Industroyer (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.industroyer (Back to overview)

Industroyer

aka: Crash, CrashOverride

Actor(s): ELECTRUM

VTCollection

Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.

References

2024-04-16 ⋅ Mandiant ⋅ Alden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie Aytes, Nick Simonian, Ryan Hall, Tyler McLellan
APT44: Unearthing Sandworm
VPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic Destroyer PartyTicket RoarBAT Sandworm

2024-04-15 ⋅ UC Santa Cruz ⋅ Alonso Rojas, Alvaro A. Cardenas, Bing Huang, Emmanuele Zambon, Juan Lozano, Keerthi Koneru, Luis Salazar, Marina Krotofil, Ross Baldick, Sebastian R. Castro
A Tale of Two Industroyers: It was the Season of Darkness
Industroyer INDUSTROYER2

2022-07-26 ⋅ Mandiant ⋅ Daniel Kapellmann Zafra, Jay Christiansen, Keith Lunden, Ken Proska, Thibault van Geluwe de Berlaere
Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton

2022-04-20 ⋅ CISA ⋅ CISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet

2022-04-20 ⋅ CISA ⋅ Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader

2022-04-12 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2

2022-04-12 ⋅ ESET Research ⋅ ESET Research
Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2

2022-02-24 ⋅ Tesorion ⋅ TESORION
Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate

2022-02-24 ⋅ nviso ⋅ Michel Coene
Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate

2021-02-11 ⋅ DomainTools ⋅ Joe Slowik
Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton

2020-12-21 ⋅ IronNet ⋅ Adam Hlavek, Kimberly Ortiz
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess

2020-11-12 ⋅ Dragos ⋅ Dragos
Cyber Threat Perspective MANUFACTURING SECTOR
Industroyer Snake

2020-10-19 ⋅ UK Government ⋅ Dominic Raab, ForeignCommonwealth & Development Office
UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer

2020-10-19 ⋅ Riskint Blog ⋅ Curtis
Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer

2020-01-31 ⋅ Virus Bulletin ⋅ Michal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot

2020-01-01 ⋅ Dragos ⋅ Joe Slowik
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor

2018-10-11 ⋅ ESET Research ⋅ Anton Cherepanov, Robert Lipovsky
New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer

2017-10-05 ⋅ Virus Bulletin ⋅ Anton Cherepanov, Robert Lipovsky
Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer

2017-07-04 ⋅ Wikipedia ⋅ Various
Industroyer
Industroyer

2017-06-13 ⋅ Dragos ⋅ Dragos
CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations
Industroyer Sandworm

2017-06-12 ⋅ ESET Research ⋅ Anton Cherepanov
WIN32/INDUSTROYER: A new threat for industrial control systems
Industroyer Sandworm

2017-06-12 ⋅ ESET Research ⋅ Anton Cherepanov, Robert Lipovsky
Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer

Yara Rules

[TLP:WHITE] win_industroyer_auto (20260504 \| Detects win.industroyer.) rule win_industroyer_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.industroyer." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 53 33d2 bbbb010000 66395d0c } // n = 4, score = 600 // 53 \| push ebx // 33d2 \| xor edx, edx // bbbb010000 \| mov ebx, 0x1bb // 66395d0c \| cmp word ptr [ebp + 0xc], bx $sequence_1 = { 8d45fc 50 6a04 8d4510 50 ff35???????? } // n = 6, score = 600 // 8d45fc \| lea eax, [ebp - 4] // 50 \| push eax // 6a04 \| push 4 // 8d4510 \| lea eax, [ebp + 0x10] // 50 \| push eax // ff35???????? \| $sequence_2 = { 8bf8 53 57 e8???????? 83c410 8bc7 5f } // n = 7, score = 600 // 8bf8 \| mov edi, eax // 53 \| push ebx // 57 \| push edi // e8???????? \| // 83c410 \| add esp, 0x10 // 8bc7 \| mov eax, edi // 5f \| pop edi $sequence_3 = { e8???????? 8945f0 e8???????? 50 8945e8 e8???????? 83c40c } // n = 7, score = 600 // e8???????? \| // 8945f0 \| mov dword ptr [ebp - 0x10], eax // e8???????? \| // 50 \| push eax // 8945e8 \| mov dword ptr [ebp - 0x18], eax // e8???????? \| // 83c40c \| add esp, 0xc $sequence_4 = { 8945ec 8945e8 33c0 668945dc 8d85a4fdffff } // n = 5, score = 600 // 8945ec \| mov dword ptr [ebp - 0x14], eax // 8945e8 \| mov dword ptr [ebp - 0x18], eax // 33c0 \| xor eax, eax // 668945dc \| mov word ptr [ebp - 0x24], ax // 8d85a4fdffff \| lea eax, [ebp - 0x25c] $sequence_5 = { 68???????? 6a03 50 ff15???????? 8bf0 } // n = 5, score = 600 // 68???????? \| // 6a03 \| push 3 // 50 \| push eax // ff15???????? \| // 8bf0 \| mov esi, eax $sequence_6 = { 83c414 56 56 50 } // n = 4, score = 600 // 83c414 \| add esp, 0x14 // 56 \| push esi // 56 \| push esi // 50 \| push eax $sequence_7 = { 8d45f8 50 6a06 53 ffd6 } // n = 5, score = 600 // 8d45f8 \| lea eax, [ebp - 8] // 50 \| push eax // 6a06 \| push 6 // 53 \| push ebx // ffd6 \| call esi $sequence_8 = { 0f84bb000000 53 56 57 6a02 ff15???????? 8bd8 } // n = 7, score = 400 // 0f84bb000000 \| je 0xc1 // 53 \| push ebx // 56 \| push esi // 57 \| push edi // 6a02 \| push 2 // ff15???????? \| // 8bd8 \| mov ebx, eax $sequence_9 = { 85c0 75cd 56 ff15???????? 8b8c2474040000 5f } // n = 6, score = 400 // 85c0 \| test eax, eax // 75cd \| jne 0xffffffcf // 56 \| push esi // ff15???????? \| // 8b8c2474040000 \| mov ecx, dword ptr [esp + 0x474] // 5f \| pop edi $sequence_10 = { 0f46f9 3d00005000 b900400000 0f46f9 3d00003000 } // n = 5, score = 400 // 0f46f9 \| cmovbe edi, ecx // 3d00005000 \| cmp eax, 0x500000 // b900400000 \| mov ecx, 0x4000 // 0f46f9 \| cmovbe edi, ecx // 3d00003000 \| cmp eax, 0x300000 $sequence_11 = { 5d c3 6a00 53 ff15???????? 3d0000a000 } // n = 6, score = 400 // 5d \| pop ebp // c3 \| ret // 6a00 \| push 0 // 53 \| push ebx // ff15???????? \| // 3d0000a000 \| cmp eax, 0xa00000 $sequence_12 = { 8bf9 ff15???????? 3bf8 0f84bb000000 53 56 } // n = 6, score = 400 // 8bf9 \| mov edi, ecx // ff15???????? \| // 3bf8 \| cmp edi, eax // 0f84bb000000 \| je 0xc1 // 53 \| push ebx // 56 \| push esi $sequence_13 = { 743c 6690 f644241810 751c } // n = 4, score = 400 // 743c \| je 0x3e // 6690 \| nop // f644241810 \| test byte ptr [esp + 0x18], 0x10 // 751c \| jne 0x1e $sequence_14 = { 68???????? 8bf9 89542418 57 50 ffd3 8d442418 } // n = 7, score = 400 // 68???????? \| // 8bf9 \| mov edi, ecx // 89542418 \| mov dword ptr [esp + 0x18], edx // 57 \| push edi // 50 \| push eax // ffd3 \| call ebx // 8d442418 \| lea eax, [esp + 0x18] $sequence_15 = { e8???????? 46 3b35???????? 72eb b101 } // n = 5, score = 400 // e8???????? \| // 46 \| inc esi // 3b35???????? \| // 72eb \| jb 0xffffffed // b101 \| mov cl, 1 $sequence_16 = { 50 56 ff15???????? 85c0 7450 6aff } // n = 6, score = 200 // 50 \| push eax // 56 \| push esi // ff15???????? \| // 85c0 \| test eax, eax // 7450 \| je 0x52 // 6aff \| push -1 $sequence_17 = { 8b34cd20ee4000 8b4d08 6a5a 2bce 5b 0fb70431 } // n = 6, score = 200 // 8b34cd20ee4000 \| mov esi, dword ptr [ecx8 + 0x40ee20] // 8b4d08 \| mov ecx, dword ptr [ebp + 8] // 6a5a \| push 0x5a // 2bce \| sub ecx, esi // 5b \| pop ebx // 0fb70431 \| movzx eax, word ptr [ecx + esi] $sequence_18 = { 747a 6a00 6a01 6a00 ff15???????? 8bf0 } // n = 6, score = 200 // 747a \| je 0x7c // 6a00 \| push 0 // 6a01 \| push 1 // 6a00 \| push 0 // ff15???????? \| // 8bf0 \| mov esi, eax $sequence_19 = { c705????????00000000 ffd3 a1???????? 6aff 8945f8 8d45f4 } // n = 6, score = 200 // c705????????00000000 \| // ffd3 \| call ebx // a1???????? \| // 6aff \| push -1 // 8945f8 \| mov dword ptr [ebp - 8], eax // 8d45f4 \| lea eax, [ebp - 0xc] $sequence_20 = { eb09 ff15???????? 