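/*
  Flags files containing all three byte patterns of the signature that the
  description string labels Backdoor:Win32/Dawkhu.A (SIGNATURE_TYPE_PEHSTR_EXT).

  The description keeps the source signature header verbatim. Each pattern
  carries a weight of 1 (the trailing "//1"), and the original condition
  required a total of 3, so every pattern must be present.

  The condition was previously written as
      ((#a_03_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1) >=3
  "#x & 1" is the low bit of the occurrence count, not a presence flag.
  A pattern occurring an even number of times contributed 0, so the rule
  missed the file. Presence is now tested directly.

  NOTE(review): the rule has no file-type guard. The signature type suggests
  PE input only; confirm before adding one.
*/
rule Backdoor_Win32_Dawkhu_A{
	meta:
		description = "Backdoor:Win32/Dawkhu.A,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 03 00 00 "

	strings :
		// "c6 44 24 ?? XX" is x86 "mov byte ptr [esp+disp8], XX"; the wildcard
		// is the stack offset. The immediates spell "/shut\r\n" written one
		// byte at a time. The leading 2f ('/') is presumably the immediate of
		// a store whose opcode bytes lie just before the pattern.
		$a_03_0 = {2f c6 44 24 ?? 73 c6 44 24 ?? 68 c6 44 24 ?? 75 c6 44 24 ?? 74 c6 44 24 ?? 0d c6 44 24 ?? 0a } // weight 1

		// Run of word/dword stores to offsets of the form ?? 01 00 00, with
		// "xor eax, eax" and "and esi, 0xffff" in between. The final store's
		// immediate is cut off at the end of the pattern.
		$a_03_1 = {66 89 b4 24 ?? 01 00 00 33 c0 81 e6 ff ff 00 00 c7 84 ?? ?? 01 00 00 ?? ?? ?? ?? 89 94 ?? ?? 01 00 00 66 c7 84 24 ?? 01 00 00 } // weight 1

		// Same byte-at-a-time store idiom as $a_03_0; the immediates spell
		// "-0=Open".
		$a_03_2 = {2d c6 44 24 ?? 30 c6 44 24 ?? 3d c6 44 24 ?? 4f c6 44 24 ?? 70 c6 44 24 ?? 65 c6 44 24 ?? 6e } // weight 1

	condition:
		// Three patterns of weight 1 against a threshold of 3: all required.
		$a_03_0 and $a_03_1 and $a_03_2
}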