fixing syntax & added scan report

e0acf380 · unixfreaxjp · GitHub · a9876ddb · e0acf380
Unverified Commit e0acf380 authored Jun 02, 2018 by unixfreaxjp Committed by GitHub Jun 02, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

TOOLKIT_Mandibule.yar malware/TOOLKIT_Mandibule.yar +7 -3

No files found.
--- a/malware/TOOLKIT_Mandibule.yar
+++ b/malware/TOOLKIT_Mandibule.yar
 /* 		Yara rule to detect ELF Linux process injector toolkit "mandibule" generic.
   		name: TOOLKIT_Mandibule.yar analyzed by unixfreaxjp. 
+		result:
+		TOOLKIT_Mandibule ./mandibule//mandibule-dynx86-stripped
+		TOOLKIT_Mandibule ./mandibule//mandibule-dynx86-UNstripped
+		TOOLKIT_Mandibule ./mandibule//mandibule-dun64-UNstripped
+		TOOLKIT_Mandibule ./mandibule//mandibule-dyn64-stripped
+
   		This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) 
   		and  open to any user or organization, as long as you use it under this license.
 */
@@ -31,6 +37,7 @@ private rule is__hex_top_mandibule64 {
 		$hex04 = { 53 48 81 EC 70 01 01 00 48 89 7C 24 08 48 8D 44 24 20 48 05 00 00 } // ld
 	condition:
                3 of them 
+}

 private rule is__hex_mid_mandibule32 {
 	meta:
@@ -43,8 +50,6 @@ private rule is__hex_mid_mandibule32 {
 		$hex08 = { E8 C6 D5 FF FF 83 C4 0C 68 00 01 00 00 } // ld
 	condition:
                3 of them 
-
-
 }

 private rule is__elf {
@@ -69,4 +74,3 @@ rule TOOLKIT_Mandibule {
 		and is__elf
 		and filesize < 30KB 
 }
-