Xanda's Blog !~!

Yara rule for jjencode

Jun 10
I’ve recently worked on a YARA rule to detect jjencode. So here is my simple rule:

rule jjEncode
{
   meta:
      description = "jjencode detection"
      ref = "http://blog.xanda.org/2015/06/10/yara-rule-for-jjencode/"
      author = "adnan.shukor@gmail.com"
      date = "10-June-2015"
      version = "1"
      impact = 3
      hide = false
   strings:
      // jjencode output always opens with "<name>=~[];<name>={___:++<name>,$$$$:(![]+"")...",
      // where <name> is the global variable (default "$"); the regex keys on that preamble
      $jjencode = /(\$|[\S]+)=~\[\]\;(\$|[\S]+)\=\{[\_]{3}\:[\+]{2}(\$|[\S]+)\,[\$]{4}\:\(\!\[\]\+["]{2}\)[\S]+/ fullword
   condition:
      $jjencode
}
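As an added example (not part of the original post), here is a Python script that applies the same regular expression to constructed samples, so the match logic can be checked without a YARA binary. jjencode (Yosuke Hasegawa's encoder) rewrites JavaScript into symbol-only characters and always starts its output with the same preamble, `$=~[];$={___:++$,$$$$:(![]+"")[$],...`, which is what the rule keys on. The regex is transcribed into Python's `re` syntax with YARA's redundant escapes removed; all samples are constructed, the variable name `Xanda` is an arbitrary choice, and YARA's `fullword` modifier is not reproduced.

```python
import re

# Transcription of the $jjencode regex from the YARA rule above into Python
# re syntax (redundant escapes such as \; \= \: \, dropped; same matches).
JJENCODE_RE = re.compile(
    r'(\$|\S+)=~\[\];'                 # <name>=~[];      -> <name> starts at -1
    r'(\$|\S+)=\{_{3}:\+{2}(\$|\S+),'  # <name>={___:++<name>,
    r'\${4}:\(!\[\]\+"{2}\)'           # $$$$:(![]+"")    -> the string "false"
    r'\S+'                             # remainder of the preamble, up to whitespace
)


def is_jjencode(text: str) -> bool:
    """True if the jjencode preamble occurs anywhere in text (the rule's condition)."""
    return JJENCODE_RE.search(text) is not None


def find_preamble(text: str):
    """Return the matched preamble (what YARA would report as the string hit), or None."""
    match = JJENCODE_RE.search(text)
    return match.group(0) if match else None


# Constructed sample: the start of jjencode output with its default "$" global name.
SAMPLE_DEFAULT = (
    '$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,'
    '$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,'
    '$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};'
)

# Constructed sample: jjencode lets the global variable be renamed; the (\$|\S+)
# groups in the rule accept any non-whitespace name ("Xanda" is an arbitrary pick).
SAMPLE_CUSTOM_NAME = 'Xanda=~[];Xanda={___:++Xanda,$$$$:(![]+"")[Xanda],__$:++Xanda};'

# Constructed sample: the preamble embedded in an HTML page.
SAMPLE_IN_HTML = (
    '<html><body>\n'
    '<script type="text/javascript">\n'
    '$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$};\n'
    '</script>\n'
    '</body></html>\n'
)

# Constructed sample: ordinary JavaScript that uses "$" and "[]" but has no preamble.
BENIGN_JS = 'var $ = []; $ = {a: 1, b: (![] + "")}; console.log($.b);'


if __name__ == '__main__':
    for label, sample in [('default', SAMPLE_DEFAULT), ('custom name', SAMPLE_CUSTOM_NAME),
                          ('in html', SAMPLE_IN_HTML), ('benign', BENIGN_JS)]:
        print(f'{label:12s} -> {is_jjencode(sample)}')
```

Running it reports True for the three jjencode samples and False for the plain script. Because the regex requires the preamble exactly as jjencode emits it (statements separated only by `;`, no whitespace in between), the rule is a signature for the tool's unmodified output; matching reformatted copies would need a looser pattern, at the cost of more false positives.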

See you next time 🙂

One Response to Yara rule for jjencode

  1. Nan, do a little class and teach this advanced YARA stuff.
