Please write some documentation on what this does, how to "install" it, and how to run it.
The only documentation is the README, which isn't included in the download RussianAPTDetector, doesn't list all the command line parameters, and doesn't explain the meaning of -r.
A key point not mentioned is that, after downloading the code from github, you need to open index.html in a web browser, download the file, unzip it, and then add its contents to the directory containing index.html.
As it is, non-programmers won't be able to run it at all.
The downloaded files include a web page, "index.html", which, when opened, downloads the file RussianAPTDetector.7z.
This file includes three executables.
Running any of the three files from Windows does nothing but open and then shut a window.
By first opening a Cygwin shell, and then running them from within that shell, I found that:
-- Running Detector.exe produces this output:
usage: Detector.exe [-h] -t TARGET [TARGET ...] [-r]
Detector.exe: error: argument -t/--target is required
No indication what "TARGET" means, or what the arguments -r or -h do.
Running yara64.exe like this:
./yara64 rules.yar C:
makes it appear to scan my C drive, but very quickly, and it generates only a list of warnings.
If you're using Linux, the python file detector.py assumes you already have compiled the executable "yara" and added its location to your PATH.
Reading detector.py reveals that:
-t gives the drive or directory to scan. (To pass this to yara, you need to just put that target directory immediately after the rules file; yara doesn't want parameter flags.)
-r means do a recursive scan, which I would think should be the default, but I don't know how ransomware behaves.
-p 8 means that the computer has 8 CPUs, or maybe 8 cores.
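To make the flag semantics described above concrete, here is a small wrapper that turns Detector.exe-style arguments into a yara command line. This is an added example written for this issue, not the project's detector.py; the meaning of -t, -r and -p is assumed from the reading of detector.py above, the rules file name `rules.yar` and the `--dry-run` switch are assumptions, and the yara switches used are yara's stock `-r` (recursive) and `-p` (thread count), with the rules file placed before the target as yara requires.

```python
"""Illustrative Detector-style front end for yara.

Added example, not the project's own detector.py.  Flag meanings
(-t target(s), -r recursive, -p thread count) follow the description
of detector.py given above; 'rules.yar' and --dry-run are assumptions.
"""
import argparse
import shutil
import subprocess
import sys
from typing import List, Optional


def build_yara_command(rules: str, target: str, recursive: bool = False,
                       threads: int = 1, yara_bin: str = "yara") -> List[str]:
    """Return the argv list for a single yara scan of one target.

    yara takes no flag for the target: the rules file comes first and the
    path to scan follows it as a positional argument.
    """
    cmd = [yara_bin]
    if recursive:
        cmd.append("-r")                      # yara: --recursive
    if threads > 1:
        cmd.extend(["-p", str(threads)])      # yara: --threads=NUMBER
    cmd.extend([rules, target])
    return cmd


def parse_args(argv: Optional[List[str]] = None) -> argparse.Namespace:
    """Parse Detector.exe-style arguments (assumed mapping, see docstring)."""
    parser = argparse.ArgumentParser(
        description="Scan one or more drives/directories with yara rules.")
    parser.add_argument("-t", "--target", nargs="+", required=True,
                        help="drive or directory to scan, e.g. C:\\ or /home")
    parser.add_argument("-r", "--recursive", action="store_true",
                        help="descend into subdirectories of each target")
    parser.add_argument("-p", "--threads", type=int, default=1,
                        help="number of scanning threads (CPUs/cores to use)")
    parser.add_argument("--rules", default="rules.yar",
                        help="yara rules file (assumed default: rules.yar)")
    parser.add_argument("-n", "--dry-run", action="store_true",
                        help="print the yara command lines without running them")
    return parser.parse_args(argv)


def main(argv: Optional[List[str]] = None) -> int:
    args = parse_args(argv)
    # On Linux the yara binary must already be on PATH; on Windows the
    # bundled build is named yara64.exe, so try both names.
    yara_bin = shutil.which("yara") or shutil.which("yara64")
    if yara_bin is None and not args.dry_run:
        print("yara not found on PATH; build/install it or use --dry-run",
              file=sys.stderr)
        return 2
    for target in args.target:
        cmd = build_yara_command(args.rules, target, args.recursive,
                                 args.threads, yara_bin or "yara")
        print(" ".join(cmd))
        if not args.dry_run:
            subprocess.run(cmd, check=False)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running `python detector_example.py -t C:\ -r -p 8 --dry-run` prints `yara -r -p 8 rules.yar C:\`, which is the command the wrapper would hand to yara; drop `--dry-run` to actually scan.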