1 files changed, 2 insertions, 1 deletions

diff --git a/malwares.yara b/malwares.yara
index cd8a789..352d084 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -60,8 +60,9 @@ rule ObfuscatedPhp
         $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
+        $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
     condition:
-        IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or $weevely3)
+        IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or $weevely3 or $danone)
 }
 
 private rule base64