DefenderYara/VirTool/BAT/Covent/VirTool_BAT_Covent_F.yar


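rule VirTool_BAT_Covent_F
{
    meta:
        // Converted Microsoft Defender PEHSTR_EXT signature. The header bytes
        // in the description (0b 00 0b 00 0c 00) appear to encode a match
        // threshold of 11 over 12 weighted strings -- TODO confirm against the
        // converter's field layout.
        description = "VirTool:BAT/Covent.F,SIGNATURE_TYPE_PEHSTR_EXT,0b 00 0b 00 0c 00 00 "

    strings:
        // UTF-16LE JSON fragments of the implant's C2 message envelope
        // (.NET user strings are stored as UTF-16LE). The field names
        // (GUID, token, EncryptedMessage, jitter, connectAttempts) together
        // with GruntTask / UpstreamMessenger below are consistent with the
        // Covenant C2 "Grunt" implant.
        $a_00_0  = {7b 00 22 00 74 00 79 00 70 00 65 00 22 00 3a 00 22 00 7b 00 } // {"type":"{
        $a_00_1  = {7b 00 22 00 47 00 55 00 49 00 44 00 22 00 3a 00 } // {"GUID":
        $a_00_2  = {7d 00 22 00 2c 00 22 00 74 00 6f 00 6b 00 65 00 6e 00 22 00 3a 00 7b 00 } // }","token":{
        $a_00_3  = {22 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 4d 00 65 00 73 00 73 00 61 00 67 00 65 00 22 00 3a 00 } // "EncryptedMessage":
        $a_00_4  = {22 00 6a 00 69 00 74 00 74 00 65 00 72 00 22 00 3a 00 } // "jitter":
        $a_00_5  = {22 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 41 00 74 00 74 00 65 00 6d 00 70 00 74 00 73 00 22 00 3a 00 } // "connectAttempts":

        // ASCII, NUL-terminated type and member names as they appear in the
        // .NET #Strings metadata heap. The auto-generated comments on these
        // lines decoded the bytes as UTF-16 and printed mojibake; the real
        // values are given here.
        $a_01_6  = {4e 61 6d 65 64 50 69 70 65 53 65 72 76 65 72 53 74 72 65 61 6d 00 } // NamedPipeServerStream\0 (SMB/named-pipe peer-to-peer comms)
        $a_01_7  = {4e 61 6d 65 64 50 69 70 65 43 6c 69 65 6e 74 53 74 72 65 61 6d 00 } // NamedPipeClientStream\0
        $a_01_8  = {46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 00 } // FromBase64String\0
        $a_00_9  = {73 65 74 5f 55 70 73 74 72 65 61 6d 4d 65 73 73 65 6e 67 65 72 00 } // set_UpstreamMessenger\0 (property setter)
        $a_00_10 = {47 72 75 6e 74 54 61 73 6b } // GruntTask

        // Base64 of the header name "User-Agent"; the implant keeps it encoded
        // rather than as a plain literal.
        $a_81_11 = {56 58 4e 6c 63 69 31 42 5a 32 56 75 64 41 3d 3d } // VXNlci1BZ2VudA==

    condition:
        // Every string carries weight 1 and the threshold is 11 of 12.
        // The generated form summed (#s & 1) per string, which is a parity
        // test, not a presence test: a string occurring an even number of
        // times contributed 0 and could push a true positive below the
        // threshold. "11 of them" is the presence semantics the original
        // Defender signature expresses.
        11 of them
}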