zipExec_crypter.yar
rule zipExec : WindowsMalware {
    meta:
        description = "Detects zipExec Golang Loader/Crypter"
        author = "Marius 'f0wL' Genheimer <[email protected]>"
        reference = "https://github.com/Tylous/ZipExec"
        date = "2021-10-29"
        tlp = "WHITE"

    strings:
        // ASCII "UEsDBBQACQAIAA", the base64 form of 50 4B 03 04 14 00 09 00 08 00:
        // a ZIP local-file-header signature ("PK\x03\x04"), version 2.0, general-purpose
        // flags 0x0009 (bit 0 = encrypted, bit 3 = data descriptor) and method 8 (deflate).
        // This is the start of the base64-encoded, password-protected zip carried by the loader.
        $zipEnc = { 55 45 73 44 42 42 51 41 43 51 41 49 41 41 }

        // ShellExecute of cmdkey with a Microsoft_Windows_Shell_ZipFolder generic credential target
        $js_cmdkey = "ShellExecute('cmdkey', '/generic:Microsoft_Windows_Shell_ZipFolder:filename=" ascii

        // Domain-membership query via GetSystemInformation
        $js_domain = "GetSystemInformation(\"IsOS_DomainMember\");" ascii

        // FileSystemObject.GetSpecialFolder(2), i.e. the TemporaryFolder constant
        $js_tmp = "GetSpecialFolder(2);" ascii

        // "Wscript.shell" ActiveX object assembled from two concatenated fragments
        $js_wsh = "new ActiveXObject(\"Wscri\"+\"pt.shell\");" ascii

        // Explorer HideFileExt value path as it appears inside a JScript string:
        // each \\\\ here matches the two literal backslashes of the script's escaped path
        $js_hidefileext = "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt" ascii

        // Standard base64 alphabet plus the padding character. This also occurs in
        // benign base64 helpers, so on its own it only contributes to the "5 of" count.
        $js_b64_alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" ascii

    condition:
        // uint16 is read little-endian: the file must begin with the bytes 0x0A 0x09 (LF, TAB)
        uint16(0) == 0x090a
        // generous cap because Golang-built samples are large
        and filesize < 10MB
        // the embedded zip header is mandatory; four more of the remaining strings must also hit
        and $zipEnc
        and 5 of ($*)
}