<h1>Yara to spellcheck’em all</h1>
<p>Published 2019-11-24 at https://www.hexacorn.com/blog/2019/11/24/yara-to-spellcheckem-all/</p>

<p>This is a trivial yara rule stub. It picks up binaries with mispeleleleled words. I started putting it together only yesterday, when I noticed that many popular (and often signed) binaries include lots of these. This suggests the coders are non-native speakers. More far-fetched scenarios could include automatic checks against APT for popular misspellings, to quickly highlight possible attribution hints or… a false flag 🙂</p>

<p>Improve at your own risk 🙂</p>

<pre class="wp-block-code"><code>rule mispel
{
    strings:
        $s1 = "appling" ascii wide
        $s2 = "runing" ascii wide
        $s3 = "youre" ascii wide
        $s4 = "faild" ascii wide
        $s5 = "suces" ascii wide
        $s6 = "seting" ascii wide
        $s7 = "opend" ascii wide
        $s8 = "seqence" ascii wide

    condition:
        (1 of ($s*))
}
</code></pre>