

private rule RooterCode : Rooter Family
{
    meta:
        description = "Rooter code features"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    strings:
        // In-place xor-0x30 decode loop (x86, 32-bit operand size):
        //   80 B0 ?? ?? ?? ?? 30   xor byte ptr [eax+disp32], 0x30
        //   40                     inc eax
        //   3D 00 50 00 00         cmp eax, 0x5000
        //   7C F1                  jl  -15 (back to the xor)
        // The four wildcards cover the per-build buffer address; the loop
        // counter bound (0x5000 bytes) and the key byte are fixed.
        $xor_loop = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 }
    condition:
        // single pattern, so this is equivalent to "any of them"
        $xor_loop
}
private rule RooterStrings : Rooter Family
{
    meta:
        description = "Rooter Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-10"
    strings:
        // Null-terminated tokens seen in Rooter samples. Each is short and
        // generic on its own, so the rule only fires on a combination of
        // them (see condition). The trailing \x00 anchors the end of the
        // token so e.g. "seed" inside a longer word is not enough.
        $s1 = "seed\x00"
        $s2 = "prot\x00"
        $s3 = "ownin\x00"
        $s4 = "feed0\x00"
        $s5 = "nown\x00"
    condition:
        // 3 of 5 is the false-positive guard; if FPs appear in practice,
        // tighten the scope (file type / size) rather than lowering this.
        3 of them
}
// Public entry point for the family. The two sub-rules above are
// "private", so they are never reported on their own; a scan result
// will only ever show "Rooter", matched via either the code pattern
// or the string set.
rule Rooter : Family
{
meta:
description = "Rooter"
author = "Seth Hardy"
last_modified = "2014-07-10"
condition:
// either signal is sufficient; the string rule alone carries the
// higher false-positive risk, the code rule is the stronger indicator
RooterCode or RooterStrings
}