a Bitcoin Miner"
      author = "Florian Roth (Nextron Systems)"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      reference = "Internal Research - CN Actor"
      date = "2017-06-22"
      super_rule = 1
      score = 60
      id = "7960d96a-7bd3-5135-867d-e39a02274c45"
      hash1 = "048e9146387d6ff2ac055eb9ddfbfb9a7f70e95c7db9692e2214fa4bec3d5b2e"
      hash2 = "c8db8469287d47ffdc74fe86ce0e9d6e51de67ba1df318573c9398742116a6e8"
   strings:
      // "-t/--threads" and "-O/--userpass" option help lines; fullword so a
      // longer string containing this text does not match
      $x1 = "-t, --threads=N number of miner threads (default: number of processors)" fullword ascii
      $x2 = "-O, --userpass=U:P username:password pair for mining server" fullword ascii
   condition:
      // MZ header (PE), under 6 MB, and either usage line present
      uint16(0) == 0x5a4d
      and filesize < 6000KB
      and ( $x1 or $x2 )
}
rule CN_Actor_RA_Tool_Ammyy_mscorsvw {
   // Flags PE binaries embedding Ammyy Admin's user-facing message strings.
   // NOTE(review): Ammyy Admin is a commercially distributed remote-admin tool;
   // this rule fires on any copy of it, so it is an actor indicator only in the
   // context of the referenced investigation. Unlike the two sibling rules in
   // this file it carries no `score` meta — confirm whether that is intended.
   meta:
      description = "Detects Ammyy remote access tool"
      author = "Florian Roth (Nextron Systems)"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      reference = "Internal Research - CN Actor"
      date = "2017-06-22"
      id = "71a0c5a9-b4dc-508d-a6b7-4b85b75bc34b"
      hash1 = "1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed"
      hash2 = "d9ec0a1be7cd218042c54bfbc12000662b85349a6b78731a09ed336e5d3cf0b4"
   strings:
      // English password prompt
      $s1 = "Please enter password for accessing remote computer" fullword ascii
      // German: "The access request was rejected by the remote computer"
      $s2 = "Die Zugriffsanforderung wurde vom Remotecomputer abgelehnt" fullword ascii
      // Service-install notice (the original's grammar is preserved — it is the
      // literal string being matched)
      $s3 = "It will automatically be run the next time this computer is restart or you can start it manually" fullword ascii
   condition:
      // MZ header (PE), under 4 MB, and every one of the three strings present
      // ("all of them" is exactly "3 of them" for a three-string rule)
      uint16(0) == 0x5a4d
      and filesize < 4000KB
      and all of them
}
rule CN_Actor_AmmyyAdmin {
   // Flags PE binaries that retain an Ammyy source-tree path for Downloader.cpp
   // (a build artefact left in the binary). hash1 is the same sample listed as
   // hash1 in CN_Actor_RA_Tool_Ammyy_mscorsvw above, so both rules are expected
   // to hit on it.
   meta:
      description = "Detects Ammyy Admin Downloader"
      author = "Florian Roth (Nextron Systems)"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      reference = "Internal Research - CN Actor"
      date = "2017-06-22"
      score = 60
      id = "08ffb61a-e2de-538e-9d9f-040276324af9"
      hash1 = "1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed"
   strings:
      // Not fullword: matches as a substring of any longer path that contains it
      // (the backslashes are escaped once for YARA, i.e. "\Ammyy\sources\main\Downloader.cpp")
      $x2 = "\\Ammyy\\sources\\main\\Downloader.cpp" ascii
   condition:
      // MZ header (PE), under 2 MB, and the path fragment present; with a single
      // string, "all of them" reduces to $x2
      uint16(0) == 0x5a4d
      and filesize < 2000KB
      and $x2
}