273 lines
12 KiB
Plaintext
273 lines
12 KiB
Plaintext
rule Gafgyt_Generic_Botnet {
|
|
meta:
|
|
description = "Detect the risk of Botnet Malware Gafgyt Rule 1"
|
|
hash0 = "2a18f2d59f172622e76d9d9b5c73393b"
|
|
hash1 = "06de2d19862494be7dbcbcf20b3dbe3a"
|
|
hash2 = "0fc30a802a07386f5cd4b18b47547979"
|
|
hash3 = "be6865ccb948f2937fd25fe465e434da"
|
|
hash4 = "c8d58acfe524a09d4df7ffbe4a43c429"
|
|
hash5 = "0f979b4ae1209020dd2b672f9dad7398"
|
|
hash6 = "45826c129bf3d3bd067e33cf7bef3883"
|
|
hash7 = "79b9d4cea7972951efad765406459f5e"
|
|
hash8 = "baad702930571c414b0e8896f8bb4a5f"
|
|
hash9 = "11754a20e705dccf96f1a1def7220efc"
|
|
hash10 = "67db9ed04d3b56f966a739fd40a47748"
|
|
strings:
|
|
$s0 = "busybox" fullword
|
|
$s1 = "PONG!" fullword
|
|
$s2 = "GETLOCALIP" fullword
|
|
$s3 = "HTTPFLOOD" fullword
|
|
$s4 = "LUCKYLILDUDE" fullword
|
|
$s5 = "/dev/null"
|
|
$s6 = "/etc/resolv.conf"
|
|
$s7 = "/etc/config/resolv.conf"
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule Gafgyt_July_1 {
|
|
meta:
|
|
description = "Detect the risk of Botnet Malware Gafgyt Rule 2"
|
|
hash1 = "041db2cf6eac2a47ae4651751158838104e502ff33dcc7f5dd48472789870e6c"
|
|
hash2 = "0839b33e2da179eac610673769e9568d1942877739cf4d990f3787672a4e9af1"
|
|
hash3 = "2a1c1a22ed6989e9ba86f9a192834e0a35afec8026e8ecc0bb5c958d2892d46c"
|
|
hash4 = "30b682ee7114bf68f881e641e9ab14c7d62c84f725e9cf5bfccb403aaa1fe8f7"
|
|
hash5 = "3b9a35f7a0698b24d214818efd22235c995f1460fc55dd3ebd923ff0dca5370c"
|
|
hash6 = "4110dd04db3932f1f03bdce6fa74f5298ffb429b816c7a8fce40f1cbb043e968"
|
|
hash7 = "471b4d64420bdf2c8749c390a142ed449aff23b0d67609b268be044657501fa7"
|
|
hash8 = "5a9f02031f0b3b1a2edaeae2d77b8c1f67de2b611449432c42c88f840d7a1d5c"
|
|
hash9 = "78d9488d688f3b12181b54df0e9da3770e90a4a42a13db001fd211d16645a1bb"
|
|
hash10 = "7f2aa6e5e1f1229fb18a15d1599a7a6014796cc7c08b26b9c4336a2048dc8928"
|
|
hash11 = "805917658c7761debdaf18e83b54ec4e9ba645950c773ddd21d6cd8ba29b32d6"
|
|
hash12 = "ae880c7dd79ebb1d626aea57152fdaa779d07d5b326d7f7fad1d42b637e5da84"
|
|
hash13 = "b0d36c18bf900988d01828202ce1ab77949b9a8a29b264ea1639f170a6c9825b"
|
|
hash14 = "c17bf892498ed1dce5db1b0f3d588774b8e82f2636f397b2456d15e7442781e6"
|
|
hash15 = "c27e328d2fe6fd75066938f58c3359c5dbb9deea166c6a4d3b0397d295a3e8d5"
|
|
hash16 = "df292a289d93136fbdd6ac0850b2c8845f967d9a9a3bd29a9386b39843b82eda"
|
|
hash17 = "e07a008aaf0a0a2666a705a9756da5bc54be18e2a53a50eb7539f1143548a57f"
|
|
hash18 = "0be1e96f318d98398861217a9754bc003e6861d84de8553cdbd87531db66e19b"
