Commit e3c7b963 by Marc Rivero López Committed by GitHub

Update APT_Casper.yar

Fixed rule style
parent ea59b2e1
...@@ -31,6 +31,7 @@ rule Casper_Backdoor_x86 ...@@ -31,6 +31,7 @@ rule Casper_Backdoor_x86
$z1 = "http://google.com/" fullword ascii $z1 = "http://google.com/" fullword ascii
$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii $z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
$z3 = "Operating System\"" fullword wide $z3 = "Operating System\"" fullword wide
condition: condition:
( all of ($s*) ) or ( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) ) ( all of ($s*) ) or ( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
} }
...@@ -108,4 +109,3 @@ rule Casper_SystemInformation_Output ...@@ -108,4 +109,3 @@ rule Casper_SystemInformation_Output
condition: condition:
all of them all of them
} }