DefenderYara/Backdoor/Win32/Jedobot/Backdoor_Win32_Jedobot_C.yar


// Converted Microsoft Defender signature for Backdoor:Win32/Jedobot.C.
// Every hex pattern below is decoded in its trailing comment (ASCII, or
// UTF-16LE where every second byte is 00) so the rule can be reviewed
// without a hex editor. The existing "//NN 00" trailer on each string is
// kept verbatim: it is presumably the per-string weight from the original
// signature (PEHSTR_EXT) — confirm against the converter before relying on it.
rule Backdoor_Win32_Jedobot_C{
meta:
// NOTE(review): the trailing "73 00 73 00 08 00 00 64 00" looks like the raw
// PEHSTR_EXT header (threshold/count fields) copied through by the converter,
// not free text — confirm what the fields mean before treating them as a threshold.
description = "Backdoor:Win32/Jedobot.C,SIGNATURE_TYPE_PEHSTR_EXT,73 00 73 00 08 00 00 64 00 "
strings :
// NUL-delimited ASCII: "\0Software\Microsoft\Windows\CurrentVersion\Run\0" (Run-key persistence path)
$a_01_0 = {00 53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e 00 } //0a 00
// UTF-16LE: "%APPDATA%\smss.exe" (drop path that mimics the system smss.exe name)
$a_01_1 = {25 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 25 00 5c 00 73 00 6d 00 73 00 73 00 2e 00 65 00 78 00 65 00 } //03 00 %APPDATA%\smss.exe
// NUL-delimited ASCII: "\0?p=BotPoke\0" (query-string fragment). The earlier
// comment was this same byte run mis-decoded as UTF-16.
$a_01_2 = {00 3f 70 3d 42 6f 74 50 6f 6b 65 00 } //03 00 ?p=BotPoke
// ASCII: "\0botmajor=" ... "&botminor=" ... (version-reporting parameter names).
// NOTE(review): "90 02 02" and the trailing "90 00" look like the Defender-internal
// wildcard encoding (likely a 0-2 byte gap and an end-of-pattern marker), not
// literal bytes. As written, YARA requires a literal 0x90 0x02 0x02 sequence, so
// this string would not match a real sample; confirm and convert the gap to a
// YARA jump (e.g. "[0-2]") and drop the terminator if that reading is right.
$a_03_3 = {00 62 6f 74 6d 61 6a 6f 72 3d 90 02 02 26 62 6f 74 6d 69 6e 6f 72 3d 90 00 } //01 00
// NUL-delimited ASCII command names: "\0ddos.tcp\0", "\0ddos.udp\0", "\0ddos.http\0".
// Each is only 10-12 bytes long, which matters for the condition below.
$a_01_4 = {00 64 64 6f 73 2e 74 63 70 00 } //01 00
$a_01_5 = {00 64 64 6f 73 2e 75 64 70 00 } //01 00
$a_01_6 = {00 64 64 6f 73 2e 68 74 74 70 00 } //01 00
// UTF-16LE: "%SystemRoot%\smss.exe" (second copy location, same decoy name)
$a_01_7 = {25 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 25 00 5c 00 73 00 6d 00 73 00 73 00 2e 00 65 00 78 00 65 00 } //00 00 %SystemRoot%\smss.exe
// Mixed binary blob. Readable parts: ASCII "Dynasteal.A" and UTF-16LE
// "Dynasty 8.x.x Stealer Log" (the final "Log" is cut off mid-string).
// NOTE(review): the surrounding bytes (5d 04 00 00 f1 20 03 80 ...) look like
// signature-container structure rather than sample content, and the family name
// does not match Jedobot — verify this entry was not carried over from an
// adjacent signature during conversion.
$a_00_8 = {5d 04 00 00 f1 20 03 80 5c 23 00 00 f5 20 03 80 00 00 01 00 27 00 0d 00 cb 01 44 79 6e 61 73 74 65 61 6c 2e 41 00 00 01 40 05 82 5f 00 04 00 78 8d 01 00 03 00 03 00 05 00 00 01 00 3a 01 44 00 79 00 6e 00 61 00 73 00 74 00 79 00 20 00 38 00 2e 00 78 00 2e 00 78 00 20 00 53 00 74 00 65 00 61 00 6c 00 65 00 72 00 20 00 4c 00 6f 00 67 } //00 20
condition:
// NOTE(review): the per-string weights recorded in the trailing comments and the
// threshold implied by the meta header are not reflected here; "any of" fires on a
// single hit, so one short generic string such as $a_01_4 ("\0ddos.tcp\0") is
// enough to match. If the original signature scored strings against a threshold,
// consider expressing that (e.g. requiring the higher-weight strings or a minimum
// count) to reduce false positives.
any of ($a_*)
}