Suspicious String Obfuscation Concat

Florian Roth 2018-10-10 16:30:32 +02:00
parent ce17d9ab65
commit ee33d93858


@ -174,3 +174,16 @@ rule SUSP_LNK_File_PathTraversal {
all of them
)
}
rule SUSP_Script_Obfuscation_Char_Concat {
meta:
description = "Detects strings found in sample from CN group repo leak in October 2018"
author = "Florian Roth"
reference = "https://twitter.com/JaromirHorejsi/status/1047084277920411648"
date = "2018-10-04"
hash1 = "b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b"
strings:
$s1 = "\"c\" & \"r\" & \"i\" & \"p\" & \"t\"" fullword ascii
condition:
1 of them
}
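Review bot: The only string in SUSP_Script_Obfuscation_Char_Concat, `$s1`, is declared `fullword ascii` with exactly one space on each side of every `&`, so the rule covers just the byte-exact form seen in the referenced sample. A script saved as UTF-16, or the same concatenation with different spacing or letter case, would presumably go undetected. Widening the modifiers, for example `$s1 = "\"c\" & \"r\" & \"i\" & \"p\" & \"t\"" ascii wide nocase`, or adding a regex variant that uses `\s*` around each `&`, would keep the rule useful beyond that one hash. The condition `1 of them` also has no size or file-type bound, so it is evaluated against every scanned file. Adding a `filesize` limit suited to script files would cut scan cost and make a hit in a large binary less likely.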