qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/TrojanSpy/Win32/Logsnif/TrojanSpy_Win32_Logsnif_gen...

40 lines
3.0 KiB
Plaintext
Raw Blame History

rule TrojanSpy_Win32_Logsnif_gen_D{
meta:
description = "TrojanSpy:Win32/Logsnif.gen!D,SIGNATURE_TYPE_PEHSTR_EXT,ffffffe6 00 ffffffe1 00 1e 00 00 "
strings :
$a_00_0 = {53 4f 46 54 57 41 52 45 5c 42 6f 72 6c 61 6e 64 5c 44 65 6c 70 68 69 5c 52 54 4c } //100 SOFTWARE\Borland\Delphi\RTL
$a_00_1 = {52 61 76 4d 6f 6e 48 65 6c 70 } //50 RavMonHelp
$a_00_2 = {73 6f 75 6c 2e 65 78 65 } //50 soul.exe
$a_00_3 = {53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e } //1 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
$a_00_4 = {43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 } //1 Content-Type: application/x-www-form-urlencoded
$a_01_5 = {52 65 61 64 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 } //5 ReadProcessMemory
$a_01_6 = {57 72 69 74 65 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 } //5 WriteProcessMemory
$a_01_7 = {49 6e 74 65 72 6e 65 74 52 65 61 64 46 69 6c 65 } //5 InternetReadFile
$a_01_8 = {49 6e 74 65 72 6e 65 74 4f 70 65 6e 41 } //1 InternetOpenA
$a_00_9 = {49 6e 74 65 72 6e 65 74 43 6f 6e 6e 65 63 74 41 } //1 InternetConnectA
$a_01_10 = {48 74 74 70 53 65 6e 64 52 65 71 75 65 73 74 41 } //1 HttpSendRequestA
$a_00_11 = {48 74 74 70 4f 70 65 6e 52 65 71 75 65 73 74 41 } //1 HttpOpenRequestA
$a_01_12 = {43 72 65 61 74 65 54 6f 6f 6c 68 65 6c 70 33 32 53 6e 61 70 73 68 6f 74 } //1 CreateToolhelp32Snapshot
$a_01_13 = {54 6f 6f 6c 68 65 6c 70 33 32 52 65 61 64 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 } //1 Toolhelp32ReadProcessMemory
$a_00_14 = {61 76 70 63 63 2e } //1 avpcc.
$a_00_15 = {5f 61 76 70 6d 2e } //1 _avpm.
$a_00_16 = {61 76 70 33 32 2e } //1 avp32.
$a_00_17 = {61 6e 74 69 76 69 72 75 73 2e } //1 antivirus.
$a_00_18 = {66 73 61 76 2e 65 78 65 } //1 fsav.exe
$a_00_19 = {6e 6f 72 74 6f 6e 2e } //1 norton.
$a_00_20 = {6d 73 6d 70 65 6e 67 2e } //1 msmpeng.
$a_00_21 = {6d 73 6d 70 73 76 63 2e } //1 msmpsvc.
$a_00_22 = {32 2e 30 2e 30 2e 31 } //1 2.0.0.1
$a_00_23 = {26 73 65 72 76 65 72 73 3d } //1 &servers=
$a_00_24 = {26 75 73 65 72 6e 61 6d 65 3d } //1 &username=
$a_00_25 = {26 70 61 73 73 77 6f 72 64 3d } //1 &password=
$a_00_26 = {26 72 77 6d 63 3d } //1 &rwmc=
$a_00_27 = {26 70 61 73 73 6c 6f 63 6b 3d } //1 &passlock=
$a_00_28 = {6d 61 69 6c 2e 61 73 70 } //1 mail.asp
$a_01_29 = {53 65 6e 64 20 4f 4b 21 } //1 Send OK!
condition:
((#a_00_0 & 1)*100+(#a_00_1 & 1)*50+(#a_00_2 & 1)*50+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1+(#a_01_5 & 1)*5+(#a_01_6 & 1)*5+(#a_01_7 & 1)*5+(#a_01_8 & 1)*1+(#a_00_9 & 1)*1+(#a_01_10 & 1)*1+(#a_00_11 & 1)*1+(#a_01_12 & 1)*1+(#a_01_13 & 1)*1+(#a_00_14 & 1)*1+(#a_00_15 & 1)*1+(#a_00_16 & 1)*1+(#a_00_17 & 1)*1+(#a_00_18 & 1)*1+(#a_00_19 & 1)*1+(#a_00_20 & 1)*1+(#a_00_21 & 1)*1+(#a_00_22 & 1)*1+(#a_00_23 & 1)*1+(#a_00_24 & 1)*1+(#a_00_25 & 1)*1+(#a_00_26 & 1)*1+(#a_00_27 & 1)*1+(#a_00_28 & 1)*1+(#a_01_29 & 1)*1) >=225
}
Reference in New Issue View Git Blame Copy Permalink