APT_CyberCriminal_Campagin_.../2016/2016.11.09_down-the-h-w0rm-hole-with-houdinis-rat/hworm.yar
CyberMonitor 7cd6ba7319 go
2017-02-11 15:00:00 +08:00


// Houdini / H-Worm (hworm) RAT, VBScript variant.
// The condition needs the whole common set $sa* plus ONE complete extra family:
//   $sb* - config-style keys of the script (install location, start-up persistence)
//   $sc* - names of embedded data blobs (DCOM/LOADER/FILE), i.e. a script that
//          carries its payload inline.
// NOTE(review): every literal is upper-case and, except $sa9, case-sensitive.
// VBScript itself is case-insensitive, so the rule presumably targets samples whose
// source was observed upper-cased (or an upper-cased copy of the script) -- confirm
// against the original samples before relying on it for mixed-case scripts.
rule win_vbs_rat_hworm
{
strings:
// Common markers: configuration block, in-memory loader scaffolding (VirtualAlloc via
// a DCOM object, PE pointer, base64 decoding) and WMI / shell usage.
$sa1 = "CONFIG"
$sa2 = "MYCODE"
$sa3 = "SHELLOBJ.EXPANDENVIRONMENTSTRINGS"
$sa4 = "BASE64TOHEX"
$sa5 = "DCOM.VIRTUALALLOC"
$sa6 = "LOADER_"
$sa7 = "PE_PTR"
$sa8 = "OBJWMISERVICE.EXECQUERY"
$sa9 = "WSCRIPT.EXE" nocase  // the only case-insensitive string in this rule
// Plain VBScript keywords: no specificity on their own, but the condition requires
// them together with the rest of $sa*.
$sa10 = "FUNCTION"
$sa11 = "DIM"
$sa12 = "END SUB"
// Variant A: configuration keys -- host file, install path and the three
// start-up persistence mechanisms (registry, scheduled task, start-up folder).
$sb1 = "HOST_FILE"
$sb2 = "FILE_NAME"
$sb3 = "INSTALL_DIR"
$sb4 = "START_UP_REG"
$sb5 = "START_UP_TASK"
$sb6 = "START_UP_FOLDER"
// Variant B: section names of payload data embedded in the script.
$sc1 = "DCOM_DATA"
$sc2 = "LOADER_DATA"
$sc3 = "FILE_DATA"
// NOTE(review): "(1)"/"(2)"/"(3)" are 3-byte literals; YARA will likely warn that they
// slow down scanning and they occur in almost any text. They only carry weight because
// the condition demands every $sc* string, never these three alone.
$sc4 = "(1)"
$sc5 = "(2)"
$sc6 = "(3)"
$sc7 = "FILE_SIZE"
condition:
// All common markers, and either the full config-key family or the full embedded-payload family.
(all of ($sa*)) and ( (all of ($sb*)) or (all of ($sc*)) )
}
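// Houdini / H-Worm (hworm) RAT, compiled PE variant.
// Matches a PE ("MZ" at offset 0) that contains every configuration key and
// command keyword below, in either ASCII or UTF-16LE form.
rule win_exe_rat_hworm
{
meta:
description = "Houdini / H-Worm (hworm) RAT - PE payload carrying the RAT configuration keys and command keywords"
reference = "2016-11-09 report 'Down the H-W0rm Hole with Houdini's RAT' (see the path this rule is stored under)"
strings:
// Configuration keys: C2 endpoint, install location, persistence, process injection
// and keylogger settings. `wide ascii` matches both ASCII and UTF-16LE encodings;
// only $sa22 is case-insensitive.
$sa1 = "connection_host" wide ascii
$sa2 = "connection_port" wide ascii
$sa3 = "install_folder" wide ascii
$sa4 = "install_name" wide ascii
$sa5 = "nickname_id" wide ascii
$sa6 = "password" wide ascii
$sa7 = "injection" wide ascii
$sa8 = "startup_registry" wide ascii
$sa9 = "startup_folder" wide ascii
$sa10 = "startup_task" wide ascii
$sa11 = "process_name" wide ascii
$sa12 = "fkeylogger_host" wide ascii
$sa13 = "fkeylogger_port" wide ascii
$sa14 = "keylogger_init" wide ascii
$sa15 = "keylogger_offline" wide ascii
$sa16 = "file_manager" wide ascii
$sa17 = "usb" wide ascii
// $sa18 (a second copy of "password", identical to $sa6) was dropped: under
// "all of them" a duplicate string can never change the verdict and only adds scan
// work. $sa24 was never defined. The remaining identifiers keep their original
// numbers so existing notes that cite them stay valid.
// Command / feature keywords. Several are short, generic words ("usb", "open",
// "show", "create", "Self") and would be noisy alone; they are acceptable only
// because the condition requires all of the strings together.
$sa19 = "filemanager" wide ascii
$sa20 = "keylogger" wide ascii
$sa21 = "screenshot" wide ascii
$sa22 = "show" nocase wide ascii
$sa23 = "open" wide ascii
$sa25 = "create" wide ascii
$sa26 = "Self" wide ascii
$sa27 = "createsuspended" wide ascii
condition:
// DOS/PE magic "MZ" at offset 0, then every string above must be present.
(uint16(0) == 0x5A4D) and (all of them)
}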