Update APT_C16.yar

Fixed rule style

Update APT_C16.yar
Fixed rule style
889dbf03 · Marc Rivero López · GitHub · d757ab9a · 889dbf03
Commit 889dbf03 authored Jan 21, 2017 by Marc Rivero López Committed by GitHub Jan 21, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 37 additions and 20 deletions

APT_C16.yar malware/APT_C16.yar +37 -20

No files found.
--- a/malware/APT_C16.yar
+++ b/malware/APT_C16.yar
@@ -4,45 +4,53 @@

 import "pe"

-rule apt_c16_win_memory_pcclient : Memory APT 
+rule apt_c16_win_memory_pcclient
 {
+
  meta:
    author = "@dragonthreatlab"
    md5 = "ec532bbe9d0882d403473102e9724557"
    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
-    date        = "2015/01/11" 
-    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+    date = "2015/01/11"
+    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+
  strings:
    $str1 = "Kill You" ascii
    $str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
    $str3 = "%4.2f  KB" ascii
-    $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}  
+    $encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}
+
  condition:
    all of them
 }

-rule apt_c16_win_disk_pcclient : Disk
+rule apt_c16_win_disk_pcclient
 {
+
  meta:
    author = "@dragonthreatlab"
    md5 = "55f84d88d84c221437cd23cdbc541d2e"
    description = "Encoded version of pcclient found on disk"
-    date        = "2015/01/11" 
-    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+    date = "2015/01/11"
+    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+
  strings:
    $header = {51 5C 96 06 03 06 06 06 0A 06 06 06 FF FF 06 06 BE 06 06 06 06 06 06 06 46 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 EE 06 06 06 10 1F BC 10 06 BA 0D D1 25 BE 05 52 D1 25 5A 6E 6D 73 26 76 74 6F 67 74 65 71 26 63 65 70 70 6F 7A 26 64 69 26 74 79 70 26 6D 70 26 4A 4F 53 26 71 6F 6A 69 30 11 11 0C 2A 06 06 06 06 06 06 06 73 43 96 1B 37 24 00 4E 37 24 00 4E 37 24 00 4E BA 40 F6 4E 39 24 00 4E 5E 41 FA 4E 33 24 00 4E 5E 41 FC 4E 39 24 00 4E 37 24 FF 4E 0D 24 00 4E FA 31 A3 4E 40 24 00 4E DF 41 F9 4E 36 24 00 4E F6 2A FE 4E 38 24 00 4E DF 41 FC 4E 38 24 00 4E 54 6D 63 6E 37 24 00 4E 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 56 49 06 06 52 05 09 06 5D 87 8C 5A 06 06 06 06 06 06 06 06 E6 06 10 25 0B 05 08 06 06 1C 06 06 06 1A 06 06 06 06 06 06 E5 27 06 06 06 16 06 06 06 36 06 06 06 06 06 16 06 16 06 06 06 04 06 06 0A 06 06 06 06 06 06 06 0A 06 06 06 06 06 06 06 06 76 06 06 06 0A 06 06 06 06 06 06 04 06 06 06 06 06 16 06 06 16 06 06}
+
  condition:
    $header at 0
 }

-rule apt_c16_win32_dropper : Dropper
+rule apt_c16_win32_dropper
 {
+
  meta:
    author = "@dragonthreatlab"
    md5 = "ad17eff26994df824be36db246c8fb6a"
    description = "APT malware used to drop PcClient RAT"
-    date        = "2015/01/11" 
-    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+    date = "2015/01/11"
+    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+
  strings:
    $mz = {4D 5A}
    $str1 = "clbcaiq.dll" ascii
@@ -50,50 +58,58 @@ rule apt_c16_win32_dropper : Dropper
    $str3 = "/ShowWU" ascii
    $str4 = "Software\\Microsoft\\Windows\\CurrentVersion\\" ascii
    $str5 = {8A 08 2A CA 32 CA 88 08 40 4E 75 F4 5E}
+
  condition:
    $mz at 0 and all of ($str*)
 }

-rule apt_c16_win_swisyn : Memory
+rule apt_c16_win_swisyn
 {
+
  meta:
    author = "@dragonthreatlab"
    md5 = "a6a18c846e5179259eba9de238f67e41"
    description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
-    date        = "2015/01/11" 
-    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+    date = "2015/01/11"
+    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+
  strings:
    $mz = {4D 5A}
    $str1 = "/ShowWU" ascii
    $str2 = "IsWow64Process"
    $str3 = "regsvr32 "
    $str4 = {8A 11 2A 55 FC 8B 45 08 88 10 8B 4D 08 8A 11 32 55 FC 8B 45 08 88 10}
+
  condition:
    $mz at 0 and all of ($str*)
 }

-rule apt_c16_win_wateringhole 
+rule apt_c16_win_wateringhole
 {
+
  meta:
    author = "@dragonthreatlab"
    description = "Detects code from APT wateringhole"
-    date        = "2015/01/11" 
-    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+    date = "2015/01/11"
+    reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+
  strings:
    $str1 = "function runmumaa()"
    $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
    $str3 = "function MoSaklgEs7(k)"
+
  condition:
    any of ($str*)
 }

-rule apt_c16_win64_dropper : Dropper
+rule apt_c16_win64_dropper
 {
+
    meta:
-        author      = "@dragonthreatlab"
-        date        = "2015/01/11" 
+        author = "@dragonthreatlab"
+        date = "2015/01/11"
        description = "APT malware used to drop PcClient RAT"
-        reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
+        reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"

    strings:
        $mz = { 4D 5A }
@@ -105,3 +121,4 @@ rule apt_c16_win64_dropper : Dropper
    condition:
        $mz at 0 and all of ($str*)
 }
+