MALW_Cxpid.yar
875 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule cxpidStrings
{
meta:
description = "cxpid Identifying Strings"
author = "Seth Hardy"
last_modified = "2014-06-23"
strings:
$ = "/cxpid/submit.php?SessionID="
$ = "/cxgid/"
$ = "E21BC52BEA2FEF26D005CF"
$ = "E21BC52BEA39E435C40CD8"
$ = " -,L-,O+,Q-,R-,Y-,S-"
condition:
any of them
}
rule cxpidCode
{
meta:
description = "cxpid code features"
author = "Seth Hardy"
last_modified = "2014-06-23"
strings:
$entryjunk = { 55 8B EC B9 38 04 00 00 6A 00 6A 00 49 75 F9 }
condition:
any of them
}