DefenderYara/TrojanClicker/Win32/Frosparf/TrojanClicker_Win32_Frospar...


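// TrojanClicker:Win32/Frosparf.G — converted from a Defender PEHSTR_EXT signature.
// All five strings below are required for a match.
//
// The original condition was written as
//   ((#a_01_0 & 1)*1 + ... + (#a_01_4 & 1)*1) >= 5
// `#a` is the occurrence count of the string, so `#a & 1` keeps only its low
// bit: a string that appears an even number of times (2, 4, ...) contributes 0
// and the rule silently fails on that sample. `all of them` (every string
// present at least once) is the presence check that the 5-of-5 threshold in
// the description field appears to intend.
rule TrojanClicker_Win32_Frosparf_G {
meta:
    description = "TrojanClicker:Win32/Frosparf.G,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 "
strings:
    // Same bytes as the original hex patterns: `wide` means UTF-16LE, which is
    // exactly what the `xx 00` byte pairs encoded. $a_01_0 stays narrow (ASCII)
    // only, as in the original; no `nocase`, so matching remains case-sensitive.
    $a_01_0 = "DblClick"
    $a_01_1 = "adf.ly" wide
    // The next two strings are the same table of Unicode code points, once in
    // decimal and once in hex (225 = U+00E1, 7843 = U+1EA3, 259 = U+0103, ...):
    // Latin a/ă/â with tone marks. Presumably a character table embedded in the
    // sample's own code — only the literal text is matched here.
    $a_01_2 = "225,224,7843,227,7841,259,7855,7857" wide
    $a_01_3 = "E1,E0,1EA3,E3,1EA1,E2,103,1EA5,1EA7,1EA9,1EAB,1EAD,1EAF,1EB1,1EB3,1EB5,1EB7,C1,C0" wide
    $a_01_4 = "patcher_cf2.exe" wide
condition:
    all of them
}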