Update APT_APT9002.yar

Fixed rule style

Update APT_APT9002.yar
Fixed rule style
29d900f4 · Marc Rivero López · GitHub · 6364ad80 · 29d900f4
Commit 29d900f4 authored Jan 21, 2017 by Marc Rivero López Committed by GitHub Jan 21, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 7 deletions

APT_APT9002.yar malware/APT_APT9002.yar +11 -7

No files found.
--- a/malware/APT_APT9002.yar
+++ b/malware/APT_APT9002.yar
@@ -5,8 +5,9 @@
 import "pe"
-rule APT9002Code : APT9002 Family 
+rule APT9002Code 
 {
    meta:
        description = "9002 code features"
        author = "Seth Hardy"
@@ -17,13 +18,14 @@ rule APT9002Code : APT9002 Family
        $ = { B9 7A 21 00 00 BE ?? ?? ?? ?? 8B F8 ?? ?? ?? F3 A5 }
        // decryption from other variant with multiple start threads
        $ = { 8A 14 3E 8A 1C 01 32 DA 88 1C 01 8B 54 3E 04 40 3B C2 72 EC }
    condition:
        any of them
 }
-rule APT9002Strings : APT9002 Family
+rule APT9002Strings
 {
    meta:
        description = "9002 Identifying Strings"
        author = "Seth Hardy"
@@ -37,13 +39,14 @@ rule APT9002Strings : APT9002 Family
        // also triggers on surtr $ = "mydll.dll\x00DoWork"
        $ = "sysinfo\x00sysbin01"
        $ = "\\FlashUpdate.exe"
    condition:
       any of them
 }
-rule APT9002 : Family
+rule APT9002 
 {
    meta:
        description = "9002"
        author = "Seth Hardy"
@@ -53,14 +56,15 @@ rule APT9002 : Family
        APT9002Code or APT9002Strings
 }
-rule FE_APT_9002 : RAT
+rule FE_APT_9002
 {
    meta:
        Author      = "FireEye Labs"
        Date        = "2013/11/10"
        Description = "Strings inside"
        Reference   = "Useful link"
    strings:
        $mz = { 4d 5a }
        $a = "rat_UnInstall" wide ascii