DefenderYara/Exploit/iPhoneOS/Kappotoma/Exploit_iPhoneOS_Kappotoma_...


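rule Exploit_iPhoneOS_Kappotoma_D{
	// Flags files that contain at least two of four plain-ASCII marker strings.
	// The markers are a symbol name, a hostname, an exploit identifier and a
	// source-file name; going by the names they point at iOS jailbreak tooling
	// (NOTE(review): inferred from the strings only, confirm against a sample).
	//
	// Triage notes for analysts:
	//  - Each marker alone is weak. "JailbreakViewController.m" and
	//    "_set_exploit_strategy" are generic names, so a hit on just those two
	//    deserves a manual look before it is treated as confirmed.
	//  - The description names SIGNATURE_TYPE_MACHOHSTR_EXT, which suggests the
	//    original signature was scoped to Mach-O files. This rule has no
	//    file-type check, so it also fires on any text that carries the
	//    strings: write-ups, source trees, or this rule file itself, whose
	//    trailing comments contain the ASCII form of every marker.
	//    Add a Mach-O header check if you only scan extracted binaries.
	//  - Matching is case-sensitive and ASCII-only (no nocase / wide).
	meta:
		description = "Exploit:iPhoneOS/Kappotoma.D,SIGNATURE_TYPE_MACHOHSTR_EXT,02 00 02 00 04 00 00 "
	strings:
		// Each marker carries weight 1 (the "//1" in the original listing).
		$a_00_0 = {5f 73 65 74 5f 65 78 70 6c 6f 69 74 5f 73 74 72 61 74 65 67 79 } //1 _set_exploit_strategy
		$a_00_1 = {63 79 64 69 61 2e 7a 6f 64 74 74 64 2e 63 6f 6d } //1 cydia.zodttd.com
		$a_00_2 = {6d 61 63 68 73 77 61 70 32 5f 65 78 70 6c 6f 69 74 } //1 machswap2_exploit
		$a_00_3 = {4a 61 69 6c 62 72 65 61 6b 56 69 65 77 43 6f 6e 74 72 6f 6c 6c 65 72 2e 6d } //1 JailbreakViewController.m
	condition:
		// The earlier form summed (#s & 1) per string. That is the parity of the
		// occurrence count, not presence: a marker found an even number of times
		// contributed 0 and the file could slip under the threshold. With all
		// weights equal to 1 and a threshold of 2, "2 of" expresses the intended
		// check and matches every file the parity form matched.
		2 of ($a_00_*)
}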