Update APT_Turla_RUAG.yar

malware/APT_Turla_RUAG.yar

@@ -2,14 +2,6 @@
     This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 
 */
-/*
-	Yara Rule Set
-	Author: Florian Roth
-	Date: 2016-06-09
-	Identifier: Turla Samples from RUAG Cyber Attack
-*/
-
-/* Rule Set ----------------------------------------------------------------- */
 
 rule Turla_APT_srsvc {
 	meta:
@@ -250,3 +242,31 @@ rule WaterBug_turla_dll
     condition:
         pe.exports("ee") and $a
 }
+rule turla_dropper
+{ 
+	meta:
+		maltype = "turla dropper"
+		ref = "https://github.com/reed1713"
+		reference = "http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf"
+		date = "3/13/2014"
+		description = "This sample was pulled from the bae systems snake campaign report. The Turla dropper creates a file in teh temp dir and registers an auto start service call \"RPC Endpoint Locator\"."
+	strings:
+
+		$type="Microsoft-Windows-Security-Auditing"
+		$eventid="4688"
+		$data="AppData\\Local\\Temp\\rsys.exe"
+
+		$type1="Service Control Manager"
+		$eventid1="7036"
+		$data1="RPC Endpoint Locator"
+		$data2="running"
+
+		$type2="Service Control Manager"
+		$eventid2="7045"
+		$data3="RPC Endpoint Locator"
+		$data4="user mode service" 
+		$data5="auto start"
+
+	condition:
+    ($type and $eventid and $data) or ($type1 and $eventid1 and $data1 and $data2 and $type2 and $eventid2 and $data3 and $data4 and $data5)
+}