YARA rules for Sakula
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule malware_sakula_xorloop {
    // Sakula single-byte XOR decode loops, matched in PE files only (see condition).
    // Both loops leave 0x00 bytes and bytes equal to the key untouched, so those
    // values survive "decoding" unchanged - useful to know when reproducing the unpacking.
    meta:
        description = "XOR loops from Sakula malware"
        author = "David Cannings"
        md5 = "fc6497fe708dbda9355139721b6181e7"
        date = "2016-06-13"
        modified = "2023-01-27"
        id = "9349b7e4-560c-5d8b-94d9-cbb9fd09e132"
    strings:
        // XOR decode loop (non-null, non-key byte only)
        // xor eax,eax; mov al,[ebx+ecx]; cmp al,0; je; cmp al,dl; je; xor al,dl; mov [ebx+ecx],al
        // Key lives in dl and there are no wildcards, so only this exact register
        // allocation matches - a recompiled variant may need a second pattern.
        $opcodes_decode_loop01 = { 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B }
        // XOR decode
        // mov eax,[ebp+8]; lea ecx,[edx+eax]; mov al,[ecx]; test al,al; jz; cmp al,KEY; je; xor al,KEY; mov [ecx],al
        // The two ?? are the immediate key byte, so any single-byte key matches.
        $opcodes_decode_loop02 = { 8B 45 08 8D 0C 02 8A 01 84 C0 74 08 3C ?? 74 04 34 ?? 88 01 }
    condition:
        // "MZ" header required: this is a file-scope rule. For dumped/unpacked
        // memory use malware_sakula_memory, which drops the header check.
        uint16(0) == 0x5A4D and any of ($opcodes*)
}
rule malware_sakula_memory {
    // Post-unpacking Sakula strings and encode loops. Intended for memory dumps /
    // unpacked payloads, hence no MZ header check in the condition.
    meta:
        description = "Sakula malware - strings after unpacking (memory rule)"
        author = "David Cannings"
        md5 = "b3852b9e7f2b8954be447121bb6b65c3"
        id = "328e3707-d11d-5b7f-bec4-18a42a2c658b"
    strings:
        // Self-delete idiom: ping as a delay, then delete the named file.
        $str01 = "cmd.exe /c ping 127.0.0.1 & del \"%s\""
        // rundll32 launch of a DLL export named "Play"
        $str02 = "cmd.exe /c rundll32 \"%s\" Play \"%s\""
        // NOTE(review): $str03 and $str07 are stock IE User-Agent strings and $str01
        // is a common self-delete idiom; they are generic on their own and only carry
        // weight in combination with the rest (the condition needs 4 matches).
        $str03 = "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+SV1)"
        $str04 = "cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c cmd.exe /c \"%s\""
        $str05 = "Self Process Id:%d"
        $str06 = "%d_%d_%d_%s"
        $str07 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
        // rundll32 launch of a DLL export named "ActiveQvaw"
        $str08 = "cmd.exe /c rundll32 \"%s\" ActiveQvaw \"%s\""
        // Encode loop, operations: rol 1; xor ??;
        // cmp ecx,0; je; xor eax,eax; mov al,[ebx]; rol al,1; xor al,KEY; mov [ebx],al; dec ecx; inc ebx; jmp back
        // ?? is the immediate key byte; ecx is the remaining length, ebx the buffer pointer.
        $opcodes01 = { 83 F9 00 74 0E 31 C0 8A 03 D0 C0 34 ?? 88 03 49 43 EB ED }
        // Encode loop, single byte XOR
        // xor eax,eax; mov al,[ebx+edx]; xor al,[ecx]; cmp eax,0; jne; cmp edx,0; je; dec ecx; dec edx
        // Key byte is read from [ecx] rather than an immediate; both pointers walk backwards.
        $opcodes02 = { 31 C0 8A 04 13 32 01 83 F8 00 75 0E 83 FA 00 74 04 49 4A }
    condition:
        // 4 of 10 strings; no header check so this also fires on unmapped memory regions.
        4 of them
}
rule malware_sakula_shellcode {
    // Position-independent shellcode fragments recovered from a decoded Sakula
    // dropper (setup.msi). Both sequences are generic shellcode building blocks
    // and the author flags them as possibly not unique to Sakula.
    // NOTE(review): with "any of them" a single generic sequence is enough to fire,
    // so treat hits as hunting / triage leads rather than a family attribution on
    // their own; corroborate with malware_sakula_memory or RAT_Sakula.
    meta:
        description = "Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula"
        author = "David Cannings"
        id = "147e4894-7877-5367-9f6b-588eb7f0379a"
    strings:
        /*
        55 push ebp
        89 E5 mov ebp, esp
        E8 00 00 00 00 call $+5
        58 pop eax
        83 C0 06 add eax, 6
        C9 leave
        C3 retn
        */
        // Get EIP technique (may not be unique enough to identify Sakula)
        // Note this only appears in memory or decoded files
        // The call $+5 / pop eax pair is the textbook way shellcode learns its own address.
        $opcodes01 = { 55 89 E5 E8 00 00 00 00 58 83 C0 06 C9 C3 }
        /*
        8B 5E 3C mov ebx, [esi+3Ch] ; Offset to PE header
        8B 5C 1E 78 mov ebx, [esi+ebx+78h] ; Length of headers
        8B 4C 1E 20 mov ecx, [esi+ebx+20h] ; Number of data directories
        53 push ebx
        8B 5C 1E 24 mov ebx, [esi+ebx+24h] ; Export table
        01 F3 add ebx, esi
        */
        // Export parser
        // Walks e_lfanew -> OptionalHeader -> export directory with esi as the module base;
        // this is how position-independent code resolves APIs without an import table.
        $opcodes02 = { 8B 5E 3C 8B 5C 1E 78 8B 4C 1E 20 53 8B 5C 1E 24 01 F3 }
    condition:
        // No MZ check on purpose: these bytes only exist in memory or after decoding.
        any of them
}
rule RAT_Sakula
{
    // Sakula v1.0 RAT, file-scope (MZ header required). Three independent paths
    // to a match: strings + a v1.x marker, a known certificate serial, or one of
    // the XOR loop / prologue opcode sequences. A Symantec copyright string is
    // used as a false-positive exclusion.
    meta:
        date = "2015-10-13"
        description = "Detects Sakula v1.0 RAT"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings"
        reference = "http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara"
        id = "4be3179c-3b91-56db-bba9-9ccc42066f96"
    strings:
        // Generic RAT strings (C2 parameters, self-delete, service start, rundll32 launch).
        // $s5 "iexplorer" is weak on its own, which is why 3 of them plus a $v1_* marker is required.
        $s1 = "%d_of_%d_for_%s_on_%s"
        $s2 = "/c ping 127.0.0.1 & del /q \"%s\""
        $s3 = "=%s&type=%d"
        $s4 = "?photoid="
        $s5 = "iexplorer"
        $s6 = "net start \"%s\""
        $s7 = "cmd.exe /c rundll32 \"%s\""
        // v1.x specific markers: two artefact names and two code fragments.
        $v1_1 = "MicroPlayerUpdate.exe"
        $v1_2 = "CCPUpdate"
        // cmp dword [esi],0x378; jne; ...; push 0x80000001 (HKEY_CURRENT_USER); call [0x0040F000]; ...
        // Contains absolute addresses (0x0041xxxx data, 0x0040F0xx IAT slots), so this
        // fragment is tied to one build / image base and will miss a relinked sample.
        $v1_3 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 }
        // push eax; call rel32; add esp,4; push 0x3E8; call edi; ... - relative call
        // displacements are also build-specific; the push 1000 / call edi looks like a
        // Sleep(1000), TODO confirm against the sample.
        $v1_4 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF }
        // 16-byte values, presumably code-signing certificate serial numbers abused by
        // the actor (see the reference); any single one is sufficient for a match.
        $serial01 = { 31 06 2e 48 3e 01 06 b1 8c 98 2f 00 53 18 5c 36 }
        $serial02 = { 01 a5 d9 59 95 19 b1 ba fc fa d0 e8 0b 6d 67 35 }
        $serial03 = { 47 d5 d5 37 2b cb 15 62 b4 c9 f4 c2 bd f1 35 87 }
        $serial04 = { 3a c1 0e 68 f1 ce 51 9e 84 dd cd 28 b1 1f a5 42 }
        // mov edi,edi; push ebp; mov ebp,esp; sub esp,0x20; mov eax,[imm32]; cmp eax,0
        // NOTE(review): a standard hotpatchable prologue followed by a global load and
        // zero test; since any single $opcodes* match fires the rule, this is the most
        // false-positive-prone pattern here - review hits that rely on $opcodes1 alone.
        $opcodes1 = { 89 FF 55 89 E5 83 EC 20 A1 ?? ?? ?? 00 83 F8 00 }
        // Same XOR decode loops as malware_sakula_xorloop (key in dl / immediate key byte).
        $opcodes2 = { 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B }
        $opcodes3 = { 8B 45 08 8D 0C 02 8A 01 84 C0 74 08 3C ?? 74 04 34 ?? 88 01 }
        // xor [eax+edi],dl; lea ecx,[eax+edi]; inc eax; inc dl; cmp eax,esi
        // Rolling XOR: the key byte in dl is incremented after every byte.
        $opcodes4 = { 30 14 38 8D 0C 38 40 FE C2 3B C6 }
        // Same rolling XOR loop with ecx as the index register.
        $opcodes5 = { 30 14 39 8D 04 39 41 FE C2 3B CE }
        // False-positive exclusion: ascii wide catches both UTF-8 and UTF-16LE version info.
        $fp1 = "Symantec Corporation" ascii wide
    condition:
        uint16(0) == 0x5a4d and (
            (3 of ($s*) and any of ($v1_*)) or
            (any of ($serial0*)) or
            (any of ($opcodes*))
        )
        and not 1 of ($fp*)
}
rule MAL_AirdViper_Sample_Apr18_1 {
    // Arid Viper sample rule (Florian Roth, signature-base).
    // NOTE(review): this rule targets Arid Viper, not Sakula; its presence on a
    // Sakula tool page is most likely a loose family/description match and should
    // not be read as a relationship between the two. The rule name also spells the
    // family "AirdViper"; it is kept as-is because other content may reference it.
    meta:
        description = "Detects Arid Viper malware sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2018-05-04"
        hash1 = "9f453f1d5088bd17c60e812289b4bb0a734b7ad2ba5a536f5fd6d6ac3b8f3397"
        id = "00f118d1-be1c-5f50-a50f-591f824a1a53"
    strings:
        // High-confidence ($x*): a self-delete command line and two C2 form-field names
        // (German parameter names "betriebssystem"/"anwendung").
        $x1 = "cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del \"%s\"" fullword ascii
        $x2 = "daenerys=%s&" ascii
        $x3 = "betriebssystem=%s&anwendung=%s&AV=%s" ascii
        // Supporting ($s*): process kill, C2 URI path, and dropped file names.
        $s1 = "Taskkill /IM %s /F & %s" fullword ascii
        $s2 = "/api/primewire/%s/requests/macKenzie/delete" fullword ascii
        $s3 = "\\TaskWindows.exe" ascii
        $s4 = "MicrosoftOneDrives.exe" fullword ascii
        $s5 = "\\SeanSansom.txt" ascii
    condition:
        // PE only, capped at 6 MB; one strong string or four of any kind.
        uint16(0) == 0x5a4d and filesize < 6000KB and (
            1 of ($x*) or
            4 of them
        )
}
rule MAL_Cisco_RayInitiator_Stage_3_LINE_VIPER_ShellCode {
    // RayInitiator (GRUB bootkit for Cisco ASA) stage 3: code that copies the
    // LINE VIPER shellcode stub into place and makes the page executable.
    // NOTE(review): unlike the sibling NCSC rules from the same report this one
    // carries no license meta field; check the report's licensing before redistributing.
    meta:
        author = "NCSC"
        description = "Detects RayInitiator GRUB bootkit stage 3 deploy phase code that copies LINE VIPER shellcode stub and marks executable."
        date = "2025-09-25"
        reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf"
        score = 85
    strings:
        // x86-64:
        //   mov rdx,rdi; add rdi,0x40; mov rsi,r9; mov ecx,0x1D0; rep movsb   - copy 0x1D0 bytes to +0x40
        //   mov rdi,rdx; add rdi,0x40; mov [rdx],rdi; shr rdi,12; shl rdi,12   - store pointer, page-align it
        //   mov edx,7; mov rsi,0x2000                                          - rdi/rsi/rdx = addr, 0x2000, 7
        // The final register setup looks like mprotect(addr, 0x2000, RWX) under the SysV
        // ABI, matching the "marks executable" in the description - confirm in the report.
        $xc1 = {
            48 89 FA 48 83 C7 40 4C 89 CE B9 D0 01 00 00 F3 A4 48
            89 D7 48 83 C7 40 48 89 3A 48 C1 EF 0C 48 C1 E7 0C BA
            07 00 00 00 48 C7 C6 00 20 00 00
        }
    condition:
        // Single exact sequence, no file-type or size constraint.
        $xc1
}
rule MAL_Cisco_LINE_VIPER_Shellcode_Deobfuscation_Routine {
    // LINE VIPER (Cisco ASA) shellcode deobfuscation loop, matched either as raw
    // bytes or as base64 text (the payload is also observed base64-encoded).
    meta:
        author = "NCSC"
        description = "Detects LINE VIPER Cisco ASA malware code as part of a shellcode deobfuscation routine."
        date = "2025-09-25"
        reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf"
        score = 85
        license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/"
    strings:
        // x86-64:
        //   mov rdi,[rdi+8]; lea rbx,[rdi+0x70]; mov r9,0x1800; mov r8,0x20
        //   outer: mov rdi,rbx
        //   inner: mov al,[rcx]; xor al,[rdi]; inc rdi; dec r8d; test r8,r8; jnz inner
        //          mov [rcx],al; inc rcx; dec r9d; test r9,r9; jnz outer
        // i.e. 0x1800 bytes, each XORed against a 0x20-byte key block at +0x70
        // (register reloads between the two jumps are not part of the pattern).
        $xc1 = {
            48 8B 7F 08 48 8D 5F 70 49 C7 C1 00 18 00 00 49 C7 C0
            20 00 00 00 48 89 DF 8A 01 32 07 48 FF C7 41 FF C8 4D 85 C0 75 F3
            88 01 48 FF C1 41 FF C9 4D 85 C9 75 DA
        }
        // Base64 of the $xc1 bytes at each of the three possible 3-byte alignments,
        // so the routine is also caught inside a base64-encoded blob regardless of offset.
        $x1 = "SIt/CEiNX3BJx8EAGAAAScfAIAAAAEiJ34oBMgdI/8dB/8hNhcB184gBSP/BQf/JTYXJdd"
        $x2 = "iLfwhIjV9wScfBABgAAEnHwCAAAABIid+KATIHSP/HQf/ITYXAdfOIAUj/wUH/yU2FyXXa"
        $x3 = "Ii38ISI1fcEnHwQAYAABJx8AgAAAASInfigEyB0j/x0H/yE2FwHXziAFI/8FB/8lNhcl12"
    condition:
        1 of them
}
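rule MAL_Cisco_LINE_VIPER_Shellcode_Initial_Execution {
    // LINE VIPER (Cisco ASA) shellcode, initial execution stage. Pattern set from
    // the NCSC report; the base64 regexes were later replaced by equivalent hex
    // strings so the rule needs no regex evaluation.
    meta:
        // Fixed typo in the attribution ("modifier by" -> "modified by").
        author = "NCSC (modified by Florian Roth)"
        description = "Detects LINE VIPER Cisco ASA malware code as part of shellcode initial execution."
        date = "2025-09-25"
        modified = "2025-09-27"
        reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf"
        score = 85
        license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/"
    strings:
        // x86-64: lea rsi,[rdi+0x80]; mov edx,0x2000; <19 bytes>; mov rsi,0x9000; mov edx,7
        // The trailing rsi/rdx values (0x9000, 7) look like a length / RWX protection
        // pair for a memory-protection call - confirm in the report.
        $xc1 = {
            48 8D B7 80 00 00 00 BA 00 20 00 00 [19] 48 C7 C6 00
            90 00 00 BA 07 00 00 00
        }
        // Original base64 regex forms, kept for reference:
        // $x1 = /SI23gAAAALoAIAAA[A-Za-z0-9+\/]{26}jHxgCQAAC6BwAAA/
        // $x2 = /iNt4AAAAC6ACAAA[A-Za-z0-9+\/]{26}Ix8YAkAAAugcAAA/
        // $x3 = /IjbeAAAAAugAgAA[A-Za-z0-9+\/]{26}SMfGAJAAALoHAAAA/
        // Hex-encoded ASCII of the same base64 prefixes/suffixes (one per 3-byte alignment).
        // The [26] jump accepts any 26 bytes where the regex accepted only base64
        // alphabet characters - marginally broader, but far cheaper to scan.
        $xe1 = { 53 49 32 33 67 41 41 41 41 4c 6f 41 49 41 41 41 [26] 6a 48 78 67 43 51 41 41 43 36 42 77 41 41 41 }
        $xe2 = { 69 4e 74 34 41 41 41 41 43 36 41 43 41 41 41 [26] 49 78 38 59 41 6b 41 41 41 75 67 63 41 41 41 }
        $xe3 = { 49 6a 62 65 41 41 41 41 41 75 67 41 67 41 41 [26] 53 4d 66 47 41 4a 41 41 41 4c 6f 48 41 41 41 41 }
    condition:
        1 of them
}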
rule MAL_Cisco_LINE_VIPER_RSA_Enc_Random_AES_Key_Gen {
    // LINE VIPER (Cisco ASA): code around generation of a random AES session key
    // that is then RSA-encrypted for the operator. Four independent fragments,
    // any one of which is sufficient.
    meta:
        author = "NCSC"
        description = "Detects LINE VIPER Cisco ASA malware code as part of RSA encrypted random AES key generation."
        date = "2025-09-25"
        reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf"
        score = 85
        license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/"
    strings:
        // xor rax,rax; mov [r14],rax; mov [r14+8],rax; add r14,0x10; sub r13,0x10; test r13,r13; jnz; mov edi,0x30
        // Zero-fill loop, 16 bytes per iteration, followed by a 0x30 argument
        // (presumably a size for the next allocation - see report).
        $xc1 = {
            48 31 C0 49 89 06 49 89 46 08 49 83 C6 10 49 83 ED 10
            4D 85 ED 75 D8 BF 30 00 00 00
        }
        // jnz rel32; mov rax,[r12+8]; cmp rax,0x2F; jl; mov r13d,0x2F0; lea r14,[r12+0x10]; mov rdi,[r14]
        $xc2 = {
            0F 85 57 01 00 00 49 8B 44 24 08 48 83 F8 2F 7C 33 41
            BD F0 02 00 00 4D 8D 74 24 10 49 8B 3E
        }
        // test eax,eax; jle; mov r13d,0x2F0; lea r15,[r12+0x10]; mov rdi,[r15]; test rdi,rdi; jz;
        // add r15,0x10; sub r13,0x10; test r13,r13; jnz; mov [r15],r14; mov edi,0x70
        // $xc2/$xc3 both scan a table of 16-byte slots (0x2F0 bytes from r12+0x10)
        // for an empty entry; 0x2F and 0x2F0 are the shared table-size constants.
        $xc3 = {
            85 C0 0F 8E EE 00 00 00 41 BD F0 02 00 00 4D 8D 7C 24
            10 49 8B 3F 48 85 FF 74 0D 49 83 C7 10 49 83 ED 10 4D 85 ED 75 EB
            4D 89 37 BF 70 00 00 00
        }
        // test rax,rax; jz; mov [rbp-0x50],rax; mov edi,0x80; mov rsi,r13; mov rdx,rax; mov rcx,[rbp-0x58]; mov r8d,1
        // Five-argument call setup (edi=0x80, r8d=1); the callee is outside the pattern.
        $xc4 = {
            48 85 C0 0F 84 3F 00 00 00 48 89 45 B0 BF 80 00 00 00
            4C 89 EE 48 89 C2 48 8B 4D A8 41 B8 01 00 00 00
        }
    condition:
        1 of them
}
rule MAL_Cisco_LINE_VIPER_AES_Enc_Tasking_Exfil {
    // LINE VIPER (Cisco ASA): AES-encrypted tasking and exfiltration handling.
    // Strings are anonymous ($) since only the count matters; 3 of 4 must match,
    // which tolerates one fragment being patched or recompiled.
    meta:
        author = "NCSC"
        description = "Detects LINE VIPER Cisco ASA malware code as part of AES encrypted tasking and exfiltration."
        date = "2025-09-25"
        reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf"
        score = 85
        license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/"
    strings:
        // Function entry: saves rdi/rsi/rdx in r12/r13/r14, loads [rdi+8] and derives
        // pointers at +0x20/+0x30/+0x40 from it into stack slots, then mov edx,0x10.
        // The 0x10 is consistent with a 16-byte AES block/IV length - TODO confirm.
        $ = {
            48 31 C0 48 89 45 D8 49 89 FC 49 89 F5 49 89 D6 48 8B
            47 08 48 89 45 B8 48 8D 40 40 48 89 45 E0 48 8D 70 E0 48 89 75 B0
            48 8D 78 F0 48 89 7D E8 BA 10 00 00 00
        }
        // test rax,rax; jz; mov [rbp-0x58],rax; mov rdi,r13; mov rsi,rax; mov rdx,r14; mov rcx,[rbp-0x60]; mov r8,[rbp-0x50]; xor r9,r9
        // Six-argument call setup with a NULL sixth argument; callee outside the pattern.
        $ = {
            48 85 C0 0F 84 EA 00 00 00 48 89 45 A8 4C 89 EF 48 89
            C6 4C 89 F2 48 8B 4D A0 4C 8B 45 B0 4D 31 C9
        }
        // test rax,rax; jz; mov r15,rax; mov rdi,[rbp-0x20]; mov esi,0x100; mov rdx,[rbp-0x60]
        $ = {
            48 85 C0 0F 84 82 00 00 00 49 89 C7 48 8B 7D E0 BE 00
            01 00 00 48 8B 55 A0
        }
        // mov rdi,[rbp-0x30]; add r15,0x10; shr r15,4; shl r15,4; mov rsi,r15; lea rdx,[rbp-0x28]
        // Rounds a length up to the next multiple of 16 (add 0x10, then clear the low
        // 4 bits) - the usual padding step before an AES block operation.
        $ = {
            48 8B 7D D0 49 83 C7 10 49 C1 EF 04 49 C1 E7 04 4C 89
            FE 48 8D 55 D8
        }
    condition:
        3 of them
}
rule MAL_Cisco_LINE_VIPER_ICMP_Tasking_Shellcode_Payloads {
    // LINE VIPER (Cisco ASA): shellcode payloads delivered as ICMP tasking.
    // Anonymous strings, 3 of 4 required - same tolerance scheme as the
    // AES tasking rule from the same report.
    meta:
        author = "NCSC"
        description = "Detects LINE VIPER Cisco ASA malware code as part of ICMP tasking shellcode payloads."
        date = "2025-09-25"
        reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf"
        score = 85
        license = "https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/"
    strings:
        // push rbp; push rbx; push r12..r15; mov rbp,rsp; sub rsp,0x60; xor rax,rax;
        // mov ecx,7; lea rdi,[rbp-0x58]; rep stosq; mov edi,1; mov esi,0x30
        // Function prologue that zeroes a 56-byte local struct, then sets up a call
        // with (1, 0x30); the prologue alone is generic, the constants make it specific.
        $ = {
            55 53 41 54 41 55 41 56 41 57 48 89 E5 48 83 EC 60 48
            31 C0 B9 07 00 00 00 48 8D 7D A8 F3 48 AB BF 01 00 00
            00 BE 30 00 00 00
        }
        // mov r15,rax; mov rdx,-0x20C8; mov rcx,fs:[rdx]; mov rbx,[rcx+0x100]; mov [rcx+0x100],rax
        // Reads a thread-local structure via fs: at a fixed negative offset and swaps the
        // value at +0x100 - the offsets are build-specific to the targeted ASA image.
        $ = {
            49 89 C7 48 C7 C2 38 DF FF FF 64 48 8B 0A 48 8B 99 00
            01 00 00 48 89 81 00 01 00 00
        }
        // mov rax,[r15+0x10]; lea rdx,[rbp-0x50]; mov esi,0x12001; mov rdi,r15; call [rax+0x90];
        // mov rdi,[rbp-0x50]; test rdi,rdi; jz
        // Indirect call through a function table slot at +0x90; 0x12001 is an opaque
        // constant (presumably a command/option id - see report).
        $ = {
            49 8B 47 10 48 8D 55 B0 BE 01 20 01 00 4C 89 FF FF 90
            90 00 00 00 48 8B 7D B0 48 85 FF 0F 84 3C 00 00 00
        }
        // Same table call with 0x12008, then stores two results into [r14+0x20]/[r14+0x28].
        $ = {
            49 8B 47 10 BE 08 20 01 00 4C 89 FF 48 8D 55 A8 FF 90
            90 00 00 00 48 8B 7D B0 49 89 7E 20 48 8B 7D A8 49 89
            7E 28
        }
    condition:
        3 of them
}