Yara rule for jjencode
Posted: June 10th, 2015 | Author: xanda | Filed under: IT Related

I've recently worked on a YARA rule to detect jjencode. So here is my simple rule:
rule jjEncode
{
    meta:
        description = "jjencode detection"
        ref = "https://blog.xanda.org/2015/06/10/yara-rule-for-jjencode/"
        author = "adnan.shukor@gmail.com"
        date = "10-June-2015"
        version = "1"
        impact = 3
        hide = false
    strings:
        $jjencode = /(\$|[\S]+)=~\[\]\;(\$|[\S]+)\=\{[\_]{3}\:[\+]{2}(\$|[\S]+)\,[\$]{4}\:\(\!\[\]\+["]{2}\)[\S]+/ fullword
    condition:
        $jjencode
}
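To see what the pattern matches before deploying the rule, the added example below (not the author's code) runs the same regular expression through Python's `re` module over constructed inputs. The `fullword` modifier is not emulated, the sample strings are shortened stand-ins for a jjencode header, and the `consistent` flag is an extra triage check that the rule itself does not perform.

```python
import re

# Regex copied verbatim from the $jjencode string of the rule above.
# YARA's `fullword` modifier is NOT emulated; only the pattern is tested.
JJENCODE_RE = re.compile(
    r'(\$|[\S]+)=~\[\]\;(\$|[\S]+)\=\{[\_]{3}\:[\+]{2}(\$|[\S]+)\,'
    r'[\$]{4}\:\(\!\[\]\+["]{2}\)[\S]+'
)


def jjencode_prefix(var):
    """Constructed sample: shortened opening statements of jjencode output
    for the global variable name `var` (the real header has more keys)."""
    return f'{var}=~[];{var}={{___:++{var},$$$$:(![]+"")[{var}],__$:++{var}}};'


def scan(text):
    """Return (variable, consistent) for every place the pattern matches.

    variable   -- third capture, the identifier between '++' and ',$$$$:'
    consistent -- True when all three captures name the same identifier.
                  The first capture can carry leading non-whitespace text
                  (for example '<script>'), so it is compared by suffix.
    """
    hits = []
    for m in JJENCODE_RE.finditer(text):
        first, second, third = m.groups()
        consistent = second == third and first.endswith(second)
        hits.append((third, consistent))
    return hits


if __name__ == "__main__":
    samples = {
        "default variable": jjencode_prefix("$"),
        "custom variable in HTML": "<script>" + jjencode_prefix("xanda") + "</script>",
        "ordinary JavaScript": "var mask=~flags; var o={___:1};",
        # Matches the pattern although the identifiers differ: a review candidate.
        "mismatched identifiers": 'a=~[];b={___:++c,$$$$:(![]+"")[c]};',
    }
    for label, text in samples.items():
        print(f"{label}: {scan(text)}")
```

A hit with `consistent` set to `False` still satisfies the pattern, so it is worth a manual look before being treated as jjencode.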
See you next time 🙂
Nan, run a little class to teach this advanced YARA.