Update MALW_CAP_Win32Inet.yara

9046badb · Marc Rivero López · GitHub · e523343c · 9046badb
Commit 9046badb authored Jan 24, 2017 by Marc Rivero López Committed by GitHub Jan 24, 2017
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

MALW_CAP_Win32Inet.yara malware/MALW_CAP_Win32Inet.yara +9 -0

No files found.
--- a/malware/MALW_CAP_Win32Inet.yara
+++ b/malware/MALW_CAP_Win32Inet.yara
@@ -9,35 +9,43 @@

 rule Str_Win32_Winsock2_Library
 {
+
    meta:
        author = "@adricnet"
        description = "Match Winsock 2 API library declaration"
        method = "String match"
+
    strings:
        $ws2_lib = "Ws2_32.dll" nocase
        $wsock2_lib = "WSock32.dll" nocase
+
    condition:
    (any of ($ws2_lib, $wsock2_lib))
 }

 rule Str_Win32_Wininet_Library
 {
+    
    meta:
        author = "@adricnet"
        description = "Match Windows Inet API library declaration"
        method = "String match"
+    
    strings:
        $wininet_lib = "WININET.dll" nocase
+    
    condition:
    (all of ($wininet*))
 }

 rule Str_Win32_Internet_API
 {
+   
    meta:
        author = "@adricnet"
        description = "Match Windows Inet API call"
        method = "String match, trim the As"
+   
    strings:
        $wininet_call_closeh = "InternetCloseHandle"
        $wininet_call_readf = "InternetReadFile"
@@ -54,6 +62,7 @@ rule Str_Win32_Http_API
        author = "@adricnet"
        description = "Match Windows Http API call"
        method = "String match, trim the As"
+   
    strings:
        $wininet_call_httpr = "HttpSendRequest"
        $wininet_call_httpq = "HttpQueryInfo"