Create a file on the vulnerable server
Count the printable-character sequences of at least 7 bytes in the sample. A dump like this is raw material only: it mixes real indicators with ordinary Win32 import names, CRT symbols and junk runs, so anything lifted from it into a rule has to be weighted accordingly (the string list in malware.yar below looks like it was taken from such a dump).
strings --bytes=7 sample.exe | wc -l
Rule to detect the cmd.exe /c "%s" launch template (it matches the embedded format string, not an actual cmd.exe process)
offset.yar
rule cmd_rule
{
    meta:
        description = "Files embedding the shell launch template cmd.exe /c \"%s\""
    strings:
        // Exact ASCII bytes of the template; the %s is left literal so the rule
        // matches the unformatted string as it sits in the binary.
        $cmd_template = "cmd.exe /c \"%s\""
    condition:
        // NOTE(review): this template also appears in benign software that spawns a
        // shell, so a hit is a weak indicator on its own - pair it with a PE check or
        // further strings before acting on it.
        $cmd_template
}
Rule to identify PE file type
pe.yar
rule IsPeFile
{
    meta:
        description = "Files whose DOS header points at a valid PE signature"
    condition:
        // e_magic: the bytes 'M','Z' read as a little-endian 16-bit integer (0x4D 0x5A -> 0x5A4D);
        // equivalent to a "MZ" string anchored at offset 0, without scanning for a 2-byte pattern.
        uint16(0) == 0x5A4D
        // e_lfanew (offset 0x3C) holds the offset of the PE signature "PE\0\0", i.e. 0x00004550
        // little-endian. If e_lfanew points outside the file the read is undefined and the rule
        // simply does not match.
        and uint32(uint32(0x3C)) == 0x4550
}
Rule to detect malware in PE files (the string set was lifted from a WannaCry-family sample - note the WANACRY!, *.wnry and tasksche.exe artefacts among the generic import names)
malware.yar
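rule str_rule
{
    meta:
        description = "Strings dumped from a WannaCry-family ransomware sample (WANACRY!, msg/*.wnry, tasksche.exe artefacts)"
        note = "A plain 'any of them' over this list fires on essentially every PE because of the generic Win32/CRT/zlib strings it contains"
    strings:
        // Most entries are ordinary Win32 imports, CRT symbols, zlib/unzip messages
        // and short junk runs from the strings dump; they occur in countless benign
        // PEs and are only used as a supporting count in the condition below.
        // Several .wnry names carry a trailing byte (e.g. "msg/m_english.wnryF") -
        // presumably the next non-printable run from the dump - and are unlikely to
        // match the real sample as written; the clean .wnry names are used instead.
        $s1 = "WWWWWPj"
        $s2 = "OpenSCManagerA"
        $s3 = ";22dV::tN"
        $s4 = "_local_unwind2"
        $s5 = "2+( VPOL"
        $s6 = "GlobalAlloc"
        $s7 = "VirtualProtect"
        $s8 = "@Pbmx~P"
        $s9 = "FreeLibrary"
        $s10 = "^Fr`+:&"
        $s11 = "VirtualAlloc"
        $s12 = "CreateDirectoryW"
        $s13 = ">k_I[$"
        $s14 = "msg/m_english.wnryF"
        $s15 = "StartServiceA"
        $s16 = ":*>B=Ox"
        $s17 = "OpenMutexA"
        $s18 = "GetFullPathNameA"
        $s19 = "RegSetValueExA"
        $s20 = "msg/m_french.wnry"          // family artefact
        $s21 = "DeleteFileW"
        $s22 = "QeTbF~ZiKw"
        $s23 = "SbElHtQeF"
        $s24 = "Q~TbFwZiK"
        $s25 = "CreateFileW"
        $s26 = ".?AVtype_info@@"
        $s27 = "CryptDecrypt"
        $s28 = "=j&&LZ66lA??~"
        $s29 = "F~TbKwZi"
        $s30 = "incorrect data check"
        $s31 = "tasksche.exe"               // family artefact
        $s32 = "MoveFileW"
        $s33 = "unknown compression method"
        $s34 = "??1exception@@UAE@XZ"
        $s35 = "realloc"
        $s36 = "SetCurrentDirectoryA"
        $s37 = "WriteFile"
        $s38 = "b4(X2;ey"
        $s39 = "__p__commode"
        $s40 = "MultiByteToWideChar"
        $s41 = "LoadLibraryA"
        $s42 = "6tGuzF"
        $s43 = "%%Jo..r"
        $s44 = "4$8,9-6'.6$:#?*1hHpXeA~SrZlN"
        $s45 = "PPxD<<%"
        $s46 = "kernel32.dll"
        $s47 = "&%^W6)."
        $s48 = "CryptImportKey"
        $s49 = "HeapFree"
        $s50 = "_except_handler3"
        $s51 = "WaitForSingleObject"
        $s52 = "V,YYG;~"
        $s53 = "Ud|JZ|BE"
        $s54 = "_CxxThrowException"
        $s55 = "data error"
        $s56 = "??0exception@@QAE@ABQBD@Z"
        $s57 = "_acmdln"
        $s58 = "OLEAUT32.dll"
        $s59 = ";u>H4q7.c"
        $s60 = "GetModuleHandleA"
        $s61 = "incomplete literal/length tree"
        $s62 = "OpenServiceA"
        $s63 = "CryptReleaseContext"
        $s64 = "attrib +h ."
        $s65 = "inflate 1.1.3 Copyright 1995-1998 Mark Adler"
        $s66 = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"   // looks like a Bitcoin address
        $s67 = "insufficient memory"
        $s68 = "$`GnP+%<g"
        $s69 = "TaskStart"
        $s70 = "msg/m_chinese (traditional).wnry"    // family artefact
        $s71 = "[_:L x86"
        $s72 = "ReadFile"
        $s73 = "Bb..fO3"
        $s74 = "qDj$bIU"
        $s75 = "k|_^][Y"
        $s76 = "invalid distance code"
        $s77 = "wcsrchr"
        $s78 = "GetFileSizeEx"
        $s79 = "L)b7=a`"
        $s80 = "__CxxFrameHandler"
        $s81 = "_stricmp"
        $s82 = "[4+G[Tnr"
        $s83 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"   // looks like a Bitcoin address
        $s84 = "msg/m_croatian.wnry"        // family artefact
        $s85 = "CMnQ,OOr"
        $s86 = "swprintf"
        $s87 = "SetFileAttributesW"
        $s88 = "msg/m_czech.wnryn"
        $s89 = "O|x8+^_"
        $s90 = "HeapAlloc"
        $s91 = "__setusermatherr"
        $s92 = "GetWindowsDirectoryW"
        $s93 = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"   // looks like a Bitcoin address
        $s94 = "LocalFileTimeToFileTime"
        $s95 = "3/Vq9 ="
        $s96 = "CryptAcquireContextA"
        $s97 = "Jo7eQX%"
        $s98 = "FindResourceA"
        $s99 = "'B;1?5s"
        $s100 = "IsBadReadPtr"
        $s101 = "GetExitCodeProcess"
        $s102 = "`.rdata"
        $s103 = "#`?@/9P"
        $s104 = "GetTempPathW"
        $s105 = "invalid bit length repeat"
        $s106 = "MSVCRT.dll"
        $s107 = "o%%Jr..$"
        $s108 = "GlobalMsWinZonesCacheCounterMutexA"  // family artefact (mutex name)
        $s109 = "!`7RNkv"
        $s110 = "__p___argc"
        $s111 = "SetCurrentDirectoryW"
        $s112 = "oversubscribed literal/length tree"
        $s113 = "[l~y2U="
        $s114 = "msg/m_greek.wnry4n"
        $s115 = "invalid block type"
        $s116 = "<` Xu9g"
        $s117 = "GetNativeSystemInfo"
        $s118 = "CloseServiceHandle"
        $s119 = "incomplete distance tree"
        $s120 = "S Q+c@x"
        $s121 = "8d62ro/"
        $s122 = "e ];F[p"
        $s123 = "$@^ Y+kCM3"
        $s124 = "X(N.K&9"
        $s125 = "LeaveCriticalSection"
        $s126 = "msg/m_bulgarian.wnry"      // family artefact
        $s127 = "B~WJLuC"
        $s128 = "invalid window size"
        $s129 = "msg/m_dutch.wnry9"
        $s130 = "GetCurrentDirectoryA"
        $s131 = "Hy}V2l0e"
        $s132 = "xxJo%%r..8$"
        $s133 = "NLc>zQy"
        $s134 = "=iF-s4\"t"
        $s135 = "GetFileAttributesA"
        $s136 = "_initterm"
        $s137 = "2{0ONU T8"
        $s138 = "M{_rKG C"
        $s139 = "4XI\"whG"
        $s140 = "DeleteCriticalSection"
        $s141 = "b.wnryP8"
        $s142 = "GetFileSize"
        $s143 = "GetFileAttributesW"
        $s144 = "md)(:--"
        $s145 = "WNcry@2ol7"                // family artefact
        $s146 = "empty distance tree with lengths"
        $s147 = "SizeofResource"
        $s148 = "CopyFileA"
        $s149 = "uo\"usd/"
        $s150 = "ciC [/K"
        $s151 = "$0vJ<T9"
        $s152 = "icacls . /grant Everyone:F /T /C /Q"  // family artefact (ACL reset command)
        $s153 = "CryptDestroyKey"
        $s154 = "oversubscribed distance tree"
        $s155 = "MoveFileExW"
        $s156 = "KfmZ@9q"
        $s157 = "TerminateProcess"
        $s158 = "stream end"
        $s159 = "c.wnry%"
        $s160 = "vi#<!d*S"
        $s161 = "pfgGL`R"
        $s162 = "_XcptFilter"
        $s163 = "RegCreateKeyW"
        $s164 = "[wS#C^6"
        $s165 = "file error"
        $s166 = ">nuGl=Cme4"
        $s167 = "Microsoft Enhanced RSA and AES Cryptographic Provider"
        $s168 = "msg/m_filipino.wnry"       // family artefact
        $s169 = "incomplete dynamic bit lengths tree"
        $s170 = ".?AVexception@@"
        $s171 = "b=htZo&f"
        $s172 = "KERNEL32.dll"
        $s173 = "msg/m_chinese (simplified).wnryR9"
        $s174 = "&&Lj66lZ??~A"
        $s175 = "#E.(`MW"
        $s176 = "cmd.exe /c \"%s\""
        $s177 = "j_1lTo`"
        $s178 = "stream error"
        $s179 = "&Lj&6lZ6?~A?"
        $s180 = "WS2_32.dll"
        $s181 = "SystemTimeToFileTime"
        $s182 = "- unzip 0.15 Copyright 1998 Gilles Vollant"
        $s183 = "??0exception@@QAE@ABV0@@Z"
        $s184 = ",4$8'9-6:.6$1#?*XhHpSeA~NrZlE"
        $s185 = "CloseHandle"
        $s186 = "??2@YAPAXI@Z"
        $s187 = "SetFileTime"
        $s188 = "|~}%.15"
        $s189 = "GetProcessHeap"
        $s190 = "SE{^QC4"
        $s191 = "Df\"\"T~**;"
        $s192 = "wsprintfA"
        $s193 = "GetModuleFileNameA"
        $s194 = "RegQueryValueExA"
        $s195 = "2/O-_.X8w.+"
        $s196 = "s<,kX5k"
        $s197 = "4I_,eJi"
        $s198 = "CreateServiceA"
        $s199 = "f\"\"D~**T"
        $s200 = "_controlfp"
        $s201 = "incompatible version"
        $s202 = "dV22tN::"
        $s203 = "_-TPsPUv: V"
        $s204 = "IyEf [%"
        $s205 = "__set_app_type"
        $s206 = "InitializeCriticalSection"
        $s207 = "Hjz%3(0"
        $s208 = ".Vy_Fdk"
        $s209 = "'Oh'-o]"
        $s210 = "qr=_os*"
        $s211 = ",MF3j;2@"
        $s212 = "need dictionary"
        $s213 = "CreateDirectoryA"
        $s214 = "pq\"b\"V1"
        $s215 = "=XnFQ-Il"
        $s216 = "x%Jo%.r."
        $s217 = "GetProcAddress"
        $s218 = "CryptEncrypt"
        $s219 = "MSVCP60.dll"
        $s220 = "6P>YK^$r"
        $s221 = "__p___argv"
        $s222 = "sprintf"
        $s223 = "MF2E0UG"
        $s224 = "KPeJr}F"
        $s225 = "CryptGenKey"
        $s226 = "__getmainargs"
        $s227 = "`1^9tdb"
        $s228 = "mK~}k=P"
        $s229 = "ADVAPI32.dll"
        $s230 = "GetComputerNameW"
        $s231 = "!This program cannot be run in DOS mode."   // present in every PE
        $s232 = "WANACRY!"                  // family artefact
        $s233 = "incorrect header check"
        $s234 = "_mbsstr"
        $s235 = "Le\"zE^f1"
        $s236 = "msg/m_german.wnry"         // family artefact
        $s237 = "\"Df\"*T~*"
        $s238 = "SHELL32.dll"
        $s239 = "8,4$6'9-$:.6*1#?pXhH~SeAlNrZbE"
        $s240 = "LockResource"
        $s241 = "#cMe&(;[Ip"
        $s242 = "advapi32.dll"
        $s243 = "Lj&&lZ66~A??"
        $s244 = "L3koq_ >"
        $s245 = "??1type_info@@UAE@XZ"
        $s246 = "msg/m_danish.wnry"         // family artefact
        $s247 = "^Md]\"lN"
        $s248 = "EGBkV6\"rnL9"
        $s249 = "?-3t/''"
        $s250 = "GetStartupInfoA"
        $s251 = "tJ9@0O("
        $s252 = "!A$U>=+"
        $s253 = "2dV2:tN:"
        $s254 = "tlHt Ht"
        $s255 = "9d|!]`["
        $s256 = "GlobalFree"
        $s257 = "V22dN::t"
        $s258 = "nyMZ?%g;"
        $s259 = "QeFbF~TiKwZ"
        $s260 = "[d+?8d["
        $s261 = "EnterCriticalSection"
        $s262 = "LoadResource"
        $s263 = "msg/m_finnish.wnry~"
        $s264 = "\"\"Df**T~"
        $s265 = "kEs##Q^!"
        $s266 = "r;#r7iS|1"
        $s267 = "s]R\",XC("
        $s268 = "CreateFileA"
        $s269 = "??3@YAXPAX@Z"
        $s270 = "VirtualFree"
        $s271 = "CreateProcessA"
        $s272 = "invalid literal/length code"
        $s273 = "oversubscribed dynamic bit lengths tree"
        $s274 = "E65etRIv4"
        $s275 = "SetLastError"
        $s276 = "*4q4[`V"
        $s277 = "+[_JQ}"
        $s278 = "\"t=.|Vbq-"
        $s279 = "invalid stored block lengths"
        $s280 = ":95e`Il"
        $s281 = "$8,4-6'96$:.?*1#HpXhA~SeZlNrSbE"
        $s282 = "=1azT)8^y"
        $s283 = "__p__fmode"
        $s284 = "buffer error"
        $s285 = "^Ml,L;0"
        $s286 = "!#pHA[P"
        $s287 = "*@~CS%1"
        $s288 = "~|c<caKm2"
        $s289 = "C77nYmm"
        $s290 = "_adjust_fdiv"
        $s291 = "7#z y,:"
        $s292 = "e\".E~^G"
        $s293 = "pp|B>>q"
        $s294 = "SetFilePointer"
        $s295 = "RegCloseKey"
        $s296 = "strrchr"
        $s297 = "USER32.dll"
        $s298 = "too many length or distance symbols"
    condition:
        // Only PE files: 'MZ' read as a little-endian 16-bit integer. This replaces the
        // former $mz = "MZ" string, which additionally made yara scan for a 2-byte pattern.
        uint16(0) == 0x5A4D
        and (
            // At least one family-specific artefact that generic software does not carry ...
            $s232                                           // "WANACRY!"
            or $s145                                        // "WNcry@2ol7"
            or $s108                                        // GlobalMsWinZonesCacheCounterMutexA
            or $s152                                        // icacls . /grant Everyone:F /T /C /Q
            or 2 of ($s66, $s83, $s93)                      // two of the address-like strings
            or ($s31 and 3 of ($s20, $s70, $s84, $s126, $s168, $s236, $s246))  // tasksche.exe + msg/*.wnry
        )
        // ... backed by enough of the supporting strings that a lone marker in an
        // unrelated file (a report, a rule file, a memory dump) is not sufficient.
        and 20 of ($s*)
}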
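rule IsPeFile
{
    // NOTE(review): pe.yar on this page defines a rule with this same identifier.
    // Duplicate rule identifiers in one namespace are a compile error, so loading
    // pe.yar and malware.yar together will fail - keep a single copy, or compile
    // one of the files under its own namespace.
    meta:
        description = "Files whose DOS header points at a valid PE signature"
    condition:
        // e_magic: 'M','Z' as a little-endian 16-bit integer (0x4D 0x5A -> 0x5A4D).
        // The former "any of them and $mz at 0" was redundant: with a single string,
        // "$mz at 0" already implies "any of them".
        uint16(0) == 0x5A4D
        // e_lfanew (offset 0x3C) must point at "PE\0\0" (0x00004550 little-endian);
        // an out-of-range offset makes the read undefined and the rule does not match.
        and uint32(uint32(0x3C)) == 0x4550
}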
