Minor Changes to YARA Rules

2024-11-07 02:25:19 +00:00 · 2016-06-08 11:28:42 +02:00 · 2016-06-08 11:28:42 +02:00 · 3b0ad587a7
commit 3b0ad587a7
parent 16de1a3b72
3 changed files with 9 additions and 4 deletions
--- a/yara/apt_irongate.yar
+++ b/yara/apt_irongate.yar
@ -16,6 +16,7 @@ rule IronGate_APT_Step7ProSim_Gen {
 		score = 90
 		hash1 = "0539af1a0cc7f231af8f135920a990321529479f6534c3b64e571d490e1514c3"
 		hash2 = "fa8400422f3161206814590768fc1a27cf6420fc5d322d52e82899ac9f49e14f"
+		hash3 = "5ab1672b15de9bda84298e0bb226265af09b70a9f0b26d6dfb7bdd6cbaed192d"
 	strings:
 		$x1 = "\\obj\\Release\\Step7ProSim.pdb" ascii

--- a/yara/crime_petya_ransom.yar
+++ b/yara/crime_petya_ransom.yar
@ -23,5 +23,9 @@ rule Petya_Ransomware {
 		$s4 = "@CommandLineMode" fullword wide
 		$s5 = "X-Retry-After" fullword wide
 	condition:
-		uint16(0) == 0x5a4d and filesize < 500KB and $a1 and all of ($s*)
+	(
+		uint16(0) == 0x5a4d and filesize < 500KB and 3 of them
+	) or (
+		all of them
+	) and not filename matches /Google/
 }
--- a/yara/general_officemacros.yar
+++ b/yara/general_officemacros.yar
@ -4,7 +4,7 @@ rule Office_AutoOpen_Macro {
 		description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
 		author = "Florian Roth"
 		date = "2015-05-28"
-		score = 60
+		score = 40
 		hash1 = "4d00695d5011427efc33c9722c61ced2"
 		hash2 = "63f6b20cb39630b13c14823874bd3743"
 		hash3 = "66e67c2d84af85a569a04042141164e6"