Sneed-Reactivity/yara-mikesxrs/Elastic/Windows_Trojan_Deimos_DLL.yar

24 lines
966 B
Text
Raw Normal View History

rule Windows_Trojan_Deimos_DLL {
meta:
author = "Elastic Security"
creation_date = "2021-09-18"
last_modified = "2021-09-18"
os = "Windows"
arch = "x86"
category_type = "Trojan"
family = "Deimos"
threat_name = "Windows.Trojan.Deimos"
description = "Detects the presence of the Deimos trojan DLL file."
reference = "https://www.elastic.co/security-labs/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant"
reference_sample = "2c1941847f660a99bbc6de16b00e563f70d900f9dbc40c6734871993961d3d3e"
strings:
$a1 = "\\APPDATA\\ROAMING" wide fullword
$a2 = "{\"action\":\"ping\",\"" wide fullword
$a3 = "Deimos" ascii fullword
$b1 = { 00 57 00 58 00 59 00 5A 00 5F 00 00 17 75 00 73 00 65 00 72 00 }
$b2 = { 0C 08 16 1F 68 9D 08 17 1F 77 9D 08 18 1F 69 9D 08 19 1F 64 9D }
condition:
all of ($a*) or 1 of ($b*)
}