Skip to content

oldmonk007/myrep

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
Sorry, we had to truncate this directory to 1,000 files. 22 entries were omitted from the list.
000_common_rules.yar
000_common_rules.yar
 
 
ACBackdoor_Linux.yara
ACBackdoor_Linux.yara
 
 
APT32_KerrDown.yara
APT32_KerrDown.yara
 
 
APT32_Ratsnif.yara
APT32_Ratsnif.yara
 
 
APT34_LONGWATCH.yara
APT34_LONGWATCH.yara
 
 
APT34_PICKPOCKET.yara
APT34_PICKPOCKET.yara
 
 
APT34_VALUEVAULT.yara
APT34_VALUEVAULT.yara
 
 
APT_APT1.yar
APT_APT1.yar
 
 
APT_APT10.yar
APT_APT10.yar
 
 
APT_APT15.yar
APT_APT15.yar
 
 
APT_APT17.yar
APT_APT17.yar
 
 
APT_APT29_Grizzly_Steppe.yar
APT_APT29_Grizzly_Steppe.yar
 
 
APT_APT3102.yar
APT_APT3102.yar
 
 
APT_APT9002.yar
APT_APT9002.yar
 
 
APT_Backspace.yar
APT_Backspace.yar
 
 
APT_Bestia.yar
APT_Bestia.yar
 
 
APT_Blackenergy.yar
APT_Blackenergy.yar
 
 
APT_Bluetermite_Emdivi.yar
APT_Bluetermite_Emdivi.yar
 
 
APT_C16.yar
APT_C16.yar
 
 
APT_Carbanak.yar
APT_Carbanak.yar
 
 
APT_Careto.yar
APT_Careto.yar
 
 
APT_Casper.yar
APT_Casper.yar
 
 
APT_CheshireCat.yar
APT_CheshireCat.yar
 
 
APT_Cloudduke.yar
APT_Cloudduke.yar
 
 
APT_Cobalt.yar
APT_Cobalt.yar
 
 
APT_Codoso.yar
APT_Codoso.yar
 
 
APT_CrashOverride.yar
APT_CrashOverride.yar
 
 
APT_DeepPanda_Anthem.yar
APT_DeepPanda_Anthem.yar
 
 
APT_DeputyDog.yar
APT_DeputyDog.yar
 
 
APT_Derusbi.yar
APT_Derusbi.yar
 
 
APT_Dubnium.yar
APT_Dubnium.yar
 
 
APT_Duqu2.yar
APT_Duqu2.yar
 
 
APT_EQUATIONGRP.yar
APT_EQUATIONGRP.yar
 
 
APT_Emissary.yar
APT_Emissary.yar
 
 
APT_EnergeticBear_backdoored_ssh.yar
APT_EnergeticBear_backdoored_ssh.yar
 
 
APT_Equation.yar
APT_Equation.yar
 
 
APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar
APT_FVEY_ShadowBrokers_Jan17_Screen_Strings.yar
 
 
APT_FiveEyes.yar
APT_FiveEyes.yar
 
 
APT_Grasshopper.yar
APT_Grasshopper.yar
 
 
APT_Greenbug.yar
APT_Greenbug.yar
 
 
APT_Grizzlybear_uscert.yar
APT_Grizzlybear_uscert.yar
 
 
APT_HackingTeam.yar
APT_HackingTeam.yar
 
 
APT_Hellsing.yar
APT_Hellsing.yar
 
 
APT_HiddenCobra.yar
APT_HiddenCobra.yar
 
 
APT_Hikit.yar
APT_Hikit.yar
 
 
APT_Industroyer.yar
APT_Industroyer.yar
 
 
APT_Irontiger.yar
APT_Irontiger.yar
 
 
APT_Kaba.yar
APT_Kaba.yar
 
 
APT_Ke3Chang_TidePool.yar
APT_Ke3Chang_TidePool.yar
 
 
APT_KeyBoy.yar
APT_KeyBoy.yar
 
 
APT_KimSuky_dllbckdr.yar
APT_KimSuky_dllbckdr.yar
 
 
APT_LotusBlossom.yar
APT_LotusBlossom.yar
 
 
APT_MiniASP_pdb.yar
APT_MiniASP_pdb.yar
 
 
APT_Minidionis.yar
APT_Minidionis.yar
 
 
APT_Mirage.yar
APT_Mirage.yar
 
 
APT_Molerats.yar
APT_Molerats.yar
 
 
APT_Mongall.yar
APT_Mongall.yar
 
 
APT_MoonlightMaze.yar
APT_MoonlightMaze.yar
 
 
APT_NGO.yar
APT_NGO.yar
 
 
APT_OPCleaver.yar
APT_OPCleaver.yar
 
 
APT_Oilrig.yar
APT_Oilrig.yar
 
 
APT_OpClandestineWolf.yar
APT_OpClandestineWolf.yar
 
 
APT_OpDustStorm.yar
APT_OpDustStorm.yar
 
 
APT_OpPotao.yar
APT_OpPotao.yar
 
 
APT_Operation_SoftCell.yar
APT_Operation_SoftCell.yar
 
 
APT_PCclient.yar
APT_PCclient.yar
 
 
APT_Passcv.yar
APT_Passcv.yar
 
 
APT_Pipcreat.yar
APT_Pipcreat.yar
 
 
APT_Platinum.yar
APT_Platinum.yar
 
 
APT_Poseidon_Group.yar
APT_Poseidon_Group.yar
 
 
APT_Prikormka.yar
APT_Prikormka.yar
 
 
APT_PutterPanda.yar
APT_PutterPanda.yar
 
 
APT_RedLeaves.yar
APT_RedLeaves.yar
 
 
APT_Regin.yar
APT_Regin.yar
 
 
APT_RemSec.yar
APT_RemSec.yar
 
 
APT_Sauron.yar
APT_Sauron.yar
 
 
APT_Sauron_extras.yar
APT_Sauron_extras.yar
 
 
APT_Scarab_Scieron.yar
APT_Scarab_Scieron.yar
 
 
APT_Seaduke.yar
APT_Seaduke.yar
 
 
APT_Shamoon_StoneDrill.yar
APT_Shamoon_StoneDrill.yar
 
 
APT_Snowglobe_Babar.yar
APT_Snowglobe_Babar.yar
 
 
APT_Sofacy_Bundestag.yar
APT_Sofacy_Bundestag.yar
 
 
APT_Sofacy_Fysbis.yar
APT_Sofacy_Fysbis.yar
 
 
APT_Sofacy_Jun16.yar
APT_Sofacy_Jun16.yar
 
 
APT_Sphinx_Moth.yar
APT_Sphinx_Moth.yar
 
 
APT_Stuxnet.yar
APT_Stuxnet.yar
 
 
APT_Terracota.yar
APT_Terracota.yar
 
 
APT_ThreatGroup3390.yar
APT_ThreatGroup3390.yar
 
 
APT_Tortoiseshell_Syskit
APT_Tortoiseshell_Syskit
 
 
APT_Tortoiseshell_Syskit.yar
APT_Tortoiseshell_Syskit.yar
 
 
APT_TradeSecret.yar
APT_TradeSecret.yar
 
 
APT_Turla_Neuron.yar
APT_Turla_Neuron.yar
 
 
APT_Turla_RUAG.yar
APT_Turla_RUAG.yar
 
 
APT_UP007_SLServer.yar
APT_UP007_SLServer.yar
 
 
APT_Unit78020.yar
APT_Unit78020.yar
 
 
APT_Uppercut.yar
APT_Uppercut.yar
 
 
APT_Waterbug.yar
APT_Waterbug.yar
 
 
APT_WildNeutron.yar
APT_WildNeutron.yar
 
 
APT_Windigo_Onimiki.yar
APT_Windigo_Onimiki.yar
 
 
APT_Winnti.yar
APT_Winnti.yar
 
 

Repository files navigation

rule SUSP_Microsoft_7z_SFX_Combo {
   meta:
      description = "Detects a suspicious file that has a Microsoft copyright and is a 7z SFX"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2018-09-16"
      hash1 = "cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1"
   strings:
      $s1 = "7ZSfx%03x.cmd" fullword wide
      $s2 = "7z SFX: error" fullword ascii

      /* PE Header : LegalCopyright (C) Microsoft Corporation. All rights reserved.*/
      $c1 = { 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70
              00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9
              00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F
              00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F
              00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20
              00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68
              00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72
              00 76 00 65 00 64 00 2E }
   condition:
      uint16(0) == 0x5a4d and filesize < 3000KB and 1 of ($s*) and $c1
}


rule SUSP_Microsoft_RAR_SFX_Combo {
   meta:
      description = "Detects a suspicious file that has a Microsoft copyright and is a RAR SFX"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2018-09-16"
   strings:
      $s1 = "winrarsfxmappingfile.tmp" fullword wide
      $s2 = "WinRAR self-extracting archive" fullword wide
      $s3 = "WINRAR.SFX" fullword

      /* PE Header : LegalCopyright (C) Microsoft Corporation. All rights reserved.*/
      $c1 = { 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70
              00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9
              00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F
              00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F
              00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20
              00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68
              00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72
              00 76 00 65 00 64 00 2E }
   condition:
      uint16(0) == 0x5a4d and filesize < 3000KB and 1 of ($s*) and $c1
}

About

No description, website, or topics provided.
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages