19 lines
603 B
Text
19 lines
603 B
Text
|
import "pe"
|
||
|
|
||
|
|
||
|
rule apt_c16_win_memory_pcclient : Memory APT
|
||
|
{
|
||
|
meta:
|
||
|
author = "@dragonthreatlab"
|
||
|
md5 = "ec532bbe9d0882d403473102e9724557"
|
||
|
description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
|
||
|
date = "2015/01/11"
|
||
|
reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
|
||
|
strings:
|
||
|
$str1 = "Kill You" ascii
|
||
|
$str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
|
||
|
$str3 = "%4.2f KB" ascii
|
||
|
$encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|