diff --git a/BinaryAlert/basicrat-malware.yaml b/BinaryAlert/basicrat-malware.yaml
new file mode 100644
index 0000000..077ead6
--- /dev/null
+++ b/BinaryAlert/basicrat-malware.yaml
@@ -0,0 +1,23 @@
+id: basicrat-malware
+
+info:
+  name: BasicRAT Malware - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/multi/malware_multi_vesche_basicrat.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "HKCU Run registry key applied"
+          - "HKCU Run registry key failed"
+          - "Error, platform unsupported."
+          - "Persistence successful,"
+          - "Persistence unsuccessful,"
+        condition: and
\ No newline at end of file
diff --git a/BinaryAlert/cerber-malware.yaml b/BinaryAlert/cerber-malware.yaml
new file mode 100644
index 0000000..c10f437
--- /dev/null
+++ b/BinaryAlert/cerber-malware.yaml
@@ -0,0 +1,21 @@
+id: cerber-malware
+
+info:
+  name: Cerber Malware - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_cerber_evasion.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "38oDr5.vbs"
+          - "8ivq.dll"
+          - "jmsctls_progress32"
+        condition: and
\ No newline at end of file
diff --git a/BinaryAlert/crunchrat-malware.yaml b/BinaryAlert/crunchrat-malware.yaml
new file mode 100644
index 0000000..6fbb91d
--- /dev/null
+++ b/BinaryAlert/crunchrat-malware.yaml
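Review bot: The three strings `38oDr5.vbs`, `8ivq.dll` and `jmsctls_progress32` joined with `condition: and` look like artifacts of one specific Cerber dropper (the referenced rule is named `cerber_evasion`), so the template will not fire on Cerber builds that use other file names, and the `info.name` "Cerber Malware - Detect" overstates what it covers. Consider narrowing the name and adding a description, e.g. `name: Cerber Ransomware (evasion-variant dropper) - Detect` and `description: Matches dropper artifacts from BinaryAlert's ransomware_windows_cerber_evasion rule; other Cerber builds are not covered.` I cannot see the YARA rule itself, so confirm that its condition is also all-of before relying on the `and`.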
@@ -0,0 +1,28 @@
+id: crunchrat-malware
+
+info:
+  name: CrunchRAT Malware - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_t3ntman_crunchrat.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "command"
+          - "upload"
+          - "download"
+          - "cmd.exe"
+          - "application/x-www-form-urlencoded"
+          - "&action="
+          - "&secondary="
+          - ""
+          - ""
+        condition: and
+        case-insensitive: true
\ No newline at end of file
diff --git a/BinaryAlert/hydracrypt-malware.yaml b/BinaryAlert/hydracrypt-malware.yaml
new file mode 100644
index 0000000..c7aaf46
--- /dev/null
+++ b/BinaryAlert/hydracrypt-malware.yaml
@@ -0,0 +1,23 @@
+id: ransomware_windows_hydracrypt
+
+info:
+  name: Hydracrypt Malware - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_hydracrypt.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "oTraining"
+          - "Stop Training"
+          - "Play \"sound.wav\""
+          - "&Start Recording"
+          - "7About record"
+        condition: and
\ No newline at end of file
diff --git a/BinaryAlert/macos-bella-malware.yaml b/BinaryAlert/macos-bella-malware.yaml
new file mode 100644
index 0000000..9821728
--- /dev/null
+++ b/BinaryAlert/macos-bella-malware.yaml
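Review bot: The `words` list ends with two empty entries (`- ""` twice); under `condition: and` an empty string matches trivially, so they add nothing and look like placeholders for rule strings that were dropped during conversion (presumably hex or regex strings the `word` matcher cannot express). Remove them, and if the dropped strings are what made the original rule specific, add a `regex` or `binary` matcher for them, because the remaining words (`command`, `upload`, `download`, `cmd.exe`, `application/x-www-form-urlencoded`, `&action=`) are generic enough, especially with `case-insensitive: true`, to match ordinary HTTP client binaries. At minimum the list should end with `- "&secondary="` followed directly by `condition: and`.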
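Review bot: The `id` is `ransomware_windows_hydracrypt` while every other template in this commit and the file name itself (`hydracrypt-malware.yaml`) use the kebab-case `<family>-malware` form; nuclei output and `-id` filters key on this field, so the outlier will not follow the repository's naming. Change it to `id: hydracrypt-malware`.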
@@ -0,0 +1,38 @@
+id: macos-bella-malware
+
+info:
+  name: Bella Malware - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/macos/malware_macos_bella.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "Verified! [2FV Enabled] Account ->"
+          - "There is no root shell to perform this command. See [rooter] manual entry."
+          - "Attempt to escalate Bella to root through a variety of attack vectors."
+          - "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER."
+        condition: or
+
+      - type: word
+        part: raw
+        words:
+          - "user_pass_phish"
+          - "bella_info"
+          - "get_root"
+        condition: and
+
+      - type: word
+        part: raw
+        words:
+          - "Please specify a bella server."
+          - "What port should Bella connect on [Default is 4545]:"
+        condition: and
\ No newline at end of file
diff --git a/BinaryAlert/petya-malware-variant-1.yaml b/BinaryAlert/petya-malware-variant-1.yaml
new file mode 100644
index 0000000..186774d
--- /dev/null
+++ b/BinaryAlert/petya-malware-variant-1.yaml
@@ -0,0 +1,24 @@
+id: petya-malware-variant-1
+
+info:
+  name: Petya Malware (Variant 1) - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_1.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "Ooops, your important files are encrypted."
+          - "Send your Bitcoin wallet ID and personal installation key to e-mail"
+          - "wowsmith123456@posteo.net. Your personal installation key:"
+          - "Send $300 worth of Bitcoin to following address:"
+          - "have been encrypted. Perhaps you are busy looking for a way to recover your"
+          - "need to do is submit the payment and purchase the decryption key."
+        condition: or
\ No newline at end of file
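Review bot: With `condition: or`, any single one of the six ransom-note fragments produces a match, and fragments such as `need to do is submit the payment and purchase the decryption key.` are plain English that also appears in incident reports, sandbox output and this template file itself, so a scan over `extensions: all` will label documentation as Petya. Prefer `condition: and` over the distinctive lines (`wowsmith123456@posteo.net. Your personal installation key:` and `Send $300 worth of Bitcoin to following address:` at least), or keep `or` and state the expected false positives in a `description:`. I cannot see the referenced YARA rule, so confirm which combination it actually requires.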
diff --git a/BinaryAlert/petya-malware-variant-3.yaml b/BinaryAlert/petya-malware-variant-3.yaml
new file mode 100644
index 0000000..7d161d4
--- /dev/null
+++ b/BinaryAlert/petya-malware-variant-3.yaml
@@ -0,0 +1,20 @@
+id: petya-malware-variant-3
+
+info:
+  name: Petya Malware (Variant 3) - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_3.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "wevtutil cl Setup & wevtutil cl System"
+          - "fsutil usn deletejournal /D %c:"
+        condition: or
\ No newline at end of file
diff --git a/BinaryAlert/petya-malware-variant-bitcoin.yaml b/BinaryAlert/petya-malware-variant-bitcoin.yaml
new file mode 100644
index 0000000..f0b8bab
--- /dev/null
+++ b/BinaryAlert/petya-malware-variant-bitcoin.yaml
@@ -0,0 +1,18 @@
+id: petya-malware-variant-bitcoin
+
+info:
+  name: Petya Malware (Variant Bitcoin) - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_petya_variant_bitcoin.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQAB"
\ No newline at end of file
diff --git a/BinaryAlert/pony-stealer-malware.yaml b/BinaryAlert/pony-stealer-malware.yaml
new file mode 100644
index 0000000..b2e89f2
--- /dev/null
+++ b/BinaryAlert/pony-stealer-malware.yaml
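Review bot: `wevtutil cl Setup & wevtutil cl System` and `fsutil usn deletejournal /D %c:` are generic anti-forensic commands (event-log clearing and USN-journal deletion) that other malware and some admin scripts also carry, and `condition: or` fires on either one alone, so as written this is closer to a log-wiping heuristic than a Petya-specific signature. The `%c:` in the second string is a printf placeholder, so that word only matches the unformatted string inside a binary, never a script or log where the drive letter has been substituted; that is worth a comment. Consider `condition: and` to tie the two together, and add `description: Matches the event-log and USN-journal wiping command strings embedded in Petya variant 3; either command alone is also used by other tooling.` I cannot see the YARA rule, so confirm its condition before changing `or`.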
@@ -0,0 +1,29 @@
+id: pony-stealer-malware
+
+info:
+  name: Windows Pony Stealer Malware - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/malware/windows/malware_windows_pony_stealer.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "signons.sqlite"
+          - "signons.txt"
+          - "signons2.txt"
+          - "signons3.txt"
+          - "WininetCacheCredentials"
+          - "moz_logins"
+          - "encryptedPassword"
+          - "FlashFXP"
+          - "BulletProof"
+          - "CuteFTP"
+        condition: and
+        case-insensitive: true
\ No newline at end of file
diff --git a/BinaryAlert/powerware-malware.yaml b/BinaryAlert/powerware-malware.yaml
new file mode 100644
index 0000000..6e6187d
--- /dev/null
+++ b/BinaryAlert/powerware-malware.yaml
@@ -0,0 +1,21 @@
+id: powerware-malware
+
+info:
+  name: PowerWare Malware - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_powerware_locky.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "ScriptRunner.dll"
+          - "ScriptRunner.pdb"
+          - "fixed.ps1"
+        condition: and
\ No newline at end of file
diff --git a/BinaryAlert/wannacry-malware.yaml b/BinaryAlert/wannacry-malware.yaml
new file mode 100644
index 0000000..fc020a6
--- /dev/null
+++ b/BinaryAlert/wannacry-malware.yaml
@@ -0,0 +1,32 @@
+id: wannacry-malware
+
+info:
+  name: WannaCry Malware - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_wannacry.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "msg/m_chinese"
+          - ".wnry"
+          - "attrib +h"
+        condition: and
+
+      - type: word
+        part: raw
+        words:
+          - "WNcry@2ol7"
+          - "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
+          - "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
+          - "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
+          - "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
+        condition: or
\ No newline at end of file
diff --git a/BinaryAlert/zrypt-malware.yaml b/BinaryAlert/zrypt-malware.yaml
new file mode 100644
index 0000000..3ecd1a3
--- /dev/null
+++ b/BinaryAlert/zrypt-malware.yaml
@@ -0,0 +1,34 @@
+id: zrypt-malware
+
+info:
+  name: Zcrypt Malware - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/airbnb/binaryalert/blob/master/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "How to Buy Bitcoins"
+          - "ALL YOUR PERSONAL FILES ARE ENCRYPTED"
+          - "Click Here to Show Bitcoin Address"
+          - "MyEncrypter2.pdb"
+        condition: or
+
+      - type: word
+        part: raw
+        words:
+          - ".p7b"
+          - ".p7c"
+          - ".pdd"
+          - ".pef"
+          - ".pem"
+          - "How to decrypt files.html"
+        condition: and
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
index 7bd9723..50e31c8 100644
--- a/LICENSE
+++ b/LICENSE
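Review bot: The second matcher uses `condition: or` over the kill-switch domain `iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com` and three Bitcoin addresses, which are the most widely republished WannaCry indicators (DNS blocklists, sinkhole configs, threat reports), so a scan with `extensions: all` will label those artifacts as the malware itself. Keep `WNcry@2ol7` on its own if you want a single-string hit, but move the domain and addresses into a matcher with `condition: and`, or combine them with `.wnry` and `attrib +h` from the first matcher so a hit also needs code-side strings. This is inherited from the referenced rule, so the alternative is to document the expected hits in a `description:`.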
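Review bot: The `id` (`zrypt-malware`) and the file name (`zrypt-malware.yaml`) drop the `c` from Zcrypt, while `info.name` and the `reference` URL both say Zcrypt; the id is what users pass to `-id` and what appears in reports, so the typo will make this template hard to find. Rename to `id: zcrypt-malware` and `BinaryAlert/zcrypt-malware.yaml`.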
@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2023 Muhammad Daffa
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2023 Muhammad Daffa
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index 7d03a32..77d6d19 100644
--- a/README.md
+++ b/README.md
@@ -1,251 +1,14 @@
-# Nuclei Malware
-Template to detect some malware using nuclei
-
-## Status Malware
-I took the reference from [yara rules repository](https://github.com/Yara-Rules/rules/blob/master/malware/) and in this section is about the status of each rule whether it can be made into a nuclei template or not
-
-| Malware Yara Rules | Status |
-| --- | --- |
-| MALW_ATMPot | πŸŸ₯ Impossible |
-| MALW_ATM_HelloWorld | πŸŸ₯ Impossible |
-| MALW_AZORULT | πŸŸ₯ Impossible |
-| MALW_AgentTesla | 🟨 Still possible but requires a lot of effort |
-| MALW_AgentTesla_SMTP | 🟨 Still possible but requires a lot of effort |
-| MALW_AlMashreq | 🟨 Still possible but requires a lot of effort |
-| MALW_Alina | 🟩 Possible |
-| MALW_Andromeda | 🟩 Possible |
-| MALW_Arkei | 🟩 Possible |
-| MALW_Athena | 🟨 Still possible but requires a lot of effort |
-| MALW_Atmos | πŸŸ₯ Impossible |
-| MALW_BackdoorSSH | πŸŸ₯ Impossible |
-| MALW_Backoff | 🟩 Possible |
-| MALW_Bangat | πŸŸ₯ Impossible |
-| MALW_Batel | πŸŸ₯ Impossible |
-| MALW_BlackRev | 🟨 Still possible but requires a lot of effort |
-| MALW_BlackWorm | 🟩 Possible |
-| MALW_Boouset | πŸŸ₯ Impossible |
-| MALW_Bublik | 🟩 Possible |
-| MALW_Buzus_Softpulse | πŸŸ₯ Impossible |
-| MALW_CAP_HookExKeylogger | 🟨 Still possible but requires a lot of effort |
-| MALW_Chicken | 🟨 Still possible but requires a lot of effort |
-| MALW_Citadel | πŸŸ₯ Impossible |
-| MALW_Cloaking | πŸŸ₯ Impossible |
-| MALW_Cookies | 🟨 Still possible but requires a lot of effort |
-| MALW_Corkow | πŸŸ₯ Impossible |
-| MALW_Cxpid | 🟩 Possible |
-| MALW_Cythosia | 🟩 Possible |
-| MALW_DDoSTf | 🟩 Possible |
-| MALW_Derkziel | 🟩 Possible |
-| MALW_Dexter | 🟩 Possible |
-| MALW_DiamondFox | 🟩 Possible |
-| MALW_DirtJumper | 🟨 Still possible but requires a lot of effort |
-| MALW_Eicar | 🟩 Possible |
-| MALW_Elex | πŸŸ₯ Impossible |
-| MALW_Elknot | πŸŸ₯ Impossible |
-| MALW_Emotet | πŸŸ₯ Impossible |
-| MALW_Empire | πŸŸ₯ Impossible |
-| MALW_Enfal | πŸŸ₯ Impossible |
-| MALW_Exploit_UAC_Elevators | πŸŸ₯ Impossible |
-| MALW_Ezcob | 🟩 Possible |
-| MALW_F0xy | πŸŸ₯ Impossible |
-| MALW_FALLCHILL | πŸŸ₯ Impossible |
-| MALW_FUDCrypt | 🟩 Possible |
-| MALW_FakeM | πŸŸ₯ Impossible |
-| MALW_Fareit | πŸŸ₯ Impossible |
-| MALW_Favorite | πŸŸ₯ Impossible |
-| MALW_Furtim | πŸŸ₯ Impossible |
-| MALW_Gafgyt | 🟩 Possible |
-| MALW_Genome | 🟩 Possible |
-| MALW_Glasses | 🟩 Possible |
-| MALW_Gozi | 🟩 Possible |
-| MALW_Grozlex | 🟩 Possible |
-| MALW_Hajime | πŸŸ₯ Impossible |
-| MALW_Hsdfihdf_banking | 🟨 Still possible but requires a lot of effort |
-| MALW_Httpsd_ELF | πŸŸ₯ Impossible |
-| MALW_IMuler | πŸŸ₯ Impossible |
-| MALW_IcedID | πŸŸ₯ Impossible |
-| MALW_Iexpl0ree | πŸŸ₯ Impossible |
-| MALW_Install11 | 🟩 Possible |
-| MALW_Intel_Virtualization | 🟩 Possible |
-| MALW_IotReaper | 🟩 Possible |
-| MALW_Jolob_Backdoor | 🟩 Possible |
-| MALW_KINS | 🟨 Still possible but requires a lot of effort |
-| MALW_Kelihos | 🟩 Possible |
-| MALW_KeyBase | πŸŸ₯ Impossible |
-| MALW_Korlia | πŸŸ₯ Impossible |
-| MALW_Korplug | πŸŸ₯ Impossible |
-| MALW_Kovter | 🟩 Possible |
-| MALW_Kraken | πŸŸ₯ Impossible |
-| MALW_Kwampirs | 🟩 Possible |
-| MALW_LURK0 | πŸŸ₯ Impossible |
-| MALW_Lateral_Movement | 🟩 Possible |
-| MALW_Lenovo_Superfish | πŸŸ₯ Impossible |
-| MALW_LinuxBew | 🟩 Possible |
-| MALW_LinuxHelios | 🟩 Possible |
-| MALW_LinuxMoose | πŸŸ₯ Impossible |
-| MALW_LostDoor | 🟩 Possible |
-| MALW_LuaBot | 🟩 Possible |
-| MALW_LuckyCat | πŸŸ₯ Impossible |
-| MALW_MSILStealer | 🟩 Possible |
-| MALW_MacControl | πŸŸ₯ Impossible |
-| MALW_MacGyver | 🟩 Possible |
-| MALW_Madness | 🟩 Possible |
-| MALW_Magento_backend | 🟨 Still possible but requires a lot of effort |
-| MALW_Magento_frontend | 🟨 Still possible but requires a lot of effort |
-| MALW_Magento_suspicious | πŸŸ₯ Impossible |
-| MALW_Mailers | πŸŸ₯ Impossible |
-| MALW_MedusaHTTP_2019 | 🟨 Still possible but requires a lot of effort |
-| MALW_Miancha | πŸŸ₯ Impossible |
-| MALW_MiniAsp3_mem | 🟨 Still possible but requires a lot of effort |
-| MALW_Mirai | πŸŸ₯ Impossible |
-| MALW_Mirai_Okiru_ELF | πŸŸ₯ Impossible |
-| MALW_Mirai_Satori_ELF | πŸŸ₯ Impossible |
-| MALW_Miscelanea | πŸŸ₯ Impossible |
-| MALW_Miscelanea_Linux | 🟨 Still possible but requires a lot of effort |
-| MALW_Monero_Miner_installer | 🟩 Possible |
-| MALW_NSFree | 🟩 Possible |
-| MALW_Naikon | 🟨 Still possible but requires a lot of effort |
-| MALW_Naspyupdate | 🟨 Still possible but requires a lot of effort |
-| MALW_NetTraveler | 🟨 Still possible but requires a lot of effort |
-| MALW_NionSpy | πŸŸ₯ Impossible |
-| MALW_Notepad | 🟩 Possible |
-| MALW_OSX_Leverage | 🟩 Possible |
-| MALW_Odinaff | πŸŸ₯ Impossible |
-| MALW_Olyx | 🟩 Possible |
-| MALW_PE_sections | πŸŸ₯ Impossible |
-| MALW_PittyTiger | 🟨 Still possible but requires a lot of effort |
-| MALW_PolishBankRat | πŸŸ₯ Impossible |
-| MALW_Ponmocup | πŸŸ₯ Impossible |
-| MALW_Pony | 🟩 Possible |
-| MALW_Predator | πŸŸ₯ Impossible |
-| MALW_PubSab | 🟩 Possible |
-| MALW_PurpleWave | πŸŸ₯ Impossible |
-| MALW_PyPI | 🟩 Possible |
-| MALW_Pyinstaller | πŸŸ₯ Impossible |
-| MALW_Pyinstaller_OSX | 🟩 Possible |
-| MALW_Quarian | πŸŸ₯ Impossible |
-| MALW_Rebirth_Vulcan_ELF | πŸŸ₯ Impossible |
-| MALW_Regsubdat | πŸŸ₯ Impossible |
-| MALW_Rockloader | πŸŸ₯ Impossible |
-| MALW_Rooter | πŸŸ₯ Impossible |
-| MALW_Rovnix | πŸŸ₯ Impossible |
-| MALW_Safenet | 🟩 Possible |
-| MALW_Sakurel | 🟩 Possible |
-| MALW_Sayad | 🟩 Possible |
-| MALW_Scarhikn | πŸŸ₯ Impossible |
-| MALW_Sendsafe | 🟨 Still possible but requires a lot of effort |
-| MALW_Shamoon | πŸŸ₯ Impossible |
-| MALW_Shifu | πŸŸ₯ Impossible |
-| MALW_Skeleton | πŸŸ₯ Impossible |
-| MALW_Spora | 🟩 Possible |
-| MALW_Sqlite | 🟩 Possible |
-| MALW_Stealer | 🟩 Possible |
-| MALW_Surtr | πŸŸ₯ Impossible |
-| MALW_T5000 | 🟩 Possible |
-| MALW_TRITON_HATMAN | πŸŸ₯ Impossible |
-| MALW_TRITON_ICS_FRAMEWORK | πŸŸ₯ Impossible |
-| MALW_Tedroo | 🟩 Possible |
-| MALW_Tinba | πŸŸ₯ Impossible |
-| MALW_TinyShell_Backdoor_gen | πŸŸ₯ Impossible |
-| MALW_Torte_ELF | πŸŸ₯ Impossible |
-| MALW_TreasureHunt | 🟩 Possible |
-| MALW_TrickBot | 🟩 Possible |
-| MALW_Trumpbot | 🟩 Possible |
-| MALW_Upatre | πŸŸ₯ Impossible |
-| MALW_Urausy | 🟩 Possible |
-| MALW_Vidgrab | πŸŸ₯ Impossible |
-| MALW_Virut_FileInfector_UNK_VERSION | πŸŸ₯ Impossible |
-| MALW_Volgmer | πŸŸ₯ Impossible |
-| MALW_Wabot | 🟩 Possible |
-| MALW_Warp | 🟩 Possible |
-| MALW_Wimmie | πŸŸ₯ Impossible |
-| MALW_XHide | 🟩 Possible |
-| MALW_XMRIG_Miner | 🟩 Possible |
-| MALW_XOR_DDos | 🟩 Possible |
-| MALW_Yayih | 🟩 Possible |
-| MALW_Yordanyan_ActiveAgent | 🟨 Still possible but requires a lot of effort |
-| MALW_Zegost | 🟩 Possible |
-| MALW_Zeus | πŸŸ₯ Impossible |
-| MALW_adwind_RAT | πŸŸ₯ Impossible |
-| MALW_hancitor | 🟨 Still possible but requires a lot of effort |
-| MALW_kirbi_mimikatz | πŸŸ₯ Impossible |
-| MALW_kpot | 🟨 Still possible but requires a lot of effort |
-| MALW_marap | 🟨 Still possible but requires a lot of effort |
-| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
-| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
-| MALW_viotto_keylogger | πŸŸ₯ Impossible |
-| MALW_xDedic_marketplace | πŸŸ₯ Impossible |
-| RANSOM_.CRYPTXXX.yar | 🟩 Possible |
-| RANSOM_777.yar | 🟩 Possible |
-| RANSOM_Alpha.yar | 🟩 Possible |
-| RANSOM_BadRabbit.yar | πŸŸ₯ Impossible |
-| RANSOM_Cerber.yar | πŸŸ₯ Impossible |
-| RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
-| RANSOM_Crypren.yar | πŸŸ₯ Impossible |
-| RANSOM_CryptoNar.yar | πŸŸ₯ Impossible |
-| RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
-| RANSOM_DMALocker.yar | 🟩 Possible |
-| RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
-| RANSOM_Erebus.yar | 🟩 Possible |
-| RANSOM_GPGQwerty.yar | 🟩 Possible |
-| RANSOM_GoldenEye.yar | πŸŸ₯ Impossible |
-| RANSOM_Locky.yar | 🟩 Possible |
-| RANSOM_MS17-010_Wannacrypt.yar | πŸŸ₯ Impossible |
-| RANSOM_Maze.yar | πŸŸ₯ Impossible |
-| RANSOM_PetrWrap.yar | πŸŸ₯ Impossible |
-| RANSOM_Petya.yar | πŸŸ₯ Impossible |
-| RANSOM_Petya_MS17_010.yar | πŸŸ₯ Impossible |
-| RANSOM_Pico.yar | πŸŸ₯ Impossible |
-| RANSOM_Revix.yar | πŸŸ₯ Impossible |
-| RANSOM_SamSam.yar | πŸŸ₯ Impossible |
-| RANSOM_Satana.yar | 🟩 Possible |
-| RANSOM_Shiva.yar | πŸŸ₯ Impossible |
-| RANSOM_Sigma.yar | 🟩 Possible |
-| RANSOM_Snake.yar | 🟩 Possible |
-| RANSOM_Stampado.yar | πŸŸ₯ Impossible |
-| RANSOM_TeslaCrypt.yar | 🟩 Possible |
-| RANSOM_Tox.yar | 🟩 Possible |
-| RANSOM_acroware.yar | πŸŸ₯ Impossible |
-| RANSOM_jeff_dev.yar | πŸŸ₯ Impossible |
-| RANSOM_locdoor.yar | πŸŸ₯ Impossible |
-| RANSOM_screenlocker_5h311_1nj3c706.yar | πŸŸ₯ Impossible |
-| RANSOM_shrug2.yar | πŸŸ₯ Impossible |
-| RANSOM_termite.yar | πŸŸ₯ Impossible |
-| RAT_Adwind.yar | πŸŸ₯ Impossible |
-| RAT_Adzok.yar | 🟩 Possible |
-| RAT_Asyncrat.yar | πŸŸ₯ Impossible |
-| RAT_BlackShades.yar | πŸŸ₯ Impossible |
-| RAT_Bolonyokte.yar | πŸŸ₯ Impossible |
-| RAT_Bozok.yar | 🟩 Possible |
-| RAT_Cerberus.yar | 🟩 Possible |
-| RAT_Crimson.yar | 🟩 Possible |
-| RAT_CrossRAT.yar | πŸŸ₯ Impossible |
-| RAT_CyberGate.yar | 🟩 Possible |
-| RAT_DarkComet.yar | πŸŸ₯ Impossible |
-| RAT_FlyingKitten.yar | πŸŸ₯ Impossible |
-| RAT_Gh0st.yar | πŸŸ₯ Impossible |
-| RAT_Gholee.yar | 🟩 Possible |
-| RAT_Glass.yar | 🟩 Possible |
-| RAT_Havex.yar | πŸŸ₯ Impossible |
-| RAT_Hizor.yar | πŸŸ₯ Impossible |
-| RAT_Indetectables.yar | πŸŸ₯ Impossible |
-| RAT_Inocnation.yar | πŸŸ₯ Impossible |
-| RAT_Meterpreter_Reverse_Tcp.yar | πŸŸ₯ Impossible |
-| RAT_Nanocore.yar | πŸŸ₯ Impossible |
-| RAT_NetwiredRC.yar | πŸŸ₯ Impossible |
-| RAT_Njrat.yar | πŸŸ₯ Impossible |
-| RAT_Orcus.yar | πŸŸ₯ Impossible |
-| RAT_PlugX.yar | πŸŸ₯ Impossible |
-| RAT_PoetRATDoc.yar | 🟩 Possible |
-| RAT_PoetRATPython.yar | πŸŸ₯ Impossible |
-| RAT_PoisonIvy.yar | πŸŸ₯ Impossible |
-| RAT_Ratdecoders.yar | 🟩 Possible |
-| RAT_Sakula.yar | πŸŸ₯ Impossible |
-| RAT_ShadowTech.yar | 🟩 Possible |
-| RAT_Shim.yar | 🟩 Possible |
-| RAT_Terminator.yar | 🟩 Possible |
-| RAT_Xtreme.yar | πŸŸ₯ Impossible |
-| RAT_ZoxPNG.yar | 🟩 Possible |
-| RAT_jRAT.yar | 🟩 Possible |
-| RAT_xRAT.yar | 🟩 Possible |
-| RAT_xRAT20.yar | πŸŸ₯ Impossible |
\ No newline at end of file
+# Nuclei Malware
+Template to detect some malware using nuclei. Creating these nuclei templates based on previously made YARA rules and then converting them into nuclei template format
+
+### List of Repositories
+* [https://github.com/Yara-Rules/rules](https://github.com/daffainfo/nuclei-malware/tree/master/Yara-Rules)
+* [https://github.com/airbnb/binaryalert/tree/master/rules/public](https://github.com/daffainfo/nuclei-malware/tree/master/BinaryAlert)
+
+### To-Do
+- [ ] Create a GitHub Actions workflow to detect the total number of templates in this repository
+- [ ] Gives the status of whether the template is already in the nuclei-templates repo or not (In `STATUS.md`)
+- [ ] Create more nuclei templates using these repository
+  - [x] https://github.com/airbnb/binaryalert/tree/master/rules/public
+  - [ ] https://github.com/reversinglabs/reversinglabs-yara-rules
+  - [ ] etc.
\ No newline at end of file
diff --git a/STATUS.md b/STATUS.md
new file mode 100644
index 0000000..560358c
--- /dev/null
+++ b/STATUS.md
@@ -0,0 +1,279 @@
+# List
+
+* [https://github.com/Yara-Rules/rules](https://github.com/daffainfo/nuclei-malware/tree/master/Yara-Rules)
+
+| Yara Rules | Status |
+| --- | --- |
+| MALW_ATMPot | πŸŸ₯ Impossible |
+| MALW_ATM_HelloWorld | πŸŸ₯ Impossible |
+| MALW_AZORULT | πŸŸ₯ Impossible |
+| MALW_AgentTesla | 🟨 Still possible but requires a lot of effort |
+| MALW_AgentTesla_SMTP | 🟨 Still possible but requires a lot of effort |
+| MALW_AlMashreq | 🟨 Still possible but requires a lot of effort |
+| MALW_Alina | 🟩 Possible |
+| MALW_Andromeda | 🟩 Possible |
+| MALW_Arkei | 🟩 Possible |
+| MALW_Athena | 🟨 Still possible but requires a lot of effort |
+| MALW_Atmos | πŸŸ₯ Impossible |
+| MALW_BackdoorSSH | πŸŸ₯ Impossible |
+| MALW_Backoff | 🟩 Possible |
+| MALW_Bangat | πŸŸ₯ Impossible |
+| MALW_Batel | πŸŸ₯ Impossible |
+| MALW_BlackRev | 🟨 Still possible but requires a lot of effort |
+| MALW_BlackWorm | 🟩 Possible |
+| MALW_Boouset | πŸŸ₯ Impossible |
+| MALW_Bublik | 🟩 Possible |
+| MALW_Buzus_Softpulse | πŸŸ₯ Impossible |
+| MALW_CAP_HookExKeylogger | 🟨 Still possible but requires a lot of effort |
+| MALW_Chicken | 🟨 Still possible but requires a lot of effort |
+| MALW_Citadel | πŸŸ₯ Impossible |
+| MALW_Cloaking | πŸŸ₯ Impossible |
+| MALW_Cookies | 🟨 Still possible but requires a lot of effort |
+| MALW_Corkow | πŸŸ₯ Impossible |
+| MALW_Cxpid | 🟩 Possible |
+| MALW_Cythosia | 🟩 Possible |
+| MALW_DDoSTf | 🟩 Possible |
+| MALW_Derkziel | 🟩 Possible |
+| MALW_Dexter | 🟩 Possible |
+| MALW_DiamondFox | 🟩 Possible |
+| MALW_DirtJumper | 🟨 Still possible but requires a lot of effort |
+| MALW_Eicar | 🟩 Possible |
+| MALW_Elex | πŸŸ₯ Impossible |
+| MALW_Elknot | πŸŸ₯ Impossible |
+| MALW_Emotet | πŸŸ₯ Impossible |
+| MALW_Empire | πŸŸ₯ Impossible |
+| MALW_Enfal | πŸŸ₯ Impossible |
+| MALW_Exploit_UAC_Elevators | πŸŸ₯ Impossible |
+| MALW_Ezcob | 🟩 Possible |
+| MALW_F0xy | πŸŸ₯ Impossible |
+| MALW_FALLCHILL | πŸŸ₯ Impossible |
+| MALW_FUDCrypt | 🟩 Possible |
+| MALW_FakeM | πŸŸ₯ Impossible |
+| MALW_Fareit | πŸŸ₯ Impossible |
+| MALW_Favorite | πŸŸ₯ Impossible |
+| MALW_Furtim | πŸŸ₯ Impossible |
+| MALW_Gafgyt | 🟩 Possible |
+| MALW_Genome | 🟩 Possible |
+| MALW_Glasses | 🟩 Possible |
+| MALW_Gozi | 🟩 Possible |
+| MALW_Grozlex | 🟩 Possible |
+| MALW_Hajime | πŸŸ₯ Impossible |
+| MALW_Hsdfihdf_banking | 🟨 Still possible but requires a lot of effort |
+| MALW_Httpsd_ELF | πŸŸ₯ Impossible |
+| MALW_IMuler | πŸŸ₯ Impossible |
+| MALW_IcedID | πŸŸ₯ Impossible |
+| MALW_Iexpl0ree | πŸŸ₯ Impossible |
+| MALW_Install11 | 🟩 Possible |
+| MALW_Intel_Virtualization | 🟩 Possible |
+| MALW_IotReaper | 🟩 Possible |
+| MALW_Jolob_Backdoor | 🟩 Possible |
+| MALW_KINS | 🟨 Still possible but requires a lot of effort |
+| MALW_Kelihos | 🟩 Possible |
+| MALW_KeyBase | πŸŸ₯ Impossible |
+| MALW_Korlia | πŸŸ₯ Impossible |
+| MALW_Korplug | πŸŸ₯ Impossible |
+| MALW_Kovter | 🟩 Possible |
+| MALW_Kraken | πŸŸ₯ Impossible |
+| MALW_Kwampirs | 🟩 Possible |
+| MALW_LURK0 | πŸŸ₯ Impossible |
+| MALW_Lateral_Movement | 🟩 Possible |
+| MALW_Lenovo_Superfish | πŸŸ₯ Impossible |
+| MALW_LinuxBew | 🟩 Possible |
+| MALW_LinuxHelios | 🟩 Possible |
+| MALW_LinuxMoose | πŸŸ₯ Impossible |
+| MALW_LostDoor | 🟩 Possible |
+| MALW_LuaBot | 🟩 Possible |
+| MALW_LuckyCat | πŸŸ₯ Impossible |
+| MALW_MSILStealer | 🟩 Possible |
+| MALW_MacControl | πŸŸ₯ Impossible |
+| MALW_MacGyver | 🟩 Possible |
+| MALW_Madness | 🟩 Possible |
+| MALW_Magento_backend | 🟨 Still possible but requires a lot of effort |
+| MALW_Magento_frontend | 🟨 Still possible but requires a lot of effort |
+| MALW_Magento_suspicious | πŸŸ₯ Impossible |
+| MALW_Mailers | πŸŸ₯ Impossible |
+| MALW_MedusaHTTP_2019 | 🟨 Still possible but requires a lot of effort |
+| MALW_Miancha | πŸŸ₯ Impossible |
+| MALW_MiniAsp3_mem | 🟨 Still possible but requires a lot of effort |
+| MALW_Mirai | πŸŸ₯ Impossible |
+| MALW_Mirai_Okiru_ELF | πŸŸ₯ Impossible |
+| MALW_Mirai_Satori_ELF | πŸŸ₯ Impossible |
+| MALW_Miscelanea | πŸŸ₯ Impossible |
+| MALW_Miscelanea_Linux | 🟨 Still possible but requires a lot of effort |
+| MALW_Monero_Miner_installer | 🟩 Possible |
+| MALW_NSFree | 🟩 Possible |
+| MALW_Naikon | 🟨 Still possible but requires a lot of effort |
+| MALW_Naspyupdate | 🟨 Still possible but requires a lot of effort |
+| MALW_NetTraveler | 🟨 Still possible but requires a lot of effort |
+| MALW_NionSpy | πŸŸ₯ Impossible |
+| MALW_Notepad | 🟩 Possible |
+| MALW_OSX_Leverage | 🟩 Possible |
+| MALW_Odinaff | πŸŸ₯ Impossible |
+| MALW_Olyx | 🟩 Possible |
+| MALW_PE_sections | πŸŸ₯ Impossible |
+| MALW_PittyTiger | 🟨 Still possible but requires a lot of effort |
+| MALW_PolishBankRat | πŸŸ₯ Impossible |
+| MALW_Ponmocup | πŸŸ₯ Impossible |
+| MALW_Pony | 🟩 Possible |
+| MALW_Predator | πŸŸ₯ Impossible |
+| MALW_PubSab | 🟩 Possible |
+| MALW_PurpleWave | πŸŸ₯ Impossible |
+| MALW_PyPI | 🟩 Possible |
+| MALW_Pyinstaller | πŸŸ₯ Impossible |
+| MALW_Pyinstaller_OSX | 🟩 Possible |
+| MALW_Quarian | πŸŸ₯ Impossible |
+| MALW_Rebirth_Vulcan_ELF | πŸŸ₯ Impossible |
+| MALW_Regsubdat | πŸŸ₯ Impossible |
+| MALW_Rockloader | πŸŸ₯ Impossible |
+| MALW_Rooter | πŸŸ₯ Impossible |
+| MALW_Rovnix | πŸŸ₯ Impossible |
+| MALW_Safenet | 🟩 Possible |
+| MALW_Sakurel | 🟩 Possible |
+| MALW_Sayad | 🟩 Possible |
+| MALW_Scarhikn | πŸŸ₯ Impossible |
+| MALW_Sendsafe | 🟨 Still possible but requires a lot of effort |
+| MALW_Shamoon | πŸŸ₯ Impossible |
+| MALW_Shifu | πŸŸ₯ Impossible |
+| MALW_Skeleton | πŸŸ₯ Impossible |
+| MALW_Spora | 🟩 Possible |
+| MALW_Sqlite | 🟩 Possible |
+| MALW_Stealer | 🟩 Possible |
+| MALW_Surtr | πŸŸ₯ Impossible |
+| MALW_T5000 | 🟩 Possible |
+| MALW_TRITON_HATMAN | πŸŸ₯ Impossible |
+| MALW_TRITON_ICS_FRAMEWORK | πŸŸ₯ Impossible |
+| MALW_Tedroo | 🟩 Possible |
+| MALW_Tinba | πŸŸ₯ Impossible |
+| MALW_TinyShell_Backdoor_gen | πŸŸ₯ Impossible |
+| MALW_Torte_ELF | πŸŸ₯ Impossible |
+| MALW_TreasureHunt | 🟩 Possible |
+| MALW_TrickBot | 🟩 Possible |
+| MALW_Trumpbot | 🟩 Possible |
+| MALW_Upatre | πŸŸ₯ Impossible |
+| MALW_Urausy | 🟩 Possible |
+| MALW_Vidgrab | πŸŸ₯ Impossible |
+| MALW_Virut_FileInfector_UNK_VERSION | πŸŸ₯ Impossible |
+| MALW_Volgmer | πŸŸ₯ Impossible |
+| MALW_Wabot | 🟩 Possible |
+| MALW_Warp | 🟩 Possible |
+| MALW_Wimmie | πŸŸ₯ Impossible |
+| MALW_XHide | 🟩 Possible |
+| MALW_XMRIG_Miner | 🟩 Possible |
+| MALW_XOR_DDos | 🟩 Possible |
+| MALW_Yayih | 🟩 Possible |
+| MALW_Yordanyan_ActiveAgent | 🟨 Still possible but requires a lot of effort |
+| MALW_Zegost | 🟩 Possible |
+| MALW_Zeus | πŸŸ₯ Impossible |
+| MALW_adwind_RAT | πŸŸ₯ Impossible |
+| MALW_hancitor | 🟨 Still possible but requires a lot of effort |
+| MALW_kirbi_mimikatz | πŸŸ₯ Impossible |
+| MALW_kpot | 🟨 Still possible but requires a lot of effort |
+| MALW_marap | 🟨 Still possible but requires a lot of effort |
+| MALW_shifu_shiz | 🟨 Still possible but requires a lot of effort |
+| MALW_sitrof_fortis_scar | 🟨 Still possible but requires a lot of effort |
+| MALW_viotto_keylogger | πŸŸ₯ Impossible |
+| MALW_xDedic_marketplace | πŸŸ₯ Impossible |
+| RANSOM_.CRYPTXXX.yar | 🟩 Possible |
+| RANSOM_777.yar | 🟩 Possible |
+| RANSOM_Alpha.yar | 🟩 Possible |
+| RANSOM_BadRabbit.yar | πŸŸ₯ Impossible |
+| RANSOM_Cerber.yar | πŸŸ₯ Impossible |
+| RANSOM_Comodosec.yar | 🟨 Still possible but requires a lot of effort |
+| RANSOM_Crypren.yar | πŸŸ₯ Impossible |
+| RANSOM_CryptoNar.yar | πŸŸ₯ Impossible |
+| RANSOM_Cryptolocker.yar | 🟨 Still possible but requires a lot of effort |
+| RANSOM_DMALocker.yar | 🟩 Possible |
+| RANSOM_DoublePulsar_Petya.yar | 🟩 Possible |
+| RANSOM_Erebus.yar | 🟩 Possible |
+| RANSOM_GPGQwerty.yar | 🟩 Possible |
+| RANSOM_GoldenEye.yar | πŸŸ₯ Impossible |
+| RANSOM_Locky.yar | 🟩 Possible |
+| RANSOM_MS17-010_Wannacrypt.yar | πŸŸ₯ Impossible |
+| RANSOM_Maze.yar | πŸŸ₯ Impossible |
+| RANSOM_PetrWrap.yar | πŸŸ₯ Impossible |
+| RANSOM_Petya.yar | πŸŸ₯ Impossible |
+| RANSOM_Petya_MS17_010.yar | πŸŸ₯ Impossible |
+| RANSOM_Pico.yar | πŸŸ₯ Impossible |
+| RANSOM_Revix.yar | πŸŸ₯ Impossible |
+| RANSOM_SamSam.yar | πŸŸ₯ Impossible |
+| RANSOM_Satana.yar | 🟩 Possible |
+| RANSOM_Shiva.yar | πŸŸ₯ Impossible |
+| RANSOM_Sigma.yar | 🟩 Possible |
+| RANSOM_Snake.yar | 🟩 Possible |
+| RANSOM_Stampado.yar | πŸŸ₯ Impossible |
+| RANSOM_TeslaCrypt.yar | 🟩 Possible |
+| RANSOM_Tox.yar | 🟩 Possible |
+| RANSOM_acroware.yar | πŸŸ₯ Impossible |
+| RANSOM_jeff_dev.yar | πŸŸ₯ Impossible |
+| RANSOM_locdoor.yar | πŸŸ₯ Impossible |
+| RANSOM_screenlocker_5h311_1nj3c706.yar | πŸŸ₯ Impossible |
+| RANSOM_shrug2.yar | πŸŸ₯ Impossible |
+| RANSOM_termite.yar | πŸŸ₯ Impossible |
+| RAT_Adwind.yar | πŸŸ₯ Impossible |
+| RAT_Adzok.yar | 🟩 Possible |
+| RAT_Asyncrat.yar | πŸŸ₯ Impossible |
+| RAT_BlackShades.yar | πŸŸ₯ Impossible |
+| RAT_Bolonyokte.yar | πŸŸ₯ Impossible |
+| RAT_Bozok.yar | 🟩 Possible |
+| RAT_Cerberus.yar | 🟩 Possible |
+| RAT_Crimson.yar | 🟩 Possible |
+| RAT_CrossRAT.yar | πŸŸ₯ Impossible |
+| RAT_CyberGate.yar | 🟩 Possible |
+| RAT_DarkComet.yar | πŸŸ₯ Impossible |
+| RAT_FlyingKitten.yar | πŸŸ₯ Impossible |
+| RAT_Gh0st.yar | πŸŸ₯ Impossible |
+| RAT_Gholee.yar | 🟩 Possible |
+| RAT_Glass.yar | 🟩 Possible |
+| RAT_Havex.yar | πŸŸ₯ Impossible |
+| RAT_Hizor.yar | πŸŸ₯ Impossible |
+| RAT_Indetectables.yar | πŸŸ₯ Impossible |
+| RAT_Inocnation.yar | πŸŸ₯ Impossible |
+| RAT_Meterpreter_Reverse_Tcp.yar | πŸŸ₯ Impossible |
+| RAT_Nanocore.yar | πŸŸ₯ Impossible |
+| RAT_NetwiredRC.yar | πŸŸ₯ Impossible |
+| RAT_Njrat.yar | πŸŸ₯ Impossible |
+| RAT_Orcus.yar | πŸŸ₯ Impossible |
+| RAT_PlugX.yar | πŸŸ₯ Impossible |
+| RAT_PoetRATDoc.yar | 🟩 Possible |
+| RAT_PoetRATPython.yar | πŸŸ₯ Impossible |
+| RAT_PoisonIvy.yar | πŸŸ₯ Impossible |
+| RAT_Ratdecoders.yar | 🟩 Possible |
+| RAT_Sakula.yar | πŸŸ₯ Impossible |
+| RAT_ShadowTech.yar | 🟩 Possible |
+| RAT_Shim.yar | 🟩 Possible |
+| RAT_Terminator.yar | 🟩 Possible |
+| RAT_Xtreme.yar | πŸŸ₯ Impossible |
+| RAT_ZoxPNG.yar | 🟩 Possible |
+| RAT_jRAT.yar | 🟩 Possible |
+| RAT_xRAT.yar | 🟩 Possible |
+| RAT_xRAT20.yar | πŸŸ₯ Impossible |
+
+* [https://github.com/airbnb/binaryalert/tree/master/rules/public](https://github.com/daffainfo/nuclei-malware/tree/master/BinaryAlert)
+
+| Yara Rules | Status |
+| --- | --- |
+| malware_macos_apt_sofacy_xagent.yara | πŸŸ₯ Impossible |
+| malware_macos_bella.yara | 🟩 Possible |
+| malware_macos_macspy.yara | πŸŸ₯ Impossible |
+| malware_macos_marten4n6_evilosx.yara | 🟨 Still possible but requires a lot of effort |
+| malware_macos_neoneggplant_eggshell.yara | 🟨 Still possible but requires a lot of effort |
+| malware_macos_proton_rat_generic.yara | πŸŸ₯ Impossible |
+| malware_multi_pupy_rat.yara | 🟨 Still possible but requires a lot of effort |
+| malware_multi_vesche_basicrat.yara | 🟩 Possible |
+| malware_windows_apt_red_leaves_generic.yara | 🟨 Still possible but requires a lot of effort |
+| malware_windows_pony_stealer.yara | 🟩 Possible |
+| malware_windows_remcos_rat.yara | 🟨 Still possible but requires a lot of effort |
+| malware_windows_t3ntman_crunchrat.yara | 🟩 Possible |
+| malware_windows_xrat_quasarrat.yara | 🟨 Still possible but requires a lot of effort |
+| ransomware_windows_HDDCryptorA.yara | 🟨 Still possible but requires a lot of effort |
+| ransomware_windows_cerber_evasion.yara | 🟩 Possible |
+| ransomware_windows_cryptolocker.yara | 🟨 Still possible but requires a lot of effort |
+| ransomware_windows_hydracrypt.yara | 🟩 Possible |
+| ransomware_windows_lazarus_wannacry.yara | πŸŸ₯ Impossible |
+| ransomware_windows_petya_variant_1.yara | 🟩 Possible |
+| ransomware_windows_petya_variant_2.yara | 🟨 Still possible but requires a lot of effort |
+| ransomware_windows_petya_variant_3.yara | 🟩 Possible |
+| ransomware_windows_petya_variant_bitcoin.yara | 🟩 Possible |
+| ransomware_windows_powerware_locky.yara | 🟩 Possible |
+| ransomware_windows_wannacry.yara | 🟩 Possible |
+| ransomware_windows_zcrypt.yara | 🟩 Possible |
\ No newline at end of file
diff --git a/malware_aar.yaml b/Yara-Rules/aar-malware.yaml
similarity index 77%
rename from malware_aar.yaml
rename to Yara-Rules/aar-malware.yaml
index 8705fe0..e90211d 100644
--- a/malware_aar.yaml
+++ b/Yara-Rules/aar-malware.yaml
@@ -1,25 +1,25 @@
-id: malware_aar
-
-info:
-  name: AAR Malware Detector
-  author: daffainfo
-  severity: critical
-  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
-  tags: malware,file
-
-file:
-  - extensions:
-      - all
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - "Hashtable"
-          - "get_IsDisposed"
-          - "TripleDES"
-          - "testmemory.FRMMain.resources"
-          - "$this.Icon"
-          - "{11111-22222-20001-00001}"
-          - "@@@@@"
+id: aar-malware
+
+info:
+  name: AAR Malware - Detect
+  author: daffainfo
+  severity: info
+  reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+  tags: malware,file
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: word
+        part: raw
+        words:
+          - "Hashtable"
+          - "get_IsDisposed"
+          - "TripleDES"
+          - "testmemory.FRMMain.resources"
+          - "$this.Icon"
+          - "{11111-22222-20001-00001}"
+          - "@@@@@"
         condition: and
\ No newline at end of file
diff --git a/malware_adzok.yaml b/Yara-Rules/adzok-malware.yaml
similarity index 87%
rename from malware_adzok.yaml
rename to Yara-Rules/adzok-malware.yaml
index 38b78ed..325e690 100644
--- a/malware_adzok.yaml
+++ b/Yara-Rules/adzok-malware.yaml
@@ -1,102 +1,110 @@ -id: malware_adzok - -info: - name: Adzok Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - "key.classPK" - - "svd$1.classPK" - - "svd$2.classPK" - - "Mensaje.classPK" - - "inic$ShutdownHook.class" - - "Uninstall.jarPK" - - "resources/icono.pngPK" - condition: and - - - type: word - words: - - "config.xmlPK" - - "svd$1.classPK" - - "svd$2.classPK" - - "Mensaje.classPK" - - "inic$ShutdownHook.class" - - "Uninstall.jarPK" - - "resources/icono.pngPK" - condition: and - - - type: word - words: - - "config.xmlPK" - - "key.classPK" - - "svd$1.classPK" - - "Mensaje.classPK" - - "inic$ShutdownHook.class" - - "Uninstall.jarPK" - - "resources/icono.pngPK" - condition: and - - - type: word - words: - - "config.xmlPK" - - "key.classPK" - - "svd$2.classPK" - - "Mensaje.classPK" - - "inic$ShutdownHook.class" - - "Uninstall.jarPK" - - "resources/icono.pngPK" - condition: and - - - type: word - words: - - "config.xmlPK" - - "key.classPK" - - "svd$1.classPK" - - "svd$2.classPK" - - "inic$ShutdownHook.class" - - "Uninstall.jarPK" - - "resources/icono.pngPK" - condition: and - - - type: word - words: - - "config.xmlPK" - - "key.classPK" - - "svd$1.classPK" - - "svd$2.classPK" - - "Mensaje.classPK" - - "Uninstall.jarPK" - - "resources/icono.pngPK" - condition: and - - - type: word - words: - - "config.xmlPK" - - "key.classPK" - - "svd$1.classPK" - - "svd$2.classPK" - - "Mensaje.classPK" - - "inic$ShutdownHook.class" - - "Uninstall.jarPK" - condition: and - - - type: word - words: - - "config.xmlPK" - - "key.classPK" - - "svd$1.classPK" - - "svd$2.classPK" - - "Mensaje.classPK" - - "inic$ShutdownHook.class" - - "resources/icono.pngPK" +id: adzok-malware + +info: + name: Adzok Malware - Detect + author: daffainfo + severity: info + reference: 
https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - "key.classPK" + - "svd$1.classPK" + - "svd$2.classPK" + - "Mensaje.classPK" + - "inic$ShutdownHook.class" + - "Uninstall.jarPK" + - "resources/icono.pngPK" + condition: and + + - type: word + part: raw + words: + - "config.xmlPK" + - "svd$1.classPK" + - "svd$2.classPK" + - "Mensaje.classPK" + - "inic$ShutdownHook.class" + - "Uninstall.jarPK" + - "resources/icono.pngPK" + condition: and + + - type: word + part: raw + words: + - "config.xmlPK" + - "key.classPK" + - "svd$1.classPK" + - "Mensaje.classPK" + - "inic$ShutdownHook.class" + - "Uninstall.jarPK" + - "resources/icono.pngPK" + condition: and + + - type: word + part: raw + words: + - "config.xmlPK" + - "key.classPK" + - "svd$2.classPK" + - "Mensaje.classPK" + - "inic$ShutdownHook.class" + - "Uninstall.jarPK" + - "resources/icono.pngPK" + condition: and + + - type: word + part: raw + words: + - "config.xmlPK" + - "key.classPK" + - "svd$1.classPK" + - "svd$2.classPK" + - "inic$ShutdownHook.class" + - "Uninstall.jarPK" + - "resources/icono.pngPK" + condition: and + + - type: word + part: raw + words: + - "config.xmlPK" + - "key.classPK" + - "svd$1.classPK" + - "svd$2.classPK" + - "Mensaje.classPK" + - "Uninstall.jarPK" + - "resources/icono.pngPK" + condition: and + + - type: word + part: raw + words: + - "config.xmlPK" + - "key.classPK" + - "svd$1.classPK" + - "svd$2.classPK" + - "Mensaje.classPK" + - "inic$ShutdownHook.class" + - "Uninstall.jarPK" + condition: and + + - type: word + part: raw + words: + - "config.xmlPK" + - "key.classPK" + - "svd$1.classPK" + - "svd$2.classPK" + - "Mensaje.classPK" + - "inic$ShutdownHook.class" + - "resources/icono.pngPK" condition: and \ No newline at end of file 
diff --git a/malware_alfa.yaml b/Yara-Rules/alfa-malware.yaml similarity index 77% rename from malware_alfa.yaml rename to Yara-Rules/alfa-malware.yaml index 873196d..cd83d7b 100644 --- a/malware_alfa.yaml +++ b/Yara-Rules/alfa-malware.yaml @@ -1,20 +1,19 @@ -id: malware_alfa - -info: - name: Alfa Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: binary - binary: - - "8B0C9781E1FFFF000081F919040000740F81F9" - - "220400007407423BD07CE2EB02" - condition: and +id: alfa-malware + +info: + name: Alfa Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: + - "8B0C9781E1FFFF000081F919040000740F81F9" + - "220400007407423BD07CE2EB02" + condition: and diff --git a/malware_alienspy.yaml b/Yara-Rules/alienspy-malware.yaml similarity index 74% rename from malware_alienspy.yaml rename to Yara-Rules/alienspy-malware.yaml index aaa6462..59dbed1 100644 --- a/malware_alienspy.yaml +++ b/Yara-Rules/alienspy-malware.yaml 
@@ -1,25 +1,25 @@ -id: malware_alienspy - -info: - name: AlienSpy Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "META-INF/MANIFEST.MF" - - "ePK" - - "kPK" - - "config.ini" - - "password.ini" - - "stub/stub.dll" - - "c.dat" +id: alienspy-malware + +info: + name: AlienSpy Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "META-INF/MANIFEST.MF" + - "ePK" + - "kPK" + - "config.ini" + - "password.ini" + - "stub/stub.dll" + - "c.dat" condition: and \ No newline at end of file diff --git a/malware_alina.yaml b/Yara-Rules/alina-malware.yaml similarity index 69% rename from malware_alina.yaml rename to Yara-Rules/alina-malware.yaml index f6ff798..aeb2a94 100644 --- a/malware_alina.yaml +++ b/Yara-Rules/alina-malware.yaml @@ -1,21 +1,21 @@ -id: malware_alina - -info: - name: Alina Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'Alina v1.0' - - 'POST' - - '1[0-2])[0-9]' +id: alina-malware + +info: + name: Alina Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'Alina v1.0' + - 'POST' + - '1[0-2])[0-9]' condition: and \ No newline at end of file 
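Review bot: The last word in the alina-malware matcher, `'1[0-2])[0-9]'`, reads as a regular-expression fragment (a character class and an unbalanced parenthesis) but sits in a `type: word` matcher, which nuclei compares as a literal substring, so it only matches those exact characters and, combined with `condition: and`, keeps the whole template from firing on a real sample. If the referenced MALW_Alina rule expresses this as a regex, the line belongs in a separate `type: regex` matcher with a valid pattern under `regex:`; otherwise it should be dropped. Worth checking against the upstream YARA source before merging, since the commit rewrites every line of this file but carries the fragment over unchanged.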
diff --git a/malware_alpha.yaml b/Yara-Rules/alpha-malware.yaml similarity index 78% rename from malware_alpha.yaml rename to Yara-Rules/alpha-malware.yaml index dd2082a..61598b6 100644 --- a/malware_alpha.yaml +++ b/Yara-Rules/alpha-malware.yaml @@ -1,17 +1,17 @@ -id: malware_alpha - -info: - name: Alpha Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: binary - binary: - - "520065006100640020004D0065002000280048006F00770020004400650063" +id: alpha-malware + +info: + name: Alpha Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: + - "520065006100640020004D0065002000280048006F00770020004400650063" diff --git a/malware_andromeda.yaml b/Yara-Rules/andromeda-malware.yaml similarity index 71% rename from malware_andromeda.yaml rename to Yara-Rules/andromeda-malware.yaml index 3e4886e..fa33859 100644 --- a/malware_andromeda.yaml +++ b/Yara-Rules/andromeda-malware.yaml 
@@ -1,22 +1,23 @@ -id: malware_andromeda - -info: - name: Andromeda Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst' - - - type: binary - binary: +id: andromeda-malware + +info: + name: Andromeda Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: word + part: raw + words: + - 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst' + + - type: binary + binary: - "1C1C1D03494746" \ No newline at end of file diff --git a/malware_ap0calypse.yaml b/Yara-Rules/ap0calypse-malware.yaml similarity index 72% rename from malware_ap0calypse.yaml rename to Yara-Rules/ap0calypse-malware.yaml index 855ea9f..ea987ae 100644 --- a/malware_ap0calypse.yaml +++ b/Yara-Rules/ap0calypse-malware.yaml 
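Review bot: The word `'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'` in the andromeda-malware matcher is a single-quoted YAML scalar, where `\\` is not an escape and stays two literal backslashes, so the matcher searches for doubled separators. If the upstream rule means a single backslash per separator, as its double-quoted YARA form would imply, switch to double quotes, `- "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst"`, so each `\\` collapses to one backslash, or write single backslashes inside the single quotes. The same issue affects `'\\files\\'` in the arkei-malware hunk further down, whereas the bandook-malware hunk already uses double quotes for `"%s\\system32\\drivers\\blogs\\*"` and is correct.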
@@ -1,24 +1,24 @@ -id: malware_ap0calypse - -info: - name: Ap0calypse Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "Ap0calypse" - - "Sifre" - - "MsgGoster" - - "Baslik" - - "Dosyalars" - - "Injecsiyon" +id: ap0calypse-malware + +info: + name: Ap0calypse Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "Ap0calypse" + - "Sifre" + - "MsgGoster" + - "Baslik" + - "Dosyalars" + - "Injecsiyon" condition: and \ No newline at end of file diff --git a/malware_arcom.yaml b/Yara-Rules/arcom-malware.yaml similarity index 78% rename from malware_arcom.yaml rename to Yara-Rules/arcom-malware.yaml index de8159d..3b654e0 100644 --- a/malware_arcom.yaml +++ b/Yara-Rules/arcom-malware.yaml 
@@ -1,27 +1,28 @@ -id: malware_arcom - -info: - name: Arcom Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "CVu3388fnek3W(3ij3fkp0930di" - - "ZINGAWI2" - - "clWebLightGoldenrodYellow" - - "Ancestor for '%s' not found" - - "Control-C hit" - condition: and - - - type: binary - binary: +id: arcom-malware + +info: + name: Arcom Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: word + part: raw + words: + - "CVu3388fnek3W(3ij3fkp0930di" + - "ZINGAWI2" + - "clWebLightGoldenrodYellow" + - "Ancestor for '%s' not found" + - "Control-C hit" + condition: and + + - type: binary + binary: - "A3242521" \ No newline at end of file diff --git a/malware_arkei.yaml b/Yara-Rules/arkei-malware.yaml similarity index 72% rename from malware_arkei.yaml rename to Yara-Rules/arkei-malware.yaml index af3f70e..90395cd 100644 --- a/malware_arkei.yaml +++ b/Yara-Rules/arkei-malware.yaml 
@@ -1,23 +1,23 @@ -id: malware_arkei - -info: - name: Arkei Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'Arkei' - - '/server/gate' - - '/server/grubConfig' - - '\\files\\' - - 'SQLite' +id: arkei-malware + +info: + name: Arkei Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'Arkei' + - '/server/gate' + - '/server/grubConfig' + - '\\files\\' + - 'SQLite' condition: and \ No newline at end of file diff --git a/malware_backoff.yaml b/Yara-Rules/backoff-malware.yaml similarity index 71% rename from malware_backoff.yaml rename to Yara-Rules/backoff-malware.yaml index 635f0fa..6aab1cf 100644 --- a/malware_backoff.yaml +++ b/Yara-Rules/backoff-malware.yaml @@ -1,21 +1,21 @@ -id: malware_backoff - -info: - name: Backoff Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s' - - '%s @ %s' - - 'Upload KeyLogs' +id: backoff-malware + +info: + name: Backoff Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s' + - '%s @ %s' + - 'Upload KeyLogs' condition: and \ No newline at end of file 
diff --git a/malware_bandook.yaml b/Yara-Rules/bandook-malware.yaml similarity index 81% rename from malware_bandook.yaml rename to Yara-Rules/bandook-malware.yaml index fcdc999..db468d8 100644 --- a/malware_bandook.yaml +++ b/Yara-Rules/bandook-malware.yaml @@ -1,28 +1,28 @@ -id: malware_bandook - -info: - name: Bandook Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "aaaaaa1|" - - "aaaaaa2|" - - "aaaaaa3|" - - "aaaaaa4|" - - "aaaaaa5|" - - "%s%d.exe" - - "astalavista" - - "givemecache" - - "%s\\system32\\drivers\\blogs\\*" - - "bndk13me" - condition: and +id: bandook-malware + +info: + name: Bandook Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "aaaaaa1|" + - "aaaaaa2|" + - "aaaaaa3|" + - "aaaaaa4|" + - "aaaaaa5|" + - "%s%d.exe" + - "astalavista" + - "givemecache" + - "%s\\system32\\drivers\\blogs\\*" + - "bndk13me" + condition: and diff --git a/malware_blacknix.yaml b/Yara-Rules/blacknix-malware.yaml similarity index 76% rename from malware_blacknix.yaml rename to Yara-Rules/blacknix-malware.yaml index d542900..edf25ce 100644 --- a/malware_blacknix.yaml +++ b/Yara-Rules/blacknix-malware.yaml 
@@ -1,23 +1,23 @@ -id: malware_blacknix - -info: - name: BlackNix Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "SETTINGS" - - "Mark Adler" - - "Random-Number-Here" - - "RemoteShell" - - "SystemInfo" - condition: and +id: blacknix-malware + +info: + name: BlackNix Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "SETTINGS" + - "Mark Adler" + - "Random-Number-Here" + - "RemoteShell" + - "SystemInfo" + condition: and diff --git a/malware_blackworm.yaml b/Yara-Rules/blackworm-malware.yaml similarity index 79% rename from malware_blackworm.yaml rename to Yara-Rules/blackworm-malware.yaml index 6703850..adbf7a0 100644 --- a/malware_blackworm.yaml +++ b/Yara-Rules/blackworm-malware.yaml 
@@ -1,29 +1,29 @@ -id: malware_blackworm - -info: - name: Blackworm Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'm_ComputerObjectProvider' - - 'MyWebServices' - - 'get_ExecutablePath' - - 'get_WebServices' - - 'My.WebServices' - - 'My.User' - - 'm_UserObjectProvider' - - 'DelegateCallback' - - 'TargetMethod' - - '000004b0' - - 'Microsoft Corporation' +id: blackworm-malware + +info: + name: Blackworm Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'm_ComputerObjectProvider' + - 'MyWebServices' + - 'get_ExecutablePath' + - 'get_WebServices' + - 'My.WebServices' + - 'My.User' + - 'm_UserObjectProvider' + - 'DelegateCallback' + - 'TargetMethod' + - '000004b0' + - 'Microsoft Corporation' condition: and \ No newline at end of file diff --git a/malware_bluebanana.yaml b/Yara-Rules/bluebanana-malware.yaml similarity index 77% rename from malware_bluebanana.yaml rename to Yara-Rules/bluebanana-malware.yaml index 4b67384..d1652ec 100644 --- a/malware_bluebanana.yaml +++ b/Yara-Rules/bluebanana-malware.yaml 
@@ -1,24 +1,24 @@ -id: malware_bluebanana - -info: - name: BlueBanana Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "META-INF" - - "config.txt" - - "a/a/a/a/f.class" - - "a/a/a/a/l.class" - - "a/a/a/b/q.class" - - "a/a/a/b/v.class" - condition: and +id: bluebanana-malware + +info: + name: BlueBanana Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "META-INF" + - "config.txt" + - "a/a/a/a/f.class" + - "a/a/a/a/l.class" + - "a/a/a/b/q.class" + - "a/a/a/b/v.class" + condition: and diff --git a/malware_bozok.yaml b/Yara-Rules/bozok-malware.yaml similarity index 72% rename from malware_bozok.yaml rename to Yara-Rules/bozok-malware.yaml index 7843410..a883f2c 100644 --- a/malware_bozok.yaml +++ b/Yara-Rules/bozok-malware.yaml 
@@ -1,24 +1,24 @@ -id: malware_bozok - -info: - name: Bozok Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "getVer" - - "StartVNC" - - "SendCamList" - - "untPlugin" - - "gethostbyname" - condition: and +id: bozok-malware + +info: + name: Bozok Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "getVer" + - "StartVNC" + - "SendCamList" + - "untPlugin" + - "gethostbyname" + condition: and case-insensitive: true \ No newline at end of file diff --git a/malware_bublik.yaml b/Yara-Rules/bublik-malware.yaml similarity index 78% rename from malware_bublik.yaml rename to Yara-Rules/bublik-malware.yaml index 12cc09d..527f68a 100644 --- a/malware_bublik.yaml +++ b/Yara-Rules/bublik-malware.yaml @@ -1,20 +1,19 @@ -id: malware_bublik - -info: - name: Bublik Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: binary - binary: - - '636F6E736F6C6173' - - '636C556E00696E666F2E696E69' +id: bublik-malware + +info: + name: Bublik Malware Detector + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: + - '636F6E736F6C6173' + - '636C556E00696E666F2E696E69' condition: and \ No newline at end of file 
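Review bot: `name: Bublik Malware Detector` in the bublik-malware hunk keeps the old wording while every other template in this commit was renamed to the `<Family> Malware - Detect` form (for example `name: Bozok Malware - Detect` in the hunk just above). Change it to `name: Bublik Malware - Detect` so the template index stays uniform; the rest of the hunk (new `id`, `severity: info`, dropped `matchers-condition`) already follows the new convention.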
diff --git a/malware_cap_hookexkeylogger.yaml b/Yara-Rules/cap-hookexkeylogger-malware.yaml similarity index 74% rename from malware_cap_hookexkeylogger.yaml rename to Yara-Rules/cap-hookexkeylogger-malware.yaml index 88f071c..fd2fae1 100644 --- a/malware_cap_hookexkeylogger.yaml +++ b/Yara-Rules/cap-hookexkeylogger-malware.yaml @@ -1,35 +1,38 @@ -id: malware_cap_hookexkeylogger - -info: - name: CAP HookExKeylogger Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - "SetWindowsHookEx" - - "WH_KEYBOARD_LL" - condition: and - case-insensitive: true - - - type: word - words: - - "SetWindowsHookEx" - - "WH_KEYBOARD" - condition: and - case-insensitive: true - - - type: word - words: - - "WH_KEYBOARD" - - "WH_KEYBOARD_LL" - condition: and +id: cap-hookexkeylogger-malware + +info: + name: CAP HookExKeylogger Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - "SetWindowsHookEx" + - "WH_KEYBOARD_LL" + condition: and + case-insensitive: true + + - type: word + part: raw + words: + - "SetWindowsHookEx" + - "WH_KEYBOARD" + condition: and + case-insensitive: true + + - type: word + part: raw + words: + - "WH_KEYBOARD" + - "WH_KEYBOARD_LL" + condition: and case-insensitive: true \ No newline at end of file diff --git a/malware_cerberus.yaml b/Yara-Rules/cerberus-malware.yaml similarity index 76% rename from malware_cerberus.yaml rename to Yara-Rules/cerberus-malware.yaml index 0bc53ba..4a7841c 100644 --- a/malware_cerberus.yaml +++ b/Yara-Rules/cerberus-malware.yaml 
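Review bot: Two of the three word matchers in cap-hookexkeylogger-malware are redundant under `matchers-condition: or`: nuclei's word matcher is a substring test and `WH_KEYBOARD_LL` contains `WH_KEYBOARD`, so the first matcher (`SetWindowsHookEx` + `WH_KEYBOARD_LL`) can only fire when the second (`SetWindowsHookEx` + `WH_KEYBOARD`) already does, and the third (`WH_KEYBOARD` + `WH_KEYBOARD_LL`) reduces to `WH_KEYBOARD_LL` alone. The template is therefore equivalent to "SetWindowsHookEx with WH_KEYBOARD, or WH_KEYBOARD_LL anywhere", which is worth stating in a comment above `matchers-condition: or` or collapsing to those two matchers, because the expanded form suggests a stricter test than is actually run. Both names are ordinary Win32 API identifiers found in many legitimate keyboard-hook programs and debug builds, so `severity: info` is appropriate and the rule should be documented as a capability hint rather than a malware verdict.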
@@ -1,26 +1,28 @@ -id: malware_cerberus - -info: - name: Cerberus Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - "Ypmw1Syv023QZD" - - "wZ2pla" - - "wBmpf3Pb7RJe" - condition: or - - - type: word - words: - - "cerberus" - case-insensitive: true +id: cerberus-malware + +info: + name: Cerberus Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - "Ypmw1Syv023QZD" + - "wZ2pla" + - "wBmpf3Pb7RJe" + condition: or + + - type: word + part: raw + words: + - "cerberus" + case-insensitive: true diff --git a/malware_clientmesh.yaml b/Yara-Rules/clientmesh-malware.yaml similarity index 75% rename from malware_clientmesh.yaml rename to Yara-Rules/clientmesh-malware.yaml index 7fdc288..ed7c9f7 100644 --- a/malware_clientmesh.yaml +++ b/Yara-Rules/clientmesh-malware.yaml 
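Review bot: The second matcher in cerberus-malware, a lone case-insensitive `"cerberus"` under `matchers-condition: or`, fires on any file that contains the word — documentation, unrelated products using the name, or this template itself — so it will dominate results and bury the specific tokens in the first matcher. If the referenced RAT_Cerberus rule pairs the generic word with other indicators, the template should do the same (for example `matchers-condition: and` while keeping `condition: or` on the first matcher); otherwise drop the generic matcher or add a comment above it noting the expected false-positive rate. The first matcher's `condition: or` likewise lets any one of its three tokens suffice, which is fine for a `severity: info` hint but should be said explicitly.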
@@ -1,28 +1,29 @@ -id: malware_clientmesh - -info: - name: ClientMesh Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "machinedetails" - - "MySettings" - - "sendftppasswords" - - "sendbrowserpasswords" - - "arma2keyMass" - - "keylogger" - condition: and - - - type: binary - binary: +id: clientmesh-malware + +info: + name: ClientMesh Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: word + part: raw + words: + - "machinedetails" + - "MySettings" + - "sendftppasswords" + - "sendbrowserpasswords" + - "arma2keyMass" + - "keylogger" + condition: and + + - type: binary + binary: - "0000000000000000007E" \ No newline at end of file diff --git a/malware_crimson.yaml b/Yara-Rules/crimson-malware.yaml similarity index 81% rename from malware_crimson.yaml rename to Yara-Rules/crimson-malware.yaml index 12dc37b..731b4e7 100644 --- a/malware_crimson.yaml +++ b/Yara-Rules/crimson-malware.yaml 
@@ -1,23 +1,23 @@ -id: malware_crimson - -info: - name: Crimson Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "com/crimson/PK" - - "com/crimson/bootstrapJar/PK" - - "com/crimson/permaJarMulti/PermaJarReporter$1.classPK" - - "com/crimson/universal/containers/KeyloggerLog.classPK" - - "com/crimson/universal/UploadTransfer.classPK" - condition: and +id: crimson-malware + +info: + name: Crimson Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "com/crimson/PK" + - "com/crimson/bootstrapJar/PK" + - "com/crimson/permaJarMulti/PermaJarReporter$1.classPK" + - "com/crimson/universal/containers/KeyloggerLog.classPK" + - "com/crimson/universal/UploadTransfer.classPK" + condition: and diff --git a/malware_cryptxxx_dropper.yaml b/Yara-Rules/cryptxxx-dropper-malware.yaml similarity index 65% rename from malware_cryptxxx_dropper.yaml rename to Yara-Rules/cryptxxx-dropper-malware.yaml index 8df56a8..65420d2 100644 --- a/malware_cryptxxx_dropper.yaml +++ b/Yara-Rules/cryptxxx-dropper-malware.yaml 
@@ -1,20 +1,19 @@ -id: malware_cryptxxx_dropper - -info: - name: CryptXXX Dropper Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: binary #Dropper - binary: - - "50653157584346765962486F35" - - "43003A005C0042004900450052005C0051006D006B004E0052004C00460000" +id: cryptxxx-dropper-malware + +info: + name: CryptXXX Dropper Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: + - "50653157584346765962486F35" + - "43003A005C0042004900450052005C0051006D006B004E0052004C00460000" condition: and \ No newline at end of file diff --git a/malware_cryptxxx.yaml b/Yara-Rules/cryptxxx-malware.yaml similarity index 91% rename from malware_cryptxxx.yaml rename to Yara-Rules/cryptxxx-malware.yaml index c2582ca..3377b6d 100644 --- a/malware_cryptxxx.yaml +++ b/Yara-Rules/cryptxxx-malware.yaml 
@@ -1,43 +1,42 @@ -id: malware_cryptxxx - -info: - name: CryptXXX Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: binary - binary: - - "525947404A41595D52000000FFFFFFFF" - - "0600000052594740405A0000FFFFFFFF" - - "0A000000525C4B4D574D424B5C520000" - - "FFFFFFFF0A000000525D575D5A4B4370" - - "3F520000FFFFFFFF06000000524C4141" - - "5A520000FFFFFFFF0A000000525C4B4D" - - "41584B5C57520000FFFFFFFF0E000000" - - "522A5C4B4D574D424B204C4740520000" - - "FFFFFFFF0A000000525E4B5C48424149" - - "5D520000FFFFFFFF05000000524B4847" - - "52000000FFFFFFFF0C000000524D4140" - - "48474920435D475200000000FFFFFFFF" - - "0A000000525E5C41495C4F703F520000" - - "FFFFFFFF0A000000525E5C41495C4F70" - - "3C520000FFFFFFFF0800000052494141" - - "49424B5200000000FFFFFFFF06000000" - - "525A4B435E520000FFFFFFFF08000000" - - "52483A4C4D703F5200000000FFFFFFFF" - - "0A000000524F42425B5D4B703F520000" - - "FFFFFFFF0A000000525E5C41495C4F70" - - "3F520000FFFFFFFF0A000000525E5C41" - - "495C4F703C520000FFFFFFFF09000000" - - "524F5E5E4A4F5A4F52000000FFFFFFFF" - - "0A000000525E5C41495C4F703D520000" - - "FFFFFFFF08000000525E5B4C42474D52" +id: cryptxxx-malware + +info: + name: CryptXXX Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: + - "525947404A41595D52000000FFFFFFFF" + - "0600000052594740405A0000FFFFFFFF" + - "0A000000525C4B4D574D424B5C520000" + - "FFFFFFFF0A000000525D575D5A4B4370" + - "3F520000FFFFFFFF06000000524C4141" + - "5A520000FFFFFFFF0A000000525C4B4D" + - "41584B5C57520000FFFFFFFF0E000000" + - "522A5C4B4D574D424B204C4740520000" + - "FFFFFFFF0A000000525E4B5C48424149" + - "5D520000FFFFFFFF05000000524B4847" + - 
"52000000FFFFFFFF0C000000524D4140" + - "48474920435D475200000000FFFFFFFF" + - "0A000000525E5C41495C4F703F520000" + - "FFFFFFFF0A000000525E5C41495C4F70" + - "3C520000FFFFFFFF0800000052494141" + - "49424B5200000000FFFFFFFF06000000" + - "525A4B435E520000FFFFFFFF08000000" + - "52483A4C4D703F5200000000FFFFFFFF" + - "0A000000524F42425B5D4B703F520000" + - "FFFFFFFF0A000000525E5C41495C4F70" + - "3F520000FFFFFFFF0A000000525E5C41" + - "495C4F703C520000FFFFFFFF09000000" + - "524F5E5E4A4F5A4F52000000FFFFFFFF" + - "0A000000525E5C41495C4F703D520000" + - "FFFFFFFF08000000525E5B4C42474D52" condition: and \ No newline at end of file diff --git a/malware_cxpid.yaml b/Yara-Rules/cxpid-malware.yaml similarity index 69% rename from malware_cxpid.yaml rename to Yara-Rules/cxpid-malware.yaml index dd37f0b..27bff90 100644 --- a/malware_cxpid.yaml +++ b/Yara-Rules/cxpid-malware.yaml @@ -1,26 +1,27 @@ -id: malware_cxpid - -info: - name: Cxpid Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word #cxpidStrings - words: - - '/cxpid/submit.php?SessionID=' - - '/cxgid/' - - 'E21BC52BEA2FEF26D005CF' - - 'E21BC52BEA39E435C40CD8' - - ' -,L-,O+,Q-,R-,Y-,S-' - - - type: binary #cxpidCode - binary: +id: cxpid-malware + +info: + name: Cxpid Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - '/cxpid/submit.php?SessionID=' + - '/cxgid/' + - 'E21BC52BEA2FEF26D005CF' + - 'E21BC52BEA39E435C40CD8' + - ' -,L-,O+,Q-,R-,Y-,S-' + + - type: binary + binary: - "558BECB9380400006A006A004975F9" \ No newline at end of file 
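Review bot: `"FFFFFFFF0A000000525E5C41495C4F70"` appears twice in the `binary:` list (the fourth entry on this line and again six entries later), which is redundant under `condition: and`; drop one. The sixteen-byte rows look like one contiguous hex string from the source rule split at line boundaries, and nuclei's binary matcher checks each entry independently, so `and` over the fragments does not enforce their order or adjacency — a looser match than the original, presumably acceptable, but worth a comment above `binary:` such as `# fragments of one contiguous pattern from RANSOM_.CRYPTXXX.yar; matched independently, not as a sequence`.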
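Review bot: The word matcher in the cxpid hunk has no `condition`, so it falls back to the matcher default (which I believe is `or`), and with `matchers-condition: or` a single hit on `'/cxgid/'` or on `' -,L-,O+,Q-,R-,Y-,S-'` — which looks like a Delphi compiler-switch fragment rather than anything malware-specific — is enough to flag a file. If the source rule required the string set together, add `condition: and` under `words:`; otherwise state `condition: or` explicitly so the intent is visible. The removed `#cxpidStrings` / `#cxpidCode` labels tied the two matchers to the YARA string sets; `name: cxpid-strings` and `name: cxpid-code` on the respective matchers would preserve that link and show up in match output.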
diff --git a/malware_cythosia.yaml b/Yara-Rules/cythosia-malware.yaml similarity index 57% rename from malware_cythosia.yaml rename to Yara-Rules/cythosia-malware.yaml index f5b8b2e..4b92dd3 100644 --- a/malware_cythosia.yaml +++ b/Yara-Rules/cythosia-malware.yaml @@ -1,18 +1,18 @@ -id: malware_cythosia - -info: - name: Cythosia Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: +id: cythosia-malware + +info: + name: Cythosia Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: - 'HarvesterSocksBot.Properties.Resources' \ No newline at end of file diff --git a/malware_darkrat.yaml b/Yara-Rules/darkrat-malware.yaml similarity index 80% rename from malware_darkrat.yaml rename to Yara-Rules/darkrat-malware.yaml index 9c54600..7133a27 100644 --- a/malware_darkrat.yaml +++ b/Yara-Rules/darkrat-malware.yaml 
@@ -1,25 +1,25 @@ -id: malware_darkrat - -info: - name: DarkRAT Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "@1906dark1996coder@" - - "SHEmptyRecycleBinA" - - "mciSendStringA" - - "add_Shutdown" - - "get_SaveMySettingsOnExit" - - "get_SpecialDirectories" - - "Client.My" - condition: and +id: darkrat-malware + +info: + name: DarkRAT Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "@1906dark1996coder@" + - "SHEmptyRecycleBinA" + - "mciSendStringA" + - "add_Shutdown" + - "get_SaveMySettingsOnExit" + - "get_SpecialDirectories" + - "Client.My" + condition: and diff --git a/malware_ddostf.yaml b/Yara-Rules/ddostf-malware.yaml similarity index 80% rename from malware_ddostf.yaml rename to Yara-Rules/ddostf-malware.yaml index 7d8780c..c6233bc 100644 --- a/malware_ddostf.yaml +++ b/Yara-Rules/ddostf-malware.yaml 
@@ -1,29 +1,30 @@ -id: malware_ddostf - -info: - name: DDoSTf Malware Detector - author: daffainfo - severity: critical - reference: - - http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'ddos.tf' - - 'Accept-Language: zh' - - '%d Kb/bps|%d%%' - condition: and - - - type: binary - binary: - - 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00' #TCP_KEEPINTVL - - 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00' #TCP_KEEPCNT +id: ddostf-malware + +info: + name: DDoSTf Malware - Detect + author: daffainfo + severity: info + reference: + - http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: word + part: raw + words: + - 'ddos.tf' + - 'Accept-Language: zh' + - '%d Kb/bps|%d%%' + condition: and + + - type: binary + binary: + - 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00' + - 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00' condition: and \ No newline at end of file diff --git a/malware_derkziel.yaml b/Yara-Rules/derkziel-malware.yaml similarity index 74% rename from malware_derkziel.yaml rename to Yara-Rules/derkziel-malware.yaml index 9eacee1..b70f1a6 100644 --- a/malware_derkziel.yaml +++ b/Yara-Rules/derkziel-malware.yaml 
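Review bot: The `#TCP_KEEPINTVL` and `#TCP_KEEPCNT` comments on the two binary patterns are dropped, and without them the hex is opaque; both decode from the visible bytes as UTF-8 `设置TCP_KEEPINTVL错误：` and `设置TCP_KEEPCNT错误：` (Chinese "set … error:" messages), so restore them as trailing comments, e.g. `- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00'  # UTF-8 "设置TCP_KEEPINTVL错误："`. The binary matcher also has no `condition` while the word matcher sets `condition: and`; with `matchers-condition: and` both matchers must fire, so make the binary matcher's `condition` explicit to match the style of its sibling.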
@@ -1,25 +1,25 @@ -id: malware_derkziel - -info: - name: Derkziel Malware Detector - author: daffainfo - severity: critical - reference: - - https://bhf.su/threads/137898/ - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - '{!}DRZ{!}' - - 'User-Agent: Uploador' - - 'SteamAppData.vdf' - - 'loginusers.vdf' - - 'config.vdf' +id: derkziel-malware + +info: + name: Derkziel Malware - Detect + author: daffainfo + severity: info + reference: + - https://bhf.su/threads/137898/ + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - '{!}DRZ{!}' + - 'User-Agent: Uploador' + - 'SteamAppData.vdf' + - 'loginusers.vdf' + - 'config.vdf' condition: and \ No newline at end of file diff --git a/malware_dexter.yaml b/Yara-Rules/dexter-malware.yaml similarity index 75% rename from malware_dexter.yaml rename to Yara-Rules/dexter-malware.yaml index 1fe8811..bbb30a1 100644 --- a/malware_dexter.yaml +++ b/Yara-Rules/dexter-malware.yaml 
@@ -1,24 +1,24 @@ -id: malware_dexter - -info: - name: Dexter Malware Detector - author: daffainfo - severity: critical - reference: - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar - - http://goo.gl/oBvy8b - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'Java Security Plugin' - - '%s\\%s\\%s.exe' - - 'Sun Java Security Plugin' - - '\\Internet Explorer\\iexplore.exe' +id: dexter-malware + +info: + name: Dexter Malware - Detect + author: daffainfo + severity: info + reference: + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar + - http://goo.gl/oBvy8b + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'Java Security Plugin' + - '%s\\%s\\%s.exe' + - 'Sun Java Security Plugin' + - '\\Internet Explorer\\iexplore.exe' condition: and \ No newline at end of file diff --git a/malware_diamondfox.yaml b/Yara-Rules/diamondfox-malware.yaml similarity index 72% rename from malware_diamondfox.yaml rename to Yara-Rules/diamondfox-malware.yaml index 115d6bb..cee314b 100644 --- a/malware_diamondfox.yaml +++ b/Yara-Rules/diamondfox-malware.yaml 
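Review bot: `'%s\\%s\\%s.exe'` and `'\\Internet Explorer\\iexplore.exe'` are single-quoted, and YAML single quotes do not process `\\`, so the matcher searches for two consecutive backslashes. If the source rule's strings are C-escaped as YARA text strings are, the intended bytes contain a single backslash and these two entries can never match, which under `condition: and` disables the whole template. Switch them to double quotes, `- "%s\\%s\\%s.exe"` and `- "\\Internet Explorer\\iexplore.exe"`, so `\\` collapses to one backslash (the `\\` in the eicar template below is double-quoted and therefore already correct).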
@@ -1,24 +1,24 @@ -id: malware_diamondfox - -info: - name: DiamondFox Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'UPDATE_B' - - 'UNISTALL_B' - - 'S_PROTECT' - - 'P_WALLET' - - 'GR_COMMAND' - - 'FTPUPLOAD' +id: diamondfox-malware + +info: + name: DiamondFox Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'UPDATE_B' + - 'UNISTALL_B' + - 'S_PROTECT' + - 'P_WALLET' + - 'GR_COMMAND' + - 'FTPUPLOAD' condition: and \ No newline at end of file diff --git a/malware_dmalocker.yaml b/Yara-Rules/dmalocker-malware.yaml similarity index 70% rename from malware_dmalocker.yaml rename to Yara-Rules/dmalocker-malware.yaml index 5333a53..65fc482 100644 --- a/malware_dmalocker.yaml +++ b/Yara-Rules/dmalocker-malware.yaml 
@@ -1,21 +1,22 @@ -id: malware_dmalocker - -info: - name: DMA Locker Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: binary - binary: - - "41424358595a3131" - - "21444d414c4f434b" - - "21444d414c4f434b332e30" - - "3F520000FFFFFFFF06000000524C4141" - - "21444d414c4f434b342e30" #v4 +id: dmalocker-malware + +info: + name: DMA Locker Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: + - "41424358595a3131" + - "21444d414c4f434b" + - "21444d414c4f434b332e30" + - "3F520000FFFFFFFF06000000524C4141" + - "21444d414c4f434b342e30" + condition: or diff --git a/malware_doublepulsar.yaml b/Yara-Rules/doublepulsar-malware.yaml similarity index 70% rename from malware_doublepulsar.yaml rename to Yara-Rules/doublepulsar-malware.yaml index cdeb7e8..2566e73 100644 --- a/malware_doublepulsar.yaml +++ b/Yara-Rules/doublepulsar-malware.yaml 
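Review bot: `"3F520000FFFFFFFF06000000524C4141"` does not appear to belong to this rule: the same value is one of the CryptXXX fragments in the cryptxxx hunk above, while the other four entries decode to `ABCXYZ11`, `!DMALOCK`, `!DMALOCK3.0` and `!DMALOCK4.0`. With the newly added `condition: or`, any file carrying that CryptXXX fragment is reported as DMA Locker, so the line should be removed unless the upstream rule really contains it. The remaining entries also mix hex case (lowercase `d`/`a` alongside uppercase `F`); normalize to one case, and consider restoring the dropped `#v4` label as `# "!DMALOCK4.0"`.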
@@ -1,18 +1,19 @@ -id: malware_doublepulsar - -info: - name: DoublePulsar Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: binary - binary: - - "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE" #xor - - "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741" #dll +id: doublepulsar-malware + +info: + name: DoublePulsar Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: + - "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE" + - "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741" + condition: or \ No newline at end of file diff --git a/malware_eicar.yaml b/Yara-Rules/eicar-malware.yaml similarity index 70% rename from malware_eicar.yaml rename to Yara-Rules/eicar-malware.yaml index 787c257..d1792fc 100644 --- a/malware_eicar.yaml +++ b/Yara-Rules/eicar-malware.yaml 
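Review bot: The `#xor` and `#dll` labels on the two binary patterns are removed, leaving two long opaque hex blobs with no indication of what each one covers. Since the new `condition: or` means either pattern alone produces a hit, a maintainer investigating a match needs to know which is which; restore the labels as comments above each entry, e.g. `# xor-encoded stub (per RANSOM_DoublePulsar_Petya.yar)` and `# DLL pattern (per RANSOM_DoublePulsar_Petya.yar)`.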
@@ -1,17 +1,18 @@ -id: malware_eicar - -info: - name: Eicar Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: word - words: +id: eicar-malware + +info: + name: Eicar Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: - "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" \ No newline at end of file diff --git a/malware_erebus.yaml b/Yara-Rules/erebus-malware.yaml similarity index 71% rename from malware_erebus.yaml rename to Yara-Rules/erebus-malware.yaml index b6b66c7..3eb91a7 100644 --- a/malware_erebus.yaml +++ b/Yara-Rules/erebus-malware.yaml @@ -1,20 +1,20 @@ -id: malware_erebus - -info: - name: Erebus Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log" - - "EREBUS IS BEST." +id: erebus-malware + +info: + name: Erebus Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log" + - "EREBUS IS BEST." condition: and \ No newline at end of file diff --git a/malware_ezcob.yaml b/Yara-Rules/ezcob-malware.yaml similarity index 75% rename from malware_ezcob.yaml rename to Yara-Rules/ezcob-malware.yaml index 352afe9..8ed607a 100644 --- a/malware_ezcob.yaml +++ b/Yara-Rules/ezcob-malware.yaml 
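Review bot: The eicar template is named "Eicar Malware - Detect" and tagged `malware`, but the matched string is the EICAR anti-virus test file, not malicious code, so a hit will be triaged as an infection when it is almost always a scanner self-test. Add a `description:` under `info:` such as `description: Matches the EICAR standard anti-virus test string; a hit indicates a test file, not live malware.`, and consider a name like `EICAR Test File - Detect`. The double-quoted `\\` in the pattern correctly yields the single backslash of the EICAR string, so no change is needed there.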
@@ -1,21 +1,23 @@ -id: malware_ezcob - -info: - name: Ezcob Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: word - words: - - '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12' - - '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12' - - 'Ezcob' - - 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126' - - '20110113144935' \ No newline at end of file +id: ezcob-malware + +info: + name: Ezcob Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12' + - '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12' + - 'Ezcob' + - 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126' + - '20110113144935' + condition: or \ No newline at end of file diff --git a/malware_fudcrypt.yaml b/Yara-Rules/fudcrypt-malware.yaml similarity index 81% rename from malware_fudcrypt.yaml rename to Yara-Rules/fudcrypt-malware.yaml index 05fdf71..37d4272 100644 --- a/malware_fudcrypt.yaml +++ b/Yara-Rules/fudcrypt-malware.yaml 
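Review bot: The `\x12` sequences in the first, second and fourth words are inside single quotes, where YAML keeps `\x12` as the four literal characters `\`, `x`, `1`, `2`; the `\x` escapes indicate the source rule means byte 0x12, so these three entries search for text that the binary does not contain. Either double-quote them (YAML double-quoted scalars process `\xNN`), e.g. `- "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"`, or move them to a `type: binary` matcher as hex (`\x12F\x12F` → `12461246`). Because the new `condition: or` lets `'Ezcob'` and `'20110113144935'` fire on their own, the broken entries are masked rather than noticed.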
@@ -1,30 +1,31 @@ -id: malware_fudcrypt - -info: - name: FUDCrypt Malware Detector - author: daffainfo - severity: critical - reference: - - https://github.com/gigajew/FudCrypt/ - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: word - words: - - 'OcYjzPUtJkNbLOABqYvNbvhZf' - - 'gwiXxyIDDtoYzgMSRGMckRbJi' - - 'BclWgISTcaGjnwrzSCIuKruKm' - - 'CJyUSiUNrIVbgksjxpAMUkAJJ' - - 'fAMVdoPUEyHEWdxQIEJPRYbEN' - - 'CIGQUctdcUPqUjoucmcoffECY' - - 'wcZfHOgetgAExzSoWFJFQdAyO' - - 'DqYKDnIoLeZDWYlQWoxZnpfPR' - - 'MkhMoOHCbGUMqtnRDJKnBYnOj' - - 'sHEqLMGglkBAOIUfcSAgMvZfs' - - 'JtZApJhbFAIFxzHLjjyEQvtgd' +id: fudcrypt-malware + +info: + name: FUDCrypt Malware - Detect + author: daffainfo + severity: info + reference: + - https://github.com/gigajew/FudCrypt/ + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'OcYjzPUtJkNbLOABqYvNbvhZf' + - 'gwiXxyIDDtoYzgMSRGMckRbJi' + - 'BclWgISTcaGjnwrzSCIuKruKm' + - 'CJyUSiUNrIVbgksjxpAMUkAJJ' + - 'fAMVdoPUEyHEWdxQIEJPRYbEN' + - 'CIGQUctdcUPqUjoucmcoffECY' + - 'wcZfHOgetgAExzSoWFJFQdAyO' + - 'DqYKDnIoLeZDWYlQWoxZnpfPR' + - 'MkhMoOHCbGUMqtnRDJKnBYnOj' + - 'sHEqLMGglkBAOIUfcSAgMvZfs' + - 'JtZApJhbFAIFxzHLjjyEQvtgd' - 'IIQrSWZEMmoQIKGuxxwoTwXka' \ No newline at end of file diff --git a/malware_gafgyt_bash.yaml b/Yara-Rules/gafgyt-bash-malware.yaml similarity index 70% rename from malware_gafgyt_bash.yaml rename to Yara-Rules/gafgyt-bash-malware.yaml index 84addbd..efd654c 100644 --- a/malware_gafgyt_bash.yaml +++ b/Yara-Rules/gafgyt-bash-malware.yaml 
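Review bot: The fudcrypt word matcher has no `condition`, while this same commit adds an explicit `condition: or` to the ezcob, dmalocker and doublepulsar templates; add `condition: or` after the last word so the any-of-twelve intent is stated rather than left to the matcher default. The final entry `'IIQrSWZEMmoQIKGuxxwoTwXka'` is a context line that still lacks a trailing newline, which the renamed file keeps.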
@@ -1,22 +1,22 @@ -id: malware_gafgyt_bash - -info: - name: Gafgyt Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'PONG!' - - 'GETLOCALIP' - - 'HTTPFLOOD' - - 'LUCKYLILDUDE' +id: gafgyt-bash-malware + +info: + name: Gafgyt Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'PONG!' + - 'GETLOCALIP' + - 'HTTPFLOOD' + - 'LUCKYLILDUDE' condition: and \ No newline at end of file diff --git a/malware_gafgyt_generic.yaml b/Yara-Rules/gafgyt-generic-malware.yaml similarity index 70% rename from malware_gafgyt_generic.yaml rename to Yara-Rules/gafgyt-generic-malware.yaml index 516e36d..3d3e12a 100644 --- a/malware_gafgyt_generic.yaml +++ b/Yara-Rules/gafgyt-generic-malware.yaml @@ -1,22 +1,22 @@ -id: malware_gafgyt_generic - -info: - name: Gafgyt Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "/bin/busybox;echo -e 'gayfgt'" - - '/proc/net/route' - - 'admin' - - 'root' +id: gafgyt-generic-malware + +info: + name: Gafgyt Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "/bin/busybox;echo -e 'gayfgt'" + - '/proc/net/route' + - 'admin' + - 'root' condition: and \ No newline at end of file 
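Review bot: Both templates in this line keep the display name `Gafgyt Malware - Detect`, and the gafgyt-hihi, gafgyt-hoho and gafgyt-jackmy templates below use the identical name, while gafgyt-oh was renamed to `Gafgyt Oh Malware - Detect`; five templates with one name make results indistinguishable without the `id`. Name each variant after its id, e.g. `name: Gafgyt Bash Variant Malware - Detect` here and `name: Gafgyt Generic Variant Malware - Detect` in the second hunk, and do the same for hihi, hoho and jackmy.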
diff --git a/malware_gafgyt_hihi.yaml b/Yara-Rules/gafgyt-hihi-malware.yaml similarity index 73% rename from malware_gafgyt_hihi.yaml rename to Yara-Rules/gafgyt-hihi-malware.yaml index 565c27f..c133bc0 100644 --- a/malware_gafgyt_hihi.yaml +++ b/Yara-Rules/gafgyt-hihi-malware.yaml @@ -1,24 +1,24 @@ -id: malware_gafgyt_hihi - -info: - name: Gafgyt Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'PING' - - 'PONG' - - 'TELNET LOGIN CRACKED - %s:%s:%s' - - 'ADVANCEDBOT' - - '46.166.185.92' - - 'LOLNOGTFO' +id: gafgyt-hihi-malware + +info: + name: Gafgyt Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'PING' + - 'PONG' + - 'TELNET LOGIN CRACKED - %s:%s:%s' + - 'ADVANCEDBOT' + - '46.166.185.92' + - 'LOLNOGTFO' condition: and \ No newline at end of file diff --git a/malware_gafgyt_hoho.yaml b/Yara-Rules/gafgyt-hoho-malware.yaml similarity index 70% rename from malware_gafgyt_hoho.yaml rename to Yara-Rules/gafgyt-hoho-malware.yaml index b93135e..ee60551 100644 --- a/malware_gafgyt_hoho.yaml +++ b/Yara-Rules/gafgyt-hoho-malware.yaml 
@@ -1,22 +1,22 @@ -id: malware_gafgyt_hoho - -info: - name: Gafgyt Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'PING' - - 'PRIVMSG' - - 'Remote IRC Bot' - - '23.95.43.182' +id: gafgyt-hoho-malware + +info: + name: Gafgyt Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'PING' + - 'PRIVMSG' + - 'Remote IRC Bot' + - '23.95.43.182' condition: and \ No newline at end of file diff --git a/malware_gafgyt_jackmy.yaml b/Yara-Rules/gafgyt-jackmy-malware.yaml similarity index 69% rename from malware_gafgyt_jackmy.yaml rename to Yara-Rules/gafgyt-jackmy-malware.yaml index dc68548..5a06bcc 100644 --- a/malware_gafgyt_jackmy.yaml +++ b/Yara-Rules/gafgyt-jackmy-malware.yaml @@ -1,22 +1,22 @@ -id: malware_gafgyt_jackmy - -info: - name: Gafgyt Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'PING' - - 'PONG' - - 'jackmy' - - '203.134.%d.%d' +id: gafgyt-jackmy-malware + +info: + name: Gafgyt Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'PING' + - 'PONG' + - 'jackmy' + - '203.134.%d.%d' condition: and \ No newline at end of file 
diff --git a/malware_gafgyt_oh.yaml b/Yara-Rules/gafgyt-oh-malware.yaml similarity index 70% rename from malware_gafgyt_oh.yaml rename to Yara-Rules/gafgyt-oh-malware.yaml index 923d09e..fbe6013 100644 --- a/malware_gafgyt_oh.yaml +++ b/Yara-Rules/gafgyt-oh-malware.yaml @@ -1,22 +1,22 @@ -id: malware_gafgyt_oh - -info: - name: Gafgyt Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'busyboxterrorist' - - 'BOGOMIPS' - - '124.105.97.%d' - - 'fucknet' +id: gafgyt-oh-malware + +info: + name: Gafgyt Oh Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'busyboxterrorist' + - 'BOGOMIPS' + - '124.105.97.%d' + - 'fucknet' condition: and \ No newline at end of file diff --git a/malware_genome.yaml b/Yara-Rules/genome-malware.yaml similarity index 74% rename from malware_genome.yaml rename to Yara-Rules/genome-malware.yaml index 62af730..bdde541 100644 --- a/malware_genome.yaml +++ b/Yara-Rules/genome-malware.yaml 
@@ -1,21 +1,21 @@ -id: malware_genome - -info: - name: Genome Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - 'Attempting to create more than one keyboard::Monitor instance' - - '{Right windows}' - - 'Access violation - no RTTI data!' +id: genome-malware + +info: + name: Genome Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - 'Attempting to create more than one keyboard::Monitor instance' + - '{Right windows}' + - 'Access violation - no RTTI data!' condition: and \ No newline at end of file diff --git a/malware_glass.yaml b/Yara-Rules/glass-malware.yaml similarity index 76% rename from malware_glass.yaml rename to Yara-Rules/glass-malware.yaml index 3deb3f7..31d843f 100644 --- a/malware_glass.yaml +++ b/Yara-Rules/glass-malware.yaml @@ -1,22 +1,22 @@ -id: malware_glass - -info: - name: Glass Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "PostQuitMessage" - - "pwlfnn10,gzg" - - "update.dll" - - "_winver" - condition: and +id: glass-malware + +info: + name: Glass Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "PostQuitMessage" + - "pwlfnn10,gzg" + - "update.dll" + - "_winver" + condition: and 
diff --git a/malware_glasses.yaml b/Yara-Rules/glasses-malware.yaml similarity index 77% rename from malware_glasses.yaml rename to Yara-Rules/glasses-malware.yaml index ecc4d1f..f807078 100644 --- a/malware_glasses.yaml +++ b/Yara-Rules/glasses-malware.yaml @@ -1,29 +1,30 @@ -id: malware_glasses - -info: - name: Glasses Malware Detector - author: daffainfo - severity: critical - reference: - - https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/ - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word #GlassesStrings - words: - - 'thequickbrownfxjmpsvalzydg' - - 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)' - - '" target="NewRef">' - condition: and - - - type: binary #GlassesCode - binary: - - "B8ABAAAAAAF7E1D1EA8D04522BC8" - - "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA" +id: glasses-malware + +info: + name: Glasses Malware - Detect + author: daffainfo + severity: info + reference: + - https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/ + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: word + part: raw + words: + - 'thequickbrownfxjmpsvalzydg' + - 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)' + - '" target="NewRef">' + condition: and + + - type: binary + binary: + - "B8ABAAAAAAF7E1D1EA8D04522BC8" + - "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA" condition: or \ No newline at end of file diff --git a/malware_gozi.yaml b/Yara-Rules/gozi-malware.yaml similarity index 71% rename from malware_gozi.yaml rename to Yara-Rules/gozi-malware.yaml index dd875ea..36cf476 100644 --- a/malware_gozi.yaml +++ b/Yara-Rules/gozi-malware.yaml 
@@ -1,19 +1,19 @@ -id: malware_gozi - -info: - name: Gozi Malware Detector - author: daffainfo - severity: critical - reference: - - https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: binary - binary: +id: gozi-malware + +info: + name: Gozi Malware - Detect + author: daffainfo + severity: info + reference: + - https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: - "63006F006F006B006900650073002E00730071006C006900740065002D006A006F00750072006E0061006C0000004F504552412E45584500" \ No newline at end of file diff --git a/malware_gpgqwerty.yaml b/Yara-Rules/gpgqwerty-malware.yaml similarity index 73% rename from malware_gpgqwerty.yaml rename to Yara-Rules/gpgqwerty-malware.yaml index ad16fe6..066572e 100644 --- a/malware_gpgqwerty.yaml +++ b/Yara-Rules/gpgqwerty-malware.yaml 
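Review bot: The single hex pattern is undocumented, yet it decodes directly from the visible bytes as UTF-16LE `cookies.sqlite-journal` followed by a NUL and ASCII `OPERA.EXE`; a comment above `binary:` such as `# UTF-16LE "cookies.sqlite-journal" + ASCII "OPERA.EXE" (browser data theft strings)` saves the next maintainer from decoding it. The grozlex hunk below has the same gap; its pattern decodes as UTF-16LE `Logs attached by iCozen` and deserves the same treatment.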
@@ -1,22 +1,22 @@ -id: malware_gpgqwerty - -info: - name: GPGQwerty Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "gpg.exe –recipient qwerty -o" - - "%s%s.%d.qwerty" - - "del /Q /F /S %s$recycle.bin" - - "cryz1@protonmail.com" +id: gpgqwerty-malware + +info: + name: GPGQwerty Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "gpg.exe –recipient qwerty -o" + - "%s%s.%d.qwerty" + - "del /Q /F /S %s$recycle.bin" + - "cryz1@protonmail.com" condition: and \ No newline at end of file diff --git a/malware_greame.yaml b/Yara-Rules/greame-malware.yaml similarity index 80% rename from malware_greame.yaml rename to Yara-Rules/greame-malware.yaml index c300125..bd1bd85 100644 --- a/malware_greame.yaml +++ b/Yara-Rules/greame-malware.yaml 
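Review bot: The first word, `"gpg.exe –recipient qwerty -o"`, contains an en dash (U+2013) before `recipient`, whereas the gpg option is `--recipient`; this looks like a smart-dash conversion rather than the bytes in the sample. Unless the upstream rule deliberately uses the en dash (please verify against RANSOM_GPGQwerty.yar), this entry can never match and, under `condition: and`, neither can the template; change it to `- "gpg.exe --recipient qwerty -o"`.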
@@ -1,30 +1,31 @@ -id: malware_greame - -info: - name: Greame Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "EditSvr" - - "TLoader" - - "Stroks" - - "Avenger by NhT" - - "####@####" - - "GREAME" - condition: and - - - type: binary - binary: - - "232323234023232323E8EEE9F9232323234023232323" - - "232323234023232323FAFDF0EFF9232323234023232323" +id: greame-malware + +info: + name: Greame Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: word + part: raw + words: + - "EditSvr" + - "TLoader" + - "Stroks" + - "Avenger by NhT" + - "####@####" + - "GREAME" + condition: and + + - type: binary + binary: + - "232323234023232323E8EEE9F9232323234023232323" + - "232323234023232323FAFDF0EFF9232323234023232323" condition: and \ No newline at end of file diff --git a/malware_grozlex.yaml b/Yara-Rules/grozlex-malware.yaml similarity index 74% rename from malware_grozlex.yaml rename to Yara-Rules/grozlex-malware.yaml index f565713..5764ce2 100644 --- a/malware_grozlex.yaml +++ b/Yara-Rules/grozlex-malware.yaml 
@@ -1,19 +1,19 @@ -id: malware_grozlex - -info: - name: Grozlex Malware Detector - author: daffainfo - severity: critical - reference: - - https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: binary - binary: +id: grozlex-malware + +info: + name: Grozlex Malware - Detect + author: daffainfo + severity: info + reference: + - https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: - "4C006F00670073002000610074007400610063006800650064002000620079002000690043006F007A0065006E" \ No newline at end of file diff --git a/malware_hawkeye.yaml b/Yara-Rules/hawkeye-malware.yaml similarity index 81% rename from malware_hawkeye.yaml rename to Yara-Rules/hawkeye-malware.yaml index 71a0643..ee41657 100644 --- a/malware_hawkeye.yaml +++ b/Yara-Rules/hawkeye-malware.yaml 
@@ -1,27 +1,27 @@ -id: malware_hawkeye - -info: - name: HawkEye Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "HawkEyeKeylogger" - - "099u787978786" - - "HawkEye_Keylogger" - - "holdermail.txt" - - "wallet.dat" - - "Keylog Records" - - "" - - "\\pidloc.txt" - - "BSPLIT" - condition: and +id: hawkeye-malware + +info: + name: HawkEye Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "HawkEyeKeylogger" + - "099u787978786" + - "HawkEye_Keylogger" + - "holdermail.txt" + - "wallet.dat" + - "Keylog Records" + - "" + - "\\pidloc.txt" + - "BSPLIT" + condition: and diff --git a/malware_imminent.yaml b/Yara-Rules/imminent-malware.yaml similarity index 81% rename from malware_imminent.yaml rename to Yara-Rules/imminent-malware.yaml index e5b1958..a195069 100644 --- a/malware_imminent.yaml +++ b/Yara-Rules/imminent-malware.yaml 
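Review bot: The new words list keeps an empty entry (`+      - ""`) between `Keylog Records` and `\\pidloc.txt`; an empty needle is a substring of every file, so under `condition: and` it contributes nothing, and if the condition were ever switched to `or` it would fire on every scanned file. It most likely stands in for a string that did not survive the port from RAT_Ratdecoders.yar. Either restore that string from the referenced rule or delete the entry.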
@@ -1,35 +1,37 @@ -id: malware_imminent - -info: - name: Imminent Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - "DecodeProductKey" - - "StartHTTPFlood" - - "CodeKey" - - "MESSAGEBOX" - - "GetFilezillaPasswords" - - "DataIn" - - "UDPzSockets" - condition: and - - - type: word - words: - - "k__BackingField" - - "k__BackingField" - - "DownloadAndExecute" - - "england.png" - - "-CHECK & PING -n 2 127.0.0.1 & EXIT" - - "Showed Messagebox" +id: imminent-malware + +info: + name: Imminent Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - "DecodeProductKey" + - "StartHTTPFlood" + - "CodeKey" + - "MESSAGEBOX" + - "GetFilezillaPasswords" + - "DataIn" + - "UDPzSockets" + condition: and + + - type: word + part: raw + words: + - "k__BackingField" + - "k__BackingField" + - "DownloadAndExecute" + - "england.png" + - "-CHECK & PING -n 2 127.0.0.1 & EXIT" + - "Showed Messagebox" condition: and \ No newline at end of file diff --git a/malware_infinity.yaml b/Yara-Rules/infinity-malware.yaml similarity index 76% rename from malware_infinity.yaml rename to Yara-Rules/infinity-malware.yaml index 9cedade..3559d4f 100644 --- a/malware_infinity.yaml +++ b/Yara-Rules/infinity-malware.yaml 
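Review bot: The second word matcher lists `k__BackingField` twice (`+      - "k__BackingField"` on consecutive lines); under `condition: and` the duplicate is a no-op, so one of the two lines should go. That token is also the suffix the C# compiler gives every auto-property backing field, so on its own it carries no signal about this family — the remaining four words are what make the matcher specific. If the referenced rule really lists two distinct strings here, the second one should be restored instead of deleted.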
@@ -1,26 +1,26 @@ -id: malware_infinity - -info: - name: Infinity Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "CRYPTPROTECT_PROMPTSTRUCT" - - "discomouse" - - "GetDeepInfo" - - "AES_Encrypt" - - "StartUDPFlood" - - "BATScripting" - - "FBqINhRdpgnqATxJ.html" - - "magic_key" +id: infinity-malware + +info: + name: Infinity Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "CRYPTPROTECT_PROMPTSTRUCT" + - "discomouse" + - "GetDeepInfo" + - "AES_Encrypt" + - "StartUDPFlood" + - "BATScripting" + - "FBqINhRdpgnqATxJ.html" + - "magic_key" condition: and \ No newline at end of file diff --git a/malware_insta11.yaml b/Yara-Rules/insta11-malware.yaml similarity index 76% rename from malware_insta11.yaml rename to Yara-Rules/insta11-malware.yaml index 62b29ee..2fab0c1 100644 --- a/malware_insta11.yaml +++ b/Yara-Rules/insta11-malware.yaml 
@@ -1,27 +1,28 @@ -id: malware_insta11 - -info: - name: Insta11 Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - 'XTALKER7' - - 'Insta11 Microsoft' - - 'wudMessage' - - 'ECD4FC4D-521C-11D0-B792-00A0C90312E1' - - 'B12AE898-D056-4378-A844-6D393FE37956' - condition: or - - - type: binary - binary: +id: insta11-malware + +info: + name: Insta11 Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - 'XTALKER7' + - 'Insta11 Microsoft' + - 'wudMessage' + - 'ECD4FC4D-521C-11D0-B792-00A0C90312E1' + - 'B12AE898-D056-4378-A844-6D393FE37956' + condition: or + + - type: binary + binary: - 'E9000000006823040000' \ No newline at end of file diff --git a/malware_intel_virtualization.yaml b/Yara-Rules/intel-virtualization-malware.yaml similarity index 79% rename from malware_intel_virtualization.yaml rename to Yara-Rules/intel-virtualization-malware.yaml index 76a128a..981cfcb 100644 --- a/malware_intel_virtualization.yaml +++ b/Yara-Rules/intel-virtualization-malware.yaml 
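Review bot: With `+  matchers-condition: or` and `+        condition: or` on the word matcher, any single one of the five words classifies a file as Insta11, so one hit on a short token such as `wudMessage` or on either GUID is enough. GUIDs of that shape can be ordinary Windows CLSIDs embedded in benign binaries, which would make this template noisy on a broad `extensions: all` scan; the referenced MALW_Install11.yar should be checked for whether its condition really is "any of them". If it requires several strings, `condition: and` (or a tighter subset) on the word matcher is the fix.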
@@ -1,29 +1,29 @@ -id: malware_intel_virtualization - -info: - name: Intel Virtualization Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: binary - binary: - - '4C6F6164535452494E47' - - '496E697469616C697A654B6579486F6F6B' - - '46696E645265736F7572636573' - - '4C6F6164535452494E4746726F6D484B4355' - - '6863637574696C732E444C4C' - condition: and - - - type: binary # Dynamic dll (malicious) - binary: - - '483A5C466173745C506C756728686B636D64295C' - - '646C6C5C52656C656173655C48696A61636B446C6C2E706462' +id: intel-virtualization-malware + +info: + name: Intel Virtualization Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: binary + binary: + - '4C6F6164535452494E47' + - '496E697469616C697A654B6579486F6F6B' + - '46696E645265736F7572636573' + - '4C6F6164535452494E4746726F6D484B4355' + - '6863637574696C732E444C4C' + condition: and + + - type: binary + binary: + - '483A5C466173745C506C756728686B636D64295C' + - '646C6C5C52656C656173655C48696A61636B446C6C2E706462' condition: and \ No newline at end of file diff --git a/malware_iotreaper.yaml b/Yara-Rules/iotreaper-malware.yaml similarity index 76% rename from malware_iotreaper.yaml rename to Yara-Rules/iotreaper-malware.yaml index 61ab4fc..96e96bd 100644 --- a/malware_iotreaper.yaml +++ b/Yara-Rules/iotreaper-malware.yaml 
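Review bot: The old side labelled the second binary matcher with `# Dynamic dll (malicious)` and the new side drops that comment, leaving two unlabelled hex lists; the reader now has to decode `483A5C46617374...` and `646C6C5C52656C6561...` by hand to learn that the second matcher targets a `HijackDll.pdb` build path. Keep the label on the new side, e.g. `      - type: binary  # Dynamic dll (malicious): PDB path of the planted DLL`. A one-line comment on the first matcher naming what its five strings are (hook/resource export names) would serve the same purpose.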
@@ -1,27 +1,28 @@ -id: malware_iotreaper - -info: - name: IotReaper Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - 'XTALKER7' - - 'Insta11 Microsoft' - - 'wudMessage' - - 'ECD4FC4D-521C-11D0-B792-00A0C90312E1' - - 'B12AE898-D056-4378-A844-6D393FE37956' - condition: or - - - type: binary - binary: +id: iotreaper-malware + +info: + name: IotReaper Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - 'XTALKER7' + - 'Insta11 Microsoft' + - 'wudMessage' + - 'ECD4FC4D-521C-11D0-B792-00A0C90312E1' + - 'B12AE898-D056-4378-A844-6D393FE37956' + condition: or + + - type: binary + binary: - 'E9000000006823040000' \ No newline at end of file diff --git a/malware_linux_aesddos.yaml b/Yara-Rules/linux-aesddos-malware.yaml similarity index 77% rename from malware_linux_aesddos.yaml rename to Yara-Rules/linux-aesddos-malware.yaml index 5ef7358..e0faa45 100644 --- a/malware_linux_aesddos.yaml +++ b/Yara-Rules/linux-aesddos-malware.yaml 
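Review bot: The new IotReaper template carries exactly the indicator set of the Insta11 template in the previous hunk (`XTALKER7`, `Insta11 Microsoft`, `wudMessage`, the two GUIDs and the `E9000000006823040000` byte pattern) while its `reference` points at MALW_IotReaper.yar, so it will label Insta11 samples as IotReaper and never match IotReaper itself. This is a pre-existing copy-paste error that the rename carries forward rather than something the commit introduces, but the file is now being promoted into the `Yara-Rules/` directory with that content. The words and bytes need to be replaced with the ones from the referenced rule before this template ships.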
@@ -1,34 +1,37 @@ -id: malware_linux_aesddos - -info: - name: Linux AESDDOS Malware Detector - author: daffainfo - severity: critical - reference: - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar - - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483 - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - "3AES" - - "Hacker" - condition: and - - - type: word - words: - - "3AES" - - "VERSONEX" - condition: and - - - type: word - words: - - "VERSONEX" - - "Hacker" - condition: and +id: linux-aesddos-malware + +info: + name: Linux AESDDOS Malware - Detect + author: daffainfo + severity: info + reference: + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar + - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483 + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - "3AES" + - "Hacker" + condition: and + + - type: word + part: raw + words: + - "3AES" + - "VERSONEX" + condition: and + + - type: word + part: raw + words: + - "VERSONEX" + - "Hacker" + condition: and diff --git a/malware_linux_billgates.yaml b/Yara-Rules/linux-billgates-malware.yaml similarity index 75% rename from malware_linux_billgates.yaml rename to Yara-Rules/linux-billgates-malware.yaml index 0609768..410361a 100644 --- a/malware_linux_billgates.yaml +++ b/Yara-Rules/linux-billgates-malware.yaml 
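Review bot: The three word matchers under `matchers-condition: or` each pair two of `3AES`, `Hacker` and `VERSONEX`, which is the template-level way of expressing "at least 2 of 3", but nothing in the file says so, and a later editor who sees `3AES` listed twice may "deduplicate" it into one matcher and change the logic. A comment above the first matcher, e.g. `# three pairwise matchers emulate "2 of (3AES, Hacker, VERSONEX)" from the referenced rule`, would make the structure self-explaining. The same note applies to the five-matcher layout in the miniasp3 hunk further down.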
@@ -1,22 +1,22 @@ -id: malware_linux_billgates - -info: - name: Linux BillGates Malware Detector - author: daffainfo - severity: critical - reference: - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar - - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429 - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "12CUpdateGates" - - "11CUpdateBill" - condition: and +id: linux-billgates-malware + +info: + name: Linux BillGates Malware - Detect + author: daffainfo + severity: info + reference: + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar + - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429 + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "12CUpdateGates" + - "11CUpdateBill" + condition: and diff --git a/malware_linux_elknot.yaml b/Yara-Rules/linux-elknot-malware.yaml similarity index 77% rename from malware_linux_elknot.yaml rename to Yara-Rules/linux-elknot-malware.yaml index c76d9f7..227d4d0 100644 --- a/malware_linux_elknot.yaml +++ b/Yara-Rules/linux-elknot-malware.yaml 
@@ -1,22 +1,22 @@ -id: malware_linux_elknot - -info: - name: Linux Elknot Malware Detector - author: daffainfo - severity: critical - reference: - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar - - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099 - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "ZN8CUtility7DeCryptEPciPKci" - - "ZN13CThreadAttack5StartEP11CCmdMessage" - condition: and +id: linux-elknot-malware + +info: + name: Linux Elknot Malware - Detect + author: daffainfo + severity: info + reference: + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar + - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099 + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "ZN8CUtility7DeCryptEPciPKci" + - "ZN13CThreadAttack5StartEP11CCmdMessage" + condition: and diff --git a/malware_linux_mrblack.yaml b/Yara-Rules/linux-mrblack-malware.yaml similarity index 75% rename from malware_linux_mrblack.yaml rename to Yara-Rules/linux-mrblack-malware.yaml index a7ddd52..2033f67 100644 --- a/malware_linux_mrblack.yaml +++ b/Yara-Rules/linux-mrblack-malware.yaml 
@@ -1,22 +1,22 @@ -id: malware_linux_mrblack - -info: - name: Linux MrBlack Malware Detector - author: daffainfo - severity: critical - reference: - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar - - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483 - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "Mr.Black" - - "VERS0NEX:%s|%d|%d|%s" - condition: and +id: linux-mrblack-malware + +info: + name: Linux MrBlack Malware - Detect + author: daffainfo + severity: info + reference: + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar + - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483 + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "Mr.Black" + - "VERS0NEX:%s|%d|%d|%s" + condition: and diff --git a/malware_linux_tsunami.yaml b/Yara-Rules/linux-tsunami-malware.yaml similarity index 80% rename from malware_linux_tsunami.yaml rename to Yara-Rules/linux-tsunami-malware.yaml index 37ea831..8566ea0 100644 --- a/malware_linux_tsunami.yaml +++ b/Yara-Rules/linux-tsunami-malware.yaml 
@@ -1,21 +1,22 @@ -id: malware_linux_tsunami - -info: - name: Linux Tsunami Malware Detector - author: daffainfo - severity: critical - reference: - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar - - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483 - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: word - words: - - "PRIVMSG %s :[STD]Hitting %s" - - "NOTICE %s :TSUNAMI " - - "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually." +id: linux-tsunami-malware + +info: + name: Linux Tsunami Malware - Detect + author: daffainfo + severity: info + reference: + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar + - http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483 + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "PRIVMSG %s :[STD]Hitting %s" + - "NOTICE %s :TSUNAMI " + - "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually." diff --git a/malware_locky.yaml b/Yara-Rules/locky-malware.yaml similarity index 85% rename from malware_locky.yaml rename to Yara-Rules/locky-malware.yaml index 8f04e10..d2a412d 100644 --- a/malware_locky.yaml +++ b/Yara-Rules/locky-malware.yaml 
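Review bot: The single word matcher on the new side has no `condition:` line, unlike the sibling templates in this series, so the reader has to know the engine's default (which, if this is the nuclei file protocol, is `or`) to tell whether one IRC string or all three are required. Adding `        condition: or` (or `and`, if that is what the referenced rule requires) after the words list removes the ambiguity. The trailing space inside `"NOTICE %s :TSUNAMI "` is presumably intentional and worth a brief inline comment so it is not trimmed by a future reformat.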
@@ -1,31 +1,31 @@ -id: malware_locky - -info: - name: Locky Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: binary - binary: - - "45b899f7f90faf45b88945b8" - - "2b0a0faf4df8894df8c745" - condition: and - - - type: binary - binary: - - "2E006C006F0063006B00790000" - - "005F004C006F0063006B007900" - - "5F007200650063006F00760065" - - "0072005F0069006E0073007400" - - "720075006300740069006F006E" - - "0073002E0074007800740000" - - "536F6674776172655C4C6F636B7900" +id: locky-malware + +info: + name: Locky Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: binary + binary: + - "45b899f7f90faf45b88945b8" + - "2b0a0faf4df8894df8c745" + condition: and + + - type: binary + binary: + - "2E006C006F0063006B00790000" + - "005F004C006F0063006B007900" + - "5F007200650063006F00760065" + - "0072005F0069006E0073007400" + - "720075006300740069006F006E" + - "0073002E0074007800740000" + - "536F6674776172655C4C6F636B7900" condition: and \ No newline at end of file diff --git a/malware_lostdoor.yaml b/Yara-Rules/lostdoor-malware.yaml similarity index 76% rename from malware_lostdoor.yaml rename to Yara-Rules/lostdoor-malware.yaml index 9aee6ab..15100cc 100644 --- a/malware_lostdoor.yaml +++ b/Yara-Rules/lostdoor-malware.yaml 
@@ -1,31 +1,32 @@ -id: malware_lostdoor - -info: - name: LostDoor Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "*mlt* = %" - - "*ip* = %" - - "*victimo* = %" - - "*name* = %" - - "[START]" - - "[DATA]" - - "We Control Your Digital World" - - "RC4Initialize" - - "RC4Decrypt" - condition: and - - - type: binary - binary: +id: lostdoor-malware + +info: + name: LostDoor Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: word + part: raw + words: + - "*mlt* = %" + - "*ip* = %" + - "*victimo* = %" + - "*name* = %" + - "[START]" + - "[DATA]" + - "We Control Your Digital World" + - "RC4Initialize" + - "RC4Decrypt" + condition: and + + - type: binary + binary: - "0D0A2A454449545F5345525645522A0D0A" \ No newline at end of file diff --git a/malware_luminositylink.yaml b/Yara-Rules/luminositylink-malware.yaml similarity index 79% rename from malware_luminositylink.yaml rename to Yara-Rules/luminositylink-malware.yaml index 11e88a4..cb3b11c 100644 --- a/malware_luminositylink.yaml +++ b/Yara-Rules/luminositylink-malware.yaml 
@@ -1,29 +1,29 @@ -id: malware_luminositylink - -info: - name: LuminosityLink Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "SMARTLOGS" - - "RUNPE" - - "b.Resources" - - "CLIENTINFO*" - - "Invalid Webcam Driver Download URL, or Failed to Download File!" - - "Proactive Anti-Malware has been manually activated!" - - "REMOVEGUARD" - - "C0n1f8" - - "Luminosity" - - "LuminosityCryptoMiner" - - "MANAGER*CLIENTDETAILS*" +id: luminositylink-malware + +info: + name: LuminosityLink Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "SMARTLOGS" + - "RUNPE" + - "b.Resources" + - "CLIENTINFO*" + - "Invalid Webcam Driver Download URL, or Failed to Download File!" + - "Proactive Anti-Malware has been manually activated!" + - "REMOVEGUARD" + - "C0n1f8" + - "Luminosity" + - "LuminosityCryptoMiner" + - "MANAGER*CLIENTDETAILS*" condition: and \ No newline at end of file diff --git a/malware_luxnet.yaml b/Yara-Rules/luxnet-malware.yaml similarity index 74% rename from malware_luxnet.yaml rename to Yara-Rules/luxnet-malware.yaml index 71320c0..89e67c9 100644 --- a/malware_luxnet.yaml +++ b/Yara-Rules/luxnet-malware.yaml 
@@ -1,24 +1,24 @@ -id: malware_luxnet - -info: - name: LuxNet Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "GetHashCode" - - "Activator" - - "WebClient" - - "op_Equality" - - "dickcursor.cur" - - "{0}|{1}|{2}" +id: luxnet-malware + +info: + name: LuxNet Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "GetHashCode" + - "Activator" + - "WebClient" + - "op_Equality" + - "dickcursor.cur" + - "{0}|{1}|{2}" condition: and \ No newline at end of file diff --git a/malware_macgyver_installer.yaml b/Yara-Rules/macgyver-installer-malware.yaml similarity index 79% rename from malware_macgyver_installer.yaml rename to Yara-Rules/macgyver-installer-malware.yaml index 874cead..dfe2c14 100644 --- a/malware_macgyver_installer.yaml +++ b/Yara-Rules/macgyver-installer-malware.yaml 
@@ -1,24 +1,24 @@ -id: malware_macgyver_installer - -info: - name: MacGyver.cap Installer Malware Detector - author: daffainfo - severity: critical - reference: - - https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "delete -AID 315041592e5359532e4444463031" - - "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4" - - "-mac_key 404142434445464748494a4b4c4d4e4f" - - "-enc_key 404142434445464748494a4b4c4d4e4f" +id: macgyver-installer-malware + +info: + name: MacGyver.cap Installer Malware - Detect + author: daffainfo + severity: info + reference: + - https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "delete -AID 315041592e5359532e4444463031" + - "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4" + - "-mac_key 404142434445464748494a4b4c4d4e4f" + - "-enc_key 404142434445464748494a4b4c4d4e4f" condition: and \ No newline at end of file diff --git a/malware_macgyver.yaml b/Yara-Rules/macgyver-malware.yaml similarity index 83% rename from malware_macgyver.yaml rename to Yara-Rules/macgyver-malware.yaml index 4cffb2d..883de61 100644 --- a/malware_macgyver.yaml +++ b/Yara-Rules/macgyver-malware.yaml 
@@ -1,27 +1,27 @@ -id: malware_macgyver - -info: - name: MacGyver.cap Malware Detector - author: daffainfo - severity: critical - reference: - - https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "src/MacGyver/javacard/Header.cap" - - "src/MacGyver/javacard/Directory.cap" - - "src/MacGyver/javacard/Applet.cap" - - "src/MacGyver/javacard/Import.cap" - - "src/MacGyver/javacard/ConstantPool.cap" - - "src/MacGyver/javacard/Class.cap" - - "src/MacGyver/javacard/Method.cap" +id: macgyver-malware + +info: + name: MacGyver.cap Malware - Detect + author: daffainfo + severity: info + reference: + - https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "src/MacGyver/javacard/Header.cap" + - "src/MacGyver/javacard/Directory.cap" + - "src/MacGyver/javacard/Applet.cap" + - "src/MacGyver/javacard/Import.cap" + - "src/MacGyver/javacard/ConstantPool.cap" + - "src/MacGyver/javacard/Class.cap" + - "src/MacGyver/javacard/Method.cap" condition: and \ No newline at end of file diff --git a/malware_madness.yaml b/Yara-Rules/madness-malware.yaml similarity index 69% rename from malware_madness.yaml rename to Yara-Rules/madness-malware.yaml index f4e4ab9..666b90f 100644 --- a/malware_madness.yaml +++ b/Yara-Rules/madness-malware.yaml 
@@ -1,28 +1,28 @@ -id: malware_madness - -info: - name: Madness DDOS Malware Detector - author: daffainfo - severity: critical - reference: - - https://github.com/arbor/yara/blob/master/madness.yara - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE" - - "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ==" - - "document.cookie=" - - "[\"cookie\",\"" - - "\"realauth=" - - "\"location\"];" - - "d3Rm" - - "ZXhl" +id: madness-malware + +info: + name: Madness DDOS Malware - Detect + author: daffainfo + severity: info + reference: + - https://github.com/arbor/yara/blob/master/madness.yara + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE" + - "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ==" + - "document.cookie=" + - "[\"cookie\",\"" + - "\"realauth=" + - "\"location\"];" + - "d3Rm" + - "ZXhl" condition: and \ No newline at end of file diff --git a/malware_miner.yaml b/Yara-Rules/miner--malware.yaml similarity index 66% rename from malware_miner.yaml rename to Yara-Rules/miner--malware.yaml index b58bb49..416ac41 100644 --- a/malware_miner.yaml +++ b/Yara-Rules/miner--malware.yaml 
@@ -1,18 +1,19 @@ -id: malware_miner - -info: - name: Miner Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: word - words: - - "stratum+tcp" +id: miner-malware + +info: + name: Miner Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "stratum+tcp" - "stratum+udp" \ No newline at end of file diff --git a/malware_miniasp3.yaml b/Yara-Rules/miniasp3-malware.yaml similarity index 84% rename from malware_miniasp3.yaml rename to Yara-Rules/miniasp3-malware.yaml index 19e76b4..13d843f 100644 --- a/malware_miniasp3.yaml +++ b/Yara-Rules/miniasp3-malware.yaml 
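Review bot: The rename target is `Yara-Rules/miner--malware.yaml` with a doubled hyphen, while the new `id` is `miner-malware` and every other file in this series follows `<name>-malware.yaml`; the path should be `Yara-Rules/miner-malware.yaml`. Independently, the two words `stratum+tcp` and `stratum+udp` with the implicit default condition will hit any legitimate miner, pool client or documentation that names the stratum scheme, so the template detects "mentions stratum" rather than the XMRig family its `reference` cites. Making the condition explicit and, if the referenced rule offers them, adding a more specific string would narrow it.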
@@ -1,54 +1,59 @@ -id: malware_miniasp3 - -info: - name: MiniASP3 Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - "MiniAsp3\\Release\\MiniAsp.pdb" - - "http://%s/about.htm" - - "http://%s/result_%s.htm" - - "open internet failed…" - condition: and - - - type: word - words: - - "MiniAsp3\\Release\\MiniAsp.pdb" - - "http://%s/about.htm" - - "http://%s/result_%s.htm" - - "run error!" - condition: and - - - type: word - words: - - "MiniAsp3\\Release\\MiniAsp.pdb" - - "http://%s/about.htm" - - "http://%s/result_%s.htm" - - "run ok!" - condition: and - - - type: word - words: - - "MiniAsp3\\Release\\MiniAsp.pdb" - - "http://%s/about.htm" - - "http://%s/result_%s.htm" - - "time out,change to mode 0" - condition: and - - - type: word - words: - - "MiniAsp3\\Release\\MiniAsp.pdb" - - "http://%s/about.htm" - - "http://%s/result_%s.htm" - - "command is null!" - condition: and +id: miniasp3-malware + +info: + name: MiniASP3 Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - "MiniAsp3\\Release\\MiniAsp.pdb" + - "http://%s/about.htm" + - "http://%s/result_%s.htm" + - "open internet failed…" + condition: and + + - type: word + part: raw + words: + - "MiniAsp3\\Release\\MiniAsp.pdb" + - "http://%s/about.htm" + - "http://%s/result_%s.htm" + - "run error!" + condition: and + + - type: word + part: raw + words: + - "MiniAsp3\\Release\\MiniAsp.pdb" + - "http://%s/about.htm" + - "http://%s/result_%s.htm" + - "run ok!" 
+ condition: and + + - type: word + part: raw + words: + - "MiniAsp3\\Release\\MiniAsp.pdb" + - "http://%s/about.htm" + - "http://%s/result_%s.htm" + - "time out,change to mode 0" + condition: and + + - type: word + part: raw + words: + - "MiniAsp3\\Release\\MiniAsp.pdb" + - "http://%s/about.htm" + - "http://%s/result_%s.htm" + - "command is null!" + condition: and diff --git a/malware_naikon.yaml b/Yara-Rules/naikon-malware.yaml similarity index 82% rename from malware_naikon.yaml rename to Yara-Rules/naikon-malware.yaml index a90d0f2..255e0f4 100644 --- a/malware_naikon.yaml +++ b/Yara-Rules/naikon-malware.yaml @@ -1,30 +1,31 @@ -id: malware_naikon - -info: - name: Naikon Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: binary - binary: - - "0FAFC1C1E01F" - - "355A010000" - - "81C27F140600" - condition: and - - - type: word - words: - - "NOKIAN95/WEB" - - "/tag=info&id=15" - - "skg(3)=&3.2d_u1" - - "\\Temp\\iExplorer.exe" - - "\\Temp\\\"TSG\"" - condition: or +id: naikon-malware + +info: + name: Naikon Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: binary + binary: + - "0FAFC1C1E01F" + - "355A010000" + - "81C27F140600" + condition: and + + - type: word + part: raw + words: + - "NOKIAN95/WEB" + - "/tag=info&id=15" + - "skg(3)=&3.2d_u1" + - "\\Temp\\iExplorer.exe" + - "\\Temp\\\"TSG\"" + condition: or diff --git a/malware_naspyupdate.yaml b/Yara-Rules/naspyupdate-malware.yaml similarity index 79% rename from malware_naspyupdate.yaml rename to Yara-Rules/naspyupdate-malware.yaml index 1b0b2bc..20fd59f 100644 --- a/malware_naspyupdate.yaml +++ b/Yara-Rules/naspyupdate-malware.yaml 
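Review bot: The five word matchers in the miniasp3 hunk (which starts on the previous line) all repeat the same three strings and differ only in the fourth, so under `matchers-condition: or` they evaluate to "the three shared strings AND any one of five messages"; the same logic fits in two matchers with `matchers-condition: and`, which is easier to read and to keep in sync when the shared strings change. `"open internet failed…"` also ends in a Unicode ellipsis (U+2026), which only matches if the binary really embeds that code point — worth confirming against the referenced MALW_MiniAsp3_mem.yar. The restructured matcher block is below.
```yaml
    # … unchanged: id / info / file / extensions …
    matchers-condition: and
    matchers:
      # strings shared by every variant of the referenced rule
      - type: word
        part: raw
        words:
          - "MiniAsp3\\Release\\MiniAsp.pdb"
          - "http://%s/about.htm"
          - "http://%s/result_%s.htm"
        condition: and

      # any one of the status messages
      - type: word
        part: raw
        words:
          - "open internet failed…"
          - "run error!"
          - "run ok!"
          - "time out,change to mode 0"
          - "command is null!"
        condition: or
```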
@@ -1,26 +1,27 @@ -id: malware_naspyupdate - -info: - name: nAspyUpdate Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: binary - binary: - - "8A5424148A0132C202C28801414E75F4" - - - type: word - words: - - "\\httpclient.txt" - - "password <=14" - - "/%ldn.txt" - - "Kill You\x00" - condition: or +id: naspyupdate-malware + +info: + name: nAspyUpdate Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: binary + binary: + - "8A5424148A0132C202C28801414E75F4" + + - type: word + part: raw + words: + - "\\httpclient.txt" + - "password <=14" + - "/%ldn.txt" + - "Kill You\x00" + condition: or diff --git a/malware_notepad.yaml b/Yara-Rules/notepad-malware.yaml similarity index 62% rename from malware_notepad.yaml rename to Yara-Rules/notepad-malware.yaml index 5186bfc..7797520 100644 --- a/malware_notepad.yaml +++ b/Yara-Rules/notepad-malware.yaml @@ -1,18 +1,19 @@ -id: malware_notepad - -info: - name: Notepad v1.1 Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: word - words: - - "75BAA77C842BE168B0F66C42C7885997" +id: notepad-malware + +info: + name: Notepad v1.1 Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "75BAA77C842BE168B0F66C42C7885997" - "B523F63566F407F3834BCC54AAA32524" \ No newline at end of file 
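Review bot: The two 32-hex-digit strings in the notepad word matcher look like MD5 digests; if the referenced `MALW_Notepad.yar` compares the file's hash rather than searching for these bytes, a `word` match on `part: raw` can never fire, because a file does not contain its own digest. Confirm against the source rule and, if it is a hash rule, use a hash-based matcher if the engine provides one or drop the template rather than ship a check that cannot trigger. The matcher also has no `condition`, leaving the any-of default implicit; add `condition: or` so it reads like the other templates in this commit.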
diff --git a/malware_olyx.yaml b/Yara-Rules/olyx-malware.yaml similarity index 81% rename from malware_olyx.yaml rename to Yara-Rules/olyx-malware.yaml index fdb94e8..2753f6a 100644 --- a/malware_olyx.yaml +++ b/Yara-Rules/olyx-malware.yaml @@ -1,25 +1,26 @@ -id: malware_olyx - -info: - name: Olyx Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - "/Applications/Automator.app/Contents/MacOS/DockLight" - condition: or - - - type: binary - binary: - - "C7400436363636C7400836363636" - - "C740045C5C5C5CC740085C5C5C5C" - condition: or +id: olyx-malware + +info: + name: Olyx Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - "/Applications/Automator.app/Contents/MacOS/DockLight" + condition: or + + - type: binary + binary: + - "C7400436363636C7400836363636" + - "C740045C5C5C5CC740085C5C5C5C" + condition: or diff --git a/malware_osx_leverage.yaml b/Yara-Rules/osx-leverage-malware.yaml similarity index 84% rename from malware_osx_leverage.yaml rename to Yara-Rules/osx-leverage-malware.yaml index bd8c29e..6bdde72 100644 --- a/malware_osx_leverage.yaml +++ b/Yara-Rules/osx-leverage-malware.yaml 
@@ -1,25 +1,25 @@ -id: malware_osx_leverage - -info: - name: OSX Leverage Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F" - - "+:Users:Shared:UserEvent.app:Contents:MacOS:" - - "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'" - - "osascript -e 'tell application \"System Events\" to get the hidden of every login item'" - - "osascript -e 'tell application \"System Events\" to get the name of every login item'" - - "osascript -e 'tell application \"System Events\" to get the path of every login item'" - - "serverVisible \x00" +id: osx-leverage-malware + +info: + name: OSX Leverage Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F" + - "+:Users:Shared:UserEvent.app:Contents:MacOS:" + - "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'" + - "osascript -e 'tell application \"System Events\" to get the hidden of every login item'" + - "osascript -e 'tell application \"System Events\" to get the name of every login item'" + - "osascript -e 'tell application \"System Events\" to get the path of every login item'" + - "serverVisible \x00" condition: and \ No newline at end of file diff --git a/malware_paradox.yaml b/Yara-Rules/paradox-malware.yaml similarity index 74% rename from malware_paradox.yaml rename to Yara-Rules/paradox-malware.yaml index bc6af0e..33b0e3b 100644 --- a/malware_paradox.yaml +++ b/Yara-Rules/paradox-malware.yaml 
@@ -1,25 +1,25 @@ -id: malware_paradox - -info: - name: Paradox Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "ParadoxRAT" - - "Form1" - - "StartRMCam" - - "Flooders" - - "SlowLaris" - - "SHITEMID" - - "set_Remote_Chat" +id: paradox-malware + +info: + name: Paradox Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "ParadoxRAT" + - "Form1" + - "StartRMCam" + - "Flooders" + - "SlowLaris" + - "SHITEMID" + - "set_Remote_Chat" condition: and \ No newline at end of file diff --git a/malware_plasma.yaml b/Yara-Rules/plasma-malware.yaml similarity index 81% rename from malware_plasma.yaml rename to Yara-Rules/plasma-malware.yaml index 78105ae..9e93abc 100644 --- a/malware_plasma.yaml +++ b/Yara-Rules/plasma-malware.yaml 
@@ -1,27 +1,27 @@ -id: malware_plasma - -info: - name: Plasma Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "Miner: Failed to Inject." - - "Started GPU Mining on:" - - "BK: Hard Bot Killer Ran Successfully!" - - "Uploaded Keylogs Successfully!" - - "No Slowloris Attack is Running!" - - "An ARME Attack is Already Running on" - - "Proactive Bot Killer Enabled!" - - "PlasmaRAT" - - "AntiEverything" +id: plasma-malware + +info: + name: Plasma Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "Miner: Failed to Inject." + - "Started GPU Mining on:" + - "BK: Hard Bot Killer Ran Successfully!" + - "Uploaded Keylogs Successfully!" + - "No Slowloris Attack is Running!" + - "An ARME Attack is Already Running on" + - "Proactive Bot Killer Enabled!" + - "PlasmaRAT" + - "AntiEverything" condition: and \ No newline at end of file diff --git a/malware_poetrat.yaml b/Yara-Rules/poetrat-malware.yaml similarity index 80% rename from malware_poetrat.yaml rename to Yara-Rules/poetrat-malware.yaml index 4807a1a..0e073a4 100644 --- a/malware_poetrat.yaml +++ b/Yara-Rules/poetrat-malware.yaml 
@@ -1,33 +1,34 @@ -id: malware_poetrat - -info: - name: PoetRat Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "launcher.py" - - "smile.zip" - - "smile_funs.py" - - "frown.py" - - "backer.py" - - "smile.py" - - "affine.py" - - "cmd" - - ".exe" - condition: and - - - type: regex - regex: - - '(\.py$|\.pyc$|\.pyd$|Python)' - - '\.dll' +id: poetrat-malware + +info: + name: PoetRat Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: word + part: raw + words: + - "launcher.py" + - "smile.zip" + - "smile_funs.py" + - "frown.py" + - "backer.py" + - "smile.py" + - "affine.py" + - "cmd" + - ".exe" + condition: and + + - type: regex + regex: + - '(\.py$|\.pyc$|\.pyd$|Python)' + - '\.dll' condition: and \ No newline at end of file diff --git a/malware_pony.yaml b/Yara-Rules/pony-malware.yaml similarity index 76% rename from malware_pony.yaml rename to Yara-Rules/pony-malware.yaml index 0fad43b..0640e50 100644 --- a/malware_pony.yaml +++ b/Yara-Rules/pony-malware.yaml 
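Review bot: In the regex matcher, `$` in `(\.py$|\.pyc$|\.pyd$|Python)` is end-of-input in Go's RE2 unless `(?m)` is set, so the three anchored alternatives only match when the file's last bytes are the extension and the `Python` alternative does all the work. If line ends were intended, write `'(?m)(\.py$|\.pyc$|\.pyd$|Python)'`; otherwise drop the anchors, noting that an unanchored `\.py` already covers `.pyc` and `.pyd`. The regex matcher is also missing the `part: raw` that the word matcher above it now carries.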
@@ -1,22 +1,22 @@ -id: malware_pony - -info: - name: Pony Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}" - - "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0" - - "POST %s HTTP/1.0" - - "Accept-Encoding: identity, *;q=0" +id: pony-malware + +info: + name: Pony Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}" + - "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0" + - "POST %s HTTP/1.0" + - "Accept-Encoding: identity, *;q=0" condition: and \ No newline at end of file diff --git a/malware_pubsab.yaml b/Yara-Rules/pubsab-malware.yaml similarity index 73% rename from malware_pubsab.yaml rename to Yara-Rules/pubsab-malware.yaml index 0ed91d9..a729ecf 100644 --- a/malware_pubsab.yaml +++ b/Yara-Rules/pubsab-malware.yaml 
@@ -1,25 +1,26 @@ -id: malware_pubsab - -info: - name: PubSab Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - "_deamon_init" - - "com.apple.PubSabAgent" - - "/tmp/screen.jpeg" - condition: or - - - type: binary - binary: +id: pubsab-malware + +info: + name: PubSab Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - "_deamon_init" + - "com.apple.PubSabAgent" + - "/tmp/screen.jpeg" + condition: or + + - type: binary + binary: - "6B45E43789CA29C28955E4" \ No newline at end of file diff --git a/malware_punisher.yaml b/Yara-Rules/punisher-malware.yaml similarity index 78% rename from malware_punisher.yaml rename to Yara-Rules/punisher-malware.yaml index c1e6ac3..4d175df 100644 --- a/malware_punisher.yaml +++ b/Yara-Rules/punisher-malware.yaml 
@@ -1,29 +1,30 @@ -id: malware_punisher - -info: - name: Punisher Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "abccba" - - "SpyTheSpy" - - "wireshark" - - "apateDNS" - - "abccbaDanabccb" - condition: and - - - type: binary - binary: - - "5C006800660068002E007600620073" - - "5C00730063002E007600620073" +id: punisher-malware + +info: + name: Punisher Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: word + part: raw + words: + - "abccba" + - "SpyTheSpy" + - "wireshark" + - "apateDNS" + - "abccbaDanabccb" + condition: and + + - type: binary + binary: + - "5C006800660068002E007600620073" + - "5C00730063002E007600620073" condition: and \ No newline at end of file diff --git a/malware_pypi.yaml b/Yara-Rules/pypi-malware.yaml similarity index 74% rename from malware_pypi.yaml rename to Yara-Rules/pypi-malware.yaml index 988ad9a..94a71fe 100644 --- a/malware_pypi.yaml +++ b/Yara-Rules/pypi-malware.yaml 
@@ -1,23 +1,23 @@ -id: malware_pypi - -info: - name: Fake PyPI Malware Detector - author: daffainfo - severity: critical - reference: - - http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/ - - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "# Welcome Here! :)" - - "# just toy, no harm :)" - - "[0x76,0x21,0xfe,0xcc,0xee]" +id: pypi-malware + +info: + name: Fake PyPI Malware - Detect + author: daffainfo + severity: info + reference: + - http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/ + - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "# Welcome Here! :)" + - "# just toy, no harm :)" + - "[0x76,0x21,0xfe,0xcc,0xee]" condition: and \ No newline at end of file diff --git a/malware_pythorat.yaml b/Yara-Rules/pythorat-malware.yaml similarity index 79% rename from malware_pythorat.yaml rename to Yara-Rules/pythorat-malware.yaml index 531ec46..613fdca 100644 --- a/malware_pythorat.yaml +++ b/Yara-Rules/pythorat-malware.yaml 
@@ -1,26 +1,26 @@ -id: malware_pythorat - -info: - name: PythoRAT Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "TKeylogger" - - "uFileTransfer" - - "TTDownload" - - "SETTINGS" - - "Unknown" - - "#@#@#" - - "PluginData" - - "OnPluginMessage" - condition: and +id: pythorat-malware + +info: + name: PythoRAT Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "TKeylogger" + - "uFileTransfer" + - "TTDownload" + - "SETTINGS" + - "Unknown" + - "#@#@#" + - "PluginData" + - "OnPluginMessage" + condition: and diff --git a/malware_qrat.yaml b/Yara-Rules/qrat-malware.yaml similarity index 84% rename from malware_qrat.yaml rename to Yara-Rules/qrat-malware.yaml index f81b270..7f71656 100644 --- a/malware_qrat.yaml +++ b/Yara-Rules/qrat-malware.yaml 
@@ -1,46 +1,49 @@ -id: malware_qrat - -info: - name: QRat Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - "quaverse/crypter" - - "Qrypt.class" - - "Jarizer.class" - - "URLConnection.class" - condition: and - - - type: word - words: - - "e-data" - - "Qrypt.class" - - "Jarizer.class" - - "URLConnection.class" - condition: and - - - type: word - words: - - "e-data" - - "quaverse/crypter" - - "Jarizer.class" - - "URLConnection.class" - condition: and - - - type: word - words: - - "e-data" - - "quaverse/crypter" - - "Qrypt.class" - - "URLConnection.class" - condition: and +id: qrat-malware + +info: + name: QRat Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - "quaverse/crypter" + - "Qrypt.class" + - "Jarizer.class" + - "URLConnection.class" + condition: and + + - type: word + part: raw + words: + - "e-data" + - "Qrypt.class" + - "Jarizer.class" + - "URLConnection.class" + condition: and + + - type: word + words: + - "e-data" + - "quaverse/crypter" + - "Jarizer.class" + - "URLConnection.class" + condition: and + + - type: word + part: raw + words: + - "e-data" + - "quaverse/crypter" + - "Qrypt.class" + - "URLConnection.class" + condition: and diff --git a/malware_satana_dropper.yaml b/Yara-Rules/satana-dropper-malware.yaml similarity index 67% rename from malware_satana_dropper.yaml rename to Yara-Rules/satana-dropper-malware.yaml index eeded75..14d2a1e 100644 --- a/malware_satana_dropper.yaml +++ b/Yara-Rules/satana-dropper-malware.yaml 
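Review bot: The third word matcher (`e-data`, `quaverse/crypter`, `Jarizer.class`, `URLConnection.class`) is the only one of the four without `part: raw`, even though this commit adds it to the other three; insert `part: raw` after its `- type: word` line. If the engine's default part for the file protocol is raw this is harmless today, but the four branches should be uniform so a default change cannot silently alter one of them.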
@@ -1,21 +1,20 @@ -id: malware_satana_dropper - -info: - name: Satana Dropper Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: binary #Dropper - binary: - - "25732D547279457863657074" - - "643A5C6C626574776D77795C75696A657571706C667775622E706462" - - "71666E7476746862" +id: satana-dropper-malware + +info: + name: Satana Dropper Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: + - "25732D547279457863657074" + - "643A5C6C626574776D77795C75696A657571706C667775622E706462" + - "71666E7476746862" condition: and \ No newline at end of file diff --git a/malware_satana.yaml b/Yara-Rules/satana-malware.yaml similarity index 82% rename from malware_satana.yaml rename to Yara-Rules/satana-malware.yaml index cbb6f4e..a0224d5 100644 --- a/malware_satana.yaml +++ b/Yara-Rules/satana-malware.yaml 
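Review bot: All three `binary` entries here are hex-encoded plain ASCII (decoded from the page: `25732D547279457863657074` is `%s-TryExcept`, `643A5C6C…706462` is `d:\lbetwmwy\uijeuqplfwub.pdb`, `71666E7476746862` is `qfntvthb`), so a `word` matcher with the decoded strings would make the signature reviewable without a hex decoder. The same applies to the tedroo hunk, where `257325732E657865` and `5F6C6F672E747874` decode to `%s%s.exe` and `_log.txt`; spelling those out makes it obvious how generic that two-string AND is and whether it is worth keeping.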
@@ -1,28 +1,28 @@ -id: malware_satana - -info: - name: Satana Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: binary - binary: - - "210073006100740061006E00610021002E0074007800740000" - - "456E756D4C6F63616C526573" - - "574E65744F70656E456E756D5700" - - "21534154414E4121" - condition: and - - - type: binary - binary: - - "7467777975677771" - - "537776776E6775" +id: satana-malware + +info: + name: Satana Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: binary + binary: + - "210073006100740061006E00610021002E0074007800740000" + - "456E756D4C6F63616C526573" + - "574E65744F70656E456E756D5700" + - "21534154414E4121" + condition: and + + - type: binary + binary: + - "7467777975677771" + - "537776776E6775" condition: or \ No newline at end of file diff --git a/malware_shimrat.yaml b/Yara-Rules/shimrat-malware.yaml similarity index 78% rename from malware_shimrat.yaml rename to Yara-Rules/shimrat-malware.yaml index 6e42a70..d6fd677 100644 --- a/malware_shimrat.yaml +++ b/Yara-Rules/shimrat-malware.yaml 
@@ -1,39 +1,42 @@ -id: malware_shimrat - -info: - name: ShimRat Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - ".dll" - - ".dat" - - "QWERTYUIOPLKJHG" - - "MNBVCXZLKJHGFDS" - condition: and - - - type: word - words: - - "Data$$00" - - "Data$$01%c%sData" - condition: and - - - type: word - words: - - "ping localhost -n 9 /c %s > nul" - - "Demo" - - "Win32App" - - "COMSPEC" - - "ShimMain" - - "NotifyShims" - - "GetHookAPIs" +id: shimrat-malware + +info: + name: ShimRat Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - ".dll" + - ".dat" + - "QWERTYUIOPLKJHG" + - "MNBVCXZLKJHGFDS" + condition: and + + - type: word + part: raw + words: + - "Data$$00" + - "Data$$01%c%sData" + condition: and + + - type: word + part: raw + words: + - "ping localhost -n 9 /c %s > nul" + - "Demo" + - "Win32App" + - "COMSPEC" + - "ShimMain" + - "NotifyShims" + - "GetHookAPIs" condition: and \ No newline at end of file diff --git a/malware_shimratreporter.yaml b/Yara-Rules/shimratreporter-malware.yaml similarity index 81% rename from malware_shimratreporter.yaml rename to Yara-Rules/shimratreporter-malware.yaml index 1c9235e..d0e3685 100644 --- a/malware_shimratreporter.yaml +++ b/Yara-Rules/shimratreporter-malware.yaml 
@@ -1,30 +1,30 @@ -id: malware_shimratreporter - -info: - name: ShimRatReporter Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "IP-INFO" - - "Network-INFO" - - "OS-INFO" - - "Process-INFO" - - "Browser-INFO" - - "QueryUser-INFO" - - "Users-INFO" - - "Software-INFO" - - "%02X-%02X-%02X-%02X-%02X-%02X" - - "(from environment) = %s" - - "NetUserEnum" - - "GetNetworkParams" - condition: and +id: shimratreporter-malware + +info: + name: ShimRatReporter Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "IP-INFO" + - "Network-INFO" + - "OS-INFO" + - "Process-INFO" + - "Browser-INFO" + - "QueryUser-INFO" + - "Users-INFO" + - "Software-INFO" + - "%02X-%02X-%02X-%02X-%02X-%02X" + - "(from environment) = %s" + - "NetUserEnum" + - "GetNetworkParams" + condition: and diff --git a/malware_sigma.yaml b/Yara-Rules/sigma-malware.yaml similarity index 75% rename from malware_sigma.yaml rename to Yara-Rules/sigma-malware.yaml index 44753f3..ac2e2cd 100644 --- a/malware_sigma.yaml +++ b/Yara-Rules/sigma-malware.yaml 
@@ -1,27 +1,27 @@ -id: malware_sigma - -info: - name: Sigma Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Sigma.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - ".php?" - - "uid=" - - "&uname=" - - "&os=" - - "&pcname=" - - "&total=" - - "&country=" - - "&network=" - - "&subid=" +id: sigma-malware + +info: + name: Sigma Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Sigma.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - ".php?" + - "uid=" + - "&uname=" + - "&os=" + - "&pcname=" + - "&total=" + - "&country=" + - "&network=" + - "&subid=" condition: and \ No newline at end of file diff --git a/malware_smallnet.yaml b/Yara-Rules/smallnet-malware.yaml similarity index 72% rename from malware_smallnet.yaml rename to Yara-Rules/smallnet-malware.yaml index b432b6d..4279b9d 100644 --- a/malware_smallnet.yaml +++ b/Yara-Rules/smallnet-malware.yaml 
@@ -1,28 +1,28 @@ -id: malware_smallnet - -info: - name: SmallNet Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "!!<3SAFIA<3!!" - - "!!ElMattadorDz!!" - condition: or - - - type: word - words: - - "stub_2.Properties" - - "stub.exe" - - "get_CurrentDomain" - condition: and - +id: smallnet-malware + +info: + name: SmallNet Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "!!<3SAFIA<3!!" + - "!!ElMattadorDz!!" + condition: or + + - type: word + part: raw + words: + - "stub_2.Properties" + - "stub.exe" + - "get_CurrentDomain" + condition: and \ No newline at end of file diff --git a/malware_snake.yaml b/Yara-Rules/snake-malware.yaml similarity index 89% rename from malware_snake.yaml rename to Yara-Rules/snake-malware.yaml index f060c56..4a1a6ed 100644 --- a/malware_snake.yaml +++ b/Yara-Rules/snake-malware.yaml 
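Review bot: Dropping `matchers-condition: and` while two matchers remain changes the template's meaning: nuclei's default is `or`, so the second matcher (`stub_2.Properties`, `stub.exe`, `get_CurrentDomain`) now fires on its own without either `!!<3SAFIA<3!!` or `!!ElMattadorDz!!` being present. Restore `matchers-condition: and` above `matchers:` to keep the original two-part requirement. The other hunks in this commit that remove the key keep a single matcher, where the default makes no difference.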
@@ -1,24 +1,25 @@ -id: malware_snake - -info: - name: Snake Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Snake.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\"" - - - type: binary - binary: - - "89C8BB00CA9A3B89D1F7E381E1FFFFFF3F89C301C889C60500001A3D89042469ED00CA9A3B01EA89CDC1F91F01EB11CA81C600001A3D81D2EB03B2A189542404E81062F6FF" - - "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" +id: snake-malware + +info: + name: Snake Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Snake.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: and + matchers: + - type: word + part: raw + words: + - "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\"" + + - type: binary + binary: + - "89C8BB00CA9A3B89D1F7E381E1FFFFFF3F89C301C889C60500001A3D89042469ED00CA9A3B01EA89CDC1F91F01EB11CA81C600001A3D81D2EB03B2A189542404E81062F6FF" + - "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" condition: and \ No newline at end of file diff --git a/malware_sub7nation.yaml b/Yara-Rules/sub7nation-malware.yaml similarity index 81% rename from malware_sub7nation.yaml rename to Yara-Rules/sub7nation-malware.yaml index 39b832c..fe367eb 100644 --- a/malware_sub7nation.yaml +++ b/Yara-Rules/sub7nation-malware.yaml 
@@ -1,31 +1,31 @@ -id: malware_sub7nation - -info: - name: Sub7Nation Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "EnableLUA /t REG_DWORD /d 0 /f" - - "*A01*" - - "*A02*" - - "*A03*" - - "*A04*" - - "*A05*" - - "*A06*" - - "#@#@#" - - "HostSettings" - - "sevane.tmp" - - "cmd_.bat" - - "a2b7c3d7e4" - - "cmd.dll" - condition: and +id: sub7nation-malware + +info: + name: Sub7Nation Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "EnableLUA /t REG_DWORD /d 0 /f" + - "*A01*" + - "*A02*" + - "*A03*" + - "*A04*" + - "*A05*" + - "*A06*" + - "#@#@#" + - "HostSettings" + - "sevane.tmp" + - "cmd_.bat" + - "a2b7c3d7e4" + - "cmd.dll" + condition: and diff --git a/malware_t5000.yaml b/Yara-Rules/t5000-malware.yaml similarity index 83% rename from malware_t5000.yaml rename to Yara-Rules/t5000-malware.yaml index efd169b..11bd71a 100644 --- a/malware_t5000.yaml +++ b/Yara-Rules/t5000-malware.yaml 
@@ -1,31 +1,32 @@ -id: malware_t5000 - -info: - name: T5000 Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_T5000.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: binary - binary: - - "_tmpR.vbs" - - "_tmpg.vbs" - - "Dtl.dat" - - "3C6FB3CA-69B1-454f-8B2F-BD157762810E" - - "EED5CA6C-9958-4611-B7A7-1238F2E1B17E" - - "8A8FF8AD-D1DE-4cef-B87C-82627677662E" - - "43EE34A9-9063-4d2c-AACD-F5C62B849089" - - "A8859547-C62D-4e8b-A82D-BE1479C684C9" - - "A59CF429-D0DD-4207-88A1-04090680F714" - - "utd_CE31" - - "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb" - - "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb" - - "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb" - - "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb" - condition: and \ No newline at end of file +id: t5000-malware + +info: + name: T5000 Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_T5000.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "_tmpR.vbs" + - "_tmpg.vbs" + - "Dtl.dat" + - "3C6FB3CA-69B1-454f-8B2F-BD157762810E" + - "EED5CA6C-9958-4611-B7A7-1238F2E1B17E" + - "8A8FF8AD-D1DE-4cef-B87C-82627677662E" + - "43EE34A9-9063-4d2c-AACD-F5C62B849089" + - "A8859547-C62D-4e8b-A82D-BE1479C684C9" + - "A59CF429-D0DD-4207-88A1-04090680F714" + - "utd_CE31" + - "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb" + - "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb" + - "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb" + - "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb" + condition: or \ No newline at end of file diff --git a/malware_tedroo.yaml b/Yara-Rules/tedroo-malware.yaml similarity index 69% rename from malware_tedroo.yaml rename to Yara-Rules/tedroo-malware.yaml index 83f1b2f..ad0bb48 100644 --- a/malware_tedroo.yaml 
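Review bot: Switching the t5000 matcher to `condition: or` means any single item matches, so a file containing only `Dtl.dat` or `_tmpR.vbs` is reported as T5000, while the GUIDs and `.pdb` paths are the items that actually discriminate. One option that keeps the short names useful without letting them fire alone is to split them into their own AND-matcher under `matchers-condition: or`, as sketched below; whether that matches the source rule's intent should be checked against `MALW_T5000.yar`.
```yaml
    # … unchanged: id, info and extensions …
    matchers-condition: or
    matchers:
      - type: word
        part: raw
        words:
          - "_tmpR.vbs"
          - "_tmpg.vbs"
          - "Dtl.dat"
          - "utd_CE31"
        condition: and

      - type: word
        part: raw
        words:
          # … unchanged: the six GUIDs and four .pdb paths …
        condition: or
```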
+++ b/Yara-Rules/tedroo-malware.yaml @@ -1,20 +1,19 @@ -id: malware_tedroo - -info: - name: Tedroo Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Tedroo.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: binary - binary: - - "257325732E657865" - - "5F6C6F672E747874" +id: tedroo-malware + +info: + name: Tedroo Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Tedroo.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: + - "257325732E657865" + - "5F6C6F672E747874" condition: and \ No newline at end of file diff --git a/malware_terminator.yaml b/Yara-Rules/terminator-malware.yaml similarity index 73% rename from malware_terminator.yaml rename to Yara-Rules/terminator-malware.yaml index 9908e3d..825b1b1 100644 --- a/malware_terminator.yaml +++ b/Yara-Rules/terminator-malware.yaml @@ -1,20 +1,20 @@ -id: malware_terminator - -info: - name: Terminator Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Terminator.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: and - matchers: - - type: word - words: - - "Accelorator" - - "12356" - condition: and +id: terminator-malware + +info: + name: Terminator Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Terminator.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: word + part: raw + words: + - "Accelorator" + - "12356" + condition: and diff --git a/malware_teslacrypt.yaml b/Yara-Rules/teslacrypt-malware.yaml similarity index 76% rename from malware_teslacrypt.yaml rename to Yara-Rules/teslacrypt-malware.yaml index 45d8ed6..ebf8223 100644 
--- a/malware_teslacrypt.yaml +++ b/Yara-Rules/teslacrypt-malware.yaml @@ -1,17 +1,17 @@ -id: malware_teslacrypt - -info: - name: TeslaCrypt Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_TeslaCrypt.yar - tags: malware,file - -file: - - extensions: - - all - - matchers: - - type: binary - binary: - - "4E6F7720697427732025493A254D25702E00000076616C2069732025640A0000" +id: teslacrypt-malware + +info: + name: TeslaCrypt Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_TeslaCrypt.yar + tags: malware,file + +file: + - extensions: + - all + + matchers: + - type: binary + binary: + - "4E6F7720697427732025493A254D25702E00000076616C2069732025640A0000" diff --git a/malware_tox.yaml b/Yara-Rules/tox-malware.yaml similarity index 80% rename from malware_tox.yaml rename to Yara-Rules/tox-malware.yaml index 2a4d3f0..e5380cb 100644 --- a/malware_tox.yaml +++ b/Yara-Rules/tox-malware.yaml 
@@ -1,32 +1,35 @@ -id: malware_tox - -info: - name: Tox Malware Detector - author: daffainfo - severity: critical - reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Tox.yar - tags: malware,file - -file: - - extensions: - - all - - matchers-condition: or - matchers: - - type: word - words: - - "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<>><<<" - condition: and - - - type: word - words: - - "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<>><<<" +id: tox-malware + +info: + name: Tox Malware - Detect + author: daffainfo + severity: info + reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Tox.yar + tags: malware,file + +file: + - extensions: + - all + + matchers-condition: or + matchers: + - type: word + part: raw + words: + - "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<>><<<" + condition: and + + - type: word + part: raw + words: + - "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<>><<<" condition: and \ No newline at end of file diff --git a/malware_treasurehunt.yaml b/Yara-Rules/treasurehunt-malware.yaml similarity index 75% rename from malware_treasurehunt.yaml rename to Yara-Rules/treasurehunt-malware.yaml index 030f703..dada634 100644 --- a/malware_treasurehunt.yaml +++ b/Yara-Rules/treasurehunt-malware.yaml 
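Review bot: Both word matchers on the new side carry the identical string `n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<>><<<`, so the second matcher and `matchers-condition: or` add nothing over a single matcher. Either the two strings in the referenced RANSOM_Tox.yar differ and one was mis-transcribed (the hunk header counts `-1,32 +1,35` do not match what is visible here, so characters may also have been lost in rendering), or the file should be reduced to one matcher with `matchers-condition` dropped. Worth checking against the upstream rule before merging.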
@@ -1,23 +1,23 @@
-id: malware_treasurehunt
-
-info:
- name: Trickbot Malware Detector
- author: daffainfo
- severity: critical
- reference:
- - http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed
- - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_TreasureHunt.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "treasureHunter.pdb"
- - "jucheck"
- - "cmdLineDecrypted"
+id: treasurehunt-malware
+
+info:
+ name: Trickbot Malware - Detect
+ author: daffainfo
+ severity: info
+ reference:
+ - http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed
+ - https://github.com/Yara-Rules/rules/blob/master/malware/MALW_TreasureHunt.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "treasureHunter.pdb"
+ - "jucheck"
+ - "cmdLineDecrypted"
 condition: and
\ No newline at end of file
diff --git a/malware_trickbot.yaml b/Yara-Rules/trickbot-malware.yaml
similarity index 71%
rename from malware_trickbot.yaml
rename to Yara-Rules/trickbot-malware.yaml
index 417c913..5194508 100644
--- a/malware_trickbot.yaml
+++ b/Yara-Rules/trickbot-malware.yaml
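Review bot: `name: Trickbot Malware - Detect` is a copy-paste error carried onto the new side: the id is `treasurehunt-malware` and the reference is MALW_TreasureHunt.yar, so a hit would be reported under the wrong family name. Change it to `name: TreasureHunt Malware - Detect`. The wabot hunk has the same problem (`name: Warp Malware - Detect` under id `wabot-malware` and MALW_Wabot.yar) and should read `name: Wabot Malware - Detect`.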
@@ -1,23 +1,23 @@
-id: malware_trickbot
-
-info:
- name: Trickbot Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_TrickBot.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "moduleconfig"
- - "Start"
- - "Control"
- - "FreeBuffer"
- - "Release"
+id: trickbot-malware
+
+info:
+ name: Trickbot Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_TrickBot.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "moduleconfig"
+ - "Start"
+ - "Control"
+ - "FreeBuffer"
+ - "Release"
 condition: and
\ No newline at end of file
diff --git a/malware_trumpbot.yaml b/Yara-Rules/trumpbot-malware.yaml
similarity index 67%
rename from malware_trumpbot.yaml
rename to Yara-Rules/trumpbot-malware.yaml
index 7ee5bd8..789a957 100644
--- a/malware_trumpbot.yaml
+++ b/Yara-Rules/trumpbot-malware.yaml
@@ -1,20 +1,20 @@
-id: malware_trumpbot
-
-info:
- name: TrumpBot Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Trumpbot.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "trumpisdaddy"
- - "198.50.154.188"
+id: trumpbot-malware
+
+info:
+ name: TrumpBot Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Trumpbot.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "trumpisdaddy"
+ - "198.50.154.188"
 condition: and
\ No newline at end of file
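Review bot: Four of the five words in the trickbot matcher (`Start`, `Control`, `FreeBuffer`, `Release`) are short generic identifiers that occur in plenty of legitimate binaries, so with `extensions: all` the only discriminating token is `moduleconfig`; `condition: and` narrows it, but false positives on unrelated DLLs are plausible. It is worth checking whether the upstream MALW_TrickBot.yar pairs these strings with a further constraint that the template does not mirror, and recording the outcome above the list as `# generic tokens: moduleconfig is the only distinctive string, keep condition: and`.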
diff --git a/malware_universal_1337.yaml b/Yara-Rules/universal-1337-malware.yaml
similarity index 76%
rename from malware_universal_1337.yaml
rename to Yara-Rules/universal-1337-malware.yaml
index 82a94a1..cb9aee9 100644
--- a/malware_universal_1337.yaml
+++ b/Yara-Rules/universal-1337-malware.yaml
@@ -1,26 +1,26 @@
-id: malware_universal_1337
-
-info:
- name: Universal 1337 Stealer Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Stealer.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: or
- matchers:
- - type: binary
- binary:
- - "2A5B532D502D4C2D492D545D2A"
- - "2A5B482D452D522D455D2A"
- condition: and
-
- - type: binary
- binary:
- - "4654507E"
- - "7E317E317E307E30"
+id: universal-1337-malware
+
+info:
+ name: Universal 1337 Stealer Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Stealer.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: or
+ matchers:
+ - type: binary
+ binary:
+ - "2A5B532D502D4C2D492D545D2A"
+ - "2A5B482D452D522D455D2A"
+ condition: and
+
+ - type: binary
+ binary:
+ - "4654507E"
+ - "7E317E317E307E30"
 condition: and
\ No newline at end of file
diff --git a/malware_unrecom.yaml b/Yara-Rules/unrecom-malware.yaml
similarity index 78%
rename from malware_unrecom.yaml
rename to Yara-Rules/unrecom-malware.yaml
index 7c7ec54..2ec8387 100644
--- a/malware_unrecom.yaml
+++ b/Yara-Rules/unrecom-malware.yaml
@@ -1,23 +1,23 @@
-id: malware_unrecom
-
-info:
- name: Unrecom Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "META-INF"
- - "load/ID"
- - "load/JarMain.class"
- - "load/MANIFEST.MF"
- - "plugins/UnrecomServer.class"
- condition: and
+id: unrecom-malware
+
+info:
+ name: Unrecom Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "META-INF"
+ - "load/ID"
+ - "load/JarMain.class"
+ - "load/MANIFEST.MF"
+ - "plugins/UnrecomServer.class"
+ condition: and
diff --git a/malware_urausy.yaml b/Yara-Rules/urausy-malware.yaml
similarity index 72%
rename from malware_urausy.yaml
rename to Yara-Rules/urausy-malware.yaml
index abd5923..f67df73 100644
--- a/malware_urausy.yaml
+++ b/Yara-Rules/urausy-malware.yaml
@@ -1,24 +1,24 @@
-id: malware_urausy
-
-info:
- name: Urausy Skype Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Urausy.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "skype.dat"
- - "skype.ini"
- - "CreateWindow"
- - "YIWEFHIWQ"
- - "CreateDesktop"
- - "MyDesktop"
+id: urausy-malware
+
+info:
+ name: Urausy Skype Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Urausy.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "skype.dat"
+ - "skype.ini"
+ - "CreateWindow"
+ - "YIWEFHIWQ"
+ - "CreateDesktop"
+ - "MyDesktop"
 condition: and
\ No newline at end of file
diff --git a/malware_vertex.yaml b/Yara-Rules/vertex-malware.yaml
similarity index 78%
rename from malware_vertex.yaml
rename to Yara-Rules/vertex-malware.yaml
index 34870fa..2643f1d 100644
--- a/malware_vertex.yaml
+++ b/Yara-Rules/vertex-malware.yaml
@@ -1,26 +1,26 @@
-id: malware_vertex
-
-info:
- name: Vertex Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "DEFPATH"
- - "HKNAME"
- - "HPORT"
- - "INSTALL"
- - "IPATH"
- - "MUTEX"
- - "PANELPATH"
- - "ROOTURL"
- condition: and
+id: vertex-malware
+
+info:
+ name: Vertex Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "DEFPATH"
+ - "HKNAME"
+ - "HPORT"
+ - "INSTALL"
+ - "IPATH"
+ - "MUTEX"
+ - "PANELPATH"
+ - "ROOTURL"
+ condition: and
diff --git a/malware_virusrat.yaml b/Yara-Rules/virusrat-malware.yaml
similarity index 83%
rename from malware_virusrat.yaml
rename to Yara-Rules/virusrat-malware.yaml
index ed1643a..0b8c2c8 100644
--- a/malware_virusrat.yaml
+++ b/Yara-Rules/virusrat-malware.yaml
@@ -1,30 +1,30 @@
-id: malware_virusrat
-
-info:
- name: VirusRat Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "virustotal"
- - "virusscan"
- - "abccba"
- - "pronoip"
- - "streamWebcam"
- - "DOMAIN_PASSWORD"
- - "Stub.Form1.resources"
- - "ftp://{0}@{1}"
- - "SELECT * FROM moz_logins"
- - "SELECT * FROM moz_disabledHosts"
- - "DynDNS\\Updater\\config.dyndns"
- - "|BawaneH|"
- condition: and
+id: virusrat-malware
+
+info:
+ name: VirusRat Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "virustotal"
+ - "virusscan"
+ - "abccba"
+ - "pronoip"
+ - "streamWebcam"
+ - "DOMAIN_PASSWORD"
+ - "Stub.Form1.resources"
+ - "ftp://{0}@{1}"
+ - "SELECT * FROM moz_logins"
+ - "SELECT * FROM moz_disabledHosts"
+ - "DynDNS\\Updater\\config.dyndns"
+ - "|BawaneH|"
+ condition: and
diff --git a/malware_wabot.yaml b/Yara-Rules/wabot-malware.yaml
similarity index 70%
rename from malware_wabot.yaml
rename to Yara-Rules/wabot-malware.yaml
index 2c091ac..c8a3931 100644
--- a/malware_wabot.yaml
+++ b/Yara-Rules/wabot-malware.yaml
@@ -1,20 +1,19 @@
-id: malware_wabot
-
-info:
- name: Warp Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Wabot.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: binary
- binary:
- - "433A5C6D6172696A75616E612E747874"
- - "7349524334"
+id: wabot-malware
+
+info:
+ name: Warp Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Wabot.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: binary
+ binary:
+ - "433A5C6D6172696A75616E612E747874"
+ - "7349524334"
 condition: and
\ No newline at end of file
diff --git a/malware_warp.yaml b/Yara-Rules/warp-malware.yaml
similarity index 64%
rename from malware_warp.yaml
rename to Yara-Rules/warp-malware.yaml
index eaade5a..3890e02 100644
--- a/malware_warp.yaml
+++ b/Yara-Rules/warp-malware.yaml
@@ -1,25 +1,26 @@
-id: malware_warp
-
-info:
- name: Warp Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Warp.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: or
- matchers:
- - type: word #WarpStrings
- words:
- - "/2011/n325423.shtml?"
- - "wyle"
- - "\\~ISUN32.EXE"
- condition: or
-
- - type: binary #WarpCode
- binary:
+id: warp-malware
+
+info:
+ name: Warp Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Warp.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "/2011/n325423.shtml?"
+ - "wyle"
+ - "\\~ISUN32.EXE"
+ condition: or
+
+ - type: binary
+ binary:
 - "80382B7503C6002D80382F7503C6005F"
\ No newline at end of file
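Review bot: In the warp hunk the `#WarpStrings` and `#WarpCode` comments on the two matchers were dropped on the new side, losing the only link between each matcher and the corresponding string group in the referenced MALW_Warp.yar. Nuclei matchers accept a `name:` key, so `name: warp-strings` on the word matcher and `name: warp-code` on the binary matcher (or simply restoring the comments) keeps that traceability and also labels which matcher fired in output. The yayih hunk drops `#YayihStrings` / `#YayihCode` in the same way and would benefit from the same fix.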
diff --git a/malware_xhide.yaml b/Yara-Rules/xhide-malware.yaml
similarity index 69%
rename from malware_xhide.yaml
rename to Yara-Rules/xhide-malware.yaml
index 655df59..c15a450 100644
--- a/malware_xhide.yaml
+++ b/Yara-Rules/xhide-malware.yaml
@@ -1,20 +1,20 @@
-id: malware_xhide
-
-info:
- name: xHide Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XHide.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'XHide - Process Faker'
- - 'Fakename: %s PidNum: %d'
+id: xhide-malware
+
+info:
+ name: xHide Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XHide.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - 'XHide - Process Faker'
+ - 'Fakename: %s PidNum: %d'
 condition: and
\ No newline at end of file
diff --git a/malware_xor_ddos.yaml b/Yara-Rules/xor-ddos-malware.yaml
similarity index 73%
rename from malware_xor_ddos.yaml
rename to Yara-Rules/xor-ddos-malware.yaml
index ebc1571..668a320 100644
--- a/malware_xor_ddos.yaml
+++ b/Yara-Rules/xor-ddos-malware.yaml
@@ -1,25 +1,25 @@
-id: malware_xor_ddos
-
-info:
- name: XOR_DDosv1 Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XOR_DDos.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "BB2FA36AAA9541F0"
- - "md5="
- - "denyip="
- - "filename="
- - "rmfile="
- - "exec_packet"
- - "build_iphdr"
+id: xor-ddos-malware
+
+info:
+ name: XOR_DDosv1 Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XOR_DDos.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "BB2FA36AAA9541F0"
+ - "md5="
+ - "denyip="
+ - "filename="
+ - "rmfile="
+ - "exec_packet"
+ - "build_iphdr"
 condition: and
\ No newline at end of file
diff --git a/malware_yayih.yaml b/Yara-Rules/yayih-malware.yaml
similarity index 64%
rename from malware_yayih.yaml
rename to Yara-Rules/yayih-malware.yaml
index 2101ae4..2b71a34 100644
--- a/malware_yayih.yaml
+++ b/Yara-Rules/yayih-malware.yaml
@@ -1,26 +1,27 @@
-id: malware_yayih
-
-info:
- name: Yayih Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Yayih.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: or
- matchers:
- - type: word #YayihStrings
- words:
- - "/bbs/info.asp"
- - "\\msinfo.exe"
- - "%s\\%srcs.pdf"
- - "\\aumLib.ini"
- condition: or
-
- - type: binary #YayihCode
- binary:
+id: yayih-malware
+
+info:
+ name: Yayih Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Yayih.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "/bbs/info.asp"
+ - "\\msinfo.exe"
+ - "%s\\%srcs.pdf"
+ - "\\aumLib.ini"
+ condition: or
+
+ - type: binary
+ binary:
 - "8004087A03C18B45FC8034081903C1413B0A7CE9"
\ No newline at end of file
diff --git a/malware_zeghost.yaml b/Yara-Rules/zeghost-malware.yaml
similarity index 77%
rename from malware_zeghost.yaml
rename to Yara-Rules/zeghost-malware.yaml
index ebdff4e..3e5c4be 100644
--- a/malware_zeghost.yaml
+++ b/Yara-Rules/zeghost-malware.yaml
@@ -1,20 +1,19 @@
-id: malware_zeghost
-
-info:
- name: Zegost Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Zegost.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers-condition: and
- matchers:
- - type: binary
- binary:
- - '392F6633304C693575624F35444E414444784738733736327471593D'
- - '00BADA2251426F6D6500'
- condition: and
+id: zeghost-malware
+
+info:
+ name: Zegost Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Zegost.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: binary
+ binary:
+ - '392F6633304C693575624F35444E414444784738733736327471593D'
+ - '00BADA2251426F6D6500'
+ condition: and
diff --git a/malware_zoxpng.yaml b/Yara-Rules/zoxpng-malware.yaml
similarity index 78%
rename from malware_zoxpng.yaml
rename to Yara-Rules/zoxpng-malware.yaml
index 6fda61c..783ee71 100644
--- a/malware_zoxpng.yaml
+++ b/Yara-Rules/zoxpng-malware.yaml
@@ -1,17 +1,18 @@
-id: malware_zoxpng
-
-info:
- name: ZoxPNG Malware Detector
- author: daffainfo
- severity: critical
- reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_ZoxPNG.yar
- tags: malware,file
-
-file:
- - extensions:
- - all
-
- matchers:
- - type: word
- words:
- - "png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58"
+id: zoxpng-malware
+
+info:
+ name: ZoxPNG Malware - Detect
+ author: daffainfo
+ severity: info
+ reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_ZoxPNG.yar
+ tags: malware,file
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58"