Sneed-Reactivity/yara-Neo23x0/gen_cmd_script_obfuscated.yar

19 lines
735 B
Text
Raw Normal View History

rule MAL_CMD_Script_Obfuscated_Feb19_1 {
meta:
description = "Detects obfuscated batch script using env variable sub-strings"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/DbgShell/status/1101076457189793793"
date = "2019-03-01"
hash1 = "deed88c554c8f9bef4078e9f0c85323c645a52052671b94de039b438a8cff382"
id = "8cc99ff5-968c-5b12-9aac-72279c1b8a6b"
strings:
$h1 = { 40 65 63 68 6F 20 6F 66 66 0D 0A 73 65 74 20 }
$s1 = { 2C 31 25 0D 0A 65 63 68 6F 20 25 25 }
condition:
uint16(0) == 0x6540 and filesize < 200KB and
$h1 at 0 and
uint16(filesize-3) == 0x0d25 and uint8(filesize-1) == 0x0a and
$s1 in (filesize-200..filesize)
}