
private rule NaikonCode : Naikon Family
{
    meta:
        description = "Naikon code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        // Three raw x86 opcode sequences that the original author attributes to
        // the sample's decryption routine. Each pattern is only 5-6 bytes, so
        // on its own it would be weak; the condition therefore demands every
        // one of them be present in the scanned object.
        $decrypt_imul_shl = { 0F AF C1 C1 E0 1F }   // imul eax, ecx ; shl eax, 1Fh
        $decrypt_xor      = { 35 5A 01 00 00 }      // xor eax, 15Ah
        $decrypt_add      = { 81 C2 7F 14 06 00 }   // add edx, 6147Fh
    condition:
        // Equivalent to `all of them`: every hex pattern must match.
        $decrypt_imul_shl and $decrypt_xor and $decrypt_add
}
private rule NaikonStrings : Naikon Family
{
    meta:
        description = "Naikon Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    strings:
        // Literal artefacts taken from the sample. No `wide` or `nocase`
        // modifier is present, so YARA matches each one only as a
        // case-sensitive ASCII byte sequence; a UTF-16 copy of the same text
        // (e.g. in memory or in a wide-string resource) would not match.
        $s1 = "NOKIAN95/WEB"
        $s2 = "/tag=info&id=15"
        $s3 = "skg(3)=&3.2d_u1"
        $s4 = "\\Temp\\iExplorer.exe"   // decoded: \Temp\iExplorer.exe
        $s5 = "\\Temp\\\"TSG\""         // decoded: \Temp\"TSG"  (quotes included)
    condition:
        // Equivalent to `any of them`: a single literal is sufficient.
        1 of them
}
rule Naikon : Family
{
    meta:
        description = "Naikon"
        author = "Seth Hardy"
        last_modified = "2014-06-25"
    condition:
        // Public entry point for the family. NaikonCode and NaikonStrings are
        // declared `private`, so only this rule name is reported on a hit;
        // either of the two private rules matching is enough.
        NaikonStrings or NaikonCode
}