win.industroyer

Industroyer

aka: Crash, CrashOverride

Actor(s): ELECTRUM


Industroyer is a modular malware framework assessed to have been used in the cyberattack on Ukraine's power grid on December 17, 2016, which cut power to roughly a fifth of Kiev, the capital, for about one hour. It is the first known malware built specifically to attack electrical grids: rather than abusing generic IT functionality, its payload modules speak the grid control protocols IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA directly (the 101.dll, 104.dll, 61850.dll and OPCClientDemo.dll names in the rules below are those modules), so it can issue switching commands to substation equipment on its own once it reaches the control network.

References
2021-02-11 | DomainTools | Joe Slowik | Visibility, Monitoring, and Critical Infrastructure Security
@online{slowik:20210211:visibility:5d2f96e, author = {Joe Slowik}, title = {{Visibility, Monitoring, and Critical Infrastructure Security}}, date = {2021-02-11}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security}, language = {English}, urldate = {2021-02-20} }
Industroyer Stuxnet Triton
2020-12-21 | IronNet | Adam Hlavek, Kimberly Ortiz | Russian cyber attack campaigns and actors
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} }
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-11-12 | Dragos | Dragos | Cyber Threat Perspective MANUFACTURING SECTOR
@techreport{dragos:20201112:cyber:cf5b4fd, author = {Dragos}, title = {{Cyber Threat Perspective MANUFACTURING SECTOR}}, date = {2020-11-12}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf}, language = {English}, urldate = {2020-11-18} }
Industroyer Snake
2020-10-19 | UK Government | Foreign, Commonwealth & Development Office, Dominic Raab | UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
@online{office:20201019:uk:7ead390, author = {{Foreign, Commonwealth & Development Office} and Dominic Raab}, title = {{UK exposes series of Russian cyber attacks against Olympic and Paralympic Games}}, date = {2020-10-19}, organization = {UK Government}, url = {https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games}, language = {English}, urldate = {2020-10-23} }
elf.vpnfilter BlackEnergy EternalPetya Industroyer
2020-10-19 | Riskint Blog | Curtis | Revisited: Fancy Bear's New Faces...and Sandworms' too
@online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} }
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-01-31 | Virus Bulletin | Michal Poslušný, Peter Kálnai | Rich Headers: leveraging this mysterious artifact of the PE format
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} }
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020-01 | Dragos | Joe Slowik | Threat Intelligence and the Limits of Malware Analysis
@techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} }
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2020 | Secureworks | SecureWorks | IRON VIKING
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} }
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2018-10-11 | ESET Research | Anton Cherepanov, Robert Lipovsky | New TeleBots backdoor: First evidence linking Industroyer to NotPetya
@online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} }
Exaramel EternalPetya Exaramel Industroyer
2017-10-05 | Virus Bulletin | Anton Cherepanov, Robert Lipovsky | Industroyer: Biggest threat to industrial control systems since Stuxnet
@online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} }
Industroyer
2017-07-04 | Wikipedia | Various | Industroyer
@online{various:20170704:industroyer:54eba4d, author = {Various}, title = {{Industroyer}}, date = {2017-07-04}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Industroyer}, language = {English}, urldate = {2020-01-08} }
Industroyer
2017-06-13 | Dragos | Dragos | CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations
@techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} }
Industroyer ELECTRUM Sandworm
2017-06-12 | ESET Research | Anton Cherepanov, Robert Lipovsky | Industroyer: Biggest threat to industrial control systems since Stuxnet
@online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} }
Industroyer
2017-06-12 | ESET Research | Anton Cherepanov | WIN32/INDUSTROYER: A new threat for industrial control systems
@techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} }
Industroyer ELECTRUM
Yara Rules
[TLP:WHITE] win_industroyer_auto (20210616 | Detects win.industroyer.)
rule win_industroyer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.industroyer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff7310 ff15???????? 8bf8 8d85a0fdffff 6804010000 }
            // n = 6, score = 600
            //   50                   | push                eax
            //   ff7310               | push                dword ptr [ebx + 0x10]
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   8d85a0fdffff         | lea                 eax, dword ptr [ebp - 0x260]
            //   6804010000           | push                0x104

