anti-abuse/signatures/common.yara


rule CHIENESE_NEZHA_ARGO
{
  strings:
    $a1 = "TkVaSEE="
    $a2 = "tunnel.json"
    $a3 = "vless"
    $a4 = "dmxlc3M="
    $a5 = "/vmess"
    $a6 = "L3ZtZXNz"
    $a7 = "V0FSUA=="
    $a8 = "/eooce/"
    $a9 = "ARGO_AUTH"
    $a10 = "--edge-ip-version"
    $a11 = "LS1lZGdlLWlwLXZlcnNpb24="
    $12 = "sub.txt"
    $13 = "Server\x20is\x20running\x20on\x20port\x20"
    $14 = "nysteria2"
    $15 = "openssl req"

    condition:
    2 of ($a1, $a2, $a3, $a4, $a5, $a6, $a7, $a8, $a9, $a10, $a11, $12, $13, $14, $15) 
}

rule OBFSCATED_CODE
{
    meta:
        description = "Detects an obfuscated script"

    strings:
        $f1 = "_0x" nocase
        $f2 = "\x20" nocase
        $f3 = "\x0a" nocase
        $f5 = "openssl req -new -x509" nocase
        $f6 = "cert.pem" nocase
        $f7 = "private.key" nocase
    condition:
        2 of ($f*)
}


rule OVERLOAD_CRYPTO_MINER
{
	meta:
        ref = "https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e"
  strings:
    $a1 = "stratum+tcp"
    condition:
    $a1  
}
Upload files to "signatures" 2025-03-23 19:04:04 +01:00
			`rule CHIENESE_NEZHA_ARGO`
			`{`
			`strings:`
			`$a1 = "TkVaSEE="`
			`$a2 = "tunnel.json"`
			`$a3 = "vless"`
			`$a4 = "dmxlc3M="`
			`$a5 = "/vmess"`
			`$a6 = "L3ZtZXNz"`
			`$a7 = "V0FSUA=="`
			`$a8 = "/eooce/"`
			`$a9 = "ARGO_AUTH"`
			`$a10 = "--edge-ip-version"`
			`$a11 = "LS1lZGdlLWlwLXZlcnNpb24="`
upload 2025-03-24 18:03:56 +00:00			`$12 = "sub.txt"`
			`$13 = "Server\x20is\x20running\x20on\x20port\x20"`
			`$14 = "nysteria2"`
			`$15 = "openssl req"`
Upload files to "signatures" 2025-03-23 19:04:04 +01:00
			`condition:`
upload 2025-03-24 18:03:56 +00:00			`2 of ($a1, $a2, $a3, $a4, $a5, $a6, $a7, $a8, $a9, $a10, $a11, $12, $13, $14, $15)`
			`}`

			`rule OBFSCATED_CODE`
			`{`
			`meta:`
			`description = "Detects an obfuscated script"`

			`strings:`
			`$f1 = "_0x" nocase`
			`$f2 = "\x20" nocase`
			`$f3 = "\x0a" nocase`
			`$f5 = "openssl req -new -x509" nocase`
			`$f6 = "cert.pem" nocase`
			`$f7 = "private.key" nocase`
			`condition:`
			`2 of ($f*)`
Upload files to "signatures" 2025-03-23 19:04:04 +01:00			`}`


			`rule OVERLOAD_CRYPTO_MINER`
			`{`
			`meta:`
			`ref = "https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e"`
			`strings:`
			`$a1 = "stratum+tcp"`
			`condition:`
			`$a1`
			`}`