DefenderYara/Backdoor/Win32/Craunpirp/Backdoor_Win32_Craunpirp_A.yar


// Converted Microsoft Defender signature (DefenderYara layout). The meta description keeps
// the original detection name plus the raw SIGNATURE_TYPE_PEHSTR_EXT header bytes, which
// are not interpreted by YARA.
rule Backdoor_Win32_Craunpirp_A{
meta:
description = "Backdoor:Win32/Craunpirp.A,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 05 00 00 02 00 "
strings :
// The trailing "//NN 00" comment on each string appears to be the per-string weight carried
// over from the Defender signature; the "any of" condition below does not use it.
// Code bytes: mov esi, 0x4e67c6a7 followed by a byte loop of shl 5 / shr 2 / add / add / xor
// into esi -- reads like a string-hashing routine, but that is inferred from the opcodes
// only; TODO confirm against a sample.
$a_01_0 = {be a7 c6 67 4e 85 ff 74 1c 53 8b 5d 08 0f b6 0b 8b d6 c1 e2 05 8b c6 c1 e8 02 03 d0 03 d1 33 f2 43 4f 75 e9 } //02 00
// NOTE(review): the "90 01 04" groups and the trailing "90 00" in the $a_03_* strings look
// like the Defender escape sequences (skip-4-bytes wildcard / end-of-pattern) rather than
// literal bytes. As written YARA matches them literally, so this string and $a_03_3
// presumably never hit and the rule effectively rests on the $a_01_* strings. Verify
// against a known sample and, if confirmed, express the wildcards as "[4]" jumps and drop
// the trailing "90 00".
$a_03_1 = {68 0c 00 00 08 50 50 50 ff 75 10 ff 75 08 ff 15 90 01 04 85 c0 0f 84 90 01 04 a1 90 01 04 85 c0 0f 85 90 01 04 8d 85 90 01 04 c7 85 90 01 04 07 00 01 00 90 00 } //01 00
// UTF-16LE "OLLYDBG.EXE", "ollydbg.exe", "Ollydbg.exe", "OllyDbg.exe", each followed by
// three 16-bit NULs. Consistent with a debugger-name lookup table (anti-analysis check),
// though that purpose is inferred from the strings alone.
$a_01_2 = {4f 00 4c 00 4c 00 59 00 44 00 42 00 47 00 2e 00 45 00 58 00 45 00 00 00 00 00 00 00 6f 00 6c 00 6c 00 79 00 64 00 62 00 67 00 2e 00 65 00 78 00 65 00 00 00 00 00 00 00 4f 00 6c 00 6c 00 79 00 64 00 62 00 67 00 2e 00 65 00 78 00 65 00 00 00 00 00 00 00 4f 00 6c 00 6c 00 79 00 44 00 62 00 67 00 2e 00 65 00 78 00 65 00 } //01 00
// Same escape-sequence caveat as $a_03_1. The loop body (mov al,[edx*4+disp] / xor [esi],al /
// inc esi / inc edx / cmp edx,8 / cmovge edx,eax / cmp [esi],al / jne) reads like a
// NUL-terminated XOR decode with an 8-entry key table -- TODO confirm.
$a_03_3 = {8b f1 8a 04 95 90 01 04 30 06 46 42 33 c0 83 fa 08 0f 4d d0 38 06 75 e9 90 00 } //03 00
// ASCII tokens "RT|", "FT|", "VI|", "VV|", "IP|", "CP|", "RP|", "RA|", "UN|", each preceded
// by a NUL. Short and generic; a hit on this string alone is weak evidence for the family.
$a_01_4 = {00 52 54 7c 00 46 54 7c 00 56 49 7c 00 56 56 7c 00 49 50 7c 00 43 50 7c 00 52 50 7c 00 52 41 7c 00 55 4e 7c 00 } //00 00
condition:
// NOTE(review): "any of" fires on a single string, including the generic $a_01_4 token list
// or the debugger-name table in $a_01_2, neither of which is unique to this family. The
// Defender header and the per-string weight comments suggest the source signature used a
// weighted threshold, so a weighted or "N of" condition would track it more closely and
// reduce false positives. Left unchanged here pending confirmation of the threshold
// semantics.
any of ($a_*)
}