Sneed-Reactivity/yara-mikesxrs/Mikesxrs/Cleaver_PDB.yar

20 lines
889 B
Text
Raw Normal View History

rule Cleaver_PDB
{
meta:
Author = "@X0RC1SM"
Description = "Looking for unique PDB"
Reference = "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
Date = "2017-10-28"
strings:
$PDB1 = "e:\\projects\\cleaver\\trunk\\zhoupin_cleaver\\obj\\x86\\release\\netscp.pdb" ascii wide nocase
$PDB2 = "c:\\users\\jimbp\\desktop\\binder_1 - for cleaver\\binder_1\\obj\\x86\\release\\setup.pdb" ascii wide nocase
$PDB3 = "e:\\Projects\\Cleaver\\trunk\\MainModule\\obj\\Release\\MainModule.pdb" ascii wide nocase
$PDB4 = "e:\\projects\\cleaver\\" ascii wide nocase
$PDB5 = "c:\\users\\jimbp\\" ascii wide nocase
$PDB6 = "zhoupin_cleaver\\" ascii wide nocase
$PDB7 = "\\Projects\\Cleaver\\" ascii wide nocase
$PDB8 = "\\binder_1 - for cleaver\\" ascii wide nocase
condition:
any of them
}