Yara rule for jjencode

Posted: June 10th, 2015 | Author: | Filed under: IT Related | 1 Comment »

I’ve recently worked on yara rule to detect jjencode. So here is my simple rule:

rule jjEncode
{
   meta:
      description = "jjencode detection"
      ref = "http://blog.xanda.org/2015/06/10/yara-rule-for-jjencode/"
      author = "adnan.shukor@gmail.com"
      date = "10-June-2015"
      version = "1"
      impact = 3
      hide = false
   strings:
      $jjencode = /(\$|[\S]+)=~\[\]\;(\$|[\S]+)\=\{[\_]{3}\:[\+]{2}(\$|[\S]+)\,[\$]{4}\:\(\!\[\]\+["]{2}\)[\S]+/ fullword 
   condition:
      $jjencode
}

See you next time 🙂


One Comment on “Yara rule for jjencode”

  1. 1 salax said at 11:19 AM on August 12th, 2015:

    nan, buat kelas sikit ajar advance yara ni


Leave a Reply