solve Privete Global rules

1b7efe4d · Bondey · dadbcfa7 · 1b7efe4d · 1b7efe4d
Commit 1b7efe4d authored Aug 27, 2018 by Bondey
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 24 deletions

MALW_TRITON_HATMAN.yar malware/MALW_TRITON_HATMAN.yar +5 -12

RAT_CrossRAT.yar malware/RAT_CrossRAT.yar +5 -12

No files found.
--- a/malware/MALW_TRITON_HATMAN.yar
+++ b/malware/MALW_TRITON_HATMAN.yar
@@ -6,13 +6,6 @@
 * AUTHOR:      DHS/NCCIC/ICS-CERT
 */

-/* Globally only look at small files. */
-
-private global rule hatman_filesize : hatman {
-    condition:
-        filesize < 100KB
-}
-
 /* Private rules that are used at the end in the public rules. */

 private rule hatman_setstatus : hatman {
@@ -90,25 +83,25 @@ private rule hatman_payload_int : hatman {

 rule hatman_compiled_python : hatman {
    condition:
-        hatman_nullsub and hatman_setstatus and hatman_dividers
+        filesize < 100KB and hatman_nullsub and hatman_setstatus and hatman_dividers
 }
 rule hatman_injector : hatman {
    condition:
-        hatman_injector_int and not hatman_payload_int
+        filesize < 100KB and hatman_injector_int and not hatman_payload_int
 }
 rule hatman_payload : hatman {
    condition:
-        hatman_payload_int and not hatman_injector_int
+        filesize < 100KB and hatman_payload_int and not hatman_injector_int
 }
 rule hatman_combined : hatman {
    condition:
-        hatman_injector_int and hatman_payload_int and hatman_dividers
+        filesize < 100KB and hatman_injector_int and hatman_payload_int and hatman_dividers
 }
 rule hatman : hatman {
    meta:
        author = "DHS/NCCIC/ICS-CERT"
        description = "Matches the known samples of the HatMan malware."
    condition:
-        hatman_compiled_python or hatman_injector or hatman_payload
+        filesize < 100KB and hatman_compiled_python or hatman_injector or hatman_payload
            or hatman_combined
 }
--- a/malware/RAT_CrossRAT.yar
+++ b/malware/RAT_CrossRAT.yar
 import "hash" 

-global private rule javaarchive
-{
-    strings:
-        $magic = { 50 4b 03 04 ( 14 | 0a ) 00 }
-        $string_1 = "META-INF/"
-        $string_2 = ".class" nocase
-
-	condition:
-	    filesize < 400KB and
-        $magic at 0 and 1 of ($string_*)
-}
-
 rule CrossRAT: RAT
 {
    meta:
@@ -20,8 +8,13 @@ rule CrossRAT: RAT
        date = "26/01/2018"
        ref = "https://simonsigre.com"
        ref= "https://objective-see.com/blog/blog_0x28.html"
+    strings:
+        $magic = { 50 4b 03 04 ( 14 | 0a ) 00 }
+        $string_1 = "META-INF/"
+        $string_2 = ".class" nocase

    condition:
        filesize < 400KB and
+        $magic at 0 and 1 of ($string_*) and
        hash.md5(0, filesize) == "85b794e080d83a91e904b97769e1e770"
 }