/* Yara Rule Set Author: Florian Roth Date: 2015-06-13 Identifier: CN-Tools Hacktools Reference: Diclosed hacktool set at http://w2op.us/ (Mirror: http://tools.zjqhr.com) */ rule mswin_check_lm_group { meta: description = "Chinese Hacktool Set - file mswin_check_lm_group.exe" author = "Florian Roth (Nextron Systems)" score = 70 reference = "http://tools.zjqhr.com/" date = "2015-06-13" modified = "2021-03-15" hash = "115d87d7e7a3d08802a9e5fd6cd08e2ec633c367" id = "be17981a-7cbf-55ac-bc81-9330472fc814" strings: $s1 = "Valid_Global_Groups: checking group membership of '%s\\%s'." fullword ascii $s2 = "Usage: %s [-D domain][-G][-P][-c][-d][-h]" fullword ascii $s3 = "-D default user Domain" fullword ascii $fp1 = "Panda Security S.L." ascii wide condition: uint16(0) == 0x5a4d and filesize < 380KB and all of ($s*) and not 1 of ($fp*) } rule WAF_Bypass { meta: description = "Chinese Hacktool Set - file WAF-Bypass.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "860a9d7aac2ce3a40ac54a4a0bd442c6b945fa4e" id = "d9f40934-873b-5e73-9198-987966027edc" strings: $s1 = "Email: blacksplitn@gmail.com" fullword wide $s2 = "User-Agent:" fullword wide $s3 = "Send Failed.in RemoteThread" fullword ascii $s4 = "www.example.com" fullword wide $s5 = "Get Domain:%s IP Failed." fullword ascii $s6 = "Connect To Server Failed." fullword ascii condition: uint16(0) == 0x5a4d and filesize < 7992KB and 5 of them } rule Guilin_veterans_cookie_spoofing_tool { meta: description = "Chinese Hacktool Set - file Guilin veterans cookie spoofing tool.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" modified = "2023-01-27" hash = "06b1969bc35b2ee8d66f7ce8a2120d3016a00bb1" id = "13f78e0b-c975-5879-9af1-8c619d6c94a9" strings: $s0 = "kernel32.dll^G" fullword ascii $s1 = "\\.Sus\"B" ascii $s4 = "u56Load3" fullword ascii $s11 = "O MYTMP(iM) VALUES (" ascii condition: uint16(0) == 0x5a4d and filesize < 1387KB and all of them } rule MarathonTool { meta: description = "Chinese Hacktool Set - file MarathonTool.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "084a27cd3404554cc799d0e689f65880e10b59e3" id = "23513361-ecac-5ddb-92b9-4dd8da12e8db" strings: $s0 = "MarathonTool" ascii $s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii $s18 = "SELECT UNICODE(SUBSTRING((system_user),{0},1))" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1040KB and all of them } rule PLUGIN_TracKid { meta: description = "Chinese Hacktool Set - file TracKid.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "a114181b334e850d4b33e9be2794f5bb0eb59a09" id = "8dd77df1-748e-5778-be40-38b794c74b97" strings: $s0 = "E-mail: cracker_prince@163.com" fullword ascii $s1 = ".\\TracKid Log\\%s.txt" fullword ascii $s2 = "Coded by prince" fullword ascii $s3 = "TracKid.dll" fullword ascii $s4 = ".\\TracKid Log" fullword ascii $s5 = "%08x -- %s" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 200KB and 3 of them } rule Pc_pc2015 { meta: description = "Chinese Hacktool Set - file pc2015.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "de4f098611ac9eece91b079050b2d0b23afe0bcb" id = "aa7c0b5e-91c3-52cc-9e06-b4648d0b8825" strings: $s0 = "\\svchost.exe" ascii $s1 = "LON\\OD\\O-\\O)\\O%\\O!\\O=\\O9\\O5\\O1\\O" fullword ascii $s8 = "%s%08x.001" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 309KB and all of them } rule sekurlsa { meta: description = "Chinese Hacktool Set - file sekurlsa.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "6acecd18fc7da1c5eb0d04e848aae9ce59d2b1b5" id = "b65dc578-e5a1-57e6-bd98-2c45cd07e857" strings: $s1 = "Bienvenue dans un processus distant" fullword wide $s2 = "Format d'appel invalide : addLogonSession [idSecAppHigh] idSecAppLow Utilisateur" wide $s3 = "SECURITY\\Policy\\Secrets" fullword wide $s4 = "Injection de donn" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1150KB and all of them } rule mysqlfast { meta: description = "Chinese Hacktool Set - file mysqlfast.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "32b60350390fe7024af7b4b8fbf50f13306c546f" id = "93ee91cd-a6b8-5ed9-b750-779f88032be6" strings: $s2 = "Invalid password hash: %s" fullword ascii $s3 = "-= MySql Hash Cracker =- " fullword ascii $s4 = "Usage: %s hash" fullword ascii $s5 = "Hash: %08lx%08lx" fullword ascii $s6 = "Found pass: " fullword ascii $s7 = "Pass not found" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 900KB and 4 of them } rule DTools2_02_DTools { meta: description = "Chinese Hacktool Set - file DTools.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "9f99771427120d09ec7afa3b21a1cb9ed720af12" id = "fc812797-12d8-596a-8ebe-dd8b0d7a4b7e" strings: $s0 = "kernel32.dll" ascii $s1 = "TSETPASSWORDFORM" fullword wide $s2 = "TGETNTUSERNAMEFORM" fullword wide $s3 = "TPORTFORM" fullword wide $s4 = "ShellFold" fullword ascii $s5 = "DefaultPHotLigh" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and all of them } rule dll_PacketX { meta: description = "Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" score = 50 hash = "3f0908e0a38512d2a4fb05a824aa0f6cf3ba3b71" id = "19ab5977-934d-5e3f-8bba-925bb57bf486" strings: $s9 = "[Failed to load winpcap packet.dll." wide $s10 = "PacketX Version" wide condition: uint16(0) == 0x5a4d and filesize < 1920KB and all of them } rule SqlDbx_zhs { meta: description = "Chinese Hacktool Set - file SqlDbx_zhs.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "e34228345498a48d7f529dbdffcd919da2dea414" id = "31c49755-f1bd-5ecb-91ff-1040e40983ab" strings: $s0 = "S.failed_logins \"Failed Login Attempts\", " fullword ascii $s7 = "SELECT ROLE, PASSWORD_REQUIRED FROM SYS.DBA_ROLES ORDER BY ROLE" fullword ascii $s8 = "SELECT spid 'SPID', status 'Status', db_name (dbid) 'Database', loginame 'Login'" ascii $s9 = "bcp.exe <:schema:>.<:table:> out \"<:file:>\" -n -S <:server:> -U <:user:> -P <:" ascii $s11 = "L.login_policy_name AS \"Login Policy\", " fullword ascii $s12 = "mailto:support@sqldbx.com" fullword ascii $s15 = "S.last_login_time \"Last Login\", " fullword ascii condition: uint16(0) == 0x5a4d and 4 of them } rule ms10048_x86 { meta: description = "Chinese Hacktool Set - file ms10048-x86.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "e57b453966e4827e2effa4e153f2923e7d058702" id = "373f0419-5a7d-5f01-968c-5d3e7b1c0670" strings: $s1 = "[ ] Resolving PsLookupProcessByProcessId" fullword ascii $s2 = "The target is most likely patched." fullword ascii $s3 = "Dojibiron by Ronald Huizer, (c) master@h4cker.us ." fullword ascii $s4 = "[ ] Creating evil window" fullword ascii $s5 = "%sHANDLEF_INDESTROY" fullword ascii $s6 = "[+] Set to %d exploit half succeeded" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and 4 of them } rule Dos_ch { meta: description = "Chinese Hacktool Set - file ch.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "60bbb87b08af840f21536b313a76646e7c1f0ea7" id = "2e8319de-fe54-5083-968c-4707d127f072" strings: $s0 = "/Churraskito/-->Usage: Churraskito.exe \"command\" " fullword ascii $s4 = "fuck,can't find WMI process PID." fullword ascii $s5 = "/Churraskito/-->Found token %s " fullword ascii $s8 = "wmiprvse.exe" fullword ascii $s10 = "SELECT * FROM IIsWebInfo" fullword ascii $s17 = "WinSta0\\Default" fullword ascii /* Goodware String - occured 22 times */ condition: uint16(0) == 0x5a4d and filesize < 260KB and 3 of them } rule DUBrute_DUBrute { meta: description = "Chinese Hacktool Set - file DUBrute.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "8aaae91791bf782c92b97c6e1b0f78fb2a9f3e65" id = "10aa2017-d563-5953-8672-dbc13ff6b3cf" strings: $s1 = "IP - %d; Login - %d; Password - %d; Combination - %d" fullword ascii $s2 = "IP - 0; Login - 0; Password - 0; Combination - 0" fullword ascii $s3 = "Create %d IP@Loginl;Password" fullword ascii $s4 = "UBrute.com" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1020KB and all of them } rule CookieTools { meta: description = "Chinese Hacktool Set - file CookieTools.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b6a3727fe3d214f4fb03aa43fb2bc6fadc42c8be" id = "893884e5-6f4c-5f67-9382-8bf1ee45a257" strings: $s0 = "http://210.73.64.88/doorway/cgi-bin/getclientip.asp?IP=" fullword ascii $s2 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide $s3 = "Connection Closed Gracefully.;Could not bind socket. Address and port are alread" wide $s8 = "OnGetPasswordP" fullword ascii $s12 = "http://www.chinesehack.org/" ascii condition: uint16(0) == 0x5a4d and filesize < 5000KB and 4 of them } rule update_PcInit { meta: description = "Chinese Hacktool Set - file PcInit.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "a6facc4453f8cd81b8c18b3b3004fa4d8e2f5344" id = "71c34049-97a2-5611-a081-21a85f8631d9" strings: $s1 = "\\svchost.exe" ascii $s2 = "%s%08x.001" fullword ascii $s3 = "Global\\ps%08x" fullword ascii $s4 = "drivers\\" ascii /* Goodware String - occured 2 times */ $s5 = "StrStrA" fullword ascii /* Goodware String - occured 43 times */ $s6 = "StrToIntA" fullword ascii /* Goodware String - occured 44 times */ condition: uint16(0) == 0x5a4d and filesize < 50KB and all of them } rule dat_NaslLib { meta: description = "Chinese Hacktool Set - file NaslLib.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "fb0d4263118faaeed2d68e12fab24c59953e862d" id = "d5ce72a4-c2b0-50b2-85bb-acf0bfd354e0" strings: $s1 = "nessus_get_socket_from_connection: fd <%d> is closed" fullword ascii $s2 = "[*] \"%s\" completed, %d/%d/%d/%d:%d:%d - %d/%d/%d/%d:%d:%d" fullword ascii $s3 = "A FsSniffer backdoor seems to be running on this port%s" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1360KB and all of them } rule Dos_1 { meta: description = "Chinese Hacktool Set - file 1.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b554f0687a12ec3a137f321cc15e052ff219f28c" id = "3f1cc1b3-bce2-5a29-849e-ee7deb5e8809" strings: $s1 = "/churrasco/-->Usage: Churrasco.exe \"command to run\"" fullword ascii $s2 = "/churrasco/-->Done, command should have ran as SYSTEM!" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1000KB and all of them } rule OtherTools_servu { meta: description = "Chinese Hacktool Set - file svu.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "5c64e6879a9746a0d65226706e0edc7a" id = "b750d090-8726-5d21-98ba-6cb050cb7174" strings: $s0 = "MZKERNEL32.DLL" fullword ascii $s1 = "UpackByDwing@" fullword ascii $s2 = "GetProcAddress" fullword ascii $s3 = "WriteFile" fullword ascii condition: uint32(0) == 0x454b5a4d and $s0 at 0 and filesize < 50KB and all of them } rule ustrrefadd { meta: description = "Chinese Hacktool Set - file ustrrefadd.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b371b122460951e74094f3db3016264c9c8a0cfa" id = "e6701e7e-bb15-5e0c-822b-3e29342e083c" strings: $s0 = "E-Mail : admin@luocong.com" fullword ascii $s1 = "Homepage: http://www.luocong.com" fullword ascii $s2 = ": %d - " fullword ascii $s3 = "ustrreffix.dll" fullword ascii $s5 = "Ultra String Reference plugin v%d.%02d" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 320KB and all of them } rule XScanLib { meta: description = "Chinese Hacktool Set - file XScanLib.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "c5cb4f75cf241f5a9aea324783193433a42a13b0" id = "e1e2cfad-7cbb-51c3-9b55-648c47af641e" strings: $s4 = "XScanLib.dll" fullword ascii $s6 = "Ports/%s/%d" fullword ascii $s8 = "DEFAULT-TCP-PORT" fullword ascii $s9 = "PlugCheckTcpPort" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 360KB and all of them } rule IDTools_For_WinXP_IdtTool { meta: description = "Chinese Hacktool Set - file IdtTool.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "ebab6e4cb7ea82c8dc1fe4154e040e241f4672c6" id = "c157d467-87f8-59d5-a3ba-e4fbeeba767d" strings: $s2 = "IdtTool.sys" fullword ascii $s4 = "Idt Tool bY tMd[CsP]" fullword wide $s6 = "\\\\.\\slIdtTool" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 25KB and all of them } rule GoodToolset_ms11046 { meta: description = "Chinese Hacktool Set - file ms11046.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "f8414a374011fd239a6c6d9c6ca5851cd8936409" id = "a4703861-02a9-5d93-b6de-c3664ca8abb9" strings: $s1 = "[*] Token system command" fullword ascii $s2 = "[*] command add user 90sec 90sec" fullword ascii $s3 = "[*] Add to Administrators success" fullword ascii $s4 = "[*] User has been successfully added" fullword ascii $s5 = "Program: %s%s%s%s%s%s%s%s%s%s%s" fullword ascii /* Goodware String - occured 3 times */ condition: uint16(0) == 0x5a4d and filesize < 840KB and 2 of them } rule Cmdshell32 { meta: description = "Chinese Hacktool Set - file Cmdshell32.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "3c41116d20e06dcb179e7346901c1c11cd81c596" id = "f1dfb5a1-4292-5895-8310-913cfdf4d9d0" strings: $s1 = "cmdshell.exe" fullword wide $s2 = "cmdshell" fullword ascii $s3 = "[Root@CmdShell ~]#" fullword wide condition: uint16(0) == 0x5a4d and filesize < 62KB and all of them } rule Sniffer_analyzer_SSClone_1210_full_version { meta: description = "Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "6882125babb60bd0a7b2f1943a40b965b7a03d4e" id = "69dac4bf-483d-5888-a748-1a52cf372066" strings: $s0 = "http://www.vip80000.com/hot/index.html" fullword ascii $s1 = "GetConnectString" fullword ascii $s2 = "CnCerT.Safe.SSClone.dll" fullword ascii $s3 = "(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 3580KB and all of them } rule x64_klock { meta: description = "Chinese Hacktool Set - file klock.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "44825e848bc3abdb6f31d0a49725bb6f498e9ccc" id = "7065a4fb-c867-5a94-b6bb-5b60085bea15" strings: $s1 = "Bienvenue dans un processus distant" fullword wide $s2 = "klock.dll" fullword ascii $s3 = "Erreur : le bureau courant (" wide $s4 = "klock de mimikatz pour Windows" fullword wide condition: uint16(0) == 0x5a4d and filesize < 907KB and all of them } rule Dos_Down32 { meta: description = "Chinese Hacktool Set - file Down32.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "0365738acd728021b0ea2967c867f1014fd7dd75" id = "e56c254d-1238-5786-8e8a-f9122b0310a9" strings: $s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide $s6 = "down.exe" fullword wide $s15 = "get_Form1" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 137KB and all of them } rule MarathonTool_2 { meta: description = "Chinese Hacktool Set - file MarathonTool.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "75b5d25cdaa6a035981e5a33198fef0117c27c9c" id = "20151673-6779-58ce-872c-81e74a96597d" strings: $s3 = "http://localhost/retomysql/pista.aspx?id_pista=1" fullword wide $s6 = "SELECT ASCII(SUBSTR(username,{0},1)) FROM USER_USERS" fullword wide $s17 = "/Blind SQL injection tool based in heavy queries" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1000KB and all of them } rule scanms_scanms { meta: description = "Chinese Hacktool Set - file scanms.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "47787dee6ddea2cb44ff27b6a5fd729273cea51a" id = "50393220-35ae-5d3b-ae3f-5d5eb036c043" strings: $s1 = "--- ScanMs Tool --- (c) 2003 Internet Security Systems ---" fullword ascii $s2 = "Scans for systems vulnerable to MS03-026 vuln" fullword ascii $s3 = "More accurate for WinXP/Win2k, less accurate for WinNT" fullword ascii /* PEStudio Blacklist: os */ $s4 = "added %d.%d.%d.%d-%d.%d.%d.%d" fullword ascii $s5 = "Internet Explorer 1.0" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 300KB and 3 of them } rule CN_Tools_PcShare { meta: description = "Chinese Hacktool Set - file PcShare.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "ee7ba9784fae413d644cdf5a093bd93b73537652" id = "0c4e9f9b-9839-56a0-be21-a4e9f19cdfdb" strings: $s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide $s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide $s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide $s5 = "port=%s;name=%s;pass=%s;" fullword wide $s16 = "%s\\ini\\*.dat" fullword wide $s17 = "pcinit.exe" fullword wide $s18 = "http://www.pcshare.cn" fullword wide condition: uint16(0) == 0x5a4d and filesize < 6000KB and 3 of them } rule pw_inspector { meta: description = "Chinese Hacktool Set - file pw-inspector.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "4f8e3e101098fc3da65ed06117b3cb73c0a66215" id = "888db647-c5d0-5b1b-bcd2-512c1ebeadea" strings: $s1 = "-m MINLEN minimum length of a valid password" fullword ascii $s2 = "http://www.thc.org" fullword ascii $s3 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii condition: uint16(0) == 0x5a4d and filesize < 460KB and all of them } rule Dll_LoadEx { meta: description = "Chinese Hacktool Set - file Dll_LoadEx.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "213d9d0afb22fe723ff570cf69ff8cdb33ada150" id = "51235448-751e-51ce-93f8-da48eddb2b7f" strings: $s0 = "WiNrOOt@126.com" fullword wide $s1 = "Dll_LoadEx.EXE" fullword wide $s3 = "You Already Loaded This DLL ! :(" ascii $s10 = "Dll_LoadEx Microsoft " fullword wide $s17 = "Can't Load This Dll ! :(" ascii $s18 = "WiNrOOt" fullword wide $s20 = " Dll_LoadEx(&A)..." fullword wide condition: uint16(0) == 0x5a4d and filesize < 120KB and 3 of them } rule dat_report { meta: description = "Chinese Hacktool Set - file report.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "4582a7c1d499bb96dad8e9b227e9d5de9becdfc2" id = "c77633a7-0c2f-5efa-b58b-635546bfec95" strings: $s1 = "X-Scan" fullword ascii $s2 = "REPORT-ANALYSIS-OF-HOST" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 480KB and all of them } rule Dos_iis7 { meta: description = "Chinese Hacktool Set - file iis7.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "0a173c5ece2fd4ac8ecf9510e48e95f43ab68978" id = "8813b7a2-0d44-5f26-80ab-0f493c09a027" strings: $s0 = "\\\\localhost" fullword ascii $s1 = "iis.run" fullword ascii $s3 = ">Could not connecto %s" fullword ascii $s5 = "WHOAMI" ascii $s13 = "WinSta0\\Default" fullword ascii /* Goodware String - occured 22 times */ condition: uint16(0) == 0x5a4d and filesize < 140KB and all of them } rule SwitchSniffer { meta: description = "Chinese Hacktool Set - file SwitchSniffer.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "1e7507162154f67dff4417f1f5d18b4ade5cf0cd" id = "6019f042-10ab-5899-8b1b-28b2609e9623" strings: $s0 = "NextSecurity.NET" fullword wide $s2 = "SwitchSniffer Setup" fullword wide condition: uint16(0) == 0x5a4d and all of them } rule dbexpora { meta: description = "Chinese Hacktool Set - file dbexpora.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b55b007ef091b2f33f7042814614564625a8c79f" id = "43297ce9-60f3-5b69-b7d8-904fffe622fe" strings: $s0 = "SELECT A.USER FROM SYS.USER_USERS A " fullword ascii $s12 = "OCI 8 - OCIDescriptorFree" fullword ascii $s13 = "ORACommand *" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 835KB and all of them } rule SQLCracker { meta: description = "Chinese Hacktool Set - file SQLCracker.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "1aa5755da1a9b050c4c49fc5c58fa133b8380410" id = "7d7ff2cf-81fb-5a04-a97f-577c306137a9" strings: $s0 = "msvbvm60.dll" fullword ascii /* reversed goodware string 'lld.06mvbvsm' */ $s1 = "_CIcos" fullword ascii $s2 = "kernel32.dll" fullword ascii $s3 = "cKmhV" fullword ascii $s4 = "080404B0" fullword wide condition: uint16(0) == 0x5a4d and filesize < 125KB and all of them } rule FreeVersion_debug { meta: description = "Chinese Hacktool Set - file debug.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "d11e6c6f675b3be86e37e50184dadf0081506a89" id = "2d69a39a-0da5-56ca-87a5-9116dea6c950" strings: $s0 = "c:\\Documents and Settings\\Administrator\\" ascii $s1 = "Got WMI process Pid: %d" ascii $s2 = "This exploit will execute" ascii $s6 = "Found token %s " ascii $s7 = "Running reverse shell" ascii $s10 = "wmiprvse.exe" fullword ascii $s12 = "SELECT * FROM IIsWebInfo" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 820KB and 3 of them } rule Dos_look { meta: description = "Chinese Hacktool Set - file look.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "e1a37f31170e812185cf00a838835ee59b8f64ba" id = "910d1469-9173-5a7d-91ea-a50ee921f662" strings: $s1 = "CHKen QQ:41901298" fullword ascii $s2 = "version=\"9.9.9.9\"" fullword ascii $s3 = "name=\"CH.Ken.Tool\"" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 40KB and all of them } rule NtGodMode { meta: description = "Chinese Hacktool Set - file NtGodMode.