
YARA rules for OilRig

133 rules · scoped to actor
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.

family: Chafer (direct) · rule: Chafer_Portscanner
Detects Custom Portscanner used by Oilrig
author: Markus Neis · license: see source repo
rule Chafer_Portscanner {
   meta:
      description = "Detects Custom Portscanner used by Oilrig"
      author = "Markus Neis"
      reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
      date = "2018-03-22"
      hash1 = "88274a68a6e07bdc53171641e7349d6d0c71670bd347f11dcc83306fe06656e9"
      id = "8db934c3-fb0d-5c87-9096-1ee8fb16f9a5"
   strings:
      $x1 = "C:\\Users\\RS01204N\\Documents\\" ascii
      $x2 = "PortScanner /ip:google.com  /port:80 /t:500 /tout:2" fullword ascii
      $x3 = "open ports of host/hosts" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them
}
family: Oilrig (direct) · rule: Oilrig_Myrtille
Detects Oilrig Myrtille RDP Browser
author: Markus Neis · license: see source repo
rule Oilrig_Myrtille {
   meta:
      description = "Detects Oilrig Myrtille RDP Browser"
      author = "Markus Neis"
      reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
      date = "2018-03-22"
      modified = "2022-12-21"
      hash1 = "67945f2e65a4a53e2339bd361652c6663fe25060888f18e681418e313d1292ca"
      id = "e742ab0c-0e21-569e-a100-e5082dc1d372"
   strings:
      $x1 = "\\obj\\Release\\Myrtille.Services.pdb" ascii
      $x2 = "Failed to notify rdp client process exit (MyrtilleAppPool down?), remote session {0} ({1})" fullword wide
      $x3 = "Started rdp client process, remote session {0}" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 50KB and 1 of them
}
family: Oilrig (direct) · rule: Oilrig_PS_CnC
Powershell CnC using DNS queries
author: Markus Neis · license: see source repo
rule Oilrig_PS_CnC {
   meta:
      description = "Powershell CnC using DNS queries"
      author = "Markus Neis"
      reference = "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
      date = "2018-03-22"
      hash1 = "9198c29a26f9c55317b4a7a722bf084036e93a41ba4466cbb61ea23d21289cfa"
      id = "cbc5689c-37ff-59b6-9e3a-7d8577021f70"
   strings:
      $x1 = "(-join $base32filedata[$uploadedCompleteSize..$($uploadedCompleteSize" fullword ascii
      $s2 = "$hostname = \"D\" + $fileID + (-join ((65..90) + (48..57) + (97..122)|" ascii
   condition:
      filesize < 40KB and 1 of them
}
family: APT34 (direct) · rule: APT34_Malware_HTA
Detects APT 34 malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT34_Malware_HTA {
   meta:
      description = "Detects APT 34 malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
      date = "2017-12-07"
      hash1 = "f6fa94cc8efea0dbd7d4d4ca4cf85ac6da97ee5cf0c59d16a6aafccd2b9d8b9a"
      id = "683faded-7e4b-5b2f-9f85-300db96ed9d1"
   strings:
      $x1 = "WshShell.run \"cmd.exe /C C:\\ProgramData\\" ascii
      $x2 = ".bat&ping 127.0.0.1 -n 6 > nul&wscript  /b" ascii
      $x3 = "cmd.exe /C certutil -f  -decode C:\\ProgramData\\" ascii
      $x4 = "a.WriteLine(\"set Shell0 = CreateObject(" ascii
      $x5 = "& vbCrLf & \"Shell0.run" ascii

      $s1 = "<title>Blog.tkacprow.pl: HTA Hello World!</title>" fullword ascii
      $s2 = "<body onload=\"test()\">" fullword ascii
   condition:
      filesize < 60KB and ( 1 of ($x*) or all of ($s*) )
}
family: APT34 (direct) · rule: APT34_Malware_Exeruner
Detects APT 34 malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT34_Malware_Exeruner {
   meta:
      description = "Detects APT 34 malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
      date = "2017-12-07"
      hash1 = "c75c85acf0e0092d688a605778425ba4cb2a57878925eee3dc0f4dd8d636a27a"
      id = "8ddfa59d-9b8a-5cb6-a992-6498ac9be75d"
   strings:
      $x1 = "\\obj\\Debug\\exeruner.pdb" ascii
      $x2 = "\"wscript.shell`\")`nShell0.run" wide
      $x3 = "powershell.exe -exec bypass -enc \" + ${global:$http_ag} +" wide
      $x4 = "/c powershell -exec bypass -window hidden -nologo -command " fullword wide
      $x5 = "\\UpdateTasks\\JavaUpdatesTasksHosts\\" wide
      $x6 = "schtasks /create /F /ru SYSTEM /sc minute /mo 1 /tn" wide
      $x7 = "UpdateChecker.ps1 & ping 127.0.0.1" wide
      $s8 = "exeruner.exe" fullword wide
      $s9 = "${global:$address1} = $env:ProgramData + \"\\Windows\\Microsoft\\java\";" fullword wide
      $s10 = "C:\\ProgramData\\Windows\\Microsoft\\java" fullword wide
      $s11 = "function runByVBS" fullword wide
      $s12 = "$84e31856-683b-41c0-81dd-a02d8b795026" fullword ascii
      $s13 = "${global:$dns_ag} = \"aQBmACAAKAAoAEcAZQB0AC0AVwBtAGk" wide
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}
family: APT34 (direct) · rule: APT_APT34_PS_Malware_Apr19_1
Detects APT34 PowerShell malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT_APT34_PS_Malware_Apr19_1 {
   meta:
      description = "Detects APT34 PowerShell malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/0xffff0800/status/1118406371165126656"
      date = "2019-04-17"
      hash1 = "b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768"
      id = "6a082c5a-ee5b-5002-9148-61bbcfedfe68"
   strings:
      $x1 = "= get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID" ascii
      $x2 = "Write-Host \"excepton occured!\"" ascii /* :) */

      $s1 = "Start-Sleep -s 1;" fullword ascii
      $s2 = "Start-Sleep -m 100;" fullword ascii
   condition:
      1 of ($x*) or 2 of them
}
family: APT34 (direct) · rule: APT_APT34_PS_Malware_Apr19_2
Detects APT34 PowerShell malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT_APT34_PS_Malware_Apr19_2 {
   meta:
      description = "Detects APT34 PowerShell malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/0xffff0800/status/1118406371165126656"
      date = "2019-04-17"
      hash1 = "2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459"
      id = "c3bdadfd-2164-5e33-be84-d5d5de8eb048"
   strings:
      $x1 = "= \"http://\" + [System.Net.Dns]::GetHostAddresses(\"" ascii
      $x2 = "$t = get-wmiobject Win32_ComputerSystemProduct  | Select-Object -ExpandProperty UUID" fullword ascii
      $x3 = "| Where { $_ -notmatch '^\\s+$' }" ascii

      $s1 = "= new-object System.Net.WebProxy($u, $true);" fullword ascii
      $s2 = " -eq \"dom\"){$" ascii
      $s3 = " -eq \"srv\"){$" ascii
      $s4 = "+\"<>\" | Set-Content" ascii
   condition:
      1 of ($x*) and 3 of them
}
family: APT34 (direct) · rule: APT_APT34_PS_Malware_Apr19_3
Detects APT34 PowerShell malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT_APT34_PS_Malware_Apr19_3 {
   meta:
      description = "Detects APT34 PowerShell malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/0xffff0800/status/1118406371165126656"
      date = "2019-04-17"
      modified = "2023-01-06"
      hash1 = "27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed"
      id = "361582e7-94e3-5608-9ba9-31fa20c37cf0"
   strings:
      $x1 = "Powershell.exe -exec bypass -file ${global:$address1}"
      $x2 = "schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn"
      $x3 = "\"\\UpdateTasks\\UpdateTaskHosts\""
      $x4 = "wscript /b \\`\"${global:$address1" ascii
      $x5 = "::FromBase64String([string]${global:$http_ag}))" ascii
      $x6 = ".run command1, 0, false\" | Out-File " ascii
      $x7 = "\\UpdateTask.vbs" ascii
      $x8 = "hUpdater.ps1" fullword ascii
   condition:
      1 of them
}
family: Greenbug (direct) · rule: Greenbug_Malware_1
Detects Malware from Greenbug Incident
author: Florian Roth (Nextron Systems) · license: see source repo
rule Greenbug_Malware_1 {
   meta:
      description = "Detects Malware from Greenbug Incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/urp4CD"
      date = "2017-01-25"
      hash1 = "dab460a0b73e79299fbff2fa301420c1d97a36da7426acc0e903c70495db2b76"
      id = "3375a392-4896-572c-9688-00f01ea86ca7"
   strings:
      $s1 = "vailablez" fullword ascii
      $s2 = "Sfouglr" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and all of them )
}
family: Greenbug (direct) · rule: Greenbug_Malware_2
Detects Backdoor from Greenbug Incident
author: Florian Roth (Nextron Systems) · license: see source repo
rule Greenbug_Malware_2 {
   meta:
      description = "Detects Backdoor from Greenbug Incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/urp4CD"
      date = "2017-01-25"
      hash1 = "6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d"
      hash2 = "21f5e60e9df6642dbbceca623ad59ad1778ea506b7932d75ea8db02230ce3685"
      hash3 = "319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6c"
      id = "e5d5ddae-cf6d-579f-9a67-9406838b5e0b"
   strings:
      $x1 = "|||Command executed successfully" fullword ascii
      $x2 = "\\Release\\Bot Fresh.pdb" ascii
      $x3 = "C:\\ddd\\a1.txt" fullword wide
      $x4 = "Bots\\Bot5\\x64\\Release" ascii
      $x5 = "Bot5\\Release\\Ism.pdb" ascii
      $x6 = "Bot\\Release\\Ism.pdb" ascii
      $x7 = "\\Bot Fresh\\Release\\Bot" ascii

