19 lines
1.9 KiB
Plaintext
19 lines
1.9 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Donoff_MXSS_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Donoff.MXSS!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,09 00 09 00 09 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {41 70 70 6c 69 63 61 74 69 6f 6e 2e 53 63 72 65 65 6e 55 70 64 61 74 69 6e 67 20 3d 20 46 61 6c 73 65 } //1 Application.ScreenUpdating = False
|
|
$a_03_1 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 [0-0f] 28 22 34 64 36 39 36 33 37 32 36 66 37 33 36 66 22 29 20 26 20 [0-0f] 28 22 36 36 37 34 32 65 35 38 34 64 34 63 34 38 35 34 35 34 35 30 22 29 29 } //1
|
|
$a_03_2 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 [0-0f] 28 22 34 31 36 34 36 66 36 34 36 32 32 65 35 33 37 34 37 32 36 35 22 29 20 26 20 [0-0f] 28 22 36 31 36 64 22 29 29 } //1
|
|
$a_03_3 = {4f 70 65 6e 20 [0-0f] 28 22 34 37 34 35 35 34 22 29 2c 20 [0-0f] 28 22 36 38 37 34 37 34 37 30 33 61 32 66 32 66 33 33 33 37 32 65 33 35 33 39 22 29 20 26 20 [0-0f] 28 22 32 65 33 31 33 36 33 30 32 65 33 31 33 34 33 37 32 66 37 36 36 35 37 32 37 33 36 39 36 66 36 65 35 66 33 34 32 65 36 35 37 38 36 35 22 29 2c 20 46 61 6c 73 65 } //1
|
|
$a_01_4 = {3d 20 45 6e 76 69 72 6f 6e 28 22 41 70 70 44 61 74 61 22 29 } //1 = Environ("AppData")
|
|
$a_03_5 = {53 68 65 6c 6c 20 28 [0-12] 20 26 20 [0-0f] 28 22 35 63 33 31 22 29 20 26 20 [0-0f] 28 22 33 33 33 30 36 39 36 37 36 61 37 34 33 34 32 65 36 35 37 38 36 35 22 29 29 } //1
|
|
$a_03_6 = {43 68 72 24 28 56 61 6c 28 22 26 48 22 20 26 20 4d 69 64 24 28 [0-0f] 2c 20 [0-0f] 2c 20 32 29 29 29 } //1
|
|
$a_03_7 = {77 72 69 74 65 20 [0-12] 2e 72 65 73 70 6f 6e 73 65 42 6f 64 79 } //1
|
|
$a_03_8 = {73 61 76 65 74 6f 66 69 6c 65 20 [0-12] 20 26 20 [0-0f] 28 22 35 63 33 31 33 33 33 30 36 39 36 37 36 61 37 34 33 34 32 65 36 35 22 29 20 26 20 [0-0f] 28 22 37 38 36 35 22 29 2c 20 32 } //1
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_01_4 & 1)*1+(#a_03_5 & 1)*1+(#a_03_6 & 1)*1+(#a_03_7 & 1)*1+(#a_03_8 & 1)*1) >=9
|
|
|
|
} |