Commit 7fbbf7e7 by Marc Rivero López Committed by GitHub

Update APT_Kaba.yar

Syntax rule fixed
parent b614331c
...@@ -7,6 +7,7 @@ import "pe" ...@@ -7,6 +7,7 @@ import "pe"
rule rtf_Kaba_jDoe rule rtf_Kaba_jDoe
{ {
meta: meta:
author = "@patrickrolsen" author = "@patrickrolsen"
maltype = "APT.Kaba" maltype = "APT.Kaba"
...@@ -14,6 +15,7 @@ meta: ...@@ -14,6 +15,7 @@ meta:
version = "0.1" version = "0.1"
description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620" description = "fe439af268cd3de3a99c21ea40cf493f, d0e0e68a88dce443b24453cc951cf55f, b563af92f144dea7327c9597d9de574e, and def0c9a4c732c3a1e8910db3f9451620"
date = "2013-12-10" date = "2013-12-10"
strings: strings:
$magic1 = { 7b 5c 72 74 30 31 } // {\rt01 $magic1 = { 7b 5c 72 74 30 31 } // {\rt01
$magic2 = { 7b 5c 72 74 66 31 } // {\rtf1 $magic2 = { 7b 5c 72 74 66 31 } // {\rtf1
...@@ -21,6 +23,8 @@ strings: ...@@ -21,6 +23,8 @@ strings:
$author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe" $author1 = { 4A 6F 68 6E 20 44 6F 65 } // "John Doe"
$author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone" $author2 = { 61 75 74 68 6f 72 20 53 74 6f 6e 65 } // "author Stone"
$string1 = { 44 30 [16] 43 46 [23] 31 31 45 } $string1 = { 44 30 [16] 43 46 [23] 31 31 45 }
condition: condition:
($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1 ($magic1 or $magic2 or $magic3 at 0) and all of ($author*) and $string1
} }
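Review bot: In the condition, `at 0` binds only to `$magic3`, so `$magic1` and `$magic2` satisfy the parenthesised clause wherever they occur in the file, not only at the header. If the intent is to require an RTF magic at offset 0, anchor each alternative: `($magic1 at 0 or $magic2 at 0 or $magic3 at 0)`, or equivalently `for any of ($magic*) : ($ at 0)`. Without this, the rule can fire on non-RTF files that merely embed an RTF header alongside the author strings. The definition of `$magic3` and the lines this commit adds fall in the gaps between the hunks shown here, so confirm that `$magic3` is defined and is also a header magic.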