Rename 'RCSession' to more widestream name 'Screech'.

ctxis · Mar 7, 2018 · 804a00d · 804a00d
1 parent 477f14f
commit 804a00d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -42,7 +42,7 @@ CAPE has config parsers/decoders for the following malware families, whose paylo
 - HttpBrowser
 - Enfal
 - PoisonIvy
-- RCSession/Screech
+- Screech
 
 CAPE also has Yara signatures to detect payloads that are extracted by a behavioural package. This list is growing, and includes:
 - QtBot, ZeroT, WanaCry, Sedreco, NetTraveler, Locky, Emotet, Cerber, Ursnif, Enfal, BadRabbit, Magniber, Redsip, RCSession, Hancitor, Kronos, PetrWrap, Kovter, Azer, Petya, Dreambot, Atlas, NanoLocker, Mole, Codoso, Cryptoshield, Loki, Jaff, Dridex, RedLeaf, ChChes, EvilGrab, HttpBrowser, IcedID, Scarab

diff --git a/data/yara/CAPE/RCSession.yar → data/yara/CAPE/Screech.yar b/data/yara/CAPE/RCSession.yar → data/yara/CAPE/Screech.yar
@@ -1,9 +1,9 @@
-rule RCSession
+rule Screech
 {
     meta:
         author = "kevoreilly"
-        description = "RCSession Payload"
-        cape_type = "RCSession Payload"
+        description = "Screech Payload"
+        cape_type = "Screech Payload"
     strings:
         $a1 = {56 33 F6 39 74 24 08 7E 4C 53 57 8B F8 2B FA 8B C6 25 03 00 00 80 79 05 48 83 C8 FC 40 83 E8 00 74 19 48 74 0F 48 74 05 6B C9 09 EB 15 8B C1 C1 E8 02 EB 03 8D 04 09 2B C8}
     condition: