Minor Changes to YARA Rules

yara/apt_irongate.yar

@@ -16,6 +16,7 @@ rule IronGate_APT_Step7ProSim_Gen {
 		score = 90
 		hash1 = "0539af1a0cc7f231af8f135920a990321529479f6534c3b64e571d490e1514c3"
 		hash2 = "fa8400422f3161206814590768fc1a27cf6420fc5d322d52e82899ac9f49e14f"
+		hash3 = "5ab1672b15de9bda84298e0bb226265af09b70a9f0b26d6dfb7bdd6cbaed192d"
 	strings:
 		$x1 = "\\obj\\Release\\Step7ProSim.pdb" ascii
 

yara/crime_petya_ransom.yar

@@ -23,5 +23,9 @@ rule Petya_Ransomware {
 		$s4 = "@CommandLineMode" fullword wide
 		$s5 = "X-Retry-After" fullword wide
 	condition:
-		uint16(0) == 0x5a4d and filesize < 500KB and $a1 and all of ($s*)
+	(
+		uint16(0) == 0x5a4d and filesize < 500KB and 3 of them
+	) or (
+		all of them
+	) and not filename matches /Google/
 }

yara/general_officemacros.yar

@@ -4,7 +4,7 @@ rule Office_AutoOpen_Macro {
 		description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
 		author = "Florian Roth"
 		date = "2015-05-28"
-		score = 60
+		score = 40
 		hash1 = "4d00695d5011427efc33c9722c61ced2"
 		hash2 = "63f6b20cb39630b13c14823874bd3743"
 		hash3 = "66e67c2d84af85a569a04042141164e6"
@@ -16,7 +16,7 @@ rule Office_AutoOpen_Macro {
 		$s1 = "AutoOpen" ascii fullword
 		$s2 = "Macros" wide fullword
 	condition:
-		( 
+		(
 			uint32be(0) == 0xd0cf11e0 or 	// DOC, PPT, XLS
 			uint32be(0) == 0x504b0304		// DOCX, PPTX, XLSX (PKZIP)
 		)
@@ -41,6 +41,6 @@ rule Office_as_MHTML {
 		$x1 = "QWN0aXZlTWltZQA" ascii 	// Base64 encoded 'ActiveMime'
 		$x2 = "0M8R4KGxGuE" ascii 		// Base64 encoded office header D0CF11E0A1B11AE1..
 	condition:
-		uint32be(0) == 0x4d494d45 // "MIME" header 
+		uint32be(0) == 0x4d494d45 // "MIME" header
 		and all of ($s*) and 1 of ($x*)
 }