
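rule TropicTrooper_keyboy_PDB
{
    // Detects Tropic Trooper / KeyBoy tooling by the PDB build path embedded in the binary.
    // Each "\\" in a YARA text string is one escaped backslash, so the strings below match a
    // single backslash in the scanned data. Strings are case-sensitive by default, which is why
    // the lower-case "D:\work\vs\" variant is listed separately from the capitalised ones.
    meta:
        author = "mikesxrs"
        description = "PDB Path in malware"
        reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/"
        reference2 = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html"
    strings:
        // Full PDB paths recovered from the samples described in the references.
        // Any one of these is specific enough to fire on its own.
        $pdb1 = "D:\\Work\\Project\\VS\\house\\Apple\\Apple_20180115\\Release\\InstallClient.pdb"
        $pdb2 = "D:\\Work\\Project\\VS\\house\\Apple\\Apple_20180115\\Release\\FakeRun.pdb"
        // NOTE(review): the space in "HSSL_Unicode _2" is kept verbatim from the original rule;
        // confirm it against the sample's debug directory rather than "fixing" it.
        $pdb3 = "D:\\Work\\Project\\VS\\HSSL\\HSSL_Unicode _2\\Release\\ServiceClient.pdb"
        $pdb4 = "D:\\Work\\VS\\Horse\\TSSL\\TSSL_v3.0\\TClient\\Release\\TClient.pdb"
        $pdb5 = "D:\\Work\\VS\\Horse\\TSSL\\TSSL_v0.3.1_20170722\\TClient\\x64\\Release\\TClient.pdb"
        $pdb6 = "D:\\Work\\VS\\Horse\\TSSL\\TSSL_v0.3.1_20170722\\TClient\\Release\\TClient.pdb"
        $pdb7 = "D:\\work\\vs\\UsbFerry_v2\\bin\\UsbFerry.pdb"
        $pdb8 = "E:\\Work\\VS Project\\cyassl-3.3.0\\out\\SSLClient_x64.pdb"

        // Hunting fragments: the directory prefixes and PDB file names split out of the paths
        // above, so that rebuilds with a different middle segment (new project/version folder)
        // are still caught. Prefixes such as "D:\work\vs\" or "E:\Work\VS Project\" are common
        // developer paths and are NOT allowed to fire alone; the condition requires a prefix
        // together with one of the known file names.
        $dir1 = "D:\\Work\\Project\\VS\\house\\"
        $dir2 = "D:\\Work\\VS\\Horse\\"
        $dir3 = "D:\\work\\vs\\"
        $dir4 = "E:\\Work\\VS Project\\"
        $file1 = "\\Release\\InstallClient.pdb"
        $file2 = "\\Release\\FakeRun.pdb"
        $file3 = "\\Release\\ServiceClient.pdb"
        $file4 = "\\Release\\TClient.pdb"
        $file5 = "\\bin\\UsbFerry.pdb"
        $file6 = "\\out\\SSLClient_x64.pdb"
    condition:
        // A full known path is sufficient by itself; the generic fragments only count as a
        // directory-prefix + file-name pair, which keeps the hunting part from matching ordinary
        // build artifacts that merely live under a "D:\work\vs\"-style folder.
        // No file-type guard is applied so the rule also works on memory dumps and other
        // carriers; restrict with uint16(0) == 0x5A4D if only PE files are in scope.
        any of ($pdb*)
        or ( any of ($dir*) and any of ($file*) )
}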