YARA rules for Animal Farm
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
// Babar (SNOWGLOBE) PE payload: specific build/UA/error artifacts ($z*) or a
// combination of command-line format strings ($s*) with generic Windows strings ($x*).
rule SNOWGLOBE_Babar_Malware {
    meta:
        description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france"
        date = "2015/02/18"
        hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
        score = 80
        id = "53a61065-a3b3-563e-8ecc-513d8da68085"
    strings:
        // $z*: high-confidence artifacts unique to the sample
        $z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword  // developer build path
        $z1 = "User-Agent: Mozilla/4.0 (compatible; MSI 6.0;" ascii fullword  // "MSI" rather than the usual "MSIE"
        $z2 = "ExecQueryFailled!" fullword ascii  // misspelled error string
        $z3 = "NBOT_COMMAND_LINE" fullword
        $z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
        // $s*: command-line / path format strings (moderately specific)
        $s1 = "/s /n %s \"%s\"" fullword ascii
        $s2 = "%%WINDIR%%\\%s\\%s" fullword ascii
        $s3 = "/c start /wait " fullword ascii
        $s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii  // SDDL ACE list
        // $x*: generic Windows strings; supporting evidence only, never sufficient alone
        $x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" ascii
        $x2 = "%COMMON_APPDATA%" fullword ascii
        $x4 = "CONOUT$" fullword ascii
        $x5 = "cmd.exe" fullword ascii
        $x6 = "DLLPATH" fullword ascii
    condition:
        // MZ header and size cap, then either one unique artifact plus one supporting
        // string, or most of the format strings plus most of the generic strings
        uint16(0) == 0x5a4d and filesize < 1MB and
        (
            ( 1 of ($z*) and 1 of ($x*) ) or
            ( 3 of ($s*) and 4 of ($x*) )
        )
}
// RTF lure carrying an OLE2Link object (CVE-2017-0199 style). The strings are the
// hex-text form in which RTF \objdata embeds binary, so they match the encoded
// OLE structure names rather than raw bytes.
rule FE_LEGALSTRIKE_RTF {
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "joshua.kim@FireEye. - modified by Florian Roth"
        date = "2017-06-02"
        description = "Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
        id = "b62ceffa-445f-517e-b86b-56e47876c6c0"
    strings:
        $lnkinfo = "4c0069006e006b0049006e0066006f"  // UTF-16LE "LinkInfo" as hex text
        $encoded1 = "4f4c45324c696e6b"  // ASCII "OLE2Link" as hex text
        $encoded2 = "52006f006f007400200045006e007400720079"  // UTF-16LE "Root Entry"
        $encoded3 = "4f0062006a0049006e0066006f"  // UTF-16LE "ObjInfo"
        $encoded4 = "4f006c0065"  // UTF-16LE "Ole"
        $datastore = "\\*\\datastore"  // RTF destination \*\datastore
    condition:
        // first four bytes big-endian are "{\rt" (start of "{\rtf"); note: no filesize cap
        uint32be(0) == 0x7B5C7274 and all of them
}
// Tiny .url dropper: the whole file is expected to begin with the InternetShortcut
// header pointing at the given domain, so the hex pattern is anchored at offset 0.
rule APT_MAL_URL_CloudAtlas_Oct20_2 {
    meta:
        description = "Detects unknown maldoc dropper noticed in October 2020 - file morgue6visible5bunny6culvert7ambo5nun1illuminate4.url"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/jfslowik/status/1316050637092651009"
        date = "2020-10-13"
        hash1 = "a6a58b614a9f5ffa1d90b5d42e15521f52e2295f02c1c0e5cd9cbfe933303bee"
        id = "91f6362f-1793-58a3-a750-04ec9812b9df"
    strings:
        /* [InternetShortcut]
           URL=https://msofficeupdate.org/ */
        $hc1 = { 5B 49 6E 74 65 72 6E 65 74 53 68 6F 72 74 63 75
                 74 5D 0D 0A 55 52 4C 3D 68 74 74 70 73 3A 2F 2F
                 6D 73 6F 66 66 69 63 65 75 70 64 61 74 65 2E 6F
                 72 67 }
    condition:
        // 0x495b is "[I" read little-endian; redundant with "$hc1 at 0" but a cheap pre-filter
        uint16(0) == 0x495b and
        filesize < 200 and
        $hc1 at 0
}
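// CasperStager (.NET tool) detected by its assembly/typelib GUIDs. The GUID string is
// embedded as written in the source attribute, and its letter case varies between
// builds, so the match is made case-insensitive instead of relying on lowercase only.
rule HKTL_NET_GUID_CasperStager {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/ustayready/CasperStager"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "0ad18d2b-b7cc-5316-a8e8-b05d4439b8e1"
    strings:
        // nocase: also catches upper-/mixed-case encodings of the same GUIDs
        $typelibguid0lo = "c653a9f2-0939-43c8-9b93-fed5e2e4c7e6" ascii wide nocase
        $typelibguid1lo = "48dfc55e-6ae5-4a36-abef-14bc09d7510b" ascii wide nocase
    condition:
        // MZ header and PE signature at e_lfanew (offset 0x3C), then any GUID
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}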
// Casper x86 payload: either the small set of process-name/description strings in a
// small file, or a mix of Firefox profile paths, HTTP/cookie format strings and C2 strings.
rule Casper_Backdoor_x86 {
    meta:
        description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://goo.gl/VRJNLo"
        date = "2015-03-05"
        modified = "2023-01-27"
        hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
        score = 80
        id = "9e54f00c-74a7-56cc-87e5-8dec1233cbb5"
    strings:
        // $s*: process names / service description, including the surrounding quotes
        $s1 = "\"svchost.exe\"" fullword wide
        $s2 = "firefox.exe" fullword ascii
        $s3 = "\"Host Process for Windows Services\"" fullword wide
        // $x*: wildcarded user/profile paths (Firefox profile harvesting)
        $x1 = "\\Users\\*" ascii
        $x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" ascii
        $x3 = "\\Mozilla\\Firefox\\Profiles\\*" ascii
        $x4 = "\\Documents and Settings\\*" ascii
        // $y*: HTTP header / cookie format strings
        $y1 = "%s; %S=%S" fullword wide
        $y2 = "%s; %s=%s" fullword ascii
        $y3 = "Cookie: %s=%s" fullword ascii
        $y4 = "http://%S:%d" fullword wide
        // $z*: connectivity-check URL and hard-coded User-Agent (note the trailing "MALC" token)
        $z1 = "http://google.com/" ascii
        $z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
        $z3 = "Operating System\"" fullword wide
    condition:
        // second branch has no MZ/filesize gate; it relies on the string combination alone
        ( filesize < 250KB and all of ($s*) ) or
        ( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
}
// Casper dropper: XML-style command tags and format strings; requires nearly all of
// the eight strings, with no PE header or filesize gate.
rule Casper_EXE_Dropper {
    meta:
        description = "Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/05"
        hash = "e4cc35792a48123e71a2c7b6aa904006343a157a"
        score = 80
        id = "a901d045-6f9b-57e8-8347-6f78178b7231"
    strings:
        $s0 = "<Command>" fullword ascii
        $s1 = "</Command>" fullword ascii
        $s2 = "\" /d \"" fullword ascii
        $s4 = "'%s' %s" fullword ascii
        $s5 = "nKERNEL32.DLL" fullword wide  // leading "n" is part of the artifact as found in the sample
        $s6 = "@ReturnValue" fullword wide
        $s7 = "ID: 0x%x" fullword ascii
        $s8 = "Name: %S" fullword ascii
    condition:
        // 7 of 8 strings; tolerates one missing/changed string
        7 of them
}
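// Casper indicator strings: either both batch-command fragments anywhere, or a PE file
// containing any one of the file names / C2 / key / mutex artifacts.
rule Casper_Included_Strings {
    meta:
        description = "Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/06"
        score = 50
        id = "34ba474d-0858-534a-8f32-db5a709e8814"
    strings:
        // $a*: fragments of the self-deletion / info-collection batch command
        $a0 = "cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST"
        $a1 = "& SYSTEMINFO) ELSE EXIT"
        // $c*: individual artifacts, each considered specific enough on its own in a PE
        $c1 = "domcommon.exe" wide fullword // File Name
        $c2 = "jpic.gov.sy" fullword // C2 Server
        $c3 = "aiomgr.exe" wide fullword // File Name
        $c4 = "perfaudio.dat" fullword // Temp File Name
        $c5 = "Casper_DLL.dll" fullword // Name
        $c6 = { 7B 4B 59 DE 37 4A 42 26 59 98 63 C6 2D 0F 57 40 } // Decryption Key
        $c7 = "{4216567A-4512-9825-7745F856}" fullword // Mutex
    condition:
        // Parenthesised explicitly: "and" binds tighter than "or" in YARA, so the MZ
        // check gates only the $c* branch, never the $a* branch.
        ( all of ($a*) ) or
        ( uint16(0) == 0x5a4d and 1 of ($c*) )
}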
// Matches the report file Casper writes, not the binary: section banners and field
// labels of its system-information output. All strings are plain ASCII (no modifiers).
rule Casper_SystemInformation_Output {
    meta:
        description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://goo.gl/VRJNLo"
        date = "2015/03/06"
        score = 70
        id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
    strings:
        $a0 = "***** SYSTEM INFORMATION ******"
        $a1 = "***** SECURITY INFORMATION ******"
        $a2 = "Antivirus: "
        $a3 = "Firewall: "
        $a4 = "***** EXECUTION CONTEXT ******"
        $a5 = "Identity: "
        $a6 = "<CONFIG TIMESTAMP="
    condition:
        // every banner and label must be present; no filesize cap is applied
        all of them
}