rule Keylogging { meta: description = "Detects keylogging functionality" author = "Malware Researcher" severity = "High" date = "2023-01-01" strings: $import1 = "import keyboard" ascii wide $import2 = "from pynput" ascii wide $hook1 = "keyboard.hook" ascii wide $hook2 = "keyboard.Listener" ascii wide $hook3 = "keyboard.on_press" ascii wide $hook4 = "KeyboardEvent" ascii wide $func1 = "on_press" ascii wide $func2 = "on_release" ascii wide condition: 1 of ($import*) and 1 of ($hook*) or 1 of ($func*) } rule ScreenCapture { meta: description = "Detects screen capture functionality" author = "Malware Researcher" severity = "High" date = "2023-01-01" strings: $import1 = "import pyautogui" ascii wide $import2 = "from PIL import ImageGrab" ascii wide $import3 = "import mss" ascii wide $func1 = "pyautogui.screenshot" ascii wide $func2 = "ImageGrab.grab" ascii wide $func3 = "mss().shot" ascii wide $func4 = ".save(" ascii wide condition: 1 of ($import*) and 1 of ($func*) } rule BrowserDataTheft { meta: description = "Detects browser data theft functionality" author = "Malware Researcher" severity = "High" date = "2023-01-01" strings: $browser1 = "Chrome" nocase ascii wide $browser2 = "Firefox" nocase ascii wide $browser3 = "Edge" nocase ascii wide $browser4 = "Opera" nocase ascii wide $path1 = "AppData\\Local\\Google\\Chrome\\User Data" ascii wide $path2 = "AppData\\Roaming\\Mozilla\\Firefox\\Profiles" ascii wide $path3 = "AppData\\Local\\Microsoft\\Edge\\User Data" ascii wide $data1 = "Login Data" ascii wide $data2 = "Cookies" ascii wide $data3 = "Web Data" ascii wide $sql1 = "SELECT" ascii wide $sql2 = "FROM logins" ascii wide $sql3 = "FROM cookies" ascii wide $crypto1 = "CryptUnprotectData" ascii wide $crypto2 = "Crypt.decrypt" ascii wide condition: (2 of ($browser*) or 1 of ($path*)) and (1 of ($data*)) and (1 of ($sql*) or 1 of ($crypto*)) } rule SystemInformationCollection { meta: description = "Detects system information collection functionality" author = "Malware Researcher" severity = "Medium" date = "2023-01-01" strings: $import1 = "import platform" ascii wide $import2 = "import socket" ascii wide $import3 = "import uuid" ascii wide $import4 = "import psutil" ascii wide $func1 = "platform.system" ascii wide $func2 = "platform.release" ascii wide $func3 = "socket.gethostname" ascii wide $func4 = "uuid.getnode" ascii wide $func5 = "psutil.cpu_count" ascii wide $func6 = "psutil.disk_usage" ascii wide $func7 = "os.environ" ascii wide $func8 = "os.getlogin" ascii wide condition: 2 of ($import*) and 2 of ($func*) } rule AntiVMTechniques { meta: description = "Detects anti-VM/sandbox evasion techniques" author = "Malware Researcher" severity = "High" date = "2023-01-01" strings: $vm1 = "VMware" nocase ascii wide $vm2 = "VirtualBox" nocase ascii wide $vm3 = "QEMU" nocase ascii wide $vm4 = "Xen" nocase ascii wide $vm5 = "KVM" nocase ascii wide $vm6 = "Parallels" nocase ascii wide $vm7 = "Hyper-V" nocase ascii wide $vm8 = "Virtual Machine" nocase ascii wide $check1 = "wmic.exe" nocase ascii wide $check2 = "systeminfo" nocase ascii wide $check3 = "get_mac" nocase ascii wide $check4 = "registry" nocase ascii wide $check5 = "check_vm" nocase ascii wide $check6 = "is_vm" nocase ascii wide condition: 2 of ($vm*) and 1 of ($check*) } rule SelfDestructCode { meta: description = "Detects self-destructing code functionality" author = "Malware Researcher" severity = "High" date = "2023-01-01" strings: $del1 = "os.remove" ascii wide $del2 = "os.unlink" ascii wide $del3 = "shutil.rmtree" ascii wide $path1 = "__file__" ascii wide $path2 = "sys.argv[0]" ascii wide $cmd1 = "cmd.exe /c" ascii wide $cmd2 = "del " ascii wide $cmd3 = "rmdir" ascii wide $bat1 = ".bat" ascii wide $bat2 = ".cmd" ascii wide condition: 1 of ($del*) and (1 of ($path*) or (1 of ($cmd*) and 1 of ($bat*))) }