ajpc500 · June 16, 2021 18:17
diff --git a/sharpsphere.yara b/sharpsphere.yara
 rule SharpSphere {
 	meta:
 		description = "Strings in SharpSphere binary."
 		author = "Alfie Champion (ajpc500)"
 		date = "2021-06-12"
 	strings:
 		$s0 = "SharpSphere" ascii wide
        $s1 = "Upload file to target VM" ascii wide
 		$s2 = "Download file from target VM" ascii wide
        $s3 = "[x] Attempting to execute with cmd /c the following command:" wide
        $s4 = "[x] Creating snapshot for VM" wide
        $s5 = "[x] Download complete, zipping up so it's easier to exfiltrate..." wide
        $s6 = "[x] Execution finished, attempting to retrieve the results" wide
        $s7 = "[x] Finding existing snapshots for" wide
        $s8 = "[x] Output file deleted" wide
        $s9 = "[x] Output:" wide
        $s10 = "[x] Process started with PID" wide
        $s11 = "[x] Snapshot created successfully" wide
        $s12 = "[x] Zipping complete, download " wide
 	condition:
 		all of them
 }
	rule SharpSphere {
	meta:
	description = "Strings in SharpSphere binary."
	author = "Alfie Champion (ajpc500)"
	date = "2021-06-12"
	strings:
	$s0 = "SharpSphere" ascii wide
	$s1 = "Upload file to target VM" ascii wide
	$s2 = "Download file from target VM" ascii wide
	$s3 = "[x] Attempting to execute with cmd /c the following command:" wide
	$s4 = "[x] Creating snapshot for VM" wide
	$s5 = "[x] Download complete, zipping up so it's easier to exfiltrate..." wide
	$s6 = "[x] Execution finished, attempting to retrieve the results" wide
	$s7 = "[x] Finding existing snapshots for" wide
	$s8 = "[x] Output file deleted" wide
	$s9 = "[x] Output:" wide
	$s10 = "[x] Process started with PID" wide
	$s11 = "[x] Snapshot created successfully" wide
	$s12 = "[x] Zipping complete, download " wide
	condition:
	all of them
	}