JohnGalt14

YARA Rules - NetTraveler

Jun 14th, 2013
  1. /*
  2.   Rules generated from APT Report NetTraveler
  3.   http://www.securelist.com/en/blog/8105/NetTraveler_is_Running_Red_Star_APT_Attacks_Compromise_High_Profile_Victims  
  4. */
  // Matches data that contains all three literal strings below; per the
  // description these are contents of a batch file associated with the malware.
  // NOTE(review): the condition has no file-type or size constraint, so any
  // scanned data holding these three substrings matches, including a plaintext
  // copy of this rule file. Treat a hit as a lead to triage, not a verdict.
  rule APT_Malware_BAT_Contents {
      meta:
          description = "APT Malware Batch File Contents"
          threat_level = 10
          score = 60
      strings:
          // No modifiers: case-sensitive, ASCII, substring match.
          $a1 = ">nul del"
          $a2 = "service.exe"
          $a3 = "service.dll"
      condition:
          // Same as "all of them": every string must occur at least once.
          $a1 and $a2 and $a3
  }
  // Matches data that contains both strings below as whole words.
  // NOTE(review): "ServiceMain" is the conventional entry-point name in Windows
  // service DLLs, so $a2 is presumably common in benign files; the rule's
  // specificity rests on $a1. There is no file-type check in the condition.
  rule APT_Malware_NetTraveler_Saker {
      meta:
          description = "APT Malware NetTraveler Saker"
          threat_level = 10
          score = 50
      strings:
          // fullword: the match must be delimited by non-alphanumeric bytes.
          $a1 = "JustTempFun" fullword
          // nocase: any letter casing of "servicemain" is accepted.
          $a2 = "servicemain" nocase fullword
      condition:
          // Same as "all of them": both strings are required.
          $a1 and $a2
  }
  // Matches data that contains both literal strings below.
  // NOTE(review): both are plain ASCII, case-sensitive substring matches with
  // no file-type or size constraint, so a plaintext copy of this rule file
  // also matches. Exclude rule directories from scans or expect that hit.
  rule APT_Malware_NetTraveler_Trojan {
      meta:
          description = "APT Malware NetTraveler Trojan"
          threat_level = 10
          score = 65
      strings:
          $a1 = "Get From IEOption!"
          $a2 = "Get From Reg!"
      condition:
          // Same as "all of them": every $a* string must occur at least once.
          all of ($a*)
  }