
YARA rules for Cactus

2 rules · scoped to actor
YARA rules whose family, name, or description matches this actor or its tooling. The scoping is by name: both rules below key on CACTUSTORCH tooling strings, so a hit identifies the tool, not the operator. Use these for binary-pattern hunts and confirm attribution separately.

CACTUSTORCH (direct match)
Detects CactusTorch Hacktool
author Florian Roth (Nextron Systems) · license: see source repo
rule CACTUSTORCH {
   meta:
      description = "Detects CactusTorch Hacktool"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/mdsecactivebreach/CACTUSTORCH"
      date = "2017-07-31"
      hash1 = "314e6d7d863878b6dca46af165e7f08fedd42c054d7dc3828dc80b86a3a9b98c"
      hash2 = "0305aa32d5f8484ca115bb4888880729af7f33ac99594ec1aa3c65644e544aea"
      hash3 = "a52d802e34ac9d7d3539019d284b04ded3b8e197d5e3b38ed61f523c3d68baa7"
      id = "75606b9e-97d5-5b8b-87f5-69b7e415b73c"
   strings:
      $x1 = "$payload = shellcode(%options[\"listener\"], \"true\", \"x86\");" fullword ascii
      $x2 = "Copy the base64 encoded payload into the code variable below." fullword ascii
      $x3 = " CACTUSTORCH Payload" ascii
      $x4 = "ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)" fullword ascii
      $x5 = "' Author: Vincent Yiu (@vysecurity)" fullword ascii
      $x6 = "Dim binary : binary = \"rundll32.exe\"" fullword ascii

      $a1 = "code = code & \"" ascii
      $a2 = "serialized_obj = serialized_obj & \"" ascii

      $s1 = "binary = \"rundll32.exe\"" fullword ascii
      $s2 = "EL.DataType = \"bin.hex\"" fullword ascii
      $s3 = "Set stm = CreateObject(\"System.IO.MemoryStream\")" fullword ascii
      $s4 = "var binary = \"rundll32.exe\";" fullword ascii
      $s5 = "var serialized_obj = \"" ascii
   condition:
      ( filesize < 800KB and
         (
            1 of ($x*) or
            ( 1 of ($a*) and 1 of ($s*) )
         )
      ) or ( 3 of them )
}
HKTL_NET_NAME_CACTUSTORCH (direct match)
Detects .NET red/black-team tools via name
author Arnim Rupp · license: see source repo
rule HKTL_NET_NAME_CACTUSTORCH {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/mdsecactivebreach/CACTUSTORCH"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "7b1e3015-fada-592c-b120-20aa12247d32"
    strings:
        $name = "CACTUSTORCH" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin