Skip to content

R
rules
Commit 24029a3a by Marc Rivero López Committed by GitHub
Options

Update MALW_Chicken.yar

parent 9046badb
Showing with 10 additions and 2 deletions
malware/MALW_Chicken.yar
...@@ -3,11 +3,14 @@ ...@@ -3,11 +3,14 @@
long as you use it under this license. long as you use it under this license.
*/ */
rule ChickenDOS{ rule ChickenDOS
{
meta: meta:
author = "Jason Jones <jasonjones@arbor.net>" author = "Jason Jones <jasonjones@arbor.net>"
description = "Win32-variant of Chicken ident for both dropper and dropped file" description = "Win32-variant of Chicken ident for both dropper and dropped file"
source = "https://github.com/arbor/yara/blob/master/chicken.yara" source = "https://github.com/arbor/yara/blob/master/chicken.yara"
strings: strings:
$pdb1 = "\\Chicken\\Release\\svchost.pdb" $pdb1 = "\\Chicken\\Release\\svchost.pdb"
$pdb2 = "\\IntergrateCHK\\Release\\IntergrateCHK.pdb" $pdb2 = "\\IntergrateCHK\\Release\\IntergrateCHK.pdb"
...@@ -20,15 +23,19 @@ rule ChickenDOS{ ...@@ -20,15 +23,19 @@ rule ChickenDOS{
$str7 = "68961" $str7 = "68961"
$str8 = "InstallService DbProtectSupport %d" $str8 = "InstallService DbProtectSupport %d"
$str9 = "C:\\Program Files\\DbProtectSupport\\npf.sys" $str9 = "C:\\Program Files\\DbProtectSupport\\npf.sys"
condition: condition:
($pdb1 or $pdb2) and 5 of ($str*) ($pdb1 or $pdb2) and 5 of ($str*)
} }
rule ChickenDOS_Linux : DoS Linux { rule ChickenDOS_Linux
{
meta: meta:
author = "Jason Jones <jasonjones@arbor.net>" author = "Jason Jones <jasonjones@arbor.net>"
description = "Linux-variant of Chicken ident for both dropper and dropped file" description = "Linux-variant of Chicken ident for both dropper and dropped file"
source = "https://github.com/arbor/yara/blob/master/chicken.yara" source = "https://github.com/arbor/yara/blob/master/chicken.yara"
strings: strings:
$cfg = "fake.cfg" $cfg = "fake.cfg"
$file1 = "ThreadAttack.cpp" $file1 = "ThreadAttack.cpp"
...@@ -37,6 +44,7 @@ rule ChickenDOS_Linux : DoS Linux { ...@@ -37,6 +44,7 @@ rule ChickenDOS_Linux : DoS Linux {
$str2 = "DomainRandEx" $str2 = "DomainRandEx"
$str3 = "cpu %llu %llu %llu %llu" $str3 = "cpu %llu %llu %llu %llu"
$str4 = "[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s" ascii $str4 = "[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %s" ascii
condition: condition:
$cfg and all of ($file*) and 3 of ($str*) $cfg and all of ($file*) and 3 of ($str*)
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment