
Thread: Hunting Beasts..."vinnu"

  1. #1

    Hunting Beasts..."vinnu"

    Namaste

    The cyber world is full of cyberbeasts (malware, exploits, etc.). In this thread we can all share and build artifacts and signatures (YARA rules and the like) for the malware and exploits we encounter, scan, research or analyse in our daily work.

    This effort will help in hunting the malware and exploits flowing through the cyber world, and in cleaning it up.

    ..."vinnu"

  2. #2
    Code:
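    rule Paradise_DDOS {
        meta:
            author = "vinnu"
            description = "Paradise DDOS Binary"
        strings:
            // NOTE(review): the odd leading character on several names (sActiveX,
            // 3Messages, KWindows, 2functions, TLists) looks like the length byte of
            // a Pascal-style string - confirm against a sample before trimming it.
            $v1 = "\"PARADISE"
            $v2 = "sActiveX"
            $v3 = "3Messages"
            $v4 = "KWindows"
            $v5 = "2functions"
            $v6 = "TLists"
        condition:
            // PE header check ("MZ" at offset 0), as the other rules in this thread
            // do; without it any file containing the six strings (a text dump, a
            // rule file) matched as well. All six strings remain required.
            uint16(0) == 0x5A4D and all of ($v*)
    }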

  3. #3
    Code:
    rule Rodecap_StealRAT {
        meta:
            author = "vinnu"
            description = "StealRAT Binary"
        strings:
            // "MZ" DOS header, anchored at offset 0 in the condition.
            $magic = "MZ"
            // NOTE(review): $v2 and $v3 ("RANDOM_STRING", "*.txt") are generic;
            // with the 3-of-4 threshold they can satisfy the rule together with $v1
            // and without the more specific $v4. Consider requiring $v4 once that
            // has been checked against samples.
            $v1 = "SetCurrentDirectory failed (%d)"
            $v2 = "RANDOM_STRING"
            $v3 = "*.txt"
            $v4 = "\\mmut\\mutator"
        condition:
            // PE header at offset 0 plus any three of the four indicator strings.
            $magic at 0 and 3 of ($v*)
    }

  4. #4
    Has anyone here integrated YARA into their own honeypot?

    --

    Narcissus

  5. #5
    Code:
    rule Nitol {
        meta:
            author = "vinnu"
            description = "Win32/Nitol DDOS malware binary signature"
        strings:
            // "MZ" DOS header, anchored at offset 0 in the condition.
            $magic = "MZ"
            // Twelve indicator strings; several of them (CRT symbols, API names,
            // OS version strings, "svchost.exe") also occur in legitimate binaries,
            // which is why the condition asks for ten of them rather than a few.
            $v0 = ".htmGET "
            $v1 = "__p__commode"
            $v2 = "ProcessTrans"
            $v3 = "StopWork"
            $v4 = "StartWork"
            $v5 = "HARDWARE\\DESCRIPTION"
            $v6 = "Windows 2008"
            $v7 = "Windows Vista"
            $v8 = "If-Modified-Since:"
            $v9 = "svchost.exe"
            $v10 = "ZwUnmapViewOfSection"
            $v11 = "lpk.addon"
        condition:
            // PE header at offset 0 plus at least ten of the twelve strings.
            $magic at 0 and 10 of ($v*)
    }

  6. #6
    Code:
    rule Simda {
        meta:
            author = "vinnu"
            description = "Simda binary signature"
        strings:
            // "MZ" DOS header, anchored at offset 0 in the condition.
            $magic = "MZ"
            // Group $v: five strings, all of them required for this branch.
            $v0 = "Misza Cia Less"
            $v1 = "inness"
            $v2 = "Lau. A"
            $v3 = "0B0J0P0V0"
            $v4 = ":\x1B:#:/:X:"
            // Group $a: seven strings, all of them required for this branch.
            $a0 = "subg. Less"
            $a1 = "Subaada, M"
            $a2 = "Inleeiv Aefive"
            $a3 = "under Iwynsi M"
            $a4 = "unuath"
            $a5 = "0+050Q0_0"
            $a6 = ":(:.:4:::"
            // Group $s: section-name-like strings, any two suffice.
            // NOTE(review): "PADDINGXX" is linker padding present in many ordinary
            // PE files, so the 2-of-7 branch is cheap to satisfy; consider raising
            // that threshold or leaving $s5 out of it after a check on clean files.
            $s0 = ".driver"
            $s1 = ".cfgbin"
            $s2 = ".data1"
            $s3 = ".orpc"
            $s4 = ".PDATA"
            $s5 = "PADDINGXX"
            $s6 = "<8=J=\\="
        condition:
            // PE header at offset 0 and any one of the three string groups.
            $magic at 0 and (all of ($v*) or all of ($a*) or 2 of ($s*))
    }

  7. #7
    Generic MSIL signature:
    Code:
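    rule Kazy {
        meta:
            author = "vinnu"
            // Added: every other rule in the thread carries a description; this one
            // is, as the author says, a generic MSIL signature rather than a
            // family-specific one.
            description = "Generic MSIL (.NET) assembly heuristic, Visual Basic flavour - not family specific"
        strings:
            // "MZ" DOS header, anchored at offset 0 in the condition.
            $magic = "MZ"
            // CLR metadata root signature and its standard stream names plus the
            // core library reference; these are present in practically every
            // managed assembly, so they only establish "this is a .NET binary".
            // ($v1 is simply unused; the $v* wildcard does not care about the gap.)
            $v0 = "BSJB"
            $v2 = "#Strings"
            $v3 = "#US"
            $v4 = "#GUID"
            $v5 = "#Blob"
            $v6 = "mscorlib"
            $v7 = "VisualBasic"
            // Runtime version prefixes; at least one must be present.
            $a0 = "v1.0."
            $a1 = "v2.0."
        condition:
            // Triage only: expect hits on legitimate VB.NET software built for
            // these runtime versions, not just on the Kazy family.
            $magic at 0 and all of ($v*) and 1 of ($a*)
    }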

  8. #8
    Code:
    rule Urausy_E {
        meta:
            author = "vinnu"
            description = "Win32/Urausy ransomware binary signature"
        strings:
            // "MZ" DOS header, anchored at offset 0 in the condition.
            $magic = "MZ"
            // $v0-$v3 look like Win32 API names (MAPI / MPR) that legitimate
            // binaries may import as well; $v4 and $v5 are the unusual ones.
            $v0 = "BMAPIAddress"
            $v1 = "BMAPIDetails"
            $v2 = "BuildDisplayTable@"
            $v3 = "I_MprSaveConn"
            $v4 = "-(.-phog"
            $v5 = "zzz6sss;sss<sss<sss<sss<sss<sss<xxx<zzz<zzz<zzz<zzz<zzz<zzz<zz"
        condition:
            // PE header at offset 0 plus at least five of the six strings.
            $magic at 0 and 5 of ($v*)
    }

  9. #9
    Code:
    rule Dirtjumper {
        meta:
            author = "vinnu"
            description = "binary Signature of Dirtjumper aka Win32/Dishigy"
        strings:
            // "MZ" DOS header, anchored at offset 0 in the condition.
            $magic = "MZ"
            // $v0..$v5 are consecutive slices of one byte sequence (each chunk
            // continues where the previous one stops: ...2E | 7C 00 00 4E...).
            // NOTE(review): it looks like a table of ascending little-endian 32-bit
            // values (offsets/RVAs?) - confirm against a sample; if so it may shift
            // between builds, which the 5-of-6 threshold only partly absorbs.
            $v0 = { 00 00 CE 7B 00 00 E2 7B 00 00 F2 7B 00 00 FE 7B 00 00 16 7C 00 00 2E}
            $v1 = { 7C 00 00 4E 7C 00 00 6E 7C 00 00 84 7C 00 00 96 7C 00 00 AA 7C 00 00}
            $v2 = { B6 7C 00 00 CE 7C 00 00 E6 7C 00 00 FC 7C 00 00 0E 7D 00 00 2A 7D 00}
            $v3 = { 00 40 7D 00 00 58 7D 00 00 6E 7D 00 00 84 7D 00 00 94 7D 00 00 B2 7D}
            $v4 = { 00 00 C2 7D 00 00 D0 7D 00 00 DC 7D 00 00 EE 7D 00 00 04 7E 00 00 16}
            $v5 = { 7E 00 00 32 7E 00 00 44 7E 00 00 58 7E}
        condition:
            // PE header at offset 0 plus at least five of the six byte slices.
            ($magic at 0) and (5 of ($v*))
    }

  10. #10
    Code:
    rule Dirtjumper {
        meta:
            author = "vinnu"
            description = "binary Signature of Dirtjumper aka Win32/Dishigy"
        strings:
            // This post repeats the rule from post #9 unchanged; only one copy can
            // be loaded into a ruleset, as YARA rejects duplicate rule identifiers.
            // "MZ" DOS header, anchored at offset 0 in the condition.
            $magic = "MZ"
            // $v0..$v5 are consecutive slices of one byte sequence; the condition
            // tolerates one missing slice.
            $v0 = { 00 00 CE 7B 00 00 E2 7B 00 00 F2 7B 00 00 FE 7B 00 00 16 7C 00 00 2E}
            $v1 = { 7C 00 00 4E 7C 00 00 6E 7C 00 00 84 7C 00 00 96 7C 00 00 AA 7C 00 00}
            $v2 = { B6 7C 00 00 CE 7C 00 00 E6 7C 00 00 FC 7C 00 00 0E 7D 00 00 2A 7D 00}
            $v3 = { 00 40 7D 00 00 58 7D 00 00 6E 7D 00 00 84 7D 00 00 94 7D 00 00 B2 7D}
            $v4 = { 00 00 C2 7D 00 00 D0 7D 00 00 DC 7D 00 00 EE 7D 00 00 04 7E 00 00 16}
            $v5 = { 7E 00 00 32 7E 00 00 44 7E 00 00 58 7E}
        condition:
            // PE header at offset 0 plus at least five of the six byte slices.
            ($magic at 0) and (5 of ($v*))
    }
