Commit e4622225 by Marc Rivero López Committed by GitHub

Update APT_WildNeutron.yar

parent 532bb81b
...@@ -80,8 +80,7 @@ rule WildNeutron_Sample_3 ...@@ -80,8 +80,7 @@ rule WildNeutron_Sample_3
$s7 = "Acer LiveUpdater" fullword wide /* PEStudio Blacklist: strings */ /* score: '10.00' */ $s7 = "Acer LiveUpdater" fullword wide /* PEStudio Blacklist: strings */ /* score: '10.00' */
condition: condition:
uint16(0) == 0x5a4d and filesize < 2020KB and uint16(0) == 0x5a4d and filesize < 2020KB and ( 1 of ($x*) or all of ($s*) )
( 1 of ($x*) or all of ($s*) )
} }
rule WildNeutron_Sample_4 rule WildNeutron_Sample_4
...@@ -284,8 +283,7 @@ rule WildNeutron_Sample_10 ...@@ -284,8 +283,7 @@ rule WildNeutron_Sample_10
$y5 = "Error: RegSetValueExA 0x%x" fullword ascii /* score: '9.00' */ $y5 = "Error: RegSetValueExA 0x%x" fullword ascii /* score: '9.00' */
condition: condition:
uint16(0) == 0x5a4d and filesize < 400KB and ( $n1 or ( 1 of ($s*) and 1 of ($x*) and 3 of ($y*) ) uint16(0) == 0x5a4d and filesize < 400KB and ( $n1 or ( 1 of ($s*) and 1 of ($x*) and 3 of ($y*)))
)
} }
/* Super Rules ------------------------------------------------------------- */ /* Super Rules ------------------------------------------------------------- */