17 lines
1.3 KiB
Plaintext
17 lines
1.3 KiB
Plaintext
|
|
rule SoftwareBundler_Win32_Drefsint{
|
|
meta:
|
|
description = "SoftwareBundler:Win32/Drefsint,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 07 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {5c 4d 4d 2d 6c 69 61 6f 39 37 32 38 2e 65 78 65 00 } //1
|
|
$a_01_1 = {5c 64 72 65 61 6d 5c 31 2e 62 61 74 00 } //1
|
|
$a_01_2 = {29 20 64 6f 20 72 64 20 2f 73 2f 71 20 22 25 61 70 70 64 61 74 61 25 5c 25 25 61 22 20 3e 6e 75 6c 20 32 3e 6e 75 6c } //1 ) do rd /s/q "%appdata%\%%a" >nul 2>nul
|
|
$a_01_3 = {29 20 64 6f 20 72 65 67 20 64 65 6c 65 74 65 20 25 25 61 5c 25 25 62 20 2f 76 61 20 2f 66 20 3e 6e 75 6c 20 32 3e 6e 75 6c } //1 ) do reg delete %%a\%%b /va /f >nul 2>nul
|
|
$a_01_4 = {5c 55 6e 69 6e 73 74 61 6c 6c 5c 00 4e 56 49 44 49 41 00 57 69 6e 64 6f 77 73 00 4d 69 63 72 6f 73 6f 66 74 } //1 啜楮獮慴汬\噎䑉䅉圀湩潤獷䴀捩潲潳瑦
|
|
$a_01_5 = {31 38 30 2e 31 35 33 2e 31 34 37 2e 37 33 2f 66 73 69 6e 74 66 2f 63 39 66 32 35 34 39 66 63 65 31 38 66 34 64 63 34 61 65 31 33 64 36 61 36 35 32 37 64 39 63 34 65 2f } //1 180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/
|
|
$a_01_6 = {63 6e 72 64 6e 2e 63 6f 6d 2f 72 64 2e 68 74 6d 3f 69 64 3d } //1 cnrdn.com/rd.htm?id=
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1+(#a_01_5 & 1)*1+(#a_01_6 & 1)*1) >=7
|
|
|
|
} |