forked from t4d/PhishingKit-Yara-Rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
10 changed files
with
285 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| rule PK_1and1_Ionos_mademen : one_and_one | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating IONOS by 1and1" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-08-13" | ||
| comment = "Phishing Kit - IONOS - 'MADEMEN CYBER TEAM'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific directory found in PhishingKit | ||
| $spec_dir = "demo_files" | ||
| // specific file found in PhishingKit | ||
| $spec_file = "demp.php" | ||
| $spec_file2 = "go.php" | ||
| $spec_file3 = "err.php" | ||
| $spec_file4 = "load.php" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| all of ($spec_dir*) and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| rule PK_1and1_Ionos_onlyone : one_and_one | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating IONOS by 1and1" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-08-12" | ||
| comment = "Phishing Kit - 1and1 - 'By The Only One'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific directory found in PhishingKit | ||
| $spec_dir = "img" | ||
| $spec_dir2 = ".well-known" | ||
| // specific file found in PhishingKit | ||
| $spec_file = "inpagelayer.css" | ||
| $spec_file2 = "apple-touch-icon.png" | ||
| $spec_file3 = "index.html" | ||
| $spec_file4 = "login.php" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| all of ($spec_dir*) and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| rule PK_ATT_dammy : ATandT | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating ATandT" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-08-12" | ||
| comment = "Phishing Kit - ATandT - 'Hacked By Opa Dammy'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific file found in PhishingKit | ||
| $spec_file = "Team.php" | ||
| $spec_file2 = "Indexxatt.htm" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| // check for file | ||
| $spec_file and | ||
| $spec_file2 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| rule PK_AdobePDF_venza2 : Adobe | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating Adobe PDF Online" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-08-13" | ||
| comment = "Phishing Kit - Adobe PDF Online - 'cReAtEd By VeNzA'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific directory found in PhishingKit | ||
| $spec_dir = "css" | ||
| $spec_dir1 = "images" | ||
| // specific file found in PhishingKit | ||
| $spec_file = "next.php" | ||
| $spec_file2 = "index.php" | ||
| $spec_file3 = "office3651.png" | ||
| $spec_file4 = "sharepoint-portals.svg" | ||
| $spec_file5 = "demo-page.css" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| all of ($spec_dir*) and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| rule PK_Amazon_xbalti : Amazon | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating Amazon" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-08-11" | ||
| comment = "Phishing Kit - Amazon - 'BY XBALTI'" | ||
|
|
||
| strings: | ||
| $zip_file = { 50 4b 03 04 } | ||
| $spec_dir = "XBALTI" | ||
| $spec_dir1 = "amazon" | ||
| $spec_file1 = "rezulta.php" | ||
| $spec_file2 = "check_bin.php" | ||
| $spec_file3 = "send_billing.php" | ||
| $spec_file4 = "antibots.php" | ||
| condition: | ||
| uint32(0) == 0x04034b50 and | ||
| $zip_file and | ||
| all of ($spec_dir*) and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| rule PK_Amex_codewizard : Amex | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating American Express" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-08-12" | ||
| comment = "Phishing Kit - Amex - '=+Codewizard+='" | ||
|
|
||
| strings: | ||
| $zip_file = { 50 4b 03 04 } | ||
| $spec_dir = "home" | ||
| $spec_file1 = "mm1.php" | ||
| $spec_file2 = "v.php" | ||
| $spec_file3 = "email2.php" | ||
| $spec_file4 = "enc.php" | ||
| condition: | ||
| uint32(0) == 0x04034b50 and | ||
| $zip_file and | ||
| $spec_dir and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| rule PK_BanquePostale_money : Banque Postale | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating la Banque Postale" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-08-12" | ||
| comment = "Phishing kit - Banque Postale - 'From: <[email protected]>'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific directory found in PhishingKit | ||
| $spec_dir = "config" | ||
| $spec_dir1 = "data" | ||
| // specific file found in PhishingKit | ||
| $spec_file = "trans.php" | ||
| $spec_file2 = "funcs.php" | ||
| $spec_file3 = "settings.php" | ||
| $spec_file4 = "cle-digitale.html" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| all of ($spec_dir*) and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| rule PK_MWeb_pak : MWeb | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating MWeb" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-08-12" | ||
| comment = "Phishing kit - MWeb - presence of a pakistani ip address in source code" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific directory found in PhishingKit | ||
| $spec_dir = "includes" | ||
| $spec_dir1 = "store" | ||
| // specific file found in PhishingKit | ||
| $spec_file = "config.php" | ||
| $spec_file2 = "user_details.php" | ||
| $spec_file3 = "mweb-custom.css" | ||
| $spec_file4 = "mweb-logo-2020-white.png" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| all of ($spec_dir*) and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| rule PK_Netease_papaz : Netease | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating Netease 163.com" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-08-12" | ||
| comment = "Phishing Kit - qiye.163.com - 'PAPAZ & SON'" | ||
|
|
||
| strings: | ||
| $zip_file = { 50 4b 03 04 } | ||
| $spec_dir = "img" | ||
| $spec_file1 = "bizmail1.php" | ||
| $spec_file2 = "next1.php" | ||
| $spec_file3 = "bizmail.php" | ||
| $spec_file4 = "qiyes.png" | ||
| condition: | ||
| uint32(0) == 0x04034b50 and | ||
| $zip_file and | ||
| $spec_dir and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| rule PK_O365_codespirit : Office365 | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating Office 365" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-08-13" | ||
| comment = "Phishing Kit - O365 - 'Created in CODE~SPIRIT'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific files found in PhishingKit | ||
| $spec_file = "ind.php" | ||
| $spec_file2 = "rst.htm" | ||
| $spec_file3 = "index.html" | ||
| $spec_file4 = "n.php" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |