Commit 65201289 by Marc Rivero López Committed by GitHub

Update APT_Prikormka.yar

parent 50535512
...@@ -32,26 +32,26 @@ ...@@ -32,26 +32,26 @@
rule PrikormkaDropper rule PrikormkaDropper
{ {
strings: strings:
$mz = { 4D 5A } $mz = { 4D 5A }
$kd1 = "KDSTORAGE" wide $kd1 = "KDSTORAGE" wide
$kd2 = "KDSTORAGE_64" wide $kd2 = "KDSTORAGE_64" wide
$kd3 = "KDRUNDRV32" wide $kd3 = "KDRUNDRV32" wide
$kd4 = "KDRAR" wide $kd4 = "KDRAR" wide
$bin1 = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F} $bin1 = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
$bin2 = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16} $bin2 = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
$bin3 = {4D 00 4D 00 43 00 00 00 67 00 75 00 69 00 64 00 56 00 47 00 41 00 00 00 5F 00 73 00 76 00 67 00} $bin3 = {4D 00 4D 00 43 00 00 00 67 00 75 00 69 00 64 00 56 00 47 00 41 00 00 00 5F 00 73 00 76 00 67 00}
$inj1 = "?AVCinj2008Dlg@@" ascii $inj1 = "?AVCinj2008Dlg@@" ascii
$inj2 = "?AVCinj2008App@@" ascii $inj2 = "?AVCinj2008App@@" ascii
condition: condition:
($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*))) ($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
} }
rule PrikormkaModule rule PrikormkaModule
{ {
strings: strings:
$mz = { 4D 5A } $mz = { 4D 5A }
...@@ -111,9 +111,9 @@ rule PrikormkaModule ...@@ -111,9 +111,9 @@ rule PrikormkaModule
rule PrikormkaEarlyVersion rule PrikormkaEarlyVersion
{ {
strings: strings:
$mz = { 4D 5A } $mz = { 4D 5A }
$str36 = "IntelRestore" ascii fullword $str36 = "IntelRestore" ascii fullword
$str37 = "Resent" wide fullword $str37 = "Resent" wide fullword
$str38 = "ocp8.1" wide fullword $str38 = "ocp8.1" wide fullword
...@@ -123,12 +123,14 @@ rule PrikormkaEarlyVersion ...@@ -123,12 +123,14 @@ rule PrikormkaEarlyVersion
$str42 = "smdhost.dll" ascii fullword $str42 = "smdhost.dll" ascii fullword
$str43 = "KDLLCFX" wide fullword $str43 = "KDLLCFX" wide fullword
$str44 = "KDLLRUNDRV" wide fullword $str44 = "KDLLRUNDRV" wide fullword
condition: condition:
($mz at 0) and (2 of ($str*)) ($mz at 0) and (2 of ($str*))
} }
rule Prikormka rule Prikormka
{ {
meta: meta:
Author = "Anton Cherepanov" Author = "Anton Cherepanov"
Date = "2016/05/10" Date = "2016/05/10"
...@@ -136,6 +138,7 @@ rule Prikormka ...@@ -136,6 +138,7 @@ rule Prikormka
Source = "https://github.com/eset/malware-ioc/" Source = "https://github.com/eset/malware-ioc/"
Contact = "threatintel@eset.com" Contact = "threatintel@eset.com"
License = "BSD 2-Clause" License = "BSD 2-Clause"
condition: condition:
PrikormkaDropper or PrikormkaModule or PrikormkaEarlyVersion PrikormkaDropper or PrikormkaModule or PrikormkaEarlyVersion
} }
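Review bot: The rules PrikormkaDropper and PrikormkaEarlyVersion carry no `meta:` section, while the aggregating rule Prikormka documents Author, Date, Source, Contact and License, so an analyst who gets a hit on one of the sub-rules alone sees no attribution, reference or description for it. Since the commit already touches the lines at both rule headers, consider giving each a minimal block such as `meta: description = "Prikormka dropper component" reference = "https://github.com/eset/malware-ioc/"`, or marking the sub-rules `private` if only the aggregate Prikormka match is meant to be reported — that second option changes what consumers see, so it should be confirmed with the rule authors rather than applied silently. Note that PrikormkaEarlyVersion spans the second and third hunks with some of its string definitions outside the shown lines, and PrikormkaModule's body runs past the first hunk. The old and new columns print identical text for every visible line, so the substantive change appears to be whitespace or lines the rendering dropped; if so, a commit message saying that would spare reviewers the comparison.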