Merge branch 'master' into pr/102

This commit is contained in:
Florian Roth 2020-11-24 10:03:47 +01:00
commit e4bc2e5ab4
8 changed files with 9 additions and 10 deletions


@ -26,7 +26,7 @@ rule BronzeButler_Daserf_Delphi_1 {
$s3 = "l32.dll" fullword ascii
$s4 = "tProcess:" fullword ascii
$s5 = " InjectPr" ascii
$s6 = "Write$Error creating variant or safe arrayInvalid argument to time encode" fullword wide
$s6 = "Write$Error creating variant or safe array\x1fInvalid argument to time encode" fullword wide
$s7 = "on\\run /v " fullword ascii
$s8 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run" fullword ascii
$s9 = "ms1ng2d3d2.exe" fullword ascii
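Review bot: The `\x1f` restored in `$s6` and the `$` already in the same literal look like Pascal-style length prefixes rather than text: 0x24 (`$`) is the length of "Error creating variant or safe array" (36 characters) and 0x1f is the length of "Invalid argument to time encode" (31 characters), so the fix is consistent with the rest of the string, but nothing records that and a later cleanup could strip the control byte again or "correct" the `$`. Suggest a comment on the line: `/* Delphi length-prefixed strings: '$' (0x24) and \x1f are length bytes, not text */`. The rule header and condition are outside this hunk.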


@ -138,7 +138,7 @@ rule Codoso_Gh0st_3 {
$s4 = "testsupdate33" fullword ascii
$s5 = "Device Protect Application" fullword wide
$s6 = "MSVCP60.DLL" fullword ascii /* Goodware String - occured 1 times */
$s7 = "mail-news.eicp.net" fullword ascii
$s7 = "mail-news.eicp.net" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 195KB and $x1 or 4 of them
}


@ -5,8 +5,8 @@ rule APT_DonotTeam_YTYframework : APT DonotTeam Windows {
author = "James E.C, ProofPoint"
description = "Modular malware framework with similarities to EHDevel"
hashes = "1e0c1b97925e1ed90562d2c68971e038d8506b354dd6c1d2bcc252d2a48bc31c"
reference = "arbornetworks.com/blog/asert/don"
reference2 = "labs.bitdefender.com/2017/09/ehdeve"
reference = "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/"
reference2 = "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/"
date = "08-03-2018"
strings:
$x1 = "/football/download2/" ascii wide


@ -24,10 +24,10 @@ rule Backdoor_Redosdru_Jun17 {
$s1 = "RegQueryValueEx(Svchost\\netsvcs)" fullword ascii
$s2 = "serviceone" fullword ascii
$s3 = "#p #p #p #p #p #p #p #p #p #p #p #p #p #p #p #p #p #p #p #p #p #p #p #p #f #" fullword ascii
$s3 = "\x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#p \x1f#f \x1f#" fullword ascii
$s4 = "servicetwo" fullword ascii
$s5 = "UpdateCrc" fullword ascii
$s6 = "#[ #x #x #x #x #x #x #x #x #x #x #x #x #x #x #x #x #x #x #x #x #" fullword ascii
$s6 = "\x1f#[ \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#x \x1f#" fullword ascii
$s7 = "nwsaPAgEnT" fullword ascii
$s8 = "%-24s %-15s 0x%x(%d) " fullword ascii
condition:
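Review bot: The `\x1f` bytes restored in `$s3` and `$s6` are the only thing distinguishing these literals from plain text, and nothing in the rule marks them as intentional, so the same loss can recur the next time the file passes through an editor or tool that drops control characters. Suggest a comment above `$s3`, e.g. `/* \x1f bytes are literal control characters from the sample; do not strip */`, or expressing the two strings as hex strings where the byte is explicit. Both strings are the same `\x1f#p ` / `\x1f#x ` token repeated a fixed number of times; if that count varies across samples a hex string with a bounded jump would be more robust, though I would confirm against the samples before loosening them. The rule's condition body continues below the hunk.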


@ -26,7 +26,6 @@ rule GhostDragon_Gh0stRAT {
$x7 = "%-23s %-16s 0x%x(%02d)" fullword ascii
$x8 = "RegSetValueEx(start)" fullword ascii
$x9 = "%s\\%s64.dl_" fullword ascii
$x10 = "$#REGMASTERKEY$WebCat was successfully started" fullword wide
$s1 = "viewsc.dll" fullword ascii
$s2 = "Proxy-Connection: Keep-Alive" fullword ascii


@ -8,7 +8,7 @@
rule Sofacy_Fybis_ELF_Backdoor_Gen1 {
meta:
description = "Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1"
description = "Detects Sofacy Fysbis Linux Backdoor"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
author = "Florian Roth"
reference = "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
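Review bot: The corrected description now says "Fysbis", but the rule name on the line above is still `Sofacy_Fybis_ELF_Backdoor_Gen1`, so name and description disagree and the rule will not turn up when searching for the family by name. Renaming a rule breaks consumers that reference it by name, so if the old spelling is kept on purpose a comment such as `/* rule name keeps the historical 'Fybis' spelling; the family is Fysbis */` would at least explain the mismatch. The rule's strings and condition are outside this hunk.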


@ -7,7 +7,7 @@ rule ChinaChopper_Generic {
reference = "https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf"
date = "2015/03/10"
strings:
$aspx = /%@\sPage\sLanguage=.Jscript.%><%eval\(RequestItem\[.{,100}unsafe/
$aspx = /%@\sPage\sLanguage=.Jscript.%><%eval\(Request\.Item\[.{,100}unsafe/
$php = /<?php.\@eval\(\$_POST./
condition:
1 of them
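Review bot: `$php`, the line after the corrected `$aspx`, has an unescaped `?` in `/<?php.\@eval\(\$_POST./`, which the regex engine reads as an optional `<` followed by `php` rather than the literal `<?php` tag, so the pattern is slightly wider than intended and also fires on `php @eval($_POST` with no opening tag. Suggest `$php = /<\?php.\@eval\(\$_POST./` to pin the literal tag. The `.` wildcards in both patterns presumably stand in for the quote characters and the `[`; that is fine as written but worth a one-line comment since it is not obvious to the next reader. The rule header is above the hunk.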


@ -50,7 +50,7 @@ rule Ysoserial_Payload_Spring1 {
hash6 = "1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187"
hash7 = "adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7"
strings:
$x1 = "ysoserial/Pwner" ascii
$x1 = "ysoserial/Pwner" ascii
condition:
1 of them
}