private rule MongalCode : Mongal Family
{
    // Code-level feature of the Mongal family. Kept private: it is only
    // consumed by the public "Mongal" rule and never reported on its own.
    meta:
        description = "Mongal code features"
        author = "Seth Hardy"
        last_modified = "2014-07-15"

    strings:
        // gettickcount value checking
        // Bytes disassemble (x86) to:
        //   mov ecx, eax ; mov eax, 0x10624DD3 ; mul ecx ; shr edx, 6
        //   sub edx, esi ; cmp edx, 5 ; jbe <short back>
        // 0x10624DD3 with a total shift of 38 is the compiler idiom for an
        // unsigned divide by 1000, i.e. milliseconds -> seconds, so this
        // looks like a tick-count delta compared against 5 seconds.
        $tick_check = { 8B C8 B8 D3 4D 62 10 F7 E1 C1 EA 06 2B D6 83 FA 05 76 EB }

    condition:
        // Single pattern, so naming it directly is equivalent to "any of them".
        $tick_check
}
private rule MongalStrings : Mongal Family
{
    // Plain-text artefacts associated with the Mongal family. Private helper
    // for the public "Mongal" rule.
    meta:
        description = "Mongal Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-15"

    strings:
        // Component filenames. All three are plain ASCII, case-sensitive
        // matches (YARA defaults), exactly as in the original rule.
        $dll1 = "NSCortr.dll"
        $dll2 = "NSCortr1.dll"
        // NOTE(review): short, generic-looking filename; because the
        // condition is "any of", a hit on this string alone satisfies the
        // rule - worth confirming that is the intended sensitivity.
        $exe  = "Sina.exe"

    condition:
        // Same semantics as "any of them": one matching string is enough.
        any of ($dll*, $exe)
}
rule Mongal : Family
{
    // Public entry rule for the family. It declares no strings of its own and
    // fires when either private helper (string artefacts or the tick-count
    // code pattern) matches; "or" is commutative, so operand order is
    // irrelevant to the result.
    meta:
        description = "Mongal"
        author = "Seth Hardy"
        last_modified = "2014-07-15"

    condition:
        MongalStrings or MongalCode
}