Update APT_APT10.yar

70f1cf3a · mmorenog · GitHub · aa6ded6d · 70f1cf3a
Commit 70f1cf3a authored May 02, 2017 by mmorenog Committed by GitHub May 02, 2017
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletions

APT_APT10.yar malware/APT_APT10.yar +2 -1

No files found.
--- a/malware/APT_APT10.yar
+++ b/malware/APT_APT10.yar
@@ -4,9 +4,11 @@ description = "Detect a dropper used to deploy an implant via side loading. This
 author = "USG"
 true_positive = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. "
 reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
+
 strings:
 $UniqueString = {2e 6c 6e 6b [0-14] 61 76 70 75 69 2e 65 78 65} // ".lnk" near "avpui.exe"
 $PsuedoRandomStringGenerator = {b9 1a [0-6] f7 f9 46 80 c2 41 88 54 35 8b 83 fe 64} // Unique function that generates a 100 character pseudo random string.
+
 condition:
 any of them
 }
@@ -17,7 +19,6 @@ description = "Detect the DLL responsible for loading and deobfuscating the DAT 
 author = "USG"
 true_positive = "7f8a867a8302fe58039a6db254d335ae" // StarBurn.dll
 reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
-
 strings:
        $XOR_Loop = {32 0c 3a 83 c2 02 88 0e 83 fa 08 [4-14] 32 0c 3a 83 c2 02 88 0e 83 fa 10} // Deobfuscation loop
 condition: