20 lines
1.7 KiB
Plaintext
20 lines
1.7 KiB
Plaintext
|
|
rule Backdoor_Win32_Mayday_gen_A{
|
|
meta:
|
|
description = "Backdoor:Win32/Mayday.gen!A,SIGNATURE_TYPE_PEHSTR_EXT,08 00 08 00 0a 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {30 30 30 31 30 30 30 31 00 00 00 00 2e 65 78 65 00 00 00 00 77 6d 75 70 64 61 74 65 00 00 00 00 73 76 63 68 6f 73 74 00 34 2e 30 00 } //1
|
|
$a_01_1 = {45 6e 61 62 6c 65 64 00 44 69 73 61 62 6c 65 64 00 00 00 00 3a 2a 3a 00 00 00 00 00 53 59 53 54 45 4d 5c 43 75 72 72 65 6e 74 43 6f 6e 74 72 6f } //1
|
|
$a_01_2 = {45 63 68 6f 52 65 71 75 65 73 74 00 53 59 53 54 } //1 捅潨敒畱獥t奓呓
|
|
$a_01_3 = {4d 73 67 00 4c 69 73 74 00 00 00 00 4d 61 69 6c 00 00 00 00 67 75 69 64 00 00 00 00 66 69 6c 65 6e 61 6d 65 00 00 00 00 63 6f 6d 6d 61 6e 64 00 70 61 73 73 77 6f 72 64 00 00 00 00 64 6f 77 6e } //1
|
|
$a_01_4 = {75 70 64 61 74 65 00 00 6c 65 61 72 6e 00 00 00 6c 6f 67 00 67 65 74 6e 61 6d 65 00 6d 61 69 6c 73 74 61 74 2e 6c 6f 67 00 00 00 00 25 30 31 30 } //1
|
|
$a_01_5 = {7c 25 30 31 30 75 00 00 00 2e 63 6f 6d 00 00 00 00 2e 65 6d 6c 00 00 00 00 30 30 30 30 30 30 30 } //1
|
|
$a_01_6 = {57 4f 49 2e 62 69 7a 00 57 4c 42 2e 69 6e 66 6f } //1 佗⹉楢z䱗⹂湩潦
|
|
$a_01_7 = {49 6e 63 72 65 64 69 62 6c 65 44 61 74 65 73 2e 63 6f 6d 00 49 64 65 61 6c 4c 6f 76 65 72 2e 63 } //1
|
|
$a_01_8 = {53 65 6d 69 63 6f 6e 64 75 63 74 6f 72 73 2e 62 69 7a 00 00 53 63 65 6e 74 65 64 2e 62 69 7a } //1
|
|
$a_01_9 = {41 31 34 34 35 45 36 46 36 33 35 43 44 39 43 45 42 38 34 45 31 30 30 44 38 30 30 36 39 39 39 39 30 44 30 31 37 43 34 33 32 44 33 } //1 A1445E6F635CD9CEB84E100D800699990D017C432D3
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1+(#a_01_7 & 1)*1+(#a_01_8 & 1)*1+(#a_01_9 & 1)*1) >=8
|
|
|
|
} |