daffainfo
/
nuclei-malware
mirror of https://github.com/daffainfo/nuclei-malware.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat: added BinaryAlert and restructure the repo

main
Muhammad Daffa 2023-08-08 00:32:42 +07:00
parent 597ea580a7
commit fbc13aeb4c
126 changed files with 3481 additions and 3074 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
BinaryAlert/basicrat-malware.yaml Normal file
View File

@ -0,0 +1,23 @@
id: basicrat-malware
info:
name: BasicRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/multi/malware_multi_vesche_basicrat.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "HKCU Run registry key applied"
- "HKCU Run registry key failed"
- "Error, platform unsupported."
- "Persistence successful,"
- "Persistence unsuccessful,"
condition: and

21
BinaryAlert/cerber-malware.yaml Normal file
View File

@ -0,0 +1,21 @@
id: cerber-malware
info:
name: Cerber Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_cerber_evasion.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "38oDr5.vbs"
- "8ivq.dll"
- "jmsctls_progress32"
condition: and

28
BinaryAlert/crunchrat-malware.yaml Normal file
View File

@ -0,0 +1,28 @@
id: crunchrat-malware
info:
name: CrunchRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_t3ntman_crunchrat.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "<action>command<action>"
- "<action>upload<action>"
- "<action>download<action>"
- "cmd.exe"
- "application/x-www-form-urlencoded"
- "&action="
- "&secondary="
- "<secondary>"
- "<action>"
condition: and
case-insensitive: true

23
BinaryAlert/hydracrypt-malware.yaml Normal file
View File

@ -0,0 +1,23 @@
id: ransomware_windows_hydracrypt
info:
name: Hydracrypt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_hydracrypt.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "oTraining"
- "Stop Training"
- "Play \"sound.wav\""
- "&Start Recording"
- "7About record"
condition: and

38
BinaryAlert/macos-bella-malware.yaml Normal file
View File

@ -0,0 +1,38 @@
id: macos-bella-malware
info:
name: Bella Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "Verified! [2FV Enabled] Account ->"
- "There is no root shell to perform this command. See [rooter] manual entry."
- "Attempt to escalate Bella to root through a variety of attack vectors."
- "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
condition: or
- type: word
part: raw
words:
- "user_pass_phish"
- "bella_info"
- "get_root"
condition: and
- type: word
part: raw
words:
- "Please specify a bella server."
- "What port should Bella connect on [Default is 4545]:"
condition: and

24
BinaryAlert/petya-malware-variant-1.yaml Normal file
View File

@ -0,0 +1,24 @@
id: petya-malware-variant-1
info:
name: Petya Malware (Variant 1) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_1.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Ooops, your important files are encrypted."
- "Send your Bitcoin wallet ID and personal installation key to e-mail"
- "wowsmith123456@posteo.net. Your personal installation key:"
- "Send $300 worth of Bitcoin to following address:"
- "have been encrypted. Perhaps you are busy looking for a way to recover your"
- "need to do is submit the payment and purchase the decryption key."
condition: or

20
BinaryAlert/petya-malware-variant-3.yaml Normal file
View File

@ -0,0 +1,20 @@
id: petya-malware-variant-3
info:
name: Petya Malware (Variant 3) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_3.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "wevtutil cl Setup & wevtutil cl System"
- "fsutil usn deletejournal /D %c:"
condition: or

18
BinaryAlert/petya-malware-variant-bitcoin.yaml Normal file
View File

@ -0,0 +1,18 @@
id: petya-malware-variant-bitcoin
info:
name: Petya Malware (Variant Bitcoin) - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_bitcoin.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB"

29
BinaryAlert/pony-stealer-malware.yaml Normal file
View File

@ -0,0 +1,29 @@
id: pony-stealer-malware
info:
name: Windows Pony Stealer Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_pony_stealer.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "signons.sqlite"
- "signons.txt"
- "signons2.txt"
- "signons3.txt"
- "WininetCacheCredentials"
- "moz_logins"
- "encryptedPassword"
- "FlashFXP"
- "BulletProof"
- "CuteFTP"
condition: and
case-insensitive: true

21
BinaryAlert/powerware-malware.yaml Normal file
View File

@ -0,0 +1,21 @@
id: powerware-malware
info:
name: PowerWare Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_powerware_locky.yara
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ScriptRunner.dll"
- "ScriptRunner.pdb"
- "fixed.ps1"
condition: and

32
BinaryAlert/wannacry-malware.yaml Normal file
View File

@ -0,0 +1,32 @@
id: wannacry-malware
info:
name: WannaCry Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_wannacry.yara
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "msg/m_chinese"
- ".wnry"
- "attrib +h"
condition: and
- type: word
part: raw
words:
- "WNcry@2ol7"
- "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
- "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
- "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
- "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
condition: or

34
BinaryAlert/zrypt-malware.yaml Normal file
View File

@ -0,0 +1,34 @@
id: zrypt-malware
info:
name: Zcrypt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "How to Buy Bitcoins"
- "ALL YOUR PERSONAL FILES ARE ENCRYPTED"
- "Click Here to Show Bitcoin Address"
- "MyEncrypter2.pdb"
condition: or
- type: word
part: raw
words:
- ".p7b"
- ".p7c"
- ".pdd"
- ".pef"
- ".pem"
- "How to decrypt files.html"
condition: and

42
LICENSE
View File

@ -1,21 +1,21 @@
MIT License
Copyright (c) 2023 Muhammad Daffa
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
MIT License
Copyright (c) 2023 Muhammad Daffa
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

265
README.md
View File

@ -1,251 +1,14 @@
# Nuclei Malware
Template to detect some malware using nuclei
## Status Malware
I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not
| Malware Yara Rules | Status |
| --- | --- |
| MALW_ATMPot | 🟥 Impossible |
| MALW_ATM_HelloWorld | 🟥 Impossible |
| MALW_AZORULT | 🟥 Impossible |
| MALW_AgentTesla | 🟨 Still possible but requires a lot of effort |
| MALW_AgentTesla_SMTP | 🟨 Still possible but requires a lot of effort |
| MALW_AlMashreq | 🟨 Still possible but requires a lot of effort |
| MALW_Alina | 🟩 Possible |
| MALW_Andromeda | 🟩 Possible |
| MALW_Arkei | 🟩 Possible |
| MALW_Athena | 🟨 Still possible but requires a lot of effort |
| MALW_Atmos | 🟥 Impossible |
| MALW_BackdoorSSH | 🟥 Impossible |
| MALW_Backoff | 🟩 Possible |
| MALW_Bangat | 🟥 Impossible |
| MALW_Batel | 🟥 Impossible |
| MALW_BlackRev | 🟨 Still possible but requires a lot of effort |
| MALW_BlackWorm | 🟩 Possible |
| MALW_Boouset | 🟥 Impossible |
| MALW_Bublik | 🟩 Possible |
| MALW_Buzus_Softpulse | 🟥 Impossible |
| MALW_CAP_HookExKeylogger | 🟨 Still possible but requires a lot of effort |
| MALW_Chicken | 🟨 Still possible but requires a lot of effort |
| MALW_Citadel | 🟥 Impossible |
| MALW_Cloaking | 🟥 Impossible |
| MALW_Cookies | 🟨 Still possible but requires a lot of effort |
| MALW_Corkow | 🟥 Impossible |
| MALW_Cxpid | 🟩 Possible |
| MALW_Cythosia | 🟩 Possible |
| MALW_DDoSTf | 🟩 Possible |
| MALW_Derkziel | 🟩 Possible |
| MALW_Dexter | 🟩 Possible |
| MALW_DiamondFox | 🟩 Possible |
| MALW_DirtJumper | 🟨 Still possible but requires a lot of effort |
| MALW_Eicar | 🟩 Possible |
| MALW_Elex | 🟥 Impossible |
| MALW_Elknot | 🟥 Impossible |
| MALW_Emotet | 🟥 Impossible |
| MALW_Empire | 🟥 Impossible |
| MALW_Enfal | 🟥 Impossible |
| MALW_Exploit_UAC_Elevators | 🟥 Impossible |
| MALW_Ezcob | 🟩 Possible |
| MALW_F0xy | 🟥 Impossible |
| MALW_FALLCHILL | 🟥 Impossible |
| MALW_FUDCrypt | 🟩 Possible |
| MALW_FakeM | 🟥 Impossible |
| MALW_Fareit | 🟥 Impossible |
| MALW_Favorite | 🟥 Impossible |
| MALW_Furtim | 🟥 Impossible |
| MALW_Gafgyt | 🟩 Possible |
| MALW_Genome | 🟩 Possible |
| MALW_Glasses | 🟩 Possible |
| MALW_Gozi | 🟩 Possible |
| MALW_Grozlex | 🟩 Possible |
| MALW_Hajime | 🟥 Impossible |
| MALW_Hsdfihdf_banking | 🟨 Still possible but requires a lot of effort |
| MALW_Httpsd_ELF | 🟥 Impossible |
| MALW_IMuler | 🟥 Impossible |
| MALW_IcedID | 🟥 Impossible |
| MALW_Iexpl0ree | 🟥 Impossible |
| MALW_Install11 | 🟩 Possible |
| MALW_Intel_Virtualization | 🟩 Possible |
| MALW_IotReaper | 🟩 Possible |
| MALW_Jolob_Backdoor | 🟩 Possible |
| MALW_KINS | 🟨 Still possible but requires a lot of effort |
| MALW_Kelihos | 🟩 Possible |
| MALW_KeyBase | 🟥 Impossible |
| MALW_Korlia | 🟥 Impossible |
| MALW_Korplug | 🟥 Impossible |
| MALW_Kovter | 🟩 Possible |
| MALW_Kraken | 🟥 Impossible |
| MALW_Kwampirs | 🟩 Possible |
| MALW_LURK0 | 🟥 Impossible |
| MALW_Lateral_Movement | 🟩 Possible |
| MALW_Lenovo_Superfish | 🟥 Impossible |
| MALW_LinuxBew | 🟩 Possible |
| MALW_LinuxHelios | 🟩 Possible |
| MALW_LinuxMoose | 🟥 Impossible |
| MALW_LostDoor | 🟩 Possible |
| MALW_LuaBot | 🟩 Possible |
| MALW_LuckyCat | 🟥 Impossible |
| MALW_MSILStealer | 🟩 Possible |
| MALW_MacControl | 🟥 Impossible |
| MALW_MacGyver | 🟩 Possible |
| MALW_Madness | 🟩 Possible |
| MALW_Magento_backend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_frontend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_suspicious | 🟥 Impossible |
| MALW_Mailers | 🟥 Impossible |
| MALW_MedusaHTTP_2019 | 🟨 Still possible but requires a lot of effort |
| MALW_Miancha | 🟥 Impossible |
| MALW_MiniAsp3_mem | 🟨 Still possible but requires a lot of effort |
| MALW_Mirai | 🟥 Impossible |
| MALW_Mirai_Okiru_ELF | 🟥 Impossible |
| MALW_Mirai_Satori_ELF | 🟥 Impossible |
| MALW_Miscelanea | 🟥 Impossible |
| MALW_Miscelanea_Linux | 🟨 Still possible but requires a lot of effort |
| MALW_Monero_Miner_installer | 🟩 Possible |
| MALW_NSFree | 🟩 Possible |
| MALW_Naikon | 🟨 Still possible but requires a lot of effort |
| MALW_Naspyupdate | 🟨 Still possible but requires a lot of effort |
| MALW_NetTraveler | 🟨 Still possible but requires a lot of effort |
| MALW_NionSpy | 🟥 Impossible |
| MALW_Notepad | 🟩 Possible |
| MALW_OSX_Leverage | 🟩 Possible |
| MALW_Odinaff | 🟥 Impossible |
| MALW_Olyx | 🟩 Possible |
| MALW_PE_sections | 🟥 Impossible |
| MALW_PittyTiger | 🟨 Still possible but requires a lot of effort |
| MALW_PolishBankRat | 🟥 Impossible |
| MALW_Ponmocup | 🟥 Impossible |
| MALW_Pony | 🟩 Possible |
| MALW_Predator | 🟥 Impossible |
| MALW_PubSab | 🟩 Possible |
| MALW_PurpleWave | 🟥 Impossible |
| MALW_PyPI | 🟩 Possible |
| MALW_Pyinstaller | 🟥 Impossible |
| MALW_Pyinstaller_OSX | 🟩 Possible |
| MALW_Quarian | 🟥 Impossible |
| MALW_Rebirth_Vulcan_ELF | 🟥 Impossible |
| MALW_Regsubdat | 🟥 Impossible |
| MALW_Rockloader | 🟥 Impossible |
| MALW_Rooter | 🟥 Impossible |
| MALW_Rovnix | 🟥 Impossible |
| MALW_Safenet | 🟩 Possible |
| MALW_Sakurel | 🟩 Possible |
| MALW_Sayad | 🟩 Possible |
| MALW_Scarhikn | 🟥 Impossible |
| MALW_Sendsafe | 🟨 Still possible but requires a lot of effort |
| MALW_Shamoon | 🟥 Impossible |
| MALW_Shifu | 🟥 Impossible |
| MALW_Skeleton | 🟥 Impossible |
| MALW_Spora | 🟩 Possible |
| MALW_Sqlite | 🟩 Possible |
| MALW_Stealer | 🟩 Possible |
| MALW_Surtr | 🟥 Impossible |
| MALW_T5000 | 🟩 Possible |
| MALW_TRITON_HATMAN | 🟥 Impossible |
| MALW_TRITON_ICS_FRAMEWORK | 🟥 Impossible |
| MALW_Tedroo | 🟩 Possible |
| MALW_Tinba | 🟥 Impossible |
| MALW_TinyShell_Backdoor_gen | 🟥 Impossible |
| MALW_Torte_ELF | 🟥 Impossible |
| MALW_TreasureHunt | 🟩 Possible |
| MALW_TrickBot | 🟩 Possible |
| MALW_Trumpbot | 🟩 Possible |
| MALW_Upatre | 🟥 Impossible |
| MALW_Urausy | 🟩 Possible |
| MALW_Vidgrab | 🟥 Impossible |
| MALW_Virut_FileInfector_UNK_VERSION | 🟥 Impossible |
| MALW_Volgmer | 🟥 Impossible |
| MALW_Wabot | 🟩 Possible |
| MALW_Warp | 🟩 Possible |
| MALW_Wimmie | 🟥 Impossible |
| MALW_XHide | 🟩 Possible |
| MALW_XMRIG_Miner | 🟩 Possible |
| MALW_XOR_DDos | 🟩 Possible |
| MALW_Yayih | 🟩 Possible |
| MALW_Yordanyan_ActiveAgent | 🟨 Still possible but requires a lot of effort |
| MALW_Zegost | 🟩 Possible |
| MALW_Zeus | 🟥 Impossible |
| MALW_adwind_RAT | 🟥 Impossible |
| MALW_hancitor | 🟨 Still possible but requires a lot of effort |
| MALW_kirbi_mimikatz | 🟥 Impossible |
| MALW_kpot | 🟨 Still possible but requires a lot of effort |
| MALW_marap | 🟨 Still possible but requires a lot of effort |
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
| MALW_viotto_keylogger | 🟥 Impossible |
| MALW_xDedic_marketplace | 🟥 Impossible |
| RANSOM_.CRYPTXXX.yar | 🟩 Possible |
| RANSOM_777.yar | 🟩 Possible |
| RANSOM_Alpha.yar | 🟩 Possible |
| RANSOM_BadRabbit.yar | 🟥 Impossible |
| RANSOM_Cerber.yar | 🟥 Impossible |
| RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_Crypren.yar | 🟥 Impossible |
| RANSOM_CryptoNar.yar | 🟥 Impossible |
| RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_DMALocker.yar | 🟩 Possible |
| RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
| RANSOM_Erebus.yar | 🟩 Possible |
| RANSOM_GPGQwerty.yar | 🟩 Possible |
| RANSOM_GoldenEye.yar | 🟥 Impossible |
| RANSOM_Locky.yar | 🟩 Possible |
| RANSOM_MS17-010_Wannacrypt.yar | 🟥 Impossible |
| RANSOM_Maze.yar | 🟥 Impossible |
| RANSOM_PetrWrap.yar | 🟥 Impossible |
| RANSOM_Petya.yar | 🟥 Impossible |
| RANSOM_Petya_MS17_010.yar | 🟥 Impossible |
| RANSOM_Pico.yar | 🟥 Impossible |
| RANSOM_Revix.yar | 🟥 Impossible |
| RANSOM_SamSam.yar | 🟥 Impossible |
| RANSOM_Satana.yar | 🟩 Possible |
| RANSOM_Shiva.yar | 🟥 Impossible |
| RANSOM_Sigma.yar | 🟩 Possible |
| RANSOM_Snake.yar | 🟩 Possible |
| RANSOM_Stampado.yar | 🟥 Impossible |
| RANSOM_TeslaCrypt.yar | 🟩 Possible |
| RANSOM_Tox.yar | 🟩 Possible |
| RANSOM_acroware.yar | 🟥 Impossible |
| RANSOM_jeff_dev.yar | 🟥 Impossible |
| RANSOM_locdoor.yar | 🟥 Impossible |
| RANSOM_screenlocker_5h311_1nj3c706.yar | 🟥 Impossible |
| RANSOM_shrug2.yar | 🟥 Impossible |
| RANSOM_termite.yar | 🟥 Impossible |
| RAT_Adwind.yar | 🟥 Impossible |
| RAT_Adzok.yar | 🟩 Possible |
| RAT_Asyncrat.yar | 🟥 Impossible |
| RAT_BlackShades.yar | 🟥 Impossible |
| RAT_Bolonyokte.yar | 🟥 Impossible |
| RAT_Bozok.yar | 🟩 Possible |
| RAT_Cerberus.yar | 🟩 Possible |
| RAT_Crimson.yar | 🟩 Possible |
| RAT_CrossRAT.yar | 🟥 Impossible |
| RAT_CyberGate.yar | 🟩 Possible |
| RAT_DarkComet.yar | 🟥 Impossible |
| RAT_FlyingKitten.yar | 🟥 Impossible |
| RAT_Gh0st.yar | 🟥 Impossible |
| RAT_Gholee.yar | 🟩 Possible |
| RAT_Glass.yar | 🟩 Possible |
| RAT_Havex.yar | 🟥 Impossible |
| RAT_Hizor.yar | 🟥 Impossible |
| RAT_Indetectables.yar | 🟥 Impossible |
| RAT_Inocnation.yar | 🟥 Impossible |
| RAT_Meterpreter_Reverse_Tcp.yar | 🟥 Impossible |
| RAT_Nanocore.yar | 🟥 Impossible |
| RAT_NetwiredRC.yar | 🟥 Impossible |
| RAT_Njrat.yar | 🟥 Impossible |
| RAT_Orcus.yar | 🟥 Impossible |
| RAT_PlugX.yar | 🟥 Impossible |
| RAT_PoetRATDoc.yar | 🟩 Possible |
| RAT_PoetRATPython.yar | 🟥 Impossible |
| RAT_PoisonIvy.yar | 🟥 Impossible |
| RAT_Ratdecoders.yar | 🟩 Possible |
| RAT_Sakula.yar | 🟥 Impossible |
| RAT_ShadowTech.yar | 🟩 Possible |
| RAT_Shim.yar | 🟩 Possible |
| RAT_Terminator.yar | 🟩 Possible |
| RAT_Xtreme.yar | 🟥 Impossible |
| RAT_ZoxPNG.yar | 🟩 Possible |
| RAT_jRAT.yar | 🟩 Possible |
| RAT_xRAT.yar | 🟩 Possible |
| RAT_xRAT20.yar | 🟥 Impossible |
# Nuclei Malware
Template to detect some malware using nuclei. Creating these nuclei templates based on previously made YARA rules and then converting them into nuclei template format
### List of Repositories
* [https://github.com/Yara-Rules/rules](https://github.com/daffainfo/nuclei-malware/tree/master/Yara-Rules)
* [https://github.com/airbnb/binaryalert/tree/master/rules/public](https://github.com/daffainfo/nuclei-malware/tree/master/BinaryAlert)
### To-Do
- [ ] Create a GitHub Actions workflow to detect the total number of templates in this repository
- [ ] Gives the status of whether the template is already in the nuclei-templates repo or not (In `STATUS.md`)
- [ ] Create more nuclei templates using these repository
- [x] https://github.com/airbnb/binaryalert/tree/master/rules/public
- [ ] https://github.com/reversinglabs/reversinglabs-yara-rules
- [ ] etc.

279
STATUS.md Normal file
View File

@ -0,0 +1,279 @@
# List
* [https://github.com/Yara-Rules/rules](https://github.com/daffainfo/nuclei-malware/tree/master/Yara-Rules)
| Yara Rules | Status |
| --- | --- |
| MALW_ATMPot | 🟥 Impossible |
| MALW_ATM_HelloWorld | 🟥 Impossible |
| MALW_AZORULT | 🟥 Impossible |
| MALW_AgentTesla | 🟨 Still possible but requires a lot of effort |
| MALW_AgentTesla_SMTP | 🟨 Still possible but requires a lot of effort |
| MALW_AlMashreq | 🟨 Still possible but requires a lot of effort |
| MALW_Alina | 🟩 Possible |
| MALW_Andromeda | 🟩 Possible |
| MALW_Arkei | 🟩 Possible |
| MALW_Athena | 🟨 Still possible but requires a lot of effort |
| MALW_Atmos | 🟥 Impossible |
| MALW_BackdoorSSH | 🟥 Impossible |
| MALW_Backoff | 🟩 Possible |
| MALW_Bangat | 🟥 Impossible |
| MALW_Batel | 🟥 Impossible |
| MALW_BlackRev | 🟨 Still possible but requires a lot of effort |
| MALW_BlackWorm | 🟩 Possible |
| MALW_Boouset | 🟥 Impossible |
| MALW_Bublik | 🟩 Possible |
| MALW_Buzus_Softpulse | 🟥 Impossible |
| MALW_CAP_HookExKeylogger | 🟨 Still possible but requires a lot of effort |
| MALW_Chicken | 🟨 Still possible but requires a lot of effort |
| MALW_Citadel | 🟥 Impossible |
| MALW_Cloaking | 🟥 Impossible |
| MALW_Cookies | 🟨 Still possible but requires a lot of effort |
| MALW_Corkow | 🟥 Impossible |
| MALW_Cxpid | 🟩 Possible |
| MALW_Cythosia | 🟩 Possible |
| MALW_DDoSTf | 🟩 Possible |
| MALW_Derkziel | 🟩 Possible |
| MALW_Dexter | 🟩 Possible |
| MALW_DiamondFox | 🟩 Possible |
| MALW_DirtJumper | 🟨 Still possible but requires a lot of effort |
| MALW_Eicar | 🟩 Possible |
| MALW_Elex | 🟥 Impossible |
| MALW_Elknot | 🟥 Impossible |
| MALW_Emotet | 🟥 Impossible |
| MALW_Empire | 🟥 Impossible |
| MALW_Enfal | 🟥 Impossible |
| MALW_Exploit_UAC_Elevators | 🟥 Impossible |
| MALW_Ezcob | 🟩 Possible |
| MALW_F0xy | 🟥 Impossible |
| MALW_FALLCHILL | 🟥 Impossible |
| MALW_FUDCrypt | 🟩 Possible |
| MALW_FakeM | 🟥 Impossible |
| MALW_Fareit | 🟥 Impossible |
| MALW_Favorite | 🟥 Impossible |
| MALW_Furtim | 🟥 Impossible |
| MALW_Gafgyt | 🟩 Possible |
| MALW_Genome | 🟩 Possible |
| MALW_Glasses | 🟩 Possible |
| MALW_Gozi | 🟩 Possible |
| MALW_Grozlex | 🟩 Possible |
| MALW_Hajime | 🟥 Impossible |
| MALW_Hsdfihdf_banking | 🟨 Still possible but requires a lot of effort |
| MALW_Httpsd_ELF | 🟥 Impossible |
| MALW_IMuler | 🟥 Impossible |
| MALW_IcedID | 🟥 Impossible |
| MALW_Iexpl0ree | 🟥 Impossible |
| MALW_Install11 | 🟩 Possible |
| MALW_Intel_Virtualization | 🟩 Possible |
| MALW_IotReaper | 🟩 Possible |
| MALW_Jolob_Backdoor | 🟩 Possible |
| MALW_KINS | 🟨 Still possible but requires a lot of effort |
| MALW_Kelihos | 🟩 Possible |
| MALW_KeyBase | 🟥 Impossible |
| MALW_Korlia | 🟥 Impossible |
| MALW_Korplug | 🟥 Impossible |
| MALW_Kovter | 🟩 Possible |
| MALW_Kraken | 🟥 Impossible |
| MALW_Kwampirs | 🟩 Possible |
| MALW_LURK0 | 🟥 Impossible |
| MALW_Lateral_Movement | 🟩 Possible |
| MALW_Lenovo_Superfish | 🟥 Impossible |
| MALW_LinuxBew | 🟩 Possible |
| MALW_LinuxHelios | 🟩 Possible |
| MALW_LinuxMoose | 🟥 Impossible |
| MALW_LostDoor | 🟩 Possible |
| MALW_LuaBot | 🟩 Possible |
| MALW_LuckyCat | 🟥 Impossible |
| MALW_MSILStealer | 🟩 Possible |
| MALW_MacControl | 🟥 Impossible |
| MALW_MacGyver | 🟩 Possible |
| MALW_Madness | 🟩 Possible |
| MALW_Magento_backend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_frontend | 🟨 Still possible but requires a lot of effort |
| MALW_Magento_suspicious | 🟥 Impossible |
| MALW_Mailers | 🟥 Impossible |
| MALW_MedusaHTTP_2019 | 🟨 Still possible but requires a lot of effort |
| MALW_Miancha | 🟥 Impossible |
| MALW_MiniAsp3_mem | 🟨 Still possible but requires a lot of effort |
| MALW_Mirai | 🟥 Impossible |
| MALW_Mirai_Okiru_ELF | 🟥 Impossible |
| MALW_Mirai_Satori_ELF | 🟥 Impossible |
| MALW_Miscelanea | 🟥 Impossible |
| MALW_Miscelanea_Linux | 🟨 Still possible but requires a lot of effort |
| MALW_Monero_Miner_installer | 🟩 Possible |
| MALW_NSFree | 🟩 Possible |
| MALW_Naikon | 🟨 Still possible but requires a lot of effort |
| MALW_Naspyupdate | 🟨 Still possible but requires a lot of effort |
| MALW_NetTraveler | 🟨 Still possible but requires a lot of effort |
| MALW_NionSpy | 🟥 Impossible |
| MALW_Notepad | 🟩 Possible |
| MALW_OSX_Leverage | 🟩 Possible |
| MALW_Odinaff | 🟥 Impossible |
| MALW_Olyx | 🟩 Possible |
| MALW_PE_sections | 🟥 Impossible |
| MALW_PittyTiger | 🟨 Still possible but requires a lot of effort |
| MALW_PolishBankRat | 🟥 Impossible |
| MALW_Ponmocup | 🟥 Impossible |
| MALW_Pony | 🟩 Possible |
| MALW_Predator | 🟥 Impossible |
| MALW_PubSab | 🟩 Possible |
| MALW_PurpleWave | 🟥 Impossible |
| MALW_PyPI | 🟩 Possible |
| MALW_Pyinstaller | 🟥 Impossible |
| MALW_Pyinstaller_OSX | 🟩 Possible |
| MALW_Quarian | 🟥 Impossible |
| MALW_Rebirth_Vulcan_ELF | 🟥 Impossible |
| MALW_Regsubdat | 🟥 Impossible |
| MALW_Rockloader | 🟥 Impossible |
| MALW_Rooter | 🟥 Impossible |
| MALW_Rovnix | 🟥 Impossible |
| MALW_Safenet | 🟩 Possible |
| MALW_Sakurel | 🟩 Possible |
| MALW_Sayad | 🟩 Possible |
| MALW_Scarhikn | 🟥 Impossible |
| MALW_Sendsafe | 🟨 Still possible but requires a lot of effort |
| MALW_Shamoon | 🟥 Impossible |
| MALW_Shifu | 🟥 Impossible |
| MALW_Skeleton | 🟥 Impossible |
| MALW_Spora | 🟩 Possible |
| MALW_Sqlite | 🟩 Possible |
| MALW_Stealer | 🟩 Possible |
| MALW_Surtr | 🟥 Impossible |
| MALW_T5000 | 🟩 Possible |
| MALW_TRITON_HATMAN | 🟥 Impossible |
| MALW_TRITON_ICS_FRAMEWORK | 🟥 Impossible |
| MALW_Tedroo | 🟩 Possible |
| MALW_Tinba | 🟥 Impossible |
| MALW_TinyShell_Backdoor_gen | 🟥 Impossible |
| MALW_Torte_ELF | 🟥 Impossible |
| MALW_TreasureHunt | 🟩 Possible |
| MALW_TrickBot | 🟩 Possible |
| MALW_Trumpbot | 🟩 Possible |
| MALW_Upatre | 🟥 Impossible |
| MALW_Urausy | 🟩 Possible |
| MALW_Vidgrab | 🟥 Impossible |
| MALW_Virut_FileInfector_UNK_VERSION | 🟥 Impossible |
| MALW_Volgmer | 🟥 Impossible |
| MALW_Wabot | 🟩 Possible |
| MALW_Warp | 🟩 Possible |
| MALW_Wimmie | 🟥 Impossible |
| MALW_XHide | 🟩 Possible |
| MALW_XMRIG_Miner | 🟩 Possible |
| MALW_XOR_DDos | 🟩 Possible |
| MALW_Yayih | 🟩 Possible |
| MALW_Yordanyan_ActiveAgent | 🟨 Still possible but requires a lot of effort |
| MALW_Zegost | 🟩 Possible |
| MALW_Zeus | 🟥 Impossible |
| MALW_adwind_RAT | 🟥 Impossible |
| MALW_hancitor | 🟨 Still possible but requires a lot of effort |
| MALW_kirbi_mimikatz | 🟥 Impossible |
| MALW_kpot | 🟨 Still possible but requires a lot of effort |
| MALW_marap | 🟨 Still possible but requires a lot of effort |
| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
| MALW_viotto_keylogger | 🟥 Impossible |
| MALW_xDedic_marketplace | 🟥 Impossible |
| RANSOM_.CRYPTXXX.yar | 🟩 Possible |
| RANSOM_777.yar | 🟩 Possible |
| RANSOM_Alpha.yar | 🟩 Possible |
| RANSOM_BadRabbit.yar | 🟥 Impossible |
| RANSOM_Cerber.yar | 🟥 Impossible |
| RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_Crypren.yar | 🟥 Impossible |
| RANSOM_CryptoNar.yar | 🟥 Impossible |
| RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
| RANSOM_DMALocker.yar | 🟩 Possible |
| RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
| RANSOM_Erebus.yar | 🟩 Possible |
| RANSOM_GPGQwerty.yar | 🟩 Possible |
| RANSOM_GoldenEye.yar | 🟥 Impossible |
| RANSOM_Locky.yar | 🟩 Possible |
| RANSOM_MS17-010_Wannacrypt.yar | 🟥 Impossible |
| RANSOM_Maze.yar | 🟥 Impossible |
| RANSOM_PetrWrap.yar | 🟥 Impossible |
| RANSOM_Petya.yar | 🟥 Impossible |
| RANSOM_Petya_MS17_010.yar | 🟥 Impossible |
| RANSOM_Pico.yar | 🟥 Impossible |
| RANSOM_Revix.yar | 🟥 Impossible |
| RANSOM_SamSam.yar | 🟥 Impossible |
| RANSOM_Satana.yar | 🟩 Possible |
| RANSOM_Shiva.yar | 🟥 Impossible |
| RANSOM_Sigma.yar | 🟩 Possible |
| RANSOM_Snake.yar | 🟩 Possible |
| RANSOM_Stampado.yar | 🟥 Impossible |
| RANSOM_TeslaCrypt.yar | 🟩 Possible |
| RANSOM_Tox.yar | 🟩 Possible |
| RANSOM_acroware.yar | 🟥 Impossible |
| RANSOM_jeff_dev.yar | 🟥 Impossible |
| RANSOM_locdoor.yar | 🟥 Impossible |
| RANSOM_screenlocker_5h311_1nj3c706.yar | 🟥 Impossible |
| RANSOM_shrug2.yar | 🟥 Impossible |
| RANSOM_termite.yar | 🟥 Impossible |
| RAT_Adwind.yar | 🟥 Impossible |
| RAT_Adzok.yar | 🟩 Possible |
| RAT_Asyncrat.yar | 🟥 Impossible |
| RAT_BlackShades.yar | 🟥 Impossible |
| RAT_Bolonyokte.yar | 🟥 Impossible |
| RAT_Bozok.yar | 🟩 Possible |
| RAT_Cerberus.yar | 🟩 Possible |
| RAT_Crimson.yar | 🟩 Possible |
| RAT_CrossRAT.yar | 🟥 Impossible |
| RAT_CyberGate.yar | 🟩 Possible |
| RAT_DarkComet.yar | 🟥 Impossible |
| RAT_FlyingKitten.yar | 🟥 Impossible |
| RAT_Gh0st.yar | 🟥 Impossible |
| RAT_Gholee.yar | 🟩 Possible |
| RAT_Glass.yar | 🟩 Possible |
| RAT_Havex.yar | 🟥 Impossible |
| RAT_Hizor.yar | 🟥 Impossible |
| RAT_Indetectables.yar | 🟥 Impossible |
| RAT_Inocnation.yar | 🟥 Impossible |
| RAT_Meterpreter_Reverse_Tcp.yar | 🟥 Impossible |
| RAT_Nanocore.yar | 🟥 Impossible |
| RAT_NetwiredRC.yar | 🟥 Impossible |
| RAT_Njrat.yar | 🟥 Impossible |
| RAT_Orcus.yar | 🟥 Impossible |
| RAT_PlugX.yar | 🟥 Impossible |
| RAT_PoetRATDoc.yar | 🟩 Possible |
| RAT_PoetRATPython.yar | 🟥 Impossible |
| RAT_PoisonIvy.yar | 🟥 Impossible |
| RAT_Ratdecoders.yar | 🟩 Possible |
| RAT_Sakula.yar | 🟥 Impossible |
| RAT_ShadowTech.yar | 🟩 Possible |
| RAT_Shim.yar | 🟩 Possible |
| RAT_Terminator.yar | 🟩 Possible |
| RAT_Xtreme.yar | 🟥 Impossible |
| RAT_ZoxPNG.yar | 🟩 Possible |
| RAT_jRAT.yar | 🟩 Possible |
| RAT_xRAT.yar | 🟩 Possible |
| RAT_xRAT20.yar | 🟥 Impossible |
* [https://github.com/airbnb/binaryalert/tree/master/rules/public](https://github.com/daffainfo/nuclei-malware/tree/master/BinaryAlert)
| Yara Rules | Status |
| --- | --- |
| malware_macos_apt_sofacy_xagent.yara | 🟥 Impossible |
| malware_macos_bella.yara | 🟩 Possible |
| malware_macos_macspy.yara | 🟥 Impossible |
| malware_macos_marten4n6_evilosx.yara | 🟨 Still possible but requires a lot of effort |
| malware_macos_neoneggplant_eggshell.yara | 🟨 Still possible but requires a lot of effort |
| malware_macos_proton_rat_generic.yara | 🟥 Impossible |
| malware_multi_pupy_rat.yara | 🟨 Still possible but requires a lot of effort |
| malware_multi_vesche_basicrat.yara | 🟩 Possible |
| malware_windows_apt_red_leaves_generic.yara | 🟨 Still possible but requires a lot of effort |
| malware_windows_pony_stealer.yara | 🟩 Possible |
| malware_windows_remcos_rat.yara | 🟨 Still possible but requires a lot of effort |
| malware_windows_t3ntman_crunchrat.yara | 🟩 Possible |
| malware_windows_xrat_quasarrat.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_HDDCryptorA.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_cerber_evasion.yara | 🟩 Possible |
| ransomware_windows_cryptolocker.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_hydracrypt.yara | 🟩 Possible |
| ransomware_windows_lazarus_wannacry.yara | 🟥 Impossible |
| ransomware_windows_petya_variant_1.yara | 🟩 Possible |
| ransomware_windows_petya_variant_2.yara | 🟨 Still possible but requires a lot of effort |
| ransomware_windows_petya_variant_3.yara | 🟩 Possible |
| ransomware_windows_petya_variant_bitcoin.yara | 🟩 Possible |
| ransomware_windows_powerware_locky.yara | 🟩 Possible |
| ransomware_windows_wannacry.yara | 🟩 Possible |
| ransomware_windows_zcrypt.yara | 🟩 Possible |

