import "hash"
rule Gen_Trojan_Mikey
{
    // Mikey rule 1: a PE image that carries the reversed Run-key string
    // together with at least two of the weaker supporting markers.
    meta:
        description = "Detect the risk of Malware Mikey Rule 1"
        // reference sample hash given by the rule author (40 hex chars)
        hash = "a8e6c3ca056b3ff2495d7728654b780735b3a4cb"

    strings:
        // Required anchor: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' stored backwards.
        // Each "\\" in the pattern is the YARA escape for a single backslash in the file.
        $s0 = "nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\ERAWTFOS" fullword ascii

        // Supporting markers; the condition needs any two of them.
        // $x1 / $x2 are hard-coded User-Agent headers, $x3 / $x4 are bare
        // printf-style formats (generic on their own, hence not sufficient alone),
        // $x5 is a fixed filler string.
        $x1 = "User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)" fullword ascii
        $x2 = "User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)" fullword ascii
        $x3 = "%d*%u%s" fullword ascii
        $x4 = "%s %s:%d" fullword ascii
        $x5 = "Mnopqrst Vwxyabcde Ghijklm Opqrstuv Xya" fullword ascii

    condition:
        // MZ magic at offset 0, the reversed Run-key anchor, and two supporting markers.
        uint16(0) == 0x5a4d
        and $s0
        and 2 of ($x*)
}
rule Mikey_hash
{
    // Mikey rule 2: exact-match on the SHA-256 of the whole file against a
    // fixed list of seven known samples. No string or header checks are
    // applied, so it only ever fires on byte-identical copies of those samples.
    meta:
        description = "Detect the risk of Malware Mikey Rule 2"

    condition:
        // hash.sha256(0, filesize) digests the entire scanned file; it is
        // written once per hash because YARA has no set-membership operator
        // for strings. NOTE(review): whether the module caches the digest
        // between these comparisons depends on the YARA version - confirm
        // if scan cost matters.
        hash.sha256(0,filesize) == "71f9b10d43494f2b88e0621f0b389f3848415e6737510d8e882b58ba0dad56b0" or
        hash.sha256(0,filesize) == "b5c0ffd178d50a325199f3df0951d088585f40a00d0cd44fa610c894867935f6" or
        hash.sha256(0,filesize) == "0f5827b2364a8411542b806aa02c106473faff7b9b7a4da5eaa98104a8abf7fd" or
        hash.sha256(0,filesize) == "dc422934a782db00afa24cc085c779101386bf8d11bc2fda0db73418935f9fc5" or
        hash.sha256(0,filesize) == "37699bfb7cae547a1a312ba7cc47716e6d805b48f58c3783342b801875e20ff8" or
        hash.sha256(0,filesize) == "f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c" or
        hash.sha256(0,filesize) == "121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924"
}