DefenderYara/Backdoor/Win32/Spiderpig/Backdoor_Win32_Spiderpig_A.yar


rule Backdoor_Win32_Spiderpig_A{
// Auto-converted Microsoft Defender signature for Backdoor:Win32/Spiderpig.A. The
// SIGNATURE_TYPE_PEHSTR_EXT header is preserved verbatim in `description`, and the
// trailing `//xx 00` comments on each string are carried over from that header and
// appear to be per-string weights -- the `any of` condition below does not reproduce
// any weighting, so confirm against the converter before treating this as equivalent.
meta:
description = "Backdoor:Win32/Spiderpig.A,SIGNATURE_TYPE_PEHSTR_EXT,15 00 15 00 04 00 00 01 00 "
strings :
// x86 code fragment: a je/jne chain that looks like it compares three consecutive bytes
// at [ecx], [ecx+1], [ecx+2] against 0x4c 0x43 0x5f ('L' 'C' '_') before `mov edi, ecx`.
$a_01_0 = {0f 84 aa 01 00 00 80 39 4c 0f 85 30 01 00 00 80 79 01 43 0f 85 26 01 00 00 80 79 02 5f 0f 85 1c 01 00 00 8b f9 } //01 00
// NOTE(review): this is a generic Chromium/Chrome User-Agent prefix. Many benign binaries
// embed the same text, so letting it satisfy the rule on its own (see condition) is a
// false-positive risk; it only carries signal in combination with the other strings.
$a_01_1 = {4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d } //0a 00 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTM
// ASCII fragments "wbem", "\%d", "127.0.0.1", "/", ".bin", "config path:%". The `90 02 10`,
// `90 02 08` and `90 00` runs sitting between them are implausible as literal bytes inside
// text and look like the converter's gap/wildcard encoding; as written, YARA matches them
// literally. Confirm this string's translation before relying on it for detection.
$a_02_2 = {77 62 65 6d 00 00 00 00 5c 25 64 00 31 32 37 2e 30 2e 30 2e 31 90 02 10 2f 90 02 08 2e 62 69 6e 90 02 10 63 6f 6e 66 69 67 20 70 61 74 68 3a 25 90 00 } //0a 00
// x86 push/call sequence ending in `call dword ptr [...]`. The `90 01 03` runs sit where
// 32-bit immediates/addresses would be and likely stand for three wildcard bytes, with
// `90 00` as end-of-pattern -- same caveat as $a_02_2: verify they were meant to be literal.
$a_03_3 = {55 6a 00 68 00 01 80 84 6a 00 6a 00 68 90 01 03 00 68 90 01 03 00 68 90 01 03 00 53 c7 44 24 3c 80 33 80 80 ff 15 90 01 03 00 90 00 } //00 00
condition:
// NOTE(review): any single string fires the rule. The header's leading `15 00` looks like a
// match threshold, suggesting the original required a weighted combination; consider
// requiring $a_01_1 only together with at least one of the other strings to cut false positives.
any of ($a_*)
}