12 lines
485 B
Text
12 lines
485 B
Text
|
rule Gozi_JJ_struct: trojan {
|
||
|
meta:
|
||
|
module = "Gozi_JJ_struct"
|
||
|
reference = "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/"
|
||
|
strings:
|
||
|
$jj = "JJ" ascii
|
||
|
$pe_file = "This program cannot be run in DOS mode" ascii
|
||
|
$bss = ".bss" ascii
|
||
|
condition:
|
||
|
#jj >= 2 and (for all i in (1,2) : (@jj[i] < 0x400 and @jj[i] > 0x200)) and (@jj[2] - @jj[1] == 0x14) and ($pe_file in (0..1000)) and ($bss in (0..1000))
|
||
|
}
|