Commit 4c886a76 by Marc Rivero López Committed by GitHub

Update EXPERIMENTAL_Beef.yar

parent 89db04c6
...@@ -10,12 +10,14 @@ ...@@ -10,12 +10,14 @@
*/ */
rule BeEF_browser_hooked : experimental { rule BeEF_browser_hooked : experimental
{
meta: meta:
description = "Yara rule related to hook.js, BeEF Browser hooking capability" description = "Yara rule related to hook.js, BeEF Browser hooking capability"
author = "Pasquale Stirparo" author = "Pasquale Stirparo"
date = "2015-10-07" date = "2015-10-07"
hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db" hash1 = "587e611f49baf63097ad2421ad0299b7b8403169ec22456fb6286abf051228db"
strings: strings:
$s0 = "mitb.poisonAnchor" wide ascii $s0 = "mitb.poisonAnchor" wide ascii
$s1 = "this.request(this.httpproto" wide ascii $s1 = "this.request(this.httpproto" wide ascii
...@@ -36,6 +38,7 @@ rule BeEF_browser_hooked : experimental { ...@@ -36,6 +38,7 @@ rule BeEF_browser_hooked : experimental {
$s16 = "uagent.search(engineOpera)" wide ascii $s16 = "uagent.search(engineOpera)" wide ascii
$s17 = "mitb.sniff" wide ascii $s17 = "mitb.sniff" wide ascii
$s18 = "beef.logger.start" wide ascii $s18 = "beef.logger.start" wide ascii
condition: condition:
all of them all of them
} }