private rule FavoriteCode : Favorite Family
{
    meta:
        description = "Favorite code features"
        author = "Seth Hardy"
        last_modified = "2014-06-24"

    strings:
        // Each pattern is a run of eight `mov byte ptr [ebp+disp8], imm8`
        // instructions (opcode C6 45). The `??` wildcard is the frame offset,
        // so the match does not depend on the exact stack layout; only the
        // immediate bytes are pinned. Presumably the immediates spell out a
        // string that is assembled on the stack one byte at a time to keep it
        // out of the binary's plain string table.
        $stackstr1 = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75 C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }
        $stackstr2 = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76 C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }

    condition:
        // either byte-build sequence on its own is considered sufficient
        $stackstr1 or $stackstr2
}
private rule FavoriteStrings : Favorite Family
{
    meta:
        description = "Favorite Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-24"

    strings:
        // Plain text strings with no modifiers, i.e. YARA's defaults:
        // case-sensitive and ASCII only. A UTF-16 ("wide") or differently
        // cased copy of these values will not match as written.
        $marker1 = "!QAZ4rfv"
        $artifact1 = "msupdater.exe"
        $artifact2 = "FAVORITES.DAT"

    condition:
        // The marker string is distinctive enough to fire alone; the two
        // file names are only accepted together, as neither is unique.
        $marker1 or ($artifact1 and $artifact2)
}
// Public entry rule for this family. It is the only non-private rule in the
// file, so it is the one that appears in scan output; FavoriteCode and
// FavoriteStrings are private helpers that are evaluated but never reported
// on their own.
rule Favorite : Family
{
    meta:
        description = "Favorite"
        author = "Seth Hardy"
        last_modified = "2014-06-24"

    condition:
        // a hit on either the code-level pattern or the string-level pattern
        // is enough; no strings of its own
        FavoriteCode or FavoriteStrings
}