Merge pull request #38 from NoDataFound/patch-1

Create OpClandestineWolf.yar

OpClandestineWolf.yar

+rule OpClandestineWolf
+
+{
+ 
+   meta:
+        alert_severity = "HIGH"
+        log = "false"
+        author = "NDF"
+        weight = 0
+        alert = true
+        source = " https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html"
+        version = 1
+	date = "2015-06-23"
+	description = "Operation Clandestine Wolf signature based on OSINT from 06.23.15"
+	hash0 = "1a4b710621ef2e69b1f7790ae9b7a288"
+	hash1 = "917c92e8662faf96fffb8ffe7b7c80fb"
+	hash2 = "975b458cb80395fa32c9dda759cb3f7b"
+	hash3 = "3ed34de8609cd274e49bbd795f21acc4"
+	hash4 = "b1a55ec420dd6d24ff9e762c7b753868"
+	hash5 = "afd753a42036000ad476dcd81b56b754"
+	hash6 = "fad20abf8aa4eda0802504d806280dd7"
+	hash7 = "ab621059de2d1c92c3e7514e4b51751a"
+	hash8 = "510b77a4b075f09202209f989582dbea"
+	hash9 = "d1b1abfcc2d547e1ea1a4bb82294b9a3"
+	hash10 = "4692337bf7584f6bda464b9a76d268c1"
+	hash11 = "7cae5757f3ba9fef0a22ca0d56188439"
+	hash12 = "1a7ba923c6aa39cc9cb289a17599fce0"
+	hash13 = "f86db1905b3f4447eb5728859f9057b5"
+	hash14 = "37c6d1d3054e554e13d40ea42458ebed"
+	hash15 = "3e7430a09a44c0d1000f76c3adc6f4fa"
+	hash16 = "98eb249e4ddc4897b8be6fe838051af7"
+	hash17 = "1b57a7fad852b1d686c72e96f7837b44"
+	hash18 = "ffb84b8561e49a8db60e0001f630831f"
+	hash19 = "98eb249e4ddc4897b8be6fe838051af7"
+	hash20 = "dfb4025352a80c2d81b84b37ef00bcd0"
+	hash21 = "4457e89f4aec692d8507378694e0a3ba"
+	hash22 = "48de562acb62b469480b8e29821f33b8"
+	hash23 = "7a7eed9f2d1807f55a9308e21d81cccd"
+	hash24 = "6817b29e9832d8fd85dcbe4af176efb6"
+
+   strings:
+	$s0 = "flash.Media.Sound()"
+	$s1 = "call Kernel32!VirtualAlloc(0x1f140000hash$=0x10000hash$=0x1000hash$=0x40)"
+	$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
+	$s3 = "NetStream"
+
+	condition:
+		all of them
+}
+
+
+