junk/spl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update apts/blacktech/apt_waterbear.md

Browse Source
This commit is contained in:
junk
2025-01-09 17:02:12 -05:00
parent ec297b133c
commit 40ac7482b7
1 changed files with 31 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
apts/blacktech/apt_waterbear.md
View File

@ -7,7 +7,7 @@
*/ */
/* Rule Set ----------------------------------------------------------------- */ /* Rule Set ----------------------------------------------------------------- */
```
rule Waterbear_1_Jun17 { rule Waterbear_1_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -23,7 +23,8 @@ rule Waterbear_1_Jun17 {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 100KB and all of them ) ( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
} }
```
```
rule Waterbear_2_Jun17 { rule Waterbear_2_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -41,7 +42,9 @@ rule Waterbear_2_Jun17 {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
} }
```
```
rule Waterbear_4_Jun17 { rule Waterbear_4_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -66,7 +69,9 @@ rule Waterbear_4_Jun17 {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them ) ( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
} }
```
```
rule Waterbear_5_Jun17 { rule Waterbear_5_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -88,7 +93,9 @@ rule Waterbear_5_Jun17 {
condition: condition:
( uint16(0) == 0x3d53 and filesize < 100KB and ( all of ($a*) or 3 of them ) ) ( uint16(0) == 0x3d53 and filesize < 100KB and ( all of ($a*) or 3 of them ) )
} }
```
```
rule Waterbear_6_Jun17 { rule Waterbear_6_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -104,7 +111,10 @@ rule Waterbear_6_Jun17 {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 60KB and all of them ) ( uint16(0) == 0x5a4d and filesize < 60KB and all of them )
} }
```
```
rule Waterbear_7_Jun17 { rule Waterbear_7_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -123,7 +133,10 @@ rule Waterbear_7_Jun17 {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 80KB and all of them ) ( uint16(0) == 0x5a4d and filesize < 80KB and all of them )
} }
```
```
rule Waterbear_8_Jun17 { rule Waterbear_8_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -143,7 +156,10 @@ rule Waterbear_8_Jun17 {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 40KB and all of them ) ( uint16(0) == 0x5a4d and filesize < 40KB and all of them )
} }
```
```
rule Waterbear_9_Jun17 { rule Waterbear_9_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -164,7 +180,9 @@ rule Waterbear_9_Jun17 {
condition: condition:
uint16(0) == 0x5a4d and filesize < 30KB and all of ($s*) and ( $a1 or all of ($b*) ) uint16(0) == 0x5a4d and filesize < 30KB and all of ($s*) and ( $a1 or all of ($b*) )
} }
```
```
rule Waterbear_10_Jun17 { rule Waterbear_10_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -180,8 +198,8 @@ rule Waterbear_10_Jun17 {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 30KB and all of them ) ( uint16(0) == 0x5a4d and filesize < 30KB and all of them )
} }
```
```
rule Waterbear_11_Jun17 { rule Waterbear_11_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -199,7 +217,10 @@ rule Waterbear_11_Jun17 {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 1000KB and all of them ) ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
} }
```
```
rule Waterbear_12_Jun17 { rule Waterbear_12_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -215,7 +236,9 @@ rule Waterbear_12_Jun17 {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and all of them ) ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
} }
```
```
rule Waterbear_13_Jun17 { rule Waterbear_13_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -241,7 +264,8 @@ rule Waterbear_13_Jun17 {
condition: condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them ) ( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them )
} }
```
```
rule Waterbear_14_Jun17 { rule Waterbear_14_Jun17 {
meta: meta:
description = "Detects malware from Operation Waterbear" description = "Detects malware from Operation Waterbear"
@ -258,4 +282,5 @@ rule Waterbear_14_Jun17 {
$s2 = "C:\\recycled" fullword ascii $s2 = "C:\\recycled" fullword ascii
condition: condition:
( uint16(0) == 0x5a4d and filesize < 8000KB and all of them ) ( uint16(0) == 0x5a4d and filesize < 8000KB and all of them )
} }
```