@BushidoUK
Created May 3, 2023 00:51
// VirusTotal Livehunt rule: flags newly submitted files that embed any one of
// the Raspberry Robin C2 domains listed below, each paired with port 8080.
// The "vt" module is only available inside VirusTotal (Livehunt/Retrohunt);
// the rule will not compile with a plain yara CLI unless that import is removed
// together with the vt.* terms in the condition.
import "vt"

rule RaspberryRobin_C2Domains
{
    meta:
        description = "Checks for Files with RaspberryRobin C2 domains"
        author = "Will Thomas (@BushidoToken), Equinix Threat Analysis Center (ETAC)"
        date = "2023-APRIL-14"
        tlp = "CLEAR"
        adversary = "DEV-0856"

    strings:
        // Every entry is matched case-insensitively, in both single-byte ASCII
        // and UTF-16LE ("wide") form, so domains embedded in Unicode strings are
        // covered as well.
        // NOTE(review): $string65, $string205 and $string226 repeat the entry
        // just above them with a space before the colon; that spaced form is
        // matched literally, so they look like a copy-paste artefact from the
        // source IOC list rather than a distinct indicator — confirm.
        $string1 = "03s30.com:8080" nocase wide ascii
        $string2 = "0dz.me:8080" nocase wide ascii
        $string3 = "0e.si:8080" nocase wide ascii
        $string4 = "0i.pm:8080" nocase wide ascii
        $string5 = "0i.wf:8080" nocase wide ascii
        $string6 = "0j.re:8080" nocase wide ascii
        $string7 = "0j.wf:8080" nocase wide ascii
        $string8 = "0p.rs:8080" nocase wide ascii
        $string9 = "0t.yt:8080" nocase wide ascii
        $string10 = "0v.wf:8080" nocase wide ascii
        $string11 = "0w.pm:8080" nocase wide ascii
        $string12 = "0x9.biz:8080" nocase wide ascii
        $string13 = "13j.me:8080" nocase wide ascii
        $string14 = "1h3.me:8080" nocase wide ascii
        $string15 = "1i.pm:8080" nocase wide ascii
        $string16 = "1j.pm:8080" nocase wide ascii
        $string17 = "1j4.xyz:8080" nocase wide ascii
        $string18 = "1k4.xyz:8080" nocase wide ascii
        $string19 = "1n4.xyz:8080" nocase wide ascii
        $string20 = "1u.pm:8080" nocase wide ascii
        $string21 = "1u.wf:8080" nocase wide ascii
        $string22 = "21k.website:8080" nocase wide ascii
        $string23 = "27o.nl:8080" nocase wide ascii
        $string24 = "2i.nu:8080" nocase wide ascii
        $string25 = "2i.pm:8080" nocase wide ascii
        $string26 = "2i.wf:8080" nocase wide ascii
        $string27 = "2j4.xyz:8080" nocase wide ascii
        $string28 = "2jks.com:8080" nocase wide ascii
        $string29 = "2kbq.com:8080" nocase wide ascii
        $string30 = "2t.pm:8080" nocase wide ascii
        $string31 = "2t.wf:8080" nocase wide ascii
        $string32 = "2um.xyz:8080" nocase wide ascii
        $string33 = "2yd.eu:8080" nocase wide ascii
        $string34 = "3e.pm:8080" nocase wide ascii
        $string35 = "3fvz.com:8080" nocase wide ascii
        $string36 = "3h.wf:8080" nocase wide ascii
        $string37 = "3h1.xyz:8080" nocase wide ascii
        $string38 = "3lzj.com:8080" nocase wide ascii
        $string39 = "3p.ms:8080" nocase wide ascii
        $string40 = "3z.nu:8080" nocase wide ascii
        $string41 = "4aw.ro:8080" nocase wide ascii
        $string42 = "4c.pm:8080" nocase wide ascii
        $string43 = "4j.pm:8080" nocase wide ascii
        $string44 = "4j1.xyz:8080" nocase wide ascii
        $string45 = "4j5.xyz:8080" nocase wide ascii
        $string46 = "4k1.xyz:8080" nocase wide ascii
        $string47 = "4kx.xyz:8080" nocase wide ascii
        $string48 = "4m.wf:8080" nocase wide ascii
        $string49 = "4n.wf:8080" nocase wide ascii
        $string50 = "4q.pm:8080" nocase wide ascii
        $string51 = "4s.pm:8080" nocase wide ascii
        $string52 = "4s3.me:8080" nocase wide ascii
        $string53 = "4w.pm:8080" nocase wide ascii
        $string54 = "4w.rs:8080" nocase wide ascii
        $string55 = "4w.wf:8080" nocase wide ascii
        $string56 = "4xq.nl:8080" nocase wide ascii
        $string57 = "5ap.nl:8080" nocase wide ascii
        $string58 = "5g7.at:8080" nocase wide ascii
        $string59 = "5j8.xyz:8080" nocase wide ascii
        $string60 = "5jb.me:8080" nocase wide ascii
        $string61 = "5jk.club:8080" nocase wide ascii
        $string62 = "5kj.xyz:8080" nocase wide ascii
        $string63 = "5kx.me:8080" nocase wide ascii
        $string64 = "5qe8.com:8080" nocase wide ascii
        $string65 = "5qe8.com :8080" nocase wide ascii
        $string66 = "5qw.pw:8080" nocase wide ascii
        $string67 = "5qy.ro:8080" nocase wide ascii
        $string68 = "5s.pm:8080" nocase wide ascii
        $string69 = "5v0.nl:8080" nocase wide ascii
        $string70 = "5z.pm:8080" nocase wide ascii
        $string71 = "5z.wf:8080" nocase wide ascii
        $string72 = "60i.nl:8080" nocase wide ascii
        $string73 = "66j.me:8080" nocase wide ascii
        $string74 = "6ax.nl:8080" nocase wide ascii
        $string75 = "6gcr.com:8080" nocase wide ascii
        $string76 = "6id.xyz:8080" nocase wide ascii
        $string77 = "6j2.xyz:8080" nocase wide ascii
        $string78 = "6qo.at:8080" nocase wide ascii
        $string79 = "6t.nz:8080" nocase wide ascii
        $string80 = "6t.pm:8080" nocase wide ascii
        $string81 = "6t.re:8080" nocase wide ascii
        $string82 = "6t4.nl:8080" nocase wide ascii
        $string83 = "6uy.at:8080" nocase wide ascii
        $string84 = "6w.re:8080" nocase wide ascii
        $string85 = "6wr9.com:8080" nocase wide ascii
        $string86 = "6xj.xyz:8080" nocase wide ascii
        $string87 = "6y.re:8080" nocase wide ascii
        $string88 = "79r.nl:8080" nocase wide ascii
        $string89 = "7d.rs:8080" nocase wide ascii
        $string90 = "7d.wf:8080" nocase wide ascii
        $string91 = "7yfb.com:8080" nocase wide ascii
        $string92 = "8t.pm:8080" nocase wide ascii
        $string93 = "8t.wf:8080" nocase wide ascii
        $string94 = "9r.re:8080" nocase wide ascii
        $string95 = "9r.sk:8080" nocase wide ascii
        $string96 = "a0.pm:8080" nocase wide ascii
        $string97 = "aij.hk:8080" nocase wide ascii
        $string98 = "as3.biz:8080" nocase wide ascii
        $string99 = "b3vv.com:8080" nocase wide ascii
        $string100 = "b8x.org:8080" nocase wide ascii
        $string101 = "b9.pm:8080" nocase wide ascii
        $string102 = "bcomb.net:8080" nocase wide ascii
        $string103 = "bo2sv.com:8080" nocase wide ascii
        $string104 = "bpyo.in:8080" nocase wide ascii
        $string105 = "c0.wf:8080" nocase wide ascii
        $string106 = "c4z.pl:8080" nocase wide ascii
        $string107 = "c7.lc:8080" nocase wide ascii
        $string108 = "cb3u.com:8080" nocase wide ascii
        $string109 = "d0.wf:8080" nocase wide ascii
        $string110 = "d4j.club:8080" nocase wide ascii
        $string111 = "dj2.biz:8080" nocase wide ascii
        $string112 = "doem.re:8080" nocase wide ascii
        $string113 = "dsi.mk:8080" nocase wide ascii
        $string114 = "e0.wf:8080" nocase wide ascii
        $string115 = "e9.wf:8080" nocase wide ascii
        $string116 = "egso.net:8080" nocase wide ascii
        $string117 = "ej3.xyz:8080" nocase wide ascii
        $string118 = "ejk.bz:8080" nocase wide ascii
        $string119 = "ejk.li:8080" nocase wide ascii
        $string120 = "euya.cn:8080" nocase wide ascii
        $string121 = "eznb.net:8080" nocase wide ascii
        $string122 = "f0.tel:8080" nocase wide ascii
        $string123 = "fgcz.net:8080" nocase wide ascii
        $string124 = "fnx.wf:8080" nocase wide ascii
        $string125 = "fxb.tw:8080" nocase wide ascii
        $string126 = "fz.ms:8080" nocase wide ascii
        $string127 = "g0.pm:8080" nocase wide ascii
        $string128 = "g3.rs:8080" nocase wide ascii
        $string129 = "g4.nu:8080" nocase wide ascii
        $string130 = "g4.tel:8080" nocase wide ascii
        $string131 = "g4.wf:8080" nocase wide ascii
        $string132 = "glnj.nl:8080" nocase wide ascii
        $string133 = "gloa.in:8080" nocase wide ascii
        $string134 = "gz.qa:8080" nocase wide ascii
        $string135 = "gz3.nl:8080" nocase wide ascii
        $string136 = "h0.pm:8080" nocase wide ascii
        $string137 = "h0.wf:8080" nocase wide ascii
        $string138 = "h6.re:8080" nocase wide ascii
        $string139 = "i0.wf:8080" nocase wide ascii
        $string140 = "i0up.com:8080" nocase wide ascii
        $string141 = "i1.pm:8080" nocase wide ascii
        $string142 = "i49.xyz:8080" nocase wide ascii
        $string143 = "i4x.xyz:8080" nocase wide ascii
        $string144 = "i6n.xyz:8080" nocase wide ascii
        $string145 = "iyw5.com:8080" nocase wide ascii
        $string146 = "iz.gy:8080" nocase wide ascii
        $string147 = "j0.wf:8080" nocase wide ascii
        $string148 = "j1n.me:8080" nocase wide ascii
        $string149 = "j2.gy:8080" nocase wide ascii
        $string150 = "j3n.xyz:8080" nocase wide ascii
        $string151 = "j4r.xyz:8080" nocase wide ascii
        $string152 = "j4z.co:8080" nocase wide ascii
        $string153 = "j4z.xyz:8080" nocase wide ascii
        $string154 = "j5m.biz:8080" nocase wide ascii
        $string155 = "j5n.xyz:8080" nocase wide ascii
        $string156 = "j68.info:8080" nocase wide ascii
        $string157 = "j8.si:8080" nocase wide ascii
        $string158 = "jjl.one:8080" nocase wide ascii
        $string159 = "jrtz.re:8080" nocase wide ascii
        $string160 = "jrx.fr:8080" nocase wide ascii
        $string161 = "jrx.tw:8080" nocase wide ascii
        $string162 = "jzm.pw:8080" nocase wide ascii
        $string163 = "k0.pm:8080" nocase wide ascii
        $string164 = "k1n.club:8080" nocase wide ascii
        $string165 = "k5j.one:8080" nocase wide ascii
