Merge pull request #244 from Bondey/master

added apt28 downdelph rules

Merge pull request #244 from Bondey/master
added apt28 downdelph rules
8910035e · mmorenog · GitHub · fd0003cb · b38b0d1a · 8910035e
Commit 8910035e authored Jun 15, 2017 by mmorenog Committed by GitHub Jun 15, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 0 deletions

APT_fancybear_downdelph.yar malware/APT_fancybear_downdelph.yar +24 -0

No files found.
--- a/malware/APT_fancybear_downdelph.yar
+++ b/malware/APT_fancybear_downdelph.yar
+rule APT_fancybear_Downdelph_magic : Bootkit{
+	meta:
+		author = "Marc Salinas @Bondey_m"
+		description = "APT28 downdelph magic string"
+		reference = "https://www.threatminer.org/_reports/2016/eset-sednit-part3%20-%20ESET.pdf#viewer.action=download"
+	strings:
+		$str1 = " :3 "
+	condition:
+		$str1 at 0
+}
+
+
+
+rule APT_fancybear_Downdelph_MBR : Bootkit{
+	meta:
+		author = "Marc Salinas @Bondey_m"
+		description = "APT28 downdelph string on MBR (get your MBR with BOOTICE on Win or #dd if=/dev/sda of=./sda.mbr bs=512 count=1"
+		reference = "https://www.threatminer.org/_reports/2016/eset-sednit-part3%20-%20ESET.pdf#viewer.action=download"
+	strings:
+		$s1 = { 20 3A 33 20 } //string " :3 "
+	condition:
+		$s1 at 411  //posición 0x19b
+}
\ No newline at end of file