
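rule TrojanDownloader_O97M_Obfuse_LC_MTB{
  // Macro-text (MACROHSTR) signature for an obfuscated Office downloader that
  // spawns its payload through WMI (winmgmts:Win32_Process.Create) with a
  // hidden window. Strings are kept as hex so the jump ranges ([0-N]) that
  // absorb the per-sample variable/function names stay exactly as generated.
  meta:
    description = "TrojanDownloader:O97M/Obfuse.LC!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 05 00 00 "
  strings :
    // CreateObject(<0-14 byte decoder name>("IuH3IuH3wIuH3i...ssIuH3")).
    // Dropping the repeated junk token "IuH3" from the literal leaves
    // winmgmts:Win32_Process.
    $a_03_0 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 [0-14] 28 22 49 75 48 33 49 75 48 33 77 49 75 48 33 69 49 75 48 33 6e 6d 67 49 75 48 33 6d 74 49 75 48 33 73 49 75 48 33 49 75 48 33 3a 49 75 48 33 57 49 75 48 33 49 75 48 33 69 49 75 48 33 6e 33 49 75 48 33 32 5f 50 49 75 48 33 72 6f 49 75 48 33 63 49 75 48 33 65 49 75 48 33 73 73 49 75 48 33 22 29 29 } //1 CreateObject([0-14]("IuH3...")) -> winmgmts:Win32_Process
    // Same construct with the junk token "yiwa" instead of "IuH3"; also
    // decodes to winmgmts:Win32_Process.
    $a_03_1 = {43 72 65 61 74 65 4f 62 6a 65 63 74 28 [0-14] 28 22 79 69 77 61 77 69 79 69 77 61 79 69 77 61 79 69 77 61 6e 6d 67 6d 79 69 77 61 74 73 79 69 77 61 79 69 77 61 3a 79 69 77 61 79 69 77 61 57 69 79 69 77 61 79 69 77 61 6e 79 69 77 61 33 79 69 77 61 32 79 69 77 61 5f 79 69 77 61 50 72 6f 79 69 77 61 63 65 79 69 77 61 73 73 79 69 77 61 79 69 77 61 22 29 29 } //1 CreateObject([0-14]("yiwa...")) -> winmgmts:Win32_Process
    // ".Create <up to 38 bytes>," -- the Win32_Process.Create call that
    // launches the command line.
    $a_03_2 = {2e 43 72 65 61 74 65 20 [0-38] 2c } //1 .Create [0-38],
    // "ThisDocument.<up to 14 bytes>) +" -- a document property/field is
    // concatenated into a string, presumably part of the payload/command
    // (not confirmable from the signature alone).
    $a_03_3 = {54 68 69 73 44 6f 63 75 6d 65 6e 74 2e [0-14] 29 20 2b } //1 ThisDocument.[0-14]) +
    // Startup-info assignment that hides the spawned process window.
    $a_01_4 = {2e 53 68 6f 77 57 69 6e 64 6f 77 21 20 3d } //1 .ShowWindow! =
  condition:
    // The auto-generated condition summed (#a_xx & 1) terms, i.e. the PARITY
    // of each string's match count: a string that occurs an even number of
    // times in the macro text counted as absent, so a sample duplicating the
    // WMI-launch snippet could slip past the threshold. The description field
    // encodes the intended threshold (4 of 5, all weights 1), which "4 of
    // them" expresses directly; it matches everything the old form matched.
    4 of them
}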
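rule TrojanDownloader_O97M_Obfuse_LC_MTB_2{
  // Second variant of Obfuse.LC: the macro rebuilds its strings by stripping
  // junk characters with Replace(), waits in a Timer loop, then passes the
  // concatenated result to .Run. Every string below is a fixed literal, so
  // the whole set is required (threshold 10 of 10 in the description).
  meta:
    description = "TrojanDownloader:O97M/Obfuse.LC!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,0a 00 0a 00 0a 00 00 "
  strings :
    // Two .Run calls on a string assembled from three variables; the
    // object is not visible in the signature (likely a shell object --
    // unconfirmed).
    $a_01_0 = {2e 52 75 6e 20 28 6c 56 6b 52 77 45 47 78 20 2b 20 63 4f 56 32 31 33 35 6c 20 2b 20 52 5a 59 51 70 55 38 4a } //1 .Run (lVkRwEGx + cOV2135l + RZYQpU8J
    $a_01_1 = {2e 52 75 6e 20 28 65 79 62 6b 4c 7a 76 49 20 2b 20 5a 74 4c 62 65 59 4e 4a 20 2b 20 58 42 52 51 70 63 6a 47 29 } //1 .Run (eybkLzvI + ZtLbeYNJ + XBRQpcjG)
    // Loop guard comparing elapsed Timer ticks against a limit; reads as a
    // busy-wait delay (e.g. to outlast sandbox time limits), though the
    // loop body is not captured here.
    $a_01_2 = {54 69 6d 65 72 20 2d 20 74 65 6d 70 20 3c 20 73 65 63 } //1 Timer - temp < sec
    // Replace() calls that strip a junk character from short fragments.
    // "!!!ht" and "!!!tp" yield "ht"/"tp" (-> "http"), "/@@@" yields "/";
    // "^^^W", "r!!!i", "^pt.^^Sh" and "!!!ell" yield "W", "ri", "pt.Sh",
    // "ell", which look like pieces of a "...Script.Shell" object name
    // (the remaining piece is not part of this signature).
    $a_01_3 = {52 65 70 6c 61 63 65 28 22 21 21 21 68 74 22 2c 20 22 21 22 2c 20 22 22 29 } //1 Replace("!!!ht", "!", "")
    $a_01_4 = {52 65 70 6c 61 63 65 28 22 21 21 21 74 70 22 2c 20 22 21 22 2c 20 22 22 29 } //1 Replace("!!!tp", "!", "")
    $a_01_5 = {52 65 70 6c 61 63 65 28 22 5e 5e 5e 57 22 2c 20 22 5e 22 2c 20 22 22 29 } //1 Replace("^^^W", "^", "")
    $a_01_6 = {52 65 70 6c 61 63 65 28 22 72 21 21 21 69 22 2c 20 22 21 22 2c 20 22 22 29 } //1 Replace("r!!!i", "!", "")
    $a_01_7 = {52 65 70 6c 61 63 65 28 22 5e 70 74 2e 5e 5e 53 68 22 2c 20 22 5e 22 2c 20 22 22 29 } //1 Replace("^pt.^^Sh", "^", "")
    $a_01_8 = {52 65 70 6c 61 63 65 28 22 21 21 21 65 6c 6c 22 2c 20 22 21 22 2c 20 22 22 29 } //1 Replace("!!!ell", "!", "")
    $a_01_9 = {52 65 70 6c 61 63 65 28 22 2f 40 40 40 22 2c 20 22 40 22 2c 20 22 22 29 } //1 Replace("/@@@", "@", "")
  condition:
    // The generated condition required the sum of (#a_xx & 1) to reach 10,
    // i.e. every string had to occur an ODD number of times; a macro that
    // repeats any one of these lines (two identical Replace() calls, for
    // instance) would not be detected. "all of them" is the intended
    // "every string present at least once" and is a superset of the old
    // condition.
    all of them
}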