// Flags files that embed PDB (debug symbol) paths which the two referenced
// reports tie to the TropicTrooper / KeyBoy tooling. PDB paths survive in
// release builds unless the developer strips them, so they are a cheap,
// low-effort attribution artefact; they are also trivial for the operator
// to change, so absence of a hit proves nothing.
rule TropicTrooper_keyboy_PDB
{
meta:
author = "mikesxrs"
description = "PDB Path in malware"
reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/"
reference2 = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html"

strings:
// $pdb1-$pdb8: complete PDB paths as written in the rule. YARA text strings
// are ASCII and case-sensitive by default, so each one matches only that
// exact byte sequence (including the casing of "work\vs" in $pdb7).
// A hit on any of these is high-confidence: the full path is unlikely to
// appear in an unrelated build.
$pdb1 = "D:\\Work\\Project\\VS\\house\\Apple\\Apple_20180115\\Release\\InstallClient.pdb"
$pdb2 = "D:\\Work\\Project\\VS\\house\\Apple\\Apple_20180115\\Release\\FakeRun.pdb"
// NOTE(review): "HSSL_Unicode _2" contains a space before "_2". It is kept
// exactly as the author wrote it; confirm against the original sample that
// this is not a transcription artefact, since a one-byte difference means
// the string never matches.
$pdb3 = "D:\\Work\\Project\\VS\\HSSL\\HSSL_Unicode _2\\Release\\ServiceClient.pdb"
$pdb4 = "D:\\Work\\VS\\Horse\\TSSL\\TSSL_v3.0\\TClient\\Release\\TClient.pdb"
$pdb5 = "D:\\Work\\VS\\Horse\\TSSL\\TSSL_v0.3.1_20170722\\TClient\\x64\\Release\\TClient.pdb"
$pdb6 = "D:\\Work\\VS\\Horse\\TSSL\\TSSL_v0.3.1_20170722\\TClient\\Release\\TClient.pdb"
$pdb7 = "D:\\work\\vs\\UsbFerry_v2\\bin\\UsbFerry.pdb"
$pdb8 = "E:\\Work\\VS Project\\cyassl-3.3.0\\out\\SSLClient_x64.pdb"
//hunting rule
// $pdb9-$pdb18 are deliberately broad fragments of the paths above, meant
// to catch new builds from the same developer tree:
//   $pdb9-$pdb12  : leading directory prefixes (drive + project root),
//   $pdb13-$pdb18 : trailing "<build dir>\<name>.pdb" file names.
// Because the condition below is "any of them", a single short prefix such
// as $pdb11 ("D:\work\vs\") is enough to fire, and that prefix can occur in
// unrelated software compiled from a similarly named directory. Treat a
// match that comes only from $pdb9-$pdb18 as a triage lead, not a verdict;
// a tighter variant would require one of $pdb1-$pdb8, or a prefix together
// with a file-name tail (e.g. "any of ($pdb9,$pdb10,$pdb11,$pdb12) and
// any of ($pdb13,$pdb14,$pdb15,$pdb16,$pdb17,$pdb18)").
$pdb9 = "D:\\Work\\Project\\VS\\house\\"
$pdb10 = "D:\\Work\\VS\\Horse\\"
$pdb11 = "D:\\work\\vs\\"
$pdb12 = "E:\\Work\\VS Project\\"
$pdb13 = "\\Release\\InstallClient.pdb"
$pdb14 = "\\Release\\FakeRun.pdb"
$pdb15 = "\\Release\\ServiceClient.pdb"
$pdb16 = "\\Release\\TClient.pdb"
$pdb17 = "\\bin\\UsbFerry.pdb"
$pdb18 = "\\out\\SSLClient_x64.pdb"


condition:
// Fires on the first matching string, exact paths and hunting fragments
// alike; there is no file-type or size gate, so the rule also applies to
// memory images and non-PE files where these paths may be present.
any of them

}