SYMBOLCOMMON_NAMEaka. SYNONYMS
win.industroyer (Back to overview)

Industroyer

aka: Crash, CrashOverride

Actor(s): ELECTRUM

VTCollection    

Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.

References
2022-07-26MandiantDaniel Kapellmann Zafra, Jay Christiansen, Keith Lunden, Ken Proska, Thibault van Geluwe de Berlaere
Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton
2022-04-20CISACISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-20CISAAustralian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-12Cert-UACert-UA
Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12ESET ResearchESET Research
Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-02-24TesorionTESORION
Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2022-02-24nvisoMichel Coene
Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2021-02-11DomainToolsJoe Slowik
Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-11-12DragosDragos
Cyber Threat Perspective MANUFACTURING SECTOR
Industroyer Snake
2020-10-19UK GovernmentDominic Raab, ForeignCommonwealth & Development Office
UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-10-19Riskint BlogCurtis
Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020-01-01DragosJoe Slowik
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2020-01-01SecureworksSecureWorks
IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2018-10-11ESET ResearchAnton Cherepanov, Robert Lipovsky
New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer
2017-10-05Virus BulletinAnton Cherepanov, Robert Lipovsky
Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
2017-07-04WikipediaVarious
Industroyer
Industroyer
2017-06-13DragosDragos
CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations
Industroyer Sandworm
2017-06-12ESET ResearchAnton Cherepanov
WIN32/INDUSTROYER: A new threat for industrial control systems
Industroyer Sandworm
2017-06-12ESET ResearchAnton Cherepanov, Robert Lipovsky
Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
Yara Rules
[TLP:WHITE] win_industroyer_auto (20230808 | Detects win.industroyer.)
rule win_industroyer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.industroyer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 50 ff750c ff15???????? 8d45fc 50 8d45f8 }
            // n = 7, score = 600
            //   50                   | push                eax
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff15????????         |                     
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_1 = { 68f4010000 ff15???????? 33c0 50 }
            // n = 4, score = 600
            //   68f4010000           | push                0x1f4
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax

        $sequence_2 = { 50 8945e0 e8???????? 8945f8 e8???????? 50 8945e4 }
            // n = 7, score = 600
            //   50                   | push                eax
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   e8????????           |                     
            //   50                   | push                eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_3 = { 6808020000 50 ff7710 ff15???????? }
            // n = 4, score = 600
            //   6808020000           | push                0x208
            //   50                   | push                eax
            //   ff7710               | push                dword ptr [edi + 0x10]
            //   ff15????????         |                     

        $sequence_4 = { ff7710 6a03 56 e8???????? 83c424 894708 85c0 }
            // n = 7, score = 600
            //   ff7710               | push                dword ptr [edi + 0x10]
            //   6a03                 | push                3
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   85c0                 | test                eax, eax

        $sequence_5 = { ff15???????? 8bd8 8d8598fdffff 6804010000 50 68???????? ff15???????? }
            // n = 7, score = 600
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   8d8598fdffff         | lea                 eax, [ebp - 0x268]
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_6 = { 6a02 50 53 68000000c0 56 c745f40c000000 895dfc }
            // n = 7, score = 600
            //   6a02                 | push                2
            //   50                   | push                eax
            //   53                   | push                ebx
            //   68000000c0           | push                0xc0000000
            //   56                   | push                esi
            //   c745f40c000000       | mov                 dword ptr [ebp - 0xc], 0xc
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        $sequence_7 = { 6a4c e8???????? 8bf0 8d8510ffffff 6a4c }
            // n = 5, score = 600
            //   6a4c                 | push                0x4c
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8d8510ffffff         | lea                 eax, [ebp - 0xf0]
            //   6a4c                 | push                0x4c

        $sequence_8 = { 8bf9 ff15???????? 3bf8 0f84bb000000 }
            // n = 4, score = 400
            //   8bf9                 | mov                 edi, ecx
            //   ff15????????         |                     
            //   3bf8                 | cmp                 edi, eax
            //   0f84bb000000         | je                  0xc1

        $sequence_9 = { 8b7508 ff7604 8b06 ffd0 56 e8???????? }
            // n = 6, score = 400
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   ff7604               | push                dword ptr [esi + 4]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   ffd0                 | call                eax
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_10 = { ffd6 85c0 7431 ff35???????? }
            // n = 4, score = 400
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7431                 | je                  0x33
            //   ff35????????         |                     

        $sequence_11 = { 8bd8 85db 0f849d000000 8d85d0fdffff c785d0fdffff2c020000 50 53 }
            // n = 7, score = 400
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   0f849d000000         | je                  0xa3
            //   8d85d0fdffff         | lea                 eax, [ebp - 0x230]
            //   c785d0fdffff2c020000     | mov    dword ptr [ebp - 0x230], 0x22c
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_12 = { 683f010f00 6a00 8d85a0f3ffff 50 6802000080 ff15???????? 85c0 }
            // n = 7, score = 400
            //   683f010f00           | push                0xf013f
            //   6a00                 | push                0
            //   8d85a0f3ffff         | lea                 eax, [ebp - 0xc60]
            //   50                   | push                eax
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_13 = { 85c0 0f85bb000000 6800020000 8d85a0fbffff 50 }
            // n = 5, score = 400
            //   85c0                 | test                eax, eax
            //   0f85bb000000         | jne                 0xc1
            //   6800020000           | push                0x200
            //   8d85a0fbffff         | lea                 eax, [ebp - 0x460]
            //   50                   | push                eax

        $sequence_14 = { bfffff0000 0f46f9 3d00005000 b900400000 }
            // n = 4, score = 400
            //   bfffff0000           | mov                 edi, 0xffff
            //   0f46f9               | cmovbe              edi, ecx
            //   3d00005000           | cmp                 eax, 0x500000
            //   b900400000           | mov                 ecx, 0x4000

        $sequence_15 = { 8d8c2468020000 e8???????? 8d442418 50 ff742414 ff15???????? }
            // n = 6, score = 400
            //   8d8c2468020000       | lea                 ecx, [esp + 0x268]
            //   e8????????           |                     
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   ff15????????         |                     

        $sequence_16 = { eb07 8b0cc5dc084100 894de4 85c9 }
            // n = 4, score = 200
            //   eb07                 | jmp                 9
            //   8b0cc5dc084100       | mov                 ecx, dword ptr [eax*8 + 0x4108dc]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   85c9                 | test                ecx, ecx

        $sequence_17 = { 0f8501010000 c745e0e4ff4000 8b4508 8bcf }
            // n = 4, score = 200
            //   0f8501010000         | jne                 0x107
            //   c745e0e4ff4000       | mov                 dword ptr [ebp - 0x20], 0x40ffe4
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bcf                 | mov                 ecx, edi

        $sequence_18 = { 6a0a 8854382a 8b048dd01f0210 8874382b 8b048dd01f0210 5a }
            // n = 6, score = 200
            //   6a0a                 | push                0xa
            //   8854382a             | mov                 byte ptr [eax + edi + 0x2a], dl
            //   8b048dd01f0210       | mov                 eax, dword ptr [ecx*4 + 0x10021fd0]
            //   8874382b             | mov                 byte ptr [eax + edi + 0x2b], dh
            //   8b048dd01f0210       | mov                 eax, dword ptr [ecx*4 + 0x10021fd0]
            //   5a                   | pop                 edx

        $sequence_19 = { 0f8580000000 8b4508 dd00 ebc6 c745e0e8ff4000 }
            // n = 5, score = 200
            //   0f8580000000         | jne                 0x86
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   dd00                 | fld                 qword ptr [eax]
            //   ebc6                 | jmp                 0xffffffc8
            //   c745e0e8ff4000       | mov                 dword ptr [ebp - 0x20], 0x40ffe8

        $sequence_20 = { 6689823e020000 0fb68340020000 888240020000 8d8344020000 50 e8???????? }
            // n = 6, score = 200
            //   6689823e020000       | mov                 word ptr [edx + 0x23e], ax
            //   0fb68340020000       | movzx               eax, byte ptr [ebx + 0x240]
            //   888240020000         | mov                 byte ptr [edx + 0x240], al
            //   8d8344020000         | lea                 eax, [ebx + 0x244]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_21 = { 50 ff15???????? 6a02 ff15???????? 50 ffd6 ff770c }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   ff770c               | push                dword ptr [edi + 0xc]

        $sequence_22 = { 0fb605???????? 88413e 0f1005???????? 0f118133010000 a1???????? 898143010000 }
            // n = 6, score = 200
            //   0fb605????????       |                     
            //   88413e               | mov                 byte ptr [ecx + 0x3e], al
            //   0f1005????????       |                     
            //   0f118133010000       | movups              xmmword ptr [ecx + 0x133], xmm0
            //   a1????????           |                     
            //   898143010000         | mov                 dword ptr [ecx + 0x143], eax

        $sequence_23 = { 83e901 740d 83e902 7521 }
            // n = 4, score = 200
            //   83e901               | sub                 ecx, 1
            //   740d                 | je                  0xf
            //   83e902               | sub                 ecx, 2
            //   7521                 | jne                 0x23

        $sequence_24 = { 660f28b820004100 660f54f0 660f5cc6 660f59f4 660f5cf2 f20f58fe }
            // n = 6, score = 200
            //   660f28b820004100     | movapd              xmm7, xmmword ptr [eax + 0x410020]
            //   660f54f0             | andpd               xmm6, xmm0
            //   660f5cc6             | subpd               xmm0, xmm6
            //   660f59f4             | mulpd               xmm6, xmm4
            //   660f5cf2             | subpd               xmm6, xmm2
            //   f20f58fe             | addsd               xmm7, xmm6

        $sequence_25 = { 807b0100 0f85fc000000 a840 0f85d5000000 ff35???????? ff15???????? }
            // n = 6, score = 200
            //   807b0100             | cmp                 byte ptr [ebx + 1], 0
            //   0f85fc000000         | jne                 0x102
            //   a840                 | test                al, 0x40
            //   0f85d5000000         | jne                 0xdb
            //   ff35????????         |                     
            //   ff15????????         |                     

        $sequence_26 = { 89422c 0fb64330 884230 0fb64331 884231 0fb64332 }
            // n = 6, score = 200
            //   89422c               | mov                 dword ptr [edx + 0x2c], eax
            //   0fb64330             | movzx               eax, byte ptr [ebx + 0x30]
            //   884230               | mov                 byte ptr [edx + 0x30], al
            //   0fb64331             | movzx               eax, byte ptr [ebx + 0x31]
            //   884231               | mov                 byte ptr [edx + 0x31], al
            //   0fb64332             | movzx               eax, byte ptr [ebx + 0x32]

        $sequence_27 = { 746a ff7508 8b15???????? 51 8bcb e8???????? }
            // n = 6, score = 200
            //   746a                 | je                  0x6c
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b15????????         |                     
            //   51                   | push                ecx
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_28 = { 85c0 7450 6aff 56 ff15???????? }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   7450                 | je                  0x52
            //   6aff                 | push                -1
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_29 = { ba???????? 0f94c1 884b32 84c9 a1???????? f30f7e05???????? }
            // n = 6, score = 200
            //   ba????????           |                     
            //   0f94c1               | sete                cl
            //   884b32               | mov                 byte ptr [ebx + 0x32], cl
            //   84c9                 | test                cl, cl
            //   a1????????           |                     
            //   f30f7e05????????     |                     

        $sequence_30 = { 8b442418 89442440 8d44243c 50 ff15???????? 50 }
            // n = 6, score = 200
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   8d44243c             | lea                 eax, [esp + 0x3c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_31 = { ff15???????? 68???????? ff15???????? 85c0 7417 68???????? }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7417                 | je                  0x19
            //   68????????           |                     

        $sequence_32 = { 83c410 84c0 0f84b9010000 8b8520ffffff 8bbd1cffffff 2bc7 }
            // n = 6, score = 100
            //   83c410               | add                 esp, 0x10
            //   84c0                 | test                al, al
            //   0f84b9010000         | je                  0x1bf
            //   8b8520ffffff         | mov                 eax, dword ptr [ebp - 0xe0]
            //   8bbd1cffffff         | mov                 edi, dword ptr [ebp - 0xe4]
            //   2bc7                 | sub                 eax, edi

        $sequence_33 = { 8d4dc8 ff30 e8???????? 8d4d84 83ff02 0f86a4000000 }
            // n = 6, score = 100
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   8d4d84               | lea                 ecx, [ebp - 0x7c]
            //   83ff02               | cmp                 edi, 2
            //   0f86a4000000         | jbe                 0xaa

        $sequence_34 = { e8???????? 6a00 56 8d8d08feffff e8???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   6a00                 | push                0
            //   56                   | push                esi
            //   8d8d08feffff         | lea                 ecx, [ebp - 0x1f8]
            //   e8????????           |                     

        $sequence_35 = { 8bce 8907 53 894704 e8???????? 8b4308 }
            // n = 6, score = 100
            //   8bce                 | mov                 ecx, esi
            //   8907                 | mov                 dword ptr [edi], eax
            //   53                   | push                ebx
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   e8????????           |                     
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]

        $sequence_36 = { 53 8b1c85205e4400 56 6800080000 }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   8b1c85205e4400       | mov                 ebx, dword ptr [eax*4 + 0x445e20]
            //   56                   | push                esi
            //   6800080000           | push                0x800

        $sequence_37 = { 8945e4 8d83bc000000 50 e8???????? 6a28 e8???????? }
            // n = 6, score = 100
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8d83bc000000         | lea                 eax, [ebx + 0xbc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a28                 | push                0x28
            //   e8????????           |                     

        $sequence_38 = { 0fb7c1 8945f8 3905???????? 7f26 663b4df4 7320 }
            // n = 6, score = 100
            //   0fb7c1               | movzx               eax, cx
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   3905????????         |                     
            //   7f26                 | jg                  0x28
            //   663b4df4             | cmp                 cx, word ptr [ebp - 0xc]
            //   7320                 | jae                 0x22

        $sequence_39 = { 33c5 8945fc 8365e000 53 8b5d0c 56 }
            // n = 6, score = 100
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8365e000             | and                 dword ptr [ebp - 0x20], 0
            //   53                   | push                ebx
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   56                   | push                esi

    condition:
        7 of them and filesize < 983040
}
[TLP:WHITE] win_industroyer_w0   (20170615 | CRASHOVERRIDE v1 Suspicious Export)
import "pe"

rule win_industroyer_w0 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    condition:
        pe.exports("Crash") & pe.characteristics
}
[TLP:WHITE] win_industroyer_w1   (20170615 | CRASHOVERRIDE v1 Wiper)
import "pe"

rule win_industroyer_w1 {
    meta:
        description = "CRASHOVERRIDE v1 Wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "SYS_BASCON.COM" fullword nocase wide
        $s1 = ".pcmp" fullword nocase wide
        $s2 = ".pcmi" fullword nocase wide
        $s3 = ".pcmt" fullword nocase wide
        $s4 = ".cin" fullword nocase wide
        
    condition:
        pe.exports("Crash") and any of ($s*)
}
[TLP:WHITE] win_industroyer_w2   (20170615 | CRASHOVERRIDE v1 Suspicious Strings and Export)
import "pe"

rule win_industroyer_w2 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "101.dll" fullword nocase wide
        $s1 = "Crash101.dll" fullword nocase wide
        $s2 = "104.dll" fullword nocase wide
        $s3 = "Crash104.dll" fullword nocase wide
        $s4 = "61850.dll" fullword nocase wide
        $s5 = "Crash61850.dll" fullword nocase wide
        $s6 = "OPCClientDemo.dll" fullword nocase wide
        $s7 = "OPC" fullword nocase wide
        $s8 = "CrashOPCClientDemo.dll" fullword nocase wide
        $s9 = "D2MultiCommService.exe" fullword nocase wide
        $s10 = "CrashD2MultiCommService.exe" fullword nocase wide
        $s11 = "61850.exe" fullword nocase wide
        $s12 = "OPC.exe" fullword nocase wide
        $s13 = "haslo.exe" fullword nocase wide
        $s14 = "haslo.dat" fullword nocase wide     
    condition:
        any of ($s*) and pe.exports("Crash")
}
[TLP:WHITE] win_industroyer_w3   (20170615 | IEC-104 Interaction Module Program Strings)
rule win_industroyer_w3 { 
    meta:
        description = "IEC-104 Interaction Module Program Strings"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:      
        $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii 
        $s2 = " MSTR ->> SLV" nocase wide ascii 
        $s3 = " MSTR <<- SLV" nocase wide ascii 
        $s4 = "Unknown APDU format !!!" nocase wide ascii 
        $s5 = "iec104.log" nocase wide ascii 
    condition:      
        any of ($s*)
}
[TLP:WHITE] win_industroyer_w4   (20170615 | CRASHOVERRIDE v1 Config File Parsing)
rule win_industroyer_w4 {
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
        $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
        $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
        $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w5   (20170615 | Blank mutex creation assoicated with CRASHOVERRIDE)
rule win_industroyer_w5 {
    meta:
        description = "Blank mutex creation assoicated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }
        $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w6   (20170615 | Identify service hollowing and persistence setting)
rule win_industroyer_w6 {
    meta:
        description = "Identify service hollowing and persistence setting"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }
        $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w7   (20170615 | Registry Wiper functionality assoicated with CRASHOVERRIDE)
rule win_industroyer_w7 {
    meta:
        description = "Registry Wiper functionality assoicated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/industroyer/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }
        $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }
        $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w8   (20170615 | File manipulation actions associated with CRASHOVERRIDE wiper)
rule win_industroyer_w8 {
    meta:
        description = "File manipulation actions associated with CRASHOVERRIDE wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }
        $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }
    condition:
        all of them
}
Download all Yara Rules