From d28f594a27a5a5bffbe04a5801a1a295038a3e46 Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Wed, 23 Sep 2020 09:44:21 +0200
Subject: [PATCH 1/2] Added YARA rule for Install Creator
---
 .../yara_patterns/tools/pe/x86/installers.yara | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index affbcd4ed..902cb7796 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@@ -112,6 +112,21 @@ rule ghost_installer {
 all of them
 }
 
+rule install_creator {
+ meta:
+ tool = "I"
+ name = "InstallCreator"
+ strings:
+ $s01 = { 77 77 67 54 29 48 }
+ condition:
+ pe.number_of_sections == 3 and
+ pe.sections[0].name == "UPX0" and
+ pe.sections[1].name == "UPX1" and
+ pe.overlay.offset != 0 and
+ pe.overlay.size != 0 and
+ $s01 at pe.overlay.offset
+}
+
 rule kgb_sfx {
 meta:
 tool = "I"
From c169915189c10f58b5d9e7d2081d5ff83e71fbdb Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Wed, 23 Sep 2020 15:48:11 +0200
Subject: [PATCH 2/2] Added YARA rule for missing NSIS installers
---
 .../yara_patterns/tools/pe/x86/installers.yara | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/support/yara_patterns/tools/pe/x86/installers.yara b/support/yara_patterns/tools/pe/x86/installers.yara
index 902cb7796..6550a845d 100644
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
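Review bot: The 6-byte marker `77 77 67 54 29 48` in `$s01` of `install_creator` is undocumented, and since the whole match rests on it being the first bytes of the overlay, a maintainer cannot verify or update it; add a comment such as `// 6-byte marker found at the start of the Install Creator overlay data (note which Install Creator versions this was verified against)`. The `UPX0`/`UPX1` section-name checks together with `pe.number_of_sections == 3` tie the rule to the UPX-packed stub layout exactly as shipped, so a stub whose packer sections were renamed or that was unpacked would not be identified; if that is a deliberate scope choice, stating it in a comment above the condition makes it read as intended rather than as an oversight. Whether the other rules in this file carry a `pattern` or version meta entry is outside the hunk, but if they do, this rule should follow the same convention.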
@@ -656,6 +656,24 @@ rule nsis_1xx_pimp {
 $1 at pe.entry_point
 }
 
+rule nsis_overlay_data {
+ meta:
+ tool = "I"
+ name = "Nullsoft Install System"
+ strings:
+ $s01 = { EF BE AD DE 6E 73 69 73 69 6E 73 74 61 6C 6C 00 }
+ $s02 = { ED BE AD DE 4E 75 6C 6C 53 6F 66 74 49 6E 73 74 }
+ $s03 = { 0? 00 00 00 EF BE AD DE 4E 75 6C 6C (53|73) 6F 66 74 49 6E 73 74 }
+ condition:
+ pe.number_of_sections > 3 and
+ pe.overlay.size != 0 and
+ (
+ @s01 >= pe.overlay.offset or
+ @s02 >= pe.overlay.offset or
+ @s03 >= pe.overlay.offset
+ )
+}
+
 rule nsis_13x_pimp {
 meta:
 tool = "I"
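Review bot: `@s01 >= pe.overlay.offset` (and the `@s02`/`@s03` lines) tests only the offset of the first match of each string, so if the same magic also occurs before the overlay — an NSIS stub carries the marker in its code in order to locate its own data, which is plausible here but should be confirmed against a sample — the first match lands in the stub and the condition is false even though the overlay does contain it. Rewriting the three lines as `$s01 in (pe.overlay.offset..filesize) or`, `$s02 in (pe.overlay.offset..filesize) or`, `$s03 in (pe.overlay.offset..filesize)` matches any occurrence inside the overlay and keeps the intent of the `>=` comparison. Separately, `$s02` opens with `ED BE AD DE` while `$s01` and `$s03` open with `EF BE AD DE`; if the differing first byte is intentional for an older NSIS header, a comment naming that variant would prevent a future "fix", and if it is not, it is a typo that silently disables `$s02`. A one-line comment per string stating which NSIS generation it covers (e.g. `// NSIS 1.x "nsisinstall" header`) would also help the next maintainer.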