Update APT_APT3102.yar

Rules indented correctly

Update APT_APT3102.yar
Rules indented correctly
6364ad80 · Marc Rivero López · GitHub · 13af57f8 · 6364ad80
Commit 6364ad80 authored Jan 21, 2017 by Marc Rivero López Committed by GitHub Jan 21, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 6 deletions

APT_APT3102.yar malware/APT_APT3102.yar +8 -6

No files found.
--- a/malware/APT_APT3102.yar
+++ b/malware/APT_APT3102.yar
@@ -5,32 +5,34 @@

 import "pe"

-rule APT3102Code : APT3102 Family 
+rule APT3102Code
 {
+
    meta:
        description = "3102 code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
-        
+
    strings:
        $setupthread = { B9 02 07 00 00 BE ?? ?? ?? ?? 8B F8 6A 00 F3 A5 }
-  
+
    condition:
        any of them
 }

-rule APT3102Strings : APT3102 Family
+rule APT3102Strings
 {
+    
    meta:
        description = "3102 Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
-        
+
    strings:
        $ = "rundll32_exec.dll\x00Update"
        // this is in the encrypted code - shares with 9002 variant
        //$ = "POST http://%ls:%d/%x HTTP/1.1"
-        
+
    condition:
       any of them
 }