Intitial release

2025-04-12 01:40:13 -05:00 · 2025-04-12 01:40:13 -05:00 · fa8caa5116
commit fa8caa5116
parent 299038fbc7
21 changed files with 1234 additions and 0 deletions
--- a/rules/dangerous.yar
+++ b/rules/dangerous.yar
@ -0,0 +1,134 @@
+rule Keylogging {
+    meta:
+        description = "Detects keylogging functionality"
+        author = "Malware Researcher"
+        severity = "High"
+        date = "2023-01-01"
+    strings:
+        $import1 = "import keyboard" ascii wide
+        $import2 = "from pynput" ascii wide
+        $hook1 = "keyboard.hook" ascii wide
+        $hook2 = "keyboard.Listener" ascii wide
+        $hook3 = "keyboard.on_press" ascii wide
+        $hook4 = "KeyboardEvent" ascii wide
+        $func1 = "on_press" ascii wide
+        $func2 = "on_release" ascii wide
+    condition:
+        1 of ($import*) and 1 of ($hook*) or 1 of ($func*)
+}
+
+rule ScreenCapture {
+    meta:
+        description = "Detects screen capture functionality"
+        author = "Malware Researcher"
+        severity = "High"
+        date = "2023-01-01"
+    strings:
+        $import1 = "import pyautogui" ascii wide
+        $import2 = "from PIL import ImageGrab" ascii wide
+        $import3 = "import mss" ascii wide
+        $func1 = "pyautogui.screenshot" ascii wide
+        $func2 = "ImageGrab.grab" ascii wide
+        $func3 = "mss().shot" ascii wide
+        $func4 = ".save(" ascii wide
+    condition:
+        1 of ($import*) and 1 of ($func*)
+}
+
+rule BrowserDataTheft {
+    meta:
+        description = "Detects browser data theft functionality"
+        author = "Malware Researcher"
+        severity = "High"
+        date = "2023-01-01"
+    strings:
+        $browser1 = "Chrome" nocase ascii wide
+        $browser2 = "Firefox" nocase ascii wide
+        $browser3 = "Edge" nocase ascii wide
+        $browser4 = "Opera" nocase ascii wide
+        $path1 = "AppData\\Local\\Google\\Chrome\\User Data" ascii wide
+        $path2 = "AppData\\Roaming\\Mozilla\\Firefox\\Profiles" ascii wide
+        $path3 = "AppData\\Local\\Microsoft\\Edge\\User Data" ascii wide
+        $data1 = "Login Data" ascii wide
+        $data2 = "Cookies" ascii wide
+        $data3 = "Web Data" ascii wide
+        $sql1 = "SELECT" ascii wide
+        $sql2 = "FROM logins" ascii wide
+        $sql3 = "FROM cookies" ascii wide
+        $crypto1 = "CryptUnprotectData" ascii wide
+        $crypto2 = "Crypt.decrypt" ascii wide
+    condition:
+        (2 of ($browser*) or 1 of ($path*)) and 
+        (1 of ($data*)) and 
+        (1 of ($sql*) or 1 of ($crypto*))
+}
+
+rule SystemInformationCollection {
+    meta:
+        description = "Detects system information collection functionality"
+        author = "Malware Researcher"
+        severity = "Medium"
+        date = "2023-01-01"
+    strings:
+        $import1 = "import platform" ascii wide
+        $import2 = "import socket" ascii wide
+        $import3 = "import uuid" ascii wide
+        $import4 = "import psutil" ascii wide
+        $func1 = "platform.system" ascii wide
+        $func2 = "platform.release" ascii wide
+        $func3 = "socket.gethostname" ascii wide
+        $func4 = "uuid.getnode" ascii wide
+        $func5 = "psutil.cpu_count" ascii wide
+        $func6 = "psutil.disk_usage" ascii wide
+        $func7 = "os.environ" ascii wide
+        $func8 = "os.getlogin" ascii wide
+    condition:
+        2 of ($import*) and 2 of ($func*)
+}
+
+rule AntiVMTechniques {
+    meta:
+        description = "Detects anti-VM/sandbox evasion techniques"
+        author = "Malware Researcher"
+        severity = "High"
+        date = "2023-01-01"
+    strings:
+        $vm1 = "VMware" nocase ascii wide
+        $vm2 = "VirtualBox" nocase ascii wide
+        $vm3 = "QEMU" nocase ascii wide
+        $vm4 = "Xen" nocase ascii wide
+        $vm5 = "KVM" nocase ascii wide
+        $vm6 = "Parallels" nocase ascii wide
+        $vm7 = "Hyper-V" nocase ascii wide
+        $vm8 = "Virtual Machine" nocase ascii wide
+        $check1 = "wmic.exe" nocase ascii wide
+        $check2 = "systeminfo" nocase ascii wide
+        $check3 = "get_mac" nocase ascii wide
+        $check4 = "registry" nocase ascii wide
+        $check5 = "check_vm" nocase ascii wide
+        $check6 = "is_vm" nocase ascii wide
+    condition:
+        2 of ($vm*) and 1 of ($check*)
+}
+
+rule SelfDestructCode {
+    meta:
+        description = "Detects self-destructing code functionality"
+        author = "Malware Researcher"
+        severity = "High"
+        date = "2023-01-01"
+    strings:
+        $del1 = "os.remove" ascii wide
+        $del2 = "os.unlink" ascii wide
+        $del3 = "shutil.rmtree" ascii wide
+        $path1 = "__file__" ascii wide
+        $path2 = "sys.argv[0]" ascii wide
+        $cmd1 = "cmd.exe /c" ascii wide
+        $cmd2 = "del " ascii wide
+        $cmd3 = "rmdir" ascii wide
+        $bat1 = ".bat" ascii wide
+        $bat2 = ".cmd" ascii wide
+    condition:
+        1 of ($del*) and (1 of ($path*) or 
+        (1 of ($cmd*) and 1 of ($bat*)))
+}