Update APT_Shamoon_StoneDrill.yar

f568367c · mmorenog · GitHub · 2a3fc3a2 · f568367c
Commit f568367c authored Mar 07, 2017 by mmorenog Committed by GitHub Mar 07, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 0 deletions

APT_Shamoon_StoneDrill.yar malware/APT_Shamoon_StoneDrill.yar +15 -0

No files found.
--- a/malware/APT_Shamoon_StoneDrill.yar
+++ b/malware/APT_Shamoon_StoneDrill.yar
@@ -32,3 +32,18 @@ pe.resources[i].language == 0 and
 not ($mz in (pe.resources[i].offset..pe.resources[i].offset + pe.resources[i].length))
 )
 }
+rule StoneDrill_main_sub {
+meta:
+ author = "Kaspersky Lab"
+ description = "Rule to detect StoneDrill (decrypted) samples"
+ hash = "d01781f1246fd1b64e09170bd6600fe1"
+ hash = "ac3c25534c076623192b9381f926ba0d"
+ version = "1.0"
+strings:
+ $code = {B8 08 00 FE 7F FF 30 8F 44 24 ?? 68 B4 0F 00 00 FF 15 ?? ?? ?? 00 B8 08 00 FE 7F FF
+30 8F 44 24 ?? 8B ?? 24 [1 - 4] 2B ?? 24 [6] F7 ?1 [5 - 12] 00}
+condition:
+ uint16(0) == 0x5A4D and
+ $code and
+ filesize < 5000000
+}