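// Backdoor:Win32/Smadow.gen!A, converted from a Defender SIGNATURE_TYPE_PEHSTR_EXT record.
// The header kept in `description` ("05 00 05 00 08 00 00 02 00") is read here as:
// score threshold 5, 8 strings, first-string weight 2. The "//NN 00" trailer that the
// listing put after each string is the weight of the string that FOLLOWS it, so
// $a_03_0 and $a_03_1 weigh 2 and the six plain strings weigh 1 (assumption from the
// record layout; verify against the Defender format before relying on the threshold).
rule Backdoor_Win32_Smadow_gen_A
{
    meta:
        description = "Backdoor:Win32/Smadow.gen!A,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 08 00 00 02 00 "

    strings:
        // Code patterns (type 03 = pattern with wildcards). The original listing left the
        // Defender wildcard encoding as literal bytes: "90 01 NN" means NN wildcard bytes
        // and "90 00" terminates the pattern. YARA would have matched 0x90 0x01 0x01
        // literally, so these two patterns could never fire. Restored as "??" the bytes
        // decode as valid x86 command-dispatch code.
        //
        // "send" / je ?? / cmp dword [ebp+0Ch],"recv" / je ?? / int3 / jmp ?? /
        // cmp dword [ebp+??],0 / jne            (weight 2)
        $a_03_0 = { 73 65 6e 64 74 ?? 81 7d 0c 72 65 63 76 74 ?? cc eb ?? 83 7d ?? 00 75 }

        // cmp eax,"disc" / je rel32 / cmp eax,"send" / je rel32 / cmp eax,"cnct" / je ?? /
        // cmp eax,"recv" / je ?? / int3 / jmp rel32   (weight 2)
        $a_03_1 = { 3d 64 69 73 63 0f 84 ?? ?? 00 00 3d 73 65 6e 64 0f 84 ?? ?? 00 00 3d 63 6e 63 74 74 ?? 3d 72 65 63 76 74 ?? cc e9 }

        // Plain strings (type 00), each weight 1. The UTF-16LE byte sequences from the
        // listing are written as text with the `wide` modifier, which produces the same
        // bytes; the three ASCII ones keep the default `ascii` matching.
        $a_00_2 = "AD Network" wide
        $a_00_3 = "\\systemroot\\tmp\\bot.log" wide
        $a_00_4 = "\\??\\%s\\{217F200B-97B8-468d-AC3B-8577E112EEC1}.tlb" wide
        $a_00_5 = "%u:config_missing_or_corrupt"
        // NOTE(review): this is the stock User-Agent that Windows' own CryptoAPI client
        // emits, so on its own it is weak evidence of this backdoor.
        $a_00_6 = "User-Agent: Microsoft-CryptoAPI/%u.%u"
        $a_00_7 = "my key is %S, my version is %u"

    condition:
        // The listing's "any of ($a_*)" fired on a single string (including $a_00_6 above).
        // Instead require the weighted score >= 5 implied by the record header, enumerated
        // as the three ways to reach it: both code patterns + one string, one code pattern
        // + three strings, or five of the six plain strings. The MZ check scopes the rule
        // to PE files, matching the PEHSTR signature type.
        uint16(0) == 0x5A4D and
        (
            (all of ($a_03_*) and 1 of ($a_00_*)) or
            (1 of ($a_03_*) and 3 of ($a_00_*)) or
            (5 of ($a_00_*))
        )
}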