feat: added malware detector

patch-1
Muhammad Daffa 2023-02-28 08:18:13 +07:00
parent 52a4a83294
commit 3a1ae28ae6
60 changed files with 1459 additions and 0 deletions


@ -0,0 +1,21 @@
id: malware_alina
info:
name: Alina Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Alina v1.0'
- 'POST'
- '1[0-2])[0-9]'
condition: and


@ -0,0 +1,22 @@
id: malware_andromeda
info:
name: Andromeda Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'
- type: binary
binary:
- "1C1C1D03494746"
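Review bot: The single-quoted word on the first matcher keeps both backslashes literally, because YAML single quotes do no escape processing, so the matcher searches for two consecutive `\` characters at each separator; if the upstream YARA string is double-quoted in the usual way, `\\` there denotes one backslash and this word would never match a real sample. If one backslash per separator is intended, switch to double quotes so `\\` collapses to `\`, e.g. `- "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst"`. The same single-quoted `\\` pattern appears in the arkei template (`'\\files\\'`) and the dexter template (`'%s\\%s\\%s.exe'`, `'\\Internet Explorer\\iexplore.exe'`), while the double-quoted templates later in the commit (miniasp3, naikon, t5000) already resolve to a single backslash. Worth confirming against the referenced rules before changing.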


@ -0,0 +1,23 @@
id: malware_arkei
info:
name: Arkei Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Arkei'
- '/server/gate'
- '/server/grubConfig'
- '\\files\\'
- 'SQLite'
condition: and


@ -0,0 +1,21 @@
id: malware_backoff
info:
name: Backoff Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'
- '%s @ %s'
- 'Upload KeyLogs'
condition: and


@ -0,0 +1,29 @@
id: malware_blackworm
info:
name: Blackworm Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'm_ComputerObjectProvider'
- 'MyWebServices'
- 'get_ExecutablePath'
- 'get_WebServices'
- 'My.WebServices'
- 'My.User'
- 'm_UserObjectProvider'
- 'DelegateCallback'
- 'TargetMethod'
- '000004b0'
- 'Microsoft Corporation'
condition: and


@ -0,0 +1,20 @@
id: malware_bublik
info:
name: Bublik Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- '636F6E736F6C6173'
- '636C556E00696E666F2E696E69'
condition: and


@ -0,0 +1,35 @@
id: malware_cap_hookexkeylogger
info:
name: CAP HookExKeylogger Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD_LL"
condition: and
case-insensitive: true
- type: word
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD"
condition: and
case-insensitive: true
- type: word
words:
- "WH_KEYBOARD"
- "WH_KEYBOARD_LL"
condition: and
case-insensitive: true
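Review bot: The three matchers only test for `SetWindowsHookEx`, `WH_KEYBOARD` and `WH_KEYBOARD_LL`, which are Win32 API and constant names present in any program that installs a keyboard hook (accessibility tools, hotkey utilities, input-method software), so with `extensions: all` and `severity: critical` this template will fire on many benign binaries. The `CAP_` prefix of the referenced rule suggests a capability indicator rather than a family signature; consider lowering `severity` (for example to `medium`) and adding a `description` stating that a hit means keyboard-hooking capability, not a confirmed keylogger, so triage can weight it accordingly. The pairwise `and` groups under `matchers-condition: or` are a reasonable encoding of a "2 of 3" condition, and the case-insensitive flag is applied consistently.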


@ -0,0 +1,26 @@
id: malware_cxpid
info:
name: Cxpid Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word #cxpidStrings
words:
- '/cxpid/submit.php?SessionID='
- '/cxgid/'
- 'E21BC52BEA2FEF26D005CF'
- 'E21BC52BEA39E435C40CD8'
- ' -,L-,O+,Q-,R-,Y-,S-'
- type: binary #cxpidCode
binary:
- "558BECB9380400006A006A004975F9"
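Review bot: The word matcher relies on nuclei's default condition instead of stating it, while the later warp and yayih templates spell out `condition: or` on the equivalent string matcher; adding `condition: or` after the `words` list here keeps the two-matcher templates readable the same way and stops a reader from assuming `and`, which the sibling templates use almost everywhere. The trailing comments `#cxpidStrings` and `#cxpidCode` also lack the space after `#` that yamllint's `comments` rule expects (`# cxpidStrings`); the same applies to the ddostf, glasses, warp and yayih templates.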


@ -0,0 +1,18 @@
id: malware_cythosia
info:
name: Cythosia Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'HarvesterSocksBot.Properties.Resources'


@ -0,0 +1,29 @@
id: malware_ddostf
info:
name: DDoSTf Malware Detector
author: daffainfo
severity: critical
reference:
- http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'ddos.tf'
- 'Accept-Language: zh'
- '%d Kb/bps|%d%%'
condition: and
- type: binary
binary:
- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00' #TCP_KEEPINTVL
- 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00' #TCP_KEEPCNT
condition: and


@ -0,0 +1,25 @@
id: malware_derkziel
info:
name: Derkziel Malware Detector
author: daffainfo
severity: critical
reference:
- https://bhf.su/threads/137898/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- '{!}DRZ{!}'
- 'User-Agent: Uploador'
- 'SteamAppData.vdf'
- 'loginusers.vdf'
- 'config.vdf'
condition: and


@ -0,0 +1,24 @@
id: malware_dexter
info:
name: Dexter Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar
- http://goo.gl/oBvy8b
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Java Security Plugin'
- '%s\\%s\\%s.exe'
- 'Sun Java Security Plugin'
- '\\Internet Explorer\\iexplore.exe'
condition: and


@ -0,0 +1,24 @@
id: malware_diamondfox
info:
name: DiamondFox Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'UPDATE_B'
- 'UNISTALL_B'
- 'S_PROTECT'
- 'P_WALLET'
- 'GR_COMMAND'
- 'FTPUPLOAD'
condition: and


@ -0,0 +1,17 @@
id: malware_eicar
info:
name: Eicar Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
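Review bot: `severity: critical` overstates what a hit means here: the single word is the EICAR anti-virus test string, a harmless file that is deliberately placed on systems to verify AV coverage, so reporting it as critical malware will produce false escalations. Consider `severity: info` (or at most `low`) and `description: EICAR standard anti-virus test file; not malicious, used to verify scanner coverage.` so the finding is actionable for what it is. The string itself is correctly double-quoted, so `\\` resolves to the single backslash the test file contains.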


@ -0,0 +1,21 @@
id: malware_ezcob
info:
name: Ezcob Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12'
- '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12'
- 'Ezcob'
- 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126'
- '20110113144935'
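Review bot: The four `\x12` strings are single-quoted, so YAML keeps the four characters `\`, `x`, `1`, `2` literally and the matcher looks for that text rather than the 0x12 byte the upstream YARA escape denotes; as written these words can only match a file that contains the literal escape sequence. Either double-quote them so YAML decodes `\x12` to the byte (`- "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"`) or, more robustly for non-printable bytes, move them to a `type: binary` matcher with the hex encoding. There is also no `matchers-condition` and no `condition` on the matcher, so nuclei's default `or` applies and any one of the five strings, including the generic `Ezcob`, is enough; confirm that this matches the reference rule's condition.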


@ -0,0 +1,30 @@
id: malware_fudcrypt
info:
name: FUDCrypt Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/gigajew/FudCrypt/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- 'OcYjzPUtJkNbLOABqYvNbvhZf'
- 'gwiXxyIDDtoYzgMSRGMckRbJi'
- 'BclWgISTcaGjnwrzSCIuKruKm'
- 'CJyUSiUNrIVbgksjxpAMUkAJJ'
- 'fAMVdoPUEyHEWdxQIEJPRYbEN'
- 'CIGQUctdcUPqUjoucmcoffECY'
- 'wcZfHOgetgAExzSoWFJFQdAyO'
- 'DqYKDnIoLeZDWYlQWoxZnpfPR'
- 'MkhMoOHCbGUMqtnRDJKnBYnOj'
- 'sHEqLMGglkBAOIUfcSAgMvZfs'
- 'JtZApJhbFAIFxzHLjjyEQvtgd'
- 'IIQrSWZEMmoQIKGuxxwoTwXka'


@ -0,0 +1,22 @@
id: malware_gafgyt_bash
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PONG!'
- 'GETLOCALIP'
- 'HTTPFLOOD'
- 'LUCKYLILDUDE'
condition: and
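Review bot: Six templates in this commit (ids `malware_gafgyt_bash`, `malware_gafgyt_generic`, `malware_gafgyt_hihi`, `malware_gafgyt_hoho`, `malware_gafgyt_jackmy` and `malware_gafgyt_oh`) all carry the identical `name: Gafgyt Malware Detector`, so a report that prints the template name cannot tell a reader which variant signature fired. Put the variant into the name, e.g. `name: Gafgyt Malware Detector (bash variant)` here and likewise for the other five, matching the `id` that already distinguishes them.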


@ -0,0 +1,22 @@
id: malware_gafgyt_generic
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "/bin/busybox;echo -e 'gayfgt'"
- '/proc/net/route'
- 'admin'
- 'root'
condition: and


@ -0,0 +1,24 @@
id: malware_gafgyt_hihi
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PING'
- 'PONG'
- 'TELNET LOGIN CRACKED - %s:%s:%s'
- 'ADVANCEDBOT'
- '46.166.185.92'
- 'LOLNOGTFO'
condition: and


@ -0,0 +1,22 @@
id: malware_gafgyt_hoho
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PING'
- 'PRIVMSG'
- 'Remote IRC Bot'
- '23.95.43.182'
condition: and


@ -0,0 +1,22 @@
id: malware_gafgyt_jackmy
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'PING'
- 'PONG'
- 'jackmy'
- '203.134.%d.%d'
condition: and


@ -0,0 +1,22 @@
id: malware_gafgyt_oh
info:
name: Gafgyt Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'busyboxterrorist'
- 'BOGOMIPS'
- '124.105.97.%d'
- 'fucknet'
condition: and


@ -0,0 +1,21 @@
id: malware_genome
info:
name: Genome Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'Attempting to create more than one keyboard::Monitor instance'
- '{Right windows}'
- 'Access violation - no RTTI data!'
condition: and


@ -0,0 +1,29 @@
id: malware_glasses
info:
name: Glasses Malware Detector
author: daffainfo
severity: critical
reference:
- https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word #GlassesStrings
words:
- 'thequickbrownfxjmpsvalzydg'
- 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'
- '" target="NewRef"></a>'
condition: and
- type: binary #GlassesCode
binary:
- "B8ABAAAAAAF7E1D1EA8D04522BC8"
- "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA"
condition: or


@ -0,0 +1,19 @@
id: malware_gozi
info:
name: Gozi Malware Detector
author: daffainfo
severity: critical
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "63006F006F006B006900650073002E00730071006C006900740065002D006A006F00750072006E0061006C0000004F504552412E45584500"


@ -0,0 +1,19 @@
id: malware_grozlex
info:
name: Grozlex Malware Detector
author: daffainfo
severity: critical
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "4C006F00670073002000610074007400610063006800650064002000620079002000690043006F007A0065006E"


@ -0,0 +1,27 @@
id: malware_insta11
info:
name: Insta11 Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
- 'wudMessage'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
- 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary:
- 'E9000000006823040000'


@ -0,0 +1,29 @@
id: malware_intel_virtualization
info:
name: Intel Virtualization Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- '4C6F6164535452494E47'
- '496E697469616C697A654B6579486F6F6B'
- '46696E645265736F7572636573'
- '4C6F6164535452494E4746726F6D484B4355'
- '6863637574696C732E444C4C'
condition: and
- type: binary # Dynamic dll (malicious)
binary:
- '483A5C466173745C506C756728686B636D64295C'
- '646C6C5C52656C656173655C48696A61636B446C6C2E706462'
condition: and


@ -0,0 +1,27 @@
id: malware_iotreaper
info:
name: IotReaper Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
- 'wudMessage'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
- 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary:
- 'E9000000006823040000'
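Review bot: The matchers in this template are a verbatim copy of the `malware_insta11` template earlier in the commit (`XTALKER7`, `Insta11 Microsoft`, `wudMessage`, the two GUIDs and the `E9000000006823040000` byte pattern), so despite the `id`, `name` and `MALW_IotReaper.yar` reference it detects Insta11, not IoT Reaper, and would double-report Insta11 samples under a misleading family name. Replace the `words` and `binary` lists with the strings from the referenced IotReaper rule before merging; if those strings cannot be carried over, drop this file rather than ship a mislabelled signature.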


@ -0,0 +1,34 @@
id: malware_linux_aesddos
info:
name: Linux AESDDOS Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "3AES"
- "Hacker"
condition: and
- type: word
words:
- "3AES"
- "VERSONEX"
condition: and
- type: word
words:
- "VERSONEX"
- "Hacker"
condition: and


@ -0,0 +1,22 @@
id: malware_linux_billgates
info:
name: Linux BillGates Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "12CUpdateGates"
- "11CUpdateBill"
condition: and


@ -0,0 +1,22 @@
id: malware_linux_elknot
info:
name: Linux Elknot Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "ZN8CUtility7DeCryptEPciPKci"
- "ZN13CThreadAttack5StartEP11CCmdMessage"
condition: and


@ -0,0 +1,22 @@
id: malware_linux_mrblack
info:
name: Linux MrBlack Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "Mr.Black"
- "VERS0NEX:%s|%d|%d|%s"
condition: and


@ -0,0 +1,21 @@
id: malware_linux_tsunami
info:
name: Linux Tsunami Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "PRIVMSG %s :[STD]Hitting %s"
- "NOTICE %s :TSUNAMI <target> <secs>"
- "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."


@ -0,0 +1,27 @@
id: malware_macgyver
info:
name: MacGyver.cap Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "src/MacGyver/javacard/Header.cap"
- "src/MacGyver/javacard/Directory.cap"
- "src/MacGyver/javacard/Applet.cap"
- "src/MacGyver/javacard/Import.cap"
- "src/MacGyver/javacard/ConstantPool.cap"
- "src/MacGyver/javacard/Class.cap"
- "src/MacGyver/javacard/Method.cap"
condition: and


@ -0,0 +1,24 @@
id: malware_macgyver_installer
info:
name: MacGyver.cap Installer Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "delete -AID 315041592e5359532e4444463031"
- "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4"
- "-mac_key 404142434445464748494a4b4c4d4e4f"
- "-enc_key 404142434445464748494a4b4c4d4e4f"
condition: and


@ -0,0 +1,28 @@
id: malware_madness
info:
name: Madness DDOS Malware Detector
author: daffainfo
severity: critical
reference:
- https://github.com/arbor/yara/blob/master/madness.yara
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
- "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
- "document.cookie="
- "[\"cookie\",\""
- "\"realauth="
- "\"location\"];"
- "d3Rm"
- "ZXhl"
condition: and


@ -0,0 +1,18 @@
id: malware_miner
info:
name: Miner Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "stratum+tcp"
- "stratum+udp"
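Review bot: The two words `stratum+tcp` and `stratum+udp` are the URI schemes of the standard mining-pool protocol and appear in every legitimate miner, pool client and a fair amount of documentation, so with no `matchers-condition`, no `condition` (nuclei defaults to `or`) and `extensions: all` this is a presence-of-miner check rather than a malware signature, and `severity: critical` is hard to justify. Consider `severity: medium`, a `description` saying that it flags mining-pool connection strings and needs context to classify, and, if the referenced `MALW_XMRIG_Miner.yar` carries additional XMRig-specific strings, adding them under `condition: and`.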


@ -0,0 +1,54 @@
id: malware_miniasp3
info:
name: MiniASP3 Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "open internet failed…"
condition: and
- type: word
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "run error!"
condition: and
- type: word
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "run ok!"
condition: and
- type: word
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "time out,change to mode 0"
condition: and
- type: word
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "command is null!"
condition: and
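Review bot: The five matchers repeat the same three base strings (`MiniAsp3\\Release\\MiniAsp.pdb`, `http://%s/about.htm`, `http://%s/result_%s.htm`) and differ only in the fourth word, which is "base AND any one of five messages" written out longhand; nuclei expresses that directly with `matchers-condition: and` and two matchers, one `and` over the base strings and one `or` over the five messages, which is shorter and makes the intent obvious at a glance. The rewrite below is logically equivalent to the current `or` over five `and` groups. Separately, `open internet failed…` ends in a Unicode ellipsis; confirm the reference rule uses that character and not three ASCII dots, since an exact-bytes word match depends on it.
```yaml
# … unchanged: id, info and file/extensions stanza …
matchers-condition: and
matchers:
  - type: word
    words:
      - "MiniAsp3\\Release\\MiniAsp.pdb"
      - "http://%s/about.htm"
      - "http://%s/result_%s.htm"
    condition: and
  - type: word
    words:
      - "open internet failed…"
      - "run error!"
      - "run ok!"
      - "time out,change to mode 0"
      - "command is null!"
    condition: or
```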


@ -0,0 +1,30 @@
id: malware_naikon
info:
name: Naikon Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "0FAFC1C1E01F"
- "355A010000"
- "81C27F140600"
condition: and
- type: word
words:
- "NOKIAN95/WEB"
- "/tag=info&id=15"
- "skg(3)=&3.2d_u1"
- "\\Temp\\iExplorer.exe"
- "\\Temp\\\"TSG\""
condition: or


@ -0,0 +1,26 @@
id: malware_naspyupdate
info:
name: nAspyUpdate Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "8A5424148A0132C202C28801414E75F4"
- type: word
words:
- "\\httpclient.txt"
- "password <=14"
- "/%ldn.txt"
- "Kill You\x00"
condition: or


@ -0,0 +1,18 @@
id: malware_notepad
info:
name: Notepad v1.1 Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
words:
- "75BAA77C842BE168B0F66C42C7885997"
- "B523F63566F407F3834BCC54AAA32524"


@ -0,0 +1,25 @@
id: malware_olyx
info:
name: Olyx Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "/Applications/Automator.app/Contents/MacOS/DockLight"
condition: or
- type: binary
binary:
- "C7400436363636C7400836363636"
- "C740045C5C5C5CC740085C5C5C5C"
condition: or


@ -0,0 +1,25 @@
id: malware_osx_leverage
info:
name: OSX Leverage Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"
- "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
- "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
- "osascript -e 'tell application \"System Events\" to get the name of every login item'"
- "osascript -e 'tell application \"System Events\" to get the path of every login item'"
- "serverVisible \x00"
condition: and


@ -0,0 +1,22 @@
id: malware_pony
info:
name: Pony Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
- "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
- "POST %s HTTP/1.0"
- "Accept-Encoding: identity, *;q=0"
condition: and


@ -0,0 +1,25 @@
id: malware_pubsab
info:
name: PubSab Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
words:
- "_deamon_init"
- "com.apple.PubSabAgent"
- "/tmp/screen.jpeg"
condition: or
- type: binary
binary:
- "6B45E43789CA29C28955E4"


@ -0,0 +1,23 @@
id: malware_pypi
info:
name: Fake PyPI Malware Detector
author: daffainfo
severity: critical
reference:
- http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "# Welcome Here! :)"
- "# just toy, no harm :)"
- "[0x76,0x21,0xfe,0xcc,0xee]"
condition: and


@ -0,0 +1,31 @@
id: malware_t5000
info:
name: T5000 Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_T5000.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "_tmpR.vbs"
- "_tmpg.vbs"
- "Dtl.dat"
- "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
- "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
- "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
- "43EE34A9-9063-4d2c-AACD-F5C62B849089"
- "A8859547-C62D-4e8b-A82D-BE1479C684C9"
- "A59CF429-D0DD-4207-88A1-04090680F714"
- "utd_CE31"
- "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
- "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
- "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
- "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
condition: and
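Review bot: The matcher is declared `type: binary` but the `binary` list holds ASCII strings (`_tmpR.vbs`, the GUIDs, the `.pdb` paths) instead of hex-encoded bytes; nuclei hex-decodes binary values, so as written the template either fails to compile or never matches. Change the two lines to `type: word` and `words:` and keep the list as is; the double quotes already turn `\\` into the single backslash the `.pdb` paths contain. Note also that `condition: and` across fourteen strings, including three alternative `.pdb` paths that one build may not all contain, could be stricter than the reference rule; confirm whether the upstream condition is `all of them` or a looser `N of them`.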


@ -0,0 +1,20 @@
id: malware_tedroo
info:
name: Tedroo Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Tedroo.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "257325732E657865"
- "5F6C6F672E747874"
condition: and


@ -0,0 +1,23 @@
id: malware_treasurehunt
info:
name: Trickbot Malware Detector
author: daffainfo
severity: critical
reference:
- http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_TreasureHunt.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "treasureHunter.pdb"
- "jucheck"
- "cmdLineDecrypted"
condition: and
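Review bot: `name: Trickbot Malware Detector` is a copy-paste leftover: the `id` is `malware_treasurehunt`, the reference is `MALW_TreasureHunt.yar` and the words (`treasureHunter.pdb`) are TreasureHunt strings, so hits would be reported under the wrong family. Change the line to `name: TreasureHunt Malware Detector`. The same slip appears in the `malware_wabot` template, which is named `Warp Malware Detector` although its `id` and `MALW_Wabot.yar` reference are Wabot.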


@ -0,0 +1,23 @@
id: malware_trickbot
info:
name: Trickbot Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_TrickBot.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "moduleconfig"
- "Start"
- "Control"
- "FreeBuffer"
- "Release"
condition: and
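Review bot: Four of the five words (`Start`, `Control`, `Release`, `FreeBuffer`) are ordinary identifiers found in a great many Windows binaries, and `moduleconfig` is not much rarer, so even with `condition: and` this template will match benign software and a `critical` finding on it will be hard to trust. If the referenced rule has no tighter strings, a `description` noting that a hit needs corroboration with other TrickBot indicators, together with a lower `severity`, would make the finding honest; adding a more specific TrickBot module export or configuration string to the `and` set would be better still.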


@ -0,0 +1,20 @@
id: malware_trumpbot
info:
name: TrumpBot Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Trumpbot.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "trumpisdaddy"
- "198.50.154.188"
condition: and


@ -0,0 +1,26 @@
id: malware_universal_1337
info:
name: Universal 1337 Stealer Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Stealer.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "2A5B532D502D4C2D492D545D2A"
- "2A5B482D452D522D455D2A"
condition: and
- type: binary
binary:
- "4654507E"
- "7E317E317E307E30"
condition: and


@ -0,0 +1,24 @@
id: malware_urausy
info:
name: Urausy Skype Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Urausy.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "skype.dat"
- "skype.ini"
- "CreateWindow"
- "YIWEFHIWQ"
- "CreateDesktop"
- "MyDesktop"
condition: and


@ -0,0 +1,20 @@
id: malware_wabot
info:
name: Warp Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Wabot.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "433A5C6D6172696A75616E612E747874"
- "7349524334"
condition: and


@ -0,0 +1,25 @@
id: malware_warp
info:
name: Warp Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Warp.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word #WarpStrings
words:
- "/2011/n325423.shtml?"
- "wyle"
- "\\~ISUN32.EXE"
condition: or
- type: binary #WarpCode
binary:
- "80382B7503C6002D80382F7503C6005F"


@ -0,0 +1,20 @@
id: malware_xhide
info:
name: xHide Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XHide.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- 'XHide - Process Faker'
- 'Fakename: %s PidNum: %d'
condition: and


@ -0,0 +1,25 @@
id: malware_xor_ddos
info:
name: XOR_DDosv1 Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XOR_DDos.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
words:
- "BB2FA36AAA9541F0"
- "md5="
- "denyip="
- "filename="
- "rmfile="
- "exec_packet"
- "build_iphdr"
condition: and


@ -0,0 +1,26 @@
id: malware_yayih
info:
name: Yayih Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Yayih.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word #YayihStrings
words:
- "/bbs/info.asp"
- "\\msinfo.exe"
- "%s\\%srcs.pdf"
- "\\aumLib.ini"
condition: or
- type: binary #YayihCode
binary:
- "8004087A03C18B45FC8034081903C1413B0A7CE9"


@ -0,0 +1,20 @@
id: malware_zeghost
info:
name: Zegost Malware Detector
author: daffainfo
severity: critical
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Zegost.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- '392F6633304C693575624F35444E414444784738733736327471593D'
- '00BADA2251426F6D6500'
condition: and