valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-06 18:15:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Missing PE module imports, minor changes

Browse Source
This commit is contained in:
Florian Roth 2017-10-11 18:43:19 +02:00
parent ae9f920a2a
commit dca5a3dcf7
3 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
yara/apt_putterpanda.yar
View File

@ -1,4 +1,3 @@
rule APT_Malware_PutterPanda_Rel {
meta:
description = "Detects an APT malware related to PutterPanda"
@ -83,7 +82,7 @@ rule APT_Malware_PutterPanda_WUAUCLT {
hash = "fd5ca5a2d444865fa8320337467313e4026b9f78"
strings:
$x0 = "WUAUCLT.EXE" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
$x1 = "%s\\tmp%d.exe" fullword ascii /* score: '14.01' */
$x1 = "%s\\tmp%d.exe" fullword ascii /* score: '14.01' */
$x2 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */
$s1 = "Microsoft Windows Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 4 times */
@ -96,7 +95,7 @@ rule APT_Malware_PutterPanda_WUAUCLT {
$s8 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 222 times */
$s9 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 410 times */
condition:
all of ($x*) or
all of ($x*) or
(1 of ($x*) and all of ($s*) )
}
@ -142,7 +141,7 @@ rule Malware_MsUpdater_String_in_EXE {
$fp2 = "_msupdate_" ascii /* False Positive */
$fp3 = "/kies" wide
condition:
uint16(0) == 0x5a4d and filesize < 500KB and ( 1 of ($x*) ) and not ( 1 of ($fp*) )
uint16(0) == 0x5a4d and filesize < 500KB and ( 1 of ($x*) ) and not ( 1 of ($fp*) )
}
rule APT_Malware_PutterPanda_MsUpdater_3 {
@ -250,9 +249,9 @@ rule APT_Malware_PutterPanda_Gen4 {
$z6 = "Avaliable data:%u bytes" fullword ascii /* score: '5.03' */
$z7 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" fullword ascii /* PEStudio Blacklist: guid */ /* score: '5.00' */ /* Goodware String - occured 2 times */
condition:
filesize < 300KB and
filesize < 300KB and
(
( uint16(0) == 0x5a4d and $x1 and 3 of ($s*) ) or
( 3 of ($s*) and 4 of ($z*) )
)
}
}

1
yara/crime_corkow_dll.yar
View File

@ -1,3 +1,4 @@
import "pe"
rule CorkowDLL {
meta:

2
yara/crime_snarasite.yar
View File

@ -1,3 +1,5 @@
import "pe"
rule BKDR_Snarasite_Oct17 {
meta:
description = "Auto-generated rule - file 36ba92cba23971ca9d16a0b4f45c853fd5b3108076464d5f2027b0f56054fd62"