import "pe" rule brc4_core { meta: version = "first version" author = "@ninjaparanoid" reference = "https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara" date = "2022-11-19" description = "Hunts for known strings used in Badger till release v1.2.9 when not in an encrypted state" id = "3a702d21-392f-5b7d-90a7-eb053d259b32" strings: $coreStrings1 = "CLOSED" $coreStrings2 = "LISTENING" $coreStrings3 = "SYN_SENT" $coreStrings4 = "SYN_RCVD" $coreStrings5 = "ESTABLISHED" $coreStrings6 = "FIN_WAIT1" $coreStrings7 = "FIN_WAIT2" $coreStrings8 = "CLOSE_WAIT" $coreStrings9 = "CLOSING" $coreStrings10 = "LAST_ACK" $coreStrings11 = "TIME_WAIT" $coreStrings12 = "DELETE_TCB" $coreStrings13 = "v4.0.30319" $coreStrings14 = "bYXJm/3#M?:XyMBF" $coreStrings15 = "ServicesActive" $coreStrings16 = "coffee" $coreStrings17 = "Until Admin Unlock" $coreStrings18 = "alertable" $coreStrings19 = "%02d%02d%d_%02d%02d%2d%02d_%s" $coreStrings20 = ";" $coreStrings21 = ";" $coreStrings22 = ";" $coreStrings23 = ";" $coreStrings24 = ";" $coreStrings25 = ";" $coreStrings26 = ";" $coreStrings27 = ";" $coreStrings28 = ";" $coreStrings29 = ";" $coreStrings30 = ";" $coreStrings31 = ";" $coreStrings32 = ";" $coreStrings33 = ";" $coreStrings34 = ";" $coreStrings35 = ";" $coreStrings36 = ";" $coreStrings37 = ";" $coreStrings38 = ";" $coreStrings39 = ";" $coreStrings40 = ";" $coreStrings41 = ";" $coreStrings42 = "