Sneed-Reactivity/yara-mikesxrs/Dragonthreatlabs/apt_c16_win_wateringhole.yar

rule apt_c16_win_wateringhole 
{
  meta:
    author = "@dragonthreatlab"
    description = "Detects code from APT wateringhole"
    date        = "2015/01/11" 
    reference   = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
  strings:
    $str1 = "function runmumaa()"
    $str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("
    $str3 = "function MoSaklgEs7(k)"
  condition:
    any of ($str*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule apt_c16_win_wateringhole`
			`{`
			`meta:`
			`author = "@dragonthreatlab"`
			`description = "Detects code from APT wateringhole"`
			`date = "2015/01/11"`
			`reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"`
			`strings:`
			`$str1 = "function runmumaa()"`
			`$str2 = "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("`
			`$str3 = "function MoSaklgEs7(k)"`
			`condition:`
			`any of ($str*)`
			`}`