rule Flash_CVE_2015_5119_APT3_leg { meta: description = "Exploit Sample CVE-2015-5119" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" score = 70 yaraexchange = "No distribution without author's consent" date = "2015-08-01" id = "d9efaea3-0644-501a-990b-665e257beb86" strings: $s0 = "HT_exploit" fullword ascii $s1 = "HT_Exploit" fullword ascii $s2 = "flash_exploit_" ascii $s3 = "exp1_fla/MainTimeline" ascii fullword $s4 = "exp2_fla/MainTimeline" ascii fullword $s5 = "_shellcode_32" ascii $s6 = "todo: unknown 32-bit target" fullword ascii condition: uint16(0) == 0x5746 and 1 of them }