Update MALW_AdGholas.yar

3dcef576 · Marc Rivero López · GitHub · a5eaf2cc · 3dcef576
Commit 3dcef576 authored Jan 24, 2017 by Marc Rivero López Committed by GitHub Jan 24, 2017
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 6 deletions

MALW_AdGholas.yar malware/MALW_AdGholas.yar +9 -6

No files found.
--- a/malware/MALW_AdGholas.yar
+++ b/malware/MALW_AdGholas.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
-
 */

-rule AdGholas_mem : memory
+rule AdGholas_mem
 {
+
    meta:
        malfamily = "AdGholas"
        ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
@@ -22,13 +22,13 @@ rule AdGholas_mem : memory
        all of ($a*)
 }

-rule AdGholas_mem_MIME : memory
+rule AdGholas_mem_MIME 
 {
+
    meta:
        malfamily = "AdGholas"
        ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"

-
    strings:
        $b1=".300000000" ascii nocase wide fullword
        $b2=".saz" ascii nocase wide fullword
@@ -43,6 +43,7 @@ rule AdGholas_mem_MIME : memory
 //expensive
 rule AdGholas_mem_antisec : memory
 {
+ 
    meta:
        malfamily = "AdGholas"
        ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
@@ -83,8 +84,9 @@ rule AdGholas_mem_antisec : memory
        any of ($vid*) and #antisec > 20
 }

-rule AdGholas_mem_antisec_M2 : memory
+rule AdGholas_mem_antisec_M2
 {
+ 
    meta:
        malfamily = "AdGholas"
        ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
@@ -100,8 +102,9 @@ rule AdGholas_mem_antisec_M2 : memory
        all of ($s*)
 }

-rule AdGholas_mem_MIME_M2 : memory
+rule AdGholas_mem_MIME_M2
 {
+
    meta:
        malfamily = "AdGholas"
        ref = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"