

// Code-level artefacts of the Rookie family. Declared private, so it never
// reports a match on its own; it only feeds the public Rookie rule below.
private rule RookieCode : Rookie Family
{
    meta:
        description = "Rookie code features"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // "AutoConfigURL" assembled one character at a time with
        // C6 = MOV byte ptr [mem], imm8 (a stack string instead of a plain
        // literal, which is why a text string would not find it). Only the
        // bytes 'A','u' ... 'o','C','o','n','f' are pinned; the [4] gap
        // presumably spans the 't' store - confirm against a sample before
        // tightening it.
        $stack_autoconfigurl = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 }
        // "ProxyEnable" built the same way: 'P' [4] 'o','x','y','E','n','a'.
        $stack_proxyenable = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 }
        // Suspected "XOR with a rand() result": 8B 1D disp32 = MOV ebx,[abs32],
        // FF D3 = CALL ebx, then 8A 16 / 32 D0 / 88 16 = load byte at [esi],
        // XOR it with al, store it back. The operand 0x0040A110 is a hard-coded
        // absolute address, so this string is tied to one build / image base -
        // NOTE(review): expect it to miss rebuilt or relocated samples.
        $xor_rand = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 }

    condition:
        1 of them
}
// Plain-text marker for the Rookie family. Private, so it only contributes
// to the public Rookie rule below and never reports on its own.
private rule RookieStrings : Rookie Family
{
    meta:
        description = "Rookie Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // Matched as case-sensitive ASCII only (no "wide" / "nocase"
        // modifiers), so a UTF-16 copy of the same token is not detected.
        // The token has the shape of an HTTP User-Agent value - TODO confirm
        // from a sample / network capture.
        $ua_marker = "RookIE/1.0"

    condition:
        $ua_marker
}
// Public entry point for the Rookie family: fires when either the
// code-pattern rule or the string rule above matches. This is the only
// rule of the three that is reported, since the other two are private.
rule Rookie : Family
{
    meta:
        description = "Rookie"
        author = "Seth Hardy"
        last_modified = "2014-06-25"

    condition:
        // Either private rule is sufficient on its own.
        RookieStrings or RookieCode
}