
private rule SurtrCode : Surtr Family {
    // Code-level features of the Surtr stage-one component. These are short
    // x86 byte sequences rather than literal strings, so the rule still
    // fires when the string table has been stripped or built on the stack.
    meta:
        author = "Katie Kleemola"
        description = "Code features for Surtr Stage1"
        last_updated = "2014-07-16"
    strings:
        // Config-decode loop: load a byte (8A), test it (84) + je (74),
        // cmp al,1 (3C 01) + je (74), xor al,1 (34 01), store it back (88),
        // ending in a jb (72 ??) back-edge. Wildcards cover the operand
        // bytes that vary between builds; the literal bytes are what make
        // this distinctive, so widen them only after re-testing on samples.
        $decode_loop = { 8A ?? ?? 84 ?? ?? 74 ?? 3C 01 74 ?? 34 01 88 41 3B ?? 72 ?? }
        // Stack-string construction of "Burn\" via repeated
        // mov byte ptr [..], imm8 (opcode C6, three modrm/displacement
        // bytes, then the ASCII value 42 75 72 6E 5C). Catches the drop
        // folder name when it never appears as a plain string.
        $burn_stack = { C6 [3] 42 C6 [3] 75 C6 [3] 72 C6 [3] 6E C6 [3] 5C }
        // Same construction spelling "_Fire.d" (5F 46 69 72 65 2E 64);
        // presumably the start of a "_Fire.dll" module name, alongside the
        // "_One.dll"/"_Fra.dll" literals in SurtrStrings -- verify on samples.
        $fire_stack = { C6 [3] 5F C6 [3] 46 C6 [3] 69 C6 [3] 72 C6 [3] 65 C6 [3] 2E C6 [3] 64 }
    condition:
        1 of them
}
private rule SurtrStrings : Surtr Family {
    // Literal artefacts (module names, a log file, drop-folder path
    // fragments) observed in Surtr stage one. A single hit is enough, so
    // the shortest entries ("Prod.t", "Proe.t", "Burn\") are the likeliest
    // source of false positives on unrelated files -- triage hits that
    // rest on one of those alone with care before acting on them.
    meta:
        author = "Katie Kleemola"
        description = "Strings for Surtr"
        last_updated = "2014-07-16"
    strings:
        // Bracketed with NUL bytes so the name has to stand on its own in a
        // string table rather than as part of a longer identifier.
        $s_soul    = "\x00soul\x00"
        $s_instdll = "\x00InstallDll.dll\x00"
        $s_onedll  = "\x00_One.dll\x00"
        // Remaining literals are unanchored substrings.
        $s_fradll  = "_Fra.dll"
        $s_crtlog  = "CrtRunTime.log"
        $s_prod    = "Prod.t"
        $s_proe    = "Proe.t"
        $s_burn    = "Burn\\"
        $s_liveup  = "LiveUpdata_Mem\\"
    condition:
        1 of them
}
rule Surtr : Family {
    // Public entry point for Surtr stage one: fires on either the byte-level
    // code patterns or the literal string artefacts, so a sample with its
    // strings stripped is still caught by the code side and vice versa.
    // No file-type gate (e.g. an MZ header check) is applied, which keeps
    // the rule usable on memory dumps and carved buffers as well as files,
    // at the cost of inheriting the weak-string FP risk noted in SurtrStrings.
    meta:
        author = "Katie Kleemola"
        description = "Rule for Surtr Stage One"
        last_updated = "2014-07-16"
    condition:
        SurtrCode or SurtrStrings
}