| 1 | +rule IQY_File_With_Suspicious_URL |
| 2 | +{ |
| 3 | + meta: |
| 4 | + Author = "InQuest Labs" |
| 5 | + Reference = "https://www.inquest.net/" |
| 6 | + Description = "Detects suspicious IQY Files using URLs associated with suspicious activity such as direct IP address URLs, URL shorteners, and file upload/download providers." |
| 7 | + Severity = "5" |
| 8 | + |
| 9 | + strings: |
| 10 | + /* |
| 11 | + match WEB on the first line of a file |
| 12 | + takes into account potential whitespace before or after case-insensitive "WEB" string |
| 13 | + */ |
| 14 | + $web =/^[ \t]*WEB[ \t]*(\x0A|\x0D\x0A)/ nocase |
| 15 | + |
| 16 | + /* match any http or https URL using a direct IP address */ |
| 17 | + $aa = /https?:\/\/((1?[0-9]{1,2}|25[0-5]|2[0-4][0-9])[.]){3}((1?[0-9]{1,2}|25[0-5]|2[0-4][0-9]))/ |
| 18 | + |
| 19 | + /* file upload/download providers */ |
| 20 | + $a2 = /https?:\/\/[^\.]*dropbox\.com\/sh?\// nocase |
| 21 | + $a4 = /https?:\/\/[^\.]*sendspace\.com\/./ nocase |
| 22 | + $a5 = /https?:\/\/[^\.]*bvp\.16mb\.com\/./ nocase |
| 23 | + $a6 = /https?:\/\/[^\.]*file\.io\/./ nocase |
| 24 | + $a7 = /https?:\/\/[^\.]*wetransfer\.com\/./ nocase |
| 25 | + $a8 = /https?:\/\/[^\.]*uploadcare\.com\/./ nocase |
| 26 | + $a9 = /https?:\/\/[^\.]*uploadfiles\.io\/./ nocase |
| 27 | + $a10 = /https?:\/\/[^\.]*filedropper\.com\/./ nocase |
| 28 | + $a11 = /https?:\/\/[^\.]*filefactory\.com\/./ nocase |
| 29 | + $a12 = /https?:\/\/[^\.]*doko\.moe\/./ nocase |
| 30 | + |
| 31 | + /* URL shorteners */ |
| 32 | + $a109 = /https?:\/\/(www\.)?a\.gd\/./ nocase |
| 33 | + $a110 = /https?:\/\/(www\.)?binged\.it\/./ nocase |
| 34 | + $a112 = /https?:\/\/(www\.)?budurl\.com\/./ nocase |
| 35 | + $a113 = /https?:\/\/(www\.)?chilp\.it\/./ nocase |
| 36 | + $a114 = /https?:\/\/(www\.)?cli\.gs\/./ nocase |
| 37 | + $a115 = /https?:\/\/(www\.)?fon\.gs\/./ nocase |
| 38 | + $a117 = /https?:\/\/(www\.)?fwd4\.me\/./ nocase |
| 39 | + $a118 = /https?:\/\/(www\.)?hex\.io\/./ nocase |
| 40 | + $a119 = /https?:\/\/(www\.)?hurl\.ws\/./ nocase |
| 41 | + $a120 = /https?:\/\/(www\.)?is\.gd\/./ nocase |
| 42 | + $a121 = /https?:\/\/(www\.)?kl\.am\/./ nocase |
| 43 | + $a122 = /https?:\/\/(www\.)?short\.ie\/./ nocase |
| 44 | + $a123 = /https?:\/\/(www\.)?short\.to\/./ nocase |
| 45 | + $a124 = /https?:\/\/(www\.)?sn\.im\/./ nocase |
| 46 | + $a125 = /https?:\/\/(www\.)?snipr\.com\/./ nocase |
| 47 | + $a126 = /https?:\/\/(www\.)?snipurl\.com\/./ nocase |
| 48 | + $a127 = /https?:\/\/(www\.)?snurl\.com\/./ nocase |
| 49 | + $a130 = /https?:\/\/(www\.)?to\.ly\/./ nocase |
| 50 | + $a131 = /https?:\/\/(www\.)?tr\.im\/./ nocase |
| 51 | + $a132 = /https?:\/\/(www\.)?tweetburner\.com\/./ nocase |
| 52 | + $a133 = /https?:\/\/(www\.)?twurl\.nl\/./ nocase |
| 53 | + $a134 = /https?:\/\/(www\.)?ub0\.cc\/./ nocase |
| 54 | + $a135 = /https?:\/\/(www\.)?ur1\.ca\/./ nocase |
| 55 | + $a136 = /https?:\/\/(www\.)?urlborg\.com\/./ nocase |
| 56 | + $a137 = /https?:\/\/(www\.)?tiny\.cc\/./ nocase |
| 57 | + $a138 = /https?:\/\/(www\.)?lc\.chat\/./ nocase |
| 58 | + $a139 = /https?:\/\/(www\.)?soo\.gd\/./ nocase |
| 59 | + $a140 = /https?:\/\/(www\.)?s2r\.co\/./ nocase |
| 60 | + $a141 = /https?:\/\/(www\.)?clicky\.me\/./ nocase |
| 61 | + $a142 = /https?:\/\/(www\.)?bv\.vc\/./ nocase |
| 62 | + $a143 = /https?:\/\/(www\.)?s\.id\/./ nocase |
| 63 | + $a144 = /https?:\/\/(www\.)?smarturl\.it\/./ nocase |
| 64 | + $a145 = /https?:\/\/(www\.)?tiny\.pl\/./ nocase |
| 65 | + $a146 = /https?:\/\/(www\.)?x\.co\/./ nocase |
| 66 | + |
| 67 | + condition: |
| 68 | + $web at 0 and 1 of ($a*) |
| 69 | +} |
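Review bot: The `^`-anchored `$web` string combined with `$web at 0` in the condition means the rule cannot fire on an IQY whose first bytes are a UTF-8 BOM or a UTF-16 encoding ahead of `WEB`; if Excel accepts such files (I believe it does, but confirm against a sample), that is a cheap miss, and relaxing the anchor to `$web in (0..3)` without the regex `^`, or adding a `wide` variant of the string, would close it. The `1 of ($a*)` condition silently depends on every URL indicator keeping the `$a` prefix — including `$aa`, whose name breaks the `$a<N>` convention used everywhere else — so a comment above `strings:` such as `/* every URL indicator must be named $a… — the condition relies on 1 of ($a*) */` would stop a future string added under another prefix from never being evaluated. The `[^\.]*` host prefix on the provider strings (`$a2`–`$a12`) also matches any host that merely ends in the provider name, which is fine for a hunting rule but worth stating in `Description` if the rule is meant to block.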