YARA rules for ZxShell
8 rules · scoped to tool · back to ZxShell
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule ZXshell2_0_rar_Folder_ZXshell {
meta:
description = "Webshells Auto-generated - file ZXshell.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "246ce44502d2f6002d720d350e26c288"
id = "621ac87e-b1f8-58d7-9328-54af5ca9b605"
strings:
$s0 = "WPreviewPagesn"
$s1 = "DA!OLUTELY N"
condition:
all of them
}
rule ZXshell2_0_rar_Folder_zxrecv {
meta:
description = "Webshells Auto-generated - file zxrecv.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "5d3d12a39f41d51341ef4cb7ce69d30f"
id = "9d36541f-dd55-5385-8e2b-598ad78bdf73"
strings:
$s0 = "RyFlushBuff"
$s1 = "teToWideChar^FiYP"
$s2 = "mdesc+8F D"
$s3 = "\\von76std"
$s4 = "5pur+virtul"
$s5 = "- Kablto io"
$s6 = "ac#f{lowi8a"
condition:
all of them
}
rule ZXshell2_0_rar_Folder_nc {
meta:
description = "Webshells Auto-generated - file nc.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
id = "106209fc-f957-5131-825b-8eb7835625e0"
strings:
$s0 = "WSOCK32.dll"
$s1 = "?bSUNKNOWNV"
$s7 = "p@gram Jm6h)"
$s8 = "ser32.dllCONFP@"
condition:
all of them
}
rule ZxShell_Related_Malware_CN_Group_Jul17_1 {
meta:
description = "Detects a ZxShell related sample from a CN threat group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://blogs.rsa.com/cat-phishing/"
date = "2017-07-08"
hash1 = "ef56c2609bc1b90f3e04745890235e6052a4be94e35e38b6f69b64fb17a7064e"
id = "a91e39bb-1bb3-54a8-b684-d673c445375c"
strings:
$x1 = "CMD.EXE /C NET USER GUEST /ACTIVE:yes && NET USER GUEST ++++++" ascii
$x2 = "system\\cURRENTcONTROLSET\\sERVICES\\tERMSERVICE" fullword ascii
$x3 = "\\secivreS\\teSlortnoCtnerruC\\METSYS" ascii /* reversed goodware string 'SYSTEM\\CurrentControlSet\\Services\\' */
$x4 = "system\\cURRENTCONTROLSET\\cONTROL\\tERMINAL sERVER" fullword ascii
$x5 = "sOFTWARE\\mICROSOFT\\iNTERNET eXPLORER\\mAIN" fullword ascii
$x6 = "eNABLEaDMINtsREMOTE" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them )
}
rule ZxShell_Related_Malware_CN_Group_Jul17_2 {
meta:
description = "Detects a ZxShell related sample from a CN threat group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://blogs.rsa.com/cat-phishing/"
date = "2017-07-08"
hash1 = "204273675526649b7243ee48efbb7e2bc05239f7f9015fbc4fb65f0ada64759e"
id = "37c1f26b-4b4f-510e-a7b7-b2afb17d6e71"
strings:
$u1 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)" fullword ascii
$u2 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)" fullword ascii
$u3 = "User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0" fullword ascii
$u4 = "User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
$x1 = "\\\\%s\\admin$\\g1fd.exe" fullword ascii
$x2 = "C:\\g1fd.exe" fullword ascii
$x3 = "\\\\%s\\C$\\NewArean.exe" fullword ascii
$s0 = "at \\\\%s %d:%d %s" fullword ascii
$s1 = "%c%c%c%c%ccn.exe" fullword ascii
$s2 = "hra%u.dll" fullword ascii
$s3 = "Referer: http://%s:80/http://%s" fullword ascii
$s5 = "Accept-Language: zh-cn" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 3 of them )
}
rule ZxShell_Related_Malware_CN_Group_Jul17_3 {
meta:
description = "Detects a ZxShell related sample from a CN threat group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://blogs.rsa.com/cat-phishing/"
date = "2017-07-08"
hash1 = "2e5cf8c785dc081e5c2b43a4a785713c0ae032c5f86ccbc7abf5c109b8854ed7"
id = "1900b861-b4a2-50b5-a639-3eb442072139"
strings:
$s1 = "%s\\nt%s.dll" fullword ascii
$s2 = "RegQueryValueEx(Svchost\\netsvcs)" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and all of them )
}
rule ZxShell_Jul17 {
meta:
description = "Detects a ZxShell - CN threat group"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://blogs.rsa.com/cat-phishing/"
date = "2017-07-08"
hash1 = "5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16"
id = "1b009b20-5a19-5cac-aaaf-ca61310eab9f"
strings:
$x1 = "zxplug -add" fullword ascii
$x2 = "getxxx c:\\xyz.dll" fullword ascii
$x3 = "downfile -d c:\\windows\\update.exe" fullword ascii
$x4 = "-fromurl http://x.x.x/x.dll" fullword ascii
$x5 = "ping 127.0.0.1 -n 7&cmd.exe /c net start %s" fullword ascii
$x6 = "ZXNC -e cmd.exe x.x.x.x" fullword ascii
$x7 = "(bind a cmdshell)" fullword ascii
$x8 = "ZXFtpServer 21 20 zx" fullword ascii
$x9 = "ZXHttpServer" fullword ascii
$x10 = "c:\\error.htm,.exe|c:\\a.exe,.zip|c:\\b.zip\"" fullword ascii
$x11 = "c:\\windows\\clipboardlog.txt" fullword ascii
$x12 = "AntiSniff -a wireshark.exe" fullword ascii
$x13 = "c:\\windows\\keylog.txt" fullword ascii
condition:
( filesize < 10000KB and 1 of them ) or 3 of them
}
rule ZXshell_20171211_chrsben {
meta:
description = "Detects ZxShell variant surfaced in Dec 17"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/snc85M"
date = "2017-12-11"
hash1 = "dd01e7a1c9b20d36ea2d961737780f2c0d56005c370e50247e38c5ca80dcaa4f"
id = "3bbfddb8-011a-52dd-b0c8-b35e6f740507"
strings:
$x1 = "ncProxyXll" fullword ascii
$s1 = "Uniscribe.dll" fullword ascii
$s2 = "GetModuleFileNameDll" fullword ascii
$s4 = "$Hangzhou Shunwang Technology Co.,Ltd0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and (
pe.imphash() == "de481441d675e9aca4f20bd8e16a5faa" or
pe.exports("PerfectWorld") or
pe.exports("ncProxyXll") or
1 of ($x*) or
2 of them
)
}