DefenderYara/Backdoor/Win32/Ziyazo/Backdoor_Win32_Ziyazo_A.yar


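// Backdoor:Win32/Ziyazo.A — converted from a Microsoft Defender PEHSTR signature.
//
// The original signature is a *weighted* string match, not a plain "any of":
// the description header "0a 00 0a 00 0e 00 00 02 00" reads as threshold 10,
// 14 strings, and the first string's weight (02). In the DefenderYara dump
// convention the "//NN 00" comment after each string is the weight of the NEXT
// string, and the trailing "//00 00" is the list terminator. That gives six
// weight-2 strings ($a_01_0..$a_01_5) and eight weight-1 strings
// ($a_01_6..$a_01_13), 20 points in total, threshold 10.
// NOTE(review): weight assignment follows that convention — confirm against
// the raw VDM entry before relying on it.
//
// The previous "any of ($a_*)" condition fired on a single hit, and several of
// these strings are generic (printf-style date/size formats, "%s||%s||..."
// and the bare vendor names in UTF-16LE), so it was a false-positive source.
// The condition below reproduces the weighted threshold exactly and gates on
// the MZ header, since PEHSTR signatures apply to PE files only.
rule Backdoor_Win32_Ziyazo_A{
meta:
description = "Backdoor:Win32/Ziyazo.A,SIGNATURE_TYPE_PEHSTR,0a 00 0a 00 0e 00 00 02 00 "
strings :
// ---- weight 2 -------------------------------------------------------------
$a_01_0 = {5a 69 59 61 6e 67 5a 68 6f 75 68 75 } // "ZiYangZhouhu"
// "%04d-%02d-%02d %02d:%02d\t%14d" — date/time + right-aligned number, looks like a file-listing row
$a_01_1 = {25 30 34 64 2d 25 30 32 64 2d 25 30 32 64 20 25 30 32 64 3a 25 30 32 64 09 25 31 34 64 }
// "%04d-%02d-%02d %02d:%02d\t<DIR>" — companion row format for directories
$a_01_2 = {25 30 34 64 2d 25 30 32 64 2d 25 30 32 64 20 25 30 32 64 3a 25 30 32 64 09 3c 44 49 52 3e }
// "[cd %s] error with code: %d I will sleep %d Minutes, Goodbye, Workaholic!"
$a_01_3 = {5b 63 64 20 25 73 5d 20 65 72 72 6f 72 20 77 69 74 68 20 63 6f 64 65 3a 20 25 64 20 49 20 77 69 6c 6c 20 73 6c 65 65 70 20 25 64 20 4d 69 6e 75 74 65 73 2c 20 47 6f 6f 64 62 79 65 2c 20 57 6f 72 6b 61 68 6f 6c 69 63 21 }
// "[Serch+]?%04d-%02d-%02d %02d:%02d%15d %s%s"
$a_01_4 = {5b 53 65 72 63 68 2b 5d 3f 25 30 34 64 2d 25 30 32 64 2d 25 30 32 64 20 25 30 32 64 3a 25 30 32 64 25 31 35 64 20 25 73 25 73 }
// "%s||%s||%s||%s||%s" — generic delimiter format; weak on its own
$a_01_5 = {25 73 7c 7c 25 73 7c 7c 25 73 7c 7c 25 73 7c 7c 25 73 }
// ---- weight 1 -------------------------------------------------------------
// "[Remote] File Start UpLoad At:%d Bytes"
$a_01_6 = {5b 52 65 6d 6f 74 65 5d 20 46 69 6c 65 20 53 74 61 72 74 20 55 70 4c 6f 61 64 20 41 74 3a 25 64 20 42 79 74 65 73 }
// "[Remote] Put [%s] Failed With Code: %d"
$a_01_7 = {5b 52 65 6d 6f 74 65 5d 20 50 75 74 20 5b 25 73 5d 20 46 61 69 6c 65 64 20 57 69 74 68 20 43 6f 64 65 3a 20 25 64 }
// "[Remote] File Start DownLoad At:%d Bytes"
$a_01_8 = {5b 52 65 6d 6f 74 65 5d 20 46 69 6c 65 20 53 74 61 72 74 20 44 6f 77 6e 4c 6f 61 64 20 41 74 3a 25 64 20 42 79 74 65 73 }
// "[Remote] Get [%s] Failed With Code: %d"
$a_01_9 = {5b 52 65 6d 6f 74 65 5d 20 47 65 74 20 5b 25 73 5d 20 46 61 69 6c 65 64 20 57 69 74 68 20 43 6f 64 65 3a 20 25 64 }
// The four below are UTF-16LE (note the 00 interleave): "*JiangMin*", "*Trend Micro*",
// "*Kaspersky*", "*Symantec*" — AV vendor names as wildcard patterns. Each is a
// plausible benign string (installers, uninstallers, AV-aware software), hence weight 1.
$a_01_10 = {2a 00 4a 00 69 00 61 00 6e 00 67 00 4d 00 69 00 6e 00 2a 00 }
$a_01_11 = {2a 00 54 00 72 00 65 00 6e 00 64 00 20 00 4d 00 69 00 63 00 72 00 6f 00 2a 00 }
$a_01_12 = {2a 00 4b 00 61 00 73 00 70 00 65 00 72 00 73 00 6b 00 79 00 2a 00 }
$a_01_13 = {2a 00 53 00 79 00 6d 00 61 00 6e 00 74 00 65 00 63 00 2a 00 }
condition:
    // PE only: PEHSTR signatures are evaluated against PE images.
    uint16(0) == 0x5A4D and
    // Weighted threshold: 2*H + 1*L >= 10, where H = hits among the six
    // weight-2 strings and L = hits among the eight weight-1 strings.
    // YARA has no boolean arithmetic, so every (H, L) combination that
    // reaches 10 is enumerated explicitly; H = 0 cannot reach it (max L = 8).
    (
        5 of ($a_01_0, $a_01_1, $a_01_2, $a_01_3, $a_01_4, $a_01_5)
        or (4 of ($a_01_0, $a_01_1, $a_01_2, $a_01_3, $a_01_4, $a_01_5)
            and 2 of ($a_01_6, $a_01_7, $a_01_8, $a_01_9, $a_01_10, $a_01_11, $a_01_12, $a_01_13))
        or (3 of ($a_01_0, $a_01_1, $a_01_2, $a_01_3, $a_01_4, $a_01_5)
            and 4 of ($a_01_6, $a_01_7, $a_01_8, $a_01_9, $a_01_10, $a_01_11, $a_01_12, $a_01_13))
        or (2 of ($a_01_0, $a_01_1, $a_01_2, $a_01_3, $a_01_4, $a_01_5)
            and 6 of ($a_01_6, $a_01_7, $a_01_8, $a_01_9, $a_01_10, $a_01_11, $a_01_12, $a_01_13))
        or (1 of ($a_01_0, $a_01_1, $a_01_2, $a_01_3, $a_01_4, $a_01_5)
            and all of ($a_01_6, $a_01_7, $a_01_8, $a_01_9, $a_01_10, $a_01_11, $a_01_12, $a_01_13))
    )
}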