
// Backdoor:Win32/InstantAccess, converted from a Defender PEHSTR_EXT signature.
// In the description header "04 00 04 00 04 00 00" the first 16-bit value equals the
// condition threshold (>=4) and the third equals the number of strings (4); the
// meaning of the second field is not visible here — presumably the maximum score,
// verify against the converter that produced this file.
rule Backdoor_Win32_InstantAccess{
meta:
description = "Backdoor:Win32/InstantAccess,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
strings :
$a_00_0 = {50 6f 72 74 20 68 61 73 20 62 65 65 6e 20 6f 70 65 6e 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e } //1 Port has been opened successfully.
$a_00_1 = {3c 68 74 6d 6c 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 } //1 <html><iframe src="
$a_02_2 = {65 67 61 63 63 65 73 73 [0-03] 2e 44 4c 4c } //1 "egaccess" + 0-3 wildcard bytes + ".DLL" (the byte(s) before "egaccess" are not pinned by the signature)
$a_00_3 = {49 6e 73 74 61 6e 74 41 63 63 65 73 73 00 4f 70 65 6e 41 63 63 65 73 73 00 65 63 6e 68 65 00 65 73 77 68 65 00 65 75 68 77 65 00 69 65 64 69 73 63 6f } //1 InstantAccess\0OpenAccess\0ecnhe\0eswhe\0euhwe\0iedisco — NUL-separated ASCII names (presumably an export-name table; the generator's original comment decoded these bytes as UTF-16, which is why it was unreadable)
condition:
// Every string weighs 1 and the threshold is 4, so all four strings must hit.
// NOTE(review): "#x & 1" is the match count bitwise-ANDed with 1, i.e. it is 1 only
// when the count is odd; a string that occurs an even number of times contributes 0
// and the file is missed. The Defender source presumably means presence (#x > 0) —
// confirm against the converter before relying on these rules for detection.
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_02_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}
// Backdoor:Win32/InstantAccess, second variant. Header "0b 00 0b 00 03 00 00": the
// first 16-bit value equals the condition threshold (>=11) and the third the number
// of strings (3); the second field's meaning is not visible here — verify against
// the converter.
rule Backdoor_Win32_InstantAccess_2{
meta:
description = "Backdoor:Win32/InstantAccess,SIGNATURE_TYPE_PEHSTR_EXT,0b 00 0b 00 03 00 00 "
strings :
$a_03_0 = {59 85 c0 59 0f 85 ?? ?? 00 00 8d 85 ?? ?? ff ff 68 ?? ?? ?? ?? 50 ff 15 ?? ?? 40 00 59 85 c0 59 0f 85 ?? ?? 00 00 ?? 8d 85 ?? ?? ff ff 56 50 e8 ?? ?? 00 00 83 c4 0c 8d 85 ?? ?? ff ff ?? 50 ff 15 ?? ?? 40 00 8d 85 ?? ?? ff ff 68 ?? ?? ?? ?? 50 ff 15 ?? ?? 40 00 } //10 x86 code fragment; read from the opcodes it looks like repeated "pop ecx; test eax,eax; pop ecx; jnz rel32; lea eax,[ebp-N]; push imm32; push eax; call dword ptr [0x0040xxxx]" with one "push esi; push eax; call rel32; add esp,0Ch" in between — not verified against a sample. The "40 00" high bytes pin the import table to a 0x0040xxxx image base, so a relocated image would not match.
$a_02_1 = {5c 45 78 65 44 69 61 6c 65 72 2e 65 78 65 [0-10] 65 78 65 64 69 61 6c 65 72 [0-10] 69 6e 73 74 61 6e 74 20 61 63 63 65 73 73 2e 65 78 65 } //1 \ExeDialer.exe [0-10] exedialer [0-10] instant access.exe
$a_02_2 = {5c 49 6e 73 74 61 6e 74 20 41 63 63 65 73 73 5c 43 65 6e 74 65 72 5c [0-10] 43 44 69 61 6c 65 72 45 58 45 44 6c 67 3a 3a 43 72 65 61 74 65 53 68 6f 72 74 43 75 74 28 29 } //1 \Instant Access\Center\ [0-10] CDialerEXEDlg::CreateShortCut()
condition:
// $a_03_0 weighs 10 against a threshold of 11: the code fragment is required, plus
// at least one of the two path/symbol strings.
