Rule Details
Description: Automatically imported from Yara-Rules GitHub repository.
Reference: https://raw.githubusercontent.com/Yara-Rules/rules/master/cve_rules/CVE-2012-0158.yar
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
*
* Signature for the CVE-2012-0158 used in KeyBoy operation
* Ref https://citizenlab.org/2016/11/parliament-keyboy/
*
*/
rule CVE_2012_0158_KeyBoy {
meta:
author = "Etienne Maynier <etienne@citizenlab.ca>"
description = "CVE-2012-0158 variant"
file = "8307e444cad98b1b59568ad2eba5f201"
strings:
$a = "d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff09000600000000000000000000000100000001" nocase // OLE header
$b = "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" nocase // junk data
$c = /5(\{\\b0\}|)[ ]*2006F00(\{\\b0\}|)[ ]*6F007(\{\\b0\}|)[ ]*400200045(\{\\b0\}|)[ ]*006(\{\\b0\}|)[ ]*E007(\{\\b0\}|)[ ]*400720079/ nocase
$d = "MSComctlLib.ListViewCtrl.2"
$e = "ac38c874503c307405347aaaebf2ac2c31ebf6e8e3" nocase //decoding shellcode
condition:
all of them
}
Author: YARA GitHub Importer
Tags: imported, yara