2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
rule TrojanClicker_Win32_Zirit_J{
|
|
|
|
|
meta:
|
2024-07-06 23:13:08 -07:00
|
|
|
description = "TrojanClicker:Win32/Zirit.J,SIGNATURE_TYPE_PEHSTR_EXT,05 00 04 00 06 00 00 "
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
strings :
|
2024-07-06 23:13:08 -07:00
|
|
|
$a_01_0 = {83 c4 08 8b d8 ff 15 58 d0 00 10 50 8d 4c 24 74 68 2c f2 00 10 } //1
|
|
|
|
|
$a_01_1 = {76 33 2e 6d 61 69 6e 66 65 65 64 68 65 72 65 2e 63 6f 6d 00 65 78 65 63 00 00 00 00 63 6c 69 63 6b 73 00 00 75 72 6c 00 64 6e 73 } //1
|
|
|
|
|
$a_00_2 = {25 6c 64 2e 65 78 65 } //1 %ld.exe
|
|
|
|
|
$a_00_3 = {70 69 64 3d 25 73 26 73 3d 25 73 26 76 3d 31 31 26 75 73 65 72 3d 25 73 26 64 61 74 65 3d 25 73 26 71 3d 25 73 } //1 pid=%s&s=%s&v=11&user=%s&date=%s&q=%s
|
|
|
|
|
$a_00_4 = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 53 68 65 6c 6c 53 65 72 76 69 63 65 4f 62 6a 65 63 74 44 65 6c 61 79 4c 6f 61 64 } //1 SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
|
2024-07-09 05:28:14 -07:00
|
|
|
$a_02_5 = {8b f0 83 fe ff 74 ?? 8d 44 24 10 50 56 ff 15 ?? ?? ?? 10 [0-02] 83 c0 da [0-02] 50 56 ff 15 ?? ?? ?? 10 8d 4c 24 0c [0-02] 51 6a 26 68 ?? ?? ?? 10 56 ff 15 ?? ?? ?? 10 } //1
|
2024-02-05 06:12:47 -08:00
|
|
|
condition:
|
2024-07-06 23:13:08 -07:00
|
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_02_5 & 1)*1) >=4
|
2024-02-05 06:12:47 -08:00
|
|
|
|
|
|
|
|
}
|
