GitHub - jie-xiao/yara: 忘记从哪里搜集到的yara规则，打算维护一下

jie-xiao / yara Public

Notifications You must be signed in to change notification settings
Fork 1
Star 3

忘记从哪里搜集到的yara规则，打算维护一下

Notifications

Name		Name	Last commit message	Last commit date
Latest commit History 5 Commits
.vscode		.vscode
ACBackdoor_Linux.yara		ACBackdoor_Linux.yara
APT32_KerrDown.yara		APT32_KerrDown.yara
APT32_Ratsnif.yara		APT32_Ratsnif.yara
APT34_LONGWATCH.yara		APT34_LONGWATCH.yara
APT34_PICKPOCKET.yara		APT34_PICKPOCKET.yara
APT34_VALUEVAULT.yara		APT34_VALUEVAULT.yara
DNSpionage.yara		DNSpionage.yara
Dacls_Linux.yara		Dacls_Linux.yara
Dacls_Windows.yara		Dacls_Windows.yara
DealPly.yar		DealPly.yar
EvilGnome_Linux.yara		EvilGnome_Linux.yara
Glupteba.yara		Glupteba.yara
JSWorm.yara		JSWorm.yara
KPOT_v2.yara		KPOT_v2.yara
Linux_Golang_Ransomware.rule		Linux_Golang_Ransomware.rule
REMCOS_RAT_2019.yara		REMCOS_RAT_2019.yara
RedGhost_Linux.yara		RedGhost_Linux.yara
SilentTrinity_Delivery.yara		SilentTrinity_Delivery.yara
SilentTrinity_Payload.yara		SilentTrinity_Payload.yara
TA505_FlowerPippi.yara		TA505_FlowerPippi.yara
WatchBog_Linux.yara		WatchBog_Linux.yara
apt34_PICKPOCKET.yar		apt34_PICKPOCKET.yar
apt_aa19_024a.yar		apt_aa19_024a.yar
apt_agent_btz.yar		apt_agent_btz.yar
apt_alienspy_rat.yar		apt_alienspy_rat.yar
apt_apt10.yar		apt_apt10.yar
apt_apt10_redleaves.yar		apt_apt10_redleaves.yar
apt_apt12_malware.yar		apt_apt12_malware.yar
apt_apt15.yar		apt_apt15.yar
apt_apt17_mal_sep17.yar		apt_apt17_mal_sep17.yar
apt_apt17_malware.yar		apt_apt17_malware.yar
apt_apt19.yar		apt_apt19.yar
apt_apt28.yar		apt_apt28.yar
apt_apt29_grizzly_steppe.yar		apt_apt29_grizzly_steppe.yar
apt_apt30_backspace.yar		apt_apt30_backspace.yar
apt_apt34.yar		apt_apt34.yar
apt_apt37.yar		apt_apt37.yar
apt_apt3_bemstour.yar		apt_apt3_bemstour.yar
apt_apt41.yar		apt_apt41.yar
apt_apt6_malware.yar		apt_apt6_malware.yar
apt_ar18_165a.yar		apt_ar18_165a.yar
apt_area1_phishing_diplomacy.yar		apt_area1_phishing_diplomacy.yar
apt_aus_parl_compromise.yar		apt_aus_parl_compromise.yar
apt_babyshark.yar		apt_babyshark.yar
apt_backdoor_ssh_python.yar		apt_backdoor_ssh_python.yar
apt_backspace.yar		apt_backspace.yar
apt_beepservice.yar		apt_beepservice.yar
apt_between-hk-and-burma.yar		apt_between-hk-and-burma.yar
apt_bigbang.yar		apt_bigbang.yar
apt_blackenergy.yar		apt_blackenergy.yar
apt_blackenergy_installer.yar		apt_blackenergy_installer.yar
apt_bluetermite_emdivi.yar		apt_bluetermite_emdivi.yar
apt_bronze_butler.yar		apt_bronze_butler.yar
apt_buckeye.yar		apt_buckeye.yar
apt_carbon_paper_turla.yar		apt_carbon_paper_turla.yar
apt_casper.yar		apt_casper.yar
apt_cheshirecat.yar		apt_cheshirecat.yar
apt_cloudduke.yar		apt_cloudduke.yar
apt_cmstar.yar		apt_cmstar.yar
apt_cn_pp_zerot.yar		apt_cn_pp_zerot.yar
apt_cobaltstrike.yar		apt_cobaltstrike.yar
apt_cobaltstrike_evasive.yar		apt_cobaltstrike_evasive.yar
apt_codoso.yar		apt_codoso.yar
apt_coreimpact_agent.yar		apt_coreimpact_agent.yar
apt_danti_svcmondr.yar		apt_danti_svcmondr.yar
apt_darkcaracal.yar		apt_darkcaracal.yar
apt_darkhydrus.yar		apt_darkhydrus.yar
apt_deeppanda.yar		apt_deeppanda.yar
apt_derusbi.yar		apt_derusbi.yar
apt_dnspionage.yar		apt_dnspionage.yar
apt_donotteam_ytyframework.yar		apt_donotteam_ytyframework.yar
apt_dragonfly.yar		apt_dragonfly.yar
apt_dtrack.yar		apt_dtrack.yar
apt_dubnium.yar		apt_dubnium.yar
apt_duqu1_5_modules.yar		apt_duqu1_5_modules.yar
apt_duqu2.yar		apt_duqu2.yar
apt_dustman.yar		apt_dustman.yar
apt_emissary.yar		apt_emissary.yar
apt_eqgrp.yar		apt_eqgrp.yar
apt_eqgrp_apr17.yar		apt_eqgrp_apr17.yar
apt_eternalblue_non_wannacry.yar		apt_eternalblue_non_wannacry.yar
apt_exile_rat.yar		apt_exile_rat.yar
apt_f5_bigip_expl_payloads.yar		apt_f5_bigip_expl_payloads.yar
apt_fakem_backdoor.yar		apt_fakem_backdoor.yar
apt_fancybear_computrace_agent.yar		apt_fancybear_computrace_agent.yar
apt_fancybear_dnc.yar		apt_fancybear_dnc.yar
apt_fancybear_osxagent.yar		apt_fancybear_osxagent.yar
apt_fidelis_phishing_plain_sight.yar		apt_fidelis_phishing_plain_sight.yar
apt_fin7.yar		apt_fin7.yar
apt_fin7_backdoor.yar		apt_fin7_backdoor.yar
apt_flame2_orchestrator.yar		apt_flame2_orchestrator.yar
apt_foudre.yar		apt_foudre.yar
apt_four_element_sword.yar		apt_four_element_sword.yar
apt_freemilk.yar		apt_freemilk.yar
apt_furtim.yar		apt_furtim.yar
apt_fvey_shadowbroker_dec16.yar		apt_fvey_shadowbroker_dec16.yar
apt_fvey_shadowbroker_jan17.yar		apt_fvey_shadowbroker_jan17.yar
apt_ghostdragon_gh0st_rat.yar		apt_ghostdragon_gh0st_rat.yar
apt_glassRAT.yar		apt_glassRAT.yar

