feat: added 51 nuclei templates

main
Muhammad Daffa 2023-02-15 21:39:31 +07:00
parent 95c62fdc8f
commit 46e7b13d6a
52 changed files with 1489 additions and 2 deletions

README.md

@ -1,2 +1,177 @@
# nuclei-malware
Template to detect some malware
# Nuclei Malware
Template to detect some malware using nuclei
## Status
I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not
| Malware Yara Rules | Status |
| --- | --- |
| MALW_ATMPot | 🟥 Impossible |
| MALW_ATM_HelloWorld | 🟥 Impossible |
| MALW_AZORULT | 🟥 Impossible |
| MALW_AgentTesla | 🟨 Still possible but requires a lot of effort |
| MALW_AgentTesla_SMTP | 🟨 Still possible but requires a lot of effort |
| MALW_AlMashreq | 🟨 Still possible but requires a lot of effort |
| MALW_Alina | 🟩 Possible |
| MALW_Andromeda | 🟩 Possible |
| MALW_Arkei | 🟩 Possible |
| MALW_Athena | 🟨 Still possible but requires a lot of effort |
| MALW_Atmos | 🟥 Impossible |
| MALW_BackdoorSSH | 🟥 Impossible |
| MALW_Backoff | 🟩 Possible |
| MALW_Bangat | 🟥 Impossible |
| MALW_Batel | 🟥 Impossible |
| MALW_BlackRev | 🟨 Still possible but requires a lot of effort |
| MALW_BlackWorm | 🟩 Possible |
| MALW_Boouset | 🟥 Impossible |
| MALW_Bublik | 🟩 Possible |
| MALW_Buzus_Softpulse | 🟥 Impossible |
| MALW_CAP_HookExKeylogger | 🟨 Still possible but requires a lot of effort |
| MALW_Chicken | 🟨 Still possible but requires a lot of effort |
| MALW_Citadel | 🟥 Impossible |
| MALW_Cloaking | 🟥 Impossible |
| MALW_Cookies | 🟨 Still possible but requires a lot of effort |
| MALW_Corkow | 🟥 Impossible |
| MALW_Cxpid | 🟩 Possible |
| MALW_Cythosia | 🟩 Possible |
| MALW_DDoSTf | 🟩 Possible |
| MALW_Derkziel | 🟩 Possible |
| MALW_Dexter | 🟩 Possible |
| MALW_DiamondFox | 🟩 Possible |
| MALW_DirtJumper | 🟨 Still possible but requires a lot of effort |
| MALW_Eicar | 🟩 Possible |
| MALW_Elex | 🟥 Impossible |
| MALW_Elknot | 🟥 Impossible |
| MALW_Emotet | 🟥 Impossible |
| MALW_Empire | 🟥 Impossible |
| MALW_Enfal | 🟥 Impossible |
| MALW_Exploit_UAC_Elevators | 🟥 Impossible |
| MALW_Ezcob | 🟩 Possible |
| MALW_F0xy | 🟥 Impossible |
| MALW_FALLCHILL | 🟥 Impossible |
| MALW_FUDCrypt | 🟩 Possible |
| MALW_FakeM | 🟥 Impossible |
| MALW_Fareit | 🟥 Impossible |
| MALW_Favorite | 🟥 Impossible |
| MALW_Furtim | 🟥 Impossible |
| MALW_Gafgyt | 🟩 Possible |
| MALW_Genome | 🟩 Possible |
| MALW_Glasses | 🟩 Possible |
| MALW_Gozi | 🟩 Possible |
| MALW_Grozlex | 🟩 Possible |
| MALW_Hajime | 🟥 Impossible |
| MALW_Hsdfihdf_banking | 🟨 Still possible but requires a lot of effort |
| MALW_Httpsd_ELF | 🟥 Impossible |
| MALW_IMuler | 🟥 Impossible |
| MALW_IcedID | 🟥 Impossible |
| MALW_Iexpl0ree | 🟥 Impossible |
| MALW_Install11 | 🟩 Possible |
| MALW_Intel_Virtualization | 🟩 Possible |
| MALW_IotReaper | 🟩 Possible |
| MALW_Jolob_Backdoor | 🟩 Possible |
| MALW_KINS | 🟨 Still possible but requires a lot of effort |
| MALW_Kelihos | 🟩 Possible |
| MALW_KeyBase | 🟥 Impossible |
| MALW_Korlia | 🟥 Impossible |
| MALW_Korplug | 🟥 Impossible |
| MALW_Kovter | 🟩 Possible |
| MALW_Kraken | 🟥 Impossible |
| MALW_Kwampirs | 🟩 Possible |
| MALW_LURK0 | 🟥 Impossible |
| MALW_Lateral_Movement | 🟩 Possible |
| MALW_Lenovo_Superfish | 🟥 Impossible |
| MALW_LinuxBew | 🟩 Possible |
| MALW_LinuxHelios | 🟩 Possible |
| MALW_LinuxMoose | 🟥 Impossible |
| MALW_LostDoor | 🟩 Possible |
| MALW_LuaBot | 🟩 Possible |
| MALW_LuckyCat | 🟥 Impossible |
| MALW_MSILStealer | 🟩 Possible |
| MALW_MacControl | 🟥 Impossible |
| MALW_MacGyver | 🟩 Possible |
| MALW_Madness | 🟩 Possible |
| MALW_Magento_backend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_frontend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_suspicious | 🟥 Impossible |
| MALW_Mailers | 🟥 Impossible |
| MALW_MedusaHTTP_2019 | 🟨 Still possible but requires a lot of effort |
| MALW_Miancha | 🟥 Impossible |
| MALW_MiniAsp3_mem | 🟨 Still possible but requires a lot of effort |
| MALW_Mirai | 🟥 Impossible |
| MALW_Mirai_Okiru_ELF | 🟥 Impossible |
| MALW_Mirai_Satori_ELF | 🟥 Impossible |
| MALW_Miscelanea | 🟥 Impossible |
| MALW_Miscelanea_Linux | 🟨 Still possible but requires a lot of effort |
| MALW_Monero_Miner_installer | 🟩 Possible |
| MALW_NSFree | 🟩 Possible |
| MALW_Naikon | 🟨 Still possible but requires a lot of effort |
| MALW_Naspyupdate | 🟨 Still possible but requires a lot of effort |
| MALW_NetTraveler | 🟨 Still possible but requires a lot of effort |
| MALW_NionSpy | 🟥 Impossible |
| MALW_Notepad | 🟩 Possible |
| MALW_OSX_Leverage | 🟩 Possible |
| MALW_Odinaff | 🟥 Impossible |
| MALW_Olyx | 🟩 Possible |
| MALW_PE_sections | 🟥 Impossible |
| MALW_PittyTiger | 🟨 Still possible but requires a lot of effort |
| MALW_PolishBankRat | 🟥 Impossible |
| MALW_Ponmocup | 🟥 Impossible |
| MALW_Pony | 🟩 Possible |
| MALW_Predator | 🟥 Impossible |
| MALW_PubSab | 🟩 Possible |
| MALW_PurpleWave | 🟥 Impossible |
| MALW_PyPI | 🟩 Possible |
| MALW_Pyinstaller | 🟥 Impossible |
| MALW_Pyinstaller_OSX | 🟩 Possible |
| MALW_Quarian | 🟥 Impossible |
| MALW_Rebirth_Vulcan_ELF | 🟥 Impossible |
| MALW_Regsubdat | 🟥 Impossible |
| MALW_Rockloader | 🟥 Impossible |
| MALW_Rooter | 🟥 Impossible |
| MALW_Rovnix | 🟥 Impossible |
| MALW_Safenet | 🟩 Possible |
| MALW_Sakurel | 🟩 Possible |
| MALW_Sayad | 🟩 Possible |
| MALW_Scarhikn | 🟥 Impossible |
| MALW_Sendsafe | 🟨 Still possible but requires a lot of effort |
| MALW_Shamoon | 🟥 Impossible |
| MALW_Shifu | 🟥 Impossible |
| MALW_Skeleton | 🟥 Impossible |
| MALW_Spora | 🟩 Possible |
| MALW_Sqlite | 🟩 Possible |
| MALW_Stealer | 🟩 Possible |
| MALW_Surtr | 🟥 Impossible |
| MALW_T5000 | 🟩 Possible |
| MALW_TRITON_HATMAN | 🟥 Impossible |
| MALW_TRITON_ICS_FRAMEWORK | 🟥 Impossible |
| MALW_Tedroo | 🟩 Possible |
| MALW_Tinba | 🟥 Impossible |
| MALW_TinyShell_Backdoor_gen | 🟥 Impossible |
| MALW_Torte_ELF | 🟥 Impossible |
| MALW_TreasureHunt | 🟩 Possible |
| MALW_TrickBot | 🟩 Possible |
| MALW_Trumpbot | 🟩 Possible |
| MALW_Upatre | 🟥 Impossible |
| MALW_Urausy | 🟩 Possible |
| MALW_Vidgrab | 🟥 Impossible |
| MALW_Virut_FileInfector_UNK_VERSION | 🟥 Impossible |
| MALW_Volgmer | 🟥 Impossible |
| MALW_Wabot | 🟩 Possible |
| MALW_Warp | 🟩 Possible |
| MALW_Wimmie | 🟥 Impossible |
| MALW_XHide | 🟩 Possible |
| MALW_XMRIG_Miner | 🟩 Possible |
| MALW_XOR_DDos | 🟩 Possible |
| MALW_Yayih | 🟩 Possible |
| MALW_Yordanyan_ActiveAgent | 🟨 Still possible but requires a lot of effort |
| MALW_Zegost | 🟩 Possible |
| MALW_Zeus | 🟥 Impossible |
| MALW_adwind_RAT | 🟥 Impossible |
| MALW_hancitor | 🟨 Still possible but requires a lot of effort |
| MALW_kirbi_mimikatz | 🟥 Impossible |
| MALW_kpot | 🟨 Still possible but requires a lot of effort |
| MALW_marap | 🟨 Still possible but requires a lot of effort |
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
| MALW_viotto_keylogger | 🟥 Impossible |
| MALW_xDedic_marketplace | 🟥 Impossible |
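Review bot: the Status section never says what decides 🟩 / 🟨 / 🟥, so a reader cannot tell why MALW_Mirai is Impossible while MALW_Gafgyt is Possible. Add a one-line legend under the table stating the criteria (which YARA constructs the nuclei `file` protocol cannot express, and what "a lot of effort" means in practice) so contributors can classify new rules the same way.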

malware_alina.yaml Normal file

@ -0,0 +1,24 @@
id: malware_alina
info:
name: Alina Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Brian Wallace @botnet_hunter"
author_original_email: "bwall@ballastsecurity.net"
date: "2014-08-09"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Alina v1.0'
- 'POST'
- '1[0-2])[0-9]'
condition: and
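Review bot: the third entry in `words:`, `- '1[0-2])[0-9]'`, is a regex fragment, but `type: word` matches it as a literal string, so this matcher can never hit and `condition: and` then silences the whole template. Move it into a separate `type: regex` matcher with a `regex:` list (and check the pattern is complete, the opening `(` for the group appears to be missing) or drop it and keep `Alina v1.0` + `POST` as the word matcher.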

malware_andromeda.yaml Normal file

@ -0,0 +1,25 @@
id: malware_andromeda
info:
name: Andromeda Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Brian Wallace @botnet_hunter"
author_original_email: "bwall@ballastsecurity.net"
date: "2014-03-13"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'
- type: binary
binary:
- "1C1C1D03494746"
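Review bot: the single-quoted word `'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'` keeps both backslashes literally, because YAML single-quoted scalars do not process escapes; the YARA source used double quotes, where `\\` means one backslash. As written the matcher needs two consecutive backslashes in the file and will miss the real string. Use single backslashes inside single quotes (`'hsk\ehs\dihviceh\...'`) or switch to double quotes and keep `\\`. The same problem recurs in this commit in malware_arkei (`'\\files\\'`) and malware_dexter (`'%s\\%s\\%s.exe'`, `'\\Internet Explorer\\iexplore.exe'`).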

malware_arkei.yaml Normal file

@ -0,0 +1,26 @@
id: malware_arkei
info:
name: Arkei Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Fumik0_"
date: "2014-07-10"
hash: "5632c89fe4c7c2c87b69d787bbf0a5b4cc535f1aa02699792888c60e0ef88fc5"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Arkei'
- '/server/gate'
- '/server/grubConfig'
- '\\files\\'
- 'SQLite'
condition: and

malware_backoff.yaml Normal file

@ -0,0 +1,24 @@
id: malware_backoff
info:
name: Backoff Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Brian Wallace @botnet_hunter"
author_original_email: "bwall@ballastsecurity.net"
date: "2014-08-21"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'
- '%s @ %s'
- 'Upload KeyLogs'
condition: and

malware_blackworm.yaml Normal file

@ -0,0 +1,32 @@
id: malware_blackworm
info:
name: Blackworm Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Brian Wallace @botnet_hunter"
author_original_email: "bwall@ballastsecurity.net"
date: "2015-05-20"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'm_ComputerObjectProvider'
- 'MyWebServices'
- 'get_ExecutablePath'
- 'get_WebServices'
- 'My.WebServices'
- 'My.User'
- 'm_UserObjectProvider'
- 'DelegateCallback'
- 'TargetMethod'
- '000004b0'
- 'Microsoft Corporation'
condition: and

malware_bublik.yaml Normal file

@ -0,0 +1,22 @@
id: malware_bublik
info:
name: Bublik Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Kevin Falcoz"
date: "29/09/2013"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- '636F6E736F6C6173'
- '636C556E00696E666F2E696E69'
condition: and
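Review bot: `date: "29/09/2013"` is day/month/year, while most templates in this commit use ISO `YYYY-MM-DD` and others use `4Jun13`, `2013/09`, `2015-11` or `2017-09`. Normalize every metadata `date:` to ISO 8601 so the field can be sorted and compared across the set.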

malware_cxpid.yaml Normal file

@ -0,0 +1,25 @@
id: malware_cxpid
info:
name: Cxpid Malware Detector
author: daffainfo
severity: critical
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word #cxpidStrings
words:
- '/cxpid/submit.php?SessionID='
- '/cxgid/'
- 'E21BC52BEA2FEF26D005CF'
- 'E21BC52BEA39E435C40CD8'
- ' -,L-,O+,Q-,R-,Y-,S-'
- type: binary #cxpidCode
binary:
- "558BECB9380400006A006A004975F9"
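Review bot: this template has no `metadata:` block, so unlike the others in the commit it records neither `author_original` nor a date for the rule it was ported from; add the attribution so provenance stays traceable. Also give the first matcher an explicit `condition:`: it currently falls back to nuclei's default of `or`, which is the intent under `matchers-condition: or`, but it is easy to misread next to the `condition: and` used in the other templates.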

malware_cythosia.yaml Normal file

@ -0,0 +1,21 @@
id: malware_cythosia
info:
name: Cythosia Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Brian Wallace @botnet_hunter"
author_original_email: "bwall@ballastsecurity.net"
date: "2015-03-21"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'HarvesterSocksBot.Properties.Resources'

malware_ddostf.yaml Normal file

@ -0,0 +1,29 @@
id: malware_ddostf
info:
name: DDoSTf Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "benkow_ - MalwareMustDie"
reference: http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'ddos.tf'
- 'Accept-Language: zh'
- '%d Kb/bps|%d%%'
condition: and
- type: binary
binary:
- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00' #TCP_KEEPINTVL
- 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00' #TCP_KEEPCNT
condition: and
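Review bot: `reference:` sits under `metadata:` here (and in malware_derkziel), while malware_fudcrypt, malware_glasses and malware_gozi put it directly under `info:`. `info.reference` is the field nuclei expects for references and shows in its output; move it there in both templates for consistency.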

malware_derkziel.yaml Normal file

@ -0,0 +1,26 @@
id: malware_derkziel
info:
name: Derkziel Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "The Malware Hunter"
date: "2015-11"
reference: https://bhf.su/threads/137898/
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- '{!}DRZ{!}'
- 'User-Agent: Uploador'
- 'SteamAppData.vdf'
- 'loginusers.vdf'
- 'config.vdf'
condition: and

malware_dexter.yaml Normal file

@ -0,0 +1,25 @@
id: malware_dexter
info:
name: Dexter Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Florian Roth"
date: "2015/02/10"
reference: http://goo.gl/oBvy8b
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Java Security Plugin'
- '%s\\%s\\%s.exe'
- 'Sun Java Security Plugin'
- '\\Internet Explorer\\iexplore.exe'
condition: and

malware_diamondfox.yaml Normal file

@ -0,0 +1,27 @@
id: malware_diamondfox
info:
name: DiamondFox Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Brian Wallace @botnet_hunter"
author_original_email: "bwall@ballastsecurity.net"
date: "2015-08-22"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'UPDATE_B'
- 'UNISTALL_B'
- 'S_PROTECT'
- 'P_WALLET'
- 'GR_COMMAND'
- 'FTPUPLOAD'
condition: and

malware_eicar.yaml Normal file

@ -0,0 +1,19 @@
id: malware_eicar
info:
name: Eicar Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Marc Rivero | @seifreed"
hash: "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
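Review bot: `severity: critical` is wrong for EICAR: the matched string is the standard anti-virus test file, harmless by design, so a hit means a test artifact was left behind, not an infection. Set `severity: info` (or `low`) so the template does not page anyone, and consider a tag that separates it from the real malware templates in reports.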

malware_ezcob.yaml Normal file

@ -0,0 +1,23 @@
id: malware_ezcob
info:
name: Ezcob Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Seth Hardy"
date: "2014-06-23"
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12'
- '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12'
- 'Ezcob'
- 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126'
- '20110113144935'
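Review bot: the `\x12` sequences in the single-quoted words (`'\x12F\x12F\x129...'`, `'l\x12i\x12u...'`) stay as the literal four characters `\`, `x`, `1`, `2`; YAML does not expand `\x` escapes inside single quotes. The YARA rule this was ported from meant byte 0x12 between each character. Either double-quote the strings (YAML processes `\x12` in double quotes) or express them as a `type: binary` matcher with the hex bytes (`12461246123912451241...`).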

malware_fudcrypt.yaml Normal file

@ -0,0 +1,31 @@
id: malware_fudcrypt
info:
name: FUDCrypt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/gigajew/FudCrypt/
metadata:
author_original: "https://github.com/hwvs"
date: "2019-11-21"
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- 'OcYjzPUtJkNbLOABqYvNbvhZf'
- 'gwiXxyIDDtoYzgMSRGMckRbJi'
- 'BclWgISTcaGjnwrzSCIuKruKm'
- 'CJyUSiUNrIVbgksjxpAMUkAJJ'
- 'fAMVdoPUEyHEWdxQIEJPRYbEN'
- 'CIGQUctdcUPqUjoucmcoffECY'
- 'wcZfHOgetgAExzSoWFJFQdAyO'
- 'DqYKDnIoLeZDWYlQWoxZnpfPR'
- 'MkhMoOHCbGUMqtnRDJKnBYnOj'
- 'sHEqLMGglkBAOIUfcSAgMvZfs'
- 'JtZApJhbFAIFxzHLjjyEQvtgd'
- 'IIQrSWZEMmoQIKGuxxwoTwXka'

malware_gafgyt_bash.yaml Normal file

@ -0,0 +1,26 @@
id: malware_gafgyt_bash
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Joan Soriano / @joanbtl"
date: "2017-05-25"
MD5: "c8d58acfe524a09d4df7ffbe4a43c429"
SHA1: "b41fefa8470f3b3657594af18d2ea4f6ac4d567f"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PONG!'
- 'GETLOCALIP'
- 'HTTPFLOOD'
- 'LUCKYLILDUDE'
condition: and


@ -0,0 +1,26 @@
id: malware_gafgyt_generic
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Joan Soriano / @joanbtl"
date: "2017-05-01"
MD5: "e3fac853203c3f1692af0101eaad87f1"
SHA1: "710781e62d49419a3a73624f4a914b2ad1684c6a"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "/bin/busybox;echo -e 'gayfgt'"
- '/proc/net/route'
- 'admin'
- 'root'
condition: and

malware_gafgyt_hihi.yaml Normal file

@ -0,0 +1,28 @@
id: malware_gafgyt_hihi
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Joan Soriano / @joanbtl"
date: "2017-05-01"
MD5: "cc99e8dd2067fd5702a4716164865c8a"
SHA1: "b9b316c1cc9f7a1bf8c70400861de08d95716e49"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PING'
- 'PONG'
- 'TELNET LOGIN CRACKED - %s:%s:%s'
- 'ADVANCEDBOT'
- '46.166.185.92'
- 'LOLNOGTFO'
condition: and

malware_gafgyt_hoho.yaml Normal file

@ -0,0 +1,26 @@
id: malware_gafgyt_hoho
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Joan Soriano / @joanbtl"
date: "2017-05-25"
MD5: "369c7c66224b343f624803d595aa1e09"
SHA1: "54519d2c124cb536ed0ddad5683440293d90934f"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PING'
- 'PRIVMSG'
- 'Remote IRC Bot'
- '23.95.43.182'
condition: and


@ -0,0 +1,26 @@
id: malware_gafgyt_jackmy
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Joan Soriano / @joanbtl"
date: "2017-05-25"
MD5: "419b8a10a3ac200e7e8a0c141b8abfba"
SHA1: "5433a5768c5d22dabc4d133c8a1d192d525939d5"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PING'
- 'PONG'
- 'jackmy'
- '203.134.%d.%d'
condition: and

malware_gafgyt_oh.yaml Normal file

@ -0,0 +1,26 @@
id: malware_gafgyt_oh
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Joan Soriano / @joanbtl"
date: "2017-05-25"
MD5: "97f5edac312de349495cb4afd119d2a5"
SHA1: "916a51f2139f11e8be6247418dca6c41591f4557"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'busyboxterrorist'
- 'BOGOMIPS'
- '124.105.97.%d'
- 'fucknet'
condition: and

malware_genome.yaml Normal file

@ -0,0 +1,24 @@
id: malware_genome
info:
name: Genome Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Brian Wallace @botnet_hunter"
author_original_email: "bwall@ballastsecurity.net"
date: "2014-09-07"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Attempting to create more than one keyboard::Monitor instance'
- '{Right windows}'
- 'Access violation - no RTTI data!'
condition: and

malware_glasses.yaml Normal file

@ -0,0 +1,31 @@
id: malware_glasses
info:
name: Glasses Malware Detector
author: daffainfo
severity: critical
reference: https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
metadata:
author_original: "Seth Hardy"
date: "2021-11-18"
SHA1: "aaf262fde1738dbf0bb50213a9624cd6705ebcaeb06c5fcaf7e9f33695d3fc33"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word #GlassesStrings
words:
- 'thequickbrownfxjmpsvalzydg'
- 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'
- '" target="NewRef"></a>'
condition: and
- type: binary #GlassesCode
binary:
- "B8ABAAAAAAF7E1D1EA8D04522BC8"
- "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA"
condition: or
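Review bot: the `SHA1:` key carries a 64-hex-digit value (`aaf262fd...95d3fc33`), which is SHA-256 length, not SHA-1 (40 digits). Rename the key to `SHA256:` or recheck which hash was copied; a mislabeled hash is worse than none when someone tries to pivot on it.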

malware_gozi.yaml Normal file

@ -0,0 +1,19 @@
id: malware_gozi
info:
name: Gozi Malware Detector
author: daffainfo
severity: critical
reference: https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
metadata:
author_original: "CCN-CERT"
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "63006F006F006B006900650073002E00730071006C006900740065002D006A006F00750072006E0061006C0000004F504552412E45584500"

malware_grozlex.yaml Normal file

@ -0,0 +1,20 @@
id: malware_grozlex
info:
name: Grozlex Malware Detector
author: daffainfo
severity: critical
reference: https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
metadata:
author_original: "Kevin Falcoz"
date: "20/08/2013"
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "4C006F00670073002000610074007400610063006800650064002000620079002000690043006F007A0065006E"
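Review bot: `reference:` is the same CCN-CERT public-reports URL used in malware_gozi, but `author_original` here is Kevin Falcoz with a 2013 date, so the link looks carried over from the gozi template rather than being the source of this rule. Point to the actual origin of the Grozlex rule or drop the field; the `date: "20/08/2013"` format should also be ISO like the rest of the set.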

malware_insta11.yaml Normal file

@ -0,0 +1,29 @@
id: malware_insta11
info:
name: Insta11 Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Seth Hardy"
date: "2014-06-23"
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
- 'wudMessage'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
- 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary:
- 'E9000000006823040000'


@ -0,0 +1,31 @@
id: malware_intel_virtualization
info:
name: Intel Virtualization Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Seth Hardy"
date: "2014-06-23"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- '4C6F6164535452494E47'
- '496E697469616C697A654B6579486F6F6B'
- '46696E645265736F7572636573'
- '4C6F6164535452494E4746726F6D484B4355'
- '6863637574696C732E444C4C'
condition: and
- type: binary # Dynamic dll (malicious)
binary:
- '483A5C466173745C506C756728686B636D64295C'
- '646C6C5C52656C656173655C48696A61636B446C6C2E706462'
condition: and

malware_iotreaper.yaml Normal file

@ -0,0 +1,29 @@
id: malware_iotreaper
info:
name: IotReaper Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Seth Hardy"
date: "2014-06-23"
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
- 'wudMessage'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
- 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary:
- 'E9000000006823040000'
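Review bot: the matchers are a verbatim copy of malware_insta11 (same `'XTALKER7'`, `'Insta11 Microsoft'`, `'wudMessage'`, both GUIDs and the `E9000000006823040000` binary), so this file detects Insta11 a second time and IotReaper not at all. Replace the words and binary with the strings from the MALW_IotReaper rule, and fix `author_original` and `date`, which also match the insta11 template.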

malware_macgyver.yaml Normal file

@ -0,0 +1,29 @@
id: malware_macgyver
info:
name: MacGyver.cap Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
metadata:
author_original: "xylitol@temari.fr"
date: "2021-05-11"
hash1: "9dc70002e82c78ee34c813597925c6cf8aa8d68b7e9ce5bcc70ea9bcab9dbf4a"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "src/MacGyver/javacard/Header.cap"
- "src/MacGyver/javacard/Directory.cap"
- "src/MacGyver/javacard/Applet.cap"
- "src/MacGyver/javacard/Import.cap"
- "src/MacGyver/javacard/ConstantPool.cap"
- "src/MacGyver/javacard/Class.cap"
- "src/MacGyver/javacard/Method.cap"
condition: and


@ -0,0 +1,35 @@
id: malware_macgyver_installer
info:
name: MacGyver.cap Installer Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
metadata:
author_original: "xylitol@temari.fr"
date: "2021-05-11"
hash1: "bb828eb0bbebabbcb51f490f4a0c08dd798b1f350dddddb6c00abcb6f750069f"
hash2: "04f0c9904675c7cf80ff1962bec5ef465ccf8c29e668f3158ec262414a6cc6eb"
hash3: "7335cd56a9ac08c200cca7e25b939e9c4ffa4d508207e68bee01904bf20a6528"
hash4: "af542ccb415647dbd80df902858a3d150a85f37992a35f29999eed76ac01a12b"
hash5: "247484124f4879bfacaae73ea32267e2c1e89773986df70a5f3456b1fb944c58"
hash6: "1cc8a2f3ce12f4b8356bda8b4aaf61d510d1078112af1c14cf4583090e062fbe"
hash7: "c23411deeec790e2dba37f4c49c7ecac3c867b7012431c9281ed748519eda65c"
hash8: "c0d11ed2eed0fef8d2f53920a1e12f667e03eafdb2d2941473d120e9e6f0e657"
hash9: "1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08"
hash10: "87678c6dcf0065ffc487a284b9f79bd8c0815c5c621fc92f83df24393bfcc660"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "delete -AID 315041592e5359532e4444463031"
- "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4"
- "-mac_key 404142434445464748494a4b4c4d4e4f"
- "-enc_key 404142434445464748494a4b4c4d4e4f"
condition: and
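Review bot: `-mac_key 404142434445464748494a4b4c4d4e4f` and the identical `-enc_key` are the GlobalPlatform default test keys and appear in any GP install script, so they add little discrimination; `install -file MacGyver.cap ...` and the `delete -AID ...` line are what carry the detection. Keep them, but do not rely on the key lines if the matcher is later loosened from `condition: and`.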

malware_madness.yaml Normal file

@ -0,0 +1,29 @@
id: malware_madness
info:
name: Madness DDOS Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/arbor/yara/blob/master/madness.yara
metadata:
author_original: "Jason Jones <jasonjones@arbor.net>"
date: "2014-01-15"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
- "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
- "document.cookie="
- "[\"cookie\",\""
- "\"realauth="
- "\"location\"];"
- "d3Rm"
- "ZXhl"
condition: and

malware_miner.yaml Normal file

@ -0,0 +1,19 @@
id: malware_miner
info:
name: Miner Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Akamai CSIRT"
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "stratum+tcp"
- "stratum+udp"
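Review bot: `stratum+tcp` and `stratum+udp` are the URL scheme prefixes used by every stratum mining client, including legitimately installed ones, and nothing else in the template narrows the match, so `severity: critical` will raise a critical hit on any miner binary, config file or documentation. Lower the severity (info or low) and state in `name` and the tags that this is a generic crypto-miner indicator rather than a specific family.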

malware_notepad.yaml Normal file

@ -0,0 +1,21 @@
id: malware_notepad
info:
name: Notepad v1.1 Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "RSA_IR"
date: "4Jun13"
MD5: "106E63DBDA3A76BEEB53A8BBD8F98927"
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "75BAA77C842BE168B0F66C42C7885997"
- "B523F63566F407F3834BCC54AAA32524"

malware_olyx.yaml Normal file

@ -0,0 +1,27 @@
id: malware_olyx
info:
name: Olyx Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Seth Hardy"
date: "2014-06-19"
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "/Applications/Automator.app/Contents/MacOS/DockLight"
condition: or
- type: binary
binary:
- "C7400436363636C7400836363636"
- "C740045C5C5C5CC740085C5C5C5C"
condition: or

malware_osx_leverage.yaml Normal file

@ -0,0 +1,27 @@
id: malware_osx_leverage
info:
name: OSX Leverage Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "earada@alienvault.com"
date: "2013/09"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"
- "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
- "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
- "osascript -e 'tell application \"System Events\" to get the name of every login item'"
- "osascript -e 'tell application \"System Events\" to get the path of every login item'"
- "serverVisible \x00"
condition: and

malware_pony.yaml Normal file

@ -0,0 +1,25 @@
id: malware_pony
info:
name: Pony Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Brian Wallace @botnet_hunter"
author_original_email: "bwall@ballastsecurity.net"
date: "2014-08-16"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
- "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
- "POST %s HTTP/1.0"
- "Accept-Encoding: identity, *;q=0"
condition: and

malware_pubsab.yaml Normal file

@ -0,0 +1,27 @@
id: malware_pubsab
info:
name: PubSab Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Seth Hardy"
date: "2014-06-19"
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "_deamon_init"
- "com.apple.PubSabAgent"
- "/tmp/screen.jpeg"
condition: or
- type: binary
binary:
- "6B45E43789CA29C28955E4"

malware_pypi.yaml Normal file

@ -0,0 +1,24 @@
id: malware_pypi
info:
name: Fake PyPI Malware Detector
author: daffainfo
severity: critical
reference: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
metadata:
author_original: "@bartblaze"
date: "2017-09"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "# Welcome Here! :)"
- "# just toy, no harm :)"
- "[0x76,0x21,0xfe,0xcc,0xee]"
condition: and

malware_t5000.yaml Normal file

@ -0,0 +1,33 @@
id: malware_t5000
info:
name: T5000 Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Seth Hardy"
date: "2014-06-26"
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "_tmpR.vbs"
- "_tmpg.vbs"
- "Dtl.dat"
- "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
- "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
- "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
- "43EE34A9-9063-4d2c-AACD-F5C62B849089"
- "A8859547-C62D-4e8b-A82D-BE1479C684C9"
- "A59CF429-D0DD-4207-88A1-04090680F714"
- "utd_CE31"
- "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
- "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
- "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
- "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
condition: and
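Review bot: `type: binary` expects hex-encoded byte strings, but every entry under `binary:` here is plain text (`"_tmpR.vbs"`, the GUIDs, the `.pdb` paths), so nuclei cannot decode them and the matcher will not fire. Change it to `type: word` with a `words:` list. `condition: and` over all fourteen strings is also very strict for a family with several build paths listed; consider `or`, or splitting the strings into a few smaller groups.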

malware_tedroo.yaml Normal file

@ -0,0 +1,22 @@
id: malware_tedroo
info:
name: Tedroo Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Kevin Falcoz"
date: "22/11/2015"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "257325732E657865"
- "5F6C6F672E747874"
condition: and

malware_treasurehunt.yaml Normal file

@ -0,0 +1,24 @@
id: malware_treasurehunt
info:
name: Trickbot Malware Detector
author: daffainfo
severity: critical
reference: http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed
metadata:
author_original: "Minerva Labs"
date: "2016/06"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "treasureHunter.pdb"
- "jucheck"
- "cmdLineDecrypted"
condition: and
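Review bot: `name: Trickbot Malware Detector` does not match `id: malware_treasurehunt` or the `treasureHunter.pdb` string it looks for; the name was evidently copied from malware_trickbot. Rename it to `TreasureHunt Malware Detector` so results are labeled correctly.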

malware_trickbot.yaml Normal file

@ -0,0 +1,24 @@
id: malware_trickbot
info:
name: Trickbot Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Marc Salinas @Bondey_m"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "moduleconfig"
- "Start"
- "Control"
- "FreeBuffer"
- "Release"
condition: and
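Review bot: `"Start"`, `"Control"`, `"Release"`, `"FreeBuffer"` and `"moduleconfig"` are short, common identifiers (the first three occur as export names or literals in many ordinary binaries), so even with `condition: and` this template will match far more than TrickBot modules. Add a more specific TrickBot string or a binary pattern before keeping `severity: critical`; `metadata` here also lacks the `date:` the other templates carry.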

malware_trumpbot.yaml Normal file

@ -0,0 +1,24 @@
id: malware_trumpbot
info:
name: TrumpBot Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Joan Soriano / @joanbtl"
date: "2017-04-16"
MD5: "77122e0e6fcf18df9572d80c4eedd88d"
SHA1: "108ee460d4c11ea373b7bba92086dd8023c0654f"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "trumpisdaddy"
- "198.50.154.188"
condition: and


@ -0,0 +1,28 @@
id: malware_universal_1337
info:
name: Universal 1337 Stealer Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Kevin Falcoz"
date: "24/02/2013"
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "2A5B532D502D4C2D492D545D2A"
- "2A5B482D452D522D455D2A"
condition: and
- type: binary
binary:
- "4654507E"
- "7E317E317E307E30"
condition: and

malware_urausy.yaml Normal file

@ -0,0 +1,25 @@
id: malware_urausy
info:
name: Urausy Skype Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "AlienVault Labs"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "skype.dat"
- "skype.ini"
- "CreateWindow"
- "YIWEFHIWQ"
- "CreateDesktop"
- "MyDesktop"
condition: and

malware_wabot.yaml Normal file

@ -0,0 +1,22 @@
id: malware_wabot
info:
name: Warp Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Kevin Falcoz"
date: "14/08/2015"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "433A5C6D6172696A75616E612E747874"
- "7349524334"
condition: and
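Review bot: `name: Warp Malware Detector` is a copy-paste from malware_warp; the id is `malware_wabot` and the README lists this rule as MALW_Wabot. Rename it to `Wabot Malware Detector`.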

malware_warp.yaml Normal file

@ -0,0 +1,27 @@
id: malware_warp
info:
name: Warp Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Seth Hardy"
date: "2014-07-10"
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word #WarpStrings
words:
- "/2011/n325423.shtml?"
- "wyle"
- "\\~ISUN32.EXE"
condition: or
- type: binary #WarpCode
binary:
- "80382B7503C6002D80382F7503C6005F"

malware_xhide.yaml Normal file

@ -0,0 +1,24 @@
id: malware_xhide
info:
name: xHide Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Joan Soriano / @w0lfvan"
date: "2017-12-01"
MD5: "c644c04bce21dacdeb1e6c14c081e359"
SHA256: "59f5b21ef8a570c02453b5edb0e750a42a1382f6"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'XHide - Process Faker'
- 'Fakename: %s PidNum: %d'
condition: and
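Review bot: `SHA256:` holds a 40-hex-digit value (`59f5b21e...2a1382f6`), which is SHA-1 length. Rename the key to `SHA1:` to match the `MD5:` line above it, or replace the value with the real SHA-256 if that is what was intended.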

malware_xor_ddos.yaml Normal file

@ -0,0 +1,26 @@
id: malware_xor_ddos
info:
name: XOR_DDosv1 Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Akamai CSIRT"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "BB2FA36AAA9541F0"
- "md5="
- "denyip="
- "filename="
- "rmfile="
- "exec_packet"
- "build_iphdr"
condition: and

malware_yayih.yaml Normal file

@ -0,0 +1,28 @@
id: malware_yayih
info:
name: Glasses Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Seth Hardy"
date: "2014-07-11"
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word #YayihStrings
words:
- "/bbs/info.asp"
- "\\msinfo.exe"
- "%s\\%srcs.pdf"
- "\\aumLib.ini"
condition: or
- type: binary #YayihCode
binary:
- "8004087A03C18B45FC8034081903C1413B0A7CE9"
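Review bot: `name: Glasses Malware Detector` belongs to malware_glasses; this file is `id: malware_yayih` and matches Yayih strings (`/bbs/info.asp`, `\msinfo.exe`, `\aumLib.ini`). Rename it to `Yayih Malware Detector`.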

malware_zeghost.yaml Normal file

@ -0,0 +1,22 @@
id: malware_zeghost
info:
name: Zegost Malware Detector
author: daffainfo
severity: critical
metadata:
author_original: "Kevin Falcoz"
date: "10/06/2013"
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- '392F6633304C693575624F35444E414444784738733736327471593D'
- '00BADA2251426F6D6500'
condition: and
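Review bot: the id and filename say `malware_zeghost` while `name: Zegost Malware Detector` and the README row `MALW_Zegost` spell the family Zegost. Rename the file and id to `malware_zegost` so the template is found when someone searches by the family name.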