Update APT_Emissary.yar

Fixed syntax rule

Update APT_Emissary.yar
Fixed syntax rule
8da187d5 · Marc Rivero López · GitHub · f55bcd25 · 8da187d5
Commit 8da187d5 authored Jan 21, 2017 by Marc Rivero López Committed by GitHub Jan 21, 2017
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletions

APT_Emissary.yar malware/APT_Emissary.yar +5 -1

No files found.
--- a/malware/APT_Emissary.yar
+++ b/malware/APT_Emissary.yar
@@ -9,7 +9,9 @@
 	Identifier: Emissary Malware
 */

-rule Emissary_APT_Malware_1 {
+rule Emissary_APT_Malware_1 
+{
+
    meta:
        description = "Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll"
        author = "Florian Roth"
@@ -29,6 +31,7 @@ rule Emissary_APT_Malware_1 {
        hash11 = "29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051"
        hash12 = "98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0"
        hash13 = "fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb"
+
    strings:
        $s1 = "cmd.exe /c %s > %s" fullword ascii
        $s2 = "execute cmd timeout." fullword ascii
@@ -40,6 +43,7 @@ rule Emissary_APT_Malware_1 {
        $s8 = "DownloadFile - exception:%s,code:0x%08x." fullword ascii
        $s9 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" fullword ascii
        $s10 = "CDllApp::InitInstance() - Evnet already exists." fullword ascii
+
    condition:
        uint16(0) == 0x5a4d and filesize < 250KB and 3 of them
 }