19 lines
1,009 B
Text
19 lines
1,009 B
Text
|
import "pe"
|
||
|
|
||
|
rule Mal_Infostealer_EXE_Jupyter_Cert_36ff
|
||
|
{
|
||
|
meta:
|
||
|
description = "Detects Jupter executables by certificate OOO Sistema (36ff)"
|
||
|
reference = "https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise"
|
||
|
author = "BlackBerry Research & Intelligence Team"
|
||
|
date = "2021-10-14"
|
||
|
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
|
||
|
|
||
|
condition:
|
||
|
uint16(0) == 0x5a4d and
|
||
|
for any i in (0 .. pe.number_of_signatures) : (
|
||
|
pe.signatures[i].issuer contains "Certum Extended Validation Code Signing CA SHA2" and
|
||
|
pe.signatures[i].serial == "36:ff:67:4e:b3:05:e9:9c:35:56:5f:a3:01:d5:c4:b0" // Serial variable must be lowercase
|
||
|
)
|
||
|
}
|