Sneed-Reactivity/yara-mikesxrs/Spider-labs/cherryPicker.yar

35 lines
1.1 KiB
Text
Raw Permalink Normal View History

rule cherryPicker
{
meta:
author = "Trustwave SpiderLabs"
date = "2015-11-17"
description = "Used to detect Cherry Picker malware. Blog: https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/?page=1&year=0&month=0"
strings:
$string1 = "srch1mutex" nocase
$string2 = "SYNC32TOOLBOX" nocase
$string3 = "kb852310.dll"
$config1 = "[config]" nocase
$config2 = "timeout"
$config3 = "r_cnt"
$config4 = "f_passive"
$config5 = "prlog"
condition:
any of ($string*) or all of ($config*)
}
rule cherryInstaller
{
strings:
$string1 = "(inject base: %08x)"
$string2 = "injected ok"
$string3 = "inject failed"
$string4 = "-i name.dll - install path dll"
$string5 = "-s name.dll procname|PID - inject dll into processes or PID"
$fileinfect1 = "\\ServicePackFiles\\i386\\user32.dll"
$fileinfect2 = "\\dllcache\\user32.dll"
$fileinfect3 = "\\user32.tmp"
condition:
all of ($string*) or all of ($fileinfect*)
}