From 0e88d5938a990975f113edb3a2836c0cb4789f18 Mon Sep 17 00:00:00 2001
From: Vishal Thakur
Date: Wed, 27 Sep 2023 15:02:18 +1000
Subject: [PATCH 1/4] Create RANSOM_Ransomexx.yar
---
malware/RANSOM_Ransomexx.yar | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 malware/RANSOM_Ransomexx.yar
diff --git a/malware/RANSOM_Ransomexx.yar b/malware/RANSOM_Ransomexx.yar
new file mode 100644
index 00000000..c744b301
--- /dev/null
+++ b/malware/RANSOM_Ransomexx.yar
@@ -0,0 +1,32 @@
+/*
+author = "Vishal Thakur - malienist.medium.com"
+date = "2021-11-30"
+version = "1"
+description = "Detects RansomExx Linux Ransomware"
+info = "Generated from information extracted from the malware sample by manual analysis."
+*/
+
+rule ransomexxStatic {
+ strings:
+ $header = { 7f 45 4c 46 02 }
+ $email = { 66 72 61 6e 63 65 2e 65 69 67 73 40 70 72 6f 74 6f 6e 6d 61 69 6c 2e 63 6f 6d }
+ $msg1 = { 53 74 75 64 79 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 52 45 47 41 52 44 46 55 4c 4c 59 20 61 6e 64 20 63 61 6c 6c 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 66 72 6f 6d 20 74 65 63 68 6e 69 63 61 6c 20 64 69 76 69 73 69 6f 6e }
+ $msg2 = { 45 6e 63 72 79 70 74 65 64 20 66 69 6c 65 20 4d 55 53 54 20 4e 4f 54 20 68 61 76 65 20 72 69 63 68 20 64 61 74 61 }
+ $msg3 = { 52 65 61 63 68 20 75 73 20 53 4f 4c 45 4c 59 20 69 66 20 79 6f 75 20 72 65 70 72 65 73 65 6e 74 20 61 6c 6c 20 61 66 66 65 63 74 65 64 20 6e 65 74 77 6f 72 6b }
+ $msg4 = { 47 72 65 65 74 69 6e 67 73 20 45 49 47 53 49 }
+ $msg5 = { 62 72 61 69 6e 70 6f 6f 6c }
+ $msg6 = { 6d 62 65 64 74 6c 73 5f 61 65 73 5f 78 74 73 5f 64 65 63 6f 64 65 5f 6b 65 79 73 }
+
+ condition:
+ filesize < 270KB and
+ all of them
+}
+
+rule ransomexxCode {
+ strings:
+ $block1 = { ?? 65 6d 6f 76 65 00 6f 70 65 6e 64 69 72 00 61 6c 61 ?? 6d 00 75 73 6c 65 65 70 00 66 77 72 69 74 65 00 66 72 65 61 64 00 67 65 74 74 69 6d 65 6f 66 64 61 79 00 72 65 6e 61 6d 65 00 72 65 61 64 64 69 72 36 34 00 5f 5f 63 78 61 5f 66 69 6e 61 6c 69 7a 65 00 73 79 73 63 61 6c 6c 00 6d 65 6d 6d 6f 76 65 00 66 6f 70 65 6e 36 34 00 73 74 ?? 63 6d 70 00 5f 5f 6c 69 62 63 5f 73 74 61 72 74 5f 6d 61 69 6e 00 66 65 ?? ?? 6f ?? 00 73 6e 70 72 69 6e 74 66 00 73 79 73 63 6f 6e 66 00 66 72 65 65 00 5f 5f 78 73 74 61 74 36 34 00 6c 69 62 70 74 68 72 65 61 64 2e 73 6f 2e 30 00 6c 69 62 63 2e 73 6f 2e 36 00 47 4c 49 42 43 5f 32 2e 32 2e 35 00 47 4c 49 42 43 5f 32 2e 33 2e 34 00 5f 5f 67 6d 6f 6e 5f 73 74 61 72 74 5f 5f }
+ $block2 = { ?? 
54 4d 5f 64 65 ?? 65 67 69 73 74 65 ?? 54 4d 43 6c 6f 6e 65 54 61 62 6c 65 00 5f 49 54 4d 5f 72 65 67 69 73 74 65 72 54 4d 43 6c 6f 6e 65 54 61 62 6c 65 00 5f 5f 65 72 72 6e 6f 5f 6c 6f 63 61 74 69 6f 6e 00 70 74 68 72 65 61 64 5f 63 72 65 61 74 65 00 70 74 68 72 65 61 64 5f 6d 75 74 65 78 5f 6c 6f 63 6b 00 70 74 68 ?? 65 61 64 5f 6d 75 74 65 78 5f 75 6e 6c 6f 63 6b 00 73 ?? ?? 63 70 79 00 67 6d 74 69 6d 65 5f ?? 00 73 70 72 69 6e 74 66 00 73 72 61 6e 64 00 63 6c 6f 73 65 64 69 72 00 66 74 65 6c 6c 00 73 69 67 6e 61 6c 00 70 75 74 73 00 74 69 6d 65 00 70 75 74 63 68 61 72 00 66 67 65 74 73 00 73 63 68 65 64 5f 73 65 74 61 66 66 69 6e 69 74 79 00 63 61 6c 6c 6f 63 00 73 74 ?? 6c 65 6e 00 6d 65 6d 73 65 74 00 73 74 72 73 74 ?? 00 66 73 65 65 6b 00 6d 65 6d 63 6d 70 00 6d 65 6d 63 70 79 00 66 63 6c 6f 73 65 00 6d 61 6c 6c 6f 63 00 73 74 ?? 63 61 }
+ condition:
+ filesize < 270KB and
+ all of them
+}
From 113d4e053ceb51746988ec522d0e9ebd2f5c6e5e Mon Sep 17 00:00:00 2001
From: Vishal Thakur
Date: Mon, 11 Dec 2023 14:05:01 +1100
Subject: [PATCH 2/4] Create MALW_darkgate.yar
---
malware/MALW_darkgate.yar | 86 +++++++++++++++++++++++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 malware/MALW_darkgate.yar
diff --git a/malware/MALW_darkgate.yar b/malware/MALW_darkgate.yar
new file mode 100644
index 00000000..83ef23ea
--- /dev/null
+++ b/malware/MALW_darkgate.yar
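Review bot: `ransomexxStatic` ends in `all of them`, yet `$email` and `$msg4` decode to a contact mailbox and a greeting that appear to name a single victim organisation, so a build prepared for any other target would likely not match. Treat those two as optional and key the rule on the generic note text, for example `$header at 0 and 4 of ($msg*)`; the `at 0` also stops the ELF magic from being accepted at an arbitrary offset. The author, date and description lines sit in a `/* */` comment rather than a `meta:` section as in the other three files of this series, so scanners will not report them with a hit. In `ransomexxCode` both blocks decode to libc/pthread symbol-name tables and begin with a `??` byte that constrains nothing, which makes that rule depend on link order more than on anything specific to RansomExx.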
@@ -0,0 +1,86 @@
+/*
+This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+rule DarkGateStrings {
+
+ meta:
+ author = "Vishal Thakur - malienist.medium.com"
+ date = "2023-Dec-11"
+ version = "1"
+ description = "Detects DarkGate Malware"
+ info = "Generated from information extracted from the malware sample by manual analysis."
+ strings:
+ $str1 = { 2f 63 20 63 6d 64 6b 65 79 20 2f 67 65 6e 65 72 69 63 3a 22 31 32 37 2e 30 2e 30 2e 32 22 20 2f 75 73 65 72 3a 22 53 61 66 65 4d 6f 64 65 22 20 2f 70 61 73 73 3a 22 64 61 72 6b 67 61 74 65 70 61 73 73 77 6f 72 64 30 22 }
+ $str2 = { 43 3a 5c 74 65 6d 70 5c 74 73 6b 6d }
+ $str3 = { 4e 6f 20 73 74 61 72 74 75 70 20 63 6f 6e 66 69 67 75 72 65 64 2c 20 73 6b 69 70 20 75 70 64 61 74 65 }
+ $str4 = { 43 6f 72 72 75 70 74 65 64 20 64 6f 77 6e 6c 6f 61 64 65 64 20 72 65 73 6f 75 72 63 65 73 }
+ $str5 = { 54 68 65 72 65 27 73 20 6e 6f 20 63 72 65 64 65 6e 74 69 61 6c 73 20 74 6f 20 72 65 6d 6f 76 65 }
+ $str6 = { 2f 63 20 63 3a 5c 74 65 6d 70 5c 50 73 45 78 65 63 2e 65 78 65 20 2d 61 63 63 65 70 74 65 75 6c 61 20 2d 69 20 2d 64 20 2d 73 }
+ $str7 = { 53 43 6f 72 72 75 70 74 65 64 20 64 6f 77 6e 6c 6f 61 64 65 64 20 72 65 73 6f 75 72 63 65 73 }
+ $str8 = { 63 3a 5c 74 65 6d 70 5c 63 72 61 73 68 2e 74 78 74 }
+ $str9 = { 64 61 72 6b 67 61 74 65 70 61 73 73 77 6f 72 64 30 }
+
+ condition:
+ 7 of them
+}
+
+rule DarkGateElevation {
+ meta:
+ author = "Vishal Thakur - malienist.medium.com"
+ date = "2023-Dec-11"
+ version = "1"
+ description = "Detects DarkGate Malware"
+ info = "Generated from information extracted from the malware sample by manual analysis. Rule to detect DarkGate related to elevation."
+ strings:
+ $str1 = { 53 59 53 54 45 4d 20 45 6c 65 76 61 74 69 6f 6e 3a 20 43 61 6e 6e 6f 74 20 66 69 6e 64 20 52 41 57 20 50 45 }
+ $str2 = { 50 45 49 20 6e 65 65 64 20 41 64 6d 69 6e 20 72 69 67 68 74 73 20 74 6f 20 65 6c 65 76 61 74 65 20 74 6f 20 53 59 53 54 45 4d }
+ $str3 = { 45 6c 65 76 61 74 69 6f 6e 3a 20 41 54 20 52 41 57 20 53 54 55 42 20 45 4c 45 56 41 54 49 4f 4e 20 49 53 20 4e 4f 54 20 41 56 41 49 4c 41 42 4c 45 }
+ $str4 = { 53 59 53 54 45 4d 20 45 6c 65 76 61 74 69 6f 6e 3a 20 43 6f 6d 70 6c 65 74 65 64 2c 20 6e 65 77 20 44 61 72 6b 47 61 74 65 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 77 69 74 68 20 53 59 53 54 45 4d 20 70 72 69 76 69 6c 65 67 65 73 2c 20 45 78 65 63 75 74 65 64 20 66 72 6f 6d 3a }
+ $str5 = { 45 6c 65 76 61 74 69 6f 6e 3a 20 3f 3f 3f }
+ $str6 = { 45 6c 65 76 61 74 69 6f 6e 3a 20 46 41 49 4c 55 52 45 }
+
+ condition:
+ 4 of them
+}
+
+rule DarkGateMisc {
+ meta:
+ author = "Vishal Thakur - malienist.medium.com"
+ date = "2023-Dec-11"
+ version = "1"
+ description = "Detects DarkGate Malware"
+ info = "Generated from information extracted from the malware sample by manual analysis. Rule to detect DarkGate related to misc strings."
+ strings:
+ $str1= { 2f 63 20 63 3a 5c 74 65 6d 70 5c 50 73 45 78 65 63 2e 65 78 65 20 2d 61 63 63 65 70 74 65 75 6c 61 20 2d 69 20 2d 64 20 2d 73 }
+ $str2= { 4e 6f 20 73 74 61 72 74 75 70 20 63 6f 6e 66 69 67 75 72 65 64 2c 20 73 6b 69 70 20 75 70 64 61 74 65 }
+ $str3= { 43 6f 72 72 75 70 74 65 64 20 64 6f 77 6e 6c 6f 61 64 65 64 20 72 65 73 6f 75 72 63 65 73 }
+ $str4= { 63 3a 5c 74 65 6d 70 5c 50 73 45 78 65 63 2e 65 78 65 }
+ $str5= { 63 3a 5c 74 65 6d 70 5c 70 69 64 67 69 6e 2e 65 78 65 }
+ $str6= { 63 3a 5c 74 65 6d 70 5c 63 72 61 73 68 2e 74 78 74 }
+ $str7= { 63 3a 5c 74 65 6d 70 5c 70 2e 74 78 74 }
+ $str8= { 63 3a 5c 74 65 6d 70 5c 64 2e 74 78 74 }
+ $str9= { 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 41 56 47 }
+ $str10= { 63 3a 5c 74 65 6d 70 5c 41 75 74 6f 69 74 33 2e 65 78 65 }
+ condition:
+ 8 of them
+}
+
+rule DarkGateRndm {
+ meta:
+ author = "Vishal Thakur - malienist.medium.com"
+ date = "2023-Dec-11"
+ version = "1"
+ description = "Detects DarkGate Malware"
+ info = "Generated from information extracted from the malware sample by manual analysis. Rule to detect DarkGate related to strings found in the binary."
+ strings:
+ $str1= { 20 2d 2d 6d 75 74 65 2d 61 75 64 69 6f 20 2d 2d 64 69 73 61 62 6c 65 2d 61 75 64 69 6f 20 2d 2d 6e 6f 2d 73 61 6e 64 62 6f 78 20 2d 2d 6e 65 77 2d 77 69 6e 64 6f 77 20 2d 2d 64 69 73 61 62 6c 65 2d 33 64 2d 61 70 69 73 20 2d 2d 64 69 73 61 62 6c 65 2d 67 70 75 20 2d 2d 64 69 73 61 62 6c 65 2d 64 33 64 31 31 20 2d 2d 77 69 6e 64 6f 77 2d 73 69 7a 65 3d 0a }
+ $str2= { 7a 4c 41 78 75 55 30 6b 51 4b 66 33 73 57 45 37 65 50 52 4f 32 69 6d 79 67 39 47 53 70 56 6f 59 43 36 72 68 6c 58 34 38 5a 48 6e 76 6a 4a 44 42 4e 46 74 4d 64 31 49 35 61 63 77 62 71 54 2b 3d }
+ $str3= { 2f 63 20 78 63 6f 70 79 20 2f 45 20 2f 49 20 2f 59 20 22 25 73 22 20 22 25 73 22 20 26 26 20 65 78 69 74 }
+ $str4= { 6b 61 63 6c 6a 63 62 65 6a 6f 6a 6e 61 70 6e 6d 69 69 66 67 63 6b 62 61 66 6b 6f 6a 63 6e 63 66 }
+ $str5= { 65 70 63 6e 6e 66 62 6a 66 63 67 70 68 67 64 6d 67 67 6b 61 6d 6b 6d 67 6f 6a 64 61 67 64 6e 6e }
+ $str6= { 6c 61 6c 66 70 6a 64 62 68 70 6d 6e 68 66 6f 66 6b 63 6b 64 70 6b 6c 6a 65 69 6c 6d 6f 67 66 6c }
+ $str7= { 52 53 41 63 74 69 6f 6e 53 65 6e 64 48 51 53 63 72 65 65 6e 73 68 6f 74 }
+
+ condition:
+ 5 of them
+}
From 7989fe96e68dac5614790947439f7f996c683fec Mon Sep 17 00:00:00 2001
From: Vishal Thakur
Date: Thu, 14 Dec 2023 09:21:04 +1100
Subject: [PATCH 3/4] Create MALW_BottomLoader.yar
---
malware/MALW_BottomLoader.yar | 45 +++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 malware/MALW_BottomLoader.yar
diff --git a/malware/MALW_BottomLoader.yar b/malware/MALW_BottomLoader.yar
new file mode 100644
index 00000000..85c54177
--- /dev/null
+++ b/malware/MALW_BottomLoader.yar
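Review bot: Several strings in these rules are contained in one another, so a single occurrence in a file is counted twice toward the `N of them` threshold: in `DarkGateStrings` `$str9` is contained in `$str1` and `$str7` is `$str4` with one extra leading byte, and in `DarkGateMisc` `$str4` is a substring of `$str1`. The same overlap exists in MALW_BottomLoader.yar (`bottomLoaderTimezone` `$str5` is a prefix of `$str2`) and in MALW_JinxLoader.yar (`$str6` occurs inside `$str3`). Drop the contained strings or keep them out of the count, then re-derive each threshold from the distinct strings that remain. Writing the ASCII values as text strings, e.g. `$str4 = "c:\\temp\\PsExec.exe" ascii nocase`, would also let the drive-letter and path case vary, which a hex string cannot express, and would make the rule auditable without decoding it.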
@@ -0,0 +1,45 @@
+/*
+This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+rule bottomLoaderStrings {
+
+ meta:
+ author = "Vishal Thakur - malienist.medium.com"
+ date = "2023-Dec-14"
+ version = "1"
+ description = "Detects BottomLoader Malware"
+ info = "Generated from information extracted from the malware sample by manual analysis."
+ strings:
+ $str1 = { 73 72 63 5c 63 6f 72 65 5c 69 6e 74 65 72 6e 61 6c 5c 67 63 5c 70 72 6f 78 79 2e 64 }
+ $str2 = { 41 20 63 79 63 6c 65 20 68 61 73 20 62 65 65 6e 20 64 65 74 65 63 74 65 64 20 69 6e 20 79 6f 75 72 20 70 72 6f 67 72 61 6d }
+ $str3 = { 43 61 6e 6e 6f 74 20 72 65 6f 70 65 6e 20 66 69 6c 65 20 69 6e 20 6d 6f 64 65 }
+ $str4 = { 73 65 70 61 72 61 74 6f 72 20 64 69 67 69 74 20 77 69 64 74 68 }
+ $str5 = { 41 74 74 65 6d 70 74 69 6e 67 20 74 6f 20 77 72 69 74 65 20 74 6f 20 63 6c 6f 73 65 64 20 46 69 6c 65 }
+ $str6 = { 64 72 75 6e 74 69 6d 65 5c 69 6d 70 6f 72 74 5c 63 6f 72 65 5c 69 6e 74 65 72 6e 61 6c 5c 73 74 72 69 6e 67 2e 64 }
+ $str7 = { 73 74 64 5c 75 6e 69 5c 70 61 63 6b 61 67 65 2e 64 }
+ $str8 = { 41 74 74 65 6d 70 74 69 6e 67 20 74 6f 20 72 65 6f 70 65 6e 28 29 20 61 6e 20 75 6e 6f 70 65 6e 65 64 20 66 69 6c 65 }
+ $str9 = { 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 70 72 69 6e 74 69 6e 67 20 6d 6f 64 75 6c 65 20 63 79 63 6c 65 }
+
+ condition:
+ 7 of them
+}
+
+rule bottomLoaderTimezone {
+
+ meta:
+ author = "Vishal Thakur - malienist.medium.com"
+ date = "2023-Dec-14"
+ version = "1"
+ description = "Detects BottomLoader Malware"
+ info = "Generated from information extracted from the malware sample by manual analysis."
+ strings:
+ $str1 = { 73 74 64 2e 64 61 74 65 74 69 6d 65 2e 74 69 6d 65 7a 6f 6e 65 2e 50 6f 73 69 78 54 69 6d 65 5a 6f 6e 65 2e 54 65 6d 70 54 72 61 6e 73 69 74 69 6f 6e }
+ $str2 = { 73 74 64 2e 64 61 74 65 74 69 6d 65 2e 74 69 6d 65 7a 6f 6e 65 2e 50 6f 73 69 78 54 69 6d 65 5a 6f 6e 65 2e 54 72 61 6e 73 69 74 69 6f 6e 54 79 70 65 }
+ $str3 = { 73 74 64 2e 64 61 74 65 74 69 6d 65 2e 74 69 6d 65 7a 6f 6e 65 2e 50 6f 73 69 78 54 69 6d 65 5a 6f 6e 65 2e 4c 65 61 70 53 65 63 6f 6e 64 }
+ $str4 = { 73 74 64 2e 64 61 74 65 74 69 6d 65 2e 74 69 6d 65 7a 6f 6e 65 2e 50 6f 73 69 78 54 69 6d 65 5a 6f 6e 65 2e 54 65 6d 70 54 54 49 6e 66 6f }
+ $str5 = { 73 74 64 2e 64 61 74 65 74 69 6d 65 2e 74 69 6d 65 7a 6f 6e 65 2e 50 6f 73 69 78 54 69 6d 65 5a 6f 6e 65 2e 54 72 61 6e 73 69 74 69 6f 6e }
+ $str6 = { 73 74 64 2e 64 61 74 65 74 69 6d 65 2e 74 69 6d 65 7a 6f 6e 65 2e 50 6f 73 69 78 54 69 6d 65 5a 6f 6e 65 2e 54 54 49 6e 66 6f }
+
+ condition:
+ 4 of them
+}
From a5cc86b5bdd7577936f746bb12494072c2b568b3 Mon Sep 17 00:00:00 2001
From: Vishal Thakur
Date: Tue, 2 Jan 2024 13:23:25 +1100
Subject: [PATCH 4/4] Create MALW_JinxLoader.yar
---
malware/MALW_JinxLoader.yar | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 malware/MALW_JinxLoader.yar
diff --git a/malware/MALW_JinxLoader.yar b/malware/MALW_JinxLoader.yar
new file mode 100644
index 00000000..e2e7a402
--- /dev/null
+++ b/malware/MALW_JinxLoader.yar
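Review bot: Every string in `bottomLoaderStrings` and `bottomLoaderTimezone` decodes to a D runtime or Phobos artefact (source paths such as `std\uni\package.d`, runtime error messages, `std.datetime.timezone.PosixTimeZone.*` type names), so both rules would be expected to match unrelated programs compiled with D, not only BottomLoader. Add at least one string or structural feature taken from the loader's own code and require it in the condition, e.g. `$own and 7 of ($str*)`, where `$own` is a placeholder for that string. Neither rule has a file-type or `filesize` bound either, unlike the RansomExx and JinxLoader rules in this series, so every scanned file pays for the string search.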
@@ -0,0 +1,26 @@
+/*
+This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+rule jinxLoaderStrings {
+
+ meta:
+ author = "Vishal Thakur - malienist.medium.com"
+ date = "2024-Jan-2"
+ version = "1"
+ description = "Detects JinxLoader Malware"
+ info = "Generated from information extracted from the malware sample by manual analysis."
+ strings:
+ $str1 = { 51 70 74 69 71 73 2E 64 6C 6C }
+ $str2 = { 50 61 70 36 6D 2F 43 2B 51 49 46 73 69 66 6D 32 44 61 64 67 67 50 76 39 4C 36 42 36 69 76 69 78 41 71 6F 79 71 50 43 6E 4B 37 31 39 6E 65 79 53 48 61 42 73 67 76 65 2F 46 2B 68 75 69 75 47 4D 4B 4B 5A 6C 67 39 75 79 41 37 59 79 67 4F 57 4D 4A 37 31 73 6E 75 43 79 41 72 70 39 6C 71 36 30 43 36 64 57 6F 2F 43 39 43 61 64 68 31 4E 4B 32 47 6F 64 77 6E 2F 43 56 48 4C 78 6B 70 2F 53 39 43 72 39 73 31 50 4B 32 47 6F 78 48 6A 76 69 32 56 5A 70 6E 69 2F 43 72 49 62 55 79 76 66 43 79 43 6F 42 39 6E 66 79 39 43 65 68 49 69 2F 48 6F 43 62 5A 39 73 4D 57 38 48 62 70 39 68 76 71 39 56 62 52 73 6D 38 71 51 47 36 46 37 69 76 75 6E 4B 72 78 6B 6A 76 79 39 56 59 42 73 6D 39 47 79 47 72 49 79 33 71 66 6B 56 2B 45 79 72 75 61 67 43 37 35 72 67 2B 79 41 43 36 46 2F 69 75 66 6F 50 62 70 6B 6E 2F 6D 32 4C 36 42 36 69 76 69 78 41 71 70 4D 6C 2B 57 2F 41 61 46 73 6E 61 36 78 44 37 46 73 67 2B 4F 2B 56 61 42 6B 67 50 36 32 47 72 5A 36 6D 77 3D 3D }
+ $str3 = { 65 32 5A 68 4D 44 56 6D 5A 44 46 6D 4C 54 4E 69 4D 47 59 74 4E 44 63 30 4D 79 30 35 4E 44 68 69 4C 54 56 6A 4F 44 55 7A 59 6A 55 32 4D 44 45 34 59 33 30 73 49 45 4E 31 62 48 52 31 63 6D 55 39 62 6D 56 31 64 48 4A 68 62 43 77 67 55 48 56 69 62 47 6C 6A 53 32 56 35 56 47 39 72 5A 57 34 39 4D 32 55 31 4E 6A 4D 31 4D 44 59 35 4D 32 59 33 4D 7A 55 31 5A 51 3D 3D 2C 5B 7A 5D 7B 66 62 30 61 66 32 66 38 2D 66 39 31 37 2D 34 66 33 36 2D 61 65 61 35 2D 34 65 37 65 66 36 34 33 31 61 61 30 7D 2C 65 32 5A 68 4D 44 56 6D 5A 44 46 
6D 4C 54 4E 69 4D 47 59 74 4E 44 63 30 4D 79 30 35 4E 44 68 69 4C 54 56 6A 4F 44 55 7A 59 6A 55 32 4D 44 45 34 59 33 30 3D 2C 5B 7A 5D 7B 66 62 30 61 66 32 66 38 2D 66 39 31 37 2D 34 66 33 36 2D 61 65 61 35 2D 34 65 37 65 66 36 34 33 31 61 61 30 7D }
+ $str4 = { 7B 66 61 30 35 66 64 31 66 2D 33 62 30 66 2D 34 37 34 33 2D 39 34 38 62 2D 35 63 38 35 33 62 35 36 30 31 38 63 7D 2C 20 50 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D 33 65 35 36 33 35 30 36 39 33 66 37 33 35 35 65 }
+ $str5 = { 33 3F 23 33 3F 27 33 3F 2B 33 3F 2F 33 3F 33 33 3F 37 33 3F 3B 33 3F 3F 33 3F 43 33 3F 47 33 3F 4B 33 3F 4F 33 3F 53 33 3F 57 33 3F 5B 33 3F 5F 33 3F 63 33 3F 67 33 3F 6B 33 3F 6F }
+ $str6 = { 7B 66 62 30 61 66 32 66 38 2D 66 39 31 37 2D 34 66 33 36 2D 61 65 61 35 2D 34 65 37 65 66 36 34 33 31 61 61 30 7D }
+ $str7 = { 24 33 31 34 38 31 32 36 34 2D 36 35 35 66 2D 34 62 33 33 2D 38 34 65 35 2D 33 31 62 37 35 62 63 30 30 31 62 34 }
+ $str8 = { 7A 59 26 4F 7B 25 32 23 52 68 3C 58 5D 39 }
+ $str9 = { 27 63 71 56 2C 3E 47 24 27 37 4C 64 }
+
+ condition:
+ filesize < 6000KB and
+ 7 of them
+}
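Review bot: `$str2` and `$str3` are long encoded blobs that must match byte for byte, and `$str3`, `$str4`, `$str6` and `$str7` carry GUIDs that look generated per build, so with `7 of them` the rule probably tracks one sample rather than the JinxLoader family; this is worth confirming against a second sample before merging. A short, stable fragment of each blob is cheaper to scan and more tolerant of rebuilds. The only structural gate is `filesize < 6000KB`; if the target is a PE file, which `$str1` (a `.dll` name) suggests, `uint16(0) == 0x5A4D and filesize < 6000KB and 7 of them` avoids string matching on other file types.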