|
|
hash19 = "2d049876c256e55ae48a1060c32f8d75b691525cd877556172f163fe39466001"
|
|
hash20 = "3d8194b7853a1edbaa5d14b4b7a0323c5584b8a5c959efe830073e43d0b4418a"
|
|
hash21 = "576bce5c1d1143b0e532333a28d37c98d65b271d651dbce86360d3e80460733f"
|
|
hash22 = "b7c5895189c7f4e30984e2f0db703c2120909dccaa339e59795d3e732bca9340"
|
|
hash23 = "db23bf90a7f0c69c3501876243ca2fe29e9208864dfa6f2b5d0dac51061a3d86"
|
|
hash24 = "e1093d59bef8f260b0ca1ebe82c0635cc225e060b8d7296efe330ca7837e6d44"
|
|
hash25 = "e29d1c2cbd64d0f1433602f2b63cf40e33b4376ac613e911a2160b268496164d"
|
|
hash26 = "e6523f691d0b4a16cc1892ec4eb3ee113d62443317e337412b70e0cea3e106f7"
|
|
hash27 = "ec9387b582e5a935094c6d165741d2c989e72afc3c6063a29e96153e97a74af3"
|
|
hash28 = "ed2eaf4c44f83c7920b2d73cbe242b82cc92e3188d04b1bb8742783c49487da7"
|
|
strings:
|
|
$s1 = "/20x/x58/x4b/x49/x57/x44/x49/x4a/x22/x20/x22/x64/x39/x63/x39/x29/x4d/x20/x29/x57/x5f/x22/x21/x5f/x2b/x20/x51/x53/x4d/x45/x4d/x44" ascii
|
|
$s2 = "/73x/6ax/x4a/x4b/x4d/x44/x20/x44/x57/x29/x5f/x20/x44/x57/x49/x4f/x57/x20/x57/x4f/x4b/x3c/x20/x57/x44/x4b/x20/x44/x29/x5f/x41/" fullword ascii
|
|
$s3 = "/20x/x58/x4b/x49/x57/x44/x49/x4a/x22/x20/x22/x64/x39/x63/x39/x29/x4d/x20/x29/x57/x5f/x22/x21/x5f/x2b/x20/x51/x53/x4d/x45/x4d/x44" ascii
|
|
$s4 = "/x4d/x20/x29/x28/x28/x22/x29/x45/x4f/x4b/x58/x50/x7b/x20/x5f/x57/x44/x44/x57/x44/" fullword ascii
|
|
$s5 = "/x71/x3b/x38/x38/x20/x43/x57/x29/x57/x22/x29/x64/x32/x20/x4b/x58/x4b/x4b/x4c/x22/x44/x20/x2d/x44/x5f/" fullword ascii
|
|
$s6 = "UDPBYPASS" fullword ascii
|
|
$s7 = "Is a named type file" fullword ascii
|
|
$s8 = "Structure needs cleaning" fullword ascii
|
|
$s9 = "No XENIX semaphores available" fullword ascii
|
|
condition:
|
|
uint16(0) == 0x457f and filesize < 600KB and 5 of them
|
|
}
|
|
|
|
rule Gafgyt_July_6 {
|
|
meta:
|
|
description = "Detect the risk of Botnet Malware Gafgyt Rule 3"
|
|
author = "LightDefender"
|
|
date = "2021-07-06"
|
|
hash1 = "821d34f7978fc65fe3b570e86cce45edc921a6cbf02b127fb1263a8448a1f62a"
|
|
strings:
|
|
$s1 = "infected.log" fullword ascii
|
|
$s2 = "Samael-DDoS-Attack" fullword ascii
|
|
$s3 = "B0TK1LL" fullword ascii
|
|
$s4 = "This Device Has Been Infected by Samael Botnet Made By ur0a :)" ascii
|
|
condition:
|
|
uint16(0) == 0x457f and filesize < 600KB and 2 of them
|
|
}
|
|
|
|
rule elf_bashlite_auto {
|
|
|
|
meta:
|
|
description = "Detect the risk of Botnet Malware Gafgyt Rule 4"
|
|
strings:
|
|
