Common Information
| Type | Value |
|---|---|
| Value |
rule apt_NK_Lazarus_SKOlympics_EPS {
meta:
author = "JAG-S, Insikt Group, RF"
desc = "CN terms in PostScript loader"
TLP = "Green"
version = "1.0"
md5 = "231fe349faa7342f33402c562f93a270"
strings:
$eps_strings1 = "/yinzi { token pop exch pop } bind def" ascii wide
$eps_strings2 = "/yaoshi <A3E6E7BB> def" ascii wide
$eps_strings8 = /\/yaoshi <[A-F0-9]{8}> def/ ascii wide
$eps_strings3 = "/yima{" ascii wide
$eps_strings4 = "/funcA exch def" ascii wide
$eps_strings5 = "0 1 funcA length 1 sub {" ascii wide
$eps_strings6 = "/funcB exch def" ascii wide
$eps_strings7 = "funcA funcB 2 copy get yaoshi funcB 4 mod get xor put" ascii wide
condition:
6 of them
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |