Improved YARA removed old rules, added new ones

CAPESandbox · Apr 19, 2023 · daabb82 · daabb82
1 parent 7851a9d
commit daabb82
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 104 deletions.
diff --git a/.yara-ci.yml b/.yara-ci.yml
@@ -10,6 +10,7 @@ false_positives:
    - rule: "shellcode_stack_strings"
    - rule: "shellcode_get_eip"
    - rule: "shellcode_peb_parsing"
+   - rule: "shellcode_patterns"
    - rule: "lsadump"
    - rule: "UPX"
-   - rule: "INDICATOR_EXE_Packed_Dotfuscator"
+   - rule: "INDICATOR_EXE_Packed_Dotfuscator"
diff --git a/data/yara/binaries/HTML_PhishingKit.yar b/data/yara/binaries/HTML_PhishingKit.yar
diff --git a/data/yara/binaries/OneNote_BuildPath.yar b/data/yara/binaries/OneNote_BuildPath.yar
diff --git a/modules/signatures/credential_access_phishingkit.py b/modules/signatures/credential_access_phishingkit.py
@@ -31,6 +31,11 @@ class HTMLPhisher_0(Signature):
     confidence = 100
     categories = ["credential_access","evasion","infostealer","phishing", "static"]
     authors = ["Yasin Tas",  "Eye Security"]
+    references = [
+        "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+        "https://socradar.io/what-is-a-phishing-kit/"
+        "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+        ]
     enabled = True
     minimum = "1.2"
     ttps = ["T1111", "T1193", "T1140"]  # MITRE v6
@@ -73,6 +78,11 @@ class HTMLPhisher_1(Signature):
     confidence = 100
     categories = ["credential_access","evasion","infostealer","phishing", "static"]
     authors = ["Yasin Tas",  "Eye Security"]
+    references = [
+    "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+    "https://socradar.io/what-is-a-phishing-kit/"
+    "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+    ]
     enabled = True
     minimum = "1.2"
     ttps = ["T1111", "T1193", "T1140"]  # MITRE v6
@@ -109,5 +119,4 @@ def run(self):
                         self.data.append({"url": url.group(1)})
                         self.data.append({"user": user.group(1)})
                         return True
-            return False
-
+            return False
diff --git a/modules/signatures/suspicious_html.py b/modules/signatures/suspicious_html.py
@@ -24,6 +24,12 @@ class htmlBody(Signature):
     confidence = 80
     categories = ["phishing", "static"]
     authors = ["Yasin Tas",  "Eye Security"]
+    references = [
+    "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+    "https://socradar.io/what-is-a-phishing-kit/"
+    "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+    ]
+    references = [""]
     enabled = True
     minimum = "1.2"
     ttps = ["T1566.001"]  # MITRE v6,7,8
@@ -37,6 +43,8 @@ def run(self):
             'username',
             'encoded_string',
             'url',
+            'emails'
+            '// remove email, and put ur mailer code',
                   ]
 
         if self.results["info"]["package"] == "edge" or self.results["info"]["package"] == "html":
@@ -57,6 +65,11 @@ class htmlTitle(Signature):
     confidence = 80
     categories = ["phishing", "static"]
     authors = ["Yasin Tas",  "Eye Security"]
+    references = [
+    "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+    "https://socradar.io/what-is-a-phishing-kit/"
+    "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+    ]
     enabled = True
     minimum = "1.2"
     ttps = ["T1566.001"]  # MITRE v6,7,8
@@ -91,6 +104,11 @@ class suspiciousHTMLname(Signature):
     confidence = 80
     categories = ["phishing", "static"]
     authors = ["Yasin Tas",  "Eye Security"]
+    references = [
+    "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+    "https://socradar.io/what-is-a-phishing-kit/"
+    "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+    ]
     enabled = True
     minimum = "1.2"
     ttps = ["T1566.001"]  # MITRE v6,7,8
@@ -124,6 +142,11 @@ class JSAtob(Signature):
     confidence = 80
     categories = ["evasion","phishing", "static"]
     authors = ["Yasin Tas",  "Eye Security"]
+    references = [
+    "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+    "https://socradar.io/what-is-a-phishing-kit/"
+    "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+    ]
     enabled = True
     minimum = "1.2"
     ttps = ["T1140"]  # MITRE v6
@@ -137,11 +160,6 @@ def run(self):
             strings = self.results["target"]["file"]["strings"]
             data = ''.join(strings)
             if "atob" in str(data):
-                times_atob = data.count("atob")
-                self.confidence = self.confidence + (times_atob * 5)
-                if self.confidence >= 100:
-                    self.confidence = 100
-                self.data.append({f"Found atob {times_atob} times"})
                 return True
         return False
 
@@ -152,6 +170,11 @@ class URLDecode(Signature):
     confidence = 80
     categories = ["evasion","phishing", "static"]
     authors = ["Yasin Tas",  "Eye Security"]
+    references = [
+    "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+    "https://socradar.io/what-is-a-phishing-kit/"
+    "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+    ]
     enabled = True
     minimum = "1.2"
     ttps = ["T1140"]  # MITRE v6
@@ -174,6 +197,11 @@ class jsUnescape(Signature):
     confidence = 80
     categories = ["evasion","phishing", "static"]
     authors = ["Yasin Tas",  "Eye Security"]
+    references = [
+    "https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/",
+    "https://socradar.io/what-is-a-phishing-kit/"
+    "https://github.com/SteveD3/kit_hunter/tree/master/tag_files"
+    ]
     enabled = True
     minimum = "1.2"
     ttps = ["T1140"]  # MITRE v6