Sneed-Reactivity/yara-mikesxrs/Citizen Lab/cookies.yara


// Building block for the public "Cookies" rule below: collects the
// identifying strings and is private so it never fires on its own.
private rule CookiesStrings : Cookies Family
{
    meta:
        description = "Cookies Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"

    strings:
        // Dropper / archive side. The "...exePK" pairs are an embedded
        // file name immediately followed by the "PK" marker, and the
        // Setup=/Silent= lines look like self-extractor script
        // directives — NOTE(review): the archive format is not
        // established here, so the rule deliberately has no MZ check.
        $zip1 = "ntdll.exePK"
        $zip2 = "AcroRd32.exePK"
        $zip3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
        $zip4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"

        // Payload side: hard-coded status/log messages (note the
        // non-native English and typos, which make them distinctive).
        $exe1  = "Leave GetCommand!"
        $exe2  = "perform exe success!"
        $exe3  = "perform exe failure!"
        $exe4  = "Entry SendCommandReq!"
        $exe5  = "Reqfile not exist!"
        $exe6  = "LeaveDealUpfile!"
        $exe7  = "Entry PostData!"
        $exe8  = "Leave PostFile!"
        $exe9  = "Entry PostFile!"
        $exe11 = "the url no respon!"
        // Only this string is also searched in UTF-16LE form.
        $exe10 = "\\unknow.zip" wide ascii

    condition:
        // Two hits from either group suffice; a single string is not
        // treated as conclusive on its own.
        2 of ($zip*) or 2 of ($exe*)
}
// Public detection rule for the Cookies family. All matching logic
// lives in the private CookiesStrings rule; this wrapper only gives
// the detection a reportable name and metadata.
rule Cookies : Family
{
    meta:
        description = "Cookies"
        author = "Seth Hardy"
        last_modified = "2014-06-20"

    condition:
        CookiesStrings
}