Sneed-Reactivity/yara-Neo23x0/gen_google_anomaly.yar


import "pe"
rule SUSP_Unsigned_GoogleUpdate {
   meta:
      description = "Detects suspicious unsigned GoogleUpdate.exe"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2019-08-05"
      score = 60
      hash1 = "5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354"
      id = "2575b882-3526-5c42-9d50-83fb0b7df3f5"
   strings:
      /*
         Version-resource key/value pair, UTF-16LE: "OriginalFilename", a two-byte
         null terminator, then "GoogleUpdate.exe". The pattern starts with the null
         high byte that precedes the key and stops before the final null of "exe",
         so it is a prefix match on the value.
      */
      $ac1 = {
         00
         4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00
         46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00
         00 00
         47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00
         64 00 61 00 74 00 65 00 2E 00 65 00 78 00 65
      }
   condition:
      // MZ magic first (cheap), then: no embedded Authenticode signature at all,
      // a small file, and the GoogleUpdate.exe version-resource string.
      // number_of_signatures only counts signatures; it does not validate them,
      // so a file carrying an invalid or unverifiable signature is not matched here.
      uint16(0) == 0x5a4d
      and pe.number_of_signatures == 0
      and filesize < 2000KB
      and $ac1
}