From 1c1ff0640d0353143d1483d47099efde0572cca1 Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Sat, 30 Mar 2024 12:32:01 +0100
Subject: [PATCH 1/2] Update bkdr_xz_util_cve_2024_3094.yar fix shifted hex
---
 yara/bkdr_xz_util_cve_2024_3094.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yara/bkdr_xz_util_cve_2024_3094.yar b/yara/bkdr_xz_util_cve_2024_3094.yar
index 010c535b..45241585 100644
--- a/yara/bkdr_xz_util_cve_2024_3094.yar
+++ b/yara/bkdr_xz_util_cve_2024_3094.yar
@@ -32,7 +32,7 @@ rule BKDR_XZUtil_Binary_CVE_2024_3094_Mar24_1 {
 $op3 = { 4d 8b 6c 24 08 45 8b 3c 24 4c 8b 63 10 89 85 78 f1 ff ff 31 c0 83 bd 78 f1 ff ff 00 f3 ab 79 07 }
 /* function signature from detect.sh provided by Vegard Nossum */
- $xc1 = { 30 F1 EF A5 54 88 9F 54 C8 9C E5 38 9F B8 1E 70 00 00 08 04 88 3E C2 84 88 95 42 41 84 88 94 C2 41 00 }
+ $xc1 = { F3 0F 1E FA 55 48 89 F5 4C 89 CE 53 89 FB 81 E7 00 00 00 80 48 83 EC 28 48 89 54 24 18 48 89 4C 24 10 }
 condition:
 uint16(0) == 0x457f and all of ($op*)
From bf8b00df32c6f1d1af9cb41ce2a99be9cc7ecbe5 Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Sat, 30 Mar 2024 12:41:13 +0100
Subject: [PATCH 2/2] Update bkdr_xz_util_cve_2024_3094.yar add 2 more hashes
---
 yara/bkdr_xz_util_cve_2024_3094.yar | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yara/bkdr_xz_util_cve_2024_3094.yar b/yara/bkdr_xz_util_cve_2024_3094.yar
index 45241585..fd7eeba0 100644
--- a/yara/bkdr_xz_util_cve_2024_3094.yar
+++ b/yara/bkdr_xz_util_cve_2024_3094.yar
@@ -6,6 +6,7 @@ rule BKDR_XZUtil_Script_CVE_2024_3094_Mar24_1 {
 reference = "https://www.openwall.com/lists/oss-security/2024/03/29/4"
 date = "2024-03-30"
 score = 80
+ hash = "d44d0425769fa2e0b6875e5ca25d45b251bbe98870c6b9bef34f7cea9f84c9c3"
 strings:
 $x1 = "/bad-3-corrupt_lzma2.xz | tr " ascii
 $x2 = "/tests/files/good-large_compressed.lzma|eval $i|tail -c +31265|" ascii
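Review bot: The corrected `$xc1` is a 34-byte x86-64 function prologue with no wildcards (it starts with `F3 0F 1E FA`, i.e. endbr64, followed by push/mov/sub rsp and two stack stores), so it is bound to the exact toolchain and CET settings of the build the detect.sh signature was taken from; other distro builds or non-x86-64 packages of the same backdoored liblzma may not contain these bytes. The existing `$op1`/`$op2` already wildcard their relative call offsets with `??`, so this limitation should at least be stated in the comment, e.g. `/* exact x86-64 prologue (endbr64 ...) from detect.sh by Vegard Nossum - build-specific, no wildcards; other builds/arches may not match */`. Separately, the condition visible in the hunk, `uint16(0) == 0x457f and all of ($op*)`, does not reference `$xc1`, and YARA refuses to compile a rule with an unreferenced string, so presumably the condition continues beyond the hunk (e.g. `or $xc1`); please confirm the rule compiles and that the new bytes actually hit a known backdoored liblzma 5.6.x sample before merge. The rule body continues past the end of the hunk.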
@@ -26,6 +27,7 @@ rule BKDR_XZUtil_Binary_CVE_2024_3094_Mar24_1 {
 hash3 = "8fa641c454c3e0f76de73b7cc3446096b9c8b9d33d406d38b8ac76090b0344fd"
 hash4 = "b418bfd34aa246b2e7b5cb5d263a640e5d080810f767370c4d2c24662a274963"
 hash5 = "cbeef92e67bf41ca9c015557d81f39adaba67ca9fb3574139754999030b83537"
+ hash6 = "5448850cdc3a7ae41ff53b433c2adbd0ff492515012412ee63a40d2685db3049"
 strings:
 $op1 = { 48 8d 7c 24 08 f3 ab 48 8d 44 24 08 48 89 d1 4c 89 c7 48 89 c2 e8 ?? ?? ?? ?? 89 c2 }
 $op2 = { 31 c0 49 89 ff b9 16 00 00 00 4d 89 c5 48 8d 7c 24 48 4d 89 ce f3 ab 48 8d 44 24 48 }
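Review bot: The new `hash6` entry, like `hash3`-`hash5` above it, is a bare SHA-256 with no indication of which artefact it belongs to (source tarball, a particular distro's liblzma.so build, architecture), which makes it hard to later re-verify that the `$op*` patterns still match each listed sample. A short trailing comment per hash would fix that, e.g. `hash6 = "5448850cdc3a7ae41ff53b433c2adbd0ff492515012412ee63a40d2685db3049" /* which package/build and arch */`. The rest of the rule's meta block and its condition are outside this hunk.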