DefenderYara/Worm/Win32/Simpan/Worm_Win32_Simpan_A.yar


rule Worm_Win32_Simpan_A{
// Auto-converted Microsoft Defender signature (DefenderYara corpus) for
// Worm:Win32/Simpan.A. Every atom below is a UTF-16LE ("wide") string written as
// a hex byte sequence; the trailing comment on each line carries the decoded text.
//
// Header bytes in `description`, "50 00 28 00 2b 00 00 01 00": 0x2b = 43 matches the
// number of $a_* strings ($a_01_0 .. $a_01_42). 0x50 (80) and 0x28 (40) are presumably
// the source signature's match thresholds, and the "//NN 00" suffix on each string
// line appears to be a per-string weight (1 or 5) -- NOTE(review): confirm both
// against the converter's documentation; the condition of this rule does not use them.
//
// NOTE(review): the VBScript atoms ($a_01_2 .. $a_01_8, $a_01_23) contain the literal
// byte sequence "@-@" (40 00 2d 00 40 00) where script source would normally carry a
// double quote. Whether the sample really uses that token or the converter substituted
// it should be confirmed against a sample before relying on those atoms.
//
// $a_01_14 .. $a_01_22, $a_01_24 .. $a_01_26 and $a_01_39 .. $a_01_42 are obfuscated by
// the worm itself: each character is shifted by +3 over the ASCII range ('\' -> '_',
// ' ' -> '#', ':' -> '='). Decoding them shows what the signature keys on:
//   GlvdeohFPG / GlvdeohUhjlvwu|Wrrov / GlvdeohWdvnPju
//     -> DisableCMD / DisableRegistryTools / DisableTaskMgr (policy value names)
//   QrIroghuRswlrqv -> NoFolderOptions
//   vriwzduh_plfurvriw_zlqgrzv_fxuuhqwyhuvlrq_uxq
//     -> software\microsoft\windows\currentversion\run (autostart key)
//   ..._Srolflhv_H{soruhu / ..._Srolflhv_V|vwhp -> ...\Policies\Explorer / ...\Policies\System
//   F=_Zlqgrzv -> C:\Windows ; F=_ZLQGRZV_SLI -> C:\WINDOWS\PIF ; F=_ZLQGRZV_MDYD -> C:\WINDOWS\JAVA
//   $a_01_26 -> a ';'-separated list of security-product and admin-tool names
//     (NORTON;AVG;...;CMD;CONTROL;...), presumably names the worm checks for.
meta:
description = "Worm:Win32/Simpan.A,SIGNATURE_TYPE_PEHSTR,50 00 28 00 2b 00 00 01 00 "
strings :
// Plain-text droppers, file names and VBScript fragments.
$a_01_0 = {5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 2e 00 73 00 79 00 73 00 } //01 00 \System.sys
$a_01_1 = {61 00 74 00 20 00 2f 00 64 00 65 00 6c 00 65 00 74 00 65 00 20 00 2f 00 79 00 } //01 00 at /delete /y
$a_01_2 = {46 00 53 00 75 00 6d 00 3d 00 72 00 65 00 70 00 6c 00 61 00 63 00 65 00 28 00 46 00 53 00 75 00 6d 00 2c 00 40 00 2d 00 40 00 2e 00 48 00 54 00 4d 00 40 00 2d 00 40 00 2c 00 40 00 2d 00 40 00 40 00 2d 00 40 00 29 00 } //01 00 FSum=replace(FSum,@-@.HTM@-@,@-@@-@)
$a_01_3 = {46 00 53 00 75 00 6d 00 3d 00 72 00 65 00 70 00 6c 00 61 00 63 00 65 00 28 00 46 00 53 00 75 00 6d 00 2c 00 40 00 2d 00 40 00 2e 00 48 00 54 00 4d 00 4c 00 40 00 2d 00 40 00 2c 00 40 00 2d 00 40 00 40 00 2d 00 40 00 29 00 } //01 00 FSum=replace(FSum,@-@.HTML@-@,@-@@-@)
$a_01_4 = {46 00 53 00 75 00 6d 00 3d 00 72 00 65 00 70 00 6c 00 61 00 63 00 65 00 28 00 46 00 53 00 75 00 6d 00 2c 00 40 00 2d 00 40 00 2f 00 40 00 2d 00 40 00 2c 00 40 00 2d 00 40 00 40 00 2d 00 40 00 29 00 } //01 00 FSum=replace(FSum,@-@/@-@,@-@@-@)
$a_01_5 = {46 00 53 00 75 00 6d 00 3d 00 72 00 65 00 70 00 6c 00 61 00 63 00 65 00 28 00 6c 00 6f 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 70 00 61 00 74 00 68 00 6e 00 61 00 6d 00 65 00 2c 00 40 00 2d 00 40 00 25 00 32 00 30 00 40 00 2d 00 40 00 2c 00 40 00 2d 00 40 00 20 00 40 00 2d 00 40 00 29 00 } //01 00 FSum=replace(location.pathname,@-@%20@-@,@-@ @-@)
$a_01_6 = {53 00 65 00 74 00 20 00 57 00 53 00 48 00 53 00 68 00 65 00 6c 00 6c 00 20 00 3d 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 4f 00 62 00 6a 00 65 00 63 00 74 00 28 00 40 00 2d 00 40 00 57 00 53 00 63 00 72 00 69 00 70 00 74 00 2e 00 53 00 68 00 65 00 6c 00 6c 00 40 00 2d 00 40 00 29 00 } //01 00 Set WSHShell = CreateObject(@-@WScript.Shell@-@)
$a_01_7 = {56 00 61 00 67 00 4e 00 50 00 61 00 74 00 68 00 30 00 2e 00 74 00 78 00 74 00 3b 00 3b 00 3b 00 56 00 61 00 67 00 4e 00 50 00 61 00 74 00 68 00 31 00 2e 00 74 00 78 00 74 00 3b 00 3b 00 3b 00 56 00 61 00 67 00 4e 00 50 00 61 00 74 00 68 00 32 00 2e 00 74 00 78 00 74 00 3b 00 3b 00 3b 00 56 00 61 00 67 00 4e 00 50 00 61 00 74 00 68 00 33 00 2e 00 74 00 78 00 74 00 } //05 00 VagNPath0.txt;;;VagNPath1.txt;;;VagNPath2.txt;;;VagNPath3.txt
$a_01_8 = {57 00 53 00 48 00 53 00 68 00 65 00 6c 00 6c 00 2e 00 52 00 75 00 6e 00 20 00 43 00 68 00 72 00 28 00 33 00 34 00 29 00 20 00 26 00 20 00 46 00 53 00 75 00 6d 00 20 00 26 00 20 00 40 00 2d 00 40 00 5f 00 66 00 69 00 6c 00 65 00 73 00 5c 00 49 00 6d 00 61 00 67 00 65 00 31 00 2e 00 73 00 63 00 72 00 40 00 2d 00 40 00 20 00 26 00 20 00 43 00 68 00 72 00 28 00 33 00 34 00 29 00 } //05 00 WSHShell.Run Chr(34) & FSum & @-@_files\Image1.scr@-@ & Chr(34)
$a_01_9 = {5c 00 49 00 4e 00 44 00 4f 00 4e 00 45 00 53 00 49 00 41 00 2d 00 52 00 41 00 59 00 41 00 2d 00 49 00 4e 00 44 00 4f 00 4e 00 45 00 53 00 49 00 41 00 2d 00 4d 00 45 00 52 00 44 00 45 00 4b 00 41 00 2d 00 31 00 37 00 2d 00 41 00 47 00 55 00 53 00 54 00 55 00 53 00 2d 00 31 00 39 00 34 00 35 00 2e 00 49 00 4e 00 46 00 } //01 00 \INDONESIA-RAYA-INDONESIA-MERDEKA-17-AGUSTUS-1945.INF
$a_01_10 = {5c 00 56 00 61 00 67 00 45 00 6d 00 4f 00 2d 00 } //01 00 \VagEmO-
$a_01_11 = {5c 00 56 00 61 00 67 00 45 00 6d 00 4f 00 45 00 2d 00 } //01 00 \VagEmOE-
$a_01_12 = {5c 00 56 00 61 00 67 00 4f 00 6b 00 53 00 65 00 6e 00 64 00 2d 00 } //01 00 \VagOkSend-
$a_01_13 = {5c 00 56 00 61 00 67 00 53 00 4b 00 43 00 6f 00 6e 00 2e 00 76 00 62 00 73 00 } //05 00 \VagSKCon.vbs
// +3-shifted (obfuscated) atoms; see the header comment for the decoded values.
$a_01_14 = {64 00 77 00 23 00 34 00 3c 00 3d 00 33 00 33 00 23 00 32 00 68 00 79 00 68 00 75 00 7c 00 3d 00 50 00 2f 00 57 00 2f 00 5a 00 2f 00 57 00 6b 00 2f 00 49 00 2f 00 56 00 2f 00 56 00 78 00 23 00 46 00 3d 00 5f 00 5a 00 6c 00 71 00 67 00 72 00 7a 00 76 00 5f 00 53 00 4c 00 49 00 5f 00 46 00 59 00 57 00 36 00 35 00 31 00 73 00 6c 00 69 00 } //05 00 dw#4<=33#2hyhu|=P/W/Z/Wk/I/V/Vx#F=_Zlqgrzv_SLI_FYW651sli
$a_01_15 = {46 00 3d 00 5f 00 59 00 64 00 6a 00 64 00 71 00 7d 00 64 00 62 00 72 00 7b 00 34 00 67 00 64 00 31 00 77 00 7b 00 77 00 } //05 00 F=_Ydjdq}dbr{4gd1w{w
$a_01_16 = {46 00 3d 00 5f 00 59 00 64 00 6a 00 64 00 71 00 7d 00 64 00 62 00 72 00 7b 00 34 00 67 00 64 00 62 00 4f 00 68 00 7a 00 64 00 77 00 6c 00 62 00 46 00 72 00 73 00 7c 00 50 00 64 00 76 00 76 00 64 00 6f 00 31 00 77 00 7b 00 77 00 } //05 00 F=_Ydjdq}dbr{4gdbOhzdwlbFrs|Pdvvdo1w{w
$a_01_17 = {46 00 3d 00 5f 00 5a 00 6c 00 71 00 67 00 72 00 7a 00 76 00 } //05 00 F=_Zlqgrzv
$a_01_18 = {46 00 3d 00 5f 00 5a 00 4c 00 51 00 47 00 52 00 5a 00 56 00 5f 00 4d 00 44 00 59 00 44 00 } //05 00 F=_ZLQGRZV_MDYD
$a_01_19 = {46 00 3d 00 5f 00 5a 00 4c 00 51 00 47 00 52 00 5a 00 56 00 5f 00 53 00 4c 00 49 00 } //05 00 F=_ZLQGRZV_SLI
$a_01_20 = {47 00 6c 00 76 00 64 00 65 00 6f 00 68 00 46 00 50 00 47 00 } //05 00 GlvdeohFPG
$a_01_21 = {47 00 6c 00 76 00 64 00 65 00 6f 00 68 00 55 00 68 00 6a 00 6c 00 76 00 77 00 75 00 7c 00 57 00 72 00 72 00 6f 00 76 00 } //05 00 GlvdeohUhjlvwu|Wrrov
$a_01_22 = {47 00 6c 00 76 00 64 00 65 00 6f 00 68 00 57 00 64 00 76 00 6e 00 50 00 6a 00 75 00 } //05 00 GlvdeohWdvnPju
$a_01_23 = {4d 00 73 00 67 00 42 00 6f 00 78 00 20 00 40 00 2d 00 40 00 59 00 6f 00 75 00 20 00 4d 00 75 00 73 00 74 00 20 00 43 00 6c 00 69 00 63 00 6b 00 20 00 40 00 2d 00 40 00 20 00 26 00 20 00 43 00 68 00 72 00 28 00 33 00 34 00 29 00 20 00 26 00 20 00 40 00 2d 00 40 00 59 00 45 00 53 00 40 00 2d 00 40 00 20 00 26 00 20 00 43 00 68 00 72 00 28 00 33 00 34 00 29 00 20 00 26 00 20 00 40 00 2d 00 40 00 20 00 74 00 6f 00 20 00 45 00 6e 00 61 00 62 00 6c 00 65 00 20 00 54 00 68 00 65 00 20 00 41 00 63 00 74 00 69 00 76 00 65 00 58 00 20 00 69 00 6e 00 20 00 54 00 68 00 69 00 73 00 20 00 53 00 65 00 63 00 75 00 72 00 65 00 20 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 40 00 2d 00 40 00 } //05 00 MsgBox @-@You Must Click @-@ & Chr(34) & @-@YES@-@ & Chr(34) & @-@ to Enable The ActiveX in This Secure Document@-@
$a_01_24 = {50 00 4c 00 46 00 55 00 52 00 56 00 52 00 49 00 57 00 3e 00 44 00 47 00 52 00 45 00 48 00 3e 00 44 00 46 00 55 00 52 00 45 00 44 00 57 00 } //05 00 PLFURVRIW>DGREH>DFUREDW
$a_01_25 = {51 00 72 00 49 00 72 00 6f 00 67 00 68 00 75 00 52 00 73 00 77 00 6c 00 72 00 71 00 76 00 } //05 00 QrIroghuRswlrqv
$a_01_26 = {51 00 52 00 55 00 57 00 52 00 51 00 3e 00 44 00 59 00 4a 00 3e 00 46 00 4c 00 4f 00 4f 00 4c 00 51 00 3e 00 53 00 44 00 51 00 47 00 44 00 3e 00 51 00 44 00 59 00 3e 00 50 00 46 00 44 00 49 00 3e 00 56 00 46 00 44 00 51 00 3e 00 59 00 4c 00 55 00 58 00 56 00 3e 00 53 00 48 00 55 00 56 00 4e 00 5c 00 3e 00 59 00 44 00 4e 00 56 00 4c 00 51 00 3e 00 55 00 48 00 4a 00 4c 00 56 00 57 00 55 00 5c 00 3e 00 57 00 44 00 56 00 4e 00 3e 00 4d 00 44 00 59 00 44 00 3e 00 46 00 52 00 51 00 49 00 4c 00 4a 00 58 00 55 00 44 00 57 00 4c 00 52 00 51 00 3e 00 46 00 52 00 50 00 50 00 44 00 51 00 47 00 3e 00 46 00 50 00 47 00 3e 00 46 00 52 00 51 00 57 00 55 00 52 00 4f 00 3e 00 56 00 48 00 44 00 } //01 00 QRUWRQ>DYJ>FLOOLQ>SDQGD>QDY>PFDI>VFDQ>YLUXV>SHUVN\>YDNVLQ>UHJLVWU\>WDVN>MDYD>FRQILJXUDWLRQ>FRPPDQG>FPG>FRQWURO>VHD
// Plain-text component / artifact names ("Vag*" family).
$a_01_27 = {56 00 61 00 67 00 41 00 67 00 65 00 6e 00 74 00 2d 00 } //01 00 VagAgent-
$a_01_28 = {56 00 61 00 67 00 45 00 6d 00 4f 00 2d 00 } //01 00 VagEmO-
$a_01_29 = {56 00 61 00 67 00 45 00 6d 00 4f 00 45 00 2d 00 } //01 00 VagEmOE-
$a_01_30 = {56 00 61 00 67 00 46 00 6f 00 6c 00 64 00 4e 00 65 00 74 00 44 00 6f 00 6d 00 4c 00 69 00 73 00 74 00 2e 00 64 00 72 00 76 00 } //01 00 VagFoldNetDomList.drv
$a_01_31 = {56 00 61 00 67 00 49 00 6e 00 66 00 65 00 6b 00 2e 00 65 00 78 00 65 00 } //01 00 VagInfek.exe
$a_01_32 = {56 00 61 00 67 00 4c 00 6f 00 61 00 64 00 44 00 6f 00 63 00 2d 00 } //01 00 VagLoadDoc-
$a_01_33 = {56 00 61 00 67 00 4d 00 61 00 69 00 6c 00 2d 00 } //01 00 VagMail-
$a_01_34 = {56 00 61 00 67 00 4e 00 65 00 74 00 44 00 6f 00 6d 00 4c 00 69 00 73 00 74 00 2e 00 62 00 61 00 74 00 } //01 00 VagNetDomList.bat
$a_01_35 = {56 00 61 00 67 00 4e 00 50 00 61 00 74 00 68 00 } //01 00 VagNPath
$a_01_36 = {56 00 61 00 67 00 4e 00 50 00 61 00 74 00 68 00 30 00 2e 00 74 00 78 00 74 00 } //01 00 VagNPath0.txt
$a_01_37 = {56 00 61 00 67 00 52 00 65 00 6d 00 2e 00 49 00 6e 00 64 00 6f 00 } //01 00 VagRem.Indo
$a_01_38 = {56 00 67 00 4e 00 50 00 61 00 74 00 68 00 48 00 74 00 6d 00 6c 00 2e 00 74 00 78 00 74 00 } //05 00 VgNPathHtml.txt
// +3-shifted registry paths (Internet Explorer\Main, Policies\Explorer, Policies\System, CurrentVersion\Run).
$a_01_39 = {76 00 72 00 69 00 77 00 7a 00 64 00 75 00 68 00 5f 00 70 00 6c 00 66 00 75 00 72 00 76 00 72 00 69 00 77 00 5f 00 4c 00 71 00 77 00 68 00 75 00 71 00 68 00 77 00 23 00 48 00 7b 00 73 00 6f 00 72 00 75 00 68 00 75 00 5f 00 50 00 64 00 6c 00 71 00 } //05 00 vriwzduh_plfurvriw_Lqwhuqhw#H{soruhu_Pdlq
$a_01_40 = {76 00 72 00 69 00 77 00 7a 00 64 00 75 00 68 00 5f 00 70 00 6c 00 66 00 75 00 72 00 76 00 72 00 69 00 77 00 5f 00 7a 00 6c 00 71 00 67 00 72 00 7a 00 76 00 5f 00 66 00 78 00 75 00 75 00 68 00 71 00 77 00 79 00 68 00 75 00 76 00 6c 00 72 00 71 00 5f 00 53 00 72 00 6f 00 6c 00 66 00 6c 00 68 00 76 00 5f 00 48 00 7b 00 73 00 6f 00 72 00 75 00 68 00 75 00 } //05 00 vriwzduh_plfurvriw_zlqgrzv_fxuuhqwyhuvlrq_Srolflhv_H{soruhu
$a_01_41 = {76 00 72 00 69 00 77 00 7a 00 64 00 75 00 68 00 5f 00 70 00 6c 00 66 00 75 00 72 00 76 00 72 00 69 00 77 00 5f 00 7a 00 6c 00 71 00 67 00 72 00 7a 00 76 00 5f 00 66 00 78 00 75 00 75 00 68 00 71 00 77 00 79 00 68 00 75 00 76 00 6c 00 72 00 71 00 5f 00 53 00 72 00 6f 00 6c 00 66 00 6c 00 68 00 76 00 5f 00 56 00 7c 00 76 00 77 00 68 00 70 00 } //05 00 vriwzduh_plfurvriw_zlqgrzv_fxuuhqwyhuvlrq_Srolflhv_V|vwhp
$a_01_42 = {76 00 72 00 69 00 77 00 7a 00 64 00 75 00 68 00 5f 00 70 00 6c 00 66 00 75 00 72 00 76 00 72 00 69 00 77 00 5f 00 7a 00 6c 00 71 00 67 00 72 00 7a 00 76 00 5f 00 66 00 78 00 75 00 75 00 68 00 71 00 77 00 79 00 68 00 75 00 76 00 6c 00 72 00 71 00 5f 00 75 00 78 00 71 00 } //00 00 vriwzduh_plfurvriw_zlqgrzv_fxuuhqwyhuvlrq_uxq
condition:
// NOTE(review): `any of` fires on a single atom. Short, generic atoms such as $a_01_0
// (\System.sys), $a_01_1 (at /delete /y), $a_01_6 (Set WSHShell = CreateObject(...))
// and $a_01_35 (VagNPath) can legitimately occur in benign scripts and admin tooling,
// so expect false positives when this rule is run outside a Defender-style weighted
// evaluation. If the per-string weights in the trailing comments are confirmed, a
// weighted sum compared against the header threshold would be the faithful condition;
// until then, single-atom hits on the generic strings should be triaged manually,
// while hits on the +3-shifted atoms ($a_01_14 .. $a_01_22, $a_01_39 .. $a_01_42) are
// much more specific to this family.
any of ($a_*)
}