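rule TrojanDownloader_O97M_PShell_C
{
    // Office macro (O97M) downloader that builds an obfuscated cmd.exe /
    // PowerShell launcher at runtime.  Each string below is a fragment of the
    // VBA source as it appears on disk: caret (^) insertion, string
    // concatenation, Chr()/Format()/CStr() arithmetic and cmd's "/V" delayed
    // expansion are used to keep the literal "powershell", "cmd" and "http"
    // tokens out of the macro text.
    //
    // Converted from a Microsoft Defender signature.  The Defender header
    // (SIGNATURE_TYPE_MACROHSTR_EXT, "01 00 01 00 11 00 00") is kept verbatim
    // in `description`; 0x11 = 17 matches the number of strings below.  The
    // trailing "//1" on each string in the upstream file appears to be a
    // per-string weight of 1 (generator convention — not confirmed here).
    //
    // NOTE(review): the [0-N] jumps are reproduced as decimal YARA ranges.
    // If the Defender source encoded them as hex (0x20 = 32 bytes) the
    // wildcard gaps in $a_03_1, $a_02_9 and $a_03_14..16 are narrower than
    // intended — confirm against the original signature before tuning.

    meta:
        description = "TrojanDownloader:O97M/PShell.C,SIGNATURE_TYPE_MACROHSTR_EXT,01 00 01 00 11 00 00 "

    strings:
        // + "=p" + "owe" + "r;" + "he" + "ll
        $a_00_0  = { 2b 20 22 3d 70 22 20 2b 20 22 6f 77 65 22 20 2b 20 22 72 3b 22 20 2b 20 22 68 65 22 20 2b 20 22 6c 6c }

        //  = "d /V^:^O[0-2]/C" + """" + "^s^e^t    (gap covers the rest of /V:ON)
        $a_03_1  = { 20 3d 20 22 64 20 2f 56 5e 3a 5e 4f [0-02] 2f 43 22 20 2b 20 22 22 22 22 20 2b 20 22 5e 73 5e 65 5e 74 20 }

        //  = "d.exe /c p^O^w^e^R^s^H^e^" + Format(Chr(((
        $a_01_2  = { 20 3d 20 22 64 2e 65 78 65 20 2f 63 20 70 5e 4f 5e 77 5e 65 5e 52 5e 73 5e 48 5e 65 5e 22 20 2b 20 46 6f 72 6d 61 74 28 43 68 72 28 28 28 }

        // //^:" + "^" + "p" + "^t^t" + "h@^" +      (reversed/obfuscated "http://")
        $a_00_3  = { 2f 2f 5e 3a 22 20 2b 20 22 5e 22 20 2b 20 22 70 22 20 2b 20 22 5e 74 5e 74 22 20 2b 20 22 68 40 5e 22 20 2b }

        // //^" + ":^p^" + "t^th"
        $a_00_4  = { 2f 2f 5e 22 20 2b 20 22 3a 5e 70 5e 22 20 2b 20 22 74 5e 74 68 22 }

        //  = "d /V/C" + """" + "^s^
        $a_00_5  = { 20 3d 20 22 64 20 2f 56 2f 43 22 20 2b 20 22 22 22 22 20 2b 20 22 5e 73 5e }

        //  = "d " + CStr(Chr(6 + 7 + 7 + 2 + 25)) + "V" + CStr(Chr(   (6+7+7+2+25 = 47 = '/')
        $a_00_6  = { 20 3d 20 22 64 20 22 20 2b 20 43 53 74 72 28 43 68 72 28 36 20 2b 20 37 20 2b 20 37 20 2b 20 32 20 2b 20 32 35 29 29 20 2b 20 22 56 22 20 2b 20 43 53 74 72 28 43 68 72 28 }

        // /" + "/:" + "pt^t" + "^h^
        $a_00_7  = { 2f 22 20 2b 20 22 2f 3a 22 20 2b 20 22 70 74 5e 74 22 20 2b 20 22 5e 68 5e }

        // ) + "^se^t" + " " + "
        $a_00_8  = { 29 20 2b 20 22 5e 73 65 5e 74 22 20 2b 20 22 20 22 20 2b 20 22 }

        //  = Format(Chr([gap])) + "md /V[gap]" + Format(Chr(
        $a_02_9  = { 20 3d 20 46 6f 72 6d 61 74 28 43 68 72 28 [0-20] 29 29 20 2b 20 22 6d 64 20 2f 56 [0-20] 22 20 2b 20 46 6f 72 6d 61 74 28 43 68 72 28 }

        //  = "D  /c " + """^cm^D;  ;  ;  ^/v:^ON^   ;/^c "";  ;
        $a_00_10 = { 20 3d 20 22 44 20 20 2f 63 20 22 20 2b 20 22 22 22 5e 63 6d 5e 44 3b 20 20 3b 20 20 3b 20 20 5e 2f 76 3a 5e 4f 4e 5e 20 20 20 3b 2f 5e 63 20 22 22 3b 20 3b }

        // .DownloadString('http://4host.publicvm.com/api/cscript') | PowersHell
        // Hard-coded payload URL: the only campaign-specific string in the rule
        // and the one most likely to go stale.  Useful as a hunting IOC
        // (domain 4host.publicvm.com); do not rely on it alone for coverage.
        $a_00_11 = { 2e 44 6f 77 6e 6c 6f 61 64 53 74 72 69 6e 67 28 27 68 74 74 70 3a 2f 2f 34 68 6f 73 74 2e 70 75 62 6c 69 63 76 6d 2e 63 6f 6d 2f 61 70 69 2f 63 73 63 72 69 70 74 27 29 20 7c 20 50 6f 77 65 72 73 48 65 6c 6c }

        // \..\." + ".\..\win" + "dows\system" + "32\cmd.exe" + " /c %Program" + "Data:
        // Path-traversal style reference to cmd.exe plus an NTFS ADS-looking
        // "%ProgramData:" prefix (colon after the variable).
        $a_00_12 = { 5c 2e 2e 5c 2e 22 20 2b 20 22 2e 5c 2e 2e 5c 77 69 6e 22 20 2b 20 22 64 6f 77 73 5c 73 79 73 74 65 6d 22 20 2b 20 22 33 32 5c 63 6d 64 2e 65 78 65 22 20 2b 20 22 20 2f 63 20 25 50 72 6f 67 72 61 6d 22 20 2b 20 22 44 61 74 61 3a }

        //  + "md /V" + "^:/" + Chr(
        $a_01_13 = { 20 2b 20 22 6d 64 20 2f 56 22 20 2b 20 22 5e 3a 2f 22 20 2b 20 43 68 72 28 }

        // Shell Format([gap]) + Format(
        $a_03_14 = { 53 68 65 6c 6c 20 46 6f 72 6d 61 74 28 [0-20] 29 20 2b 20 46 6f 72 6d 61 74 28 }

        //  + CreateObject("Wscript.shell").Run([gap] + Chr(
        $a_03_15 = { 20 2b 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 73 63 72 69 70 74 2e 73 68 65 6c 6c 22 29 2e 52 75 6e 28 [0-20] 20 2b 20 43 68 72 28 }

        // VBA.Shell "" + [gap] + CVar("C") +
        $a_03_16 = { 56 42 41 2e 53 68 65 6c 6c 20 22 22 20 2b 20 [0-30] 20 2b 20 43 56 61 72 28 22 43 22 29 20 2b }

    condition:
        // The generated condition was
        //   ((#a_00_0 & 1)*1 + (#a_03_1 & 1)*1 + ... + (#a_03_16 & 1)*1) >= 1
        // which sums (match_count & 1) per string.  `& 1` tests parity, not
        // presence: a fragment that occurs an even number of times in the
        // macro (e.g. the same launcher line duplicated) contributed 0, so a
        // sample matching only such strings was missed.  With every weight 1
        // and a threshold of 1 the intended semantics is "at least one string
        // present", which is exactly `any of them`; this is a strict superset
        // of what the old expression matched.
        any of them
}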