$sequence_0 = { 21d0 3345fc c9 c3 55 }
|
|
// n = 5, score = 300
|
|
// 21d0 | mov dword ptr [ebp - 4], 0
|
|
// 3345fc | mov edi, 0x512c00
|
|
// c9 | inc esp
|
|
// c3 | mov edi, esp
|
|
// 55 | mov edi, 0x512c00
|
|
|
|
$sequence_1 = { e8???????? 89c2 89d0 c1e81f }
|
|
// n = 4, score = 300
|
|
// e8???????? |
|
|
// 89c2 | mov byte ptr [ebx], 0
|
|
// 89d0 | sub eax, edx
|
|
// c1e81f | cmp eax, dword ptr [esp + 0x7c]
|
|
|
|
$sequence_2 = { e8???????? 8945ec 837dec00 750b 8b45ec }
|
|
// n = 5, score = 300
|
|
// e8???????? |
|
|
// 8945ec | je 0xffffff7c
|
|
// 837dec00 | mov al, byte ptr [ebp - 0xf]
|
|
// 750b | cmp al, 0xc0
|
|
// 8b45ec | mov al, byte ptr [ebp - 0xd]
|
|
|
|
$sequence_3 = { f7d0 21d0 3345fc c9 }
|
|
// n = 4, score = 300
|
|
// f7d0 | mov ecx, eax
|
|
// 21d0 | dec eax
|
|
// 3345fc | mov edx, dword ptr [ebp - 0x40]
|
|
// c9 | mov edi, 0x800
|
|
|
|
$sequence_4 = { 750c e8???????? 8b00 83f804 }
|
|
// n = 4, score = 300
|
|
// 750c | cmp al, 0xfc
|
|
// e8???????? |
|
|
// 8b00 | jne 0x18a
|
|
// 83f804 | dec eax
|
|
|
|
$sequence_5 = { eb0a c785ecefffff00000000 8b85ecefffff c9 c3 }
|
|
// n = 5, score = 300
|
|
// eb0a | mov eax, dword ptr [eax]
|
|
// c785ecefffff00000000 | mov dword ptr [ebp - 0x108], eax
|
|
// 8b85ecefffff | mov dword ptr [ebp - 0x10c], 0x8056e9e
|
|
// c9 | mov dword ptr [ebp - 0x110], 5
|
|
// c3 | mov eax, dword ptr [ebp + 0xc]
|
|
|
|
$sequence_6 = { 8b85ecefffff c9 c3 55 }
|
|
// n = 4, score = 300
|
|
// 8b85ecefffff | add eax, 0x41
|
|
// c9 | mov byte ptr [ebx], al
|
|
// c3 | mov dword ptr [ebp - 0x1c], edx
|
|
// 55 | mov eax, dword ptr [ebp - 0x20]
|
|
|
|
$sequence_7 = { c1f802 89c2 89d0 01c0 01d0 }
|
|
// n = 5, score = 300
|
|
// c1f802 | mov dword ptr [ebp - 0x88], eax
|
|
// 89c2 | jmp 0x159
|
|
// 89d0 | mov dword ptr [esp], eax
|
|
// 01c0 | mov ecx, eax
|
|
// 01d0 | or ecx, 0x800
|
|
|
|
$sequence_8 = { 85c0 750c c785ecefffff01000000 eb0a c785ecefffff00000000 8b85ecefffff }
|
|
// n = 6, score = 300
|
|
// 85c0 | mov dword ptr [ebp - 0x4c], edx
|
|
// 750c | dec eax
|
|
// c785ecefffff01000000 | mov edi, dword ptr [ebp - 0x18]
|
|
// eb0a | mov ecx, dword ptr [ebp - 0x38]
|
|
// c785ecefffff00000000 | mov edx, dword ptr [ebp - 0x3c]
|
|
// 8b85ecefffff | add dword ptr [ebp - 0x34], eax
|
|
|
|
$sequence_9 = { 21d0 3345fc c9 c3 }
|
|
// n = 4, score = 300
|
|
// 21d0 | mov eax, dword ptr [ebp - 0x1c]
|
|
// 3345fc | mov word ptr [eax + 0xa], dx
|
|
// c9 | mov dword ptr [esp], 0
|
