DefenderYara/Backdoor/Win32/Bifrose/Backdoor_Win32_Bifrose.yar


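// Backdoor:Win32/Bifrose — YARA translation of a Microsoft Defender
// PEHSTR_EXT signature (the raw signature header is kept in `description`).
//
// Indicator groups:
//   $a_00_0..3   registry paths (IE App Paths, Internet Settings,
//                Internet Account Manager\Accounts, HTTP shell\open\command)
//   $a_01_4..10  imported API names: connectivity check, webcam capture,
//                token privilege adjustment, CreateRemoteThread +
//                WriteProcessMemory (remote-process injection primitives),
//                network resource enumeration
//   $a_01_11..13 "POP3 Password" / "HTTPMail Password" / "HTTPMail User Name"
//                value names — presumably mail credential fields under the
//                Accounts key above; confirm against a sample
//
// NOTE(review): the header "0e 00 0e 00 0e 00" sits next to exactly 14
// strings, each annotated "01 00"; that reads as a 14-of-14 weighted
// threshold, i.e. the original Defender signature appears to require every
// string.  The auto-converted condition was `any of ($a_*)`, which fires on
// a single hit — and several strings here (the Internet Settings and App
// Paths keys, InternetGetConnectedState, SHGetSpecialFolderPathA,
// AdjustTokenPrivileges) occur in plenty of legitimate software, so that
// condition is a false-positive generator and unsafe for blocking.  The
// condition below requires a PE (MZ) file and all indicators; relax it to
// `N of ($a_*)` only after measuring hit rates against a clean corpus.
rule Backdoor_Win32_Bifrose
{
    meta:
        description = "Backdoor:Win32/Bifrose,SIGNATURE_TYPE_PEHSTR_EXT,0e 00 0e 00 0e 00 00 01 00 "

    strings:
        // --- registry paths (raw bytes; weight 01 00 each in the source signature) ---
        $a_00_0 = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 41 70 70 20 50 61 74 68 73 5c 69 65 78 70 6c 6f 72 65 2e 65 78 65 } //01 00 SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe
        $a_00_1 = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 49 6e 74 65 72 6e 65 74 20 53 65 74 74 69 6e 67 73 } //01 00 SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
        $a_00_2 = {53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 49 6e 74 65 72 6e 65 74 20 41 63 63 6f 75 6e 74 20 4d 61 6e 61 67 65 72 5c 41 63 63 6f 75 6e 74 73 } //01 00 Software\Microsoft\Internet Account Manager\Accounts
        $a_00_3 = {53 4f 46 54 57 41 52 45 5c 43 6c 61 73 73 65 73 5c 48 54 54 50 5c 73 68 65 6c 6c 5c 6f 70 65 6e 5c 63 6f 6d 6d 61 6e 64 } //01 00 SOFTWARE\Classes\HTTP\shell\open\command

        // --- imported API names ---
        $a_01_4 = {49 6e 74 65 72 6e 65 74 47 65 74 43 6f 6e 6e 65 63 74 65 64 53 74 61 74 65 } //01 00 InternetGetConnectedState
        $a_01_5 = {63 61 70 43 72 65 61 74 65 43 61 70 74 75 72 65 57 69 6e 64 6f 77 41 } //01 00 capCreateCaptureWindowA
        $a_01_6 = {53 48 47 65 74 53 70 65 63 69 61 6c 46 6f 6c 64 65 72 50 61 74 68 41 } //01 00 SHGetSpecialFolderPathA
        $a_01_7 = {41 64 6a 75 73 74 54 6f 6b 65 6e 50 72 69 76 69 6c 65 67 65 73 } //01 00 AdjustTokenPrivileges
        $a_01_8 = {43 72 65 61 74 65 52 65 6d 6f 74 65 54 68 72 65 61 64 } //01 00 CreateRemoteThread
        $a_01_9 = {57 72 69 74 65 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 } //01 00 WriteProcessMemory
        $a_01_10 = {57 4e 65 74 45 6e 75 6d 52 65 73 6f 75 72 63 65 41 } //01 00 WNetEnumResourceA

        // --- mail credential value names ---
        $a_01_11 = {50 4f 50 33 20 50 61 73 73 77 6f 72 64 } //01 00 POP3 Password
        $a_01_12 = {48 54 54 50 4d 61 69 6c 20 50 61 73 73 77 6f 72 64 } //01 00 HTTPMail Password
        // two adjacent NUL-terminated strings: "Hotmail\0HTTPMail User Name"
        $a_01_13 = {48 6f 74 6d 61 69 6c 00 48 54 54 50 4d 61 69 6c 20 55 73 65 72 20 4e 61 6d 65 } //00 00

    condition:
        // MZ magic first so the string scan is limited to PE images, then every
        // indicator — mirrors the 14/14 weight threshold in the signature header.
        uint16(0) == 0x5A4D and all of ($a_*)
}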