17 lines
1.1 KiB
Plaintext
17 lines
1.1 KiB
Plaintext
|
|
rule Backdoor_Win32_Dokstormac_A{
|
|
meta:
|
|
description = "Backdoor:Win32/Dokstormac.A,SIGNATURE_TYPE_PEHSTR_EXT,34 00 31 00 07 00 00 14 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {00 7b 41 52 43 4f 4d 5f } //0a 00 笀剁佃彍
|
|
$a_01_1 = {56 00 69 00 64 00 65 00 6f 00 20 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 } //0a 00 Video Capture
|
|
$a_01_2 = {42 61 6e 6b 4c 61 62 65 6c 3d 25 73 0d 0a 43 61 70 61 63 69 74 79 3d 25 73 } //03 00
|
|
$a_01_3 = {42 6f 6f 74 75 70 53 74 61 74 65 3d 25 73 0d 0a 44 4e 53 48 6f 73 74 4e 61 6d 65 3d 25 73 } //03 00
|
|
$a_01_4 = {44 65 76 69 63 65 49 44 3d 25 73 0d 0a 45 73 74 69 6d 61 74 65 64 43 68 61 72 67 65 52 65 6d 61 69 6e 69 6e 67 3d 25 73 } //03 00 敄楶散䑉┽൳䔊瑳浩瑡摥桃牡敧敒慭湩湩㵧猥
|
|
$a_01_5 = {4d 65 6d 6f 72 79 54 79 70 65 3d 25 73 0d 0a 53 65 72 69 61 6c 4e 75 6d 62 65 72 3d 25 73 } //03 00 敍潭祲祔数┽൳匊牥慩乬浵敢㵲猥
|
|
$a_01_6 = {49 6e 65 74 43 70 6c 2e 63 70 6c 2c 43 6c 65 61 72 4d 79 54 72 61 63 6b 73 42 79 50 72 6f 63 65 73 73 20 33 32 } //00 00 InetCpl.cpl,ClearMyTracksByProcess 32
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |