Commit 1b7efe4d by Bondey

solve Privete Global rules

parent dadbcfa7
...@@ -6,13 +6,6 @@ ...@@ -6,13 +6,6 @@
* AUTHOR: DHS/NCCIC/ICS-CERT * AUTHOR: DHS/NCCIC/ICS-CERT
*/ */
/* Globally only look at small files. */
private global rule hatman_filesize : hatman {
condition:
filesize < 100KB
}
/* Private rules that are used at the end in the public rules. */ /* Private rules that are used at the end in the public rules. */
private rule hatman_setstatus : hatman { private rule hatman_setstatus : hatman {
...@@ -90,25 +83,25 @@ private rule hatman_payload_int : hatman { ...@@ -90,25 +83,25 @@ private rule hatman_payload_int : hatman {
rule hatman_compiled_python : hatman { rule hatman_compiled_python : hatman {
condition: condition:
hatman_nullsub and hatman_setstatus and hatman_dividers filesize < 100KB and hatman_nullsub and hatman_setstatus and hatman_dividers
} }
rule hatman_injector : hatman { rule hatman_injector : hatman {
condition: condition:
hatman_injector_int and not hatman_payload_int filesize < 100KB and hatman_injector_int and not hatman_payload_int
} }
rule hatman_payload : hatman { rule hatman_payload : hatman {
condition: condition:
hatman_payload_int and not hatman_injector_int filesize < 100KB and hatman_payload_int and not hatman_injector_int
} }
rule hatman_combined : hatman { rule hatman_combined : hatman {
condition: condition:
hatman_injector_int and hatman_payload_int and hatman_dividers filesize < 100KB and hatman_injector_int and hatman_payload_int and hatman_dividers
} }
rule hatman : hatman { rule hatman : hatman {
meta: meta:
author = "DHS/NCCIC/ICS-CERT" author = "DHS/NCCIC/ICS-CERT"
description = "Matches the known samples of the HatMan malware." description = "Matches the known samples of the HatMan malware."
condition: condition:
hatman_compiled_python or hatman_injector or hatman_payload filesize < 100KB and hatman_compiled_python or hatman_injector or hatman_payload
or hatman_combined or hatman_combined
} }
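Review bot: The `filesize < 100KB and` prefix added to the hatman rule's condition on the last changed line does not gate the whole disjunction: YARA binds `and` tighter than `or`, so `filesize < 100KB and hatman_compiled_python or hatman_injector or hatman_payload or hatman_combined` applies the size check to hatman_compiled_python only. The result happens to stay correct because every rule named there now carries its own `filesize < 100KB and` prefix in this same hunk, which makes the outer check redundant rather than wrong, but the next edit to this line will not be protected that way. Either drop the prefix in hatman or make the intent explicit with `filesize < 100KB and (hatman_compiled_python or hatman_injector or hatman_payload or hatman_combined)`. With the global rule removed in the first hunk, private rules such as hatman_setstatus and hatman_nullsub are no longer size-gated on their own; that is harmless as long as every public rule that references them keeps its guard, which the visible ones do.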
import "hash" import "hash"
global private rule javaarchive
{
strings:
$magic = { 50 4b 03 04 ( 14 | 0a ) 00 }
$string_1 = "META-INF/"
$string_2 = ".class" nocase
condition:
filesize < 400KB and
$magic at 0 and 1 of ($string_*)
}
rule CrossRAT: RAT rule CrossRAT: RAT
{ {
meta: meta:
...@@ -20,8 +8,13 @@ rule CrossRAT: RAT ...@@ -20,8 +8,13 @@ rule CrossRAT: RAT
date = "26/01/2018" date = "26/01/2018"
ref = "https://simonsigre.com" ref = "https://simonsigre.com"
ref= "https://objective-see.com/blog/blog_0x28.html" ref= "https://objective-see.com/blog/blog_0x28.html"
strings:
$magic = { 50 4b 03 04 ( 14 | 0a ) 00 }
$string_1 = "META-INF/"
$string_2 = ".class" nocase
condition: condition:
filesize < 400KB and filesize < 400KB and
$magic at 0 and 1 of ($string_*) and
hash.md5(0, filesize) == "85b794e080d83a91e904b97769e1e770" hash.md5(0, filesize) == "85b794e080d83a91e904b97769e1e770"
} }
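Review bot: The CrossRAT condition now carries the size, magic and string checks that used to live in the removed global rule, and nothing records why they are placed before the `hash.md5(0, filesize)` comparison. YARA short-circuits `and`, so the cheap checks keep the full-file MD5 from being computed on anything that is not a small ZIP/JAR candidate; reordering them would silently make the rule far more expensive on large scan sets. A comment above `condition:` such as `// cheap ZIP/JAR pre-checks first; hash.md5 over the whole file only runs for candidates that pass them` would pin that ordering. Because the rule is ultimately a single-hash match, other samples of the same family will not trigger it; if that is intended, it is worth stating in the rule's meta block, which starts outside the hunk.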