Merge pull request Yara-Rules#410 from manfred-kaiser/master

Added Rule for tweetable-polyglot-png
k0ko380 · Apr 21, 2021 · 4d372ea · 4d372ea
2 parents 3872244 + 3ca61e7
commit 4d372ea
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/packers/tweetable-polyglot-png.yar b/packers/tweetable-polyglot-png.yar
@@ -0,0 +1,19 @@
+rule TweetablePolyglotPng {
+  meta:
+    description = "tweetable-polyglot-png: https://github.com/DavidBuchanan314/tweetable-polyglot-png"
+    author = "Manfred Kaiser"
+  strings:
+    $magic1 = { 50 4b 01 02 }
+    $magic2 = { 50 4b 03 04 }
+    $magic3 = { 50 4b 05 06 }
+
+  condition:
+    (
+      uint32be(0) == 0x89504E47 or
+      uint32be(0) == 0xFFD8FFE0
+    ) and
+    $magic1 and
+    $magic2 and
+    $magic3
+
+}
diff --git a/packers_index.yar b/packers_index.yar
@@ -7,3 +7,4 @@ include "./packers/Javascript_exploit_and_obfuscation.yar"
 include "./packers/packer.yar"
 include "./packers/packer_compiler_signatures.yar"
 include "./packers/peid.yar"
+include "./packers/tweetable-polyglot-png.yar"