This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
*/
rule bin_ndisk {
rule bin_ndisk : disk HackingTeam {
meta:
meta:
description = "Hacking Team Disclosure Sample - file ndisk.sys"
description = "Hacking Team Disclosure Sample - file ndisk.sys"
author = "Florian Roth"
author = "Florian Roth"
...
@@ -22,7 +22,7 @@ rule bin_ndisk {
...
@@ -22,7 +22,7 @@ rule bin_ndisk {
uint16(0) == 0x5a4d and filesize < 30KB and 6 of them
uint16(0) == 0x5a4d and filesize < 30KB and 6 of them
}
}
rule Hackingteam_Elevator_DLL {
rule Hackingteam_Elevator_DLL : dll HackingTeam {
meta:
meta:
description = "Hacking Team Disclosure Sample - file elevator.dll"
description = "Hacking Team Disclosure Sample - file elevator.dll"
author = "Florian Roth"
author = "Florian Roth"
...
@@ -44,7 +44,7 @@ rule Hackingteam_Elevator_DLL {
...
@@ -44,7 +44,7 @@ rule Hackingteam_Elevator_DLL {
uint16(0) == 0x5a4d and filesize < 1000KB and 6 of them
uint16(0) == 0x5a4d and filesize < 1000KB and 6 of them
}
}
rule HackingTeam_Elevator_EXE {
rule HackingTeam_Elevator_EXE : HackingTeam {
meta:
meta:
description = "Hacking Team Disclosure Sample - file elevator.exe"
description = "Hacking Team Disclosure Sample - file elevator.exe"