|
// c3 | movzx edx, ax
|
|
|
|
condition:
|
|
7 of them and filesize < 274018
|
|
}
|
|
|
|
|
|
rule Gafgyt_Botnet_generic : MALW
|
|
{
|
|
meta:
|
|
description = "Detect the risk of Botnet Malware Gafgyt Rule 5"
|
|
MD5 = "e3fac853203c3f1692af0101eaad87f1"
|
|
SHA1 = "710781e62d49419a3a73624f4a914b2ad1684c6a"
|
|
|
|
strings:
|
|
$etcTZ = "/bin/busybox;echo -e 'gayfgt'"
|
|
$s2 = "/proc/net/route"
|
|
$s3 = "admin"
|
|
$s4 = "root"
|
|
|
|
condition:
|
|
$etcTZ and $s2 and $s3 and $s4
|
|
}
|
|
|
|
rule Gafgyt_Botnet_oh : MALW
|
|
{
|
|
meta:
|
|
description = "Detect the risk of Botnet Malware Gafgyt Rule 6"
|
|
MD5 = "97f5edac312de349495cb4afd119d2a5"
|
|
SHA1 = "916a51f2139f11e8be6247418dca6c41591f4557"
|
|
|
|
strings:
|
|
$s1 = "busyboxterrorist"
|
|
$s2 = "BOGOMIPS"
|
|
$s3 = "124.105.97.%d"
|
|
$s4 = "fucknet"
|
|
condition:
|
|
$s1 and $s2 and $s3 and $s4
|
|
}
|
|
|
|
rule Gafgyt_Botnet_bash : MALW
|
|
{
|
|
meta:
|
|
description = "Detect the risk of Botnet Malware Gafgyt Rule 7"
|
|
MD5 = "c8d58acfe524a09d4df7ffbe4a43c429"
|
|
SHA1 = "b41fefa8470f3b3657594af18d2ea4f6ac4d567f"
|
|
|
|
strings:
|
|
$s1 = "PONG!"
|
|
$s2 = "GETLOCALIP"
|
|
$s3 = "HTTPFLOOD"
|
|
$s4 = "LUCKYLILDUDE"
|
|
condition:
|
|
$s1 and $s2 and $s3 and $s4
|
|
}
|
|
|
|
rule Gafgyt_Botnet_hoho : MALW
|
|
{
|
|
meta:
|
|
description = "Detect the risk of Botnet Malware Gafgyt Rule 8"
|
|
MD5 = "369c7c66224b343f624803d595aa1e09"
|
|
SHA1 = "54519d2c124cb536ed0ddad5683440293d90934f"
|
|
|
|
strings:
|
|
$s1 = "PING"
|
|
$s2 = "PRIVMSG"
|
|
$s3 = "Remote IRC Bot"
|
|
$s4 = "23.95.43.182"
|
|
condition:
|
|
$s1 and $s2 and $s3 and $s4
|
|
}
|
|
|
|
rule Gafgyt_Botnet_jackmy : MALW
|
|
{
|
|
meta:
|
|
description = "Detect the risk of Botnet Malware Gafgyt Rule 9"
|
|
MD5 = "419b8a10a3ac200e7e8a0c141b8abfba"
|
|
SHA1 = "5433a5768c5d22dabc4d133c8a1d192d525939d5"
|
|
|
|
strings:
|
|
$s1 = "PING"
|
|
$s2 = "PONG"
|
|
$s3 = "jackmy"
|
|
$s4 = "203.134.%d.%d"
|
|
condition:
|
|
$s1 and $s2 and $s3 and $s4
|
|
}
|
|
|
|
rule Gafgyt_Botnet_HIHI: MALW
|
|
{
|
|
meta:
|
|
description = "Detect the risk of Botnet Malware Gafgyt Rule 10"
|
|
MD5 = "cc99e8dd2067fd5702a4716164865c8a"
|
|
SHA1 = "b9b316c1cc9f7a1bf8c70400861de08d95716e49"
|
|
|
|
strings:
|
|
$s1 = "PING"
|
|
$s2 = "PONG"
|
|
$s3 = "TELNET LOGIN CRACKED - %s:%s:%s"
|
|
$s4 = "ADVANCEDBOT"
|
|
$s5 = "46.166.185.92"
|
|
$s6 = "LOLNOGTFO"
|
|
|
|
condition:
|
|
$s1 and $s2 and $s3 and $s4 and $s5 and $s6
|
|
}
|