rule: Ryuk rule fix

Neo23x0 · Oct 29, 2020 · 7dcb9ff · 7dcb9ff
1 parent 69d88f6
commit 7dcb9ff
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/yara/ryuk-commandlines.yar b/yara/ryuk-commandlines.yar
@@ -10,13 +10,13 @@ rule Ryuk_CmdLines {
 
         /* FireEye report https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html */
         $ba1 = "process call create"
-        $ba2 = "cmd.exe /c bitsadmin /transfer"
-        $ba3 = "%APPDATA%" nocase
+        $ba2 = "bitsadmin /transfer"
+        $ba3 = "AppData" nocase
 
         $bx1 = "/transfer vVv"
         $bx2 = "temp\\vVv.exe"
     condition:
         all of ($a*) and 1 of ($s*) 
-        or all of ($b*) 
+        or all of ($ba*) 
         or 1 of ($bx*)
 }