Novel/signatures/common.yara

rule CHINESE_NEZHA_ARGO {
    strings:
        $a1 = "TkVaSEE=" // Base64 for "NEZHA"
        $a2 = "tunnel.json"
        $a3 = "vless"
        $a4 = "dmxlc3M=" // Base64 for "vless"
        $a5 = "/vmess"
        $a6 = "L3ZtZXNz" // Base64 for "/vmess"
        $a7 = "V0FSUA==" // Base64 for "WARP"
        $a8 = "/eooce/"
        $a9 = "ARGO_AUTH"
        $a10 = "--edge-ip-version"
        $a11 = "LS1lZGdlLWlwLXZlcnNpb24=" // Base64 for "--edge-ip-version"
        $a12 = "sub.txt"
        $a13 = "Server\x20is\x20running\x20on\x20port\x20"
        $a14 = "nysteria2"
        $a15 = "openssl req"
    condition:
        2 of ($a*)
}

rule OBFUSCATED_CODE {
    meta:
        description = "Detects an obfuscated script"
    strings:
        $f1 = "0x" nocase
        $f2 = "x20" nocase
        $f3 = "x0a" nocase
    condition:
        2 of ($f1, $f2, $f3)
}

rule OVERLOAD_CRYPTO_MINER {
    meta:
        ref = "https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e"
    strings:
        $a1 = "stratum+tcp"
        $a2 = "xmrig"
        $a3 = "crypto"
        
    condition:
        any of them
}

rule REVERSE_SHELL {
    strings: 
        $a1 = "0>&1"
        $a2 = "sh"
        $a3 = "-i"
        $a4 = "0<&196"
        $a5 = "<>/dev/tcp"
        $a6 = "socket.socket"

    condition:
        2 of them
}
pushed 2025-03-24 20:07:14 +00:00			`rule CHINESE_NEZHA_ARGO {`
			`strings:`
			`$a1 = "TkVaSEE=" // Base64 for "NEZHA"`
			`$a2 = "tunnel.json"`
			`$a3 = "vless"`
			`$a4 = "dmxlc3M=" // Base64 for "vless"`
			`$a5 = "/vmess"`
			`$a6 = "L3ZtZXNz" // Base64 for "/vmess"`
			`$a7 = "V0FSUA==" // Base64 for "WARP"`
			`$a8 = "/eooce/"`
			`$a9 = "ARGO_AUTH"`
			`$a10 = "--edge-ip-version"`
			`$a11 = "LS1lZGdlLWlwLXZlcnNpb24=" // Base64 for "--edge-ip-version"`
			`$a12 = "sub.txt"`
			`$a13 = "Server\x20is\x20running\x20on\x20port\x20"`
			`$a14 = "nysteria2"`
			`$a15 = "openssl req"`
Upload files to "signatures" 2025-03-23 19:04:04 +01:00			`condition:`
pushed 2025-03-24 20:07:14 +00:00			`2 of ($a*)`
upload 2025-03-24 18:03:56 +00:00			`}`

pushed 2025-03-24 20:07:14 +00:00			`rule OBFUSCATED_CODE {`
upload 2025-03-24 18:03:56 +00:00			`meta:`
			`description = "Detects an obfuscated script"`
			`strings:`
pushed 2025-03-24 20:07:14 +00:00			`$f1 = "0x" nocase`
			`$f2 = "x20" nocase`
			`$f3 = "x0a" nocase`
upload 2025-03-24 18:03:56 +00:00			`condition:`
pushed 2025-03-24 20:07:14 +00:00			`2 of ($f1, $f2, $f3)`
Upload files to "signatures" 2025-03-23 19:04:04 +01:00			`}`

pushed 2025-03-24 20:07:14 +00:00			`rule OVERLOAD_CRYPTO_MINER {`
			`meta:`
Upload files to "signatures" 2025-03-23 19:04:04 +01:00			`ref = "https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e"`
pushed 2025-03-24 20:07:14 +00:00			`strings:`
			`$a1 = "stratum+tcp"`
			`$a2 = "xmrig"`
			`$a3 = "crypto"`

Upload files to "signatures" 2025-03-23 19:04:04 +01:00			`condition:`
pushed 2025-03-24 20:07:14 +00:00			`any of them`
Upload files to "signatures" 2025-03-23 19:04:04 +01:00			`}`

pushed 2025-03-24 20:07:14 +00:00			`rule REVERSE_SHELL {`
			`strings:`
			`$a1 = "0>&1"`
			`$a2 = "sh"`
			`$a3 = "-i"`
			`$a4 = "0<&196"`
			`$a5 = "<>/dev/tcp"`
			`$a6 = "socket.socket"`

			`condition:`
			`2 of them`
			`}`