
// TrojanDownloader:O97M/Donoff.DS -- an Office (VBA) macro downloader signature.
// What the visible strings show: a module whose VB_Name is "mode", a Shell call
// inside an `if ... = "" then` block, an AutoOpen entry point, a read of
// ActiveDocument.DefaultTableStyle, and a set of assignments of short string
// fragments ("cm", "cmd", "/c", "ht", "htt", "//", "dow", ".ex", "xe", "exe",
// "e'\"\"" ...). The fragments are consistent with a `cmd /c ... http://... .exe`
// command line being assembled piecewise to evade plain string matching, but the
// concatenation itself is not part of this signature -- treat that as an inference.
//
// This rule is a mechanical export of a Microsoft Defender MACROHSTR_EXT signature
// into YARA syntax. All text is lower-case, which suggests the Defender engine
// matches against normalized (lower-cased) macro source; stock YARA hex strings are
// case-sensitive, so this rule as written will miss mixed-case VBA -- confirm
// before relying on it in a YARA deployment.
rule TrojanDownloader_O97M_Donoff_DS{
meta:
// NOTE(review): the suffix after the family name looks like Defender signature
// metadata; "12" is 0x12 = 18, which equals the condition threshold below.
// Whether the remaining bytes carry meaning is not visible here -- do not rely on it.
description = "TrojanDownloader:O97M/Donoff.DS,SIGNATURE_TYPE_MACROHSTR_EXT,12 00 12 00 12 00 00 "
strings :
// The run `90 05 10 06 61 2d 7a 30 2d 39` inside each $a_02_* string is the bytes
// 0x90 0x05 0x10 0x06 followed by the text "a-z0-9". That is not literal macro
// text: it looks like Defender's encoding of a variable-length [a-z0-9] token
// (an identifier; 0x05/0x10 may be a 5..16 length range -- unconfirmed). A stock
// YARA engine will treat those bytes literally and never match, so the $a_02_*
// strings need a hand-written equivalent (e.g. a regex) to be useful outside
// Defender. In the decoded comments below that run is written as <ident>.
//
// Decoded text is shown in single quotes; \r\n marks the CRLF bytes 0d 0a.
$a_02_0 = {61 74 74 72 69 62 75 74 65 20 76 62 5f 6e 61 6d 65 20 3d 20 22 6d 6f 64 65 22 0d 0a 73 75 62 20 90 05 10 06 61 2d 7a 30 2d 39 28 29 0d 0a 0d 0a } //5 'attribute vb_name = "mode"\r\nsub <ident>()\r\n\r\n'
$a_02_1 = {20 3d 20 22 22 20 74 68 65 6e 0d 0a 73 68 65 6c 6c 20 90 05 10 06 61 2d 7a 30 2d 39 2c 20 66 61 6c 73 65 0d 0a 65 6e 64 20 69 66 0d 0a 65 6e 64 20 73 75 62 0d 0a 73 75 62 20 61 75 74 6f 6f 70 65 6e 28 29 } //5 ' = "" then\r\nshell <ident>, false\r\nend if\r\nend sub\r\nsub autoopen()'
$a_02_2 = {20 3d 20 22 22 20 74 68 65 6e 0d 0a 73 68 65 6c 6c 20 90 05 10 06 61 2d 7a 30 2d 39 2c 20 76 62 68 69 64 65 0d 0a 65 6e 64 20 69 66 0d 0a 65 6e 64 20 73 75 62 0d 0a 73 75 62 20 61 75 74 6f 6f 70 65 6e 28 29 } //5 ' = "" then\r\nshell <ident>, vbhide\r\nend if\r\nend sub\r\nsub autoopen()'
$a_02_3 = {20 3d 20 22 22 20 74 68 65 6e 0d 0a 73 68 65 6c 6c 20 90 05 10 06 61 2d 7a 30 2d 39 2c 20 30 0d 0a 65 6e 64 20 69 66 0d 0a 65 6e 64 20 73 75 62 0d 0a 73 75 62 20 61 75 74 6f 6f 70 65 6e 28 29 } //5 ' = "" then\r\nshell <ident>, 0\r\nend if\r\nend sub\r\nsub autoopen()'
$a_00_4 = {3d 20 61 63 74 69 76 65 64 6f 63 75 6d 65 6e 74 2e 64 65 66 61 75 6c 74 74 61 62 6c 65 73 74 79 6c 65 } //5 '= activedocument.defaulttablestyle'
// Weight-1 fragments: each is an assignment of a short literal ending in CRLF.
$a_00_5 = {20 3d 20 22 63 6d 64 22 0d 0a } //1 ' = "cmd"\r\n'
$a_00_6 = {20 3d 20 22 68 74 74 22 0d 0a } //1 ' = "htt"\r\n'
$a_00_7 = {20 3d 20 22 64 6f 77 22 0d 0a } //1 ' = "dow"\r\n'
$a_00_8 = {20 3d 20 22 65 27 22 22 22 0d 0a } //1 ' = "e'"""\r\n'
$a_00_9 = {20 3d 20 22 63 6d 22 0d 0a } //1 ' = "cm"\r\n'
$a_00_10 = {20 3d 20 22 2f 2f 22 0d 0a } //1 ' = "//"\r\n'
$a_00_11 = {20 3d 20 22 22 22 22 0d 0a } //1 ' = """"\r\n'
$a_00_12 = {20 3d 20 22 27 22 22 22 0d 0a } //1 ' = "'"""\r\n'
$a_00_13 = {20 3d 20 22 2f 63 22 0d 0a } //1 ' = "/c"\r\n'
$a_00_14 = {20 3d 20 22 78 65 22 0d 0a } //1 ' = "xe"\r\n'
$a_00_15 = {20 3d 20 22 68 74 22 0d 0a } //1 ' = "ht"\r\n'
$a_00_16 = {20 3d 20 22 65 78 65 22 0d 0a } //1 ' = "exe"\r\n'
$a_00_17 = {20 3d 20 22 2e 65 78 22 0d 0a } //1 ' = ".ex"\r\n'
condition:
// Weighted score: the five structural strings ($a_02_0..$a_02_3, $a_00_4) count 5
// each (25 max) and the thirteen fragment strings count 1 each (13 max); the
// document is flagged when the total reaches 18 (e.g. three structural strings
// plus three fragments, or two structural strings plus eight fragments).
// $a_02_1..$a_02_3 differ only in the Shell window-style argument, so a single
// sample realistically matches at most one of them.
//
// NOTE(review): `(#x & 1)` keeps only the low bit of the match count, so a string
// that occurs an even number of times (e.g. the same assignment twice) contributes
// 0 rather than its weight. This mirrors the Defender export; if "present at least
// once" is the intent, the YARA idiom is `(#x > 0)` (or `$x`), but switching to it
// changes detection behavior and must be validated against samples.
((#a_02_0 & 1)*5+(#a_02_1 & 1)*5+(#a_02_2 & 1)*5+(#a_02_3 & 1)*5+(#a_00_4 & 1)*5+(#a_00_5 & 1)*1+(#a_00_6 & 1)*1+(#a_00_7 & 1)*1+(#a_00_8 & 1)*1+(#a_00_9 & 1)*1+(#a_00_10 & 1)*1+(#a_00_11 & 1)*1+(#a_00_12 & 1)*1+(#a_00_13 & 1)*1+(#a_00_14 & 1)*1+(#a_00_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*1) >=18
}