Skip to content

R
rules
Commit 6364ad80 by Marc Rivero López Committed by GitHub
Options

Update APT_APT3102.yar 

Rules indented correctly
parent 13af57f8
Showing with 8 additions and 6 deletions
malware/APT_APT3102.yar
...@@ -5,32 +5,34 @@ ...@@ -5,32 +5,34 @@
import "pe" import "pe"
rule APT3102Code : APT3102 Family rule APT3102Code
{ {
meta: meta:
description = "3102 code features" description = "3102 code features"
author = "Seth Hardy" author = "Seth Hardy"
last_modified = "2014-06-25" last_modified = "2014-06-25"
strings: strings:
$setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 } $setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
condition: condition:
any of them any of them
} }
rule APT3102Strings : APT3102 Family rule APT3102Strings
{ {
meta: meta:
description = "3102 Identifying Strings" description = "3102 Identifying Strings"
author = "Seth Hardy" author = "Seth Hardy"
last_modified = "2014-06-25" last_modified = "2014-06-25"
strings: strings:
$ = "rundll32_exec.dll\x00Update" $ = "rundll32_exec.dll\x00Update"
// this is in the encrypted code - shares with 9002 variant // this is in the encrypted code - shares with 9002 variant
//$ = "POST http://%ls:%d/%x HTTP/1.1" //$ = "POST http://%ls:%d/%x HTTP/1.1"
condition: condition:
any of them any of them
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment