/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Description: This rule keys on email headers indicating that the message may have been sent by a malicious PHP script on a compromised webserver.
Priority: 4
Scope: Against Email
Tags: None
Author: P.Burbage
Created in PhishMe's Triage on September 1, 2015 1:43 PM
*/
rule PM_Email_Sent_By_PHP_Script
{
    // Header names (plus the PHP binary path) that the rule description
    // associates with mail sent from a PHP script. They are matched as
    // whole tokens (fullword) but anywhere in the scanned input, not only
    // inside the header block, so a message body quoting one of these
    // strings also produces a hit.
    strings:
        $hdr_script      = "X-PHP-Script" fullword
        $hdr_orig_script = "X-PHP-Originating-Script" fullword
        $php_binary      = "/usr/bin/php" fullword
    condition:
        $hdr_script or $hdr_orig_script or $php_binary
}
/*
Description: Hits on ZIP attachments containing *.js or *.jse files - usually JS dropper malware that has previously downloaded Kovter & Boaxee.
Priority: 5
Scope: Against Attachment
Tags: FileID
Author: P.Burbage
Created in PhishMe's Triage on September 1, 2015 1:43 PM
*/
rule PM_Zip_with_js
{
    // "PK" at offset 0 is the leading bytes of the ZIP local-file-header
    // signature. The extension strings are only searched for within the
    // final 100 bytes of the input (typically the end of a ZIP's central
    // directory), so an archive whose last entry name lies earlier is not
    // matched. $ext_jse is subsumed by $ext_js (".jse" contains ".js"),
    // and ".js" also matches inside longer names such as ".json" or ".jsp".
    // NOTE(review): for inputs shorter than 100 bytes the range start is
    // negative -- confirm how the deployed YARA version evaluates that.
    strings:
        $zip_magic = "PK"
        $ext_js    = ".js" nocase
        $ext_jse   = ".jse" nocase
    condition:
        $zip_magic at 0
        and for any of ($ext_*) : ( $ in (filesize-100..filesize) )
}