// Code-level indicators for the Rookie family: two strings that are assembled
// one character at a time, plus one XOR byte-decoding sequence.
// The rule is private, so it is never reported by itself; it only contributes
// to rules that reference it by name.
private rule RookieCode : Rookie Family
{
    meta:
        description   = "Rookie code features"
        author        = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // hidden AutoConfigURL
        // "C6 ?? ?? ?? <imm8>" is an x86 byte-sized MOV of an immediate into
        // memory; the three wildcards are presumably the ModRM/SIB/displacement
        // bytes. The immediates spell 'A' 'u', then a 4-byte gap, then
        // 'o' 'C' 'o' 'n' 'f'. Because the name is written character by
        // character, a plain-text search for it would not find it, which is
        // presumably what the author means by "hidden".
        $autoconfigurl_stack = {
            C6 ?? ?? ?? 41
            C6 ?? ?? ?? 75
            [4]
            C6 ?? ?? ?? 6F
            C6 ?? ?? ?? 43
            C6 ?? ?? ?? 6F
            C6 ?? ?? ?? 6E
            C6 ?? ?? ?? 66
        }

        // hidden ProxyEnable
        // Same construction: 'P', a 4-byte gap, then 'o' 'x' 'y' 'E' 'n' 'a'.
        $proxyenable_stack = {
            C6 ?? ?? ?? 50
            [4]
            C6 ?? ?? ?? 6F
            C6 ?? ?? ?? 78
            C6 ?? ?? ?? 79
            C6 ?? ?? ?? 45
            C6 ?? ?? ?? 6E
            C6 ?? ?? ?? 61
        }

        // xor on rand value? (the original author's own guess)
        // 8B 1D 10 A1 40 00 = mov ebx, [0x0040A110]; 18 bytes skipped;
        // FF D3 = call ebx; 8A 16 / 32 D0 / 88 16 = load the byte at [esi],
        // XOR it with al, store it back.
        // NOTE(review): the absolute address 0x0040A110 is hard-coded, so this
        // string only matches builds with that exact layout. It is the most
        // brittle of the three patterns.
        $xor_decode = {
            8B 1D 10 A1 40 00
            [18]
            FF D3
            8A 16
            32 D0
            88 16
        }

    condition:
        // One hit is enough. Nothing here restricts file type or size, so the
        // patterns are searched for in every scanned object.
        1 of them
}
// Plain-string indicator for the Rookie family.
// The rule is private, so it is never reported by itself; it only contributes
// to rules that reference it by name.
private rule RookieStrings : Rookie Family
{
    meta:
        description   = "Rookie Identifying Strings"
        author        = "Seth Hardy"
        last_modified = "2014-06-25"

    strings:
        // Has the shape of a "product/version" token (looks like a User-Agent
        // value; confirm against samples). No modifiers are set, so the match
        // is case-sensitive and ASCII only; a UTF-16 copy of the same text
        // would not hit.
        $product_token = "RookIE/1.0"

    condition:
        // NOTE(review): this is a single 10-byte string with no file-type
        // check, so anything that merely contains the text also matches:
        // proxy logs, packet captures, reports, or a copy of this rule file.
        // Treat a hit from this rule alone as low confidence.
        1 of them
}
// Public family rule: the only rule in this file that is reported.
// It fires when either private helper rule (RookieCode, RookieStrings) matches
// the scanned object.
rule Rookie : Family
{
    meta:
        description   = "Rookie"
        author        = "Seth Hardy"
        last_modified = "2014-06-25"

    condition:
        // Either helper is sufficient, so a verdict can rest on the single
        // text string in RookieStrings. When triaging a hit, check which
        // helper matched (private rules are not listed in the output; the
        // matched strings are shown with -s). No file-type or size constraint
        // is applied at this level either.
        RookieStrings or RookieCode
}