Sneed-Reactivity/yara-mikesxrs/Citizen Lab/msattacker.yara


private rule MsAttackerStage2 : MsAttacker Family
{
    // Stage-2 string indicators for the MsAttacker family.
    // The rule is private, so YARA evaluates it but never reports it by itself;
    // it only contributes to rules that reference it.
    meta:
        description = "Identifying strings for MsAttacker stage 2"
        last_modified = "2015-03-12"

    // No modifiers are set, so each pattern is matched as case-sensitive ASCII.
    // NOTE(review): confirm against samples whether UTF-16 copies of these
    // strings occur; ASCII-only patterns will not hit them.
    strings:
        // Bare DLL file name. Weakest indicator in the set: any file that
        // merely embeds this name satisfies the condition below.
        $minijs_dll = "MiniJS.dll"

        // printf-style template that wraps a rundll32.exe invocation in quotes
        // and ends with /f. RealService looks like the entry point handed to
        // rundll32; presumably the tail of a registry-write command (verify).
        $rundll_realservice_fmt = "%s \"rundll32.exe %s RealService %s\" /f"

        // Command that deletes the "Start Pages" value under the HKCU Run key.
        $reg_delete_run = "reg delete HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"Start Pages\" /f"

        // Long digit string; its meaning is not evident from the rule itself,
        // so treat it as an opaque marker.
        $numeric_marker = "3111431114311121270018000127001808012700180"

        // Name template in the Global\ namespace with a numeric suffix;
        // presumably a mutex or similar named object (confirm).
        $global_object_fmt = "Global\\MSAttacker %d"

    condition:
        // A single hit on any pattern above is sufficient.
        any of ($*)
}
private rule MsAttackerStage1 : MsAttacker Family
{
    // Stage-1 string indicators for the MsAttacker family.
    // The rule is private, so YARA evaluates it but never reports it by itself;
    // it only contributes to rules that reference it.
    meta:
        description = "Identifying strings for MsAttacker stage 1"
        last_modified = "2015-03-12"

    // No modifiers are set, so each pattern is matched as case-sensitive ASCII.
    strings:
        // Hard-coded download URLs on a single IP address (32-bit and 64-bit
        // CryptBase cabinets, plus the MiniJS DLL).
        // NOTE(review): network indicators dated 2015; the address may have
        // been reassigned since, so corroborate a hit on these alone.
        $url_cryptbase32 = "http://122.10.117.152/download/ms/CryptBase.32.cab"
        $url_cryptbase64 = "http://122.10.117.152/download/ms/CryptBase.64.cab"
        $url_minijs = "http://122.10.117.152/download/ms/MiniJS.dll"

        // Bare DLL file name. It is also a substring of $url_minijs, and on
        // its own it is the weakest indicator in the set.
        $minijs_dll = "MiniJS.dll"

        // Template for a script fragment that constructs a Downloader object
        // from two string arguments and calls Fire() on it.
        $js_downloader_fmt = "%s;new Downloader('%s', '%s').Fire();"

        // Template for a rundll32.exe invocation; RealService looks like the
        // entry point handed to rundll32 (confirm against samples).
        $rundll_realservice_fmt = "rundll32.exe %s RealService %s"

    condition:
        // A single hit on any pattern above is sufficient.
        any of ($*)
}
rule MsAttacker : MsAttacker Family
{
    // Public family rule: matches when either private stage rule matches.
    // Private rules are not listed in scan output, so a hit is reported only
    // as MsAttacker; which stage (and which string) fired has to be worked out
    // separately during triage.
    condition:
        MsAttackerStage2 or MsAttackerStage1
}