// NOTE(review): "#x & 1" is 1 only when the match count is odd, so a string that
// occurs an even number of times contributes 0 — presumably meant as presence
// (#x > 0); confirm against the converter.
((#a_03_0 & 1)*10+(#a_02_1 & 1)*1+(#a_02_2 & 1)*1) >=11
}
// Backdoor:Win32/InstantAccess, third variant. Header "05 00 05 00 06 00 00": the
// first 16-bit value equals the condition threshold (>=5) and the third the number
// of strings (6); the second field's meaning is not visible here — verify against
// the converter.
rule Backdoor_Win32_InstantAccess_3{
meta:
description = "Backdoor:Win32/InstantAccess,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 06 00 00 "
strings :
$a_00_0 = {3c 64 65 73 63 72 69 70 74 69 6f 6e 3e 69 6e 73 74 61 6e 74 2d 61 63 65 73 73 3c 2f 64 65 73 63 72 69 70 74 69 6f 6e 3e } //1 <description>instant-acess</description> — manifest text; the "acess" spelling is in the signature bytes, keep it
$a_00_1 = {3c 72 65 71 75 65 73 74 65 64 45 78 65 63 75 74 69 6f 6e 4c 65 76 65 6c 20 6c 65 76 65 6c 3d 22 72 65 71 75 69 72 65 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 22 } //1 <requestedExecutionLevel level="requireAdministrator" — manifest text; common in benign installers, so it only contributes a weight of 1
$a_00_2 = {53 68 65 6c 6c 45 78 65 63 75 74 65 41 } //1 ShellExecuteA — generic import name, weight 1
$a_02_3 = {65 67 61 63 63 65 73 73 [0-03] 2e 44 4c 4c } //1 "egaccess" + 0-3 wildcard bytes + ".DLL" (same pattern as $a_02_2 in Backdoor_Win32_InstantAccess)
$a_02_4 = {49 6e 73 74 61 6e 74 41 63 63 65 73 73 [0-05] 4f 70 65 6e 41 63 63 65 73 73 [0-05] 52 65 67 69 73 74 65 72 45 58 45 [0-05] 65 63 6e 68 65 [0-05] 65 73 77 68 65 [0-05] 65 75 68 77 65 [0-05] 69 65 64 69 73 63 6f [0-05] 73 64 73 } //1 InstantAccess [0-5] OpenAccess [0-5] RegisterEXE [0-5] ecnhe [0-5] eswhe [0-5] euhwe [0-5] iedisco [0-5] sds — ASCII names with wildcard gaps (presumably an export-name table)
$a_02_5 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 [0-06] 49 00 6e 00 73 00 74 00 61 00 6e 00 74 00 20 00 41 00 63 00 63 00 65 00 73 00 73 00 2e 00 65 00 78 00 65 00 [0-10] 50 00 72 00 69 00 76 00 61 00 74 00 65 00 42 00 75 00 69 00 6c 00 64 00 [0-09] 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 [0-06] 41 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 [0-06] 49 00 6e 00 73 00 74 00 61 00 6e 00 74 00 20 00 41 00 63 00 63 00 65 00 73 00 73 00 } //5 UTF-16LE version-info strings: OriginalFilename [0-6] Instant Access.exe [0-10] PrivateBuild [0-9] ProductName [0-6] Application [0-6] Instant Access
condition:
// $a_02_5 weighs 5 against a threshold of 5, so the version-info block alone
// triggers this rule; without it, all five 1-weight strings are needed.
// NOTE(review): "#x & 1" is 1 only when the match count is odd, so a string that
// occurs an even number of times contributes 0 — presumably meant as presence
// (#x > 0); confirm against the converter.
((#a_00_0 & 1)*1+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_02_3 & 1)*1+(#a_02_4 & 1)*1+(#a_02_5 & 1)*5) >=5
}