feat: added 51 templates
parent c0d0cfab82
commit 597ea580a7
README.md
@ -1,7 +1,7 @@
|
||||||
# Nuclei Malware
|
# Nuclei Malware
|
||||||
Template to detect some malware using nuclei
|
Template to detect some malware using nuclei
|
||||||
|
|
||||||
## Status
|
## Status Malware
|
||||||
I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not
|
I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not
|
||||||
|
|
||||||
| Malware Yara Rules | Status |
|
| Malware Yara Rules | Status |
|
||||||
|
@ -174,4 +174,78 @@ I took the reference from [yara rules repository](https://github.com/Yara-Rules/
|
||||||
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
|
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
|
||||||
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
|
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
|
||||||
| MALW_viotto_keylogger | 🟥 Impossible |
|
| MALW_viotto_keylogger | 🟥 Impossible |
|
||||||
| MALW_xDedic_marketplace | 🟥 Impossible |
|
| MALW_xDedic_marketplace | 🟥 Impossible |
|
||||||
|
| RANSOM_.CRYPTXXX.yar | 🟩 Possible |
|
||||||
|
| RANSOM_777.yar | 🟩 Possible |
|
||||||
|
| RANSOM_Alpha.yar | 🟩 Possible |
|
||||||
|
| RANSOM_BadRabbit.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Cerber.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
|
||||||
|
| RANSOM_Crypren.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_CryptoNar.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
|
||||||
|
| RANSOM_DMALocker.yar | 🟩 Possible |
|
||||||
|
| RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
|
||||||
|
| RANSOM_Erebus.yar | 🟩 Possible |
|
||||||
|
| RANSOM_GPGQwerty.yar | 🟩 Possible |
|
||||||
|
| RANSOM_GoldenEye.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Locky.yar | 🟩 Possible |
|
||||||
|
| RANSOM_MS17-010_Wannacrypt.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Maze.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_PetrWrap.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Petya.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Petya_MS17_010.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Pico.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Revix.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_SamSam.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Satana.yar | 🟩 Possible |
|
||||||
|
| RANSOM_Shiva.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_Sigma.yar | 🟩 Possible |
|
||||||
|
| RANSOM_Snake.yar | 🟩 Possible |
|
||||||
|
| RANSOM_Stampado.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_TeslaCrypt.yar | 🟩 Possible |
|
||||||
|
| RANSOM_Tox.yar | 🟩 Possible |
|
||||||
|
| RANSOM_acroware.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_jeff_dev.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_locdoor.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_screenlocker_5h311_1nj3c706.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_shrug2.yar | 🟥 Impossible |
|
||||||
|
| RANSOM_termite.yar | 🟥 Impossible |
|
||||||
|
| RAT_Adwind.yar | 🟥 Impossible |
|
||||||
|
| RAT_Adzok.yar | 🟩 Possible |
|
||||||
|
| RAT_Asyncrat.yar | 🟥 Impossible |
|
||||||
|
| RAT_BlackShades.yar | 🟥 Impossible |
|
||||||
|
| RAT_Bolonyokte.yar | 🟥 Impossible |
|
||||||
|
| RAT_Bozok.yar | 🟩 Possible |
|
||||||
|
| RAT_Cerberus.yar | 🟩 Possible |
|
||||||
|
| RAT_Crimson.yar | 🟩 Possible |
|
||||||
|
| RAT_CrossRAT.yar | 🟥 Impossible |
|
||||||
|
| RAT_CyberGate.yar | 🟩 Possible |
|
||||||
|
| RAT_DarkComet.yar | 🟥 Impossible |
|
||||||
|
| RAT_FlyingKitten.yar | 🟥 Impossible |
|
||||||
|
| RAT_Gh0st.yar | 🟥 Impossible |
|
||||||
|
| RAT_Gholee.yar | 🟩 Possible |
|
||||||
|
| RAT_Glass.yar | 🟩 Possible |
|
||||||
|
| RAT_Havex.yar | 🟥 Impossible |
|
||||||
|
| RAT_Hizor.yar | 🟥 Impossible |
|
||||||
|
| RAT_Indetectables.yar | 🟥 Impossible |
|
||||||
|
| RAT_Inocnation.yar | 🟥 Impossible |
|
||||||
|
| RAT_Meterpreter_Reverse_Tcp.yar | 🟥 Impossible |
|
||||||
|
| RAT_Nanocore.yar | 🟥 Impossible |
|
||||||
|
| RAT_NetwiredRC.yar | 🟥 Impossible |
|
||||||
|
| RAT_Njrat.yar | 🟥 Impossible |
|
||||||
|
| RAT_Orcus.yar | 🟥 Impossible |
|
||||||
|
| RAT_PlugX.yar | 🟥 Impossible |
|
||||||
|
| RAT_PoetRATDoc.yar | 🟩 Possible |
|
||||||
|
| RAT_PoetRATPython.yar | 🟥 Impossible |
|
||||||
|
| RAT_PoisonIvy.yar | 🟥 Impossible |
|
||||||
|
| RAT_Ratdecoders.yar | 🟩 Possible |
|
||||||
|
| RAT_Sakula.yar | 🟥 Impossible |
|
||||||
|
| RAT_ShadowTech.yar | 🟩 Possible |
|
||||||
|
| RAT_Shim.yar | 🟩 Possible |
|
||||||
|
| RAT_Terminator.yar | 🟩 Possible |
|
||||||
|
| RAT_Xtreme.yar | 🟥 Impossible |
|
||||||
|
| RAT_ZoxPNG.yar | 🟩 Possible |
|
||||||
|
| RAT_jRAT.yar | 🟩 Possible |
|
||||||
|
| RAT_xRAT.yar | 🟩 Possible |
|
||||||
|
| RAT_xRAT20.yar | 🟥 Impossible |
|
|
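Review bot: The heading change from `## Status` to `## Status Malware` reads awkwardly; `## Malware Status` (or leaving `## Status`) would match the sentence that follows it. The new rows are also inconsistent with the existing ones: `RANSOM_*.yar`, `RAT_*.yar` keep the `.yar` extension while the rows above them (`MALW_shifu_shiz`, `MALW_sitrof_fortis_scar`, ...) use the bare rule name, so either strip `.yar` from the new rows or add it to the old ones. While the intro sentence is touched in this hunk, "and in this section is about the status" could become "and this section is about the status".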
@ -0,0 +1,25 @@
|
||||||
|
id: malware_aar
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: AAR Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Hashtable"
|
||||||
|
- "get_IsDisposed"
|
||||||
|
- "TripleDES"
|
||||||
|
- "testmemory.FRMMain.resources"
|
||||||
|
- "$this.Icon"
|
||||||
|
- "{11111-22222-20001-00001}"
|
||||||
|
- "@@@@@"
|
||||||
|
condition: and
|
|
@ -0,0 +1,102 @@
|
||||||
|
id: malware_adzok
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Adzok Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "key.classPK"
|
||||||
|
- "svd$1.classPK"
|
||||||
|
- "svd$2.classPK"
|
||||||
|
- "Mensaje.classPK"
|
||||||
|
- "inic$ShutdownHook.class"
|
||||||
|
- "Uninstall.jarPK"
|
||||||
|
- "resources/icono.pngPK"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "config.xmlPK"
|
||||||
|
- "svd$1.classPK"
|
||||||
|
- "svd$2.classPK"
|
||||||
|
- "Mensaje.classPK"
|
||||||
|
- "inic$ShutdownHook.class"
|
||||||
|
- "Uninstall.jarPK"
|
||||||
|
- "resources/icono.pngPK"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "config.xmlPK"
|
||||||
|
- "key.classPK"
|
||||||
|
- "svd$1.classPK"
|
||||||
|
- "Mensaje.classPK"
|
||||||
|
- "inic$ShutdownHook.class"
|
||||||
|
- "Uninstall.jarPK"
|
||||||
|
- "resources/icono.pngPK"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "config.xmlPK"
|
||||||
|
- "key.classPK"
|
||||||
|
- "svd$2.classPK"
|
||||||
|
- "Mensaje.classPK"
|
||||||
|
- "inic$ShutdownHook.class"
|
||||||
|
- "Uninstall.jarPK"
|
||||||
|
- "resources/icono.pngPK"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "config.xmlPK"
|
||||||
|
- "key.classPK"
|
||||||
|
- "svd$1.classPK"
|
||||||
|
- "svd$2.classPK"
|
||||||
|
- "inic$ShutdownHook.class"
|
||||||
|
- "Uninstall.jarPK"
|
||||||
|
- "resources/icono.pngPK"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "config.xmlPK"
|
||||||
|
- "key.classPK"
|
||||||
|
- "svd$1.classPK"
|
||||||
|
- "svd$2.classPK"
|
||||||
|
- "Mensaje.classPK"
|
||||||
|
- "Uninstall.jarPK"
|
||||||
|
- "resources/icono.pngPK"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "config.xmlPK"
|
||||||
|
- "key.classPK"
|
||||||
|
- "svd$1.classPK"
|
||||||
|
- "svd$2.classPK"
|
||||||
|
- "Mensaje.classPK"
|
||||||
|
- "inic$ShutdownHook.class"
|
||||||
|
- "Uninstall.jarPK"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "config.xmlPK"
|
||||||
|
- "key.classPK"
|
||||||
|
- "svd$1.classPK"
|
||||||
|
- "svd$2.classPK"
|
||||||
|
- "Mensaje.classPK"
|
||||||
|
- "inic$ShutdownHook.class"
|
||||||
|
- "resources/icono.pngPK"
|
||||||
|
condition: and
|
|
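Review bot: The eight `word` matchers in `malware_adzok` need a comment explaining what they encode: each one lists seven of the eight strings and omits a different one, so OR-ing them reproduces a "7 of 8" condition that nuclei's `condition: and`/`or` cannot express directly. Without that note a later reader will see eight near-identical blocks and "deduplicate" them. A one-line YAML comment above `matchers:` such as `# 8 matchers = "7 of them" from the YARA rule, each omits one string` is enough.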
@ -0,0 +1,20 @@
|
||||||
|
id: malware_alfa
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Alfa Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "8B0C9781E1FFFF000081F919040000740F81F9"
|
||||||
|
- "220400007407423BD07CE2EB02"
|
||||||
|
condition: and
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: malware_alienspy
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: AlienSpy Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "META-INF/MANIFEST.MF"
|
||||||
|
- "ePK"
|
||||||
|
- "kPK"
|
||||||
|
- "config.ini"
|
||||||
|
- "password.ini"
|
||||||
|
- "stub/stub.dll"
|
||||||
|
- "c.dat"
|
||||||
|
condition: and
|
|
@ -0,0 +1,17 @@
|
||||||
|
id: malware_alpha
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Alpha Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "520065006100640020004D0065002000280048006F00770020004400650063"
|
|
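Review bot: `malware_alpha` and the earlier `malware_alfa` both cite `RANSOM_Alpha.yar` but carry different ids and names, which makes it unclear whether they are two rules from that file or a duplicate. The hex here is UTF-16LE for "Read Me (How Dec", i.e. the ransom-note filename, while `malware_alfa` matches code bytes, so they look like two distinct rules; either merge them into one template with `matchers-condition: or`, or name each after the YARA rule it was taken from so the relation is visible.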
@ -0,0 +1,24 @@
|
||||||
|
id: malware_ap0calypse
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Ap0calypse Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Ap0calypse"
|
||||||
|
- "Sifre"
|
||||||
|
- "MsgGoster"
|
||||||
|
- "Baslik"
|
||||||
|
- "Dosyalars"
|
||||||
|
- "Injecsiyon"
|
||||||
|
condition: and
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: malware_arcom
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Arcom Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "CVu3388fnek3W(3ij3fkp0930di"
|
||||||
|
- "ZINGAWI2"
|
||||||
|
- "clWebLightGoldenrodYellow"
|
||||||
|
- "Ancestor for '%s' not found"
|
||||||
|
- "Control-C hit"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "A3242521"
|
|
@ -0,0 +1,28 @@
|
||||||
|
id: malware_bandook
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Bandook Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "aaaaaa1|"
|
||||||
|
- "aaaaaa2|"
|
||||||
|
- "aaaaaa3|"
|
||||||
|
- "aaaaaa4|"
|
||||||
|
- "aaaaaa5|"
|
||||||
|
- "%s%d.exe"
|
||||||
|
- "astalavista"
|
||||||
|
- "givemecache"
|
||||||
|
- "%s\\system32\\drivers\\blogs\\*"
|
||||||
|
- "bndk13me"
|
||||||
|
condition: and
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: malware_blacknix
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: BlackNix Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "SETTINGS"
|
||||||
|
- "Mark Adler"
|
||||||
|
- "Random-Number-Here"
|
||||||
|
- "RemoteShell"
|
||||||
|
- "SystemInfo"
|
||||||
|
condition: and
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: malware_bluebanana
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: BlueBanana Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "META-INF"
|
||||||
|
- "config.txt"
|
||||||
|
- "a/a/a/a/f.class"
|
||||||
|
- "a/a/a/a/l.class"
|
||||||
|
- "a/a/a/b/q.class"
|
||||||
|
- "a/a/a/b/v.class"
|
||||||
|
condition: and
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: malware_bozok
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Bozok Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "getVer"
|
||||||
|
- "StartVNC"
|
||||||
|
- "SendCamList"
|
||||||
|
- "untPlugin"
|
||||||
|
- "gethostbyname"
|
||||||
|
condition: and
|
||||||
|
case-insensitive: true
|
|
@ -0,0 +1,26 @@
|
||||||
|
id: malware_cerberus
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Cerberus Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Ypmw1Syv023QZD"
|
||||||
|
- "wZ2pla"
|
||||||
|
- "wBmpf3Pb7RJe"
|
||||||
|
condition: or
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "cerberus"
|
||||||
|
case-insensitive: true
|
|
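Review bot: With `matchers-condition: or`, the second matcher in `malware_cerberus` fires on any file that contains the case-insensitive word "cerberus" on its own, which includes documentation, AV signature files and this repository's own README, and it is reported at `severity: critical`. Either require it together with one of the three opaque strings from the first matcher (move it into that matcher or switch the top-level condition to `and`), or keep it as a separate template with a lower severity.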
@ -0,0 +1,28 @@
|
||||||
|
id: malware_clientmesh
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ClientMesh Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "machinedetails"
|
||||||
|
- "MySettings"
|
||||||
|
- "sendftppasswords"
|
||||||
|
- "sendbrowserpasswords"
|
||||||
|
- "arma2keyMass"
|
||||||
|
- "keylogger"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "0000000000000000007E"
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: malware_crimson
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Crimson Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "com/crimson/PK"
|
||||||
|
- "com/crimson/bootstrapJar/PK"
|
||||||
|
- "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
|
||||||
|
- "com/crimson/universal/containers/KeyloggerLog.classPK"
|
||||||
|
- "com/crimson/universal/UploadTransfer.classPK"
|
||||||
|
condition: and
|
|
@ -0,0 +1,43 @@
|
||||||
|
id: malware_cryptxxx
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: CryptXXX Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "525947404A41595D52000000FFFFFFFF"
|
||||||
|
- "0600000052594740405A0000FFFFFFFF"
|
||||||
|
- "0A000000525C4B4D574D424B5C520000"
|
||||||
|
- "FFFFFFFF0A000000525D575D5A4B4370"
|
||||||
|
- "3F520000FFFFFFFF06000000524C4141"
|
||||||
|
- "5A520000FFFFFFFF0A000000525C4B4D"
|
||||||
|
- "41584B5C57520000FFFFFFFF0E000000"
|
||||||
|
- "522A5C4B4D574D424B204C4740520000"
|
||||||
|
- "FFFFFFFF0A000000525E4B5C48424149"
|
||||||
|
- "5D520000FFFFFFFF05000000524B4847"
|
||||||
|
- "52000000FFFFFFFF0C000000524D4140"
|
||||||
|
- "48474920435D475200000000FFFFFFFF"
|
||||||
|
- "0A000000525E5C41495C4F703F520000"
|
||||||
|
- "FFFFFFFF0A000000525E5C41495C4F70"
|
||||||
|
- "3C520000FFFFFFFF0800000052494141"
|
||||||
|
- "49424B5200000000FFFFFFFF06000000"
|
||||||
|
- "525A4B435E520000FFFFFFFF08000000"
|
||||||
|
- "52483A4C4D703F5200000000FFFFFFFF"
|
||||||
|
- "0A000000524F42425B5D4B703F520000"
|
||||||
|
- "FFFFFFFF0A000000525E5C41495C4F70"
|
||||||
|
- "3F520000FFFFFFFF0A000000525E5C41"
|
||||||
|
- "495C4F703C520000FFFFFFFF09000000"
|
||||||
|
- "524F5E5E4A4F5A4F52000000FFFFFFFF"
|
||||||
|
- "0A000000525E5C41495C4F703D520000"
|
||||||
|
- "FFFFFFFF08000000525E5B4C42474D52"
|
||||||
|
condition: and
|
|
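Review bot: `FFFFFFFF0A000000525E5C41495C4F70` is listed twice in `malware_cryptxxx` (once after `0A000000525E5C41495C4F703F520000` and again after `0A000000524F42425B5D4B703F520000`); drop the duplicate. More generally these 25 entries look like consecutive 16-byte rows of one blob split across lines, and nuclei's `binary` matcher tests each string independently, so the `and` loses adjacency and ordering. If the upstream rule matches them as one contiguous sequence, concatenate the rows into a single hex string (or a few long ones) instead.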
@ -0,0 +1,20 @@
|
||||||
|
id: malware_cryptxxx_dropper
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: CryptXXX Dropper Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: binary #Dropper
|
||||||
|
binary:
|
||||||
|
- "50653157584346765962486F35"
|
||||||
|
- "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
|
||||||
|
condition: and
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: malware_darkrat
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: DarkRAT Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "@1906dark1996coder@"
|
||||||
|
- "SHEmptyRecycleBinA"
|
||||||
|
- "mciSendStringA"
|
||||||
|
- "add_Shutdown"
|
||||||
|
- "get_SaveMySettingsOnExit"
|
||||||
|
- "get_SpecialDirectories"
|
||||||
|
- "Client.My"
|
||||||
|
condition: and
|
|
@ -0,0 +1,21 @@
|
||||||
|
id: malware_dmalocker
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: DMA Locker Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "41424358595a3131"
|
||||||
|
- "21444d414c4f434b"
|
||||||
|
- "21444d414c4f434b332e30"
|
||||||
|
- "3F520000FFFFFFFF06000000524C4141"
|
||||||
|
- "21444d414c4f434b342e30" #v4
|
|
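Review bot: The fourth pattern in `malware_dmalocker`, `3F520000FFFFFFFF06000000524C4141`, is identical to a row in the `malware_cryptxxx` template and does not fit the other four, which are ASCII for `ABCXYZ11`, `!DMALOCK`, `!DMALOCK3.0` and `!DMALOCK4.0`; this looks like a copy-paste error and should be removed. Note also that this matcher has no `condition:`, so it defaults to `or`, meaning that stray CryptXXX pattern alone would report a file as DMA Locker; state the intended condition explicitly, and consider a `# v3`-style comment on the other version strings to match the `#v4` one already there.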
@ -0,0 +1,18 @@
|
||||||
|
id: malware_doublepulsar
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: DoublePulsar Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE" #xor
|
||||||
|
- "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741" #dll
|
|
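Review bot: `malware_doublepulsar` relies on the default matcher condition, which is `or`; given the `#xor` and `#dll` comments mark two independent artifacts that is probably what is wanted, but write `condition: or` explicitly so the intent survives a later edit, and consider a `name:` on the matcher so the output says which of the two fired.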
@ -0,0 +1,20 @@
|
||||||
|
id: malware_erebus
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Erebus Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
|
||||||
|
- "EREBUS IS BEST."
|
||||||
|
condition: and
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: malware_glass
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Glass Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "PostQuitMessage"
|
||||||
|
- "pwlfnn10,gzg"
|
||||||
|
- "update.dll"
|
||||||
|
- "_winver"
|
||||||
|
condition: and
|
|
@ -0,0 +1,22 @@
|
||||||
|
id: malware_gpgqwerty
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: GPGQwerty Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "gpg.exe –recipient qwerty -o"
|
||||||
|
- "%s%s.%d.qwerty"
|
||||||
|
- "del /Q /F /S %s$recycle.bin"
|
||||||
|
- "cryz1@protonmail.com"
|
||||||
|
condition: and
|
|
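Review bot: The first word in `malware_gpgqwerty`, `"gpg.exe –recipient qwerty -o"`, contains an en dash (U+2013) rather than the `--` that gpg's long-option syntax uses, so a command line of the form `gpg.exe --recipient qwerty -o` would not match. Check the upstream rule and sample: if the dash is a transcription artifact, fix it to `--recipient`; if the sample really embeds the en dash, add a comment saying so, since the next maintainer will otherwise "correct" it.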
@ -0,0 +1,30 @@
|
||||||
|
id: malware_greame
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Greame Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "EditSvr"
|
||||||
|
- "TLoader"
|
||||||
|
- "Stroks"
|
||||||
|
- "Avenger by NhT"
|
||||||
|
- "####@####"
|
||||||
|
- "GREAME"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "232323234023232323E8EEE9F9232323234023232323"
|
||||||
|
- "232323234023232323FAFDF0EFF9232323234023232323"
|
||||||
|
condition: and
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: malware_hawkeye
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: HawkEye Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "HawkEyeKeylogger"
|
||||||
|
- "099u787978786"
|
||||||
|
- "HawkEye_Keylogger"
|
||||||
|
- "holdermail.txt"
|
||||||
|
- "wallet.dat"
|
||||||
|
- "Keylog Records"
|
||||||
|
- "<!-- do not script -->"
|
||||||
|
- "\\pidloc.txt"
|
||||||
|
- "BSPLIT"
|
||||||
|
condition: and
|
|
@ -0,0 +1,35 @@
|
||||||
|
id: malware_imminent
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Imminent Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "DecodeProductKey"
|
||||||
|
- "StartHTTPFlood"
|
||||||
|
- "CodeKey"
|
||||||
|
- "MESSAGEBOX"
|
||||||
|
- "GetFilezillaPasswords"
|
||||||
|
- "DataIn"
|
||||||
|
- "UDPzSockets"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "<URL>k__BackingField"
|
||||||
|
- "<RunHidden>k__BackingField"
|
||||||
|
- "DownloadAndExecute"
|
||||||
|
- "england.png"
|
||||||
|
- "-CHECK & PING -n 2 127.0.0.1 & EXIT"
|
||||||
|
- "Showed Messagebox"
|
||||||
|
condition: and
|
|
@ -0,0 +1,26 @@
|
||||||
|
id: malware_infinity
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Infinity Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "CRYPTPROTECT_PROMPTSTRUCT"
|
||||||
|
- "discomouse"
|
||||||
|
- "GetDeepInfo"
|
||||||
|
- "AES_Encrypt"
|
||||||
|
- "StartUDPFlood"
|
||||||
|
- "BATScripting"
|
||||||
|
- "FBqINhRdpgnqATxJ.html"
|
||||||
|
- "magic_key"
|
||||||
|
condition: and
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: malware_locky
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Locky Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "45b899f7f90faf45b88945b8"
|
||||||
|
- "2b0a0faf4df8894df8c745"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "2E006C006F0063006B00790000"
|
||||||
|
- "005F004C006F0063006B007900"
|
||||||
|
- "5F007200650063006F00760065"
|
||||||
|
- "0072005F0069006E0073007400"
|
||||||
|
- "720075006300740069006F006E"
|
||||||
|
- "0073002E0074007800740000"
|
||||||
|
- "536F6674776172655C4C6F636B7900"
|
||||||
|
condition: and
|
|
@ -0,0 +1,31 @@
|
||||||
|
id: malware_lostdoor
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: LostDoor Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "*mlt* = %"
|
||||||
|
- "*ip* = %"
|
||||||
|
- "*victimo* = %"
|
||||||
|
- "*name* = %"
|
||||||
|
- "[START]"
|
||||||
|
- "[DATA]"
|
||||||
|
- "We Control Your Digital World"
|
||||||
|
- "RC4Initialize"
|
||||||
|
- "RC4Decrypt"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "0D0A2A454449545F5345525645522A0D0A"
|
|
@ -0,0 +1,29 @@
|
||||||
|
id: malware_luminositylink
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: LuminosityLink Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "SMARTLOGS"
|
||||||
|
- "RUNPE"
|
||||||
|
- "b.Resources"
|
||||||
|
- "CLIENTINFO*"
|
||||||
|
- "Invalid Webcam Driver Download URL, or Failed to Download File!"
|
||||||
|
- "Proactive Anti-Malware has been manually activated!"
|
||||||
|
- "REMOVEGUARD"
|
||||||
|
- "C0n1f8"
|
||||||
|
- "Luminosity"
|
||||||
|
- "LuminosityCryptoMiner"
|
||||||
|
- "MANAGER*CLIENTDETAILS*"
|
||||||
|
condition: and
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: malware_luxnet
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: LuxNet Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "GetHashCode"
|
||||||
|
- "Activator"
|
||||||
|
- "WebClient"
|
||||||
|
- "op_Equality"
|
||||||
|
- "dickcursor.cur"
|
||||||
|
- "{0}|{1}|{2}"
|
||||||
|
condition: and
|
|
@ -0,0 +1,25 @@
|
||||||
|
id: malware_paradox
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Paradox Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "ParadoxRAT"
|
||||||
|
- "Form1"
|
||||||
|
- "StartRMCam"
|
||||||
|
- "Flooders"
|
||||||
|
- "SlowLaris"
|
||||||
|
- "SHITEMID"
|
||||||
|
- "set_Remote_Chat"
|
||||||
|
condition: and
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: malware_plasma
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Plasma Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Miner: Failed to Inject."
|
||||||
|
- "Started GPU Mining on:"
|
||||||
|
- "BK: Hard Bot Killer Ran Successfully!"
|
||||||
|
- "Uploaded Keylogs Successfully!"
|
||||||
|
- "No Slowloris Attack is Running!"
|
||||||
|
- "An ARME Attack is Already Running on"
|
||||||
|
- "Proactive Bot Killer Enabled!"
|
||||||
|
- "PlasmaRAT"
|
||||||
|
- "AntiEverything"
|
||||||
|
condition: and
|
|
@ -0,0 +1,33 @@
|
||||||
|
id: malware_poetrat
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: PoetRat Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "launcher.py"
|
||||||
|
- "smile.zip"
|
||||||
|
- "smile_funs.py"
|
||||||
|
- "frown.py"
|
||||||
|
- "backer.py"
|
||||||
|
- "smile.py"
|
||||||
|
- "affine.py"
|
||||||
|
- "cmd"
|
||||||
|
- ".exe"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- '(\.py$|\.pyc$|\.pyd$|Python)'
|
||||||
|
- '\.dll'
|
||||||
|
condition: and
|
|
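Review bot: the regex `(\.py$|\.pyc$|\.pyd$|Python)` uses `$`, which in Go's RE2 engine (what nuclei uses) anchors to the end of the whole input unless multi-line mode is enabled, so the first three alternatives only match a file whose content ends in `.py`, `.pyc` or `.pyd`; in practice only the `Python` alternative can fire. If the intent is embedded file names, use a word boundary instead, e.g. `(\.pyc?\b|\.pyd\b|Python)`, or prefix the pattern with `(?m)`. The second entry `'\.dll'` has no regex semantics beyond the escaped dot and belongs in the `words` list of the first matcher.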
@ -0,0 +1,29 @@
|
||||||
|
id: malware_punisher
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Punisher Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "abccba"
|
||||||
|
- "SpyTheSpy"
|
||||||
|
- "wireshark"
|
||||||
|
- "apateDNS"
|
||||||
|
- "abccbaDanabccb"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "5C006800660068002E007600620073"
|
||||||
|
- "5C00730063002E007600620073"
|
||||||
|
condition: and
|
|
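Review bot: the two `binary` entries are UTF-16LE encodings of `\hfh.vbs` and `\sc.vbs`; add that as a comment next to each hex string so the matcher can be reviewed without decoding. In the `words` list, `"abccba"` is a substring of `"abccbaDanabccb"`, so under `condition: and` the shorter entry is redundant and can be dropped.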
@ -0,0 +1,26 @@
|
||||||
|
id: malware_pythorat
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: PythoRAT Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "TKeylogger"
|
||||||
|
- "uFileTransfer"
|
||||||
|
- "TTDownload"
|
||||||
|
- "SETTINGS"
|
||||||
|
- "Unknown"
|
||||||
|
- "#@#@#"
|
||||||
|
- "PluginData"
|
||||||
|
- "OnPluginMessage"
|
||||||
|
condition: and
|
|
@ -0,0 +1,46 @@
|
||||||
|
id: malware_qrat
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: QRat Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "quaverse/crypter"
|
||||||
|
- "Qrypt.class"
|
||||||
|
- "Jarizer.class"
|
||||||
|
- "URLConnection.class"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "e-data"
|
||||||
|
- "Qrypt.class"
|
||||||
|
- "Jarizer.class"
|
||||||
|
- "URLConnection.class"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "e-data"
|
||||||
|
- "quaverse/crypter"
|
||||||
|
- "Jarizer.class"
|
||||||
|
- "URLConnection.class"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "e-data"
|
||||||
|
- "quaverse/crypter"
|
||||||
|
- "Qrypt.class"
|
||||||
|
- "URLConnection.class"
|
||||||
|
condition: and
|
|
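Review bot: the four `word` matchers under `matchers-condition: or` enumerate every 3-of-4 subset of `"e-data"`, `"quaverse/crypter"`, `"Qrypt.class"` and `"URLConnection.class"`, i.e. they emulate a 3-of-4 threshold that nuclei's `and`/`or` conditions cannot express directly. That is fine, but the intent is easy to miss on a later edit (adding a fifth token would require rewriting all four lists); put a comment above `matchers:` stating that this is a 3-of-4 match.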
@ -0,0 +1,28 @@
|
||||||
|
id: malware_satana
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Satana Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "210073006100740061006E00610021002E0074007800740000"
|
||||||
|
- "456E756D4C6F63616C526573"
|
||||||
|
- "574E65744F70656E456E756D5700"
|
||||||
|
- "21534154414E4121"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "7467777975677771"
|
||||||
|
- "537776776E6775"
|
||||||
|
condition: or
|
|
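Review bot: `reference:` in this hunk points to `RANSOM_.CRYPTXXX.yar` while `id` and `name` say Satana and the next template (`malware_satana_dropper`) references `RANSOM_Satana.yar`; this looks like a copy-paste slip, so confirm the source rule and fix the link. A decoded-value comment beside each hex string (`"210073...7400"` is UTF-16LE `!satana!.txt` plus a terminator, `"456E756D4C6F63616C526573"` is `EnumLocalRes`, `"574E65744F70656E456E756D5700"` is `WNetOpenEnumW\0`, `"21534154414E4121"` is `!SATANA!`) would also make the first `binary` matcher reviewable.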
@ -0,0 +1,21 @@
|
||||||
|
id: malware_satana_dropper
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Satana Dropper Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: binary #Dropper
|
||||||
|
binary:
|
||||||
|
- "25732D547279457863657074"
|
||||||
|
- "643A5C6C626574776D77795C75696A657571706C667775622E706462"
|
||||||
|
- "71666E7476746862"
|
||||||
|
condition: and
|
|
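Review bot: all three `binary` entries are plain ASCII with no embedded nulls (`%s-TryExcept`, `d:\lbetwmwy\uijeuqplfwub.pdb`, `qfntvthb`), so a `word` matcher with the literal strings would be easier to review than hex; if `binary` is kept for fidelity with the YARA source, add the decoded values as comments and expand the bare `#Dropper` comment to say what this template distinguishes from `malware_satana`. `matchers-condition: and` is also a no-op with a single matcher.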
@ -0,0 +1,39 @@
|
||||||
|
id: malware_shimrat
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ShimRat Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- ".dll"
|
||||||
|
- ".dat"
|
||||||
|
- "QWERTYUIOPLKJHG"
|
||||||
|
- "MNBVCXZLKJHGFDS"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Data$$00"
|
||||||
|
- "Data$$01%c%sData"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "ping localhost -n 9 /c %s > nul"
|
||||||
|
- "Demo"
|
||||||
|
- "Win32App"
|
||||||
|
- "COMSPEC"
|
||||||
|
- "ShimMain"
|
||||||
|
- "NotifyShims"
|
||||||
|
- "GetHookAPIs"
|
||||||
|
condition: and
|
|
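Review bot: `NotifyShims` and `GetHookAPIs` in the third `word` matcher are the standard exports of legitimate application-compatibility shim DLLs, and `"Demo"`, `"Win32App"` and `"COMSPEC"` are generic, so under `matchers-condition: or` that matcher's specificity rests almost entirely on the `ping localhost -n 9 /c %s > nul` string; run the template against a benign shim DLL to confirm it does not fire. The first matcher ANDs `".dll"` and `".dat"` with `QWERTYUIOPLKJHG` / `MNBVCXZLKJHGFDS`; a comment explaining what those two strings are in the sample would help future maintainers.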
@ -0,0 +1,30 @@
|
||||||
|
id: malware_shimratreporter
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ShimRatReporter Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "IP-INFO"
|
||||||
|
- "Network-INFO"
|
||||||
|
- "OS-INFO"
|
||||||
|
- "Process-INFO"
|
||||||
|
- "Browser-INFO"
|
||||||
|
- "QueryUser-INFO"
|
||||||
|
- "Users-INFO"
|
||||||
|
- "Software-INFO"
|
||||||
|
- "%02X-%02X-%02X-%02X-%02X-%02X"
|
||||||
|
- "(from environment) = %s"
|
||||||
|
- "NetUserEnum"
|
||||||
|
- "GetNetworkParams"
|
||||||
|
condition: and
|
|
@ -0,0 +1,27 @@
|
||||||
|
id: malware_sigma
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Sigma Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Sigma.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- ".php?"
|
||||||
|
- "uid="
|
||||||
|
- "&uname="
|
||||||
|
- "&os="
|
||||||
|
- "&pcname="
|
||||||
|
- "&total="
|
||||||
|
- "&country="
|
||||||
|
- "&network="
|
||||||
|
- "&subid="
|
||||||
|
condition: and
|
|
@ -0,0 +1,28 @@
|
||||||
|
id: malware_smallnet
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: SmallNet Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "!!<3SAFIA<3!!"
|
||||||
|
- "!!ElMattadorDz!!"
|
||||||
|
condition: or
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "stub_2.Properties"
|
||||||
|
- "stub.exe"
|
||||||
|
- "get_CurrentDomain"
|
||||||
|
condition: and
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
id: malware_snake
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Snake Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Snake.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\""
|
||||||
|
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "89C8BB00CA9A3B89D1F7E381E1FFFFFF3F89C301C889C60500001A3D89042469ED00CA9A3B01EA89CDC1F91F01EB11CA81C600001A3D81D2EB03B2A189542404E81062F6FF"
|
||||||
|
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
|
||||||
|
condition: and
|
|
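Review bot: the single `words` entry is a Go build ID, which identifies one exact compilation, and it is ANDed (`matchers-condition: and`) with a `binary` matcher whose hex blobs must all be present (`condition: and`); the result is effectively a signature for one specific sample rather than a family detector. Either say so in `name` or a comment, or drop the build-ID matcher and rely on the code-byte pattern so that rebuilt variants are still caught. The YAML for the build-ID string (escaped inner quotes inside a double-quoted scalar) is valid as written.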
@ -0,0 +1,31 @@
|
||||||
|
id: malware_sub7nation
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Sub7Nation Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "EnableLUA /t REG_DWORD /d 0 /f"
|
||||||
|
- "*A01*"
|
||||||
|
- "*A02*"
|
||||||
|
- "*A03*"
|
||||||
|
- "*A04*"
|
||||||
|
- "*A05*"
|
||||||
|
- "*A06*"
|
||||||
|
- "#@#@#"
|
||||||
|
- "HostSettings"
|
||||||
|
- "sevane.tmp"
|
||||||
|
- "cmd_.bat"
|
||||||
|
- "a2b7c3d7e4"
|
||||||
|
- "cmd.dll"
|
||||||
|
condition: and
|
|
@ -0,0 +1,20 @@
|
||||||
|
id: malware_terminator
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Terminator Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Terminator.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Accelorator"
|
||||||
|
- "<html><title>12356</title><body>"
|
||||||
|
condition: and
|
|
@ -0,0 +1,17 @@
|
||||||
|
id: malware_teslacrypt
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: TeslaCrypt Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_TeslaCrypt.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: binary
|
||||||
|
binary:
|
||||||
|
- "4E6F7720697427732025493A254D25702E00000076616C2069732025640A0000"
|
|
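Review bot: this template sets neither `matchers-condition` nor a `condition` on its single `binary` matcher, which is valid for one matcher with one entry but inconsistent with the other templates in this commit. Add a decoded-value comment for the hex (`Now it's %I:%M%p.` followed by three nulls, then `val is %d\n` and two nulls) so reviewers can see what is matched; the embedded `00` bytes are exactly why `binary` rather than `word` is the right matcher type here.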
@ -0,0 +1,32 @@
|
||||||
|
id: malware_tox
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Tox Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Tox.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
|
||||||
|
- "t;<<t;<<t<<<t<<"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "t;<<t;<<t<<<t<<"
|
||||||
|
- ">>><<<"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
|
||||||
|
- ">>><<<"
|
||||||
|
condition: and
|
|
@ -0,0 +1,23 @@
|
||||||
|
id: malware_unrecom
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Unrecom Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "META-INF"
|
||||||
|
- "load/ID"
|
||||||
|
- "load/JarMain.class"
|
||||||
|
- "load/MANIFEST.MF"
|
||||||
|
- "plugins/UnrecomServer.class"
|
||||||
|
condition: and
|
|
@ -0,0 +1,26 @@
|
||||||
|
id: malware_vertex
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Vertex Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "DEFPATH"
|
||||||
|
- "HKNAME"
|
||||||
|
- "HPORT"
|
||||||
|
- "INSTALL"
|
||||||
|
- "IPATH"
|
||||||
|
- "MUTEX"
|
||||||
|
- "PANELPATH"
|
||||||
|
- "ROOTURL"
|
||||||
|
condition: and
|
|
@ -0,0 +1,30 @@
|
||||||
|
id: malware_virusrat
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: VirusRat Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "virustotal"
|
||||||
|
- "virusscan"
|
||||||
|
- "abccba"
|
||||||
|
- "pronoip"
|
||||||
|
- "streamWebcam"
|
||||||
|
- "DOMAIN_PASSWORD"
|
||||||
|
- "Stub.Form1.resources"
|
||||||
|
- "ftp://{0}@{1}"
|
||||||
|
- "SELECT * FROM moz_logins"
|
||||||
|
- "SELECT * FROM moz_disabledHosts"
|
||||||
|
- "DynDNS\\Updater\\config.dyndns"
|
||||||
|
- "|BawaneH|"
|
||||||
|
condition: and
|
|
@ -0,0 +1,17 @@
|
||||||
|
id: malware_zoxpng
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: ZoxPNG Malware Detector
|
||||||
|
author: daffainfo
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_ZoxPNG.yar
|
||||||
|
tags: malware,file
|
||||||
|
|
||||||
|
file:
|
||||||
|
- extensions:
|
||||||
|
- all
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58"
|
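Review bot: the only matcher is one long literal URL query fragment that embeds request-specific parameters (`ei=CnJcUcSBL4rFkQX444HYCw`, `ved=1t:3588,r:1,s:0,i:92`, `dur=368`, `tx=114&ty=58`), so a sample with any one of those values changed will not match. If the source YARA rule uses the full string, keep it for fidelity but add a comment saying so, and consider a second `regex` matcher on the stable parts (`png&w=800&h=600&`, `&iact=rc&dur=`, `&tbnh=`, `&tbnw=`) under `matchers-condition: or`; `matchers-condition` is absent from this template while the others in the commit set it.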