@naari3
Last active June 5, 2022 13:11
// Constraint-style rule: the condition is `not (C1 and ... and C34)`, so the rule
// matches whenever at least one of the 34 conjuncts is false, and the only thing it
// does NOT match is a file satisfying every conjunct at once. Several conjuncts are
// bare atoms (`$x3`, `$x14`, `$x26`, `$x34`, `$x36`, `$x37` required; `$x2`, `$x7`,
// `$x10`, `$x11`, `$x15`, `$x22`, `$x27`, `$x40` forbidden), so any file missing one
// of the required byte patterns already matches. Treat this as a puzzle, not as a
// usable detection signature: expect it to fire on nearly any input.
//
// The strings come in four groups of ten that appear to be the same Japanese phrases
// in four encodings: $x1-$x10 UTF-8, $x11-$x20 Shift_JIS, $x21-$x30 UTF-16BE,
// $x31-$x40 UTF-7 (e.g. $x1, $x11, $x21 and $x31 are one five-character phrase in
// each encoding; several UTF-7 patterns are truncated prefixes, and $x22/$x32 are
// shorter and do not line up with $x2/$x12). UTF-16BE has to be written as raw hex
// because YARA's `wide` modifier only generates UTF-16LE.
rule MalElf {
meta:
description = "Malicious ELF binary"
strings:
$x1 = {e3 82 89 e3 81 9b e3 82 93 e9 9a 8e e6 ae b5}
$x2 = {e3 82 ab e3 83 96 e3 83 88 e8 99 ab}
$x3 = {e5 bb 83 e5 a2 9f e3 81 ae e8 a1 97}
$x4 = {e3 82 a4 e3 83 81 e3 82 b8 e3 82 af e3 81 ae e3 82 bf e3 83 ab e3 83 88}
$x5 = {e3 83 89 e3 83 ad e3 83 ad e3 83 bc e3 82 b5 e3 81 b8 e3 81 ae e9 81 93}
$x6 = {e7 89 b9 e7 95 b0 e7 82 b9}
$x7 = {e3 82 b8 e3 83 a7 e3 83 83 e3 83 88}
$x8 = {e5 a4 a9 e4 bd bf}
$x9 = {e7 b4 ab e9 99 bd e8 8a b1}
$x10 = {e7 a7 98 e5 af 86 e3 81 ae e7 9a 87 e5 b8 9d}
$x11 = {82 e7 82 b9 82 f1 8a 4b 92 69}
$x12 = {83 4a 83 75 83 67 92 8e}
$x13 = {94 70 9a d0 82 cc 8a 58}
$x14 = {83 43 83 60 83 57 83 4e 82 cc 83 5e 83 8b 83 67}
$x15 = {83 68 83 8d 83 8d 81 5b 83 54 82 d6 82 cc 93 b9}
$x16 = {93 c1 88 d9 93 5f}
$x17 = {83 57 83 87 83 62 83 67}
$x18 = {93 56 8e 67}
$x19 = {8e 87 97 7a 89 d4}
$x20 = {94 e9 96 a7 82 cc 8d 63 92 e9}
$x21 = {30 89 30 5b 30 93 96 8e 6b b5}
$x22 = {30 4b 30 76}
$x23 = {5e c3 58 9f 30 6e 88 57}
$x24 = {30 a4 30 c1 30 b8 30 af 30 6e 30 bf 30 eb 30 c8}
$x25 = {30 c9 30 ed 30 ed 30 fc 30 b5 30 78 30 6e 90 53}
$x26 = {72 79 75 70 70 b9}
$x27 = {30 b8 30 e7 30 c3 30 c8}
$x28 = {59 29 4f 7f}
$x29 = {7d 2b 96 7d 82 b1}
$x30 = {79 d8 5b c6 30 6e 76 87 5e 1d}
$x31 = {2b 4d 49 6b 2d 2b 4d 46 73 2d 2b 4d 4a 4d 2d 2b 6c 6f 34 2d}
$x32 = {2b 4d 45 73 2d 2b 4d 48}
$x33 = {2b 58 73 4d 2d 2b 57 4a 38 2d 2b 4d 47 34 2d 2b}
$x34 = {2b 4d 4b 51 2d 2b 4d 4d 45 2d 2b 4d 4c 67 2d 2b 4d 4b 38 2d 2b 4d 47 34 2d 2b 4d 4c 38 2d 2b 4d}
$x35 = {2b 4d 4d 6b 2d 2b 4d 4f 30 2d 2b 4d 4f 30 2d 2b 4d 50 77 2d 2b 4d 4c 55 2d 2b 4d 48 67 2d 2b 4d}
$x36 = {2b 63 6e 6b 2d 2b 64 58 41 2d 2b 63}
$x37 = {2b 4d 4c 67 2d 2b 4d 4f 63 2d 2b 4d 4d 4d 2d 2b}
$x38 = {2b 57 53 6b 2d 2b 54 33}
$x39 = {2b 66 53 73 2d 2b 6c 6e 30 2d 2b 67}
$x40 = {2b 65 64 67 2d 2b 57 38 59 2d 2b 4d 47 34 2d 2b 64 6f 63 2d}
// 34 conjuncts: 20 disjunctive clauses followed by 14 single-atom constraints.
// Each line (minus its trailing `and`) is what the accompanying Ruby script turns
// into one standalone Rule_N, so a sample can be checked clause by clause.
condition:
not (
($x1 or $x6 or $x12 or not $x21 or $x32) and
($x3 or $x5 or not $x11 or $x24 or $x35) and
(not $x3 or $x31 or $x40 or $x9 or $x27) and
($x4 or $x8 or $x10 or $x29 or $x40) and
($x4 or $x7 or $x11 or $x25 or not $x36) and
($x8 or $x14 or $x18 or $x21 or $x38) and
($x12 or $x15 or not $x20 or $x30 or $x35) and
($x19 or $x21 or not $x32 or $x33 or $x39) and
($x2 or $x37 or $x19 or not $x23) and
(not $x5 or $x14 or $x23 or $x30) and
(not $x5 or $x8 or $x18 or $x23) and
($x33 or $x22 or $x4 or $x38) and
($x2 or $x20 or $x39) and
($x3 or $x15 or not $x30) and
($x6 or not $x17 or $x30) and
($x8 or $x29 or not $x21) and
(not $x16 or $x1 or $x29) and
($x20 or $x10 or not $x5) and
(not $x13 or $x25) and
($x21 or $x28 or $x30) and
not $x2 and
$x3 and
not $x7 and
not $x10 and
not $x11 and
$x14 and
not $x15 and
not $x22 and
$x26 and
not $x27 and
$x34 and
$x36 and
$x37 and
not $x40
)
}
// Generated from MalElf: conjunct 1 of 34. The outer `not` makes this rule match
// when the clause is false, i.e. the sample contains $x21 and none of $x1, $x6,
// $x12, $x32. Running all generated Rule_N rules shows which conjuncts a sample fails.
rule Rule_0 {
meta:
description = "Malicious ELF binary"
strings:
$x1 = {e3 82 89 e3 81 9b e3 82 93 e9 9a 8e e6 ae b5}
$x6 = {e7 89 b9 e7 95 b0 e7 82 b9}
$x12 = {83 4a 83 75 83 67 92 8e}
$x21 = {30 89 30 5b 30 93 96 8e 6b b5}
$x32 = {2b 4d 45 73 2d 2b 4d 48}
condition:
not (
($x1 or $x6 or $x12 or not $x21 or $x32)
)
}
// Generated from MalElf: conjunct 2 of 34; matches when the clause below is false
// (sample contains $x11 and none of $x3, $x5, $x24, $x35).
rule Rule_1 {
meta:
description = "Malicious ELF binary"
strings:
$x3 = {e5 bb 83 e5 a2 9f e3 81 ae e8 a1 97}
$x5 = {e3 83 89 e3 83 ad e3 83 ad e3 83 bc e3 82 b5 e3 81 b8 e3 81 ae e9 81 93}
$x11 = {82 e7 82 b9 82 f1 8a 4b 92 69}
$x24 = {30 a4 30 c1 30 b8 30 af 30 6e 30 bf 30 eb 30 c8}
$x35 = {2b 4d 4d 6b 2d 2b 4d 4f 30 2d 2b 4d 4f 30 2d 2b 4d 50 77 2d 2b 4d 4c 55 2d 2b 4d 48 67 2d 2b 4d}
condition:
not (
($x3 or $x5 or not $x11 or $x24 or $x35)
)
}
// Generated from MalElf: conjunct 3 of 34; matches when the clause below is false
// (sample contains $x3 and none of $x31, $x40, $x9, $x27).
rule Rule_2 {
meta:
description = "Malicious ELF binary"
strings:
$x3 = {e5 bb 83 e5 a2 9f e3 81 ae e8 a1 97}
$x9 = {e7 b4 ab e9 99 bd e8 8a b1}
$x27 = {30 b8 30 e7 30 c3 30 c8}
$x31 = {2b 4d 49 6b 2d 2b 4d 46 73 2d 2b 4d 4a 4d 2d 2b 6c 6f 34 2d}
$x40 = {2b 65 64 67 2d 2b 57 38 59 2d 2b 4d 47 34 2d 2b 64 6f 63 2d}
condition:
not (
(not $x3 or $x31 or $x40 or $x9 or $x27)
)
}
// Generated from MalElf: conjunct 4 of 34; all atoms are positive, so this matches
// any sample containing none of $x4, $x8, $x10, $x29, $x40 (most files).
rule Rule_3 {
meta:
description = "Malicious ELF binary"
strings:
$x4 = {e3 82 a4 e3 83 81 e3 82 b8 e3 82 af e3 81 ae e3 82 bf e3 83 ab e3 83 88}
$x8 = {e5 a4 a9 e4 bd bf}
$x10 = {e7 a7 98 e5 af 86 e3 81 ae e7 9a 87 e5 b8 9d}
$x29 = {7d 2b 96 7d 82 b1}
$x40 = {2b 65 64 67 2d 2b 57 38 59 2d 2b 4d 47 34 2d 2b 64 6f 63 2d}
condition:
not (
($x4 or $x8 or $x10 or $x29 or $x40)
)
}
// Generated from MalElf: conjunct 5 of 34; matches when the clause below is false
// (sample contains $x36 and none of $x4, $x7, $x11, $x25).
rule Rule_4 {
meta:
description = "Malicious ELF binary"
strings:
$x4 = {e3 82 a4 e3 83 81 e3 82 b8 e3 82 af e3 81 ae e3 82 bf e3 83 ab e3 83 88}
$x7 = {e3 82 b8 e3 83 a7 e3 83 83 e3 83 88}
$x11 = {82 e7 82 b9 82 f1 8a 4b 92 69}
$x25 = {30 c9 30 ed 30 ed 30 fc 30 b5 30 78 30 6e 90 53}
$x36 = {2b 63 6e 6b 2d 2b 64 58 41 2d 2b 63}
condition:
not (
($x4 or $x7 or $x11 or $x25 or not $x36)
)
}
// Generated from MalElf: conjunct 6 of 34; all atoms are positive, so this matches
// any sample containing none of $x8, $x14, $x18, $x21, $x38.
rule Rule_5 {
meta:
description = "Malicious ELF binary"
strings:
$x8 = {e5 a4 a9 e4 bd bf}
$x14 = {83 43 83 60 83 57 83 4e 82 cc 83 5e 83 8b 83 67}
$x18 = {93 56 8e 67}
$x21 = {30 89 30 5b 30 93 96 8e 6b b5}
$x38 = {2b 57 53 6b 2d 2b 54 33}
condition:
not (
($x8 or $x14 or $x18 or $x21 or $x38)
)
}
// Generated from MalElf: conjunct 7 of 34; matches when the clause below is false
// (sample contains $x20 and none of $x12, $x15, $x30, $x35).
rule Rule_6 {
meta:
description = "Malicious ELF binary"
strings:
$x12 = {83 4a 83 75 83 67 92 8e}
$x15 = {83 68 83 8d 83 8d 81 5b 83 54 82 d6 82 cc 93 b9}
$x20 = {94 e9 96 a7 82 cc 8d 63 92 e9}
$x30 = {79 d8 5b c6 30 6e 76 87 5e 1d}
$x35 = {2b 4d 4d 6b 2d 2b 4d 4f 30 2d 2b 4d 4f 30 2d 2b 4d 50 77 2d 2b 4d 4c 55 2d 2b 4d 48 67 2d 2b 4d}
condition:
not (
($x12 or $x15 or not $x20 or $x30 or $x35)
)
}
// Generated from MalElf: conjunct 8 of 34; matches when the clause below is false
// (sample contains $x32 and none of $x19, $x21, $x33, $x39).
rule Rule_7 {
meta:
description = "Malicious ELF binary"
strings:
$x19 = {8e 87 97 7a 89 d4}
$x21 = {30 89 30 5b 30 93 96 8e 6b b5}
$x32 = {2b 4d 45 73 2d 2b 4d 48}
$x33 = {2b 58 73 4d 2d 2b 57 4a 38 2d 2b 4d 47 34 2d 2b}
$x39 = {2b 66 53 73 2d 2b 6c 6e 30 2d 2b 67}
condition:
not (
($x19 or $x21 or not $x32 or $x33 or $x39)
)
}
// Generated from MalElf: conjunct 9 of 34; matches when the clause below is false
// (sample contains $x23 and none of $x2, $x37, $x19).
rule Rule_8 {
meta:
description = "Malicious ELF binary"
strings:
$x2 = {e3 82 ab e3 83 96 e3 83 88 e8 99 ab}
$x19 = {8e 87 97 7a 89 d4}
$x23 = {5e c3 58 9f 30 6e 88 57}
$x37 = {2b 4d 4c 67 2d 2b 4d 4f 63 2d 2b 4d 4d 4d 2d 2b}
condition:
not (
($x2 or $x37 or $x19 or not $x23)
)
}
// Generated from MalElf: conjunct 10 of 34; matches when the clause below is false
// (sample contains $x5 and none of $x14, $x23, $x30).
rule Rule_9 {
meta:
description = "Malicious ELF binary"
strings:
$x5 = {e3 83 89 e3 83 ad e3 83 ad e3 83 bc e3 82 b5 e3 81 b8 e3 81 ae e9 81 93}
$x14 = {83 43 83 60 83 57 83 4e 82 cc 83 5e 83 8b 83 67}
$x23 = {5e c3 58 9f 30 6e 88 57}
$x30 = {79 d8 5b c6 30 6e 76 87 5e 1d}
condition:
not (
(not $x5 or $x14 or $x23 or $x30)
)
}
// Generated from MalElf: conjunct 11 of 34; matches when the clause below is false
// (sample contains $x5 and none of $x8, $x18, $x23).
rule Rule_10 {
meta:
description = "Malicious ELF binary"
strings:
$x5 = {e3 83 89 e3 83 ad e3 83 ad e3 83 bc e3 82 b5 e3 81 b8 e3 81 ae e9 81 93}
$x8 = {e5 a4 a9 e4 bd bf}
$x18 = {93 56 8e 67}
$x23 = {5e c3 58 9f 30 6e 88 57}
condition:
not (
(not $x5 or $x8 or $x18 or $x23)
)
}
// Generated from MalElf: conjunct 12 of 34; all atoms are positive, so this matches
// any sample containing none of $x33, $x22, $x4, $x38.
rule Rule_11 {
meta:
description = "Malicious ELF binary"
strings:
$x4 = {e3 82 a4 e3 83 81 e3 82 b8 e3 82 af e3 81 ae e3 82 bf e3 83 ab e3 83 88}
$x22 = {30 4b 30 76}
$x33 = {2b 58 73 4d 2d 2b 57 4a 38 2d 2b 4d 47 34 2d 2b}
$x38 = {2b 57 53 6b 2d 2b 54 33}
condition:
not (
($x33 or $x22 or $x4 or $x38)
)
}
// Generated from MalElf: conjunct 13 of 34; all atoms are positive, so this matches
// any sample containing none of $x2, $x20, $x39.
rule Rule_12 {
meta:
description = "Malicious ELF binary"
strings:
$x2 = {e3 82 ab e3 83 96 e3 83 88 e8 99 ab}
$x20 = {94 e9 96 a7 82 cc 8d 63 92 e9}
$x39 = {2b 66 53 73 2d 2b 6c 6e 30 2d 2b 67}
condition:
not (
($x2 or $x20 or $x39)
)
}
// Generated from MalElf: conjunct 14 of 34; matches when the clause below is false
// (sample contains $x30 and neither $x3 nor $x15).
rule Rule_13 {
meta:
description = "Malicious ELF binary"
strings:
$x3 = {e5 bb 83 e5 a2 9f e3 81 ae e8 a1 97}
$x15 = {83 68 83 8d 83 8d 81 5b 83 54 82 d6 82 cc 93 b9}
$x30 = {79 d8 5b c6 30 6e 76 87 5e 1d}
condition:
not (
($x3 or $x15 or not $x30)
)
}
// Generated from MalElf: conjunct 15 of 34; matches when the clause below is false
// (sample contains $x17 and neither $x6 nor $x30).
rule Rule_14 {
meta:
description = "Malicious ELF binary"
strings:
$x6 = {e7 89 b9 e7 95 b0 e7 82 b9}
$x17 = {83 57 83 87 83 62 83 67}
$x30 = {79 d8 5b c6 30 6e 76 87 5e 1d}
condition:
not (
($x6 or not $x17 or $x30)
)
}
// Generated from MalElf: conjunct 16 of 34; matches when the clause below is false
// (sample contains $x21 and neither $x8 nor $x29).
rule Rule_15 {
meta:
description = "Malicious ELF binary"
strings:
$x8 = {e5 a4 a9 e4 bd bf}
$x21 = {30 89 30 5b 30 93 96 8e 6b b5}
$x29 = {7d 2b 96 7d 82 b1}
condition:
not (
($x8 or $x29 or not $x21)
)
}
// Generated from MalElf: conjunct 17 of 34; matches when the clause below is false
// (sample contains $x16 and neither $x1 nor $x29).
rule Rule_16 {
meta:
description = "Malicious ELF binary"
strings:
$x1 = {e3 82 89 e3 81 9b e3 82 93 e9 9a 8e e6 ae b5}
$x16 = {93 c1 88 d9 93 5f}
$x29 = {7d 2b 96 7d 82 b1}
condition:
not (
(not $x16 or $x1 or $x29)
)
}
// Generated from MalElf: conjunct 18 of 34; matches when the clause below is false
// (sample contains $x5 and neither $x20 nor $x10).
rule Rule_17 {
meta:
description = "Malicious ELF binary"
strings:
$x5 = {e3 83 89 e3 83 ad e3 83 ad e3 83 bc e3 82 b5 e3 81 b8 e3 81 ae e9 81 93}
$x10 = {e7 a7 98 e5 af 86 e3 81 ae e7 9a 87 e5 b8 9d}
$x20 = {94 e9 96 a7 82 cc 8d 63 92 e9}
condition:
not (
($x20 or $x10 or not $x5)
)
}
// Generated from MalElf: conjunct 19 of 34; matches when the clause below is false
// (sample contains $x13 but not $x25).
rule Rule_18 {
meta:
description = "Malicious ELF binary"
strings:
$x13 = {94 70 9a d0 82 cc 8a 58}
$x25 = {30 c9 30 ed 30 ed 30 fc 30 b5 30 78 30 6e 90 53}
condition:
not (
(not $x13 or $x25)
)
}
// Generated from MalElf: conjunct 20 of 34; all atoms are positive, so this matches
// any sample containing none of $x21, $x28, $x30.
rule Rule_19 {
meta:
description = "Malicious ELF binary"
strings:
$x21 = {30 89 30 5b 30 93 96 8e 6b b5}
$x28 = {59 29 4f 7f}
$x30 = {79 d8 5b c6 30 6e 76 87 5e 1d}
condition:
not (
($x21 or $x28 or $x30)
)
}
// Generated from MalElf: conjunct 21 of 34 (`not $x2`). `not (not $x2)` is just
// `$x2`, so this matches samples that contain $x2.
rule Rule_20 {
meta:
description = "Malicious ELF binary"
strings:
$x2 = {e3 82 ab e3 83 96 e3 83 88 e8 99 ab}
condition:
not (
not $x2
)
}
// Generated from MalElf: conjunct 22 of 34 (`$x3`). `not ($x3)` matches every file
// that lacks $x3, so expect this rule to fire on nearly everything it is run against.
rule Rule_21 {
meta:
description = "Malicious ELF binary"
strings:
$x3 = {e5 bb 83 e5 a2 9f e3 81 ae e8 a1 97}
condition:
not (
$x3
)
}
// Generated from MalElf: conjunct 23 of 34 (`not $x7`); the double negation means
// this matches samples that contain $x7.
rule Rule_22 {
meta:
description = "Malicious ELF binary"
strings:
$x7 = {e3 82 b8 e3 83 a7 e3 83 83 e3 83 88}
condition:
not (
not $x7
)
}
// Generated from MalElf: conjunct 24 of 34 (`not $x10`); the double negation means
// this matches samples that contain $x10.
rule Rule_23 {
meta:
description = "Malicious ELF binary"
strings:
$x10 = {e7 a7 98 e5 af 86 e3 81 ae e7 9a 87 e5 b8 9d}
condition:
not (
not $x10
)
}
// Generated from MalElf: conjunct 25 of 34 (`not $x11`); the double negation means
// this matches samples that contain $x11.
rule Rule_24 {
meta:
description = "Malicious ELF binary"
strings:
$x11 = {82 e7 82 b9 82 f1 8a 4b 92 69}
condition:
not (
not $x11
)
}
// Generated from MalElf: conjunct 26 of 34 (`$x14`). `not ($x14)` matches every file
// that lacks $x14, so this rule fires on nearly any input.
rule Rule_25 {
meta:
description = "Malicious ELF binary"
strings:
$x14 = {83 43 83 60 83 57 83 4e 82 cc 83 5e 83 8b 83 67}
condition:
not (
$x14
)
}
// Generated from MalElf: conjunct 27 of 34 (`not $x15`); the double negation means
// this matches samples that contain $x15.
rule Rule_26 {
meta:
description = "Malicious ELF binary"
strings:
$x15 = {83 68 83 8d 83 8d 81 5b 83 54 82 d6 82 cc 93 b9}
condition:
not (
not $x15
)
}
// Generated from MalElf: conjunct 28 of 34 (`not $x22`); the double negation means
// this matches samples that contain $x22. Note $x22 is only four bytes long, which
// makes accidental hits in unrelated data more likely than for the longer patterns.
rule Rule_27 {
meta:
description = "Malicious ELF binary"
strings:
$x22 = {30 4b 30 76}
condition:
not (
not $x22
)
}
// Generated from MalElf: conjunct 29 of 34 (`$x26`). `not ($x26)` matches every file
// that lacks $x26, so this rule fires on nearly any input.
rule Rule_28 {
meta:
description = "Malicious ELF binary"
strings:
$x26 = {72 79 75 70 70 b9}
condition:
not (
$x26
)
}
// Generated from MalElf: conjunct 30 of 34 (`not $x27`); the double negation means
// this matches samples that contain $x27.
rule Rule_29 {
meta:
description = "Malicious ELF binary"
strings:
$x27 = {30 b8 30 e7 30 c3 30 c8}
condition:
not (
not $x27
)
}
// Generated from MalElf: conjunct 31 of 34 (`$x34`). `not ($x34)` matches every file
// that lacks $x34, so this rule fires on nearly any input.
rule Rule_30 {
meta:
description = "Malicious ELF binary"
strings:
$x34 = {2b 4d 4b 51 2d 2b 4d 4d 45 2d 2b 4d 4c 67 2d 2b 4d 4b 38 2d 2b 4d 47 34 2d 2b 4d 4c 38 2d 2b 4d}
condition:
not (
$x34
)
}
// Generated from MalElf: conjunct 32 of 34 (`$x36`). `not ($x36)` matches every file
// that lacks $x36, so this rule fires on nearly any input.
rule Rule_31 {
meta:
description = "Malicious ELF binary"
strings:
$x36 = {2b 63 6e 6b 2d 2b 64 58 41 2d 2b 63}
condition:
not (
$x36
)
}
// Generated from MalElf: conjunct 33 of 34 (`$x37`). `not ($x37)` matches every file
// that lacks $x37, so this rule fires on nearly any input.
rule Rule_32 {
meta:
description = "Malicious ELF binary"
strings:
$x37 = {2b 4d 4c 67 2d 2b 4d 4f 63 2d 2b 4d 4d 4d 2d 2b}
condition:
not (
$x37
)
}
// Generated from MalElf: conjunct 34 of 34 (`not $x40`); the double negation means
// this matches samples that contain $x40.
rule Rule_33 {
meta:
description = "Malicious ELF binary"
strings:
$x40 = {2b 65 64 67 2d 2b 57 38 59 2d 2b 4d 47 34 2d 2b 64 6f 63 2d}
condition:
not (
not $x40
)
}
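# Source YARA rule to split: a single rule whose condition is one conjunct per
# line. File.read reads and closes the file in one step; the original
# `open(...).read` leaked the handle, and Kernel#open also treats an argument
# beginning with "|" as a command to spawn, so File.read is the safer habit even
# with a literal path.
rule_file = File.read("rule copy.yara")
# One generated rule: its name, the "$xN = {...}" declarations it needs, and
# the clause text used as its condition.
Rule = Struct.new(:name, :strings, :condition)
# One "$xN = {...}" declaration from the source rule (name and hex body).
StrRule = Struct.new(:name, :body)
state = :none    # section of the source rule currently being read (e.g. :strings, :condition)
strings = []     # StrRule entries collected from the strings: section
conditions = []  # one entry per condition: line that references a string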
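# A section header is a bare identifier followed by a colon on its own line
# (meta:, strings:, condition:). Anchoring both ends means a colon inside a meta
# value or a hex body can no longer flip the parser into a bogus section, which
# the original unanchored `/\s+(.+?):/` allowed.
SECTION_HEADER = /\A\s*(\w+):\s*\z/
# "$xN = {..}" declaration; leading whitespace is optional so an unindented
# rule file parses too (the original required at least one space).
STRING_DECL = /\A\s*(\$x\d{1,2}) = (\{.+?\})/
# Any line that references a string identifier counts as a condition clause.
# Captured without its leading indent; the trailing " and" that joins clauses is
# removed later when rules are built.
CONDITION_LINE = /\A\s*(.*\$.*)\z/

# Walk the source rule line by line, tracking which section we are in.
# each_line(chomp: true) also strips a trailing "\r", so CRLF files do not leave
# "\r" glued onto the last hex body or clause.
rule_file.each_line(chomp: true) do |line|
  if (header = SECTION_HEADER.match(line))
    state = header[1].to_sym
    next
  end

  case state
  when :strings
    decl = STRING_DECL.match(line)
    strings << StrRule.new(decl[1], decl[2]) if decl
  when :condition
    clause = CONDITION_LINE.match(line)
    conditions << clause[1] if clause
  end
end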
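# Build one Rule per clause of the source condition. Each generated rule carries
# only the string declarations its clause references, so it compiles on its own
# and can be matched separately to see which clauses a sample satisfies.
rules = conditions.each_with_index.map do |clause, index|
  # Identifiers used by this clause. Scanning for "$xN" is exact; the original
  # split on " or " and deleted the substrings "not"/"and"/"("/")" from each
  # token, which only works while tokens happen to contain none of them.
  referenced = clause.scan(/\$x\d+/)
  clause_strings = strings
                   .select { |decl| referenced.include?(decl.name) }
                   .map { |decl| "#{decl.name} = #{decl.body}" }
  # Remove only a *trailing* "and" (the conjunction joining this clause to the
  # next). The original `rpartition("and")` dropped the LAST "and" anywhere in
  # the clause, truncating a clause such as "$x1 and $x2" to "$x1 ".
  Rule.new("Rule_#{index}", clause_strings, clause.sub(/\s*\band\s*\z/, ""))
end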
require 'erb'
# Render the generated rules through the ERB template. The template is evaluated
# against this script's top-level binding, so it can reference `rules` (and any
# other local defined above).
puts ERB.new(File.read('rule.yara.erb')).result(binding)