13 lines
803 B
Plaintext
13 lines
803 B
Plaintext
|
|
rule Ransom_O97M_Poshkod_gen_B{
|
|
meta:
|
|
description = "Ransom:O97M/Poshkod.gen!B,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 03 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {41 46 4d 41 61 51 42 73 41 47 55 41 62 67 42 30 41 47 77 41 65 51 42 44 41 47 38 41 62 67 42 30 41 47 6b 41 62 67 42 31 41 47 55 41 4a } //1 AFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJ
|
|
$a_01_1 = {41 47 6b 41 62 41 42 6c 41 47 34 41 64 41 42 73 41 48 6b 41 51 77 42 76 41 47 34 41 64 41 42 70 41 47 34 41 64 51 42 6c 41 43 } //1 AGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlAC
|
|
$a_01_2 = {55 77 42 70 41 47 77 41 5a 51 42 75 41 48 51 41 62 41 42 35 41 45 4d 41 62 77 42 75 41 48 51 41 61 51 42 75 41 48 55 41 5a 51 41 } //1 UwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQA
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1) >=1
|
|
|
|
} |