/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
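rule Win32OPCHavex
{
    // Flags the OPC-scanning build of the HAVEX RAT: a PE image that carries
    // either the dropped module name or any of the wide status strings the
    // LAN/OPC enumeration component prints.
    meta:
        Author = "BAE Systems"
        Date = "2014/06/23"
        Description = "Rule for identifying OPC version of HAVEX"
        Reference = "www.f-secure.com/weblog/archives/00002718.html"
    strings:
        $dll = "7CFC52CD3F87.dll"
        // The misspellings ("finging", "Unexpective", "was't", "EXEPTION",
        // "Programm") are kept verbatim: they are what makes these strings
        // specific to this family rather than to generic OPC tooling.
        $a1 = "Start finging of LAN hosts..." wide
        $a2 = "Finding was fault. Unexpective error" wide
        $a3 = "Was found %i hosts in LAN:" wide
        $a4 = "Hosts was't found." wide
        $a5 = "Start finging of OPC Servers..." wide
        $a6 = "Was found %i OPC Servers." wide
        $a7 = "OPC Servers not found. Programm finished" wide
        $a8 = "%s[%s]!!!EXEPTION %i!!!" wide
        $a9 = "Start finging of OPC Tags..." wide
    condition:
        // Same test as `"MZ" at 0`, expressed as an integer read so the rule
        // does not declare a 2-byte string: such short atoms force YARA to
        // check every "MZ" occurrence in the scanned data and slow scanning.
        uint16(0) == 0x5A4D and ($dll or any of ($a*))
}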
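rule Win32FertgerHavex
{
    // Flags the "Fertger" build of HAVEX: a PE image containing at least
    // three of the named-pipe, file-pattern and family-name artefacts below.
    meta:
        Author = "BAE Systems"
        Date = "2014/06/23"
        Description = "Rule for identifying Fertger version of HAVEX"
        Reference = "www.f-secure.com/weblog/archives/00002718.html"
    strings:
        // Named pipes used by the implant (backslashes are escaped for YARA).
        $a1 = "\\\\.\\pipe\\mypipe-f" wide
        $a2 = "\\\\.\\pipe\\mypipe-h" wide
        // File names / glob patterns it touches.
        $a3 = "\\qln.dbx" wide
        $a4 = "*.yls" wide
        $a5 = "\\*.xmd" wide
        // Family markers. Note $a7 is ASCII only and not fullword, so it
        // also matches inside longer words; it only counts as one of the
        // three required hits, which keeps that from being a problem.
        $a6 = "fertger" wide
        $a7 = "havex"
    condition:
        // Same test as `"MZ" at 0`, written as an integer read so the rule
        // does not declare a 2-byte string that would slow the whole scan.
        uint16(0) == 0x5A4D and 3 of ($a*)
}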
rule Havex_Trojan_PHP_Server
{
    // Server-side half of HAVEX: the PHP script that answers implant
    // check-ins. Not a PE, so there is no header check; all three
    // markers must be present.
    meta:
        Author = "Florian Roth"
        Date = "2014/06/24"
        Description = "Detects the PHP server component of the Havex RAT"
        Reference = "www.f-secure.com/weblog/archives/00002718.html"
    strings:
        $s1 = "havex--></body></head>"   // family tag hidden inside trailing HTML
        $s2 = "ANSWERTAG_START"          // response-framing constant
        $s3 = "PATH_BLOCKFILE"           // config constant of the script
    condition:
        all of ($s*)
}
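rule SANS_ICS_Cybersecurity_Challenge_400_Havex_Memdump : memory
{
    // Finds the HAVEX scanner executable as carved from a process memory
    // dump (hence the "memory" tag): a PE image with either three of the
    // bracketed progress messages or the hard-coded executable name.
    meta:
        description = "Detects Havex Windows process executable from memory dump"
        date = "2015-12-2"
        author = "Chris Sistrunk"
        // 32-hex-digit sample hash as recorded by the author.
        hash = "8065674de8d79d1c0e7b3baf81246e7d"
    strings:
        // Progress/log messages printed by the scanner, UTF-16 and fullword
        // so fragments embedded in longer identifiers do not count.
        $s1 = "~tracedscn.yls" fullword wide
        $s2 = "[!]Start" fullword wide
        $s3 = "[+]Get WSADATA" fullword wide
        $s4 = "[-]Can not get local ip" fullword wide
        $s5 = "[+]Local:" fullword wide
        $s6 = "[-]Threads number > Hosts number" fullword wide
        $s7 = "[-]Connection error" fullword wide
        // Self-referential executable name; specific enough to match alone.
        $x1 = "bddd4e2b84fa2ad61eb065e7797270ff.exe" fullword wide
    condition:
        // Same test as `{ 4d 5a } at 0`, written as an integer read so the
        // rule does not declare a 2-byte pattern that would slow scanning.
        uint16(0) == 0x5A4D and (3 of ($s*) or $x1)
}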