1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule YayihCode : Yayih Family
{
meta:
description = "Yayih code features"
author = "Seth Hardy"
last_modified = "2014-07-11"
strings:
// encryption
$ = { 80 04 08 7A 03 C1 8B 45 FC 80 34 08 19 03 C1 41 3B 0A 7C E9 }
condition:
any of them
}
rule YayihStrings : Yayih Family
{
meta:
description = "Yayih Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-07-11"
strings:
$ = "/bbs/info.asp"
$ = "\\msinfo.exe"
$ = "%s\\%srcs.pdf"
$ = "\\aumLib.ini"
condition:
any of them
}
rule Yayih : Family
{
meta:
description = "Yayih"
author = "Seth Hardy"
last_modified = "2014-07-11"
condition:
YayihCode or YayihStrings
}