DefenderYara/Backdoor/Win32/Cycbot/Backdoor_Win32_Cycbot_B.yar


// Backdoor:Win32/Cycbot.B -- mechanical conversion of a Microsoft Defender
// PEHSTR_EXT signature into YARA (DefenderYara project). The rule body is
// the converter's output; only the comments below were added on review.
//
// NOTE(review): the meta description keeps the original PEHSTR_EXT header
// ("05 00 05 00 1b 00 00 02 00") and each string's trailing "//NN 00"
// comment appears to be its original per-string weight; 0x1b = 27 strings,
// and the leading "05 00" values are presumably the match threshold(s) --
// confirm against the PEHSTR_EXT format. The YARA condition is `any of`,
// which discards that weighting entirely: one generic string on its own
// (e.g. "stor.cfg", "images/3521.jpg", "hwid=%s&id=%s", "LS_PING_TM")
// fires the rule. Expect false positives; treat a hit on a weight-1 string
// alone as low confidence, and tighten the condition (e.g. require one of
// the gbot/iamx C2 strings plus at least one more) before using it to block.
//
// NOTE(review): the $a_02_* / $a_03_* strings contain 90 01 NN, 90 02 NN,
// 90 03 .. and 90 00 byte runs that look like Defender's wildcard escapes
// (skip N bytes / skip up to N / alternation / end-of-pattern) left
// untranslated by the converter. As written, YARA searches for those
// literal 0x90.. bytes, so these strings are unlikely to match real samples.
// Translate them to YARA jumps `[n]` / `[a-b]` / `( .. | .. )` or drop them --
// verify the escape semantics first.
rule Backdoor_Win32_Cycbot_B{
meta:
description = "Backdoor:Win32/Cycbot.B,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 1b 00 00 02 00 "
strings :
// --- C2 / reporting URL fragments and POST bodies (most specific) ---
$a_00_0 = {2f 67 62 6f 74 2f 74 2e 70 68 70 3f 71 3d 25 73 } //02 00 /gbot/t.php?q=%s  (C2 check-in path)
$a_00_1 = {74 79 70 65 3d 25 73 26 73 79 73 74 65 6d 3d 25 73 26 69 64 3d 25 73 26 73 74 61 74 75 73 3d 25 73 } //02 00 type=%s&system=%s&id=%s&status=%s
$a_02_2 = {2f 63 67 69 2d 62 69 6e 2f 63 79 63 6c 65 5f 72 65 70 6f 72 74 90 02 02 2e 63 67 69 90 00 } //02 00 "/cgi-bin/cycle_report" [0-2] ".cgi" -- 90 02 02 / 90 00 are untranslated wildcard escapes (see header note)
$a_00_3 = {25 73 2f 67 62 6f 74 2f 73 63 2e 63 67 69 3f 69 64 3d 25 73 26 63 3d 25 64 } //01 00 %s/gbot/sc.cgi?id=%s&c=%d
$a_00_4 = {50 49 4e 47 5f 4c 53 5f 54 4d 5f 25 64 } //01 00 PING_LS_TM_%d
$a_00_5 = {73 74 6f 72 2e 63 66 67 00 } //01 00 "stor.cfg\0" -- generic filename, weak on its own
$a_00_6 = {5f 4c 41 53 54 5f 54 49 4d 45 5f 46 41 49 4c 5f 43 4f 4e 4e 45 43 54 5f 4d 41 49 4e 5f 53 45 52 56 45 52 } //01 00 _LAST_TIME_FAIL_CONNECT_MAIN_SERVER
$a_00_7 = {53 45 4e 44 5f 49 4e 53 54 41 4c 4c 5f 52 45 50 4f 52 54 } //02 00 SEND_INSTALL_REPORT
// --- bot User-Agent prefixes (good pivots for network detection) ---
$a_00_8 = {55 73 65 72 2d 41 67 65 6e 74 3a 20 67 62 6f 74 2f } //02 00 User-Agent: gbot/
$a_00_9 = {55 73 65 72 2d 41 67 65 6e 74 3a 20 69 61 6d 78 2f } //02 00 User-Agent: iamx/
