forked from t4d/PhishingKit-Yara-Rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
136 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| rule PK_DHL_tare : DHL | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating DHL" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-08" | ||
| comment = "Phishing Kit - DHL - 'Created in 2014 By tare_ama'" | ||
|
|
||
| strings: | ||
| $zip_file = { 50 4b 03 04 } | ||
| $spec_dir = "DHL_files" | ||
| $spec_file1 = "deliveryform.php" | ||
| $spec_file2 = "DHL.php" | ||
| $spec_file3 = "tracking2.php" | ||
| $spec_file4 = "mailar222.txt" | ||
| condition: | ||
| uint32(0) == 0x04034b50 and | ||
| $zip_file and | ||
| $spec_dir and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| rule PK_DeutschePost_zabi : DeutschePost | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating DeutschePost" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-12" | ||
| comment = "Phishing Kit - DeutschePost - '. $zabi .'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| $spec_dir = "manage" | ||
| // specific file found in PhishingKit | ||
| $spec_file = "card.php" | ||
| $spec_file2 = "block3.php" | ||
| $spec_file3 = "1.css" | ||
| $spec_file4 = "proxyblock.php" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| $spec_dir and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| rule PK_O365_Priv9 : Office365 | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating Office 365" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-01-20" | ||
| comment = "Phishing Kit - O365 - code reuse from PK_O365_Priv8" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| // specific files found in PhishingKit | ||
| $spec_file = "pt.htm" | ||
| $spec_file2 = "ind.php" | ||
| $spec_file3 = "n.php" | ||
| $spec_file4 = "index.html" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| rule PK_Whatsapp_Arpantek : Whatsapp | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating Whatsapp" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-10" | ||
| comment = "Phishing Kit - Whatsapp - 'ARPANTEK'" | ||
|
|
||
| strings: | ||
| // the zipfile working on | ||
| $zip_file = { 50 4b 03 04 } | ||
| $spec_dir = "cgi-bin" | ||
| // specific file found in PhishingKit | ||
| $spec_file = "joining.php" | ||
| $spec_file2 = "email.php" | ||
| $spec_file3 = "fb_style.css" | ||
| $spec_file4 = "setting.php" | ||
| condition: | ||
| // look for the ZIP header | ||
| uint32(0) == 0x04034b50 and | ||
| // make sure we have a local file header | ||
| $zip_file and | ||
| $spec_dir and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| rule PK_XFinity_slim : XFinity | ||
| { | ||
| meta: | ||
| description = "Phishing Kit impersonating XFinity" | ||
| licence = "GPL-3.0" | ||
| author = "Thomas 'tAd' Damonneville" | ||
| reference = "" | ||
| date = "2021-04-13" | ||
| comment = "Phishing Kit - XFinity - 'Created By SLim'" | ||
|
|
||
| strings: | ||
| $zip_file = { 50 4b 03 04 } | ||
| $spec_dir = "Sign in to XFINITY_files" | ||
| $spec_file1 = "verify.php" | ||
| $spec_file2 = "1647526060x32.js" | ||
| $spec_file3 = "asc.txt" | ||
| condition: | ||
| uint32(0) == 0x04034b50 and | ||
| $zip_file and | ||
| $spec_dir and | ||
| // check for file | ||
| all of ($spec_file*) | ||
| } |