Fix #11

This is a bit hackish, but I can't manage to find a more elegant way to do it.
author: jvoisin 2015-10-15 16:00:05 +0200
committer: jvoisin 2015-10-15 16:00:05 +0200
commit: 0e7023de422ee667ad1ab9bb878658efb8840fb8 (patch)
tree: 2e235aab46415200607caed2b43fbb2bcb58b1ff
parent: 2773cdee68438a943765d02471d452449567fd40 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/malwares.yara b/malwares.yara
index 1263b39..c901d06 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -85,6 +85,7 @@ private rule hex
      $exec = "\\x65\\x78\\x65\\x63" nocase
      $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
      $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
+      $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
    
    condition:
        any of them
author	jvoisin	2015-10-15 16:00:05 +0200
committer	jvoisin	2015-10-15 16:00:05 +0200
commit	0e7023de422ee667ad1ab9bb878658efb8840fb8 (patch)
tree	2e235aab46415200607caed2b43fbb2bcb58b1ff
parent	2773cdee68438a943765d02471d452449567fd40 (diff)

diff --git a/malwares.yara b/malwares.yara index 1263b39..c901d06 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -85,6 +85,7 @@ private rule hex
85	$exec = "\\x65\\x78\\x65\\x63" nocase	85	$exec = "\\x65\\x78\\x65\\x63" nocase
86	$system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase	86	$system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
87	$preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase	87	$preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
		88	$http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
88		89
89	condition:	90	condition:
90	any of them	91	any of them