Update Yara CI config (kevoreilly#2113)

* Update Yara CI config * Fix extra space in Qakbot parser test
rkoumis · May 9, 2024 · c873c15 · c873c15
1 parent 68622dc
commit c873c15
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 9 deletions.
diff --git a/.yara-ci.yml b/.yara-ci.yml
@@ -1,12 +1,13 @@
 files:
   accept:
   - "data/yara/**.yar"
+  - "analyzer/windows/data/yara/**.yar"
 
 false_positives:
   ignore:
-    - rule: "CobaltStrikeBeacon"
-    - rule: "Emotet"
-    - rule: "NSIS"
-    - rule: "UPX"
-    - rule: "Syscall"
-    - rule: "FormhookB"
+  - rule: "CobaltStrikeBeacon"
+  - rule: "Emotet"
+  - rule: "NSIS"
+  - rule: "UPX"
+  - rule: "Syscall"
+  - rule: "FormhookB"
diff --git a/analyzer/windows/data/yara/Blister.yar b/analyzer/windows/data/yara/Blister.yar
@@ -4,8 +4,8 @@ rule Blister
         author = "kevoreilly"
         description = "Blister Sleep Bypass"
         cape_options = "bp0=$sleep1+6,bp1=$sleep2+7,action0=setsignflag,action1=clearcarryflag,count=3"
-        blister_hash = "0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00"
-        blister_hash = "afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2"
+        packed = "0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00"
+        packed = "afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2"
     strings:
         $sleep1 = {FF FF 83 7D F0 00 (E9|0F 8?)}
         $sleep2 = {81 7D D8 90 B2 08 00 (E9|0F 8?)}

diff --git a/tests_parsers/test_qakbot.py b/tests_parsers/test_qakbot.py
@@ -2,6 +2,6 @@
 
 
 def test_qakbot():
-    with open("tests/data/malware/0cb0d77ac38df36fff891e072dea96401a8c1e8ff40d6ac741d5a2942aaeddbb ", "rb") as data:
+    with open("tests/data/malware/0cb0d77ac38df36fff891e072dea96401a8c1e8ff40d6ac741d5a2942aaeddbb", "rb") as data:
         conf = extract_config(data.read())
         assert conf == {"C2": "anscowerbrut.com", "Campaign": 2738000827}