Merge pull request #383 from RandomRhythm/master

Move MicrosoftVisualCV80 rule from packer.yar

Merge pull request #383 from RandomRhythm/master
Move MicrosoftVisualCV80 rule from packer.yar
15d44334 · Jaume Martin · GitHub · 2995d667 · a64cb680 · 15d44334
Unverified Commit 15d44334 authored Jul 01, 2020 by Jaume Martin Committed by GitHub Jul 01, 2020
8 changed files
--- a/maldocs/Maldoc_APT19_CVE-2017-1099.yar
+++ b/maldocs/Maldoc_APT19_CVE-2017-1099.yar
--- a/maldocs/Maldoc_hancitor_dropper.yar
+++ b/maldocs/Maldoc_hancitor_dropper.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
 rule hancitor_dropper : vb_win32api
 {
  meta:

--- a/maldocs_index.yar
+++ b/maldocs_index.yar
@@ -11,6 +11,7 @@ include "./maldocs/Maldoc_CVE_2017_8759.yar"
 include "./maldocs/Maldoc_Contains_VBE_File.yar"
 include "./maldocs/Maldoc_DDE.yar"
 include "./maldocs/Maldoc_Dridex.yar"
+include "./maldocs/Maldoc_hancitor_dropper.yar"
 include "./maldocs/Maldoc_Hidden_PE_file.yar"
 include "./maldocs/Maldoc_MIME_ActiveMime_b64.yar"
 include "./maldocs/Maldoc_PDF.yar"

--- a/malware/MALW_PolishBankRat
+++ b/malware/MALW_PolishBankRat
--- a/malware/MALW_Retefe.yar
+++ b/malware/MALW_Retefe.yar
@@ -4,7 +4,7 @@
 */
-  rule Retefe
+rule Retefe
 {
 meta:
 	author = "bartblaze"

--- a/malware_index.yar
+++ b/malware_index.yar
@@ -70,7 +70,7 @@ include "./malware/APT_RedLeaves.yar"
 include "./malware/APT_Regin.yar"
 include "./malware/APT_RemSec.yar"
 include "./malware/APT_Sauron.yar"
-include "./malware/APT_Sauron_extras.yar"
+include "./malware/APT_Sauron_extras.yar
 include "./malware/APT_Scarab_Scieron.yar"
 include "./malware/APT_Seaduke.yar"
 include "./malware/APT_Shamoon_StoneDrill.yar"
@@ -165,6 +165,7 @@ include "./malware/MALW_Jolob_Backdoor.yar"
 include "./malware/MALW_KINS.yar"
 include "./malware/MALW_Kelihos.yar"
 include "./malware/MALW_KeyBase.yar"
+include "./malware/MALW_kirbi_mimikatz.yar"
 include "./malware/MALW_Korlia.yar"
 include "./malware/MALW_Korplug.yar"
 include "./malware/MALW_Kovter.yar"
@@ -206,6 +207,7 @@ include "./malware/MALW_Odinaff.yar"
 include "./malware/MALW_Olyx.yar"
 include "./malware/MALW_PE_sections.yar"
 include "./malware/MALW_PittyTiger.yar"
+include "./malware/MALW_PolishBankRat.yar"
 include "./malware/MALW_Ponmocup.yar"
 include "./malware/MALW_Pony.yar"
 include "./malware/MALW_Predator.yar"
@@ -319,6 +321,7 @@ include "./malware/POS_MalumPOS.yar"
 include "./malware/POS_Mozart.yar"
 include "./malware/RANSOM_.CRYPTXXX.yar"
 include "./malware/RANSOM_777.yar"
+include "./malware/RANSOM_acroware.yar"
 include "./malware/RANSOM_Alpha.yar"
 include "./malware/RANSOM_BadRabbit.yar"
 include "./malware/RANSOM_Cerber.yar"
@@ -331,6 +334,8 @@ include "./malware/RANSOM_DoublePulsar_Petya.yar"
 include "./malware/RANSOM_Erebus.yar"
 include "./malware/RANSOM_GPGQwerty.yar"
 include "./malware/RANSOM_GoldenEye.yar"
+include "./malware/RANSOM_jeff_dev.yar"
+include "./malware/RANSOM_locdoor.yar"
 include "./malware/RANSOM_Locky.yar"
 include "./malware/RANSOM_MS17-010_Wannacrypt.yar"
 include "./malware/RANSOM_Maze.yar"
@@ -340,10 +345,13 @@ include "./malware/RANSOM_Petya_MS17_010.yar"
 include "./malware/RANSOM_Pico.yar"
 include "./malware/RANSOM_SamSam.yar"
 include "./malware/RANSOM_Satana.yar"
+include "./malware/RANSOM_screenlocker_5h311_1nj3c706.yar"
 include "./malware/RANSOM_Shiva.yar"
+include "./malware/RANSOM_shrug2.yar"
 include "./malware/RANSOM_Sigma.yar"
 include "./malware/RANSOM_Snake.yar"
 include "./malware/RANSOM_Stampado.yar"
+include "./malware/RANSOM_termite.yar"
 include "./malware/RANSOM_TeslaCrypt.yar"
 include "./malware/RANSOM_Tox.yar"
 include "./malware/RANSOM_acroware.yar"

--- a/packers/packer.yar
+++ b/packers/packer.yar
@@ -14842,18 +14842,6 @@ condition:
 }
-rule MicrosoftVisualCV80
-{
-      meta:
-		author="malware-lu"
-strings:
-		$a0 = { 6A 14 68 [4] E8 [4] BB 94 00 00 00 53 6A 00 8B [5] FF D7 50 FF [5] 8B F0 85 F6 75 0A 6A 12 E8 [4] 59 EB 18 89 1E 56 FF [5] 56 85 C0 75 14 50 FF D7 50 FF [5] B8 }
-condition:
-		$a0 at pe.entry_point
-}
 rule MZ_Crypt10byBrainSt0rm
 {
      meta:

--- a/packers/packer_compiler_signatures.yar
+++ b/packers/packer_compiler_signatures.yar
@@ -463,18 +463,16 @@ rule SkDUndetectabler : SkDrat {
 		)
 }
-/* usefull ? 18:53 2016-08-12
 rule MicrosoftVisualCV80
 {
      meta:
 		author="malware-lu"
 strings:
-		$a0 = { 6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB 94 00 00 00 53 6A 00 8B ?? ?? ?? ?? ?? FF D7 50 FF ?? ?? ?? ?? ?? 8B F0 85 F6 75 0A 6A 12 E8 ?? ?? ?? ?? 59 EB 18 89 1E 56 FF ?? ?? ?? ?? ?? 56 85 C0 75 14 50 FF D7 50 FF ?? ?? ?? ?? ?? B8 }
+		$a0 = { 6A 14 68 [4] E8 [4] BB 94 00 00 00 53 6A 00 8B [5] FF D7 50 FF [5] 8B F0 85 F6 75 0A 6A 12 E8 [4] 59 EB 18 89 1E 56 FF [5] 56 85 C0 75 14 50 FF D7 50 FF [5] B8 }
 condition:
 		$a0 at pe.entry_point
 }
-*/
 rule Cygwin : Red Hat
 {