        $sequence_1 = { ff7508 33db 8bfb e8???????? 59 53 53 }
            // n = 7, score = 600
            //   ff7508               | push                dword ptr [ebp + 8]
            //   33db                 | xor                 ebx, ebx
            //   8bfb                 | mov                 edi, ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_2 = { 8d771c 56 e8???????? 8365f800 8d45f4 59 6a00 }
            // n = 7, score = 600
            //   8d771c               | lea                 esi, dword ptr [edi + 0x1c]
            //   56                   | push                esi
            //   e8????????           |                     
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   59                   | pop                 ecx
            //   6a00                 | push                0

        $sequence_3 = { 0f45c2 50 57 57 57 57 68???????? }
            // n = 7, score = 600
            //   0f45c2               | cmovne              eax, edx
            //   50                   | push                eax
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   68????????           |                     

        $sequence_4 = { 83ec30 56 57 8d45f8 33ff }
            // n = 5, score = 600
            //   83ec30               | sub                 esp, 0x30
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d45f8               | lea                 eax, dword ptr [ebp - 8]
            //   33ff                 | xor                 edi, edi

        $sequence_5 = { 50 ff15???????? 33c9 a3???????? 41 }
            // n = 5, score = 600
            //   50                   | push                eax
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   a3????????           |                     
            //   41                   | inc                 ecx

        $sequence_6 = { 6a00 6880000000 6a02 50 53 }
            // n = 5, score = 600
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a02                 | push                2
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_7 = { ffd7 03c0 50 53 56 e8???????? }
            // n = 6, score = 600
            //   ffd7                 | call                edi
            //   03c0                 | add                 eax, eax
            //   50                   | push                eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_8 = { b900100000 0f46f9 57 e8???????? }
            // n = 4, score = 400
            //   b900100000           | mov                 ecx, 0x1000
            //   0f46f9               | cmovbe              edi, ecx
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_9 = { 8b0c9550304100 8844192e 8b049550304100 804c182d04 ff4604 eb08 }
            // n = 6, score = 400
            //   8b0c9550304100       | mov                 ecx, dword ptr [edx*4 + 0x413050]
            //   8844192e             | mov                 byte ptr [ecx + ebx + 0x2e], al
            //   8b049550304100       | mov                 eax, dword ptr [edx*4 + 0x413050]
            //   804c182d04           | or                  byte ptr [eax + ebx + 0x2d], 4
            //   ff4604               | inc                 dword ptr [esi + 4]
            //   eb08                 | jmp                 0xa

        $sequence_10 = { e8???????? 59 83cfff 897de4 8365fc00 8b049d50304100 8b4de0 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83cfff               | or                  edi, 0xffffffff
            //   897de4               | mov                 dword ptr [ebp - 0x1c], edi
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8b049d50304100       | mov                 eax, dword ptr [ebx*4 + 0x413050]
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]

        $sequence_11 = { 6a03 6a00 6a02 8bf9 6800000040 57 }
            // n = 6, score = 400
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   8bf9                 | mov                 edi, ecx
            //   6800000040           | push                0x40000000
            //   57                   | push                edi

        $sequence_12 = { 56 ff15???????? 8b8c2474040000 5f 5e 5b }
            // n = 6, score = 400
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b8c2474040000       | mov                 ecx, dword ptr [esp + 0x474]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_13 = { 33c5 8945fc 0f1005???????? a1???????? 56 }
            // n = 5, score = 400
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   0f1005????????       |                     
            //   a1????????           |                     
            //   56                   | push                esi

        $sequence_14 = { 8bfe 83e03f c1ff06 6bd830 8b04bd50304100 f644032801 7444 }
            // n = 7, score = 400
            //   8bfe                 | mov                 edi, esi
            //   83e03f               | and                 eax, 0x3f
            //   c1ff06               | sar                 edi, 6
            //   6bd830               | imul                ebx, eax, 0x30
            //   8b04bd50304100       | mov                 eax, dword ptr [edi*4 + 0x413050]
            //   f644032801           | test                byte ptr [ebx + eax + 0x28], 1
            //   7444                 | je                  0x46

        $sequence_15 = { 8934b8 8bc7 83e03f 6bc830 8b049550304100 8b440818 }
            // n = 6, score = 400
            //   8934b8               | mov                 dword ptr [eax + edi*4], esi
            //   8bc7                 | mov                 eax, edi
            //   83e03f               | and                 eax, 0x3f
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b049550304100       | mov                 eax, dword ptr [edx*4 + 0x413050]
            //   8b440818             | mov                 eax, dword ptr [eax + ecx + 0x18]

        $sequence_16 = { ff742414 ff15???????? 85c0 7595 ff742410 ff15???????? }
            // n = 6, score = 400
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7595                 | jne                 0xffffff97
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   ff15????????         |                     

        $sequence_17 = { 0f1005???????? 6802000080 0f1145d0 ff15???????? 85c0 }
            // n = 5, score = 400
            //   0f1005????????       |                     
            //   6802000080           | push                0x80000002
            //   0f1145d0             | movups              xmmword ptr [ebp - 0x30], xmm0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_18 = { ff15???????? 8bd8 85db 0f849d000000 8d85d0fdffff c785d0fdffff2c020000 50 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   0f849d000000         | je                  0xa3
            //   8d85d0fdffff         | lea                 eax, dword ptr [ebp - 0x230]
            //   c785d0fdffff2c020000     | mov    dword ptr [ebp - 0x230], 0x22c
            //   50                   | push                eax

        $sequence_19 = { c1f906 6bf030 03348d50304100 837e18ff 740c }
            // n = 5, score = 400
            //   c1f906               | sar                 ecx, 6
            //   6bf030               | imul                esi, eax, 0x30
            //   03348d50304100       | add                 esi, dword ptr [ecx*4 + 0x413050]
            //   837e18ff             | cmp                 dword ptr [esi + 0x18], -1
            //   740c                 | je                  0xe

        $sequence_20 = { 8bc1 c1f806 83e13f 6bc930 53 8b5d10 8b048550304100 }
            // n = 7, score = 400
            //   8bc1                 | mov                 eax, ecx
            //   c1f806               | sar                 eax, 6
            //   83e13f               | and                 ecx, 0x3f
            //   6bc930               | imul                ecx, ecx, 0x30
            //   53                   | push                ebx
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]
            //   8b048550304100       | mov                 eax, dword ptr [eax*4 + 0x413050]

        $sequence_21 = { 8b048550304100 56 8b7508 57 8b4c0818 8b4514 832600 }
            // n = 7, score = 400
            //   8b048550304100       | mov                 eax, dword ptr [eax*4 + 0x413050]
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8b4c0818             | mov                 ecx, dword ptr [eax + ecx + 0x18]
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   832600               | and                 dword ptr [esi], 0

        $sequence_22 = { c1f906 6bd730 8b0c8d50304100 c644112800 85f6 740c }
            // n = 6, score = 400
            //   c1f906               | sar                 ecx, 6
            //   6bd730               | imul                edx, edi, 0x30
            //   8b0c8d50304100       | mov                 ecx, dword ptr [ecx*4 + 0x413050]
            //   c644112800           | mov                 byte ptr [ecx + edx + 0x28], 0
            //   85f6                 | test                esi, esi
            //   740c                 | je                  0xe

        $sequence_23 = { 50 6802000080 ff15???????? 85c0 751b 6a02 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   751b                 | jne                 0x1d
            //   6a02                 | push                2

        $sequence_24 = { 8bc6 8bd6 83e03f c1fa06 6bc830 8b0495d01f0210 }
            // n = 6, score = 200
            //   8bc6                 | mov                 eax, esi
            //   8bd6                 | mov                 edx, esi
            //   83e03f               | and                 eax, 0x3f
            //   c1fa06               | sar                 edx, 6
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b0495d01f0210       | mov                 eax, dword ptr [edx*4 + 0x10021fd0]

        $sequence_25 = { 7e15 80e90a 8d460a 894210 }
            // n = 4, score = 200
            //   7e15                 | jle                 0x17
            //   80e90a               | sub                 cl, 0xa
            //   8d460a               | lea                 eax, dword ptr [esi + 0xa]
            //   894210               | mov                 dword ptr [edx + 0x10], eax

        $sequence_26 = { 8985ecfffeff 8bc8 c745fc00000000 e8???????? c745fcffffffff }
            // n = 5, score = 200
            //   8985ecfffeff         | mov                 dword ptr [ebp - 0x10014], eax
            //   8bc8                 | mov                 ecx, eax
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   e8????????           |                     
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff

        $sequence_27 = { 8bca 32d2 83e103 f3a4 53 8d4c2434 e8???????? }
            // n = 7, score = 200
            //   8bca                 | mov                 ecx, edx
            //   32d2                 | xor                 dl, dl
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   53                   | push                ebx
            //   8d4c2434             | lea                 ecx, dword ptr [esp + 0x34]
            //   e8????????           |                     

        $sequence_28 = { 83e03f 6bd030 895de4 8b049dd01f0210 8945d4 }
            // n = 5, score = 200
            //   83e03f               | and                 eax, 0x3f
            //   6bd030               | imul                edx, eax, 0x30
            //   895de4               | mov                 dword ptr [ebp - 0x1c], ebx
            //   8b049dd01f0210       | mov                 eax, dword ptr [ebx*4 + 0x10021fd0]
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax

        $sequence_29 = { 83c801 85c0 0fb6db b808000000 b9???????? 0f44d8 }
            // n = 6, score = 200
            //   83c801               | or                  eax, 1
            //   85c0                 | test                eax, eax
            //   0fb6db               | movzx               ebx, bl
            //   b808000000           | mov                 eax, 8
            //   b9????????           |                     
            //   0f44d8               | cmove               ebx, eax

        $sequence_30 = { 8d45dc 0f1005???????? 884dec 8bce }
            // n = 4, score = 200
            //   8d45dc               | lea                 eax, dword ptr [ebp - 0x24]
            //   0f1005????????       |                     
            //   884dec               | mov                 byte ptr [ebp - 0x14], cl
            //   8bce                 | mov                 ecx, esi

        $sequence_31 = { c6400c00 c640140a c7401000000000 894604 }
            // n = 4, score = 200
            //   c6400c00             | mov                 byte ptr [eax + 0xc], 0
            //   c640140a             | mov                 byte ptr [eax + 0x14], 0xa
            //   c7401000000000       | mov                 dword ptr [eax + 0x10], 0
            //   894604               | mov                 dword ptr [esi + 4], eax

        $sequence_32 = { 59 99 f7f9 8d4db8 }
            // n = 4, score = 100
            //   59                   | pop                 ecx
            //   99                   | cdq                 
            //   f7f9                 | idiv                ecx
            //   8d4db8               | lea                 ecx, dword ptr [ebp - 0x48]

        $sequence_33 = { 68b0000000 8b00 8945f4 8b450c 8b00 }
            // n = 5, score = 100
            //   68b0000000           | push                0xb0
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_34 = { c745b440ac4400 8b45e4 8945b8 8b45e8 }
            // n = 4, score = 100
            //   c745b440ac4400       | mov                 dword ptr [ebp - 0x4c], 0x44ac40
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]

        $sequence_35 = { 51 8d3441 56 53 8d8d50fdffff }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   8d3441               | lea                 esi, dword ptr [ecx + eax*2]
            //   56                   | push                esi
            //   53                   | push                ebx
            //   8d8d50fdffff         | lea                 ecx, dword ptr [ebp - 0x2b0]

        $sequence_36 = { 8b7d10 3bf7 7438 85db 7434 8b4304 }
            // n = 6, score = 100
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   3bf7                 | cmp                 esi, edi
            //   7438                 | je                  0x3a
            //   85db                 | test                ebx, ebx
            //   7434                 | je                  0x36
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]

        $sequence_37 = { 33c0 40 59 8d7b10 894304 894308 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   59                   | pop                 ecx
            //   8d7b10               | lea                 edi, dword ptr [ebx + 0x10]
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   894308               | mov                 dword ptr [ebx + 8], eax

        $sequence_38 = { 0f86f7020000 8d4e30 8d4630 51 ff7104 8d8db0feffff ff30 }
            // n = 7, score = 100
            //   0f86f7020000         | jbe                 0x2fd
            //   8d4e30               | lea                 ecx, dword ptr [esi + 0x30]
            //   8d4630               | lea                 eax, dword ptr [esi + 0x30]
            //   51                   | push                ecx
            //   ff7104               | push                dword ptr [ecx + 4]
            //   8d8db0feffff         | lea                 ecx, dword ptr [ebp - 0x150]
            //   ff30                 | push                dword ptr [eax]

        $sequence_39 = { 83b8a800000000 7512 8b04bd58984500 807c302900 }
            // n = 4, score = 100
            //   83b8a800000000       | cmp                 dword ptr [eax + 0xa8], 0
            //   7512                 | jne                 0x14
            //   8b04bd58984500       | mov                 eax, dword ptr [edi*4 + 0x459858]
            //   807c302900           | cmp                 byte ptr [eax + esi + 0x29], 0

    condition:
        7 of them and filesize < 983040
}
[TLP:WHITE] win_industroyer_w0   (20170615 | CRASHOVERRIDE v1 Suspicious Export)
import "pe"

rule win_industroyer_w0 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    condition:
        // The published condition was `pe.exports("Crash") & pe.characteristics`: a bitwise
        // AND of the export check (0 or 1) with the COFF Characteristics word, which is only
        // non-zero when IMAGE_FILE_RELOCS_STRIPPED (bit 0) happens to be set, so the rule
        // missed most DLLs. The evident intent, "exports 'Crash' and is a DLL", spelled out:
        pe.exports("Crash") and (pe.characteristics & pe.DLL) != 0
}
[TLP:WHITE] win_industroyer_w1   (20170615 | CRASHOVERRIDE v1 Wiper)
import "pe"

rule win_industroyer_w1 {
    meta:
        description = "CRASHOVERRIDE v1 Wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "SYS_BASCON.COM" fullword nocase wide
        $s1 = ".pcmp" fullword nocase wide
        $s2 = ".pcmi" fullword nocase wide
        $s3 = ".pcmt" fullword nocase wide
        $s4 = ".cin" fullword nocase wide
        
    condition:
        pe.exports("Crash") and any of ($s*)
}
[TLP:WHITE] win_industroyer_w2   (20170615 | CRASHOVERRIDE v1 Suspicious Strings and Export)
import "pe"

rule win_industroyer_w2 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "101.dll" fullword nocase wide
        $s1 = "Crash101.dll" fullword nocase wide
        $s2 = "104.dll" fullword nocase wide
        $s3 = "Crash104.dll" fullword nocase wide
        $s4 = "61850.dll" fullword nocase wide
        $s5 = "Crash61850.dll" fullword nocase wide
        $s6 = "OPCClientDemo.dll" fullword nocase wide
        $s7 = "OPC" fullword nocase wide
        $s8 = "CrashOPCClientDemo.dll" fullword nocase wide
        $s9 = "D2MultiCommService.exe" fullword nocase wide
        $s10 = "CrashD2MultiCommService.exe" fullword nocase wide
        $s11 = "61850.exe" fullword nocase wide
        $s12 = "OPC.exe" fullword nocase wide
        $s13 = "haslo.exe" fullword nocase wide
        $s14 = "haslo.dat" fullword nocase wide
    condition:
        any of ($s*) and pe.exports("Crash")
}
[TLP:WHITE] win_industroyer_w3   (20170615 | IEC-104 Interaction Module Program Strings)
rule win_industroyer_w3 {
    meta:
        description = "IEC-104 Interaction Module Program Strings"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii
        $s2 = " MSTR ->> SLV" nocase wide ascii
        $s3 = " MSTR <<- SLV" nocase wide ascii
        $s4 = "Unknown APDU format !!!" nocase wide ascii
        $s5 = "iec104.log" nocase wide ascii
    condition:
        any of ($s*)
}
[TLP:WHITE] win_industroyer_w4   (20170615 | CRASHOVERRIDE v1 Config File Parsing)
rule win_industroyer_w4 {
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
        $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
        $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
        $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w5   (20170615 | Blank mutex creation associated with CRASHOVERRIDE)
rule win_industroyer_w5 {
    meta:
        description = "Blank mutex creation associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }
        $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w6   (20170615 | Identify service hollowing and persistence setting)
rule win_industroyer_w6 {
    meta:
        description = "Identify service hollowing and persistence setting"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }
        $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w7   (20170615 | Registry Wiper functionality associated with CRASHOVERRIDE)
rule win_industroyer_w7 {
    meta:
        description = "Registry Wiper functionality associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/industroyer/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }
        $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }
        $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w8   (20170615 | File manipulation actions associated with CRASHOVERRIDE wiper)
rule win_industroyer_w8 {
    meta:
        description = "File manipulation actions associated with CRASHOVERRIDE wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }
        $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }
    condition:
        all of them
}