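// Detects samples carrying the string set recorded for TrojanSpy:BAT/Siplog.A.
// The strings are kept as hex exactly as given; the decoded text is shown in the
// comment beside each one, followed by the original trailing signature bytes.
//
// Review changes relative to the original rule:
//   * The original condition was `any of ($a_*)`, which included the two-byte
//     pattern {80 10}. Two arbitrary bytes occur in almost every file, so the
//     rule fired on nearly anything it scanned. That pattern is now commented
//     out (YARA rejects strings that are defined but never referenced).
//   * A single generic name such as "KeyLog" is weak evidence on its own, so
//     the condition now requires several indicators to co-occur.
//
// NOTE(review): the header bytes kept in `description` look like a threshold
// (0x12) over 7 weighted sub-patterns, and the trailing "//NN 00" bytes look
// like per-pattern weights. If that reading is right, the source signature
// required most of these strings together. Confirm against the source
// signature, then tune the count below on known-clean and known-bad samples.
// NOTE(review): the signature type name suggests PE files only; consider adding
// `uint16(0) == 0x5A4D` if this rule is only ever run against files on disk.
rule TrojanSpy_BAT_Siplog_A{
	meta:
		description = "TrojanSpy:BAT/Siplog.A,SIGNATURE_TYPE_PEHSTR_EXT,12 00 12 00 07 00 00 0a 00 "

	strings:
		// NUL-delimited ASCII identifiers
		$a_01_0 = {00 4b 69 6c 6c 41 56 00 } // "KillAV" | 02 00
		$a_01_1 = {00 46 75 63 6b 46 69 6c 65 4e 61 6d 65 00 } // "FuckFileName" | 02 00
		$a_01_2 = {00 42 6f 74 6b 69 6c 6c 65 72 00 } // "Botkiller" | 01 00
		$a_01_3 = {00 4b 65 79 4c 6f 67 00 } // "KeyLog" | 02 00
		// UTF-16LE strings
		$a_01_4 = {69 00 53 00 70 00 79 00 20 00 4b 00 65 00 79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 } // "iSpy Keylogger" | 02 00
		$a_01_5 = {69 00 6e 00 76 00 69 00 73 00 69 00 62 00 6c 00 65 00 73 00 6f 00 66 00 74 00 2e 00 6e 00 65 00 74 00 2f 00 69 00 53 00 70 00 79 00 53 00 6f 00 66 00 74 00 } // "invisiblesoft[.]net/iSpySoft" | 01 00
		// NUL-delimited ASCII identifier
		$a_01_6 = {00 43 4c 49 50 42 4f 41 52 44 5f 4d 4f 4e 49 54 4f 52 49 4e 47 00 } // "CLIPBOARD_MONITORING" | 00 00
		// Disabled: a two-byte pattern matches almost any file and is probably
		// conversion residue rather than an indicator (the header declares 7
		// sub-patterns, and this would be the 8th) - TODO confirm.
		// $a_00_7 = {80 10 } //00 00

	condition:
		// Require co-occurrence so that one generic name cannot trigger a
		// detection; the value 3 is a reviewer-chosen starting point.
		3 of ($a_01_*)
}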