minor - changes

patch-1
pussycat0x 2023-08-01 15:24:35 +05:30
parent c318fc0a85
commit 92684a76c2
111 changed files with 242 additions and 189 deletions


@ -3,7 +3,7 @@ id: malware-aar
info:
name: AAR Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Hashtable"
- "get_IsDisposed"


@ -3,7 +3,7 @@ id: malware-adzok
info:
name: Adzok Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Adzok.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "key.classPK"
- "svd$1.classPK"
@ -25,6 +26,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "svd$1.classPK"
@ -58,6 +60,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
@ -69,6 +72,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
@ -80,6 +84,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"
@ -91,6 +96,7 @@ file:
condition: and
- type: word
part: raw
words:
- "config.xmlPK"
- "key.classPK"


@ -3,7 +3,7 @@ id: malware-alfa
info:
name: Alfa Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file
@ -11,7 +11,6 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:


@ -3,7 +3,7 @@ id: malware-alienspy
info:
name: AlienSpy Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "META-INF/MANIFEST.MF"
- "ePK"


@ -3,7 +3,7 @@ id: malware-alina
info:
name: Alina Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Alina.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'Alina v1.0'
- 'POST'


@ -3,7 +3,7 @@ id: malware-alpha
info:
name: Alpha Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Alpha.yar
tags: malware,file


@ -3,7 +3,7 @@ id: malware-andromeda
info:
name: Andromeda Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Andromeda.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst'
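Review bot: The single-quoted word on the last line of this hunk keeps its backslashes doubled, because YAML single quotes do not process `\\`; if the upstream YARA string used `\\` as an escape for one backslash, this matcher looks for a byte sequence that never occurs in the sample. The same applies to `'%s\\%s\\%s.exe'` in malware-dexter and to the `'\x12...'` words in malware-ezcob, where `\x12` stays as four literal characters rather than the byte 0x12, while malware-miniasp3 and malware-naspyupdate already use double quotes for the same purpose. Switching these to double-quoted scalars, e.g. `- "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst"`, and confirming the intended form against the referenced rule would make the matchers actually fire. The remainder of the matcher is outside the hunk.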


@ -3,7 +3,7 @@ id: malware-ap0calypse
info:
name: Ap0calypse Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Ap0calypse"
- "Sifre"


@ -3,7 +3,7 @@ id: malware-arcom
info:
name: Arcom Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "CVu3388fnek3W(3ij3fkp0930di"
- "ZINGAWI2"


@ -3,7 +3,7 @@ id: malware-arkei
info:
name: Arkei Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Arkei.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'Arkei'
- '/server/gate'


@ -3,7 +3,7 @@ id: malware-backoff
info:
name: Backoff Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Backoff.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- '&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s'
- '%s @ %s'


@ -3,7 +3,7 @@ id: malware-bandook
info:
name: Bandook Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "aaaaaa1|"
- "aaaaaa2|"


@ -3,7 +3,7 @@ id: malware-blacknix
info:
name: BlackNix Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "SETTINGS"
- "Mark Adler"
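Review bot: The two words in this hunk are strings found in a great deal of benign software: `Mark Adler` is the zlib author credit embedded in any binary that statically links zlib, and `SETTINGS` is a common resource name, so this template is likely to produce false positives on files unrelated to BlackNix. The same concern applies to malware-luxnet, whose `GetHashCode` and `Activator` appear in nearly every .NET assembly. If the referenced YARA rules pair these with more specific strings or a byte pattern, carrying those over, together with an explicit `condition: and` on the matcher, would keep hits meaningful; any further words or condition lines are outside this hunk, so this may already be partly handled.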


@ -3,7 +3,7 @@ id: malware-blackworm
info:
name: Blackworm Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_BlackWorm.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'm_ComputerObjectProvider'
- 'MyWebServices'


@ -3,7 +3,7 @@ id: malware-bluebanana
info:
name: BlueBanana Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "META-INF"
- "config.txt"


@ -3,7 +3,7 @@ id: malware-bozok
info:
name: Bozok Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Bozok.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "getVer"
- "StartVNC"


@ -3,7 +3,7 @@ id: malware-bublik
info:
name: Bublik Malware Detector
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Bublik.yar
tags: malware,file
@ -11,7 +11,6 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:
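Review bot: The template name `name: Bublik Malware Detector` does not follow the `<Family> Malware - Detect` pattern used by every other template in this commit, which matters for anyone filtering or sorting findings by name; `name: Bublik Malware - Detect` would bring it in line. That line is context rather than part of the change, so it may belong in a follow-up, and the binary matcher's pattern lines are outside the hunk.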


@ -3,7 +3,7 @@ id: malware-cap-hookexkeylogger
info:
name: CAP HookExKeylogger Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_CAP_HookExKeylogger.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD_LL"
@ -21,6 +22,7 @@ file:
case-insensitive: true
- type: word
part: raw
words:
- "SetWindowsHookEx"
- "WH_KEYBOARD"
@ -28,6 +30,7 @@ file:
case-insensitive: true
- type: word
part: raw
words:
- "WH_KEYBOARD"
- "WH_KEYBOARD_LL"


@ -3,7 +3,7 @@ id: malware-cerberus
info:
name: Cerberus Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Cerberus.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "Ypmw1Syv023QZD"
- "wZ2pla"
@ -21,6 +22,7 @@ file:
condition: or
- type: word
part: raw
words:
- "cerberus"
case-insensitive: true


@ -3,7 +3,7 @@ id: malware-clientmesh
info:
name: ClientMesh Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "machinedetails"
- "MySettings"


@ -3,7 +3,7 @@ id: malware-crimson
info:
name: Crimson Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Crimson.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "com/crimson/PK"
- "com/crimson/bootstrapJar/PK"


@ -3,7 +3,7 @@ id: malware-cryptxxx-dropper
info:
name: CryptXXX Dropper Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
@ -11,9 +11,8 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary #Dropper
- type: binary
binary:
- "50653157584346765962486F35"
- "43003A005C0042004900450052005C0051006D006B004E0052004C00460000"
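Review bot: Dropping the inline `#Dropper` comment on the `- type: binary` line removes the only explanation of what the hex pattern beneath it represents, and the same happens to `#cxpidStrings`/`#cxpidCode` in malware-cxpid, `#v4` in malware-dmalocker, `#GlassesStrings`/`#GlassesCode` in malware-glasses and `# Dynamic dll (malicious)` in malware-intel-virtualization, while malware-doublepulsar keeps its `#xor`/`#dll` comments, so the result is inconsistent. If the intent is to avoid trailing comments on matcher lines, move the text to its own line above the matcher, e.g. `# Dropper variant, see the referenced RANSOM_.CRYPTXXX.yar rule` followed by `- type: binary`, rather than deleting it. The rest of the matcher is outside the hunk.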


@ -3,7 +3,7 @@ id: malware-cryptxxx
info:
name: CryptXXX Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file
@ -11,7 +11,6 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:


@ -3,7 +3,7 @@ id: malware-cxpid
info:
name: Cxpid Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cxpid.yar
tags: malware,file
@ -13,7 +13,8 @@ file:
matchers-condition: or
matchers:
- type: word #cxpidStrings
- type: word
part: raw
words:
- '/cxpid/submit.php?SessionID='
- '/cxgid/'
@ -21,6 +22,6 @@ file:
- 'E21BC52BEA39E435C40CD8'
- ' -,L-,O+,Q-,R-,Y-,S-'
- type: binary #cxpidCode
- type: binary
binary:
- "558BECB9380400006A006A004975F9"


@ -3,7 +3,7 @@ id: malware-cythosia
info:
name: Cythosia Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Cythosia.yar
tags: malware,file
@ -11,8 +11,8 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'HarvesterSocksBot.Properties.Resources'


@ -3,7 +3,7 @@ id: malware-darkrat
info:
name: DarkRAT Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "@1906dark1996coder@"
- "SHEmptyRecycleBinA"


@ -3,7 +3,7 @@ id: malware-ddostf
info:
name: DDoSTf Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DDoSTf.yar
@ -16,6 +16,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'ddos.tf'
- 'Accept-Language: zh'


@ -3,7 +3,7 @@ id: malware-derkziel
info:
name: Derkziel Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://bhf.su/threads/137898/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Derkziel.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- '{!}DRZ{!}'
- 'User-Agent: Uploador'


@ -3,7 +3,7 @@ id: malware-dexter
info:
name: Dexter Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Dexter.yar
- http://goo.gl/oBvy8b
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'Java Security Plugin'
- '%s\\%s\\%s.exe'


@ -3,7 +3,7 @@ id: malware-diamondfox
info:
name: DiamondFox Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_DiamondFox.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'UPDATE_B'
- 'UNISTALL_B'


@ -3,7 +3,7 @@ id: malware-dmalocker
info:
name: DMA Locker Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DMALocker.yar
tags: malware,file
@ -18,4 +18,5 @@ file:
- "21444d414c4f434b"
- "21444d414c4f434b332e30"
- "3F520000FFFFFFFF06000000524C4141"
- "21444d414c4f434b342e30" #v4
- "21444d414c4f434b342e30"
condition: or


@ -3,7 +3,7 @@ id: malware-doublepulsar
info:
name: DoublePulsar Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_DoublePulsar_Petya.yar
tags: malware,file
@ -16,3 +16,4 @@ file:
binary:
- "FD0C8C5CB8C424C5CCCCCC0EE8CC246BCCCCCC0F24CDCCCCCC275C9775BACDCCCCC3FE" #xor
- "45208D938D928D918D90929391970F9F9E9D99844529844D20CCCDCCCC9B844503844514844549CC3333332477CCCCCC844549C43333332484CDCCCC844549DC333333844749CC333333844741" #dll
condition: or


@ -3,7 +3,7 @@ id: malware-eicar
info:
name: Eicar Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Eicar.yar
tags: malware,file
@ -13,5 +13,6 @@ file:
matchers:
- type: word
part: raw
words:
- "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
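Review bot: The string matched in this hunk identifies the EICAR anti-virus test file, not malware, so `name: Eicar Malware - Detect` together with the `malware` tag will lead triage to treat a deliberate test artifact as an infection. A name such as `name: EICAR Test File - Detect`, and a tag that distinguishes test artifacts from real detections, would make hits self-explanatory. The `name` line is context in the first hunk of this section rather than part of the change.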


@ -3,7 +3,7 @@ id: malware-erebus
info:
name: Erebus Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
- "EREBUS IS BEST."


@ -3,7 +3,7 @@ id: malware-ezcob
info:
name: Ezcob Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Ezcob.yar
tags: malware,file
@ -13,9 +13,11 @@ file:
matchers:
- type: word
part: raw
words:
- '\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12'
- '\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12'
- 'Ezcob'
- 'l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126'
- '20110113144935'
condition: or


@ -3,7 +3,7 @@ id: malware-fudcrypt
info:
name: FUDCrypt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/gigajew/FudCrypt/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_FUDCrypt.yar
@ -15,6 +15,7 @@ file:
matchers:
- type: word
part: raw
words:
- 'OcYjzPUtJkNbLOABqYvNbvhZf'
- 'gwiXxyIDDtoYzgMSRGMckRbJi'


@ -3,7 +3,7 @@ id: malware-gafgyt-generic
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "/bin/busybox;echo -e 'gayfgt'"
- '/proc/net/route'


@ -3,7 +3,7 @@ id: malware-gafgyt-hihi
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PONG'
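Review bot: The matcher in this hunk is identical to the one in malware-gafgyt-jackmy (`'PING'` and `'PONG'` under `matchers-condition: and`), so the two templates will always fire together and one of them adds nothing; on top of that, these words occur in practically any IRC client or server binary, so the template is likely to match benign files, and malware-gafgyt-hoho's `'PING'`/`'PRIVMSG'` has the same problem. Unless further words or a `condition` line follow outside the hunk, either merge the duplicated templates or bring in the more specific strings from the referenced MALW_Gafgyt.yar variants.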


@ -3,7 +3,7 @@ id: malware-gafgyt-hoho
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PRIVMSG'


@ -3,7 +3,7 @@ id: malware-gafgyt-jackmy
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'PING'
- 'PONG'


@ -3,7 +3,7 @@ id: malware-gafgyt-oh
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'busyboxterrorist'
- 'BOGOMIPS'


@ -3,7 +3,7 @@ id: malware-gafgyt-bash
info:
name: Gafgyt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gafgyt.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'PONG!'
- 'GETLOCALIP'


@ -3,7 +3,7 @@ id: malware-genome
info:
name: Genome Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Genome.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- 'Attempting to create more than one keyboard::Monitor instance'
- '{Right windows}'


@ -3,7 +3,7 @@ id: malware-glass
info:
name: Glass Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Glass.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "PostQuitMessage"
- "pwlfnn10,gzg"


@ -3,7 +3,7 @@ id: malware-glasses
info:
name: Glasses Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://citizenlab.ca/2013/02/apt1s-glasses-watching-a-human-rights-organization/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Glasses.yar
@ -15,14 +15,15 @@ file:
matchers-condition: and
matchers:
- type: word #GlassesStrings
- type: word
part: raw
words:
- 'thequickbrownfxjmpsvalzydg'
- 'Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)'
- '" target="NewRef"></a>'
condition: and
- type: binary #GlassesCode
- type: binary
binary:
- "B8ABAAAAAAF7E1D1EA8D04522BC8"
- "B856555555F7E98B4C241C8BC2C1E81F03D0493BCA"


@ -3,7 +3,7 @@ id: malware-gozi
info:
name: Gozi Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Gozi.yar


@ -3,7 +3,7 @@ id: malware-gpgqwerty
info:
name: GPGQwerty Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_GPGQwerty.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "gpg.exe recipient qwerty -o"
- "%s%s.%d.qwerty"


@ -3,7 +3,7 @@ id: malware-greame
info:
name: Greame Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "EditSvr"
- "TLoader"


@ -3,7 +3,7 @@ id: malware-grozlex
info:
name: Grozlex Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Grozlex.yar


@ -3,7 +3,7 @@ id: malware-hawkeye
info:
name: HawkEye Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "HawkEyeKeylogger"
- "099u787978786"


@ -3,7 +3,7 @@ id: malware-imminent
info:
name: Imminent Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "DecodeProductKey"
- "StartHTTPFlood"
@ -25,6 +26,7 @@ file:
condition: and
- type: word
part: raw
words:
- "<URL>k__BackingField"
- "<RunHidden>k__BackingField"


@ -3,7 +3,7 @@ id: malware-infinity
info:
name: Infinity Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "CRYPTPROTECT_PROMPTSTRUCT"
- "discomouse"


@ -3,7 +3,7 @@ id: malware-insta11
info:
name: Insta11 Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Install11.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- 'XTALKER7'
- 'Insta11 Microsoft'


@ -3,7 +3,7 @@ id: malware-intel-virtualization
info:
name: Intel Virtualization Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Intel_Virtualization.yar
tags: malware,file
@ -22,7 +22,7 @@ file:
- '6863637574696C732E444C4C'
condition: and
- type: binary # Dynamic dll (malicious)
- type: binary
binary:
- '483A5C466173745C506C756728686B636D64295C'
- '646C6C5C52656C656173655C48696A61636B446C6C2E706462'


@ -3,7 +3,7 @@ id: malware-iotreaper
info:
name: IotReaper Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_IotReaper.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- 'XTALKER7'
- 'Insta11 Microsoft'
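Review bot: The words in this hunk, `'XTALKER7'` and `'Insta11 Microsoft'`, are the same as those of malware-insta11, while the reference points to MALW_IotReaper.yar, which suggests the matcher was copied from the Insta11 template and never replaced; as written, the template would report IotReaper on Insta11 samples and miss IotReaper itself. These lines are context rather than part of this commit, but the severity change touches the same file, so it is a good moment to replace them with the strings from the referenced rule. The rest of the matcher is outside the hunk.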


@ -3,7 +3,7 @@ id: malware-linux-aesddos
info:
name: Linux AESDDOS Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
@ -16,18 +16,21 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "3AES"
- "Hacker"
condition: and
- type: word
part: raw
words:
- "3AES"
- "VERSONEX"
condition: and
- type: word
part: raw
words:
- "VERSONEX"
- "Hacker"


@ -3,7 +3,7 @@ id: malware-linux-billgates
info:
name: Linux BillGates Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "12CUpdateGates"
- "11CUpdateBill"


@ -3,7 +3,7 @@ id: malware-linux-elknot
info:
name: Linux Elknot Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "ZN8CUtility7DeCryptEPciPKci"
- "ZN13CThreadAttack5StartEP11CCmdMessage"


@ -3,7 +3,7 @@ id: malware-linux-mrblack
info:
name: Linux MrBlack Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Mr.Black"
- "VERS0NEX:%s|%d|%d|%s"


@ -3,7 +3,7 @@ id: malware-linux-tsunami
info:
name: Linux Tsunami Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Miscelanea_Linux.yar
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
@ -15,6 +15,7 @@ file:
matchers:
- type: word
part: raw
words:
- "PRIVMSG %s :[STD]Hitting %s"
- "NOTICE %s :TSUNAMI <target> <secs>"


@ -3,7 +3,7 @@ id: malware-locky
info:
name: Locky Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Locky.yar
tags: malware,file


@ -3,7 +3,7 @@ id: malware-lostdoor
info:
name: LostDoor Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "*mlt* = %"
- "*ip* = %"


@ -3,7 +3,7 @@ id: malware-luminositylink
info:
name: LuminosityLink Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "SMARTLOGS"
- "RUNPE"


@ -3,7 +3,7 @@ id: malware-luxnet
info:
name: LuxNet Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "GetHashCode"
- "Activator"


@ -3,7 +3,7 @@ id: malware-macgyver-installer
info:
name: MacGyver.cap Installer Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "delete -AID 315041592e5359532e4444463031"
- "install -file MacGyver.cap -nvDataLimit 1000 -instParam 00 -priv 4"


@ -3,7 +3,7 @@ id: malware-macgyver
info:
name: MacGyver.cap Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/fboldewin/MacGyver-s-return---An-EMV-Chip-cloning-case/blob/master/MacGyver's%20return%20-%20An%20EMV%20Chip%20cloning%20case.pdf
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MacGyver.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "src/MacGyver/javacard/Header.cap"
- "src/MacGyver/javacard/Directory.cap"


@ -3,7 +3,7 @@ id: malware-madness
info:
name: Madness DDOS Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- https://github.com/arbor/yara/blob/master/madness.yara
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Madness.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE"
- "TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ=="


@ -3,7 +3,7 @@ id: malware-miner
info:
name: Miner Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_XMRIG_Miner.yar
tags: malware,file
@ -13,6 +13,7 @@ file:
matchers:
- type: word
part: raw
words:
- "stratum+tcp"
- "stratum+udp"


@ -3,7 +3,7 @@ id: malware-miniasp3
info:
name: MiniASP3 Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_MiniAsp3_mem.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
@ -22,6 +23,7 @@ file:
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
@ -30,6 +32,7 @@ file:
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
@ -38,6 +41,7 @@ file:
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"
@ -46,6 +50,7 @@ file:
condition: and
- type: word
part: raw
words:
- "MiniAsp3\\Release\\MiniAsp.pdb"
- "http://%s/about.htm"


@ -3,7 +3,7 @@ id: malware-naikon
info:
name: Naikon Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naikon.yar
tags: malware,file
@ -21,6 +21,7 @@ file:
condition: and
- type: word
part: raw
words:
- "NOKIAN95/WEB"
- "/tag=info&id=15"


@ -3,7 +3,7 @@ id: malware-naspyupdate
info:
name: nAspyUpdate Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Naspyupdate.yar
tags: malware,file
@ -18,6 +18,7 @@ file:
- "8A5424148A0132C202C28801414E75F4"
- type: word
part: raw
words:
- "\\httpclient.txt"
- "password <=14"


@ -3,7 +3,7 @@ id: malware-notepad
info:
name: Notepad v1.1 Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Notepad.yar
tags: malware,file
@ -13,6 +13,7 @@ file:
matchers:
- type: word
part: raw
words:
- "75BAA77C842BE168B0F66C42C7885997"
- "B523F63566F407F3834BCC54AAA32524"


@ -3,7 +3,7 @@ id: malware-olyx
info:
name: Olyx Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Olyx.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "/Applications/Automator.app/Contents/MacOS/DockLight"
condition: or


@ -3,7 +3,7 @@ id: malware-osx-leverage
info:
name: OSX Leverage Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"


@ -3,7 +3,7 @@ id: malware-paradox
info:
name: Paradox Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "ParadoxRAT"
- "Form1"


@ -3,7 +3,7 @@ id: malware-plasma
info:
name: Plasma Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Miner: Failed to Inject."
- "Started GPU Mining on:"


@ -3,7 +3,7 @@ id: malware-poetrat
info:
name: PoetRat Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_PoetRATDoc.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "launcher.py"
- "smile.zip"


@ -3,7 +3,7 @@ id: malware-pony
info:
name: Pony Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Pony.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
- "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"


@ -3,7 +3,7 @@ id: malware-pubsab
info:
name: PubSab Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PubSab.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "_deamon_init"
- "com.apple.PubSabAgent"


@ -3,7 +3,7 @@ id: malware-punisher
info:
name: Punisher Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "abccba"
- "SpyTheSpy"


@ -3,7 +3,7 @@ id: malware-pypi
info:
name: Fake PyPI Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_PyPI.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "# Welcome Here! :)"
- "# just toy, no harm :)"


@ -3,7 +3,7 @@ id: malware-pythorat
info:
name: PythoRAT Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "TKeylogger"
- "uFileTransfer"


@ -3,7 +3,7 @@ id: malware-qrat
info:
name: QRat Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "quaverse/crypter"
- "Qrypt.class"
@ -22,6 +23,7 @@ file:
condition: and
- type: word
part: raw
words:
- "e-data"
- "Qrypt.class"
@ -38,6 +40,7 @@ file:
condition: and
- type: word
part: raw
words:
- "e-data"
- "quaverse/crypter"


@ -3,7 +3,7 @@ id: malware-satana-dropper
info:
name: Satana Dropper Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Satana.yar
tags: malware,file
@ -11,9 +11,8 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary #Dropper
- type: binary
binary:
- "25732D547279457863657074"
- "643A5C6C626574776D77795C75696A657571706C667775622E706462"
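Review bot: The `- type: binary` line drops the `#Dropper` annotation instead of relocating it; yamllint's comments rule wants at least two spaces before an inline `#`, which is probably what prompted the edit, but the fix that keeps the note is a comment on its own line, `# Dropper`, indented like `- type: binary` and placed immediately above it. If this template has further matchers past the hunk, that label is the only thing telling a reader which matcher targets the dropper stage. The matcher list continues outside the hunk.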


@ -3,7 +3,7 @@ id: malware-satana
info:
name: Satana Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_.CRYPTXXX.yar
tags: malware,file


@ -3,7 +3,7 @@ id: malware-shimrat
info:
name: ShimRat Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- ".dll"
- ".dat"
@ -22,12 +23,14 @@ file:
condition: and
- type: word
part: raw
words:
- "Data$$00"
- "Data$$01%c%sData"
condition: and
- type: word
part: raw
words:
- "ping localhost -n 9 /c %s > nul"
- "Demo"


@ -3,7 +3,7 @@ id: malware-shimratreporter
info:
name: ShimRatReporter Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Shim.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "IP-INFO"
- "Network-INFO"


@ -3,7 +3,7 @@ id: malware-sigma
info:
name: Sigma Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Sigma.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- ".php?"
- "uid="


@ -3,7 +3,7 @@ id: malware-smallnet
info:
name: SmallNet Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,15 +11,16 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "!!<3SAFIA<3!!"
- "!!ElMattadorDz!!"
condition: or
- type: word
part: raw
words:
- "stub_2.Properties"
- "stub.exe"


@ -3,7 +3,7 @@ id: malware-snake
info:
name: Snake Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Snake.yar
tags: malware,file
@ -14,6 +14,7 @@ file:
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\""


@ -3,7 +3,7 @@ id: malware-sub7nation
info:
name: Sub7Nation Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Ratdecoders.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "EnableLUA /t REG_DWORD /d 0 /f"
- "*A01*"


@ -3,7 +3,7 @@ id: malware-t5000
info:
name: T5000 Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_T5000.yar
tags: malware,file
@ -13,6 +13,7 @@ file:
matchers:
- type: word
part: raw
words:
- "_tmpR.vbs"
- "_tmpg.vbs"


@ -3,7 +3,7 @@ id: malware-tedroo
info:
name: Tedroo Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Tedroo.yar
tags: malware,file
@ -11,7 +11,6 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: binary
binary:


@ -3,7 +3,7 @@ id: malware-terminator
info:
name: Terminator Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Terminator.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "Accelorator"
- "<html><title>12356</title><body>"


@ -3,7 +3,7 @@ id: malware-teslacrypt
info:
name: TeslaCrypt Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_TeslaCrypt.yar
tags: malware,file


@ -3,7 +3,7 @@ id: malware-tox
info:
name: Tox Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Tox.yar
tags: malware,file
@ -14,18 +14,21 @@ file:
matchers-condition: or
matchers:
- type: word
part: raw
words:
- "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
- "t;<<t;<<t<<<t<<"
condition: and
- type: word
part: raw
words:
- "t;<<t;<<t<<<t<<"
- ">>><<<"
condition: and
- type: word
part: raw
words:
- "n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<"
- ">>><<<"


@ -3,7 +3,7 @@ id: malware-treasurehunt
info:
name: Trickbot Malware - Detect
author: daffainfo
severity: critical
severity: info
reference:
- http://www.minerva-labs.com/#!Cybercriminals-Adopt-the-Mossad-Emblem/c7a5/573da2d60cf2f90ca6f6e3ed
- https://github.com/Yara-Rules/rules/blob/master/malware/MALW_TreasureHunt.yar
@ -13,9 +13,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "treasureHunter.pdb"
- "jucheck"
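Review bot: The `name: Trickbot Malware - Detect` line does not match this template, whose id is `malware-treasurehunt`, whose reference is MALW_TreasureHunt.yar and whose matcher looks for `treasureHunter.pdb`; the commit edits the adjacent `severity` line but leaves this copy-paste name in place, and the separate malware-trickbot section already carries the same name. Change it to `name: TreasureHunt Malware - Detect` so reports and template listings are not mislabeled. The `info` mapping and the word matcher both continue outside the hunk.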


@ -3,7 +3,7 @@ id: malware-trickbot
info:
name: Trickbot Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_TrickBot.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "moduleconfig"
- "Start"


@ -3,7 +3,7 @@ id: malware-trumpbot
info:
name: TrumpBot Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Trumpbot.yar
tags: malware,file
@ -11,9 +11,9 @@ file:
- extensions:
- all
matchers-condition: and
matchers:
- type: word
part: raw
words:
- "trumpisdaddy"
- "198.50.154.188"


@ -3,7 +3,7 @@ id: malware-universal-1337
info:
name: Universal 1337 Stealer Malware - Detect
author: daffainfo
severity: critical
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Stealer.yar
tags: malware,file
