Sneed-Reactivity/yara-mikesxrs/Mikesxrs/PDB_Arachnophobia.yar

17 lines
860 B
Text
Raw Normal View History

rule PDB_Arachnophobia
{
meta:
Author = "mikesxrs"
Description = "Looking for unique PDB strings"
Reference = "https://www.threatconnect.com/where-there-is-smoke-there-is-fire-south-asian-cyber-espionage-heats-up/Operation Arachnophobia"
Date = "2017-10-28"
strings:
$PDB1 = "C:\\Users\\Tranchulas\\Documents\\Visual Studio 2008\\Projects\\upload\\Release\\upload.pdb"
$PDB2 = "C:\\Users\\Cath\\documents\\visual studio 2010\\Projects\\ExtractPDF\\Release\\ExtractPDF.pdb"
$PDB3 = "C:\\Users\\Cath\\documents\\visual studio 2010\\Projects\\Start\\Release\\Start.pdb"
$PDB4 = "C:\\Users\\Cert-India\\Documents\\Visual Studio 2008\\Projects\\ufile\\Release\\ufile.pdb"
$PDB5 = "C:\\Users\\umairaziz27\\Documents\\Visual Studio 2008\\Projects\\usb\\Release\\usb.pdb"
condition:
any of them
}