      $s1 = "/Home/SaveFile?commandId=CmdResult=" fullword wide
      $s2 = "raB3G:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday" fullword ascii
      $s3 = "Set-Cookie:\\b*{.+?}\\n" fullword wide
      $s4 = "SELECT * FROM AntiVirusProduct" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) or 2 of them ) ) or ( 3 of them )
}
family: Greenbug (direct) · rule: Greenbug_Malware_3
Detects Backdoor from Greenbug Incident
author: Florian Roth (Nextron Systems) · license: see source repo
rule Greenbug_Malware_3 {
   meta:
      description = "Detects Backdoor from Greenbug Incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/urp4CD"
      date = "2017-01-25"
      super_rule = 1
      hash1 = "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49"
      hash2 = "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c"
      id = "68142bcd-4bd0-5c80-97fc-38811565e21c"
   strings:
      $x1 = "F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb" fullword ascii
      $x2 = "C:\\ddd\\wer2.txt" fullword wide
      $x3 = "\\Microsoft\\Windows\\tmp43hh11.txt" wide
   condition:
      1 of them
}
family: Greenbug (direct) · rule: Greenbug_Malware_4
Detects ISMDoor Backdoor
author: Florian Roth (Nextron Systems) · license: see source repo
rule Greenbug_Malware_4 {
   meta:
      description = "Detects ISMDoor Backdoor"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/urp4CD"
      date = "2017-01-25"
      super_rule = 1
      hash1 = "308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f"
      hash2 = "82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
      id = "d45dea36-6051-5531-afd2-abf27cd06a12"
   strings:
      $s1 = "powershell.exe -nologo -windowstyle hidden -c \"Set-ExecutionPolicy -scope currentuser" fullword ascii
      $s2 = "powershell.exe -c \"Set-ExecutionPolicy -scope currentuser -ExecutionPolicy unrestricted -f; . \"" fullword ascii
      $s3 = "c:\\windows\\temp\\tmp8873" fullword ascii
      $s4 = "taskkill /im winit.exe /f" fullword ascii
      $s5 = "invoke-psuacme"
      $s6 = "-method oobe -payload \"\"" fullword ascii
      $s7 = "C:\\ProgramData\\stat2.dat" fullword wide
      $s8 = "Invoke-bypassuac" fullword ascii
      $s9 = "Start Keylog Done" fullword wide
      $s10 = "Microsoft\\Windows\\WinIt.exe" fullword ascii
      $s11 = "Microsoft\\Windows\\Tmp9932u1.bat\"" fullword ascii
      $s12 = "Microsoft\\Windows\\tmp43hh11.txt" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them ) or ( 3 of them )
}
family: Greenbug (direct) · rule: Greenbug_Malware_5
Auto-generated rule
author: Florian Roth (Nextron Systems) · license: see source repo
rule Greenbug_Malware_5 {
   meta:
      description = "Auto-generated rule"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/urp4CD"
      date = "2017-01-25"
      modified = "2023-01-27"
      super_rule = 1
      hash1 = "308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f"
      hash2 = "44bdf5266b45185b6824898664fd0c0f2039cdcb48b390f150e71345cd867c49"
      hash3 = "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c"
      hash4 = "82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9"
      id = "12362711-f466-5f9e-9227-1cf84aec93e5"
   strings:
      $x1 = "cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter" fullword ascii
      $x2 = "cmd /a /c net user administrator /domain >>" fullword ascii
      $x3 = "cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\" ascii

