Sneed-Reactivity/yara-Neo23x0/crime_cryptowall_svg.yar

24 lines
726 B
Text
Raw Permalink Normal View History

rule SVG_LoadURL {
meta:
description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/psjCCc"
date = "2015-05-24"
hash1 = "ac8ef9df208f624be9c7e7804de55318"
hash2 = "3b9e67a38569ebe8202ac90ad60c52e0"
hash3 = "7e2be5cc785ef7711282cea8980b9fee"
hash4 = "4e2c6f6b3907ec882596024e55c2b58b"
score = 50
id = "c3d4c95f-ef8b-52ff-9cf9-d66d9b99a490"
strings:
$s1 = "</svg>" nocase
$s2 = "<script>" nocase
$s3 = "location.href='http" nocase
condition:
all of ($s*) and filesize < 600
}