usualsuspect · April 21, 2026 13:18
diff --git a/zip_mod_filter.yara b/zip_mod_filter.yara
 rule zip_file_mod_filter
 {
    meta:
        author = "@jaydinbas"
        description = "Only match zips where every file has newer modification date than 2025-04-01"

    strings:
        $file_sig = "PK\x03\x04"    //zip header sig
        $entry_sig = "PK\x01\x02"   //central directory header

    condition:
        $file_sig at 0
        and for all i in (1..#entry_sig) :
        (
            //upper 7 bits are year since 1980
            ((uint16(@entry_sig[i]+0x0E) >> 9)+1980) >= 2025

            //middle 4 bits are month, 1 = January, ...
            and ((uint16(@entry_sig[i]+0x0E) >> 5) & 15) > 4

            //lower 5 bits are day of month
            and (uint16(@entry_sig[i]+0x0E) & 31) > 1
        )
 }
	rule zip_file_mod_filter
	{
	meta:
	author = "@jaydinbas"
	description = "Only match zips where every file has newer modification date than 2025-04-01"

	strings:
	$file_sig = "PK\x03\x04" //zip header sig
	$entry_sig = "PK\x01\x02" //central directory header

	condition:
	$file_sig at 0
	and for all i in (1..#entry_sig) :
	(
	//upper 7 bits are year since 1980
	((uint16(@entry_sig[i]+0x0E) >> 9)+1980) >= 2025

	//middle 4 bits are month, 1 = January, ...
	and ((uint16(@entry_sig[i]+0x0E) >> 5) & 15) > 4

	//lower 5 bits are day of month
	and (uint16(@entry_sig[i]+0x0E) & 31) > 1
	)
	}
No results found