29 lines
832 B
Text
29 lines
832 B
Text
|
|
||
|
rule appraisel_exe {
|
||
|
strings:
|
||
|
$decode_function = {8B3883C0048D8FFFFEFEFEF7D723CF23CD75398B3883C0048D8FFFFEFEFEF7D723CF23CD75268B3883C0048D8FFFFEFEFEF7D723CF23CD75138B3883C0048D8FFFFEFEFEF7D723CF23CD74B4}
|
||
|
condition:
|
||
|
$decode_function
|
||
|
}
|
||
|
|
||
|
rule appraisel_exe_payload {
|
||
|
meta:
|
||
|
decoder = "appraisel_exe_payload.py"
|
||
|
|
||
|
strings:
|
||
|
$filename1 = "%s\\Tmp" wide
|
||
|
$filename2 = "%s\\Volume Panel" wide
|
||
|
$filename3 = "\\VolPanlu.exe" wide
|
||
|
$filename4 = "%s\\updstat.bin" wide
|
||
|
$filename5 = "%s\\srvstat.bin" wide
|
||
|
|
||
|
$string1 = "Panlu" wide fullword
|
||
|
|
||
|
// AFC5BE36ED870435A2E3C9714CCFFD44 @ 0x4012f0
|
||
|
$3min_uptime_test = {FF15????????3D20BF0200730B68C0D40100FF15????????680F270000}
|
||
|
|
||
|
condition:
|
||
|
4 of ($filename*,$string1) or $3min_uptime_test
|
||
|
}
|
||
|
|