Yara Rule - Detects suspicious XORed MSDOS stub message

Yara definition.

Author: Florian Roth

https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

```yara
// Rule name below is a placeholder: the page does not give the rule's original name.
rule XORed_MSDOS_Stub_Message
{
   meta:
      description = "Detects suspicious XORed MSDOS stub message"
      author = "Florian Roth"
      reference = "https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings"
      date = "2019-10-28"
      modified = "2023-09-04"
      score = 55

   strings:
      // The DOS stub message every PE carries, searched in ASCII and UTF-16LE form
      // with every byte XORed by one single-byte key from 0x01 to 0xff.
      $xo1 = "This program cannot be run in DOS mode" xor(0x01-0xff) ascii wide
      $xo2 = "This program must be run under Win32" xor(0x01-0xff) ascii wide

      // False-positive filters: files from these vendors legitimately contain such keyed strings.
      $fp1 = "AVAST Software" fullword wide ascii
      $fp2 = "AVG Netherlands" fullword wide ascii
      $fp3 = "AVG Technologies" ascii wide
      $fp4 = "Malicious Software Removal Tool" wide
      $fp5 = "McAfee Labs" fullword ascii wide
      $fp6 = "Kaspersky Lab" fullword ascii wide
      $fp7 = "<propertiesmap>" ascii wide /* KasperSky Lab XML profiles */

   condition:
      // The first two clauses are reconstructed from the string names; the page only shows the last two.
      1 of ($xo*)
      and not 1 of ($fp*)
      // uint16(0) is read little-endian: skip files whose first two bytes are b0 b0 or 53 59 ("SY").
      and not uint16(0) == 0xb0b0
      and not uint16(0) == 0x5953
}
```
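To show what the `xor(0x01-0xff) ascii wide` modifier actually does, here is an added pure-Python re-implementation of the rule's matching logic. It is example code written for this page, not part of the rule or of the signature-base project. It brute-forces every single-byte key against the ASCII and UTF-16LE forms of the two stub messages (keying the wide form's zero bytes too, as YARA does), applies the `$fp*` vetoes with an approximation of `fullword`, and checks the `uint16(0)` exclusions. The sample buffers are constructed, not real files, and the key values 0x5A and 0x33 are arbitrary choices for the demonstration.

```python
"""Added example, not the page's rule: Python mirror of the YARA logic above.
The sample buffers at the bottom are constructed for the demo, not real files."""
from typing import List, NamedTuple, Optional

# $xo1 / $xo2 from the rule: searched in ASCII and UTF-16LE ("wide") form, XORed with one key byte.
XO_STRINGS = [
    "This program cannot be run in DOS mode",
    "This program must be run under Win32",
]

# $fp1..$fp7 from the rule as (text, fullword, ascii, wide); any hit vetoes the match.
FP_STRINGS = [
    ("AVAST Software", True, True, True),
    ("AVG Netherlands", True, True, True),
    ("AVG Technologies", False, True, True),
    ("Malicious Software Removal Tool", False, False, True),
    ("McAfee Labs", True, True, True),
    ("Kaspersky Lab", True, True, True),
    ("<propertiesmap>", False, True, True),
]

# uint16(0) values the condition rejects (YARA reads them little-endian: bytes b0 b0 and 53 59).
EXCLUDED_MAGIC = {0xB0B0, 0x5953}


class XorHit(NamedTuple):
    text: str
    key: int      # the single XOR key byte that recovers the plaintext
    offset: int
    wide: bool


def _encode(text: str, wide: bool) -> bytes:
    return text.encode("utf-16-le") if wide else text.encode("ascii")


def _is_fullword(data: bytes, start: int, end: int, wide: bool) -> bool:
    """Approximates YARA 'fullword': no ASCII alphanumeric directly before or after the match."""
    step = 2 if wide else 1
    before = data[start - step:start] if start >= step else b""
    after = data[end:end + step]

    def alnum(chunk: bytes) -> bool:
        if len(chunk) != step:
            return False
        if wide and chunk[1] != 0:   # not a basic-Latin wide character
            return False
        return bytes([chunk[0]]).isalnum()

    return not alnum(before) and not alnum(after)


def find_xored(data: bytes, text: str, keys=range(0x01, 0x100)) -> List[XorHit]:
    """Mirror of 'xor(0x01-0xff) ascii wide': try every key byte against both encodings."""
    hits: List[XorHit] = []
    for wide in (False, True):
        plain = _encode(text, wide)
        for key in keys:
            keyed = bytes(b ^ key for b in plain)   # wide strings get their 0x00 bytes keyed too
            pos = data.find(keyed)
            while pos != -1:
                hits.append(XorHit(text, key, pos, wide))
                pos = data.find(keyed, pos + 1)
    return hits


def has_fp_string(data: bytes) -> bool:
    """True if any $fp* string is present with its modifiers honoured."""
    for text, fullword, use_ascii, use_wide in FP_STRINGS:
        for wide, enabled in ((False, use_ascii), (True, use_wide)):
            if not enabled:
                continue
            needle = _encode(text, wide)
            pos = data.find(needle)
            while pos != -1:
                if not fullword or _is_fullword(data, pos, pos + len(needle), wide):
                    return True
                pos = data.find(needle, pos + 1)
    return False


def evaluate(data: bytes) -> Optional[List[XorHit]]:
    """The rule's condition: return the XOR hits (with recovered keys) when it matches, else None."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") in EXCLUDED_MAGIC:
        return None
    hits = [h for text in XO_STRINGS for h in find_xored(data, text)]
    if not hits or has_fp_string(data):
        return None
    return hits


def _xor(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


# Constructed samples: a 64-byte fake MZ header region followed by a stub message.
_HEADER = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_XORED = _HEADER + _xor(b"This program cannot be run in DOS mode.\r\n", 0x5A)
SAMPLE_PLAIN = _HEADER + b"This program cannot be run in DOS mode.\r\n"   # ordinary file: no hit
SAMPLE_AV = SAMPLE_XORED + b"\x00Kaspersky Lab\x00"                       # vetoed by $fp6
SAMPLE_WIDE = b"MZ" + _xor("This program must be run under Win32".encode("utf-16-le"), 0x33)
```

`evaluate(SAMPLE_XORED)` reports one ASCII hit at offset 64 with key 0x5A, which is the value an analyst would feed back to decode the rest of the keyed region; the plain stub, the buffer carrying a vendor string, and a buffer starting with `b0 b0` all return `None`, matching the rule's condition. The 255-key brute force is cheap here because each keyed needle is a plain `bytes.find`; YARA does the same expansion at compile time.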


[https://github.com/Neo23x0/signature-base/commit/9b106026d207d0557d9f86335cb0a593b7a55640](https://github.com/Neo23x0/signature-base/commit/9b106026d207d0557d9f86335cb0a593b7a55640)