

Gather candidate strings from a sample file (e.g. a binary recovered from the compromised server)

Count the printable-character runs of at least 7 bytes in the sample — these runs are the candidates for the `strings:` section of a rule

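# Count printable runs of at least 7 bytes in the sample; each run is a
# candidate for the `strings:` section of a rule (-n is the short form of
# --bytes). `-a` forces a scan of the whole file: older binutils versions
# otherwise scan only the loaded sections of a recognised object file, so
# strings kept in an overlay or in appended data would be missed.
strings -a -n 7 sample.exe | wc -l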

Rule to detect the `cmd.exe /c "%s"` format string (a shell-spawn template embedded in the binary — on its own a generic indicator, not a verdict)

offset.yar

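rule cmd_rule
{
    // Flags a file that embeds the format string cmd.exe /c "%s", i.e. a
    // template that gets filled in with a command and handed to the
    // Windows command interpreter.
    //
    // Caveat: this is a single, fairly generic indicator. Installers,
    // updaters and admin tools carry the same string, so treat a hit as a
    // triage lead and pair it with a file-type gate or family-specific
    // strings in a production rule.
    meta:
        description = "embeds the cmd.exe /c \"%s\" shell-spawn format string"

    strings:
        // ascii is yara's default; spelled out so the encoding choice is
        // visible. Add `wide` if the target stores it as UTF-16.
        $s = "cmd.exe /c \"%s\"" ascii

    condition:
        $s
}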

Rule to identify PE files (DOS "MZ" header plus the "PE\0\0" signature at e_lfanew)

pe.yar

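rule IsPeFile {
	// Matches a file whose DOS header starts with "MZ" and whose e_lfanew
	// field (offset 0x3C) points at the "PE\0\0" signature.
	//
	// Both checks are integer reads instead of a two-byte text string: a
	// 2-byte atom such as "MZ" is a very poor search key (yara warns about
	// it and it slows the scan), whereas uint16(0) is a direct comparison
	// with the same result.
	//
	// Out-of-range reads: if the file is shorter than 0x40 bytes, or
	// e_lfanew points past the end of the file, uint16()/uint32() yield
	// undefined and the comparison evaluates to false — no match, no error.
	// Only the two signatures are validated; a truncated or deliberately
	// malformed PE can still pass. For stricter structural checks use the
	// `pe` module (import "pe" / pe.is_pe).
	condition:
		// 0x5A4D == "MZ" read little-endian; 0x4550 == "PE\0\0".
		uint16(0) == 0x5A4D and
		uint32(uint32(0x3C)) == 0x4550
}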

Rule to detect a malware sample in PE files, built from the strings dumped out of the sample (note the condition: most of these strings are generic and must not be allowed to match on their own)

malware.yar

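rule str_rule
{
    // String-based detection for one PE sample. The string list was dumped
    // from the sample with `strings` (see strings.txt), so most entries are
    // generic: Win32 API imports (CreateFileW, VirtualAlloc, ...), CRT
    // symbols (_initterm, realloc), zlib/unzip messages and random
    // printable runs from packed data ("WWWWWPj"). Those occur in almost
    // every Windows executable and carry no signal on their own.
    //
    // The original condition was `any of them`, which therefore fired on
    // essentially every PE (anything importing kernel32.dll, or simply
    // carrying the DOS stub message $s231). The condition now requires at
    // least two of the sample-specific artefacts: the "msg/m_*.wnry"
    // resource names, the "WANACRY!" / "WNcry@2ol7" markers, the
    // tasksche.exe file name, the icacls / attrib commands, the
    // GlobalMsWinZonesCacheCounterMutexA mutex name and what look like
    // three bitcoin addresses. Everything else is kept only as context.
    //
    // Caveats:
    //  - several artefacts carry trailing bytes from the strings dump
    //    ("msg/m_english.wnryF", "c.wnry%"); with `fullword` they are
    //    brittle and may miss other builds. Trim them when curating.
    //  - the "2 of" threshold is a judgement call, not derived from a
    //    corpus; test against clean PEs before deploying.
    meta:
        description = "intel - file strings.txt"
        author = "rsi"
        date = "2021-06-19"
    strings:
        $s1 = "WWWWWPj" fullword ascii
        $s2 = "OpenSCManagerA" fullword ascii
        $s3 = ";22dV::tN" fullword ascii
        $s4 = "_local_unwind2" fullword ascii
        $s5 = "2+( VPOL" fullword ascii
        $s6 = "GlobalAlloc" fullword ascii
        $s7 = "VirtualProtect" fullword ascii
        $s8 = "@Pbmx~P" fullword ascii
        $s9 = "FreeLibrary" fullword ascii
        $s10 = "^Fr`+:&" fullword ascii
        $s11 = "VirtualAlloc" fullword ascii
        $s12 = "CreateDirectoryW" fullword ascii
        $s13 = ">k_I[$" fullword ascii
        $s14 = "msg/m_english.wnryF" fullword ascii
        $s15 = "StartServiceA" fullword ascii
        $s16 = ":*>B=Ox" fullword ascii
        $s17 = "OpenMutexA" fullword ascii
        $s18 = "GetFullPathNameA" fullword ascii
        $s19 = "RegSetValueExA" fullword ascii
        $s20 = "msg/m_french.wnry" fullword ascii
        $s21 = "DeleteFileW" fullword ascii
        $s22 = "QeTbF~ZiKw" fullword ascii
        $s23 = "SbElHtQeF" fullword ascii
        $s24 = "Q~TbFwZiK" fullword ascii
        $s25 = "CreateFileW" fullword ascii
        $s26 = ".?AVtype_info@@" fullword ascii
        $s27 = "CryptDecrypt" fullword ascii
        $s28 = "=j&&LZ66lA??~" fullword ascii
        $s29 = "F~TbKwZi" fullword ascii
        $s30 = "incorrect data check" fullword ascii
        $s31 = "tasksche.exe" fullword ascii
        $s32 = "MoveFileW" fullword ascii
        $s33 = "unknown compression method" fullword ascii
        $s34 = "??1exception@@UAE@XZ" fullword ascii
        $s35 = "realloc" fullword ascii
        $s36 = "SetCurrentDirectoryA" fullword ascii
        $s37 = "WriteFile" fullword ascii
        $s38 = "b4(X2;ey" fullword ascii
        $s39 = "__p__commode" fullword ascii
        $s40 = "MultiByteToWideChar" fullword ascii
        $s41 = "LoadLibraryA" fullword ascii
        $s42 = "6tGuzF" fullword ascii
        $s43 = "%%Jo..r" fullword ascii
        $s44 = "4$8,9-6'.6$:#?*1hHpXeA~SrZlN" fullword ascii
        $s45 = "PPxD<<%" fullword ascii
        $s46 = "kernel32.dll" fullword ascii
        $s47 = "&%^W6)." fullword ascii
        $s48 = "CryptImportKey" fullword ascii
        $s49 = "HeapFree" fullword ascii
        $s50 = "_except_handler3" fullword ascii
        $s51 = "WaitForSingleObject" fullword ascii
        $s52 = "V,YYG;~" fullword ascii
        $s53 = "Ud|JZ|BE" fullword ascii
        $s54 = "_CxxThrowException" fullword ascii
        $s55 = "data error" fullword ascii
        $s56 = "??0exception@@QAE@ABQBD@Z" fullword ascii
        $s57 = "_acmdln" fullword ascii
        $s58 = "OLEAUT32.dll" fullword ascii
        $s59 = ";u>H4q7.c" fullword ascii
        $s60 = "GetModuleHandleA" fullword ascii
        $s61 = "incomplete literal/length tree" fullword ascii
        $s62 = "OpenServiceA" fullword ascii
        $s63 = "CryptReleaseContext" fullword ascii
        $s64 = "attrib +h ." fullword ascii
        $s65 = "inflate 1.1.3 Copyright 1995-1998 Mark Adler" fullword ascii
        $s66 = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" fullword ascii
        $s67 = "insufficient memory" fullword ascii
        $s68 = "$`GnP+%<g" fullword ascii
        $s69 = "TaskStart" fullword ascii
        $s70 = "msg/m_chinese (traditional).wnry" fullword ascii
        $s71 = "[_:L	x86" fullword ascii
        $s72 = "ReadFile" fullword ascii
        $s73 = "Bb..fO3" fullword ascii
        $s74 = "qDj$bIU" fullword ascii
        $s75 = "k|_^][Y" fullword ascii
        $s76 = "invalid distance code" fullword ascii
        $s77 = "wcsrchr" fullword ascii
        $s78 = "GetFileSizeEx" fullword ascii
        $s79 = "L)b7=a`" fullword ascii
        $s80 = "__CxxFrameHandler" fullword ascii
        $s81 = "_stricmp" fullword ascii
        $s82 = "[4+G[Tnr" fullword ascii
        $s83 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" fullword ascii
        $s84 = "msg/m_croatian.wnry" fullword ascii
        $s85 = "CMnQ,OOr" fullword ascii
        $s86 = "swprintf" fullword ascii
        $s87 = "SetFileAttributesW" fullword ascii
        $s88 = "msg/m_czech.wnryn" fullword ascii
        $s89 = "O|x8+^_" fullword ascii
        $s90 = "HeapAlloc" fullword ascii
        $s91 = "__setusermatherr" fullword ascii
        $s92 = "GetWindowsDirectoryW" fullword ascii
        $s93 = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" fullword ascii
        $s94 = "LocalFileTimeToFileTime" fullword ascii
        $s95 = "3/Vq9	=" fullword ascii
        $s96 = "CryptAcquireContextA" fullword ascii
        $s97 = "Jo7eQX%" fullword ascii
        $s98 = "FindResourceA" fullword ascii
        $s99 = "'B;1?5s" fullword ascii
        $s100 = "IsBadReadPtr" fullword ascii
        $s101 = "GetExitCodeProcess" fullword ascii
        $s102 = "`.rdata" fullword ascii
        $s103 = "#`?@/9P" fullword ascii
        $s104 = "GetTempPathW" fullword ascii
        $s105 = "invalid bit length repeat" fullword ascii
        $s106 = "MSVCRT.dll" fullword ascii
        $s107 = "o%%Jr..$" fullword ascii
        $s108 = "GlobalMsWinZonesCacheCounterMutexA" fullword ascii
        $s109 = "!`7RNkv" fullword ascii
        $s110 = "__p___argc" fullword ascii
        $s111 = "SetCurrentDirectoryW" fullword ascii
        $s112 = "oversubscribed literal/length tree" fullword ascii
        $s113 = "[l~y2U=" fullword ascii
        $s114 = "msg/m_greek.wnry4n" fullword ascii
        $s115 = "invalid block type" fullword ascii
        $s116 = "<` Xu9g" fullword ascii
        $s117 = "GetNativeSystemInfo" fullword ascii
        $s118 = "CloseServiceHandle" fullword ascii
        $s119 = "incomplete distance tree" fullword ascii
        $s120 = "S	Q+c@x" fullword ascii
        $s121 = "8d62ro/" fullword ascii
        $s122 = "e	];F[p" fullword ascii
        $s123 = "$@^ Y+kCM3" fullword ascii
        $s124 = "X(N.K&9" fullword ascii
        $s125 = "LeaveCriticalSection" fullword ascii
        $s126 = "msg/m_bulgarian.wnry" fullword ascii
        $s127 = "B~WJLuC" fullword ascii
        $s128 = "invalid window size" fullword ascii
        $s129 = "msg/m_dutch.wnry9" fullword ascii
        $s130 = "GetCurrentDirectoryA" fullword ascii
        $s131 = "Hy}V2l0e" fullword ascii
        $s132 = "xxJo%%r..8$" fullword ascii
        $s133 = "NLc>zQy" fullword ascii
        $s134 = "=iF-s4\"t" fullword ascii
        $s135 = "GetFileAttributesA" fullword ascii
        $s136 = "_initterm" fullword ascii
        $s137 = "2{0ONU	T8" fullword ascii
        $s138 = "M{_rKG	C" fullword ascii
        $s139 = "4XI\"whG" fullword ascii
        $s140 = "DeleteCriticalSection" fullword ascii
        $s141 = "b.wnryP8" fullword ascii
        $s142 = "GetFileSize" fullword ascii
        $s143 = "GetFileAttributesW" fullword ascii
        $s144 = "md)(:--" fullword ascii
        $s145 = "WNcry@2ol7" fullword ascii
        $s146 = "empty distance tree with lengths" fullword ascii
        $s147 = "SizeofResource" fullword ascii
        $s148 = "CopyFileA" fullword ascii
        $s149 = "uo\"usd/" fullword ascii
        $s150 = "ciC [/K" fullword ascii
        $s151 = "$0vJ<T9" fullword ascii
        $s152 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
        $s153 = "CryptDestroyKey" fullword ascii
        $s154 = "oversubscribed distance tree" fullword ascii
        $s155 = "MoveFileExW" fullword ascii
        $s156 = "KfmZ@9q" fullword ascii
        $s157 = "TerminateProcess" fullword ascii
        $s158 = "stream end" fullword ascii
        $s159 = "c.wnry%" fullword ascii
        $s160 = "vi#<!d*S" fullword ascii
        $s161 = "pfgGL`R" fullword ascii
        $s162 = "_XcptFilter" fullword ascii
        $s163 = "RegCreateKeyW" fullword ascii
        $s164 = "[wS#C^6" fullword ascii
        $s165 = "file error" fullword ascii
        $s166 = ">nuGl=Cme4" fullword ascii
        $s167 = "Microsoft Enhanced RSA and AES Cryptographic Provider" fullword ascii
        $s168 = "msg/m_filipino.wnry" fullword ascii
        $s169 = "incomplete dynamic bit lengths tree" fullword ascii
        $s170 = ".?AVexception@@" fullword ascii
        $s171 = "b=htZo&f" fullword ascii
        $s172 = "KERNEL32.dll" fullword ascii
        $s173 = "msg/m_chinese (simplified).wnryR9" fullword ascii
        $s174 = "&&Lj66lZ??~A" fullword ascii
        $s175 = "#E.(`MW" fullword ascii
        $s176 = "cmd.exe /c \"%s\"" fullword ascii
        $s177 = "j_1lTo`" fullword ascii
        $s178 = "stream error" fullword ascii
        $s179 = "&Lj&6lZ6?~A?" fullword ascii
        $s180 = "WS2_32.dll" fullword ascii
        $s181 = "SystemTimeToFileTime" fullword ascii
        $s182 = "- unzip 0.15 Copyright 1998 Gilles Vollant" fullword ascii
        $s183 = "??0exception@@QAE@ABV0@@Z" fullword ascii
        $s184 = ",4$8'9-6:.6$1#?*XhHpSeA~NrZlE" fullword ascii
        $s185 = "CloseHandle" fullword ascii
        $s186 = "??2@YAPAXI@Z" fullword ascii
        $s187 = "SetFileTime" fullword ascii
        $s188 = "|~}%.15" fullword ascii
        $s189 = "GetProcessHeap" fullword ascii
        $s190 = "SE{^QC4" fullword ascii
        $s191 = "Df\"\"T~**;" fullword ascii
        $s192 = "wsprintfA" fullword ascii
        $s193 = "GetModuleFileNameA" fullword ascii
        $s194 = "RegQueryValueExA" fullword ascii
        $s195 = "2/O-_.X8w.+" fullword ascii
        $s196 = "s<,kX5k" fullword ascii
        $s197 = "4I_,eJi" fullword ascii
        $s198 = "CreateServiceA" fullword ascii
        $s199 = "f\"\"D~**T" fullword ascii
        $s200 = "_controlfp" fullword ascii
        $s201 = "incompatible version" fullword ascii
        $s202 = "dV22tN::" fullword ascii
        $s203 = "_-TPsPUv: V" fullword ascii
        $s204 = "IyEf [%" fullword ascii
        $s205 = "__set_app_type" fullword ascii
        $s206 = "InitializeCriticalSection" fullword ascii
        $s207 = "Hjz%3(0" fullword ascii
        $s208 = ".Vy_Fdk" fullword ascii
        $s209 = "'Oh'-o]" fullword ascii
        $s210 = "qr=_os*" fullword ascii
        $s211 = ",MF3j;2@" fullword ascii
        $s212 = "need dictionary" fullword ascii
        $s213 = "CreateDirectoryA" fullword ascii
        $s214 = "pq\"b\"V1" fullword ascii
        $s215 = "=XnFQ-Il" fullword ascii
        $s216 = "x%Jo%.r." fullword ascii
        $s217 = "GetProcAddress" fullword ascii
        $s218 = "CryptEncrypt" fullword ascii
        $s219 = "MSVCP60.dll" fullword ascii
        $s220 = "6P>YK^$r" fullword ascii
        $s221 = "__p___argv" fullword ascii
        $s222 = "sprintf" fullword ascii
        $s223 = "MF2E0UG" fullword ascii
        $s224 = "KPeJr}F" fullword ascii
        $s225 = "CryptGenKey" fullword ascii
        $s226 = "__getmainargs" fullword ascii
        $s227 = "`1^9tdb" fullword ascii
        $s228 = "mK~}k=P" fullword ascii
        $s229 = "ADVAPI32.dll" fullword ascii
        $s230 = "GetComputerNameW" fullword ascii
        $s231 = "!This program cannot be run in DOS mode." fullword ascii
        $s232 = "WANACRY!" fullword ascii
        $s233 = "incorrect header check" fullword ascii
        $s234 = "_mbsstr" fullword ascii
        $s235 = "Le\"zE^f1" fullword ascii
        $s236 = "msg/m_german.wnry" fullword ascii
        $s237 = "\"Df\"*T~*" fullword ascii
        $s238 = "SHELL32.dll" fullword ascii
        $s239 = "8,4$6'9-$:.6*1#?pXhH~SeAlNrZbE" fullword ascii
        $s240 = "LockResource" fullword ascii
        $s241 = "#cMe&(;[Ip" fullword ascii
        $s242 = "advapi32.dll" fullword ascii
        $s243 = "Lj&&lZ66~A??" fullword ascii
        $s244 = "L3koq_ >" fullword ascii
        $s245 = "??1type_info@@UAE@XZ" fullword ascii
        $s246 = "msg/m_danish.wnry" fullword ascii
        $s247 = "^Md]\"lN" fullword ascii
        $s248 = "EGBkV6\"rnL9" fullword ascii
        $s249 = "?-3t/''" fullword ascii
        $s250 = "GetStartupInfoA" fullword ascii
        $s251 = "tJ9@0O(" fullword ascii
        $s252 = "!A$U>=+" fullword ascii
        $s253 = "2dV2:tN:" fullword ascii
        $s254 = "tlHt Ht" fullword ascii
        $s255 = "9d|!]`[" fullword ascii
        $s256 = "GlobalFree" fullword ascii
        $s257 = "V22dN::t" fullword ascii
        $s258 = "nyMZ?%g;" fullword ascii
        $s259 = "QeFbF~TiKwZ" fullword ascii
        $s260 = "[d+?8d[" fullword ascii
        $s261 = "EnterCriticalSection" fullword ascii
        $s262 = "LoadResource" fullword ascii
        $s263 = "msg/m_finnish.wnry~" fullword ascii
        $s264 = "\"\"Df**T~" fullword ascii
        $s265 = "kEs##Q^!" fullword ascii
        $s266 = "r;#r7iS|1" fullword ascii
        $s267 = "s]R\",XC(" fullword ascii
        $s268 = "CreateFileA" fullword ascii
        $s269 = "??3@YAXPAX@Z" fullword ascii
        $s270 = "VirtualFree" fullword ascii
        $s271 = "CreateProcessA" fullword ascii
        $s272 = "invalid literal/length code" fullword ascii
        $s273 = "oversubscribed dynamic bit lengths tree" fullword ascii
        $s274 = "E65etRIv4" fullword ascii
        $s275 = "SetLastError" fullword ascii
        $s276 = "*4q4[`V" fullword ascii
        $s277 = "+[_JQ}" fullword ascii
        $s278 = "\"t=.|Vbq-" fullword ascii
        $s279 = "invalid stored block lengths" fullword ascii
        $s280 = ":95e`Il" fullword ascii
        $s281 = "$8,4-6'96$:.?*1#HpXhA~SeZlNrSbE" fullword ascii
        $s282 = "=1azT)8^y" fullword ascii
        $s283 = "__p__fmode" fullword ascii
        $s284 = "buffer error" fullword ascii
        $s285 = "^Ml,L;0" fullword ascii
        $s286 = "!#pHA[P" fullword ascii
        $s287 = "*@~CS%1" fullword ascii
        $s288 = "~|c<caKm2" fullword ascii
        $s289 = "C77nYmm" fullword ascii
        $s290 = "_adjust_fdiv" fullword ascii
        $s291 = "7#z y,:" fullword ascii
        $s292 = "e\".E~^G" fullword ascii
        $s293 = "pp|B>>q" fullword ascii
        $s294 = "SetFilePointer" fullword ascii
        $s295 = "RegCloseKey" fullword ascii
        $s296 = "strrchr" fullword ascii
        $s297 = "USER32.dll" fullword ascii
        $s298 = "too many length or distance symbols" fullword ascii
    condition:
        // Gate on the PE signatures first (cheap integer reads; undefined
        // on a file shorter than 0x40 bytes or with a bad e_lfanew, which
        // evaluates to false) ...
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550
        // ... then require at least two sample-specific artefacts.
        and 2 of (
            $s14, $s20, $s31, $s64, $s66, $s70, $s83, $s84, $s88, $s93,
            $s108, $s114, $s126, $s129, $s141, $s145, $s152, $s159, $s168,
            $s173, $s232, $s236, $s246, $s263
        )
        // Keeps the generic strings referenced (yara refuses to compile a
        // rule with unreferenced strings); it adds no selectivity beyond
        // the clause above and can go once the list is pruned.
        and any of them
}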