fact-depend / rules / Commits / 65201289
Commit 65201289, authored 8 years ago by Marc Rivero López, committed by GitHub 8 years ago
Update APT_Prikormka.yar
parent 50535512
Showing 1 changed file with 7 additions and 4 deletions
malware/APT_Prikormka.yar (+7 -4)
@@ -32,26 +32,26 @@
rule PrikormkaDropper
{
strings:
$mz = { 4D 5A }
$kd1 = "KDSTORAGE" wide
$kd2 = "KDSTORAGE_64" wide
$kd3 = "KDRUNDRV32" wide
$kd4 = "KDRAR" wide
$bin1 = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
$bin2 = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
$bin3 = {4D 00 4D 00 43 00 00 00 67 00 75 00 69 00 64 00 56 00 47 00 41 00 00 00 5F 00 73 00 76 00 67 00}
$inj1 = "?AVCinj2008Dlg@@" ascii
$inj2 = "?AVCinj2008App@@" ascii
condition:
($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
}
rule PrikormkaModule
{
strings:
$mz = { 4D 5A }
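Review bot: `$mz = { 4D 5A }` combined with `($mz at 0)` in `PrikormkaDropper` (and repeated in `PrikormkaModule` just below) is the kind of two-byte string yara flags as likely to slow scanning, because the scanner must search for it across the whole file before the `at 0` test is applied; replace it with `uint16(0) == 0x5A4D` in the condition, which reads the header directly, and delete the `$mz` declarations. The remaining dropper logic (`any of ($bin*)`, `3 of ($kd*)`, `all of ($inj*)`) is sound: the `$bin*` and `$inj*` strings are specific enough to stand alone and the `$kd*` group needs three hits before it counts.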
@@ -111,9 +111,9 @@ rule PrikormkaModule
rule PrikormkaEarlyVersion
{
strings:
$mz = { 4D 5A }
$str36 = "IntelRestore" ascii fullword
$str37 = "Resent" wide fullword
$str38 = "ocp8.1" wide fullword
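Review bot: `$str37 = "Resent" wide fullword` is a plain dictionary word and will match UTF-16 UI text in benign software (mail clients in particular), and because `PrikormkaEarlyVersion` fires on `2 of ($str*)` one such generic hit plus any other is enough to alert; either drop `$str37` or move it out of the `$str*` group so it cannot contribute to the count. `$str36 = "IntelRestore"` and `$str38 = "ocp8.1"` are distinctive enough to keep as they are.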
@@ -123,12 +123,14 @@ rule PrikormkaEarlyVersion
$str42 = "smdhost.dll" ascii fullword
$str43 = "KDLLCFX" wide fullword
$str44 = "KDLLRUNDRV" wide fullword
condition:
($mz at 0) and (2 of ($str*))
}
rule Prikormka
{
meta:
Author = "Anton Cherepanov"
Date = "2016/05/10"
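Review bot: `($mz at 0) and (2 of ($str*))` is a low bar for a group with at least nine members (`$str36` through `$str44` are visible in this and the previous hunk), some of which are short words; consider `3 of ($str*)`, or require one of the distinctive `KD*` names (`$str43 = "KDLLCFX"`, `$str44 = "KDLLRUNDRV"`) together with any other hit. The helper rule also has no `meta:` block while `Prikormka` directly below carries Author, Date and Source; a one-line description on each helper would make standalone matches attributable.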
@@ -136,6 +138,7 @@ rule Prikormka
Source = "https://github.com/eset/malware-ioc/"
Contact = "threatintel@eset.com"
License = "BSD 2-Clause"
condition:
PrikormkaDropper or PrikormkaModule or PrikormkaEarlyVersion
}
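Review bot: `Prikormka` exists only to OR the three helper rules, yet `PrikormkaDropper`, `PrikormkaModule` and `PrikormkaEarlyVersion` are public, so every detection is reported twice (once for the helper, once for `Prikormka`) and consumers keyed on rule name see duplicates; declare the three helpers as `private rule ...` so only `Prikormka` surfaces. Since this commit is authored by someone other than the `Author` named in the meta block and the `Source` still points at the ESET repository, a meta line recording the modification (for example a `Modified` date next to `Date = "2016/05/10"`) would keep provenance honest.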