
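/*
 * Syrian_Malware_Team_Blackworm
 *
 * Detects samples carrying the hard-coded strings attributed to the
 * "Syrian Malware Team" BlackWorm activity in the referenced FireEye post.
 * Two independent string sets are ORed in the condition; every member of a
 * set must be present before that set fires, so the generic entries below
 * ("Microsoft", "Windows", "Length", the CLR loader names) only corroborate —
 * selectivity comes from the hostname, the "Syrian Malware" self-identifier
 * and the "ali2.pdb" debug-symbol path.
 *
 * Review notes:
 *  - Every string now carries `ascii wide`. The artefacts point at .NET
 *    executables (mscoree.dll / _CorExeMain), and .NET string literals are
 *    normally stored as UTF-16; `ascii` alone (the original default) would miss
 *    that form. This is a strict superset of the original matching.
 *  - The two sets deliberately differ in case ("syrian Malware" vs
 *    "Syrian Malware"); YARA strings are case-sensitive, and that is preserved.
 *  - There is no PE-header gate, so the rule also hits memory dumps and
 *    carrier files. Prefix the condition with `uint16(0) == 0x5A4D and` if only
 *    on-disk PE files are wanted.
 *  - The Reference URL is the original FireEye blog path; the FireEye blog has
 *    since moved, so the link may redirect or be archived.
 */
rule Syrian_Malware_Team_Blackworm
{
    meta:
        Author = "@X0RC1SM"
        Description = "Looking for unique strings"
        Reference = "https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html"
        Date = "2017-10-28"

    strings:
        // Set 1 ($BWE*): CLR entry stub names present in every .NET executable
        // (context only) plus project/author strings and the PDB path.
        $BWE1 = "_CorExeMain" ascii wide
        $BWE2 = "mscoree.dll" ascii wide
        $BWE3 = "syrian Malware" ascii wide      // distinctive
        $BWE4 = "AppData" ascii wide
        $BWE5 = "Temporary Projects" ascii wide  // default VS scratch project dir
        $BWE6 = "ali2.pdb" ascii wide            // distinctive debug-symbol name

        // Set 2 ($BE*): a hard-coded dynamic-DNS host (strongest indicator here),
        // the self-identifier, a delimiter-like token and several generic words.
        $BE1 = "aliallosh.sytes.net" ascii wide  // distinctive
        $BE2 = "Syrian Malware" ascii wide       // distinctive
        $BE3 = "Restart" ascii wide
        $BE4 = "Microsoft" ascii wide
        $BE5 = "Windows" ascii wide
        $BE6 = "[endof]" ascii wide
        $BE7 = "To Array" ascii wide
        $BE8 = "Length" ascii wide

    condition:
        // Either complete set is sufficient; partial overlap is not.
        all of ($BWE*) or all of ($BE*)
}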