
private rule nAspyUpdateCode : nAspyUpdate Family
{
    meta:
        description = "nAspyUpdate code features"
        author = "Seth Hardy"
        last_modified = "2014-07-14"
    strings:
        // The dropper's in-place byte-decryption loop. The 16 bytes disassemble
        // (x86, 32-bit) to:
        //   8A 54 24 14   mov  dl, [esp+0x14]   ; byte read from the stack, used as the key
        //   8A 01         mov  al, [ecx]        ; next ciphertext byte
        //   32 C2         xor  al, dl
        //   02 C2         add  al, dl           ; plaintext = (c ^ key) + key
        //   88 01         mov  [ecx], al        ; written back in place
        //   41            inc  ecx
        //   4E            dec  esi              ; esi counts remaining bytes
        //   75 F4         jnz  -12              ; back to "mov al, [ecx]"
        // The pattern has no wildcards: the fixed stack offset (0x14) and the
        // register allocation tie it to one build, so a recompile of the same
        // source can silently stop matching. It is also not gated on a PE
        // header, so it can fire on memory dumps or any file carrying these bytes.
        $decrypt_loop = { 8A 54 24 14 8A 01 32 C2 02 C2 88 01 41 4E 75 F4 }
    condition:
        // Single pattern; equivalent to "any of them".
        $decrypt_loop
}
private rule nAspyUpdateStrings : nAspyUpdate Family
{
    meta:
        description = "nAspyUpdate Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-14"
    strings:
        // Plain text strings: ASCII and case-sensitive by default. None carries
        // the "wide" modifier, so UTF-16 copies of these strings are not matched.
        $s1 = "\\httpclient.txt"   // "\\" is a YARA escape for one literal backslash
        $s2 = "password <=14"
        $s3 = "/%ldn.txt"          // "%ld" is matched literally; YARA does not expand format specifiers
        $s4 = "Kill You\x00"       // explicit trailing NUL anchors the end of the C string
    condition:
        // One hit is enough; identical to "any of them" since every string is $s*.
        1 of ($s*)
}
rule nAspyUpdate : Family
{
    meta:
        description = "nAspyUpdate"
        author = "Seth Hardy"
        last_modified = "2014-07-14"
    condition:
        // Public entry point: this is the only rule a scanner reports, because
        // the two rules it references are private. They must be defined before
        // this rule in the same ruleset or compilation fails.
        // Either kind of evidence is sufficient on its own, and there is no
        // file-type gate (e.g. a PE header check), so hits on non-executable
        // data should be expected and triaged accordingly.
        nAspyUpdateStrings or nAspyUpdateCode
}