Delete apt_ZZ_Naikon_ARstrings.yar

2025-06-20 01:40:17 +00:00 · 2020-05-11 22:34:20 +08:00 · 2020-05-11 22:34:20 +08:00 · 4a87691e89
commit 4a87691e89
parent eacdc78f1f
1 changed files with 0 additions and 36 deletions
--- a/nazar/apt_ZZ_Naikon_ARstrings.yar
+++ b/nazar/apt_ZZ_Naikon_ARstrings.yar
@ -1,36 +0,0 @@
-rule apt_ZZ_Naikon_ARstrings : Naikon 
-{
-    meta:
-        copyright = "Kaspersky"
-        description = "Rule to detect Naikon aria samples"
-        hash = "2B4D3AD32C23BD492EA945EB8E59B758"
-        date = "2020-05-07"
-        version = "1.0"
-
-    strings:
-        $a1 = "Terminate Process [PID=%d] succeeds!" fullword wide
-        $a2 = "TerminateProcess [PID=%d] Failed:%d" fullword wide
-        $a3 = "Close tcp connection returns: %d!" fullword wide
-        $a4 = "Delete Directory [%s] returns:%d" fullword wide
-        $a5 = "Delete Directory [%s] succeeds!" fullword wide
-        $a6 = "Create Directory [%s] succeeds!" fullword wide
-        $a7 = "SHFileOperation [%s] returns:%d" fullword wide
-        $a8 = "SHFileOperation [%s] succeeds!" fullword wide
-        $a9 = "Close tcp connection succeeds!" fullword wide
-        $a10 = "OpenProcess [PID=%d] Failed:%d" fullword wide
-        $a11 = "ShellExecute [%s] returns:%d" fullword wide
-        $a12 = "ShellExecute [%s] succeeds!" fullword wide
-        $a13 = "FindFirstFile [%s] Error:%d" fullword wide
-        $a14 = "Delete File [%s] succeeds!" fullword wide
-        $a15 = "CreateFile [%s] Error:%d" fullword wide
-        $a16 = "DebugAzManager" fullword ascii
-        $a17 = "Create Directroy [%s] Failed:%d" fullword wide
-
-        $m1 = "TCPx86.dll" fullword wide ascii
-        $m2 = "aria-body" nocase wide ascii
-
-    condition:
-        uint16(0) == 0x5A4D and
-        filesize &lt; 450000 and
-        (2 of ($a*) and 1 of ($m*))
-}