Merge branch 'master' of https://github.com/Neo23x0/signature-base

Neo23x0 · Apr 7, 2024 · 1b9069a · 1b9069a
2 parents 68868de + 98465ec
commit 1b9069a
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/yara/gen_gobfuscate.yar b/yara/gen_gobfuscate.yar
@@ -2,14 +2,17 @@
 rule SUSP_GObfuscate_May21 {
    meta:
       description = "Identifies binaries obfuscated with gobfuscate"
-      author = "James Quinn"
+      author = "James Quinn, Paul Hager (merged with new similar pattern)"
       reference = "https://github.com/unixpickle/gobfuscate"
       date = "2021-05-14"
+      modified = "2024-04-02"
       score = 70
       id = "ae518296-b1c3-568c-bae0-3e0a6f7600ba"
    strings:
-      $s1 = { 0f b6 ?? ?? ?? 0f b6 ?? ?? ?? 31 D1 88 ?? ?? ?? 48 FF C0 48 83 f8 ?? 7c E7 48 C7 }
-      $s2 = { 0F b6 ?? ?? ?? 31 DA 88 ?? ?? ?? 40 83 ?? ?? 7D 09 0F B6 }
+      $s1 = { 0F B6 ?? ?? ?? 0F B6 ?? ?? ?? 31 D? [0-1] 88 ?? ?? ?? 48 FF C? 48 83 F? ?? 7C E6 48 }
+      // $s1a = { 0f b6 ?? ?? ?? 0f b6 ?? ?? ?? 31 d6 40 88 ?? ?? ?? 48 ff c1 48 83 f9 ?? 7c e6 48 } // new
+      // $s1b = { 0f b6 ?? ?? ?? 0f b6 ?? ?? ?? 31 d1    88 ?? ?? ?? 48 ff c0 48 83 f8 ?? 7c e7 48 c7 }
+      $s2 = { 0F B6 ?? ?? ?? 31 DA 88 ?? ?? ?? 40 83 ?? ?? 7D 09 0F B6 }
    condition:
       filesize < 50MB and any of them
 }
diff --git a/yara/gen_powershell_susp.yar b/yara/gen_powershell_susp.yar
@@ -57,7 +57,7 @@ rule Suspicious_PowerShell_WebDownload_1 : HIGHVOL FILE {
       score = 60
       reference = "Internal Research"
       date = "2017-02-22"
-      modified = "2022-07-27"
+      modified = "2024-04-03"
       nodeepdive = 1
       id = "a763fb82-c840-531b-b631-f282bf035020"
    strings:
@@ -76,6 +76,16 @@ rule Suspicious_PowerShell_WebDownload_1 : HIGHVOL FILE {
       $fp7 = "# RemoteSSHConfigurationScript" ascii /* \.vscode\extensions\ms-vscode-remote.remote-ssh */
       $fp8 = "<helpItems" ascii fullword
       $fp9 = "DownloadFile(\"https://codecov.io/bash" ascii
+      $fp10 = "DownloadFile('https://get.golang.org/installer.exe" ascii
+
+      $fpg1 = "All Rights"
+      $fpg2 = "<html"
+      $fpg3 = "<HTML"
+      $fpg4 = "Copyright"
+      $fpg5 = "License"
+      $fpg6 = "<?xml"
+      $fpg7 = "Help" fullword
+      $fpg8 = "COPYRIGHT" fullword
    condition:
       1 of ($s*) and not 1 of ($fp*)
 }