SYMBOLCOMMON_NAMEaka. SYNONYMS
win.industroyer (Back to overview)

Industroyer

aka: Crash, CrashOverride

Actor(s): ELECTRUM

Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.

References
2022-07-26MandiantThibault van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith Lunden
@online{berlaere:20220726:mandiant:c1c4498, author = {Thibault van Geluwe de Berlaere and Jay Christiansen and Daniel Kapellmann Zafra and Ken Proska and Keith Lunden}, title = {{Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers}}, date = {2022-07-26}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics}, language = {English}, urldate = {2023-01-19} } Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-12Cert-UACert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12ESET ResearchESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-02-24nvisoMichel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-24TesorionTESORION
@techreport{tesorion:20220224:report:e2f2082, author = {TESORION}, title = {{Report OSINT: Russia/ Ukraine Conflict Cyberaspect}}, date = {2022-02-24}, institution = {Tesorion}, url = {https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf}, language = {English}, urldate = {2022-03-01} } Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2021-02-11DomainToolsJoe Slowik
@online{slowik:20210211:visibility:5d2f96e, author = {Joe Slowik}, title = {{Visibility, Monitoring, and Critical Infrastructure Security}}, date = {2021-02-11}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security}, language = {English}, urldate = {2021-02-20} } Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-11-12DragosDragos
@techreport{dragos:20201112:cyber:cf5b4fd, author = {Dragos}, title = {{Cyber Threat Perspective MANUFACTURING SECTOR}}, date = {2020-11-12}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf}, language = {English}, urldate = {2020-11-18} } Cyber Threat Perspective MANUFACTURING SECTOR
Industroyer Snake
2020-10-19Riskint BlogCurtis
@online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-10-19UK GovernmentForeignCommonwealth & Development Office, Dominic Raab
@online{office:20201019:uk:7ead390, author = {ForeignCommonwealth & Development Office and Dominic Raab}, title = {{UK exposes series of Russian cyber attacks against Olympic and Paralympic Games}}, date = {2020-10-19}, organization = {UK Government}, url = {https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games}, language = {English}, urldate = {2020-10-23} } UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2020-01DragosJoe Slowik
@techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2018-10-11ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer
2017-10-05Virus BulletinAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} } Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
2017-07-04WikipediaVarious
@online{various:20170704:industroyer:54eba4d, author = {Various}, title = {{Industroyer}}, date = {2017-07-04}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Industroyer}, language = {English}, urldate = {2020-01-08} } Industroyer
Industroyer
2017-06-13DragosDragos
@techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} } CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations
Industroyer Sandworm
2017-06-12ESET ResearchAnton Cherepanov
@techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} } WIN32/INDUSTROYER: A new threat for industrial control systems
Industroyer Sandworm
2017-06-12ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} } Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
Yara Rules
[TLP:WHITE] win_industroyer_auto (20230125 | Detects win.industroyer.)
rule win_industroyer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.industroyer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a04 50 6a03 53 c745f860ea0000 ffd6 }
            // n = 6, score = 600
            //   6a04                 | push                4
            //   50                   | push                eax
            //   6a03                 | push                3
            //   53                   | push                ebx
            //   c745f860ea0000       | mov                 dword ptr [ebp - 8], 0xea60
            //   ffd6                 | call                esi

        $sequence_1 = { 2bf2 57 33ff 3bd0 0f47f1 8b4d08 }
            // n = 6, score = 600
            //   2bf2                 | sub                 esi, edx
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   3bd0                 | cmp                 edx, eax
            //   0f47f1               | cmova               esi, ecx
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_2 = { 6a10 50 e8???????? 8b5d08 83c410 814dd401010000 }
            // n = 6, score = 600
            //   6a10                 | push                0x10
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   83c410               | add                 esp, 0x10
            //   814dd401010000       | or                  dword ptr [ebp - 0x2c], 0x101

        $sequence_3 = { 50 8945e0 e8???????? 8945f8 e8???????? }
            // n = 5, score = 600
            //   50                   | push                eax
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   e8????????           |                     

        $sequence_4 = { 8d45fc 50 6a04 8d45f0 50 57 }
            // n = 6, score = 600
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   6a04                 | push                4
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_5 = { 33f6 50 ff35???????? ff15???????? 85c0 0f4575f8 }
            // n = 6, score = 600
            //   33f6                 | xor                 esi, esi
            //   50                   | push                eax
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f4575f8             | cmovne              esi, dword ptr [ebp - 8]

        $sequence_6 = { 6800000008 56 8d85a0fdffff 50 51 ff7704 }
            // n = 6, score = 600
            //   6800000008           | push                0x8000000
            //   56                   | push                esi
            //   8d85a0fdffff         | lea                 eax, [ebp - 0x260]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff7704               | push                dword ptr [edi + 4]

        $sequence_7 = { e8???????? 50 6a03 56 894710 e8???????? }
            // n = 6, score = 600
            //   e8????????           |                     
            //   50                   | push                eax
            //   6a03                 | push                3
            //   56                   | push                esi
            //   894710               | mov                 dword ptr [edi + 0x10], eax
            //   e8????????           |                     

        $sequence_8 = { b900200000 0f46f9 3d00001000 b900100000 }
            // n = 4, score = 400
            //   b900200000           | mov                 ecx, 0x2000
            //   0f46f9               | cmovbe              edi, ecx
            //   3d00001000           | cmp                 eax, 0x100000
            //   b900100000           | mov                 ecx, 0x1000

        $sequence_9 = { ff15???????? 85c0 742c 83c604 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   742c                 | je                  0x2e
            //   83c604               | add                 esi, 4

        $sequence_10 = { b900800000 bfffff0000 0f46f9 3d00005000 b900400000 }
            // n = 5, score = 400
            //   b900800000           | mov                 ecx, 0x8000
            //   bfffff0000           | mov                 edi, 0xffff
            //   0f46f9               | cmovbe              edi, ecx
            //   3d00005000           | cmp                 eax, 0x500000
            //   b900400000           | mov                 ecx, 0x4000

        $sequence_11 = { 8907 894f04 e8???????? b9???????? 83c408 c700???????? }
            // n = 6, score = 400
            //   8907                 | mov                 dword ptr [edi], eax
            //   894f04               | mov                 dword ptr [edi + 4], ecx
            //   e8????????           |                     
            //   b9????????           |                     
            //   83c408               | add                 esp, 8
            //   c700????????         |                     

        $sequence_12 = { 3b35???????? 72eb b101 e8???????? }
            // n = 4, score = 400
            //   3b35????????         |                     
            //   72eb                 | jb                  0xffffffed
            //   b101                 | mov                 cl, 1
            //   e8????????           |                     

        $sequence_13 = { 6a00 6a00 ff15???????? 89849da0efffff 83c604 43 }
            // n = 6, score = 400
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   89849da0efffff       | mov                 dword ptr [ebp + ebx*4 - 0x1060], eax
            //   83c604               | add                 esi, 4
            //   43                   | inc                 ebx

        $sequence_14 = { 56 8bd8 57 53 e8???????? 8b0d???????? }
            // n = 6, score = 400
            //   56                   | push                esi
            //   8bd8                 | mov                 ebx, eax
            //   57                   | push                edi
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b0d????????         |                     

        $sequence_15 = { 83c604 43 81fe88000000 7291 899d98efffff }
            // n = 5, score = 400
            //   83c604               | add                 esi, 4
            //   43                   | inc                 ebx
            //   81fe88000000         | cmp                 esi, 0x88
            //   7291                 | jb                  0xffffff93
            //   899d98efffff         | mov                 dword ptr [ebp - 0x1068], ebx

        $sequence_16 = { ff742414 ff15???????? 57 ff15???????? ff15???????? 8b4c244c }
            // n = 6, score = 200
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   8b4c244c             | mov                 ecx, dword ptr [esp + 0x4c]

        $sequence_17 = { c3 8b04c574cb4000 5d c3 8bff }
            // n = 5, score = 200
            //   c3                   | ret                 
            //   8b04c574cb4000       | mov                 eax, dword ptr [eax*8 + 0x40cb74]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi

        $sequence_18 = { 8bd9 c785d0feffff28010000 ff15???????? 8bf0 83feff 7520 }
            // n = 6, score = 200
            //   8bd9                 | mov                 ebx, ecx
            //   c785d0feffff28010000     | mov    dword ptr [ebp - 0x130], 0x128
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7520                 | jne                 0x22

        $sequence_19 = { 6880ee3600 ff15???????? 68???????? ff15???????? 85c0 7417 }
            // n = 6, score = 200
            //   6880ee3600           | push                0x36ee80
            //   ff15????????         |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7417                 | je                  0x19

        $sequence_20 = { 57 8d7a34 8955fc 0fb603 8d7334 8802 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   8d7a34               | lea                 edi, [edx + 0x34]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   0fb603               | movzx               eax, byte ptr [ebx]
            //   8d7334               | lea                 esi, [ebx + 0x34]
            //   8802                 | mov                 byte ptr [edx], al

        $sequence_21 = { 8b0e 80790468 7519 0fb64106 83e800 7425 }
            // n = 6, score = 200
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   80790468             | cmp                 byte ptr [ecx + 4], 0x68
            //   7519                 | jne                 0x1b
            //   0fb64106             | movzx               eax, byte ptr [ecx + 6]
            //   83e800               | sub                 eax, 0
            //   7425                 | je                  0x27

        $sequence_22 = { 0f8258030000 83fb23 0f874f030000 8bd8 }
            // n = 4, score = 200
            //   0f8258030000         | jb                  0x35e
            //   83fb23               | cmp                 ebx, 0x23
            //   0f874f030000         | ja                  0x355
            //   8bd8                 | mov                 ebx, eax

        $sequence_23 = { 1bc0 23c1 eb55 8b1c9db8c14000 56 6800080000 }
            // n = 6, score = 200
            //   1bc0                 | sbb                 eax, eax
            //   23c1                 | and                 eax, ecx
            //   eb55                 | jmp                 0x57
            //   8b1c9db8c14000       | mov                 ebx, dword ptr [ebx*4 + 0x40c1b8]
            //   56                   | push                esi
            //   6800080000           | push                0x800

        $sequence_24 = { 837c243c04 0f85bd000000 ff7704 ff15???????? ff7708 ff15???????? }
            // n = 6, score = 200
            //   837c243c04           | cmp                 dword ptr [esp + 0x3c], 4
            //   0f85bd000000         | jne                 0xc3
            //   ff7704               | push                dword ptr [edi + 4]
            //   ff15????????         |                     
            //   ff7708               | push                dword ptr [edi + 8]
            //   ff15????????         |                     

        $sequence_25 = { ff35???????? ff15???????? 6800000100 8d85f0fffeff 6a00 }
            // n = 5, score = 200
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   6800000100           | push                0x10000
            //   8d85f0fffeff         | lea                 eax, [ebp - 0x10010]
            //   6a00                 | push                0

        $sequence_26 = { 7530 83790800 752a eb0b }
            // n = 4, score = 200
            //   7530                 | jne                 0x32
            //   83790800             | cmp                 dword ptr [ecx + 8], 0
            //   752a                 | jne                 0x2c
            //   eb0b                 | jmp                 0xd

        $sequence_27 = { 83e13f c1f806 6bc930 8855d4 8b0485d01f0210 88540828 }
            // n = 6, score = 200
            //   83e13f               | and                 ecx, 0x3f
            //   c1f806               | sar                 eax, 6
            //   6bc930               | imul                ecx, ecx, 0x30
            //   8855d4               | mov                 byte ptr [ebp - 0x2c], dl
            //   8b0485d01f0210       | mov                 eax, dword ptr [eax*4 + 0x10021fd0]
            //   88540828             | mov                 byte ptr [eax + ecx + 0x28], dl

        $sequence_28 = { 7253 83fb23 7753 8bd8 53 }
            // n = 5, score = 200
            //   7253                 | jb                  0x55
            //   83fb23               | cmp                 ebx, 0x23
            //   7753                 | ja                  0x55
            //   8bd8                 | mov                 ebx, eax
            //   53                   | push                ebx

        $sequence_29 = { c705????????04000000 c705????????00000000 c705????????00000000 ffd3 a1???????? }
            // n = 5, score = 200
            //   c705????????04000000     |     
            //   c705????????00000000     |     
            //   c705????????00000000     |     
            //   ffd3                 | call                ebx
            //   a1????????           |                     

        $sequence_30 = { ff15???????? 8945f0 68???????? ff35???????? c705????????00000000 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   68????????           |                     
            //   ff35????????         |                     
            //   c705????????00000000     |     

        $sequence_31 = { d9f1 833d????????00 0f851c0b0000 8d0d90fd4000 }
            // n = 4, score = 200
            //   d9f1                 | fyl2x               
            //   833d????????00       |                     
            //   0f851c0b0000         | jne                 0xb22
            //   8d0d90fd4000         | lea                 ecx, [0x40fd90]

        $sequence_32 = { 89570c 893e e8???????? 6a00 6a01 }
            // n = 5, score = 100
            //   89570c               | mov                 dword ptr [edi + 0xc], edx
            //   893e                 | mov                 dword ptr [esi], edi
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_33 = { 0f86d7050000 8d4e18 8d4618 51 ff7104 8d8d50feffff ff30 }
            // n = 7, score = 100
            //   0f86d7050000         | jbe                 0x5dd
            //   8d4e18               | lea                 ecx, [esi + 0x18]
            //   8d4618               | lea                 eax, [esi + 0x18]
            //   51                   | push                ecx
            //   ff7104               | push                dword ptr [ecx + 4]
            //   8d8d50feffff         | lea                 ecx, [ebp - 0x1b0]
            //   ff30                 | push                dword ptr [eax]

        $sequence_34 = { 51 57 8b00 894508 3bc1 75c3 894dcc }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   57                   | push                edi
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   3bc1                 | cmp                 eax, ecx
            //   75c3                 | jne                 0xffffffc5
            //   894dcc               | mov                 dword ptr [ebp - 0x34], ecx

