Update MALW_Chicken.yar

24029a3a · Marc Rivero López · GitHub · 9046badb · 24029a3a
Commit 24029a3a authored Jan 24, 2017 by Marc Rivero López Committed by GitHub Jan 24, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 2 deletions

MALW_Chicken.yar malware/MALW_Chicken.yar +10 -2

No files found.
--- a/malware/MALW_Chicken.yar
+++ b/malware/MALW_Chicken.yar
@@ -3,11 +3,14 @@
    long as you use it under this license.
 */

-rule ChickenDOS{
+rule ChickenDOS
+{
+
    meta:
        author = "Jason Jones <jasonjones@arbor.net>"
        description = "Win32-variant of Chicken ident for both dropper and dropped file"
        source = "https://github.com/arbor/yara/blob/master/chicken.yara"
+
    strings:
        $pdb1 = "\\Chicken\\Release\\svchost.pdb"
        $pdb2 = "\\IntergrateCHK\\Release\\IntergrateCHK.pdb"
@@ -20,15 +23,19 @@ rule ChickenDOS{
        $str7 = "68961"
        $str8 = "InstallService DbProtectSupport %d"
        $str9 = "C:\\Program Files\\DbProtectSupport\\npf.sys"
+   
    condition:
        ($pdb1 or $pdb2) and 5 of ($str*)
 }

-rule ChickenDOS_Linux : DoS Linux {
+rule ChickenDOS_Linux 
+{
+ 
    meta:
        author = "Jason Jones <jasonjones@arbor.net>"
        description = "Linux-variant of Chicken ident for both dropper and dropped file"
        source = "https://github.com/arbor/yara/blob/master/chicken.yara"
+    
    strings:
        $cfg = "fake.cfg"
        $file1 = "ThreadAttack.cpp"
@@ -37,6 +44,7 @@ rule ChickenDOS_Linux : DoS Linux {
        $str2 = "DomainRandEx"
        $str3 = "cpu %llu %llu %llu %llu"
        $str4 = "[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s" ascii
+    
    condition:
        $cfg and all of ($file*) and 3 of ($str*)
 }