Commit 342fb955 by mmorenog Committed by GitHub

Update LURK0_CCTV0.yar

parent 9ca2f464
rule LURK0Header : Family LURK0 { rule LURK0Header : Family LURK0 {
meta: meta:
description = “5 char code for LURK0” description = "5 char code for LURK0"
author = “Katie Kleemola” author = "Katie Kleemola"
last_updated = “07-21-2014” last_updated = "07-21-2014"
strings: strings:
$ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 } $ = { C6 [5] 4C C6 [5] 55 C6 [5] 52 C6 [5] 4B C6 [5] 30 }
...@@ -13,9 +13,9 @@ any of them ...@@ -13,9 +13,9 @@ any of them
rule CCTV0Header : Family CCTV0 { rule CCTV0Header : Family CCTV0 {
meta: meta:
description = “5 char code for LURK0” description = "5 char code for LURK0"
author = “Katie Kleemola” author = "Katie Kleemola"
last_updated = “07-21-2014” last_updated = "07-21-2014"
strings: strings:
//if its just one char a time //if its just one char a time
...@@ -29,34 +29,34 @@ any of them ...@@ -29,34 +29,34 @@ any of them
rule SharedStrings : Family { rule SharedStrings : Family {
meta: meta:
description = “Internal names found in LURK0/CCTV0 samples” description = "Internal names found in LURK0/CCTV0 samples"
author = “Katie Kleemola” author = "Katie Kleemola"
last_updated = “07-22-2014” last_updated = "07-22-2014"
strings: strings:
// internal names // internal names
$i1 = “Butterfly.dll” $i1 = "Butterfly.dll"
$i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/ $i2 = /\\BT[0-9.]+\\ButterFlyDLL\\/
$i3 = “ETClientDLL” $i3 = "ETClientDLL"
// dbx // dbx
$d1 = “\\DbxUpdateET\\” wide $d1 = "\\DbxUpdateET\\" wide
$d2 = “\\DbxUpdateBT\\” wide $d2 = "\\DbxUpdateBT\\" wide
$d3 = “\\DbxUpdate\\” wide $d3 = "\\DbxUpdate\\" wide
// other folders // other folders
$mc1 = “\\Micet\\” $mc1 = "\\Micet\\"
// embedded file names // embedded file names
$n1 = “IconCacheEt.dat” wide $n1 = "IconCacheEt.dat" wide
$n2 = “IconConfigEt.dat” wide $n2 = "IconConfigEt.dat" wide
$m1 = “\x00\x00ERXXXXXXX\x00\x00” wide $m1 = "\x00\x00ERXXXXXXX\x00\x00" wide
$m2 = “\x00\x00111\x00\x00” wide $m2 = "\x00\x00111\x00\x00" wide
$m3 = “\x00\x00ETUN\x00\x00” wide $m3 = "\x00\x00ETUN\x00\x00" wide
$m4 = “\x00\x00ER\x00\x00” wide $m4 = "\x00\x00ER\x00\x00" wide
condition: condition:
any of them //todo: finetune this any of them //todo: finetune this
...@@ -66,9 +66,9 @@ any of them //todo: finetune this ...@@ -66,9 +66,9 @@ any of them //todo: finetune this
rule LURK0 : Family LURK0 { rule LURK0 : Family LURK0 {
meta: meta:
description = “rule for lurk0” description = "rule for lurk0"
author = “Katie Kleemola” author = "Katie Kleemola"
last_updated = “07-22-2014” last_updated = "07-22-2014"
condition: condition:
LURK0Header and SharedStrings LURK0Header and SharedStrings
...@@ -78,9 +78,9 @@ LURK0Header and SharedStrings ...@@ -78,9 +78,9 @@ LURK0Header and SharedStrings
rule CCTV0 : Family CCTV0 { rule CCTV0 : Family CCTV0 {
meta: meta:
description = “rule for cctv0” description = "rule for cctv0"
author = “Katie Kleemola” author = "Katie Kleemola"
last_updated = “07-22-2014” last_updated = "07-22-2014"
condition: condition:
CCTV0Header and SharedStrings CCTV0Header and SharedStrings
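Review bot: The CCTV0Header rule's metadata still says `description = "5 char code for LURK0"`, which looks like a copy-paste carry-over from LURK0Header that the quote fix leaves in place; it should read `description = "5 char code for CCTV0"`. Separately, LURK0Header, CCTV0Header and SharedStrings appear to exist only as building blocks for the composite LURK0 and CCTV0 rules, and SharedStrings on its own is `any of them` over short wide strings such as `"\x00\x00ER\x00\x00"` (the `//todo: finetune this` comment already acknowledges this), so declaring the three as `private rule ...` would keep them from being reported as standalone hits while the composite rules keep referencing them. I am inferring the helper-only intent from the two `and` conditions in the last hunks; if SharedStrings is meant to fire by itself, leave it public.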