14 lines
1.0 KiB
Plaintext
14 lines
1.0 KiB
Plaintext
|
|
rule TrojanDownloader_O97M_Obfuse_PDP_MTB{
|
|
meta:
|
|
description = "TrojanDownloader:O97M/Obfuse.PDP!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,03 00 03 00 04 00 00 01 00 "
|
|
|
|
strings :
|
|
$a_03_0 = {3d 63 68 72 28 35 30 29 2b 63 68 72 28 34 38 29 2b 63 68 72 28 34 38 29 90 02 03 77 73 68 73 68 65 6c 6c 90 00 } //01 00
|
|
$a_03_1 = {73 70 65 63 69 61 6c 70 61 74 68 3d 77 73 68 73 68 65 6c 6c 2e 73 70 65 63 69 61 6c 66 6f 6c 64 65 72 73 28 22 90 02 0a 22 29 64 69 6d 64 69 6d 90 00 } //01 00
|
|
$a_03_2 = {3d 73 70 65 63 69 61 6c 70 61 74 68 2b 28 22 5c 90 02 0a 2e 22 29 2e 6f 70 65 6e 22 67 65 74 22 2c 28 22 68 3a 2f 2f 77 77 77 2e 68 6b 6c 6c 2e 6d 2f 6a 76 76 71 77 76 62 67 6d 2f 6b 6a 64 68 2e 90 00 } //01 00
|
|
$a_03_3 = {3d 73 70 65 63 69 61 6c 70 61 74 68 2b 28 22 5c 90 02 0a 2e 22 29 2e 6f 70 65 6e 22 67 65 74 22 2c 28 22 68 3a 2f 2f 77 77 77 2e 68 6b 6c 6c 2e 6d 2f 6a 6b 6a 7a 64 67 64 6c 7a 6a 6b 62 6b 62 6b 7a 6a 62 6b 6a 68 62 67 2f 67 68 67 67 68 68 68 67 62 76 76 6d 68 2e 90 00 } //00 00
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |