YARA rules for KillDisk

4 rules, scoped to this tool.
YARA rules whose family, name, or description matches this tool or its tooling. Use them for binary-pattern hunts over files and memory images; each rule below carries its own author, license and reference metadata.

TeleBots_KillDisk_1 (family: TeleBots, direct match)
Detects TeleBots malware - KillDisk
author: Florian Roth (Nextron Systems) · license: see source repo
rule TeleBots_KillDisk_1 {
   meta:
      description = "Detects TeleBots malware - KillDisk"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/4if3HG"
      date = "2016-12-14"
      hash1 = "8246f709efa922a485e1ca32d8b0d10dc752618e8b3fce4d3dd58d10e4a6a16d"
      id = "111fc6bc-b790-51b9-81b7-a4716bb0aee9"
   strings:
      $s1 = "Plug-And-Play Support Service" fullword wide
      $s2 = " /c \"echo Y|" fullword wide
      $s3 = "-set=06.12.2016#09:30 -est=1410" fullword ascii
      $s4 = "%d.%d.%d#%d:%d" fullword ascii
      $s5 = " /T /C /G " fullword wide
      $s6 = "[-] > %ls" fullword wide
      $s7 = "[+] > %ls" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 500KB and 4 of them ) or ( 6 of them )
}
TeleBots_KillDisk_2 (family: TeleBots, direct match)
Detects TeleBots malware - KillDisk
author: Florian Roth (Nextron Systems) · license: see source repo
rule TeleBots_KillDisk_2 {
   meta:
      description = "Detects TeleBots malware - KillDisk"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/4if3HG"
      date = "2016-12-14"
      hash1 = "26173c9ec8fd1c4f9f18f89683b23267f6f9d116196ed15655e9cb453af2890e"
      id = "7797187f-c94b-5323-ae43-2dc001f0b481"
   strings:
      $s1 = "Plug-And-Play Support Service" fullword wide
      $s2 = " /c \"echo Y|" fullword wide
      $s3 = "%d.%d.%d#%d:%d" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 500KB and all of them )
}
BlackEnergy_KillDisk_1 (family: BlackEnergy, direct match)
Detects KillDisk malware from BlackEnergy
author: Florian Roth (Nextron Systems) · license: see source repo
rule BlackEnergy_KillDisk_1 {
	meta:
		description = "Detects KillDisk malware from BlackEnergy"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
		date = "2016-01-03"
		score = 80
		super_rule = 1
		hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
		hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
		hash3 = "c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d"
		hash4 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
		id = "304e7aa3-48d3-5015-aaf1-6b1df2441b75"
	strings:
		$s0 = "system32\\cmd.exe" fullword ascii
		$s1 = "system32\\icacls.exe" fullword wide
		$s2 = "/c del /F /S /Q %c:\\*.*" fullword ascii
		$s3 = "shutdown /r /t %d" fullword ascii
		$s4 = "/C /Q /grant " fullword wide
		$s5 = "%08X.tmp" fullword ascii
		$s6 = "/c format %c: /Y /X /FS:NTFS" fullword ascii
		$s7 = "/c format %c: /Y /Q" fullword ascii
		$s8 = "taskhost.exe" fullword wide /* Goodware String - occurred 1 times */
		$s9 = "shutdown.exe" fullword wide /* Goodware String - occurred 1 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 500KB and 8 of them
}
BlackEnergy_KillDisk_2 (family: BlackEnergy, direct match)
Detects KillDisk malware from BlackEnergy
author: Florian Roth (Nextron Systems) · license: see source repo
rule BlackEnergy_KillDisk_2 {
	meta:
		description = "Detects KillDisk malware from BlackEnergy"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
		date = "2016-01-03"
		modified = "2023-01-06"
		score = 80
		super_rule = 1
		hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
		hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
		hash3 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
		id = "f0304e87-a278-5963-9af0-935c088c00ec"
	strings:
		$s0 = "%c:\\~tmp%08X.tmp" fullword ascii
		$s1 = "%s%08X.tmp" fullword ascii
		$s2 = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" wide
		$s3 = "%ls_%ls_%ls_%d.~tmp" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 500KB and 3 of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin