import "pe"
rule SUSP_Unsigned_GoogleUpdate {
    meta:
        description = "Detects suspicious unsigned GoogleUpdate.exe"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2019-08-05"
        score = 60
        hash1 = "5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354"
        id = "2575b882-3526-5c42-9d50-83fb0b7df3f5"
    strings:
        /*
         * UTF-16LE version-resource pair as it appears on disk:
         *   \0O\0r\0i\0g\0i\0n\0a\0l\0F\0i\0l\0e\0n\0a\0m\0e
         *   \0\0\0G\0o\0o\0g\0l\0e\0U\0p\0d\0a\0t\0e\0.\0e\0x\0e
         * i.e. "OriginalFilename" NUL "GoogleUpdate.exe". Kept as raw
         * hex rather than a `wide` text string so the surrounding NUL
         * bytes are part of the match.
         */
        $orig_name = { 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C
                       00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65
                       00 00 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55
                       00 70 00 64 00 61 00 74 00 65 00 2E 00 65 00 78
                       00 65 }
    condition:
        // MZ magic, size cap, the resource string, and no embedded
        // Authenticode entry at all. Note that number_of_signatures only
        // counts signature entries present in the file; it says nothing
        // about whether any of them verify.
        uint16(0) == 0x5a4d
        and filesize < 2000KB
        and $orig_name
        and pe.number_of_signatures == 0
}