rule Malware_strings_in_lnk
{
    meta:
        description = "Windows shortcut (.lnk) whose body contains at least one string commonly seen in script-, downloader- or LOLBin-based lure shortcuts"
        scope = "Broad by design: single-token strings such as .exe, .dll, http, .xml or .csv also occur in benign shortcuts, so a hit is a triage signal rather than a verdict"

    strings:
        // ShellLink header: HeaderSize 0x0000004C followed by the first bytes of the LinkCLSID.
        // Anchored at offset 0 in the condition so only real .lnk files are considered.
        $hdr = { 4C 00 00 00 01 14 02 00 }

        // PowerShell invocation and the switches typically used to hide or decode a payload
        $s_ps_script   = ".ps1" ascii wide nocase
        $s_ps_name     = "powershell" ascii wide nocase
        $s_ps_exe      = "powershell.exe" ascii wide nocase
        $s_ps_invoke   = "invoke" ascii wide nocase
        $s_ps_convert  = "[Convert]" ascii wide nocase
        $s_ps_frombase = "FromBase" ascii wide nocase
        $s_ps_exec     = "-exec" ascii wide nocase
        $s_ps_nop      = "-nop" ascii wide nocase
        $s_ps_noni     = "-noni" ascii wide nocase
        $s_ps_hidden   = "-w hidden" ascii wide nocase
        $s_ps_enc      = "-enc" ascii wide nocase
        $s_ps_decode   = "-decode" ascii wide nocase
        $s_ps_bypass   = "bypass" ascii wide nocase
        $s_ps_asmload  = "Assembly.Load" ascii wide nocase
        $s_ps_refload  = "[Reflection.Assembly]::Load" ascii wide nocase

        // Windows Script Host engines, script file extensions and in-script loaders
        $s_wsh_js      = "javascript" ascii wide nocase
        $s_wsh_jscript = "jscript" ascii wide nocase
        $s_wsh_vbs     = "vbscript" ascii wide nocase
        $s_wsh_wscript = "wscript" ascii wide nocase
        $s_wsh_cscript = "cscript" ascii wide nocase
        $s_wsh_ext_js  = ".js" ascii wide nocase
        $s_wsh_ext_vb  = ".vb" ascii wide nocase
        $s_wsh_ext_wsc = ".wsc" ascii wide nocase
        $s_wsh_ext_wsh = ".wsh" ascii wide nocase
        $s_wsh_ext_wsf = ".wsf" ascii wide nocase
        $s_wsh_ext_sct = ".sct" ascii wide nocase
        $s_wsh_ext_cmd = ".cmd" ascii wide nocase
        $s_wsh_ext_hta = ".hta" ascii wide nocase
        $s_wsh_ext_bat = ".bat" ascii wide nocase
        $s_wsh_activex = "ActiveXObject" ascii wide nocase
        $s_wsh_eval    = "eval" ascii wide nocase

        // Native executables: extensions, DOS-stub text and the base64 form of an "MZ" header
        $s_pe_exe      = ".exe" ascii wide nocase
        $s_pe_dll      = ".dll" ascii wide nocase
        $s_pe_scr      = ".scr" ascii wide nocase
        $s_pe_pif      = ".pif" ascii wide nocase
        $s_pe_dosstub  = "This program" ascii wide nocase
        $s_pe_mz_b64   = "TVqQAA" ascii wide nocase

        // Archive containers, archive tooling and base64 forms of ZIP ("PK\x03\x04") and CAB ("MSCF") magic
        $s_arc_7z      = ".7z" ascii wide nocase
        $s_arc_zip     = ".zip" ascii wide nocase
        $s_arc_cab     = ".cab" ascii wide nocase
        $s_arc_iso     = ".iso" ascii wide nocase
        $s_arc_rar     = ".rar" ascii wide nocase
        $s_arc_bz2     = ".bz2" ascii wide nocase
        $s_arc_tar     = ".tar" ascii wide nocase
        $s_arc_lzh     = ".lzh" ascii wide nocase
        $s_arc_dat     = ".dat" ascii wide nocase
        $s_arc_rarexe  = "WinRAR\\Rar.exe" ascii wide nocase
        $s_arc_expand  = "expand" ascii wide nocase
        $s_arc_makecab = "makecab" ascii wide nocase
        $s_arc_zip_b64 = "UEsDBA" ascii wide nocase
        $s_arc_cab_b64 = "TVNDRg" ascii wide nocase

        // Command interpreter and living-off-the-land binaries used to stage or run a payload
        $s_cmd_exe     = "cmd.exe" ascii wide nocase
        $s_cmd_echo    = "/c echo" ascii wide nocase
        $s_cmd_start   = "/c start" ascii wide nocase
        $s_cmd_set     = "/c set" ascii wide nocase
        $s_cmd_comspec = "%COMSPEC%" ascii wide nocase
        $s_lol_rundll  = "rundll32.exe" ascii wide nocase
        $s_lol_regsvr  = "regsvr32.exe" ascii wide nocase
        $s_lol_wmic    = "process call" ascii wide nocase
        $s_lol_bits    = "bitsadmin" ascii wide nocase
        $s_lol_certutl = "certutil" ascii wide nocase

        // Remote fetch indicators: HTTP objects, URL schemes and hosting/CDN domains abused for payload delivery
        $s_net_xmlhttp = "ServerXMLHTTP" ascii wide nocase
        $s_net_http    = "http" ascii wide nocase
        $s_net_ftp     = "ftp" ascii wide nocase
        $s_net_url     = ".url" ascii wide nocase
        $s_net_cdn     = "cdn." ascii wide nocase
        $s_net_github  = "githubusercontent" ascii wide nocase
        $s_net_google  = "googleusercontent" ascii wide nocase
        $s_net_cfront  = "cloudfront" ascii wide nocase
        $s_net_aws     = "amazonaws" ascii wide nocase
        $s_net_akamai  = "akamai" ascii wide nocase
        $s_net_cdn77   = "cdn77" ascii wide nocase
        $s_net_discord = "discordapp" ascii wide nocase

        // Decoy documents: Office/PDF/Flash applications and file types often opened alongside the payload
        $s_doc_word    = "winword" ascii wide nocase
        $s_doc_excel   = "excel" ascii wide nocase
        $s_doc_ppt_app = "powerpnt" ascii wide nocase
        $s_doc_rtf     = ".rtf" ascii wide nocase
        $s_doc_doc     = ".doc" ascii wide nocase
        $s_doc_dot     = ".dot" ascii wide nocase
        $s_doc_xls     = ".xls" ascii wide nocase
        $s_doc_xla     = ".xla" ascii wide nocase
        $s_doc_csv     = ".csv" ascii wide nocase
        $s_doc_ppt     = ".ppt" ascii wide nocase
        $s_doc_pps     = ".pps" ascii wide nocase
        $s_doc_xml     = ".xml" ascii wide nocase
        $s_doc_pdf     = ".pdf" ascii wide nocase
        $s_doc_pdfmag  = "%PDF" ascii wide nocase
        $s_doc_swf     = ".swf" ascii wide nocase
        $s_doc_fws     = ".fws" ascii wide nocase

        // Path tricks: administrative share and directory traversal inside the target/argument fields
        $s_path_admin  = "\\c$\\" ascii wide nocase
        $s_path_trav   = "..\\..\\..\\..\\" ascii wide nocase

    condition:
        // Genuine ShellLink header at offset 0 and at least one indicator string anywhere in the file
        $hdr at 0 and 1 of ($s*)
}