        $sequence_35 = { 8945f8 e8???????? 807d0800 59 }
            // n = 4, score = 100
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   e8????????           |                     
            //   807d0800             | cmp                 byte ptr [ebp + 8], 0
            //   59                   | pop                 ecx

        $sequence_36 = { 83c40c 8bf8 897dec 8365fc00 8b4604 }
            // n = 5, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8bf8                 | mov                 edi, eax
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        $sequence_37 = { 53 8d4dd8 8975f8 e8???????? 8b7d08 33c9 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   e8????????           |                     
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   33c9                 | xor                 ecx, ecx

        $sequence_38 = { e8???????? 83c40c 8d8df8feffff 56 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   56                   | push                esi

        $sequence_39 = { c1f803 3945ec 7760 8b45e8 8d1cc1 eb33 }
            // n = 6, score = 100
            //   c1f803               | sar                 eax, 3
            //   3945ec               | cmp                 dword ptr [ebp - 0x14], eax
            //   7760                 | ja                  0x62
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8d1cc1               | lea                 ebx, [ecx + eax*8]
            //   eb33                 | jmp                 0x35

    condition:
        7 of them and filesize < 983040
}
[TLP:WHITE] win_industroyer_w0   (20170615 | CRASHOVERRIDE v1 Suspicious Export)
import "pe"

rule win_industroyer_w0 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    condition:
        pe.exports("Crash") & pe.characteristics
}
[TLP:WHITE] win_industroyer_w1   (20170615 | CRASHOVERRIDE v1 Wiper)
import "pe"

rule win_industroyer_w1 {
    meta:
        description = "CRASHOVERRIDE v1 Wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "SYS_BASCON.COM" fullword nocase wide
        $s1 = ".pcmp" fullword nocase wide
        $s2 = ".pcmi" fullword nocase wide
        $s3 = ".pcmt" fullword nocase wide
        $s4 = ".cin" fullword nocase wide
        
    condition:
        pe.exports("Crash") and any of ($s*)
}
[TLP:WHITE] win_industroyer_w2   (20170615 | CRASHOVERRIDE v1 Suspicious Strings and Export)
import "pe"

rule win_industroyer_w2 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "101.dll" fullword nocase wide
        $s1 = "Crash101.dll" fullword nocase wide
        $s2 = "104.dll" fullword nocase wide
        $s3 = "Crash104.dll" fullword nocase wide
        $s4 = "61850.dll" fullword nocase wide
        $s5 = "Crash61850.dll" fullword nocase wide
        $s6 = "OPCClientDemo.dll" fullword nocase wide
        $s7 = "OPC" fullword nocase wide
        $s8 = "CrashOPCClientDemo.dll" fullword nocase wide
        $s9 = "D2MultiCommService.exe" fullword nocase wide
        $s10 = "CrashD2MultiCommService.exe" fullword nocase wide
        $s11 = "61850.exe" fullword nocase wide
        $s12 = "OPC.exe" fullword nocase wide
        $s13 = "haslo.exe" fullword nocase wide
        $s14 = "haslo.dat" fullword nocase wide     
    condition:
        any of ($s*) and pe.exports("Crash")
}
[TLP:WHITE] win_industroyer_w3   (20170615 | IEC-104 Interaction Module Program Strings)
rule win_industroyer_w3 { 
    meta:
        description = "IEC-104 Interaction Module Program Strings"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:      
        $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii 
        $s2 = " MSTR ->> SLV" nocase wide ascii 
        $s3 = " MSTR <<- SLV" nocase wide ascii 
        $s4 = "Unknown APDU format !!!" nocase wide ascii 
        $s5 = "iec104.log" nocase wide ascii 
    condition:      
        any of ($s*)
}
[TLP:WHITE] win_industroyer_w4   (20170615 | CRASHOVERRIDE v1 Config File Parsing)
rule win_industroyer_w4 {
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
        $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
        $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
        $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w5   (20170615 | Blank mutex creation assoicated with CRASHOVERRIDE)
rule win_industroyer_w5 {
    meta:
        description = "Blank mutex creation assoicated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }
        $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w6   (20170615 | Identify service hollowing and persistence setting)
rule win_industroyer_w6 {
    meta:
        description = "Identify service hollowing and persistence setting"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }
        $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w7   (20170615 | Registry Wiper functionality assoicated with CRASHOVERRIDE)
rule win_industroyer_w7 {
    meta:
        description = "Registry Wiper functionality assoicated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/industroyer/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }
        $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }
        $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w8   (20170615 | File manipulation actions associated with CRASHOVERRIDE wiper)
rule win_industroyer_w8 {
    meta:
        description = "File manipulation actions associated with CRASHOVERRIDE wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }
        $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }
    condition:
        all of them
}
Download all Yara Rules