Sneed-Reactivity/yara-mikesxrs/Mikesxrs/Syrian_Malware_Team_Blackworm.yar

rule Syrian_Malware_Team_Blackworm
{
	meta:
    	Author = "@X0RC1SM"
        Description = "Looking for unique strings"
        Reference = "https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html"
        Date = "2017-10-28"
  strings:
		$BWE1 = "_CorExeMain"
		$BWE2 = "mscoree.dll"
		$BWE3 = "syrian Malware"
		$BWE4 = "AppData"
		$BWE5 = "Temporary Projects"
		$BWE6 = "ali2.pdb"
				
		$BE1 = "aliallosh.sytes.net"
		$BE2 = "Syrian Malware"
		$BE3 = "Restart"
		$BE4 = "Microsoft"
		$BE5 = "Windows"
		$BE6 = "[endof]"
		$BE7 = "To Array"
		$BE8 = "Length"
	condition:
    	all of ($BWE*) or all of ($BE*)
}