Sneed-Reactivity/yara-mikesxrs/dragos/crashoverride_configReader.yar


// Detects the CRASHOVERRIDE v1 config-file parsing routine by its x86 byte patterns.
// Matches only PE files ("MZ" header) that contain every one of the four hex sequences.
rule crashoverride_configReader
{
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author      = "Dragos Inc"
        sha256      = "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad"
        reference   = "https://troopers.de/downloads/troopers18/TR18_DM_Mind-The-Gap.pdf"

    strings:
        // push/call sequence with wildcarded immediates; the trailing "?8" is a
        // deliberate nibble wildcard (low nibble fixed to 8, high nibble any).
        $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
        // byte-compare loop fragment (mov/cmp/jne/test/je)
        $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
        // xor/jmp/sbb/or idiom with wildcarded displacement and operand
        $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
        // test/jne/lea with a wildcarded 32-bit displacement
        $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }

    condition:
        // 0x5a4d read little-endian at offset 0 is the bytes "MZ" (PE/MZ header)
        uint16(0) == 0x5a4d
        and all of them
}