Sneed-Reactivity/yara-mikesxrs/Citizen Lab/enfal.yara

69 lines
1.8 KiB
Text
Raw Permalink Normal View History

private rule EnfalCode : Enfal Family
{
meta:
description = "Enfal code tricks"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
// mov al, 20h; sub al, bl; add [ebx+esi], al; push esi; inc ebx; call edi; cmp ebx, eax
$decrypt = { B0 20 2A C3 00 04 33 56 43 FF D7 3B D8 }
condition:
any of them
}
private rule EnfalStrings : Enfal Family
{
meta:
description = "Enfal Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-19"
strings:
$ = "D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdb"
$ = "e:\\programs\\LuridDownLoader"
$ = "LuridDownloader for Falcon"
$ = "DllServiceTrojan"
$ = "\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\"
$ = "EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89"
$ = "Madonna\x00Jesus"
$ = "/iupw82/netstate"
$ = "fuckNodAgain"
$ = "iloudermao"
$ = "Crpq2.cgi"
$ = "Clnpp5.cgi"
$ = "Dqpq3ll.cgi"
$ = "dieosn83.cgi"
$ = "Rwpq1.cgi"
$ = "/Ccmwhite"
$ = "/Cmwhite"
$ = "/Crpwhite"
$ = "/Dfwhite"
$ = "/Query.txt"
$ = "/Ufwhite"
$ = "/cgl-bin/Clnpp5.cgi"
$ = "/cgl-bin/Crpq2.cgi"
$ = "/cgl-bin/Dwpq3ll.cgi"
$ = "/cgl-bin/Owpq4.cgi"
$ = "/cgl-bin/Rwpq1.cgi"
$ = "/trandocs/mm/"
$ = "/trandocs/netstat"
$ = "NFal.exe"
$ = "LINLINVMAN"
$ = "7NFP4R9W"
condition:
any of them
}
rule Enfal : Family
{
meta:
description = "Enfal"
author = "Seth Hardy"
last_modified = "2014-06-19"
condition:
EnfalCode or EnfalStrings
}