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "8baac735e37523d28fdb6e736d03c67274f7db77" id = "3de620bf-0405-536b-9f6d-3a7f02417b20" strings: $s0 = "to HOST!" fullword ascii $s1 = "SS.EXE" fullword ascii $s5 = "lstrlen0" fullword ascii $s6 = "Virtual" fullword ascii /* Goodware String - occured 6 times */ $s19 = "RtlUnw" fullword ascii /* Goodware String - occured 1 times */ condition: uint16(0) == 0x5a4d and filesize < 45KB and all of them } rule WebCrack4_RouterPasswordCracking { meta: description = "Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "00c68d1b1aa655dfd5bb693c13cdda9dbd34c638" id = "e3d50ff8-e58d-5c60-9acd-25ba95a21f68" strings: $s0 = "http://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORD" fullword ascii $s1 = "Username: \"%s\", Password: \"%s\", Remarks: \"%s\"" fullword ascii $s14 = "user:\"%s\" pass: \"%s\" result=\"%s\"" fullword ascii $s16 = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" fullword ascii $s20 = "List count out of bounds (%d)+Operation not allowed on sorted string list%String" wide condition: uint16(0) == 0x5a4d and filesize < 5000KB and 2 of them } rule hscan_gui { meta: description = "Chinese Hacktool Set - file hscan-gui.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "1885f0b7be87f51c304b39bc04b9423539825c69" id = "27f9d2e9-0a62-57ca-9061-c32945c59c7e" strings: $s0 = "Hscan.EXE" fullword wide $s1 = "RestTool.EXE" fullword ascii $s3 = "Hscan Application " fullword wide condition: uint16(0) == 0x5a4d and filesize < 550KB and all of them } rule S_MultiFunction_Scanners_s { meta: description = "Chinese Hacktool Set - file s.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "79b60ffa1c0f73b3c47e72118e0f600fcd86b355" id = "7fb90a59-116d-5fa7-b85b-cbb1af660666" strings: $s0 = "C:\\WINDOWS\\temp\\pojie.exe /l=" fullword ascii $s1 = "C:\\WINDOWS\\temp\\s.exe" fullword ascii $s2 = "C:\\WINDOWS\\temp\\s.exe tcp " fullword ascii $s3 = "explorer.exe http://www.hackdos.com" fullword ascii $s4 = "C:\\WINDOWS\\temp\\pojie.exe" fullword ascii $s5 = "Failed to read file or invalid data in file!" fullword ascii $s6 = "www.hackdos.com" fullword ascii $s7 = "WTNE / MADE BY E COMPILER - WUTAO " fullword ascii $s11 = "The interface of kernel library is invalid!" fullword ascii $s12 = "eventvwr" fullword ascii $s13 = "Failed to decompress data!" fullword ascii $s14 = "NOTEPAD.EXE result.txt" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 8000KB and 4 of them } rule HKTL_CN_Dos_GetPass { meta: description = "Chinese Hacktool Set - file GetPass.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" modified = "2023-01-06" old_rule_name = "Dos_GetPass" hash = "d18d952b24110b83abd17e042f9deee679de6a1a" id = "08635096-474c-5fdf-825e-6c7c8c8d4061" strings: $s0 = "GetLogonS" ascii $s3 = "/showthread.php?t=156643" ascii $s8 = "To Run As Administ" ascii $s18 = "EnableDebugPrivileg" fullword ascii $s19 = "sedebugnameValue" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 890KB and all of them } rule HKTL_CN_update_PcMain { meta: description = "Chinese Hacktool Set - file PcMain.dll" author = "Florian Roth (Nextron Systems)" score = 90 reference = "http://tools.zjqhr.com/" date = "2015-06-13" modified = "2023-01-06" old_rule_name = "update_PcMain" hash = "aa68323aaec0269b0f7e697e69cce4d00a949caa" id = "24c9ba6f-0772-59c9-8bea-3a8bf7823e4c" strings: $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322" ascii $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii $s2 = "SOFTWARE\\Classes\\HTTP\\shell\\open\\command" fullword ascii $s3 = "\\svchost.exe -k " ascii $s4 = "SYSTEM\\ControlSet001\\Services\\%s" fullword ascii $s9 = "Global\\%s-key-event" fullword ascii $s10 = "%d%d.exe" fullword ascii $s14 = "%d.exe" fullword ascii $s15 = "Global\\%s-key-metux" fullword ascii $s18 = "GET / HTTP/1.1" fullword ascii $s19 = "\\Services\\" ascii $s20 = "qy001id=%d;qy001guid=%s" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 500KB and 4 of them } rule HKTL_CN_Dos_sys { meta: description = "Chinese Hacktool Set - file sys.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" modified = "2023-01-06" old_rule_name = "Dos_sys" hash = "b5837047443f8bc62284a0045982aaae8bab6f18" id = "c4b740f2-f4f8-59ff-ad1f-c06718040b50" strings: $s0 = "'SeDebugPrivilegeOpen " fullword ascii $s6 = "Author: Cyg07*2" fullword ascii $s12 = "from golds7n[LAG]'J" fullword ascii $s14 = "DAMAGE" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 150KB and all of them } rule HKTL_CN_dat_xpf { meta: description = "Chinese Hacktool Set - file xpf.sys" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" modified = "2023-01-06" old_rule_name = "dat_xpf" hash = "761125ab594f8dc996da4ce8ce50deba49c81846" id = "fe2de535-4f86-5c29-b67e-153423a897f7" strings: $s1 = "UnHook IoGetDeviceObjectPointer ok!" fullword ascii $s2 = "\\Device\\XScanPF" wide $s3 = "\\DosDevices\\XScanPF" wide condition: uint16(0) == 0x5a4d and filesize < 25KB and all of them } rule HKTL_CN_Project1 { meta: description = "Chinese Hacktool Set - file Project1.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" modified = "2023-01-06" old_rule_name = "Project1" hash = "d1a5e3b646a16a7fcccf03759bd0f96480111c96" id = "12cc7a82-d7a9-58c6-b283-3bb0df477cd8" strings: $s1 = "EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'" fullword ascii $s2 = "Password.txt" fullword ascii $s3 = "LoginPrompt" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 5000KB and all of them } rule Arp_EMP_v1_0 { meta: description = "Chinese Hacktool Set - file Arp EMP v1.0.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "ae4954c142ad1552a2abaef5636c7ef68fdd99ee" id = "b2552f26-47ac-5fa0-941e-d674f9deccac" strings: $s0 = "Arp EMP v1.0.exe" fullword wide condition: uint16(0) == 0x5a4d and filesize < 800KB and all of them } rule CN_Tools_MyUPnP { meta: description = "Chinese Hacktool Set - file MyUPnP.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "15b6fca7e42cd2800ba82c739552e7ffee967000" id = "394e19d3-882e-5a7c-a3a0-e662bd67955c" strings: $s1 = "BYTELINKER.COM" fullword ascii $s2 = "myupnp.exe" fullword ascii $s3 = "LOADER ERROR" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1500KB and all of them } rule CN_Tools_Shiell { meta: description = "Chinese Hacktool Set - file Shiell.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b432d80c37abe354d344b949c8730929d8f9817a" id = "7ac7d79d-3f4e-54e7-bb97-ce94cbbb40a2" strings: $s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii $s2 = "C:\\Windows\\System32\\Shiell.exe" fullword wide $s3 = "Shift shell.exe" fullword wide $s4 = "\" /v debugger /t REG_SZ /d \"" fullword wide condition: uint16(0) == 0x5a4d and filesize < 1500KB and 2 of them } rule cndcom_cndcom { meta: description = "Chinese Hacktool Set - file cndcom.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "08bbe6312342b28b43201125bd8c518531de8082" id = "b1acfe34-03b8-5909-a226-3325fe8629ab" strings: $s1 = "- Rewritten by HDM last " fullword ascii $s2 = "- Usage: %s " fullword ascii $s3 = "- Remote DCOM RPC Buffer Overflow Exploit" fullword ascii $s4 = "- Warning:This Code is more like a dos tool!(Modify by pingker)" fullword ascii $s5 = "Windows NT SP6 (Chinese)" fullword ascii $s6 = "- Original code by FlashSky and Benjurry" fullword ascii $s7 = "\\C$\\123456111111111111111.doc" wide $s8 = "shell3all.c" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and 2 of them } rule IsDebug_V1_4 { meta: description = "Chinese Hacktool Set - file IsDebug V1.4.