From b553f873bc266e9b4af6b6727df47624e1185ea7 Mon Sep 17 00:00:00 2001
From: Th4nat0s
Date: Thu, 17 Aug 2017 13:50:46 +0200
Subject: [PATCH 1/2] Move to yaramoi repo
---
 malwares/myYara/Andromeda.yar | 23 -----------------------
 malwares/myYara/Kovter.yar | 30 ------------------------------
 malwares/myYara/meterpreter.yar | 23 -----------------------
 3 files changed, 76 deletions(-)
 delete mode 100644 malwares/myYara/Andromeda.yar
 delete mode 100644 malwares/myYara/Kovter.yar
 delete mode 100644 malwares/myYara/meterpreter.yar
diff --git a/malwares/myYara/Andromeda.yar b/malwares/myYara/Andromeda.yar
deleted file mode 100644
index 346efee..0000000
--- a/malwares/myYara/Andromeda.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
-
-The detection work on the injected process usually (msiexec.exe)
-
-*/
-
-rule Andromeda {
- meta:
- description = "Andromeda Malware"
- author = "Th4nat0s"
- reference = "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P07-Jose-Esparza-Travelling-to-the-far-side-of-Andromeda-2.pdf"
- date = "2016/03/14"
- strings:
- $c_v210 = "{\"id\":%lu,\"bid\":%lu,\"os\":%lu,\"la\":%lu,\"rg\":%lu,\"bb\":%lu"
- $c_v210b = "{\"id\":%lu,\"tid\":%lu,\"err\":%lu,\"w32\":%lu}"
- $c_v209 = "id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu"
- $c_v208 = "id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu"
- $c_v209 = "id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu"
-
- condition:
- any of them
-}
diff --git a/malwares/myYara/Kovter.yar b/malwares/myYara/Kovter.yar
deleted file mode 100644
index f244d6e..0000000
--- a/malwares/myYara/Kovter.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
-
-*/
-
-import "pe"
-
-rule Kovter {
- meta:
- description = "Kovter Malware"
- author = "Th4nat0s"
- reference = "http://www.cyphort.com/kovter-ad-fraud-trojan/"
- date = "2015/11/11"
- strings:
- $mz="MZ"
- $c_borland = "SOFTWARE\\Borland\\Delphi\\RTL"
- $c_communist = "Lenin_SHDocVw"
- $c_jsinject = "els=document.getElementsByTagName('object');"
- $c_indll = "222.dll"
- $c_os1 ="Win 2000"
- $c_os2 ="Win Server 2003 R2"
- $c_os3 ="Win Server 2008 R2"
- $c_os4 ="Win Server 2012 R2"
- $c_os5 ="Win 10"
- $c_play = "try {jwplayer().play()} catch(e){}"
- $c_hou = "@ouh"
-
- condition:
- ($mz at 0) and all of ($c*)
-}
diff --git a/malwares/myYara/meterpreter.yar b/malwares/myYara/meterpreter.yar
deleted file mode 100644
index 0128664..0000000
--- a/malwares/myYara/meterpreter.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
-
-*/
-
-rule Meterpreter {
- meta:
- description = "Rapid 7 Meterpreter RAT"
- author = "Th4nat0s"
- reference = "https://dev.metasploit.com/documents/meterpreter.pdf"
- date = "2016/03/14"
- strings:
- $s1 = "core_migrate"
- $s2 = "core_loadlib"
- $s3 = "packet_get_tlv_meta"
- $s4 = "packet_get_tlv_string"
- $s5 = "command_register"
- $s6 = "channel_find_by_id"
- $s7 = "POST"
-
- condition:
- all of them
-}
From 9dba7a80a84aacc4f17bd7319f67df35f9a19c7b Mon Sep 17 00:00:00 2001
From: Th4nat0s
Date: Thu, 17 Aug 2017 17:54:58 +0200
Subject: [PATCH 2/2] Add yaraconcat
---
 forensic/update_yara.sh | 27 +++++++++-
 forensic/yaraconcat.py | 113 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 138 insertions(+), 2 deletions(-)
 create mode 100755 forensic/yaraconcat.py
diff --git a/forensic/update_yara.sh b/forensic/update_yara.sh
index 7c89ebb..bcfe313 100755
--- a/forensic/update_yara.sh
+++ b/forensic/update_yara.sh
@@ -2,7 +2,7 @@
 YaraPath="./yaraall"
-echo "Update Yara Rules"
+echo "Update Yara Rules"
 if [ -d rules ]; then
 pushd .
 cd rules
@@ -17,19 +17,42 @@ if [ -d RATDecoders ]; then
 pushd .
 cd RATDecoders
 git pull
- popd
+ popd
 else
 git clone https://github.com/kevthehermit/RATDecoders.git
 fi
+echo "Update Thanatos Yara"
+if [ -d Yaramoi ]; then
+ pushd .
+ cd Yaramoi
+ git pull
+ popd
+else
+ git clone https://github.com/Th4nat0s/Yaramoi.git
+fi
+
 rm -rf $YaraPath
 mkdir -p $YaraPath
 cp rules/malware/*.yar $YaraPath
 cp rules/malware/Operation_Blockbuster/*.yara $YaraPath
 cp RATDecoders/yaraRules/*.yar $YaraPath
+cp Yaramoi/*.yar $YaraPath
 pushd .
 cd $YaraPath
 for file in *.yara ;do
 mv "$file" "${file%.yara}.yar"
 done
+popd
+
+# Remove nasty include
+rm $YaraPath/yaraRules.yar
+
+# Create Metafile
+pushd .
+for file in `ls -1 $YaraPath` ;do
+ echo include \"$file\"
+ echo include \"$file\" >> $YaraPath/_YaraAll.yar
+done
+popd
diff --git a/forensic/yaraconcat.py b/forensic/yaraconcat.py
new file mode 100755
index 0000000..379ea3c
--- /dev/null
+++ b/forensic/yaraconcat.py
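Review bot: The metafile loop at the end of the hunk builds `include \"$file\"` from unquoted `ls -1 $YaraPath` output, so a filename containing whitespace is split into several bogus include lines and one containing a double quote or backslash yields an include YARA cannot parse. Iterating the glob instead avoids parsing `ls` and keeps the path quoted: `for file in "$YaraPath"/*.yar; do echo "include \"$(basename "$file")\"" >> "$YaraPath/_YaraAll.yar"; done`. The `pushd .`/`popd` pair around that loop is inert, since nothing changes directory between them. Separately, all three repositories feeding the bundle (`rules`, `RATDecoders`, the new `Yaramoi`) are cloned or pulled at whatever HEAD the remote currently serves, so the rule set silently tracks upstream changes; if reproducible scans matter, pinning each checkout to a reviewed commit (e.g. `git -C Yaramoi checkout <commit>`) is worth at least a TODO comment here.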
@@ -0,0 +1,113 @@
+#!/usr/bin/env python3
+# coding=utf-8
+import sys
+import glob
+import re
+
+
+# Functions
+def getparam(count):
+ """Retrieve the parameters appended """
+ if len(sys.argv) != count + 1:
+ print('Concatenate a bunch of yarafiles and Warn on duplicate YaraRules')
+ print('To Use: %s pathofyarafiles' % sys.argv[0])
+ sys.exit(1)
+ else:
+ return sys.argv[1]
+
+
+def parse(text):
+ '''Convert a yara concatenation to dict of yara,
+ takes care of duplicate rules name, keep order between rules
+
+ Args:
+ text(list): Text Array of concatened yara rules
+ Returns:
+ dict: Return dict of list of yara rules.
+ '''
+ idx = 0 # Index of rule
+ ridx = 0 # Count of "{"
+ pen, first = False, False
+ rule = []
+ rules = {}
+ name = ""
+ rules_names = {}
+ comment = False
+ regex = re.compile(r'rule\s+(\S+)', re.I)
+ for line in text:
+ line = line.strip('\n')
+
+ if line.startswith('rule ') and not pen:
+ name = regex.match(line).group(1)
+ if rules_names.get(name):
+ print ("/* Warning duplicate of %s */" % name)
+ rules_names[name] = True # Save to find duplicate
+ name = ("%05d__%s" % (idx, name)) # Index name
+ first, pen = True, True
+
+ unquoted_line = re.sub(r'".*"', '""', line)
+ unquoted_line = unquoted_line.replace("\\{",'')
+ unquoted_line = re.sub(r'\/\*.*\*\/', '', unquoted_line).split("//")[0]
+
+ print (idx, pen, "c", comment, line,"|", unquoted_line)
+ if comment and "*/" in unquoted_line:
+ comment = False
+ if "/*" in unquoted_line:
+ comment = True
+
+ if pen and not comment:
+ rule.append(line)
+ ridx = ridx + unquoted_line.count('{') # count {
+ if "}" in unquoted_line:
+ ridx = ridx - unquoted_line.count('}') # count }
+ if ridx == 0:
+ idx +=1
+ rules[name] = rule # Store it with index
+ rule = []
+ if ridx == 0 and not first:
+ pen = False
+ first = False
+
+ print("/* %d Rules Processed */" % idx)
+ return rules
+
+
+def getimport(text):
+ '''Retrieve import used by all Yara files'''
+ regex = re.compile(r'import\s+\"(\S+)\"', re.I)
+ import_f = {}
+ for line in text:
+ import_l = regex.match(line)
+ if import_l:
+ import_f[import_l.group(1)] = True
+ return import_f
+
+
+# Main Code #####
+def main():
+ param = getparam(1)
+ yarafiles = glob.glob("%s/*.yar" % param)
+ all_line = []
+
+ print("/* %d Files Processed */" % len(yarafiles))
+ for yarafile in yarafiles:
+ curr_file = open(yarafile)
+ lines = [i for i in curr_file.readlines()]
+ curr_file.close
+ all_line = all_line + lines
+
+ # cr lf cleanup
+ yar_rules = parse(all_line)
+
+ print ("")
+ # Print Import
+ for imp in getimport(all_line):
+ print ('import "%s"' % imp)
+ print ("")
+ for name in sorted(yar_rules):
+ print ("\n".join(yar_rules[name]))
+ print ("")
+
+
+if __name__ == '__main__':
+ main()
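Review bot: The debug statement `print (idx, pen, "c", comment, line,"|", unquoted_line)` inside `parse()` writes one diagnostic line per input line to stdout, and `main()` emits the concatenated ruleset on that same stdout, so the generated file is interleaved with non-YARA text and will not compile; delete it or redirect it with `print(idx, pen, "c", comment, line, "|", unquoted_line, file=sys.stderr)`. In `main()`, `curr_file.close` is a bare attribute reference that never calls `close()`, so every handle stays open until interpreter exit; `with open(yarafile) as curr_file: lines = curr_file.readlines()` closes it and drops the no-op list comprehension. The duplicate handling only disambiguates the dict key (`"%05d__%s" % (idx, name)`) while the stored rule text keeps its original identifier, so two rules sharing a name are both written out unchanged and only a `/* Warning duplicate ... */` comment marks it — fine if warn-only is the intent, but then the docstring `takes care of duplicate rules name` overstates what happens. Note also that `line.startswith('rule ')` does not match `private rule` / `global rule` headers, and with `pen` false those rules' lines appear to be skipped from the output entirely rather than concatenated, which is worth a comment or a `re.match(r'(private\s+|global\s+)*rule\s', line)` test.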