40 lines
1.4 KiB
Text
40 lines
1.4 KiB
Text
|
rule xDedic_SysScan_unpacked {
|
||
|
meta:
|
||
|
author = " Kaspersky Lab"
|
||
|
maltype = "crimeware"
|
||
|
type ="crimeware"
|
||
|
description = "Detects SysScan APT tool"
|
||
|
reference = "https://securelist.com/blog/research/75027/xdedic-the-shady-world-of-hacked-servers-for-sale/"
|
||
|
filetype = "Win32 EXE"
|
||
|
date = "2016-03-14"
|
||
|
version = "1.0"
|
||
|
hash1 = "fac495be1c71012682ebb27092060b43"
|
||
|
hash2 = "e8cc69231e209db7968397e8a244d104"
|
||
|
hash3 = "a53847a51561a7e76fd034043b9aa36d"
|
||
|
hash4 = "e8691fa5872c528cd8e72b82e7880e98"
|
||
|
hash5 = "F661b50d45400e7052a2427919e2f777"
|
||
|
id = "4f5d37b3-e3aa-51ec-b36e-b494c8abe227"
|
||
|
strings:
|
||
|
$a1 = "/c ping -n 2 127.0.0.1 & del \"SysScan.exe\"" ascii wide
|
||
|
$a2 = "SysScan DEBUG Mode!!!" ascii wide
|
||
|
$a3 = "This rechecking? (set 0/1 or press enter key)" ascii wide
|
||
|
$a4 = "http://37.49.224.144:8189/manual_result" ascii wide
|
||
|
|
||
|
$b1 = "Checker end work!" ascii wide
|
||
|
$b2 = "Trying send result..." ascii wide
|
||
|
condition:
|
||
|
uint16(0) == 0x5A4D and filesize < 5000000 and ( any of ($a*) or all of ($b*) )
|
||
|
}
|
||
|
|
||
|
rule xdedic_packed_syscan {
|
||
|
meta:
|
||
|
author = "Kaspersky Lab - modified by Florian Roth"
|
||
|
company = "Kaspersky Lab"
|
||
|
id = "da8e59f3-53f9-504b-afff-9caab798db6c"
|
||
|
strings:
|
||
|
$a1 = "SysScan.exe" nocase ascii wide
|
||
|
$a2 = "1.3.4." wide
|
||
|
condition:
|
||
|
uint16(0) == 0x5A4D and filesize > 500KB and filesize < 1500KB and all of them
|
||
|
}
|