      $o1 = "========================== (Net User) ==========================" ascii fullword
   condition:
      filesize < 2000KB and (
         ( uint16(0) == 0x5a4d and 1 of them ) or
         $o1
      )
}
family: Greenbug (direct) · rule: Greenbug_Malware_Nov17_1
Detects Greenbug Malware
author: Florian Roth (Nextron Systems) · license: see source repo
import "pe"

rule Greenbug_Malware_Nov17_1 {
   meta:
      description = "Detects Greenbug Malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://www.clearskysec.com/greenbug/"
      date = "2017-11-26"
      hash1 = "6e55e161dc9ace3076640a36ef4a8819bb85c6d5e88d8e852088478f79cf3b7c"
      hash2 = "a9f1375da973b229eb649dc3c07484ae7513032b79665efe78c0e55a6e716821"
      id = "50816c09-5f38-5e05-9915-b96f00ee4b88"
   strings:
      $x1 = "AgentV2.exe  -c  SampleDomain.com" fullword ascii
      $x2 = ".ntpupdateserver.com" fullword ascii
      $x3 = "Content-Disposition: form-data; name=\"file\"; filename=\"a.a\"" fullword ascii
      $x4 = "a67d0db885a3432576548a2a03707334" fullword ascii
      $x5 = "a67d0db8a2a173347654432503702aa3" fullword ascii
      $x6 = "!!! can not create output file !!!" fullword ascii

