Commit 9cd8a071 by mmorenog

Update APT_Prikormka.yar

parent 4f9dc6be
...@@ -35,10 +35,10 @@ private rule PrikormkaDropper ...@@ -35,10 +35,10 @@ private rule PrikormkaDropper
strings: strings:
$mz = { 4D 5A } $mz = { 4D 5A }
$kd = "KDSTORAGE" wide $kd1 = "KDSTORAGE" wide
$kd = "KDSTORAGE_64" wide $kd1 = "KDSTORAGE_64" wide
$kd = "KDRUNDRV32" wide $kd1 = "KDRUNDRV32" wide
$kd = "KDRAR" wide $kd1 = "KDRAR" wide
$bin = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F} $bin = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
$bin = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16} $bin = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
...@@ -47,7 +47,7 @@ private rule PrikormkaDropper ...@@ -47,7 +47,7 @@ private rule PrikormkaDropper
$inj = "?AVCinj2008Dlg@@" ascii $inj = "?AVCinj2008Dlg@@" ascii
$inj = "?AVCinj2008App@@" ascii $inj = "?AVCinj2008App@@" ascii
condition: condition:
($mz at 0) and ((any of ($bin)) or (3 of ($kd)) or (all of ($inj))) ($mz at 0) and ((any of ($bin)) or (3 of ($kd1)) or (all of ($inj)))
} }
private rule PrikormkaModule private rule PrikormkaModule
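Review bot: All four renamed strings in the first hunk now carry the same identifier `$kd1`, so the rename does not disambiguate them, and the condition's `3 of ($kd1)` names a single identifier rather than a wildcard set — it is not clear that this can ever be satisfied the way `3 of ($kd*)` over distinct `$kd1`..`$kd4` would be. `$bin` in the same hunk and `$inj` in the second hunk have the same repeated-identifier shape and are left untouched, so the rule is now inconsistent with itself; if the intent is one identifier per string, number every declaration and switch the three sets to wildcards. File lines 45–46 lie between the two hunks and are not visible here, so any declarations there would need the same renumbering, and PrikormkaDropper's rule header starts above the first hunk.

```yara
    strings:
        $mz = { 4D 5A }
        $kd1 = "KDSTORAGE" wide
        $kd2 = "KDSTORAGE_64" wide
        $kd3 = "KDRUNDRV32" wide
        $kd4 = "KDRAR" wide
        $bin1 = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
        $bin2 = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
        // … unchanged: declarations on file lines 45-46, not shown in this commit view …
        $inj1 = "?AVCinj2008Dlg@@" ascii
        $inj2 = "?AVCinj2008App@@" ascii
    condition:
        ($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
```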