17 lines
1.8 KiB
Plaintext
17 lines
1.8 KiB
Plaintext
|
|
rule TrojanDownloader_Win32_Delf_ZDE{
|
|
meta:
|
|
description = "TrojanDownloader:Win32/Delf.ZDE,SIGNATURE_TYPE_PEHSTR,0a 00 0a 00 07 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {3f 00 00 6d 6d 6d 6d 20 64 2c 20 79 79 79 79 00 00 00 00 04 a6 40 00 04 a6 40 00 60 3f 00 00 61 6d 00 00 04 a6 40 00 04 a6 40 00 50 3f 00 00 70 6d 00 00 04 a6 40 00 04 a6 40 00 40 3f 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 53 59 53 54 45 4d 33 32 5c 6b 65 72 6e 65 6c 33 32 2e 65 78 65 30 00 00 00 1b 00 00 00 00 00 00 00 09 00 00 00 68 3a 6d 6d 20 41 4d 50 4d 00 00 00 04 a6 40 00 04 a6 40 00 f8 3e 00 00 68 3a 6d 6d 3a 73 73 20 41 4d 50 4d 00 00 00 00 04 a6 40 00 04 a6 40 00 dc } //02 00
|
|
$a_01_1 = {3e 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 53 59 53 54 45 20 00 00 00 27 00 00 00 00 00 00 00 14 00 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 53 59 53 54 45 4d 33 32 5c 00 00 00 00 64 01 81 00 64 01 81 00 58 00 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 53 59 53 54 45 4d 33 32 5c 63 6d 64 2e 65 78 65 00 3c 00 81 00 bc 00 81 00 30 00 00 00 43 3a 5c 57 49 4e 44 4f 18 00 00 00 1b 00 00 00 00 } //02 00
|
|
$a_01_2 = {00 00 00 0b 00 00 00 43 3a 5c 57 49 4e 44 4f 9c 00 00 00 27 00 00 00 00 00 00 00 14 00 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 6d 66 63 34 32 2e 65 78 65 00 00 40 00 04 a6 40 00 04 a6 40 00 1c 3e 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 53 59 53 54 45 4d 33 32 5c 63 6d 64 2e 65 78 65 00 04 a6 40 00 04 a6 40 00 f4 3d 00 00 04 a6 40 00 ec 3d 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 6b 65 72 6e 6c 33 32 2e 65 78 65 00 } //01 00
|
|
$a_01_3 = {47 65 74 53 74 61 72 74 75 70 49 6e 66 6f 41 } //01 00 GetStartupInfoA
|
|
$a_01_4 = {52 65 67 4f 70 65 6e 4b 65 79 45 78 41 } //01 00 RegOpenKeyExA
|
|
$a_01_5 = {53 74 61 72 74 53 65 72 76 69 63 65 41 } //01 00 StartServiceA
|
|
$a_01_6 = {47 65 74 57 69 6e 64 6f 77 73 44 69 72 65 63 74 6f 72 79 41 } //00 00 GetWindowsDirectoryA
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |