100 Days of YARA – Day 11: UPX

A lot of malware uses a packer to reduce its footprint and to obfuscate strings, which defeats many simple YARA rules that rely on plaintext strings.

One popular packer is UPX: https://upx.github.io/

This rule finds ELF and PE files that have been packed with unmodified (stock) versions of UPX, by checking the executable's magic bytes together with the marker strings a stock UPX build leaves in the packed file.

rule upx
{
	meta:
		author = "Daniel Roberson"
		description = "https://github.com/upx/upx"

	strings:
		$s1 = "UPX!"                  // magic marker in the UPX packer header
		$s2 = "UPX executable packer" // part of the info banner left by stock UPX builds

	condition:
		// uint32/uint16 read little-endian: 0x464c457f is "\x7fELF", 0x5a4d is "MZ"
		(uint32(0) == 0x464c457f or uint16(0) == 0x5a4d) and all of them
}
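To show what the rule's condition actually evaluates, here is an added Python example (not part of the original post, and not the yara tooling itself) that re-implements the same check over constructed byte buffers: YARA's uint32()/uint16() read little-endian, which is why "\x7fELF" becomes 0x464c457f, and "all of them" means a packed file with the "UPX!" marker stripped will not match, which is the limitation the post notes for modified UPX builds. All sample inputs are constructed inline.

```python
import struct

# Constants mirroring the rule (constructed here, not from a real binary)
ELF_MAGIC = 0x464C457F  # little-endian reading of b"\x7fELF"
MZ_MAGIC = 0x5A4D       # little-endian reading of b"MZ"
UPX_STRINGS = (b"UPX!", b"UPX executable packer")


def uint32(data: bytes, offset: int):
    """Equivalent of YARA's uint32(offset): little-endian, None if out of range."""
    if len(data) < offset + 4:
        return None
    return struct.unpack_from("<I", data, offset)[0]


def uint16(data: bytes, offset: int):
    """Equivalent of YARA's uint16(offset): little-endian, None if out of range."""
    if len(data) < offset + 2:
        return None
    return struct.unpack_from("<H", data, offset)[0]


def matches_upx_rule(data: bytes) -> bool:
    """Same logic as the rule's condition: executable header AND all strings present."""
    is_executable = uint32(data, 0) == ELF_MAGIC or uint16(data, 0) == MZ_MAGIC
    return is_executable and all(s in data for s in UPX_STRINGS)


def build_sample(header: bytes, strings=UPX_STRINGS) -> bytes:
    """Constructed stand-in for a file: header bytes, padding, then the marker strings."""
    return header + b"\x00" * 64 + b"\x00".join(strings) + b"\x00" * 16


# Constructed samples: two stock-UPX lookalikes, one with "UPX!" stripped
# (a modified packer), and a non-executable that merely contains the strings.
SAMPLES = {
    "elf_upx": build_sample(b"\x7fELF"),
    "pe_upx": build_sample(b"MZ"),
    "pe_stripped": build_sample(b"MZ", strings=(b"UPX executable packer",)),
    "text_with_strings": build_sample(b"#!/bin/sh\n"),
}


def scan_samples(samples=SAMPLES) -> dict:
    """Return {name: matched} for each constructed sample."""
    return {name: matches_upx_rule(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```

Running it reports matches only for the two stock-looking samples; the stripped sample fails "all of them", and the shell script fails the header check even though it contains both strings, which is the reason the rule gates on the magic bytes at offset 0.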
