From 804a00d818901396dfd061f48e30846cb9e3bfbe Mon Sep 17 00:00:00 2001
From: unknown
Date: Wed, 7 Mar 2018 10:45:30 +0000
Subject: [PATCH] Rename 'RCSession' to more widestream name 'Screech'.

---
 README.md | 2 +-
 data/yara/CAPE/{RCSession.yar => Screech.yar} | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
 rename data/yara/CAPE/{RCSession.yar => Screech.yar} (75%)

diff --git a/README.md b/README.md
index 060c1175f..4d74964f8 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,7 @@ CAPE has config parsers/decoders for the following malware families, whose paylo
 - HttpBrowser
 - Enfal
 - PoisonIvy
-- RCSession/Screech
+- Screech
 
 CAPE also has Yara signatures to detect payloads that are extracted by a behavioural package. This list is growing, and includes:
 - QtBot, ZeroT, WanaCry, Sedreco, NetTraveler, Locky, Emotet, Cerber, Ursnif, Enfal, BadRabbit, Magniber, Redsip, RCSession, Hancitor, Kronos, PetrWrap, Kovter, Azer, Petya, Dreambot, Atlas, NanoLocker, Mole, Codoso, Cryptoshield, Loki, Jaff, Dridex, RedLeaf, ChChes, EvilGrab, HttpBrowser, IcedID, Scarab
diff --git a/data/yara/CAPE/RCSession.yar b/data/yara/CAPE/Screech.yar
similarity index 75%
rename from data/yara/CAPE/RCSession.yar
rename to data/yara/CAPE/Screech.yar
index 4753ce28d..6752dcc3e 100644
--- a/data/yara/CAPE/RCSession.yar
+++ b/data/yara/CAPE/Screech.yar
@@ -1,9 +1,9 @@
-rule RCSession
+rule Screech
 {
 meta:
 author = "kevoreilly"
-description = "RCSession Payload"
-cape_type = "RCSession Payload"
+description = "Screech Payload"
+cape_type = "Screech Payload"
 strings:
 $a1 = {56 33 F6 39 74 24 08 7E 4C 53 57 8B F8 2B FA 8B C6 25 03 00 00 80 79 05 48 83 C8 FC 40 83 E8 00 74 19 48 74 0F 48 74 05 6B C9 09 EB 15 8B C1 C1 E8 02 EB 03 8D 04 09 2B C8}
 condition:
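Review bot: The rule name and both meta strings now read Screech, but the README hunk in this same commit still lists `RCSession` in the Yara-signature line (`... Redsip, RCSession, Hancitor ...`), so the documented signature list and the actual rule name diverge after the rename. Since the README states CAPE has config parsers for these families, any consumer that dispatches on the `cape_type` string or the rule name would presumably need the same rename, which the diff does not show — worth confirming before merging. To keep the old family name searchable for analysts, consider `description = "Screech Payload (formerly RCSession)"` in the meta block. The rule's condition expression lies outside the hunk.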