Industroyer (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.industroyer (Back to overview)

Industroyer

aka: Crash, CrashOverride

Actor(s): ELECTRUM

VTCollection

Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.

References

2024-04-16 ⋅ Mandiant ⋅ Alden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie Aytes, Nick Simonian, Ryan Hall, Tyler McLellan
APT44: Unearthing Sandworm
VPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic Destroyer PartyTicket RoarBAT Sandworm

2024-04-15 ⋅ UC Santa Cruz ⋅ Alonso Rojas, Alvaro A. Cardenas, Bing Huang, Emmanuele Zambon, Juan Lozano, Keerthi Koneru, Luis Salazar, Marina Krotofil, Ross Baldick, Sebastian R. Castro
A Tale of Two Industroyers: It was the Season of Darkness
Industroyer INDUSTROYER2

2022-07-26 ⋅ Mandiant ⋅ Daniel Kapellmann Zafra, Jay Christiansen, Keith Lunden, Ken Proska, Thibault van Geluwe de Berlaere
Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton

2022-04-20 ⋅ CISA ⋅ CISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet

2022-04-20 ⋅ CISA ⋅ Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader

2022-04-12 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2

2022-04-12 ⋅ ESET Research ⋅ ESET Research
Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2

2022-02-24 ⋅ Tesorion ⋅ TESORION
Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate

2022-02-24 ⋅ nviso ⋅ Michel Coene
Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate

2021-02-11 ⋅ DomainTools ⋅ Joe Slowik
Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton

2020-12-21 ⋅ IronNet ⋅ Adam Hlavek, Kimberly Ortiz
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess

2020-11-12 ⋅ Dragos ⋅ Dragos
Cyber Threat Perspective MANUFACTURING SECTOR
Industroyer Snake

2020-10-19 ⋅ UK Government ⋅ Dominic Raab, ForeignCommonwealth & Development Office
UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer

2020-10-19 ⋅ Riskint Blog ⋅ Curtis
Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer

2020-01-31 ⋅ Virus Bulletin ⋅ Michal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot

2020-01-01 ⋅ Dragos ⋅ Joe Slowik
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor

2018-10-11 ⋅ ESET Research ⋅ Anton Cherepanov, Robert Lipovsky
New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer

2017-10-05 ⋅ Virus Bulletin ⋅ Anton Cherepanov, Robert Lipovsky
Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer

2017-07-04 ⋅ Wikipedia ⋅ Various
Industroyer
Industroyer

2017-06-13 ⋅ Dragos ⋅ Dragos
CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations
Industroyer Sandworm

2017-06-12 ⋅ ESET Research ⋅ Anton Cherepanov
WIN32/INDUSTROYER: A new threat for industrial control systems
Industroyer Sandworm

2017-06-12 ⋅ ESET Research ⋅ Anton Cherepanov, Robert Lipovsky
Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer

Yara Rules

[TLP:WHITE] win_industroyer_auto (20251219 \| Detects win.industroyer.) rule win_industroyer_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-01-05" version = "1" description = "Detects win.industroyer." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_rule_date = "20260105" malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" malpedia_version = "20251219" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 53 ff75fc e8???????? 57 e8???????? 83c414 56 } // n = 7, score = 600 // 53 \| push ebx // ff75fc \| push dword ptr [ebp - 4] // e8???????? \| // 57 \| push edi // e8???????? \| // 83c414 \| add esp, 0x14 // 56 \| push esi $sequence_1 = { 8d85f8fdffff 56 be04010000 56 50 68???????? } // n = 6, score = 600 // 8d85f8fdffff \| lea eax, [ebp - 0x208] // 56 \| push esi // be04010000 \| mov esi, 0x104 // 56 \| push esi // 50 \| push eax // 68???????? \| $sequence_2 = { 8d45f4 50 56 57 53 ff15???????? 037df4 } // n = 7, score = 600 // 8d45f4 \| lea eax, [ebp - 0xc] // 50 \| push eax // 56 \| push esi // 57 \| push edi // 53 \| push ebx // ff15???????? \| // 037df4 \| add edi, dword ptr [ebp - 0xc] $sequence_3 = { 53 ffd6 53 e8???????? 59 85c0 } // n = 6, score = 600 // 53 \| push ebx // ffd6 \| call esi // 53 \| push ebx // e8???????? \| // 59 \| pop ecx // 85c0 \| test eax, eax $sequence_4 = { 68???????? 56 56 ff15???????? 57 8bf0 e8???????? } // n = 7, score = 600 // 68???????? \| // 56 \| push esi // 56 \| push esi // ff15???????? \| // 57 \| push edi // 8bf0 \| mov esi, eax // e8???????? \| $sequence_5 = { 50 6a02 56 e8???????? ff7710 6a03 56 } // n = 7, score = 600 // 50 \| push eax // 6a02 \| push 2 // 56 \| push esi // e8???????? \| // ff7710 \| push dword ptr [edi + 0x10] // 6a03 \| push 3 // 56 \| push esi $sequence_6 = { 8d45a8 33f6 57 50 e8???????? } // n = 5, score = 600 // 8d45a8 \| lea eax, [ebp - 0x58] // 33f6 \| xor esi, esi // 57 \| push edi // 50 \| push eax // e8???????? \| $sequence_7 = { 51 50 56 57 ff15???????? 56 e8???????? } // n = 7, score = 600 // 51 \| push ecx // 50 \| push eax // 56 \| push esi // 57 \| push edi // ff15???????? \| // 56 \| push esi // e8???????? \| $sequence_8 = { 6a02 ff15???????? 8bd8 85db 0f849d000000 8d85d0fdffff c785d0fdffff2c020000 } // n = 7, score = 400 // 6a02 \| push 2 // ff15???????? \| // 8bd8 \| mov ebx, eax // 85db \| test ebx, ebx // 0f849d000000 \| je 0xa3 // 8d85d0fdffff \| lea eax, [ebp - 0x230] // c785d0fdffff2c020000 \| mov dword ptr [ebp - 0x230], 0x22c $sequence_9 = { ff15???????? 89849da0efffff 83c604 43 81fe88000000 7291 } // n = 6, score = 400 // ff15???????? \| // 89849da0efffff \| mov dword ptr [ebp + ebx4 - 0x1060], eax // 83c604 \| add esi, 4 // 43 \| inc ebx // 81fe88000000 \| cmp esi, 0x88 // 7291 \| jb 0xffffff93 $sequence_10 = { 8b35???????? 0f1f00 f644241810 7451 } // n = 4, score = 400 // 8b35???????? \| // 0f1f00 \| nop dword ptr [eax] // f644241810 \| test byte ptr [esp + 0x18], 0x10 // 7451 \| je 0x53 $sequence_11 = { e8???????? 83c404 33c0 eb19 8d8d90efffff 51 } // n = 6, score = 400 // e8???????? \| // 83c404 \| add esp, 4 // 33c0 \| xor eax, eax // eb19 \| jmp 0x1b // 8d8d90efffff \| lea ecx, [ebp - 0x1070] // 51 \| push ecx $sequence_12 = { 81ec6c040000 a1???????? 33c4 89842468040000 53 8b1d???????? } // n = 6, score = 400 // 81ec6c040000 \| sub esp, 0x46c // a1???????? \| // 33c4 \| xor eax, esp // 89842468040000 \| mov dword ptr [esp + 0x468], eax // 53 \| push ebx // 8b1d???????? \| $sequence_13 = { 8b35???????? 39bdd8fdffff 741f 8d85d0fdffff 50 53 } // n = 6, score = 400 // 8b35???????? \| // 39bdd8fdffff \| cmp dword ptr [ebp - 0x228], edi // 741f \| je 0x21 // 8d85d0fdffff \| lea eax, [ebp - 0x230] // 50 \| push eax // 53 \| push ebx $sequence_14 = { 6800020000 8d85a0fbffff 50 56 ffb59cf3ffff ff15???????? 8b3d???????? } // n = 7, score = 400 // 6800020000 \| push 0x200 // 8d85a0fbffff \| lea eax, [ebp - 0x460] // 50 \| push eax // 56 \| push esi // ffb59cf3ffff \| push dword ptr [ebp - 0xc64] // ff15???????? \| // 8b3d???????? \| $sequence_15 = { 0f847bffffff ffb59cf3ffff ffd7 8b4dfc 5f 33cd } // n = 6, score = 400 // 0f847bffffff \| je 0xffffff81 // ffb59cf3ffff \| push dword ptr [ebp - 0xc64] // ffd7 \| call edi // 8b4dfc \| mov ecx, dword ptr [ebp - 4] // 5f \| pop edi // 33cd \| xor ecx, ebp $sequence_16 = { 89442444 8b442418 89442440 8d44243c 50 } // n = 5, score = 200 // 89442444 \| mov dword ptr [esp + 0x44], eax // 8b442418 \| mov eax, dword ptr [esp + 0x18] // 89442440 \| mov dword ptr [esp + 0x40], eax // 8d44243c \| lea eax, [esp + 0x3c] // 50 \| push eax $sequence_17 = { 8bcb 50 e8???????? 83c408 8d95d8fffeff 8bf0 } // n = 6, score = 200 // 8bcb \| mov ecx, ebx // 50 \| push eax // e8???????? \| // 83c408 \| add esp, 8 // 8d95d8fffeff \| lea edx, [ebp - 0x10028] // 8bf0 \| mov esi, eax $sequence_18 = { c745e0d4ff4000 e9???????? c745dc03000000 c745e0e0ff4000 e9???????? 83e80f 7451 } // n = 7, score = 200 // c745e0d4ff4000 \| mov dword ptr [ebp - 0x20], 0x40ffd4 // e9???????? \| // c745dc03000000 \| mov dword ptr [ebp - 0x24], 3 // c745e0e0ff4000 \| mov dword ptr [ebp - 0x20], 0x40ffe0 // e9???????? \| // 83e80f \| sub eax, 0xf // 7451 \| je 0x53 $sequence_19 = { eb07 8b0cc5dc084100 894de4 85c9 } // n = 4, score = 200 // eb07 \| jmp 9 // 8b0cc5dc084100 \| mov ecx, dword ptr [eax8 + 0x4108dc] // 894de4 \| mov dword ptr [ebp - 0x1c], ecx // 85c9 \| test ecx, ecx $sequence_20 = { 7417 68???????? 50 ff15???????? 85c0 7407 6a00 } // n = 7, score = 200 // 7417 \| je 0x19 // 68???????? \| // 50 \| push eax // ff15???????? \| // 85c0 \| test eax, eax // 7407 \| je 9 // 6a00 \| push 0 $sequence_21 = { 7464 68???????? ff35???????? c705????????01000000 c705????????04000000 c705????????00000000 c705????????00000000 } // n = 7, score = 200 // 7464 \| je 0x66 // 68???????? \| // ff35???????? \| // c705????????01000000 \| // c705????????04000000 \| // c705????????00000000 \| // c705????????00000000 \| $sequence_22 = { 80480c01 eb04 80600cfe 807d1000 8b4604 } // n = 5, score = 200 // 80480c01 \| or byte ptr [eax + 0xc], 1 // eb04 \| jmp 6 // 80600cfe \| and byte ptr [eax + 0xc], 0xfe // 807d1000 \| cmp byte ptr [ebp + 0x10], 0 // 8b4604 \| mov eax, dword ptr [esi + 4] $sequence_23 = { 8b4508 dd00 ebc6 c745e0e8ff4000 e9???????? c745e0f0ff4000 e9???????? } // n = 7, score = 200 // 8b4508 \| mov eax, dword ptr [ebp + 8] // dd00 \| fld qword ptr [eax] // ebc6 \| jmp 0xffffffc8 // c745e0e8ff4000 \| mov dword ptr [ebp - 0x20], 0x40ffe8 // e9???????? \| // c745e0f0ff4000 \| mov dword ptr [ebp - 0x20], 0x40fff0 // e9???????? \| $sequence_24 = { 8b34cd18c20110 8b4d08 6a5a 2bce 5b 0fb70431 663bc7 } // n = 7, score = 200 // 8b34cd18c20110 \| mov esi, dword ptr [ecx8 + 0x1001c218] // 8b4d08 \| mov ecx, dword ptr [ebp + 8] // 6a5a \| push 0x5a // 2bce \| sub ecx, esi // 5b \| pop ebx // 0fb70431 \| movzx eax, word ptr [ecx + esi] // 663bc7 \| cmp ax, di $sequence_25 = { 75f9 8d7c2430 2bd6 4f 8a4701 47 84c0 } // n = 7, score = 200 // 75f9 \| jne 0xfffffffb // 8d7c2430 \| lea edi, [esp + 0x30] // 2bd6 \| sub edx, esi // 4f \| dec edi // 8a4701 \| mov al, byte ptr [edi + 1] // 47 \| inc edi // 84c0 \| test al, al $sequence_26 = { 8945dc 8b1c9dd01f0210 895de0 f6441a2848 8b5d08 0f84ce000000 } // n = 6, score = 200 // 8945dc \| mov dword ptr [ebp - 0x24], eax // 8b1c9dd01f0210 \| mov ebx, dword ptr [ebx*4 + 0x10021fd0] // 895de0 \| mov dword ptr [ebp - 0x20], ebx // f6441a2848 \| test byte ptr [edx + ebx + 0x28], 0x48 // 8b5d08 \| mov ebx, dword ptr [ebp + 8] // 0f84ce000000 \| je 0xd4 $sequence_27 = { c7825402000000000000 c7825802000000000000 8b8350020000 898250020000 8b8354020000 } // n = 5, score = 200 // c7825402000000000000 \| mov dword ptr [edx + 0x254], 0 // c7825802000000000000 \| mov dword ptr [edx + 0x258], 0 // 8b8350020000 \| mov eax, dword ptr [ebx + 0x250] // 898250020000 \| mov dword ptr [edx + 0x250], eax // 8b8354020000 \| mov eax, dword ptr [ebx + 0x254] $sequence_28 = { f6470280 760d 68???????? e8???????? 83c404 } // n = 5, score = 200 // f6470280 \| test byte ptr [edi + 2], 0x80 // 760d \| jbe 0xf // 68???????? \| // e8???????? \| // 83c404 \| add esp, 4 $sequence_29 = { 0f1f440000 8a02 42 84c0 75f9 8d7c2430 2bd6 } // n = 7, score = 200 // 0f1f440000 \| nop dword ptr [eax + eax] // 8a02 \| mov al, byte ptr [edx] // 42 \| inc edx // 84c0 \| test al, al // 75f9 \| jne 0xfffffffb // 8d7c2430 \| lea edi, [esp + 0x30] // 2bd6 \| sub edx, esi $sequence_30 = { 660f59f5 660f28aa40fe4000 660f54e5 660f58fe } // n = 4, score = 200 // 660f59f5 \| mulpd xmm6, xmm5 // 660f28aa40fe4000 \| movapd xmm5, xmmword ptr [edx + 0x40fe40] // 660f54e5 \| andpd xmm4, xmm5 // 660f58fe \| addpd xmm7, xmm6 $sequence_31 = { e9???????? 894ddc c745e0d8ff4000 e9???????? } // n = 4, score = 200 // e9???????? \| // 894ddc \| mov dword ptr [ebp - 0x24], ecx // c745e0d8ff4000 \| mov dword ptr [ebp - 0x20], 0x40ffd8 // e9???????? \| $sequence_32 = { 33c2 2500800000 83f800 0f8547ffffff e9???????? 8b542408 } // n = 6, score = 100 // 33c2 \| xor eax, edx // 2500800000 \| and eax, 0x8000 // 83f800 \| cmp eax, 0 // 0f8547ffffff \| jne 0xffffff4d // e9???????? \| // 8b542408 \| mov edx, dword ptr [esp + 8] $sequence_33 = { 59 8bf0 6a01 8bce e8???????? 8d45f8 c706???????? } // n = 7, score = 100 // 59 \| pop ecx // 8bf0 \| mov esi, eax // 6a01 \| push 1 // 8bce \| mov ecx, esi // e8???????? \| // 8d45f8 \| lea eax, [ebp - 8] // c706???????? \| $sequence_34 = { 88d8 e2d9 8dbe00000600 8b07 09c0 } // n = 5, score = 100 // 88d8 \| mov al, bl // e2d9 \| loop 0xffffffdb // 8dbe00000600 \| lea edi, [esi + 0x60000] // 8b07 \| mov eax, dword ptr [edi] // 09c0 \| or eax, eax $sequence_35 = { 83eb01 741e 83eb01 7549 399ffc000000 7441 } // n = 6, score = 100 // 83eb01 \| sub ebx, 1 // 741e \| je 0x20 // 83eb01 \| sub ebx, 1 // 7549 \| jne 0x4b // 399ffc000000 \| cmp dword ptr [edi + 0xfc], ebx // 7441 \| je 0x43 $sequence_36 = { 894e10 e8???????? 59 59 85c0 } // n = 5, score = 100 // 894e10 \| mov dword ptr [esi + 0x10], ecx // e8???????? \| // 59 \| pop ecx // 59 \| pop ecx // 85c0 \| test eax, eax $sequence_37 = { ba05000000 8d0d905b4400 e9???????? a90000f07f 752c a9ffff0f00 } // n = 6, score = 100 // ba05000000 \| mov edx, 5 // 8d0d905b4400 \| lea ecx, [0x445b90] // e9???????? \| // a90000f07f \| test eax, 0x7ff00000 // 752c \| jne 0x2e // a9ffff0f00 \| test eax, 0xfffff $sequence_38 = { 773c 2b4334 99 f77d8c 894598 3b4b3c } // n = 6, score = 100 // 773c \| ja 0x3e // 2b4334 \| sub eax, dword ptr [ebx + 0x34] // 99 \| cdq // f77d8c \| idiv dword ptr [ebp - 0x74] // 894598 \| mov dword ptr [ebp - 0x68], eax // 3b4b3c \| cmp ecx, dword ptr [ebx + 0x3c] $sequence_39 = { 7451 8b7d08 8b4514 8b4d10 } // n = 4, score = 100 // 7451 \| je 0x53 // 8b7d08 \| mov edi, dword ptr [ebp + 8] // 8b4514 \| mov eax, dword ptr [ebp + 0x14] // 8b4d10 \| mov ecx, dword ptr [ebp + 0x10] condition: 7 of them and filesize < 983040 }
[TLP:WHITE] win_industroyer_w0 (20241220 \| CRASHOVERRIDE v1 Suspicious Export) import "pe" rule win_industroyer_w0 { meta: description = "CRASHOVERRIDE v1 Suspicious Export" author = "Dragos Inc" modified_by = "Rony (r0ny_123)" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20241220" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" condition: pe.exports("Crash") and pe.characteristics & pe.DLL }
[TLP:WHITE] win_industroyer_w1 (20170615 \| CRASHOVERRIDE v1 Wiper) import "pe" rule win_industroyer_w1 { meta: description = "CRASHOVERRIDE v1 Wiper" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = "SYS_BASCON.COM" fullword nocase wide $s1 = ".pcmp" fullword nocase wide $s2 = ".pcmi" fullword nocase wide $s3 = ".pcmt" fullword nocase wide $s4 = ".cin" fullword nocase wide condition: pe.exports("Crash") and any of ($s*) }
[TLP:WHITE] win_industroyer_w2 (20170615 \| CRASHOVERRIDE v1 Suspicious Strings and Export) import "pe" rule win_industroyer_w2 { meta: description = "CRASHOVERRIDE v1 Suspicious Strings and Export" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = "101.dll" fullword nocase wide $s1 = "Crash101.dll" fullword nocase wide $s2 = "104.dll" fullword nocase wide $s3 = "Crash104.dll" fullword nocase wide $s4 = "61850.dll" fullword nocase wide $s5 = "Crash61850.dll" fullword nocase wide $s6 = "OPCClientDemo.dll" fullword nocase wide $s7 = "OPC" fullword nocase wide $s8 = "CrashOPCClientDemo.dll" fullword nocase wide $s9 = "D2MultiCommService.exe" fullword nocase wide $s10 = "CrashD2MultiCommService.exe" fullword nocase wide $s11 = "61850.exe" fullword nocase wide $s12 = "OPC.exe" fullword nocase wide $s13 = "haslo.exe" fullword nocase wide $s14 = "haslo.dat" fullword nocase wide condition: any of ($s*) and pe.exports("Crash") }
[TLP:WHITE] win_industroyer_w3 (20170615 \| IEC-104 Interaction Module Program Strings) rule win_industroyer_w3 { meta: description = "IEC-104 Interaction Module Program Strings" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii $s2 = " MSTR ->> SLV" nocase wide ascii $s3 = " MSTR <<- SLV" nocase wide ascii $s4 = "Unknown APDU format !!!" nocase wide ascii $s5 = "iec104.log" nocase wide ascii condition: any of ($s*) }
[TLP:WHITE] win_industroyer_w4 (20170615 \| CRASHOVERRIDE v1 Config File Parsing) rule win_industroyer_w4 { meta: description = "CRASHOVERRIDE v1 Config File Parsing" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 } $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 } $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? } $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? } condition: all of them }
[TLP:WHITE] win_industroyer_w5 (20170615 \| Blank mutex creation assoicated with CRASHOVERRIDE) rule win_industroyer_w5 { meta: description = "Blank mutex creation assoicated with CRASHOVERRIDE" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 } $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00} condition: all of them }
[TLP:WHITE] win_industroyer_w6 (20170615 \| Identify service hollowing and persistence setting) rule win_industroyer_w6 { meta: description = "Identify service hollowing and persistence setting" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? } $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 } condition: all of them }
[TLP:WHITE] win_industroyer_w7 (20170615 \| Registry Wiper functionality assoicated with CRASHOVERRIDE) rule win_industroyer_w7 { meta: description = "Registry Wiper functionality assoicated with CRASHOVERRIDE" author = "Dragos Inc" reference = "https://dragos.com/blog/industroyer/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 } $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? } $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 } condition: all of them }
[TLP:WHITE] win_industroyer_w8 (20170615 \| File manipulation actions associated with CRASHOVERRIDE wiper) rule win_industroyer_w8 { meta: description = "File manipulation actions associated with CRASHOVERRIDE wiper" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 } $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 } condition: all of them }

Download all Yara Rules

[TLP:WHITE] win_industroyer_auto (20251219 \| Detects win.industroyer.) rule win_industroyer_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-01-05" version = "1" description = "Detects win.industroyer." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_rule_date = "20260105" malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" malpedia_version = "20251219" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 53 ff75fc e8???????? 57 e8???????? 83c414 56 } // n = 7, score = 600 // 53 \| push ebx // ff75fc \| push dword ptr [ebp - 4] // e8???????? \| // 57 \| push edi // e8???????? \| // 83c414 \| add esp, 0x14 // 56 \| push esi $sequence_1 = { 8d85f8fdffff 56 be04010000 56 50 68???????? } // n = 6, score = 600 // 8d85f8fdffff \| lea eax, [ebp - 0x208] // 56 \| push esi // be04010000 \| mov esi, 0x104 // 56 \| push esi // 50 \| push eax // 68???????? \| $sequence_2 = { 8d45f4 50 56 57 53 ff15???????? 037df4 } // n = 7, score = 600 // 8d45f4 \| lea eax, [ebp - 0xc] // 50 \| push eax // 56 \| push esi // 57 \| push edi // 53 \| push ebx // ff15???????? \| // 037df4 \| add edi, dword ptr [ebp - 0xc] $sequence_3 = { 53 ffd6 53 e8???????? 59 85c0 } // n = 6, score = 600 // 53 \| push ebx // ffd6 \| call esi // 53 \| push ebx // e8???????? \| // 59 \| pop ecx // 85c0 \| test eax, eax $sequence_4 = { 68???????? 56 56 ff15???????? 57 8bf0 e8???????? } // n = 7, score = 600 // 68???????? \| // 56 \| push esi // 56 \| push esi // ff15???????? \| // 57 \| push edi // 8bf0 \| mov esi, eax // e8???????? \| $sequence_5 = { 50 6a02 56 e8???????? ff7710 6a03 56 } // n = 7, score = 600 // 50 \| push eax // 6a02 \| push 2 // 56 \| push esi // e8???????? \| // ff7710 \| push dword ptr [edi + 0x10] // 6a03 \| push 3 // 56 \| push esi $sequence_6 = { 8d45a8 33f6 57 50 e8???????? } // n = 5, score = 600 // 8d45a8 \| lea eax, [ebp - 0x58] // 33f6 \| xor esi, esi // 57 \| push edi // 50 \| push eax // e8???????? \| $sequence_7 = { 51 50 56 57 ff15???????? 56 e8???????? } // n = 7, score = 600 // 51 \| push ecx // 50 \| push eax // 56 \| push esi // 57 \| push edi // ff15???????? \| // 56 \| push esi // e8???????? \| $sequence_8 = { 6a02 ff15???????? 8bd8 85db 0f849d000000 8d85d0fdffff c785d0fdffff2c020000 } // n = 7, score = 400 // 6a02 \| push 2 // ff15???????? \| // 8bd8 \| mov ebx, eax // 85db \| test ebx, ebx // 0f849d000000 \| je 0xa3 // 8d85d0fdffff \| lea eax, [ebp - 0x230] // c785d0fdffff2c020000 \| mov dword ptr [ebp - 0x230], 0x22c $sequence_9 = { ff15???????? 89849da0efffff 83c604 43 81fe88000000 7291 } // n = 6, score = 400 // ff15???????? \| // 89849da0efffff \| mov dword ptr [ebp + ebx4 - 0x1060], eax // 83c604 \| add esi, 4 // 43 \| inc ebx // 81fe88000000 \| cmp esi, 0x88 // 7291 \| jb 0xffffff93 $sequence_10 = { 8b35???????? 0f1f00 f644241810 7451 } // n = 4, score = 400 // 8b35???????? \| // 0f1f00 \| nop dword ptr [eax] // f644241810 \| test byte ptr [esp + 0x18], 0x10 // 7451 \| je 0x53 $sequence_11 = { e8???????? 83c404 33c0 eb19 8d8d90efffff 51 } // n = 6, score = 400 // e8???????? \| // 83c404 \| add esp, 4 // 33c0 \| xor eax, eax // eb19 \| jmp 0x1b // 8d8d90efffff \| lea ecx, [ebp - 0x1070] // 51 \| push ecx $sequence_12 = { 81ec6c040000 a1???????? 33c4 89842468040000 53 8b1d???????? } // n = 6, score = 400 // 81ec6c040000 \| sub esp, 0x46c // a1???????? \| // 33c4 \| xor eax, esp // 89842468040000 \| mov dword ptr [esp + 0x468], eax // 53 \| push ebx // 8b1d???????? \| $sequence_13 = { 8b35???????? 39bdd8fdffff 741f 8d85d0fdffff 50 53 } // n = 6, score = 400 // 8b35???????? \| // 39bdd8fdffff \| cmp dword ptr [ebp - 0x228], edi // 741f \| je 0x21 // 8d85d0fdffff \| lea eax, [ebp - 0x230] // 50 \| push eax // 53 \| push ebx $sequence_14 = { 6800020000 8d85a0fbffff 50 56 ffb59cf3ffff ff15???????? 8b3d???????? } // n = 7, score = 400 // 6800020000 \| push 0x200 // 8d85a0fbffff \| lea eax, [ebp - 0x460] // 50 \| push eax // 56 \| push esi // ffb59cf3ffff \| push dword ptr [ebp - 0xc64] // ff15???????? \| // 8b3d???????? \| $sequence_15 = { 0f847bffffff ffb59cf3ffff ffd7 8b4dfc 5f 33cd } // n = 6, score = 400 // 0f847bffffff \| je 0xffffff81 // ffb59cf3ffff \| push dword ptr [ebp - 0xc64] // ffd7 \| call edi // 8b4dfc \| mov ecx, dword ptr [ebp - 4] // 5f \| pop edi // 33cd \| xor ecx, ebp $sequence_16 = { 89442444 8b442418 89442440 8d44243c 50 } // n = 5, score = 200 // 89442444 \| mov dword ptr [esp + 0x44], eax // 8b442418 \| mov eax, dword ptr [esp + 0x18] // 89442440 \| mov dword ptr [esp + 0x40], eax // 8d44243c \| lea eax, [esp + 0x3c] // 50 \| push eax $sequence_17 = { 8bcb 50 e8???????? 83c408 8d95d8fffeff 8bf0 } // n = 6, score = 200 // 8bcb \| mov ecx, ebx // 50 \| push eax // e8???????? \| // 83c408 \| add esp, 8 // 8d95d8fffeff \| lea edx, [ebp - 0x10028] // 8bf0 \| mov esi, eax $sequence_18 = { c745e0d4ff4000 e9???????? c745dc03000000 c745e0e0ff4000 e9???????? 83e80f 7451 } // n = 7, score = 200 // c745e0d4ff4000 \| mov dword ptr [ebp - 0x20], 0x40ffd4 // e9???????? \| // c745dc03000000 \| mov dword ptr [ebp - 0x24], 3 // c745e0e0ff4000 \| mov dword ptr [ebp - 0x20], 0x40ffe0 // e9???????? \| // 83e80f \| sub eax, 0xf // 7451 \| je 0x53 $sequence_19 = { eb07 8b0cc5dc084100 894de4 85c9 } // n = 4, score = 200 // eb07 \| jmp 9 // 8b0cc5dc084100 \| mov ecx, dword ptr [eax8 + 0x4108dc] // 894de4 \| mov dword ptr [ebp - 0x1c], ecx // 85c9 \| test ecx, ecx $sequence_20 = { 7417 68???????? 50 ff15???????? 85c0 7407 6a00 } // n = 7, score = 200 // 7417 \| je 0x19 // 68???????? \| // 50 \| push eax // ff15???????? \| // 85c0 \| test eax, eax // 7407 \| je 9 // 6a00 \| push 0 $sequence_21 = { 7464 68???????? ff35???????? c705????????01000000 c705????????04000000 c705????????00000000 c705????????00000000 } // n = 7, score = 200 // 7464 \| je 0x66 // 68???????? \| // ff35???????? \| // c705????????01000000 \| // c705????????04000000 \| // c705????????00000000 \| // c705????????00000000 \| $sequence_22 = { 80480c01 eb04 80600cfe 807d1000 8b4604 } // n = 5, score = 200 // 80480c01 \| or byte ptr [eax + 0xc], 1 // eb04 \| jmp 6 // 80600cfe \| and byte ptr [eax + 0xc], 0xfe // 807d1000 \| cmp byte ptr [ebp + 0x10], 0 // 8b4604 \| mov eax, dword ptr [esi + 4] $sequence_23 = { 8b4508 dd00 ebc6 c745e0e8ff4000 e9???????? c745e0f0ff4000 e9???????? } // n = 7, score = 200 // 8b4508 \| mov eax, dword ptr [ebp + 8] // dd00 \| fld qword ptr [eax] // ebc6 \| jmp 0xffffffc8 // c745e0e8ff4000 \| mov dword ptr [ebp - 0x20], 0x40ffe8 // e9???????? \| // c745e0f0ff4000 \| mov dword ptr [ebp - 0x20], 0x40fff0 // e9???????? \| $sequence_24 = { 8b34cd18c20110 8b4d08 6a5a 2bce 5b 0fb70431 663bc7 } // n = 7, score = 200 // 8b34cd18c20110 \| mov esi, dword ptr [ecx8 + 0x1001c218] // 8b4d08 \| mov ecx, dword ptr [ebp + 8] // 6a5a \| push 0x5a // 2bce \| sub ecx, esi // 5b \| pop ebx // 0fb70431 \| movzx eax, word ptr [ecx + esi] // 663bc7 \| cmp ax, di $sequence_25 = { 75f9 8d7c2430 2bd6 4f 8a4701 47 84c0 } // n = 7, score = 200 // 75f9 \| jne 0xfffffffb // 8d7c2430 \| lea edi, [esp + 0x30] // 2bd6 \| sub edx, esi // 4f \| dec edi // 8a4701 \| mov al, byte ptr [edi + 1] // 47 \| inc edi // 84c0 \| test al, al $sequence_26 = { 8945dc 8b1c9dd01f0210 895de0 f6441a2848 8b5d08 0f84ce000000 } // n = 6, score = 200 // 8945dc \| mov dword ptr [ebp - 0x24], eax // 8b1c9dd01f0210 \| mov ebx, dword ptr [ebx*4 + 0x10021fd0] // 895de0 \| mov dword ptr [ebp - 0x20], ebx // f6441a2848 \| test byte ptr [edx + ebx + 0x28], 0x48 // 8b5d08 \| mov ebx, dword ptr [ebp + 8] // 0f84ce000000 \| je 0xd4 $sequence_27 = { c7825402000000000000 c7825802000000000000 8b8350020000 898250020000 8b8354020000 } // n = 5, score = 200 // c7825402000000000000 \| mov dword ptr [edx + 0x254], 0 // c7825802000000000000 \| mov dword ptr [edx + 0x258], 0 // 8b8350020000 \| mov eax, dword ptr [ebx + 0x250] // 898250020000 \| mov dword ptr [edx + 0x250], eax // 8b8354020000 \| mov eax, dword ptr [ebx + 0x254] $sequence_28 = { f6470280 760d 68???????? e8???????? 