Common Information
| Type | Value |
|---|---|
| Value |
rule M_Hunting_Embedded_Chromium_CRX_1 {
meta:
author = "Mandiant"
md5 = "f1c21a69ed9f85e12d58ef0f5ac5c9b1"
description = "Hunting for non-CRX files with extension equities"
strings:
$a1 = "_metadata"
$a2 = "manifest.json"
$a3 = "verified_contents.json"
$s1 = "_locales"
$s2 = "messages.json"
$f = /[a-z0-9A-Z_-]+\.(html|htm|css|js)/
$pk = { 50 4B 03 04 }
condition:
(((uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f) or (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcafebabf or uint32(0) == 0xbfbafeca)) and (((2 of ($a*)) and $f) or ((1 of ($a*)) and ($f or (1 of ($s*))))) and $pk and (#pk > 1) and (for any i in (1 .. #pk) : ( $a2 at @pk[i] + 30 )) and (for any j in (1 .. #pk) : ( $f at @pk[j] + 30 ))
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |