qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/Backdoor/Win32/Obfp/Backdoor_Win32_Obfp_A.yar

23 lines
2.9 KiB
Plaintext
Raw Permalink Blame History

rule Backdoor_Win32_Obfp_A{
meta:
description = "Backdoor:Win32/Obfp.A,SIGNATURE_TYPE_PEHSTR_EXT,19 10 18 10 0d 00 00 "
strings :
$a_00_0 = {43 72 79 70 74 41 63 71 75 69 72 65 43 6f 6e 74 65 78 74 41 } //1000 CryptAcquireContextA
$a_00_1 = {43 72 79 70 74 43 72 65 61 74 65 48 61 73 68 } //1000 CryptCreateHash
$a_00_2 = {43 72 79 70 74 44 65 72 69 76 65 4b 65 79 } //1000 CryptDeriveKey
$a_00_3 = {43 6c 69 65 6e 74 54 6f 53 63 72 65 65 6e } //1000 ClientToScreen
$a_00_4 = {00 33 c0 89 08 50 45 43 32 00 } //1
$a_00_5 = {50 45 43 32 44 62 67 4d 73 67 3a } //1 PEC2DbgMsg:
$a_02_6 = {55 8b ec 81 ec ?? ?? 00 00 56 83 a5 58 fd ff ff 00 83 a5 88 fd ff ff 00 83 a5 5c fd ff ff 00 83 a5 ?? ?? ff ff 00 83 65 bc 00 c6 45 d4 75 c6 45 d5 73 c6 45 d6 65 c6 45 d7 72 c6 45 d8 33 c6 45 d9 32 c6 45 da 2e c6 45 db 64 c6 45 dc 6c c6 45 dd 6c c6 45 de 00 c6 85 ?? ?? ff ff 4d c6 85 ?? ?? ff ff 65 c6 85 ?? ?? ff ff 73 c6 85 ?? ?? ff ff 73 c6 85 ?? ?? ff ff 61 c6 85 ?? ?? ff ff 67 c6 85 ?? ?? ff ff 65 c6 85 ?? ?? ff ff 42 c6 85 ?? ?? ff ff 6f c6 85 ?? ?? ff ff 78 c6 85 ?? ?? ff ff 41 c6 85 ?? ?? ff ff 00 } //70
$a_00_7 = {c6 85 60 fd ff ff 6b c6 85 61 fd ff ff 65 c6 85 62 fd ff ff 72 c6 85 63 fd ff ff 6e c6 85 64 fd ff ff 65 c6 85 65 fd ff ff 6c c6 85 66 fd ff ff 33 c6 85 67 fd ff ff 32 c6 85 68 fd ff ff 2e c6 85 69 fd ff ff 64 c6 85 6a fd ff ff 6c c6 85 6b fd ff ff 6c c6 85 6c fd ff ff 00 } //30
$a_02_8 = {53 33 db 56 57 89 5c 24 ?? 89 5c 24 ?? 89 5c 24 ?? 89 5c 24 ?? c6 44 24 ?? 75 c6 44 24 ?? 73 c6 44 24 ?? 65 c6 44 24 ?? 72 c6 44 24 ?? 33 c6 44 24 ?? 32 c6 44 24 ?? 2e c6 44 24 ?? 64 c6 44 24 ?? 6c c6 44 24 ?? 6c 88 5c 24 ?? c6 84 24 ?? 00 00 00 6b c6 84 24 ?? 00 00 00 65 c6 84 24 ?? 00 00 00 72 c6 84 24 ?? 00 00 00 6e c6 84 24 ?? 00 00 00 65 c6 84 24 ?? 00 00 00 6c c6 84 24 ?? 00 00 00 33 c6 84 24 ?? 00 00 00 32 c6 84 24 ?? 00 00 00 2e c6 84 24 ?? 00 00 00 64 c6 84 24 ?? 00 00 00 6c c6 84 24 ?? 00 00 00 6c 88 9c 24 ?? 00 00 00 } //100
$a_02_9 = {53 33 db 56 57 89 5d ?? 89 5d ?? 89 5d ?? 89 5d ?? c6 45 ?? 75 c6 45 ?? 73 c6 45 ?? 65 c6 45 ?? 72 c6 45 ?? 33 c6 45 ?? 32 c6 45 ?? 2e c6 45 ?? 64 c6 45 ?? 6c c6 45 ?? 6c 88 5d ?? c6 45 ?? 6b c6 45 ?? 65 c6 45 ?? 72 c6 45 ?? 6e c6 45 ?? 65 c6 45 ?? 6c c6 45 ?? 33 c6 45 ?? 32 c6 45 ?? 2e c6 45 ?? 64 c6 45 ?? 6c c6 45 ?? 6c 88 5d } //100
$a_02_10 = {50 6a 01 ff b5 5c fd ff ff 68 01 66 00 00 ff b5 58 fd ff ff ff 95 ?? ?? ff ff 85 c0 75 0a e9 ?? ?? 00 00 } //20
$a_02_11 = {50 6a 01 ff 74 24 ?? 68 01 66 00 00 ff 74 24 ?? ff 94 ?? ?? ?? 00 00 85 c0 0f 84 ?? ?? 00 00 } //20
$a_02_12 = {50 6a 01 ff 75 ?? 68 01 66 00 00 ff 75 ?? ff 95 ?? ?? ff ff 85 c0 0f 84 ?? ?? 00 00 } //20
condition:
((#a_00_0 & 1)*1000+(#a_00_1 & 1)*1000+(#a_00_2 & 1)*1000+(#a_00_3 & 1)*1000+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_02_6 & 1)*70+(#a_00_7 & 1)*30+(#a_02_8 & 1)*100+(#a_02_9 & 1)*100+(#a_02_10 & 1)*20+(#a_02_11 & 1)*20+(#a_02_12 & 1)*20) >=4120
}
Reference in New Issue View Git Blame Copy Permalink