Run make yara-x-fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

rules/anti-behavior/blocklist/user.yara

@@ -37,15 +37,15 @@ rule common_username_block_list: critical {
     $ = "test" fullword
     $ = "w0fjuOVmCcP5A" fullword
 
-    $not_grafana1  = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]"
-    $not_grafana2  = "The Grafana LLM plugin is not installed."
-    $not_grafana3  = "grafana.debug.scenes"
-    $not_jitsu     = "jitsu.com"
-    $not_redpanda  = "redpanda"
-    $not_sqlmetal1 = "sqlmetal"
-    $not_sqlmetal2 = "asqlmetal_test_net_2_0, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c5753d8c47f40083f549016a5711238ac8ec297605abccd3dc4b6d0f280b4764eb2cc58ec4e37831edad7e7a07b8fe4a9cbb059374c0cc047aa28839fed7176761813caf6a2ffa0bff9afb50ead56dd3f56186a663962a12b830c2a70eb70ec77823eb5750e5bdef9e01d097c30b5c5463c3d07d3472b58e4c02f2792309259f"
-    $not_sqlmetal3 = "asqlmetal_test_net_4_0, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c5753d8c47f40083f549016a5711238ac8ec297605abccd3dc4b6d0f280b4764eb2cc58ec4e37831edad7e7a07b8fe4a9cbb059374c0cc047aa28839fed7176761813caf6a2ffa0bff9afb50ead56dd3f56186a663962a12b830c2a70eb70ec77823eb5750e5bdef9e01d097c30b5c5463c3d07d3472b58e4c02f2792309259f"
-    $not_wireshark = "wireshark.org"
+    $not_grafana1   = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]"
+    $not_grafana2   = "The Grafana LLM plugin is not installed."
+    $not_grafana3   = "grafana.debug.scenes"
+    $not_jitsu      = "jitsu.com"
+    $not_redpanda   = "redpanda"
+    $not_sqlmetal1  = "sqlmetal"
+    $not_sqlmetal2  = "asqlmetal_test_net_2_0, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c5753d8c47f40083f549016a5711238ac8ec297605abccd3dc4b6d0f280b4764eb2cc58ec4e37831edad7e7a07b8fe4a9cbb059374c0cc047aa28839fed7176761813caf6a2ffa0bff9afb50ead56dd3f56186a663962a12b830c2a70eb70ec77823eb5750e5bdef9e01d097c30b5c5463c3d07d3472b58e4c02f2792309259f"
+    $not_sqlmetal3  = "asqlmetal_test_net_4_0, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c5753d8c47f40083f549016a5711238ac8ec297605abccd3dc4b6d0f280b4764eb2cc58ec4e37831edad7e7a07b8fe4a9cbb059374c0cc047aa28839fed7176761813caf6a2ffa0bff9afb50ead56dd3f56186a663962a12b830c2a70eb70ec77823eb5750e5bdef9e01d097c30b5c5463c3d07d3472b58e4c02f2792309259f"
+    $not_wireshark  = "wireshark.org"
     $gpt_tokenizer1 = "GPTTokenizer"
     $gpt_tokenizer2 = "GPT-4"
 

rules/anti-static/obfuscation/padding.yara

@@ -6,7 +6,7 @@ rule msxml2_http: critical {
     $a = /M.{0,48}S.{0,48}X.{0,48}M.{0,48}L.{0,48}2.{0,48}\.X.{0,48}M.{0,48}L.{0,48}H.{0,48}T.{0,48}T.{0,48}P.{0,48}/
 
     // https://github.com/mailru/FileAPI/blob/5b50e8ed012e089eb578e586d860a6fd035e16d8/lib/FileAPI.core.js#L298
-    $not_fileapi = "MSXML2.XMLHttp.3.0\")}catch(c){b=new ActiveXObject(\"Microsoft.XMLHTTP\")}return b},isArray:l,support:{dnd:s&&\"ondrop\"i"
+    $not_fileapi  = "MSXML2.XMLHttp.3.0\")}catch(c){b=new ActiveXObject(\"Microsoft.XMLHTTP\")}return b},isArray:l,support:{dnd:s&&\"ondrop\"i"
     $not_i18next1 = "i18nextHttpBackend"
     $not_i18next2 = "u[\"User-Agent\"]=\"i18next-http-backend (node/\".concat(S.process.version,\"; \")"
 

rules/data/base64/external.yara

@@ -35,7 +35,7 @@ rule base64_shell_double_encode: critical {
   strings:
     $ref = /base64[\s>].{0,32}\|\s{0,2}base64/
 
-    $not_gpgme = "if (!base64 || base64 == -1) /* Make sure that we really have a string.  */"
+    $not_gpgme   = "if (!base64 || base64 == -1) /* Make sure that we really have a string.  */"
     $not_unix_rb = "echo '%<base64>s' | base64 --decode > %<file>s"
 
   condition:

rules/evasion/mimicry/fake-process.yara

@@ -6,7 +6,7 @@ rule fake_kworker: critical linux {
     $kworker1 = /\[{0,1}kworker\/[\w\%:\-\]]{1,16}/
     $kworker2 = "[kworker"
 
-    $not_rescue = "kworker/R-%s"
+    $not_rescue          = "kworker/R-%s"
     $not_psutil_comment1 = "root           4   0.0    0.0B    0.0B   -20   idle  Mar27  00:00  kworker/0:0H"
     $not_psutil_comment2 = "root       20414   0.0    0.0B    0.0B         idle  Apr04  00:00  kworker/4:2"
     $not_psutil_comment3 = "root       22338   0.0    0.0B    0.0B         idle  02:04  00:00  kworker/1:2"

rules/exfil/stealer/wallet.yara

@@ -33,8 +33,8 @@ rule crypto_stealer_names: critical {
     $not_clef1       = "These data types are defined in the channel between clef and the UILedger"
     $not_clef2       = "The `transaction` (on input into clef) can have either `data` or `input`"
     $not_geth_site   = "https://geth.ethereum.org"
-    $gpt_tokenizer1 = "GPTTokenizer"
-    $gpt_tokenizer2 = "GPT-4"
+    $gpt_tokenizer1  = "GPTTokenizer"
+    $gpt_tokenizer2  = "GPT-4"
 
   condition:
     filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and (#gpt_tokenizer1 < 3 and #gpt_tokenizer2 < 65)

rules/false_positives/arangodb.yara

@@ -1,11 +1,13 @@
 rule arangodb_override: override {
   meta:
     R3C0NST_Shellcode_Apihashing_FIN8 = "low"
+
   strings:
-    $ =  "https://github.com/arangodb-helper/arangodb"
+    $ = "https://github.com/arangodb-helper/arangodb"
     $ = "/home/build/arangod"
     $ = "application/x-arango-dump"
     $ = "arangodb"
+
   condition:
     all of them
 }

rules/impact/degrade/win_defender.yara

@@ -1,7 +1,7 @@
 rule win_defender_configure: high {
   meta:
     description = "Uses powershell to configure Windows Defender"
-    filetypes = "exe,pe,ps1"
+    filetypes   = "exe,pe,ps1"
 
   strings:
     $exclusion = /[\w \'\:\\\"\-]{0,32}Add-MpPreference[\w \'\:\\\"\-]/
@@ -13,7 +13,7 @@ rule win_defender_configure: high {
 rule win_defender_exclusion: critical {
   meta:
     description = "Uses powershell to define Windows Defender exclusions"
-    filetypes = "exe,pe,ps1"
+    filetypes   = "exe,pe,ps1"
 
   strings:
     $exclusion = /[\w \'\:\\\"\-]{0,32}Add-MpPreference.{0,32}Exclusion[\w \'\:\\\"]{0,32}/