Added ruleset to detect a type of scam

ce12e9fa · Antonio S · f4341bde · ce12e9fa · ce12e9fa · ce12e9fa
Commit ce12e9fa authored Feb 01, 2016 by Antonio S
Show whitespace changes
Inline Side-by-side

Showing with 36 additions and 0 deletions

transferencia1.eml email/eml/transferencia1.eml +0 -0

transferencia2.eml email/eml/transferencia2.eml +0 -0

scam.yar email/scam.yar +36 -0

No files found.
--- a/email/eml/transferencia1.eml
+++ b/email/eml/transferencia1.eml
--- a/email/eml/transferencia2.eml
+++ b/email/eml/transferencia2.eml
--- a/email/scam.yar
+++ b/email/scam.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+*/
+rule content {
+	meta:
+		author = "A.Sanchez <asanchez@koodous.com>"
+		description = "Detects scam emails with phishing attachment."
+		test1 = "email/eml/transferencia1.eml"
+		test2 = "email/eml/transferencia2.eml"
+	strings:
+		$subject = "Asunto: Justificante de transferencia" nocase
+		$body = "Adjunto justificante de transferencia"
+	condition:
+		all of them
+}
+rule attachment {
+	meta:
+		author = "A.Sanchez <asanchez@koodous.com>"
+		description = "Detects scam emails with phishing attachment."
+		test1 = "email/eml/transferencia1.eml"
+		test2 = "email/eml/transferencia2.eml"
+	strings:
+		$filename = "filename=\"scan001.pdf.html\""
+		$pleaseEnter = "NTAlNkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlN" // Please enter 
+		$emailReq = "NkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUlNzglMzIlMkUlNDUlNkQlNjElNjklNkMlM0I" // ment.index2.Email;
+		$pAssign = "NzAlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUl" // p = document.inde
+	condition:
+		all of them
+}
\ No newline at end of file