48
malware_aar.yaml → Yara-Rules/aar-malware.yaml
View File

@ -1,25 +1,25 @@
id: malware_aar
info:
name: AAR Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "Hashtable"
- "get_IsDisposed"
- "TripleDES"
- "testmemory.FRMMain.resources"
- "$this.Icon"
- "{11111-22222-20001-00001}"
- "@@@@@"
id: aar-malware
info:
name: AAR Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Hashtable"
- "get_IsDisposed"
- "TripleDES"
- "testmemory.FRMMain.resources"
- "$this.Icon"
- "{11111-22222-20001-00001}"
- "@@@@@"
condition: and

210
malware_adzok.yaml → Yara-Rules/adzok-malware.yaml
View File

@ -1,102 +1,110 @@
id: malware_adzok
info:
name: Adzok Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
condition: and
- type: word
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "resources/icono.pngPK"
id: adzok-malware
info:
name: Adzok Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "resources/icono.pngPK"
condition: and

39
malware_alfa.yaml → Yara-Rules/alfa-malware.yaml
View File

@ -1,20 +1,19 @@
id: malware_alfa
info:
name: Alfa Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "8B0C9781E1FFFF000081F919040000740F81F9"
- "220400007407423BD07CE2EB02"
condition: and
id: alfa-malware
info:
name: Alfa Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "8B0C9781E1FFFF000081F919040000740F81F9"
- "220400007407423BD07CE2EB02"
condition: and

48
malware_alienspy.yaml → Yara-Rules/alienspy-malware.yaml
View File

@ -1,25 +1,25 @@
id: malware_alienspy
info:
name: AlienSpy Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "META-INF/MANIFEST.MF"
- "ePK"
- "kPK"
- "config.ini"
- "password.ini"
- "stub/stub.dll"
- "c.dat"
id: alienspy-malware
info:
name: AlienSpy Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "META-INF/MANIFEST.MF"
- "ePK"
- "kPK"
- "config.ini"
- "password.ini"
- "stub/stub.dll"
- "c.dat"
condition: and

40
malware_alina.yaml → Yara-Rules/alina-malware.yaml
View File

@ -1,21 +1,21 @@
id: malware_alina
info:
name: Alina Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Alina v1.0'
- 'POST'
- '1[0-2])[0-9]'
id: alina-malware
info:
name: Alina Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'Alina v1.0'
- 'POST'
- '1[0-2])[0-9]'
condition: and

34
malware_alpha.yaml → Yara-Rules/alpha-malware.yaml
View File

@ -1,17 +1,17 @@
id: malware_alpha
info:
name: Alpha Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "520065006100640020004D0065002000280048006F00770020004400650063"
id: alpha-malware
info:
name: Alpha Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "520065006100640020004D0065002000280048006F00770020004400650063"

43
malware_andromeda.yaml → Yara-Rules/andromeda-malware.yaml
View File

@ -1,22 +1,23 @@
id: malware_andromeda
info:
name: Andromeda Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'
- type: binary
binary:
id: andromeda-malware
info:
name: Andromeda Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'
- type: binary
binary:
- "1C1C1D03494746"

46
malware_ap0calypse.yaml → Yara-Rules/ap0calypse-malware.yaml
View File

@ -1,24 +1,24 @@
id: malware_ap0calypse
info:
name: Ap0calypse Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "Ap0calypse"
- "Sifre"
- "MsgGoster"
- "Baslik"
- "Dosyalars"
- "Injecsiyon"
id: ap0calypse-malware
info:
name: Ap0calypse Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Ap0calypse"
- "Sifre"
- "MsgGoster"
- "Baslik"
- "Dosyalars"
- "Injecsiyon"
condition: and

53
malware_arcom.yaml → Yara-Rules/arcom-malware.yaml
View File

@ -1,27 +1,28 @@
id: malware_arcom
info:
name: Arcom Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "CVu3388fnek3W(3ij3fkp0930di"
- "ZINGAWI2"
- "clWebLightGoldenrodYellow"
- "Ancestor for '%s' not found"
- "Control-C hit"
condition: and
- type: binary
binary:
id: arcom-malware
info:
name: Arcom Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "CVu3388fnek3W(3ij3fkp0930di"
- "ZINGAWI2"
- "clWebLightGoldenrodYellow"
- "Ancestor for '%s' not found"
- "Control-C hit"
condition: and
- type: binary
binary:
- "A3242521"

44
malware_arkei.yaml → Yara-Rules/arkei-malware.yaml
View File

@ -1,23 +1,23 @@
id: malware_arkei
info:
name: Arkei Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Arkei'
- '/server/gate'
- '/server/grubConfig'
- '\\files\\'
- 'SQLite'
id: arkei-malware
info:
name: Arkei Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'Arkei'
- '/server/gate'
- '/server/grubConfig'
- '\\files\\'
- 'SQLite'
condition: and

40
malware_backoff.yaml → Yara-Rules/backoff-malware.yaml
View File

@ -1,21 +1,21 @@
id: malware_backoff
info:
name: Backoff Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'
- '%s @ %s'
- 'Upload KeyLogs'
id: backoff-malware
info:
name: Backoff Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'
- '%s @ %s'
- 'Upload KeyLogs'
condition: and

56
malware_bandook.yaml → Yara-Rules/bandook-malware.yaml
View File

@ -1,28 +1,28 @@
id: malware_bandook
info:
name: Bandook Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "aaaaaa1|"
- "aaaaaa2|"
- "aaaaaa3|"
- "aaaaaa4|"
- "aaaaaa5|"
- "%s%d.exe"
- "astalavista"
- "givemecache"
- "%s\\system32\\drivers\\blogs\\*"
- "bndk13me"
condition: and
id: bandook-malware
info:
name: Bandook Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "aaaaaa1|"
- "aaaaaa2|"
- "aaaaaa3|"
- "aaaaaa4|"
- "aaaaaa5|"
- "%s%d.exe"
- "astalavista"
- "givemecache"
- "%s\\system32\\drivers\\blogs\\*"
- "bndk13me"
condition: and

46
malware_blacknix.yaml → Yara-Rules/blacknix-malware.yaml
View File

@ -1,23 +1,23 @@
id: malware_blacknix
info:
name: BlackNix Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "SETTINGS"
- "Mark Adler"
- "Random-Number-Here"
- "RemoteShell"
- "SystemInfo"
condition: and
id: blacknix-malware
info:
name: BlackNix Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "SETTINGS"
- "Mark Adler"
- "Random-Number-Here"
- "RemoteShell"
- "SystemInfo"
condition: and

56
malware_blackworm.yaml → Yara-Rules/blackworm-malware.yaml
View File

@ -1,29 +1,29 @@
id: malware_blackworm
info:
name: Blackworm Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'm_ComputerObjectProvider'
- 'MyWebServices'
- 'get_ExecutablePath'
- 'get_WebServices'
- 'My.WebServices'
- 'My.User'
- 'm_UserObjectProvider'
- 'DelegateCallback'
- 'TargetMethod'
- '000004b0'
- 'Microsoft Corporation'
id: blackworm-malware
info:
name: Blackworm Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'm_ComputerObjectProvider'
- 'MyWebServices'
- 'get_ExecutablePath'
- 'get_WebServices'
- 'My.WebServices'
- 'My.User'
- 'm_UserObjectProvider'
- 'DelegateCallback'
- 'TargetMethod'
- '000004b0'
- 'Microsoft Corporation'
condition: and

48
malware_bluebanana.yaml → Yara-Rules/bluebanana-malware.yaml
View File

@ -1,24 +1,24 @@
id: malware_bluebanana
info:
name: BlueBanana Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "META-INF"
- "config.txt"
- "a/a/a/a/f.class"
- "a/a/a/a/l.class"
- "a/a/a/b/q.class"
- "a/a/a/b/v.class"
condition: and
id: bluebanana-malware
info:
name: BlueBanana Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "META-INF"
- "config.txt"
- "a/a/a/a/f.class"
- "a/a/a/a/l.class"
- "a/a/a/b/q.class"
- "a/a/a/b/v.class"
condition: and

46
malware_bozok.yaml → Yara-Rules/bozok-malware.yaml
View File

@ -1,24 +1,24 @@
id: malware_bozok
info:
name: Bozok Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "getVer"
- "StartVNC"
- "SendCamList"
- "untPlugin"
- "gethostbyname"
condition: and
id: bozok-malware
info:
name: Bozok Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "getVer"
- "StartVNC"
- "SendCamList"
- "untPlugin"
- "gethostbyname"
condition: and
case-insensitive: true

37
malware_bublik.yaml → Yara-Rules/bublik-malware.yaml
View File

@ -1,20 +1,19 @@
id: malware_bublik
info:
name: Bublik Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- '636F6E736F6C6173'
- '636C556E00696E666F2E696E69'
id: bublik-malware
info:
name: Bublik Malware Detector
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- '636F6E736F6C6173'
- '636C556E00696E666F2E696E69'
condition: and

