From 1b0de13363a5b2f1bc51ec0ca64a991b3c36bbbf Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Fri, 6 Nov 2020 20:51:23 +0100
Subject: [PATCH] Update Yara_Patchwork_July_2020_1.yar

---
 .../Patchwork/2020-07-23/Yara/Yara_Patchwork_July_2020_1.yar | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Indian/APT/Patchwork/2020-07-23/Yara/Yara_Patchwork_July_2020_1.yar b/Indian/APT/Patchwork/2020-07-23/Yara/Yara_Patchwork_July_2020_1.yar
index 4ac68a1..4db86ba 100644
--- a/Indian/APT/Patchwork/2020-07-23/Yara/Yara_Patchwork_July_2020_1.yar
+++ b/Indian/APT/Patchwork/2020-07-23/Yara/Yara_Patchwork_July_2020_1.yar
@@ -56,8 +56,7 @@ rule Mal_BadNews_2016_OPChina_1 {
 $s13 = "image/jpeg" fullword wide
 $s14 = "https://en.wikipnet/search.php" fullword ascii /* legit site used as test for connectivity*/
 condition:
- uint16(0) == 0x5a4d and filesize > 70KB and ( pe.imphash() == "c71a34b50e03311fe548bb5a730e97ac" and ( pe.exports("JLI_AcceptableRelease") and pe.exports("JLI_ExactVersionId") and pe.exports("JLI_FreeManifest") and pe.exports("JLI_JarUnpackFile") and pe.exports("JLI_MemFree") and pe.exports("JLI_MemRealloc") ) and 12 of them
-}
+ uint16(0) == 0x5a4d and filesize > 70KB and ( pe.imphash() == "c71a34b50e03311fe548bb5a730e97ac" and ( pe.exports("JLI_AcceptableRelease") and pe.exports("JLI_ExactVersionId") and pe.exports("JLI_FreeManifest") and pe.exports("JLI_JarUnpackFile") and pe.exports("JLI_MemFree") and pe.exports("JLI_MemRealloc") and 12 of them)
 
 rule Mal_BozokRAT_July2020_2 {
 meta:
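Review bot: The new condition line of Mal_BadNews_2016_OPChina_1 is still unbalanced — two opening parentheses (before `pe.imphash()` and before the `pe.exports` list) against one closing parenthesis after `12 of them` — and the rule's closing `}` is deleted without being re-added, so as far as this collapsed rendering shows the file would fail to compile and every rule in it, including the following Mal_BozokRAT_July2020_2, would be unavailable to the scanner. The pre-change line already had the missing parenthesis, so the commit does not repair it. Because every term is joined by `and`, the grouping carries no meaning and can be dropped: `uint16(0) == 0x5a4d and filesize > 70KB and pe.imphash() == "c71a34b50e03311fe548bb5a730e97ac" and pe.exports("JLI_AcceptableRelease") and pe.exports("JLI_ExactVersionId") and pe.exports("JLI_FreeManifest") and pe.exports("JLI_JarUnpackFile") and pe.exports("JLI_MemFree") and pe.exports("JLI_MemRealloc") and 12 of them` followed by `}` on its own line. This presumably relies on an `import "pe"` at the top of the file, which lies outside the hunk; worth confirming it is present when re-testing the compile.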