DefenderYara/TrojanSpy/Win32/Camec/TrojanSpy_Win32_Camec_AQ.yar


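rule TrojanSpy_Win32_Camec_AQ{
// Microsoft Defender signature TrojanSpy:Win32/Camec.AQ converted to YARA.
// The description keeps the original signature header verbatim; its trailing
// "07 00 05 00 06 00 00" appears to encode total weight 7, match threshold 5
// and 6 strings, which agrees with the condition below - TODO confirm against
// the PEHSTR_EXT header layout.
meta:
description = "TrojanSpy:Win32/Camec.AQ,SIGNATURE_TYPE_PEHSTR_EXT,07 00 05 00 06 00 00 "
strings :
// Weight 2. x86 code fragment: lea edx,[ebp-0xb0] / push 0x38 / push edx / call esi,
// then the same shape with eax/0x37 and ecx/0x36 (three calls through esi with
// decreasing immediates).
$a_01_0 = {8d 95 50 ff ff ff 6a 38 52 ff d6 8d 85 40 ff ff ff 6a 37 50 ff d6 8d 8d 20 ff ff ff 6a 36 } //2
// Weight 1. Narrow ASCII with a NUL terminator - the only non-wide string in the rule.
$a_01_1 = {43 61 70 74 63 68 61 5f 44 6f 63 5f 45 6d 70 72 65 73 61 00 } //1 Captcha_Doc_Empresa\0
// Weight 1. UTF-16LE: value1=1&value2=2
$a_01_2 = {76 00 61 00 6c 00 75 00 65 00 31 00 3d 00 31 00 26 00 76 00 61 00 6c 00 75 00 65 00 32 00 3d 00 32 00 } //1 value1=1&value2=2
// Weight 1. UTF-16LE: --Xu02=$--
$a_01_3 = {2d 00 2d 00 58 00 75 00 30 00 32 00 3d 00 24 00 2d 00 2d 00 } //1 --Xu02=$--
// Weight 1 each. UTF-16LE runs of hex digits; presumably encoded data, left undecoded here.
$a_01_4 = {37 00 43 00 37 00 33 00 36 00 44 00 36 00 35 00 37 00 39 00 37 00 42 00 36 00 37 00 37 00 33 00 31 00 42 00 37 00 30 00 36 00 42 00 37 00 44 00 } //1 7C736D65797B67731B706B7D
$a_01_5 = {36 00 45 00 30 00 42 00 36 00 36 00 35 00 30 00 34 00 37 00 35 00 44 00 35 00 34 00 35 00 41 00 31 00 35 00 35 00 31 00 35 00 43 00 31 00 38 00 37 00 39 00 37 00 32 00 30 00 32 00 31 00 38 00 } //1 6E0B6650475D545A15515C1879720218
condition:
// Weighted score of at least 5 out of a possible 7: $a_01_0 counts 2, every other
// string counts 1. Expressed as presence tests rather than "(#x & 1)*w" because
// "#x & 1" is the low bit of the occurrence count, so a string that appears an
// even number of times contributed 0 and could silently push a sample below the
// threshold. With $a_01_0 present any 3 of the remaining five reach 5; without
// it all five are required.
($a_01_0 and 3 of ($a_01_1, $a_01_2, $a_01_3, $a_01_4, $a_01_5)) or
all of ($a_01_1, $a_01_2, $a_01_3, $a_01_4, $a_01_5)
}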