diff --git a/yara/apt_putterpanda.yar b/yara/apt_putterpanda.yar
index aacb65a..a2944a5 100644
--- a/yara/apt_putterpanda.yar
+++ b/yara/apt_putterpanda.yar
@@ -1,4 +1,3 @@
-
 rule APT_Malware_PutterPanda_Rel {
 meta:
 description = "Detects an APT malware related to PutterPanda"
@@ -83,7 +82,7 @@ rule APT_Malware_PutterPanda_WUAUCLT {
 hash = "fd5ca5a2d444865fa8320337467313e4026b9f78"
 strings:
 $x0 = "WUAUCLT.EXE" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
- $x1 = "%s\\tmp%d.exe" fullword ascii /* score: '14.01' */
+ $x1 = "%s\\tmp%d.exe" fullword ascii /* score: '14.01' */
 $x2 = "Microsoft Corporation. All rights reserved." fullword wide /* score: '8.04' */
 $s1 = "Microsoft Windows Operating System" fullword wide /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 4 times */
@@ -96,7 +95,7 @@ rule APT_Malware_PutterPanda_WUAUCLT {
 $s8 = "CreatePipe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 222 times */
 $s9 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 410 times */
 condition:
- all of ($x*) or
+ all of ($x*) or
 (1 of ($x*) and all of ($s*) )
 }
@@ -142,7 +141,7 @@ rule Malware_MsUpdater_String_in_EXE {
 $fp2 = "_msupdate_" ascii /* False Positive */
 $fp3 = "/kies" wide
 condition:
- uint16(0) == 0x5a4d and filesize < 500KB and ( 1 of ($x*) ) and not ( 1 of ($fp*) )
+ uint16(0) == 0x5a4d and filesize < 500KB and ( 1 of ($x*) ) and not ( 1 of ($fp*) )
 }
 rule APT_Malware_PutterPanda_MsUpdater_3 {
@@ -250,9 +249,9 @@ rule APT_Malware_PutterPanda_Gen4 {
 $z6 = "Avaliable data:%u bytes" fullword ascii /* score: '5.03' */
 $z7 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" fullword ascii /* PEStudio Blacklist: guid */ /* score: '5.00' */ /* Goodware String - occured 2 times */
 condition:
- filesize < 300KB and
+ filesize < 300KB and
 ( ( uint16(0) == 0x5a4d and $x1 and 3 of ($s*) ) or ( 3 of ($s*) and 4 of ($z*) ) )
-}
\ No newline at end of file
+}
diff --git a/yara/crime_corkow_dll.yar b/yara/crime_corkow_dll.yar
index 2e02a74..85c922a 100644
--- a/yara/crime_corkow_dll.yar
+++ b/yara/crime_corkow_dll.yar
@@ -1,3 +1,4 @@
+import "pe"
 rule CorkowDLL {
 meta:
diff --git a/yara/crime_snarasite.yar b/yara/crime_snarasite.yar
index 241cdcc..0f24b4e 100644
--- a/yara/crime_snarasite.yar
+++ b/yara/crime_snarasite.yar
@@ -1,3 +1,5 @@
+import "pe"
+
 rule BKDR_Snarasite_Oct17 {
 meta:
 description = "Auto-generated rule - file 36ba92cba23971ca9d16a0b4f45c853fd5b3108076464d5f2027b0f56054fd62"
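Review bot: The `import "pe"` added at the top of crime_corkow_dll.yar sits directly against `rule CorkowDLL {`, while the same import added to crime_snarasite.yar in the following hunk is separated from its first rule by a blank line; the two files should use one layout, preferably `import "pe"` followed by an empty line as in crime_snarasite.yar. The corkow hunk counts (3 old lines, 4 new) suggest one context line that the collapsed rendering does not show, so the separator may already be present and this is worth confirming against the rendered file. Neither hunk shows a `pe.` reference, so the module is presumably used in the rule conditions outside these hunks; if a rule in either file does not actually reference it, the import only adds module-loading cost on every scan and should be dropped from that file. Both rule bodies continue outside their hunks.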