Commit 00795bcc by Marc Rivero López Committed by GitHub

Update APT_Carbanak.yar

Fixed rule style
parent 889dbf03
...@@ -11,30 +11,36 @@ ...@@ -11,30 +11,36 @@
/* Rule Set ----------------------------------------------------------------- */ /* Rule Set ----------------------------------------------------------------- */
rule Carbanak_0915_1 : APT { rule Carbanak_0915_1
{
meta: meta:
description = "Carbanak Malware" description = "Carbanak Malware"
author = "Florian Roth" author = "Florian Roth"
reference = "https://www.csis.dk/en/csis/blog/4710/" reference = "https://www.csis.dk/en/csis/blog/4710/"
date = "2015-09-03" date = "2015-09-03"
score = 70 score = 70
strings: strings:
$s1 = "evict1.pdb" fullword ascii $s1 = "evict1.pdb" fullword ascii
$s2 = "http://testing.corp 0" fullword ascii $s2 = "http://testing.corp 0" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 100KB and 1 of them uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
} }
rule Carbanak_0915_2 : APT { rule Carbanak_0915_2
{
meta: meta:
description = "Carbanak Malware" description = "Carbanak Malware"
author = "Florian Roth" author = "Florian Roth"
reference = "https://www.csis.dk/en/csis/blog/4710/" reference = "https://www.csis.dk/en/csis/blog/4710/"
date = "2015-09-03" date = "2015-09-03"
score = 70 score = 70
strings: strings:
$x1 = "8Rkzy.exe" fullword wide $x1 = "8Rkzy.exe" fullword wide
$s1 = "Export Template" fullword wide $s1 = "Export Template" fullword wide
$s2 = "Session folder with name '%s' already exists." fullword ascii $s2 = "Session folder with name '%s' already exists." fullword ascii
$s3 = "Show Unconnected Endpoints (Ctrl+U)" fullword ascii $s3 = "Show Unconnected Endpoints (Ctrl+U)" fullword ascii
...@@ -46,17 +52,22 @@ rule Carbanak_0915_2 : APT { ...@@ -46,17 +52,22 @@ rule Carbanak_0915_2 : APT {
uint16(0) == 0x5a4d and filesize < 500KB and ( $x1 or all of ($s*) ) uint16(0) == 0x5a4d and filesize < 500KB and ( $x1 or all of ($s*) )
} }
rule Carbanak_0915_3 : APT { rule Carbanak_0915_3
{
meta: meta:
description = "Carbanak Malware" description = "Carbanak Malware"
author = "Florian Roth" author = "Florian Roth"
reference = "https://www.csis.dk/en/csis/blog/4710/" reference = "https://www.csis.dk/en/csis/blog/4710/"
date = "2015-09-03" date = "2015-09-03"
score = 70 score = 70
strings: strings:
$s1 = "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww" fullword ascii $s1 = "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww" fullword ascii
$s2 = "SHInvokePrinterCommandA" fullword ascii $s2 = "SHInvokePrinterCommandA" fullword ascii
$s3 = "Ycwxnkaj" fullword ascii $s3 = "Ycwxnkaj" fullword ascii
condition: condition:
uint16(0) == 0x5a4d and filesize < 700KB and all of them uint16(0) == 0x5a4d and filesize < 700KB and all of them
} }
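Review bot: The rewritten rule headers (`rule Carbanak_0915_1`, `rule Carbanak_0915_2`, `rule Carbanak_0915_3`) drop the `: APT` tag that the old headers carried, which goes further than the brace-placement change the commit message describes as a style fix. Tags are part of a rule's interface: anyone selecting rules with `yara -t APT`, or routing matches on tags in downstream tooling, will silently stop seeing these rules. If the tag was not meant to go, keep it on the new header form, e.g. `rule Carbanak_0915_1 : APT` followed by `{` on its own line, and do the same for the other two headers; if the removal is intentional, the commit message should say so. The first hunk ends inside `Carbanak_0915_2` and the second resumes in its condition, so the same check applies to any rule headers that lie between the two hunks.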