/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
// NOTE(review): the "pe" module is imported but neither rule visible in this
// file references a pe.* field; the import is harmless but appears unused here.
import "pe"
// Identifying strings for the "Cookies" family. Two groups are matched
// independently: strings expected in a delivery archive, and log-style
// messages expected in the unpacked executable. Two hits in either group
// are enough to fire.
rule CookiesStrings : Cookies Family
{
    meta:
        description = "Cookies Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-20"

    strings:
        // Archive-side indicators: an executable name immediately followed
        // by the next "PK" header, and what look like SFX "Setup="/"Silent="
        // directives with CRLF line endings (archive format not verified here).
        $archive1 = "ntdll.exePK"
        $archive2 = "AcroRd32.exePK"
        $archive3 = "Setup=ntdll.exe\x0d\x0aSilent=1\x0d\x0a"
        $archive4 = "Setup=%temp%\\AcroRd32.exe\x0d\x0a"

        // Payload-side indicators: status messages embedded in the binary.
        // All but $payload10 carry no modifiers, so they match exact
        // case-sensitive ASCII only; $payload10 also matches UTF-16LE.
        $payload1  = "Leave GetCommand!"
        $payload2  = "perform exe success!"
        $payload3  = "perform exe failure!"
        $payload4  = "Entry SendCommandReq!"
        $payload5  = "Reqfile not exist!"
        $payload6  = "LeaveDealUpfile!"
        $payload7  = "Entry PostData!"
        $payload8  = "Leave PostFile!"
        $payload9  = "Entry PostFile!"
        $payload10 = "\\unknow.zip" wide ascii
        $payload11 = "the url no respon!"

    condition:
        // "of" binds tighter than "or", so no parentheses are needed.
        2 of ($archive*) or 2 of ($payload*)
}
// Family-level rule for "Cookies". It adds no strings of its own and fires
// exactly when CookiesStrings fires, so the two rules always match together;
// it exists to give the family a stable name and tag.
rule Cookies : Family
{
    meta:
        last_modified = "2014-06-20"
        author = "Seth Hardy"
        description = "Cookies"

    condition:
        CookiesStrings
}