71
malware_cap_hookexkeylogger.yaml → Yara-Rules/cap-hookexkeylogger-malware.yaml
View File

@ -1,35 +1,38 @@
id: malware_cap_hookexkeylogger
info:
name: CAP HookExKeylogger Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD_LL"
condition: and
case-insensitive: true
- type: word
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD"
condition: and
case-insensitive: true
- type: word
words:
- "WH_KEYBOARD"
- "WH_KEYBOARD_LL"
condition: and
id: cap-hookexkeylogger-malware
info:
name: CAP HookExKeylogger Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD_LL"
condition: and
case-insensitive: true
- type: word
part: raw
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD"
condition: and
case-insensitive: true
- type: word
part: raw
words:
- "WH_KEYBOARD"
- "WH_KEYBOARD_LL"
condition: and
case-insensitive: true

54
malware_cerberus.yaml → Yara-Rules/cerberus-malware.yaml
View File

@ -1,26 +1,28 @@
id: malware_cerberus
info:
name: Cerberus Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "Ypmw1Syv023QZD"
- "wZ2pla"
- "wBmpf3Pb7RJe"
condition: or
- type: word
words:
- "cerberus"
case-insensitive: true
id: cerberus-malware
info:
name: Cerberus Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "Ypmw1Syv023QZD"
- "wZ2pla"
- "wBmpf3Pb7RJe"
condition: or
- type: word
part: raw
words:
- "cerberus"
case-insensitive: true

55
malware_clientmesh.yaml → Yara-Rules/clientmesh-malware.yaml
View File

@ -1,28 +1,29 @@
id: malware_clientmesh
info:
name: ClientMesh Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "machinedetails"
- "MySettings"
- "sendftppasswords"
- "sendbrowserpasswords"
- "arma2keyMass"
- "keylogger"
condition: and
- type: binary
binary:
id: clientmesh-malware
info:
name: ClientMesh Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "machinedetails"
- "MySettings"
- "sendftppasswords"
- "sendbrowserpasswords"
- "arma2keyMass"
- "keylogger"
condition: and
- type: binary
binary:
- "0000000000000000007E"

46
malware_crimson.yaml → Yara-Rules/crimson-malware.yaml
View File

@ -1,23 +1,23 @@
id: malware_crimson
info:
name: Crimson Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "com/crimson/PK"
- "com/crimson/bootstrapJar/PK"
- "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
- "com/crimson/universal/containers/KeyloggerLog.classPK"
- "com/crimson/universal/UploadTransfer.classPK"
condition: and
id: crimson-malware
info:
name: Crimson Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "com/crimson/PK"
- "com/crimson/bootstrapJar/PK"
- "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
- "com/crimson/universal/containers/KeyloggerLog.classPK"
- "com/crimson/universal/UploadTransfer.classPK"
condition: and

37
malware_cryptxxx_dropper.yaml → Yara-Rules/cryptxxx-dropper-malware.yaml
View File

@ -1,20 +1,19 @@
id: malware_cryptxxx_dropper
info:
name: CryptXXX Dropper Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary #Dropper
binary:
- "50653157584346765962486F35"
- "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
id: cryptxxx-dropper-malware
info:
name: CryptXXX Dropper Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "50653157584346765962486F35"
- "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
condition: and

83
malware_cryptxxx.yaml → Yara-Rules/cryptxxx-malware.yaml
View File

@ -1,43 +1,42 @@
id: malware_cryptxxx
info:
name: CryptXXX Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "525947404A41595D52000000FFFFFFFF"
- "0600000052594740405A0000FFFFFFFF"
- "0A000000525C4B4D574D424B5C520000"
- "FFFFFFFF0A000000525D575D5A4B4370"
- "3F520000FFFFFFFF06000000524C4141"
- "5A520000FFFFFFFF0A000000525C4B4D"
- "41584B5C57520000FFFFFFFF0E000000"
- "522A5C4B4D574D424B204C4740520000"
- "FFFFFFFF0A000000525E4B5C48424149"
- "5D520000FFFFFFFF05000000524B4847"
- "52000000FFFFFFFF0C000000524D4140"
- "48474920435D475200000000FFFFFFFF"
- "0A000000525E5C41495C4F703F520000"
- "FFFFFFFF0A000000525E5C41495C4F70"
- "3C520000FFFFFFFF0800000052494141"
- "49424B5200000000FFFFFFFF06000000"
- "525A4B435E520000FFFFFFFF08000000"
- "52483A4C4D703F5200000000FFFFFFFF"
- "0A000000524F42425B5D4B703F520000"
- "FFFFFFFF0A000000525E5C41495C4F70"
- "3F520000FFFFFFFF0A000000525E5C41"
- "495C4F703C520000FFFFFFFF09000000"
- "524F5E5E4A4F5A4F52000000FFFFFFFF"
- "0A000000525E5C41495C4F703D520000"
- "FFFFFFFF08000000525E5B4C42474D52"
id: cryptxxx-malware
info:
name: CryptXXX Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "525947404A41595D52000000FFFFFFFF"
- "0600000052594740405A0000FFFFFFFF"
- "0A000000525C4B4D574D424B5C520000"
- "FFFFFFFF0A000000525D575D5A4B4370"
- "3F520000FFFFFFFF06000000524C4141"
- "5A520000FFFFFFFF0A000000525C4B4D"
- "41584B5C57520000FFFFFFFF0E000000"
- "522A5C4B4D574D424B204C4740520000"
- "FFFFFFFF0A000000525E4B5C48424149"
- "5D520000FFFFFFFF05000000524B4847"
- "52000000FFFFFFFF0C000000524D4140"
- "48474920435D475200000000FFFFFFFF"
- "0A000000525E5C41495C4F703F520000"
- "FFFFFFFF0A000000525E5C41495C4F70"
- "3C520000FFFFFFFF0800000052494141"
- "49424B5200000000FFFFFFFF06000000"
- "525A4B435E520000FFFFFFFF08000000"
- "52483A4C4D703F5200000000FFFFFFFF"
- "0A000000524F42425B5D4B703F520000"
- "FFFFFFFF0A000000525E5C41495C4F70"
- "3F520000FFFFFFFF0A000000525E5C41"
- "495C4F703C520000FFFFFFFF09000000"
- "524F5E5E4A4F5A4F52000000FFFFFFFF"
- "0A000000525E5C41495C4F703D520000"
- "FFFFFFFF08000000525E5B4C42474D52"
condition: and

51
malware_cxpid.yaml → Yara-Rules/cxpid-malware.yaml
View File

@ -1,26 +1,27 @@
id: malware_cxpid
info:
name: Cxpid Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word #cxpidStrings
words:
- '/cxpid/submit.php?SessionID='
- '/cxgid/'
- 'E21BC52BEA2FEF26D005CF'
- 'E21BC52BEA39E435C40CD8'
- ' -,L-,O+,Q-,R-,Y-,S-'
- type: binary #cxpidCode
binary:
id: cxpid-malware
info:
name: Cxpid Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- '/cxpid/submit.php?SessionID='
- '/cxgid/'
- 'E21BC52BEA2FEF26D005CF'
- 'E21BC52BEA39E435C40CD8'
- ' -,L-,O+,Q-,R-,Y-,S-'
- type: binary
binary:
- "558BECB9380400006A006A004975F9"

34
malware_cythosia.yaml → Yara-Rules/cythosia-malware.yaml
View File

@ -1,18 +1,18 @@
id: malware_cythosia
info:
name: Cythosia Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
id: cythosia-malware
info:
name: Cythosia Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'HarvesterSocksBot.Properties.Resources'

50
malware_darkrat.yaml → Yara-Rules/darkrat-malware.yaml
View File

@ -1,25 +1,25 @@
id: malware_darkrat
info:
name: DarkRAT Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "@1906dark1996coder@"
- "SHEmptyRecycleBinA"
- "mciSendStringA"
- "add_Shutdown"
- "get_SaveMySettingsOnExit"
- "get_SpecialDirectories"
- "Client.My"
condition: and
id: darkrat-malware
info:
name: DarkRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "@1906dark1996coder@"
- "SHEmptyRecycleBinA"
- "mciSendStringA"
- "add_Shutdown"
- "get_SaveMySettingsOnExit"
- "get_SpecialDirectories"
- "Client.My"
condition: and

57
malware_ddostf.yaml → Yara-Rules/ddostf-malware.yaml
View File

@ -1,29 +1,30 @@
id: malware_ddostf
info:
name: DDoSTf Malware Detector
author: daffainfo
severity: critical
reference:
- http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'ddos.tf'
- 'Accept-Language: zh'
- '%d Kb/bps|%d%%'
condition: and
- type: binary
binary:
- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00' #TCP_KEEPINTVL
- 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00' #TCP_KEEPCNT
id: ddostf-malware
info:
name: DDoSTf Malware - Detect
author: daffainfo
severity: info
reference:
- http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'ddos.tf'
- 'Accept-Language: zh'
- '%d Kb/bps|%d%%'
condition: and
- type: binary
binary:
- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00'
- 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00'
condition: and

48
malware_derkziel.yaml → Yara-Rules/derkziel-malware.yaml
View File

@ -1,25 +1,25 @@
id: malware_derkziel
info:
name: Derkziel Malware Detector
author: daffainfo
severity: critical
reference:
- https://bhf.su/threads/137898/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- '{!}DRZ{!}'
- 'User-Agent: Uploador'
- 'SteamAppData.vdf'
- 'loginusers.vdf'
- 'config.vdf'
id: derkziel-malware
info:
name: Derkziel Malware - Detect
author: daffainfo
severity: info
reference:
- https://bhf.su/threads/137898/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- '{!}DRZ{!}'
- 'User-Agent: Uploador'
- 'SteamAppData.vdf'
- 'loginusers.vdf'
- 'config.vdf'
condition: and

46
malware_dexter.yaml → Yara-Rules/dexter-malware.yaml
View File

@ -1,24 +1,24 @@
id: malware_dexter
info:
name: Dexter Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar
- http://goo.gl/oBvy8b
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Java Security Plugin'
- '%s\\%s\\%s.exe'
- 'Sun Java Security Plugin'
- '\\Internet Explorer\\iexplore.exe'
id: dexter-malware
info:
name: Dexter Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar
- http://goo.gl/oBvy8b
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'Java Security Plugin'
- '%s\\%s\\%s.exe'
- 'Sun Java Security Plugin'
- '\\Internet Explorer\\iexplore.exe'
condition: and

46
malware_diamondfox.yaml → Yara-Rules/diamondfox-malware.yaml
View File

@ -1,24 +1,24 @@
id: malware_diamondfox
info:
name: DiamondFox Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'UPDATE_B'
- 'UNISTALL_B'
- 'S_PROTECT'
- 'P_WALLET'
- 'GR_COMMAND'
- 'FTPUPLOAD'
id: diamondfox-malware
info:
name: DiamondFox Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'UPDATE_B'
- 'UNISTALL_B'
- 'S_PROTECT'
- 'P_WALLET'
- 'GR_COMMAND'
- 'FTPUPLOAD'
condition: and

43
malware_dmalocker.yaml → Yara-Rules/dmalocker-malware.yaml
View File

@ -1,21 +1,22 @@
id: malware_dmalocker
info:
name: DMA Locker Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "41424358595a3131"
- "21444d414c4f434b"
- "21444d414c4f434b332e30"
- "3F520000FFFFFFFF06000000524C4141"
- "21444d414c4f434b342e30" #v4
id: dmalocker-malware
info:
name: DMA Locker Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "41424358595a3131"
- "21444d414c4f434b"
- "21444d414c4f434b332e30"
- "3F520000FFFFFFFF06000000524C4141"
- "21444d414c4f434b342e30"
condition: or

37
malware_doublepulsar.yaml → Yara-Rules/doublepulsar-malware.yaml
View File

@ -1,18 +1,19 @@
id: malware_doublepulsar
info:
name: DoublePulsar Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE" #xor
- "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741" #dll
id: doublepulsar-malware
info:
name: DoublePulsar Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE"
- "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741"
condition: or

33
malware_eicar.yaml → Yara-Rules/eicar-malware.yaml
View File

@ -1,17 +1,18 @@
id: malware_eicar
info:
name: Eicar Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
id: eicar-malware
info:
name: Eicar Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

38
malware_erebus.yaml → Yara-Rules/erebus-malware.yaml
View File

@ -1,20 +1,20 @@
id: malware_erebus
info:
name: Erebus Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
- "EREBUS IS BEST."
id: erebus-malware
info:
name: Erebus Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
- "EREBUS IS BEST."
condition: and

44
malware_ezcob.yaml → Yara-Rules/ezcob-malware.yaml
View File

@ -1,21 +1,23 @@
id: malware_ezcob
info:
name: Ezcob Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12'
- '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12'
- 'Ezcob'
- 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126'
- '20110113144935'
id: ezcob-malware
info:
name: Ezcob Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12'
- '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12'
- 'Ezcob'
- 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126'
- '20110113144935'
condition: or

59
malware_fudcrypt.yaml → Yara-Rules/fudcrypt-malware.yaml
View File

@ -1,30 +1,31 @@
id: malware_fudcrypt
info:
name: FUDCrypt Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/gigajew/FudCrypt/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- 'OcYjzPUtJkNbLOABqYvNbvhZf'
- 'gwiXxyIDDtoYzgMSRGMckRbJi'
- 'BclWgISTcaGjnwrzSCIuKruKm'
- 'CJyUSiUNrIVbgksjxpAMUkAJJ'
- 'fAMVdoPUEyHEWdxQIEJPRYbEN'
- 'CIGQUctdcUPqUjoucmcoffECY'
- 'wcZfHOgetgAExzSoWFJFQdAyO'
- 'DqYKDnIoLeZDWYlQWoxZnpfPR'
- 'MkhMoOHCbGUMqtnRDJKnBYnOj'
- 'sHEqLMGglkBAOIUfcSAgMvZfs'
- 'JtZApJhbFAIFxzHLjjyEQvtgd'
id: fudcrypt-malware
info:
name: FUDCrypt Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/gigajew/FudCrypt/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'OcYjzPUtJkNbLOABqYvNbvhZf'
- 'gwiXxyIDDtoYzgMSRGMckRbJi'
- 'BclWgISTcaGjnwrzSCIuKruKm'
- 'CJyUSiUNrIVbgksjxpAMUkAJJ'
- 'fAMVdoPUEyHEWdxQIEJPRYbEN'
- 'CIGQUctdcUPqUjoucmcoffECY'
- 'wcZfHOgetgAExzSoWFJFQdAyO'
- 'DqYKDnIoLeZDWYlQWoxZnpfPR'
- 'MkhMoOHCbGUMqtnRDJKnBYnOj'
- 'sHEqLMGglkBAOIUfcSAgMvZfs'
- 'JtZApJhbFAIFxzHLjjyEQvtgd'
- 'IIQrSWZEMmoQIKGuxxwoTwXka'

42
malware_gafgyt_bash.yaml → Yara-Rules/gafgyt-bash-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_gafgyt_bash
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PONG!'
- 'GETLOCALIP'
- 'HTTPFLOOD'
- 'LUCKYLILDUDE'
id: gafgyt-bash-malware
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'PONG!'
- 'GETLOCALIP'
- 'HTTPFLOOD'
- 'LUCKYLILDUDE'
condition: and

42
malware_gafgyt_generic.yaml → Yara-Rules/gafgyt-generic-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_gafgyt_generic
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "/bin/busybox;echo -e 'gayfgt'"
- '/proc/net/route'
- 'admin'
- 'root'
id: gafgyt-generic-malware
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "/bin/busybox;echo -e 'gayfgt'"
- '/proc/net/route'
- 'admin'
- 'root'
condition: and

46
malware_gafgyt_hihi.yaml → Yara-Rules/gafgyt-hihi-malware.yaml
View File

@ -1,24 +1,24 @@
id: malware_gafgyt_hihi
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PING'
- 'PONG'
- 'TELNET LOGIN CRACKED - %s:%s:%s'
- 'ADVANCEDBOT'
- '46.166.185.92'
- 'LOLNOGTFO'
id: gafgyt-hihi-malware
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PONG'
- 'TELNET LOGIN CRACKED - %s:%s:%s'
- 'ADVANCEDBOT'
- '46.166.185.92'
- 'LOLNOGTFO'
condition: and

42
malware_gafgyt_hoho.yaml → Yara-Rules/gafgyt-hoho-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_gafgyt_hoho
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PING'
- 'PRIVMSG'
- 'Remote IRC Bot'
- '23.95.43.182'
id: gafgyt-hoho-malware
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PRIVMSG'
- 'Remote IRC Bot'
- '23.95.43.182'
condition: and

42
malware_gafgyt_jackmy.yaml → Yara-Rules/gafgyt-jackmy-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_gafgyt_jackmy
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PING'
- 'PONG'
- 'jackmy'
- '203.134.%d.%d'
id: gafgyt-jackmy-malware
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PONG'
- 'jackmy'
- '203.134.%d.%d'
condition: and

42
malware_gafgyt_oh.yaml → Yara-Rules/gafgyt-oh-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_gafgyt_oh
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'busyboxterrorist'
- 'BOGOMIPS'
- '124.105.97.%d'
- 'fucknet'
id: gafgyt-oh-malware
info:
name: Gafgyt Oh Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'busyboxterrorist'
- 'BOGOMIPS'
- '124.105.97.%d'
- 'fucknet'
condition: and

40
malware_genome.yaml → Yara-Rules/genome-malware.yaml
View File

@ -1,21 +1,21 @@
id: malware_genome
info:
name: Genome Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Attempting to create more than one keyboard::Monitor instance'
- '{Right windows}'
- 'Access violation - no RTTI data!'
id: genome-malware
info:
name: Genome Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'Attempting to create more than one keyboard::Monitor instance'
- '{Right windows}'
- 'Access violation - no RTTI data!'
condition: and

44
malware_glass.yaml → Yara-Rules/glass-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_glass
info:
name: Glass Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "PostQuitMessage"
- "pwlfnn10,gzg"
- "update.dll"
- "_winver"
condition: and
id: glass-malware
info:
name: Glass Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "PostQuitMessage"
- "pwlfnn10,gzg"
- "update.dll"
- "_winver"
condition: and

57
malware_glasses.yaml → Yara-Rules/glasses-malware.yaml
View File

@ -1,29 +1,30 @@
id: malware_glasses
info:
name: Glasses Malware Detector
author: daffainfo
severity: critical
reference:
- https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word #GlassesStrings
words:
- 'thequickbrownfxjmpsvalzydg'
- 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'
- '" target="NewRef"></a>'
condition: and
- type: binary #GlassesCode
binary:
- "B8ABAAAAAAF7E1D1EA8D04522BC8"
- "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA"
id: glasses-malware
info:
name: Glasses Malware - Detect
author: daffainfo
severity: info
reference:
- https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'thequickbrownfxjmpsvalzydg'
- 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'
- '" target="NewRef"></a>'
condition: and
- type: binary
binary:
- "B8ABAAAAAAF7E1D1EA8D04522BC8"
- "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA"
condition: or

36
malware_gozi.yaml → Yara-Rules/gozi-malware.yaml
View File

@ -1,19 +1,19 @@
id: malware_gozi
info:
name: Gozi Malware Detector
author: daffainfo
severity: critical
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
id: gozi-malware
info:
name: Gozi Malware - Detect
author: daffainfo
severity: info
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "63006F006F006B006900650073002E00730071006C006900740065002D006A006F00750072006E0061006C0000004F504552412E45584500"

42
malware_gpgqwerty.yaml → Yara-Rules/gpgqwerty-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_gpgqwerty
info:
name: GPGQwerty Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "gpg.exe recipient qwerty -o"
- "%s%s.%d.qwerty"
- "del /Q /F /S %s$recycle.bin"
- "cryz1@protonmail.com"
id: gpgqwerty-malware
info:
name: GPGQwerty Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "gpg.exe recipient qwerty -o"
- "%s%s.%d.qwerty"
- "del /Q /F /S %s$recycle.bin"
- "cryz1@protonmail.com"
condition: and

59
malware_greame.yaml → Yara-Rules/greame-malware.yaml
View File

@ -1,30 +1,31 @@
id: malware_greame
info:
name: Greame Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "EditSvr"
- "TLoader"
- "Stroks"
- "Avenger by NhT"
- "####@####"
- "GREAME"
condition: and
- type: binary
binary:
- "232323234023232323E8EEE9F9232323234023232323"
- "232323234023232323FAFDF0EFF9232323234023232323"
id: greame-malware
info:
name: Greame Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "EditSvr"
- "TLoader"
- "Stroks"
- "Avenger by NhT"
- "####@####"
- "GREAME"
condition: and
- type: binary
binary:
- "232323234023232323E8EEE9F9232323234023232323"
- "232323234023232323FAFDF0EFF9232323234023232323"
condition: and

36
malware_grozlex.yaml → Yara-Rules/grozlex-malware.yaml
View File

@ -1,19 +1,19 @@
id: malware_grozlex
info:
name: Grozlex Malware Detector
author: daffainfo
severity: critical
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
id: grozlex-malware
info:
name: Grozlex Malware - Detect
author: daffainfo
severity: info
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "4C006F00670073002000610074007400610063006800650064002000620079002000690043006F007A0065006E"

54
malware_hawkeye.yaml → Yara-Rules/hawkeye-malware.yaml
View File

@ -1,27 +1,27 @@
id: malware_hawkeye
info:
name: HawkEye Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "HawkEyeKeylogger"
- "099u787978786"
- "HawkEye_Keylogger"
- "holdermail.txt"
- "wallet.dat"
- "Keylog Records"
- "<!-- do not script -->"
- "\\pidloc.txt"
- "BSPLIT"
condition: and
id: hawkeye-malware
info:
name: HawkEye Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "HawkEyeKeylogger"
- "099u787978786"
- "HawkEye_Keylogger"
- "holdermail.txt"
- "wallet.dat"
- "Keylog Records"
- "<!-- do not script -->"
- "\\pidloc.txt"
- "BSPLIT"
condition: and

70
malware_imminent.yaml → Yara-Rules/imminent-malware.yaml
View File

@ -1,35 +1,37 @@
id: malware_imminent
info:
name: Imminent Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "DecodeProductKey"
- "StartHTTPFlood"
- "CodeKey"
- "MESSAGEBOX"
- "GetFilezillaPasswords"
- "DataIn"
- "UDPzSockets"
condition: and
- type: word
words:
- "<URL>k__BackingField"
- "<RunHidden>k__BackingField"
- "DownloadAndExecute"
- "england.png"
- "-CHECK & PING -n 2 127.0.0.1 & EXIT"
- "Showed Messagebox"
id: imminent-malware
info:
name: Imminent Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "DecodeProductKey"
- "StartHTTPFlood"
- "CodeKey"
- "MESSAGEBOX"
- "GetFilezillaPasswords"
- "DataIn"
- "UDPzSockets"
condition: and
- type: word
part: raw
words:
- "<URL>k__BackingField"
- "<RunHidden>k__BackingField"
- "DownloadAndExecute"
- "england.png"
- "-CHECK & PING -n 2 127.0.0.1 & EXIT"
- "Showed Messagebox"
condition: and

