DefenderYara/TrojanSpy/Win32/Elvatka/TrojanSpy_Win32_Elvatka_A.yar


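rule TrojanSpy_Win32_Elvatka_A
{
    meta:
        description = "TrojanSpy:Win32/Elvatka.A,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 06 00 00 01 00 "
        // The PEHSTR_EXT header bytes kept in `description` carry the original
        // scoring: a leading threshold of 0x0004 over 0x0006 strings, each string
        // weighted 01 00 (the per-string comments below). The auto-converted rule
        // replaced that with `any of ($a_*)`, which turns a 4-of-6 signature into a
        // 1-of-6 one; the condition below restores the threshold.

    strings:
        // ASCII debug/log strings left in the sample (decoded text in comments;
        // a trailing 00 is the C string terminator). "PROTOCAL" is the sample's
        // own spelling and must not be "corrected".
        $a_01_0 = { 50 52 4f 54 4f 43 41 4c 5f 55 53 45 5f 53 4f 43 4b 45 54 }                                     // 01 00  "PROTOCAL_USE_SOCKET"
        $a_01_1 = { 55 70 64 61 74 65 49 6d 70 6f 72 74 54 61 62 6c 65 41 64 64 72 65 73 73 20 6f 6b 21 00 }        // 01 00  "UpdateImportTableAddress ok!\0"
        $a_01_2 = { 62 65 67 69 6e 20 43 72 65 61 74 65 46 69 6c 65 41 20 70 61 74 68 20 69 73 20 25 73 21 00 } // 01 00  "begin CreateFileA path is %s!\0"
        $a_01_3 = { 45 6c 65 76 61 74 65 44 6c 6c 5f 78 38 36 2e 70 64 62 00 }                                     // 01 00  "ElevateDll_x86.pdb\0" (PDB path from the build)

        // UTF-16LE (wide) strings.
        $a_01_4 = { 53 00 48 00 46 00 69 00 6c 00 65 00 4f 00 70 00 65 00 72 00 61 00 74 00 69 00 6f 00 6e 00 20 00 5b 00 25 00 73 00 5d 00 20 00 73 00 75 00 63 00 63 00 65 00 65 00 64 00 73 00 21 00 } // 01 00  L"SHFileOperation [%s] succeeds!"
        $a_01_5 = { 25 00 73 00 5c 00 75 00 70 00 64 00 61 00 74 00 65 00 25 00 64 00 2e 00 65 00 78 00 65 00 00 00 } // 01 00  L"%s\update%d.exe\0"

        // Deliberately removed: the converter also emitted
        //     $a_00_6 = { 5d 04 00 } //00 e9
        // That 3-byte fragment is the tail of the signature record, not an
        // indicator. Under `any of ($a_*)` it alone satisfied the rule, and a
        // 3-byte pattern (5d = `pop ebp`, 04 00 = a tiny little-endian word)
        // occurs in practically every PE, so the rule matched almost anything.

    condition:
        // PEHSTR_EXT signatures target PE images; gating on the MZ magic avoids
        // scanning every string in non-PE data. The 4-of threshold mirrors the
        // header in `description`; only the real indicator strings ($a_01_*)
        // count toward it.
        uint16(0) == 0x5A4D and 4 of ($a_01_*)
}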