Yara Rule - Detects binaries signed with a potentially compromised signing certificate of AnyDesk (philandro Software GmbH, 0DBF152DEAF0B981A8A938D53F769DB8; permissive version)
Yara definition.
Author: Florian Roth
https://download.anydesk.com/changelog.txt
```
date = "2024-02-02"
score = 75
$a1 = "AnyDesk Software GmbH" wide
pe.signatures[i].serial == "0d:bf:15:2d:ea:f0:b9:81:a8:a9:38:d5:3f:76:9d:b8"

date = "2024-02-02"
score = 65
$sc1 = { 0D BF 15 2D EA F0 B9 81 A8 A9 38 D5 3F 76 9D B8 }
$s2 = "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
$f1 = "AnyDesk Software GmbH" wide
uint16(0) == 0x5a4d
```
[https://github.com/Neo23x0/signature-base/commit/9804d8e9ea7ea9056dd5fe26e4d4f784d71645ec](https://github.com/Neo23x0/signature-base/commit/9804d8e9ea7ea9056dd5fe26e4d4f784d71645ec)