14 lines
1.3 KiB
Plaintext
14 lines
1.3 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Donoff_BK{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Donoff.BK,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {50 72 69 76 61 74 65 20 46 75 6e 63 74 69 6f 6e 20 6f 52 73 45 72 53 33 6e 28 29 20 41 73 20 49 6e 74 65 67 65 72 90 0c 03 00 6f 52 73 45 72 53 33 6e 20 3d 20 31 35 30 20 2b 20 34 33 20 2b 20 31 20 2b 20 36 90 0c 03 00 45 6e 64 20 46 75 6e 63 74 69 6f 6e } //1
|
|
$a_02_1 = {65 33 37 6a 31 75 47 76 41 4f 3a 90 0c 03 00 47 32 58 6c 51 4d 61 20 3d 20 28 57 6d 4f 6e 48 66 20 2d 20 68 68 4e 37 45 36 61 49 29 20 2f 20 59 63 51 63 47 41 36 75 49 7a 31 35 55 28 47 52 6c 4f 56 61 68 39 4a 29 90 0c 03 00 4c 38 66 52 6c 77 45 68 77 53 54 49 5a 37 } //1
|
|
$a_02_2 = {65 33 37 6a 31 75 47 76 41 4f 3a 90 0c 03 00 77 56 70 74 4f 6c 20 3d 20 73 56 71 56 30 52 39 6d 59 20 26 20 70 35 49 77 72 52 55 4a 57 62 44 34 58 90 0c 03 00 45 6e 64 20 46 75 6e 63 74 69 6f 6e } //1
|
|
$a_00_3 = {6e 39 4d 66 76 50 36 6a 20 3d 20 4e 75 62 77 31 63 51 57 64 4e 54 69 59 69 20 2d 20 28 28 4e 75 62 77 31 63 51 57 64 4e 54 69 59 69 20 5c 20 6c 63 69 47 41 34 44 74 63 4d 4f 59 47 35 29 20 2a 20 6c 63 69 47 41 34 44 74 63 4d 4f 59 47 35 29 } //1 n9MfvP6j = Nubw1cQWdNTiYi - ((Nubw1cQWdNTiYi \ lciGA4DtcMOYG5) * lciGA4DtcMOYG5)
|
|
condition:
|
|
((#a_02_0 & 1)*1+(#a_02_1 & 1)*1+(#a_02_2 & 1)*1+(#a_00_3 & 1)*1) >=4
|
|
|
|
} |