ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Yara_Patchwork_July_2020_1.yar

Browse Source
This commit is contained in:
StrangerealIntel 2020-11-06 20:51:23 +01:00 committed by GitHub
parent 60404a8cf9
commit 1b0de13363
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Indian/APT/Patchwork/2020-07-23/Yara/Yara_Patchwork_July_2020_1.yar
View File

@ -56,8 +56,7 @@ rule Mal_BadNews_2016_OPChina_1 {
$s13 = "image/jpeg" fullword wide $s13 = "image/jpeg" fullword wide
$s14 = "https://en.wikipnet/search.php" fullword ascii /* legit site used as test for connectivity*/ $s14 = "https://en.wikipnet/search.php" fullword ascii /* legit site used as test for connectivity*/
condition: condition:
uint16(0) == 0x5a4d and filesize > 70KB and ( pe.imphash() == "c71a34b50e03311fe548bb5a730e97ac" and ( pe.exports("JLI_AcceptableRelease") and pe.exports("JLI_ExactVersionId") and pe.exports("JLI_FreeManifest") and pe.exports("JLI_JarUnpackFile") and pe.exports("JLI_MemFree") and pe.exports("JLI_MemRealloc") ) and 12 of them uint16(0) == 0x5a4d and filesize > 70KB and ( pe.imphash() == "c71a34b50e03311fe548bb5a730e97ac" and ( pe.exports("JLI_AcceptableRelease") and pe.exports("JLI_ExactVersionId") and pe.exports("JLI_FreeManifest") and pe.exports("JLI_JarUnpackFile") and pe.exports("JLI_MemFree") and pe.exports("JLI_MemRealloc") and 12 of them)
}
rule Mal_BozokRAT_July2020_2 { rule Mal_BozokRAT_July2020_2 {
meta: meta: