/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule nAspyUpdateCode : nAspyUpdate Family { meta: description = "nAspyUpdate code features" author = "Seth Hardy" last_modified = "2014-07-14" strings: // decryption loop in dropper $ = { 8A 54 24 14 8A 01 32 C2 02 C2 88 01 41 4E 75 F4 } condition: any of them } rule nAspyUpdateStrings : nAspyUpdate Family { meta: description = "nAspyUpdate Identifying Strings" author = "Seth Hardy" last_modified = "2014-07-14" strings: $ = "\\httpclient.txt" $ = "password <=14" $ = "/%ldn.txt" $ = "Kill You\x00" condition: any of them } rule nAspyUpdate : Family { meta: description = "nAspyUpdate" author = "Seth Hardy" last_modified = "2014-07-14" condition: nAspyUpdateCode or nAspyUpdateStrings }