rule zeus_js : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Zeus Exploit Kit Detection"
hash0 = "c87ac7a25168df49a64564afb04dc961"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "var jsmLastMenu "
$string1 = "position:absolute; z-index:99' "
$string2 = " -1)jsmSetDisplayStyle('popupmenu' "
$string3 = " '<tr><td><a href"
$string4 = " jsmLastMenu "
$string5 = " var ids "
$string6 = "this.target"
$string7 = " jsmPrevMenu, 'none');"
$string8 = " if(jsmPrevMenu "
$string9 = ")if(MenuData[i])"
$string10 = " '<div style"
$string11 = "popupmenu"
$string12 = " jsmSetDisplayStyle('popupmenu' "
$string13 = "function jsmHideLastMenu()"
$string14 = " MenuData.length; i"
condition:
14 of them
}