

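// Detects build artefacts (PDB debug paths) left in samples from the FreeMilk
// spear-phishing campaign described in the referenced Unit 42 write-up.
// The rule is a pure string match with no file-format anchoring, so it can be
// run over PE files as well as memory dumps and raw carved data.
rule FREEMILK_PDB
{
    meta:
        Author = "mikesxrs"
        Description = "Looking for unique PDB"
        Reference = "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/"
        Date = "2017-10-05"
    strings:
        // Full PDB paths seen in the "milk" build. "wide" also catches UTF-16
        // copies of the path; "nocase" because Windows paths are case-insensitive
        // and the attacker's build environment casing may differ between samples.
        $PDB1 = "E:\\BIG_POOH\\Project\\milk\\Release\\milk.pdb" ascii wide nocase
        $PDB2 = "E:\\BIG_POOH\\Project\\Desktop\\milk\\Release\\milk.pdb" ascii wide nocase
        // Partial paths: the unusual top-level build directory and the project
        // output name. These are broader than $PDB1/$PDB2 and are intended to
        // survive small reorganisations of the attacker's source tree; hits on
        // these alone should be triaged rather than treated as confirmed.
        $PDB3 = "E:\\BIG_POOH\\" ascii wide nocase
        $PDB4 = "\\Release\\milk.pdb" ascii wide nocase
        // Second build tree ("Agent") from the same campaign. Modifiers are
        // aligned with the other strings so a UTF-16 or differently-cased copy
        // of this path is not missed while the "milk" paths are caught.
        $PDB5 = "F:\\Backup\\2nd\\Agent\\Release\\Agent.pdb" ascii wide nocase
    condition:
        // Any single artefact is enough: each path is specific to the campaign's
        // build environment rather than to a generic Windows toolchain.
        any of them
}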