
// TrojanSpy:Win32/Logsnif.gen!E, converted from a Microsoft Defender
// PEHSTR_EXT signature (the raw signature header is preserved verbatim in
// meta.description). Each string below is the ASCII text of the original
// hex byte sequence, written as a YARA text string with backslashes
// escaped; identifiers keep the converter's $a_<type>_<index> naming so
// every atom can be traced back to the source listing. The trailing
// "// NN 00" annotation on each line is the two-byte value the converter
// emitted per string (presumably its weight in the original signature).
//
// NOTE(review): the condition is a plain "any of", so neither the per-string
// annotations nor the threshold bytes in meta.description are enforced.
// Atoms such as "socket", "WSAStartup", "svchost.exe", "lsass.exe" and
// "ping.exe" occur in ordinary PE files, so a hit on one of them alone is a
// weak signal; treat a match as a triage lead and corroborate it with the
// driver, I/O-port-map, registry-persistence and security-product atoms.
rule TrojanSpy_Win32_Logsnif_gen_E
{
    meta:
        description = "TrojanSpy:Win32/Logsnif.gen!E,SIGNATURE_TYPE_PEHSTR_EXT,ffffff82 00 7d 00 1e 00 00 64 00 "

    strings:
        // Driver, process and host names
        $a_00_0  = "Ring0Port.sys"                                            // 01 00
        $a_00_1  = "ping.exe"                                                 // 01 00
        $a_01_2  = "lsass.exe"                                                // 01 00
        $a_00_3  = "svchost.exe"                                              // 01 00
        $a_00_4  = "slil.ru"                                                  // 01 00

        // File-system paths (drive letter omitted, so they match on any drive)
        $a_00_5  = ":\\Program Files\\Common Files\\moatumonn.exe"            // 01 00
        $a_00_6  = ":\\Program Files\\Internet Explorer\\Iexplore.exe"        // 01 00
        $a_00_7  = ":\\Program Files\\opera\\opera.exe"                       // 01 00
        $a_00_8  = ":\\Program Files\\Outlook Express\\msimn.exe"             // 01 00
        $a_00_9  = "\\system32\\drivers\\svchost.exe"                         // 01 00

        // Registry keys (service registration and logon/run-once persistence)
        $a_00_10 = "system\\CurrentControlSet\\Services"                      // 03 00
        $a_00_11 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" // 01 00
        $a_00_12 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"    // 01 00

        // Security-product window classes and product names
        $a_00_13 = "OutpostMainWindowClass"                                   // 01 00
        $a_00_14 = "Outpost Firewall Pro"                                     // 01 00
        $a_00_15 = "Kaspersky Anti-Hacker"                                    // 01 00
        $a_00_16 = "JeticoPersonalFirewall"                                   // 01 00
        $a_00_17 = "Activity Monitor"                                         // 01 00

        // Kernel-mode (ntoskrnl) export names
        $a_00_18 = "MmGetPhysicalAddress"                                     // 01 00
        $a_00_19 = "MmIsAddressValid"                                         // 05 00
        $a_00_20 = "IoGetCurrentProcess"                                      // 01 00
        $a_00_21 = "Ke386SetIoAccessMap"                                      // 02 00
        $a_00_22 = "Ke386QueryIoAccessMap"                                    // 05 00

        // User-mode / native API names
        $a_01_23 = "WriteProcessMemory"                                       // 01 00
        $a_00_24 = "ZwOpenSection"                                            // 01 00
        $a_00_25 = "ZwLoadDriver"                                             // 01 00
        $a_00_26 = "ZwQuerySystemInformation"                                 // 02 00
        $a_00_27 = "OpenSCManagerA"                                           // 01 00

        // Winsock
        $a_00_28 = "socket"                                                   // 03 00
        $a_00_29 = "WSAStartup"                                               // 00 00

    condition:
        // Every string is an $a_* string, so "any of them" is identical to
        // the converter's "any of ($a_*)".
        any of them
}