(YARA) YARA_Detect_Crinkler
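// The conditions in this file reference pe.entry_point, which only resolves
// when the "pe" module is imported; without this line the rules fail to compile.
import "pe"

// Entry-point stub of Crinkler v0.1/v0.2 (PEiD-derived signature; authors per rule name).
rule Crinkler_V01_V02_Rune_LHStubbe_and_Aske_Simon_Christensen: PEiD
{
    meta:
        description = "Crinkler v0.1/v0.2 entry-point stub (PEiD signature, Rune L. H. Stubbe and Aske Simon Christensen)"
    strings:
        // The ?? wildcards sit where 32-bit immediates follow B9 / 68 / BE
        // (presumably mov/push operands that vary per build).
        $a = { B9 ?? ?? ?? ?? 01 C0 68 ?? ?? ?? ?? 6A 00 58 50 6A 00 5F 48 5D BB 03 00 00 00 BE ?? ?? ?? ?? E9 }
    condition:
        // Anchored at the PE entry point; on non-PE input pe.entry_point is
        // undefined and the condition evaluates to false.
        $a at pe.entry_point
}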
// Additional (longer) entry-point signature for Crinkler v0.3/v0.4.
rule Crinkler_V03_V04_Rune_LHStubbe_and_Aske_Simon_Christensen_additional: PEiD
{
    meta:
        description = "Crinkler v0.3/v0.4 entry-point stub, extended pattern (PEiD signature)"
    strings:
        // Fully literal pattern (no wildcards); it contains the
        // E8 00 00 00 00 58 sequence (call next / pop eax) twice, which is
        // how the stub appears to obtain its own address.
        $stub = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }
    condition:
        // Requires the "pe" module to be imported at file level.
        $stub at pe.entry_point
}
// Additional entry-point signature for Crinkler v0.1/v0.2.
rule Crinkler_V01_V02_Rune_LHStubbe_and_Aske_Simon_Christensen_additional: PEiD
{
    meta:
        description = "Crinkler v0.1/v0.2 entry-point stub, alternate pattern (PEiD signature)"
    strings:
        // Starts with B8 EF BE AD DE (mov eax, 0xDEADBEEF); the two ??
        // wildcards cover a push immediate and the high byte of an absolute
        // call target that differ between builds.
        $stub = { B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF }
    condition:
        // Requires the "pe" module to be imported at file level.
        $stub at pe.entry_point
}
// Primary entry-point signature for Crinkler v0.3/v0.4.
rule Crinkler_V03_V04_Rune_LHStubbe_and_Aske_Simon_Christensen: PEiD
{
    meta:
        description = "Crinkler v0.3/v0.4 entry-point stub, short pattern (PEiD signature)"
    strings:
        // Only 10 literal bytes, so this is the least specific of the four
        // Crinkler rules; the entry-point anchor in the condition is what
        // keeps it from firing on incidental byte runs elsewhere in a file.
        $stub = { B8 00 00 42 00 31 DB 43 EB 58 }
    condition:
        // Requires the "pe" module to be imported at file level.
        $stub at pe.entry_point
}