From 25e2d3c449c43f3a04fd24d5dc74714152d6a538 Mon Sep 17 00:00:00 2001
From: Marc Rivero López <mriverolopez@gmail.com>
Date: Tue, 9 Feb 2016 09:59:27 +0100
Subject: [PATCH] Create Adwind_JAR_PACKA

---
 malware/Adwind_JAR_PACKA | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 malware/Adwind_JAR_PACKA

diff --git a/malware/Adwind_JAR_PACKA b/malware/Adwind_JAR_PACKA
new file mode 100644
index 0000000..bc2e9e7
--- /dev/null
+++ b/malware/Adwind_JAR_PACKA
@@ -0,0 +1,14 @@
+rule Adwind_JAR_PACKA {
+ meta:
+  author = “Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com”
+  reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
+  last_modi ed = “2015-11-30”
+ strings:
+  $b1 = “.class” ascii
+  $b2 = “c/a/a/” ascii
+  $b3 = “b/a/” ascii
+  $b4 = “a.dat” ascii
+  $b5 = “META-INF/MANIFEST.MF” ascii
+ condition:
+  int16(0) == 0x4B50 and ($b1 and $b2 and $b3 and $b4 and $b5)
+}
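Review bot: The rule as added will not compile: the values on the `author`, `last_modi ed` and `$b1`–`$b5` lines are wrapped in typographic quotes (“ ”) instead of ASCII `"`, and only the `reference` line uses ASCII quotes. The meta key `last_modi ed` also contains a space, apparently where an "fi" ligature was lost when copying from the PDF; it is presumably meant to be `last_modified`. Once it compiles, note that `$b2`–`$b4` are very short path fragments and the condition adds only a ZIP magic check, so the rule should be run against a set of benign JARs to gauge false positives before it is relied on for detection. The corrected meta and strings lines are below; the condition is unchanged.

```yara
 meta:
  author = "Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com"
  // … unchanged: reference …
  last_modified = "2015-11-30"
 strings:
  $b1 = ".class" ascii
  $b2 = "c/a/a/" ascii
  $b3 = "b/a/" ascii
  $b4 = "a.dat" ascii
  $b5 = "META-INF/MANIFEST.MF" ascii
  // … unchanged: condition …
```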
--
libgit2 0.26.0