        $string166 = "k5m.co:8080" nocase wide ascii
        $string167 = "k5x.xyz:8080" nocase wide ascii
        $string168 = "k6c.org:8080" nocase wide ascii
        $string169 = "k6j.me:8080" nocase wide ascii
        $string170 = "k6j.pw:8080" nocase wide ascii
        $string171 = "kglo.link:8080" nocase wide ascii
        $string172 = "kj1.xyz:8080" nocase wide ascii
        $string173 = "kjaj.top:8080" nocase wide ascii
        $string174 = "kr4.xyz:8080" nocase wide ascii
        $string175 = "krrz.pm:8080" nocase wide ascii
        $string176 = "l0.wf:8080" nocase wide ascii
        $string177 = "l5k.xyz:8080" nocase wide ascii
        $string178 = "l6nk.com:8080" nocase wide ascii
        $string179 = "l9b.org:8080" nocase wide ascii
        $string180 = "ldnr.net:8080" nocase wide ascii
        $string181 = "lgf.pw:8080" nocase wide ascii
        $string182 = "li1iv.com:8080" nocase wide ascii
        $string183 = "lwip.re:8080" nocase wide ascii
        $string184 = "lwxa.eu:8080" nocase wide ascii
        $string185 = "m0.nu:8080" nocase wide ascii
        $string186 = "m0.wf:8080" nocase wide ascii
        $string187 = "m0.yt:8080" nocase wide ascii
        $string188 = "m5n.biz:8080" nocase wide ascii
        $string189 = "mirw.wf:8080" nocase wide ascii
        $string190 = "mn1.biz:8080" nocase wide ascii
        $string191 = "mnem.wf:8080" nocase wide ascii
        $string192 = "msix.pm:8080" nocase wide ascii
        $string193 = "mwgq.net:8080" nocase wide ascii
        $string194 = "mz3.biz:8080" nocase wide ascii
        $string195 = "mzjc.is:8080" nocase wide ascii
        $string196 = "n3.wf:8080" nocase wide ascii
        $string197 = "n5.ms:8080" nocase wide ascii
        $string198 = "n51.biz:8080" nocase wide ascii
        $string199 = "n54.me:8080" nocase wide ascii
        $string200 = "n5k.me:8080" nocase wide ascii
        $string201 = "n9fz.com:8080" nocase wide ascii
        $string202 = "nk0.club:8080" nocase wide ascii
        $string203 = "nt3.xyz:8080" nocase wide ascii
        $string204 = "nwz.li:8080" nocase wide ascii
        $string205 = "nwz.li :8080" nocase wide ascii
        $string206 = "nz4.xyz:8080" nocase wide ascii
        $string207 = "nzm.one:8080" nocase wide ascii
        $string208 = "o7car.com:8080" nocase wide ascii
        $string209 = "oj8.eu:8080" nocase wide ascii
        $string210 = "omzk.org:8080" nocase wide ascii
        $string211 = "p0.wf:8080" nocase wide ascii
        $string212 = "p3.ms:8080" nocase wide ascii
        $string213 = "p9.tel:8080" nocase wide ascii
        $string214 = "pjz.one:8080" nocase wide ascii
        $string215 = "q0.pm:8080" nocase wide ascii
        $string216 = "q0.wf:8080" nocase wide ascii
        $string217 = "q2.rs:8080" nocase wide ascii
        $string218 = "qji6.com:8080" nocase wide ascii
        $string219 = "qmpo.art:8080" nocase wide ascii
        $string220 = "r0.pm:8080" nocase wide ascii
        $string221 = "r0.wf:8080" nocase wide ascii
        $string222 = "r4e.pl:8080" nocase wide ascii
        $string223 = "r6.nz:8080" nocase wide ascii
        $string224 = "ri7.biz:8080" nocase wide ascii
        $string225 = "rn9v.com:8080" nocase wide ascii
        $string226 = "rn9v.com :8080" nocase wide ascii
        $string227 = "rx3.xyz:8080" nocase wide ascii
