rule apt3_bemstour_implant_byte_patch
{
    meta:
        description = "Detects an implant used by Bemstour exploitation tool (APT3)"
        reference = "https://research.checkpoint.com/2019/upsynergy/"
        author = "Mark Lechtik"
        company = "Check Point Software Technologies LTD."
        date = "2019-06-25"
        sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"

    /*
        Anchor: five consecutive `mov dword ptr [ebp - X], imm32` stores that
        assemble a code stub on the stack four bytes at a time. In the sample
        referenced above they are found at:

        0x41b7e1L C745B8558BEC83 mov dword ptr [ebp - 0x48], 0x83ec8b55
        0x41b7e8L C745BCEC745356 mov dword ptr [ebp - 0x44], 0x565374ec
        0x41b7efL C745C08B750833 mov dword ptr [ebp - 0x40], 0x3308758b
        0x41b7f6L C745C4C957C745 mov dword ptr [ebp - 0x3c], 0x45c757c9
        0x41b7fdL C745C88C4C6F61 mov dword ptr [ebp - 0x38], 0x616f4c8c

        Read in memory order, the 20 immediate bytes are themselves x86 code:
          55            push ebp
          8B EC         mov  ebp, esp
          83 EC 74      sub  esp, 0x74
          53            push ebx
          56            push esi
          8B 75 08      mov  esi, [ebp + 8]
          33 C9         xor  ecx, ecx
          57            push edi
          C7 45 8C 4C 6F 61 ..   mov dword ptr [ebp - 0x74], "Loa" + 1 more byte
        i.e. a function prologue followed by a string being written into the
        new frame (likely the start of an API name -- not confirmed here).

        Only the store opcode (C7 45) and the immediate are matched; the ebp
        displacement is wildcarded so a different frame layout still hits.
    */

    strings:
        // C7 45 ?? = mov dword ptr [ebp + disp8], imm32 ; disp8 left as a wildcard
        $chunk_1 = { C7 45 ?? 55 8B EC 83
                     C7 45 ?? EC 74 53 56
                     C7 45 ?? 8B 75 08 33
                     C7 45 ?? C9 57 C7 45
                     C7 45 ?? 8C 4C 6F 61 }

    condition:
        $chunk_1
}