Create APT_CrashOverride.yar

a1f02d7a · jovimon · GitHub · 8518f9bd · a1f02d7a
Commit a1f02d7a authored Jun 12, 2017 by jovimon Committed by GitHub Jun 12, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 16 deletions

APT_CrashOverride.yar malware/APT_CrashOverride.yar +2 -16

No files found.
--- a/malware/APT_CrashOverride.yar
+++ b/malware/APT_CrashOverride.yar
@@ -85,8 +85,8 @@ rule dragos_crashoverride_moduleStrings {

 rule dragos_crashoverride_configReader {
    meta:
-        description = "CRASHOVERRIDE v1 Config File Parsing"
-        author = "Dragos Inc"
+    description = "CRASHOVERRIDE v1 Config File Parsing"
+    author = "Dragos Inc"
 		reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
    strings:
        $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
@@ -97,20 +97,6 @@ rule dragos_crashoverride_configReader {
        all of them
 }

-rule dragos_crashoverride_configReader {
-    meta:
-		description = "CRASHOVERRIDE v1 Config File Parsing"
-		author = "Dragos Inc"
-		reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
-    strings:
-		$s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
-		$s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
-		$s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
-		$s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
-	condition:
-		all of them
-}
-
 rule dragos_crashoverride_weirdMutex {
    meta:
        description = "Blank mutex creation assoicated with CRASHOVERRIDE"