win.industroyer

Industroyer

aka: Crash, CrashOverride

Actor(s): ELECTRUM


Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut power to a fifth of Kiev, the capital, for one hour. It is the first known malware specifically designed to attack electrical grids.

References
2022-07-26MandiantThibault van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith Lunden
@online{berlaere:20220726:mandiant:c1c4498, author = {Thibault van Geluwe de Berlaere and Jay Christiansen and Daniel Kapellmann Zafra and Ken Proska and Keith Lunden}, title = {{Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers}}, date = {2022-07-26}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics}, language = {English}, urldate = {2023-01-19} } Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-12Cert-UACert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12ESET ResearchESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-02-24nvisoMichel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-24TesorionTESORION
@techreport{tesorion:20220224:report:e2f2082, author = {TESORION}, title = {{Report OSINT: Russia/ Ukraine Conflict Cyberaspect}}, date = {2022-02-24}, institution = {Tesorion}, url = {https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf}, language = {English}, urldate = {2022-03-01} } Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2021-02-11DomainToolsJoe Slowik
@online{slowik:20210211:visibility:5d2f96e, author = {Joe Slowik}, title = {{Visibility, Monitoring, and Critical Infrastructure Security}}, date = {2021-02-11}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security}, language = {English}, urldate = {2021-02-20} } Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-11-12DragosDragos
@techreport{dragos:20201112:cyber:cf5b4fd, author = {Dragos}, title = {{Cyber Threat Perspective MANUFACTURING SECTOR}}, date = {2020-11-12}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf}, language = {English}, urldate = {2020-11-18} } Cyber Threat Perspective MANUFACTURING SECTOR
Industroyer Snake
2020-10-19Riskint BlogCurtis
@online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-10-19UK GovernmentForeignCommonwealth & Development Office, Dominic Raab
@online{office:20201019:uk:7ead390, author = {ForeignCommonwealth & Development Office and Dominic Raab}, title = {{UK exposes series of Russian cyber attacks against Olympic and Paralympic Games}}, date = {2020-10-19}, organization = {UK Government}, url = {https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games}, language = {English}, urldate = {2020-10-23} } UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2020-01DragosJoe Slowik
@techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2018-10-11ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer
2017-10-05Virus BulletinAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} } Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
2017-07-04WikipediaVarious
@online{various:20170704:industroyer:54eba4d, author = {Various}, title = {{Industroyer}}, date = {2017-07-04}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Industroyer}, language = {English}, urldate = {2020-01-08} } Industroyer
Industroyer
2017-06-13DragosDragos
@techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} } CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations
Industroyer Sandworm
2017-06-12ESET ResearchAnton Cherepanov
@techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} } WIN32/INDUSTROYER: A new threat for industrial control systems
Industroyer Sandworm
2017-06-12ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} } Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
Yara Rules
[TLP:WHITE] win_industroyer_auto (20230715 | Detects win.industroyer.)
rule win_industroyer_auto {
    // Autogenerated code-sequence signature for win.industroyer (see the
    // yara-signator disclaimer below). Every $sequence_N is a YARA hex string
    // made of x86 instruction bytes; `??` bytes are wildcards and sit where the
    // instruction carries a 32-bit absolute address or relocation-dependent
    // immediate (e.g. `ff15 ????????` = call dword ptr [imm32] through the
    // import table), presumably masked so the rule does not depend on the
    // load address of the reference sample.
    // In the per-sequence annotations, `n` is the number of instructions in
    // the sequence (matches the listed disassembly); `score` is emitted by the
    // generator — higher appears to mean the sequence occurred in more of the
    // reference samples, but confirm against the yara-signator documentation
    // before treating it as a confidence value.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.industroyer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d85f8feffff 50 56 ff15???????? 8b45fc 85c0 }
            // n = 6, score = 600
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   85c0                 | test                eax, eax

        // Plain frame setup with a 0xa7c-byte local area: compiler-generic
        // prologue, so on its own it carries little family-specific weight.
        $sequence_1 = { 55 8bec 81ec7c0a0000 56 57 6a44 5e }
            // n = 7, score = 600
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec7c0a0000         | sub                 esp, 0xa7c
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a44                 | push                0x44
            //   5e                   | pop                 esi

        $sequence_2 = { 68???????? 8d85f8fdffff 50 ff15???????? 57 6a02 6a04 }
            // n = 7, score = 600
            //   68????????           |                     
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   57                   | push                edi
            //   6a02                 | push                2
            //   6a04                 | push                4

        $sequence_3 = { 8d45fc 50 ff7310 ff15???????? 8bf8 8d85a0fdffff }
            // n = 6, score = 600
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff7310               | push                dword ptr [ebx + 0x10]
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   8d85a0fdffff         | lea                 eax, [ebp - 0x260]

        $sequence_4 = { 57 ffd6 8d45fc 50 ff75f0 }
            // n = 5, score = 600
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_5 = { 731e 8b7dfc 33c0 50 50 50 }
            // n = 6, score = 600
            //   731e                 | jae                 0x20
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_6 = { 68???????? ff15???????? ff7610 8d8584f5ffff }
            // n = 4, score = 600
            //   68????????           |                     
            //   ff15????????         |                     
            //   ff7610               | push                dword ptr [esi + 0x10]
            //   8d8584f5ffff         | lea                 eax, [ebp - 0xa7c]

        $sequence_7 = { 8d45fc 50 6a04 8d45f0 50 57 ffd6 }
            // n = 7, score = 600
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   6a04                 | push                4
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ffd6                 | call                esi

        $sequence_8 = { 8d442448 50 ffd6 85c0 7431 ff35???????? 8d442448 }
            // n = 7, score = 400
            //   8d442448             | lea                 eax, [esp + 0x48]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7431                 | je                  0x33
            //   ff35????????         |                     
            //   8d442448             | lea                 eax, [esp + 0x48]

        $sequence_9 = { 0f85bb000000 6800020000 8d85a0fbffff 50 56 ffb59cf3ffff }
            // n = 6, score = 400
            //   0f85bb000000         | jne                 0xc1
            //   6800020000           | push                0x200
            //   8d85a0fbffff         | lea                 eax, [ebp - 0x460]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ffb59cf3ffff         | push                dword ptr [ebp - 0xc64]

        // Looks like the MSVC /GS stack-cookie prologue (load the cookie from
        // a masked global, xor with esp, store into the frame) — a compiler
        // artefact rather than family logic; treat as a weak discriminator.
        // $sequence_21 below has the same shape.
        $sequence_10 = { 83e4f8 81ec6c040000 a1???????? 33c4 89842468040000 53 8b1d???????? }
            // n = 7, score = 400
            //   83e4f8               | and                 esp, 0xfffffff8
            //   81ec6c040000         | sub                 esp, 0x46c
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   89842468040000       | mov                 dword ptr [esp + 0x468], eax
            //   53                   | push                ebx
            //   8b1d????????         |                     

        $sequence_11 = { 68???????? 8bf9 89542418 57 50 ffd3 8d442418 }
            // n = 7, score = 400
            //   68????????           |                     
            //   8bf9                 | mov                 edi, ecx
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   57                   | push                edi
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   8d442418             | lea                 eax, [esp + 0x18]

        $sequence_12 = { ff15???????? 85c0 7595 ff742410 ff15???????? ff742414 8d84246c020000 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7595                 | jne                 0xffffff97
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   ff15????????         |                     
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   8d84246c020000       | lea                 eax, [esp + 0x26c]

        $sequence_13 = { 751b 6a02 68???????? 6a02 50 }
            // n = 5, score = 400
            //   751b                 | jne                 0x1d
            //   6a02                 | push                2
            //   68????????           |                     
            //   6a02                 | push                2
            //   50                   | push                eax

        $sequence_14 = { 8945fc 0f1005???????? a1???????? 56 0f1145a0 }
            // n = 5, score = 400
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   0f1005????????       |                     
            //   a1????????           |                     
            //   56                   | push                esi
            //   0f1145a0             | movups              xmmword ptr [ebp - 0x60], xmm0

        $sequence_15 = { ff15???????? 8b3d???????? 85c0 0f858c000000 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   85c0                 | test                eax, eax
            //   0f858c000000         | jne                 0x92

        // NOTE(review): the displacement 0x10019b00 is an unmasked absolute
        // address (in the range of the usual 0x10000000 DLL image base), so
        // this sequence only matches a build/load at that exact base.
        $sequence_16 = { 83e10f eb02 33c9 8b450c 0fb684c8009b0110 c1e804 }
            // n = 6, score = 200
            //   83e10f               | and                 ecx, 0xf
            //   eb02                 | jmp                 4
            //   33c9                 | xor                 ecx, ecx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0fb684c8009b0110     | movzx               eax, byte ptr [eax + ecx*8 + 0x10019b00]
            //   c1e804               | shr                 eax, 4

        $sequence_17 = { 884605 0fb64208 884606 8b4208 c1f808 884607 }
            // n = 6, score = 200
            //   884605               | mov                 byte ptr [esi + 5], al
            //   0fb64208             | movzx               eax, byte ptr [edx + 8]
            //   884606               | mov                 byte ptr [esi + 6], al
            //   8b4208               | mov                 eax, dword ptr [edx + 8]
            //   c1f808               | sar                 eax, 8
            //   884607               | mov                 byte ptr [esi + 7], al

        $sequence_18 = { 1bc0 83c801 85c0 c6857dfcfeff01 0f9485abfcfeff b9???????? 8bc6 }
            // n = 7, score = 200
            //   1bc0                 | sbb                 eax, eax
            //   83c801               | or                  eax, 1
            //   85c0                 | test                eax, eax
            //   c6857dfcfeff01       | mov                 byte ptr [ebp - 0x10383], 1
            //   0f9485abfcfeff       | sete                byte ptr [ebp - 0x10355]
            //   b9????????           |                     
            //   8bc6                 | mov                 eax, esi

        // NOTE(review): the immediates 0x40ffe8 / 0x40fff0 here (and 0x40ffd8
        // in $sequence_20, 0x40ee24 in $sequence_23) are unmasked addresses
        // near the usual 0x400000 EXE image base; these sequences are tied to
        // the exact build they were extracted from.
        $sequence_19 = { 0f8580000000 8b4508 dd00 ebc6 c745e0e8ff4000 e9???????? c745e0f0ff4000 }
            // n = 7, score = 200
            //   0f8580000000         | jne                 0x86
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   dd00                 | fld                 qword ptr [eax]
            //   ebc6                 | jmp                 0xffffffc8
            //   c745e0e8ff4000       | mov                 dword ptr [ebp - 0x20], 0x40ffe8
            //   e9????????           |                     
            //   c745e0f0ff4000       | mov                 dword ptr [ebp - 0x20], 0x40fff0

        $sequence_20 = { 0f859b010000 c745e0d8ff4000 8b4508 8bcf 8b7510 c745dc01000000 dd00 }
            // n = 7, score = 200
            //   0f859b010000         | jne                 0x1a1
            //   c745e0d8ff4000       | mov                 dword ptr [ebp - 0x20], 0x40ffd8
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bcf                 | mov                 ecx, edi
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   c745dc01000000       | mov                 dword ptr [ebp - 0x24], 1
            //   dd00                 | fld                 qword ptr [eax]

        // Same stack-cookie prologue shape as $sequence_10 (compiler artefact).
        $sequence_21 = { 83ec48 a1???????? 33c4 89442444 56 57 68???????? }
            // n = 7, score = 200
            //   83ec48               | sub                 esp, 0x48
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   89442444             | mov                 dword ptr [esp + 0x44], eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   68????????           |                     

        $sequence_22 = { 8d4ee8 e8???????? 81c678020100 8d86a4fdffff 3bc7 }
            // n = 5, score = 200
            //   8d4ee8               | lea                 ecx, [esi - 0x18]
            //   e8????????           |                     
            //   81c678020100         | add                 esi, 0x10278
            //   8d86a4fdffff         | lea                 eax, [esi - 0x25c]
            //   3bc7                 | cmp                 eax, edi

        $sequence_23 = { eb07 8b04cd24ee4000 5f 5e 5b }
            // n = 5, score = 200
            //   eb07                 | jmp                 9
            //   8b04cd24ee4000       | mov                 eax, dword ptr [ecx*8 + 0x40ee24]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_24 = { 83c404 ff742414 ff15???????? 57 ff15???????? }
            // n = 5, score = 200
            //   83c404               | add                 esp, 4
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_25 = { 6a00 6a00 ffd7 8bf0 85f6 7464 68???????? }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ffd7                 | call                edi
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7464                 | je                  0x66
            //   68????????           |                     

        $sequence_26 = { 75f2 8d8f33010000 baff000000 0f1f8000000000 8a0431 8d4901 8841ff }
            // n = 7, score = 200
            //   75f2                 | jne                 0xfffffff4
            //   8d8f33010000         | lea                 ecx, [edi + 0x133]
            //   baff000000           | mov                 edx, 0xff
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   8a0431               | mov                 al, byte ptr [ecx + esi]
            //   8d4901               | lea                 ecx, [ecx + 1]
            //   8841ff               | mov                 byte ptr [ecx - 1], al

        $sequence_27 = { 85c0 7450 6aff 56 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   7450                 | je                  0x52
            //   6aff                 | push                -1
            //   56                   | push                esi

        $sequence_28 = { 8b442418 89442440 8d44243c 50 ff15???????? 50 }
            // n = 6, score = 200
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   8d44243c             | lea                 eax, [esp + 0x3c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_29 = { 85c0 7475 ff7004 68???????? e8???????? 8b4604 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   7475                 | je                  0x77
            //   ff7004               | push                dword ptr [eax + 4]
            //   68????????           |                     
            //   e8????????           |                     
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        // imul by a fixed constant followed by sar edx: looks like a
        // compiler-generated multiply-by-reciprocal division — confirm before
        // reading family meaning into the constants.
        $sequence_30 = { b8ad04c77e f7ee 57 c1fa0f b98efd0000 }
            // n = 5, score = 200
            //   b8ad04c77e           | mov                 eax, 0x7ec704ad
            //   f7ee                 | imul                esi
            //   57                   | push                edi
            //   c1fa0f               | sar                 edx, 0xf
            //   b98efd0000           | mov                 ecx, 0xfd8e

        $sequence_31 = { c7835c02000000000000 c7836002000000000000 c7836402000000000000 c7826802000000000000 c7826c02000000000000 c7827002000000000000 }
            // n = 6, score = 200
            //   c7835c02000000000000     | mov    dword ptr [ebx + 0x25c], 0
            //   c7836002000000000000     | mov    dword ptr [ebx + 0x260], 0
            //   c7836402000000000000     | mov    dword ptr [ebx + 0x264], 0
            //   c7826802000000000000     | mov    dword ptr [edx + 0x268], 0
            //   c7826c02000000000000     | mov    dword ptr [edx + 0x26c], 0
            //   c7827002000000000000     | mov    dword ptr [edx + 0x270], 0

        // lock cmpxchg: an atomic compare-and-swap fragment; generic
        // synchronisation code, weak as a discriminator on its own.
        $sequence_32 = { 8bc2 f00fb10b 3bc2 740a 8b13 }
            // n = 5, score = 100
            //   8bc2                 | mov                 eax, edx
            //   f00fb10b             | lock cmpxchg        dword ptr [ebx], ecx
            //   3bc2                 | cmp                 eax, edx
            //   740a                 | je                  0xc
            //   8b13                 | mov                 edx, dword ptr [ebx]

        $sequence_33 = { 8975f8 e8???????? 8b7d08 33c9 394f14 }
            // n = 5, score = 100
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   e8????????           |                     
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   33c9                 | xor                 ecx, ecx
            //   394f14               | cmp                 dword ptr [edi + 0x14], ecx

        $sequence_34 = { 6a01 6a01 ff5004 eb0d 8b11 8d410c }
            // n = 6, score = 100
            //   6a01                 | push                1
            //   6a01                 | push                1
            //   ff5004               | call                dword ptr [eax + 4]
            //   eb0d                 | jmp                 0xf
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8d410c               | lea                 eax, [ecx + 0xc]

        $sequence_35 = { 6a00 6a01 8d8d70ffffff e8???????? 47 eba6 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   8d8d70ffffff         | lea                 ecx, [ebp - 0x90]
            //   e8????????           |                     
            //   47                   | inc                 edi
            //   eba6                 | jmp                 0xffffffa8

        $sequence_36 = { 57 8d4d14 e8???????? 8b4d10 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   8d4d14               | lea                 ecx, [ebp + 0x14]
            //   e8????????           |                     
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]

        $sequence_37 = { 8b4df8 c702???????? 894218 897a1c }
            // n = 4, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   c702????????         |                     
            //   894218               | mov                 dword ptr [edx + 0x18], eax
            //   897a1c               | mov                 dword ptr [edx + 0x1c], edi

        $sequence_38 = { 83ec0c 56 6a14 e8???????? 8b4d08 }
            // n = 5, score = 100
            //   83ec0c               | sub                 esp, 0xc
            //   56                   | push                esi
            //   6a14                 | push                0x14
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        // xchg-on-memory followed by return: a tiny atomic-exchange helper,
        // likely library/runtime code rather than family-specific logic.
        $sequence_39 = { 8b450c 8701 5d c3 }
            // n = 4, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8701                 | xchg                dword ptr [ecx], eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

    condition:
        // At least 7 of the 40 sequences must co-occur (no single sequence is
        // sufficient), which keeps the generic prologue/runtime fragments
        // noted above from firing on their own. The filesize cap
        // (983040 = 0xF0000 bytes) is generator-chosen — presumably sized
        // from the reference samples — so files above it are never matched;
        // confirm before raising it for larger repacked builds.
        7 of them and filesize < 983040
}
[TLP:WHITE] win_industroyer_w0   (20170615 | CRASHOVERRIDE v1 Suspicious Export)
import "pe"

// Dragos CRASHOVERRIDE export-name rule. The only signal is a PE export named
// "Crash"; the same naming convention appears in the module file names that the
// companion rule win_industroyer_w2 looks for (Crash101.dll, Crash104.dll, ...).
rule win_industroyer_w0 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    condition:
        // NOTE(review): `&` is YARA's bitwise AND, not the logical `and`. As written
        // the rule is true only when the export exists AND bit 0 of pe.characteristics
        // (IMAGE_FILE_RELOCS_STRIPPED, 0x0001) is set, which is probably narrower than
        // intended; with `and` it would reduce to the export check alone, since
        // pe.characteristics is non-zero for any PE. Kept as published -- confirm
        // against known samples before changing the operator.
        pe.exports("Crash") & pe.characteristics
}
[TLP:WHITE] win_industroyer_w1   (20170615 | CRASHOVERRIDE v1 Wiper)
import "pe"

// Dragos CRASHOVERRIDE wiper rule: the "Crash" export gates the match, and at
// least one of the file-name / extension tokens below must also be present.
// All strings carry `wide` without `ascii`, so only UTF-16LE occurrences count;
// an ANSI build of the same component would not match.
rule win_industroyer_w1 {
    meta:
        description = "CRASHOVERRIDE v1 Wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Distinctive, unusual token; the strongest of the five on its own.
        $s0 = "SYS_BASCON.COM" fullword nocase wide
        // Extension-like tokens, presumably the file types the wiper targets (not
        // verifiable from the rule alone). They are short, so `fullword` plus the
        // export gate in the condition is what keeps the false-positive rate down.
        $s1 = ".pcmp" fullword nocase wide
        $s2 = ".pcmi" fullword nocase wide
        $s3 = ".pcmt" fullword nocase wide
        $s4 = ".cin" fullword nocase wide
        
    condition:
        // Export check first; the string clause then needs only one hit.
        pe.exports("Crash") and any of ($s*)
}
[TLP:WHITE] win_industroyer_w2   (20170615 | CRASHOVERRIDE v1 Suspicious Strings and Export)
import "pe"

// Dragos CRASHOVERRIDE component-name rule: module/payload file names as they
// appear inside the framework, gated on the "Crash" export. As in the sibling
// rules, strings are `wide` only (UTF-16LE); ASCII occurrences are not matched.
rule win_industroyer_w2 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Each protocol module is listed twice: bare name and "Crash"-prefixed name.
        $s0 = "101.dll" fullword nocase wide
        $s1 = "Crash101.dll" fullword nocase wide
        $s2 = "104.dll" fullword nocase wide
        $s3 = "Crash104.dll" fullword nocase wide
        $s4 = "61850.dll" fullword nocase wide
        $s5 = "Crash61850.dll" fullword nocase wide
        $s6 = "OPCClientDemo.dll" fullword nocase wide
        // Three characters only -- would be a frequent false positive on its own;
        // acceptable here solely because the condition also requires the export.
        $s7 = "OPC" fullword nocase wide
        $s8 = "CrashOPCClientDemo.dll" fullword nocase wide
        $s9 = "D2MultiCommService.exe" fullword nocase wide
        $s10 = "CrashD2MultiCommService.exe" fullword nocase wide
        $s11 = "61850.exe" fullword nocase wide
        $s12 = "OPC.exe" fullword nocase wide
        $s13 = "haslo.exe" fullword nocase wide
        $s14 = "haslo.dat" fullword nocase wide     
    condition:
        // One string hit plus the export; the export is the real gate.
        any of ($s*) and pe.exports("Crash")
}
[TLP:WHITE] win_industroyer_w3   (20170615 | IEC-104 Interaction Module Program Strings)
// Dragos rule for the IEC-104 interaction module. Unlike the w0-w2 rules there
// is no `pe` import and no export gate: a single string hit is enough, so treat
// matches as triage leads rather than confirmed detections. Because $s2, $s3
// and $s5 are not format strings, the rule can also fire on files that merely
// contain the module's log output, not only on the module binary itself.
rule win_industroyer_w3 { 
    meta:
        description = "IEC-104 Interaction Module Program Strings"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:      
        // printf-style format string (%s/%u) -- matches the binary, not its output.
        $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii 
        // Direction markers written by the module's logging (master <-> slave).
        $s2 = " MSTR ->> SLV" nocase wide ascii 
        $s3 = " MSTR <<- SLV" nocase wide ascii 
        $s4 = "Unknown APDU format !!!" nocase wide ascii 
        // Log file name; generic enough that legitimate IEC-104 tooling could
        // plausibly use it -- corroborate a lone $s5 hit with another string.
        $s5 = "iec104.log" nocase wide ascii 
    condition:      
        any of ($s*)
}
[TLP:WHITE] win_industroyer_w4   (20170615 | CRASHOVERRIDE v1 Config File Parsing)
// Dragos rule: four x86 code fragments from the configuration-file parsing
// routine. $s1 and $s2 are common compiler idioms (an inlined string-compare
// loop and the -1/+1 result normalisation), so on their own they match a large
// share of MSVC-built binaries; the selectivity comes from $s0/$s3 and from
// requiring all four.
rule win_industroyer_w4 {
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // push imm32; push 0; call rel32; mov edi,eax; add esp,0x?8
        // (`?8` is a nibble wildcard: the low nibble is fixed, the high one free).
        $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
        // mov dl,[eax]; cmp dl,[ecx]; jne ..; test dl,dl; je +0x12 -- generic
        // inlined strcmp loop, present in many unrelated binaries.
        $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
        // xor eax,eax; jmp ..; sbb eax,eax; or eax,imm8 -- generic compare-result idiom.
        $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
        // test eax,eax; jne ..; lea edx,[ebp+disp32]; mov ecx,edi; ?? ??
        $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w5   (20170615 | Blank mutex creation associated with CRASHOVERRIDE)
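// Dragos rule: two x86 code fragments from the mutex-creation routine. Both
// patterns hard-code the upper bytes of absolute addresses (`40 00` -> 0x0040xxxx),
// so they assume a 32-bit build at the default image base; a rebased or
// relocated build of the same code would not match.
rule win_industroyer_w5 {
    meta:
        // Typo in the published description ("assoicated") corrected.
        description = "Blank mutex creation associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // sub esp,0x208; push edi; xor edi,edi; push edi x3; call [0x0040????];
        // mov [0x00??????],eax; test eax,eax -- three NULL arguments to an imported
        // call whose returned handle is stored in a global and tested; consistent
        // with the unnamed ("blank") mutex in the description, but confirm on a sample.
        $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }
        // lea eax,[ebp-..]; push eax; push edi; push edi; push 0x2e; push edi;
        // call [..]; push 0x0040???? -- the meaning of the 0x2e immediate is not
        // evident from the bytes alone.
        $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}
    condition:
        // Both fragments required: low false-positive risk, brittle to recompilation.
        all of them
}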
[TLP:WHITE] win_industroyer_w6   (20170615 | Identify service hollowing and persistence setting)
// Dragos rule for the service-hollowing / persistence code. $s1 hard-codes the
// low byte of two adjacent IAT slots (0x20, 0x24) and the 0x0040xxxx address
// range, so the rule is bound to one build's import table layout and image base.
rule win_industroyer_w6 {
    meta:
        description = "Identify service hollowing and persistence setting"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // xor ecx,ecx; push ecx x6 -- six zero arguments being set up. The three
        // trailing wildcards add no selectivity, so the effective signature is the
        // 8 fixed bytes, which is a fairly common call-setup shape.
        $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }
        // push -1 x3; push eax; call [0x0040??24]; ff ?? ??; call [0x0040??20] --
        // repeated 0xFFFFFFFF arguments are consistent with "no change" style
        // service-configuration parameters, but that is an inference; verify.
        $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w7   (20170615 | Registry Wiper functionality associated with CRASHOVERRIDE)
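// Dragos rule for the registry-wiping routine: three x86 fragments that share
// fixed stack-frame offsets (0xa0, 0x98, 0x9c) and fixed low bytes of IAT slots
// (0x04, 0x00). Those constants are build-specific, so expect the rule to miss
// recompiled variants rather than to false-positive.
rule win_industroyer_w7 {
    meta:
        // Typo in the published description ("assoicated") corrected.
        description = "Registry Wiper functionality associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        // NOTE(review): every sibling rule references .../blog/crashoverride/; this
        // URL differs and may be a transcription slip -- verify before relying on it.
        reference = "https://dragos.com/blog/industroyer/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // lea eax,[ebp+..a0]; inc esi; push eax; lea eax,[ebp+..a0]; push imm32; push eax
        $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }
        // push 2; push imm32; push 2; push eax; push imm32; push [ebp+..98]; call [..04]
        $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }
        // push 0x200; lea eax,[ebp+..a0]; push eax; push esi; push [ebp+..9c];
        // call [..00]; test eax,eax -- a 0x200-byte buffer handed to an imported call.
        $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }
    condition:
        all of them
}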
[TLP:WHITE] win_industroyer_w8   (20170615 | File manipulation actions associated with CRASHOVERRIDE wiper)
// Dragos rule for the wiper's file-handling code: two call-setup fragments that
// must both be present. String identifiers jump from $s0 to $s2 (no $s1); the gap
// is harmless under `all of them` and is kept for fidelity with the published rule.
rule win_industroyer_w8 {
    meta:
        description = "File manipulation actions associated with CRASHOVERRIDE wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // push 0; push 0x80; push 3; push 0; push 2; mov edi,ecx; push 0x40000000;
        // push edi; call [..1c]; mov ebx,eax -- the immediates are consistent with a
        // file-open call for writing on an existing file, with the handle kept in ebx;
        // treat the API identification as an inference to confirm on a sample.
        $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }
        // push 0; push eax; push edi; push esi; push ebx; call [..4c]; push esi --
        // five arguments, the last pushed being ebx (the handle from $s0 if the two
        // fragments belong to the same routine).
        $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }
    condition:
        all of them
}