From 898b8dfb444a9a0cdbb19b0fa32987cc0a1f36b2 Mon Sep 17 00:00:00 2001
From: Jan Neduchal
Date: Mon, 22 Feb 2021 11:47:40 +0100
Subject: [PATCH] unpackertool: added signatures for new UPX versions
---
 .../plugins/upx/upx_stub_signatures.cpp | 358 +++++++++++++++++-
 .../yara_patterns/tools/elf/arm/packers.yara | 314 +++++++++++++++
 .../yara_patterns/tools/elf/mips/packers.yara | 179 +++++++++
 .../yara_patterns/tools/elf/ppc/packers.yara | 73 ++++
 .../yara_patterns/tools/elf/x64/packers.yara | 59 +++
 .../yara_patterns/tools/elf/x86/packers.yara | 59 +++
 6 files changed, 1037 insertions(+), 5 deletions(-)
diff --git a/src/unpackertool/plugins/upx/upx_stub_signatures.cpp b/src/unpackertool/plugins/upx/upx_stub_signatures.cpp
index b0889653b..2c1750cbc 100644
--- a/src/unpackertool/plugins/upx/upx_stub_signatures.cpp
+++ b/src/unpackertool/plugins/upx/upx_stub_signatures.cpp
@@ -198,6 +198,79 @@ Signature x86ElfNrv2eSignature2 =
 0x75, 0x28 // JNZ rel +0x28
 };
+Signature x86ElfLzmaSignaturev394 =
+{
+ 0xE8, ANY, ANY, ANY, ANY, 0xEB, 0x0E, 0x5A, 0x58, 0x59,
+ 0x97, 0x60, 0x8A, 0x54, 0x24, 0x20, 0xE9, 0x11, 0x0B, 0x00,
+ 0x00, 0x60, 0x8B, 0x74, 0x24, 0x24, 0x8B, 0x7C, 0x24, 0x2C,
+ 0x83, 0xCD, 0xFF, 0x89, 0xE5, 0x8B, 0x55, 0x28, 0xAC, 0x4A,
+ 0x88, 0xC1, 0x24, 0x07, 0xC0, 0xE9, 0x03, 0xBB, 0x00, 0xFD,
+ 0xFF, 0xFF, 0xD3, 0xE3, 0x8D, 0xA4, 0x5C, 0x90, 0xF1, 0xFF,
+ 0xFF, 0x83, 0xE4, 0xE0, 0x6A, 0x00, 0x6A, 0x00, 0x89, 0xE3,
+ 0x53, 0x83, 0xC3, 0x04, 0x8B, 0x4D, 0x30, 0xFF, 0x31, 0x57,
+ 0x53, 0x83, 0xC3, 0x04, 0x88, 0x43, 0x02, 0xAC, 0x4A, 0x88,
+ 0xC1, 0x24, 0x0F, 0x88, 0x03, 0xC0, 0xE9, 0x04, 0x88, 0x4B
+};
+
+Signature x86ElfLzmaSignaturev395 =
+{
+ 0x50, 0xE8, ANY, ANY, ANY, ANY, 0xEB, 0x0E, 0x5A, 0x58,
+ 0x59, 0x97, 0x60, 0x8A, 0x54, 0x24, 0x20, 0xE9, 0x11, 0x0B,
+ 0x00, 0x00, 0x60, 0x8B, 0x74, 0x24, 0x24, 0x8B, 0x7C, 0x24,
+ 0x2C, 0x83, 0xCD, 0xFF, 0x89, 0xE5, 0x8B, 0x55, 0x28, 0xAC,
+ 0x4A, 0x88, 0xC1, 0x24, 0x07, 0xC0, 0xE9, 0x03, 0xBB, 0x00,
+ 0xFD, 0xFF, 0xFF, 0xD3, 0xE3, 0x8D, 0xA4, 0x5C, 0x90, 0xF1,
+ 0xFF, 0xFF, 0x83, 0xE4, 0xE0, 0x6A, 0x00, 0x6A, 0x00, 0x89,
+ 0xE3, 0x53, 0x83, 0xC3, 0x04, 0x8B, 0x4D, 0x30, 0xFF, 0x31,
+ 0x57, 0x53, 0x83, 0xC3, 0x04, 0x88, 0x43, 0x02, 0xAC, 0x4A,
+ 0x88, 0xC1, 0x24, 0x0F, 0x88, 0x03, 0xC0, 0xE9, 0x04, 0x88
+};
+
+
+Signature x86ElfNrv2bSignaturev395 =
+{
+ 0x50, 0xE8, ANY, ANY, ANY, ANY, 0xEB, 0x0E, 0x5A, 0x58,
+ 0x59, 0x97, 0x60, 0x8A, 0x54, 0x24, 0x20, 0xE9, 0xED, 0x00,
+ 0x00, 0x00, 0x60, 0x8B, 0x74, 0x24, 0x24, 0x8B, 0x7C, 0x24,
+ 0x2C, 0x83, 0xCD, 0xFF, 0xEB, 0x0E, 0x90, 0x90, 0x90, 0x90,
+ 0x8A, 0x06, 0x46, 0x88, 0x07, 0x47, 0x01, 0xDB, 0x75, 0x07,
+ 0x8B, 0x1E, 0x83, 0xEE, 0xFC, 0x11, 0xDB, 0x8A, 0x07, 0x72,
+ 0xEB, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x01, 0xDB, 0x75, 0x07,
+ 0x8B, 0x1E, 0x83, 0xEE, 0xFC, 0x11, 0xDB, 0x11, 0xC0, 0x01,
+ 0xDB, 0x73, 0xEF, 0x75, 0x09, 0x8B, 0x1E, 0x83, 0xEE, 0xFC,
+ 0x11, 0xDB, 0x73, 0xE4, 0x31, 0xC9, 0x83, 0xE8, 0x03, 0x72
+};
+
+
+Signature x86ElfNrv2dSignaturev395 =
+{
+ 0x50, 0xE8, ANY, ANY, ANY, ANY, 0xEB, 0x0E, 0x5A, 0x58,
+ 0x59, 0x97, 0x60, 0x8A, 0x54, 0x24, 0x20, 0xE9, 0x01, 0x01,
+ 0x00, 0x00, 0x60, 0x8B, 0x74, 0x24, 0x24, 0x8B, 0x7C, 0x24,
+ 0x2C, 0x83, 0xCD, 0xFF, 0xEB, 0x0E, 0x90, 0x90, 0x90, 0x90,
+ 0x8A, 0x06, 0x46, 0x88, 0x07, 0x47, 0x01, 0xDB, 0x75, 0x07,
+ 0x8B, 0x1E, 0x83, 0xEE, 0xFC, 0x11, 0xDB, 0x8A, 0x07, 0x72,
+ 0xEB, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x01, 0xDB, 0x75, 0x07,
+ 0x8B, 0x1E, 0x83, 0xEE, 0xFC, 0x11, 0xDB, 0x11, 0xC0, 0x01,
+ 0xDB, 0x73, 0x0B, 0x75, 0x19, 0x8B, 0x1E, 0x83, 0xEE, 0xFC,
+ 0x11, 0xDB, 0x72, 0x10, 0x48, 0x01, 0xDB, 0x75, 0x07, 0x8B
+};
+
+
+Signature x86ElfNrv2eSignaturev395 =
+{
+ 0x50, 0xE8, ANY, ANY, ANY, ANY, 0xEB, 0x0E, 0x5A, 0x58,
+ 0x59, 0x97, 0x60, 0x8A, 0x54, 0x24, 0x20, 0xE9, 0x11, 0x01,
+ 0x00, 0x00, 0x60, 0x8B, 0x74, 0x24, 0x24, 0x8B, 0x7C, 0x24,
+ 0x2C, 0x83, 0xCD, 0xFF, 0xEB, 0x0E, 0x90, 0x90, 0x90, 0x90,
+ 0x8A, 0x06, 0x46, 0x88, 0x07, 0x47, 0x01, 0xDB, 0x75, 0x07,
+ 0x8B, 0x1E, 0x83, 0xEE, 0xFC, 0x11, 0xDB, 0x8A, 0x07, 0x72,
+ 0xEB, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x01, 0xDB, 0x75, 0x07,
+ 0x8B, 0x1E, 0x83, 0xEE, 0xFC, 0x11, 0xDB, 0x11, 0xC0, 0x01,
+ 0xDB, 0x73, 0x0B, 0x75, 0x28, 0x8B, 0x1E, 0x83, 0xEE, 0xFC,
+ 0x11, 0xDB, 0x72, 0x1F, 0x48, 0x01, 0xDB, 0x75, 0x07, 0x8B
+};
+
 // Architecture x86
 // File format PE
 // LZMA Version 1
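Review bot: `x86ElfLzmaSignaturev394` is a strict substring of `x86ElfLzmaSignaturev395` — v395 is `0x50` followed by the first 99 bytes of v394 — and the x64 hunk repeats the pattern (`x64ElfLzmaSignaturev395` is `0x50, 0x52` followed by the first 47 bytes of `x64ElfLzmaSignaturev394`), so unless the matcher anchors each signature to one exact offset a v395 stub also satisfies the v394 entry and the order of `allStubs` alone decides which version is reported. A comment on the v395 definition recording the overlap, e.g. `// NOTE: 0x50 (PUSH EAX) + first 99 bytes of the v394 stub; overlapping match, table order matters`, would make the precedence explicit. None of the new `Signature` definitions in this hunk, nor those in the x64, MIPS LE/BE, ARM and PowerPC hunks below, carry the per-byte disassembly comments (`// JNZ rel +0x28`) or the `// Architecture … / File format … / <method>` group header the surrounding definitions use, so a reader cannot tell which bytes discriminate the versions; a header per group such as `// Architecture x86 / File format ELF / LZMA + NRV2B/D/E, UPX 3.94 and 3.95` is the minimum.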
@@ -658,6 +731,99 @@ Signature x64ElfNrv2eSignature =
 0x48, 0xFF, 0xC6 // INC RSI
 };
+Signature x64ElfLzmaSignaturev394 =
+{
+ 0xE8, ANY, ANY, ANY, ANY, 0x55, 0x53, 0x51, 0x52,
+ 0x48, 0x01, 0xFE, 0x56, 0x41, 0x80, 0xF8, 0x0E, 0x0F,
+ 0x85, 0x65, 0x0A, 0x00, 0x00, 0x55, 0x48, 0x89, 0xE5,
+ 0x44, 0x8B, 0x09, 0x49, 0x89, 0xD0, 0x48, 0x89, 0xF2,
+ 0x48, 0x8D, 0x77, 0x02, 0x56, 0x8A, 0x07, 0xFF, 0xCA,
+ 0x88, 0xC1, 0x24, 0x07
+};
+
+Signature x64ElfLzmaSignaturev395 =
+{
+ 0x50, 0x52, 0xE8, ANY, ANY, ANY, ANY, 0x55, 0x53,
+ 0x51, 0x52, 0x48, 0x01, 0xFE, 0x56, 0x41, 0x80, 0xF8,
+ 0x0E, 0x0F, 0x85, 0x65, 0x0A, 0x00, 0x00, 0x55, 0x48,
+ 0x89, 0xE5, 0x44, 0x8B, 0x09, 0x49, 0x89, 0xD0, 0x48,
+ 0x89, 0xF2, 0x48, 0x8D, 0x77, 0x02, 0x56, 0x8A, 0x07,
+ 0xFF, 0xCA, 0x88, 0xC1
+};
+
+
+Signature x64ElfNrv2bSignaturev395 =
+{
+ 0xFC, 0x41, 0x5B, 0x41, 0x80, 0xF8, 0x02, 0x74, 0x0D,
+ 0xE9, 0x85, 0x00, 0x00, 0x00, 0x48, 0xFF, 0xC6, 0x88,
+ 0x17, 0x48, 0xFF, 0xC7, 0x8A, 0x16, 0x01, 0xDB, 0x75,
+ 0x0A, 0x8B, 0x1E, 0x48, 0x83, 0xEE, 0xFC, 0x11, 0xDB,
+ 0x8A, 0x16, 0x72, 0xE6, 0x8D, 0x41, 0x01, 0x41, 0xFF,
+ 0xD3, 0x11, 0xC0, 0x01
+};
+
+
+Signature x64ElfNrv2dSignaturev395 =
+{
+ 0xFC, 0x41, 0x5B, 0x41, 0x80, 0xF8, 0x05, 0x74, 0x0D,
+ 0xE9, 0x93, 0x00, 0x00, 0x00, 0x48, 0xFF, 0xC6, 0x88,
+ 0x17, 0x48, 0xFF, 0xC7, 0x8A, 0x16, 0x01, 0xDB, 0x75,
+ 0x0A, 0x8B, 0x1E, 0x48, 0x83, 0xEE, 0xFC, 0x11, 0xDB,
+ 0x8A, 0x16, 0x72, 0xE6, 0x8D, 0x41, 0x01, 0xEB, 0x07,
+ 0xFF, 0xC8, 0x41, 0xFF
+};
+
+
+Signature x64ElfNrv2eSignaturev395 =
+{
+ 0xFC, 0x41, 0x5B, 0x41, 0x80, 0xF8, 0x08, 0x74, 0x0D,
+ 0xE9, 0xAC, 0x00, 0x00, 0x00, 0x48, 0xFF, 0xC6, 0x88,
+ 0x17, 0x48, 0xFF, 0xC7, 0x8A, 0x16, 0x01, 0xDB, 0x75,
+ 0x0A, 0x8B, 0x1E, 0x48, 0x83, 0xEE, 0xFC, 0x11, 0xDB,
+ 0x8A, 0x16, 0x72, 0xE6, 0x8D, 0x41, 0x01, 0xEB, 0x07,
+ 0xFF, 0xC8, 0x41, 0xFF
+};
+
+Signature x64ElfLzmaSignaturev396 =
+{
+ 0x50, 0x52, 0xE8, ANY, ANY, ANY, ANY, 0x55, 0x53,
+ 0x51, 0x52, 0x48, 0x01, 0xFE, 0x56, 0x41, 0x80, 0xF8,
+ 0x0E, 0x0F, 0x85, 0x67, 0x0A, 0x00, 0x00, 0x55, 0x48,
+ 0x89, 0xE5, 0x44, 0x8B, 0x09, 0x49, 0x89, 0xD0, 0x48,
+ 0x89, 0xF2, 0x48, 0x8D, 0x77, 0x02, 0x56, 0x8A, 0x07,
+ 0xFF, 0xCA, 0x88, 0xC1
+};
+
+Signature x64ElfNrv2bSignaturev396 =
+{
+ 0xFC, 0x41, 0x5B, 0x41, 0x80, 0xF8, 0x02, 0x0F, 0x85,
+ 0x87, 0x00, 0x00, 0x00, 0xEB, 0x08, 0x48, 0xFF, 0xC6,
+ 0x88, 0x17, 0x48, 0xFF, 0xC7, 0x8A, 0x16, 0x01, 0xDB,
+ 0x75, 0x0A, 0x8B, 0x1E, 0x48, 0x83, 0xEE, 0xFC, 0x11,
+ 0xDB, 0x8A, 0x16, 0x72, 0xE6, 0x8D, 0x41, 0x01, 0x41,
+ 0xFF, 0xD3, 0x11, 0xC0
+};
+
+Signature x64ElfNrv2dSignaturev396 =
+{
+ 0xFC, 0x41, 0x5B, 0x41, 0x80, 0xF8, 0x05, 0x0F, 0x85,
+ 0x95, 0x00, 0x00, 0x00, 0xEB, 0x08, 0x48, 0xFF, 0xC6,
+ 0x88, 0x17, 0x48, 0xFF, 0xC7, 0x8A, 0x16, 0x01, 0xDB,
+ 0x75, 0x0A, 0x8B, 0x1E, 0x48, 0x83, 0xEE, 0xFC, 0x11,
+ 0xDB, 0x8A, 0x16, 0x72, 0xE6, 0x8D, 0x41, 0x01, 0xEB,
+ 0x07, 0xFF, 0xC8, 0x41
+};
+
+Signature x64ElfNrv2eSignaturev396 =
+{
+ 0xFC, 0x41, 0x5B, 0x41, 0x80, 0xF8, 0x08, 0x0F, 0x85,
+ 0xAE, 0x00, 0x00, 0x00, 0xEB, 0x08, 0x48, 0xFF, 0xC6,
+ 0x88, 0x17, 0x48, 0xFF, 0xC7, 0x8A, 0x16, 0x01, 0xDB,
+ 0x75, 0x0A, 0x8B, 0x1E, 0x48, 0x83, 0xEE, 0xFC, 0x11,
+ 0xDB, 0x8A, 0x16, 0x72, 0xE6, 0x8D, 0x41, 0x01, 0xEB,
+ 0x07, 0xFF, 0xC8, 0x41
+};
+
 // Architecture x64
 // File format PE
 // LZMA
@@ -909,6 +1075,46 @@ Signature mipsLeElfNrv2eSignature =
 0x21, 0x78, 0xEE, 0x01 // ADDU $t7, $t6
 };
+Signature mipsLeElfLzmaSignaturev395 =
+{
+ 0x6D, 0x03, 0x11, 0x04, 0x00, 0x00, 0xFE, 0x27, 0x00,
+ 0x00, 0x99, 0x90, 0x00, 0xFA, 0x01, 0x24, 0x01, 0x00,
+ 0x98, 0x90, 0x07, 0x00, 0x22, 0x33, 0xC2, 0xC8, 0x19,
+ 0x00, 0x04, 0x08, 0x21, 0x03, 0x60, 0xF1, 0x21, 0x24,
+ 0x21, 0xE8, 0xA1, 0x03, 0x28, 0x00, 0xA1, 0xAF, 0x20,
+ 0x00, 0xAA, 0x27, 0x2C
+};
+
+Signature mipsLeElfNrv2bSignaturev395 =
+{
+ 0xD7, 0x00, 0x11, 0x04, 0x00, 0x00, 0xFE, 0x27, 0xFC,
+ 0xFF, 0xBD, 0x27, 0x00, 0x00, 0xBF, 0xAF, 0x20, 0x28,
+ 0xA4, 0x00, 0x00, 0x00, 0xE6, 0xAC, 0x00, 0x80, 0x0D,
+ 0x3C, 0x21, 0x48, 0xA0, 0x01, 0x01, 0x00, 0x0B, 0x24,
+ 0x38, 0x00, 0x11, 0x04, 0x01, 0x00, 0x0F, 0x24, 0x05,
+ 0x00, 0xC0, 0x11, 0x00
+};
+
+Signature mipsLeElfNrv2dSignaturev395 =
+{
+ 0xDE, 0x00, 0x11, 0x04, 0x00, 0x00, 0xFE, 0x27, 0xFC,
+ 0xFF, 0xBD, 0x27, 0x00, 0x00, 0xBF, 0xAF, 0x20, 0x28,
+ 0xA4, 0x00, 0x00, 0x00, 0xE6, 0xAC, 0x00, 0x80, 0x0D,
+ 0x3C, 0x21, 0x48, 0xA0, 0x01, 0x01, 0x00, 0x0B, 0x24,
+ 0x3F, 0x00, 0x11, 0x04, 0x01, 0x00, 0x0F, 0x24, 0x05,
+ 0x00, 0xC0, 0x11, 0x00
+};
+
+Signature mipsLeElfNrv2eSignaturev395 =
+{
+ 0xE2, 0x00, 0x11, 0x04, 0x00, 0x00, 0xFE, 0x27, 0xFC,
+ 0xFF, 0xBD, 0x27, 0x00, 0x00, 0xBF, 0xAF, 0x20, 0x28,
+ 0xA4, 0x00, 0x00, 0x00, 0xE6, 0xAC, 0x00, 0x80, 0x0D,
+ 0x3C, 0x21, 0x48, 0xA0, 0x01, 0x01, 0x00, 0x0B, 0x24,
+ 0x43, 0x00, 0x11, 0x04, 0x01, 0x00, 0x0F, 0x24, 0x05,
+ 0x00, 0xC0, 0x11, 0x00
+};
+
 // Architecture MIPS Big-endian
 // File format ELF
 // LZMA
@@ -1011,6 +1217,48 @@ Signature mipsBeElfNrv2eSignature =
 0x01, 0xEE, 0x78, 0x21 // ADDU $t7, $t6
 };
+Signature mipsBeElfLzmaSignaturev395 =
+{
+ 0x04, 0x11, 0x03, 0x6D, 0x27, 0xFE, 0x00, 0x00, 0x90,
+ 0x99, 0x00, 0x00, 0x24, 0x01, 0xFA, 0x00, 0x90, 0x98,
+ 0x00, 0x01, 0x33, 0x22, 0x00, 0x07, 0x00, 0x19, 0xC8,
+ 0xC2, 0x03, 0x21, 0x08, 0x04, 0x24, 0x21, 0xF1, 0x60,
+ 0x03, 0xA1, 0xE8, 0x21, 0xAF, 0xA1, 0x00, 0x28, 0x27,
+ 0xAA, 0x00, 0x20, 0xAF
+};
+
+Signature mipsBeElfNrv2bSignaturev395 =
+{
+ 0x04, 0x11, 0x00, 0xE1, 0x27, 0xFE, 0x00, 0x00, 0x27,
+ 0xBD, 0xFF, 0xFC, 0xAF, 0xBF, 0x00, 0x00, 0x00, 0xA4,
+ 0x28, 0x20, 0xAC, 0xE6, 0x00, 0x00, 0x3C, 0x0D, 0x80,
+ 0x00, 0x01, 0xA0, 0x48, 0x21, 0x24, 0x0B, 0x00, 0x01,
+ 0x04, 0x11, 0x00, 0x42, 0x24, 0x0F, 0x00, 0x01, 0x11,
+ 0xC0, 0x00, 0x05, 0x90
+};
+
+
+Signature mipsBeElfNrv2dSignaturev395 =
+{
+ 0x04, 0x11, 0x00, 0xE8, 0x27, 0xFE, 0x00, 0x00, 0x27,
+ 0xBD, 0xFF, 0xFC, 0xAF, 0xBF, 0x00, 0x00, 0x00, 0xA4,
+ 0x28, 0x20, 0xAC, 0xE6, 0x00, 0x00, 0x3C, 0x0D, 0x80,
+ 0x00, 0x01, 0xA0, 0x48, 0x21, 0x24, 0x0B, 0x00, 0x01,
+ 0x04, 0x11, 0x00, 0x49, 0x24, 0x0F, 0x00, 0x01, 0x11,
+ 0xC0, 0x00, 0x05, 0x90
+};
+
+
+Signature mipsBeElfNrv2eSignaturev395 =
+{
+ 0x04, 0x11, 0x00, 0xEC, 0x27, 0xFE, 0x00, 0x00, 0x27,
+ 0xBD, 0xFF, 0xFC, 0xAF, 0xBF, 0x00, 0x00, 0x00, 0xA4,
+ 0x28, 0x20, 0xAC, 0xE6, 0x00, 0x00, 0x3C, 0x0D, 0x80,
+ 0x00, 0x01, 0xA0, 0x48, 0x21, 0x24, 0x0B, 0x00, 0x01,
+ 0x04, 0x11, 0x00, 0x4D, 0x24, 0x0F, 0x00, 0x01, 0x11,
+ 0xC0, 0x00, 0x05, 0x90
+};
+
 // Architecture ARM
 // File Format ELF
 // LZMA
@@ -1095,6 +1343,53 @@ Signature armElfNrv2eSignature =
 0x01, 0x10, 0xA1, 0xE0 // ADC R1, R1, R1
 };
+Signature armElfLzmaSignaturev394 =
+{
+ 0x01, 0xC0, 0xD1, 0xE4, 0x07, 0xC0, 0x0C, 0xE2, 0x12, 0xC0, 0xCD, 0xE5, 0x01, 0xC0, 0xD1, 0xE4
+};
+
+
+Signature armElfNrv2eSignaturev394 =
+{
+ 0x01, 0x10, 0x41, 0xE2, 0x04, 0x40, 0x94, 0xE0, 0xF1, 0xFF, 0xFF, 0x0B, 0x01, 0x10, 0xA1, 0xE0
+};
+
+
+Signature armElfNrv2dSignaturev394 =
+{
+ 0x01, 0x10, 0x41, 0xE2, 0x04, 0x40, 0x94, 0xE0, 0xF1, 0xFF, 0xFF, 0x0B, 0x01, 0x10, 0xB1, 0xE0
+};
+
+
+Signature armElfNrv2bSignaturev394 =
+{
+ 0xFB, 0xFF, 0xFF, 0x3A, 0x0C, 0xF0, 0xA0, 0xE1, 0x01, 0x30, 0xD0, 0xE4, 0x01, 0x30, 0xC2, 0xE4
+};
+
+
+Signature armBeElfLzmaSignaturev394 =
+{
+ 0xE1, 0xA0, 0x30, 0x00, 0xE8, 0xBD, 0x00, 0x03, 0xE5, 0x91, 0x10, 0x00, 0xE0, 0x81, 0x10, 0x00
+};
+
+
+Signature armBeElfNrv2bSignaturev393 =
+{
+ 0x2A, 0xFF, 0xFF, 0xFB, 0xEB, 0xFF, 0xFF, 0xF3, 0xE2, 0x51, 0x30, 0x03, 0xE3, 0xA0, 0x10, 0x00
+};
+
+
+Signature armBeElfNrv2dSignaturev393 =
+{
+ 0x0B, 0xFF, 0xFF, 0xEE, 0xE0, 0xB1, 0x10, 0x01, 0xE0, 0x94, 0x40, 0x04, 0x0B, 0xFF, 0xFF, 0xEB
+};
+
+
+Signature armBeElfNrv2eSignaturev393 =
+{
+ 0x0B, 0xFF, 0xFF, 0xEE, 0xE0, 0xA1, 0x10, 0x01, 0xE0, 0x94, 0x40, 0x04, 0x0B, 0xFF, 0xFF, 0xEB
+};
+
 // File Format ARM
 // LZMA
 Signature armMachOLzmaSignature =
@@ -1226,6 +1521,18 @@ Signature ppcElfNrv2eSignature =
 ANYB(0x48, 0x03), ANY, ANY, ANYB(0x00, 0xFC) // B rel +XX
 };
+Signature ppcElfLzmaSignaturev394 =
+{
+ 0x48, ANY, ANY, ANY,
+ 0x28, 0x07, 0x00, 0x0E,
+ 0x40, ANY, ANY, ANY,
+ 0x94, 0x21, 0xFF, 0xE8,
+ 0x7C, 0x08, 0x02, 0xA6,
+ 0x7C, 0xC9, 0x33, 0x78,
+ 0x81, 0x06, 0x00, 0x00,
+ 0x7C, 0xA7, 0x2B, 0x78
+};
+
 // Modified UPX stubs
 // psyb0t - MIPS Little-endian ELF
 Signature psyb0t_mipsLeElfNrv2bSignature =
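Review bot: The eight new ARM signatures are 16 bytes (four instructions) each, far shorter than the 100-byte x86 ones added above, and `armElfNrv2dSignaturev394`/`armElfNrv2eSignaturev394` — like the BE `v393` NRV2D/NRV2E pair — differ in exactly one byte (`0xB1` vs `0xA1`, which appears to be the S bit of the ADC), so a per-line disassembly comment in the style of the existing `// ADC R1, R1, R1` is needed to record why that byte is the discriminator and that the table entries pin these words at fixed offsets. The version tags are uneven within the group (LE and BE LZMA are `v394`, the BE NRV variants `v393`) and the LE block is declared LZMA, NRV2E, NRV2D, NRV2B, the reverse of every other group in the file; a header comment naming the UPX release each signature was taken from, e.g. `// Architecture ARM (LE/BE) / File Format ELF / UPX 3.93–3.94 stubs`, would resolve both. The PowerPC hunk below lacks the same header.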
@@ -1643,6 +1950,11 @@ std::vector UpxStubSignatures::allStubs =
 { Architecture::X86, Format::ELF, &x86ElfNrv2dSignature2, UpxStubVersion::NRV2D, 0x0, 0x0 },
 { Architecture::X86, Format::ELF, &x86ElfNrv2eSignature1, UpxStubVersion::NRV2E, 0x0, 0x0 },
 { Architecture::X86, Format::ELF, &x86ElfNrv2eSignature2, UpxStubVersion::NRV2E, 0x0, 0x0 },
+ { Architecture::X86, Format::ELF, &x86ElfLzmaSignaturev394, UpxStubVersion::LZMA, 0x0, 0x0 },
+ { Architecture::X86, Format::ELF, &x86ElfLzmaSignaturev395, UpxStubVersion::LZMA, 0x0, 0x0 },
+ { Architecture::X86, Format::ELF, &x86ElfNrv2bSignaturev395, UpxStubVersion::NRV2B, 0x0, 0x0 },
+ { Architecture::X86, Format::ELF, &x86ElfNrv2dSignaturev395, UpxStubVersion::NRV2D, 0x0, 0x0 },
+ { Architecture::X86, Format::ELF, &x86ElfNrv2eSignaturev395, UpxStubVersion::NRV2E, 0x0, 0x0 },
 // x86 PE
 { Architecture::X86, Format::PE, &x86PeLzmaSignature1, UpxStubVersion::LZMA, 0xAE1, 0x0 },
 { Architecture::X86, Format::PE, &x86PeLzmaSignature2, UpxStubVersion::LZMA, 0xAE9, 0x0 },
@@ -1666,6 +1978,21 @@ std::vector UpxStubSignatures::allStubs =
 { Architecture::X86_64, Format::ELF, &x64ElfNrv2bSignature, UpxStubVersion::NRV2B, 0x0, 0x90 },
 { Architecture::X86_64, Format::ELF, &x64ElfNrv2dSignature, UpxStubVersion::NRV2D, 0x0, 0x90 },
 { Architecture::X86_64, Format::ELF, &x64ElfNrv2eSignature, UpxStubVersion::NRV2E, 0x0, 0x90 },
+
+ { Architecture::X86_64, Format::ELF, &x64ElfLzmaSignaturev394, UpxStubVersion::LZMA, 0x0, 0x0 },
+ { Architecture::X86_64, Format::ELF, &x64ElfLzmaSignaturev395, UpxStubVersion::LZMA, 0x0, 0x0 },
+ { Architecture::X86_64, Format::ELF, &x64ElfLzmaSignaturev396, UpxStubVersion::LZMA, 0x0, 0x0 },
+
+ { Architecture::X86_64, Format::ELF, &x64ElfNrv2bSignaturev395, UpxStubVersion::NRV2B, 0x0, 0x90 },
+ { Architecture::X86_64, Format::ELF, &x64ElfNrv2bSignaturev396, UpxStubVersion::NRV2B, 0x0, 0x90 },
+
+
+ { Architecture::X86_64, Format::ELF, &x64ElfNrv2dSignaturev395, UpxStubVersion::NRV2D, 0x0, 0x90 },
+ { Architecture::X86_64, Format::ELF, &x64ElfNrv2dSignaturev396, UpxStubVersion::NRV2D, 0x0, 0x90 },
+
+ { Architecture::X86_64, Format::ELF, &x64ElfNrv2eSignaturev395, UpxStubVersion::NRV2E, 0x0, 0x90 },
+ { Architecture::X86_64, Format::ELF, &x64ElfNrv2eSignaturev396, UpxStubVersion::NRV2E, 0x0, 0x90 },
+
 // x64 PE
 { Architecture::X86_64, Format::PE, &x64PeLzmaSignature, UpxStubVersion::LZMA, 0xA7B, 0x0 },
 { Architecture::X86_64, Format::PE, &x64PeNrv2bSignature, UpxStubVersion::NRV2B, 0x0FB, 0x0 },
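Review bot: The nine new rows are separated by added blank lines, including a double blank between the NRV2B and NRV2D pairs, while the rest of `allStubs` is a dense table broken only by one comment per architecture/format group such as `// x64 PE`; dropping the blanks and introducing the rows with a single comment, e.g. `// x64 ELF, UPX 3.94-3.96`, keeps the table consistent. The new LZMA rows carry `0x0, 0x0` and the new NRV rows `0x0, 0x90`, matching the existing NRV rows, but nothing in this file section says what the two trailing fields mean, so a comment on the table header documenting them would help whoever adds the next version. The `allStubs` initializer begins and ends outside this hunk.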
@@ -1681,16 +2008,36 @@ std::vector UpxStubSignatures::allStubs =
 { Architecture::MIPS, Format::ELF, &mipsLeElfNrv2bSignature, UpxStubVersion::NRV2B, 0x0, 0x0 },
 { Architecture::MIPS, Format::ELF, &mipsLeElfNrv2dSignature, UpxStubVersion::NRV2D, 0x0, 0x0 },
 { Architecture::MIPS, Format::ELF, &mipsLeElfNrv2eSignature, UpxStubVersion::NRV2E, 0x0, 0x0 },
+
+ { Architecture::MIPS, Format::ELF, &mipsLeElfLzmaSignaturev395, UpxStubVersion::LZMA, 0x0, 0x0 },
+ { Architecture::MIPS, Format::ELF, &mipsLeElfNrv2bSignaturev395, UpxStubVersion::NRV2B, 0x0, 0x0 },
+ { Architecture::MIPS, Format::ELF, &mipsLeElfNrv2dSignaturev395, UpxStubVersion::NRV2D, 0x0, 0x0 },
+ { Architecture::MIPS, Format::ELF, &mipsLeElfNrv2eSignaturev395, UpxStubVersion::NRV2E, 0x0, 0x0 },
 // MIPS Big-endian ELF
 { Architecture::MIPS, Format::ELF, &mipsBeElfLzmaSignature, UpxStubVersion::LZMA, 0x0, 0x0 },
 { Architecture::MIPS, Format::ELF, &mipsBeElfNrv2bSignature, UpxStubVersion::NRV2B, 0x0, 0x0 },
 { Architecture::MIPS, Format::ELF, &mipsBeElfNrv2dSignature, UpxStubVersion::NRV2D, 0x0, 0x0 },
 { Architecture::MIPS, Format::ELF, &mipsBeElfNrv2eSignature, UpxStubVersion::NRV2E, 0x0, 0x0 },
- // ARM ELF
- { Architecture::ARM, Format::ELF, &armElfLzmaSignature, UpxStubVersion::LZMA, 0x0, 0x180 },
- { Architecture::ARM, Format::ELF, &armElfNrv2bSignature, UpxStubVersion::NRV2B, 0x0, 0x120 },
- { Architecture::ARM, Format::ELF, &armElfNrv2dSignature, UpxStubVersion::NRV2D, 0x0, 0x120 },
- { Architecture::ARM, Format::ELF, &armElfNrv2eSignature, UpxStubVersion::NRV2E, 0x0, 0x120 },
+
+ { Architecture::MIPS, Format::ELF, &mipsBeElfLzmaSignaturev395, UpxStubVersion::LZMA, 0x0, 0x0 },
+ { Architecture::MIPS, Format::ELF, &mipsBeElfNrv2bSignaturev395, UpxStubVersion::NRV2B, 0x0, 0x0 },
+ { Architecture::MIPS, Format::ELF, &mipsBeElfNrv2dSignaturev395, UpxStubVersion::NRV2D, 0x0, 0x0 },
+ { Architecture::MIPS, Format::ELF, &mipsBeElfNrv2eSignaturev395, UpxStubVersion::NRV2E, 0x0, 0x0 },
+ // ARM Little-endian ELF
+ { Architecture::ARM, Format::ELF, &armElfLzmaSignature, UpxStubVersion::LZMA, 0x0, 0x180 },
+ { Architecture::ARM, Format::ELF, &armElfNrv2bSignature, UpxStubVersion::NRV2B, 0x0, 0x120 },
+ { Architecture::ARM, Format::ELF, &armElfNrv2dSignature, UpxStubVersion::NRV2D, 0x0, 0x120 },
+ { Architecture::ARM, Format::ELF, &armElfNrv2eSignature, UpxStubVersion::NRV2E, 0x0, 0x120 },
+
+ { Architecture::ARM, Format::ELF, &armElfLzmaSignaturev394, UpxStubVersion::LZMA, 0x0, 0x170 },
+ { Architecture::ARM, Format::ELF, &armElfNrv2bSignaturev394, UpxStubVersion::NRV2B, 0x0, 0x170 },
+ { Architecture::ARM, Format::ELF, &armElfNrv2dSignaturev394, UpxStubVersion::NRV2D, 0x0, 0x170 },
+ { Architecture::ARM, Format::ELF, &armElfNrv2eSignaturev394, UpxStubVersion::NRV2E, 0x0, 0x170 },
+ // ARM Big-endian ELF
+ { Architecture::ARM, Format::ELF, &armBeElfLzmaSignaturev394, UpxStubVersion::NRV2B, 0x0, 0x180 },
+ { Architecture::ARM, Format::ELF, &armBeElfNrv2bSignaturev393, UpxStubVersion::NRV2B, 0x0, 0x180 },
+ { Architecture::ARM, Format::ELF, &armBeElfNrv2dSignaturev393, UpxStubVersion::NRV2D, 0x0, 0x180 },
+ { Architecture::ARM, Format::ELF, &armBeElfNrv2eSignaturev393, UpxStubVersion::NRV2E, 0x0, 0x180 },
 // ARM Mach-O
 { Architecture::ARM, Format::MACHO, &armMachOLzmaSignature, UpxStubVersion::LZMA, 0x0, 0x0 },
 { Architecture::ARM, Format::MACHO, &armMachONrv2bSignature, UpxStubVersion::NRV2B, 0x0, 0x0 },
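Review bot: `armBeElfLzmaSignaturev394` is registered with `UpxStubVersion::NRV2B` although its name, and every other LZMA row in the table, says the stub is LZMA, so a big-endian ARM LZMA binary matched by this row would be handed to the NRV2B decompression path; the row should read `{ Architecture::ARM, Format::ELF, &armBeElfLzmaSignaturev394, UpxStubVersion::LZMA, 0x0, 0x180 },`. The new LE v394 rows use offset `0x170` where the existing LE rows use `0x180`/`0x120`, and the big-endian rows share `Architecture::ARM` and `Format::ELF` with the little-endian ones, so a comment on how endianness is resolved and what the trailing offset fields mean would help. The `allStubs` initializer begins and ends outside this hunk.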
@@ -1701,6 +2048,7 @@ std::vector UpxStubSignatures::allStubs =
 { Architecture::POWERPC,Format::ELF, &ppcElfNrv2bSignature, UpxStubVersion::NRV2B, 0x0, 0x0 },
 { Architecture::POWERPC,Format::ELF, &ppcElfNrv2dSignature, UpxStubVersion::NRV2D, 0x0, 0x0 },
 { Architecture::POWERPC,Format::ELF, &ppcElfNrv2eSignature, UpxStubVersion::NRV2E, 0x0, 0x0 },
+ { Architecture::POWERPC,Format::ELF, &ppcElfLzmaSignaturev394, UpxStubVersion::LZMA, 0x0, 0x0 },
 // Modified UPX stubs
 // psyb0t - MIPS Little-endian ELF
 { Architecture::MIPS, Format::ELF, &psyb0t_mipsLeElfNrv2bSignature, UpxStubVersion::NRV2B, 0x0, 0x0 },
diff --git a/support/yara_patterns/tools/elf/arm/packers.yara b/support/yara_patterns/tools/elf/arm/packers.yara
index e0ee0490b..7c58dfb88 100644
--- a/support/yara_patterns/tools/elf/arm/packers.yara
+++ b/support/yara_patterns/tools/elf/arm/packers.yara
@@ -176,3 +176,317 @@ rule upx_394_nrv2e
 condition:
 $1 at elf.entry_point
 }
+rule arm_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "1CC04FE2064C9CE80CB08BE00CA08AE0????9?E5????4?E0????8?E0????A?E1????8?E2????A?E3????2?E9????A?E3??"
+ strings:
+ $h00 = { 1C C0 4F E2 06 4C 9C E8 0C B0 8B E0 0C A0 8A E0 ?? ?? 9? E5 ?? ?? 4? E0 ?? ?? 8? E0 ?? ?? A? E1 ?? ?? 8? E2 ?? ?? A? E3 ?? ?? 2? E9 ?? ?? A? E3 ?? }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "E24FC01CE89C4C06E08BB00CE08AA00CE59?????E04?????E08?????E1A?????E28?????E3A?????E92?????E3A?????E5"
+ strings:
+ $h00 = { E2 4F C0 1C E8 9C 4C 06 E0 8B B0 0C E0 8A A0 0C E5 9? ?? ?? E0 4? ?? ?? E0 8? ?? ?? E1 A? ?? ?? E2 8? ?? ?? E3 A? ?? ?? E9 2? ?? ?? E3 A? ?? ?? E5 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule arm_v394
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v394"
+ source = "Made by Jan Neduchal"
+ pattern = "1CC04FE2064C9CE80200A0E10CB08BE00CA08AE0????9?E5????4?E0????A?E1????8?E0????8?E2????A?E3????2?E9??"
+ strings:
+ $h00 = { 1C C0 4F E2 06 4C 9C E8 02 00 A0 E1 0C B0 8B E0 0C A0 8A E0 ?? ?? 9? E5 ?? ?? 4? E0 ?? ?? A? E1 ?? ?? 8? E0 ?? ?? 8? E2 ?? ?? A? E3 ?? ?? 2? E9 ?? }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_v394
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v394"
+ source = "Made by Jan Neduchal"
+ pattern = "E24FC01CE89C4C06E1A00002E08BB00CE08AA00CE59?????E04?????E1A?????E08?????E28?????E3A?????E92?????E3"
+ strings:
+ $h00 = { E2 4F C0 1C E8 9C 4C 06 E1 A0 00 02 E0 8B B0 0C E0 8A A0 0C E5 9? ?? ?? E0 4? ?? ?? E1 A? ?? ?? E0 8? ?? ?? E2 8? ?? ?? E3 A? ?? ?? E9 2? ?? ?? E3 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_nrv2b_v394
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v394"
+ source = "Made by Jan Neduchal"
+ pattern = "E24FC01CE89C4C06E1A00002E08BB00CE08AA00CE59?????E04?????E1A?????E08?????E28?????E3A?????E92?????E3"
+ strings:
+ $h00 = { E2 4F C0 1C E8 9C 4C 06 E1 A0 00 02 E0 8B B0 0C E0 8A A0 0C E5 9? ?? ?? E0 4? ?? ?? E1 A? ?? ?? E0 8? ?? ?? E2 8? ?? ?? E3 A? ?? ?? E9 2? ?? ?? E3 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule arm_lzma_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "18D04DE2DF0200EB00C0DDE50E005CE37802001A0C482DE900B0D0E506CCA0E3ABB1A0E11CCBA0E10DB0A0E13ACD8CE20C"
+ strings:
+ $h00 = { 18 D0 4D E2 DF 02 00 EB 00 C0 DD E5 0E 00 5C E3 78 02 00 1A 0C 48 2D E9 00 B0 D0 E5 06 CC A0 E3 AB B1 A0 E1 1C CB A0 E1 0D B0 A0 E1 3A CD 8C E2 0C }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule arm_nrv2b_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "18D04DE29E0000EB001081E03E402DE90050E0E30241A0E31D0000EA"
+ strings:
+ $h00 = { 18 D0 4D E2 9E 00 00 EB 00 10 81 E0 3E 40 2D E9 00 50 E0 E3 02 41 A0 E3 1D 00 00 EA }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule arm_nrv2d_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "18D04DE2AD0000EBFC402DE9007081E00050E0E30241A0E3140000EA1800BDE8070040E0032042E0002084E50040A0E103"
+ strings:
+ $h00 = { 18 D0 4D E2 AD 00 00 EB FC 40 2D E9 00 70 81 E0 00 50 E0 E3 02 41 A0 E3 14 00 00 EA 18 00 BD E8 07 00 40 E0 03 20 42 E0 00 20 84 E5 00 40 A0 E1 03 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule arm_nrv2e_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "18D04DE2B20000EBFC402DE9007081E00050E0E30241A0E3140000EA1800BDE8070040E0032042E0002084E50040A0E103"
+ strings:
+ $h00 = { 18 D0 4D E2 B2 00 00 EB FC 40 2D E9 00 70 81 E0 00 50 E0 E3 02 41 A0 E3 14 00 00 EA 18 00 BD E8 07 00 40 E0 03 20 42 E0 00 20 84 E5 00 40 A0 E1 03 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_lzma_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "E24DD018EB0002D8E5DDC000E35C000E1A000274E92D480CE5D0B000E3A0CC06E1A0B1ABE1A0CB1CE1A0B00DE28CCD3AE0"
+ strings:
+ $h00 = { E2 4D D0 18 EB 00 02 D8 E5 DD C0 00 E3 5C 00 0E 1A 00 02 74 E9 2D 48 0C E5 D0 B0 00 E3 A0 CC 06 E1 A0 B1 AB E1 A0 CB 1C E1 A0 B0 0D E2 8C CD 3A E0 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_nrv2b_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "E24DD018EB000097E0811000E92D403EE3E05000E3A04102EA000019"
+ strings:
+ $h00 = { E2 4D D0 18 EB 00 00 97 E0 81 10 00 E9 2D 40 3E E3 E0 50 00 E3 A0 41 02 EA 00 00 19 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_nrv2d_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "E24DD018EB0000A6E92D40FCE0817000E3E05000E3A04102EA000010E8BD0018E0400007E0422003E5842000E1A04000E1"
+ strings:
+ $h00 = { E2 4D D0 18 EB 00 00 A6 E9 2D 40 FC E0 81 70 00 E3 E0 50 00 E3 A0 41 02 EA 00 00 10 E8 BD 00 18 E0 40 00 07 E0 42 20 03 E5 84 20 00 E1 A0 40 00 E1 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_nrv2e_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "E24DD018EB0000ABE92D40FCE0817000E3E05000E3A04102EA000010E8BD0018E0400007E0422003E5842000E1A04000E1"
+ strings:
+ $h00 = { E2 4D D0 18 EB 00 00 AB E9 2D 40 FC E0 81 70 00 E3 E0 50 00 E3 A0 41 02 EA 00 00 10 E8 BD 00 18 E0 40 00 07 E0 42 20 03 E5 84 20 00 E1 A0 40 00 E1 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule arm_lzma_v396
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v396"
+ source = "Made by Jan Neduchal"
+ pattern = "18D04DE2E60200EB00C0DDE50E005CE37802001A0C482DE900B0D0E506CCA0E3ABB1A0E11CCBA0E10DB0A0E13ACD8CE20C"
+ strings:
+ $h00 = { 18 D0 4D E2 E6 02 00 EB 00 C0 DD E5 0E 00 5C E3 78 02 00 1A 0C 48 2D E9 00 B0 D0 E5 06 CC A0 E3 AB B1 A0 E1 1C CB A0 E1 0D B0 A0 E1 3A CD 8C E2 0C }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule arm_nrv2b_v396
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v396"
+ source = "Made by Jan Neduchal"
+ pattern = "18D04DE2A50000EB001081E03E402DE90050E0E30241A0E31D0000EA"
+ strings:
+ $h00 = { 18 D0 4D E2 A5 00 00 EB 00 10 81 E0 3E 40 2D E9 00 50 E0 E3 02 41 A0 E3 1D 00 00 EA }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule arm_nrv2d_v396
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v396"
+ source = "Made by Jan Neduchal"
+ pattern = "18D04DE2B40000EBFC402DE9007081E00050E0E30241A0E3140000EA1800BDE8070040E0032042E0002084E50040A0E103"
+ strings:
+ $h00 = { 18 D0 4D E2 B4 00 00 EB FC 40 2D E9 00 70 81 E0 00 50 E0 E3 02 41 A0 E3 14 00 00 EA 18 00 BD E8 07 00 40 E0 03 20 42 E0 00 20 84 E5 00 40 A0 E1 03 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule arm_nrv2e_v396
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v396"
+ source = "Made by Jan Neduchal"
+ pattern = "18D04DE2B90000EBFC402DE9007081E00050E0E30241A0E3140000EA1800BDE8070040E0032042E0002084E50040A0E103"
+ strings:
+ $h00 = { 18 D0 4D E2 B9 00 00 EB FC 40 2D E9 00 70 81 E0 00 50 E0 E3 02 41 A0 E3 14 00 00 EA 18 00 BD E8 07 00 40 E0 03 20 42 E0 00 20 84 E5 00 40 A0 E1 03 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_lzma_v396
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v396"
+ source = "Made by Jan Neduchal"
+ pattern = "E24DD018EB0002DDE5DDC000E35C000E1A000274E92D480CE5D0B000E3A0CC06E1A0B1ABE1A0CB1CE1A0B00DE28CCD3AE0"
+ strings:
+ $h00 = { E2 4D D0 18 EB 00 02 DD E5 DD C0 00 E3 5C 00 0E 1A 00 02 74 E9 2D 48 0C E5 D0 B0 00 E3 A0 CC 06 E1 A0 B1 AB E1 A0 CB 1C E1 A0 B0 0D E2 8C CD 3A E0 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_nrv2b_v396
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v396"
+ source = "Made by Jan Neduchal"
+ pattern = "E24DD018EB00009CE0811000E92D403EE3E05000E3A04102EA000019"
+ strings:
+ $h00 = { E2 4D D0 18 EB 00 00 9C E0 81 10 00 E9 2D 40 3E E3 E0 50 00 E3 A0 41 02 EA 00 00 19 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_nrv2d_v396
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v396"
+ source = "Made by Jan Neduchal"
+ pattern = "E24DD018EB0000ABE92D40FCE0817000E3E05000E3A04102EA000010E8BD0018E0400007E0422003E5842000E1A04000E1"
+ strings:
+ $h00 = { E2 4D D0 18 EB 00 00 AB E9 2D 40 FC E0 81 70 00 E3 E0 50 00 E3 A0 41 02 EA 00 00 10 E8 BD 00 18 E0 40 00 07 E0 42 20 03 E5 84 20 00 E1 A0 40 00 E1 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule armBe_nrv2e_v396
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v396"
+ source = "Made by Jan Neduchal"
+ pattern = "E24DD018EB0000B0E92D40FCE0817000E3E05000E3A04102EA000010E8BD0018E0400007E0422003E5842000E1A04000E1"
+ strings:
+ $h00 = { E2 4D D0 18 EB 00 00 B0 E9 2D 40 FC E0 81 70 00 E3 E0 50 00 E3 A0 41 02 EA 00 00 10 E8 BD 00 18 E0 40 00 07 E0 42 20 03 E5 84 20 00 E1 A0 40 00 E1 }
+ condition:
+ $h00 at elf.entry_point
+}
+
diff --git a/support/yara_patterns/tools/elf/mips/packers.yara b/support/yara_patterns/tools/elf/mips/packers.yara
index 4f8ef7618..13da978f9 100644
--- a/support/yara_patterns/tools/elf/mips/packers.yara
+++ b/support/yara_patterns/tools/elf/mips/packers.yara
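Review bot: `armBe_v394` and `armBe_nrv2b_v394` have byte-identical `pattern` and `$h00` values, so both rules fire on the same entry point and one of them looks like a copy-paste leftover that should be dropped or given its intended bytes. `armBe_nrv2e_v395` and `armBe_nrv2d_v396` likewise share the identical string (`E2 4D D0 18 EB 00 00 AB …`) and will both match, which should be confirmed against the two stubs since their little-endian counterparts `arm_nrv2e_v395`/`arm_nrv2d_v396` do differ (`B2` vs `B4`). Four rules (`arm_v393`, `armBe_v393`, `arm_v394`, `armBe_v394`) omit the compression method that every other new rule encodes in its name, and the new `arm_<method>_<version>` scheme departs from the `upx_394_nrv2e` naming of the existing rules in this file, so consumers keying on rule names see two conventions; aligning the new names with the existing scheme would keep the file consistent.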
@@ -155,3 +155,182 @@ rule upx_39x_nrv2e_be
 condition:
 $1 at elf.entry_point
 }
+rule mipsBe_lzma_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "04??????27F70000909900002401FA0090980001332200070019C8C2032108042421F16003A1E821AFA1002827AA0020AF"
+ strings:
+ $h00 = { 04 ?? ?? ?? 27 F7 00 00 90 99 00 00 24 01 FA 00 90 98 00 01 33 22 00 07 00 19 C8 C2 03 21 08 04 24 21 F1 60 03 A1 E8 21 AF A1 00 28 27 AA 00 20 AF }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsBe_nrv2x_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "04??????27F7000027BDFFFCAFBF000000A42820ACE600003C0D800001A04821240B000104??????240F000111??????90"
+ strings:
+ $h00 = { 04 ?? ?? ?? 27 F7 00 00 27 BD FF FC AF BF 00 00 00 A4 28 20 AC E6 00 00 3C 0D 80 00 01 A0 48 21 24 0B 00 01 04 ?? ?? ?? 24 0F 00 01 11 ?? ?? ?? 90 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsLe_lzma_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "4C??????0000F7270000999000FA01240100989007002233C2C819000408210360F1212421E8A1032800A1AF2000AA272C"
+ strings:
+ $h00 = { 4C ?? ?? ?? 00 00 F7 27 00 00 99 90 00 FA 01 24 01 00 98 90 07 00 22 33 C2 C8 19 00 04 08 21 03 60 F1 21 24 21 E8 A1 03 28 00 A1 AF 20 00 AA 27 2C }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsLe_nrv2b_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "B5??????0000F727FCFFBD270000BFAF2028A4000000E6AC00800D3C2148A00101000B2438??????01000F2405??????00"
+ strings:
+ $h00 = { B5 ?? ?? ?? 00 00 F7 27 FC FF BD 27 00 00 BF AF 20 28 A4 00 00 00 E6 AC 00 80 0D 3C 21 48 A0 01 01 00 0B 24 38 ?? ?? ?? 01 00 0F 24 05 ?? ?? ?? 
00 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsLe_nrv2d_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "BC??????0000F727FCFFBD270000BFAF2028A4000000E6AC00800D3C2148A00101000B243F??????01000F2405??????00"
+ strings:
+ $h00 = { BC ?? ?? ?? 00 00 F7 27 FC FF BD 27 00 00 BF AF 20 28 A4 00 00 00 E6 AC 00 80 0D 3C 21 48 A0 01 01 00 0B 24 3F ?? ?? ?? 01 00 0F 24 05 ?? ?? ?? 00 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsLe_nrv2e_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "C0??????0000F727FCFFBD270000BFAF2028A4000000E6AC00800D3C2148A00101000B2443??????01000F2405??????00"
+ strings:
+ $h00 = { C0 ?? ?? ?? 00 00 F7 27 FC FF BD 27 00 00 BF AF 20 28 A4 00 00 00 E6 AC 00 80 0D 3C 21 48 A0 01 01 00 0B 24 43 ?? ?? ?? 01 00 0F 24 05 ?? ?? ?? 00 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsBe_lzma_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "04??????27FE0000909900002401FA0090980001332200070019C8C2032108042421F16003A1E821AFA1002827AA0020AF"
+ strings:
+ $h00 = { 04 ?? ?? ?? 27 FE 00 00 90 99 00 00 24 01 FA 00 90 98 00 01 33 22 00 07 00 19 C8 C2 03 21 08 04 24 21 F1 60 03 A1 E8 21 AF A1 00 28 27 AA 00 20 AF }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsBe_nrv2x_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "04??????27FE000027BDFFFCAFBF000000A42820ACE600003C0D800001A04821240B000104??????240F000111??????90"
+ strings:
+ $h00 = { 04 ?? ?? ?? 27 FE 00 00 27 BD FF FC AF BF 00 00 00 A4 28 20 AC E6 00 00 3C 0D 80 00 01 A0 48 21 24 0B 00 01 04 ?? ?? ?? 24 0F 00 01 11 ?? ?? ?? 
90 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsLe_lzma_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "6D??????0000FE270000999000FA01240100989007002233C2C819000408210360F1212421E8A1032800A1AF2000AA272C"
+ strings:
+ $h00 = { 6D ?? ?? ?? 00 00 FE 27 00 00 99 90 00 FA 01 24 01 00 98 90 07 00 22 33 C2 C8 19 00 04 08 21 03 60 F1 21 24 21 E8 A1 03 28 00 A1 AF 20 00 AA 27 2C }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsLe_nrv2b_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "D7??????0000FE27FCFFBD270000BFAF2028A4000000E6AC00800D3C2148A00101000B2438??????01000F2405??????00"
+ strings:
+ $h00 = { D7 ?? ?? ?? 00 00 FE 27 FC FF BD 27 00 00 BF AF 20 28 A4 00 00 00 E6 AC 00 80 0D 3C 21 48 A0 01 01 00 0B 24 38 ?? ?? ?? 01 00 0F 24 05 ?? ?? ?? 00 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsLe_nrv2d_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "DE??????0000FE27FCFFBD270000BFAF2028A4000000E6AC00800D3C2148A00101000B243F??????01000F2405??????00"
+ strings:
+ $h00 = { DE ?? ?? ?? 00 00 FE 27 FC FF BD 27 00 00 BF AF 20 28 A4 00 00 00 E6 AC 00 80 0D 3C 21 48 A0 01 01 00 0B 24 3F ?? ?? ?? 01 00 0F 24 05 ?? ?? ?? 00 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule mipsLe_nrv2e_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "E2??????0000FE27FCFFBD270000BFAF2028A4000000E6AC00800D3C2148A00101000B2443??????01000F2405??????00"
+ strings:
+ $h00 = { E2 ?? ?? ?? 00 00 FE 27 FC FF BD 27 00 00 BF AF 20 28 A4 00 00 00 E6 AC 00 80 0D 3C 21 48 A0 01 01 00 0B 24 43 ?? ?? ?? 01 00 0F 24 05 ?? ?? ?? 00 }
+ condition:
+ $h00 at elf.entry_point
+}
+
diff --git a/support/yara_patterns/tools/elf/ppc/packers.yara b/support/yara_patterns/tools/elf/ppc/packers.yara
index 2693e1904..dd33dc5c3 100644
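Review bot: Every new rule carries the same bytes twice, once as the `pattern` meta string and once as the `$h00` hex string (`mipsBe_lzma_v393` onward; the ppc, x64 and x86 hunks in this commit do the same), so an edit to one can silently leave the other stale and nothing in the file says which is authoritative. A one-line comment above the first rule such as `// pattern meta mirrors $h00 for external tooling; keep both in sync` would fix that, or `pattern` can be dropped if nothing reads it. The big-endian v393/v395 pairs (`mipsBe_lzma_*`, `mipsBe_nrv2x_*`) are told apart by a single byte, `27 F7` versus `27 FE` in the second word, so version attribution rests on one byte of evidence and a comment recording what that byte encodes would help whoever adds v396. The BE side folds nrv2b/2d/2e into one `mipsBe_nrv2x_*` rule while the LE side keeps three; presumably the method-specific branch displacement falls inside the wildcarded first word on BE, but a comment saying so would make the asymmetry intentional rather than suspicious.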
--- a/support/yara_patterns/tools/elf/ppc/packers.yara
+++ b/support/yara_patterns/tools/elf/ppc/packers.yara
@@ -124,3 +124,76 @@ rule upx_394_lzma_be
 condition:
 $1 at elf.entry_point
 }
+rule powerpc_lzma_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "48??????2807000E40??????7C0802A67CC93378810600007CA72B7838A4FFFE388300029001000888030000540BE8FE54"
+ strings:
+ $h00 = { 48 ?? ?? ?? 28 07 00 0E 40 ?? ?? ?? 7C 08 02 A6 7C C9 33 78 81 06 00 00 7C A7 2B 78 38 A4 FF FE 38 83 00 02 90 01 00 08 88 03 00 00 54 0B E8 FE 54 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule powerpc_nrv2b_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "48??????7C0029EC7DA802A62807000240??????90A600007C841A143C0080003D2080003863FFFF38A5FFFF3940FFFF48"
+ strings:
+ $h00 = { 48 ?? ?? ?? 7C 00 29 EC 7D A8 02 A6 28 07 00 02 40 ?? ?? ?? 90 A6 00 00 7C 84 1A 14 3C 00 80 00 3D 20 80 00 38 63 FF FF 38 A5 FF FF 39 40 FF FF 48 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule powerpc_nrv2d_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "48??????7C0029EC7DA802A62807000540??????90A600007C841A143C0080003D2080003863FFFF38A5FFFF3940FFFF48"
+ strings:
+ $h00 = { 48 ?? ?? ?? 7C 00 29 EC 7D A8 02 A6 28 07 00 05 40 ?? ?? ?? 90 A6 00 00 7C 84 1A 14 3C 00 80 00 3D 20 80 00 38 63 FF FF 38 A5 FF FF 39 40 FF FF 48 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule powerpc_nrv2e_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "48??????7C0029EC7DA802A62807000840??????90A600007C841A143C0080003D2080003863FFFF38A5FFFF3940FFFF48"
+ strings:
+ $h00 = { 48 ?? ?? ?? 7C 00 29 EC 7D A8 02 A6 28 07 00 08 40 ?? ?? ?? 
90 A6 00 00 7C 84 1A 14 3C 00 80 00 3D 20 80 00 38 63 FF FF 38 A5 FF FF 39 40 FF FF 48 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule powerpc_lzma_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "48??????2807000E40??????9421FFE87C0802A67CC93378810600007CA72B7838A4FFFE38830002900100088803000054"
+ strings:
+ $h00 = { 48 ?? ?? ?? 28 07 00 0E 40 ?? ?? ?? 94 21 FF E8 7C 08 02 A6 7C C9 33 78 81 06 00 00 7C A7 2B 78 38 A4 FF FE 38 83 00 02 90 01 00 08 88 03 00 00 54 }
+ condition:
+ $h00 at elf.entry_point
+}
diff --git a/support/yara_patterns/tools/elf/x64/packers.yara b/support/yara_patterns/tools/elf/x64/packers.yara
index ab2a11f76..53fe15ad2 100644
--- a/support/yara_patterns/tools/elf/x64/packers.yara
+++ b/support/yara_patterns/tools/elf/x64/packers.yara
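Review bot: The three `powerpc_nrv2*_v393` rules differ from each other in one byte only, the last byte of `28 07 00 02` / `05` / `08` (with `0E` at the same position in the two lzma rules), which looks like a `cmplwi r7,<n>` on the UPX compression-method id; a comment such as `// 28 07 00 xx = cmplwi r7,<method>: 02 nrv2b, 05 nrv2d, 08 nrv2e, 0E lzma` would make the discriminator explicit instead of leaving it to be rediscovered. The new names drop the endianness that the existing rule in the hunk context carries (`upx_394_lzma_be`) and that the sibling mips and arm files encode as `mipsBe`/`armBe`; if these stubs are big-endian only, a `_be` suffix or an endianness meta field keeps the rule set greppable. Only lzma gets a v395 rule here while v393 gets all four methods; if the v393 nrv rules are also expected to match v395 stubs, a comment saying so would stop someone adding duplicates later.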
@@ -91,3 +91,62 @@ rule upx_394_lzma_2
 condition:
 $1 at elf.entry_point
 }
+rule x64_lzma_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "E8????????555351524801FE5641??????0F85????????554889E5448B094989D04889F2488D7702568A07FFCA88C12407"
+ strings:
+ $h00 = { E8 ?? ?? ?? ?? 55 53 51 52 48 01 FE 56 41 ?? ?? ?? 0F 85 ?? ?? ?? ?? 55 48 89 E5 44 8B 09 49 89 D0 48 89 F2 48 8D 77 02 56 8A 07 FF CA 88 C1 24 07 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule x64_nrv2x_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "E8????????555351524801FE564889FE4889D731DB31C94883CDFFE8????????01DB74??F3C38B1E4883EEFC11DB8A16F3"
+ strings:
+ $h00 = { E8 ?? ?? ?? ?? 55 53 51 52 48 01 FE 56 48 89 FE 48 89 D7 31 DB 31 C9 48 83 CD FF E8 ?? ?? ?? ?? 01 DB 74 ?? F3 C3 8B 1E 48 83 EE FC 11 DB 8A 16 F3 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule x64_lzma_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "5052E8????????555351524801FE5641??????0F85????????554889E5448B094989D04889F2488D7702568A07FFCA88C1"
+ strings:
+ $h00 = { 50 52 E8 ?? ?? ?? ?? 55 53 51 52 48 01 FE 56 41 ?? ?? ?? 0F 85 ?? ?? ?? ?? 55 48 89 E5 44 8B 09 49 89 D0 48 89 F2 48 8D 77 02 56 8A 07 FF CA 88 C1 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule x64_nrv2x_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "5052E8????????555351524801FE564889FE4889D731DB31C94883CDFFE8????????01DB74??F3C38B1E4883EEFC11DB8A"
+ strings:
+ $h00 = { 50 52 E8 ?? ?? ?? ?? 55 53 51 52 48 01 FE 56 48 89 FE 48 89 D7 31 DB 31 C9 48 83 CD FF E8 ?? ?? ?? ?? 01 DB 74 ?? F3 C3 8B 1E 48 83 EE FC 11 DB 8A }
+ condition:
+ $h00 at elf.entry_point
+}
+
diff --git a/support/yara_patterns/tools/elf/x86/packers.yara b/support/yara_patterns/tools/elf/x86/packers.yara
index b17917b94..1ac25f1ca 100644
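Review bot: `x64_nrv2x_v393` and `x64_nrv2x_v395` fold nrv2b/2d/2e into a single signature, and nothing in the rule records why one pattern suffices here while the mips hunk in this commit needs three little-endian rules; the bytes after the second `E8 ?? ?? ?? ??` (`01 DB 74 ?? F3 C3 8B 1E 48 83 EE FC 11 DB 8A 16`) read as the bit-fetch loop the three methods share, so presumably the method-specific decoder lies past the matched window, and a comment such as `// nrv2b/2d/2e share this entry stub; the method-specific decoder is past the matched window` would make that intentional. The wildcards cover the two `call rel32` displacements and the `jz rel8` target (`74 ??`) in the nrv2x rules and the `41 ?? ?? ??` / `0F 85 ?? ?? ?? ??` stretch in the lzma rules; naming each wildcard run in a comment lets a maintainer judge later whether a tightening is safe. The v393/v395 pairs differ only by the leading `50 52` push prefix, which is worth stating in a comment so the next version bump is a one-line change rather than a new rule copied from scratch.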
--- a/support/yara_patterns/tools/elf/x86/packers.yara
+++ b/support/yara_patterns/tools/elf/x86/packers.yara
@@ -156,3 +156,62 @@ rule upx_39x_nrv2e_02
 condition:
 $1 at elf.entry_point
 }
+rule x86_lzma_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "E8????????EB??????????????????????????????608B7424248B7C242C83????89E58B5528AC4A88C12407C0E903BB??"
+ strings:
+ $h00 = { E8 ?? ?? ?? ?? EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 8B 74 24 24 8B 7C 24 2C 83 ?? ?? 89 E5 8B 55 28 AC 4A 88 C1 24 07 C0 E9 03 BB ?? }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule x86_nrv2x_v393
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v393"
+ source = "Made by Jan Neduchal"
+ pattern = "E8????????EB??????????????????????????????608B7424248B7C242C83????EB????????????8A064688074701DB75"
+ strings:
+ $h00 = { E8 ?? ?? ?? ?? EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 8B 74 24 24 8B 7C 24 2C 83 ?? ?? EB ?? ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule x86_lzma_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "50E8????????EB??????????????????????????????608B7424248B7C242C83????89E58B5528AC4A88C12407C0E903BB"
+ strings:
+ $h00 = { 50 E8 ?? ?? ?? ?? EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 8B 74 24 24 8B 7C 24 2C 83 ?? ?? 89 E5 8B 55 28 AC 4A 88 C1 24 07 C0 E9 03 BB }
+ condition:
+ $h00 at elf.entry_point
+}
+
+
+rule x86_nrv2x_v395
+{
+ meta:
+ tool = "P"
+ name = "UPX"
+ version = "v395"
+ source = "Made by Jan Neduchal"
+ pattern = "50E8????????EB??????????????????????????????608B7424248B7C242C83????EB??????????8A064688074701DB75"
+ strings:
+ $h00 = { 50 E8 ?? ?? ?? ?? EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 8B 74 24 24 8B 7C 24 2C 83 ?? ?? EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 }
+ condition:
+ $h00 at elf.entry_point
+}
+
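Review bot: The long `??` run after the leading `EB` in all four x86 rules wildcards roughly a third of the matched window, leaving `60 8B 74 24 24 8B 7C 24 2C` and the tail to carry the match; if those bytes are stable across the 3.93 and 3.95 builds the rules target, spelling them out would make the signatures harder to collide with non-UPX prologues that also begin `call rel32; jmp short`. `x86_nrv2x_v393` wildcards six bytes after the second `EB` (`EB ?? ?? ?? ?? ?? ?? 8A`) while `x86_nrv2x_v395` wildcards five, and nothing says whether the extra byte is a real stub difference (the one-byte `50` prefix shifting pad bytes, perhaps) or a copy slip, so one of the two rules may never match; a comment pinning the reason would settle it, for example `// six ?? here: v393 has one more pad byte after the short jump than v395` if that is indeed the cause. The `83 ?? ??` wildcard masks the ModRM and immediate of an imm8 ALU instruction; a short comment naming the instruction being skipped would let a maintainer judge whether that wildcard is still needed.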