Merge branch 'projectdiscovery:main' into main

patch-1
Arm!tage 2023-08-08 10:04:27 +08:00 committed by GitHub
commit 743fcb0bb2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
370 changed files with 5122 additions and 106 deletions


@ -1,6 +1,6 @@
beautifulsoup4==4.11.1
bs4==0.0.1
certifi==2022.9.24
certifi==2023.7.22
charset-normalizer==2.1.1
idna==3.4
Markdown==3.4.1


@ -1,12 +1,164 @@
file/malware/aar-malware.yaml
file/malware/adzok-malware.yaml
file/malware/alfa-malware.yaml
file/malware/alienspy-malware.yaml
file/malware/alina-malware.yaml
file/malware/alpha-malware.yaml
file/malware/andromeda-malware.yaml
file/malware/ap0calypse-malware.yaml
file/malware/arcom-malware.yaml
file/malware/arkei-malware.yaml
file/malware/backoff-malware.yaml
file/malware/bandook-malware.yaml
file/malware/blacknix-malware.yaml
file/malware/blackworm-malware.yaml
file/malware/bluebanana-malware.yaml
file/malware/bozok-malware.yaml
file/malware/bublik-malware.yaml
file/malware/cap-hookexkeylogger-malware.yaml
file/malware/cerberus-malware.yaml
file/malware/clientmesh-malware.yaml
file/malware/crimson-malware.yaml
file/malware/cryptxxx-dropper-malware.yaml
file/malware/cryptxxx-malware.yaml
file/malware/cxpid-malware.yaml
file/malware/cythosia-malware.yaml
file/malware/darkrat-malware.yaml
file/malware/ddostf-malware.yaml
file/malware/derkziel-malware.yaml
file/malware/dexter-malware.yaml
file/malware/diamondfox-malware.yaml
file/malware/dmalocker-malware.yaml
file/malware/doublepulsar-malware.yaml
file/malware/eicar-malware.yaml
file/malware/erebus-malware.yaml
file/malware/ezcob-malware.yaml
file/malware/fudcrypt-malware.yaml
file/malware/gafgyt-bash-malware.yaml
file/malware/gafgyt-generic-malware.yaml
file/malware/gafgyt-hihi-malware.yaml
file/malware/gafgyt-hoho-malware.yaml
file/malware/gafgyt-jackmy-malware.yaml
file/malware/gafgyt-oh-malware.yaml
file/malware/genome-malware.yaml
file/malware/glass-malware.yaml
file/malware/glasses-malware.yaml
file/malware/gozi-malware.yaml
file/malware/gpgqwerty-malware.yaml
file/malware/greame-malware.yaml
file/malware/grozlex-malware.yaml
file/malware/hawkeye-malware.yaml
file/malware/imminent-malware.yaml
file/malware/infinity-malware.yaml
file/malware/insta11-malware.yaml
file/malware/intel-virtualization-malware.yaml
file/malware/iotreaper-malware.yaml
file/malware/linux-aesddos-malware.yaml
file/malware/linux-billgates-malware.yaml
file/malware/linux-elknot-malware.yaml
file/malware/linux-mrblack-malware.yaml
file/malware/linux-tsunami-malware.yaml
file/malware/locky-malware.yaml
file/malware/lostdoor-malware.yaml
file/malware/luminositylink-malware.yaml
file/malware/luxnet-malware.yaml
file/malware/macgyver-installer-malware.yaml
file/malware/macgyver-malware.yaml
file/malware/madness-malware.yaml
file/malware/miner--malware.yaml
file/malware/miniasp3-malware.yaml
file/malware/naikon-malware.yaml
file/malware/naspyupdate-malware.yaml
file/malware/notepad-malware.yaml
file/malware/olyx-malware.yaml
file/malware/osx-leverage-malware.yaml
file/malware/paradox-malware.yaml
file/malware/plasma-malware.yaml
file/malware/poetrat-malware.yaml
file/malware/pony-malware.yaml
file/malware/pubsab-malware.yaml
file/malware/punisher-malware.yaml
file/malware/pypi-malware.yaml
file/malware/pythorat-malware.yaml
file/malware/qrat-malware.yaml
file/malware/satana-dropper-malware.yaml
file/malware/satana-malware.yaml
file/malware/shimrat-malware.yaml
file/malware/shimratreporter-malware.yaml
file/malware/sigma-malware.yaml
file/malware/smallnet-malware.yaml
file/malware/snake-malware.yaml
file/malware/sub7nation-malware.yaml
file/malware/t5000-malware.yaml
file/malware/tedroo-malware.yaml
file/malware/terminator-malware.yaml
file/malware/teslacrypt-malware.yaml
file/malware/tox-malware.yaml
file/malware/treasurehunt-malware.yaml
file/malware/trickbot-malware.yaml
file/malware/trumpbot-malware.yaml
file/malware/universal-1337-malware.yaml
file/malware/unrecom-malware.yaml
file/malware/urausy-malware.yaml
file/malware/vertex-malware.yaml
file/malware/virusrat-malware.yaml
file/malware/wabot-malware.yaml
file/malware/warp-malware.yaml
file/malware/xhide-malware.yaml
file/malware/xor-ddos-malware.yaml
file/malware/yayih-malware.yaml
file/malware/zeghost-malware.yaml
file/malware/zoxpng-malware.yaml
http/cnvd/2021/CNVD-2021-41972.yaml
http/cnvd/2021/CNVD-2021-43984.yaml
http/cves/2018/CVE-2018-12909.yaml
http/cves/2018/CVE-2018-18809.yaml
http/cves/2018/CVE-2018-7653.yaml
http/cves/2019/CVE-2019-14750.yaml
http/cves/2019/CVE-2019-16057.yaml
http/cves/2019/CVE-2019-7192.yaml
http/cves/2022/CVE-2022-0169.yaml
http/cves/2022/CVE-2022-2414.yaml
http/cves/2022/CVE-2022-40843.yaml
http/cves/2023/CVE-2023-1698.yaml
http/cves/2023/CVE-2023-22478.yaml
http/cves/2023/CVE-2023-22480.yaml
http/cves/2023/CVE-2023-32117.yaml
http/cves/2023/CVE-2023-35082.yaml
http/cves/2023/CVE-2023-37580.yaml
http/cves/2023/CVE-2023-39120.yaml
http/cves/2023/CVE-2023-39143.yaml
http/default-logins/bloofoxcms-default-login.yaml
http/exposed-panels/acenet-panel.yaml
http/exposed-panels/bloofoxcms-login-panel.yaml
http/exposed-panels/discuz-panel.yaml
http/exposed-panels/kodak-network-panel.yaml
http/exposed-panels/mpsec-isg1000-panel.yaml
http/exposures/files/socks5-vpn-config.yaml
http/misconfiguration/bitbucket-auth-bypass.yaml
http/misconfiguration/casdoor-users-password.yaml
http/misconfiguration/clickhouse-unauth-api.yaml
http/misconfiguration/installer/yzmcms-installer.yaml
http/misconfiguration/mobsf-framework-exposure.yaml
http/misconfiguration/openstack-config.yaml
http/misconfiguration/oracle-reports-services.yaml
http/misconfiguration/sonarqube-projects-disclosure.yaml
http/vulnerabilities/apache/apache-solr-rce.yaml
http/vulnerabilities/bsphp-info.yaml
http/vulnerabilities/discuz/discuz-api-pathinfo.yaml
http/vulnerabilities/joomla/joomla-department-sqli.yaml
http/vulnerabilities/netmizer/netmizer-cmd-rce.yaml
http/vulnerabilities/netmizer/netmizer-data-listing.yaml
http/vulnerabilities/other/acti-video-lfi.yaml
http/vulnerabilities/other/avcon6-execl-lfi.yaml
http/vulnerabilities/other/avcon6-lfi.yaml
http/vulnerabilities/other/clodop-printer-lfi.yaml
http/vulnerabilities/other/easyimage-downphp-lfi.yaml
http/vulnerabilities/other/kodak-network-lfi.yaml
http/vulnerabilities/other/sangfor-cphp-rce.yaml
http/vulnerabilities/other/sangfor-download-lfi.yaml
http/vulnerabilities/other/sangfor-sysuser-conf.yaml
http/vulnerabilities/wordpress/photo-gallery-xss.yaml
http/vulnerabilities/zzzcms/zzzcms-info-disclosure.yaml
http/vulnerabilities/zzzcms/zzzcms-ssrf.yaml
http/vulnerabilities/zzzcms/zzzcms-xss.yaml
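Review bot: The entry `file/malware/miner--malware.yaml` is the only path in this list with a doubled hyphen; every other malware template follows the `<name>-malware.yaml` pattern. If this list is generated from the files on disk, the template itself should be renamed to `file/malware/miner-malware.yaml` so the filename matches the convention; if the list is hand-maintained, the entry probably does not resolve to an existing file and should be corrected. The rendering does not show which of the 164 lines are context and which were added, so this entry may predate the commit.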


@ -477,6 +477,7 @@
{"ID":"CVE-2018-12675","Info":{"Name":"SV3C HD Camera L Series - Open Redirect","Severity":"medium","Description":"SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-12675.yaml"}
{"ID":"CVE-2018-1271","Info":{"Name":"Spring MVC Framework - Local File Inclusion","Severity":"medium","Description":"Spring MVC Framework versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported are vulnerable to local file inclusion because they allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). A malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.","Classification":{"CVSSScore":"5.9"}},"file_path":"http/cves/2018/CVE-2018-1271.yaml"}
{"ID":"CVE-2018-1273","Info":{"Name":"Spring Data Commons - Remote Code Execution","Severity":"critical","Description":"Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5,\nand older unsupported versions, contain a property binder vulnerability\ncaused by improper neutralization of special elements.\nAn unauthenticated remote malicious user (or attacker) can supply\nspecially crafted request parameters against Spring Data REST backed HTTP resources\nor using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-1273.yaml"}
{"ID":"CVE-2018-12909","Info":{"Name":"Webgrind \u003c= 1.5 - Local File Inclusion","Severity":"high","Description":"Webgrind 1.5 relies on user input to display a file, which lets anyone view files from the local filesystem (that the webserver user has access to) via an index.php?op=fileviewer\u0026file= URI\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2018/CVE-2018-12909.yaml"}
{"ID":"CVE-2018-12998","Info":{"Name":"Zoho manageengine - Cross-Site Scripting","Severity":"medium","Description":"Zoho manageengine is vulnerable to reflected cross-site scripting. This impacts Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-12998.yaml"}
{"ID":"CVE-2018-1335","Info":{"Name":"Apache Tika \u003c1.1.8- Header Command Injection","Severity":"high","Description":"Apache Tika versions 1.7 to 1.17 allow clients to send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients.","Classification":{"CVSSScore":"8.1"}},"file_path":"http/cves/2018/CVE-2018-1335.yaml"}
{"ID":"CVE-2018-13379","Info":{"Name":"Fortinet FortiOS - Credentials Disclosure","Severity":"critical","Description":"Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal).","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-13379.yaml"}
@ -525,6 +526,7 @@
{"ID":"CVE-2018-18775","Info":{"Name":"Microstrategy Web 7 - Cross-Site Scripting","Severity":"medium","Description":"Microstrategy Web 7 does not sufficiently encode user-controlled inputs, resulting in cross-site scripting via the Login.asp Msg parameter.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-18775.yaml"}
{"ID":"CVE-2018-18777","Info":{"Name":"Microstrategy Web 7 - Local File Inclusion","Severity":"medium","Description":"Microstrategy Web 7 is vulnerable to local file inclusion via \"/WebMstr7/servlet/mstrWeb\" (in the parameter subpage). Remote authenticated users can bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product.\n","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2018/CVE-2018-18777.yaml"}
{"ID":"CVE-2018-18778","Info":{"Name":"ACME mini_httpd \u003c1.30 - Local File Inclusion","Severity":"medium","Description":"ACME mini_httpd before 1.30 is vulnerable to local file inclusion.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2018/CVE-2018-18778.yaml"}
{"ID":"CVE-2018-18809","Info":{"Name":"TIBCO JasperReports Library - Directory Traversal","Severity":"critical","Description":"The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2018/CVE-2018-18809.yaml"}
{"ID":"CVE-2018-18925","Info":{"Name":"Gogs (Go Git Service) 0.11.66 - Remote Code Execution","Severity":"critical","Description":"Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a \"..\" session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-18925.yaml"}
{"ID":"CVE-2018-19136","Info":{"Name":"DomainMOD 4.11.01 - Cross-Site Scripting","Severity":"medium","Description":"DomainMOD 4.11.01 is vulnerable to reflected cross-site scripting via assets/edit/registrar-account.php.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-19136.yaml"}
{"ID":"CVE-2018-19137","Info":{"Name":"DomainMOD 4.11.01 - Cross-Site Scripting","Severity":"medium","Description":"DomainMOD 4.11.01 is vulnerable to reflected cross-site Scripting via assets/edit/ip-address.php.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-19137.yaml"}
@ -575,6 +577,7 @@
{"ID":"CVE-2018-7490","Info":{"Name":"uWSGI PHP Plugin Local File Inclusion","Severity":"high","Description":"uWSGI PHP Plugin before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, making it susceptible to local file inclusion.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2018/CVE-2018-7490.yaml"}
{"ID":"CVE-2018-7600","Info":{"Name":"Drupal - Remote Code Execution","Severity":"critical","Description":"Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-7600.yaml"}
{"ID":"CVE-2018-7602","Info":{"Name":"Drupal - Remote Code Execution","Severity":"critical","Description":"Drupal 7.x and 8.x contain a remote code execution vulnerability that exists within multiple subsystems. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2018/CVE-2018-7602.yaml"}
{"ID":"CVE-2018-7653","Info":{"Name":"YzmCMS v3.6 - Cross-Site Scripting","Severity":"medium","Description":"In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2018/CVE-2018-7653.yaml"}
{"ID":"CVE-2018-7662","Info":{"Name":"CouchCMS \u003c= 2.0 - Path Disclosure","Severity":"medium","Description":"CouchCMS \u003c= 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php.","Classification":{"CVSSScore":"5.3"}},"file_path":"http/cves/2018/CVE-2018-7662.yaml"}
{"ID":"CVE-2018-7700","Info":{"Name":"DedeCMS 5.7SP2 - Cross-Site Request Forgery/Remote Code Execution","Severity":"high","Description":"DedeCMS 5.7SP2 is susceptible to cross-site request forgery with a corresponding impact of arbitrary code execution because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2018/CVE-2018-7700.yaml"}
{"ID":"CVE-2018-7719","Info":{"Name":"Acrolinx Server \u003c5.2.5 - Local File Inclusion","Severity":"high","Description":"Acrolinx Server prior to 5.2.5 suffers from a local file inclusion vulnerability.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2018/CVE-2018-7719.yaml"}
@ -647,6 +650,7 @@
{"ID":"CVE-2019-15858","Info":{"Name":"WordPress Woody Ad Snippets \u003c2.2.5 - Cross-Site Scripting/Remote Code Execution","Severity":"high","Description":"WordPress Woody Ad Snippets prior to 2.2.5 is susceptible to cross-site scripting and remote code execution via admin/includes/class.import.snippet.php, which allows unauthenticated options import as demonstrated by storing a cross-site scripting payload for remote code execution.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"http/cves/2019/CVE-2019-15858.yaml"}
{"ID":"CVE-2019-15859","Info":{"Name":"Socomec DIRIS A-40 Devices Password Disclosure","Severity":"critical","Description":"Socomec DIRIS A-40 devices before 48250501 are susceptible to a password disclosure vulnerability in the web interface that could allow remote attackers to get full access to a device via the /password.jsn URI.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-15859.yaml"}
{"ID":"CVE-2019-15889","Info":{"Name":"WordPress Download Manager \u003c2.9.94 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Download Manager plugin before 2.9.94 contains a cross-site scripting vulnerability via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-15889.yaml"}
{"ID":"CVE-2019-16057","Info":{"Name":"D-Link DNS-320 - Remote Code Execution","Severity":"critical","Description":"The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-16057.yaml"}
{"ID":"CVE-2019-16097","Info":{"Name":"Harbor \u003c=1.82.0 - Privilege Escalation","Severity":"medium","Description":"Harbor 1.7.0 through 1.8.2 is susceptible to privilege escalation via core/api/user.go, which allows allows non-admin users to create admin accounts via the POST /api/users API when Harbor is setup with DB as an authentication backend and allows user to do self-registration.","Classification":{"CVSSScore":"6.5"}},"file_path":"http/cves/2019/CVE-2019-16097.yaml"}
{"ID":"CVE-2019-16123","Info":{"Name":"PilusCart \u003c=1.4.1 - Local File Inclusion","Severity":"high","Description":"PilusCart versions 1.4.1 and prior suffer from a file disclosure vulnerability via local file inclusion.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2019/CVE-2019-16123.yaml"}
{"ID":"CVE-2019-16278","Info":{"Name":"nostromo 1.9.6 - Remote Code Execution","Severity":"critical","Description":"nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via directory traversal in the function http_verify.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-16278.yaml"}
@ -715,6 +719,7 @@
{"ID":"CVE-2019-6715","Info":{"Name":"W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated File Read / Directory Traversal","Severity":"high","Description":"WordPress plugin W3 Total Cache before version 0.9.4 allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data via pub/sns.php.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2019/CVE-2019-6715.yaml"}
{"ID":"CVE-2019-6799","Info":{"Name":"phpMyAdmin \u003c4.8.5 - Local File Inclusion","Severity":"medium","Description":"phpMyAdmin before 4.8.5 is susceptible to local file inclusion. When the AllowArbitraryServer configuration setting is set to true, an attacker can read, with the use of a rogue MySQL server, any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of options(MYSQLI_OPT_LOCAL_INFIL calls.\n","Classification":{"CVSSScore":"5.9"}},"file_path":"http/cves/2019/CVE-2019-6799.yaml"}
{"ID":"CVE-2019-6802","Info":{"Name":"Pypiserver \u003c1.2.5 - Carriage Return Line Feed Injection","Severity":"medium","Description":"Pypiserver through 1.2.5 and below is susceptible to carriage return line feed injection. An attacker can set arbitrary HTTP headers and possibly conduct cross-site scripting attacks via a %0d%0a in a URI.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-6802.yaml"}
{"ID":"CVE-2019-7192","Info":{"Name":"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution","Severity":"critical","Description":"This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-7192.yaml"}
{"ID":"CVE-2019-7219","Info":{"Name":"Zarafa WebApp \u003c=2.0.1.47791 - Cross-Site Scripting","Severity":"medium","Description":"Zarafa WebApp 2.0.1.47791 and earlier contains an unauthenticated reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2019/CVE-2019-7219.yaml"}
{"ID":"CVE-2019-7238","Info":{"Name":"Sonatype Nexus Repository Manager \u003c3.15.0 - Remote Code Execution","Severity":"critical","Description":"Sonatype Nexus Repository Manager before 3.15.0 is susceptible to remote code execution.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2019/CVE-2019-7238.yaml"}
{"ID":"CVE-2019-7254","Info":{"Name":"eMerge E3 1.00-06 - Local File Inclusion","Severity":"high","Description":"Linear eMerge E3-Series devices are vulnerable to local file inclusion.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2019/CVE-2019-7254.yaml"}
@ -1085,7 +1090,7 @@
{"ID":"CVE-2021-24435","Info":{"Name":"WordPress Titan Framework plugin \u003c= 1.12.1 - Cross-Site Scripting","Severity":"medium","Description":"The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24435.yaml"}
{"ID":"CVE-2021-24436","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.4 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.4 is susceptible to cross-site scripting within the extension parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This can allow an attacker to convince an authenticated admin into clicking a link to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24436.yaml"}
{"ID":"CVE-2021-24452","Info":{"Name":"WordPress W3 Total Cache \u003c2.1.5 - Cross-Site Scripting","Severity":"medium","Description":"WordPress W3 Total Cache plugin before 2.1.5 is susceptible to cross-site scripting via the extension parameter in the Extensions dashboard, when the setting 'Anonymously track usage to improve product quality' is enabled. The parameter is output in a JavaScript context without proper escaping. This can allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24452.yaml"}
{"ID":"CVE-2021-24472","Info":{"Name":"Onair2 \u003c 3.9.9.2 \u0026 KenthaRadio \u003c 2.0.2 - Remote File Inclusion/Server-Side Request Forgery","Severity":"critical","Description":"Onair2 \u003c 3.9.9.2 and KenthaRadio \u003c 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24472.yaml"}
{"ID":"CVE-2021-24472","Info":{"Name":"Onair2 \u003c 3.9.9.2 \u0026 KenthaRadio \u003c 2.0.2 - Remote File Inclusion/Server-Side Request Forgery","Severity":"critical","Description":"Onair2 \u003c 3.9.9.2 and KenthaRadio \u003c 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2021/CVE-2021-24472.yaml"}
{"ID":"CVE-2021-24488","Info":{"Name":"WordPress Post Grid \u003c2.1.8 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Post Grid plugin before 2.1.8 contains a reflected cross-site scripting vulnerability. The slider import search feature and tab parameter of thesettings are not properly sanitized before being output back in the pages,","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24488.yaml"}
{"ID":"CVE-2021-24495","Info":{"Name":"Wordpress Marmoset Viewer \u003c1.9.3 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Marmoset Viewer plugin before 1.9.3 contains a cross-site scripting vulnerability. It does not property sanitize, validate, or escape the 'id' parameter before outputting back in the page.","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24495.yaml"}
{"ID":"CVE-2021-24498","Info":{"Name":"WordPress Calendar Event Multi View \u003c1.4.01 - Cross-Site Scripting","Severity":"medium","Description":"WordPress Calendar Event Multi View plugin before 1.4.01 contains an unauthenticated reflected cross-site scripting vulnerability. It does not sanitize or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php).","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2021/CVE-2021-24498.yaml"}
@ -1548,6 +1553,7 @@
{"ID":"CVE-2022-24112","Info":{"Name":"Apache APISIX - Remote Code Execution","Severity":"critical","Description":"A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-24112.yaml"}
{"ID":"CVE-2022-24124","Info":{"Name":"Casdoor 1.13.0 - Unauthenticated SQL Injection","Severity":"high","Description":"Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations.","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2022/CVE-2022-24124.yaml"}
{"ID":"CVE-2022-24129","Info":{"Name":"Shibboleth OIDC OP \u003c3.0.4 - Server-Side Request Forgery","Severity":"high","Description":"The Shibboleth Identity Provider OIDC OP plugin before 3.0.4 is vulnerable to server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter, which allows attackers to interact with arbitrary third-party HTTP services.","Classification":{"CVSSScore":"8.2"}},"file_path":"http/cves/2022/CVE-2022-24129.yaml"}
{"ID":"CVE-2022-2414","Info":{"Name":"FreeIPA - XML Entity Injection","Severity":"high","Description":"Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2022/CVE-2022-2414.yaml"}
{"ID":"CVE-2022-24181","Info":{"Name":"PKP Open Journal Systems 2.4.8-3.3 - Cross-Site Scripting","Severity":"medium","Description":"PKP Open Journal Systems 2.4.8 to 3.3 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2022/CVE-2022-24181.yaml"}
{"ID":"CVE-2022-24223","Info":{"Name":"Atom CMS v2.0 - SQL Injection","Severity":"critical","Description":"AtomCMS v2.0 was discovered to contain a SQL injection vulnerability via /admin/login.php.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-24223.yaml"}
{"ID":"CVE-2022-24260","Info":{"Name":"VoipMonitor - Pre-Auth SQL Injection","Severity":"critical","Description":"A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2022/CVE-2022-24260.yaml"}
@ -1857,6 +1863,8 @@
{"ID":"CVE-2023-2122","Info":{"Name":"Image Optimizer by 10web \u003c 1.0.26 - Cross-Site Scripting","Severity":"medium","Description":"Image Optimizer by 10web before 1.0.26 is susceptible to cross-site scripting via the iowd_tabs_active parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-2122.yaml"}
{"ID":"CVE-2023-2130","Info":{"Name":"Purchase Order Management v1.0 - SQL Injection","Severity":"critical","Description":"A vulnerability classified as critical has been found in SourceCodester Purchase Order Management System 1.0. Affected is an unknown function of the file /admin/suppliers/view_details.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-226206 is the identifier assigned to this vulnerability.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-2130.yaml"}
{"ID":"CVE-2023-2178","Info":{"Name":"Aajoda Testimonials \u003c 2.2.2 - Cross-Site Scripting","Severity":"medium","Description":"The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-2178.yaml"}
{"ID":"CVE-2023-22478","Info":{"Name":"KubePi \u003c= v1.6.4 LoginLogsSearch - Unauthorized Access","Severity":"high","Description":"KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-22478.yaml"}
{"ID":"CVE-2023-22480","Info":{"Name":"KubeOperator Foreground `kubeconfig` - File Download","Severity":"critical","Description":"KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2023/CVE-2023-22480.yaml"}
{"ID":"CVE-2023-2252","Info":{"Name":"Directorist \u003c 7.5.4 - Local File Inclusion","Severity":"medium","Description":"Directorist before 7.5.4 is susceptible to Local File Inclusion as it does not validate the file parameter when importing CSV files.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-2252.yaml"}
{"ID":"CVE-2023-22620","Info":{"Name":"SecurePoint UTM 12.x Session ID Leak","Severity":"high","Description":"An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows sessionid information disclosure via an invalid authentication attempt. This can afterwards be used to bypass the device's authentication and get access to the administrative interface.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-22620.yaml"}
{"ID":"CVE-2023-2272","Info":{"Name":"Tiempo.com \u003c= 0.1.2 - Cross-Site Scripting","Severity":"medium","Description":"Tiempo.com before 0.1.2 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.\n","Classification":{"CVSSScore":"6.1"}},"file_path":"http/cves/2023/CVE-2023-2272.yaml"}
@ -1962,3 +1970,5 @@
{"ID":"CVE-2023-38205","Info":{"Name":"Adobe ColdFusion - Access Control Bypass","Severity":"high","Description":"","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-38205.yaml"}
{"ID":"CVE-2023-3836","Info":{"Name":"Dahua Smart Park Management - Arbitrary File Upload","Severity":"high","Description":"Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-3836.yaml"}
{"ID":"CVE-2023-38646","Info":{"Name":"Metabase \u003c 0.46.6.1 - Remote Code Execution","Severity":"critical","Description":"Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.\n","Classification":{"CVSSScore":"N/A"}},"file_path":"http/cves/2023/CVE-2023-38646.yaml"}
{"ID":"CVE-2023-39120","Info":{"Name":"Nodogsplash - Directory Traversal","Severity":"high","Description":"Nodogsplash product was affected by a directory traversal vulnerability that also impacted the OpenWrt product. This vulnerability was addressed in Nodogsplash version 5.0.1. Exploiting this vulnerability, remote attackers could read arbitrary files from the target system.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2023/CVE-2023-39120.yaml"}
{"ID":"CVE-2023-39143","Info":{"Name":"PaperCut \u003c 22.1.3 - Path Traversal","Severity":"critical","Description":"PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files.","Classification":{"CVSSScore":"9.4"}},"file_path":"http/cves/2023/CVE-2023-39143.yaml"}


@ -1 +1 @@
b58b2350b7c7c0ab742dbd60851e3b31
a11349fed98e93a8bbebdc46ec6718ae


@ -10,21 +10,17 @@ info:
- https://www.theregister.com/2021/02/24/dns_cname_tracking/
- https://www.ionos.com/digitalguide/hosting/technical-matters/cname-record/
metadata:
max-request: 2
max-request: 1
tags: dns,service
dns:
- name: "{{FQDN}}"
type: CNAME
- name: "{{FQDN}}"
type: A
extractors:
- type: regex
group: 1
regex:
- 'IN\t(?:A|CNAME)\t([A-Za-z0-9-_.]*([a-zA-Z]+[0-9]+|[0-9.]+[a-zA-Z]+))'
- type: dsl
dsl:
- cname
matchers-condition: or
matchers:
@ -389,6 +385,7 @@ dns:
words:
- hs.eloqua.com
- type: word
words:
- type: regex
regex:
- "IN\tCNAME"
- "IN\\s*CNAME"
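Review bot: The new pattern `IN\\s*CNAME` (regex `IN\s*CNAME` once YAML unescapes it) accepts zero whitespace between the two tokens, so the substring `INCNAME` anywhere in the response text would satisfy it as well. In a DNS answer the class and the record type are always separated, so `- "IN\\s+CNAME"` keeps the intent of the old tab-separated word without widening it. The template's matcher list continues outside the hunk, so whether another matcher already constrains this cannot be checked here.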


@ -0,0 +1,25 @@
id: aar-malware
info:
name: AAR Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Hashtable"
- "get_IsDisposed"
- "TripleDES"
- "testmemory.FRMMain.resources"
- "$this.Icon"
- "{11111-22222-20001-00001}"
- "@@@@@"
condition: and


@ -0,0 +1,110 @@
id: adzok-malware
info:
name: Adzok Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "Uninstall.jarPK"
- "resources/icono.pngPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "Uninstall.jarPK"
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
- "svd$1.classPK"
- "svd$2.classPK"
- "Mensaje.classPK"
- "inic$ShutdownHook.class"
- "resources/icono.pngPK"
condition: and


@ -0,0 +1,19 @@
id: alfa-malware
info:
name: Alfa Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "8B0C9781E1FFFF000081F919040000740F81F9"
- "220400007407423BD07CE2EB02"
condition: and


@ -0,0 +1,25 @@
id: alienspy-malware
info:
name: AlienSpy Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "META-INF/MANIFEST.MF"
- "ePK"
- "kPK"
- "config.ini"
- "password.ini"
- "stub/stub.dll"
- "c.dat"
condition: and


@ -0,0 +1,21 @@
id: alina-malware
info:
name: Alina Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'Alina v1.0'
- 'POST'
- '1[0-2])[0-9]'
condition: and
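Review bot: The third word `'1[0-2])[0-9]'` reads as a regex fragment (note the unmatched `)`), but a `word` matcher compares it as literal text, so with `condition: and` the template only fires on a file that contains that exact bracket sequence, which in practice is never. If the upstream rule intended a pattern, this entry belongs in a separate `- type: regex` matcher (`regex:` / `- '1[0-2])[0-9]'`, with the parenthesis balanced to whatever the source rule has); if it really is meant literally, a comment saying so would stop the next reader from "fixing" it.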


@ -0,0 +1,17 @@
id: alpha-malware
info:
name: Alpha Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "520065006100640020004D0065002000280048006F00770020004400650063"


@ -0,0 +1,23 @@
id: andromeda-malware
info:
name: Andromeda Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'
- type: binary
binary:
- "1C1C1D03494746"
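Review bot: The single-quoted word `'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'` keeps both backslashes, because single-quoted YAML performs no escape processing, so the matcher searches for two consecutive `\` bytes where the referenced rule almost certainly encodes one; with `matchers-condition: and` the whole template then never fires. Double quotes, which bandook-malware in this same commit already uses for the same purpose, collapse `\\` to a single backslash: `- "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst"`. The same quoting issue affects `'\\files\\'` in arkei-malware and `'%s\\%s\\%s.exe'` / `'\\Internet Explorer\\iexplore.exe'` in dexter-malware, both of which also use `condition: and`.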


@ -0,0 +1,24 @@
id: ap0calypse-malware
info:
name: Ap0calypse Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Ap0calypse"
- "Sifre"
- "MsgGoster"
- "Baslik"
- "Dosyalars"
- "Injecsiyon"
condition: and


@ -0,0 +1,28 @@
id: arcom-malware
info:
name: Arcom Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "CVu3388fnek3W(3ij3fkp0930di"
- "ZINGAWI2"
- "clWebLightGoldenrodYellow"
- "Ancestor for '%s' not found"
- "Control-C hit"
condition: and
- type: binary
binary:
- "A3242521"


@ -0,0 +1,23 @@
id: arkei-malware
info:
name: Arkei Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'Arkei'
- '/server/gate'
- '/server/grubConfig'
- '\\files\\'
- 'SQLite'
condition: and


@ -0,0 +1,21 @@
id: backoff-malware
info:
name: Backoff Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'
- '%s @ %s'
- 'Upload KeyLogs'
condition: and


@ -0,0 +1,28 @@
id: bandook-malware
info:
name: Bandook Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "aaaaaa1|"
- "aaaaaa2|"
- "aaaaaa3|"
- "aaaaaa4|"
- "aaaaaa5|"
- "%s%d.exe"
- "astalavista"
- "givemecache"
- "%s\\system32\\drivers\\blogs\\*"
- "bndk13me"
condition: and


@ -0,0 +1,23 @@
id: blacknix-malware
info:
name: BlackNix Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "SETTINGS"
- "Mark Adler"
- "Random-Number-Here"
- "RemoteShell"
- "SystemInfo"
condition: and


@ -0,0 +1,29 @@
id: blackworm-malware
info:
name: Blackworm Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'm_ComputerObjectProvider'
- 'MyWebServices'
- 'get_ExecutablePath'
- 'get_WebServices'
- 'My.WebServices'
- 'My.User'
- 'm_UserObjectProvider'
- 'DelegateCallback'
- 'TargetMethod'
- '000004b0'
- 'Microsoft Corporation'
condition: and


@ -0,0 +1,24 @@
id: bluebanana-malware
info:
name: BlueBanana Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "META-INF"
- "config.txt"
- "a/a/a/a/f.class"
- "a/a/a/a/l.class"
- "a/a/a/b/q.class"
- "a/a/a/b/v.class"
condition: and


@ -0,0 +1,24 @@
id: bozok-malware
info:
name: Bozok Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "getVer"
- "StartVNC"
- "SendCamList"
- "untPlugin"
- "gethostbyname"
condition: and
case-insensitive: true


@ -0,0 +1,19 @@
id: bublik-malware
info:
name: Bublik Malware Detector
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- '636F6E736F6C6173'
- '636C556E00696E666F2E696E69'
condition: and
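Review bot: The `name` field `Bublik Malware Detector` breaks the `<Family> Malware - Detect` naming that every other template in this batch uses; the name is what nuclei prints for a hit and what downstream reporting groups on, so the outlier makes this family sort and filter differently from the rest. `name: Bublik Malware - Detect` restores consistency.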


@ -0,0 +1,38 @@
id: cap-hookexkeylogger-malware
info:
name: CAP HookExKeylogger Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD_LL"
condition: and
case-insensitive: true
- type: word
part: raw
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD"
condition: and
case-insensitive: true
- type: word
part: raw
words:
- "WH_KEYBOARD"
- "WH_KEYBOARD_LL"
condition: and
case-insensitive: true


@ -0,0 +1,28 @@
id: cerberus-malware
info:
name: Cerberus Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "Ypmw1Syv023QZD"
- "wZ2pla"
- "wBmpf3Pb7RJe"
condition: or
- type: word
part: raw
words:
- "cerberus"
case-insensitive: true
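Review bot: The second matcher is the single case-insensitive word `cerberus` and the top-level condition is `matchers-condition: or`, so any file that merely mentions the name (documentation, AV signature databases, this template itself) is reported as a detection, and the more specific first matcher adds nothing. Either drop the second matcher, or change the top level to `matchers-condition: and` so the family name only confirms a hit on the specific strings rather than producing one by itself.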


@ -0,0 +1,29 @@
id: clientmesh-malware
info:
name: ClientMesh Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "machinedetails"
- "MySettings"
- "sendftppasswords"
- "sendbrowserpasswords"
- "arma2keyMass"
- "keylogger"
condition: and
- type: binary
binary:
- "0000000000000000007E"


@ -0,0 +1,23 @@
id: crimson-malware
info:
name: Crimson Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "com/crimson/PK"
- "com/crimson/bootstrapJar/PK"
- "com/crimson/permaJarMulti/PermaJarReporter$1.classPK"
- "com/crimson/universal/containers/KeyloggerLog.classPK"
- "com/crimson/universal/UploadTransfer.classPK"
condition: and


@ -0,0 +1,19 @@
id: cryptxxx-dropper-malware
info:
name: CryptXXX Dropper Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "50653157584346765962486F35"
- "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
condition: and


@ -0,0 +1,42 @@
id: cryptxxx-malware
info:
name: CryptXXX Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "525947404A41595D52000000FFFFFFFF"
- "0600000052594740405A0000FFFFFFFF"
- "0A000000525C4B4D574D424B5C520000"
- "FFFFFFFF0A000000525D575D5A4B4370"
- "3F520000FFFFFFFF06000000524C4141"
- "5A520000FFFFFFFF0A000000525C4B4D"
- "41584B5C57520000FFFFFFFF0E000000"
- "522A5C4B4D574D424B204C4740520000"
- "FFFFFFFF0A000000525E4B5C48424149"
- "5D520000FFFFFFFF05000000524B4847"
- "52000000FFFFFFFF0C000000524D4140"
- "48474920435D475200000000FFFFFFFF"
- "0A000000525E5C41495C4F703F520000"
- "FFFFFFFF0A000000525E5C41495C4F70"
- "3C520000FFFFFFFF0800000052494141"
- "49424B5200000000FFFFFFFF06000000"
- "525A4B435E520000FFFFFFFF08000000"
- "52483A4C4D703F5200000000FFFFFFFF"
- "0A000000524F42425B5D4B703F520000"
- "FFFFFFFF0A000000525E5C41495C4F70"
- "3F520000FFFFFFFF0A000000525E5C41"
- "495C4F703C520000FFFFFFFF09000000"
- "524F5E5E4A4F5A4F52000000FFFFFFFF"
- "0A000000525E5C41495C4F703D520000"
- "FFFFFFFF08000000525E5B4C42474D52"
condition: and
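Review bot: The 25 `binary` entries are each exactly 32 hex digits and read as consecutive slices of one contiguous byte sequence, but joined with `condition: and` they only require every slice to appear somewhere in the file, not adjacently or in order; that is looser than a single pattern and also costs 25 scans instead of one. If they are one pattern, concatenating them into a single entry (or a few long ones) restores the original strictness. This is an inference from their shape, so verify against the referenced RANSOM_.CRYPTXXX.yar; the second matcher of locky-malware later in the commit has the same shape.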


@ -0,0 +1,27 @@
id: cxpid-malware
info:
name: Cxpid Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- '/cxpid/submit.php?SessionID='
- '/cxgid/'
- 'E21BC52BEA2FEF26D005CF'
- 'E21BC52BEA39E435C40CD8'
- ' -,L-,O+,Q-,R-,Y-,S-'
- type: binary
binary:
- "558BECB9380400006A006A004975F9"


@ -0,0 +1,18 @@
id: cythosia-malware
info:
name: Cythosia Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'HarvesterSocksBot.Properties.Resources'


@ -0,0 +1,25 @@
id: darkrat-malware
info:
name: DarkRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "@1906dark1996coder@"
- "SHEmptyRecycleBinA"
- "mciSendStringA"
- "add_Shutdown"
- "get_SaveMySettingsOnExit"
- "get_SpecialDirectories"
- "Client.My"
condition: and


@ -0,0 +1,30 @@
id: ddostf-malware
info:
name: DDoSTf Malware - Detect
author: daffainfo
severity: info
reference:
- http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'ddos.tf'
- 'Accept-Language: zh'
- '%d Kb/bps|%d%%'
condition: and
- type: binary
binary:
- 'E8AEBEE7BDAE5443505F4B454550494E54564CE99499E8AFAFEFBC9A00'
- 'E8AEBEE7BDAE5443505F4B454550434E54E99499E8AFAFEFBC9A00'
condition: and


@ -0,0 +1,25 @@
id: derkziel-malware
info:
name: Derkziel Malware - Detect
author: daffainfo
severity: info
reference:
- https://bhf.su/threads/137898/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- '{!}DRZ{!}'
- 'User-Agent: Uploador'
- 'SteamAppData.vdf'
- 'loginusers.vdf'
- 'config.vdf'
condition: and


@ -0,0 +1,24 @@
id: dexter-malware
info:
name: Dexter Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar
- http://goo.gl/oBvy8b
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'Java Security Plugin'
- '%s\\%s\\%s.exe'
- 'Sun Java Security Plugin'
- '\\Internet Explorer\\iexplore.exe'
condition: and


@ -0,0 +1,24 @@
id: diamondfox-malware
info:
name: DiamondFox Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'UPDATE_B'
- 'UNISTALL_B'
- 'S_PROTECT'
- 'P_WALLET'
- 'GR_COMMAND'
- 'FTPUPLOAD'
condition: and


@ -0,0 +1,22 @@
id: dmalocker-malware
info:
name: DMA Locker Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "41424358595a3131"
- "21444d414c4f434b"
- "21444d414c4f434b332e30"
- "3F520000FFFFFFFF06000000524C4141"
- "21444d414c4f434b342e30"
condition: or
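Review bot: The fourth `binary` entry `3F520000FFFFFFFF06000000524C4141` is byte-for-byte one of the CryptXXX fragments in cryptxxx-malware earlier in this commit, and nothing in the other four entries (the ASCII markers `ABCXYZ11`, `!DMALOCK`, `!DMALOCK3.0`, `!DMALOCK4.0`) relates to it; with `condition: or` every CryptXXX sample is therefore also reported as DMA Locker, which looks like a copy-paste slip. Unless the referenced RANSOM_DMALocker.yar rule really carries that byte sequence, remove the line. The remaining entries also mix lowercase and uppercase hex; one case throughout reads better.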


@ -0,0 +1,19 @@
id: doublepulsar-malware
info:
name: DoublePulsar Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE"
- "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741"
condition: or


@ -0,0 +1,18 @@
id: eicar-malware
info:
name: Eicar Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@ -0,0 +1,20 @@
id: erebus-malware
info:
name: Erebus Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
- "EREBUS IS BEST."
condition: and


@ -0,0 +1,23 @@
id: ezcob-malware
info:
name: Ezcob Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12'
- '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12'
- 'Ezcob'
- 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126'
- '20110113144935'
condition: or
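Review bot: The `\x12` sequences in the first, second and fourth words are single-quoted, so YAML leaves them as the four literal characters `\`, `x`, `1`, `2` rather than the 0x12 byte the referenced rule encodes, and the word matcher then searches for text that does not occur in the sample. Double quotes make YAML decode the escapes (`"\x12F\x12F\x129\x12E..."`), or, more robustly for non-printable bytes, these three entries can move into a `- type: binary` matcher written as hex (`\x12F` becoming `1246`, and so on). Because `condition: or` is set, `'Ezcob'` and `'20110113144935'` still allow a hit, which is why the dead entries are not noticed.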


@ -0,0 +1,31 @@
id: fudcrypt-malware
info:
name: FUDCrypt Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/gigajew/FudCrypt/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'OcYjzPUtJkNbLOABqYvNbvhZf'
- 'gwiXxyIDDtoYzgMSRGMckRbJi'
- 'BclWgISTcaGjnwrzSCIuKruKm'
- 'CJyUSiUNrIVbgksjxpAMUkAJJ'
- 'fAMVdoPUEyHEWdxQIEJPRYbEN'
- 'CIGQUctdcUPqUjoucmcoffECY'
- 'wcZfHOgetgAExzSoWFJFQdAyO'
- 'DqYKDnIoLeZDWYlQWoxZnpfPR'
- 'MkhMoOHCbGUMqtnRDJKnBYnOj'
- 'sHEqLMGglkBAOIUfcSAgMvZfs'
- 'JtZApJhbFAIFxzHLjjyEQvtgd'
- 'IIQrSWZEMmoQIKGuxxwoTwXka'
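Review bot: The twelve-word matcher sets no `condition`, so the engine's default (`or`) applies and a file containing any single one of these identifiers is reported; the sibling templates in this commit spell out `condition: and` or `condition: or`, and this one should too so the intended semantics (the source rule's `any of them` or `all of them`) are readable rather than implied. The same omission is in linux-tsunami-malware, whose three IRC strings also carry no `condition`.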


@ -0,0 +1,22 @@
id: gafgyt-bash-malware
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'PONG!'
- 'GETLOCALIP'
- 'HTTPFLOOD'
- 'LUCKYLILDUDE'
condition: and
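Review bot: Five of the six Gafgyt templates (gafgyt-bash, gafgyt-generic, gafgyt-hihi, gafgyt-hoho, gafgyt-jackmy) share the identical `name: Gafgyt Malware - Detect`, while only gafgyt-oh distinguishes its variant in the name; since the name is what nuclei prints and what reports group on, hits from the five are indistinguishable without opening the template id. Naming each variant, e.g. `name: Gafgyt Bash Malware - Detect`, follows the pattern gafgyt-oh already uses.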


@ -0,0 +1,22 @@
id: gafgyt-generic-malware
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "/bin/busybox;echo -e 'gayfgt'"
- '/proc/net/route'
- 'admin'
- 'root'
condition: and


@ -0,0 +1,24 @@
id: gafgyt-hihi-malware
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PONG'
- 'TELNET LOGIN CRACKED - %s:%s:%s'
- 'ADVANCEDBOT'
- '46.166.185.92'
- 'LOLNOGTFO'
condition: and


@ -0,0 +1,22 @@
id: gafgyt-hoho-malware
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PRIVMSG'
- 'Remote IRC Bot'
- '23.95.43.182'
condition: and


@ -0,0 +1,22 @@
id: gafgyt-jackmy-malware
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PONG'
- 'jackmy'
- '203.134.%d.%d'
condition: and


@ -0,0 +1,22 @@
id: gafgyt-oh-malware
info:
name: Gafgyt Oh Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'busyboxterrorist'
- 'BOGOMIPS'
- '124.105.97.%d'
- 'fucknet'
condition: and


@ -0,0 +1,21 @@
id: genome-malware
info:
name: Genome Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- 'Attempting to create more than one keyboard::Monitor instance'
- '{Right windows}'
- 'Access violation - no RTTI data!'
condition: and


@ -0,0 +1,22 @@
id: glass-malware
info:
name: Glass Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "PostQuitMessage"
- "pwlfnn10,gzg"
- "update.dll"
- "_winver"
condition: and


@ -0,0 +1,30 @@
id: glasses-malware
info:
name: Glasses Malware - Detect
author: daffainfo
severity: info
reference:
- https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'thequickbrownfxjmpsvalzydg'
- 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'
- '" target="NewRef"></a>'
condition: and
- type: binary
binary:
- "B8ABAAAAAAF7E1D1EA8D04522BC8"
- "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA"
condition: or


@ -0,0 +1,19 @@
id: gozi-malware
info:
name: Gozi Malware - Detect
author: daffainfo
severity: info
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "63006F006F006B006900650073002E00730071006C006900740065002D006A006F00750072006E0061006C0000004F504552412E45584500"


@ -0,0 +1,22 @@
id: gpgqwerty-malware
info:
name: GPGQwerty Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "gpg.exe recipient qwerty -o"
- "%s%s.%d.qwerty"
- "del /Q /F /S %s$recycle.bin"
- "cryz1@protonmail.com"
condition: and


@ -0,0 +1,31 @@
id: greame-malware
info:
name: Greame Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "EditSvr"
- "TLoader"
- "Stroks"
- "Avenger by NhT"
- "####@####"
- "GREAME"
condition: and
- type: binary
binary:
- "232323234023232323E8EEE9F9232323234023232323"
- "232323234023232323FAFDF0EFF9232323234023232323"
condition: and


@ -0,0 +1,19 @@
id: grozlex-malware
info:
name: Grozlex Malware - Detect
author: daffainfo
severity: info
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "4C006F00670073002000610074007400610063006800650064002000620079002000690043006F007A0065006E"


@ -0,0 +1,27 @@
id: hawkeye-malware
info:
name: HawkEye Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "HawkEyeKeylogger"
- "099u787978786"
- "HawkEye_Keylogger"
- "holdermail.txt"
- "wallet.dat"
- "Keylog Records"
- "<!-- do not script -->"
- "\\pidloc.txt"
- "BSPLIT"
condition: and


@ -0,0 +1,37 @@
id: imminent-malware
info:
name: Imminent Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "DecodeProductKey"
- "StartHTTPFlood"
- "CodeKey"
- "MESSAGEBOX"
- "GetFilezillaPasswords"
- "DataIn"
- "UDPzSockets"
condition: and
- type: word
part: raw
words:
- "<URL>k__BackingField"
- "<RunHidden>k__BackingField"
- "DownloadAndExecute"
- "england.png"
- "-CHECK & PING -n 2 127.0.0.1 & EXIT"
- "Showed Messagebox"
condition: and


@ -0,0 +1,26 @@
id: infinity-malware
info:
name: Infinity Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "CRYPTPROTECT_PROMPTSTRUCT"
- "discomouse"
- "GetDeepInfo"
- "AES_Encrypt"
- "StartUDPFlood"
- "BATScripting"
- "FBqINhRdpgnqATxJ.html"
- "magic_key"
condition: and


@ -0,0 +1,28 @@
id: insta11-malware
info:
name: Insta11 Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
- 'wudMessage'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
- 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary:
- 'E9000000006823040000'


@ -0,0 +1,29 @@
id: intel-virtualization-malware
info:
name: Intel Virtualization Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- '4C6F6164535452494E47'
- '496E697469616C697A654B6579486F6F6B'
- '46696E645265736F7572636573'
- '4C6F6164535452494E4746726F6D484B4355'
- '6863637574696C732E444C4C'
condition: and
- type: binary
binary:
- '483A5C466173745C506C756728686B636D64295C'
- '646C6C5C52656C656173655C48696A61636B446C6C2E706462'
condition: and


@ -0,0 +1,28 @@
id: iotreaper-malware
info:
name: IotReaper Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
- 'wudMessage'
- 'ECD4FC4D-521C-11D0-B792-00A0C90312E1'
- 'B12AE898-D056-4378-A844-6D393FE37956'
condition: or
- type: binary
binary:
- 'E9000000006823040000'
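Review bot: The matchers in this template are identical to those of insta11-malware earlier in the commit — the words `XTALKER7`, `Insta11 Microsoft`, `wudMessage`, the two GUIDs and the binary `E9000000006823040000` — yet the id, name and reference all say IotReaper (MALW_IotReaper.yar). Every Insta11 hit is therefore double-reported as IotReaper, and actual IotReaper samples are not covered at all; the matcher block needs to be replaced with the strings from the referenced rule.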


@ -0,0 +1,37 @@
id: linux-aesddos-malware
info:
name: Linux AESDDOS Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "3AES"
- "Hacker"
condition: and
- type: word
part: raw
words:
- "3AES"
- "VERSONEX"
condition: and
- type: word
part: raw
words:
- "VERSONEX"
- "Hacker"
condition: and


@ -0,0 +1,22 @@
id: linux-billgates-malware
info:
name: Linux BillGates Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "12CUpdateGates"
- "11CUpdateBill"
condition: and


@ -0,0 +1,22 @@
id: linux-elknot-malware
info:
name: Linux Elknot Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ZN8CUtility7DeCryptEPciPKci"
- "ZN13CThreadAttack5StartEP11CCmdMessage"
condition: and


@ -0,0 +1,22 @@
id: linux-mrblack-malware
info:
name: Linux MrBlack Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Mr.Black"
- "VERS0NEX:%s|%d|%d|%s"
condition: and


@ -0,0 +1,22 @@
id: linux-tsunami-malware
info:
name: Linux Tsunami Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "PRIVMSG %s :[STD]Hitting %s"
- "NOTICE %s :TSUNAMI <target> <secs>"
- "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."


@ -0,0 +1,31 @@
id: locky-malware
info:
name: Locky Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "45b899f7f90faf45b88945b8"
- "2b0a0faf4df8894df8c745"
condition: and
- type: binary
binary:
- "2E006C006F0063006B00790000"
- "005F004C006F0063006B007900"
- "5F007200650063006F00760065"
- "0072005F0069006E0073007400"
- "720075006300740069006F006E"
- "0073002E0074007800740000"
- "536F6674776172655C4C6F636B7900"
condition: and


@ -0,0 +1,32 @@
id: lostdoor-malware
info:
name: LostDoor Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "*mlt* = %"
- "*ip* = %"
- "*victimo* = %"
- "*name* = %"
- "[START]"
- "[DATA]"
- "We Control Your Digital World"
- "RC4Initialize"
- "RC4Decrypt"
condition: and
- type: binary
binary:
- "0D0A2A454449545F5345525645522A0D0A"


@ -0,0 +1,29 @@
id: luminositylink-malware
info:
name: LuminosityLink Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "SMARTLOGS"
- "RUNPE"
- "b.Resources"
- "CLIENTINFO*"
- "Invalid Webcam Driver Download URL, or Failed to Download File!"
- "Proactive Anti-Malware has been manually activated!"
- "REMOVEGUARD"
- "C0n1f8"
- "Luminosity"
- "LuminosityCryptoMiner"
- "MANAGER*CLIENTDETAILS*"
condition: and


@ -0,0 +1,24 @@
id: luxnet-malware
info:
name: LuxNet Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "GetHashCode"
- "Activator"
- "WebClient"
- "op_Equality"
- "dickcursor.cur"
- "{0}|{1}|{2}"
condition: and


@ -0,0 +1,24 @@
id: macgyver-installer-malware
info:
name: MacGyver.cap Installer Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "delete -AID 315041592e5359532e4444463031"
- "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4"
- "-mac_key 404142434445464748494a4b4c4d4e4f"
- "-enc_key 404142434445464748494a4b4c4d4e4f"
condition: and


@ -0,0 +1,27 @@
id: macgyver-malware
info:
name: MacGyver.cap Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "src/MacGyver/javacard/Header.cap"
- "src/MacGyver/javacard/Directory.cap"
- "src/MacGyver/javacard/Applet.cap"
- "src/MacGyver/javacard/Import.cap"
- "src/MacGyver/javacard/ConstantPool.cap"
- "src/MacGyver/javacard/Class.cap"
- "src/MacGyver/javacard/Method.cap"
condition: and


@ -0,0 +1,28 @@
id: madness-malware
info:
name: Madness DDOS Malware - Detect
author: daffainfo
severity: info
reference:
- https://github.com/arbor/yara/blob/master/madness.yara
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
- "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="
- "document.cookie="
- "[\"cookie\",\""
- "\"realauth="
- "\"location\"];"
- "d3Rm"
- "ZXhl"
condition: and


@ -0,0 +1,19 @@
id: miner-malware
info:
name: Miner Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "stratum+tcp"
- "stratum+udp"


@ -0,0 +1,59 @@
id: miniasp3-malware
info:
name: MiniASP3 Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "open internet failed…"
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "run error!"
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "run ok!"
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "time out,change to mode 0"
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
- "http://%s/result_%s.htm"
- "command is null!"
condition: and
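Review bot: `open internet failed…` in the first matcher uses the Unicode ellipsis (U+2026) rather than three ASCII periods; if the string in the binary and in the referenced YARA rule is `open internet failed...`, that branch can never match and the remaining four branches carry the detection alone, so it is worth checking against the source rule. Separately, the five matchers repeat the same three strings and differ only in one status string each; because `matchers-condition: or` over (shared ∧ sᵢ) is equivalent to shared ∧ (s₁ ∨ … ∨ s₅), the block collapses to two matchers under `matchers-condition: and`, which is easier to read and to extend. The restructured matcher block is below; the status string is left as it appears in the hunk pending that check.
```yaml
    matchers-condition: and
    matchers:
      - type: word
        part: raw
        words:
          - "MiniAsp3\\Release\\MiniAsp.pdb"
          - "http://%s/about.htm"
          - "http://%s/result_%s.htm"
        condition: and
      - type: word
        part: raw
        words:
          - "open internet failed…"
          - "run error!"
          - "run ok!"
          - "time out,change to mode 0"
          - "command is null!"
        condition: or
```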


@ -0,0 +1,31 @@
id: naikon-malware
info:
name: Naikon Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "0FAFC1C1E01F"
- "355A010000"
- "81C27F140600"
condition: and
- type: word
part: raw
words:
- "NOKIAN95/WEB"
- "/tag=info&id=15"
- "skg(3)=&3.2d_u1"
- "\\Temp\\iExplorer.exe"
- "\\Temp\\\"TSG\""
condition: or


@ -0,0 +1,27 @@
id: naspyupdate-malware
info:
name: nAspyUpdate Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: binary
binary:
- "8A5424148A0132C202C28801414E75F4"
- type: word
part: raw
words:
- "\\httpclient.txt"
- "password <=14"
- "/%ldn.txt"
- "Kill You\x00"
condition: or


@ -0,0 +1,19 @@
id: notepad-malware
info:
name: Notepad v1.1 Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "75BAA77C842BE168B0F66C42C7885997"
- "B523F63566F407F3834BCC54AAA32524"
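Review bot: The word matcher has no `condition`, so the two 32-character hex strings are combined with nuclei's default `or`. The sibling templates in this commit declare the condition explicitly; add `condition: or` here (or `condition: and` if both strings are expected in the same file) so the intended semantics are visible in the template rather than inherited from the default.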


@ -0,0 +1,26 @@
id: olyx-malware
info:
name: Olyx Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "/Applications/Automator.app/Contents/MacOS/DockLight"
condition: or
- type: binary
binary:
- "C7400436363636C7400836363636"
- "C740045C5C5C5CC740085C5C5C5C"
condition: or


@ -0,0 +1,25 @@
id: osx-leverage-malware
info:
name: OSX Leverage Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"
- "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
- "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
- "osascript -e 'tell application \"System Events\" to get the name of every login item'"
- "osascript -e 'tell application \"System Events\" to get the path of every login item'"
- "serverVisible \x00"
condition: and


@ -0,0 +1,25 @@
id: paradox-malware
info:
name: Paradox Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ParadoxRAT"
- "Form1"
- "StartRMCam"
- "Flooders"
- "SlowLaris"
- "SHITEMID"
- "set_Remote_Chat"
condition: and


@ -0,0 +1,27 @@
id: plasma-malware
info:
name: Plasma Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Miner: Failed to Inject."
- "Started GPU Mining on:"
- "BK: Hard Bot Killer Ran Successfully!"
- "Uploaded Keylogs Successfully!"
- "No Slowloris Attack is Running!"
- "An ARME Attack is Already Running on"
- "Proactive Bot Killer Enabled!"
- "PlasmaRAT"
- "AntiEverything"
condition: and


@ -0,0 +1,34 @@
id: poetrat-malware
info:
name: PoetRat Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "launcher.py"
- "smile.zip"
- "smile_funs.py"
- "frown.py"
- "backer.py"
- "smile.py"
- "affine.py"
- "cmd"
- ".exe"
condition: and
- type: regex
regex:
- '(\.py$|\.pyc$|\.pyd$|Python)'
- '\.dll'
condition: and
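Review bot: The regex `(\.py$|\.pyc$|\.pyd$|Python)` anchors three of its alternatives with `$`, which in Go's regexp engine (what nuclei uses) matches only at the end of the whole input unless multi-line mode is enabled; against a raw file body those alternatives will almost never fire and the matcher effectively reduces to the literal `Python`. If end-of-line matching was the intent, prefix the pattern with `(?m)`; if the literal alone is acceptable, drop the anchored alternatives so the rule says what it does. With `matchers-condition: and` the filename list still keeps the rule tight, so this is a precision issue rather than a false-positive one.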


@ -0,0 +1,22 @@
id: pony-malware
info:
name: Pony Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
- "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
- "POST %s HTTP/1.0"
- "Accept-Encoding: identity, *;q=0"
condition: and


@ -0,0 +1,26 @@
id: pubsab-malware
info:
name: PubSab Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "_deamon_init"
- "com.apple.PubSabAgent"
- "/tmp/screen.jpeg"
condition: or
- type: binary
binary:
- "6B45E43789CA29C28955E4"


@ -0,0 +1,30 @@
id: punisher-malware
info:
name: Punisher Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "abccba"
- "SpyTheSpy"
- "wireshark"
- "apateDNS"
- "abccbaDanabccb"
condition: and
- type: binary
binary:
- "5C006800660068002E007600620073"
- "5C00730063002E007600620073"
condition: and


@ -0,0 +1,23 @@
id: pypi-malware
info:
name: Fake PyPI Malware - Detect
author: daffainfo
severity: info
reference:
- http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "# Welcome Here! :)"
- "# just toy, no harm :)"
- "[0x76,0x21,0xfe,0xcc,0xee]"
condition: and


@ -0,0 +1,26 @@
id: pythorat-malware
info:
name: PythoRAT Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "TKeylogger"
- "uFileTransfer"
- "TTDownload"
- "SETTINGS"
- "Unknown"
- "#@#@#"
- "PluginData"
- "OnPluginMessage"
condition: and


@ -0,0 +1,49 @@
id: qrat-malware
info:
name: QRat Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "quaverse/crypter"
- "Qrypt.class"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
part: raw
words:
- "e-data"
- "Qrypt.class"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
words:
- "e-data"
- "quaverse/crypter"
- "Jarizer.class"
- "URLConnection.class"
condition: and
- type: word
part: raw
words:
- "e-data"
- "quaverse/crypter"
- "Qrypt.class"
- "URLConnection.class"
condition: and
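Review bot: The third matcher (the `e-data` / `quaverse/crypter` / `Jarizer.class` / `URLConnection.class` set) omits `part: raw` while the other three specify it. If nuclei's default part for file-protocol matchers differs from `raw`, that branch inspects different data from its siblings and silently changes the 3-of-4 logic the four matchers encode; adding `part: raw` to it is harmless if the default already is `raw` and fixes the branch if it is not.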


@ -0,0 +1,20 @@
id: satana-dropper-malware
info:
name: Satana Dropper Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "25732D547279457863657074"
- "643A5C6C626574776D77795C75696A657571706C667775622E706462"
- "71666E7476746862"
condition: and


@ -0,0 +1,28 @@
id: satana-malware
info:
name: Satana Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
- "210073006100740061006E00610021002E0074007800740000"
- "456E756D4C6F63616C526573"
- "574E65744F70656E456E756D5700"
- "21534154414E4121"
condition: and
- type: binary
binary:
- "7467777975677771"
- "537776776E6775"
condition: or
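Review bot: The `reference` cites `RANSOM_.CRYPTXXX.yar`, which does not look like the source of a Satana rule; the satana-dropper template in this same commit cites `RANSOM_Satana.yar`, so this is probably a copy-paste from the CryptXXX template and should be confirmed and corrected. The second binary matcher also uses `condition: or` under `matchers-condition: and`, unlike the `and` on the first; a short comment such as `# second group: any one of these hex patterns suffices` would make the asymmetry read as deliberate.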


@ -0,0 +1,42 @@
id: shimrat-malware
info:
name: ShimRat Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: or
matchers:
- type: word
part: raw
words:
- ".dll"
- ".dat"
- "QWERTYUIOPLKJHG"
- "MNBVCXZLKJHGFDS"
condition: and
- type: word
part: raw
words:
- "Data$$00"
- "Data$$01%c%sData"
condition: and
- type: word
part: raw
words:
- "ping localhost -n 9 /c %s > nul"
- "Demo"
- "Win32App"
- "COMSPEC"
- "ShimMain"
- "NotifyShims"
- "GetHookAPIs"
condition: and


@ -0,0 +1,30 @@
id: shimratreporter-malware
info:
name: ShimRatReporter Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "IP-INFO"
- "Network-INFO"
- "OS-INFO"
- "Process-INFO"
- "Browser-INFO"
- "QueryUser-INFO"
- "Users-INFO"
- "Software-INFO"
- "%02X-%02X-%02X-%02X-%02X-%02X"
- "(from environment) = %s"
- "NetUserEnum"
- "GetNetworkParams"
condition: and


@ -0,0 +1,27 @@
id: sigma-malware
info:
name: Sigma Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Sigma.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- ".php?"
- "uid="
- "&uname="
- "&os="
- "&pcname="
- "&total="
- "&country="
- "&network="
- "&subid="
condition: and


@ -0,0 +1,28 @@
id: smallnet-malware
info:
name: SmallNet Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "!!<3SAFIA<3!!"
- "!!ElMattadorDz!!"
condition: or
- type: word
part: raw
words:
- "stub_2.Properties"
- "stub.exe"
- "get_CurrentDomain"
condition: and
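Review bot: No `matchers-condition` is declared, so nuclei applies its default `or` and the second matcher (`stub_2.Properties`, `stub.exe`, `get_CurrentDomain`) can fire on its own; `stub.exe` and `get_CurrentDomain` are likely common enough in ordinary .NET binaries that this will be noisy. The explicit `condition: or` on the marker strings next to `condition: and` on the second group suggests the intended logic is one marker together with all three of the second group, which needs `matchers-condition: and` above `matchers:`. Every other multi-matcher template in this commit declares `matchers-condition` explicitly.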


@ -0,0 +1,25 @@
id: snake-malware
info:
name: Snake Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Snake.yar
tags: malware,file
file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\""
- type: binary
binary:
- "89C8BB00CA9A3B89D1F7E381E1FFFFFF3F89C301C889C60500001A3D89042469ED00CA9A3B01EA89CDC1F91F01EB11CA81C600001A3D81D2EB03B2A189542404E81062F6FF"
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
condition: and


@ -0,0 +1,31 @@
id: sub7nation-malware
info:
name: Sub7Nation Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "EnableLUA /t REG_DWORD /d 0 /f"
- "*A01*"
- "*A02*"
- "*A03*"
- "*A04*"
- "*A05*"
- "*A06*"
- "#@#@#"
- "HostSettings"
- "sevane.tmp"
- "cmd_.bat"
- "a2b7c3d7e4"
- "cmd.dll"
condition: and


@ -0,0 +1,32 @@
id: t5000-malware
info:
name: T5000 Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_T5000.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "_tmpR.vbs"
- "_tmpg.vbs"
- "Dtl.dat"
- "3C6FB3CA-69B1-454f-8B2F-BD157762810E"
- "EED5CA6C-9958-4611-B7A7-1238F2E1B17E"
- "8A8FF8AD-D1DE-4cef-B87C-82627677662E"
- "43EE34A9-9063-4d2c-AACD-F5C62B849089"
- "A8859547-C62D-4e8b-A82D-BE1479C684C9"
- "A59CF429-D0DD-4207-88A1-04090680F714"
- "utd_CE31"
- "f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdb"
- "l:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdb"
- "f:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdb"
- "E:\\VS2010\\xPlat2\\Release\\InstRes32.pdb"
condition: or


@ -0,0 +1,19 @@
id: tedroo-malware
info:
name: Tedroo Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Tedroo.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "257325732E657865"
- "5F6C6F672E747874"
condition: and


@ -0,0 +1,20 @@
id: terminator-malware
info:
name: Terminator Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Terminator.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "Accelorator"
- "<html><title>12356</title><body>"
condition: and


@ -0,0 +1,17 @@
id: teslacrypt-malware
info:
name: TeslaCrypt Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_TeslaCrypt.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: binary
binary:
- "4E6F7720697427732025493A254D25702E00000076616C2069732025640A0000"
