win.industroyer

Industroyer

aka: Crash, CrashOverride

Actor(s): ELECTRUM


Industroyer is a malware framework believed to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut power to a fifth of Kiev, the capital, for one hour. It is the first known malware specifically designed to attack electrical grids.

References
2022-04-20 | CISA | CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {{CISA} and {NSA} and {FBI} and {Australian Cyber Security Centre (ACSC)} and {Canadian Centre for Cyber Security (CCCS)} and {Government Communications Security Bureau} and {NCSC UK} and {National Crime Agency (NCA)}}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20 | CISA | CISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-12 | Cert-UA | Cert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA \# 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12 | ESET Research | ESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-02-24 | nviso | Michel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine \& Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-24 | Tesorion | TESORION
@techreport{tesorion:20220224:report:e2f2082, author = {TESORION}, title = {{Report OSINT: Russia/ Ukraine Conflict Cyberaspect}}, date = {2022-02-24}, institution = {Tesorion}, url = {https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf}, language = {English}, urldate = {2022-03-01} } Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2021-02-11 | DomainTools | Joe Slowik
@online{slowik:20210211:visibility:5d2f96e, author = {Joe Slowik}, title = {{Visibility, Monitoring, and Critical Infrastructure Security}}, date = {2021-02-11}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security}, language = {English}, urldate = {2021-02-20} } Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton
2020-12-21 | IronNet | Adam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-11-12 | Dragos | Dragos
@techreport{dragos:20201112:cyber:cf5b4fd, author = {Dragos}, title = {{Cyber Threat Perspective MANUFACTURING SECTOR}}, date = {2020-11-12}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf}, language = {English}, urldate = {2020-11-18} } Cyber Threat Perspective MANUFACTURING SECTOR
Industroyer Snake
2020-10-19 | Riskint Blog | Curtis
@online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-10-19 | UK Government | Foreign, Commonwealth & Development Office, Dominic Raab
@online{office:20201019:uk:7ead390, author = {{Foreign, Commonwealth \& Development Office} and Dominic Raab}, title = {{UK exposes series of Russian cyber attacks against Olympic and Paralympic Games}}, date = {2020-10-19}, organization = {UK Government}, url = {https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games}, language = {English}, urldate = {2020-10-23} } UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-01-31 | Virus Bulletin | Michal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2020-01 | Dragos | Joe Slowik
@techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2018-10-11 | ESET Research | Anton Cherepanov, Robert Lipovsky
@online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer
2017-10-05 | Virus Bulletin | Anton Cherepanov, Robert Lipovsky
@online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} } Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
2017-07-04 | Wikipedia | Various
@online{various:20170704:industroyer:54eba4d, author = {Various}, title = {{Industroyer}}, date = {2017-07-04}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Industroyer}, language = {English}, urldate = {2020-01-08} } Industroyer
Industroyer
2017-06-13 | Dragos | Dragos
@techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} } CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations
Industroyer Sandworm
2017-06-12 | ESET Research | Anton Cherepanov
@techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} } WIN32/INDUSTROYER: A new threat for industrial control systems
Industroyer Sandworm
2017-06-12 | ESET Research | Anton Cherepanov, Robert Lipovsky
@online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} } Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
Yara Rules
[TLP:WHITE] win_industroyer_auto (20221125 | Detects win.industroyer.)
/*
 * win_industroyer_auto -- auto-generated (YARA-Signator) rule for the
 * Industroyer / CrashOverride family.  Each $sequence_N string is a short run
 * of x86 opcode bytes taken from disassembled samples; the "n" / "score"
 * comments and the per-instruction disassembly beside each pattern come from
 * the generator ("n" is the number of instructions in the sequence).  Bytes
 * written as "??" are wildcards for operands that differ between builds
 * (call/jmp targets and absolute data references, matching signator_config),
 * which is why the disassembly column is blank for those instructions.
 */
rule win_industroyer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.industroyer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d45f4 59 6a00 6880000000 6a02 }
            // n = 5, score = 600
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   59                   | pop                 ecx
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a02                 | push                2

        $sequence_1 = { 6a1c ff7608 57 ff15???????? 8945f4 }
            // n = 5, score = 600
            //   6a1c                 | push                0x1c
            //   ff7608               | push                dword ptr [esi + 8]
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_2 = { 6a04 8d4508 50 ff35???????? ffd6 53 8d45fc }
            // n = 7, score = 600
            //   6a04                 | push                4
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   ff35????????         |                     
            //   ffd6                 | call                esi
            //   53                   | push                ebx
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_3 = { 50 6a02 56 e8???????? ff7710 6a03 }
            // n = 6, score = 600
            //   50                   | push                eax
            //   6a02                 | push                2
            //   56                   | push                esi
            //   e8????????           |                     
            //   ff7710               | push                dword ptr [edi + 0x10]
            //   6a03                 | push                3

        $sequence_4 = { 43 53 56 e8???????? 6a00 }
            // n = 5, score = 600
            //   43                   | inc                 ebx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_5 = { 897dfc 8d45fc 897d08 50 57 6a03 ff7604 }
            // n = 7, score = 600
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   897d08               | mov                 dword ptr [ebp + 8], edi
            //   50                   | push                eax
            //   57                   | push                edi
            //   6a03                 | push                3
            //   ff7604               | push                dword ptr [esi + 4]

        $sequence_6 = { 5e 8d45ac 56 50 e8???????? }
            // n = 5, score = 600
            //   5e                   | pop                 esi
            //   8d45ac               | lea                 eax, [ebp - 0x54]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 57 8d45f0 897df4 50 8d45fc }
            // n = 5, score = 600
            //   57                   | push                edi
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_8 = { 6a01 ff15???????? 8bf0 6a01 }
            // n = 4, score = 400
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   6a01                 | push                1

        $sequence_9 = { 8b06 ffd0 56 e8???????? 83c408 }
            // n = 5, score = 400
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   ffd0                 | call                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_10 = { 33c5 8945fc 53 8d85f8efffff 8ad9 }
            // n = 5, score = 400
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   53                   | push                ebx
            //   8d85f8efffff         | lea                 eax, [ebp - 0x1008]
            //   8ad9                 | mov                 bl, cl

        $sequence_11 = { ff15???????? 89849da0efffff 83c604 43 81fe88000000 7291 899d98efffff }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   89849da0efffff       | mov                 dword ptr [ebp + ebx*4 - 0x1060], eax
            //   83c604               | add                 esi, 4
            //   43                   | inc                 ebx
            //   81fe88000000         | cmp                 esi, 0x88
            //   7291                 | jb                  0xffffff93
            //   899d98efffff         | mov                 dword ptr [ebp - 0x1068], ebx

        $sequence_12 = { 751c 8d442444 50 57 8d842470020000 50 }
            // n = 6, score = 400
            //   751c                 | jne                 0x1e
            //   8d442444             | lea                 eax, [esp + 0x44]
            //   50                   | push                eax
            //   57                   | push                edi
            //   8d842470020000       | lea                 eax, [esp + 0x270]
            //   50                   | push                eax

        $sequence_13 = { 50 ff15???????? 85c0 742c 83c604 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   742c                 | je                  0x2e
            //   83c604               | add                 esi, 4

        $sequence_14 = { 6aff 6a01 8d85a0efffff 50 }
            // n = 4, score = 400
            //   6aff                 | push                -1
            //   6a01                 | push                1
            //   8d85a0efffff         | lea                 eax, [ebp - 0x1060]
            //   50                   | push                eax

        $sequence_15 = { 8bd8 c745fc00000000 83fbff 7548 57 ff15???????? 8d344502000000 }
            // n = 7, score = 400
            //   8bd8                 | mov                 ebx, eax
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   83fbff               | cmp                 ebx, -1
            //   7548                 | jne                 0x4a
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8d344502000000       | lea                 esi, [eax*2 + 2]

        $sequence_16 = { f7e9 c1fa0f 8bc2 c1e81f 03c2 3d8efd0000 7753 }
            // n = 7, score = 200
            //   f7e9                 | imul                ecx
            //   c1fa0f               | sar                 edx, 0xf
            //   8bc2                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f
            //   03c2                 | add                 eax, edx
            //   3d8efd0000           | cmp                 eax, 0xfd8e
            //   7753                 | ja                  0x55

        $sequence_17 = { ff15???????? ffd7 59 e9???????? c745dc03000000 eb7c c745e0e0ff4000 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   ffd7                 | call                edi
            //   59                   | pop                 ecx
            //   e9????????           |                     
            //   c745dc03000000       | mov                 dword ptr [ebp - 0x24], 3
            //   eb7c                 | jmp                 0x7e
            //   c745e0e0ff4000       | mov                 dword ptr [ebp - 0x20], 0x40ffe0

        $sequence_18 = { 6a01 50 8984bd34ffffff ff15???????? }
            // n = 4, score = 200
            //   6a01                 | push                1
            //   50                   | push                eax
            //   8984bd34ffffff       | mov                 dword ptr [ebp + edi*4 - 0xcc], eax
            //   ff15????????         |                     

        $sequence_19 = { e8???????? 8b35???????? 83c404 0f1f440000 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8b35????????         |                     
            //   83c404               | add                 esp, 4
            //   0f1f440000           | nop                 dword ptr [eax + eax]

        $sequence_20 = { 83c40c 8d85f4feffff 8bce 50 e8???????? 6a00 8bf0 }
            // n = 7, score = 200
            //   83c40c               | add                 esp, 0xc
            //   8d85f4feffff         | lea                 eax, [ebp - 0x10c]
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8bf0                 | mov                 esi, eax

        $sequence_21 = { 3bfb 7427 56 8b7508 85f6 7408 57 }
            // n = 7, score = 200
            //   3bfb                 | cmp                 edi, ebx
            //   7427                 | je                  0x29
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   85f6                 | test                esi, esi
            //   7408                 | je                  0xa
            //   57                   | push                edi

        $sequence_22 = { 0f57c0 0f29442420 668944242e 8d442418 50 8d442424 c7442424e0070c00 }
            // n = 7, score = 200
            //   0f57c0               | xorps               xmm0, xmm0
            //   0f29442420           | movaps              xmmword ptr [esp + 0x20], xmm0
            //   668944242e           | mov                 word ptr [esp + 0x2e], ax
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax
            //   8d442424             | lea                 eax, [esp + 0x24]
            //   c7442424e0070c00     | mov                 dword ptr [esp + 0x24], 0xc07e0

        $sequence_23 = { 56 8b7508 0fb602 8806 0fb64201 884601 0fb64202 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   8806                 | mov                 byte ptr [esi], al
            //   0fb64201             | movzx               eax, byte ptr [edx + 1]
            //   884601               | mov                 byte ptr [esi + 1], al
            //   0fb64202             | movzx               eax, byte ptr [edx + 2]

        $sequence_24 = { ff15???????? 6a02 ff15???????? 50 ffd6 ff770c }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   ff770c               | push                dword ptr [edi + 0xc]

        $sequence_25 = { 85f6 7468 6a01 6a00 6a00 6a00 }
            // n = 6, score = 200
            //   85f6                 | test                esi, esi
            //   7468                 | je                  0x6a
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_26 = { 5d c3 8b04c574cb4000 5d c3 8bff 55 }
            // n = 7, score = 200
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b04c574cb4000       | mov                 eax, dword ptr [eax*8 + 0x40cb74]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp

        $sequence_27 = { baff000000 0f1f8000000000 8a0431 8d4901 }
            // n = 4, score = 200
            //   baff000000           | mov                 edx, 0xff
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   8a0431               | mov                 al, byte ptr [ecx + esi]
            //   8d4901               | lea                 ecx, [ecx + 1]

        $sequence_28 = { 55 8bec 8b4d08 33c0 3b0cc570cb4000 }
            // n = 5, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   33c0                 | xor                 eax, eax
            //   3b0cc570cb4000       | cmp                 ecx, dword ptr [eax*8 + 0x40cb70]

        $sequence_29 = { 660f28a030044100 660f28b820004100 660f54f0 660f5cc6 660f59f4 }
            // n = 5, score = 200
            //   660f28a030044100     | movapd              xmm4, xmmword ptr [eax + 0x410430]
            //   660f28b820004100     | movapd              xmm7, xmmword ptr [eax + 0x410020]
            //   660f54f0             | andpd               xmm6, xmm0
            //   660f5cc6             | subpd               xmm0, xmm6
            //   660f59f4             | mulpd               xmm6, xmm4

        $sequence_30 = { 8bd9 8b7d14 6a08 e8???????? 83c404 }
            // n = 5, score = 200
            //   8bd9                 | mov                 ebx, ecx
            //   8b7d14               | mov                 edi, dword ptr [ebp + 0x14]
            //   6a08                 | push                8
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_31 = { e9???????? c745dc02000000 c745e0e4ff4000 8b4508 }
            // n = 4, score = 200
            //   e9????????           |                     
            //   c745dc02000000       | mov                 dword ptr [ebp - 0x24], 2
            //   c745e0e4ff4000       | mov                 dword ptr [ebp - 0x20], 0x40ffe4
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_32 = { 7e55 837db408 8d4da0 0f434da0 837dcc08 51 }
            // n = 6, score = 100
            //   7e55                 | jle                 0x57
            //   837db408             | cmp                 dword ptr [ebp - 0x4c], 8
            //   8d4da0               | lea                 ecx, [ebp - 0x60]
            //   0f434da0             | cmovae              ecx, dword ptr [ebp - 0x60]
            //   837dcc08             | cmp                 dword ptr [ebp - 0x34], 8
            //   51                   | push                ecx

        $sequence_33 = { 0f8eca030000 8b4778 85c0 7e0f 48 }
            // n = 5, score = 100
            //   0f8eca030000         | jle                 0x3d0
            //   8b4778               | mov                 eax, dword ptr [edi + 0x78]
            //   85c0                 | test                eax, eax
            //   7e0f                 | jle                 0x11
            //   48                   | dec                 eax

        $sequence_34 = { 8b0f 0fb7f0 e8???????? ff750c 8bc8 }
            // n = 5, score = 100
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   0fb7f0               | movzx               esi, ax
            //   e8????????           |                     
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8bc8                 | mov                 ecx, eax

        $sequence_35 = { 57 6a28 8bfa 8bf1 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   6a28                 | push                0x28
            //   8bfa                 | mov                 edi, edx
            //   8bf1                 | mov                 esi, ecx

        $sequence_36 = { 0f844c020000 e8???????? 85c0 0f843f020000 51 8d4c2414 }
            // n = 6, score = 100
            //   0f844c020000         | je                  0x252
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f843f020000         | je                  0x245
            //   51                   | push                ecx
            //   8d4c2414             | lea                 ecx, [esp + 0x14]

        $sequence_37 = { 384d10 58 0f45c8 c7420412000000 8b4508 }
            // n = 5, score = 100
            //   384d10               | cmp                 byte ptr [ebp + 0x10], cl
            //   58                   | pop                 eax
            //   0f45c8               | cmovne              ecx, eax
            //   c7420412000000       | mov                 dword ptr [edx + 4], 0x12
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_38 = { 53 885808 8b07 885809 }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   885808               | mov                 byte ptr [eax + 8], bl
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   885809               | mov                 byte ptr [eax + 9], bl

        $sequence_39 = { 0f57c0 c7842484000000b0ab4400 33db c784249c00000007000000 33c0 899c2498000000 57 }
            // n = 7, score = 100
            //   0f57c0               | xorps               xmm0, xmm0
            //   c7842484000000b0ab4400     | mov    dword ptr [esp + 0x84], 0x44abb0
            //   33db                 | xor                 ebx, ebx
            //   c784249c00000007000000     | mov    dword ptr [esp + 0x9c], 7
            //   33c0                 | xor                 eax, eax
            //   899c2498000000       | mov                 dword ptr [esp + 0x98], ebx
            //   57                   | push                edi

    // Match when at least 7 of the 40 opcode sequences above are present and the
    // scanned file is smaller than 983040 bytes (960 KiB).
    condition:
        7 of them and filesize < 983040
}
[TLP:WHITE] win_industroyer_w0   (20170615 | CRASHOVERRIDE v1 Suspicious Export)
import "pe"

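rule win_industroyer_w0 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    condition:
        // Flag any PE whose export table contains a function named "Crash" (the
        // same export the sibling rules w1 and w2 gate on).
        //
        // The original condition was `pe.exports("Crash") & pe.characteristics`.
        // In YARA `&` is a bitwise AND and pe.exports() yields 1/0, so that
        // expression was non-zero only when bit 0 of the COFF Characteristics
        // field (IMAGE_FILE_RELOCS_STRIPPED, pe.RELOCS_STRIPPED) happened to be
        // set -- a constraint unrelated to the "suspicious export" the description
        // promises, and one a DLL that keeps its relocations would fail. A logical
        // `and` against some characteristics flag was presumably intended, but the
        // intended flag cannot be recovered from the original, so only the export
        // check is kept.
        pe.exports("Crash")
}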
[TLP:WHITE] win_industroyer_w1   (20170615 | CRASHOVERRIDE v1 Wiper)
import "pe"

rule win_industroyer_w1 {
    meta:
        description = "CRASHOVERRIDE v1 Wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // File names / extensions the wiper component is expected to reference.
        // All five are matched as UTF-16LE only (`wide` without `ascii`), so an
        // ANSI copy of the same string would not hit; `fullword` keeps e.g.
        // ".cin" from matching inside a longer alphanumeric token.
        // NOTE(review): these look like substation-configuration project files
        // (SYS_BASCON.COM and the .pcm* family) -- confirm against the reference.
        $s0 = "SYS_BASCON.COM" wide nocase fullword
        $s1 = ".pcmp" wide nocase fullword
        $s2 = ".pcmi" wide nocase fullword
        $s3 = ".pcmt" wide nocase fullword
        $s4 = ".cin" wide nocase fullword
    condition:
        // Both halves are required: the "Crash" export that the sibling rules
        // also key on, plus at least one of the file-name strings above.
        pe.exports("Crash") and 1 of ($s*)
}
[TLP:WHITE] win_industroyer_w2   (20170615 | CRASHOVERRIDE v1 Suspicious Strings and Export)
import "pe"

rule win_industroyer_w2 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Module and component file names, most in a plain and a "Crash"-prefixed
        // form. Every string is UTF-16LE only (`wide`, no `ascii`), case-insensitive
        // and whole-word.
        // NOTE(review): 101 / 104 / 61850 / OPC read as industrial-protocol names
        // (IEC 60870-5-101/-104, IEC 61850, OPC) -- presumably the payload modules;
        // confirm against the reference.
        $s0 = "101.dll" wide nocase fullword
        $s1 = "Crash101.dll" wide nocase fullword
        $s2 = "104.dll" wide nocase fullword
        $s3 = "Crash104.dll" wide nocase fullword
        $s4 = "61850.dll" wide nocase fullword
        $s5 = "Crash61850.dll" wide nocase fullword
        $s6 = "OPCClientDemo.dll" wide nocase fullword
        // "OPC" alone is only three characters; it is tolerable here solely because
        // the condition also demands the "Crash" export.
        $s7 = "OPC" wide nocase fullword
        $s8 = "CrashOPCClientDemo.dll" wide nocase fullword
        $s9 = "D2MultiCommService.exe" wide nocase fullword
        $s10 = "CrashD2MultiCommService.exe" wide nocase fullword
        $s11 = "61850.exe" wide nocase fullword
        $s12 = "OPC.exe" wide nocase fullword
        $s13 = "haslo.exe" wide nocase fullword
        $s14 = "haslo.dat" wide nocase fullword
    condition:
        // Export gate first, then at least one of the names above.
        pe.exports("Crash") and 1 of ($s*)
}
[TLP:WHITE] win_industroyer_w3   (20170615 | IEC-104 Interaction Module Program Strings)
rule win_industroyer_w3 {
    meta:
        description = "IEC-104 Interaction Module Program Strings"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Log / format strings of the IEC-104 module. Matched in both ASCII and
        // UTF-16LE, case-insensitively, and NOT whole-word, so each can hit inside
        // a longer string. The rule has no PE or export gate (see condition), so any
        // single hit is enough -- keep that in mind when triaging hits on tooling
        // or documentation that quotes these messages.
        $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" ascii wide nocase
        $s2 = " MSTR ->> SLV" ascii wide nocase
        $s3 = " MSTR <<- SLV" ascii wide nocase
        // APDU is the IEC-104 frame unit; this is the module's parse-error message.
        $s4 = "Unknown APDU format !!!" ascii wide nocase
        $s5 = "iec104.log" ascii wide nocase
    condition:
        1 of them
}
[TLP:WHITE] win_industroyer_w4   (20170615 | CRASHOVERRIDE v1 Config File Parsing)
rule win_industroyer_w4 {
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Four short x86 code fragments. Each one on its own is a generic compiler
        // idiom, so the rule only fires when all four co-occur (see condition).
        //
        // push imm32 ; push 0 ; call rel32 ; mov edi, eax ; add esp, imm8
        // -> a two-argument cdecl call (second argument NULL) whose result lands in edi.
        $cfg0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
        // mov dl, [eax] ; cmp dl, [ecx] ; jne ; test dl, dl ; je
        // -> byte-by-byte string comparison loop.
        $cfg1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
        // xor eax, eax ; jmp ; sbb eax, eax ; or eax, imm8
        // -> the usual -1/0/1 result tail of such a comparison.
        $cfg2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
        // test eax, eax ; jne ; lea edx, [ebp+disp32] ; mov ecx, edi
        // The two trailing wildcards only require two further bytes to exist.
        $cfg3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
    condition:
        all of ($cfg*)
}
[TLP:WHITE] win_industroyer_w5   (20170615 | Blank mutex creation associated with CRASHOVERRIDE)
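rule win_industroyer_w5 {
    // Description typo in the original ("assoicated") corrected; meta values
    // have no effect on matching.
    meta:
        description = "Blank mutex creation associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // sub esp, 0x208 ; push edi ; xor edi, edi ; push edi x3 ;
        // call [0x0040????] ; mov [0x00??????], eax ; test eax, eax
        // -> a three-argument call with every argument zero, its return value
        // stored in a global and then tested. Consistent with the
        // CreateMutex(NULL, FALSE, NULL) the description refers to, though the
        // callee pointer itself is wildcarded -- confirm in the sample.
        $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }
        // lea eax, [ebp-…] ; push eax ; push edi x2 ; push 0x2e ; push edi ;
        // call [0x00??????] ; push 0x0040????
        // -> a five-argument call taking a local buffer and the constant 0x2e ('.').
        $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00 }
        // Both fragments hard-code the `40 00` high bytes, i.e. an image base of
        // 0x00400000. A build linked at another base, or a process image relocated
        // by ASLR when memory-scanning, would not match; treat these as on-disk patterns.
    condition:
        all of them
}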
[TLP:WHITE] win_industroyer_w6   (20170615 | Identify service hollowing and persistence setting)
rule win_industroyer_w6 {
    meta:
        description = "Identify service hollowing and persistence setting"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // xor ecx, ecx ; push ecx x6 ; three wildcard bytes
        // -> six zero arguments being pushed; a very generic prelude. The trailing
        // `??` add nothing beyond requiring three more bytes to exist, so this
        // fragment is only meaningful together with the second one.
        $zero_args = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }
        // push -1 x3 ; push eax ; call [0x0040??24] ; (one more ff-group instruction) ;
        // call [0x0040??20]
        // -> two indirect calls through absolute pointers four bytes apart,
        // consistent with neighbouring import-table slots. 0xFFFFFFFF is the value
        // of SERVICE_NO_CHANGE, which would fit the description, but the pattern
        // does not identify the callee -- confirm in the sample. As in w5, the
        // literal `40 00` bytes pin the image base to 0x00400000.
        $neg1_args = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w7   (20170615 | Registry Wiper functionality associated with CRASHOVERRIDE)
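rule win_industroyer_w7 {
    // Description typo in the original ("assoicated") corrected; meta values
    // have no effect on matching.
    // NOTE(review): `reference` points at /blog/industroyer/ while every sibling
    // rule on this page uses /blog/crashoverride/ -- confirm which one resolves.
    meta:
        description = "Registry Wiper functionality associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/industroyer/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // lea eax, [ebp+…a0] ; inc esi ; push eax ; lea eax, [ebp+…a0] ;
        // push 0x????0d68 ; push eax
        // -> a loop counter (esi) being advanced while a local buffer and an
        // image address are pushed as arguments.
        $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }
        // push 2 ; push 0x????0b78 ; push 2 ; push eax ; push 0x????0db4 ;
        // push [ebp+…98] ; call [0x??????04]
        // -> a six-argument call through an absolute pointer, with two image
        // addresses (string/constant operands) and the constant 2 among the
        // arguments. The description suggests a registry-write API; the pattern
        // itself does not name the callee -- confirm in the sample.
        $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }
        // push 0x200 ; lea eax, [ebp+…a0] ; push eax ; push esi ; push [ebp+…9c] ;
        // call [0x??????00] ; test eax, eax
        // -> a four-argument call (handle, index in esi, 512-byte buffer, size)
        // whose result is tested; consistent with a key-enumeration loop such as
        // RegEnumKey, which would also explain the `inc esi` in $s0 -- confirm.
        // Unlike w5/w6, the high address bytes here are wildcarded, so these
        // fragments are not tied to a 0x00400000 image base.
        $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }
    condition:
        all of them
}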
[TLP:WHITE] win_industroyer_w8   (20170615 | File manipulation actions associated with CRASHOVERRIDE wiper)
rule win_industroyer_w8 {
    meta:
        description = "File manipulation actions associated with CRASHOVERRIDE wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // push 0 ; push 0x80 ; push 3 ; push 0 ; push 2 ; mov edi, ecx ;
        // push 0x40000000 ; push edi ; call [0x??????1c] ; mov ebx, eax
        // -> a seven-argument call whose arguments, in call order, are
        // (edi, 0x40000000, 2, 0, 3, 0x80, 0) with the result kept in ebx. The
        // constants line up with CreateFile(name, GENERIC_WRITE, FILE_SHARE_WRITE,
        // NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); the callee pointer is
        // wildcarded, so confirm in the sample.
        $api_call_a = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }
        // push 0 ; push eax ; push edi ; push esi ; push ebx ; call [0x??????4c] ; push esi
        // -> a five-argument call with ebx (the handle from the fragment above, if
        // they sit in the same function) as first argument and NULL as last;
        // consistent with WriteFile -- confirm.
        $api_call_b = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }
    condition:
        // Both fragments are required; neither is specific enough on its own.
        all of them
}