DefenderYara/Backdoor/Win32/Ripinip/Backdoor_Win32_Ripinip_L.yar


// Backdoor:Win32/Ripinip.L -- converted from a Microsoft Defender PEHSTR_EXT
// signature (the meta description carries the original signature header).
// The byte patterns are written as text strings here; `wide` marks the ones
// that were UTF-16LE (every other byte 00) in the original hex form.
//
// NOTE(review): the converted source annotates each string with a weight
// (05, 03, 01 ... 00) and the meta header presumably holds a scored threshold;
// `any of them` does not reproduce that scoring. As written, one low-weight
// string such as "sysout.log" or the generic "\svchost.exe -k netsvcs"
// service-host command line is enough to fire, so expect false positives if
// this rule is used standalone. The distinctive strings are $a_00_0, $a_00_1,
// $a_00_7 and $a_00_9; consider requiring one of them in a tuned condition.
rule Backdoor_Win32_Ripinip_L
{
    meta:
        description = "Backdoor:Win32/Ripinip.L,SIGNATURE_TYPE_PEHSTR_EXT,0d 00 0d 00 0a 00 00 05 00 "

    strings:
        // Looks like a drop/payload path on the system drive -- confirm against a sample
        $a_00_0 = "C:\\boot.bin"
        // ".dll", "Install", "RunInstallA" separated by NULs; presumably a DLL export
        // name table fragment (the original comment mis-decoded these bytes as UTF-16)
        $a_00_1 = ".dll\x00Install\x00RunInstallA"
        // Raw code bytes, kept as hex: x86 push ebx / push 0x2224c8 / push esi / call [mem32]
        $a_01_2 = { 53 68 c8 24 22 00 56 ff 15 }
        // Log file names -- likely written by the backdoor, not verified here
        $a_00_3 = "systemp.log"
        $a_00_4 = "sysout.log"
        // Kernel SSDT symbol name; suggests a hooking/rootkit component (inferred)
        $a_00_5 = "KeServiceDescriptorTable"
        // UTF-16LE strings
        $a_00_6 = "\\svchost.exe -k netsvcs" wide
        $a_00_7 = "Neo,welcome to the desert of real." wide
        $a_00_8 = "welcome to this word" wide
        // printf-style template with %s/%d fields; presumably a message/beacon format
        $a_00_9 = "<%s*%d*%d*%d*%d*>" wide

    condition:
        any of them
}