47 lines
1.1 KiB
Text
47 lines
1.1 KiB
Text
|
rule MSSUP : AST
|
||
|
|
|
||
|
|
{
|
||
|
|
|
||
|
|
meta:
|
||
|
|
|
||
|
|
author="PwC Cyber Threat Operations"
|
||
|
|
|
||
|
|
date="2014-09-11"
|
||
|
|
|
||
|
|
hash="8083ee212588a05d72561eebe83c57bb"
|
||
|
|
|
||
|
|
reference = "http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html"
|
||
|
|
|
||
|
|
strings:
|
||
|
|
|
||
|
|
$debug1="d:\\Programming\\CSharp\\BlackBerry\\BlackBerry\\obj\\Debug\\MSSUP.pdb" nocase
|
||
|
|
|
||
|
|
$debug2="D:\\Programming\\CSharp\\BlackBerry\\UploadDownload\\bin\\x86\\Debug\\UploadDownload.pdb" nocase
|
||
|
|
|
||
|
|
$debug3="Unexpected error has been occurred in {0}, the process must restart for some reason, if it's first time you see this message restart the {0}, if problem was standing contacts the support team ."
|
||
|
|
|
||
|
|
$fileheader1="MSSUP" ascii wide
|
||
|
|
|
||
|
|
$fileheader2="1.0.0.0" ascii wide
|
||
|
|
|
||
|
|
$fileheader3="2014" ascii wide
|
||
|
|
|
||
|
|
$configload1="sqlite3.dll"
|
||
|
|
|
||
|
|
$configload2="URLExtractRegex"
|
||
|
|
|
||
|
|
$configload3="HTTPHeaderName"
|
||
|
|
|
||
|
|
$configload4="HTTPHeaderType"
|
||
|
|
|
||
|
|
$configload5="MsupPath"
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
condition:
|
||
|
|
|
||
|
|
(all of ($fileheader*) or 3 of ($configload*)) and filesize < 200KB or any of ($debug*)
|
||
|
|
|
||
|
|
}
|
||
|
|
|