

Rules 20210811
t4d committed Aug 11, 2021
1 parent a8c6f2e commit 2b1ee86
Showing 7 changed files with 200 additions and 0 deletions.
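--- a/PK_BanquePostale_Fiching.yar
+++ b/PK_BanquePostale_Fiching.yar
@@ -0,0 +1,30 @@
+rule PK_BanquePostale_Fiching : Banque Postale
+{
+meta:
+description = "Phishing Kit impersonating la Banque Postale"
+licence = "GPL-3.0"
+author = "Thomas 'tAd' Damonneville"
+reference = ""
+date = "2021-07-31"
+comment = "Phishing kit - Banque Postale - '$FichingMessage = false'"
+
+strings:
+// the zipfile working on
+$zip_file = { 50 4b 03 04 }
+// specific directory found in PhishingKit
+$spec_dir = "letters"
+// specific file found in PhishingKit
+$spec_file = "zobiii.php"
+$spec_file2 = "crca.html"
+$spec_file3 = "merci.html"
+$spec_file4 = "certi.html"
+condition:
+// look for the ZIP header
+uint32(0) == 0x04034b50 and
+// make sure we have a local file header
+$zip_file and
+$spec_dir and
+// check for file
+all of ($spec_file*)
+}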
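Review bot: The rule header `rule PK_BanquePostale_Fiching : Banque Postale` declares two tags, `Banque` and `Postale`, because YARA tags are space-separated identifiers; if a single tag was intended, as in the other six rules, write `rule PK_BanquePostale_Fiching : BanquePostale`. Separately, `uint32(0) == 0x04034b50` already asserts the local file header signature at offset 0, so `$zip_file and` can never change the outcome, and the comment "make sure we have a local file header" is attached to the redundant line rather than to the check that actually does it; either reword to `// ZIP local file header signature at offset 0 ($zip_file is kept only as a readable alias)` or drop both the `$zip_file` string and its condition line together, since YARA rejects a declared string that is never referenced. The same redundancy appears in PK_Correos_chilecc.yar, PK_Excel_venza.yar, PK_O365_kancha.yar, PK_SwissPost_mamouni.yar, PK_USBank_Unknown.yar and PK_WeTransfer_office.yar. The empty `reference = ""` meta is also repeated in every file; a source note or a blank-by-design comment would help the next analyst judge the rule's provenance.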
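--- a/PK_Correos_chilecc.yar
+++ b/PK_Correos_chilecc.yar
@@ -0,0 +1,25 @@
+rule PK_Correos_chileccc : Correos
+{
+meta:
+description = "Phishing Kit impersonating Correos de Costa Rica"
+licence = "GPL-3.0"
+author = "Thomas 'tAd' Damonneville"
+reference = ""
+date = "2021-08-03"
+comment = "Phishing Kit - Correos - 'CHILE CC :)'"
+
+strings:
+$zip_file = { 50 4b 03 04 }
+$spec_dir = "Autentisering_files"
+$spec_file1 = "auth2.php"
+$spec_file2 = "zlatan.php"
+$spec_file3 = "loader.gif"
+$spec_file4 = "ipv4.txt"
+condition:
+uint32(0) == 0x04034b50 and
+$zip_file and
+$spec_dir and
+// check for file
+all of ($spec_file*)
+}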
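Review bot: The rule identifier `PK_Correos_chileccc` (three c's) does not match the file name `PK_Correos_chilecc.yar` (two c's), which will make the rule hard to find from a match name and looks like a typo in one of the two; `rule PK_Correos_chilecc : Correos` would align them. The description names Correos de Costa Rica while the comment quotes 'CHILE CC :)', which presumably is a string found inside the kit rather than the impersonated brand — a short comment saying so would stop readers from assuming the two contradict each other. Unlike the other rules in this commit, the strings section carries no comments; at least `// specific directory found in PhishingKit` above `$spec_dir` would keep the files uniform.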
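--- a/PK_Excel_venza.yar
+++ b/PK_Excel_venza.yar
@@ -0,0 +1,30 @@
+rule PK_Excel_venza : Excel
+{
+meta:
+description = "Phishing Kit impersonating Excel page"
+licence = "GPL-3.0"
+author = "Thomas 'tAd' Damonneville"
+reference = ""
+date = "2021-08-02"
+comment = "Phishing Kit - Excel - 'CrEaTeD bY VeNzA'"
+
+strings:
+// the zipfile working on
+$zip_file = { 50 4b 03 04 }
+// specific directory found in PhishingKit
+$spec_dir = "video"
+// specific file found in PhishingKit
+$spec_file = "next.php"
+$spec_file2 = "excel-white.png"
+$spec_file3 = "excel.mp4"
+$spec_file4 = "email.php"
+condition:
+// look for the ZIP header
+uint32(0) == 0x04034b50 and
+// make sure we have a local file header
+$zip_file and
+$spec_dir and
+// check for file
+all of ($spec_file*)
+}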
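Review bot: `$spec_dir = "video"`, `$spec_file = "next.php"` and `$spec_file4 = "email.php"` are short, generic substrings that will occur in many unrelated archives, so the rule's discrimination rests almost entirely on `excel-white.png` and `excel.mp4`; a comment such as `// "video", "next.php" and "email.php" are generic; excel-white.png / excel.mp4 carry the match` would make that dependence explicit to whoever tunes the rule later. The string numbering also skips from `$spec_file` to `$spec_file2`, while PK_Correos_chilecc.yar and PK_O365_kancha.yar start at `$spec_file1`; `all of ($spec_file*)` tolerates this, but `$spec_file1 = "next.php"` would keep the set consistent across the commit.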
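--- a/PK_O365_kancha.yar
+++ b/PK_O365_kancha.yar
@@ -0,0 +1,25 @@
+rule PK_O365_kancha : Office365
+{
+meta:
+description = "Phishing Kit impersonating Office 365"
+licence = "GPL-3.0"
+author = "Thomas 'tAd' Damonneville"
+reference = ""
+date = "2021-08-03"
+comment = "Phishing Kit - Office 365 - kancha.php file into the phishing kit"
+
+strings:
+$zip_file = { 50 4b 03 04 }
+$spec_dir = "captcha"
+$spec_file1 = "kancha.php"
+$spec_file2 = "getting.php"
+$spec_file3 = "captcha.php"
+$spec_file4 = "font.ttf"
+condition:
+uint32(0) == 0x04034b50 and
+$zip_file and
+all of ($spec_dir*) and
+// check for file
+all of ($spec_file*)
+}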
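Review bot: `$spec_dir = "captcha"` is a substring of `$spec_file3 = "captcha.php"`, so whenever `all of ($spec_file*)` holds the directory check already holds and `all of ($spec_dir*)` adds no discrimination to the condition. If the directory is meant to be a separate signal, a longer form that cannot be satisfied by the file name alone is needed; otherwise a comment like `// "captcha" is implied by $spec_file3; kept for readability only` records that the redundancy is deliberate. This is also the only rule in the commit using `all of ($spec_dir*)` for a single string where the other six write `$spec_dir and`; either form works, but one convention across the repository is easier to review.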
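--- a/PK_SwissPost_mamouni.yar
+++ b/PK_SwissPost_mamouni.yar
@@ -0,0 +1,30 @@
+rule PK_SwissPost_mamouni : SwissPost
+{
+meta:
+description = "Phishing Kit impersonating Swiss Post"
+licence = "GPL-3.0"
+author = "Thomas 'tAd' Damonneville"
+reference = ""
+date = "2021-08-03"
+comment = "Phishing Kit - Swiss Post - by 'Imo Mamouni'"
+
+strings:
+// the zipfile working on
+$zip_file = { 50 4b 03 04 }
+// specific directory found in PhishingKit
+$spec_dir = "packeges"
+// specific file found in PhishingKit
+$spec_file = "no.html"
+$spec_file2 = "block_bot.txt"
+$spec_file3 = "ip.txt"
+$spec_file4 = "configuration.php"
+condition:
+// look for the ZIP header
+uint32(0) == 0x04034b50 and
+// make sure we have a local file header
+$zip_file and
+// check for file
+all of ($spec_file*) and
+$spec_dir
+}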
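Review bot: `$spec_dir = "packeges"` reads as a misspelling of "packages" and is presumably the kit's own directory name; without a note, a later cleanup is likely to "correct" it and silently break the rule, so add `// "packeges" is spelled as in the kit - do not correct` above the string. In the condition, `$spec_dir` is placed last and uncommented while the other rules test it before the file set; the order does not change the result, but a `// check for directory` comment above it would keep the condition self-describing like the rest of the commit.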
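--- a/PK_USBank_Unknown.yar
+++ b/PK_USBank_Unknown.yar
@@ -0,0 +1,30 @@
+rule PK_USBank_Unknown : USBank
+{
+meta:
+description = "Phishing Kit impersonating USBank"
+licence = "GPL-3.0"
+author = "Thomas 'tAd' Damonneville"
+reference = ""
+date = "2021-08-02"
+comment = "Phishing Kit - USBank - '-[ UnKnown ]-'"
+
+strings:
+// the zipfile working on
+$zip_file = { 50 4b 03 04 }
+// specific directory found in PhishingKit
+$spec_dir = "information_files"
+// specific file found in PhishingKit
+$spec_file = "gen_validatorv4.js.txt"
+$spec_file2 = "usbankDesktop.css"
+$spec_file3 = "information.htm"
+$spec_file4 = "log.php"
+condition:
+// look for the ZIP header
+uint32(0) == 0x04034b50 and
+// make sure we have a local file header
+$zip_file and
+$spec_dir and
+// check for file
+all of ($spec_file*)
+}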
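Review bot: `$spec_file = "gen_validatorv4.js.txt"` has a double extension that a reader will take for a typo; if the kit really ships the script under that name, say so with `// double extension is as shipped in the kit`. `$spec_dir = "information_files"` together with `$spec_file3 = "information.htm"` looks like the pair a browser's "save complete page" produces, which, if so, would also appear in a benign saved copy of the bank's page and not only in kits; `usbankDesktop.css` and `log.php` presumably carry the real discrimination, and a comment recording that assumption would help anyone assessing false-positive risk.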
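--- a/PK_WeTransfer_office.yar
+++ b/PK_WeTransfer_office.yar
@@ -0,0 +1,30 @@
+rule PK_WeTransfer_office : WeTransfer
+{
+meta:
+description = "Phishing Kit impersonating WeTransfer"
+licence = "GPL-3.0"
+author = "Thomas 'tAd' Damonneville"
+reference = ""
+date = "2021-08-04"
+comment = "Phishing Kit - WeTransfer - '$subject = New Wetransfer Office'"
+
+strings:
+// the zipfile working on
+$zip_file = { 50 4b 03 04 }
+// specific directory found in PhishingKit
+$spec_dir = "login"
+// specific file found in PhishingKit
+$spec_file = "core.php"
+$spec_file1 = "postLogin.php"
+$spec_file2 = "downloads.php"
+$spec_file3 = "robots.txt"
+condition:
+// look for the ZIP header
+uint32(0) == 0x04034b50 and
+// make sure we have a local file header
+$zip_file and
+// check for file
+$spec_dir and
+all of ($spec_file*)
+}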
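Review bot: The `// check for file` comment in the condition sits above `$spec_dir and`, which is the directory test, while the file test `all of ($spec_file*)` on the next line is the one left uncommented; write `// check for directory` / `$spec_dir and` / `// check for file` so each comment describes the line below it. `$spec_file3 = "robots.txt"` and `$spec_dir = "login"` are present in a large share of web content, so the match effectively depends on `core.php`, `postLogin.php` and `downloads.php`; noting that next to the strings would help when the rule is later tuned. The string names also run `$spec_file`, `$spec_file1`, `$spec_file2`, `$spec_file3`, a numbering that differs from every other rule in the commit.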
