diff --git a/Indian/APT/Patchwork/2020-07-23/Yara/Yara_Patchwork_July_2020_1.yar b/Indian/APT/Patchwork/2020-07-23/Yara/Yara_Patchwork_July_2020_1.yar
index b0de7ed..4ac68a1 100644
--- a/Indian/APT/Patchwork/2020-07-23/Yara/Yara_Patchwork_July_2020_1.yar
+++ b/Indian/APT/Patchwork/2020-07-23/Yara/Yara_Patchwork_July_2020_1.yar
@@ -30,7 +30,7 @@ rule Mal_BozokRAT_July_2020_1 {
 $s20 = "https://google.com-" fullword ascii /* legit site used as test for connectivity*/
 $s21 = "--*****-------" fullword ascii
 condition:
- uint16(0) == 0x5a4d and filesize < 50KB and ( pe.imphash() == "75b883fc692473a6eb7f309e3f1a432d" or 15 of them )
+ uint16(0) == 0x5a4d and filesize > 50KB and ( pe.imphash() == "75b883fc692473a6eb7f309e3f1a432d" or 15 of them )
 }
 
 rule Mal_BadNews_2016_OPChina_1 {
@@ -56,7 +56,7 @@ rule Mal_BadNews_2016_OPChina_1 {
 $s13 = "image/jpeg" fullword wide
 $s14 = "https://en.wikipnet/search.php" fullword ascii /* legit site used as test for connectivity*/
 condition:
- uint16(0) == 0x5a4d and filesize < 70KB and ( pe.imphash() == "c71a34b50e03311fe548bb5a730e97ac" and ( pe.exports("JLI_AcceptableRelease") and pe.exports("JLI_ExactVersionId") and pe.exports("JLI_FreeManifest") and pe.exports("JLI_JarUnpackFile") and pe.exports("JLI_MemFree") and pe.exports("JLI_MemRealloc") ) and 12 of them
+ uint16(0) == 0x5a4d and filesize > 70KB and ( pe.imphash() == "c71a34b50e03311fe548bb5a730e97ac" and ( pe.exports("JLI_AcceptableRelease") and pe.exports("JLI_ExactVersionId") and pe.exports("JLI_FreeManifest") and pe.exports("JLI_JarUnpackFile") and pe.exports("JLI_MemFree") and pe.exports("JLI_MemRealloc") ) and 12 of them
 }
 
 rule Mal_BozokRAT_July2020_2 {
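Review bot: Inverting `filesize < 50KB` to `filesize > 50KB` on the new condition line removes the rule's only upper bound, so it is now evaluated against every MZ file above 50KB and the `15 of them` string search runs over arbitrarily large inputs. If the actual problem was that the observed samples exceed 50KB, the fix is a wider cap rather than a flipped comparison, e.g. `uint16(0) == 0x5a4d and filesize < SIZE_CAP and ( pe.imphash() == "75b883fc692473a6eb7f309e3f1a432d" or 15 of them )` with SIZE_CAP set from the sample set (placeholder, not from the page). The same inversion is made in the hunks at -56 (`> 70KB`) and -82 (`> 130KB`) and the same remark applies there. A short comment in the rule header recording the sample sizes the bound was derived from would make future changes to it auditable; the rule's meta section and any `import "pe"` line are outside this hunk, so I cannot see whether such a note already exists.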
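Review bot: As rendered here the new condition line of Mal_BadNews_2016_OPChina_1 never closes the parenthesis opened at `( pe.imphash() == "c71a34b50e03311fe548bb5a730e97ac"`: the inner `( pe.exports(...) ... pe.exports("JLI_MemRealloc") )` group balances, but the outer group does not, so yara should reject the rule at compile time unless the bracket is closed on a line outside this hunk. The line should end `... pe.exports("JLI_MemRealloc") ) and 12 of them )`, or, since the whole tail is a single `and` chain, the outer parentheses can be dropped altogether. Separately, `$s14` is commented as a legitimate connectivity-test site, but `en.wikipnet` does not look like a real host; if that is a transcription slip of the string seen in the sample it will never match and is worth re-checking against the binary.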
@@ -82,5 +82,5 @@ rule Mal_BozokRAT_July2020_2 {
 $s13 = "--*****------" fullword ascii
 $s14 = "https://en.wikipedia.org/wiki/Main_Page" fullword ascii /* legit site used as test for connectivity*/
 condition:
- uint16(0) == 0x5a4d and filesize < 130KB and ( pe.imphash() == "79cf8ca8dd4dad9d47e49beb5c9bbd50" or 11 of them )
+ uint16(0) == 0x5a4d and filesize > 130KB and ( pe.imphash() == "79cf8ca8dd4dad9d47e49beb5c9bbd50" or 11 of them )
 }