29 lines
2.4 KiB
Plaintext
29 lines
2.4 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Donoff_gen_D{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Donoff.gen!D,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 13 00 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {65 6e 76 69 72 6f 6e 24 28 22 74 6d 70 22 29 [0-05] 26 20 22 5c 22 20 26 } //1
|
|
$a_02_1 = {65 6e 76 69 72 6f 6e 24 28 22 61 70 70 64 61 74 61 22 29 [0-05] 26 20 22 5c 22 20 26 } //1
|
|
$a_02_2 = {20 3d 20 65 6e 76 69 72 6f 6e 24 28 22 74 [0-01] 6d 70 22 29 20 26 } //1
|
|
$a_01_3 = {20 3d 20 22 50 75 74 74 79 2e 65 78 22 20 26 20 22 65 22 } //1 = "Putty.ex" & "e"
|
|
$a_00_4 = {22 20 26 20 22 2e 65 78 65 22 } //1 " & ".exe"
|
|
$a_02_5 = {22 75 72 6c 6d 6f 6e 22 [0-05] 61 6c 69 61 73 [0-05] 22 75 72 6c 64 6f 77 6e 6c 6f 61 64 74 6f 66 69 6c 65 61 22 } //1
|
|
$a_02_6 = {22 73 68 65 6c 6c 33 32 2e 64 6c 6c 22 [0-05] 61 6c 69 61 73 [0-05] 22 73 68 65 6c 6c 65 78 65 63 75 74 65 61 22 } //1
|
|
$a_03_7 = {30 2c 20 22 6f 70 65 6e 22 2c 20 [0-03] 62 2c 20 22 22 2c 20 76 62 4e 75 6c 6c 53 74 72 69 6e 67 2c 20 76 62 4e 6f 72 6d 61 6c 46 6f 63 75 73 } //1
|
|
$a_02_8 = {30 2c 20 22 6f 70 65 6e 22 2c 20 5f 0d 0a 90 05 20 06 61 2d 7a 30 2d 39 2c 20 22 22 2c 20 76 62 6e 75 6c 6c 73 74 72 69 6e 67 2c 20 76 62 6e 6f 72 6d 61 6c 66 6f 63 75 73 } //1
|
|
$a_02_9 = {63 61 6c 6c 20 73 68 65 6c 6c 28 90 05 20 06 61 2d 7a 30 2d 39 2c 20 31 29 } //1
|
|
$a_02_10 = {30 2c 20 22 6f 70 65 6e 22 2c 20 90 05 20 06 61 2d 7a 30 2d 39 2c 20 22 22 2c 20 76 62 6e 75 6c 6c 73 74 72 69 6e 67 2c 20 76 62 6e 6f 72 6d 61 6c 66 6f 63 75 73 } //1
|
|
$a_03_11 = {20 3d 20 22 68 74 74 70 [0-01] 3a 2f 2f } //1
|
|
$a_01_12 = {2e 74 74 2f 61 70 69 2f } //1 .tt/api/
|
|
$a_01_13 = {2f 62 6c 6f 62 3f 64 6f 77 6e 6c 6f 61 64 } //1 /blob?download
|
|
$a_03_14 = {20 3d 20 5f 0d 0a 22 68 74 74 70 [0-01] 3a 2f 2f } //1
|
|
$a_03_15 = {20 3d 20 22 68 74 22 20 26 20 22 74 70 [0-01] 3a 2f 2f } //1
|
|
$a_03_16 = {20 3d 20 22 68 74 74 22 20 26 20 22 70 [0-01] 3a 2f 2f } //1
|
|
$a_01_17 = {3d 20 22 62 6c 75 65 66 69 6c 65 2e 62 69 7a 2f } //1 = "bluefile.biz/
|
|
$a_00_18 = {3d 20 22 68 65 72 65 75 72 6c 22 } //1 = "hereurl"
|
|
condition:
|
|
((#a_02_0 & 1)*1+(#a_02_1 & 1)*1+(#a_02_2 & 1)*1+(#a_01_3 & 1)*1+(#a_00_4 & 1)*1+(#a_02_5 & 1)*1+(#a_02_6 & 1)*1+(#a_03_7 & 1)*1+(#a_02_8 & 1)*1+(#a_02_9 & 1)*1+(#a_02_10 & 1)*1+(#a_03_11 & 1)*1+(#a_01_12 & 1)*1+(#a_01_13 & 1)*1+(#a_03_14 & 1)*1+(#a_03_15 & 1)*1+(#a_03_16 & 1)*1+(#a_01_17 & 1)*1+(#a_00_18 & 1)*1) >=3
|
|
|
|
} |