Sneed-Reactivity/yara-mikesxrs/Elastic/Mozi_Obfuscation_Technique.yar

rule Mozi_Obfuscation_Technique
{
  meta:
    author =  "Elastic Security, Lars Wallenborn (@larsborn)"
    description = "Detects obfuscation technique used by Mozi botnet."
    reference = "https://www.elastic.co/security-labs/collecting-and-operationalizing-threat-data-from-the-mozi-botnet"
  strings:
    $a = { 55 50 58 21
           [4]
           00 00 00 00
           00 00 00 00
           00 00 00 00 }
  condition:
    all of them
}