50
malware_infinity.yaml → Yara-Rules/infinity-malware.yaml
View File

@ -1,26 +1,26 @@
id: malware_infinity
info:
name: Infinity Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "CRYPTPROTECT_PROMPTSTRUCT"
- "discomouse"
- "GetDeepInfo"
- "AES_Encrypt"
- "StartUDPFlood"
- "BATScripting"
- "FBqINhRdpgnqATxJ.html"
- "magic_key"
id: infinity-malware
info:
name: Infinity Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "CRYPTPROTECT_PROMPTSTRUCT"
- "discomouse"
- "GetDeepInfo"
- "AES_Encrypt"
- "StartUDPFlood"
- "BATScripting"
- "FBqINhRdpgnqATxJ.html"
- "magic_key"
condition: and

53
malware_insta11.yaml → Yara-Rules/insta11-malware.yaml
View File

@ -1,27 +1,28 @@
id: malware_insta11
info:
name: Insta11 Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
- 'wudMessage'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
- 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary:
id: insta11-malware
info:
name: Insta11 Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
- 'wudMessage'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
- 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary:
- 'E9000000006823040000'

56
malware_intel_virtualization.yaml → Yara-Rules/intel-virtualization-malware.yaml
View File

@ -1,29 +1,29 @@
id: malware_intel_virtualization
info:
name: Intel Virtualization Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- '4C6F6164535452494E47'
- '496E697469616C697A654B6579486F6F6B'
- '46696E645265736F7572636573'
- '4C6F6164535452494E4746726F6D484B4355'
- '6863637574696C732E444C4C'
condition: and
- type: binary # Dynamic dll (malicious)
binary:
- '483A5C466173745C506C756728686B636D64295C'
- '646C6C5C52656C656173655C48696A61636B446C6C2E706462'
id: intel-virtualization-malware
info:
name: Intel Virtualization Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- '4C6F6164535452494E47'
- '496E697469616C697A654B6579486F6F6B'
- '46696E645265736F7572636573'
- '4C6F6164535452494E4746726F6D484B4355'
- '6863637574696C732E444C4C'
condition: and
- type: binary
binary:
- '483A5C466173745C506C756728686B636D64295C'
- '646C6C5C52656C656173655C48696A61636B446C6C2E706462'
condition: and

53
malware_iotreaper.yaml → Yara-Rules/iotreaper-malware.yaml
View File

@ -1,27 +1,28 @@
id: malware_iotreaper
info:
name: IotReaper Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
- 'wudMessage'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
- 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary:
id: iotreaper-malware
info:
name: IotReaper Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
- 'wudMessage'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
- 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary:
- 'E9000000006823040000'

71
malware_linux_aesddos.yaml → Yara-Rules/linux-aesddos-malware.yaml
View File

@ -1,34 +1,37 @@
id: malware_linux_aesddos
info:
name: Linux AESDDOS Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "3AES"
- "Hacker"
condition: and
- type: word
words:
- "3AES"
- "VERSONEX"
condition: and
- type: word
words:
- "VERSONEX"
- "Hacker"
condition: and
id: linux-aesddos-malware
info:
name: Linux AESDDOS Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "3AES"
- "Hacker"
condition: and
- type: word
part: raw
words:
- "3AES"
- "VERSONEX"
condition: and
- type: word
part: raw
words:
- "VERSONEX"
- "Hacker"
condition: and

44
malware_linux_billgates.yaml → Yara-Rules/linux-billgates-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_linux_billgates
info:
name: Linux BillGates Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "12CUpdateGates"
- "11CUpdateBill"
condition: and
id: linux-billgates-malware
info:
name: Linux BillGates Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "12CUpdateGates"
- "11CUpdateBill"
condition: and

44
malware_linux_elknot.yaml → Yara-Rules/linux-elknot-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_linux_elknot
info:
name: Linux Elknot Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "ZN8CUtility7DeCryptEPciPKci"
- "ZN13CThreadAttack5StartEP11CCmdMessage"
condition: and
id: linux-elknot-malware
info:
name: Linux Elknot Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ZN8CUtility7DeCryptEPciPKci"
- "ZN13CThreadAttack5StartEP11CCmdMessage"
condition: and

44
malware_linux_mrblack.yaml → Yara-Rules/linux-mrblack-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_linux_mrblack
info:
name: Linux MrBlack Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "Mr.Black"
- "VERS0NEX:%s|%d|%d|%s"
condition: and
id: linux-mrblack-malware
info:
name: Linux MrBlack Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Mr.Black"
- "VERS0NEX:%s|%d|%d|%s"
condition: and

43
malware_linux_tsunami.yaml → Yara-Rules/linux-tsunami-malware.yaml
View File

@ -1,21 +1,22 @@
id: malware_linux_tsunami
info:
name: Linux Tsunami Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "PRIVMSG %s :[STD]Hitting %s"
- "NOTICE %s :TSUNAMI <target> <secs>"
- "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
id: linux-tsunami-malware
info:
name: Linux Tsunami Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "PRIVMSG %s :[STD]Hitting %s"
- "NOTICE %s :TSUNAMI <target> <secs>"
- "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."

60
malware_locky.yaml → Yara-Rules/locky-malware.yaml
View File

@ -1,31 +1,31 @@
id: malware_locky
info:
name: Locky Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "45b899f7f90faf45b88945b8"
- "2b0a0faf4df8894df8c745"
condition: and
- type: binary
binary:
- "2E006C006F0063006B00790000"
- "005F004C006F0063006B007900"
- "5F007200650063006F00760065"
- "0072005F0069006E0073007400"
- "720075006300740069006F006E"
- "0073002E0074007800740000"
- "536F6674776172655C4C6F636B7900"
id: locky-malware
info:
name: Locky Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "45b899f7f90faf45b88945b8"
- "2b0a0faf4df8894df8c745"
condition: and
- type: binary
binary:
- "2E006C006F0063006B00790000"
- "005F004C006F0063006B007900"
- "5F007200650063006F00760065"
- "0072005F0069006E0073007400"
- "720075006300740069006F006E"
- "0073002E0074007800740000"
- "536F6674776172655C4C6F636B7900"
condition: and

61
malware_lostdoor.yaml → Yara-Rules/lostdoor-malware.yaml
View File

@ -1,31 +1,32 @@
id: malware_lostdoor
info:
name: LostDoor Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "*mlt* = %"
- "*ip* = %"
- "*victimo* = %"
- "*name* = %"
- "[START]"
- "[DATA]"
- "We Control Your Digital World"
- "RC4Initialize"
- "RC4Decrypt"
condition: and
- type: binary
binary:
id: lostdoor-malware
info:
name: LostDoor Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "*mlt* = %"
- "*ip* = %"
- "*victimo* = %"
- "*name* = %"
- "[START]"
- "[DATA]"
- "We Control Your Digital World"
- "RC4Initialize"
- "RC4Decrypt"
condition: and
- type: binary
binary:
- "0D0A2A454449545F5345525645522A0D0A"

56
malware_luminositylink.yaml → Yara-Rules/luminositylink-malware.yaml
View File

@ -1,29 +1,29 @@
id: malware_luminositylink
info:
name: LuminosityLink Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "SMARTLOGS"
- "RUNPE"
- "b.Resources"
- "CLIENTINFO*"
- "Invalid Webcam Driver Download URL, or Failed to Download File!"
- "Proactive Anti-Malware has been manually activated!"
- "REMOVEGUARD"
- "C0n1f8"
- "Luminosity"
- "LuminosityCryptoMiner"
- "MANAGER*CLIENTDETAILS*"
id: luminositylink-malware
info:
name: LuminosityLink Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "SMARTLOGS"
- "RUNPE"
- "b.Resources"
- "CLIENTINFO*"
- "Invalid Webcam Driver Download URL, or Failed to Download File!"
- "Proactive Anti-Malware has been manually activated!"
- "REMOVEGUARD"
- "C0n1f8"
- "Luminosity"
- "LuminosityCryptoMiner"
- "MANAGER*CLIENTDETAILS*"
condition: and

46
malware_luxnet.yaml → Yara-Rules/luxnet-malware.yaml
View File

@ -1,24 +1,24 @@
id: malware_luxnet
info:
name: LuxNet Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "GetHashCode"
- "Activator"
- "WebClient"
- "op_Equality"
- "dickcursor.cur"
- "{0}|{1}|{2}"
id: luxnet-malware
info:
name: LuxNet Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "GetHashCode"
- "Activator"
- "WebClient"
- "op_Equality"
- "dickcursor.cur"
- "{0}|{1}|{2}"
condition: and

46
malware_macgyver_installer.yaml → Yara-Rules/macgyver-installer-malware.yaml
View File

@ -1,24 +1,24 @@
id: malware_macgyver_installer
info:
name: MacGyver.cap Installer Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "delete -AID 315041592e5359532e4444463031"
- "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4"
- "-mac_key 404142434445464748494a4b4c4d4e4f"
- "-enc_key 404142434445464748494a4b4c4d4e4f"
id: macgyver-installer-malware
info:
name: MacGyver.cap Installer Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "delete -AID 315041592e5359532e4444463031"
- "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4"
- "-mac_key 404142434445464748494a4b4c4d4e4f"
- "-enc_key 404142434445464748494a4b4c4d4e4f"
condition: and

52
malware_macgyver.yaml → Yara-Rules/macgyver-malware.yaml
View File

@ -1,27 +1,27 @@
id: malware_macgyver
info:
name: MacGyver.cap Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "src/MacGyver/javacard/Header.cap"
- "src/MacGyver/javacard/Directory.cap"
- "src/MacGyver/javacard/Applet.cap"
- "src/MacGyver/javacard/Import.cap"
- "src/MacGyver/javacard/ConstantPool.cap"
- "src/MacGyver/javacard/Class.cap"
- "src/MacGyver/javacard/Method.cap"
id: macgyver-malware
info:
name: MacGyver.cap Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "src/MacGyver/javacard/Header.cap"
- "src/MacGyver/javacard/Directory.cap"
- "src/MacGyver/javacard/Applet.cap"
- "src/MacGyver/javacard/Import.cap"
- "src/MacGyver/javacard/ConstantPool.cap"
- "src/MacGyver/javacard/Class.cap"
- "src/MacGyver/javacard/Method.cap"
condition: and

54
malware_madness.yaml → Yara-Rules/madness-malware.yaml
View File

@ -1,28 +1,28 @@
id: malware_madness
info:
name: Madness DDOS Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/arbor/yara/blob/master/madness.yara
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
- "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
- "document.cookie="
- "[\"cookie\",\""
- "\"realauth="
- "\"location\"];"
- "d3Rm"
- "ZXhl"
id: madness-malware
info:
name: Madness DDOS Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/arbor/yara/blob/master/madness.yara
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
- "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
- "document.cookie="
- "[\"cookie\",\""
- "\"realauth="
- "\"location\"];"
- "d3Rm"
- "ZXhl"
condition: and

35
malware_miner.yaml → Yara-Rules/miner--malware.yaml
View File

@ -1,18 +1,19 @@
id: malware_miner
info:
name: Miner Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "stratum+tcp"
id: miner-malware
info:
name: Miner Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "stratum+tcp"
- "stratum+udp"

