
// Microsoft Defender signature TrojanClicker:Win32/Small.AAR!eml rendered in YARA
// syntax; the description string carries the raw SIGNATURE_TYPE_PEHSTR_EXT header bytes.
// NOTE(review): the `90 xx` byte groups inside $a_03_0 and the $a_02_* strings look
// like Defender's own pattern encoding (`90 01 04` = four wildcard bytes,
// `90 0a NN 00` = gap of up to NN bytes, `90 00` = end of pattern), not literal
// bytes. Plain YARA matches them literally, so those strings are unlikely to fire
// as written - confirm against the converter before using this rule for detection.
// NOTE(review): the trailing `//NN 00` comments appear to be per-string weights of
// the original threshold-based signature; the `any of` condition below ignores them.
rule TrojanClicker_Win32_Small_AAR_eml{
meta:
description = "TrojanClicker:Win32/Small.AAR!eml,SIGNATURE_TYPE_PEHSTR_EXT,4b 00 4b 00 08 00 00 28 00 "
strings :
// x86: xor edx,edx / mov ecx,0x1f31d / div ecx / mov ecx,eax / mov eax,0x41a7 /
// mul edx / mov edx,ecx / mov ecx,eax / mov eax,0xb14 / mul edx / sub ecx,eax /
// xor edx,edx / mov eax,ecx / mov [disp32],ecx / div dword [ebp+8] / mov eax,edx /
// pop ecx / pop edx. The constants 127773, 16807 and 2836 are those of the
// Park-Miller LCG in Schrage form, so this looks like a compiled rand()-style
// routine; `90 01 04` presumably wildcards the 4-byte address of the store.
// Library code of this kind can occur in benign binaries, so it is weak alone.
$a_03_0 = {33 d2 b9 1d f3 01 00 f7 f1 8b c8 b8 a7 41 00 00 f7 e2 8b d1 8b c8 b8 14 0b 00 00 f7 e2 2b c8 33 d2 8b c1 89 0d 90 01 04 f7 75 08 8b c2 59 5a 90 00 } //05 00
// UTF-16LE "cracksplanet.com/readexe.html", then after a gap "http://www."
$a_02_1 = {63 00 72 00 61 00 63 00 6b 00 73 00 70 00 6c 00 61 00 6e 00 65 00 74 00 2e 00 63 00 6f 00 6d 00 2f 00 72 00 65 00 61 00 64 00 65 00 78 00 65 00 2e 00 68 00 74 00 6d 00 6c 00 90 0a 28 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 77 00 77 00 2e 00 90 00 } //05 00
// ASCII form of the same URL fragment.
$a_02_2 = {63 72 61 63 6b 73 70 6c 61 6e 65 74 2e 63 6f 6d 2f 72 65 61 64 65 78 65 2e 68 74 6d 6c 90 0a 28 00 68 74 74 70 3a 2f 2f 77 77 77 2e 90 00 } //05 00
// UTF-16LE "crackdb.com", then after a gap "www."
$a_02_3 = {63 00 72 00 61 00 63 00 6b 00 64 00 62 00 2e 00 63 00 6f 00 6d 00 90 0a 0f 00 77 00 77 00 77 00 2e 00 90 00 } //05 00
// ASCII form of the same domain fragment.
$a_02_4 = {63 72 61 63 6b 64 62 2e 63 6f 6d 90 0a 0f 00 77 77 77 2e 90 00 } //0a 00
// Bare Win32 API names in ASCII. These appear in the import tables of a great
// many legitimate PE files, and each one alone satisfies the condition below.
$a_80_5 = {53 68 65 6c 6c 45 78 65 63 75 74 65 41 } //ShellExecuteA 0a 00
$a_80_6 = {57 72 69 74 65 46 69 6c 65 } //WriteFile 0a 00
$a_80_7 = {57 69 6e 45 78 65 63 } //WinExec 00 00
// Not obviously code or a sample string: a short binary record ending in ASCII
// "TrojanDownloader". Presumably signature metadata emitted by the converter as
// a string - verify before relying on it as an indicator.
$a_00_8 = {5d 04 00 00 da ff 03 80 5c 39 00 00 db ff 03 80 00 00 01 00 04 00 23 00 54 72 6f 6a 61 6e 44 6f 77 6e 6c 6f 61 64 65 72 } //3a 4f
condition:
// Any single string is enough. Because $a_80_5..$a_80_7 are plain API names this
// fires on ordinary software; the original signature (per the weight comments)
// presumably required a scored combination. Treat a hit as a lead, not a verdict.
any of ($a_*)
}