ÿØÿàJFIFÿþ ÿÛC       ÿÛC ÿÀÿÄÿÄ"#QrÿÄÿÄ&1!A"2qQaáÿÚ ?Øy,æ/3JæݹÈ߲؋5êXw²±ÉyˆR”¾I0ó2—PI¾IÌÚiMö¯–þrìN&"KgX:Šíµ•nTJnLK„…@!‰-ý ùúmë;ºgµŒ&ó±hw’¯Õ@”Ü— 9ñ-ë.²1<yà‚¹ïQÐU„ہ?.’¦èûbß±©Ö«Âw*VŒ) `$‰bØԟ’ëXÖ-ËTÜíGÚ3ð«g Ÿ§¯—Jx„–’U/ÂÅv_s(Hÿ@TñJÑãõçn­‚!ÈgfbÓc­:él[ðQe 9ÀPLbÃãCµm[5¿ç'ªjglå‡Ûí_§Úõl-;"PkÞÞÁQâ¼_Ñ^¢SŸx?"¸¦ùY騐ÒOÈ q’`~~ÚtËU¹CڒêV  I1Áß_ÿÙ// import "math" include "webshells.yara" /*private global rule size_limit { condition: filesize < 1MB } private rule is_php { strings: $str = /<\?(php|\s)/ condition: (filesize < 1MB) and $str } private rule php_keywords_rate { strings: $keyword = /\b(this|if|return|function|else|array|false|true)\b/ condition: is_php and math.divide(#keyword, filesize) > 0.001 } rule php_packed { strings: $func1 = /base64_decode\s*\(/ $func2 = /eval\s*\(/ $func3 = /\$[a-zA-Z0-9_]+\(/ condition: is_php and (($func1 and $func2) or $func3) and (math.entropy(0, filesize) >= 5.00) and not php_keywords_rate //5.81 } *./