// Phoenix Exploit Kit indicator rule, auto-generated (see the yaragenerator
// meta) from the single sample whose MD5 is recorded in hash0.  The string
// set consists of opaque substrings lifted from that sample rather than
// hand-picked indicators, so a hit is best treated as a lead for analyst
// review, and the rule should be expected to be brittle against even small
// edits to the source script.
rule phoenix_html2
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Phoenix Exploit Kit Detection"
        hash0 = "2fd263f5d988a92715f4146a0006cb31"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"

    strings:
        // Eighteen fixed fragments.  They look like pieces of obfuscated
        // script text (presumably -- nothing in the rule documents their
        // origin), so no meaning is recoverable from them and they must be
        // kept byte-identical when the rule is edited.
        $s0  = "Pec.lilsD)E)i-gonP(mgge.eOmn"
        $s1  = "(trt;oo"
        $s2  = "aceeC:0h"
        $s3  = "Vubb.oec.n)a."
        $s4  = "t;o{(bspd}ci:0OO[g(cfjdh}1sN}ntnrlt;0pwf{-"
        $s5  = "seierb)gMle(}ev;is{(b;ga"
        $s6  = "e)}ift"
        $s7  = "Dud{rt"
        $s8  = "blecroeely}diuFI-"
        $s9  = "ttec]tr"
        $s10 = "fSgcso"
        $s11 = "eig.t)eR{t}aeesbdtbl{1sr)m"
        $s12 = ").}n,Raa.s"
        $s13 = "sLtfcb.nrf{Wiantscncad1ac)scb0eo]}Diuu(nar"
        $s14 = "dxc.,:tfr(ucxRn"
        $s15 = "eDnnforbyri(tbmns).[i.ee;dl(aNimp(l(h[u[ti;u)"
        $s16 = "}tn)i{ebr,_.ns(Nes,,gm(ar.t"
        $s17 = "l]it}N(pe3,iaaLds.)lqea:Ps00Hc;[{Euihlc)LiLI"

    condition:
        // Any 17 of the 18 fragments must be present.  The sample_filetype
        // value in meta is informational only: the condition does not
        // restrict the type or size of the scanned file.
        17 of ($s*)
}