From 70037ba67ef75e7391bcf8bd865453ed16f50aa1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 14 Apr 2018 11:56:12 +0200
Subject: [PATCH] PowerShell JAB rule

---
 yara/gen_powershell_susp.yar | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/yara/gen_powershell_susp.yar b/yara/gen_powershell_susp.yar
index 9613342..1420c28 100644
--- a/yara/gen_powershell_susp.yar
+++ b/yara/gen_powershell_susp.yar
@@ -171,3 +171,17 @@ rule SUSP_PowerShell_String_K32_RemProcess {
 condition:
 uint16(0) == 0x7566 and filesize < 6000KB and 1 of them
 }
+
+rule PowerShell_JAB_B64 {
+ meta:
+ description = "Detects base464 encoded $ sign at the beginning of a string"
+ author = "Florian Roth"
+ reference = "https://twitter.com/ItsReallyNick/status/980915287922040832"
+ date = "2018-04-02"
+ score = 60
+ strings:
+ $s1 = "('JAB" ascii wide
+ $s2 = "powershell" nocase
+ condition:
+ filesize < 30KB and all of them
+}
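Review bot: `$s2 = "powershell" nocase` carries no `wide` modifier while `$s1` is declared `ascii wide`, so on a UTF-16 encoded script `$s1` can match but `$s2` cannot and `all of them` never becomes true; `$s2 = "powershell" ascii wide nocase` would make the two strings agree. The meta description has a typo, `base464` should read `base64`, and it would help a reader to say that `JAB` is the base64 prefix produced by a UTF-16LE `$` followed by an identifier character, which is presumably what the author relies on. The rule name `PowerShell_JAB_B64` also drops the `SUSP_` prefix the neighbouring `SUSP_PowerShell_String_K32_RemProcess` uses; `rule SUSP_PowerShell_JAB_B64 {` would keep the file's naming consistent. The `('JAB` anchor ties the match to one quoting style, which looks intentional for precision but is worth noting in the description so the narrow coverage is not mistaken for a bug.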