DefenderYara/Backdoor/Win32/Bifrose/Backdoor_Win32_Bifrose_P.yar


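// Backdoor:Win32/Bifrose.P, converted from a Defender PEHSTR signature.
// All four strings are byte-exact excerpts of one specific build (fixed
// PE timestamp, section sizes, entry point), so this rule behaves like a
// structural fingerprint rather than a behavioural detection: a recompile,
// repack or even a relinked binary of the same family will not match.
// Expect low false-positive risk and very low coverage beyond this sample.
rule Backdoor_Win32_Bifrose_P
{
    meta:
        description = "Backdoor:Win32/Bifrose.P,SIGNATURE_TYPE_PEHSTR,04 00 04 00 04 00 00 "

    strings:
        // PE signature ("PE\0\0") plus the start of the COFF and optional
        // headers of a single build: Machine 0x014c (i386), 2 sections, a
        // fixed TimeDateStamp (0x46a5f876), optional header size 0xe0, PE32
        // magic, linker 6.0, SizeOfCode 0x6800, AddressOfEntryPoint 0x7719,
        // ImageBase 0x400000, SectionAlignment 0x1000, FileAlignment 0x200.
        $a_01_0 = {50 45 00 00 4c 01 02 00 76 f8 a5 46 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 30 00 00 00 00 00 00 19 77 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 b0 00 00 00 04 00 00 78 44 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f0 76 00 00 3c 00 00 00}

        // Opaque byte run from the sample body; it is not a decodable header
        // or printable string. Presumably code or encoded data -- treat as a
        // sample-specific anchor, not as a family-wide marker.
        $a_01_1 = {27 27 27 48 33 30 29 31 cc 0e 5f af b3 91 2b ba 4d 09 27 27 32 7f 27 27 27 ed 27 27 4d 2c 27 9b 02 c8 c9 b7 27 47 9a 5f 7a 26 26 26 26 76 6d 7b 7e 68 79 6c 83 74 90 8a 99 96 9a 96 8d 9b 83 68}

        // Section table: ".text" (VirtualSize 0x67f2, VA 0x1000, raw size
        // 0x6800, raw offset 0x400, Characteristics 0xe0000020) followed by
        // ".rsrc" (VirtualSize 0x2e30, VA 0x8000, raw size 0x3000, raw offset
        // 0x6c00, Characteristics 0x40000040). Consistent with $a_01_0
        // (SizeOfCode 0x6800, entry point inside .text).
        $a_01_2 = {2e 74 65 78 74 00 00 00 f2 67 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 73 72 63 00 00 00 30 2e 00 00 00 80 00 00 00 30 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40}

        // Second opaque byte run; same caveat as $a_01_1.
        $a_01_3 = {0a 8b 94 fe e5 5e bd 65 aa 4c 31 27 58 34 38 a3 6c ff 01 22 43 ba 3e 51 b7 6e 80 91 02 26 32 06 45 ef 81 1d e8 de 31 f8 10 a8 18 47 aa df 14 12 29 30 71 23 08 e6 ac 9c 8d 3c 48 b0 33 a9 67 64 2c a3 fd ea df ea d8 06 9c 19 e7 63 c5 93 78 df}

    condition:
        // The converted form was
        //   ((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1) >= 4
        // In YARA '#x' is the match COUNT, so '#x & 1' is the parity of that
        // count, not a presence test: a string found an even number of times
        // (e.g. a second embedded copy of the PE header in a dropper) zeroed
        // its weight and the rule silently missed. The header fields in the
        // description ("04 00 04 00 ...", which appear to encode a threshold
        // of 4 over four weight-1 strings) mean "every string present", which
        // is exactly `all of them`.
        all of them
}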