Here are some YARA rules I developed.
The maldoc rules were derived from Frank Boldewin’s shellcode signatures used in OfficeMalScanner.
The JPEG Exif eval() rule is explained here.
The PEiD signatures converted to YARA rules are explained here.
yara-rules-V0.0.8.zip (https)
MD5: 83D10B0A18D3F8E2C744B8FEA10F5E67
SHA256: 2D47165757F909440F6D1A95FF5C0EA1355B355AE7475D2A0CF821D3B9A6235A
[…] You can find all my YARA rules here: YARA Rules. […]
Pingback by YARA Rule: Detecting JPEG Exif With eval() | Didier Stevens — Tuesday 20 January 2015 @ 20:39
[…] Download my YARA Rules. […]
Pingback by Converting PEiD Signatures To YARA Rules | Didier Stevens — Thursday 22 January 2015 @ 0:57
rule contains_VBE_variant_3
{
    meta:
        reference = "https://blog.didierstevens.com/2016/03/22/yara-rule-to-detect-vbe-scripts/ and https://gallery.technet.microsoft.com/Encode-and-Decode-a-VB-a480d74c and http://www.interclasse.com/scripts/decovbe.php and https://blog.didierstevens.com/2016/04/18/update-decode-vbe-py-version-0-0-2/"
        author = "Drew Hunt"
        version = 1
        description = "Specific match VBE encoded VBS markers of samples observed. Didier's original worked for specific short samples. '.+' regex glob is not reliable for larger scripts."
        date = "2016-04-25"
    strings:
        // "#@~^" followed by 6 wildcard bytes and "==" (VBE header marker)
        $vbe_start = { 23 40 7E 5E [6] 3D 3D }
        // "==^#~@" (VBE trailer marker)
        $vbe_end = { 3D 3D 5E 23 7E 40 }
    condition:
        // both markers must be present, and the header must precede the trailer
        $vbe_start and $vbe_end and @vbe_start < @vbe_end
}
Comment by Anonymous — Monday 25 April 2016 @ 21:11