45 lines
1,009 B
Text
45 lines
1,009 B
Text
|
private rule BangatCode : Bangat Family
|
||
|
|
{
|
||
|
|
meta:
|
||
|
|
description = "Bangat code features"
|
||
|
|
author = "Seth Hardy"
|
||
|
|
last_modified = "2014-07-10"
|
||
|
|
|
||
|
|
strings:
|
||
|
|
// dec [ebp + procname], push eax, push edx, call get procaddress
|
||
|
|
$ = { FE 4D ?? 8D 4? ?? 50 5? FF }
|
||
|
|
|
||
|
|
condition:
|
||
|
|
any of them
|
||
|
|
}
|
||
|
|
|
||
|
|
private rule BangatStrings : Bangat Family
|
||
|
|
{
|
||
|
|
meta:
|
||
|
|
description = "Bangat Identifying Strings"
|
||
|
|
author = "Seth Hardy"
|
||
|
|
last_modified = "2014-07-10"
|
||
|
|
|
||
|
|
strings:
|
||
|
|
$lib1 = "DreatePipe"
|
||
|
|
$lib2 = "HetSystemDirectoryA"
|
||
|
|
$lib3 = "SeleaseMutex"
|
||
|
|
$lib4 = "DloseWindowStation"
|
||
|
|
$lib5 = "DontrolService"
|
||
|
|
$file = "~hhC2F~.tmp"
|
||
|
|
$mc = "~_MC_3~"
|
||
|
|
|
||
|
|
condition:
|
||
|
|
all of ($lib*) or $file or $mc
|
||
|
|
}
|
||
|
|
|
||
|
|
rule Bangat : Family
|
||
|
|
{
|
||
|
|
meta:
|
||
|
|
description = "Bangat"
|
||
|
|
author = "Seth Hardy"
|
||
|
|
last_modified = "2014-07-10"
|
||
|
|
|
||
|
|
condition:
|
||
|
|
BangatCode or BangatStrings
|
||
|
|
}
|