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "ca32474c358b4402421ece1cb31714fbb088b69a" id = "f9b4a909-e0e5-5708-8794-39250b9d56cc" strings: $s0 = "IsDebug.dll" fullword ascii $s1 = "SV Dumper V1.0" fullword wide $s2 = "(IsDebuggerPresent byte Patcher)" fullword ascii $s8 = "Error WriteMemory failed" fullword ascii $s9 = "IsDebugPresent" fullword ascii $s10 = "idb_Autoload" fullword ascii $s11 = "Bin Files" fullword ascii $s12 = "MASM32 version" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 30KB and all of them } rule HTTPSCANNER { meta: description = "Chinese Hacktool Set - file HTTPSCANNER.EXE" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "ae2929346944c1ea3411a4562e9d5e2f765d088a" id = "470c90f5-bb98-59ab-bff4-f6238c318e36" strings: $s1 = "HttpScanner.exe" fullword wide $s2 = "HttpScanner" fullword wide condition: uint16(0) == 0x5a4d and filesize < 3500KB and all of them } rule HScan_v1_20_PipeCmd { meta: description = "Chinese Hacktool Set - file PipeCmd.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "64403ce63b28b544646a30da3be2f395788542d6" id = "957a8e3b-5f6c-5f3e-8973-88259c9cb0dc" strings: $s1 = "%SystemRoot%\\system32\\PipeCmdSrv.exe" fullword ascii $s2 = "PipeCmd.exe" fullword wide $s3 = "Please Use NTCmd.exe Run This Program." fullword ascii $s4 = "%s\\pipe\\%s%s%d" fullword ascii $s5 = "\\\\.\\pipe\\%s%s%d" fullword ascii $s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii $s7 = "This is a service executable! Couldn't start directly." fullword ascii $s8 = "Connecting to Remote Server ...Failed" fullword ascii $s9 = "PIPECMDSRV" fullword wide condition: uint16(0) == 0x5a4d and filesize < 200KB and 4 of them } rule Dos_fp { meta: description = "Chinese Hacktool Set - file fp.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "41d57d356098ff55fe0e1f0bcaa9317df5a2a45c" id = "f4427aab-50c3-5bb9-997a-75e162a83f8a" strings: $s1 = "fpipe -l 53 -s 53 -r 80 192.168.1.101" fullword ascii $s2 = "FPipe.exe" fullword wide $s3 = "http://www.foundstone.com" fullword ascii $s4 = "%s %s port %d. Address is already in use" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 65KB and all of them } rule Dos_netstat { meta: description = "Chinese Hacktool Set - file netstat.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "d0444b7bd936b5fc490b865a604e97c22d97e598" id = "bc3141bf-4e82-5aa4-a8a6-a0a4586ee9a1" strings: $s0 = "w03a2409.dll" fullword ascii $s1 = "Retransmission Timeout Algorithm = unknown (%1!u!)" fullword wide /* Goodware String - occured 2 times */ $s2 = "Administrative Status = %1!u!" fullword wide /* Goodware String - occured 2 times */ $s3 = "Packet Too Big %1!-10u! %2!-10u!" fullword wide /* Goodware String - occured 2 times */ condition: uint16(0) == 0x5a4d and filesize < 150KB and all of them } rule CN_Tools_xsniff { meta: description = "Chinese Hacktool Set - file xsniff.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "d61d7329ac74f66245a92c4505a327c85875c577" id = "a0fdac88-a7b8-5d24-9012-2bfe7b07e675" strings: $s0 = "xsiff.exe -pass -hide -log pass.log" fullword ascii $s1 = "HOST: %s USER: %s, PASS: %s" fullword ascii $s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii $s10 = "Code by glacier " fullword ascii $s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 220KB and 2 of them } rule MSSqlPass { meta: description = "Chinese Hacktool Set - file MSSqlPass.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "172b4e31ed15d1275ac07f3acbf499daf9a055d7" id = "d45b417f-3649-5603-bd19-8b8bcc19dabc" strings: $s0 = "Reveals the passwords stored in the Registry by Enterprise Manager of SQL Server" wide $s1 = "empv.exe" fullword wide $s2 = "Enterprise Manager PassView" fullword wide condition: uint16(0) == 0x5a4d and filesize < 120KB and all of them } rule WSockExpert { meta: description = "Chinese Hacktool Set - file WSockExpert.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "2962bf7b0883ceda5e14b8dad86742f95b50f7bf" id = "0ae115be-c516-5f4a-97ce-555d84f42947" strings: $s1 = "OpenProcessCmdExecute!" fullword ascii $s2 = "http://www.hackp.com" fullword ascii $s3 = "'%s' is not a valid time!'%s' is not a valid date and time" fullword wide $s4 = "SaveSelectedFilterCmdExecute" fullword ascii $s5 = "PasswordChar@" fullword ascii $s6 = "WSockHook.DLL" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2500KB and 4 of them } rule Ms_Viru_racle { meta: description = "Chinese Hacktool Set - file racle.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "13116078fff5c87b56179c5438f008caf6c98ecb" id = "bdc78dcc-79e6-5516-bba2-54bf537eae38" strings: $s0 = "PsInitialSystemProcess @%p" fullword ascii $s1 = "PsLookupProcessByProcessId(%u) Failed" fullword ascii $s2 = "PsLookupProcessByProcessId(%u) => %p" fullword ascii $s3 = "FirstStage() Loaded, CurrentThread @%p Stack %p - %p" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 210KB and all of them } rule lamescan3 { meta: description = "Chinese Hacktool Set - file lamescan3.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "3130eefb79650dab2e323328b905e4d5d3a1d2f0" id = "8ff1a0e6-d054-589d-a038-f889951ba250" strings: $s1 = "dic\\loginlist.txt" fullword ascii $s2 = "Radmin.exe" fullword ascii $s3 = "lamescan3.pdf!" fullword ascii $s4 = "dic\\passlist.txt" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 3740KB and all of them } rule CN_Tools_pc { meta: description = "Chinese Hacktool Set - file pc.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "5cf8caba170ec461c44394f4058669d225a94285" id = "11cc6c46-33c0-5c53-88f8-700be9ca8add" strings: $s0 = "\\svchost.exe" ascii $s2 = "%s%08x.001" fullword ascii $s3 = "Qy001Service" fullword ascii $s4 = "/.MIKY" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } rule Dos_Down64 { meta: description = "Chinese Hacktool Set - file Down64.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "43e455e43b49b953e17a5b885ffdcdf8b6b23226" id = "b4907ede-dc6a-5b8c-bf1c-557df54191a4" strings: $s1 = "C:\\Windows\\Temp\\Down.txt" fullword wide $s2 = "C:\\Windows\\Temp\\Cmd.txt" fullword wide $s3 = "C:\\Windows\\Temp\\" wide $s4 = "ProcessXElement" fullword ascii $s8 = "down.exe" fullword wide $s20 = "set_Timer1" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 150KB and all of them } rule epathobj_exp32 { meta: description = "Chinese Hacktool Set - file epathobj_exp32.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" modified = "2022-12-21" hash = "ed86ff44bddcfdd630ade8ced39b4559316195ba" id = "ca4639af-ee4f-5220-9595-e7a06b9a8534" strings: $s0 = "Watchdog thread %d waiting on Mutex" fullword ascii $s1 = "Exploit ok run command" fullword ascii $s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" ascii $s3 = "Alllocated userspace PATHRECORD () %p" fullword ascii $s4 = "Mutex object did not timeout, list not patched" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 270KB and all of them } rule Tools_unknown { meta: description = "Chinese Hacktool Set - file unknown.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "4be8270c4faa1827177e2310a00af2d5bcd2a59f" id = "2cb75a84-506d-5b67-8b1f-b91beb5a99a3" strings: $s1 = "No data to read.$Can not bind in port range (%d - %d)" fullword wide $s2 = "GET /ok.asp?id=1__sql__ HTTP/1.1" fullword ascii $s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */ $s4 = "Failed to clear tab control Failed to delete tab at index %d\"Failed to retrieve" wide $s5 = "Host: 127.0.0.1" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2500KB and 4 of them } rule PLUGIN_AJunk { meta: description = "Chinese Hacktool Set - file AJunk.dll" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "eb430fcfe6d13b14ff6baa4b3f59817c0facec00" id = "af92d01d-5e24-52f7-934a-0ad102fc7a93" strings: $s1 = "AJunk.dll" fullword ascii $s2 = "AJunk.DLL" fullword wide $s3 = "AJunk Dynamic Link Library" fullword wide condition: uint16(0) == 0x5a4d and filesize < 560KB and all of them } rule IISPutScanner { meta: description = "Chinese Hacktool Set - file IISPutScanner.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "9869c70d6a9ec2312c749aa17d4da362fa6e2592" id = "699ee45d-c842-56eb-b55b-12a91e815a7b" strings: $s2 = "KERNEL32.DLL" fullword ascii $s3 = "ADVAPI32.DLL" fullword ascii $s4 = "VERSION.DLL" fullword ascii $s5 = "WSOCK32.DLL" fullword ascii $s6 = "COMCTL32.DLL" fullword ascii $s7 = "GDI32.DLL" fullword ascii $s8 = "SHELL32.DLL" fullword ascii $s9 = "USER32.DLL" fullword ascii $s10 = "OLEAUT32.DLL" fullword ascii $s11 = "LoadLibraryA" fullword ascii $s12 = "GetProcAddress" fullword ascii $s13 = "VirtualProtect" fullword ascii $s14 = "VirtualAlloc" fullword ascii $s15 = "VirtualFree" fullword ascii $s16 = "ExitProcess" fullword ascii $s17 = "RegCloseKey" fullword ascii $s18 = "GetFileVersionInfoA" fullword ascii $s19 = "ImageList_Add" fullword ascii $s20 = "BitBlt" fullword ascii $s21 = "ShellExecuteA" fullword ascii $s22 = "ActivateKeyboardLayout" fullword ascii $s23 = "BBABORT" fullword wide $s25 = "BBCANCEL" fullword wide $s26 = "BBCLOSE" fullword wide $s27 = "BBHELP" fullword wide $s28 = "BBIGNORE" fullword wide $s29 = "PREVIEWGLYPH" fullword wide $s30 = "DLGTEMPLATE" fullword wide $s31 = "TABOUTBOX" fullword wide $s32 = "TFORM1" fullword wide $s33 = "MAINICON" fullword wide condition: uint16(0) == 0x5a4d and filesize < 500KB and filesize > 350KB and all of them } rule IDTools_For_WinXP_IdtTool_2 { meta: description = "Chinese Hacktool Set - file IdtTool.sys" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "07feb31dd21d6f97614118b8a0adf231f8541a67" id = "0312be49-c262-5143-abfc-02d428552b86" strings: $s0 = "\\Device\\devIdtTool" wide $s1 = "IoDeleteSymbolicLink" fullword ascii /* Goodware String - occured 467 times */ $s3 = "IoDeleteDevice" fullword ascii /* Goodware String - occured 993 times */ $s6 = "IoCreateSymbolicLink" fullword ascii /* Goodware String - occured 467 times */ $s7 = "IoCreateDevice" fullword ascii /* Goodware String - occured 988 times */ condition: uint16(0) == 0x5a4d and filesize < 7KB and all of them } rule hkmjjiis6 { meta: description = "Chinese Hacktool Set - file hkmjjiis6.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "4cbc6344c6712fa819683a4bd7b53f78ea4047d7" id = "9618c6ec-1557-5b1b-bebc-1c220bb3aba4" strings: $s1 = "comspec" fullword ascii $s2 = "user32.dlly" ascii $s3 = "runtime error" ascii $s4 = "WinSta0\\Defau" ascii $s5 = "AppIDFlags" fullword ascii $s6 = "GetLag" fullword ascii $s7 = "* FROM IIsWebInfo" ascii $s8 = "wmiprvse.exe" ascii $s9 = "LookupAcc" ascii condition: uint16(0) == 0x5a4d and filesize < 70KB and all of them } rule Dos_lcx { meta: description = "Chinese Hacktool Set - file lcx.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "b6ad5dd13592160d9f052bb47b0d6a87b80a406d" id = "2f443673-bfed-5ce3-a0e6-6b59f27c9658" strings: $s0 = "c:\\Users\\careful_snow\\" ascii $s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii $s3 = "[SERVER]connection to %s:%d error" fullword ascii $s4 = "-tran " fullword ascii $s6 = "=========== Code by lion & bkbll, Welcome to [url]http://www.cnhonker.com[/url] " ascii $s7 = "[-] There is a error...Create a new connection." fullword ascii $s8 = "[+] Accept a Client on port %d from %s" fullword ascii $s11 = "-slave " fullword ascii $s13 = "[+] Make a Connection to %s:%d...." fullword ascii $s16 = "-listen " fullword ascii $s17 = "[+] Waiting another Client on port:%d...." fullword ascii $s18 = "[+] Accept a Client on port %d from %s ......" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and 2 of them } rule x_way2_5_X_way { meta: description = "Chinese Hacktool Set - file X-way.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "8ba8530fbda3e8342e8d4feabbf98c66a322dac6" id = "8e878671-2a7c-5c6e-a905-05d303f42e0f" strings: $s0 = "TTFTPSERVERFRM" fullword wide $s1 = "TPORTSCANSETFRM" fullword wide $s2 = "TIISSHELLFRM" fullword wide $s3 = "TADVSCANSETFRM" fullword wide $s4 = "ntwdblib.dll" fullword ascii $s5 = "TSNIFFERFRM" fullword wide $s6 = "TCRACKSETFRM" fullword wide $s7 = "TCRACKFRM" fullword wide $s8 = "dbnextrow" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1000KB and 5 of them } rule tools_Sqlcmd { meta: description = "Chinese Hacktool Set - file Sqlcmd.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "99d56476e539750c599f76391d717c51c4955a33" id = "26e29826-d4bb-55d0-9331-a91e4473daca" strings: $s0 = "[Usage]: %s " fullword ascii $s1 = "=============By uhhuhy(Feb 18,2003) - http://www.cnhonker.net=============" fullword ascii /* PEStudio Blacklist: os */ $s4 = "Cool! Connected to SQL server on %s successfully!" fullword ascii $s5 = "EXEC master..xp_cmdshell \"%s\"" fullword ascii $s6 = "=======================Sqlcmd v0.21 For HScan v1.20=======================" fullword ascii $s10 = "Error,exit!" fullword ascii $s11 = "Sqlcmd>" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 40KB and 3 of them } rule Sword1_5 { meta: description = "Chinese Hacktool Set - file Sword1.5.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "96ee5c98e982aa8ed92cb4cedb85c7fda873740f" id = "dff8666a-0373-5605-9012-92b2b3ec71ea" strings: $s3 = "http://www.ip138.com/ip2city.asp" fullword wide $s4 = "http://www.md5decrypter.co.uk/feed/api.aspx?" fullword wide $s6 = "ListBox_Command" fullword wide $s13 = "md=7fef6171469e80d32c0559f88b377245&submit=MD5+Crack" fullword wide $s18 = "\\Set.ini" wide $s19 = "OpenFileDialog1" fullword wide $s20 = " (*.txt)|*.txt" fullword wide condition: uint16(0) == 0x5a4d and filesize < 400KB and 4 of them } rule Tools_scan { meta: description = "Chinese Hacktool Set - file scan.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "c580a0cc41997e840d2c0f83962e7f8b636a5a13" id = "4601d4d0-2b7e-5937-87b6-df80ab373752" strings: $s2 = "Shanlu Studio" fullword wide $s3 = "_AutoAttackMain" fullword ascii $s4 = "_frmIpToAddr" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 3000KB and all of them } rule Dos_c { meta: description = "Chinese Hacktool Set - file c.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "3deb6bd52fdac6d5a3e9a91c585d67820ab4df78" id = "2e8319de-fe54-5083-968c-4707d127f072" strings: $s0 = "!Win32 .EXE." fullword ascii $s1 = ".MPRESS1" fullword ascii $s2 = ".MPRESS2" fullword ascii $s3 = "XOLEHLP.dll" fullword ascii $s4 = "" fullword ascii $s8 = "DtcGetTransactionManagerExA" fullword ascii /* Goodware String - occured 12 times */ $s9 = "GetUserNameA" fullword ascii /* Goodware String - occured 305 times */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } rule arpsniffer { meta: description = "Chinese Hacktool Set - file arpsniffer.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "7d8753f56fc48413fc68102cff34b6583cb0066c" id = "78db3b18-008a-5a4e-9504-0cbe3b852046" strings: $s1 = "SHELL" ascii $s2 = "PacketSendPacket" fullword ascii $s3 = "ArpSniff" ascii $s4 = "pcap_loop" fullword ascii /* Goodware String - occured 3 times */ $s5 = "packet.dll" fullword ascii /* Goodware String - occured 4 times */ condition: uint16(0) == 0x5a4d and filesize < 120KB and all of them } rule pw_inspector_2 { meta: description = "Chinese Hacktool Set - file pw-inspector.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "e0a1117ee4a29bb4cf43e3a80fb9eaa63bb377bf" id = "795c7009-93a8-57c4-8554-f0ed5c1d50f8" strings: $s1 = "Use for hacking: trim your dictionary file to the pw requirements of the target." fullword ascii $s2 = "Syntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p " ascii $s3 = "PW-Inspector" fullword ascii $s4 = "i:o:m:M:c:lunps" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and 2 of them } rule datPcShare { meta: description = "Chinese Hacktool Set - file datPcShare.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "87acb649ab0d33c62e27ea83241caa43144fc1c4" id = "1bf44c0d-6aa7-5486-baee-c17d3e82403f" strings: $s1 = "PcShare.EXE" fullword wide $s2 = "MZKERNEL32.DLL" fullword ascii $s3 = "PcShare" fullword wide $s4 = "QQ:4564405" fullword wide condition: uint16(0) == 0x5a4d and filesize < 500KB and all of them } rule Tools_xport { meta: description = "Chinese Hacktool Set - file xport.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "9584de562e7f8185f721e94ee3cceac60db26dda" id = "3223fe5b-6135-5530-a5eb-10c44f3f6277" strings: $s1 = "Match operate system failed, 0x%00004X:%u:%d(Window:TTL:DF)" fullword ascii $s2 = "Example: xport www.xxx.com 80 -m syn" fullword ascii $s3 = "%s - command line port scanner" fullword ascii $s4 = "xport 192.168.1.1 1-1024 -t 200 -v" fullword ascii $s5 = "Usage: xport [Options]" fullword ascii $s6 = ".\\port.ini" fullword ascii $s7 = "Port scan complete, total %d port, %d port is opened, use %d ms." fullword ascii $s8 = "Code by glacier " fullword ascii $s9 = "http://www.xfocus.org" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and 2 of them } rule Pc_xai { meta: description = "Chinese Hacktool Set - file xai.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "f285a59fd931ce137c08bd1f0dae858cc2486491" id = "dcf1b57b-3616-5198-bd57-18505fee91ae" strings: $s1 = "Powered by CoolDiyer @ C.Rufus Security Team 05/19/2008 http://www.xcodez.com/" fullword wide $s2 = "%SystemRoot%\\System32\\" ascii $s3 = "%APPDATA%\\" ascii $s4 = "---- C.Rufus Security Team ----" fullword wide $s5 = "www.snzzkz.com" fullword wide $s6 = "%CommonProgramFiles%\\" ascii $s7 = "GetRand.dll" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 3000KB and all of them } rule Radmin_Hash { meta: description = "Chinese Hacktool Set - file Radmin_Hash.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "be407bd5bf5bcd51d38d1308e17a1731cd52f66b" id = "07761e81-15b4-5639-b766-8dc3f16e2b7a" strings: $s1 = "IEBars" fullword ascii $s2 = "PECompact2" fullword ascii $s3 = "Radmin, Remote Administrator" fullword wide $s4 = "Radmin 3.0 Hash " fullword wide $s5 = "HASH1.0" fullword wide condition: uint16(0) == 0x5a4d and filesize < 600KB and all of them } rule OSEditor { meta: description = "Chinese Hacktool Set - file OSEditor.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "6773c3c6575cf9cfedbb772f3476bb999d09403d" id = "b308852c-3436-5748-9ba6-82d4c3c5fc14" strings: $s1 = "OSEditor.exe" fullword wide $s2 = "netsafe" wide $s3 = "OSC Editor" fullword wide $s4 = "GIF89" ascii $s5 = "Unlock" ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } rule GoodToolset_ms11011 { meta: description = "Chinese Hacktool Set - file ms11011.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "5ad7a4962acbb6b0e3b73d77385eb91feb88b386" id = "689b7ea3-6707-5f99-8232-438d903d414d" strings: $s0 = "\\i386\\Hello.pdb" ascii $s1 = "OS not supported." fullword ascii $s3 = "Not supported." fullword wide /* Goodware String - occured 3 times */ $s4 = "SystemDefaultEUDCFont" fullword wide /* Goodware String - occured 18 times */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } rule FreeVersion_release { meta: description = "Chinese Hacktool Set - file release.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "f42e4b5748e92f7a450eb49fc89d6859f4afcebb" id = "1a603634-a00a-5f8b-a47d-c3c8065a5c3e" strings: $s1 = "-->Got WMI process Pid: %d " ascii $s2 = "This exploit will execute \"net user " ascii $s3 = "net user temp 123456 /add & net localgroup administrators temp /add" fullword ascii $s4 = "Running reverse shell" ascii $s5 = "wmiprvse.exe" fullword ascii $s6 = "SELECT * FROM IIsWebInfo" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and 3 of them } rule churrasco { meta: description = "Chinese Hacktool Set - file churrasco.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "a8d4c177948a8e60d63de9d0ed948c50d0151364" id = "99cb5a7a-85c1-57f5-b5b6-f0b1092e1e06" strings: $s1 = "Done, command should have ran as SYSTEM!" ascii $s2 = "Running command with SYSTEM Token..." ascii $s3 = "Thread impersonating, got NETWORK SERVICE Token: 0x%x" ascii $s4 = "Found SYSTEM token 0x%x" ascii $s5 = "Thread not impersonating, looking for another thread..." ascii condition: uint16(0) == 0x5a4d and filesize < 150KB and 2 of them } rule x64_KiwiCmd { meta: description = "Chinese Hacktool Set - file KiwiCmd.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "569ca4ff1a5ea537aefac4a04a2c588c566c6d86" id = "df759fd4-5d42-5dd9-81d0-ceccafcdd64d" strings: $s1 = "Process Ok, Memory Ok, resuming process :)" fullword wide $s2 = "Kiwi Cmd no-gpo" fullword wide $s3 = "KiwiAndCMD" fullword wide condition: uint16(0) == 0x5a4d and filesize < 400KB and 2 of them } rule sql1433_SQL { meta: description = "Chinese Hacktool Set - file SQL.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "025e87deadd1c50b1021c26cb67b76b476fafd64" id = "fb4c5958-2e4e-5231-b0db-eca6bc3d823a" strings: /* WIDE: ProductName 1433 */ $s0 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 31 00 34 00 33 00 33 } /* WIDE: ProductVersion 1,4,3,3 */ $s1 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 31 00 2C 00 34 00 2C 00 33 00 2C 00 33 } condition: uint16(0) == 0x5a4d and filesize < 90KB and all of them } rule CookieTools2 { meta: description = "Chinese Hacktool Set - file CookieTools2.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "cb67797f229fdb92360319e01277e1345305eb82" id = "f227ba4b-9cad-5aac-99ab-46a8237249d4" strings: $s1 = "www.gxgl.com&www.gxgl.net" fullword wide $s2 = "ip.asp?IP=" fullword ascii $s3 = "MSIE 5.5;" fullword ascii $s4 = "SOFTWARE\\Borland\\" ascii condition: uint16(0) == 0x5a4d and filesize < 700KB and all of them } rule cyclotron { meta: description = "Chinese Hacktool Set - file cyclotron.sys" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "5b63473b6dc1e5942bf07c52c31ba28f2702b246" id = "7099462b-2a72-56cd-8a50-27cd445eb9d2" strings: $s1 = "\\Device\\IDTProt" wide $s2 = "IoDeleteSymbolicLink" fullword ascii /* Goodware String - occured 467 times */ $s3 = "\\??\\slIDTProt" wide $s4 = "IoDeleteDevice" fullword ascii /* Goodware String - occured 993 times */ $s5 = "IoCreateSymbolicLink" fullword ascii /* Goodware String - occured 467 times */ condition: uint16(0) == 0x5a4d and filesize < 3KB and all of them } rule xscan_gui { meta: description = "Chinese Hacktool Set - file xscan_gui.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "a9e900510396192eb2ba4fb7b0ef786513f9b5ab" id = "fee11058-e75f-5d8f-8d10-06dcaed99df1" strings: $s1 = "%s -mutex %s -host %s -index %d -config \"%s\"" fullword ascii $s2 = "www.target.com" fullword ascii $s3 = "%s\\scripts\\desc\\%s.desc" fullword ascii $s4 = "%c Active/Maximum host thread: %d/%d, Current/Maximum thread: %d/%d, Time(s): %l" ascii condition: uint16(0) == 0x5a4d and filesize < 3000KB and all of them } rule CN_Tools_hscan { meta: description = "Chinese Hacktool Set - file hscan.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "17a743e40790985ececf5c66eaad2a1f8c4cffe8" id = "82d9cd61-8cef-56b4-8dfe-a28edaa781b8" strings: $s1 = "%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000" fullword ascii $s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20" fullword ascii $s3 = "%s -h www.target.com -all" fullword ascii $s4 = ".\\report\\%s-%s.html" fullword ascii $s5 = ".\\log\\Hscan.log" fullword ascii $s6 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii $s7 = "%s@ftpscan#FTP Account: %s/[null]" fullword ascii $s8 = ".\\conf\\mysql_pass.dic" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 300KB and all of them } rule GoodToolset_pr { meta: description = "Chinese Hacktool Set - file pr.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "f6676daf3292cff59ef15ed109c2d408369e8ac8" id = "d00e1873-f2a5-5e89-9223-ead418e2667c" strings: $s1 = "-->Got WMI process Pid: %d " ascii $s2 = "-->This exploit gives you a Local System shell " ascii $s3 = "wmiprvse.exe" fullword ascii $s4 = "Try the first %d time" fullword ascii $s5 = "-->Build&&Change By p " ascii $s6 = "root\\MicrosoftIISv2" fullword wide condition: uint16(0) == 0x5a4d and filesize < 200KB and all of them } rule hydra_7_4_1_hydra { meta: description = "Chinese Hacktool Set - file hydra.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "3411d0380a1c1ebf58a454765f94d4f1dd714b5b" id = "cf692bea-091d-5be0-a012-caba01e96dde" strings: $s1 = "%d of %d target%s%scompleted, %lu valid password%s found" fullword ascii $s2 = "[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORD" fullword ascii $s3 = "hydra -P pass.txt target cisco-enable (direct console access)" fullword ascii $s4 = "[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED" fullword ascii $s5 = "[ERROR] SMTP LOGIN AUTH, either this auth is disabled" fullword ascii $s6 = "\"/login.php:user=^USER^&pass=^PASS^&mid=123:incorrect\"" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them } rule CN_Tools_srss_2 { meta: description = "Chinese Hacktool Set - file srss.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "c418b30d004051bbf1b2d3be426936b95b5fea6f" id = "3a84fa58-ccd0-5cf0-b1e0-a8f2ca04fd3f" strings: $x1 = "used pepack!" fullword ascii $s1 = "KERNEL32.dll" fullword ascii $s2 = "KERNEL32.DLL" fullword ascii $s3 = "LoadLibraryA" fullword ascii $s4 = "GetProcAddress" fullword ascii $s5 = "VirtualProtect" fullword ascii $s6 = "VirtualAlloc" fullword ascii $s7 = "VirtualFree" fullword ascii $s8 = "ExitProcess" fullword ascii condition: uint16(0) == 0x5a4d and ( $x1 at 0 ) and filesize < 14KB and all of ($s*) } rule Dos_NtGod { meta: description = "Chinese Hacktool Set - file NtGod.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "adefd901d6bbd8437116f0170b9c28a76d4a87bf" id = "c2f0733d-5519-5cb8-b077-0ae8472400b4" strings: $s0 = "\\temp\\NtGodMode.exe" ascii $s4 = "NtGodMode.exe" fullword ascii $s10 = "ntgod.bat" fullword ascii $s19 = "sfxcmd" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 250KB and all of them } rule CN_Tools_VNCLink { meta: description = "Chinese Hacktool Set - file VNCLink.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "cafb531822cbc0cfebbea864489eebba48081aa1" id = "270dc14c-ac8f-58c2-b4ac-c10981e20a07" strings: $s1 = "C:\\temp\\vncviewer4.log" fullword ascii $s2 = "[BL4CK] Patched by redsand || http://blacksecurity.org" fullword ascii $s3 = "fake release extendedVkey 0x%x, keysym 0x%x" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 580KB and 2 of them } rule tools_NTCmd { meta: description = "Chinese Hacktool Set - file NTCmd.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "a3ae8659b9a673aa346a60844208b371f7c05e3c" id = "db3f28d6-dfe8-5c79-a11b-e31701e250d7" strings: $s1 = "pipecmd \\\\%s -U:%s -P:\"\" %s" fullword ascii $s2 = "[Usage]: %s " fullword ascii $s3 = "pipecmd \\\\%s -U:%s -P:%s %s" fullword ascii $s4 = "============By uhhuhy (Feb 18,2003) - http://www.cnhonker.net============" fullword ascii /* PEStudio Blacklist: os */ $s5 = "=======================NTcmd v0.11 for HScan v1.20=======================" fullword ascii $s6 = "NTcmd>" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 80KB and 2 of them } rule mysql_pwd_crack { meta: description = "Chinese Hacktool Set - file mysql_pwd_crack.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "57d1cb4d404688804a8c3755b464a6e6248d1c73" id = "3ddeb1c7-e124-5e9e-abcf-3856e0561165" strings: $s1 = "mysql_pwd_crack 127.0.0.1 -x 3306 -p root -d userdict.txt" fullword ascii $s2 = "Successfully --> username %s password %s " fullword ascii $s3 = "zhouzhen@gmail.com http://zhouzhen.eviloctal.org" fullword ascii $s4 = "-a automode automatic crack the mysql password " fullword ascii $s5 = "mysql_pwd_crack 127.0.0.1 -x 3306 -a" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 100KB and 1 of them } rule CmdShell64 { meta: description = "Chinese Hacktool Set - file CmdShell64.exe" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "http://tools.zjqhr.com/" date = "2015-06-13" hash = "5b92510475d95ae5e7cd6ec4c89852e8af34acf1" id = "f4d69be7-f717-53f7-873e-86acbb309106" strings: $s1 = "C:\\Windows\\System32\\JAVASYS.EXE" fullword wide $s2 = "ServiceCmdShell" fullword ascii $s3 = "