
Merge pull request #330 from Neo23x0/add-id
more rule IDs
Neo23x0 authored Dec 12, 2024
2 parents 40324c6 + 8f0255a commit 7f13b42
Showing 18 changed files with 1,088 additions and 0 deletions.
1 change: 1 addition & 0 deletions yara/apt_apt27_rshell.yar
Expand Up @@ -17,6 +17,7 @@ rule APT_MAL_APT27_Rshell_Jul24 {
hash6 = "c4fe1e56f601d411e2385352606524fb8bbf773bc2ba14889a8de605c2d14da0"
hash7 = "c787144d285fcca8a542f7a5525a37bcd089b39068b9a4db7fe3554ee6c08301"
hash8 = "ddaa4d23e4651a517fffbd29f0924607ba6b6253171144da5e49237afe91666b"
id = "67c8ac4e-8e2f-5cca-90cb-5d5fdf6f86b5"
strings:
$a1 = "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%" ascii
$a2 = "/proc/self/exe" ascii
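Review bot: The new `id` meta key lands at a different position in each rule: here it follows the `hash8` line of APT_MAL_APT27_Rshell_Jul24, in most rules of yara/apt_nk_andariel_jul24.yar and yara/expl_cleo_dec24.yar it follows `score`, and in yara/mal_go_modbus.yar, yara/mal_perfctl_oct24.yar and yara/mal_sophos_pygmy_nov24.yar it follows `hash1`. A fixed slot in the meta block (for example always directly after `score`, before any `hash*` lines) would keep the blocks scannable and make later diffs of the meta sections line up. The rule bodies start above the hunk and continue below it, so the note applies only to the meta placement, not to the strings or conditions.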
20 changes: 20 additions & 0 deletions yara/apt_nk_andariel_jul24.yar
Expand Up @@ -7,6 +7,7 @@ rule MAL_APT_NK_Andariel_ScheduledTask_Loader {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "0c32758b-480c-5784-b28f-cee85d038850"
strings:
$obfuscation1 = { B8 02 00 00 00 48 6B C0 00 B9 CD FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 01 B9 CC FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 02 B9 8D FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 03 B9 9A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 04 B9 8C FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 05 B9 8A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 06 33 C9 66 89 8C 04 60 01 00 00 }
$obfuscation2 = { 48 6B C0 02 C6 44 04 20 BA B8 01 00 00 00 48 6B C0 03 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 04 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 05 C6 44 04 20 8A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 9C B8 01 00 00 00 }
Expand All @@ -23,6 +24,7 @@ rule MAL_APT_NK_Andariel_KaosRAT_Yamabot {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 70
id = "cdde69cd-1b38-52f5-8552-cef2cf4ad69c"
strings:
$str1 = "/kaos/"
$str2 = "Abstand ["
Expand All @@ -46,6 +48,7 @@ rule MAL_APT_NK_TriFaux_EasyRAT_JUPITER {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "8bd72287-59da-53cf-9015-66149303e59f"
strings:
$InitOnce = "InitOnceExecuteOnce"
$BREAK = { 0D 00 0A 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 0D 00 0A }
Expand All @@ -62,6 +65,7 @@ rule MAL_APT_NK_Andariel_CutieDrop_MagicRAT {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "104244de-83fb-5112-a2b6-e20d38a6ced6"
strings:
// I removed the 'wide' from the strings because the samples don't contain the strings
// UTF-16 formatted and there's no indication that they ever will be, F.R.
Expand All @@ -87,6 +91,7 @@ rule MAL_APT_NK_Andariel_HHSD_FileTransferTool {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 70
id = "46b6dbaf-1272-5bbd-a586-5e48ba6c5022"
strings:
// 30 4D C7 xor [rbp+buffer_v41+3], cl
// 81 7D C4 22 C0 78 00 cmp dword ptr [rbp+buffer_v41], 78C022h
Expand Down Expand Up @@ -126,6 +131,7 @@ rule MAL_APT_NK_Andariel_Atharvan_3RAT {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "9ff6998a-a2dd-5671-bd3f-ee69561f71ef"
strings:
$3RAT = "D:\\rang\\TOOL\\3RAT"
$atharvan = "Atharvan_dll.pdb"
Expand All @@ -142,6 +148,7 @@ rule MAL_APT_NK_Andariel_LilithRAT_Variant {
date = "2024-07-25"
modified = "2024-07-26"
score = 80
id = "916a289b-db7b-5f09-9d3e-589c3f09101d"
strings:
// I removed the 'wide' from the strings because the samples don't contain the strings
// UTF-16 formatted and there's no indication that they ever will be, F.R.
Expand Down Expand Up @@ -177,6 +184,7 @@ rule MAL_APT_NK_Andariel_SocksTroy_Strings_OpCodes {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "9e7fb6ba-771e-5cae-a0d5-c0b95ee6d4e9"
strings:
$strHost = "-host" wide
$strAuth = "-auth" wide
Expand All @@ -197,6 +205,7 @@ rule MAL_APT_NK_Andariel_Agni {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "ffe3f427-c10a-5ad4-ab29-c0d9b576c30f"
strings:
$xor = { 34 ?? 88 01 48 8D 49 01 0F B6 01 84 C0 75 F1 }
$stackstrings = { C7 44 24 [5-10] C7 44 24 [5] C7 44 24 [5-10] C7 44 24 [5-10] C7 44 24 }
Expand All @@ -213,6 +222,7 @@ rule MAL_APT_NK_Andariel_GoLang_Validalpha_Handshake {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 75
id = "51dafa43-9da0-569a-9123-7e9800284046"
strings:
$ = { 66 C7 00 AB CD C6 40 02 EF ?? 03 00 00 00 48 89 C1 ?? 03 00 00 00 }
condition:
Expand All @@ -226,6 +236,7 @@ rule MAL_APT_NK_Andariel_GoLang_Validalpha_Tasks {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "caa67a79-3ea6-5910-971c-f311722570ff"
strings:
$ = "main.ScreenMonitThread"
$ = "main.CmdShell"
Expand All @@ -242,6 +253,7 @@ rule MAL_APT_NK_Andariel_GoLang_Validalpha_BlackString {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 90
id = "36f46a1d-69b6-5c99-9a54-6a14d62d2721"
strings:
$ = "I:/01___Tools/02__RAT/Black"
condition:
Expand Down Expand Up @@ -283,6 +295,7 @@ rule MAL_APT_NK_Andariel_ELF_Backdoor_Fipps {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "040bca78-8b7e-5397-8a2b-1ddeed59eea3"
strings:
$a = "found mac address"
$b = "RecvThread"
Expand All @@ -300,6 +313,7 @@ rule MAL_APT_NK_Andariel_BindShell {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 70
id = "3f6d83da-cea5-5e12-b0ba-93ace09d3d5c"
strings:
$str_comspec = "COMSPEC"
$str_consolewindow = "GetConsoleWindow"
Expand All @@ -320,6 +334,7 @@ rule MAL_APT_NK_Andariel_Grease2 {
date = "2024-07-25"
modified = "2024-07-26"
score = 80
id = "4defbe08-b3c6-5ab9-9a57-cec57ff42d9a"
strings:
/* I bet this was an error and fixed the strings - I allow you to kick my butt when I'm wrong
$str_rdpconf = "c: \\windows\\temp\\RDPConf.exe" fullword nocase
Expand All @@ -341,6 +356,7 @@ rule MAL_APT_NK_Andariel_NoPineapple_Dtrack_Unpacked {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 80
id = "6ccaf24b-c110-5788-a792-fa7f39fb18f7"
strings:
$str_nopineapple = "< No Pineapple! >"
$str_qt_library = "Qt 5.12.10"
Expand All @@ -358,6 +374,7 @@ rule MAL_APT_NK_Andariel_DTrack_Unpacked {
date = "2024-07-25"
modified = "2024-07-26"
score = 75
id = "0c161275-2b2e-51a4-9e08-c118fb4c8671"
strings:
$x_str_cmd_4 = "/c systeminfo > \"%s\" & tasklist > \"%s\" & netstat -naop tcp > \"%s\"" wide
$x_str_cmd_2 = "/c ping -n 3 127.0.01 > NUL % echo EEE > \"%s\"" wide
Expand All @@ -382,6 +399,7 @@ rule MAL_APT_NK_Andariel_TigerRAT_Crowdsourced_Rule {
date = "2024-07-25"
modified = "2024-07-26"
score = 75
id = "6be65222-7d3c-5ff5-a9c7-d91dcf1deaa6"
strings:
$m1 = ".?AVModuleKeyLogger@@" fullword ascii
$m2 = ".?AVModulePortForwarder@@" fullword ascii
Expand Down Expand Up @@ -411,6 +429,7 @@ rule MAL_APT_NK_WIN_Tiger_RAT_Auto {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 75
id = "4579af62-52be-5f5f-a577-16ec50297c05"
strings:
$sequence_0 = { 33c0 89442438 89442430 448bcf 4533c0 }
// n = 5, score = 200
Expand Down Expand Up @@ -552,6 +571,7 @@ rule MAL_APT_NK_WIN_DTrack_Auto {
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
date = "2024-07-25"
score = 75
id = "1b40c685-beba-50fa-b484-c1526577cb23"
strings:
$sequence_0 = { 52 8b4508 50 e8???????? 83c414 8b4d10 51 }
// n = 7, score = 400
1 change: 1 addition & 0 deletions yara/apt_nobellium_rdp_phish.yar
Expand Up @@ -11,6 +11,7 @@ rule SUSP_RDP_File_Indicators_Oct24_1 {
hash3 = "9b8cb8b01ce4eafb9204250a3c28bfaf70cc76a99ce411ad52bbf1aa2b6cce34"
hash4 = "ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46"
hash5 = "f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8"
id = "16128c1e-64ed-5a3e-ad1e-e0330d91f5a9"
strings:
$s1 = "redirectclipboard:i:1" wide fullword
$s2 = "redirectprinters:i:1" wide fullword
2 changes: 2 additions & 0 deletions yara/apt_volttyphoon_versamem.yar
Expand Up @@ -7,6 +7,7 @@ rule WEBSHELL_JAVA_VersaMem_JAR_Aug24_1 {
date = "2024-08-27"
modified = "2024-08-29"
score = 75
id = "9b666e61-cfa8-58b3-a362-772cd907c57c"
strings:
$sa1 = "com.versa.vnms.ui.TestMain"
$sa2 = "captureLoginPasswordCode"
Expand All @@ -31,6 +32,7 @@ rule WEBSHELL_JAVA_VersaMem_JAR_Aug24_2 {
date = "2024-08-29"
score = 75
hash1 = "4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37"
id = "5ca598ed-5d0a-563d-a5e8-f8229af2c949"
strings:
$x1 = "tomcat_memShell" ascii
$x2 = "versa/vnms/ui/config/" ascii fullword
11 changes: 11 additions & 0 deletions yara/expl_cleo_dec24.yar
Expand Up @@ -6,6 +6,7 @@ rule EXPL_Cleo_Exploitation_Log_Indicators_Dec24 : SCRIPT {
reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
date = "2024-12-10"
score = 75
id = "385042a9-fc8c-5b50-975f-3436a16e6861"
strings:
$x1 = "Note: Processing autorun file 'autorun\\health" ascii wide
$x2 = "60282967-dc91-40ef-a34c-38e992509c2c.xml" ascii wide
Expand All @@ -22,6 +23,7 @@ rule SUSP_EXPL_Cleo_Exploitation_Log_Indicators_Dec24_1 {
hash1 = "786951478a0fc5db24f6e1d8dcc5eaa8880dbd928da97828a61f1f1f0f21e21d"
date = "2024-12-10"
score = 75
id = "81daf184-4c38-5d84-899b-9d0de2f39934"
strings:
$sa1 = "<Thread type=\"AutoRun\" action=" ascii
$sa2 = "<Mark date=" ascii
Expand Down Expand Up @@ -56,6 +58,7 @@ rule SUSP_EXPL_Cleo_Exploitation_Log_Indicators_Dec24_2 {
reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
date = "2024-12-10"
score = 70
id = "d215d4a0-1726-58d4-90df-8ec6102effe1"
strings:
$sa1 = "<Thread type=\"AutoRun\" action=" ascii
$sa2 = "<Mark date=" ascii
Expand Down Expand Up @@ -92,6 +95,7 @@ rule EXPL_Cleo_Exploitation_XML_Indicators_Dec24 {
reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
date = "2024-12-10"
score = 70
id = "622633af-aa7a-5bf9-a59c-6590535d86a4"
strings:
$x1 = "<Host alias=\"60282967-dc91-40ef-a34c-38e992509c2c\" application=\"\" " ascii
Expand All @@ -113,6 +117,7 @@ rule SUSP_EXPL_Cleo_Exploitation_XML_Indicators_Dec24_1 {
hash1 = "b103f708e85416fc6d7af9605da4b57b3abe42fb9c6c9ec0f539b4c877580bd2"
date = "2024-12-10"
score = 70
id = "b30ca09f-b84c-5de8-9bf7-9f3269f32c1f"
strings:
$sa1 = "<Action actiontype=\"Commands\"" ascii
$sa2 = "<?xml version=" ascii
Expand Down Expand Up @@ -147,6 +152,7 @@ rule SUSP_EXPL_Cleo_Exploitation_XML_Indicators_Dec24_2 {
reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
date = "2024-12-10"
score = 70
id = "a71c71f3-d36f-5c27-b150-e678bccf2dba"
strings:
$sa1 = "<Action actiontype=\"Commands\"" ascii
$sa2 = "<?xml version=" ascii
Expand Down Expand Up @@ -183,6 +189,7 @@ rule EXPL_Cleo_Exploitation_PS1_Indicators_Dec24 : SCRIPT {
reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
date = "2024-12-10"
score = 75
id = "491cda57-0ad0-5ddc-90cb-48411eef2f2e"
strings:
$xe1 = "Start-Process -WindowStyle Hidden -FilePath jre\\bin\\java.exe" base64 ascii wide
$xe2 = "$f=\"cleo." base64 ascii wide
Expand All @@ -201,6 +208,7 @@ rule SUSP_EXPL_JAR_Indicators_Dec24 {
reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
date = "2024-12-10"
score = 70
id = "4e8f6aa8-9efd-5fcf-b795-5042d4ba1708"
strings:
$s1 = "TLS v3 " ascii
$s2 = "java/util/Base64$Decoder" ascii
Expand All @@ -221,6 +229,7 @@ rule EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_1_1 {
date = "2024-12-10"
score = 75
hash1 = "0c57b317b572d071afd8ccdb844dd6f117e20f818c6031d7ba8adcbd32be0617"
id = "2940ddad-3dba-594a-9111-e4741d6ff39b"
strings:
$a1 = "java/lang/StringBuffer"
Expand All @@ -243,6 +252,7 @@ rule EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_2 {
date = "2024-12-10"
score = 75
hash1 = "1ba95af21bac45db43ebf02f87ecedde802c7de4d472f33e74ee0a5b5015a726"
id = "bd575454-7fd0-566d-94e5-ec1368675108"
strings:
$s1 = "Timeout getting pipe-data" ascii fullword
$s2 = "Ftprootpath" ascii fullword
Expand All @@ -261,6 +271,7 @@ rule EXPL_Cleo_Exploitation_JAVA_Payloads_Dec24_3 {
reference = "https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild"
date = "2024-12-10"
score = 75
id = "5c227bb9-0731-5955-a758-6fe86ecc2d86"
strings:
$a1 = "java/lang/String" ascii
2 changes: 2 additions & 0 deletions yara/expl_cups_sep24.yar
Expand Up @@ -6,6 +6,7 @@ rule EXPL_LNX_CUPS_CVE_2024_47177_Sep24 {
reference = "https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8"
date = "2024-09-27"
score = 75
id = "a7b986ad-e943-5350-a6e0-34c40f07874c"
strings:
$s1 = "FoomaticRIPCommandLine: " ascii
$s2 = "cupsFilter2 : " ascii
Expand All @@ -20,6 +21,7 @@ rule SUSP_EXPL_LNX_CUPS_CVE_2024_47177_Sep24 {
reference = "https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8"
date = "2024-09-27"
score = 65
id = "cb76f1c7-6dc0-5fed-a970-2a4890db46d3"
strings:
$ = "FoomaticRIPCommandLine: \"bash " ascii
$ = "FoomaticRIPCommandLine: \"sh " ascii
2 changes: 2 additions & 0 deletions yara/gen_brooxml_dec24.yar
Expand Up @@ -7,6 +7,7 @@ rule Brooxml_Hunting {
date = "2024-11-27"
score = 70
reference = "https://x.com/threatinsight/status/1861817946508763480"
id = "1ffea1c7-9f97-5bb1-93d7-ce914765416f"
strings:
$pk_ooxml_magic = {50 4b 03 04 [22] 13 00 [2] 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c}
Expand Down Expand Up @@ -45,6 +46,7 @@ rule Brooxml_Phishing {
date = "2024-11-27"
score = 65
reference = "https://x.com/threatinsight/status/1861817946508763480"
id = "ccd8ab30-90a4-5d4b-8a77-dbc4669bdb95"
strings:
$hex1 = { 21 20 03 20 c3 be c3 bf 09 20 [0-1] 06 20 20 20 20 20 20 20 20 20 20 20 01 20 20 20 06 20 20 20 20 20 20 20 20 10 20 20 05 20 20 20 01 20 20 20 c3 be c3 bf c3 bf c3 bf }
$docx = { 50 4b }
1 change: 1 addition & 0 deletions yara/gen_xor_hunting.yar
Expand Up @@ -8,6 +8,7 @@ rule SUSP_XORed_Mozilla_Oct19 {
date = "2019-10-28"
modified = "2023-11-03"
score = 60
id = "71e5b399-c384-5330-ae52-4e0a806e7969"
strings:
$xo1 = "Mozilla/5.0" xor ascii wide
$xof1 = "Mozilla/5.0" ascii wide
1 change: 1 addition & 0 deletions yara/mal_go_modbus.yar
Expand Up @@ -8,6 +8,7 @@ rule MAL_Go_Modbus_Jul24_1 {
modified = "2024-07-24"
score = 75
hash1 = "5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb"
id = "4a1e6bbe-d743-5394-b207-e417b64fa76d"
strings:
$a1 = "Go build"
1 change: 1 addition & 0 deletions yara/mal_inc_ransomware.yar
Expand Up @@ -8,6 +8,7 @@ rule MAL_RANSOM_INC_Aug24 {
hash1 = "eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc" // LYNX
hash2 = "1754c9973bac8260412e5ec34bf5156f5bb157aa797f95ff4fc905439b74357a" // INC
score = 80
id = "b776490b-f26a-55d9-bb26-ec3c617f070c"
strings:
$s1 = "tarting full encryption in" wide
$s2 = "oad hidden drives" wide
2 changes: 2 additions & 0 deletions yara/mal_perfctl_oct24.yar
Expand Up @@ -7,6 +7,7 @@ rule MAL_EXPL_Perfctl_Oct24 {
date = "2024-10-09"
score = 80
hash1 = "22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13"
id = "1f525eaf-445c-592e-bfa4-e9846390dd1d"
strings:
$s1 = "Exploit failed. Target is most likely patched." ascii fullword
$s2 = "SHELL=pkexec" ascii fullword
Expand All @@ -28,6 +29,7 @@ rule MAL_LNX_Perfctl_Oct24 {
score = 75
hash1 = "a6d3c6b6359ae660d855f978057aab1115b418ed277bb9047cd488f9c7850747"
hash2 = "ca3f246d635bfa560f6c839111be554a14735513e90b3e6784bedfe1930bdfd6"
id = "391513ae-3348-5297-a22a-6f06e50f06d2"
strings:
$op1 = { 83 45 f8 01 8b 45 f8 48 3b 45 98 0f 82 1b ff ff ff 90 c9 c3 55 }
$op2 = { 48 8b 55 a0 48 01 ca 0f b6 0a 48 8b 55 a8 89 c0 88 4c 02 18 8b 45 fc 83 e0 3f }
3 changes: 3 additions & 0 deletions yara/mal_sophos_pygmy_nov24.yar
Expand Up @@ -7,6 +7,7 @@ rule MAL_Sophos_XG_Pygmy_Goat_AES_Key {
date = "2024-10-22"
score = 75
hash1 = "71f70d61af00542b2e9ad64abd2dda7e437536ff"
id = "62be3f4f-b435-54b2-b596-4ad01606edb8"
strings:
$dword_1 = { 59 4b 6e 77 }
$dword_2 = { 51 6a 6d 41 }
Expand All @@ -30,6 +31,7 @@ rule MAL_Sophos_XG_Pygmy_Goat_Magic_Strings {
date = "2024-10-22"
score = 75
hash1 = "71f70d61af00542b2e9ad64abd2dda7e437536ff"
id = "7df6c228-d569-5f1c-8bbb-4194347f99d1"
strings:
$c2_magic_handshake = ",bEB3?=o"
$fake_ssh_banner = "SSH-2.0-D8pjE"
Expand All @@ -49,6 +51,7 @@ rule MAL_EarthWorm_Socks_Proxy_ID_Generation {
date = "2024-10-22"
score = 75
hash1 = "71f70d61af00542b2e9ad64abd2dda7e437536ff"
id = "242777e4-3abb-50d8-8c45-746cc4a8b1f8"
strings:
$chartoi = {
8b 45 ?? // MOV EAX,dword ptr [EBP + ??]
1 change: 1 addition & 0 deletions yara/mal_xlogin_nov24.yar
Expand Up @@ -9,6 +9,7 @@ rule MAL_ELF_Xlogin_Nov24_1 {
hash1 = "2b09a6811a9d0447f8c6480430eb0f7e3ff64fa933d0b2e8cd6117f38382cc6a"
hash2 = "d1cbf80786b1ca1ba2e5c31ec09159be276ad3d10fc0a8a0dbff229d8263ca0a"
hash3 = "ff17e9bcc1ed16985713405b95745e47674ec98e3c6c889df797600718a35b2c"
id = "e8940660-ecf8-5616-9cb1-fc0a02d35689"
strings:
$xc1 = { 6C 6F 67 69 6E 3A 00 25 73 00 00 2F 62 69 6E 2F 73 68 00 2F 74 6D 70 2F 6C 6F 67 69 6E }
