re

0-day Yara

Punkty: 500
Rozwiązań: 11

One of researchers notified us about very dangerous 0-day malware. Unfortunately, we can't look at the sample, because analyst refused to provide one. After a short talk, he gave us an Yara rule, but again... only a compiled version of it.

Could you recover that rule to plaintext form? We've tried to do it on our own, but have been unsuccessful (the condition part looks very unusual).

Compiled Yara rules are version-dependent. That one was generated using Yara 3.7.1.

Hint: Yara rule conditions syntax allows to build very verbose and complicated rules. To evaluate them quickly, they're compiled to Yara bytecode (interpreter can be found here).

Format flagi: ecsc{litery_cyfry_i_znaki_specjalne}.

Aby wysłać flagę, musisz się zalogować.