From dfe0fa93925d08fbede127796f7d7793dc04485b Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Tue, 21 Feb 2017 17:24:37 +0100
Subject: Add another simple hex-string pattern
---
php-malware-finder/common.yar | 1 +
1 file changed, 1 insertion(+)
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index bde83c7..184e5ce 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -51,6 +51,7 @@ private rule hex
 $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
 $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
 $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
+ $base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase
 condition:
 any of them
--
cgit v1.3
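Review bot: The added `$base64_decode` string decodes to `ase64_decode(gzinflate(`, with no leading `\\x62` for the `b`, so the identifier promises more than the pattern matches. It fires only on the fully hex-escaped, chained `…ase64_decode(gzinflate(` form, not on a hex-escaped `base64_decode` used alone. If dropping the `b` is deliberate (for example because the sample that motivated the rule wrote that character differently), a comment above the line would spare the next maintainer from "fixing" it, e.g. `// hex for "ase64_decode(gzinflate(" - leading "b" intentionally omitted`. If it is not deliberate, consider renaming the string to `$base64_decode_gzinflate`. A separate shorter string for the hex-escaped function name alone would widen coverage, but its false-positive cost should be checked against the project's whitelist samples first. The body of `rule hex` starts and ends outside this hunk, so the other strings and the closing brace were not reviewed.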