      $s1 = "\\runlog*" ascii
      $s2 = "can not specify username!!" fullword ascii
      $s3 = "Agent can not be configured" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 400KB and (
        pe.imphash() == "58ba44f7ff5436a603fec3df97d815ea" or
        pe.imphash() == "538805ecd776b9a42e71aebf94fde1b1" or
        1 of ($x*) or
        3 of them
      )
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_BackDoorLogger
Keylogger used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_BackDoorLogger
{
	meta:
		description = "Keylogger used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "e9149baa-83c0-597f-833c-ea0241bb60e6"
	strings:
		$s1 = "BackDoorLogger"
		$s2 = "zhuAddress"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_Jasus
ARP cache poisoner used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_Jasus
{
	meta:
		description = "ARP cache poisoner used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "8e04b258-e071-5974-9778-b9d0b97be8d5"
	strings:
		$s1 = "pcap_dump_open"
		$s2 = "Resolving IPs to poison..."
		$s3 = "WARNNING: Gateway IP can not be found"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_LoggerModule
Keylogger used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_LoggerModule
{
	meta:
		description = "Keylogger used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "949e7ff4-2102-5c89-83c9-f7ba64745661"
	strings:
		$s1 = "%s-%02d%02d%02d%02d%02d.r"
		$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_NetC
Net Crawler used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_NetC
{
	meta:
		description = "Net Crawler used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "68f32662-0d7d-5dfa-8bfd-ca41d383e19c"
	strings:
		$s1 = "NetC.exe" wide
		$s2 = "Net Service"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_ShellCreator2
Shell Creator used by attackers in Operation Cleaver to create ASPX web shells
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_ShellCreator2
{
	meta:
		description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "b62336c3-39e5-55f8-98df-6c2a2cb0764a"
	strings:
		$s1 = "ShellCreator2.Properties"
		$s2 = "set_IV"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_SmartCopy2
Malware or hack tool used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_SmartCopy2
{
	meta:
		description = "Malware or hack tool used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "898d9060-208a-5dfb-a452-50ab49b80a9d"
	strings:
		$s1 = "SmartCopy2.Properties"
		$s2 = "ZhuFrameWork"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_SynFlooder
Malware or hack tool used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_SynFlooder
{
	meta:
		description = "Malware or hack tool used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "bdaf02f4-1226-569b-9f55-999be7ff397a"
	strings:
		$s1 = "Unable to resolve [ %s ]. ErrorCode %d"
		$s2 = "s IP is : %s"
		$s3 = "Raw TCP Socket Created successfully."
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_TinyZBot
Tiny Bot used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_TinyZBot
{
	meta:
		description = "Tiny Bot used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "4fad21a6-a900-5afb-876d-99a6d93e0c2c"
	strings:
		$s1 = "NetScp" wide
		$s2 = "TinyZBot.Properties.Resources.resources"
		$s3 = "Aoao WaterMark"
		$s4 = "Run_a_exe"
		$s5 = "netscp.exe"
		$s6 = "get_MainModule_WebReference_DefaultWS"
		$s7 = "remove_CheckFileMD5Completed"
		$s8 = "http://tempuri.org/"
		$s9 = "Zhoupin_Cleaver"
	condition:
		(($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9)
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_ZhoupinExploitCrew
Keywords used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_ZhoupinExploitCrew
{
	meta:
		description = "Keywords used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "4e7457a0-e6e1-535c-b04b-ad313b496ce1"
	strings:
		$s1 = "zhoupin exploit crew" nocase
		$s2 = "zhopin exploit crew" nocase
	condition:
		1 of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_antivirusdetector
Hack tool used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_antivirusdetector
{
	meta:
		description = "Hack tool used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "25ab4eaf-eae7-5a55-bed4-42f621d5f06c"
	strings:
		$s1 = "getShadyProcess"
		$s2 = "getSystemAntiviruses"
		$s3 = "AntiVirusDetector"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_csext
Backdoor used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_csext
{
	meta:
		description = "Backdoor used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "f865eae5-9988-5533-a004-e1694761a557"
	strings:
		$s1 = "COM+ System Extentions"
		$s2 = "csext.exe"
		$s3 = "COM_Extentions_bin"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_kagent
Backdoor used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_kagent
{
	meta:
		description = "Backdoor used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "32d20495-eeed-5b2b-915d-cad60fa991f6"
	strings:
		$s1 = "kill command is in last machine, going back"
		$s2 = "message data length in B64: %d Bytes"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_pvz_in
Parviz tool used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_pvz_in
{
	meta:
		description = "Parviz tool used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "dede12b3-f1dd-58ba-a860-829b2331b740"
	strings:
		$s1 = "LAST_TIME=00/00/0000:00:00PM$"
		$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_pvz_out
Parviz tool used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_pvz_out
{
	meta:
		description = "Parviz tool used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "46b51bff-dfd9-5f56-897c-422112bc837b"
	strings:
		$s1 = "Network Connectivity Module" wide
		$s2 = "OSPPSVC" wide
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_wndTest
Backdoor used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_wndTest
{
	meta:
		description = "Backdoor used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "f8daa0a8-f0f0-5bf7-b9ab-eaf5335ff2b9"
	strings:
		$s1 = "[Alt]" wide
		$s2 = "<< %s >>:" wide
		$s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_zhCat
Network tool used by Iranian hackers and used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_zhCat
{
	meta:
		description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "e1f1bc48-b895-5e23-8ffd-b6ea9c8eb26f"
	strings:
		$s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
		$s2 = "ABC ( A Big Company )" wide fullword
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_zhLookUp
Hack tool used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_zhLookUp
{
	meta:
		description = "Hack tool used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "45ef9a90-db4c-59c3-b694-da3f539b118b"
	strings:
		$s1 = "zhLookUp.Properties"
	condition:
		all of them
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_Parviz_Developer
Parviz developer known from Operation Cleaver
author: Florian Roth (Nextron Systems) · license: see source repo
rule OPCLEAVER_Parviz_Developer
{
	meta:
		description = "Parviz developer known from Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		score = 70
		id = "2bfa90a0-0495-5b21-98f7-5ed7ebc74b2d"
	strings:
		$s1 = "Users\\parviz\\documents\\" nocase
	condition:
		$s1
}
family: OPCLEAVER (direct) · rule: OPCLEAVER_CCProxy_Config
CCProxy config known from Operation Cleaver
author: Florian Roth (Nextron Systems) · license: see source repo
rule OPCLEAVER_CCProxy_Config
{
	meta:
		description = "CCProxy config known from Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		score = 70
		id = "c4d80a2a-2a32-585e-bc20-1c5118e4ee48"
	strings:
		$s1 = "UserName=User-001" fullword ascii
		$s2 = "Web=1" fullword ascii
		$s3 = "Mail=1" fullword ascii
		$s4 = "FTP=0" fullword ascii
		$x1 = "IPAddressLow=78.109.194.114" fullword ascii
	condition:
		all of ($s*) or $x1
}
Showing 101-133 of 133
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin