/
RANSOM_coronavirus.yar
80 lines (58 loc) · 16 KB
/
RANSOM_coronavirus.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
rule installer_coronavirus {
meta:
description = "Rule to detect the Corona Virus Installer"
author = "Marc Rivero | McAfee ATR Team"
date = "2020-03-25"
rule_version = "v1"
malware_type = "ransomware"
malware_family = "Ransom:W32/CoronaVirus"
actor_type = "Cybercrime"
actor_group = "Unknown"
reference = "https://twitter.com/malwrhunterteam/status/1238056503493505024"
hash = "5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed"
strings:
//achellies@hotmail.com
$s1 = { 61 63 68 65 6C 6C 69 65 73 40 68 6F 74 6D 61 69 6C 2E 63 6F 6D }
//tojen.me@gmail.com
$s2 = { 74 6F 6A 65 6E 2E 6D 65 40 67 6D 61 69 6C 2E 63 6F 6D }
//wangchyz@gmail.com
$s4 = { 77 61 6E 67 63 68 79 7A 40 67 6D 61 69 6C 2E 63 6F 6D }
//Todos los tipos de imagen|*.bmp;*.cur;*.dib;*.emf;*.ico;*.wmf|Mapas de bits (*.bmp;*.dib)|*.bmp;*.dib|Iconos/cursores (*.ico;*.cur)|*.ico;*.cur|Metaarchivos (*.wmf;*.emf)|*.wmf;*.emf|Todos los archivos (*.*)|*.*||
$s5 = { 54 00 6F 00 64 00 6F 00 73 00 20 00 6C 00 6F 00 73 00 20 00 74 00 69 00 70 00 6F 00 73 00 20 00 64 00 65 00 20 00 69 00 6D 00 61 00 67 00 65 00 6E 00 7C 00 2A 00 2E 00 62 00 6D 00 70 00 3B 00 2A 00 2E 00 63 00 75 00 72 00 3B 00 2A 00 2E 00 64 00 69 00 62 00 3B 00 2A 00 2E 00 65 00 6D 00 66 00 3B 00 2A 00 2E 00 69 00 63 00 6F 00 3B 00 2A 00 2E 00 77 00 6D 00 66 00 7C 00 4D 00 61 00 70 00 61 00 73 00 20 00 64 00 65 00 20 00 62 00 69 00 74 00 73 00 20 00 28 00 2A 00 2E 00 62 00 6D 00 70 00 3B 00 2A 00 2E 00 64 00 69 00 62 00 29 00 7C 00 2A 00 2E 00 62 00 6D 00 70 00 3B 00 2A 00 2E 00 64 00 69 00 62 00 7C 00 49 00 63 00 6F 00 6E 00 6F 00 73 00 2F 00 63 00 75 00 72 00 73 00 6F 00 72 00 65 00 73 00 20 00 28 00 2A 00 2E 00 69 00 63 00 6F 00 3B 00 2A 00 2E 00 63 00 75 00 72 00 29 00 7C 00 2A 00 2E 00 69 00 63 00 6F 00 3B 00 2A 00 2E 00 63 00 75 00 72 00 7C 00 4D 00 65 00 74 00 61 00 61 00 72 00 63 00 68 00 69 00 76 00 6F 00 73 00 20 00 28 00 2A 00 2E 00 77 00 6D 00 66 00 3B 00 2A 00 2E 00 65 00 6D 00 66 00 29 00 7C 00 2A 00 2E 00 77 00 6D 00 66 00 3B 00 2A 00 2E 00 65 00 6D 00 66 00 7C 00 54 00 6F 00 64 00 6F 00 73 00 20 00 6C 00 6F 00 73 00 20 00 61 00 72 00 63 00 68 00 69 00 76 00 6F 00 73 00 20 00 28 00 2A 00 2E 00 2A 00 29 00 7C 00 2A 00 2E 00 2A 00 7C 00 7C 00 }
//HTML_IMG#IDR_HTM_IMAGES_LI_CAPTION_HOVER_PNG)IDR_HTM_IMAGES_SB_H_SCROLL_PREV_HOVER_PNG1IDR_HTM_IMG_PAGE_TITLE_ICON_MENU_ORANGE_CLOSE_PNG2IDR_HTM_IMG_PAGE_TITLE_ICON_MENU_PAID_SETTINGS_PNG
$s6 = { 48 00 54 00 4D 00 4C 00 5F 00 49 00 4D 00 47 00 23 00 49 00 44 00 52 00 5F 00 48 00 54 00 4D 00 5F 00 49 00 4D 00 41 00 47 00 45 00 53 00 5F 00 4C 00 49 00 5F 00 43 00 41 00 50 00 54 00 49 00 4F 00 4E 00 5F 00 48 00 4F 00 56 00 45 00 52 00 5F 00 50 00 4E 00 47 00 29 00 49 00 44 00 52 00 5F 00 48 00 54 00 4D 00 5F 00 49 00 4D 00 41 00 47 00 45 00 53 00 5F 00 53 00 42 00 5F 00 48 00 5F 00 53 00 43 00 52 00 4F 00 4C 00 4C 00 5F 00 50 00 52 00 45 00 56 00 5F 00 48 00 4F 00 56 00 45 00 52 00 5F 00 50 00 4E 00 47 00 31 00 49 00 44 00 52 00 5F 00 48 00 54 00 4D 00 5F 00 49 00 4D 00 47 00 5F 00 50 00 41 00 47 00 45 00 5F 00 54 00 49 00 54 00 4C 00 45 00 5F 00 49 00 43 00 4F 00 4E 00 5F 00 4D 00 45 00 4E 00 55 00 5F 00 4F 00 52 00 41 00 4E 00 47 00 45 00 5F 00 43 00 4C 00 4F 00 53 00 45 00 5F 00 50 00 4E 00 47 00 32 00 49 00 44 00 52 00 5F 00 48 00 54 00 4D 00 5F 00 49 00 4D 00 47 00 5F 00 50 00 41 00 47 00 45 00 5F 00 54 00 49 00 54 00 4C 00 45 00 5F 00 49 00 43 00 4F 00 4E 00 5F 00 4D 00 45 00 4E 00 55 00 5F 00 50 00 41 00 49 00 44 00 5F 00 53 00 45 00 54 00 54 00 49 00 4E 00 47 00 53 00 5F 00 50 00 4E 00 47 00 }
//%s\log_%04d%02d%02d_%d.log
$s7 = { 25 73 5C 6C 6F 67 5F 25 30 34 64 25 30 32 64 25 30 32 64 5F 25 64 2E 6C 6F 67 }
condition:
uint16(0) == 0x5a4d and
filesize < 3000KB and
all of them
}
rule ransomware_coronavirus {
meta:
description = "Rule to detect the Corona Virus ransomware"
author = "Marc Rivero | McAfee ATR Team"
date = "2020-03-25"
rule_version = "v1"
malware_type = "ransomware"
malware_family = "Ransom:W32/CoronaVirus"
actor_type = "Cybercrime"
actor_group = "Unknown"
reference = "https://twitter.com/malwrhunterteam/status/1238056503493505024"
hash = "3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3"
strings:
//%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
$s1 = { 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73 }
//%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
$s2 = { 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 00 }
///upload/%s_%d_%s
$s3 = { 2F 00 75 00 70 00 6C 00 6F 00 61 00 64 00 2F 00 25 00 73 00 5F 00 25 00 64 00 5F 00 25 00 73 00 }
//SYSTEM\CurrentControlSet\Control\Session Manager
$s4 = { 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 43 6F 6E 74 72 6F 6C 5C 53 65 73 73 69 6F 6E 20 4D 61 6E 61 67 65 72 }
//\\.\PhysicalDrive%d
$s5 = { 5C 5C 2E 5C 50 68 79 73 69 63 61 6C 44 72 69 76 65 25 64 }
condition:
uint16(0) == 0x5a4d and
filesize < 100KB and
all of them
}