feat: added 51 nuclei templates
parent
95c62fdc8f
commit
46e7b13d6a
179
README.md
|
@ -1,2 +1,177 @@
|
|||
# nuclei-malware
|
||||
Template to detect some malware
|
||||
# Nuclei Malware
|
||||
Template to detect some malware using nuclei
|
||||
|
||||
## Status
|
||||
I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not
|
||||
|
||||
| Malware Yara Rules | Status |
|
||||
| --- | --- |
|
||||
| MALW_ATMPot | 🟥 Impossible |
|
||||
| MALW_ATM_HelloWorld | 🟥 Impossible |
|
||||
| MALW_AZORULT | 🟥 Impossible |
|
||||
| MALW_AgentTesla | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_AgentTesla_SMTP | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_AlMashreq | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Alina | 🟩 Possible |
|
||||
| MALW_Andromeda | 🟩 Possible |
|
||||
| MALW_Arkei | 🟩 Possible |
|
||||
| MALW_Athena | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Atmos | 🟥 Impossible |
|
||||
| MALW_BackdoorSSH | 🟥 Impossible |
|
||||
| MALW_Backoff | 🟩 Possible |
|
||||
| MALW_Bangat | 🟥 Impossible |
|
||||
| MALW_Batel | 🟥 Impossible |
|
||||
| MALW_BlackRev | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_BlackWorm | 🟩 Possible |
|
||||
| MALW_Boouset | 🟥 Impossible |
|
||||
| MALW_Bublik | 🟩 Possible |
|
||||
| MALW_Buzus_Softpulse | 🟥 Impossible |
|
||||
| MALW_CAP_HookExKeylogger | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Chicken | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Citadel | 🟥 Impossible |
|
||||
| MALW_Cloaking | 🟥 Impossible |
|
||||
| MALW_Cookies | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Corkow | 🟥 Impossible |
|
||||
| MALW_Cxpid | 🟩 Possible |
|
||||
| MALW_Cythosia | 🟩 Possible |
|
||||
| MALW_DDoSTf | 🟩 Possible |
|
||||
| MALW_Derkziel | 🟩 Possible |
|
||||
| MALW_Dexter | 🟩 Possible |
|
||||
| MALW_DiamondFox | 🟩 Possible |
|
||||
| MALW_DirtJumper | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Eicar | 🟩 Possible |
|
||||
| MALW_Elex | 🟥 Impossible |
|
||||
| MALW_Elknot | 🟥 Impossible |
|
||||
| MALW_Emotet | 🟥 Impossible |
|
||||
| MALW_Empire | 🟥 Impossible |
|
||||
| MALW_Enfal | 🟥 Impossible |
|
||||
| MALW_Exploit_UAC_Elevators | 🟥 Impossible |
|
||||
| MALW_Ezcob | 🟩 Possible |
|
||||
| MALW_F0xy | 🟥 Impossible |
|
||||
| MALW_FALLCHILL | 🟥 Impossible |
|
||||
| MALW_FUDCrypt | 🟩 Possible |
|
||||
| MALW_FakeM | 🟥 Impossible |
|
||||
| MALW_Fareit | 🟥 Impossible |
|
||||
| MALW_Favorite | 🟥 Impossible |
|
||||
| MALW_Furtim | 🟥 Impossible |
|
||||
| MALW_Gafgyt | 🟩 Possible |
|
||||
| MALW_Genome | 🟩 Possible |
|
||||
| MALW_Glasses | 🟩 Possible |
|
||||
| MALW_Gozi | 🟩 Possible |
|
||||
| MALW_Grozlex | 🟩 Possible |
|
||||
| MALW_Hajime | 🟥 Impossible |
|
||||
| MALW_Hsdfihdf_banking | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Httpsd_ELF | 🟥 Impossible |
|
||||
| MALW_IMuler | 🟥 Impossible |
|
||||
| MALW_IcedID | 🟥 Impossible |
|
||||
| MALW_Iexpl0ree | 🟥 Impossible |
|
||||
| MALW_Install11 | 🟩 Possible |
|
||||
| MALW_Intel_Virtualization | 🟩 Possible |
|
||||
| MALW_IotReaper | 🟩 Possible |
|
||||
| MALW_Jolob_Backdoor | 🟩 Possible |
|
||||
| MALW_KINS | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Kelihos | 🟩 Possible |
|
||||
| MALW_KeyBase | 🟥 Impossible |
|
||||
| MALW_Korlia | 🟥 Impossible |
|
||||
| MALW_Korplug | 🟥 Impossible |
|
||||
| MALW_Kovter | 🟩 Possible |
|
||||
| MALW_Kraken | 🟥 Impossible |
|
||||
| MALW_Kwampirs | 🟩 Possible |
|
||||
| MALW_LURK0 | 🟥 Impossible |
|
||||
| MALW_Lateral_Movement | 🟩 Possible |
|
||||
| MALW_Lenovo_Superfish | 🟥 Impossible |
|
||||
| MALW_LinuxBew | 🟩 Possible |
|
||||
| MALW_LinuxHelios | 🟩 Possible |
|
||||
| MALW_LinuxMoose | 🟥 Impossible |
|
||||
| MALW_LostDoor | 🟩 Possible |
|
||||
| MALW_LuaBot | 🟩 Possible |
|
||||
| MALW_LuckyCat | 🟥 Impossible |
|
||||
| MALW_MSILStealer | 🟩 Possible |
|
||||
| MALW_MacControl | 🟥 Impossible |
|
||||
| MALW_MacGyver | 🟩 Possible |
|
||||
| MALW_Madness | 🟩 Possible |
|
||||
| MALW_Magento_backend | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Magento_frontend | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Magento_suspicious | 🟥 Impossible |
|
||||
| MALW_Mailers | 🟥 Impossible |
|
||||
| MALW_MedusaHTTP_2019 | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Miancha | 🟥 Impossible |
|
||||
| MALW_MiniAsp3_mem | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Mirai | 🟥 Impossible |
|
||||
| MALW_Mirai_Okiru_ELF | 🟥 Impossible |
|
||||
| MALW_Mirai_Satori_ELF | 🟥 Impossible |
|
||||
| MALW_Miscelanea | 🟥 Impossible |
|
||||
| MALW_Miscelanea_Linux | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Monero_Miner_installer | 🟩 Possible |
|
||||
| MALW_NSFree | 🟩 Possible |
|
||||
| MALW_Naikon | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Naspyupdate | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_NetTraveler | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_NionSpy | 🟥 Impossible |
|
||||
| MALW_Notepad | 🟩 Possible |
|
||||
| MALW_OSX_Leverage | 🟩 Possible |
|
||||
| MALW_Odinaff | 🟥 Impossible |
|
||||
| MALW_Olyx | 🟩 Possible |
|
||||
| MALW_PE_sections | 🟥 Impossible |
|
||||
| MALW_PittyTiger | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_PolishBankRat | 🟥 Impossible |
|
||||
| MALW_Ponmocup | 🟥 Impossible |
|
||||
| MALW_Pony | 🟩 Possible |
|
||||
| MALW_Predator | 🟥 Impossible |
|
||||
| MALW_PubSab | 🟩 Possible |
|
||||
| MALW_PurpleWave | 🟥 Impossible |
|
||||
| MALW_PyPI | 🟩 Possible |
|
||||
| MALW_Pyinstaller | 🟥 Impossible |
|
||||
| MALW_Pyinstaller_OSX | 🟩 Possible |
|
||||
| MALW_Quarian | 🟥 Impossible |
|
||||
| MALW_Rebirth_Vulcan_ELF | 🟥 Impossible |
|
||||
| MALW_Regsubdat | 🟥 Impossible |
|
||||
| MALW_Rockloader | 🟥 Impossible |
|
||||
| MALW_Rooter | 🟥 Impossible |
|
||||
| MALW_Rovnix | 🟥 Impossible |
|
||||
| MALW_Safenet | 🟩 Possible |
|
||||
| MALW_Sakurel | 🟩 Possible |
|
||||
| MALW_Sayad | 🟩 Possible |
|
||||
| MALW_Scarhikn | 🟥 Impossible |
|
||||
| MALW_Sendsafe | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Shamoon | 🟥 Impossible |
|
||||
| MALW_Shifu | 🟥 Impossible |
|
||||
| MALW_Skeleton | 🟥 Impossible |
|
||||
| MALW_Spora | 🟩 Possible |
|
||||
| MALW_Sqlite | 🟩 Possible |
|
||||
| MALW_Stealer | 🟩 Possible |
|
||||
| MALW_Surtr | 🟥 Impossible |
|
||||
| MALW_T5000 | 🟩 Possible |
|
||||
| MALW_TRITON_HATMAN | 🟥 Impossible |
|
||||
| MALW_TRITON_ICS_FRAMEWORK | 🟥 Impossible |
|
||||
| MALW_Tedroo | 🟩 Possible |
|
||||
| MALW_Tinba | 🟥 Impossible |
|
||||
| MALW_TinyShell_Backdoor_gen | 🟥 Impossible |
|
||||
| MALW_Torte_ELF | 🟥 Impossible |
|
||||
| MALW_TreasureHunt | 🟩 Possible |
|
||||
| MALW_TrickBot | 🟩 Possible |
|
||||
| MALW_Trumpbot | 🟩 Possible |
|
||||
| MALW_Upatre | 🟥 Impossible |
|
||||
| MALW_Urausy | 🟩 Possible |
|
||||
| MALW_Vidgrab | 🟥 Impossible |
|
||||
| MALW_Virut_FileInfector_UNK_VERSION | 🟥 Impossible |
|
||||
| MALW_Volgmer | 🟥 Impossible |
|
||||
| MALW_Wabot | 🟩 Possible |
|
||||
| MALW_Warp | 🟩 Possible |
|
||||
| MALW_Wimmie | 🟥 Impossible |
|
||||
| MALW_XHide | 🟩 Possible |
|
||||
| MALW_XMRIG_Miner | 🟩 Possible |
|
||||
| MALW_XOR_DDos | 🟩 Possible |
|
||||
| MALW_Yayih | 🟩 Possible |
|
||||
| MALW_Yordanyan_ActiveAgent | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_Zegost | 🟩 Possible |
|
||||
| MALW_Zeus | 🟥 Impossible |
|
||||
| MALW_adwind_RAT | 🟥 Impossible |
|
||||
| MALW_hancitor | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_kirbi_mimikatz | 🟥 Impossible |
|
||||
| MALW_kpot | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_marap | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
|
||||
| MALW_viotto_keylogger | 🟥 Impossible |
|
||||
| MALW_xDedic_marketplace | 🟥 Impossible |
|
|
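Review bot: the status table never says which rules were actually turned into templates, so the "51 templates" in the commit title cannot be checked against it. For every 🟩 Possible row, link the template file that implements it (or mark rows that are possible but not yet written), and add one sentence above the table stating the criterion behind 🟥 Impossible and 🟨 "requires a lot of effort" so a contributor knows what would move a row. Minor: the yara-rules link points at `blob/master/malware/`, which is a directory, so `tree/master/malware/` is the right form.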
@ -0,0 +1,24 @@
|
|||
id: malware_alina
|
||||
|
||||
info:
|
||||
name: Alina Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Brian Wallace @botnet_hunter"
|
||||
author_original_email: "bwall@ballastsecurity.net"
|
||||
date: "2014-08-09"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'Alina v1.0'
|
||||
- 'POST'
|
||||
- '1[0-2])[0-9]'
|
||||
condition: and
|
|
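Review bot: `type: word` is a literal substring match, so `'1[0-2])[0-9]'` is searched for as those exact characters, not evaluated as a regular expression. If that is intended (the YARA original also carries it as a text string), put a comment on the line saying so, because it reads like a regex that someone will later "fix" into `type: regex`; if a regex was intended, it needs `type: regex` and a balanced expression. `'POST'` contributes almost no selectivity and could be dropped.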
@ -0,0 +1,25 @@
|
|||
id: malware_andromeda
|
||||
|
||||
info:
|
||||
name: Andromeda Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Brian Wallace @botnet_hunter"
|
||||
author_original_email: "bwall@ballastsecurity.net"
|
||||
date: "2014-03-13"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'
|
||||
|
||||
- type: binary
|
||||
binary:
|
||||
- "1C1C1D03494746"
|
|
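Review bot: the word `'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'` is single-quoted, and YAML does not process escapes inside single quotes, so the matcher looks for two consecutive backslashes between each fragment. The YARA original is double-quoted, where `\\` denotes a single backslash, so this template will not match the sample the rule was written for. Double-quote the value (`"hsk\\ehs\\..."`) so YAML decodes `\\` to one backslash, or write it in single quotes with one backslash each.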
@ -0,0 +1,26 @@
|
|||
id: malware_arkei
|
||||
|
||||
info:
|
||||
name: Arkei Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Fumik0_"
|
||||
date: "2014-07-10"
|
||||
hash: "5632c89fe4c7c2c87b69d787bbf0a5b4cc535f1aa02699792888c60e0ef88fc5"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'Arkei'
|
||||
- '/server/gate'
|
||||
- '/server/grubConfig'
|
||||
- '\\files\\'
|
||||
- 'SQLite'
|
||||
condition: and
|
|
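Review bot: `'\\files\\'` is single-quoted, so YAML keeps both backslashes and the matcher requires `\\files\\` rather than the `\files\` the YARA original matches; with `condition: and` that single entry makes the whole template fail. Use `"\\files\\"` (double quotes) so `\\` decodes to one backslash.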
@ -0,0 +1,24 @@
|
|||
id: malware_backoff
|
||||
|
||||
info:
|
||||
name: Backoff Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Brian Wallace @botnet_hunter"
|
||||
author_original_email: "bwall@ballastsecurity.net"
|
||||
date: "2014-08-21"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'
|
||||
- '%s @ %s'
|
||||
- 'Upload KeyLogs'
|
||||
condition: and
|
|
@ -0,0 +1,32 @@
|
|||
id: malware_blackworm
|
||||
|
||||
info:
|
||||
name: Blackworm Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Brian Wallace @botnet_hunter"
|
||||
author_original_email: "bwall@ballastsecurity.net"
|
||||
date: "2015-05-20"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'm_ComputerObjectProvider'
|
||||
- 'MyWebServices'
|
||||
- 'get_ExecutablePath'
|
||||
- 'get_WebServices'
|
||||
- 'My.WebServices'
|
||||
- 'My.User'
|
||||
- 'm_UserObjectProvider'
|
||||
- 'DelegateCallback'
|
||||
- 'TargetMethod'
|
||||
- '000004b0'
|
||||
- 'Microsoft Corporation'
|
||||
condition: and
|
|
@ -0,0 +1,22 @@
|
|||
id: malware_bublik
|
||||
|
||||
info:
|
||||
name: Bublik Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Kevin Falcoz"
|
||||
date: "29/09/2013"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: binary
|
||||
binary:
|
||||
- '636F6E736F6C6173'
|
||||
- '636C556E00696E666F2E696E69'
|
||||
condition: and
|
|
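Review bot: `date: "29/09/2013"` introduces a third date format into the commit (others here are `"2015/02/10"` in Dexter, `"20/08/2013"` in Grozlex, `"4Jun13"` in Notepad, `"2013/09"` in OSX Leverage), while most templates use ISO `YYYY-MM-DD`. Normalise to `"2013-09-29"` and the same for the others so the metadata can be sorted and filtered.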
@ -0,0 +1,25 @@
|
|||
id: malware_cxpid
|
||||
|
||||
info:
|
||||
name: Cxpid Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word #cxpidStrings
|
||||
words:
|
||||
- '/cxpid/submit.php?SessionID='
|
||||
- '/cxgid/'
|
||||
- 'E21BC52BEA2FEF26D005CF'
|
||||
- 'E21BC52BEA39E435C40CD8'
|
||||
- ' -,L-,O+,Q-,R-,Y-,S-'
|
||||
|
||||
- type: binary #cxpidCode
|
||||
binary:
|
||||
- "558BECB9380400006A006A004975F9"
|
|
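Review bot: the word matcher has no `condition:` line, so nuclei's default applies and any one of the five strings is a hit; `'/cxgid/'` on its own is a weak indicator. If any-of is the intent, write `condition: or` explicitly as the other templates in this commit do, so the behaviour is visible rather than relying on the default; if all-of was meant, `condition: and` is required.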
@ -0,0 +1,21 @@
|
|||
id: malware_cythosia
|
||||
|
||||
info:
|
||||
name: Cythosia Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Brian Wallace @botnet_hunter"
|
||||
author_original_email: "bwall@ballastsecurity.net"
|
||||
date: "2015-03-21"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'HarvesterSocksBot.Properties.Resources'
|
|
@ -0,0 +1,29 @@
|
|||
id: malware_ddostf
|
||||
|
||||
info:
|
||||
name: DDoSTf Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "benkow_ - MalwareMustDie"
|
||||
reference: http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'ddos.tf'
|
||||
- 'Accept-Language: zh'
|
||||
- '%d Kb/bps|%d%%'
|
||||
condition: and
|
||||
|
||||
- type: binary
|
||||
binary:
|
||||
- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00' #TCP_KEEPINTVL
|
||||
- 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00' #TCP_KEEPCNT
|
||||
condition: and
|
|
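Review bot: `reference:` is nested under `metadata` here (and in the Derkziel and Dexter templates), whereas FUDCrypt and Glasses put it directly under `info`. `info.reference` is the key nuclei recognises and shows in output; move the URL there for consistency so all templates expose their source the same way.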
@ -0,0 +1,26 @@
|
|||
id: malware_derkziel
|
||||
|
||||
info:
|
||||
name: Derkziel Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "The Malware Hunter"
|
||||
date: "2015-11"
|
||||
reference: https://bhf.su/threads/137898/
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '{!}DRZ{!}'
|
||||
- 'User-Agent: Uploador'
|
||||
- 'SteamAppData.vdf'
|
||||
- 'loginusers.vdf'
|
||||
- 'config.vdf'
|
||||
condition: and
|
|
@ -0,0 +1,25 @@
|
|||
id: malware_dexter
|
||||
|
||||
info:
|
||||
name: Dexter Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Florian Roth"
|
||||
date: "2015/02/10"
|
||||
reference: http://goo.gl/oBvy8b
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'Java Security Plugin'
|
||||
- '%s\\%s\\%s.exe'
|
||||
- 'Sun Java Security Plugin'
|
||||
- '\\Internet Explorer\\iexplore.exe'
|
||||
condition: and
|
|
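Review bot: `'%s\\%s\\%s.exe'` and `'\\Internet Explorer\\iexplore.exe'` are single-quoted, so YAML leaves the doubled backslashes in place and the matcher requires two backslashes where the YARA original has one; combined with `condition: and` this template cannot match. Switch these two entries to double quotes so `\\` decodes to a single backslash.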
@ -0,0 +1,27 @@
|
|||
id: malware_diamondfox
|
||||
|
||||
info:
|
||||
name: DiamondFox Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Brian Wallace @botnet_hunter"
|
||||
author_original_email: "bwall@ballastsecurity.net"
|
||||
date: "2015-08-22"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'UPDATE_B'
|
||||
- 'UNISTALL_B'
|
||||
- 'S_PROTECT'
|
||||
- 'P_WALLET'
|
||||
- 'GR_COMMAND'
|
||||
- 'FTPUPLOAD'
|
||||
condition: and
|
|
@ -0,0 +1,19 @@
|
|||
id: malware_eicar
|
||||
|
||||
info:
|
||||
name: Eicar Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Marc Rivero | @seifreed"
|
||||
hash: "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
|
|
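Review bot: `severity: critical` is wrong for the EICAR test string: it is a harmless test file, and a critical finding for it will train people to ignore the rest of the repo's alerts; `info` fits. Otherwise this template is the one in the commit that quotes a backslash correctly (`"...[4\\PZX54..."` in double quotes decodes to one backslash), and it doubles as a quick end-to-end smoke test for the file protocol setup.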
@ -0,0 +1,23 @@
|
|||
id: malware_ezcob
|
||||
|
||||
info:
|
||||
name: Ezcob Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Seth Hardy"
|
||||
date: "2014-06-23"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12'
|
||||
- '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12'
|
||||
- 'Ezcob'
|
||||
- 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126'
|
||||
- '20110113144935'
|
|
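Review bot: the `\x12` sequences are inside single-quoted scalars, so YAML keeps them as the literal four characters `\`, `x`, `1`, `2` and the matcher searches for text that never occurs in the binary; in the YARA original `\x12` is the byte 0x12. Either double-quote the entries so YAML decodes `\x12` to that byte, or, clearer for non-printable data, move them to a `type: binary` matcher, e.g. the first entry becomes `12461246123912451241124512421241122D123712371238123312`. The `'l\x12i\x12u...'` entry has the same problem.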
@ -0,0 +1,31 @@
|
|||
id: malware_fudcrypt
|
||||
|
||||
info:
|
||||
name: FUDCrypt Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference: https://github.com/gigajew/FudCrypt/
|
||||
metadata:
|
||||
author_original: "https://github.com/hwvs"
|
||||
date: "2019-11-21"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'OcYjzPUtJkNbLOABqYvNbvhZf'
|
||||
- 'gwiXxyIDDtoYzgMSRGMckRbJi'
|
||||
- 'BclWgISTcaGjnwrzSCIuKruKm'
|
||||
- 'CJyUSiUNrIVbgksjxpAMUkAJJ'
|
||||
- 'fAMVdoPUEyHEWdxQIEJPRYbEN'
|
||||
- 'CIGQUctdcUPqUjoucmcoffECY'
|
||||
- 'wcZfHOgetgAExzSoWFJFQdAyO'
|
||||
- 'DqYKDnIoLeZDWYlQWoxZnpfPR'
|
||||
- 'MkhMoOHCbGUMqtnRDJKnBYnOj'
|
||||
- 'sHEqLMGglkBAOIUfcSAgMvZfs'
|
||||
- 'JtZApJhbFAIFxzHLjjyEQvtgd'
|
||||
- 'IIQrSWZEMmoQIKGuxxwoTwXka'
|
|
@ -0,0 +1,26 @@
|
|||
id: malware_gafgyt_bash
|
||||
|
||||
info:
|
||||
name: Gafgyt Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Joan Soriano / @joanbtl"
|
||||
date: "2017-05-25"
|
||||
MD5: "c8d58acfe524a09d4df7ffbe4a43c429"
|
||||
SHA1: "b41fefa8470f3b3657594af18d2ea4f6ac4d567f"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'PONG!'
|
||||
- 'GETLOCALIP'
|
||||
- 'HTTPFLOOD'
|
||||
- 'LUCKYLILDUDE'
|
||||
condition: and
|
|
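Review bot: all five Gafgyt templates in this commit carry the identical `name: Gafgyt Malware Detector`, so a scan result does not say which variant fired; the `id` differs (`malware_gafgyt_bash`, `_generic`, `_hihi`, `_hoho`, `_jackmy`, `_oh`) but the name is what shows in output. Put the variant in the name, e.g. `Gafgyt Malware Detector (bash variant)`.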
@ -0,0 +1,26 @@
|
|||
id: malware_gafgyt_generic
|
||||
|
||||
info:
|
||||
name: Gafgyt Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Joan Soriano / @joanbtl"
|
||||
date: "2017-05-01"
|
||||
MD5: "e3fac853203c3f1692af0101eaad87f1"
|
||||
SHA1: "710781e62d49419a3a73624f4a914b2ad1684c6a"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "/bin/busybox;echo -e 'gayfgt'"
|
||||
- '/proc/net/route'
|
||||
- 'admin'
|
||||
- 'root'
|
||||
condition: and
|
|
@ -0,0 +1,28 @@
|
|||
id: malware_gafgyt_hihi
|
||||
|
||||
info:
|
||||
name: Gafgyt Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Joan Soriano / @joanbtl"
|
||||
date: "2017-05-01"
|
||||
MD5: "cc99e8dd2067fd5702a4716164865c8a"
|
||||
SHA1: "b9b316c1cc9f7a1bf8c70400861de08d95716e49"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'PING'
|
||||
- 'PONG'
|
||||
- 'TELNET LOGIN CRACKED - %s:%s:%s'
|
||||
- 'ADVANCEDBOT'
|
||||
- '46.166.185.92'
|
||||
- 'LOLNOGTFO'
|
||||
condition: and
|
|
@ -0,0 +1,26 @@
|
|||
id: malware_gafgyt_hoho
|
||||
|
||||
info:
|
||||
name: Gafgyt Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Joan Soriano / @joanbtl"
|
||||
date: "2017-05-25"
|
||||
MD5: "369c7c66224b343f624803d595aa1e09"
|
||||
SHA1: "54519d2c124cb536ed0ddad5683440293d90934f"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'PING'
|
||||
- 'PRIVMSG'
|
||||
- 'Remote IRC Bot'
|
||||
- '23.95.43.182'
|
||||
condition: and
|
|
@ -0,0 +1,26 @@
|
|||
id: malware_gafgyt_jackmy
|
||||
|
||||
info:
|
||||
name: Gafgyt Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Joan Soriano / @joanbtl"
|
||||
date: "2017-05-25"
|
||||
MD5: "419b8a10a3ac200e7e8a0c141b8abfba"
|
||||
SHA1: "5433a5768c5d22dabc4d133c8a1d192d525939d5"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'PING'
|
||||
- 'PONG'
|
||||
- 'jackmy'
|
||||
- '203.134.%d.%d'
|
||||
condition: and
|
|
@ -0,0 +1,26 @@
|
|||
id: malware_gafgyt_oh
|
||||
|
||||
info:
|
||||
name: Gafgyt Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Joan Soriano / @joanbtl"
|
||||
date: "2017-05-25"
|
||||
MD5: "97f5edac312de349495cb4afd119d2a5"
|
||||
SHA1: "916a51f2139f11e8be6247418dca6c41591f4557"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'busyboxterrorist'
|
||||
- 'BOGOMIPS'
|
||||
- '124.105.97.%d'
|
||||
- 'fucknet'
|
||||
condition: and
|
|
@ -0,0 +1,24 @@
|
|||
id: malware_genome
|
||||
|
||||
info:
|
||||
name: Genome Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Brian Wallace @botnet_hunter"
|
||||
author_original_email: "bwall@ballastsecurity.net"
|
||||
date: "2014-09-07"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'Attempting to create more than one keyboard::Monitor instance'
|
||||
- '{Right windows}'
|
||||
- 'Access violation - no RTTI data!'
|
||||
condition: and
|
|
@ -0,0 +1,31 @@
|
|||
id: malware_glasses
|
||||
|
||||
info:
|
||||
name: Glasses Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference: https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
|
||||
metadata:
|
||||
author_original: "Seth Hardy"
|
||||
date: "2021-11-18"
|
||||
SHA1: "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word #GlassesStrings
|
||||
words:
|
||||
- 'thequickbrownfxjmpsvalzydg'
|
||||
- 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'
|
||||
- '" target="NewRef"></a>'
|
||||
condition: and
|
||||
|
||||
- type: binary #GlassesCode
|
||||
binary:
|
||||
- "B8ABAAAAAAF7E1D1EA8D04522BC8"
|
||||
- "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA"
|
||||
condition: or
|
|
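Review bot: the `SHA1:` value is 64 hex digits, which is the length of a SHA-256 digest, not SHA-1 (40). Either the key should be `SHA256:` or the value was copied from the wrong field; check against the source and fix the label so the hash can be looked up.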
@ -0,0 +1,19 @@
|
|||
id: malware_gozi
|
||||
|
||||
info:
|
||||
name: Gozi Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference: https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
|
||||
metadata:
|
||||
author_original: "CCN-CERT"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: binary
|
||||
binary:
|
||||
- "63006F006F006B006900650073002E00730071006C006900740065002D006A006F00750072006E0061006C0000004F504552412E45584500"
|
|
@ -0,0 +1,20 @@
|
|||
id: malware_grozlex
|
||||
|
||||
info:
|
||||
name: Grozlex Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference: https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
|
||||
metadata:
|
||||
author_original: "Kevin Falcoz"
|
||||
date: "20/08/2013"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: binary
|
||||
binary:
|
||||
- "4C006F00670073002000610074007400610063006800650064002000620079002000690043006F007A0065006E"
|
|
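Review bot: the `reference` is the same CCN-CERT reports index used by the Gozi template, but this rule is attributed to Kevin Falcoz, which suggests the line was copied across rather than sourced. Replace it with the actual origin of the Grozlex rule or drop it; a reference that does not lead to the rule is worse than none.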
@ -0,0 +1,29 @@
|
|||
id: malware_insta11
|
||||
|
||||
info:
|
||||
name: Insta11 Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Seth Hardy"
|
||||
date: "2014-06-23"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'XTALKER7'
|
||||
- 'Insta11 Microsoft'
|
||||
- 'wudMessage'
|
||||
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
|
||||
- 'B12AE898-D056-4378-A844-6D393FE37956'
|
||||
condition: or
|
||||
|
||||
- type: binary
|
||||
binary:
|
||||
- 'E9000000006823040000'
|
|
@ -0,0 +1,31 @@
|
|||
id: malware_intel_virtualization
|
||||
|
||||
info:
|
||||
name: Intel Virtualization Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Seth Hardy"
|
||||
date: "2014-06-23"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: binary
|
||||
binary:
|
||||
- '4C6F6164535452494E47'
|
||||
- '496E697469616C697A654B6579486F6F6B'
|
||||
- '46696E645265736F7572636573'
|
||||
- '4C6F6164535452494E4746726F6D484B4355'
|
||||
- '6863637574696C732E444C4C'
|
||||
condition: and
|
||||
|
||||
- type: binary # Dynamic dll (malicious)
|
||||
binary:
|
||||
- '483A5C466173745C506C756728686B636D64295C'
|
||||
- '646C6C5C52656C656173655C48696A61636B446C6C2E706462'
|
||||
condition: and
|
|
@ -0,0 +1,29 @@
|
|||
id: malware_iotreaper
|
||||
|
||||
info:
|
||||
name: IotReaper Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Seth Hardy"
|
||||
date: "2014-06-23"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'XTALKER7'
|
||||
- 'Insta11 Microsoft'
|
||||
- 'wudMessage'
|
||||
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
|
||||
- 'B12AE898-D056-4378-A844-6D393FE37956'
|
||||
condition: or
|
||||
|
||||
- type: binary
|
||||
binary:
|
||||
- 'E9000000006823040000'
|
|
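Review bot: this template is a byte-for-byte copy of `malware_insta11` with only `id` and `name` changed: the words (`'XTALKER7'`, `'Insta11 Microsoft'`, `'wudMessage'`, both CLSIDs) and the binary `'E9000000006823040000'` are Insta11 indicators, so a hit is reported as IotReaper when it is Insta11, and real IotReaper samples are never matched. Replace the matchers with the IotReaper rule's strings or remove the file until that is done.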
@ -0,0 +1,29 @@
|
|||
id: malware_macgyver
|
||||
|
||||
info:
|
||||
name: MacGyver.cap Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference: https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
|
||||
metadata:
|
||||
author_original: "xylitol@temari.fr"
|
||||
date: "2021-05-11"
|
||||
hash1: "9dc70002e82c78ee34c813597925c6cf8aa8d68b7e9ce5bcc70ea9bcab9dbf4a"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "src/MacGyver/javacard/Header.cap"
|
||||
- "src/MacGyver/javacard/Directory.cap"
|
||||
- "src/MacGyver/javacard/Applet.cap"
|
||||
- "src/MacGyver/javacard/Import.cap"
|
||||
- "src/MacGyver/javacard/ConstantPool.cap"
|
||||
- "src/MacGyver/javacard/Class.cap"
|
||||
- "src/MacGyver/javacard/Method.cap"
|
||||
condition: and
|
|
@ -0,0 +1,35 @@
|
|||
id: malware_macgyver_installer
|
||||
|
||||
info:
|
||||
name: MacGyver.cap Installer Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference: https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
|
||||
metadata:
|
||||
author_original: "xylitol@temari.fr"
|
||||
date: "2021-05-11"
|
||||
hash1: "bb828eb0bbebabbcb51f490f4a0c08dd798b1f350dddddb6c00abcb6f750069f"
|
||||
hash2: "04f0c9904675c7cf80ff1962bec5ef465ccf8c29e668f3158ec262414a6cc6eb"
|
||||
hash3: "7335cd56a9ac08c200cca7e25b939e9c4ffa4d508207e68bee01904bf20a6528"
|
||||
hash4: "af542ccb415647dbd80df902858a3d150a85f37992a35f29999eed76ac01a12b"
|
||||
hash5: "247484124f4879bfacaae73ea32267e2c1e89773986df70a5f3456b1fb944c58"
|
||||
hash6: "1cc8a2f3ce12f4b8356bda8b4aaf61d510d1078112af1c14cf4583090e062fbe"
|
||||
hash7: "c23411deeec790e2dba37f4c49c7ecac3c867b7012431c9281ed748519eda65c"
|
||||
hash8: "c0d11ed2eed0fef8d2f53920a1e12f667e03eafdb2d2941473d120e9e6f0e657"
|
||||
hash9: "1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08"
|
||||
hash10: "87678c6dcf0065ffc487a284b9f79bd8c0815c5c621fc92f83df24393bfcc660"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "delete -AID 315041592e5359532e4444463031"
|
||||
- "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4"
|
||||
- "-mac_key 404142434445464748494a4b4c4d4e4f"
|
||||
- "-enc_key 404142434445464748494a4b4c4d4e4f"
|
||||
condition: and
|
|
@ -0,0 +1,29 @@
|
|||
id: malware_madness
|
||||
|
||||
info:
|
||||
name: Madness DDOS Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference: https://github.com/arbor/yara/blob/master/madness.yara
|
||||
metadata:
|
||||
author_original: "Jason Jones <jasonjones@arbor.net>"
|
||||
date: "2014-01-15"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
|
||||
- "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
|
||||
- "document.cookie="
|
||||
- "[\"cookie\",\""
|
||||
- "\"realauth="
|
||||
- "\"location\"];"
|
||||
- "d3Rm"
|
||||
- "ZXhl"
|
||||
condition: and
|
|
@ -0,0 +1,19 @@
|
|||
id: malware_miner
|
||||
|
||||
info:
|
||||
name: Miner Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Akamai CSIRT"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "stratum+tcp"
|
||||
- "stratum+udp"
|
|
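Review bot: `"stratum+tcp"` / `"stratum+udp"` match any Stratum mining client, including legitimately installed miners and their config files, so `severity: critical` and the unqualified name `Miner Malware Detector` will generate noisy findings on hosts that mine on purpose. Lower the severity (or tag it as an indicator of mining software rather than malware) and consider requiring a second, more specific string with `condition: and`.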
@ -0,0 +1,21 @@
|
|||
id: malware_notepad
|
||||
|
||||
info:
|
||||
name: Notepad v1.1 Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "RSA_IR"
|
||||
date: "4Jun13"
|
||||
MD5: "106E63DBDA3A76BEEB53A8BBD8F98927"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "75BAA77C842BE168B0F66C42C7885997"
|
||||
- "B523F63566F407F3834BCC54AAA32524"
|
|
@ -0,0 +1,27 @@
|
|||
id: malware_olyx
|
||||
|
||||
info:
|
||||
name: Olyx Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Seth Hardy"
|
||||
date: "2014-06-19"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "/Applications/Automator.app/Contents/MacOS/DockLight"
|
||||
condition: or
|
||||
|
||||
- type: binary
|
||||
binary:
|
||||
- "C7400436363636C7400836363636"
|
||||
- "C740045C5C5C5CC740085C5C5C5C"
|
||||
condition: or
|
|
@ -0,0 +1,27 @@
|
|||
id: malware_osx_leverage
|
||||
|
||||
info:
|
||||
name: OSX Leverage Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "earada@alienvault.com"
|
||||
date: "2013/09"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
|
||||
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"
|
||||
- "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
|
||||
- "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
|
||||
- "osascript -e 'tell application \"System Events\" to get the name of every login item'"
|
||||
- "osascript -e 'tell application \"System Events\" to get the path of every login item'"
|
||||
- "serverVisible \x00"
|
||||
condition: and
|
|
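Review bot: `"serverVisible \x00"` relies on the YAML parser decoding `\x00` to a literal NUL and on the word matcher comparing raw bytes; both hold, but a reformatting tool that re-escapes strings would silently break it, and under `condition: and` that breaks the whole template. A `binary` matcher with the hex form (`73657276657256697369626C652000`) makes the intent explicit. `matchers-condition: and` with a single matcher is a no-op and can be dropped.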
@ -0,0 +1,25 @@
|
|||
id: malware_pony
|
||||
|
||||
info:
|
||||
name: Pony Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Brian Wallace @botnet_hunter"
|
||||
author_original_email: "bwall@ballastsecurity.net"
|
||||
date: "2014-08-16"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
|
||||
- "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
|
||||
- "POST %s HTTP/1.0"
|
||||
- "Accept-Encoding: identity, *;q=0"
|
||||
condition: and
|
|
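Review bot: the four strings (the GUID format string, the `YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0` marker, `POST %s HTTP/1.0`, `Accept-Encoding: identity, *;q=0`) are only visible in an unpacked Pony binary; the file protocol scans files on disk as they are and does not unpack or decrypt them, so a packed dropper will not match. That caveat applies to the whole template set and belongs in the README. `matchers-condition: and` is redundant with a single matcher.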
@ -0,0 +1,27 @@
|
|||
id: malware_pubsab
|
||||
|
||||
info:
|
||||
name: PubSab Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Seth Hardy"
|
||||
date: "2014-06-19"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "_deamon_init"
|
||||
- "com.apple.PubSabAgent"
|
||||
- "/tmp/screen.jpeg"
|
||||
condition: or
|
||||
|
||||
- type: binary
|
||||
binary:
|
||||
- "6B45E43789CA29C28955E4"
|
|
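Review bot: `/tmp/screen.jpeg` and `_deamon_init` are generic enough to appear in unrelated code, and with `condition: or` on the word matcher plus `matchers-condition: or` across matchers, either string alone produces a critical finding; either tighten the word set to `condition: and`, or keep `com.apple.PubSabAgent` as the sole word and leave the binary matcher as the alternative path.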
@ -0,0 +1,24 @@
|
|||
id: malware_pypi
|
||||
|
||||
info:
|
||||
name: Fake PyPI Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
|
||||
metadata:
|
||||
author_original: "@bartblaze"
|
||||
date: "2017-09"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "# Welcome Here! :)"
|
||||
- "# just toy, no harm :)"
|
||||
- "[0x76,0x21,0xfe,0xcc,0xee]"
|
||||
condition: and
|
|
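Review bot: the three strings are Python source comments and literals from the fake packages' setup scripts, so the template only fires on an extracted package tree (site-packages or an unpacked sdist); nuclei's file protocol does not open `.tar.gz` or `.whl` archives, so document that the scan target must be the extracted files. `reference:` works as a scalar here, but nuclei's documented form is a list.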
@ -0,0 +1,33 @@
|
|||
id: malware_t5000
|
||||
|
||||
info:
|
||||
name: T5000 Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Seth Hardy"
|
||||
date: "2014-06-26"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers:
|
||||
- type: binary
|
||||
binary:
|
||||
- "_tmpR.vbs"
|
||||
- "_tmpg.vbs"
|
||||
- "Dtl.dat"
|
||||
- "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
|
||||
- "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
|
||||
- "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
|
||||
- "43EE34A9-9063-4d2c-AACD-F5C62B849089"
|
||||
- "A8859547-C62D-4e8b-A82D-BE1479C684C9"
|
||||
- "A59CF429-D0DD-4207-88A1-04090680F714"
|
||||
- "utd_CE31"
|
||||
- "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
|
||||
- "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
|
||||
- "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
|
||||
- "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
|
||||
condition: and
|
|
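Review bot: `type: binary` expects hex-encoded byte strings, but every entry under `binary:` here is plain text (`_tmpR.vbs`, the GUIDs, the `.pdb` paths), so the entries cannot be hex-decoded and the template either fails to load or never matches; change it to `type: word` with `words:`. Also `condition: and` over all fourteen strings requires one file to carry four PDB paths from different build trees (`f:\Project\T5000\...` and `l:\MyProject\Vc 7.1\T5000\...`), which no single binary will; use `or`, or put the PDB paths in their own matcher.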
@ -0,0 +1,22 @@
|
|||
id: malware_tedroo
|
||||
|
||||
info:
|
||||
name: Tedroo Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Kevin Falcoz"
|
||||
date: "22/11/2015"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: binary
|
||||
binary:
|
||||
- "257325732E657865"
|
||||
- "5F6C6F672E747874"
|
||||
condition: and
|
|
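Review bot: the two hex patterns decode to `%s%s.exe` and `_log.txt`, ordinary ASCII found in plenty of installers and updaters; as a `word` matcher they would be readable, and `condition: and` over just these two is thin evidence for `severity: critical`. If the original rule had nothing more specific, note the expected false positives in the template.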
@ -0,0 +1,24 @@
|
|||
id: malware_treasurehunt
|
||||
|
||||
info:
|
||||
name: Trickbot Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
reference: http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed
|
||||
metadata:
|
||||
author_original: "Minerva Labs"
|
||||
date: "2016/06"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "treasureHunter.pdb"
|
||||
- "jucheck"
|
||||
- "cmdLineDecrypted"
|
||||
condition: and
|
|
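Review bot: `name: Trickbot Malware Detector` is a copy-paste error; the id is `malware_treasurehunt` and the strings (`treasureHunter.pdb`) are TreasureHunt's, so the name should say TreasureHunt. `jucheck` on its own is the Java updater's process name, but `condition: and` keeps it bounded.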
@ -0,0 +1,24 @@
|
|||
id: malware_trickbot
|
||||
|
||||
info:
|
||||
name: Trickbot Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Marc Salinas @Bondey_m"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "moduleconfig"
|
||||
- "Start"
|
||||
- "Control"
|
||||
- "FreeBuffer"
|
||||
- "Release"
|
||||
condition: and
|
|
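Review bot: `Start`, `Control`, `FreeBuffer` and `Release` are common enough that a `\Release\` PDB path or any COM-style export satisfies them, so under `condition: and` the detection effectively rests on `moduleconfig` alone; if the original rule meant these as export names, say so in a comment, since a word matcher cannot tell exports from arbitrary strings.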
@ -0,0 +1,24 @@
|
|||
id: malware_trumpbot
|
||||
|
||||
info:
|
||||
name: TrumpBot Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Joan Soriano / @joanbtl"
|
||||
date: "2017-04-16"
|
||||
MD5: "77122e0e6fcf18df9572d80c4eedd88d"
|
||||
SHA1: "108ee460d4c11ea373b7bba92086dd8023c0654f"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "trumpisdaddy"
|
||||
- "198.50.154.188"
|
||||
condition: and
|
|
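Review bot: `condition: and` ties the template to the one build that talks to `198.50.154.188`; a rebuild with a different C2 still carries `trumpisdaddy` but is missed. Consider putting the IP in a second matcher under `matchers-condition: or`, and record it as an IOC in the metadata. The uppercase `MD5` and `SHA1` keys also differ in casing from the lowercase metadata keys used elsewhere.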
@ -0,0 +1,28 @@
|
|||
id: malware_universal_1337
|
||||
|
||||
info:
|
||||
name: Universal 1337 Stealer Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Kevin Falcoz"
|
||||
date: "24/02/2013"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: binary
|
||||
binary:
|
||||
- "2A5B532D502D4C2D492D545D2A"
|
||||
- "2A5B482D452D522D455D2A"
|
||||
condition: and
|
||||
|
||||
- type: binary
|
||||
binary:
|
||||
- "4654507E"
|
||||
- "7E317E317E307E30"
|
||||
condition: and
|
|
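Review bot: all four hex patterns are printable ASCII (`*[S-P-L-I-T]*`, `*[H-E-R-E]*`, `FTP~`, `~1~1~0~0`), so `word` matchers would be self-documenting; more importantly, with `matchers-condition: or` the second pair (`FTP~` plus `~1~1~0~0`, twelve bytes in total) can fire alone, which is weak evidence for a critical finding. Either require the first pair as well or document why the second pair is specific to this stealer.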
@ -0,0 +1,25 @@
|
|||
id: malware_urausy
|
||||
|
||||
info:
|
||||
name: Urausy Skype Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "AlienVault Labs"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "skype.dat"
|
||||
- "skype.ini"
|
||||
- "CreateWindow"
|
||||
- "YIWEFHIWQ"
|
||||
- "CreateDesktop"
|
||||
- "MyDesktop"
|
||||
condition: and
|
|
@ -0,0 +1,22 @@
|
|||
id: malware_wabot
|
||||
|
||||
info:
|
||||
name: Warp Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Kevin Falcoz"
|
||||
date: "14/08/2015"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: binary
|
||||
binary:
|
||||
- "433A5C6D6172696A75616E612E747874"
|
||||
- "7349524334"
|
||||
condition: and
|
|
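Review bot: `name: Warp Malware Detector` is wrong for `id: malware_wabot`; the patterns decode to `C:\marijuana.txt` and `sIRC4`, the Wabot strings, so the name should say Wabot.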
@ -0,0 +1,27 @@
|
|||
id: malware_warp
|
||||
|
||||
info:
|
||||
name: Warp Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Seth Hardy"
|
||||
date: "2014-07-10"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word #WarpStrings
|
||||
words:
|
||||
- "/2011/n325423.shtml?"
|
||||
- "wyle"
|
||||
- "\\~ISUN32.EXE"
|
||||
condition: or
|
||||
|
||||
- type: binary #WarpCode
|
||||
binary:
|
||||
- "80382B7503C6002D80382F7503C6005F"
|
|
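Review bot: the `#WarpCode` pattern `80382B7503C6002D80382F7503C6005F` disassembles to `cmp byte [eax],'+'; jne; mov byte [eax],'-'; cmp byte [eax],'/'; jne; mov byte [eax],'_'`, the standard URL-safe base64 substitution that any 32-bit binary implementing it contains; with `matchers-condition: or` it fires alone, as does the four-letter word `wyle` under `condition: or`. Keep `/2011/n325423.shtml?` and `\~ISUN32.EXE` as the `or` set, require the code pattern only in combination, and drop or qualify `wyle`.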
@ -0,0 +1,24 @@
|
|||
id: malware_xhide
|
||||
|
||||
info:
|
||||
name: xHide Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Joan Soriano / @w0lfvan"
|
||||
date: "2017-12-01"
|
||||
MD5: "c644c04bce21dacdeb1e6c14c081e359"
|
||||
SHA256: "59f5b21ef8a570c02453b5edb0e750a42a1382f6"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'XHide - Process Faker'
|
||||
- 'Fakename: %s PidNum: %d'
|
||||
condition: and
|
|
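Review bot: `SHA256: "59f5b21ef8a570c02453b5edb0e750a42a1382f6"` is 40 hex characters, i.e. a SHA-1, not a SHA-256 (64 characters); relabel the key as `SHA1` or record the real SHA-256 so the IOC is not mis-recorded.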
@ -0,0 +1,26 @@
|
|||
id: malware_xor_ddos
|
||||
|
||||
info:
|
||||
name: XOR_DDosv1 Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Akamai CSIRT"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "BB2FA36AAA9541F0"
|
||||
- "md5="
|
||||
- "denyip="
|
||||
- "filename="
|
||||
- "rmfile="
|
||||
- "exec_packet"
|
||||
- "build_iphdr"
|
||||
condition: and
|
|
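Review bot: with `condition: and`, a hit depends on the fixed XOR key string `BB2FA36AAA9541F0`; variants built with another key still carry `exec_packet`, `build_iphdr` and the `denyip=`/`rmfile=` config tokens but will be missed. A second matcher on the function and config names alone under `matchers-condition: or` would cover them. `matchers-condition: and` with a single matcher is a no-op.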
@ -0,0 +1,28 @@
|
|||
id: malware_yayih
|
||||
|
||||
info:
|
||||
name: Glasses Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Seth Hardy"
|
||||
date: "2014-07-11"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: word #YayihStrings
|
||||
words:
|
||||
- "/bbs/info.asp"
|
||||
- "\\msinfo.exe"
|
||||
- "%s\\%srcs.pdf"
|
||||
- "\\aumLib.ini"
|
||||
condition: or
|
||||
|
||||
- type: binary #YayihCode
|
||||
binary:
|
||||
- "8004087A03C18B45FC8034081903C1413B0A7CE9"
|
|
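Review bot: `name: Glasses Malware Detector` does not match `id: malware_yayih` or the `#YayihStrings`/`#YayihCode` comments; Glasses is a different Seth Hardy rule, so the name should say Yayih.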
@ -0,0 +1,22 @@
|
|||
id: malware_zeghost
|
||||
|
||||
info:
|
||||
name: Zegost Malware Detector
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
metadata:
|
||||
author_original: "Kevin Falcoz"
|
||||
date: "10/06/2013"
|
||||
tags: malware,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- all
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: binary
|
||||
binary:
|
||||
- '392F6633304C693575624F35444E414444784738733736327471593D'
|
||||
- '00BADA2251426F6D6500'
|
||||
condition: and
|
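Review bot: `id: malware_zeghost` and `name: Zegost Malware Detector` disagree on the spelling; make the id, the name and the file name agree on one form. The second pattern `00BADA2251426F6D6500` contains non-printable bytes, so `binary` is the right matcher type here, unlike several earlier templates in this commit that hex-encode plain ASCII.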