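// Family: Favorite. Two private building blocks (a code fingerprint and a set
// of identifying strings) plus the public "Favorite" rule that ORs them.

private rule FavoriteCode : Favorite Family
{
    meta:
        description = "Favorite code features"
        author = "Seth Hardy"
        last_modified = "2014-06-24"

    strings:
        // Stack-string construction. Each `C6 45 ?? XX` is the x86 encoding
        // of `mov byte ptr [ebp+disp8], imm8`, i.e. a string being written
        // onto the stack one byte at a time. The `??` wildcard is the stack
        // offset (varies per build); only the immediates are pinned.

        // Immediates 3B 27 34 75 6B 6C 3B 2F (";'4ukl;/") are not a readable
        // string as-is — presumably an encoded value decoded at runtime.
        // Treat as an opaque code fingerprint; verify against samples.
        $ = { C6 45 ?? 3B C6 45 ?? 27 C6 45 ?? 34 C6 45 ?? 75
              C6 45 ?? 6B C6 45 ?? 6C C6 45 ?? 3B C6 45 ?? 2F }

        // Immediates 6F 73 73 76 63 65 78 65 spell "ossvcexe" in ASCII; this
        // looks like the bytes of a "...svc...exe" style file name stored
        // out of order (compiler-scheduled stores) — confirm against a sample.
        $ = { C6 45 ?? 6F C6 45 ?? 73 C6 45 ?? 73 C6 45 ?? 76
              C6 45 ?? 63 C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 }

    condition:
        // Either byte-stacking sequence is enough: 24 fixed opcode/immediate
        // bytes interleaved with 8 wildcards is specific on its own.
        any of them
}

private rule FavoriteStrings : Favorite Family
{
    meta:
        description = "Favorite Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-24"

    strings:
        // Keyboard-walk password/key. It is short (8 bytes) and a common
        // wordlist entry, so it is a weak indicator by itself — yet per the
        // condition below it is sufficient alone; review hits accordingly.
        // `ascii wide` additionally matches the UTF-16LE form that Windows
        // binaries frequently carry; ascii-only matches are a strict subset.
        $string1 = "!QAZ4rfv" ascii wide

        // Dropped-binary / data-file names. Both are required together
        // because either generic-looking name alone would be noisy.
        $file1 = "msupdater.exe" ascii wide
        $file2 = "FAVORITES.DAT" ascii wide

    condition:
        any of ($string*) or all of ($file*)
}

rule Favorite : Family
{
    meta:
        description = "Favorite"
        author = "Seth Hardy"
        last_modified = "2014-06-24"

    condition:
        // Public entry point: a hit on either the code fingerprint or the
        // identifying strings is attributed to the family. There is no
        // PE/magic guard, so the rule applies to arbitrary buffers (e.g.
        // memory dumps) as well as files on disk.
        FavoriteCode or FavoriteStrings
}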