Skip to content

R
rules
Commit d7558387 by mmorenog Committed by GitHub
Options

Update APT_APT10.yar

parent 166f4598
Showing with 3 additions and 3 deletions
malware/APT_APT10.yar
...@@ -69,9 +69,9 @@ reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A" ...@@ -69,9 +69,9 @@ reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
strings: strings:
$s0 = { 80343057403D2FD0010072F433C08BFF80343024403D2FD0010072F4 } $s0 = { 80343057403D2FD0010072F433C08BFF80343024403D2FD0010072F4 }
$s1 = "C:/\Users/\user/\Desktop/\my_OK_2014/\bit9/\runsna/\Release/\runsna.pdb" $s1 = "C:/Users/user/Desktop/my_OK_2014/bit9/runsna/Release/runsna.pdb" fullword ascii
$s2 = "d:/\work/\plug4.0(shellcode)" $s2 = "d:/work/plug4.0(shellcode)" fullword ascii
$s3 = "/\shellcode/\shellcode/\XSetting.h" $s3 = "/shellcode/shellcode/XSetting.h" fullword ascii
$s4 = { 42AFF4276A45AA58474D4C4BE03D5B395566BEBCBDEDE9972872C5C4C5498228 } $s4 = { 42AFF4276A45AA58474D4C4BE03D5B395566BEBCBDEDE9972872C5C4C5498228 }
$s5 = { 8AD32AD002D180C23830140E413BCB7CEF6A006A006A00566A006A00 } $s5 = { 8AD32AD002D180C23830140E413BCB7CEF6A006A006A00566A006A00 }
$s6 = { EB055F8BC7EB05E8F6FFFFFF558BEC81ECC8040000535657 } $s6 = { EB055F8BC7EB05E8F6FFFFFF558BEC81ECC8040000535657 }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment