YARA rules for Negg Group
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
// Generic detector for very small PE files whose import names suggest a
// network/privilege-handling utility; derived from WinEggDrop scanner
// samples (see description). Score 40 is the lowest on this page, so a hit
// is a lead for triage rather than a verdict on its own.
rule Tiny_Network_Tool_Generic: FILE {
meta:
description = "Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "08.10.2014"
score = 40
hash0 = "9e1ab25a937f39ed8b031cd8cfbc4c07"
hash1 = "cafc31d39c1e4721af3ba519759884b9"
hash2 = "8e635b9a1e5aa5ef84bfa619bd2a1f92"
id = "04b1c2c6-605c-52d5-aa07-f3b77a6c4593"
strings:
// Core set: the condition requires every $s* string.
$s0 = "KERNEL32.DLL" fullword ascii
$s1 = "CRTDLL.DLL" fullword ascii
$s3 = "LoadLibraryA" fullword ascii
$s4 = "GetProcAddress" fullword ascii
// Alternative sets: at least one of $y*, $x*, $z* must match completely.
// Note that $x5 repeats $y2 and $z1-$z3 repeat $x1/$x2/$x4; each identifier
// is matched independently, so the overlap is harmless but redundant.
$y1 = "WININET.DLL" fullword ascii
$y2 = "atoi" fullword ascii
$x1 = "ADVAPI32.DLL" fullword ascii
$x2 = "USER32.DLL" fullword ascii
$x3 = "wsock32.dll" fullword ascii
$x4 = "FreeSid" fullword ascii
$x5 = "atoi" fullword ascii
$z1 = "ADVAPI32.DLL" fullword ascii
$z2 = "USER32.DLL" fullword ascii
$z3 = "FreeSid" fullword ascii
$z4 = "ToAscii" fullword ascii
condition:
// MZ header (0x5a4d little-endian at offset 0), the full core set, one
// complete alternative set, and a 15KB size cap — the "tiny" in the name.
// Larger binaries never match, whatever their imports.
uint16(0) == 0x5a4d and all of ($s*) and (all of ($y*) or all of ($x*) or all of ($z*)) and filesize < 15KB
}
// Usage/progress messages of the WinEggDrop port scanner (disclosed hacktool
// set, file s.exe). No PE-header or size guard is applied: any file or
// memory region carrying five of these strings matches, including non-PE
// content such as captured console output.
rule Hacktools_CN_WinEggDrop {
meta:
description = "Disclosed hacktool set - file s.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "17.11.14"
score = 60
hash = "7665011742ce01f57e8dc0a85d35ec556035145d"
id = "9b6244ee-5ace-5caa-bfa2-732bcfcfc998"
strings:
// printf-style format strings and usage examples; all are fullword ascii.
$s0 = "Normal Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
$s2 = "SYN Scan: About To Scan %u IP For %u Ports Using %d Thread" fullword ascii
$s6 = "Example: %s TCP 12.12.12.12 12.12.12.254 21 512 /Banner" fullword ascii
$s8 = "Something Wrong About The Ports" fullword ascii
$s9 = "Performing Time: %d/%d/%d %d:%d:%d --> " fullword ascii
$s10 = "Example: %s TCP 12.12.12.12/24 80 512 /T8 /Save" fullword ascii
$s12 = "%u Ports Scanned.Taking %d Threads " fullword ascii
$s13 = "%-16s %-5d -> \"%s\"" fullword ascii
$s14 = "SYN Scan Can Only Perform On WIN 2K Or Above" fullword ascii
$s17 = "SYN Scan: About To Scan %s:%d Using %d Thread" fullword ascii
$s18 = "Scan %s Complete In %d Hours %d Minutes %d Seconds. Found %u Open Ports" fullword ascii
condition:
// Five of the eleven strings suffice, so partial string stripping or a
// trimmed variant still matches.
5 of them
}
// Command/help text of the WinEggDrop shell; the reference hash is the
// accompanying text file (Jc.WinEggDrop Shell.txt), so this is aimed at the
// shell's documentation and the command strings it embeds rather than at a
// specific binary layout.
rule Jc_WinEggDrop_Shell {
meta:
description = "Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "23.11.14"
score = 60
hash = "820674b59f32f2cf72df50ba4411d7132d863ad2"
id = "219df3a1-fe1c-5d33-ab3e-1b3cbd104c9e"
strings:
// Shell command lines and status messages; leading ":" and trailing spaces
// are part of the literal and must be present for a fullword match.
$s0 = "Sniffer.dll" fullword ascii
$s4 = ":Execute net.exe user Administrator pass" fullword ascii
$s5 = "Fport.exe or mport.exe " fullword ascii
$s6 = ":Password Sniffering Is Running |Not Running " fullword ascii
$s9 = ": The Terminal Service Port Has Been Set To NewPort" fullword ascii
$s15 = ": Del www.exe " fullword ascii
$s20 = ":Dir *.exe " fullword ascii
condition:
// Low threshold: any two of the seven strings. Review which pair fired
// before escalating, since $s0 and $s20 are the least specific of the set.
2 of them
}
// Installer from the WinEggDrop shell archive (file Install.exe). The
// strings are S-Demo/S-Player artefacts (go.163.com/sdemo, BaiXue.net,
// S-Player.exe) rather than shell functionality.
// NOTE(review): a benign S-Demo player build may carry the same strings;
// confirm the sample against the reference hash before acting on a hit.
rule Jc_ALL_WinEggDropShell_rar_Folder_Install_2 {
meta:
description = "Disclosed hacktool set (old stuff) - file Install.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "23.11.14"
score = 60
hash = "95866e917f699ee74d4735300568640ea1a05afd"
id = "ebfc8e53-328c-5deb-bf9b-e0270f171c68"
strings:
// $s1, $s3 and $s9 are UTF-16LE (wide); the rest are ascii.
$s1 = "http://go.163.com/sdemo" fullword wide
$s2 = "Player.tmp" fullword ascii
$s3 = "Player.EXE" fullword wide
$s4 = "mailto:sdemo@263.net" fullword ascii
$s5 = "S-Player.exe" fullword ascii
// Deliberately not fullword: matches the prefix of a longer text ending
// in " (".
$s9 = "http://www.BaiXue.net (" wide
condition:
// Every string is required; a single stripped or re-encoded string
// defeats the rule.
all of them
}
// Injector component from the WinEggDrop shell archive (file InjectT.exe).
// Combines a packer banner with strings from the injector's own payload.
rule WinEggDropShellFinal_zip_Folder_InjectT {
meta:
description = "Disclosed hacktool set (old stuff) - file InjectT.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "23.11.14"
score = 60
hash = "516e80e4a25660954de8c12313e2d7642bdb79dd"
id = "16f04551-050f-5a07-a35b-a3a7dbba6803"
strings:
// Packer banner; not fullword, so it also matches when embedded in a
// longer string.
$s0 = "Packed by exe32pack" ascii
$s1 = "2TInject.Dll" fullword ascii
$s2 = "Windows Services" fullword ascii
$s3 = "Findrst6" fullword ascii
$s4 = "Press Any Key To Continue......" fullword ascii
condition:
// All five are required, including the packer banner, so an unpacked or
// differently packed build of the same injector would not match.
all of them
}