win.industroyer

Industroyer

aka: Crash, CrashOverride

Actor(s): ELECTRUM


Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut off power to a fifth of Kiev, the capital, for one hour. It is the first known malware specifically designed to attack electrical grids.

References
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-12ESET ResearchESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-04-12Cert-UACert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-02-24nvisoMichel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-24TesorionTESORION
@techreport{tesorion:20220224:report:e2f2082, author = {TESORION}, title = {{Report OSINT: Russia/ Ukraine Conflict Cyberaspect}}, date = {2022-02-24}, institution = {Tesorion}, url = {https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf}, language = {English}, urldate = {2022-03-01} } Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2021-02-11DomainToolsJoe Slowik
@online{slowik:20210211:visibility:5d2f96e, author = {Joe Slowik}, title = {{Visibility, Monitoring, and Critical Infrastructure Security}}, date = {2021-02-11}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security}, language = {English}, urldate = {2021-02-20} } Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-11-12DragosDragos
@techreport{dragos:20201112:cyber:cf5b4fd, author = {Dragos}, title = {{Cyber Threat Perspective MANUFACTURING SECTOR}}, date = {2020-11-12}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf}, language = {English}, urldate = {2020-11-18} } Cyber Threat Perspective MANUFACTURING SECTOR
Industroyer Snake
2020-10-19UK GovernmentForeign, Commonwealth & Development Office, Dominic Raab
@online{office:20201019:uk:7ead390, author = {ForeignCommonwealth & Development Office and Dominic Raab}, title = {{UK exposes series of Russian cyber attacks against Olympic and Paralympic Games}}, date = {2020-10-19}, organization = {UK Government}, url = {https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games}, language = {English}, urldate = {2020-10-23} } UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-10-19Riskint BlogCurtis
@online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020-01DragosJoe Slowik
@techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2018-10-11ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer
2017-10-05Virus BulletinAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} } Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
2017-07-04WikipediaVarious
@online{various:20170704:industroyer:54eba4d, author = {Various}, title = {{Industroyer}}, date = {2017-07-04}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Industroyer}, language = {English}, urldate = {2020-01-08} } Industroyer
Industroyer
2017-06-13DragosDragos
@techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} } CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations
Industroyer ELECTRUM Sandworm
2017-06-12ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} } Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
2017-06-12ESET ResearchAnton Cherepanov
@techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} } WIN32/INDUSTROYER: A new threat for industrial control systems
Industroyer ELECTRUM
Yara Rules
[TLP:WHITE] win_industroyer_auto (20220516 | Detects win.industroyer.)
rule win_industroyer_auto {

    // Auto-generated code-sequence signature for win.industroyer (see the
    // DISCLAIMER below). Each $sequence_N is a short run of x86 instruction
    // bytes lifted from disassembly; the "????????" wildcards appear to stand
    // in for 32-bit call/jump displacements and absolute addresses that vary
    // between builds, so only the opcode skeleton is matched. The per-sequence
    // "n" is the instruction count; "score" is a yara-signator weighting whose
    // scale is not documented on this page.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.industroyer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 8bf0 e8???????? c70424e8030000 56 ff15???????? }
            // n = 6, score = 600
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   c70424e8030000       | mov                 dword ptr [esp], 0x3e8
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_1 = { 8d45ec 33c9 50 8d45a8 50 }
            // n = 5, score = 600
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   33c9                 | xor                 ecx, ecx
            //   50                   | push                eax
            //   8d45a8               | lea                 eax, [ebp - 0x58]
            //   50                   | push                eax

        $sequence_2 = { 57 57 68???????? 51 ff15???????? }
            // n = 5, score = 600
            //   57                   | push                edi
            //   57                   | push                edi
            //   68????????           |                     
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_3 = { 8d45f0 897df4 50 8d45fc 897dfc 50 }
            // n = 6, score = 600
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   50                   | push                eax

        $sequence_4 = { e8???????? 8b7d08 8bc8 8b45f8 8b35???????? }
            // n = 5, score = 600
            //   e8????????           |                     
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8bc8                 | mov                 ecx, eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b35????????         |                     

        $sequence_5 = { e8???????? 8d45f0 6a10 50 e8???????? 814dd801010000 }
            // n = 6, score = 600
            //   e8????????           |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   6a10                 | push                0x10
            //   50                   | push                eax
            //   e8????????           |                     
            //   814dd801010000       | or                  dword ptr [ebp - 0x28], 0x101

        $sequence_6 = { 50 57 6a00 e8???????? be0e000780 }
            // n = 5, score = 600
            //   50                   | push                eax
            //   57                   | push                edi
            //   6a00                 | push                0
            //   e8????????           |                     
            //   be0e000780           | mov                 esi, 0x8007000e

        $sequence_7 = { 57 6800000010 8d85f8fdffff 50 ff15???????? }
            // n = 5, score = 600
            //   57                   | push                edi
            //   6800000010           | push                0x10000000
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { eb19 8d8d90efffff 51 6a00 50 68???????? }
            // n = 6, score = 400
            //   eb19                 | jmp                 0x1b
            //   8d8d90efffff         | lea                 ecx, [ebp - 0x1070]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_9 = { 50 ffd3 8b542414 8d8c2468020000 e8???????? 8d442418 50 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   8d8c2468020000       | lea                 ecx, [esp + 0x268]
            //   e8????????           |                     
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax

        $sequence_10 = { 5d c3 80bdcffdffff00 752a 33f6 }
            // n = 5, score = 400
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   80bdcffdffff00       | cmp                 byte ptr [ebp - 0x231], 0
            //   752a                 | jne                 0x2c
            //   33f6                 | xor                 esi, esi

        $sequence_11 = { ff15???????? 85c0 0f847bffffff ffb59cf3ffff ffd7 8b4dfc }
            // n = 6, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f847bffffff         | je                  0xffffff81
            //   ffb59cf3ffff         | push                dword ptr [ebp - 0xc64]
            //   ffd7                 | call                edi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_12 = { 81ec34020000 a1???????? 33c5 8945fc 57 8895cffdffff 8bf9 }
            // n = 7, score = 400
            //   81ec34020000         | sub                 esp, 0x234
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   57                   | push                edi
            //   8895cffdffff         | mov                 byte ptr [ebp - 0x231], dl
            //   8bf9                 | mov                 edi, ecx

        $sequence_13 = { 56 ff15???????? 8b8c2474040000 5f 5e }
            // n = 5, score = 400
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b8c2474040000       | mov                 ecx, dword ptr [esp + 0x474]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_14 = { 57 e8???????? 83c404 8bf0 8d45fc 6a00 }
            // n = 6, score = 400
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   6a00                 | push                0

        $sequence_15 = { 83c404 53 ff15???????? 5f 5e 5b 8be5 }
            // n = 7, score = 400
            //   83c404               | add                 esp, 4
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_16 = { 50 56 ff15???????? 8b45f0 eb09 ff15???????? 8945f0 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   eb09                 | jmp                 0xb
            //   ff15????????         |                     
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_17 = { 1bc9 83c901 85c9 0fb6c3 b90c000000 c6857dfcfeff01 0f44c1 }
            // n = 7, score = 200
            //   1bc9                 | sbb                 ecx, ecx
            //   83c901               | or                  ecx, 1
            //   85c9                 | test                ecx, ecx
            //   0fb6c3               | movzx               eax, bl
            //   b90c000000           | mov                 ecx, 0xc
            //   c6857dfcfeff01       | mov                 byte ptr [ebp - 0x10383], 1
            //   0f44c1               | cmove               eax, ecx

        $sequence_18 = { 894638 c6463c01 eb17 894638 eb0e c746345c9b0110 c7463806000000 }
            // n = 7, score = 200
            //   894638               | mov                 dword ptr [esi + 0x38], eax
            //   c6463c01             | mov                 byte ptr [esi + 0x3c], 1
            //   eb17                 | jmp                 0x19
            //   894638               | mov                 dword ptr [esi + 0x38], eax
            //   eb0e                 | jmp                 0x10
            //   c746345c9b0110       | mov                 dword ptr [esi + 0x34], 0x10019b5c
            //   c7463806000000       | mov                 dword ptr [esi + 0x38], 6

        $sequence_19 = { c1e107 03c8 894a08 0fb64604 0fbe4e05 d0f8 }
            // n = 6, score = 200
            //   c1e107               | shl                 ecx, 7
            //   03c8                 | add                 ecx, eax
            //   894a08               | mov                 dword ptr [edx + 8], ecx
            //   0fb64604             | movzx               eax, byte ptr [esi + 4]
            //   0fbe4e05             | movsx               ecx, byte ptr [esi + 5]
            //   d0f8                 | sar                 al, 1

        $sequence_20 = { 660f28a030044100 660f28b820004100 660f54f0 660f5cc6 }
            // n = 4, score = 200
            //   660f28a030044100     | movapd              xmm4, xmmword ptr [eax + 0x410430]
            //   660f28b820004100     | movapd              xmm7, xmmword ptr [eax + 0x410020]
            //   660f54f0             | andpd               xmm6, xmm0
            //   660f5cc6             | subpd               xmm0, xmm6

        $sequence_21 = { 83c801 85c0 c6857dfcfeff01 0f94857bfcfeff }
            // n = 4, score = 200
            //   83c801               | or                  eax, 1
            //   85c0                 | test                eax, eax
            //   c6857dfcfeff01       | mov                 byte ptr [ebp - 0x10383], 1
            //   0f94857bfcfeff       | sete                byte ptr [ebp - 0x10385]

        $sequence_22 = { 894df0 8b34cd20ee4000 8b4d08 6a5a 2bce }
            // n = 5, score = 200
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b34cd20ee4000       | mov                 esi, dword ptr [ecx*8 + 0x40ee20]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   6a5a                 | push                0x5a
            //   2bce                 | sub                 ecx, esi

        $sequence_23 = { 6a00 ff15???????? 8bf0 85f6 7468 6a01 6a00 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7468                 | je                  0x6a
            //   6a01                 | push                1
            //   6a00                 | push                0

        $sequence_24 = { 0fb688e09a0110 83e10f eb02 33c9 8b450c 0fb684c8009b0110 c1e804 }
            // n = 7, score = 200
            //   0fb688e09a0110       | movzx               ecx, byte ptr [eax + 0x10019ae0]
            //   83e10f               | and                 ecx, 0xf
            //   eb02                 | jmp                 4
            //   33c9                 | xor                 ecx, ecx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0fb684c8009b0110     | movzx               eax, byte ptr [eax + ecx*8 + 0x10019b00]
            //   c1e804               | shr                 eax, 4

        $sequence_25 = { c745e0d4ff4000 eba2 894ddc c745e0d4ff4000 e9???????? }
            // n = 5, score = 200
            //   c745e0d4ff4000       | mov                 dword ptr [ebp - 0x20], 0x40ffd4
            //   eba2                 | jmp                 0xffffffa4
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   c745e0d4ff4000       | mov                 dword ptr [ebp - 0x20], 0x40ffd4
            //   e9????????           |                     

        $sequence_26 = { 0fb60c856eda0110 0fb634856fda0110 8bf9 8985a4f8ffff c1e702 57 }
            // n = 6, score = 200
            //   0fb60c856eda0110     | movzx               ecx, byte ptr [eax*4 + 0x1001da6e]
            //   0fb634856fda0110     | movzx               esi, byte ptr [eax*4 + 0x1001da6f]
            //   8bf9                 | mov                 edi, ecx
            //   8985a4f8ffff         | mov                 dword ptr [ebp - 0x75c], eax
            //   c1e702               | shl                 edi, 2
            //   57                   | push                edi

        $sequence_27 = { 8b35???????? 6a02 50 ffd6 6880000000 }
            // n = 5, score = 200
            //   8b35????????         |                     
            //   6a02                 | push                2
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   6880000000           | push                0x80

        $sequence_28 = { 85c0 7450 6aff 56 ff15???????? 6a00 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   7450                 | je                  0x52
            //   6aff                 | push                -1
            //   56                   | push                esi
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_29 = { 83c408 e9???????? 8d8d78fcfeff e8???????? c745fc00000000 8bb5f0f9fdff 56 }
            // n = 7, score = 200
            //   83c408               | add                 esp, 8
            //   e9????????           |                     
            //   8d8d78fcfeff         | lea                 ecx, [ebp - 0x10388]
            //   e8????????           |                     
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   8bb5f0f9fdff         | mov                 esi, dword ptr [ebp - 0x20610]
            //   56                   | push                esi

        $sequence_30 = { 83c404 68???????? e8???????? 8b06 83c404 }
            // n = 5, score = 200
            //   83c404               | add                 esp, 4
            //   68????????           |                     
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   83c404               | add                 esp, 4

        $sequence_31 = { 1bc0 23c1 eb55 8b1c9db8c14000 56 6800080000 }
            // n = 6, score = 200
            //   1bc0                 | sbb                 eax, eax
            //   23c1                 | and                 eax, ecx
            //   eb55                 | jmp                 0x57
            //   8b1c9db8c14000       | mov                 ebx, dword ptr [ebx*4 + 0x40c1b8]
            //   56                   | push                esi
            //   6800080000           | push                0x800

        $sequence_32 = { 8b5614 8d442410 8bc8 c74424105cad4400 89742414 }
            // n = 5, score = 100
            //   8b5614               | mov                 edx, dword ptr [esi + 0x14]
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   8bc8                 | mov                 ecx, eax
            //   c74424105cad4400     | mov                 dword ptr [esp + 0x10], 0x44ad5c
            //   89742414             | mov                 dword ptr [esp + 0x14], esi

        $sequence_33 = { c1f906 6bc030 03048d58984500 eb05 }
            // n = 4, score = 100
            //   c1f906               | sar                 ecx, 6
            //   6bc030               | imul                eax, eax, 0x30
            //   03048d58984500       | add                 eax, dword ptr [ecx*4 + 0x459858]
            //   eb05                 | jmp                 7

        $sequence_34 = { 83ec20 33c9 8bc1 3914c540694400 7408 40 }
            // n = 6, score = 100
            //   83ec20               | sub                 esp, 0x20
            //   33c9                 | xor                 ecx, ecx
            //   8bc1                 | mov                 eax, ecx
            //   3914c540694400       | cmp                 dword ptr [eax*8 + 0x446940], edx
            //   7408                 | je                  0xa
            //   40                   | inc                 eax

        $sequence_35 = { 5d c20400 8d4108 6a05 }
            // n = 4, score = 100
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   8d4108               | lea                 eax, [ecx + 8]
            //   6a05                 | push                5

        $sequence_36 = { 7509 53 e8???????? 59 eb3c }
            // n = 5, score = 100
            //   7509                 | jne                 0xb
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   eb3c                 | jmp                 0x3e

        $sequence_37 = { 743c 8b5d90 397b18 7518 6a20 }
            // n = 5, score = 100
            //   743c                 | je                  0x3e
            //   8b5d90               | mov                 ebx, dword ptr [ebp - 0x70]
            //   397b18               | cmp                 dword ptr [ebx + 0x18], edi
            //   7518                 | jne                 0x1a
            //   6a20                 | push                0x20

        $sequence_38 = { 33c0 8bd9 57 8bf0 8945fc 53 8d4dd8 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8bd9                 | mov                 ebx, ecx
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   53                   | push                ebx
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]

        $sequence_39 = { 894210 894214 895a14 894210 837a1408 }
            // n = 5, score = 100
            //   894210               | mov                 dword ptr [edx + 0x10], eax
            //   894214               | mov                 dword ptr [edx + 0x14], eax
            //   895a14               | mov                 dword ptr [edx + 0x14], ebx
            //   894210               | mov                 dword ptr [edx + 0x10], eax
            //   837a1408             | cmp                 dword ptr [edx + 0x14], 8

    condition:
        // Any 7 of the 40 $sequence_N patterns must be present, and the file
        // must be smaller than 983040 bytes (960 KiB). The size cap is the
        // generator's default bound; it presumably keeps scanning cost and
        // false positives on large binaries down -- tune it if you apply the
        // rule to memory dumps or unpacked images that exceed it.
        7 of them and filesize < 983040
}
[TLP:WHITE] win_industroyer_w0   (20170615 | CRASHOVERRIDE v1 Suspicious Export)
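import "pe"

// Flags PE files that export a function named "Crash" — the export name the
// CRASHOVERRIDE v1 payload modules share (the sibling Dragos rules on this
// page key on the same export). Export-only rules are broad by design; use
// this as a triage signal and confirm with the string/byte-pattern rules.
rule win_industroyer_w0 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    condition:
        // Fix: the original condition was `pe.exports("Crash") & pe.characteristics`.
        // In YARA `&` is an integer bitwise AND, so the rule only fired when bit 0
        // of the COFF characteristics (IMAGE_FILE_RELOCS_STRIPPED) happened to be
        // set, not whenever the export was present. The intent reads as a boolean
        // conjunction. For any loadable PE image the characteristics field is
        // non-zero, so the second operand effectively just requires that the file
        // parsed as a PE; `pe.exports()` alone would be undefined (false) otherwise.
        pe.exports("Crash") and pe.characteristics != 0
}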
[TLP:WHITE] win_industroyer_w1   (20170615 | CRASHOVERRIDE v1 Wiper)
import "pe"

// CRASHOVERRIDE v1 wiper component: the "Crash" export plus at least one of the
// file names / extensions the wiper is reported to target.
rule win_industroyer_w1 {
    meta:
        description = "CRASHOVERRIDE v1 Wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // All strings are UTF-16LE, case-insensitive, and `fullword`.
        // Caveat on `fullword` for the extensions: YARA requires the match to be
        // bounded by non-alphanumeric characters, so an embedded filename such as
        // "report.pcmp" does NOT match (the dot is preceded by 'p'). These only hit
        // when the extension is stored standalone, e.g. as its own null-terminated
        // wide string in an extension table — presumably how the sample stores
        // them; confirm against a sample before relying on this rule alone.
        $cfg_file = "SYS_BASCON.COM" fullword nocase wide  // reportedly a substation-software config file name
        $ext_pcmp = ".pcmp" fullword nocase wide
        $ext_pcmi = ".pcmi" fullword nocase wide
        $ext_pcmt = ".pcmt" fullword nocase wide
        $ext_cin  = ".cin" fullword nocase wide
    condition:
        // Export check first, then any one of the target-name strings.
        pe.exports("Crash") and 1 of them
}
[TLP:WHITE] win_industroyer_w2   (20170615 | CRASHOVERRIDE v1 Suspicious Strings and Export)
import "pe"

// CRASHOVERRIDE v1 component names: module/binary file names seen in the
// framework, combined with the shared "Crash" export. The names grouped below
// correspond to the protocol-module naming (101 / 104 / 61850 / OPC) the other
// Dragos rules on this page also reference.
rule win_industroyer_w2 {
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // All strings: UTF-16LE, case-insensitive, whole-word.
        // Module DLLs, with and without the "Crash" prefix.
        $dll_101       = "101.dll" fullword nocase wide
        $dll_101_crash = "Crash101.dll" fullword nocase wide
        $dll_104       = "104.dll" fullword nocase wide
        $dll_104_crash = "Crash104.dll" fullword nocase wide
        $dll_61850       = "61850.dll" fullword nocase wide
        $dll_61850_crash = "Crash61850.dll" fullword nocase wide
        $dll_opc       = "OPCClientDemo.dll" fullword nocase wide
        $dll_opc_crash = "CrashOPCClientDemo.dll" fullword nocase wide
        // Executables, with and without the "Crash" prefix.
        $exe_d2       = "D2MultiCommService.exe" fullword nocase wide
        $exe_d2_crash = "CrashD2MultiCommService.exe" fullword nocase wide
        $exe_61850    = "61850.exe" fullword nocase wide
        $exe_opc      = "OPC.exe" fullword nocase wide
        $exe_haslo    = "haslo.exe" fullword nocase wide
        $dat_haslo    = "haslo.dat" fullword nocase wide
        // Very short token; on its own it would be noisy, which is why the
        // condition also requires the export.
        $tok_opc      = "OPC" fullword nocase wide
    condition:
        pe.exports("Crash") and any of them
}
[TLP:WHITE] win_industroyer_w3   (20170615 | IEC-104 Interaction Module Program Strings)
// IEC-104 protocol module: log/format strings embedded in the component.
// No `pe` import is needed because the rule is string-only.
rule win_industroyer_w3 {
    meta:
        description = "IEC-104 Interaction Module Program Strings"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Each string is searched case-insensitively in both ASCII and UTF-16LE.
        $banner   = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii  // printf-style connection banner
        $dir_m2s  = " MSTR ->> SLV" nocase wide ascii                             // master-to-slave direction marker
        $dir_s2m  = " MSTR <<- SLV" nocase wide ascii                             // slave-to-master direction marker
        $apdu_err = "Unknown APDU format !!!" nocase wide ascii
        $logname  = "iec104.log" nocase wide ascii
    condition:
        // A single hit is enough. $logname and $apdu_err are plausible in benign
        // IEC-104 tooling as well, so a lone hit on either deserves more scrutiny
        // than a hit on the banner or the direction markers.
        1 of them
}
[TLP:WHITE] win_industroyer_w4   (20170615 | CRASHOVERRIDE v1 Config File Parsing)
// CRASHOVERRIDE v1 configuration-file parsing: four x86 byte sequences that
// must all be present. The byte-level glosses below are straight opcode reads
// of the visible bytes; the higher-level purpose is the rule author's claim.
rule win_industroyer_w4 {
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // push imm32 ; push 0 ; call rel32 ; mov edi, eax ; add esp, 0x?8
        // (`?8` is a nibble wildcard: the stack-cleanup immediate ends in 8).
        $seq_call_cleanup = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
        // mov dl, [eax] ; cmp dl, [ecx] ; jne ; test dl, dl ; je — a byte-compare
        // loop. This and the next sequence look like compiler/CRT strcmp idioms
        // and are likely common in unrelated MSVC binaries; the `all of` condition
        // is what keeps the rule specific.
        $seq_strcmp_loop  = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
        // xor eax, eax ; jmp ; sbb eax, eax ; or eax, imm8 — result normalisation.
        $seq_strcmp_ret   = { 33 c0 eb ?? 1b c0 83 c8 ?? }
        // test eax, eax ; jne ; lea edx, [ebp+disp32] ; mov ecx, edi ; ?? ??
        $seq_branch_lea   = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
    condition:
        $seq_call_cleanup and $seq_strcmp_loop and $seq_strcmp_ret and $seq_branch_lea
}
[TLP:WHITE] win_industroyer_w5   (20170615 | Blank mutex creation associated with CRASHOVERRIDE)
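// Blank (unnamed) mutex creation as used by CRASHOVERRIDE: two x86 byte
// sequences that must both be present. Opcode glosses are literal reads of
// the bytes; API attribution is inferred and should be confirmed in a
// disassembler.
rule win_industroyer_w5 {
    meta:
        // Fixed typo in the original description ("assoicated").
        description = "Blank mutex creation associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // sub esp, 0x208 ; push edi ; xor edi, edi ; push edi x3 ; call [0x0040????] ;
        // mov [0x00??????], eax ; test eax, eax — three NULL/0 arguments before the
        // call is consistent with CreateMutex(NULL, FALSE, NULL), matching the
        // description.
        // Caveat: the literal `40 00` / trailing `00` bytes pin IAT and global
        // addresses to an image base near 0x00400000, so this will miss a rebuild
        // linked at a different base or with ASLR-relocated addresses in the IAT.
        $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }
        // lea eax, [ebp-...] ; push eax ; push edi x2 ; push 0x2e ; push edi ;
        // call [0x00??????] ; push 0x0040???? — same image-base caveat applies.
        $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}
    condition:
        all of them
}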
[TLP:WHITE] win_industroyer_w6   (20170615 | Identify service hollowing and persistence setting)
// Service hollowing / persistence setting (per the rule author): two x86 byte
// sequences that must both be present. Glosses are literal opcode reads; the
// attribution to service-configuration APIs is inferred, not visible here.
rule win_industroyer_w6 {
    meta:
        description = "Identify service hollowing and persistence setting"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // xor ecx, ecx ; push ecx x6 — six zero arguments, a very generic prologue
        // for any API call taking many NULLs. The three trailing `??` add no
        // specificity; they only require three more bytes to exist after the pushes.
        $zero_args = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }
        // push -1 x3 ; push eax ; call [0x0040??24] ; ff ?? ?? ; call [0x0040??20]
        // Two adjacent IAT slots (offsets 0x20/0x24). The hard-coded `40 00` bytes
        // pin the image base near 0x00400000 — brittle against a differently
        // linked build.
        $calls     = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }
    condition:
        // The generic prologue alone would be noisy; both sequences are required.
        $zero_args and $calls
}
[TLP:WHITE] win_industroyer_w7   (20170615 | Registry Wiper functionality associated with CRASHOVERRIDE)
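// Registry-wiper functionality as described by the rule author: three x86 byte
// sequences that must all be present. Opcode glosses are literal reads of the
// bytes; the registry-API attribution is the author's claim and is not
// verifiable from the bytes alone.
rule win_industroyer_w7 {
    meta:
        // Fixed typo in the original description ("assoicated").
        description = "Registry Wiper functionality associated with CRASHOVERRIDE"
        author = "Dragos Inc"
        // NOTE(review): every other rule in this set references
        // ".../blog/crashoverride/"; this one alone uses ".../blog/industroyer/".
        // Left as published — verify which URL resolves before normalising.
        reference = "https://dragos.com/blog/industroyer/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // lea eax, [ebp+...a0] ; inc esi ; push eax ; lea eax, [ebp+...a0] ;
        // push 0x????0d68 ; push eax — an incrementing counter (esi) around a
        // stack buffer, consistent with an enumeration loop.
        $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }
        // push 2 ; push 0x????0b78 ; push 2 ; push eax ; push 0x????0db4 ;
        // push [ebp+...98] ; call [0x????????04]
        $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }
        // push 0x200 ; lea eax, [ebp+...a0] ; push eax ; push esi ; push [ebp+...9c] ;
        // call [0x????????00] ; test eax, eax — a 0x200-byte buffer plus an index
        // register before the call is consistent with a keyed enumeration API;
        // confirm in disassembly.
        $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }
    condition:
        all of them
}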
[TLP:WHITE] win_industroyer_w8   (20170615 | File manipulation actions associated with CRASHOVERRIDE wiper)
// File-manipulation code attributed to the CRASHOVERRIDE wiper: two x86 byte
// sequences that must both be present. Glosses are literal opcode reads; the
// API names are inferred from argument shape and should be confirmed.
rule win_industroyer_w8 {
    meta:
        description = "File manipulation actions associated with CRASHOVERRIDE wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer"
        malpedia_version = "20170615"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // push 0 ; push 0x80 ; push 3 ; push 0 ; push 2 ; mov edi, ecx ;
        // push 0x40000000 ; push edi ; call [0x????????1c] ; mov ebx, eax
        // Seven stack arguments ending in 0x40000000 and a name pointer are
        // consistent with a CreateFile-style open for writing (GENERIC_WRITE,
        // FILE_SHARE_WRITE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL) — inferred.
        $seq_open  = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }
        // push 0 ; push eax ; push edi ; push esi ; push ebx ; call [0x????????4c] ;
        // push esi — five arguments with a NULL last, consistent with a
        // WriteFile-style call on the handle saved in ebx above — inferred.
        // (The original named this $s2 with no $s1; renamed for clarity.)
        $seq_write = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }
    condition:
        $seq_open and $seq_write
}