Update APT_fancybear_dnc.yar

7b4c13a2 · Marc Rivero López · GitHub · 190e4883 · 7b4c13a2
Commit 7b4c13a2 authored Jan 24, 2017 by Marc Rivero López Committed by GitHub Jan 24, 2017
Show whitespace changes
Inline Side-by-side

Showing with 10 additions and 2 deletions

APT_fancybear_dnc.yar malware/APT_fancybear_dnc.yar +10 -2

No files found.
--- a/malware/APT_fancybear_dnc.yar
+++ b/malware/APT_fancybear_dnc.yar
@@ -3,12 +3,15 @@
 */
-rule COZY_FANCY_BEAR_Hunt {
+rule COZY_FANCY_BEAR_Hunt 
+{
    meta:
        description = "Detects Cozy Bear / Fancy Bear C2 Server IPs"
        author = "Florian Roth"
        reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
        date = "2016-06-14"
    strings:
        $s1 = "185.100.84.134" ascii wide fullword
        $s2 = "58.49.58.58" ascii wide fullword
@@ -17,18 +20,23 @@ rule COZY_FANCY_BEAR_Hunt {
        $s5 = "185.86.148.227" ascii wide fullword
        $s6 = "45.32.129.185" ascii wide fullword
        $s7 = "23.227.196.217" ascii wide fullword
    condition:
        uint16(0) == 0x5a4d and 1 of them
 }
-rule COZY_FANCY_BEAR_pagemgr_Hunt {
+rule COZY_FANCY_BEAR_pagemgr_Hunt 
+{
    meta:
        description = "Detects a pagemgr.exe as mentioned in the CrowdStrike report"
        author = "Florian Roth"
        reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
        date = "2016-06-14"
    strings:
        $s1 = "pagemgr.exe" wide fullword
    condition:
        uint16(0) == 0x5a4d and 1 of them
 }