27 lines
1 KiB
Text
27 lines
1 KiB
Text
|
rule apt_win_gimmick_dotnet_base : StormCloud
|
||
|
{
|
||
|
meta:
|
||
|
author = "threatintel@volexity.com"
|
||
|
description = "Detects the base version of GIMMICK in .NET."
|
||
|
reference = "https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/"
|
||
|
date = "2020-03-16"
|
||
|
hash1 = "b554bfe4c2da7d0ac42d1b4f28f4aae854331fd6d2b3af22af961f6919740234"
|
||
|
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
|
||
|
memory_suitable = 1
|
||
|
|
||
|
strings:
|
||
|
$other1 = "srcStr is null" wide
|
||
|
$other2 = "srcBs is null " wide
|
||
|
$other3 = "Key cannot be null" wide
|
||
|
$other4 = "Faild to get target constructor, targetType=" wide
|
||
|
$other5 = "hexMoudule(public key) cannot be null or empty." wide
|
||
|
$other6 = "https://oauth2.googleapis.com/token" wide
|
||
|
|
||
|
$magic1 = "TWljcm9zb2Z0IUAjJCVeJiooKQ==" ascii wide
|
||
|
$magic2 = "DAE47700E8CF3DAB0@" ascii wide
|
||
|
|
||
|
condition:
|
||
|
5 of ($other*) or
|
||
|
any of ($magic*)
|
||
|
}
|