
// Microsoft Defender signature TrojanDownloader:Win32/Vimponey.A, converted to
// YARA. The meta description keeps the original signature type
// (SIGNATURE_TYPE_PEHSTR_EXT) and its raw parameter bytes.
//
// How it matches: each $a_* string is a byte pattern the rule looks for, and
// the condition adds a per-string weight for every pattern found; a file is
// flagged when the total reaches 70 of a possible 80.
//
// String naming: $a_00_* are UTF-16LE (wide) byte sequences, $a_01_* are
// single-byte ASCII. The trailing "//<weight> <text>" comment on each string
// gives its weight in the condition and its decoded text.
rule TrojanDownloader_Win32_Vimponey_A{
meta:
// "50 00 46 00" is 0x50 = 80 and 0x46 = 70 - the same numbers as the maximum
// score and the >=70 threshold in the condition below. Presumably the converter
// carried them over from the original signature's parameters; confirm.
description = "TrojanDownloader:Win32/Vimponey.A,SIGNATURE_TYPE_PEHSTR_EXT,50 00 46 00 20 00 00 "
strings :
// File and process names. Note the lookalike spellings ("Exp1orer" with a
// digit one, "ntdll.d11" below) that mimic legitimate Windows file names.
$a_00_0 = {49 00 6e 00 74 00 65 00 72 00 6e 00 65 00 74 00 20 00 45 00 78 00 70 00 31 00 6f 00 72 00 65 00 72 00 2e 00 6c 00 6e 00 6b 00 } //8 Internet Exp1orer.lnk
$a_00_1 = {6e 00 74 00 66 00 73 00 2e 00 73 00 79 00 73 00 } //1 ntfs.sys
$a_00_2 = {62 00 63 00 2e 00 73 00 79 00 73 00 } //1 bc.sys
$a_00_3 = {62 00 6f 00 6f 00 74 00 73 00 61 00 66 00 65 00 2e 00 73 00 79 00 73 00 } //1 bootsafe.sys
$a_00_4 = {54 00 54 00 72 00 61 00 76 00 65 00 6c 00 65 00 72 00 2e 00 65 00 78 00 65 00 } //4 TTraveler.exe
$a_00_5 = {6b 00 73 00 6d 00 67 00 75 00 69 00 2e 00 65 00 78 00 65 00 } //5 ksmgui.exe
$a_00_6 = {33 00 36 00 30 00 73 00 65 00 2e 00 65 00 78 00 65 00 } //2 360se.exe
// ASCII (not wide) - a common name on its own, hence the low weight of 1.
$a_01_7 = {6e 74 6f 73 6b 72 6e 6c 2e 65 78 65 } //1 ntoskrnl.exe
$a_00_8 = {5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 6e 00 74 00 64 00 6c 00 6c 00 2e 00 64 00 31 00 31 00 } //3 \SystemRoot\System32\ntdll.d11
// Two executable names with no separator between them, exactly as stored.
$a_00_9 = {65 00 6b 00 72 00 6e 00 2e 00 65 00 78 00 65 00 65 00 67 00 75 00 69 00 2e 00 65 00 78 00 65 00 } //4 ekrn.exeegui.exe
// Registry paths in native (object-manager) form, with "*" as a literal character.
$a_00_10 = {5c 00 52 00 45 00 47 00 49 00 53 00 54 00 52 00 59 00 5c 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 2a 00 5c 00 52 00 6f 00 6f 00 74 00 } //2 \REGISTRY\MACHINE\SYSTEM\*\Root
$a_00_11 = {5c 00 72 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 5c 00 75 00 73 00 65 00 72 00 5c 00 2a 00 5c 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 49 00 6e 00 74 00 65 00 72 00 6e 00 65 00 74 00 20 00 45 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 5c 00 4d 00 61 00 69 00 6e 00 } //2 \registry\user\*\Software\Microsoft\Internet Explorer\Main
$a_00_12 = {5c 00 52 00 45 00 47 00 49 00 53 00 54 00 52 00 59 00 5c 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 2a 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 } //2 \REGISTRY\MACHINE\SYSTEM\*\Services
$a_00_13 = {5c 00 52 00 45 00 47 00 49 00 53 00 54 00 52 00 59 00 5c 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 5c 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 2a 00 4d 00 41 00 43 00 50 00 49 00 45 00 54 00 } //4 \REGISTRY\MACHINE\SYSTEM\*MACPIET
// Native / kernel-mode API names (ASCII, as they would appear in an import
// table or a string the code resolves at run time).
$a_01_14 = {5a 77 43 72 65 61 74 65 53 65 63 74 69 6f 6e } //3 ZwCreateSection
$a_01_15 = {4d 6d 4d 61 70 56 69 65 77 4f 66 53 65 63 74 69 6f 6e } //1 MmMapViewOfSection
$a_01_16 = {57 72 69 74 65 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 } //2 WriteProcessMemory
$a_01_17 = {5a 77 4c 6f 61 64 44 72 69 76 65 72 } //4 ZwLoadDriver
// Network indicators: hard-coded domains and HTTP request fragments. Useful as
// pivots for proxy/DNS log searches; note the unusual Accept value in $a_01_22.
$a_01_18 = {77 77 77 2e 75 6e 69 6f 6e 38 38 38 2e 63 6f 6d } //2 www.union888.com
$a_00_19 = {68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 77 00 77 00 2e 00 6b 00 75 00 6b 00 75 00 35 00 33 00 30 00 2e 00 63 00 6f 00 6d 00 2f 00 3f 00 } //3 http://www.kuku530.com/?
