Sneed-Reactivity/yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_8.yar

rule Destructive_Target_Cleaning_Tool_8

{
	meta:
		author = "US CERT"
		reference = "https://www.us-cert.gov/ncas/alerts/TA14-353A"
	
	strings:
		$license= "{E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006500200042006100740068002C0020004A006F007200690073002000760061006E002000520061006E007400770069006A006B002C002000440065006C00690061006E000000000000000250000000000A002200CE000800EA03FFFF8200}"
		$PuTTY= "{50007500540054005900}"

	condition:
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY
 }