Update APT_Snowglobe_Babar.yar

2752849c · Marc Rivero López · GitHub · b64d3767 · 2752849c
Commit 2752849c authored 8 years ago by Marc Rivero López Committed by GitHub 8 years ago
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 8 deletions

APT_Snowglobe_Babar.yar malware/APT_Snowglobe_Babar.yar +6 -8

No files found.
--- a/malware/APT_Snowglobe_Babar.yar
+++ b/malware/APT_Snowglobe_Babar.yar
@@ -5,7 +5,9 @@
 import "pe"
-rule SNOWGLOBE_Babar_Malware {
+rule SNOWGLOBE_Babar_Malware 
+{
    meta:
        description = "Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe"
        author = "Florian Roth"
@@ -13,6 +15,7 @@ rule SNOWGLOBE_Babar_Malware {
        date = "2015/02/18"
        hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
        score = 80
    strings:
        $mz = { 4d 5a }
        $z0 = "admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper" ascii fullword
@@ -20,21 +23,16 @@ rule SNOWGLOBE_Babar_Malware {
        $z2 = "ExecQueryFailled!" fullword ascii
        $z3 = "NBOT_COMMAND_LINE" fullword
        $z4 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]" fullword
        $s1 = "/s /n %s \"%s\"" fullword ascii
        $s2 = "%%WINDIR%%\\%s\\%s" fullword ascii
        $s3 = "/c start /wait " fullword ascii
        $s4 = "(D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)" ascii
        $x1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii
        $x2 = "%COMMON_APPDATA%" fullword ascii
        $x4 = "CONOUT$" fullword ascii
        $x5 = "cmd.exe" fullword ascii
        $x6 = "DLLPATH" fullword ascii
    condition:
-		( $mz at 0 ) and filesize < 1MB and
+        ( $mz at 0 ) and filesize < 1MB and (( 1 of ($z*) and 1 of ($x*) ) or ( 3 of ($s*) and 4 of ($x*) ) )
-		(
-			( 1 of ($z*) and 1 of ($x*) ) or
-			( 3 of ($s*) and 4 of ($x*) )
-		)
 }