36 lines
3.6 KiB
Plaintext
36 lines
3.6 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Obfuse_PR_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Obfuse.PR!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,02 00 02 00 02 00 00 "
|
|
|
|
strings :
|
|
$a_02_0 = {2e 6f 70 65 6e 28 22 22 47 45 54 22 22 2c 22 22 68 74 74 70 3a 2f 2f [0-20] 2f 63 63 63 2e 6a 73 22 22 2c 66 61 6c 73 65 29 3b 78 6d 6c 2e 73 65 6e 64 28 29 3b } //1
|
|
$a_00_1 = {45 6e 76 69 72 6f 6e 28 52 65 70 6c 61 63 65 28 22 55 23 23 23 53 45 23 23 23 52 50 23 23 23 52 4f 46 23 23 23 49 4c 45 22 2c 20 22 23 23 23 22 2c 20 22 22 29 29 20 26 20 22 5c 22 20 26 20 52 65 70 6c 61 63 65 28 22 44 23 23 23 6f 77 23 23 23 6e 6c 23 23 23 6f 61 23 23 23 64 73 22 2c 20 22 23 23 23 22 2c 20 22 22 29 20 26 20 22 5c 42 75 73 69 6e 65 73 73 4c 61 79 65 72 2e 6a 73 22 } //1 Environ(Replace("U###SE###RP###ROF###ILE", "###", "")) & "\" & Replace("D###ow###nl###oa###ds", "###", "") & "\BusinessLayer.js"
|
|
condition:
|
|
((#a_02_0 & 1)*1+(#a_00_1 & 1)*1) >=2
|
|
|
|
}
|
|
rule TrojanDownloader_O97M_Obfuse_PR_MTB_2{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Obfuse.PR!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,04 00 04 00 04 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {4a 4f 20 3d 20 4a 4f 20 2b 20 30 2e 30 30 30 30 31 31 31 33 31 30 37 20 2a 20 41 74 6e 28 35 2e 31 34 39 38 37 33 35 30 31 34 32 20 2b 20 33 33 34 30 2e 36 31 32 34 32 36 36 39 39 38 20 2a 20 4a 29 } //1 JO = JO + 0.00001113107 * Atn(5.14987350142 + 3340.6124266998 * J)
|
|
$a_01_1 = {44 65 6c 65 74 65 46 69 6c 65 20 3d 20 22 43 3a 5c 70 72 6f 67 72 61 6d 64 61 74 61 5c 57 6f 72 69 64 2e 62 61 74 22 } //1 DeleteFile = "C:\programdata\Worid.bat"
|
|
$a_01_2 = {2e 43 72 65 61 74 65 54 65 78 74 46 69 6c 65 28 22 43 3a 5c 70 72 6f 67 72 61 6d 64 61 74 61 5c 57 6f 72 69 64 2e 76 62 73 22 2c 20 54 72 75 65 29 } //1 .CreateTextFile("C:\programdata\Worid.vbs", True)
|
|
$a_01_3 = {3d 20 4c 20 26 20 22 7c 22 20 26 20 42 20 26 20 22 7c 22 20 26 20 52 } //1 = L & "|" & B & "|" & R
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1) >=4
|
|
|
|
}
|
|
rule TrojanDownloader_O97M_Obfuse_PR_MTB_3{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Obfuse.PR!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,02 00 02 00 02 00 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {30 30 31 31 30 30 30 31 2c 30 30 31 31 31 30 30 31 2c 30 30 31 31 31 30 30 30 2c 30 30 31 30 31 31 31 30 2c 30 30 31 31 30 30 31 30 2c 30 30 31 31 30 30 31 31 2c 30 30 31 30 31 31 31 30 2c 30 30 31 31 30 30 31 30 2c 30 30 31 31 30 31 30 31 2c 30 30 31 31 30 30 30 31 2c 30 30 31 30 31 31 31 30 2c 30 30 31 31 30 30 30 31 2c 30 30 31 31 30 30 30 31 2c 30 30 31 31 30 30 30 30 2c 30 30 31 30 31 31 31 31 } //1 00110001,00111001,00111000,00101110,00110010,00110011,00101110,00110010,00110101,00110001,00101110,00110001,00110001,00110000,00101111
|
|
$a_01_1 = {30 31 30 30 30 31 31 30 2c 30 31 31 30 31 30 30 31 2c 30 31 31 30 31 31 30 30 2c 30 31 31 30 30 31 30 31 2c 30 30 31 30 31 30 30 30 2c 30 30 31 30 30 31 31 31 2c 30 30 31 30 30 31 31 31 2c 30 31 31 30 31 30 30 30 2c 30 31 31 31 30 31 30 30 2c 30 31 31 31 30 31 30 30 2c 30 31 31 31 30 30 30 30 2c 30 30 31 31 31 30 31 30 2c 30 30 31 30 31 31 31 31 2c 30 30 31 30 31 31 31 31 2c 30 30 31 31 30 30 30 31 2c 30 30 31 31 31 30 30 31 2c 30 30 31 31 31 30 30 30 2c 30 30 31 30 31 31 31 30 2c 30 30 31 31 30 30 31 30 2c 30 30 31 31 30 30 31 31 2c 30 30 31 30 31 31 31 30 2c 30 30 31 31 30 30 31 30 2c 30 30 31 31 30 31 30 31 2c 30 30 31 31 30 30 30 31 2c 30 30 31 30 31 31 31 30 } //1 01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00111000,00101110,00110010,00110011,00101110,00110010,00110101,00110001,00101110
|
|
condition:
|
|
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1) >=2
|
|
|
|
} |