76 lines
2.2 KiB
Text
76 lines
2.2 KiB
Text
|
// Point of Sale (POS) Malware
|
||
|
|
||
|
rule pos_memory_scrapper2
|
||
|
{
|
||
|
meta:
|
||
|
author = "@patrickrolsen"
|
||
|
maltype = "Point of Sale (POS) Malware Memory Scraper"
|
||
|
version = "0.2"
|
||
|
description = "POS Memory Scraper"
|
||
|
reference = "7f9cdc380eeed16eaab3e48d59f271aa http://www.xylibox.com/2013/05/dump-memory-grabber-blackpos.html"
|
||
|
date = "01/03/2014"
|
||
|
strings:
|
||
|
$magic = { 4D 5A } // MZ Header
|
||
|
$string1 = "kartoxa" nocase
|
||
|
$string2 = "CC2 region:"
|
||
|
$string3 = "CC memregion:"
|
||
|
$string4 = "target pid:"
|
||
|
$string5 = "scan all processes:"
|
||
|
$string6 = "<pid> <PATTERN>"
|
||
|
$string7 = "KAPTOXA" nocase
|
||
|
condition:
|
||
|
($magic at 0) and all of ($string*)
|
||
|
}
|
||
|
rule pos_malwre_dexter_stardust
|
||
|
{
|
||
|
meta:
|
||
|
author = "@patrickrolsen"
|
||
|
maltype = "Dexter Malware - StarDust Variant"
|
||
|
version = "0.1"
|
||
|
description = "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
|
||
|
reference = "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658"
|
||
|
date = "12/30/2013"
|
||
|
strings:
|
||
|
$magic = { 4D 5A } // MZ Header
|
||
|
$string1 = "ceh_3\\.\\ceh_4\\..\\ceh_6"
|
||
|
$string2 = "Yatoed3fe3rex23030am39497403"
|
||
|
$string3 = "Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19"
|
||
|
$string4 = "CommonFile.exe"
|
||
|
condition:
|
||
|
($magic at 0) and all of ($string*)
|
||
|
}
|
||
|
|
||
|
rule pos_malware_project_hook
|
||
|
{
|
||
|
meta:
|
||
|
author = "@patrickrolsen"
|
||
|
maltype = "Project Hook"
|
||
|
version = "0.1"
|
||
|
description = "Table 1 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
|
||
|
reference = "759154d20849a25315c4970fe37eac59"
|
||
|
date = "12/30/2013"
|
||
|
strings:
|
||
|
$magic = { 4D 5A } // MZ Header
|
||
|
$string1 = "CallImage.exe"
|
||
|
$string2 = "BurpSwim"
|
||
|
$string3 = "Work\\Project\\Load"
|
||
|
$string4 = "WortHisnal"
|
||
|
|
||
|
condition:
|
||
|
($magic at 0) and all of ($string*)
|
||
|
}
|
||
|
|
||
|
rule pdb_strings_Rescator
|
||
|
{
|
||
|
meta:
|
||
|
author = "@patrickrolsen"
|
||
|
maltype = "N/A Threat Intel..."
|
||
|
version = "0.2"
|
||
|
description = "Rescator PDB strings within binaries"
|
||
|
date = "01/03/2014"
|
||
|
strings:
|
||
|
$magic = { 4D 5A } // MZ Header
|
||
|
$pdb1 = "\\Projects\\Rescator" nocase
|
||
|
condition:
|
||
|
($magic at 0) and $pdb1
|
||
|
}
|