-
Notifications
You must be signed in to change notification settings - Fork 13
/
AlienSpy.yar
46 lines (35 loc) · 1.14 KB
/
AlienSpy.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
rule AlienSpy
{
meta:
author = "Kevin Breen"
ref = "http://malwareconfig.com/stats/AlienSpy"
maltype = "Remote Access Trojan"
filetype = "jar"
strings:
$PK = "PK"
$MF = "META-INF/MANIFEST.MF"
$a1 = "a.txt"
$a2 = "b.txt"
$a3 = "Main.class"
$b1 = "ID"
$b2 = "Main.class"
$b3 = "plugins/Server.class"
$c1 = "resource/password.txt"
$c2 = "resource/server.dll"
$d1 = "java/stubcito.opp"
$d2 = "java/textito.isn"
$e1 = "java/textito.text"
$e2 = "java/resources.xsx"
$f1 = "amarillo/asdasd.asd"
$f2 = "amarillo/adqwdqwd.asdwf"
$g1 = "config/config.perl"
$g2 = "main/Start.class"
$o1 = "config/config.ini"
$o2 = "windows/windows.ini"
$o3 = "components/linux.plsk"
$o4 = "components/manifest.ini"
$o5 = "components/mac.hwid"
condition:
$PK at 0 and $MF and
(all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*) or all of ($e*) or all of ($f*) or all of ($g*) or any of ($o*))
}