Sneed-Reactivity/yara-mikesxrs/Novetta/UniformJuliett.yara


rule UniformJuliett
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "Cmd03000_1a6f62e1630d512c3b67bfdbff26270177585c82802ffa834b768ff47be0a008.bin"

    strings:
        // x86 code sequence taken from the sample's disassembly:
        //   push esi             ; hSCObject
        //   call ebp             ; CloseServiceHandle
        //   push 0BB8h           ; dwMilliseconds (3000 ms)
        //   call ds:Sleep
        //   push 0               ; fCreateHighestLevel
        //   push offset PathName ; lpPathName
        //   call RecursivelyCreateDirectories
        //   add esp, 8
        //   push offset PathName ; lpFileName
        //   call ds:DeleteFileA
        // The IAT slot addresses, the data offsets and the relative call
        // displacement are replaced with 4-byte wildcards ([4]) so the pattern
        // is not tied to one image base or build layout.
        $code = { 56 FF D5 68 B8 0B 00 00 FF 15 [4] 6A 00 68 [4] E8 [4] 83 C4 08 68 [4] FF 15 }

        // Plain ASCII, case-sensitive strings from the sample. "Rpcss" matches
        // the name of a standard Windows service, so on its own it is weak
        // evidence; the code sequence above is the discriminating anchor and
        // the condition requires every string to be present.
        $s1 = "wauserv.dll"
        $s2 = "Rpcss"

    condition:
        $code and $s1 and $s2
}