18 lines
1.2 KiB
Plaintext
18 lines
1.2 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Donoff_SE_MSR{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Donoff.SE!MSR,SIGNATURE_TYPE_MACROHSTR_EXT,08 00 08 00 08 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {2e 46 6f 6c 64 65 72 45 78 69 73 74 73 28 22 63 3a 5c 31 22 29 20 3d 20 46 61 6c 73 65 } //1 .FolderExists("c:\1") = False
|
|
$a_03_1 = {2e 43 72 65 61 74 65 54 65 78 74 46 69 6c 65 28 22 63 3a 5c 31 5c [0-0a] 2e 63 6d 64 22 2c 20 54 72 75 65 29 } //1
|
|
$a_03_2 = {2e 57 72 69 74 65 4c 69 6e 65 20 28 22 [0-64] 22 29 } //1
|
|
$a_03_3 = {2e 57 72 69 74 65 4c 69 6e 65 20 28 [0-0f] 2e [0-0a] 2e [0-0a] 29 } //1
|
|
$a_01_4 = {2e 57 72 69 74 65 4c 69 6e 65 20 28 22 62 72 65 61 6b 3e 25 46 6f 6c 64 65 72 56 42 53 25 22 29 } //1 .WriteLine ("break>%FolderVBS%")
|
|
$a_03_5 = {3d 20 43 72 65 61 74 65 50 72 6f 63 65 73 73 57 28 [0-02] 2c 20 53 74 72 50 74 72 28 22 63 3a 5c 31 5c [0-0a] 2e 63 6d 64 22 29 } //1
|
|
$a_03_6 = {49 66 20 4c 65 6e 28 [0-05] 28 44 65 6c 65 74 65 46 69 6c 65 29 29 20 3e 20 30 20 54 68 65 6e } //1
|
|
$a_01_7 = {4b 69 6c 6c 20 44 65 6c 65 74 65 46 69 6c 65 } //1 Kill DeleteFile
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_03_1 & 1)*1+(#a_03_2 & 1)*1+(#a_03_3 & 1)*1+(#a_01_4 & 1)*1+(#a_03_5 & 1)*1+(#a_03_6 & 1)*1+(#a_01_7 & 1)*1) >=8
|
|
|
|
} |