Sneed-Reactivity/yara-mikesxrs/phbiohazard/phbiohazard_index.yara

50 lines
1.4 KiB
Text
Raw Normal View History

import "pe"
rule APT20140414_1NT
{
meta:
author = "phbiohazard"
reference = "https://github.com/phbiohazard/Yara"
strings:
$dpi1 = {47 45 54 20 2f}
$dpi2 = {2F 74 61 73 6B 73 3F 76 65 72 73 69 6F 6E 3D}
$dpi3 = {26 67 72 6F 75 70 3D}
$dpi4 = {26 63 6C 69 65 6E 74 3D}
condition:
all of them
}
rule APT20140414_1PE
{
meta:
author = "phbiohazard"
reference = "https://github.com/phbiohazard/Yara"
strings:
$genep1 = {04 01 68 9b 1a 40 00 6a 01 6a 00 6a 00 ff 15 0c}
$genep2 = {e9 3d 87 f8 ff bb d6 fb 04 8a 10 5c d2 70 d9 cb}
$genep3 = {57 56 8b f0 e8 70 fd ff ff 5e e8 6e 01 00 00 5f}
$contep1 = {e9 02 47 83 c6 02 89 f2 83 f9 00}
$contep2 = {e5 44 75 c1 8b 36 0c 44 4d c9 31 8b 8a d7 88 d8}
$contep3 = {9c d1 d4 52 7b c5 99 29 1c d7 46 c5 f9 8c f8 e2}
$contep4 = {e8 ef e4 bb 00 5d c3}
condition:
$genep1 and $contep1 and $contep2 or ($genep2 at pe.entry_point and ($contep3 in (pe.entry_point..pe.entry_point + 65))) or ($genep3 at pe.entry_point and ($contep4 in (pe.entry_point..pe.entry_point + 26)))
}
rule ID2015032010000026
{
meta:
author = "mbl"
info = "IOC detection - Version 1.0"
reference = "https://github.com/phbiohazard/Yara"
strings:
$genep1 = {4D 5A 90 00 03 00}
$contep1 = {4D D0 FF EB 22 C7 85 78 FF FF FF 1C 00 00 00 EB}
$contep2 = {2F 77 77 77 2E 74 68 61 77 74 65 2E 63 6F 6D 2F}
condition:
$genep1 and ($contep1 in (0x5d90..0x5d9f) and $contep2 in (0x27e70..0x27e7f))
}