Sneed-Reactivity/yara-mikesxrs/Nvisio/CCleaner.yar

34 lines
1.3 KiB
Text
Raw Normal View History

// YARA rules compromised CCleaner
// NVISO 2017/09/18
// http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
import "hash"
rule ccleaner_compromised_installer {
meta:
author = "NVISIO"
reference = "https://blog.nviso.be/2017/09/21/yara-rules-for-ccleaner-5-33/"
condition:
filesize == 9791816 and hash.sha256(0, filesize) == "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff"
}
rule ccleaner_compromised_application {
meta:
author = "NVISIO"
reference = "https://blog.nviso.be/2017/09/21/yara-rules-for-ccleaner-5-33/"
condition:
filesize == 7781592 and hash.sha256(0, filesize) == "36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9" or
filesize == 7680216 and hash.sha256(0, filesize) == "6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9"
}
rule ccleaner_compromised_pdb {
meta:
author = "NVISIO"
reference = "https://blog.nviso.be/2017/09/21/yara-rules-for-ccleaner-5-33/"
strings:
$a = "s:\\workspace\\ccleaner\\branches\\v5.33\\bin\\CCleaner\\Release\\CCleaner.pdb"
$b = "s:\\workspace\\ccleaner\\branches\\v5.33\\bin\\CCleaner\\ReleaseTV\\CCleaner.pdb"
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and ($a or $b)
}