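// Backdoor:Win32/Ruperk.A — converted from a Microsoft Defender PEHSTR_EXT
// signature. The hex strings are kept byte-for-byte; the decoded text beside
// each one is for the reader only and does not affect matching.
rule Backdoor_Win32_Ruperk_A
{
    meta:
        // Original Defender signature header, kept verbatim. The trailing hex
        // fields are the engine's own encoding of the signature (thresholds /
        // string count) and are not interpreted by YARA.
        description = "Backdoor:Win32/Ruperk.A,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0d 00 06 00 00 "

    strings:
        // ASCII "superbk1.ru" + NUL. Weight 2 in the original scoring.
        // NOTE(review): presumably the C2 host — confirm against a sample.
        $a_01_0 = {73 75 70 65 72 62 6b 31 2e 72 75 00 }

        // ASCII "#nocmd" NUL NUL "#destruct" NUL — bot command keywords. Weight 1.
        $a_01_1 = {23 6e 6f 63 6d 64 00 00 23 64 65 73 74 72 75 63 74 00 }

        // ASCII "#run" followed by four NULs, then "#download" NUL. Weight 1.
        $a_01_2 = {23 72 75 6e 00 00 00 00 23 64 6f 77 6e 6c 6f 61 64 00 }

        // ASCII "#bot_id" NUL "#fail" NUL. Weight 1.
        $a_01_3 = {23 62 6f 74 5f 69 64 00 23 66 61 69 6c 00 }

        // UTF-16LE ".exe" NUL NUL "\Software\Microsoft\Windows\CurrentVersion\Run"
        // — the autostart Run key, i.e. registry persistence. Weight 1.
        $a_01_4 = {2e 00 65 00 78 00 65 00 00 00 00 00 5c 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 5c 00 52 00 75 00 6e 00 }

        // x86 code: add eax,1 / mov [ebp-10h],eax / jz ..., then a sequence of
        // push-args / call rel32 / add esp,N (caller-cleanup) calls around an
        // import call (ff 15 = call dword ptr [imm32]); each call's return in
        // [ebp-10h] is compared against 0 (83 7d f0 00) and branched on.
        // Call targets and pushed immediates are wildcarded. Weight 10.
        $a_03_5 = {83 c0 01 89 45 f0 74 57 6a 05 8d 4d e0 51 e8 ?? ?? ?? ?? 83 c4 08 8d 55 e0 52 68 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 89 45 f0 83 7d f0 00 74 31 68 ?? ?? ?? ?? 8d 45 e0 50 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 0c 89 45 f0 83 7d f0 00 74 12 68 }

    condition:
        // Original scoring: 2*A + B + C + D + E + 10*F >= 13, with every term
        // written as (#x & 1). In YARA "#x & 1" is the PARITY of the match
        // count, not a clamp to 0/1: a string present an even number of times
        // scored 0, so a sample could drop below the threshold simply by
        // carrying the string twice. Presence ($x) is what the weight was meant
        // to express, so the threshold is expanded into booleans:
        //   - $a_03_5 (10 pts) is mandatory — the five strings alone reach 6;
        //   - the remaining 3 pts come from $a_01_0 (2) plus any one other
        //     string, or from any three of the 1-pt strings.
        // Because the code pattern is mandatory, packed/obfuscated builds will
        // not match on strings alone. No MZ-header gate is added so that memory
        // and unpacked dumps keep matching as they did before.
        $a_03_5 and (
            ($a_01_0 and 1 of ($a_01_1, $a_01_2, $a_01_3, $a_01_4)) or
            3 of ($a_01_1, $a_01_2, $a_01_3, $a_01_4)
        )
}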