
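// Defender PEHSTR_EXT signature converted to YARA. The header bytes kept in
// `description` read (as parsed here; confirm against the converter) as:
// threshold 0x04, 4 strings, then `01 00` = weight of the first string; the
// `//NN 00` after each string is the weight of the string that follows it
// and the final `//00 00` is the terminator. Four weight-1 strings against a
// threshold of 4 means every string must hit. `any of` dropped that
// threshold and would fire on the generic `<html><iframe src="` fragment alone.
// Defender wildcard opcodes inside type-02 patterns (`90 02 NN` = 0..NN
// wildcard bytes, `90 00` = end of pattern) are converted to YARA jumps; left
// as literal bytes they could never match.
rule Backdoor_Win32_InstantAccess{
meta:
description = "Backdoor:Win32/InstantAccess,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 01 00 "
strings :
$a_00_0 = {50 6f 72 74 20 68 61 73 20 62 65 65 6e 20 6f 70 65 6e 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e } //01 00 Port has been opened successfully.
$a_00_1 = {3c 68 74 6d 6c 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 } //01 00 <html><iframe src="
$a_02_2 = {65 67 61 63 63 65 73 73 [0-3] 2e 44 4c 4c } //01 00 egaccess [0-3] .DLL
// NUL-separated export-style names; the original comment was the same bytes mis-decoded as UTF-16.
$a_00_3 = {49 6e 73 74 61 6e 74 41 63 63 65 73 73 00 4f 70 65 6e 41 63 63 65 73 73 00 65 63 6e 68 65 00 65 73 77 68 65 00 65 75 68 77 65 00 69 65 64 69 73 63 6f } //00 00 InstantAccess\0OpenAccess\0ecnhe\0eswhe\0euhwe\0iedisco
condition:
// weight sum >= threshold (4 x 1 >= 4) only when all four strings are present
all of ($a_*)
}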
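// Defender PEHSTR_EXT signature converted to YARA. Header bytes in
// `description` read (as parsed here; confirm against the converter) as:
// threshold 0x0b (11), 3 strings, and `0a 00` = weight 10 for $a_03_0; the
// `//01 00` comments give weight 1 to $a_02_1 and $a_02_2, `//00 00` ends the
// list. So the code pattern is mandatory and at least one path string must
// join it (10 + 1 >= 11); `any of` let either path string fire on its own.
// Defender wildcard opcodes are converted to YARA jumps: `90 01 NN` = exactly
// NN wildcard bytes, `90 02 NN` = 0..NN bytes, `90 00` = end of pattern.
rule Backdoor_Win32_InstantAccess_2{
meta:
description = "Backdoor:Win32/InstantAccess,SIGNATURE_TYPE_PEHSTR_EXT,0b 00 0b 00 03 00 00 0a 00 "
strings :
// 32-bit x86 sequence as decoded from the bytes: pop ecx / test eax,eax / pop ecx / jnz rel32,
// lea eax,[ebp-0xXXXX], push imm32 / push eax / call [0x0040XXXX], repeated with a
// push esi / push eax / call rel32 / add esp,0xc in between. Only the low bytes of
// displacements, immediates and IAT slots are wildcarded.
$a_03_0 = {59 85 c0 59 0f 85 [2] 00 00 8d 85 [2] ff ff 68 [4] 50 ff 15 [2] 40 00 59 85 c0 59 0f 85 [2] 00 00 [1] 8d 85 [2] ff ff 56 50 e8 [2] 00 00 83 c4 0c 8d 85 [2] ff ff [1] 50 ff 15 [2] 40 00 8d 85 [2] ff ff 68 [4] 50 ff 15 [2] 40 00 } //01 00 (weight of this string: 0a 00 from the header)
$a_02_1 = {5c 45 78 65 44 69 61 6c 65 72 2e 65 78 65 [0-16] 65 78 65 64 69 61 6c 65 72 [0-16] 69 6e 73 74 61 6e 74 20 61 63 63 65 73 73 2e 65 78 65 } //01 00 \ExeDialer.exe [0-16] exedialer [0-16] instant access.exe
$a_02_2 = {5c 49 6e 73 74 61 6e 74 20 41 63 63 65 73 73 5c 43 65 6e 74 65 72 5c [0-16] 43 44 69 61 6c 65 72 45 58 45 44 6c 67 3a 3a 43 72 65 61 74 65 53 68 6f 72 74 43 75 74 28 29 } //00 00 \Instant Access\Center\ [0-16] CDialerEXEDlg::CreateShortCut()
condition:
// weighted threshold: 10 (code) + 1 (either path string) >= 11
$a_03_0 and any of ($a_02_*)
}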
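// Defender PEHSTR_EXT signature converted to YARA. Header bytes in
// `description` read (as parsed here; confirm against the converter) as:
// threshold 0x05, 6 strings, `01 00` = weight of $a_00_0; each `//NN 00` is the
// weight of the following string, so $a_00_1..$a_02_4 weigh 1 and $a_02_5
// (after the `//05 00`) weighs 5. Either the version-info string alone or all
// five weight-1 strings together reach the threshold. `any of` ignored that
// and would fire on the bare import name `ShellExecuteA`, which nearly every
// Windows binary contains.
// Defender wildcard opcodes are converted to YARA jumps: `90 02 NN` = 0..NN
// wildcard bytes, `90 00` = end of pattern.
rule Backdoor_Win32_InstantAccess_3{
meta:
description = "Backdoor:Win32/InstantAccess,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 06 00 00 01 00 "
strings :
$a_00_0 = {3c 64 65 73 63 72 69 70 74 69 6f 6e 3e 69 6e 73 74 61 6e 74 2d 61 63 65 73 73 3c 2f 64 65 73 63 72 69 70 74 69 6f 6e 3e } //01 00 <description>instant-acess</description>
$a_00_1 = {3c 72 65 71 75 65 73 74 65 64 45 78 65 63 75 74 69 6f 6e 4c 65 76 65 6c 20 6c 65 76 65 6c 3d 22 72 65 71 75 69 72 65 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 22 } //01 00 <requestedExecutionLevel level="requireAdministrator"
$a_00_2 = {53 68 65 6c 6c 45 78 65 63 75 74 65 41 } //01 00 ShellExecuteA
$a_02_3 = {65 67 61 63 63 65 73 73 [0-3] 2e 44 4c 4c } //01 00 egaccess [0-3] .DLL
$a_02_4 = {49 6e 73 74 61 6e 74 41 63 63 65 73 73 [0-5] 4f 70 65 6e 41 63 63 65 73 73 [0-5] 52 65 67 69 73 74 65 72 45 58 45 [0-5] 65 63 6e 68 65 [0-5] 65 73 77 68 65 [0-5] 65 75 68 77 65 [0-5] 69 65 64 69 73 63 6f [0-5] 73 64 73 } //05 00 InstantAccess [0-5] OpenAccess [0-5] RegisterEXE [0-5] ecnhe [0-5] eswhe [0-5] euhwe [0-5] iedisco [0-5] sds
// UTF-16LE version-info fields (weight 5 per the preceding `//05 00`).
$a_02_5 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 [0-6] 49 00 6e 00 73 00 74 00 61 00 6e 00 74 00 20 00 41 00 63 00 63 00 65 00 73 00 73 00 2e 00 65 00 78 00 65 00 [0-16] 50 00 72 00 69 00 76 00 61 00 74 00 65 00 42 00 75 00 69 00 6c 00 64 00 [0-9] 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 [0-6] 41 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 [0-6] 49 00 6e 00 73 00 74 00 61 00 6e 00 74 00 20 00 41 00 63 00 63 00 65 00 73 00 73 00 } //00 00 OriginalFilename [0-6] Instant Access.exe [0-16] PrivateBuild [0-9] ProductName [0-6] Application [0-6] Instant Access
condition:
// weighted threshold 5: the weight-5 version-info string, or all five weight-1 strings
$a_02_5 or (all of ($a_00_*) and $a_02_3 and $a_02_4)
}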