2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
rule Trojan_O97M_JsDropper_A{
|
|
|
|
|
meta:
|
2024-07-06 23:13:08 -07:00
|
|
|
description = "Trojan:O97M/JsDropper.A,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 09 00 00 "
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
strings :
|
2024-07-06 23:13:08 -07:00
|
|
|
$a_00_0 = {22 22 20 26 20 43 68 72 28 38 33 29 20 26 20 22 68 65 22 20 26 20 22 6c 22 20 26 20 43 68 72 28 31 30 38 29 } //1 "" & Chr(83) & "he" & "l" & Chr(108)
|
|
|
|
|
$a_00_1 = {22 22 20 26 20 43 68 72 28 38 30 20 2b 20 33 29 20 26 20 22 68 65 22 20 26 20 22 6c 22 20 26 20 43 68 72 28 31 30 30 20 2b 20 38 29 } //1 "" & Chr(80 + 3) & "he" & "l" & Chr(100 + 8)
|
|
|
|
|
$a_00_2 = {43 68 72 28 33 32 29 20 26 20 22 2f 22 20 26 20 43 68 72 28 31 30 31 29 20 26 20 22 3a 22 } //1 Chr(32) & "/" & Chr(101) & ":"
|
|
|
|
|
$a_00_3 = {43 68 72 28 33 30 20 2b 20 32 29 20 26 20 22 2f 22 20 26 20 43 68 72 28 31 30 30 20 2b 20 31 29 20 26 20 22 3a 22 } //1 Chr(30 + 2) & "/" & Chr(100 + 1) & ":"
|
2024-07-09 05:28:14 -07:00
|
|
|
$a_02_4 = {43 68 72 28 [0-0b] 29 20 26 20 43 68 72 28 [0-0b] 29 20 26 20 22 72 22 20 26 20 22 69 70 22 20 26 20 22 74 22 } //1
|
|
|
|
|
$a_02_5 = {43 68 72 28 [0-0b] 29 20 26 20 43 68 72 28 [0-0b] 29 20 26 20 22 72 22 20 26 20 22 69 70 74 22 } //1
|
2024-07-06 23:13:08 -07:00
|
|
|
$a_00_6 = {22 70 70 6c 69 22 20 26 20 43 68 72 28 90 02 08 29 20 26 20 22 61 74 69 6f 6e 22 } //1
|
2024-07-09 05:28:14 -07:00
|
|
|
$a_02_7 = {26 20 22 70 70 22 20 26 20 22 6c 69 22 20 26 20 43 68 72 28 [0-0c] 29 20 26 20 22 61 74 22 20 26 20 22 69 6f 6e 22 } //1
|
|
|
|
|
$a_02_8 = {22 45 78 65 22 20 26 20 43 68 72 28 [0-0f] 29 20 26 20 22 75 22 20 26 20 22 74 22 20 26 20 43 68 72 28 } //1
|
2024-02-05 06:12:47 -08:00
|
|
|
condition:
|
2024-07-06 23:13:08 -07:00
|
|
|
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_02_4 & 1)*1+(#a_02_5 & 1)*1+(#a_00_6 & 1)*1+(#a_02_7 & 1)*1+(#a_02_8 & 1)*1) >=3
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
}
|
