// SpyEye (banker) in-memory indicators: the family name, configuration and
// plugin keywords, bot identifier strings, and verbatim bot error messages.
rule spyeye : banker
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "SpyEye X.Y memory"
        date = "2012-05-23"
        version = "1.0"
        filetype = "memory"

    strings:
        // Family name. On its own it is also found in AV signature data and
        // analyst tooling resident in memory, so expect false positives from it.
        $name = "SpyEye"
        // Configuration placeholder / plugin strings
        $cfg_botname = "%BOTNAME%"
        $cfg_plugins = "globplugins"
        // Keywords consistent with a webinject configuration format
        $inj_inject = "data_inject"
        $inj_before = "data_before"
        $inj_after = "data_after"
        $inj_end = "data_end"
        // Bot identifier strings
        $bot_version = "bot_version"
        $bot_guid = "bot_guid"
        $bot_takeguid = "TakeBotGuid"
        $bot_gate = "TakeGateToCollector"
        // Verbatim bot error / log messages
        $err_kill = "[ERROR] : Omfg! Process is still active? Lets kill that mazafaka!"
        $err_update = "[ERROR] : Update is not successfull for some reason"
        $err_dwerr = "[ERROR] : dwErr == %u"
        $log_grabbed = "GRABBED DATA"

    condition:
        // Every string defined above takes part, so this is the original
        // "$spyeye or any of the rest" written as a single quantifier:
        // one matching string of any kind is sufficient.
        any of them
}
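// SpyEye plugin and configuration file names seen in memory. The plugin DLL
// names are specific, but several entries (marked below) are generic file
// names that also occur in benign processes.
rule spyeye_plugins : banker
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "SpyEye X.Y Plugins memory"
        date = "2012-05-23"
        version = "1.0"
        filetype = "memory"

    strings:
        // NOTE(review): all strings are ASCII-only; file names may also be
        // present as UTF-16 in process memory - consider `wide` after testing.
        $a = "webfakes.dll"
        $b = "config.dat" //may raise some FP - generic file name
        $c = "collectors.txt"
        $d = "webinjects.txt"
        $e = "screenshots.txt"
        $f = "billinghammer.dll"
        $g = "block.dll" //may raise some FP - generic file name
        $h = "bugreport.dll" //may raise some FP - generic file name
        $i = "ccgrabber.dll"
        $j = "connector2.dll"
        $k = "creditgrab.dll"
        $l = "customconnector.dll"
        $m = "ffcertgrabber.dll"
        $n = "ftpbc.dll"
        $o = "rdp.dll" //may raise some FP - generic file name
        $p = "rt_2_4.dll"
        $q = "socks5.dll" //may raise some FP - generic file name
        $r = "spySpread.dll"
        $s = "w2chek4_4.dll"
        $t = "w2chek4_6.dll"

    condition:
        // Any one SpyEye-specific name is enough on its own, but the five
        // generic names flagged above as FP-prone must co-occur (two of them)
        // before the rule fires, so that a lone "config.dat" or "rdp.dll" in
        // an unrelated process does not raise a banker alert.
        any of ($a, $c, $d, $e, $f, $i, $j, $k, $l, $m, $n, $p, $r, $s, $t) or
        2 of ($b, $g, $h, $o, $q)
}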