V4 : Yara rules implementation

Example yara file

signatures/rules.yara

@@ -0,0 +1,140 @@
+rule Suspicious_PHP_Code {
+    meta:
+        description = "Suspicious PHP code"
+        author = "AI"
+    strings:
+        $eval_call = "eval("
+        $exec_call = "exec("
+        $suspicious_function = /[$][a-zA-Z_][a-zA-Z_0-9]{,20}\(/
+    condition:
+        any of ($eval_call, $exec_call, $suspicious_function)
+}
+
+rule Malicious_Python_Webshell {
+    meta:
+        description = "Malicious Python webshell"
+        author = "AI"
+    strings:
+        $import_os = "import os"
+        $os_system = "os.system("
+        $variable_assignment = /[$][a-zA-Z_][a-zA-Z_0-9]{,20}\s*=/
+    condition:
+        any of ($import_os, $os_system, $variable_assignment)
+}
+
+rule Cryptolocker_Virus {
+    meta:
+        description = "Cryptolocker virus"
+        author = "AI"
+    strings:
+        $crypto_collision = "from Crypto.Collision import collision"
+        $crypto_rsa = /from Crypto\.RSA import RSA.{1,100}/
+    condition:
+        any of ($crypto_collision, $crypto_rsa)
+}
+
+rule Coin_Mining_Malware {
+    meta:
+        description = "Coin mining malware"
+        author = "AI"
+    strings:
+        $hashlib_import = "import hashlib"
+        $multiprocessing_import = "import multiprocessing"
+        $os_import = "import os"
+    condition:
+        any of ($hashlib_import, $multiprocessing_import, $os_import)
+}
+
+rule SQL_Injection_Attack {
+    meta:
+        description = "SQL injection attack"
+        author = "AI"
+    strings:
+        $drop_table = "DROP TABLE"
+        $delete_from = "DELETE FROM"
+        $union_all = "UNION ALL"
+    condition:
+        any of ($drop_table, $delete_from, $union_all)
+}
+
+rule Cross_Site_Scripting {
+    meta:
+        description = "Cross-site scripting"
+        author = "AI"
+    strings:
+        $script_tag = /<script>.{1,100}<\/script>/
+        $alert_function = "alert("
+        $confirm_function = "confirm("
+    condition:
+        any of ($script_tag, $alert_function, $confirm_function)
+}
+
+rule suspicious_file_extension {
+    meta:
+        description = "Detects files with suspicious extensions"
+
+    strings:
+        $exe = ".exe"
+        $dll = ".dll"
+        $scr = ".scr"
+        $vbs = ".vbs"
+        $js = ".js"
+        $bat = ".bat"
+        $cmd = ".cmd"
+        $ps1 = ".ps1"
+        $ps2 = ".ps2"
+        $psm1 = ".psm1"
+        $py = ".py"
+        $pyx = ".pyx"
+        $jsx = ".jsx"
+        $ts = ".ts"
+        $tsx = ".tsx"
+        
+    condition:
+        any of them
+}
+
+rule malicious_file {
+    meta:
+        description = "Detects malicious files based on various indicators"
+
+    strings:
+        $malicious_code1 = { E8 83 EC 70 83 C4 }
+        $malicious_string1 = "malicious_string"
+        $malicious_domain = "malicious_domain.com"
+
+    condition:
+        $malicious_code1 or $malicious_string1 or $malicious_domain
+}
+
+rule malicious_webshell {
+    meta:
+        description = "Detects malicious webshells"
+        author = "AI"
+
+    strings:
+        $eval_post = "eval($_POST"
+        $eval_get = "eval($_GET"
+        $passthru_post = "passthru($_POST"
+        $passthru_get = "passthru($_GET"
+        $system_post = "system($_POST"
+        $system_get = "system($_GET"
+
+    condition:
+        any of ($eval_post, $eval_get, $passthru_post, $passthru_get, $system_post, $system_get)
+}
+
+rule ransomware_infection {
+    meta:
+        description = "Detects ransomware infections"
+        author = "AI"
+
+    strings:
+        $ransom_note = "All your files are encrypted."
+        $ransomDemand = "Pay us to get your files back."
+        $bitcoin_address = "1D9xMfW49gVHjY6Usa2zLs6Ym1Ya2G7mKZ"
+
+    condition:
+        any of ($ransom_note, $ransomDemand, $bitcoin_address)
+}
+