Update APT_Sofacy_xtunnel_bundestag.yar

ee16aca2 · mmorenog · GitHub · 3a1d1b56 · ee16aca2
Commit ee16aca2 authored Jul 20, 2016 by mmorenog Committed by GitHub Jul 20, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

APT_Sofacy_xtunnel_bundestag.yar malware/APT_Sofacy_xtunnel_bundestag.yar +5 -5

No files found.
--- a/malware/APT_Sofacy_xtunnel_bundestag.yar
+++ b/malware/APT_Sofacy_xtunnel_bundestag.yar
@@ -2,7 +2,7 @@
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
 */
-rule apt_sofacy_xtunnel {
+rule apt_sofacy_xtunnel : APT28 Sofacy {
    meta:
        author = "Claudio Guarnieri"
        description = "Sofacy Malware - German Bundestag"
@@ -24,7 +24,7 @@ rule apt_sofacy_xtunnel {
        ((uint16(0) == 0x5A4D) or (uint16(0) == 0xCFD0)) and (($xaps) or (all of ($variant1*)) or (all of ($variant2*)) or (6 of ($mix*))) 
 }
-rule Sofacy_Bundestag_Winexe {
+rule Sofacy_Bundestag_Winexe : APT28 Sofacy {
    meta:
        description = "Winexe tool used by Sofacy group in Bundestag APT"
        author = "Florian Roth"
@@ -39,7 +39,7 @@ rule Sofacy_Bundestag_Winexe {
        uint16(0) == 0x5a4d and filesize < 115KB and all of them
 }
-rule Sofacy_Bundestag_Mal2 {
+rule Sofacy_Bundestag_Mal2 : APT28 Sofacy {
    meta:
        description = "Sofacy Group Malware Sample 2"
        author = "Florian Roth"
@@ -56,7 +56,7 @@ rule Sofacy_Bundestag_Mal2 {
        uint16(0) == 0x5a4d and ( 1 of ($x*) ) and $s1
 }
-rule Sofacy_Bundestag_Mal3 {
+rule Sofacy_Bundestag_Mal3 : APT28 Sofacy {
    meta:
        description = "Sofacy Group Malware Sample 3"
        author = "Florian Roth"
@@ -85,7 +85,7 @@ rule Sofacy_Bundestag_Mal3 {
        ) 
 }
-rule Sofacy_Bundestag_Batch {
+rule Sofacy_Bundestag_Batch : APT28 Sofacy {
    meta:
        description = "Sofacy Bundestags APT Batch Script"
        author = "Florian Roth"