Update YARAForge to 20240616 (#271)

* Add test file * Revert "Add test file" This reverts commit 01102fc. * Update YARAForge, add RELEASE files * Remove directories from VERSION output * Update sample output
chainguard-dev · Jun 21, 2024 · b92acde · b92acde
1 parent f5d91c0
commit b92acde
Show file tree

Hide file tree

Showing 8 changed files with 11,104 additions and 6,915 deletions.
diff --git a/samples/Linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/samples/Linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -1,4 +1,5 @@
 # Linux/2024.Kaiji/eight-nebraska-autumn-illinois
+3P/elastic/threat
 combo/backdoor/kill_rm
 combo/botnet/systemctl
 combo/dropper/shell

diff --git a/samples/Windows/2024.GitHub.Clipper/main.exe.simple b/samples/Windows/2024.GitHub.Clipper/main.exe.simple
@@ -1,7 +1,7 @@
 # Windows/2024.GitHub.Clipper/main.exe
 3P/ditekshen/discordurl
-3P/ditekshen/rawgithub/url
 3P/ditekshen/vm/evasion/macaddrcomb
+3P/elastic/multi/threat
 3P/threat_hunting
 3P/threat_hunting/cstealer
 3P/threat_hunting/fentanyl

diff --git a/samples/Windows/2024.Sharp/sharpil_RAT.exe.md b/samples/Windows/2024.Sharp/sharpil_RAT.exe.md
@@ -2,7 +2,7 @@
 
 |   RISK   |                                                                              KEY                                                                               |                                                                                  DESCRIPTION                                                                                   |                                                                                   EVIDENCE                                                                                   |
 |----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| CRITICAL | [3P/ditekshen/telegramchatbot](https://github.com/ditekshen/detection/blob/7c2d40d839ad010072e1def7752780d41da1eba3/yara/indicator_suspicious.yar#L1291-L1306) | Detects executables using Telegram Chat Bot, by [ditekSHen](https://github.com/ditekshen/detection)                                                                            | $p1<br>$p2<br>$s1<br>$s2<br>$s4                                                                                                                                              |
+| CRITICAL | [3P/ditekshen/telegramchatbot](https://github.com/ditekshen/detection/blob/2ddbbe14eea1f342bca2cfd09a643a40ae2fcaf6/yara/indicator_suspicious.yar#L1293-L1308) | Detects executables using Telegram Chat Bot, by [ditekSHen](https://github.com/ditekshen/detection)                                                                            | $p1<br>$p2<br>$s1<br>$s2<br>$s4                                                                                                                                              |
 | MEDIUM   | [3P/threat_hunting/telegram](https://github.com/chainguard-dev/bincapz/blob/main/rules/yara/threat_hunting/all.yara#telegram_greyware_tool_keyword)            | [references 'telegram' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht                                                                                      | $string1_telegram_greyware_tool_keyword                                                                                                                                      |
 | MEDIUM   | [data/emdedded/app/manifest](https://github.com/chainguard-dev/bincapz/blob/main/rules/data/emdedded-app-manifest.yara#app_manifest)                           | [Contains embedded Microsoft Windows application manifest](https://learn.microsoft.com/en-us/cpp/build/reference/manifestuac-embeds-uac-information-in-manifest?view=msvc-170) | [requestedExecutionLevel](https://github.com/search?q=requestedExecutionLevel&type=code)<br>[requestedPrivileges](https://github.com/search?q=requestedPrivileges&type=code) |
 | MEDIUM   | [net/download](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/download.yara#download)                                                           | download files                                                                                                                                                                 | [DownloadString](https://github.com/search?q=DownloadString&type=code)<br>[Downloads](https://github.com/search?q=Downloads&type=code)                                       |

diff --git a/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff b/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff
diff --git a/third_party/yara/YARAForge/RELEASE b/third_party/yara/YARAForge/RELEASE
@@ -1 +1 @@
-20240602
+20240616
diff --git a/third_party/yara/YARAForge/yara-rules-full.yar b/third_party/yara/YARAForge/yara-rules-full.yar
diff --git a/third_party/yara/bartblaze/RELEASE b/third_party/yara/bartblaze/RELEASE
@@ -1,3 +1 @@
-/tmp/tmp.dxdSSSmhxM ~/src/bincapz/third_party/yara
-dd8cfd8c456159c7201f5d4209fe007dfff1636e
-~/src/bincapz/third_party/yara
+59e9921bc4b9870017d0e9696bcbf4544f4c0a3e
diff --git a/third_party/yara/update.sh b/third_party/yara/update.sh
@@ -21,9 +21,9 @@ git_clone() {
 	local repo=$1
 	local dir="${tmpdir}"
 	git clone "${repo}" "${dir}"
-	pushd "${dir}" || exit 1
+	pushd "${dir}" >/dev/null || exit 1
 	git rev-parse HEAD
-	popd || exit 1
+	popd >/dev/null || exit 1
 }
 
 # fixup_rules fixes rules up, including lightly obfuscating them to avoid XProtect from matching bincapz