Repository files navigation

rule SUSP_Microsoft_7z_SFX_Combo {
   meta:
      description = "Detects a suspicious file that has a Microsoft copyright and is a 7z SFX"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2018-09-16"
      hash1 = "cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1"
   strings:
      $s1 = "7ZSfx%03x.cmd" fullword wide
      $s2 = "7z SFX: error" fullword ascii

      /* PE Header : LegalCopyright (C) Microsoft Corporation. All rights reserved.*/
      $c1 = { 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70
              00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9
              00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F
              00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F
              00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20
              00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68
              00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72
              00 76 00 65 00 64 00 2E }
   condition:
      uint16(0) == 0x5a4d and filesize < 3000KB and 1 of ($s*) and $c1
}


rule SUSP_Microsoft_RAR_SFX_Combo {
   meta:
      description = "Detects a suspicious file that has a Microsoft copyright and is a RAR SFX"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2018-09-16"
   strings:
      $s1 = "winrarsfxmappingfile.tmp" fullword wide
      $s2 = "WinRAR self-extracting archive" fullword wide
      $s3 = "WINRAR.SFX" fullword

      /* PE Header : LegalCopyright (C) Microsoft Corporation. All rights reserved.*/
      $c1 = { 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70
              00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9
              00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F
              00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F
              00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20
              00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68
              00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72
              00 76 00 65 00 64 00 2E }
   condition:
      uint16(0) == 0x5a4d and filesize < 3000KB and 1 of ($s*) and $c1
}