Sneed-Reactivity/yara-mikesxrs/Xylitol/ibanking.yar

rule Android_Malware : iBanking
{
	meta:
		author = "Xylitol xylitol@malwareint.com"
		date = "2014-02-14"
		description = "Match first two bytes, files and string present in iBanking"
		reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"
		yaraexchange = "do what the fuck you want"
	strings:
		// Generic android
		$pk = {50 4B}
		$file1 = "AndroidManifest.xml"
		// iBanking related
		$file2 = "res/drawable-xxhdpi/ok_btn.jpg"
		$string1 = "bot_id"
		$string2 = "type_password2"
	condition:
		($pk at 0 and 2 of ($file*) and ($string1 or $string2))
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`rule Android_Malware : iBanking`
			`{`
			`meta:`
			`author = "Xylitol xylitol@malwareint.com"`
			`date = "2014-02-14"`
			`description = "Match first two bytes, files and string present in iBanking"`
			`reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3166"`
			`yaraexchange = "do what the fuck you want"`
			`strings:`
			`// Generic android`
			`$pk = {50 4B}`
			`$file1 = "AndroidManifest.xml"`
			`// iBanking related`
			`$file2 = "res/drawable-xxhdpi/ok_btn.jpg"`
			`$string1 = "bot_id"`
			`$string2 = "type_password2"`
			`condition:`
			`($pk at 0 and 2 of ($file*) and ($string1 or $string2))`
			`}`