qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/Backdoor/Win32/Nucleroot/Backdoor_Win32_Nucleroot_ge...

21 lines
2.5 KiB
Plaintext
Raw Permalink Blame History

rule Backdoor_Win32_Nucleroot_gen_A{
meta:
description = "Backdoor:Win32/Nucleroot.gen!A,SIGNATURE_TYPE_PEHSTR_EXT,06 00 05 00 0b 00 00 02 00 "
strings :
$a_00_0 = {64 33 32 31 00 00 00 00 20 2d 39 20 72 6f 6f 74 6b 69 74 2e 65 78 65 00 75 70 78 2e 65 78 65 00 ff ff ff ff 13 00 00 00 4e 75 63 6c 65 61 72 20 52 6f 6f 74 6b 69 74 20 31 2e 30 00 } //01 00
$a_00_1 = {57 61 72 6e 69 6e 67 20 21 21 21 00 ff ff ff ff 29 00 00 00 54 68 65 20 52 6f 6f 74 6b 69 74 20 69 73 20 52 75 6e 6e 69 6e 67 20 6f 6e 20 59 6f 75 72 20 53 79 73 74 65 6d } //01 00
$a_00_2 = {43 6f 6e 6e 65 63 74 69 6f 6e 20 48 69 64 65 00 ff ff ff ff 49 00 00 00 41 64 64 20 74 68 65 20 50 6f 72 74 20 2f 20 50 72 6f 74 6f 63 6f 6c 20 74 6f 20 48 69 64 65 20 74 68 65 20 43 6f 6e 6e 65 63 74 69 6f 6e 20 4f 6e 2f 74 68 72 6f 75 67 68 20 69 74 20 46 72 6f 6d 20 4e 65 74 73 74 61 74 } //01 00
$a_00_3 = {50 72 6f 63 65 73 73 20 48 69 64 65 00 00 00 00 ff ff ff ff 2b 00 00 00 41 64 64 20 54 68 65 20 50 72 6f 63 65 73 73 20 6e 61 6d 65 20 79 6f 75 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 6f 20 } //01 00
$a_00_4 = {46 69 6c 65 73 20 2f 20 44 69 72 73 20 20 48 69 64 65 00 00 ff ff ff ff 25 00 00 00 41 64 64 20 74 68 65 20 46 69 6c 65 20 6f 72 20 74 68 65 20 44 69 72 65 63 74 6f 72 79 20 74 6f 20 48 69 64 65 } //02 00
$a_00_5 = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e 00 00 00 ff ff ff ff 07 00 00 00 73 68 69 74 62 69 74 } //02 00
$a_00_6 = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 00 00 00 63 3a 5c 77 6f 6f 74 2e 77 69 6e 6b } //02 00
$a_00_7 = {72 6f 6f 74 6b 69 74 2e 65 78 65 } //02 00 rootkit.exe
$a_00_8 = {08 00 00 00 6e 6b 69 74 2e 64 6c 6c } //01 00
$a_01_9 = {73 76 63 68 6f 73 3b 73 6d 76 73 3b 73 6d 76 73 31 3b 79 69 6e 67 63 61 6e 67 3b 79 69 6e 67 63 61 6e 67 31 3b 66 75 6a 69 61 } //01 00 svchos;smvs;smvs1;yingcang;yingcang1;fujia
$a_01_10 = {46 79 67 54 43 6c 65 61 6e 65 72 2e 65 78 65 3b 54 72 6f 6a 61 6e 77 61 6c 6c 2e 65 78 65 3b 69 70 61 72 6d 6f 72 2e 65 78 65 3b 6d 6d 73 6b 2e 65 78 65 3b 61 64 61 6d 2e 65 78 65 3b 49 63 65 53 77 6f 72 64 2e 65 78 65 3b 53 74 61 72 74 55 70 4d 61 6e 61 67 65 72 2e 65 78 65 3b 52 6d 76 54 72 6a 61 6e 2e 65 78 65 3b 50 72 6f 63 65 73 73 4a 75 64 67 65 72 } //00 00 FygTCleaner.exe;Trojanwall.exe;iparmor.exe;mmsk.exe;adam.exe;IceSword.exe;StartUpManager.exe;RmvTrjan.exe;ProcessJudger
condition:
any of ($a_*)
}
Reference in New Issue View Git Blame Copy Permalink