Update APT_OpDustStorm.yar

454726b2 · Marc Rivero López · GitHub · 3a930631 · 454726b2
Commit 454726b2 authored Jan 23, 2017 by Marc Rivero López Committed by GitHub Jan 23, 2017
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

APT_OpDustStorm.yar malware/APT_OpDustStorm.yar +6 -0

No files found.
--- a/malware/APT_OpDustStorm.yar
+++ b/malware/APT_OpDustStorm.yar
@@ -5,6 +5,7 @@

 rule Misdat_Backdoor_Packed
 {
+    
    meta:
        author = "Cylance SPEAR Team"
        note = "Probably Prone to False Positive"
@@ -21,6 +22,7 @@ rule Misdat_Backdoor_Packed

 rule MiSType_Backdoor_Packed
 {
+    
    meta:
        author = "Cylance SPEAR Team"
        note = "Probably Prone to False Positive"
@@ -36,6 +38,7 @@ rule MiSType_Backdoor_Packed

 rule Misdat_Backdoor
 {
+   
   meta:
        author = "Cylance SPEAR Team"
        /* Decode Function
@@ -55,6 +58,7 @@ rule Misdat_Backdoor
        CODE:00406C9E 4E                        dec     esi
        CODE:00406C9F 75 C9                     jnz     short loc_406C6A
        */
+    
    strings:
        $imul = {03 45 F8 69 C0 D9 DB 00 00 05 3B DA 00 00}
        $delphi = {50 45 00 00 4C 01 08 00 19 5E 42 2A}
@@ -65,6 +69,7 @@ rule Misdat_Backdoor

 rule SType_Backdoor
 {
+   
    meta:
        author = "Cylance SPEAR Team"
        
@@ -99,6 +104,7 @@ rule SType_Backdoor

 rule Zlib_Backdoor
 {
+   
    meta:
        author = "Cylance SPEAR Team"