
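rule TrojanSpy_Win32_Gamaredon_MA_MTB
{
    // Converted from a Microsoft Defender PEHSTR_EXT signature. The trailer
    // "06 00 06 00 07 00 00" kept in the description is the original header:
    // match threshold 6, over 7 strings, each weighted 1.
    meta:
        description = "TrojanSpy:Win32/Gamaredon.MA!MTB,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 07 00 00 "

    strings:
        // $a_80_*: fixed ASCII strings. Written as text strings for readability;
        // the bytes are identical to the hex form the converter emitted.
        // They look like 7-Zip SFX module config directives (InstallPath=,
        // RunProgram="hidcon:..."/"nowait:...") — presumably the carrier is a
        // self-extracting archive; confirm against a sample.
        $a_80_0 = "InstallPath=\"%APPDATA%\\\\TN\""   // two literal backslashes (5c 5c) in the sample
        $a_80_1 = "RunProgram=\"hidcon:nowait:cmd /c document.doc\""
        // Both downloads pass --no-check-certificate, so the fetched files are
        // not validated; the URLs themselves point at public nodejs.org and
        // torproject.org release paths.
        $a_80_2 = "RunProgram=\"hidcon:wget --no-check-certificate https://nodejs.org/dist/latest-carbon/win-x86/node.exe\""
        $a_80_3 = "RunProgram=\"hidcon:wget --no-check-certificate https://www.torproject.org/dist/torbrowser/9.5.1/tor-win32-0.4.3.5.zip\""
        $a_80_4 = "RunProgram=\"hidcon:7za e -y tor-win32-0.4.3.5.zip\""

        // $a_02_*: RunProgram="hidcon:nowait:cmd /c if not exist hostname (node service ???.???.???.???)"
        // as UTF-16LE ($a_02_5) and ASCII ($a_02_6). The wildcards stand for a
        // dotted IPv4 address; each octet is exactly three wildcard bytes, so the
        // ASCII form only matches 3-digit octets (e.g. 1.2.3.4 would not match).
        // NOTE(review): in the wide variant the 3-byte wildcard runs are not a
        // whole number of UTF-16 code units, so the "2e 00" bytes fall at odd
        // offsets relative to the preceding wide chars; that looks like a
        // conversion artefact and may make $a_02_5 unmatchable against real
        // UTF-16 text. Kept byte-for-byte as upstream emitted it — confirm
        // against the original Defender signature before altering.
        $a_02_5 = { 52 00 75 00 6e 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 3d 00 22 00 68 00 69 00 64 00 63 00 6f 00 6e 00 3a 00 6e 00 6f 00 77 00 61 00 69 00 74 00 3a 00 63 00 6d 00 64 00 20 00 2f 00 63 00 20 00 69 00 66 00 20 00 6e 00 6f 00 74 00 20 00 65 00 78 00 69 00 73 00 74 00 20 00 68 00 6f 00 73 00 74 00 6e 00 61 00 6d 00 65 00 20 00 28 00 6e 00 6f 00 64 00 65 00 20 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00 ?? ?? ?? 2e 00 ?? ?? ?? 2e 00 ?? ?? ?? 2e 00 ?? ?? ?? 29 00 22 00 }
        $a_02_6 = { 52 75 6e 50 72 6f 67 72 61 6d 3d 22 68 69 64 63 6f 6e 3a 6e 6f 77 61 69 74 3a 63 6d 64 20 2f 63 20 69 66 20 6e 6f 74 20 65 78 69 73 74 20 68 6f 73 74 6e 61 6d 65 20 28 6e 6f 64 65 20 73 65 72 76 69 63 65 20 ?? ?? ?? 2e ?? ?? ?? 2e ?? ?? ?? 2e ?? ?? ?? 29 22 }

    condition:
        // The generated condition was
        //   ((#a_80_0 & 1)*1 + ... + (#a_02_6 & 1)*1) >= 6
        // "#x & 1" is a bitwise AND on the match count, i.e. 1 only when the
        // string occurs an ODD number of times: a string present twice (or any
        // even count) contributed 0 and could drop the sum below the threshold.
        // Every weight is 1, so the intended semantics is just "at least 6 of
        // the 7 strings are present", which is what "6 of them" expresses.
        6 of them
}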