Sneed-Reactivity/yara-mikesxrs/Nick Hoffman/logpos.yar

rule LogPOS
{
    meta:
        author = "Nick Hoffman - Morphick Security"
        description = "Detects Versions of LogPOS"
        md5 = "af13e7583ed1b27c4ae219e344a37e2b"
    strings:
        $mailslot = "\\\\.\\mailslot\\LogCC"
        $get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="
        //64A130000000      mov eax, dword ptr fs:[0x30]
        //8B400C        mov eax, dword ptr [eax + 0xc]
        //8B401C        mov eax, dword ptr [eax + 0x1c]
        //8B4008        mov eax, dword ptr [eax + 8]
        $sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }
    condition:
        $sc and 1 of ($mailslot,$get)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule LogPOS`
			`{`
			`meta:`
			`author = "Nick Hoffman - Morphick Security"`
			`description = "Detects Versions of LogPOS"`
			`md5 = "af13e7583ed1b27c4ae219e344a37e2b"`
			`strings:`
			`$mailslot = "\\\\.\\mailslot\\LogCC"`
			`$get = "GET /%s?encoding=%c&t=%c&cc=%I64d&process="`
			`//64A130000000 mov eax, dword ptr fs:[0x30]`
			`//8B400C mov eax, dword ptr [eax + 0xc]`
			`//8B401C mov eax, dword ptr [eax + 0x1c]`
			`//8B4008 mov eax, dword ptr [eax + 8]`
			`$sc = {64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 }`
			`condition:`
			`$sc and 1 of ($mailslot,$get)`
			`}`