83c404 } // n = 5, score = 200 // f6470280 \| test byte ptr [edi + 2], 0x80 // 760d \| jbe 0xf // 68???????? \| // e8???????? \| // 83c404 \| add esp, 4 $sequence_29 = { 0f1f440000 8a02 42 84c0 75f9 8d7c2430 2bd6 } // n = 7, score = 200 // 0f1f440000 \| nop dword ptr [eax + eax] // 8a02 \| mov al, byte ptr [edx] // 42 \| inc edx // 84c0 \| test al, al // 75f9 \| jne 0xfffffffb // 8d7c2430 \| lea edi, [esp + 0x30] // 2bd6 \| sub edx, esi $sequence_30 = { 660f59f5 660f28aa40fe4000 660f54e5 660f58fe } // n = 4, score = 200 // 660f59f5 \| mulpd xmm6, xmm5 // 660f28aa40fe4000 \| movapd xmm5, xmmword ptr [edx + 0x40fe40] // 660f54e5 \| andpd xmm4, xmm5 // 660f58fe \| addpd xmm7, xmm6 $sequence_31 = { e9???????? 894ddc c745e0d8ff4000 e9???????? } // n = 4, score = 200 // e9???????? \| // 894ddc \| mov dword ptr [ebp - 0x24], ecx // c745e0d8ff4000 \| mov dword ptr [ebp - 0x20], 0x40ffd8 // e9???????? \| $sequence_32 = { 33c2 2500800000 83f800 0f8547ffffff e9???????? 8b542408 } // n = 6, score = 100 // 33c2 \| xor eax, edx // 2500800000 \| and eax, 0x8000 // 83f800 \| cmp eax, 0 // 0f8547ffffff \| jne 0xffffff4d // e9???????? \| // 8b542408 \| mov edx, dword ptr [esp + 8] $sequence_33 = { 59 8bf0 6a01 8bce e8???????? 8d45f8 c706???????? } // n = 7, score = 100 // 59 \| pop ecx // 8bf0 \| mov esi, eax // 6a01 \| push 1 // 8bce \| mov ecx, esi // e8???????? \| // 8d45f8 \| lea eax, [ebp - 8] // c706???????? \| $sequence_34 = { 88d8 e2d9 8dbe00000600 8b07 09c0 } // n = 5, score = 100 // 88d8 \| mov al, bl // e2d9 \| loop 0xffffffdb // 8dbe00000600 \| lea edi, [esi + 0x60000] // 8b07 \| mov eax, dword ptr [edi] // 09c0 \| or eax, eax $sequence_35 = { 83eb01 741e 83eb01 7549 399ffc000000 7441 } // n = 6, score = 100 // 83eb01 \| sub ebx, 1 // 741e \| je 0x20 // 83eb01 \| sub ebx, 1 // 7549 \| jne 0x4b // 399ffc000000 \| cmp dword ptr [edi + 0xfc], ebx // 7441 \| je 0x43 $sequence_36 = { 894e10 e8???????? 59 59 85c0 } // n = 5, score = 100 // 894e10 \| mov dword ptr [esi + 0x10], ecx // e8???????? \| // 59 \| pop ecx // 59 \| pop ecx // 85c0 \| test eax, eax $sequence_37 = { ba05000000 8d0d905b4400 e9???????? a90000f07f 752c a9ffff0f00 } // n = 6, score = 100 // ba05000000 \| mov edx, 5 // 8d0d905b4400 \| lea ecx, [0x445b90] // e9???????? \| // a90000f07f \| test eax, 0x7ff00000 // 752c \| jne 0x2e // a9ffff0f00 \| test eax, 0xfffff $sequence_38 = { 773c 2b4334 99 f77d8c 894598 3b4b3c } // n = 6, score = 100 // 773c \| ja 0x3e // 2b4334 \| sub eax, dword ptr [ebx + 0x34] // 99 \| cdq // f77d8c \| idiv dword ptr [ebp - 0x74] // 894598 \| mov dword ptr [ebp - 0x68], eax // 3b4b3c \| cmp ecx, dword ptr [ebx + 0x3c] $sequence_39 = { 7451 8b7d08 8b4514 8b4d10 } // n = 4, score = 100 // 7451 \| je 0x53 // 8b7d08 \| mov edi, dword ptr [ebp + 8] // 8b4514 \| mov eax, dword ptr [ebp + 0x14] // 8b4d10 \| mov ecx, dword ptr [ebp + 0x10] condition: 7 of them and filesize < 983040 }
[TLP:WHITE] win_industroyer_w0 (20241220 \| CRASHOVERRIDE v1 Suspicious Export) import "pe" rule win_industroyer_w0 { meta: description = "CRASHOVERRIDE v1 Suspicious Export" author = "Dragos Inc" modified_by = "Rony (r0ny_123)" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20241220" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" condition: pe.exports("Crash") and pe.characteristics & pe.DLL }
[TLP:WHITE] win_industroyer_w1 (20170615 \| CRASHOVERRIDE v1 Wiper) import "pe" rule win_industroyer_w1 { meta: description = "CRASHOVERRIDE v1 Wiper" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = "SYS_BASCON.COM" fullword nocase wide $s1 = ".pcmp" fullword nocase wide $s2 = ".pcmi" fullword nocase wide $s3 = ".pcmt" fullword nocase wide $s4 = ".cin" fullword nocase wide condition: pe.exports("Crash") and any of ($s*) }
[TLP:WHITE] win_industroyer_w2 (20170615 \| CRASHOVERRIDE v1 Suspicious Strings and Export) import "pe" rule win_industroyer_w2 { meta: description = "CRASHOVERRIDE v1 Suspicious Strings and Export" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = "101.dll" fullword nocase wide $s1 = "Crash101.dll" fullword nocase wide $s2 = "104.dll" fullword nocase wide $s3 = "Crash104.dll" fullword nocase wide $s4 = "61850.dll" fullword nocase wide $s5 = "Crash61850.dll" fullword nocase wide $s6 = "OPCClientDemo.dll" fullword nocase wide $s7 = "OPC" fullword nocase wide $s8 = "CrashOPCClientDemo.dll" fullword nocase wide $s9 = "D2MultiCommService.exe" fullword nocase wide $s10 = "CrashD2MultiCommService.exe" fullword nocase wide $s11 = "61850.exe" fullword nocase wide $s12 = "OPC.exe" fullword nocase wide $s13 = "haslo.exe" fullword nocase wide $s14 = "haslo.dat" fullword nocase wide condition: any of ($s*) and pe.exports("Crash") }
[TLP:WHITE] win_industroyer_w3 (20170615 \| IEC-104 Interaction Module Program Strings) rule win_industroyer_w3 { meta: description = "IEC-104 Interaction Module Program Strings" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii $s2 = " MSTR ->> SLV" nocase wide ascii $s3 = " MSTR <<- SLV" nocase wide ascii $s4 = "Unknown APDU format !!!" nocase wide ascii $s5 = "iec104.log" nocase wide ascii condition: any of ($s*) }
[TLP:WHITE] win_industroyer_w4 (20170615 \| CRASHOVERRIDE v1 Config File Parsing) rule win_industroyer_w4 { meta: description = "CRASHOVERRIDE v1 Config File Parsing" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 } $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 } $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? } $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? } condition: all of them }
[TLP:WHITE] win_industroyer_w5 (20170615 \| Blank mutex creation assoicated with CRASHOVERRIDE) rule win_industroyer_w5 { meta: description = "Blank mutex creation assoicated with CRASHOVERRIDE" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 } $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00} condition: all of them }
[TLP:WHITE] win_industroyer_w6 (20170615 \| Identify service hollowing and persistence setting) rule win_industroyer_w6 { meta: description = "Identify service hollowing and persistence setting" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? } $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 } condition: all of them }
[TLP:WHITE] win_industroyer_w7 (20170615 \| Registry Wiper functionality assoicated with CRASHOVERRIDE) rule win_industroyer_w7 { meta: description = "Registry Wiper functionality assoicated with CRASHOVERRIDE" author = "Dragos Inc" reference = "https://dragos.com/blog/industroyer/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 } $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? } $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 } condition: all of them }
[TLP:WHITE] win_industroyer_w8 (20170615 \| File manipulation actions associated with CRASHOVERRIDE wiper) rule win_industroyer_w8 { meta: description = "File manipulation actions associated with CRASHOVERRIDE wiper" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 } $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 } condition: all of them }

Industroyer Propose Change

References

Yara Rules

Industroyer