8945f0 68???????? ff35???????? c705????????00000000 c705????????01000000 } // n = 7, score = 200 // eb09 \| jmp 0xb // ff15???????? \| // 8945f0 \| mov dword ptr [ebp - 0x10], eax // 68???????? \| // ff35???????? \| // c705????????00000000 \| // c705????????01000000 \| $sequence_21 = { 0fb64332 884232 0fb64333 884233 f3a5 } // n = 5, score = 200 // 0fb64332 \| movzx eax, byte ptr [ebx + 0x32] // 884232 \| mov byte ptr [edx + 0x32], al // 0fb64333 \| movzx eax, byte ptr [ebx + 0x33] // 884233 \| mov byte ptr [edx + 0x33], al // f3a5 \| rep movsd dword ptr es:[edi], dword ptr [esi] $sequence_22 = { 8d85f0feffff 50 8b0f e8???????? 8b0f } // n = 5, score = 200 // 8d85f0feffff \| lea eax, [ebp - 0x110] // 50 \| push eax // 8b0f \| mov ecx, dword ptr [edi] // e8???????? \| // 8b0f \| mov ecx, dword ptr [edi] $sequence_23 = { 833d????????00 0f85b00a0000 8d0d90fd4000 ba1b000000 e8???????? } // n = 5, score = 200 // 833d????????00 \| // 0f85b00a0000 \| jne 0xab6 // 8d0d90fd4000 \| lea ecx, [0x40fd90] // ba1b000000 \| mov edx, 0x1b // e8???????? \| $sequence_24 = { 0fb64203 884603 0fb64204 884604 8b4204 c1f808 884605 } // n = 7, score = 200 // 0fb64203 \| movzx eax, byte ptr [edx + 3] // 884603 \| mov byte ptr [esi + 3], al // 0fb64204 \| movzx eax, byte ptr [edx + 4] // 884604 \| mov byte ptr [esi + 4], al // 8b4204 \| mov eax, dword ptr [edx + 4] // c1f808 \| sar eax, 8 // 884605 \| mov byte ptr [esi + 5], al $sequence_25 = { 837c243c04 0f85bd000000 ff7704 ff15???????? ff7708 } // n = 5, score = 200 // 837c243c04 \| cmp dword ptr [esp + 0x3c], 4 // 0f85bd000000 \| jne 0xc3 // ff7704 \| push dword ptr [edi + 4] // ff15???????? \| // ff7708 \| push dword ptr [edi + 8] $sequence_26 = { 56 68???????? 50 8d95f0fffeff 8bcf } // n = 5, score = 200 // 56 \| push esi // 68???????? \| // 50 \| push eax // 8d95f0fffeff \| lea edx, [ebp - 0x10010] // 8bcf \| mov ecx, edi $sequence_27 = { 84c9 a1???????? f30f7e05???????? 89442438 66a1???????? 668944243c a0???????? } // n = 7, score = 200 // 84c9 \| test cl, cl // a1???????? \| // f30f7e05???????? \| // 89442438 \| mov dword ptr [esp + 0x38], eax // 66a1???????? \| // 668944243c \| mov word ptr [esp + 0x3c], ax // a0???????? \| $sequence_28 = { 83c404 8985fcf9fdff 8d85fcf9fdff 8d8dc8fefeff } // n = 4, score = 200 // 83c404 \| add esp, 4 // 8985fcf9fdff \| mov dword ptr [ebp - 0x20604], eax // 8d85fcf9fdff \| lea eax, [ebp - 0x20604] // 8d8dc8fefeff \| lea ecx, [ebp - 0x10138] $sequence_29 = { 5d c20400 c6420201 8a410c 02c0 884204 } // n = 6, score = 200 // 5d \| pop ebp // c20400 \| ret 4 // c6420201 \| mov byte ptr [edx + 2], 1 // 8a410c \| mov al, byte ptr [ecx + 0xc] // 02c0 \| add al, al // 884204 \| mov byte ptr [edx + 4], al $sequence_30 = { f30f7e0e 83e908 8d7608 660fd60f 8d7f08 8b048dc4ab4000 ffe0 } // n = 7, score = 200 // f30f7e0e \| movq xmm1, qword ptr [esi] // 83e908 \| sub ecx, 8 // 8d7608 \| lea esi, [esi + 8] // 660fd60f \| movq qword ptr [edi], xmm1 // 8d7f08 \| lea edi, [edi + 8] // 8b048dc4ab4000 \| mov eax, dword ptr [ecx4 + 0x40abc4] // ffe0 \| jmp eax $sequence_31 = { 50 e8???????? 8b06 5f 5e 0fb64005 } // n = 6, score = 200 // 50 \| push eax // e8???????? \| // 8b06 \| mov eax, dword ptr [esi] // 5f \| pop edi // 5e \| pop esi // 0fb64005 \| movzx eax, byte ptr [eax + 5] $sequence_32 = { 897c241c e8???????? 53 6a01 8d8c24d4000000 } // n = 5, score = 100 // 897c241c \| mov dword ptr [esp + 0x1c], edi // e8???????? \| // 53 \| push ebx // 6a01 \| push 1 // 8d8c24d4000000 \| lea ecx, [esp + 0xd4] $sequence_33 = { 8d0441 50 52 8d954cffffff 8d8d14ffffff } // n = 5, score = 100 // 8d0441 \| lea eax, [ecx + eax2] // 50 \| push eax // 52 \| push edx // 8d954cffffff \| lea edx, [ebp - 0xb4] // 8d8d14ffffff \| lea ecx, [ebp - 0xec] $sequence_34 = { e8???????? 8d8d7cfdffff 83fb06 0f86c1020000 8d4e48 8d4648 } // n = 6, score = 100 // e8???????? \| // 8d8d7cfdffff \| lea ecx, [ebp - 0x284] // 83fb06 \| cmp ebx, 6 // 0f86c1020000 \| jbe 0x2c7 // 8d4e48 \| lea ecx, [esi + 0x48] // 8d4648 \| lea eax, [esi + 0x48] $sequence_35 = { 7417 807d0c00 0f8488000000 53 8d4db8 } // n = 5, score = 100 // 7417 \| je 0x19 // 807d0c00 \| cmp byte ptr [ebp + 0xc], 0 // 0f8488000000 \| je 0x8e // 53 \| push ebx // 8d4db8 \| lea ecx, [ebp - 0x48] $sequence_36 = { 0f434da0 51 e8???????? 59 } // n = 4, score = 100 // 0f434da0 \| cmovae ecx, dword ptr [ebp - 0x60] // 51 \| push ecx // e8???????? \| // 59 \| pop ecx $sequence_37 = { b8???????? e8???????? 8bf1 8975ec 8b4e04 } // n = 5, score = 100 // b8???????? \| // e8???????? \| // 8bf1 \| mov esi, ecx // 8975ec \| mov dword ptr [ebp - 0x14], esi // 8b4e04 \| mov ecx, dword ptr [esi + 4] $sequence_38 = { 8b4dfc 5f 5e 89480c } // n = 4, score = 100 // 8b4dfc \| mov ecx, dword ptr [ebp - 4] // 5f \| pop edi // 5e \| pop esi // 89480c \| mov dword ptr [eax + 0xc], ecx $sequence_39 = { 5f 807dfc00 5e 7409 ff75f8 } // n = 5, score = 100 // 5f \| pop edi // 807dfc00 \| cmp byte ptr [ebp - 4], 0 // 5e \| pop esi // 7409 \| je 0xb // ff75f8 \| push dword ptr [ebp - 8] condition: 7 of them and filesize < 983040 }
[TLP:WHITE] win_industroyer_w0 (20241220 \| CRASHOVERRIDE v1 Suspicious Export) import "pe" rule win_industroyer_w0 { meta: description = "CRASHOVERRIDE v1 Suspicious Export" author = "Dragos Inc" modified_by = "Rony (r0ny_123)" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20241220" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" condition: pe.exports("Crash") and pe.characteristics & pe.DLL }
[TLP:WHITE] win_industroyer_w1 (20170615 \| CRASHOVERRIDE v1 Wiper) import "pe" rule win_industroyer_w1 { meta: description = "CRASHOVERRIDE v1 Wiper" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = "SYS_BASCON.COM" fullword nocase wide $s1 = ".pcmp" fullword nocase wide $s2 = ".pcmi" fullword nocase wide $s3 = ".pcmt" fullword nocase wide $s4 = ".cin" fullword nocase wide condition: pe.exports("Crash") and any of ($s*) }
[TLP:WHITE] win_industroyer_w2 (20170615 \| CRASHOVERRIDE v1 Suspicious Strings and Export) import "pe" rule win_industroyer_w2 { meta: description = "CRASHOVERRIDE v1 Suspicious Strings and Export" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = "101.dll" fullword nocase wide $s1 = "Crash101.dll" fullword nocase wide $s2 = "104.dll" fullword nocase wide $s3 = "Crash104.dll" fullword nocase wide $s4 = "61850.dll" fullword nocase wide $s5 = "Crash61850.dll" fullword nocase wide $s6 = "OPCClientDemo.dll" fullword nocase wide $s7 = "OPC" fullword nocase wide $s8 = "CrashOPCClientDemo.dll" fullword nocase wide $s9 = "D2MultiCommService.exe" fullword nocase wide $s10 = "CrashD2MultiCommService.exe" fullword nocase wide $s11 = "61850.exe" fullword nocase wide $s12 = "OPC.exe" fullword nocase wide $s13 = "haslo.exe" fullword nocase wide $s14 = "haslo.dat" fullword nocase wide condition: any of ($s*) and pe.exports("Crash") }
[TLP:WHITE] win_industroyer_w3 (20170615 \| IEC-104 Interaction Module Program Strings) rule win_industroyer_w3 { meta: description = "IEC-104 Interaction Module Program Strings" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii $s2 = " MSTR ->> SLV" nocase wide ascii $s3 = " MSTR <<- SLV" nocase wide ascii $s4 = "Unknown APDU format !!!" nocase wide ascii $s5 = "iec104.log" nocase wide ascii condition: any of ($s*) }
[TLP:WHITE] win_industroyer_w4 (20170615 \| CRASHOVERRIDE v1 Config File Parsing) rule win_industroyer_w4 { meta: description = "CRASHOVERRIDE v1 Config File Parsing" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 } $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 } $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? } $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? } condition: all of them }
[TLP:WHITE] win_industroyer_w5 (20170615 \| Blank mutex creation assoicated with CRASHOVERRIDE) rule win_industroyer_w5 { meta: description = "Blank mutex creation assoicated with CRASHOVERRIDE" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 } $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00} condition: all of them }
[TLP:WHITE] win_industroyer_w6 (20170615 \| Identify service hollowing and persistence setting) rule win_industroyer_w6 { meta: description = "Identify service hollowing and persistence setting" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? } $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 } condition: all of them }
[TLP:WHITE] win_industroyer_w7 (20170615 \| Registry Wiper functionality assoicated with CRASHOVERRIDE) rule win_industroyer_w7 { meta: description = "Registry Wiper functionality assoicated with CRASHOVERRIDE" author = "Dragos Inc" reference = "https://dragos.com/blog/industroyer/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 } $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? } $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 } condition: all of them }
[TLP:WHITE] win_industroyer_w8 (20170615 \| File manipulation actions associated with CRASHOVERRIDE wiper) rule win_industroyer_w8 { meta: description = "File manipulation actions associated with CRASHOVERRIDE wiper" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 } $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 } condition: all of them }

Download all Yara Rules

[TLP:WHITE] win_industroyer_auto (20260504 \| Detects win.industroyer.) rule win_industroyer_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.industroyer." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 53 33d2 bbbb010000 66395d0c } // n = 4, score = 600 // 53 \| push ebx // 33d2 \| xor edx, edx // bbbb010000 \| mov ebx, 0x1bb // 66395d0c \| cmp word ptr [ebp + 0xc], bx $sequence_1 = { 8d45fc 50 6a04 8d4510 50 ff35???????? } // n = 6, score = 600 // 8d45fc \| lea eax, [ebp - 4] // 50 \| push eax // 6a04 \| push 4 // 8d4510 \| lea eax, [ebp + 0x10] // 50 \| push eax // ff35???????? \| $sequence_2 = { 8bf8 53 57 e8???????? 83c410 8bc7 5f } // n = 7, score = 600 // 8bf8 \| mov edi, eax // 53 \| push ebx // 57 \| push edi // e8???????? \| // 83c410 \| add esp, 0x10 // 8bc7 \| mov eax, edi // 5f \| pop edi $sequence_3 = { e8???????? 8945f0 e8???????? 50 8945e8 e8???????? 83c40c } // n = 7, score = 600 // e8???????? \| // 8945f0 \| mov dword ptr [ebp - 0x10], eax // e8???????? \| // 50 \| push eax // 8945e8 \| mov dword ptr [ebp - 0x18], eax // e8???????? \| // 83c40c \| add esp, 0xc $sequence_4 = { 8945ec 8945e8 33c0 668945dc 8d85a4fdffff } // n = 5, score = 600 // 8945ec \| mov dword ptr [ebp - 0x14], eax // 8945e8 \| mov dword ptr [ebp - 0x18], eax // 33c0 \| xor eax, eax // 668945dc \| mov word ptr [ebp - 0x24], ax // 8d85a4fdffff \| lea eax, [ebp - 0x25c] $sequence_5 = { 68???????? 6a03 50 ff15???????? 8bf0 } // n = 5, score = 600 // 68???????? \| // 6a03 \| push 3 // 50 \| push eax // ff15???????? \| // 8bf0 \| mov esi, eax $sequence_6 = { 83c414 56 56 50 } // n = 4, score = 600 // 83c414 \| add esp, 0x14 // 56 \| push esi // 56 \| push esi // 50 \| push eax $sequence_7 = { 8d45f8 50 6a06 53 ffd6 } // n = 5, score = 600 // 8d45f8 \| lea eax, [ebp - 8] // 50 \| push eax // 6a06 \| push 6 // 53 \| push ebx // ffd6 \| call esi $sequence_8 = { 0f84bb000000 53 56 57 6a02 ff15???????? 8bd8 } // n = 7, score = 400 // 0f84bb000000 \| je 0xc1 // 53 \| push ebx // 56 \| push esi // 57 \| push edi // 6a02 \| push 2 // ff15???????? \| // 8bd8 \| mov ebx, eax $sequence_9 = { 85c0 75cd 56 ff15???????? 8b8c2474040000 5f } // n = 6, score = 400 // 85c0 \| test eax, eax // 75cd \| jne 0xffffffcf // 56 \| push esi // ff15???????? \| // 8b8c2474040000 \| mov ecx, dword ptr [esp + 0x474] // 5f \| pop edi $sequence_10 = { 0f46f9 3d00005000 b900400000 0f46f9 3d00003000 } // n = 5, score = 400 // 0f46f9 \| cmovbe edi, ecx // 3d00005000 \| cmp eax, 0x500000 // b900400000 \| mov ecx, 0x4000 // 0f46f9 \| cmovbe edi, ecx // 3d00003000 \| cmp eax, 0x300000 $sequence_11 = { 5d c3 6a00 53 ff15???????? 3d0000a000 } // n = 6, score = 400 // 5d \| pop ebp // c3 \| ret // 6a00 \| push 0 // 53 \| push ebx // ff15???????? \| // 3d0000a000 \| cmp eax, 0xa00000 $sequence_12 = { 8bf9 ff15???????? 3bf8 0f84bb000000 53 56 } // n = 6, score = 400 // 8bf9 \| mov edi, ecx // ff15???????? \| // 3bf8 \| cmp edi, eax // 0f84bb000000 \| je 0xc1 // 53 \| push ebx // 56 \| push esi $sequence_13 = { 743c 6690 f644241810 751c } // n = 4, score = 400 // 743c \| je 0x3e // 6690 \| nop // f644241810 \| test byte ptr [esp + 0x18], 0x10 // 751c \| jne 0x1e $sequence_14 = { 68???????? 8bf9 89542418 57 50 ffd3 8d442418 } // n = 7, score = 400 // 68???????? \| // 8bf9 \| mov edi, ecx // 89542418 \| mov dword ptr [esp + 0x18], edx // 57 \| push edi // 50 \| push eax // ffd3 \| call ebx // 8d442418 \| lea eax, [esp + 0x18] $sequence_15 = { e8???????? 46 3b35???????? 72eb b101 } // n = 5, score = 400 // e8???????? \| // 46 \| inc esi // 3b35???????? \| // 72eb \| jb 0xffffffed // b101 \| mov cl, 1 $sequence_16 = { 50 56 ff15???????? 85c0 7450 6aff } // n = 6, score = 200 // 50 \| push eax // 56 \| push esi // ff15???????? \| // 85c0 \| test eax, eax // 7450 \| je 0x52 // 6aff \| push -1 $sequence_17 = { 8b34cd20ee4000 8b4d08 6a5a 2bce 5b 0fb70431 } // n = 6, score = 200 // 8b34cd20ee4000 \| mov esi, dword ptr [ecx8 + 0x40ee20] // 8b4d08 \| mov ecx, dword ptr [ebp + 8] // 6a5a \| push 0x5a // 2bce \| sub ecx, esi // 5b \| pop ebx // 0fb70431 \| movzx eax, word ptr [ecx + esi] $sequence_18 = { 747a 6a00 6a01 6a00 ff15???????? 8bf0 } // n = 6, score = 200 // 747a \| je 0x7c // 6a00 \| push 0 // 6a01 \| push 1 // 6a00 \| push 0 // ff15???????? \| // 8bf0 \| mov esi, eax $sequence_19 = { c705????????00000000 ffd3 a1???????? 6aff 8945f8 8d45f4 } // n = 6, score = 200 // c705????????00000000 \| // ffd3 \| call ebx // a1???????? \| // 6aff \| push -1 // 8945f8 \| mov dword ptr [ebp - 8], eax // 8d45f4 \| lea eax, [ebp - 0xc] $sequence_20 = { eb09 ff15???????? 8945f0 68???????? ff35???????? c705????????00000000 c705????????01000000 } // n = 7, score = 200 // eb09 \| jmp 0xb // ff15???????? \| // 8945f0 \| mov dword ptr [ebp - 0x10], eax // 68???????? \| // ff35???????? \| // c705????????00000000 \| // c705????????01000000 \| $sequence_21 = { 0fb64332 884232 0fb64333 884233 f3a5 } // n = 5, score = 200 // 0fb64332 \| movzx eax, byte ptr [ebx + 0x32] // 884232 \| mov byte ptr [edx + 0x32], al // 0fb64333 \| movzx eax, byte ptr [ebx + 0x33] // 884233 \| mov byte ptr [edx + 0x33], al // f3a5 \| rep movsd dword ptr es:[edi], dword ptr [esi] $sequence_22 = { 8d85f0feffff 50 8b0f e8???????? 8b0f } // n = 5, score = 200 // 8d85f0feffff \| lea eax, [ebp - 0x110] // 50 \| push eax // 8b0f \| mov ecx, dword ptr [edi] // e8???????? \| // 8b0f \| mov ecx, dword ptr [edi] $sequence_23 = { 833d????????00 0f85b00a0000 8d0d90fd4000 ba1b000000 e8???????? } // n = 5, score = 200 // 833d????????00 \| // 0f85b00a0000 \| jne 0xab6 // 8d0d90fd4000 \| lea ecx, [0x40fd90] // ba1b000000 \| mov edx, 0x1b // e8???????? \| $sequence_24 = { 0fb64203 884603 0fb64204 884604 8b4204 c1f808 884605 } // n = 7, score = 200 // 0fb64203 \| movzx eax, byte ptr [edx + 3] // 884603 \| mov byte ptr [esi + 3], al // 0fb64204 \| movzx eax, byte ptr [edx + 4] // 884604 \| mov byte ptr [esi + 4], al // 8b4204 \| mov eax, dword ptr [edx + 4] // c1f808 \| sar eax, 8 // 884605 \| mov byte ptr [esi + 5], al $sequence_25 = { 837c243c04 0f85bd000000 ff7704 ff15???????? ff7708 } // n = 5, score = 200 // 837c243c04 \| cmp dword ptr [esp + 0x3c], 4 // 0f85bd000000 \| jne 0xc3 // ff7704 \| push dword ptr [edi + 4] // ff15???????? \| // ff7708 \| push dword ptr [edi + 8] $sequence_26 = { 56 68???????? 50 8d95f0fffeff 8bcf } // n = 5, score = 200 // 56 \| push esi // 68???????? \| // 50 \| push eax // 8d95f0fffeff \| lea edx, [ebp - 0x10010] // 8bcf \| mov ecx, edi $sequence_27 = { 84c9 a1???????? f30f7e05???????? 89442438 66a1???????? 668944243c a0???????? } // n = 7, score = 200 // 84c9 \| test cl, cl // a1???????? \| // f30f7e05???????? \| // 89442438 \| mov dword ptr [esp + 0x38], eax // 66a1???????? \| // 668944243c \| mov word ptr [esp + 0x3c], ax // a0???????? \| $sequence_28 = { 83c404 8985fcf9fdff 8d85fcf9fdff 8d8dc8fefeff } // n = 4, score = 200 // 83c404 \| add esp, 4 // 8985fcf9fdff \| mov dword ptr [ebp - 0x20604], eax // 8d85fcf9fdff \| lea eax, [ebp - 0x20604] // 8d8dc8fefeff \| lea ecx, [ebp - 0x10138] $sequence_29 = { 5d c20400 c6420201 8a410c 02c0 884204 } // n = 6, score = 200 // 5d \| pop ebp // c20400 \| ret 4 // c6420201 \| mov byte ptr [edx + 2], 1 // 8a410c \| mov al, byte ptr [ecx + 0xc] // 02c0 \| add al, al // 884204 \| mov byte ptr [edx + 4], al $sequence_30 = { f30f7e0e 83e908 8d7608 660fd60f 8d7f08 8b048dc4ab4000 ffe0 } // n = 7, score = 200 // f30f7e0e \| movq xmm1, qword ptr [esi] // 83e908 \| sub ecx, 8 // 8d7608 \| lea esi, [esi + 8] // 660fd60f \| movq qword ptr [edi], xmm1 // 8d7f08 \| lea edi, [edi + 8] // 8b048dc4ab4000 \| mov eax, dword ptr [ecx4 + 0x40abc4] // ffe0 \| jmp eax $sequence_31 = { 50 e8???????? 8b06 5f 5e 0fb64005 } // n = 6, score = 200 // 50 \| push eax // e8???????? \| // 8b06 \| mov eax, dword ptr [esi] // 5f \| pop edi // 5e \| pop esi // 0fb64005 \| movzx eax, byte ptr [eax + 5] $sequence_32 = { 897c241c e8???????? 53 6a01 8d8c24d4000000 } // n = 5, score = 100 // 897c241c \| mov dword ptr [esp + 0x1c], edi // e8???????? \| // 53 \| push ebx // 6a01 \| push 1 // 8d8c24d4000000 \| lea ecx, [esp + 0xd4] $sequence_33 = { 8d0441 50 52 8d954cffffff 8d8d14ffffff } // n = 5, score = 100 // 8d0441 \| lea eax, [ecx + eax2] // 50 \| push eax // 52 \| push edx // 8d954cffffff \| lea edx, [ebp - 0xb4] // 8d8d14ffffff \| lea ecx, [ebp - 0xec] $sequence_34 = { e8???????? 8d8d7cfdffff 83fb06 0f86c1020000 8d4e48 8d4648 } // n = 6, score = 100 // e8???????? \| // 8d8d7cfdffff \| lea ecx, [ebp - 0x284] // 83fb06 \| cmp ebx, 6 // 0f86c1020000 \| jbe 0x2c7 // 8d4e48 \| lea ecx, [esi + 0x48] // 8d4648 \| lea eax, [esi + 0x48] $sequence_35 = { 7417 807d0c00 0f8488000000 53 8d4db8 } // n = 5, score = 100 // 7417 \| je 0x19 // 807d0c00 \| cmp byte ptr [ebp + 0xc], 0 // 0f8488000000 \| je 0x8e // 53 \| push ebx // 8d4db8 \| lea ecx, [ebp - 0x48] $sequence_36 = { 0f434da0 51 e8???????? 59 } // n = 4, score = 100 // 0f434da0 \| cmovae ecx, dword ptr [ebp - 0x60] // 51 \| push ecx // e8???????? \| // 59 \| pop ecx $sequence_37 = { b8???????? e8???????? 8bf1 8975ec 8b4e04 } // n = 5, score = 100 // b8???????? \| // e8???????? \| // 8bf1 \| mov esi, ecx // 8975ec \| mov dword ptr [ebp - 0x14], esi // 8b4e04 \| mov ecx, dword ptr [esi + 4] $sequence_38 = { 8b4dfc 5f 5e 89480c } // n = 4, score = 100 // 8b4dfc \| mov ecx, dword ptr [ebp - 4] // 5f \| pop edi // 5e \| pop esi // 89480c \| mov dword ptr [eax + 0xc], ecx $sequence_39 = { 5f 807dfc00 5e 7409 ff75f8 } // n = 5, score = 100 // 5f \| pop edi // 807dfc00 \| cmp byte ptr [ebp - 4], 0 // 5e \| pop esi // 7409 \| je 0xb // ff75f8 \| push dword ptr [ebp - 8] condition: 7 of them and filesize < 983040 }
[TLP:WHITE] win_industroyer_w0 (20241220 \| CRASHOVERRIDE v1 Suspicious Export) import "pe" rule win_industroyer_w0 { meta: description = "CRASHOVERRIDE v1 Suspicious Export" author = "Dragos Inc" modified_by = "Rony (r0ny_123)" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20241220" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" condition: pe.exports("Crash") and pe.characteristics & pe.DLL }
[TLP:WHITE] win_industroyer_w1 (20170615 \| CRASHOVERRIDE v1 Wiper) import "pe" rule win_industroyer_w1 { meta: description = "CRASHOVERRIDE v1 Wiper" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = "SYS_BASCON.COM" fullword nocase wide $s1 = ".pcmp" fullword nocase wide $s2 = ".pcmi" fullword nocase wide $s3 = ".pcmt" fullword nocase wide $s4 = ".cin" fullword nocase wide condition: pe.exports("Crash") and any of ($s*) }
[TLP:WHITE] win_industroyer_w2 (20170615 \| CRASHOVERRIDE v1 Suspicious Strings and Export) import "pe" rule win_industroyer_w2 { meta: description = "CRASHOVERRIDE v1 Suspicious Strings and Export" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = "101.dll" fullword nocase wide $s1 = "Crash101.dll" fullword nocase wide $s2 = "104.dll" fullword nocase wide $s3 = "Crash104.dll" fullword nocase wide $s4 = "61850.dll" fullword nocase wide $s5 = "Crash61850.dll" fullword nocase wide $s6 = "OPCClientDemo.dll" fullword nocase wide $s7 = "OPC" fullword nocase wide $s8 = "CrashOPCClientDemo.dll" fullword nocase wide $s9 = "D2MultiCommService.exe" fullword nocase wide $s10 = "CrashD2MultiCommService.exe" fullword nocase wide $s11 = "61850.exe" fullword nocase wide $s12 = "OPC.exe" fullword nocase wide $s13 = "haslo.exe" fullword nocase wide $s14 = "haslo.dat" fullword nocase wide condition: any of ($s*) and pe.exports("Crash") }
[TLP:WHITE] win_industroyer_w3 (20170615 \| IEC-104 Interaction Module Program Strings) rule win_industroyer_w3 { meta: description = "IEC-104 Interaction Module Program Strings" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii $s2 = " MSTR ->> SLV" nocase wide ascii $s3 = " MSTR <<- SLV" nocase wide ascii $s4 = "Unknown APDU format !!!" nocase wide ascii $s5 = "iec104.log" nocase wide ascii condition: any of ($s*) }
[TLP:WHITE] win_industroyer_w4 (20170615 \| CRASHOVERRIDE v1 Config File Parsing) rule win_industroyer_w4 { meta: description = "CRASHOVERRIDE v1 Config File Parsing" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 } $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 } $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? } $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? } condition: all of them }
[TLP:WHITE] win_industroyer_w5 (20170615 \| Blank mutex creation assoicated with CRASHOVERRIDE) rule win_industroyer_w5 { meta: description = "Blank mutex creation assoicated with CRASHOVERRIDE" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 } $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00} condition: all of them }
[TLP:WHITE] win_industroyer_w6 (20170615 \| Identify service hollowing and persistence setting) rule win_industroyer_w6 { meta: description = "Identify service hollowing and persistence setting" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? } $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 } condition: all of them }
[TLP:WHITE] win_industroyer_w7 (20170615 \| Registry Wiper functionality assoicated with CRASHOVERRIDE) rule win_industroyer_w7 { meta: description = "Registry Wiper functionality assoicated with CRASHOVERRIDE" author = "Dragos Inc" reference = "https://dragos.com/blog/industroyer/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 } $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? } $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 } condition: all of them }
[TLP:WHITE] win_industroyer_w8 (20170615 \| File manipulation actions associated with CRASHOVERRIDE wiper) rule win_industroyer_w8 { meta: description = "File manipulation actions associated with CRASHOVERRIDE wiper" author = "Dragos Inc" reference = "https://dragos.com/blog/crashoverride/" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" malpedia_version = "20170615" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 } $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 } condition: all of them }

Industroyer Propose Change

References

Yara Rules

Industroyer