Yara Rule - Detects Queue files used by Snake malware

Yara definition.

Author: Florian Roth

https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF

```yara
// Fragment of the first rule (score 75): a PE file (uint16(0) == 0x5a4d) named
// WerFault.exe that carries an icon resource of one of three fixed sizes.
// "filename" is an external variable supplied by the scanner (e.g. yara -d filename=...),
// not a built-in YARA identifier.
date = "2023-05-10"
score = 75
uint16(0) == 0x5a4d
filename == "WerFault.exe"
or filename == "werfault.exe"
rsrc.type == pe.RESOURCE_TYPE_ICON and (
rsrc.length == 3240 or
rsrc.length == 1384 or
rsrc.length == 7336

// Fragment of the second rule (score 80): the whole-file entropy check is
// commented out in favour of the entropy of the first 1024 bytes.
date = "2023-05-10"
score = 80
//and math.entropy(0, filesize) >= 7.0
and math.entropy(0, 1024) >= 7.0
```
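The two primitives the fragment relies on, `uint16(0) == 0x5a4d` and `math.entropy(offset, size)`, can be reproduced in plain Python to see why the author kept the 1024-byte window rather than the commented-out whole-file entropy. The following is an added example, not code from the page or from the signature-base project; the function names and the sample buffers are constructed here, and the buffers are not real Snake artifacts.

```python
"""Added example: reproduce the checks from the YARA fragment above in Python.
Function names and sample buffers are constructed for illustration only."""
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # threshold used in the rule fragment
WINDOW = 1024             # math.entropy(0, 1024): first 1 KiB only


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 .. 8.0), the quantity YARA's math module
    reports for math.entropy(offset, size)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def yara_entropy(data: bytes, offset: int, size: int) -> float:
    """math.entropy(offset, size) semantics: the slice [offset, offset+size)
    clipped at end of buffer. YARA leaves an out-of-range slice undefined;
    here an empty slice yields 0.0 so the >= comparison is simply false."""
    return shannon_entropy(data[offset:offset + size])


def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: little-endian 'MZ' at offset 0."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def high_entropy_head(data: bytes) -> bool:
    """The condition kept in the rule: entropy of the first 1024 bytes."""
    return yara_entropy(data, 0, WINDOW) >= ENTROPY_THRESHOLD


def high_entropy_whole(data: bytes) -> bool:
    """The variant the author commented out: entropy over the whole file."""
    return yara_entropy(data, 0, len(data)) >= ENTROPY_THRESHOLD


# --- constructed samples (not real malware artifacts) -----------------------
# 1 KiB in which every byte value occurs exactly four times: entropy is 8.0.
UNIFORM_1K = bytes(range(256)) * 4
# 4 KiB file: high-entropy first KiB followed by zero padding. Whole-file
# entropy collapses to roughly 2.8 bits, the 1 KiB window still reads 8.0.
PADDED = UNIFORM_1K + b"\x00" * 3072
# Plain text: far below the threshold on either measure.
TEXT = (b"The queue file is written by the implant and read back later. " * 40)[:WINDOW]
# Minimal PE-looking header for the uint16(0) check.
MZ_HEADER = b"MZ" + b"\x90" * 62


if __name__ == "__main__":
    for name, buf in (("UNIFORM_1K", UNIFORM_1K), ("PADDED", PADDED), ("TEXT", TEXT)):
        print(f"{name:11s} head={yara_entropy(buf, 0, WINDOW):.3f} "
              f"whole={yara_entropy(buf, 0, len(buf)):.3f} "
              f"hit(head)={high_entropy_head(buf)} hit(whole)={high_entropy_whole(buf)}")
    print("MZ check:", is_mz(MZ_HEADER), is_mz(TEXT))
```

The `PADDED` sample is the case that separates the two conditions: an encrypted blob followed by a large run of padding passes the windowed check but fails the whole-file one, which is the usual reason a rule author scopes entropy to a fixed prefix. Note that `filename` in the first fragment is not reproduced here; it is an external variable the scanner must define (`yara -d filename=...`), so the rule does not compile without it.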


[https://github.com/Neo23x0/signature-base/commit/4749de7c39806c150d432e9fc4f2c25a4323e870](https://github.com/Neo23x0/signature-base/commit/4749de7c39806c150d432e9fc4f2c25a4323e870)