$a_01_20 = {55 52 4c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 6b 75 6b 75 35 33 30 2e 63 6f 6d 2f 3f 46 61 76 6f 72 69 74 65 73 } //1 URL=http://www.kuku530.com/?Favorites
$a_01_21 = {50 4f 53 54 20 2f 63 63 2e 61 73 70 78 20 48 54 54 50 2f 31 2e 30 } //3 POST /cc.aspx HTTP/1.0
$a_01_22 = {41 63 63 65 70 74 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 20 6d 6f 6e 65 79 2f 72 6d 62 } //1 Accept: text/html, money/rmb
// Short wide identifiers. NTICE / SYSERBOOT / ICEEXT resemble the driver
// names of a legacy kernel debugger - presumably a debugger-presence check;
// not verifiable from this rule alone.
$a_00_23 = {4e 00 54 00 49 00 43 00 45 00 } //3 NTICE
$a_00_24 = {53 00 59 00 53 00 45 00 52 00 42 00 4f 00 4f 00 54 00 } //4 SYSERBOOT
$a_00_25 = {49 00 43 00 45 00 45 00 58 00 54 00 } //3 ICEEXT
$a_00_26 = {6c 00 65 00 67 00 61 00 63 00 79 00 5f 00 } //2 legacy_
// One long "|"-separated table of DLL names, API names, domains and an INI
// section header, matched as a single contiguous ASCII string.
$a_01_27 = {6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 7c 75 73 65 72 33 32 2e 64 6c 6c 7c 44 6e 73 61 70 69 2e 64 6c 6c 7c 57 73 32 5f 33 32 2e 64 6c 6c 7c 50 53 41 50 49 2e 44 4c 4c 7c 57 53 4f 43 4b 33 32 2e 44 4c 4c 7c 73 68 6c 77 61 70 69 2e 64 6c 6c 7c 77 73 70 72 69 6e 74 66 41 7c 47 65 74 4d 6f 64 75 6c 65 42 61 73 65 4e 61 6d 65 57 7c 44 6e 73 51 75 65 72 79 5f 57 7c 53 48 47 65 74 56 61 6c 75 65 41 7c 53 48 53 65 74 56 61 6c 75 65 41 7c 6e 31 2e 68 61 6f 64 65 38 31 2e 63 6f 6d 7c 6e 32 2e 68 61 6f 64 65 38 31 2e 63 6f 6d 7c 77 77 77 2e 6b 75 6b 75 35 33 30 2e 63 6f 6d 7c 2e 6b 75 6b 75 35 33 30 2e 7c 2e 67 6f 6f 67 6c 65 73 79 6e 64 69 63 61 74 69 6f 6e 2e 7c 65 73 65 74 2e 7c 5b 49 6e 74 65 72 6e 65 74 53 68 6f 72 74 63 75 74 5d } //3 kernel32.dll|user32.dll|Dnsapi.dll|Ws2_32.dll|PSAPI.DLL|WSOCK32.DLL|shlwapi.dll|wsprintfA|GetModuleBaseNameW|DnsQuery_W|SHGetValueA|SHSetValueA|n1.haode81.com|n2.haode81.com|www.kuku530.com|.kuku530.|.googlesyndication.|eset.|[InternetShortcut]
// Path template and printf-style HTTP header formats ("%s" is literal here).
$a_01_28 = {7c 55 53 45 52 50 52 4f 46 49 4c 45 7c 5c 46 61 76 6f 72 69 74 65 73 5c } //2 |USERPROFILE|\Favorites\
$a_01_29 = {48 4f 53 54 3a 20 25 73 } //1 HOST: %s
$a_01_30 = {45 54 61 67 3a 20 25 73 } //1 ETag: %s
// ".vmp1" looks like a packer section name - presumably VMProtect; unverified.
$a_01_31 = {2e 76 6d 70 31 } //1 .vmp1
condition:
// Weighted score. #a_x is the number of times string x matched, and (#a_x & 1)
// is 1 only when that count is odd; for a string seen exactly once this is the
// same as "present", which is presumably the intended reading. NOTE(review):
// a string that occurs an even number of times contributes 0, so a file holding
// every artefact can still score below 70 - confirm this matches the intended
// semantics before relying on the rule for coverage. Weights sum to 80.
((#a_00_0 & 1)*8+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1+(#a_00_4 & 1)*4+(#a_00_5 & 1)*5+(#a_00_6 & 1)*2+(#a_01_7 & 1)*1+(#a_00_8 & 1)*3+(#a_00_9 & 1)*4+(#a_00_10 & 1)*2+(#a_00_11 & 1)*2+(#a_00_12 & 1)*2+(#a_00_13 & 1)*4+(#a_01_14 & 1)*3+(#a_01_15 & 1)*1+(#a_01_16 & 1)*2+(#a_01_17 & 1)*4+(#a_01_18 & 1)*2+(#a_00_19 & 1)*3+(#a_01_20 & 1)*1+(#a_01_21 & 1)*3+(#a_01_22 & 1)*1+(#a_00_23 & 1)*3+(#a_00_24 & 1)*4+(#a_00_25 & 1)*3+(#a_00_26 & 1)*2+(#a_01_27 & 1)*3+(#a_01_28 & 1)*2+(#a_01_29 & 1)*1+(#a_01_30 & 1)*1+(#a_01_31 & 1)*1) >=70
}