

// Check Point Research rule: flags the encrypted config files by their header,
// which is only recognisable under the encryption key the description assumes.
// Reference: https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/
rule ZZ_breakwin_config
{
    meta:
        description = "Detects the header of the encrypted config files, assuming known encryption key."
        reference   = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
        author      = "Check Point Research"
        date        = "22-07-2021"
        // Sample hashes (64 hex chars, i.e. SHA-256 length); YARA allows a repeated meta key.
        hash        = "948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed"
        hash        = "2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22"
        hash        = "68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7"

    strings:
        // 28-byte encrypted header; whitespace inside a hex string is not significant,
        // so this is the same pattern as the single-line original.
        $conf_header = { 1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F
                         02 15 02 E5 57 4D 59 59 D1 40 20 22 }

    condition:
        // Anchored at file offset 0: a config embedded or shifted inside another
        // file does not match, which keeps the rule cheap and low on false positives.
        $conf_header at 0
}