100 Days of Yara - Day 15 2025
#100DaysOfYara Day 15
So today, I went hunting on my own through open dirs to find some spicy binaries.
Here's a resource to learn about open dir hunting using Censys: https://censys.com/a-beginners-guide-to-hunting-open-directories/
From the one I looted, I grabbed a file called excel-https.exe. Part of the reason that interested me is that the file naming convention is typical of C2 implants, e.g. Cobalt Strike.
The binary was a PE32, had a lot of socket calls and functionality, and it had metadata that indicated it was an Apache tool used for load testing, ApacheBench: https://censys.com/a-beginners-guide-to-hunting-open-directories/
So I almost gave up, but there were calls for retrieving process IDs, getting handles on processes, etc., and Apache Bench only tests web apps for load.
And there was a hardcoded IP, which I visited, and it is the open dir I found in the first place.
So here's my rule:
https://github.com/augustvansickle/2025_100DaysofYara/blob/76aaaa87796ef90fc5b3b8dba665c6b539a9d68e/Day15_OpenDir_HTTP_Beacon_PE.yar
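As an added illustration of the detection reasoning laid out above (a PE32 that claims to be ApacheBench in its version info yet imports socket and process-handle APIs and carries a hardcoded IPv4 literal), here is an example YARA rule written for this post. It is not the author's Day 15 rule from the linked repository. The rule name, the metadata values, and the choice of specific imports are assumptions; the page does not state which socket or process APIs were present, and the observed IP is not on the page, so the rule matches any dotted-quad string rather than a specific address.

```yara
import "pe"

rule OpenDir_PE32_ApacheBench_Masquerade_Beacon
{
    meta:
        description = "Example rule (not the post's own): PE32 with ApacheBench version info but networking plus process-handle imports and a hardcoded IPv4 literal"
        author     = "added example"
        reference  = "Day 15 #100DaysOfYara write-up"
    strings:
        // Version-info / metadata claim seen in the sample; case-insensitive, ascii and UTF-16
        $meta_ab = "ApacheBench" ascii wide nocase

        // Generic dotted-quad literal. This is deliberately broad; once an analyst knows the
        // operator address, replacing this regex with that literal cuts the false-positive rate.
        $ipv4 = /\b(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])){3}\b/ ascii wide
    condition:
        // PE32 check: MZ header and a 32-bit optional header
        uint16(0) == 0x5A4D
        and pe.is_32bit()

        // Networking: a load tester legitimately needs sockets, so this alone is not suspicious
        and pe.imports("ws2_32.dll", "connect")
        and pe.imports("ws2_32.dll", "send")

        // Process-handle APIs: these are the part that does not fit a load-testing tool
        // (exact function names are assumptions; substitute what the sample actually imports)
        and pe.imports("kernel32.dll", "OpenProcess")
        and pe.imports("kernel32.dll", "GetCurrentProcessId")

        // The masquerade plus the hardcoded address
        and $meta_ab
        and $ipv4
}
```

The rule keys on the mismatch the post describes rather than on any single indicator: ApacheBench really does use Winsock, so the socket imports are only meaningful in combination with the process-handle imports and the embedded address. When testing it, run it against a genuine ab.exe as a negative control to confirm the process-handle clauses are what separates the two.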