win.industroyer

Industroyer

aka: Crash, CrashOverride

Actor(s): ELECTRUM


Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine's power grid on December 17, 2016. The attack cut off a fifth of Kiev, the capital, from power for one hour. It is the first known malware specifically designed to attack electrical grids.

References

2020-01-31 | Virus Bulletin | Michal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/
Families: Dridex, Exaramel, Industroyer, Neutrino, RCS, Sathurbot

2020-01 | Dragos | Joe Slowik
Threat Intelligence and the Limits of Malware Analysis (technical report)
https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf
Families: Exaramel, Exaramel, Industroyer, Lookback, NjRAT, PlugX

2020 | Secureworks | SecureWorks
IRON VIKING
https://www.secureworks.com/research/threat-profiles/iron-viking
Families: BlackEnergy, EternalPetya, GreyEnergy, Industroyer, KillDisk, TeleBot, TeleDoor

2018-10-11 | ESET Research | Anton Cherepanov, Robert Lipovsky
New TeleBots backdoor: First evidence linking Industroyer to NotPetya
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
Families: Exaramel, EternalPetya, Exaramel, Industroyer

2017-10-05 | Virus Bulletin | Anton Cherepanov, Robert Lipovsky
Industroyer: Biggest threat to industrial control systems since Stuxnet
https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/
Families: Industroyer

2017-07-04 | Wikipedia | Various
Industroyer
https://en.wikipedia.org/wiki/Industroyer
Families: Industroyer

2017-06-13 | Dragos | Dragos
CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations (technical report)
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Families: Industroyer; Actors: ELECTRUM, Sandworm

2017-06-12 | ESET Research | Anton Cherepanov, Robert Lipovsky
Industroyer: Biggest threat to industrial control systems since Stuxnet
https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
Families: Industroyer

2017-06-12 | ESET Research | Anton Cherepanov
WIN32/INDUSTROYER: A new threat for industrial control systems (technical report)
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
Families: Industroyer; Actors: ELECTRUM
Yara Rules
[TLP:WHITE] win_industroyer_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_industroyer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d45f8 50 6a06 53 }
            // n = 4, score = 600
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   6a06                 | push                6
            //   53                   | push                ebx

        $sequence_1 = { 6a44 5e 8d45ac 56 50 }
            // n = 5, score = 600
            //   6a44                 | push                0x44
            //   5e                   | pop                 esi
            //   8d45ac               | lea                 eax, [ebp - 0x54]
            //   56                   | push                esi
            //   50                   | push                eax

        $sequence_2 = { 50 6a7b 68???????? 50 }
            // n = 4, score = 600
            //   50                   | push                eax
            //   6a7b                 | push                0x7b
            //   68????????           |                     
            //   50                   | push                eax

        $sequence_3 = { 57 8d45fc 50 56 ff7508 ff35???????? ff15???????? }
            // n = 7, score = 600
            //   57                   | push                edi
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff35????????         |                     
            //   ff15????????         |                     

        $sequence_4 = { 57 68???????? 6a03 50 ff15???????? 8bf0 }
            // n = 6, score = 600
            //   57                   | push                edi
            //   68????????           |                     
            //   6a03                 | push                3
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_5 = { 57 6a02 56 897dfc e8???????? 57 }
            // n = 6, score = 600
            //   57                   | push                edi
            //   6a02                 | push                2
            //   56                   | push                esi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   e8????????           |                     
            //   57                   | push                edi

        $sequence_6 = { 83c410 814dcc01010000 897da0 8975f4 8b4118 }
            // n = 5, score = 600
            //   83c410               | add                 esp, 0x10
            //   814dcc01010000       | or                  dword ptr [ebp - 0x34], 0x101
            //   897da0               | mov                 dword ptr [ebp - 0x60], edi
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   8b4118               | mov                 eax, dword ptr [ecx + 0x18]

        $sequence_7 = { 50 50 56 8d85a0fdffff 50 ff15???????? }
            // n = 6, score = 600
            //   50                   | push                eax
            //   50                   | push                eax
            //   56                   | push                esi
            //   8d85a0fdffff         | lea                 eax, [ebp - 0x260]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { 8b049d50304100 0fb6440828 83e001 7469 }
            // n = 4, score = 400
            //   8b049d50304100       | mov                 eax, dword ptr [ebx*4 + 0x413050]
            //   0fb6440828           | movzx               eax, byte ptr [eax + ecx + 0x28]
            //   83e001               | and                 eax, 1
            //   7469                 | je                  0x6b

        $sequence_9 = { 8b048550304100 33db 8b7508 57 8b440818 8b4d10 }
            // n = 6, score = 400
            //   8b048550304100       | mov                 eax, dword ptr [eax*4 + 0x413050]
            //   33db                 | xor                 ebx, ebx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8b440818             | mov                 eax, dword ptr [eax + ecx + 0x18]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]

        $sequence_10 = { 7512 8b04bd50304100 807c302900 7504 32c0 }
            // n = 5, score = 400
            //   7512                 | jne                 0x14
            //   8b04bd50304100       | mov                 eax, dword ptr [edi*4 + 0x413050]
            //   807c302900           | cmp                 byte ptr [eax + esi + 0x29], 0
            //   7504                 | jne                 6
            //   32c0                 | xor                 al, al

        $sequence_11 = { 53 ffd6 85c0 75ea 5e }
            // n = 5, score = 400
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   75ea                 | jne                 0xffffffec
            //   5e                   | pop                 esi

        $sequence_12 = { 83c408 c700???????? 897804 85c9 }
            // n = 4, score = 400
            //   83c408               | add                 esp, 8
            //   c700????????         |                     
            //   897804               | mov                 dword ptr [eax + 4], edi
            //   85c9                 | test                ecx, ecx

        $sequence_13 = { 85c0 0f85bb000000 6800020000 8d85a0fbffff }
            // n = 4, score = 400
            //   85c0                 | test                eax, eax
            //   0f85bb000000         | jne                 0xc1
            //   6800020000           | push                0x200
            //   8d85a0fbffff         | lea                 eax, [ebp - 0x460]

        $sequence_14 = { 8b55d4 8a07 8b0c9550304100 8844192e 8b049550304100 804c182d04 }
            // n = 6, score = 400
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8b0c9550304100       | mov                 ecx, dword ptr [edx*4 + 0x413050]
            //   8844192e             | mov                 byte ptr [ecx + ebx + 0x2e], al
            //   8b049550304100       | mov                 eax, dword ptr [edx*4 + 0x413050]
            //   804c182d04           | or                  byte ptr [eax + ebx + 0x2d], 4

        $sequence_15 = { 46 3b35???????? 72eb b101 e8???????? 33c0 }
            // n = 6, score = 400
            //   46                   | inc                 esi
            //   3b35????????         |                     
            //   72eb                 | jb                  0xffffffed
            //   b101                 | mov                 cl, 1
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax

        $sequence_16 = { 53 8b5d10 8b048550304100 56 }
            // n = 4, score = 400
            //   53                   | push                ebx
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]
            //   8b048550304100       | mov                 eax, dword ptr [eax*4 + 0x413050]
            //   56                   | push                esi

        $sequence_17 = { 8bd6 83e03f c1fa06 6bc830 8b049550304100 }
            // n = 5, score = 400
            //   8bd6                 | mov                 edx, esi
            //   83e03f               | and                 eax, 0x3f
            //   c1fa06               | sar                 edx, 6
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b049550304100       | mov                 eax, dword ptr [edx*4 + 0x413050]

        $sequence_18 = { 0f8230ffffff 6aff 6a01 8d85a0efffff 50 53 }
            // n = 6, score = 400
            //   0f8230ffffff         | jb                  0xffffff36
            //   6aff                 | push                -1
            //   6a01                 | push                1
            //   8d85a0efffff         | lea                 eax, [ebp - 0x1060]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_19 = { 57 8d1c85c82f4100 8b03 8b15???????? 83cfff 8bca }
            // n = 6, score = 400
            //   57                   | push                edi
            //   8d1c85c82f4100       | lea                 ebx, [eax*4 + 0x412fc8]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b15????????         |                     
            //   83cfff               | or                  edi, 0xffffffff
            //   8bca                 | mov                 ecx, edx

        $sequence_20 = { a1???????? 33c4 89842468040000 53 8b1d???????? 8d842460020000 }
            // n = 6, score = 400
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   89842468040000       | mov                 dword ptr [esp + 0x468], eax
            //   53                   | push                ebx
            //   8b1d????????         |                     
            //   8d842460020000       | lea                 eax, [esp + 0x260]

        $sequence_21 = { 6a00 6a01 ff15???????? 8bf0 6a01 56 }
            // n = 6, score = 400
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   6a01                 | push                1
            //   56                   | push                esi

        $sequence_22 = { 8b049550304100 8b440818 83f8ff 7409 83f8fe }
            // n = 5, score = 400
            //   8b049550304100       | mov                 eax, dword ptr [edx*4 + 0x413050]
            //   8b440818             | mov                 eax, dword ptr [eax + ecx + 0x18]
            //   83f8ff               | cmp                 eax, -1
            //   7409                 | je                  0xb
            //   83f8fe               | cmp                 eax, -2

        $sequence_23 = { 50 ffd3 8d442418 50 8d84246c020000 50 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax
            //   8d84246c020000       | lea                 eax, [esp + 0x26c]
            //   50                   | push                eax

        $sequence_24 = { 6800100000 8d85f8efffff 50 52 }
            // n = 4, score = 200
            //   6800100000           | push                0x1000
            //   8d85f8efffff         | lea                 eax, [ebp - 0x1008]
            //   50                   | push                eax
            //   52                   | push                edx

        $sequence_25 = { 668906 8b048dd01f0210 6a0a 8854382a 8b048dd01f0210 }
            // n = 5, score = 200
            //   668906               | mov                 word ptr [esi], ax
            //   8b048dd01f0210       | mov                 eax, dword ptr [ecx*4 + 0x10021fd0]
            //   6a0a                 | push                0xa
            //   8854382a             | mov                 byte ptr [eax + edi + 0x2a], dl
            //   8b048dd01f0210       | mov                 eax, dword ptr [ecx*4 + 0x10021fd0]

        $sequence_26 = { 8b0485d01f0210 80640828fe ff15???????? 50 e8???????? }
            // n = 5, score = 200
            //   8b0485d01f0210       | mov                 eax, dword ptr [eax*4 + 0x10021fd0]
            //   80640828fe           | and                 byte ptr [eax + ecx + 0x28], 0xfe
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_27 = { 8903 894304 8b03 8d04f0 894308 8b4508 }
            // n = 6, score = 200
            //   8903                 | mov                 dword ptr [ebx], eax
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8d04f0               | lea                 eax, [eax + esi*8]
            //   894308               | mov                 dword ptr [ebx + 8], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_28 = { 85ff 7ec9 8bd9 8d8df8efffff 2bd9 8db5f8efffff 03f0 }
            // n = 7, score = 200
            //   85ff                 | test                edi, edi
            //   7ec9                 | jle                 0xffffffcb
            //   8bd9                 | mov                 ebx, ecx
            //   8d8df8efffff         | lea                 ecx, [ebp - 0x1008]
            //   2bd9                 | sub                 ebx, ecx
            //   8db5f8efffff         | lea                 esi, [ebp - 0x1008]
            //   03f0                 | add                 esi, eax

        $sequence_29 = { 50 c7836802000000000000 8d8274020000 c7836c02000000000000 50 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   c7836802000000000000 | mov                 dword ptr [ebx + 0x268], 0
            //   8d8274020000         | lea                 eax, [edx + 0x274]
            //   c7836c02000000000000 | mov                 dword ptr [ebx + 0x26c], 0
            //   50                   | push                eax

        $sequence_30 = { 7204 3cfd 760d 68???????? e8???????? 83c404 68???????? }
            // n = 7, score = 200
            //   7204                 | jb                  6
            //   3cfd                 | cmp                 al, 0xfd
            //   760d                 | jbe                 0xf
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   68????????           |                     

        $sequence_31 = { 83c410 53 c6470400 c6470101 }
            // n = 4, score = 200
            //   83c410               | add                 esp, 0x10
            //   53                   | push                ebx
            //   c6470400             | mov                 byte ptr [edi + 4], 0
            //   c6470101             | mov                 byte ptr [edi + 1], 1

        $sequence_32 = { 8b4310 8b4c0230 33c0 40 f00fc1443118 40 83f801 }
            // n = 7, score = 100
            //   8b4310               | mov                 eax, dword ptr [ebx + 0x10]
            //   8b4c0230             | mov                 ecx, dword ptr [edx + eax + 0x30]
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   f00fc1443118         | lock xadd           dword ptr [ecx + esi + 0x18], eax
            //   40                   | inc                 eax
            //   83f801               | cmp                 eax, 1

        $sequence_33 = { 75c3 894dcc 8d8d78ffffff e8???????? 84c0 7417 b301 }
            // n = 7, score = 100
            //   75c3                 | jne                 0xffffffc5
            //   894dcc               | mov                 dword ptr [ebp - 0x34], ecx
            //   8d8d78ffffff         | lea                 ecx, [ebp - 0x88]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7417                 | je                  0x19
            //   b301                 | mov                 bl, 1

        $sequence_34 = { ff75dc 894dd0 50 ff750c 894dd4 }
            // n = 5, score = 100
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   894dd0               | mov                 dword ptr [ebp - 0x30], ecx
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   894dd4               | mov                 dword ptr [ebp - 0x2c], ecx

        $sequence_35 = { e8???????? 8d4b28 e8???????? 56 8d4de0 e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8d4b28               | lea                 ecx, [ebx + 0x28]
            //   e8????????           |                     
            //   56                   | push                esi
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   e8????????           |                     

        $sequence_36 = { 3914c540694400 7408 40 83f81d 7cf1 }
            // n = 5, score = 100
            //   3914c540694400       | cmp                 dword ptr [eax*8 + 0x446940], edx
            //   7408                 | je                  0xa
            //   40                   | inc                 eax
            //   83f81d               | cmp                 eax, 0x1d
            //   7cf1                 | jl                  0xfffffff3

        $sequence_37 = { 8bcf 8bd3 894dec 8955e8 85c9 }
            // n = 5, score = 100
            //   8bcf                 | mov                 ecx, edi
            //   8bd3                 | mov                 edx, ebx
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   85c9                 | test                ecx, ecx

        $sequence_38 = { 85d2 0f855affffff eb06 8b8df8feffff 03c9 399ccd00ffffff 7408 }
            // n = 7, score = 100
            //   85d2                 | test                edx, edx
            //   0f855affffff         | jne                 0xffffff60
            //   eb06                 | jmp                 8
            //   8b8df8feffff         | mov                 ecx, dword ptr [ebp - 0x108]
            //   03c9                 | add                 ecx, ecx
            //   399ccd00ffffff       | cmp                 dword ptr [ebp + ecx*8 - 0x100], ebx
            //   7408                 | je                  0xa

        $sequence_39 = { ebed 394d0c 7412 eb91 837d0c00 740a }
            // n = 6, score = 100
            //   ebed                 | jmp                 0xffffffef
            //   394d0c               | cmp                 dword ptr [ebp + 0xc], ecx
            //   7412                 | je                  0x14
            //   eb91                 | jmp                 0xffffff93
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   740a                 | je                  0xc

    condition:
        7 of them and filesize < 983040
}
[TLP:WHITE] win_industroyer_w0   (20170615 | CRASHOVERRIDE v1 Suspicious Export)
import "pe"

rule win_industroyer_w0 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    condition:
        pe.exports("Crash") & pe.characteristics
}
[TLP:WHITE] win_industroyer_w1   (20170615 | CRASHOVERRIDE v1 Wiper)
import "pe"

rule win_industroyer_w1 {
    meta:
        description = "CRASHOVERRIDE v1 Wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "SYS_BASCON.COM" fullword nocase wide
        $s1 = ".pcmp" fullword nocase wide
        $s2 = ".pcmi" fullword nocase wide
        $s3 = ".pcmt" fullword nocase wide
        $s4 = ".cin" fullword nocase wide
        
    condition:
        pe.exports("Crash") and any of ($s*)
}
[TLP:WHITE] win_industroyer_w2   (20170615 | CRASHOVERRIDE v1 Suspicious Strings and Export)
import "pe"

rule win_industroyer_w2 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "101.dll" fullword nocase wide
        $s1 = "Crash101.dll" fullword nocase wide
        $s2 = "104.dll" fullword nocase wide
        $s3 = "Crash104.dll" fullword nocase wide
        $s4 = "61850.dll" fullword nocase wide
        $s5 = "Crash61850.dll" fullword nocase wide
        $s6 = "OPCClientDemo.dll" fullword nocase wide
        $s7 = "OPC" fullword nocase wide
        $s8 = "CrashOPCClientDemo.dll" fullword nocase wide
        $s9 = "D2MultiCommService.exe" fullword nocase wide
        $s10 = "CrashD2MultiCommService.exe" fullword nocase wide
        $s11 = "61850.exe" fullword nocase wide
        $s12 = "OPC.exe" fullword nocase wide
        $s13 = "haslo.exe" fullword nocase wide
        $s14 = "haslo.dat" fullword nocase wide
    condition:
        any of ($s*) and pe.exports("Crash")
}
[TLP:WHITE] win_industroyer_w3   (20170615 | IEC-104 Interaction Module Program Strings)
rule win_industroyer_w3 { 
    meta:
        description = "IEC-104 Interaction Module Program Strings"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:      
        $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii 
        $s2 = " MSTR ->> SLV" nocase wide ascii 
        $s3 = " MSTR <<- SLV" nocase wide ascii 
        $s4 = "Unknown APDU format !!!" nocase wide ascii 
        $s5 = "iec104.log" nocase wide ascii 
    condition:      
        any of ($s*)
}
[TLP:WHITE] win_industroyer_w4   (20170615 | CRASHOVERRIDE v1 Config File Parsing)
rule win_industroyer_w4 {
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
        $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
        $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
        $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w5   (20170615 | Blank mutex creation associated with CRASHOVERRIDE)
rule win_industroyer_w5 {
    meta:
        description = "Blank mutex creation associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }
        $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w6   (20170615 | Identify service hollowing and persistence setting)
rule win_industroyer_w6 {
    meta:
        description = "Identify service hollowing and persistence setting"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }
        $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w7   (20170615 | Registry Wiper functionality associated with CRASHOVERRIDE)
rule win_industroyer_w7 {
    meta:
        description = "Registry Wiper functionality associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/industroyer/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }
        $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }
        $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }
    condition:
        all of them
}
[TLP:WHITE] win_industroyer_w8   (20170615 | File manipulation actions associated with CRASHOVERRIDE wiper)
rule win_industroyer_w8 {
    meta:
        description = "File manipulation actions associated with CRASHOVERRIDE wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }
        $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }
    condition:
        all of them
}