From d7881fbe7338ce6aa965ef69604a68227ecd419f Mon Sep 17 00:00:00 2001
From: orlando <75084509+dehoisted@users.noreply.github.com>
Date: Sun, 4 Jul 2021 19:54:26 -0400
Subject: [PATCH] Rules for extra stuff (still useful)
---
 Extra/anti_vm.yar | 37 +++++++++++++++++++++++++
 Extra/basic_file_sig.yar | 49 ++++++++++++++++++++++++++++++++++
 Extra/discord_token_logger.yar | 13 +++++++++
 3 files changed, 99 insertions(+)
 create mode 100644 Extra/anti_vm.yar
 create mode 100644 Extra/basic_file_sig.yar
 create mode 100644 Extra/discord_token_logger.yar
diff --git a/Extra/anti_vm.yar b/Extra/anti_vm.yar
new file mode 100644
index 0000000..c267616
--- /dev/null
+++ b/Extra/anti_vm.yar
@@ -0,0 +1,37 @@
+rule anti_vm {
+ meta:
+ description = "Checks for vm names and paths used to detect virtual machines"
+ type = "Anti VM/Debug"
+ strings:
+ $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
+ $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
+ $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion" nocase
+ $s4 = "SYSTEM\\CurrentControlSet\\Control\\SystemInformation" nocase
+ $s5 = "virtualbox" nocase
+ $s6 = "vmware" nocase
+ $s6 = "innotek gmbh"
+ $s7 = "SystemManufacturer"
+ $s8 = "SystemProductName"
+ $vbox = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase ascii wide
+ condition:
+ any of them
+}
+
+rule anti_debug {
+ meta:
+ description = "Detects tools for analyzing files/anti debug tools"
+ type = "Anti VM/Debug"
+ strings:
+ $f1 = "procmon.exe" nocase
+ $f2 = "processmonitor.exe" nocase
+ $f3 = "wireshark.exe" nocase
+ $f4 = "fiddler.exe" nocase
+ $f5 = "ollydbg.exe" nocase
+ $f6 = "winhex.exe" nocase
+ $f7 = "processhacker.exe" nocase
+ $ex1 = "CheckRemoteDebuggerPresent"
+ $ex2 = "IsDebuggerPresent"
+ $ex3 = "IsDebugged"
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/Extra/basic_file_sig.yar b/Extra/basic_file_sig.yar
new file mode 100644
index 0000000..5f63355
--- /dev/null
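Review bot: `$s6` is declared twice in `anti_vm` (`"vmware"` and then `"innotek gmbh"`), which the YARA compiler rejects as a duplicated string identifier, so the whole file fails to load; rename the second one, e.g. `$s9 = "innotek gmbh" nocase`. `$s1` and `$s2` are the same string and one of them can be dropped. With `any of them`, the generic registry paths in `$s1`, `$s3` and `$s4` and the plain `SystemManufacturer`/`SystemProductName` value names will match a large amount of benign software, so the rule is closer to a tagging aid than a detection; pairing a vendor string with a probe, e.g. `condition: any of ($s5, $s6, $s9, $vbox) and any of ($s3, $s4, $s7, $s8)`, would cut that noise considerably. The same concern applies to `anti_debug`, where `IsDebuggerPresent` is imported by most compiler runtimes, so requiring `2 of them` or keeping `$ex2` out of the `any of them` would avoid flagging ordinary binaries.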
+++ b/Extra/basic_file_sig.yar
@@ -0,0 +1,49 @@
+// If something is detected here, it doesn't automatically mean the file is malware of course
+
+import "pe"
+
+rule IsPE32
+{
+ meta:
+ description = "Checks if architecture is 64 bit"
+ type = "PECheck"
+ condition:
+ uint16(0) == 0x5A4D and
+ uint16(uint32(0x3C)+0x18) == 0x010B
+}
+
+rule IsPE64
+{
+ meta:
+ description = "Checks if architecture is 64 bit"
+ type = "PECheck"
+ condition:
+ uint16(0) == 0x5A4D and
+ uint16(uint32(0x3C)+0x18) == 0x020B
+}
+
+rule NATIVE_DLL
+{
+ meta:
+ description = "Checks if file is a native DLL"
+ condition:
+ uint16(0) == 0x5A4D and
+ (uint16(uint32(0x3C)+0x16) & 0x2000) == 0x2000
+
+}
+
+rule DOTNET_EXE
+{
+ meta:
+ type = "DOTNET"
+ condition:
+ pe.imports("mscoree.dll", "_CorExeMain")
+}
+
+rule DOTNET_DLL
+{
+ meta:
+ type = "DOTNET"
+ condition:
+ pe.imports("mscoree.dll", "_CorDllMain")
+}
\ No newline at end of file
diff --git a/Extra/discord_token_logger.yar b/Extra/discord_token_logger.yar
new file mode 100644
index 0000000..593fef0
--- /dev/null
+++ b/Extra/discord_token_logger.yar
@@ -0,0 +1,13 @@
+rule Discord_Token_Logger {
+ meta:
+ description = "Detects discord token logger"
+ type = "Malware/Gather Info"
+ strings:
+ $path1 = "\\Discord\\Local Storage\\leveldb"
+ $path2 = "\\Lightcord\\Local Storage\\leveldb"
+ $path3 = "\\Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb"
+ $path4 = "\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Local Storage\\leveldb"
+ $lb = "\\Local Storage\\leveldb"
+ condition:
+ any of them
+}
\ No newline at end of file
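Review bot: The `meta` description of `IsPE32` reads "Checks if architecture is 64 bit", a copy of the `IsPE64` text; it should be `description = "Checks if architecture is 32 bit"`. `NATIVE_DLL` only tests the `IMAGE_FILE_DLL` bit (`0x2000`) in the file-header characteristics, so every .NET DLL that `DOTNET_DLL` below matches via `_CorDllMain` also satisfies it, and neither it nor the `IsPE*` rules verify the `PE\0\0` signature at the offset read from `0x3C`; since the file already imports `pe`, `pe.is_pe and pe.characteristics & pe.DLL != 0 and not pe.imports("mscoree.dll", "_CorDllMain")` would express "native DLL" more faithfully. `DOTNET_EXE` and `DOTNET_DLL` carry no `description` entry, unlike the other rules in this file, and the stray blank line inside the `NATIVE_DLL` condition looks unintentional.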
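Review bot: `$lb` (`"\\Local Storage\\leveldb"`) is a substring of every `$path*` string, so with `any of them` the rule reduces to "mentions a Chromium leveldb directory", which Discord's own installer, legitimate Electron applications and browser-profile backup tools also do; `condition: any of ($path*)`, or `2 of ($path*)` for a stricter match, keeps `$lb` from firing on its own. All five strings are ASCII-only, whereas binaries built from .NET or PowerShell hold such paths as UTF-16, so adding `ascii wide` to each string closes a likely detection gap. The description could also name the artefact the rule keys on, e.g. `description = "References to Discord/Chromium leveldb Local Storage paths, as read by token stealers"`.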