        $string228 = "s0.pm:8080" nocase wide ascii
        $string229 = "s8.cx:8080" nocase wide ascii
        $string230 = "skqv.eu:8080" nocase wide ascii
        $string231 = "t0.wf:8080" nocase wide ascii
        $string232 = "t7.nz:8080" nocase wide ascii
        $string233 = "tiua.uk:8080" nocase wide ascii
        $string234 = "trzx.eu:8080" nocase wide ascii
        $string235 = "tz6.org:8080" nocase wide ascii
        $string236 = "u0.nz:8080" nocase wide ascii
        $string237 = "u0.pm:8080" nocase wide ascii
        $string238 = "u0.rs:8080" nocase wide ascii
        $string239 = "u7u.ro:8080" nocase wide ascii
        $string240 = "u8wp.com:8080" nocase wide ascii
        $string241 = "ubv5.com:8080" nocase wide ascii
        $string242 = "ue2.eu:8080" nocase wide ascii
        $string243 = "uoej.net:8080" nocase wide ascii
        $string244 = "uqw.futbol:8080" nocase wide ascii
        $string245 = "uz3.me:8080" nocase wide ascii
        $string246 = "v0.cx:8080" nocase wide ascii
        $string247 = "v0.wf:8080" nocase wide ascii
        $string248 = "vn6.co:8080" nocase wide ascii
        $string249 = "vqdn.net:8080" nocase wide ascii
        $string250 = "vs.gy:8080" nocase wide ascii
        $string251 = "w0.pm:8080" nocase wide ascii
        $string252 = "w0iq.com:8080" nocase wide ascii
        $string253 = "w4.nz:8080" nocase wide ascii
        $string254 = "w4.rs:8080" nocase wide ascii
        $string255 = "w4.wf:8080" nocase wide ascii
        $string256 = "w6.nz:8080" nocase wide ascii
        $string257 = "wak.rocks:8080" nocase wide ascii
        $string258 = "xjam.hk:8080" nocase wide ascii
        $string259 = "xtabr.com:8080" nocase wide ascii
        $string260 = "xz4.biz:8080" nocase wide ascii
        $string261 = "x1vl.com:8080" nocase wide ascii
        $string262 = "y0.pm:8080" nocase wide ascii
        $string263 = "y0.wf:8080" nocase wide ascii
        $string264 = "y3x.biz:8080" nocase wide ascii
        $string265 = "ynns.uk:8080" nocase wide ascii
        $string266 = "yt6.ro:8080" nocase wide ascii
        $string267 = "yuiw.xyz:8080" nocase wide ascii
        $string268 = "z7s.org:8080" nocase wide ascii
        $string269 = "zbs.is:8080" nocase wide ascii
        $string270 = "zf0.ro:8080" nocase wide ascii
        $string271 = "zi9f.com:8080" nocase wide ascii
        $string272 = "zie5.com:8080" nocase wide ascii
        $string273 = "zjc.bz:8080" nocase wide ascii
        $string274 = "zk.qa:8080" nocase wide ascii
        $string275 = "zk4.me:8080" nocase wide ascii
        $string276 = "zk5.co:8080" nocase wide ascii
        $string277 = "zxn.fyi:8080" nocase wide ascii

    condition:
        // Restrict to files VirusTotal has not seen before, presumably so the
        // Livehunt stream only carries first-seen submissions — confirm.
        vt.metadata.new_file
        // A single C2 domain hit is enough; every string is a $string* entry.
        and any of ($string*)
        // JavaScript and HTML are excluded, presumably because web content
        // (blocklists, write-ups) legitimately cites these domains — confirm.
        and not (
            vt.metadata.file_type == vt.FileType.JAVASCRIPT
            or vt.metadata.file_type == vt.FileType.HTML
        )
}