$a_00_10 = {69 64 3d 25 73 26 68 77 69 64 3d 25 73 26 63 3d 25 64 26 76 65 72 3d } //01 00 id=%s&hwid=%s&c=%d&ver=
$a_02_11 = {50 41 52 41 4d 5f 50 52 4f 58 59 5f 50 4f 52 54 90 03 07 01 5f 4e 55 4d 42 45 52 4e 90 00 } //01 00 "PARAM_PROXY_PORT" then ("_NUMBER" | "N") -- 90 03 07 01 looks like an alternation escape (7-byte vs 1-byte branch); confirm
$a_00_12 = {69 6d 61 67 65 73 2f 69 6d 31 33 33 2e 6a 70 67 } //01 00 images/im133.jpg -- generic path, weak on its own
$a_00_13 = {69 6d 61 67 65 73 2f 33 35 32 31 2e 6a 70 67 } //02 00 images/3521.jpg -- generic path, weak on its own
$a_00_14 = {2f 67 2f 74 2e 70 68 70 3f 71 3d 25 73 00 } //01 00 "/g/t.php?q=%s\0"  (comment was mis-decoded as UTF-16 in the original conversion)
$a_00_15 = {68 77 69 64 3d 25 73 26 69 64 3d 25 73 } //01 00 hwid=%s&id=%s -- short and generic, weak on its own
$a_00_16 = {26 77 64 3d 25 64 26 61 76 3d 25 73 } //01 00 &wd=%d&av=%s
$a_01_17 = {49 4e 53 54 5f 52 45 50 4f 52 54 5f 54 4d 00 } //01 00 "INST_REPORT_TM\0"
$a_01_18 = {4c 53 5f 50 49 4e 47 5f 54 4d 00 } //02 00 "LS_PING_TM\0"
$a_02_19 = {68 77 69 64 3d 25 73 26 63 3d 25 64 26 90 01 03 3d 30 26 76 65 72 3d 90 00 } //01 00 "hwid=%s&c=%d&" [3] "=0&ver=" -- 90 01 03 / 90 00 are untranslated wildcard escapes (see header note)
$a_00_20 = {74 3d 25 73 26 68 72 73 3d 25 64 26 71 3d 25 73 26 73 3d 25 64 } //03 00 t=%s&hrs=%d&q=%s&s=%d
// --- x86 code fragments (wildcard escapes untranslated; see header note) ---
$a_03_21 = {43 81 fb d0 07 00 00 72 e7 eb 90 01 01 81 7c 24 0c dc 05 00 00 73 06 ff 44 24 0c eb 90 01 01 50 e8 90 00 } //02 00 inc ebx / cmp ebx,0x7d0 / jb (loop to 2000); cmp [esp+0xc],0x5dc -- 90 01 01 = skip 1 byte (jmp rel8), 90 00 = end
$a_01_22 = {50 41 52 41 4d 5f 4c 49 53 54 45 4e 5f 50 4f 52 54 00 } //01 00 "PARAM_LISTEN_PORT\0"  (comment was mis-decoded as UTF-16 in the original conversion)
$a_00_23 = {5c 67 62 5f 25 64 2e 62 61 74 00 } //02 00 "\gb_%d.bat\0"  (dropped batch file name pattern)
$a_01_24 = {8b 45 f4 80 7d ff 06 fe 45 ff 8d 34 02 8a 06 72 04 c6 45 ff 01 0f b6 4d ff d2 c0 42 88 06 3b 55 f8 72 dd } //03 00 byte-rotate loop (rol al,cl over a buffer) -- presumably a string/config decoder; no wildcards, so this one is usable as-is
$a_03_25 = {99 b9 2c 01 00 00 f7 f9 90 03 06 0b 8b fb 8b f2 81 c6 89 9d 90 01 02 ff ff 8b fa 81 c7 c8 00 00 00 74 90 01 01 e8 90 01 04 25 3f 00 00 80 79 90 00 } //03 00 cdq / mov ecx,0x12c / idiv ecx ... and eax,0x8000003f -- nested 90 03 / 90 01 escapes; do not hand-translate without checking the encoded branch lengths
$a_03_26 = {b8 28 01 00 00 39 06 75 90 01 01 8b 4d 90 01 01 3b cb 74 08 3b 8e 08 01 00 00 75 90 01 01 8b 8d 90 01 02 ff ff 3b cb 74 08 8b 96 0c 01 00 00 89 11 39 5d 90 01 01 75 90 00 } //00 00 mov eax,0x128 / cmp [esi],eax -- weight 00 in the original signature; 90 01 NN escapes untranslated
condition:
// NOTE(review): ignores the per-string weights above; any single string,
// including the weak generic ones, matches. See header note.
any of ($a_*)
}