Commit 958b7e7b by mmorenog

Update APT_Prikormka.yar

parent 9cd8a071
...@@ -30,15 +30,15 @@ ...@@ -30,15 +30,15 @@
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// //
private rule PrikormkaDropper rule PrikormkaDropper
{ {
strings: strings:
$mz = { 4D 5A } $mz = { 4D 5A }
$kd1 = "KDSTORAGE" wide $kd = "KDSTORAGE" wide
$kd1 = "KDSTORAGE_64" wide $kd = "KDSTORAGE_64" wide
$kd1 = "KDRUNDRV32" wide $kd = "KDRUNDRV32" wide
$kd1 = "KDRAR" wide $kd = "KDRAR" wide
$bin = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F} $bin = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
$bin = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16} $bin = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
...@@ -50,7 +50,7 @@ private rule PrikormkaDropper ...@@ -50,7 +50,7 @@ private rule PrikormkaDropper
($mz at 0) and ((any of ($bin)) or (3 of ($kd1)) or (all of ($inj))) ($mz at 0) and ((any of ($bin)) or (3 of ($kd1)) or (all of ($inj)))
} }
private rule PrikormkaModule rule PrikormkaModule
{ {
strings: strings:
$mz = { 4D 5A } $mz = { 4D 5A }
...@@ -109,7 +109,7 @@ private rule PrikormkaModule ...@@ -109,7 +109,7 @@ private rule PrikormkaModule
($mz at 0) and (any of ($str)) ($mz at 0) and (any of ($str))
} }
private rule PrikormkaEarlyVersion rule PrikormkaEarlyVersion
{ {
strings: strings:
$mz = { 4D 5A } $mz = { 4D 5A }
......
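Review bot: In the first hunk the four `KDSTORAGE`/`KDRUNDRV32`/`KDRAR` strings share one identifier in each column (`$kd1` on the left, `$kd` on the right), the two `$bin` lines do the same, and the unchanged condition still reads `3 of ($kd1)`. As displayed, YARA would reject the rule for duplicated string identifiers, and with the `$kd` naming the condition would refer to a string that is not defined; this may be an artifact of how the page rendered numeric suffixes and wildcards, so check it against the raw file. If the file really looks like this, give each string its own name (`$kd1` … `$kd4`, `$bin1`, `$bin2`) and match them as sets, e.g. `(any of ($bin*)) or (3 of ($kd*))`. Compiling the file with `yarac` before merging would catch this either way. The rest of the `PrikormkaDropper` strings section, including the `$inj` strings the condition uses, lies between the hunks and is not shown.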