DefenderYara/DoS/Win32/WhisperGate/DoS_Win32_WhisperGate_M.yar


rule DoS_Win32_WhisperGate_M{
	meta:
		description = "DoS:Win32/WhisperGate.M,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 "
		
	strings :
		$a_01_0 = {63 6d 64 2e 65 78 65 20 2f 6d 69 6e 20 2f 43 20 70 69 6e 67 20 31 31 31 2e 31 31 31 2e 31 31 31 2e 31 31 31 } //2 cmd.exe /min /C ping 111.111.111.111
		$a_00_1 = {25 00 2e 00 2a 00 73 00 2e 00 25 00 78 00 00 00 77 00 62 00 } //2
		$a_01_2 = {89 c2 b9 00 00 10 00 b0 cc 89 d7 89 55 e0 f3 aa } //2
		$a_00_3 = {2e 00 56 00 42 00 53 00 00 00 2e 00 50 00 53 00 31 00 00 00 2e 00 42 00 41 00 54 00 00 00 2e 00 43 00 4d 00 44 00 } //1
		$a_00_4 = {2e 00 48 00 54 00 4d 00 4c 00 00 00 2e 00 48 00 54 00 4d 00 00 00 2e 00 53 00 48 00 54 00 4d 00 4c 00 00 00 2e 00 58 00 48 00 54 00 4d 00 4c 00 } //1
	condition:
		((#a_01_0  & 1)*2+(#a_00_1  & 1)*2+(#a_01_2  & 1)*2+(#a_00_3  & 1)*1+(#a_00_4  & 1)*1) >=7
 
}
init 2024-02-05 06:12:47 -08:00
			`rule DoS_Win32_WhisperGate_M{`
			`meta:`
fix condition 2024-07-06 23:13:08 -07:00			`description = "DoS:Win32/WhisperGate.M,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 "`
init 2024-02-05 06:12:47 -08:00
			`strings :`
fix condition 2024-07-06 23:13:08 -07:00			`$a_01_0 = {63 6d 64 2e 65 78 65 20 2f 6d 69 6e 20 2f 43 20 70 69 6e 67 20 31 31 31 2e 31 31 31 2e 31 31 31 2e 31 31 31 } //2 cmd.exe /min /C ping 111.111.111.111`
			`$a_00_1 = {25 00 2e 00 2a 00 73 00 2e 00 25 00 78 00 00 00 77 00 62 00 } //2`
			`$a_01_2 = {89 c2 b9 00 00 10 00 b0 cc 89 d7 89 55 e0 f3 aa } //2`
			`$a_00_3 = {2e 00 56 00 42 00 53 00 00 00 2e 00 50 00 53 00 31 00 00 00 2e 00 42 00 41 00 54 00 00 00 2e 00 43 00 4d 00 44 00 } //1`
			`$a_00_4 = {2e 00 48 00 54 00 4d 00 4c 00 00 00 2e 00 48 00 54 00 4d 00 00 00 2e 00 53 00 48 00 54 00 4d 00 4c 00 00 00 2e 00 58 00 48 00 54 00 4d 00 4c 00 } //1`
init 2024-02-05 06:12:47 -08:00			`condition:`
fix condition 2024-07-06 23:13:08 -07:00			`((#a_01_0 & 1)2+(#a_00_1 & 1)2+(#a_01_2 & 1)2+(#a_00_3 & 1)1+(#a_00_4 & 1)*1) >=7`
init 2024-02-05 06:12:47 -08:00
			`}`