113
malware_miniasp3.yaml → Yara-Rules/miniasp3-malware.yaml
View File

@ -1,54 +1,59 @@
id: malware_miniasp3
info:
name: MiniASP3 Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "open internet failed…"
condition: and
- type: word
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "run error!"
condition: and
- type: word
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "run ok!"
condition: and
- type: word
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "time out,change to mode 0"
condition: and
- type: word
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "command is null!"
condition: and
id: miniasp3-malware
info:
name: MiniASP3 Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "open internet failed…"
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "run error!"
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "run ok!"
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "time out,change to mode 0"
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "command is null!"
condition: and

61
malware_naikon.yaml → Yara-Rules/naikon-malware.yaml
View File

@ -1,30 +1,31 @@
id: malware_naikon
info:
name: Naikon Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "0FAFC1C1E01F"
- "355A010000"
- "81C27F140600"
condition: and
- type: word
words:
- "NOKIAN95/WEB"
- "/tag=info&id=15"
- "skg(3)=&3.2d_u1"
- "\\Temp\\iExplorer.exe"
- "\\Temp\\\"TSG\""
condition: or
id: naikon-malware
info:
name: Naikon Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "0FAFC1C1E01F"
- "355A010000"
- "81C27F140600"
condition: and
- type: word
part: raw
words:
- "NOKIAN95/WEB"
- "/tag=info&id=15"
- "skg(3)=&3.2d_u1"
- "\\Temp\\iExplorer.exe"
- "\\Temp\\\"TSG\""
condition: or

53
malware_naspyupdate.yaml → Yara-Rules/naspyupdate-malware.yaml
View File

@ -1,26 +1,27 @@
id: malware_naspyupdate
info:
name: nAspyUpdate Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "8A5424148A0132C202C28801414E75F4"
- type: word
words:
- "\\httpclient.txt"
- "password <=14"
- "/%ldn.txt"
- "Kill You\x00"
condition: or
id: naspyupdate-malware
info:
name: nAspyUpdate Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "8A5424148A0132C202C28801414E75F4"
- type: word
part: raw
words:
- "\\httpclient.txt"
- "password <=14"
- "/%ldn.txt"
- "Kill You\x00"
condition: or

35
malware_notepad.yaml → Yara-Rules/notepad-malware.yaml
View File

@ -1,18 +1,19 @@
id: malware_notepad
info:
name: Notepad v1.1 Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "75BAA77C842BE168B0F66C42C7885997"
id: notepad-malware
info:
name: Notepad v1.1 Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "75BAA77C842BE168B0F66C42C7885997"
- "B523F63566F407F3834BCC54AAA32524"

51
malware_olyx.yaml → Yara-Rules/olyx-malware.yaml
View File

@ -1,25 +1,26 @@
id: malware_olyx
info:
name: Olyx Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "/Applications/Automator.app/Contents/MacOS/DockLight"
condition: or
- type: binary
binary:
- "C7400436363636C7400836363636"
- "C740045C5C5C5CC740085C5C5C5C"
condition: or
id: olyx-malware
info:
name: Olyx Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "/Applications/Automator.app/Contents/MacOS/DockLight"
condition: or
- type: binary
binary:
- "C7400436363636C7400836363636"
- "C740045C5C5C5CC740085C5C5C5C"
condition: or

48
malware_osx_leverage.yaml → Yara-Rules/osx-leverage-malware.yaml
View File

@ -1,25 +1,25 @@
id: malware_osx_leverage
info:
name: OSX Leverage Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"
- "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
- "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
- "osascript -e 'tell application \"System Events\" to get the name of every login item'"
- "osascript -e 'tell application \"System Events\" to get the path of every login item'"
- "serverVisible \x00"
id: osx-leverage-malware
info:
name: OSX Leverage Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"
- "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
- "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
- "osascript -e 'tell application \"System Events\" to get the name of every login item'"
- "osascript -e 'tell application \"System Events\" to get the path of every login item'"
- "serverVisible \x00"
condition: and

48
malware_paradox.yaml → Yara-Rules/paradox-malware.yaml
View File

@ -1,25 +1,25 @@
id: malware_paradox
info:
name: Paradox Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "ParadoxRAT"
- "Form1"
- "StartRMCam"
- "Flooders"
- "SlowLaris"
- "SHITEMID"
- "set_Remote_Chat"
id: paradox-malware
info:
name: Paradox Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ParadoxRAT"
- "Form1"
- "StartRMCam"
- "Flooders"
- "SlowLaris"
- "SHITEMID"
- "set_Remote_Chat"
condition: and

52
malware_plasma.yaml → Yara-Rules/plasma-malware.yaml
View File

@ -1,27 +1,27 @@
id: malware_plasma
info:
name: Plasma Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "Miner: Failed to Inject."
- "Started GPU Mining on:"
- "BK: Hard Bot Killer Ran Successfully!"
- "Uploaded Keylogs Successfully!"
- "No Slowloris Attack is Running!"
- "An ARME Attack is Already Running on"
- "Proactive Bot Killer Enabled!"
- "PlasmaRAT"
- "AntiEverything"
id: plasma-malware
info:
name: Plasma Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Miner: Failed to Inject."
- "Started GPU Mining on:"
- "BK: Hard Bot Killer Ran Successfully!"
- "Uploaded Keylogs Successfully!"
- "No Slowloris Attack is Running!"
- "An ARME Attack is Already Running on"
- "Proactive Bot Killer Enabled!"
- "PlasmaRAT"
- "AntiEverything"
condition: and

65
malware_poetrat.yaml → Yara-Rules/poetrat-malware.yaml
View File

@ -1,33 +1,34 @@
id: malware_poetrat
info:
name: PoetRat Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "launcher.py"
- "smile.zip"
- "smile_funs.py"
- "frown.py"
- "backer.py"
- "smile.py"
- "affine.py"
- "cmd"
- ".exe"
condition: and
- type: regex
regex:
- '(\.py$|\.pyc$|\.pyd$|Python)'
- '\.dll'
id: poetrat-malware
info:
name: PoetRat Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "launcher.py"
- "smile.zip"
- "smile_funs.py"
- "frown.py"
- "backer.py"
- "smile.py"
- "affine.py"
- "cmd"
- ".exe"
condition: and
- type: regex
regex:
- '(\.py$|\.pyc$|\.pyd$|Python)'
- '\.dll'
condition: and

42
malware_pony.yaml → Yara-Rules/pony-malware.yaml
View File

@ -1,22 +1,22 @@
id: malware_pony
info:
name: Pony Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
- "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
- "POST %s HTTP/1.0"
- "Accept-Encoding: identity, *;q=0"
id: pony-malware
info:
name: Pony Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
- "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
- "POST %s HTTP/1.0"
- "Accept-Encoding: identity, *;q=0"
condition: and

49
malware_pubsab.yaml → Yara-Rules/pubsab-malware.yaml
View File

@ -1,25 +1,26 @@
id: malware_pubsab
info:
name: PubSab Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "_deamon_init"
- "com.apple.PubSabAgent"
- "/tmp/screen.jpeg"
condition: or
- type: binary
binary:
id: pubsab-malware
info:
name: PubSab Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "_deamon_init"
- "com.apple.PubSabAgent"
- "/tmp/screen.jpeg"
condition: or
- type: binary
binary:
- "6B45E43789CA29C28955E4"

57
malware_punisher.yaml → Yara-Rules/punisher-malware.yaml
View File

@ -1,29 +1,30 @@
id: malware_punisher
info:
name: Punisher Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "abccba"
- "SpyTheSpy"
- "wireshark"
- "apateDNS"
- "abccbaDanabccb"
condition: and
- type: binary
binary:
- "5C006800660068002E007600620073"
- "5C00730063002E007600620073"
id: punisher-malware
info:
name: Punisher Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "abccba"
- "SpyTheSpy"
- "wireshark"
- "apateDNS"
- "abccbaDanabccb"
condition: and
- type: binary
binary:
- "5C006800660068002E007600620073"
- "5C00730063002E007600620073"
condition: and

44
malware_pypi.yaml → Yara-Rules/pypi-malware.yaml
View File

@ -1,23 +1,23 @@
id: malware_pypi
info:
name: Fake PyPI Malware Detector
author: daffainfo
severity: critical
reference:
- http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "# Welcome Here! :)"
- "# just toy, no harm :)"
- "[0x76,0x21,0xfe,0xcc,0xee]"
id: pypi-malware
info:
name: Fake PyPI Malware - Detect
author: daffainfo
severity: info
reference:
- http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "# Welcome Here! :)"
- "# just toy, no harm :)"
- "[0x76,0x21,0xfe,0xcc,0xee]"
condition: and

52
malware_pythorat.yaml → Yara-Rules/pythorat-malware.yaml
View File

@ -1,26 +1,26 @@
id: malware_pythorat
info:
name: PythoRAT Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "TKeylogger"
- "uFileTransfer"
- "TTDownload"
- "SETTINGS"
- "Unknown"
- "#@#@#"
- "PluginData"
- "OnPluginMessage"
condition: and
id: pythorat-malware
info:
name: PythoRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "TKeylogger"
- "uFileTransfer"
- "TTDownload"
- "SETTINGS"
- "Unknown"
- "#@#@#"
- "PluginData"
- "OnPluginMessage"
condition: and

95
malware_qrat.yaml → Yara-Rules/qrat-malware.yaml
View File

@ -1,46 +1,49 @@
id: malware_qrat
info:
name: QRat Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "quaverse/crypter"
- "Qrypt.class"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
words:
- "e-data"
- "Qrypt.class"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
words:
- "e-data"
- "quaverse/crypter"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
words:
- "e-data"
- "quaverse/crypter"
- "Qrypt.class"
- "URLConnection.class"
condition: and
id: qrat-malware
info:
name: QRat Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "quaverse/crypter"
- "Qrypt.class"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
part: raw
words:
- "e-data"
- "Qrypt.class"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
words:
- "e-data"
- "quaverse/crypter"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
part: raw
words:
- "e-data"
- "quaverse/crypter"
- "Qrypt.class"
- "URLConnection.class"
condition: and

39
malware_satana_dropper.yaml → Yara-Rules/satana-dropper-malware.yaml
View File

@ -1,21 +1,20 @@
id: malware_satana_dropper
info:
name: Satana Dropper Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary #Dropper
binary:
- "25732D547279457863657074"
- "643A5C6C626574776D77795C75696A657571706C667775622E706462"
- "71666E7476746862"
id: satana-dropper-malware
info:
name: Satana Dropper Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "25732D547279457863657074"
- "643A5C6C626574776D77795C75696A657571706C667775622E706462"
- "71666E7476746862"
condition: and

54
malware_satana.yaml → Yara-Rules/satana-malware.yaml
View File

@ -1,28 +1,28 @@
id: malware_satana
info:
name: Satana Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "210073006100740061006E00610021002E0074007800740000"
- "456E756D4C6F63616C526573"
- "574E65744F70656E456E756D5700"
- "21534154414E4121"
condition: and
- type: binary
binary:
- "7467777975677771"
- "537776776E6775"
id: satana-malware
info:
name: Satana Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "210073006100740061006E00610021002E0074007800740000"
- "456E756D4C6F63616C526573"
- "574E65744F70656E456E756D5700"
- "21534154414E4121"
condition: and
- type: binary
binary:
- "7467777975677771"
- "537776776E6775"
condition: or

Some files were not shown because too many files have changed in this diff Show More