Commit

updates
blacktop committed Jan 5, 2019
1 parent 4240264 commit f0e8a86
Showing 5 changed files with 8 additions and 72 deletions.
2 changes: 1 addition & 1 deletion Makefile
@@ -49,7 +49,7 @@ ifeq ("$(shell docker inspect -f {{.State.Running}} elasticsearch)", "true")
@docker rm -f elasticsearch || true
endif
@echo "===> Starting elasticsearch"
@docker run --init -d --name elasticsearch -p 9200:9200 malice/elasticsearch:6.3; sleep 15
@docker run --init -d --name elasticsearch -p 9200:9200 malice/elasticsearch; sleep 15

.PHONY: malware
malware:
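Review bot: dropping the `:6.3` tag in `@docker run --init -d --name elasticsearch -p 9200:9200 malice/elasticsearch; sleep 15` makes the `elasticsearch` target pull whatever `latest` resolves to on each run, so the development environment is no longer reproducible and a future major release can change index behaviour without anyone noticing (the `docs/elastic.json` sample in this same commit still relies on a mapping type, `"_type": "samples"`, which later Elasticsearch major versions deprecate and then remove). Prefer pinning a tag or an image digest, and consider replacing the fixed `sleep 15` with a loop that polls the cluster until it answers on port 9200.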
2 changes: 1 addition & 1 deletion README.md
@@ -2,7 +2,7 @@

# malice-yara

[![Circle CI](https://circleci.com/gh/malice-plugins/yara.png?style=shield)](https://circleci.com/gh/malice-plugins/yara) [![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org) [![Docker Stars](https://img.shields.io/docker/stars/malice/yara.svg)](https://hub.docker.com/r/malice/yara/) [![Docker Pulls](https://img.shields.io/docker/pulls/malice/yara.svg)](https://hub.docker.com/r/malice/yara/) [![Docker Image](https://img.shields.io/badge/docker%20image-53.2MB-blue.svg)](https://hub.docker.com/r/malice/virustotal/)
[![Circle CI](https://circleci.com/gh/malice-plugins/yara.png?style=shield)](https://circleci.com/gh/malice-plugins/yara) [![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org) [![Docker Stars](https://img.shields.io/docker/stars/malice/yara.svg)](https://hub.docker.com/r/malice/yara/) [![Docker Pulls](https://img.shields.io/docker/pulls/malice/yara.svg)](https://hub.docker.com/r/malice/yara/) [![Docker Image](https://img.shields.io/badge/docker%20image-52.9MB-blue.svg)](https://hub.docker.com/r/malice/virustotal/)

Malice Yara Plugin

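Review bot: the Docker Image badge on both the old and new line still links to `https://hub.docker.com/r/malice/virustotal/` while its neighbours and the README title refer to `malice/yara`; the link should point at `https://hub.docker.com/r/malice/yara/`. The size itself (`52.9MB`) is hard-coded into the badge URL and will drift from the published image the next time the build changes, so a badge generated from the registry would avoid editing this line on every release.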
2 changes: 0 additions & 2 deletions docs/SAMPLE.md
@@ -6,7 +6,6 @@
| `maldoc_function_prolog_signature` | | `0x1454` | `"U\x8b\xec\x81\xec"` | [] |
| `maldoc_structured_exception_handling` | | `0x5a55` | `"d\xa1\x00\x00\x00\x00"` | [] |
| `maldoc_suspicious_strings` | | `0x67ec` | `"CloseHandle"` | [] |
| `PEiD_00138_Armadillo_v1_71_` | [Armadillo v1.71] | `0x5a46` | `"U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1"` | [] |
| `PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_` | [dUP v2.x Patcher --> www.diablo2oo2.cjb.net] | `0x4e` | `"This program cannot be ru"` | [] |
| `PEiD_00729_Free_Pascal_1_06_` | [Free Pascal 1.06] | `0x3a12` | `"\xc6\x05\xc0\x84@\x00O\xe8k\x04\x00\x00"` | [] |
| `PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__` | [Microsoft Visual C++ v5.0/v6.0 (MFC)] | `0x5a46` | `"U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00P"` | [] |
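Review bot: the removed `PEiD_00138_Armadillo_v1_71_` row (and the `_Armadillo_v171_` row removed in the next hunk) reports the same offset, `0x5a46`, as the surviving Microsoft Visual C++ rows, and its data (`"U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1"`) is a prefix of the Visual C++ v5.0/v6.0 (MFC) signature matched there, so this reads like a packer-signature false positive on an ordinary MSVC binary rather than lost detection coverage. The commit message ("updates") does not say whether the rule was removed from the set or corrected; a sentence explaining why the match disappeared would stop readers of the sample output from assuming the scanner regressed.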
@@ -16,7 +15,6 @@
| `_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_` | dUP v2.x Patcher --> www.diablo2oo2.cjb.net | `0x4e` | `"This program cannot be ru"` | [] |
| `_Microsoft_Visual_Cpp_` | Microsoft Visual C++ | `0x5a46` | `"U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00Pd\x89%"` | [] |
| `_Free_Pascal_v106_` | Free Pascal v1.06 | `0x3a12` | `"\xc6\x05\xc0\x84@\x00O\xe8k\x04\x00\x00"` | [] |
| `_Armadillo_v171_` | Armadillo v1.71 | `0x5a46` | `"U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1"` | [] |
| `_Microsoft_Visual_Cpp_v60_` | Microsoft Visual C++ v6.0 | `0x5a46` | `"U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00Pd\x89%"` | [] |
| `_Microsoft_Visual_Cpp_v50v60_MFC_` | Microsoft Visual C++ v5.0/v6.0 (MFC) | `0x5a46` | `"U\x8b\xecj\xffh b@\x00h\xc6[@\x00d\xa1\x00\x00\x00\x00P"` | [] |

43 changes: 6 additions & 37 deletions docs/elastic.json
@@ -1,5 +1,5 @@
{
"took": 41,
"took": 122,
"timed_out": false,
"_shards": {
"total": 1,
@@ -14,13 +14,13 @@
{
"_index": "malice",
"_type": "samples",
"_id": "TwY5umUBQmwpI6z8tcxx",
"_id": "x9JcH2gB8bpWND1fUJOU",
"_score": 1,
"_source": {
"plugins": {
"av": {
"yara": {
"markdown": "#### Yara\n| Rule | Description | Offset | Data | Tags |\n|-------------|--------------|-------------|-------------|-------------|\n| `Contains_PE_File` | Detect a PE file inside a byte sequence | `0x0` | `"MZ"` | [] |\n| `maldoc_function_prolog_signature` | | `0x1454` | `"U\\x8b\\xec\\x81\\xec"` | [] |\n| `maldoc_structured_exception_handling` | | `0x5a55` | `"d\\xa1\\x00\\x00\\x00\\x00"` | [] |\n| `maldoc_suspicious_strings` | | `0x67ec` | `"CloseHandle"` | [] |\n| `PEiD_00138_Armadillo_v1_71_` | [Armadillo v1.71] | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1"` | [] |\n| `PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_` | [dUP v2.x Patcher --> www.diablo2oo2.cjb.net] | `0x4e` | `"This program cannot be ru"` | [] |\n| `PEiD_00729_Free_Pascal_1_06_` | [Free Pascal 1.06] | `0x3a12` | `"\\xc6\\x05\\xc0\\x84@\\x00O\\xe8k\\x04\\x00\\x00"` | [] |\n| `PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__` | [Microsoft Visual C++ v5.0/v6.0 (MFC)] | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00P"` | [] |\n| `PEiD_01108_Microsoft_Visual_C___v6_0_` | [Microsoft Visual C++ v6.0] | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00Pd\\x89%"` | [] |\n| `PEiD_01110_Microsoft_Visual_C___v6_0_` | [Microsoft Visual C++ v6.0] | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00Pd\\x89%"` | [] |\n| `PEiD_01125_Microsoft_Visual_C___` | [Microsoft Visual C++] | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00Pd\\x89%"` | [] |\n| `_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_` | dUP v2.x Patcher --> www.diablo2oo2.cjb.net | `0x4e` | `"This program cannot be ru"` | [] |\n| `_Microsoft_Visual_Cpp_` | Microsoft Visual C++ | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00Pd\\x89%"` | [] |\n| `_Free_Pascal_v106_` | Free Pascal v1.06 | `0x3a12` | `"\\xc6\\x05\\xc0\\x84@\\x00O\\xe8k\\x04\\x00\\x00"` | [] |\n| 
`_Armadillo_v171_` | Armadillo v1.71 | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1"` | [] |\n| `_Microsoft_Visual_Cpp_v60_` | Microsoft Visual C++ v6.0 | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00Pd\\x89%"` | [] |\n| `_Microsoft_Visual_Cpp_v50v60_MFC_` | Microsoft Visual C++ v5.0/v6.0 (MFC) | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00P"` | [] |\n> NOTE: **Data** truncated to 25 characters\n\n",
"markdown": "#### Yara\n| Rule | Description | Offset | Data | Tags |\n|-------------|--------------|-------------|-------------|-------------|\n| `Contains_PE_File` | Detect a PE file inside a byte sequence | `0x0` | `"MZ"` | [] |\n| `maldoc_function_prolog_signature` | | `0x1454` | `"U\\x8b\\xec\\x81\\xec"` | [] |\n| `maldoc_structured_exception_handling` | | `0x5a55` | `"d\\xa1\\x00\\x00\\x00\\x00"` | [] |\n| `maldoc_suspicious_strings` | | `0x67ec` | `"CloseHandle"` | [] |\n| `PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_` | [dUP v2.x Patcher --> www.diablo2oo2.cjb.net] | `0x4e` | `"This program cannot be ru"` | [] |\n| `PEiD_00729_Free_Pascal_1_06_` | [Free Pascal 1.06] | `0x3a12` | `"\\xc6\\x05\\xc0\\x84@\\x00O\\xe8k\\x04\\x00\\x00"` | [] |\n| `PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__` | [Microsoft Visual C++ v5.0/v6.0 (MFC)] | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00P"` | [] |\n| `PEiD_01108_Microsoft_Visual_C___v6_0_` | [Microsoft Visual C++ v6.0] | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00Pd\\x89%"` | [] |\n| `PEiD_01110_Microsoft_Visual_C___v6_0_` | [Microsoft Visual C++ v6.0] | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00Pd\\x89%"` | [] |\n| `PEiD_01125_Microsoft_Visual_C___` | [Microsoft Visual C++] | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00Pd\\x89%"` | [] |\n| `_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_` | dUP v2.x Patcher --> www.diablo2oo2.cjb.net | `0x4e` | `"This program cannot be ru"` | [] |\n| `_Microsoft_Visual_Cpp_` | Microsoft Visual C++ | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00Pd\\x89%"` | [] |\n| `_Free_Pascal_v106_` | Free Pascal v1.06 | `0x3a12` | `"\\xc6\\x05\\xc0\\x84@\\x00O\\xe8k\\x04\\x00\\x00"` | [] |\n| `_Microsoft_Visual_Cpp_v60_` | Microsoft Visual C++ v6.0 | `0x5a46` | `"U\\x8b\\xecj\\xffh 
b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00Pd\\x89%"` | [] |\n| `_Microsoft_Visual_Cpp_v50v60_MFC_` | Microsoft Visual C++ v5.0/v6.0 (MFC) | `0x5a46` | `"U\\x8b\\xecj\\xffh b@\\x00h\\xc6[@\\x00d\\xa1\\x00\\x00\\x00\\x00P"` | [] |\n> NOTE: **Data** truncated to 25 characters\n\n",
"matches": [
{
"Meta": {
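Review bot: `"_type": "samples"` survives unchanged in this hit, yet the Makefile in the same commit now starts an untagged `malice/elasticsearch` image; mapping types are deprecated from Elasticsearch 6.x onward and removed in later major versions, so this documented document shape can silently stop matching what the plugin actually indexes. Either keep the Elasticsearch version pinned or drop the type from the example. The regenerated `markdown` field also embeds the entire results table as one escaped string, so the diff gives no hint which row was removed; stating it in the commit message would help anyone bisecting later.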
@@ -264,22 +264,6 @@
],
"Tags": null
},
{
"Meta": {
"description": "[Armadillo v1.71]",
"ep_only": "false"
},
"Namespace": "malice",
"Rule": "PEiD_00138_Armadillo_v1_71_",
"Strings": [
{
"Data": "VYvsav9oIGJAAGjGW0AAZKE=",
"Name": "$a",
"Offset": 23110
}
],
"Tags": null
},
{
"Meta": {
"description": "[dUP v2.x Patcher --> www.diablo2oo2.cjb.net]",
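Review bot: the removed match's `"Data": "VYvsav9oIGJAAGjGW0AAZKE="` is the base64 encoding of the 17 bytes `55 8b ec 6a ff 68 20 62 40 00 68 c6 5b 40 00 64 a1`, and `"Offset": 23110` is `0x5a46`, i.e. the same prefix and offset that the Microsoft Visual C++ rows in `docs/SAMPLE.md` report, so consumers of this JSON cannot tell the two rule families apart from the match data alone. The docs should also say that `Data` here is base64 while the `markdown` rendering shows the same bytes as an escaped string, since nothing in the field names indicates the encoding.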
@@ -421,21 +405,6 @@
],
"Tags": null
},
{
"Meta": {
"description": "Armadillo v1.71"
},
"Namespace": "malice",
"Rule": "_Armadillo_v171_",
"Strings": [
{
"Data": "VYvsav9oIGJAAGjGW0AAZKE=",
"Name": "$0",
"Offset": 23110
}
],
"Tags": null
},
{
"Meta": {
"description": "Microsoft Visual C++ v6.0"
@@ -475,13 +444,13 @@
}
}
},
"scan_date": "2018-09-08T17:27:48.834832489Z"
"scan_date": "2019-01-05T18:52:50.1696905Z"
}
},
{
"_index": "malice",
"_type": "samples",
"_id": "UAY5umUBQmwpI6z8vsyP",
"_id": "yNJcH2gB8bpWND1fXJN_",
"_score": 1,
"_source": {
"plugins": {
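Review bot: `scan_date` now carries seven fractional digits (`2019-01-05T18:52:50.1696905Z`) where the previous sample had nine (`2018-09-08T17:27:48.834832489Z`). Both are valid RFC 3339 timestamps and Elasticsearch parses either, but anything that compares or sorts these values as plain strings across old and new documents will see mixed precision, which is worth a note in the docs if the format change was intentional.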
@@ -492,7 +461,7 @@
}
}
},
"scan_date": "2018-09-08T17:27:51.181743813Z"
"scan_date": "2019-01-05T18:52:53.2448817Z"
}
}
]
31 changes: 0 additions & 31 deletions docs/results.json
@@ -243,22 +243,6 @@
}
]
},
{
"Rule": "PEiD_00138_Armadillo_v1_71_",
"Namespace": "malice",
"Tags": null,
"Meta": {
"description": "[Armadillo v1.71]",
"ep_only": "false"
},
"Strings": [
{
"Name": "$a",
"Offset": 23110,
"Data": "VYvsav9oIGJAAGjGW0AAZKE="
}
]
},
{
"Rule": "PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_",
"Namespace": "malice",
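Review bot: the match objects here are serialised with keys in the order `Rule`, `Namespace`, `Tags`, `Meta`, `Strings`, while the same match in `docs/elastic.json` appears as `Meta`, `Namespace`, `Rule`, `Strings`, `Tags`; that suggests the two sample files come from different serialisers or one was edited by hand. Regenerating both from a single scan of the same sample, and noting in the docs which file is the plugin's raw output and which is the indexed document, would keep them from drifting apart again in the next "updates" commit.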
@@ -400,21 +384,6 @@
}
]
},
{
"Rule": "_Armadillo_v171_",
"Namespace": "malice",
"Tags": null,
"Meta": {
"description": "Armadillo v1.71"
},
"Strings": [
{
"Name": "$0",
"Offset": 23110,
"Data": "VYvsav9oIGJAAGjGW0AAZKE="
}
]
},
{
"Rule": "_Microsoft_Visual_Cpp_v60_",
"Namespace": "malice",

0 comments on commit f0e8a86