Update Equation.yar

6a77cc41 · mmorenog · 0b718b79 · 6a77cc41
Commit 6a77cc41 authored Oct 05, 2015 by mmorenog
Show whitespace changes
Inline Side-by-side

Showing with 23 additions and 3 deletions

Equation.yar malware/Equation.yar +23 -3

No files found.
--- a/malware/Equation.yar
+++ b/malware/Equation.yar
@@ -5,9 +5,6 @@

 import "pe"

-
-
-
 /* Equation APT ------------------------------------------------------------ */

 rule apt_equation_exploitlib_mutexes {
@@ -571,3 +568,26 @@ rule EquationDrug_FileSystem_Filter {
 	condition:
 		all of them
 }
+rule apt_equation_keyword {
+    meta:
+        description = "Rule to detect Equation group's keyword in executable file"
+        last_modified = "2015-09-26"
+        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
+    strings:
+         $a1 = "Backsnarf_AB25" wide
+         $a2 = "Backsnarf_AB25" ascii
+    condition:
+         uint16(0) == 0x5a4d and 1 of ($a*)
+}
+
+rule apt_equation_keyword {
+    meta:
+        description = "Rule to detect Equation group's keyword in executable file"
+        last_modified = "2015-09-26"
+        reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
+    strings:
+         $a1 = "Backsnarf_AB25" wide
+         $a2 = "Backsnarf_AB25" ascii
+    condition:
+         uint16(0) == 0x5a4d and 1 of ($a*)
+}